source: azure_iot_hub_f767zi/trunk/wolfssl-4.4.0/wolfcrypt/src/rsa.c@ 457

Last change on this file since 457 was 457, checked in by coas-nagasima, 4 years ago

ファイルを追加
  • Property svn:eol-style set to native
  • Property svn:mime-type set to text/x-csrc;charset=UTF-8
File size: 121.9 KB
Line 
1/* rsa.c
2 *
3 * Copyright (C) 2006-2020 wolfSSL Inc.
4 *
5 * This file is part of wolfSSL.
6 *
7 * wolfSSL is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 2 of the License, or
10 * (at your option) any later version.
11 *
12 * wolfSSL is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
16 *
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
20 */
21
22
23#ifdef HAVE_CONFIG_H
24 #include <config.h>
25#endif
26
27#include <wolfssl/wolfcrypt/settings.h>
28#include <wolfssl/wolfcrypt/error-crypt.h>
29
30#ifndef NO_RSA
31
32#if defined(HAVE_FIPS) && \
33 defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
34
35 /* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */
36 #define FIPS_NO_WRAPPERS
37
38 #ifdef USE_WINDOWS_API
39 #pragma code_seg(".fipsA$e")
40 #pragma const_seg(".fipsB$e")
41 #endif
42#endif
43
44#include <wolfssl/wolfcrypt/rsa.h>
45
46#ifdef WOLFSSL_AFALG_XILINX_RSA
47#include <wolfssl/wolfcrypt/port/af_alg/wc_afalg.h>
48#endif
49
50#ifdef WOLFSSL_HAVE_SP_RSA
51#include <wolfssl/wolfcrypt/sp.h>
52#endif
53
54/*
55Possible RSA enable options:
56 * NO_RSA: Overall control of RSA default: on (not defined)
57 * WC_RSA_BLINDING: Uses Blinding w/ Private Ops default: off
58 Note: slower by ~20%
59 * WOLFSSL_KEY_GEN: Allows Private Key Generation default: off
60 * RSA_LOW_MEM: NON CRT Private Operations, less memory default: off
61 * WC_NO_RSA_OAEP: Disables RSA OAEP padding default: on (not defined)
62 * WC_RSA_NONBLOCK: Enables support for RSA non-blocking default: off
63 * WC_RSA_NONBLOCK_TIME:Enables support for time based blocking default: off
64 * time calculation.
65*/
66
67/*
68RSA Key Size Configuration:
69 * FP_MAX_BITS: With USE_FAST_MATH only default: 4096
70 If USE_FAST_MATH then use this to override default.
71 Value is key size * 2. Example: RSA 3072 = 6144
72*/
73
74
75/* If building for old FIPS. */
76#if defined(HAVE_FIPS) && \
77 (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2))
78
79int wc_InitRsaKey(RsaKey* key, void* ptr)
80{
81 if (key == NULL) {
82 return BAD_FUNC_ARG;
83 }
84
85 return InitRsaKey_fips(key, ptr);
86}
87
88
89int wc_InitRsaKey_ex(RsaKey* key, void* ptr, int devId)
90{
91 (void)devId;
92 if (key == NULL) {
93 return BAD_FUNC_ARG;
94 }
95 return InitRsaKey_fips(key, ptr);
96}
97
98
99int wc_FreeRsaKey(RsaKey* key)
100{
101 return FreeRsaKey_fips(key);
102}
103
104
105#ifndef WOLFSSL_RSA_VERIFY_ONLY
106int wc_RsaPublicEncrypt(const byte* in, word32 inLen, byte* out,
107 word32 outLen, RsaKey* key, WC_RNG* rng)
108{
109 if (in == NULL || out == NULL || key == NULL || rng == NULL) {
110 return BAD_FUNC_ARG;
111 }
112 return RsaPublicEncrypt_fips(in, inLen, out, outLen, key, rng);
113}
114#endif
115
116
117#ifndef WOLFSSL_RSA_PUBLIC_ONLY
118int wc_RsaPrivateDecryptInline(byte* in, word32 inLen, byte** out,
119 RsaKey* key)
120{
121 if (in == NULL || out == NULL || key == NULL) {
122 return BAD_FUNC_ARG;
123 }
124 return RsaPrivateDecryptInline_fips(in, inLen, out, key);
125}
126
127
128int wc_RsaPrivateDecrypt(const byte* in, word32 inLen, byte* out,
129 word32 outLen, RsaKey* key)
130{
131 if (in == NULL || out == NULL || key == NULL) {
132 return BAD_FUNC_ARG;
133 }
134 return RsaPrivateDecrypt_fips(in, inLen, out, outLen, key);
135}
136
137
138int wc_RsaSSL_Sign(const byte* in, word32 inLen, byte* out,
139 word32 outLen, RsaKey* key, WC_RNG* rng)
140{
141 if (in == NULL || out == NULL || key == NULL || inLen == 0) {
142 return BAD_FUNC_ARG;
143 }
144 return RsaSSL_Sign_fips(in, inLen, out, outLen, key, rng);
145}
146#endif
147
148
149int wc_RsaSSL_VerifyInline(byte* in, word32 inLen, byte** out, RsaKey* key)
150{
151 if (in == NULL || out == NULL || key == NULL) {
152 return BAD_FUNC_ARG;
153 }
154 return RsaSSL_VerifyInline_fips(in, inLen, out, key);
155}
156
157
158int wc_RsaSSL_Verify(const byte* in, word32 inLen, byte* out,
159 word32 outLen, RsaKey* key)
160{
161 if (in == NULL || out == NULL || key == NULL || inLen == 0) {
162 return BAD_FUNC_ARG;
163 }
164 return RsaSSL_Verify_fips(in, inLen, out, outLen, key);
165}
166
167
168int wc_RsaEncryptSize(RsaKey* key)
169{
170 if (key == NULL) {
171 return BAD_FUNC_ARG;
172 }
173 return RsaEncryptSize_fips(key);
174}
175
176
177#ifndef WOLFSSL_RSA_VERIFY_ONLY
178int wc_RsaFlattenPublicKey(RsaKey* key, byte* a, word32* aSz, byte* b,
179 word32* bSz)
180{
181
182 /* not specified as fips so not needing _fips */
183 return RsaFlattenPublicKey(key, a, aSz, b, bSz);
184}
185#endif
186
187
188#ifdef WOLFSSL_KEY_GEN
189 int wc_MakeRsaKey(RsaKey* key, int size, long e, WC_RNG* rng)
190 {
191 return MakeRsaKey(key, size, e, rng);
192 }
193#endif
194
195
196/* these are functions in asn and are routed to wolfssl/wolfcrypt/asn.c
197* wc_RsaPrivateKeyDecode
198* wc_RsaPublicKeyDecode
199*/
200
201#else /* else build without fips, or for new fips */
202
203#include <wolfssl/wolfcrypt/random.h>
204#include <wolfssl/wolfcrypt/logging.h>
205#ifdef WOLF_CRYPTO_CB
206 #include <wolfssl/wolfcrypt/cryptocb.h>
207#endif
208#ifdef NO_INLINE
209 #include <wolfssl/wolfcrypt/misc.h>
210#else
211 #define WOLFSSL_MISC_INCLUDED
212 #include <wolfcrypt/src/misc.c>
213#endif
214
215
216enum {
217 RSA_STATE_NONE = 0,
218
219 RSA_STATE_ENCRYPT_PAD,
220 RSA_STATE_ENCRYPT_EXPTMOD,
221 RSA_STATE_ENCRYPT_RES,
222
223 RSA_STATE_DECRYPT_EXPTMOD,
224 RSA_STATE_DECRYPT_UNPAD,
225 RSA_STATE_DECRYPT_RES,
226};
227
228
229static void wc_RsaCleanup(RsaKey* key)
230{
231#ifndef WOLFSSL_RSA_VERIFY_INLINE
232 if (key && key->data) {
233 /* make sure any allocated memory is free'd */
234 if (key->dataIsAlloc) {
235 #ifndef WOLFSSL_RSA_PUBLIC_ONLY
236 if (key->type == RSA_PRIVATE_DECRYPT ||
237 key->type == RSA_PRIVATE_ENCRYPT) {
238 ForceZero(key->data, key->dataLen);
239 }
240 #endif
241 XFREE(key->data, key->heap, DYNAMIC_TYPE_WOLF_BIGINT);
242 key->dataIsAlloc = 0;
243 }
244 key->data = NULL;
245 key->dataLen = 0;
246 }
247#else
248 (void)key;
249#endif
250}
251
252int wc_InitRsaKey_ex(RsaKey* key, void* heap, int devId)
253{
254 int ret = 0;
255
256 if (key == NULL) {
257 return BAD_FUNC_ARG;
258 }
259
260 XMEMSET(key, 0, sizeof(RsaKey));
261
262 key->type = RSA_TYPE_UNKNOWN;
263 key->state = RSA_STATE_NONE;
264 key->heap = heap;
265#ifndef WOLFSSL_RSA_VERIFY_INLINE
266 key->dataIsAlloc = 0;
267 key->data = NULL;
268#endif
269 key->dataLen = 0;
270#ifdef WC_RSA_BLINDING
271 key->rng = NULL;
272#endif
273
274#ifdef WOLF_CRYPTO_CB
275 key->devId = devId;
276#else
277 (void)devId;
278#endif
279
280#ifdef WOLFSSL_ASYNC_CRYPT
281 #ifdef WOLFSSL_CERT_GEN
282 XMEMSET(&key->certSignCtx, 0, sizeof(CertSignCtx));
283 #endif
284
285 #ifdef WC_ASYNC_ENABLE_RSA
286 /* handle as async */
287 ret = wolfAsync_DevCtxInit(&key->asyncDev, WOLFSSL_ASYNC_MARKER_RSA,
288 key->heap, devId);
289 if (ret != 0)
290 return ret;
291 #endif /* WC_ASYNC_ENABLE_RSA */
292#endif /* WOLFSSL_ASYNC_CRYPT */
293
294#ifndef WOLFSSL_RSA_PUBLIC_ONLY
295 ret = mp_init_multi(&key->n, &key->e, NULL, NULL, NULL, NULL);
296 if (ret != MP_OKAY)
297 return ret;
298
299#if !defined(WOLFSSL_KEY_GEN) && !defined(OPENSSL_EXTRA) && defined(RSA_LOW_MEM)
300 ret = mp_init_multi(&key->d, &key->p, &key->q, NULL, NULL, NULL);
301#else
302 ret = mp_init_multi(&key->d, &key->p, &key->q, &key->dP, &key->dQ, &key->u);
303#endif
304 if (ret != MP_OKAY) {
305 mp_clear(&key->n);
306 mp_clear(&key->e);
307 return ret;
308 }
309#else
310 ret = mp_init(&key->n);
311 if (ret != MP_OKAY)
312 return ret;
313 ret = mp_init(&key->e);
314 if (ret != MP_OKAY) {
315 mp_clear(&key->n);
316 return ret;
317 }
318#endif
319
320#ifdef WOLFSSL_XILINX_CRYPT
321 key->pubExp = 0;
322 key->mod = NULL;
323#endif
324
325#ifdef WOLFSSL_AFALG_XILINX_RSA
326 key->alFd = WC_SOCK_NOTSET;
327 key->rdFd = WC_SOCK_NOTSET;
328#endif
329
330 return ret;
331}
332
333int wc_InitRsaKey(RsaKey* key, void* heap)
334{
335 return wc_InitRsaKey_ex(key, heap, INVALID_DEVID);
336}
337
338#ifdef HAVE_PKCS11
339int wc_InitRsaKey_Id(RsaKey* key, unsigned char* id, int len, void* heap,
340 int devId)
341{
342 int ret = 0;
343
344 if (key == NULL)
345 ret = BAD_FUNC_ARG;
346 if (ret == 0 && (len < 0 || len > RSA_MAX_ID_LEN))
347 ret = BUFFER_E;
348
349 if (ret == 0)
350 ret = wc_InitRsaKey_ex(key, heap, devId);
351
352 if (ret == 0 && id != NULL && len != 0) {
353 XMEMCPY(key->id, id, len);
354 key->idLen = len;
355 }
356
357 return ret;
358}
359#endif
360
361
362#ifdef WOLFSSL_XILINX_CRYPT
363#define MAX_E_SIZE 4
364/* Used to setup hardware state
365 *
366 * key the RSA key to setup
367 *
368 * returns 0 on success
369 */
370int wc_InitRsaHw(RsaKey* key)
371{
372 unsigned char* m; /* RSA modulous */
373 word32 e = 0; /* RSA public exponent */
374 int mSz;
375 int eSz;
376
377 if (key == NULL) {
378 return BAD_FUNC_ARG;
379 }
380
381 mSz = mp_unsigned_bin_size(&(key->n));
382 m = (unsigned char*)XMALLOC(mSz, key->heap, DYNAMIC_TYPE_KEY);
383 if (m == 0) {
384 return MEMORY_E;
385 }
386
387 if (mp_to_unsigned_bin(&(key->n), m) != MP_OKAY) {
388 WOLFSSL_MSG("Unable to get RSA key modulus");
389 XFREE(m, key->heap, DYNAMIC_TYPE_KEY);
390 return MP_READ_E;
391 }
392
393 eSz = mp_unsigned_bin_size(&(key->e));
394 if (eSz > MAX_E_SIZE) {
395 WOLFSSL_MSG("Exponent of size 4 bytes expected");
396 XFREE(m, key->heap, DYNAMIC_TYPE_KEY);
397 return BAD_FUNC_ARG;
398 }
399
400 if (mp_to_unsigned_bin(&(key->e), (byte*)&e + (MAX_E_SIZE - eSz))
401 != MP_OKAY) {
402 XFREE(m, key->heap, DYNAMIC_TYPE_KEY);
403 WOLFSSL_MSG("Unable to get RSA key exponent");
404 return MP_READ_E;
405 }
406
407 /* check for existing mod buffer to avoid memory leak */
408 if (key->mod != NULL) {
409 XFREE(key->mod, key->heap, DYNAMIC_TYPE_KEY);
410 }
411
412 key->pubExp = e;
413 key->mod = m;
414
415 if (XSecure_RsaInitialize(&(key->xRsa), key->mod, NULL,
416 (byte*)&(key->pubExp)) != XST_SUCCESS) {
417 WOLFSSL_MSG("Unable to initialize RSA on hardware");
418 XFREE(m, key->heap, DYNAMIC_TYPE_KEY);
419 return BAD_STATE_E;
420 }
421
422#ifdef WOLFSSL_XILINX_PATCH
423 /* currently a patch of xsecure_rsa.c for 2048 bit keys */
424 if (wc_RsaEncryptSize(key) == 256) {
425 if (XSecure_RsaSetSize(&(key->xRsa), 2048) != XST_SUCCESS) {
426 WOLFSSL_MSG("Unable to set RSA key size on hardware");
427 XFREE(m, key->heap, DYNAMIC_TYPE_KEY);
428 return BAD_STATE_E;
429 }
430 }
431#endif
432 return 0;
433} /* WOLFSSL_XILINX_CRYPT*/
434
435#elif defined(WOLFSSL_CRYPTOCELL)
436
437int wc_InitRsaHw(RsaKey* key)
438{
439 CRYSError_t ret = 0;
440 byte e[3];
441 word32 eSz = sizeof(e);
442 byte n[256];
443 word32 nSz = sizeof(n);
444 byte d[256];
445 word32 dSz = sizeof(d);
446 byte p[128];
447 word32 pSz = sizeof(p);
448 byte q[128];
449 word32 qSz = sizeof(q);
450
451 if (key == NULL) {
452 return BAD_FUNC_ARG;
453 }
454
455 ret = wc_RsaExportKey(key, e, &eSz, n, &nSz, d, &dSz, p, &pSz, q, &qSz);
456 if (ret != 0)
457 return MP_READ_E;
458
459 ret = CRYS_RSA_Build_PubKey(&key->ctx.pubKey, e, eSz, n, nSz);
460 if (ret != SA_SILIB_RET_OK){
461 WOLFSSL_MSG("CRYS_RSA_Build_PubKey failed");
462 return ret;
463 }
464
465 ret = CRYS_RSA_Build_PrivKey(&key->ctx.privKey, d, dSz, e, eSz, n, nSz);
466
467 if (ret != SA_SILIB_RET_OK){
468 WOLFSSL_MSG("CRYS_RSA_Build_PrivKey failed");
469 return ret;
470 }
471 key->type = RSA_PRIVATE;
472 return 0;
473}
474static int cc310_RSA_GenerateKeyPair(RsaKey* key, int size, long e)
475{
476 CRYSError_t ret = 0;
477 CRYS_RSAKGData_t KeyGenData;
478 CRYS_RSAKGFipsContext_t FipsCtx;
479 byte ex[3];
480 uint16_t eSz = sizeof(ex);
481 byte n[256];
482 uint16_t nSz = sizeof(n);
483
484 ret = CRYS_RSA_KG_GenerateKeyPair(&wc_rndState,
485 wc_rndGenVectFunc,
486 (byte*)&e,
487 3*sizeof(uint8_t),
488 size,
489 &key->ctx.privKey,
490 &key->ctx.pubKey,
491 &KeyGenData,
492 &FipsCtx);
493
494 if (ret != SA_SILIB_RET_OK){
495 WOLFSSL_MSG("CRYS_RSA_KG_GenerateKeyPair failed");
496 return ret;
497 }
498
499 ret = CRYS_RSA_Get_PubKey(&key->ctx.pubKey, ex, &eSz, n, &nSz);
500 if (ret != SA_SILIB_RET_OK){
501 WOLFSSL_MSG("CRYS_RSA_Get_PubKey failed");
502 return ret;
503 }
504 ret = wc_RsaPublicKeyDecodeRaw(n, nSz, ex, eSz, key);
505
506 key->type = RSA_PRIVATE;
507
508 return ret;
509}
510#endif /* WOLFSSL_CRYPTOCELL */
511
512int wc_FreeRsaKey(RsaKey* key)
513{
514 int ret = 0;
515
516 if (key == NULL) {
517 return BAD_FUNC_ARG;
518 }
519
520 wc_RsaCleanup(key);
521
522#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_RSA)
523 wolfAsync_DevCtxFree(&key->asyncDev, WOLFSSL_ASYNC_MARKER_RSA);
524#endif
525
526#ifndef WOLFSSL_RSA_PUBLIC_ONLY
527 if (key->type == RSA_PRIVATE) {
528#if defined(WOLFSSL_KEY_GEN) || defined(OPENSSL_EXTRA) || !defined(RSA_LOW_MEM)
529 mp_forcezero(&key->u);
530 mp_forcezero(&key->dQ);
531 mp_forcezero(&key->dP);
532#endif
533 mp_forcezero(&key->q);
534 mp_forcezero(&key->p);
535 mp_forcezero(&key->d);
536 }
537 /* private part */
538#if defined(WOLFSSL_KEY_GEN) || defined(OPENSSL_EXTRA) || !defined(RSA_LOW_MEM)
539 mp_clear(&key->u);
540 mp_clear(&key->dQ);
541 mp_clear(&key->dP);
542#endif
543 mp_clear(&key->q);
544 mp_clear(&key->p);
545 mp_clear(&key->d);
546#endif /* WOLFSSL_RSA_PUBLIC_ONLY */
547
548 /* public part */
549 mp_clear(&key->e);
550 mp_clear(&key->n);
551
552#ifdef WOLFSSL_XILINX_CRYPT
553 XFREE(key->mod, key->heap, DYNAMIC_TYPE_KEY);
554 key->mod = NULL;
555#endif
556
557#ifdef WOLFSSL_AFALG_XILINX_RSA
558 /* make sure that sockets are closed on cleanup */
559 if (key->alFd > 0) {
560 close(key->alFd);
561 key->alFd = WC_SOCK_NOTSET;
562 }
563 if (key->rdFd > 0) {
564 close(key->rdFd);
565 key->rdFd = WC_SOCK_NOTSET;
566 }
567#endif
568
569 return ret;
570}
571
572#ifndef WOLFSSL_RSA_PUBLIC_ONLY
573#if defined(WOLFSSL_KEY_GEN) && !defined(WOLFSSL_NO_RSA_KEY_CHECK)
574/* Check the pair-wise consistency of the RSA key.
575 * From NIST SP 800-56B, section 6.4.1.1.
576 * Verify that k = (k^e)^d, for some k: 1 < k < n-1. */
577int wc_CheckRsaKey(RsaKey* key)
578{
579#if defined(WOLFSSL_CRYPTOCELL)
580 return 0;
581#endif
582#ifdef WOLFSSL_SMALL_STACK
583 mp_int *k = NULL, *tmp = NULL;
584#else
585 mp_int k[1], tmp[1];
586#endif
587 int ret = 0;
588
589#ifdef WOLFSSL_SMALL_STACK
590 k = (mp_int*)XMALLOC(sizeof(mp_int) * 2, NULL, DYNAMIC_TYPE_RSA);
591 if (k == NULL)
592 return MEMORY_E;
593 tmp = k + 1;
594#endif
595
596 if (mp_init_multi(k, tmp, NULL, NULL, NULL, NULL) != MP_OKAY)
597 ret = MP_INIT_E;
598
599 if (ret == 0) {
600 if (key == NULL)
601 ret = BAD_FUNC_ARG;
602 }
603
604 if (ret == 0) {
605 if (mp_set_int(k, 0x2342) != MP_OKAY)
606 ret = MP_READ_E;
607 }
608
609#ifdef WOLFSSL_HAVE_SP_RSA
610#ifndef WOLFSSL_SP_NO_2048
611 if (mp_count_bits(&key->n) == 2048) {
612 ret = sp_ModExp_2048(k, &key->e, &key->n, tmp);
613 if (ret != 0)
614 ret = MP_EXPTMOD_E;
615 ret = sp_ModExp_2048(tmp, &key->d, &key->n, tmp);
616 if (ret != 0)
617 ret = MP_EXPTMOD_E;
618 }
619 else
620#endif
621#ifndef WOLFSSL_SP_NO_3072
622 if (mp_count_bits(&key->n) == 3072) {
623 ret = sp_ModExp_3072(k, &key->e, &key->n, tmp);
624 if (ret != 0)
625 ret = MP_EXPTMOD_E;
626 ret = sp_ModExp_3072(tmp, &key->d, &key->n, tmp);
627 if (ret != 0)
628 ret = MP_EXPTMOD_E;
629 }
630 else
631#endif
632#ifdef WOLFSSL_SP_4096
633 if (mp_count_bits(&key->n) == 4096) {
634 ret = sp_ModExp_4096(k, &key->e, &key->n, tmp);
635 if (ret != 0)
636 ret = MP_EXPTMOD_E;
637 ret = sp_ModExp_4096(tmp, &key->d, &key->n, tmp);
638 if (ret != 0)
639 ret = MP_EXPTMOD_E;
640 }
641 else
642#endif
643#endif
644#ifdef WOLFSSL_SP_MATH
645 {
646 ret = WC_KEY_SIZE_E;
647 }
648#else
649 {
650 if (ret == 0) {
651 if (mp_exptmod(k, &key->e, &key->n, tmp) != MP_OKAY)
652 ret = MP_EXPTMOD_E;
653 }
654
655 if (ret == 0) {
656 if (mp_exptmod(tmp, &key->d, &key->n, tmp) != MP_OKAY)
657 ret = MP_EXPTMOD_E;
658 }
659 }
660#endif
661
662 if (ret == 0) {
663 if (mp_cmp(k, tmp) != MP_EQ)
664 ret = RSA_KEY_PAIR_E;
665 }
666
667 /* Check d is less than n. */
668 if (ret == 0 ) {
669 if (mp_cmp(&key->d, &key->n) != MP_LT) {
670 ret = MP_EXPTMOD_E;
671 }
672 }
673 /* Check p*q = n. */
674 if (ret == 0 ) {
675 if (mp_mul(&key->p, &key->q, tmp) != MP_OKAY) {
676 ret = MP_EXPTMOD_E;
677 }
678 }
679 if (ret == 0 ) {
680 if (mp_cmp(&key->n, tmp) != MP_EQ) {
681 ret = MP_EXPTMOD_E;
682 }
683 }
684
685 /* Check dP, dQ and u if they exist */
686 if (ret == 0 && !mp_iszero(&key->dP)) {
687 if (mp_sub_d(&key->p, 1, tmp) != MP_OKAY) {
688 ret = MP_EXPTMOD_E;
689 }
690 /* Check dP <= p-1. */
691 if (ret == 0) {
692 if (mp_cmp(&key->dP, tmp) != MP_LT) {
693 ret = MP_EXPTMOD_E;
694 }
695 }
696 /* Check e*dP mod p-1 = 1. (dP = 1/e mod p-1) */
697 if (ret == 0) {
698 if (mp_mulmod(&key->dP, &key->e, tmp, tmp) != MP_OKAY) {
699 ret = MP_EXPTMOD_E;
700 }
701 }
702 if (ret == 0 ) {
703 if (!mp_isone(tmp)) {
704 ret = MP_EXPTMOD_E;
705 }
706 }
707
708 if (ret == 0) {
709 if (mp_sub_d(&key->q, 1, tmp) != MP_OKAY) {
710 ret = MP_EXPTMOD_E;
711 }
712 }
713 /* Check dQ <= q-1. */
714 if (ret == 0) {
715 if (mp_cmp(&key->dQ, tmp) != MP_LT) {
716 ret = MP_EXPTMOD_E;
717 }
718 }
719 /* Check e*dP mod p-1 = 1. (dQ = 1/e mod q-1) */
720 if (ret == 0) {
721 if (mp_mulmod(&key->dQ, &key->e, tmp, tmp) != MP_OKAY) {
722 ret = MP_EXPTMOD_E;
723 }
724 }
725 if (ret == 0 ) {
726 if (!mp_isone(tmp)) {
727 ret = MP_EXPTMOD_E;
728 }
729 }
730
731 /* Check u <= p. */
732 if (ret == 0) {
733 if (mp_cmp(&key->u, &key->p) != MP_LT) {
734 ret = MP_EXPTMOD_E;
735 }
736 }
737 /* Check u*q mod p = 1. (u = 1/q mod p) */
738 if (ret == 0) {
739 if (mp_mulmod(&key->u, &key->q, &key->p, tmp) != MP_OKAY) {
740 ret = MP_EXPTMOD_E;
741 }
742 }
743 if (ret == 0 ) {
744 if (!mp_isone(tmp)) {
745 ret = MP_EXPTMOD_E;
746 }
747 }
748 }
749
750 mp_forcezero(tmp);
751 mp_clear(tmp);
752 mp_clear(k);
753#ifdef WOLFSSL_SMALL_STACK
754 XFREE(k, NULL, DYNAMIC_TYPE_RSA);
755#endif
756
757 return ret;
758}
759#endif
760#endif
761
762
763#if !defined(WC_NO_RSA_OAEP) || defined(WC_RSA_PSS)
764/* Uses MGF1 standard as a mask generation function
765 hType: hash type used
766 seed: seed to use for generating mask
767 seedSz: size of seed buffer
768 out: mask output after generation
769 outSz: size of output buffer
770 */
771#if !defined(NO_SHA) || !defined(NO_SHA256) || defined(WOLFSSL_SHA384) || defined(WOLFSSL_SHA512)
772static int RsaMGF1(enum wc_HashType hType, byte* seed, word32 seedSz,
773 byte* out, word32 outSz, void* heap)
774{
775 byte* tmp;
776 /* needs to be large enough for seed size plus counter(4) */
777 byte tmpA[WC_MAX_DIGEST_SIZE + 4];
778 byte tmpF; /* 1 if dynamic memory needs freed */
779 word32 tmpSz;
780 int hLen;
781 int ret;
782 word32 counter;
783 word32 idx;
784 hLen = wc_HashGetDigestSize(hType);
785 counter = 0;
786 idx = 0;
787
788 (void)heap;
789
790 /* check error return of wc_HashGetDigestSize */
791 if (hLen < 0) {
792 return hLen;
793 }
794
795 /* if tmp is not large enough than use some dynamic memory */
796 if ((seedSz + 4) > sizeof(tmpA) || (word32)hLen > sizeof(tmpA)) {
797 /* find largest amount of memory needed which will be the max of
798 * hLen and (seedSz + 4) since tmp is used to store the hash digest */
799 tmpSz = ((seedSz + 4) > (word32)hLen)? seedSz + 4: (word32)hLen;
800 tmp = (byte*)XMALLOC(tmpSz, heap, DYNAMIC_TYPE_RSA_BUFFER);
801 if (tmp == NULL) {
802 return MEMORY_E;
803 }
804 tmpF = 1; /* make sure to free memory when done */
805 }
806 else {
807 /* use array on the stack */
808 tmpSz = sizeof(tmpA);
809 tmp = tmpA;
810 tmpF = 0; /* no need to free memory at end */
811 }
812
813 do {
814 int i = 0;
815 XMEMCPY(tmp, seed, seedSz);
816
817 /* counter to byte array appended to tmp */
818 tmp[seedSz] = (counter >> 24) & 0xFF;
819 tmp[seedSz + 1] = (counter >> 16) & 0xFF;
820 tmp[seedSz + 2] = (counter >> 8) & 0xFF;
821 tmp[seedSz + 3] = (counter) & 0xFF;
822
823 /* hash and append to existing output */
824 if ((ret = wc_Hash(hType, tmp, (seedSz + 4), tmp, tmpSz)) != 0) {
825 /* check for if dynamic memory was needed, then free */
826 if (tmpF) {
827 XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER);
828 }
829 return ret;
830 }
831
832 for (i = 0; i < hLen && idx < outSz; i++) {
833 out[idx++] = tmp[i];
834 }
835 counter++;
836 } while (idx < outSz);
837
838 /* check for if dynamic memory was needed, then free */
839 if (tmpF) {
840 XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER);
841 }
842
843 return 0;
844}
845#endif /* SHA2 Hashes */
846
847/* helper function to direct which mask generation function is used
848 switched on type input
849 */
850static int RsaMGF(int type, byte* seed, word32 seedSz, byte* out,
851 word32 outSz, void* heap)
852{
853 int ret;
854
855 switch(type) {
856 #ifndef NO_SHA
857 case WC_MGF1SHA1:
858 ret = RsaMGF1(WC_HASH_TYPE_SHA, seed, seedSz, out, outSz, heap);
859 break;
860 #endif
861 #ifndef NO_SHA256
862 #ifdef WOLFSSL_SHA224
863 case WC_MGF1SHA224:
864 ret = RsaMGF1(WC_HASH_TYPE_SHA224, seed, seedSz, out, outSz, heap);
865 break;
866 #endif
867 case WC_MGF1SHA256:
868 ret = RsaMGF1(WC_HASH_TYPE_SHA256, seed, seedSz, out, outSz, heap);
869 break;
870 #endif
871 #ifdef WOLFSSL_SHA384
872 case WC_MGF1SHA384:
873 ret = RsaMGF1(WC_HASH_TYPE_SHA384, seed, seedSz, out, outSz, heap);
874 break;
875 #endif
876 #ifdef WOLFSSL_SHA512
877 case WC_MGF1SHA512:
878 ret = RsaMGF1(WC_HASH_TYPE_SHA512, seed, seedSz, out, outSz, heap);
879 break;
880 #endif
881 default:
882 WOLFSSL_MSG("Unknown MGF type: check build options");
883 ret = BAD_FUNC_ARG;
884 }
885
886 /* in case of default avoid unused warning */
887 (void)seed;
888 (void)seedSz;
889 (void)out;
890 (void)outSz;
891 (void)heap;
892
893 return ret;
894}
895#endif /* !WC_NO_RSA_OAEP || WC_RSA_PSS */
896
897
898/* Padding */
899#ifndef WOLFSSL_RSA_VERIFY_ONLY
900#ifndef WC_NO_RNG
901#ifndef WC_NO_RSA_OAEP
902static int RsaPad_OAEP(const byte* input, word32 inputLen, byte* pkcsBlock,
903 word32 pkcsBlockLen, byte padValue, WC_RNG* rng,
904 enum wc_HashType hType, int mgf, byte* optLabel, word32 labelLen,
905 void* heap)
906{
907 int ret;
908 int hLen;
909 int psLen;
910 int i;
911 word32 idx;
912
913 byte* dbMask;
914
915 #ifdef WOLFSSL_SMALL_STACK
916 byte* lHash = NULL;
917 byte* seed = NULL;
918 #else
919 /* must be large enough to contain largest hash */
920 byte lHash[WC_MAX_DIGEST_SIZE];
921 byte seed[ WC_MAX_DIGEST_SIZE];
922 #endif
923
924 /* no label is allowed, but catch if no label provided and length > 0 */
925 if (optLabel == NULL && labelLen > 0) {
926 return BUFFER_E;
927 }
928
929 /* limit of label is the same as limit of hash function which is massive */
930 hLen = wc_HashGetDigestSize(hType);
931 if (hLen < 0) {
932 return hLen;
933 }
934
935 #ifdef WOLFSSL_SMALL_STACK
936 lHash = (byte*)XMALLOC(hLen, heap, DYNAMIC_TYPE_RSA_BUFFER);
937 if (lHash == NULL) {
938 return MEMORY_E;
939 }
940 seed = (byte*)XMALLOC(hLen, heap, DYNAMIC_TYPE_RSA_BUFFER);
941 if (seed == NULL) {
942 XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
943 return MEMORY_E;
944 }
945 #else
946 /* hLen should never be larger than lHash since size is max digest size,
947 but check before blindly calling wc_Hash */
948 if ((word32)hLen > sizeof(lHash)) {
949 WOLFSSL_MSG("OAEP lHash to small for digest!!");
950 return MEMORY_E;
951 }
952 #endif
953
954 if ((ret = wc_Hash(hType, optLabel, labelLen, lHash, hLen)) != 0) {
955 WOLFSSL_MSG("OAEP hash type possibly not supported or lHash to small");
956 #ifdef WOLFSSL_SMALL_STACK
957 XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
958 XFREE(seed, heap, DYNAMIC_TYPE_RSA_BUFFER);
959 #endif
960 return ret;
961 }
962
963 /* handles check of location for idx as well as psLen, cast to int to check
964 for pkcsBlockLen(k) - 2 * hLen - 2 being negative
965 This check is similar to decryption where k > 2 * hLen + 2 as msg
966 size approaches 0. In decryption if k is less than or equal -- then there
967 is no possible room for msg.
968 k = RSA key size
969 hLen = hash digest size -- will always be >= 0 at this point
970 */
971 if ((word32)(2 * hLen + 2) > pkcsBlockLen) {
972 WOLFSSL_MSG("OAEP pad error hash to big for RSA key size");
973 #ifdef WOLFSSL_SMALL_STACK
974 XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
975 XFREE(seed, heap, DYNAMIC_TYPE_RSA_BUFFER);
976 #endif
977 return BAD_FUNC_ARG;
978 }
979
980 if (inputLen > (pkcsBlockLen - 2 * hLen - 2)) {
981 WOLFSSL_MSG("OAEP pad error message too long");
982 #ifdef WOLFSSL_SMALL_STACK
983 XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
984 XFREE(seed, heap, DYNAMIC_TYPE_RSA_BUFFER);
985 #endif
986 return BAD_FUNC_ARG;
987 }
988
989 /* concatenate lHash || PS || 0x01 || msg */
990 idx = pkcsBlockLen - 1 - inputLen;
991 psLen = pkcsBlockLen - inputLen - 2 * hLen - 2;
992 if (pkcsBlockLen < inputLen) { /*make sure not writing over end of buffer */
993 #ifdef WOLFSSL_SMALL_STACK
994 XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
995 XFREE(seed, heap, DYNAMIC_TYPE_RSA_BUFFER);
996 #endif
997 return BUFFER_E;
998 }
999 XMEMCPY(pkcsBlock + (pkcsBlockLen - inputLen), input, inputLen);
1000 pkcsBlock[idx--] = 0x01; /* PS and M separator */
1001 while (psLen > 0 && idx > 0) {
1002 pkcsBlock[idx--] = 0x00;
1003 psLen--;
1004 }
1005
1006 idx = idx - hLen + 1;
1007 XMEMCPY(pkcsBlock + idx, lHash, hLen);
1008
1009 /* generate random seed */
1010 if ((ret = wc_RNG_GenerateBlock(rng, seed, hLen)) != 0) {
1011 #ifdef WOLFSSL_SMALL_STACK
1012 XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
1013 XFREE(seed, heap, DYNAMIC_TYPE_RSA_BUFFER);
1014 #endif
1015 return ret;
1016 }
1017
1018 /* create maskedDB from dbMask */
1019 dbMask = (byte*)XMALLOC(pkcsBlockLen - hLen - 1, heap, DYNAMIC_TYPE_RSA);
1020 if (dbMask == NULL) {
1021 #ifdef WOLFSSL_SMALL_STACK
1022 XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
1023 XFREE(seed, heap, DYNAMIC_TYPE_RSA_BUFFER);
1024 #endif
1025 return MEMORY_E;
1026 }
1027 XMEMSET(dbMask, 0, pkcsBlockLen - hLen - 1); /* help static analyzer */
1028
1029 ret = RsaMGF(mgf, seed, hLen, dbMask, pkcsBlockLen - hLen - 1, heap);
1030 if (ret != 0) {
1031 XFREE(dbMask, heap, DYNAMIC_TYPE_RSA);
1032 #ifdef WOLFSSL_SMALL_STACK
1033 XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
1034 XFREE(seed, heap, DYNAMIC_TYPE_RSA_BUFFER);
1035 #endif
1036 return ret;
1037 }
1038
1039 i = 0;
1040 idx = hLen + 1;
1041 while (idx < pkcsBlockLen && (word32)i < (pkcsBlockLen - hLen -1)) {
1042 pkcsBlock[idx] = dbMask[i++] ^ pkcsBlock[idx];
1043 idx++;
1044 }
1045 XFREE(dbMask, heap, DYNAMIC_TYPE_RSA);
1046
1047
1048 /* create maskedSeed from seedMask */
1049 idx = 0;
1050 pkcsBlock[idx++] = 0x00;
1051 /* create seedMask inline */
1052 if ((ret = RsaMGF(mgf, pkcsBlock + hLen + 1, pkcsBlockLen - hLen - 1,
1053 pkcsBlock + 1, hLen, heap)) != 0) {
1054 #ifdef WOLFSSL_SMALL_STACK
1055 XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
1056 XFREE(seed, heap, DYNAMIC_TYPE_RSA_BUFFER);
1057 #endif
1058 return ret;
1059 }
1060
1061 /* xor created seedMask with seed to make maskedSeed */
1062 i = 0;
1063 while (idx < (word32)(hLen + 1) && i < hLen) {
1064 pkcsBlock[idx] = pkcsBlock[idx] ^ seed[i++];
1065 idx++;
1066 }
1067
1068 #ifdef WOLFSSL_SMALL_STACK
1069 XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
1070 XFREE(seed, heap, DYNAMIC_TYPE_RSA_BUFFER);
1071 #endif
1072 (void)padValue;
1073
1074 return 0;
1075}
1076#endif /* !WC_NO_RSA_OAEP */
1077
1078#ifdef WC_RSA_PSS
1079
1080/* 0x00 .. 0x00 0x01 | Salt | Gen Hash | 0xbc
1081 * XOR MGF over all bytes down to end of Salt
1082 * Gen Hash = HASH(8 * 0x00 | Message Hash | Salt)
1083 *
1084 * input Digest of the message.
1085 * inputLen Length of digest.
1086 * pkcsBlock Buffer to write to.
1087 * pkcsBlockLen Length of buffer to write to.
1088 * rng Random number generator (for salt).
1089 * htype Hash function to use.
1090 * mgf Mask generation function.
1091 * saltLen Length of salt to put in padding.
1092 * bits Length of key in bits.
1093 * heap Used for dynamic memory allocation.
1094 * returns 0 on success, PSS_SALTLEN_E when the salt length is invalid
1095 * and other negative values on error.
1096 */
1097static int RsaPad_PSS(const byte* input, word32 inputLen, byte* pkcsBlock,
1098 word32 pkcsBlockLen, WC_RNG* rng, enum wc_HashType hType, int mgf,
1099 int saltLen, int bits, void* heap)
1100{
1101 int ret = 0;
1102 int hLen, i, o, maskLen, hiBits;
1103 byte* m;
1104 byte* s;
1105#if defined(WOLFSSL_PSS_LONG_SALT) || defined(WOLFSSL_PSS_SALT_LEN_DISCOVER)
1106 #if defined(WOLFSSL_NO_MALLOC) && !defined(WOLFSSL_STATIC_MEMORY)
1107 byte salt[RSA_MAX_SIZE/8 + RSA_PSS_PAD_SZ];
1108 #else
1109 byte* salt = NULL;
1110 #endif
1111#else
1112 byte salt[WC_MAX_DIGEST_SIZE];
1113#endif
1114
1115#if defined(WOLFSSL_PSS_LONG_SALT) || defined(WOLFSSL_PSS_SALT_LEN_DISCOVER)
1116 if (pkcsBlockLen > RSA_MAX_SIZE/8) {
1117 return MEMORY_E;
1118 }
1119#endif
1120
1121 hLen = wc_HashGetDigestSize(hType);
1122 if (hLen < 0)
1123 return hLen;
1124
1125 hiBits = (bits - 1) & 0x7;
1126 if (hiBits == 0) {
1127 *(pkcsBlock++) = 0;
1128 pkcsBlockLen--;
1129 }
1130
1131 if (saltLen == RSA_PSS_SALT_LEN_DEFAULT) {
1132 saltLen = hLen;
1133 #ifdef WOLFSSL_SHA512
1134 /* See FIPS 186-4 section 5.5 item (e). */
1135 if (bits == 1024 && hLen == WC_SHA512_DIGEST_SIZE) {
1136 saltLen = RSA_PSS_SALT_MAX_SZ;
1137 }
1138 #endif
1139 }
1140#ifndef WOLFSSL_PSS_LONG_SALT
1141 else if (saltLen > hLen) {
1142 return PSS_SALTLEN_E;
1143 }
1144#endif
1145#ifndef WOLFSSL_PSS_SALT_LEN_DISCOVER
1146 else if (saltLen < RSA_PSS_SALT_LEN_DEFAULT) {
1147 return PSS_SALTLEN_E;
1148 }
1149#else
1150 else if (saltLen == RSA_PSS_SALT_LEN_DISCOVER) {
1151 saltLen = (int)pkcsBlockLen - hLen - 2;
1152 if (saltLen < 0) {
1153 return PSS_SALTLEN_E;
1154 }
1155 }
1156 else if (saltLen < RSA_PSS_SALT_LEN_DISCOVER) {
1157 return PSS_SALTLEN_E;
1158 }
1159#endif
1160 if ((int)pkcsBlockLen - hLen < saltLen + 2) {
1161 return PSS_SALTLEN_E;
1162 }
1163
1164 maskLen = pkcsBlockLen - 1 - hLen;
1165
1166#if defined(WOLFSSL_PSS_LONG_SALT) || defined(WOLFSSL_PSS_SALT_LEN_DISCOVER)
1167 #if !defined(WOLFSSL_NO_MALLOC) || defined(WOLFSSL_STATIC_MEMORY)
1168 salt = (byte*)XMALLOC(RSA_PSS_PAD_SZ + inputLen + saltLen, heap,
1169 DYNAMIC_TYPE_RSA_BUFFER);
1170 if (salt == NULL) {
1171 return MEMORY_E;
1172 }
1173 #endif
1174 s = m = salt;
1175 XMEMSET(m, 0, RSA_PSS_PAD_SZ);
1176 m += RSA_PSS_PAD_SZ;
1177 XMEMCPY(m, input, inputLen);
1178 m += inputLen;
1179 o = (int)(m - s);
1180 if (saltLen > 0) {
1181 ret = wc_RNG_GenerateBlock(rng, m, saltLen);
1182 if (ret == 0) {
1183 m += saltLen;
1184 }
1185 }
1186#else
1187 s = m = pkcsBlock;
1188 XMEMSET(m, 0, RSA_PSS_PAD_SZ);
1189 m += RSA_PSS_PAD_SZ;
1190 XMEMCPY(m, input, inputLen);
1191 m += inputLen;
1192 o = 0;
1193 if (saltLen > 0) {
1194 ret = wc_RNG_GenerateBlock(rng, salt, saltLen);
1195 if (ret == 0) {
1196 XMEMCPY(m, salt, saltLen);
1197 m += saltLen;
1198 }
1199 }
1200#endif
1201 if (ret == 0) {
1202 /* Put Hash at end of pkcsBlock - 1 */
1203 ret = wc_Hash(hType, s, (word32)(m - s), pkcsBlock + maskLen, hLen);
1204 }
1205 if (ret == 0) {
1206 pkcsBlock[pkcsBlockLen - 1] = RSA_PSS_PAD_TERM;
1207
1208 ret = RsaMGF(mgf, pkcsBlock + maskLen, hLen, pkcsBlock, maskLen, heap);
1209 }
1210 if (ret == 0) {
1211 pkcsBlock[0] &= (1 << hiBits) - 1;
1212
1213 m = pkcsBlock + maskLen - saltLen - 1;
1214 *(m++) ^= 0x01;
1215 for (i = 0; i < saltLen; i++) {
1216 m[i] ^= salt[o + i];
1217 }
1218 }
1219
1220#if defined(WOLFSSL_PSS_LONG_SALT) || defined(WOLFSSL_PSS_SALT_LEN_DISCOVER)
1221 #if !defined(WOLFSSL_NO_MALLOC) || defined(WOLFSSL_STATIC_MEMORY)
1222 if (salt != NULL) {
1223 XFREE(salt, heap, DYNAMIC_TYPE_RSA_BUFFER);
1224 }
1225 #endif
1226#endif
1227 return ret;
1228}
1229#endif /* WC_RSA_PSS */
1230#endif /* !WC_NO_RNG */
1231
1232static int RsaPad(const byte* input, word32 inputLen, byte* pkcsBlock,
1233 word32 pkcsBlockLen, byte padValue, WC_RNG* rng)
1234{
1235 if (input == NULL || inputLen == 0 || pkcsBlock == NULL ||
1236 pkcsBlockLen == 0) {
1237 return BAD_FUNC_ARG;
1238 }
1239
1240 pkcsBlock[0] = 0x0; /* set first byte to zero and advance */
1241 pkcsBlock++; pkcsBlockLen--;
1242 pkcsBlock[0] = padValue; /* insert padValue */
1243
1244 if (padValue == RSA_BLOCK_TYPE_1) {
1245 if (pkcsBlockLen < inputLen + 2) {
1246 WOLFSSL_MSG("RsaPad error, invalid length");
1247 return RSA_PAD_E;
1248 }
1249
1250 /* pad with 0xff bytes */
1251 XMEMSET(&pkcsBlock[1], 0xFF, pkcsBlockLen - inputLen - 2);
1252 }
1253 else {
1254#if !defined(WOLFSSL_RSA_VERIFY_ONLY) && !defined(WC_NO_RNG)
1255 /* pad with non-zero random bytes */
1256 word32 padLen, i;
1257 int ret;
1258
1259 if (pkcsBlockLen < inputLen + 1) {
1260 WOLFSSL_MSG("RsaPad error, invalid length");
1261 return RSA_PAD_E;
1262 }
1263
1264 padLen = pkcsBlockLen - inputLen - 1;
1265 ret = wc_RNG_GenerateBlock(rng, &pkcsBlock[1], padLen);
1266 if (ret != 0) {
1267 return ret;
1268 }
1269
1270 /* remove zeros */
1271 for (i = 1; i < padLen; i++) {
1272 if (pkcsBlock[i] == 0) pkcsBlock[i] = 0x01;
1273 }
1274#else
1275 (void)rng;
1276 return RSA_WRONG_TYPE_E;
1277#endif
1278 }
1279
1280 pkcsBlock[pkcsBlockLen-inputLen-1] = 0; /* separator */
1281 XMEMCPY(pkcsBlock+pkcsBlockLen-inputLen, input, inputLen);
1282
1283 return 0;
1284}
1285
1286/* helper function to direct which padding is used */
1287int wc_RsaPad_ex(const byte* input, word32 inputLen, byte* pkcsBlock,
1288 word32 pkcsBlockLen, byte padValue, WC_RNG* rng, int padType,
1289 enum wc_HashType hType, int mgf, byte* optLabel, word32 labelLen,
1290 int saltLen, int bits, void* heap)
1291{
1292 int ret;
1293
1294 switch (padType)
1295 {
1296 case WC_RSA_PKCSV15_PAD:
1297 /*WOLFSSL_MSG("wolfSSL Using RSA PKCSV15 padding");*/
1298 ret = RsaPad(input, inputLen, pkcsBlock, pkcsBlockLen,
1299 padValue, rng);
1300 break;
1301
1302#ifndef WC_NO_RNG
1303 #ifndef WC_NO_RSA_OAEP
1304 case WC_RSA_OAEP_PAD:
1305 WOLFSSL_MSG("wolfSSL Using RSA OAEP padding");
1306 ret = RsaPad_OAEP(input, inputLen, pkcsBlock, pkcsBlockLen,
1307 padValue, rng, hType, mgf, optLabel, labelLen, heap);
1308 break;
1309 #endif
1310
1311 #ifdef WC_RSA_PSS
1312 case WC_RSA_PSS_PAD:
1313 WOLFSSL_MSG("wolfSSL Using RSA PSS padding");
1314 ret = RsaPad_PSS(input, inputLen, pkcsBlock, pkcsBlockLen, rng,
1315 hType, mgf, saltLen, bits, heap);
1316 break;
1317 #endif
1318#endif /* !WC_NO_RNG */
1319
1320 #ifdef WC_RSA_NO_PADDING
1321 case WC_RSA_NO_PAD:
1322 WOLFSSL_MSG("wolfSSL Using NO padding");
1323
1324 /* In the case of no padding being used check that input is exactly
1325 * the RSA key length */
1326 if (bits <= 0 || inputLen != ((word32)bits/WOLFSSL_BIT_SIZE)) {
1327 WOLFSSL_MSG("Bad input size");
1328 ret = RSA_PAD_E;
1329 }
1330 else {
1331 XMEMCPY(pkcsBlock, input, inputLen);
1332 ret = 0;
1333 }
1334 break;
1335 #endif
1336
1337 default:
1338 WOLFSSL_MSG("Unknown RSA Pad Type");
1339 ret = RSA_PAD_E;
1340 }
1341
1342 /* silence warning if not used with padding scheme */
1343 (void)input;
1344 (void)inputLen;
1345 (void)pkcsBlock;
1346 (void)pkcsBlockLen;
1347 (void)padValue;
1348 (void)rng;
1349 (void)padType;
1350 (void)hType;
1351 (void)mgf;
1352 (void)optLabel;
1353 (void)labelLen;
1354 (void)saltLen;
1355 (void)bits;
1356 (void)heap;
1357
1358 return ret;
1359}
1360#endif /* WOLFSSL_RSA_VERIFY_ONLY */
1361
1362
1363/* UnPadding */
1364#ifndef WC_NO_RSA_OAEP
1365/* UnPad plaintext, set start to *output, return length of plaintext,
1366 * < 0 on error */
1367static int RsaUnPad_OAEP(byte *pkcsBlock, unsigned int pkcsBlockLen,
1368 byte **output, enum wc_HashType hType, int mgf,
1369 byte* optLabel, word32 labelLen, void* heap)
1370{
1371 int hLen;
1372 int ret;
1373 byte h[WC_MAX_DIGEST_SIZE]; /* max digest size */
1374 byte* tmp;
1375 word32 idx;
1376
1377 /* no label is allowed, but catch if no label provided and length > 0 */
1378 if (optLabel == NULL && labelLen > 0) {
1379 return BUFFER_E;
1380 }
1381
1382 hLen = wc_HashGetDigestSize(hType);
1383 if ((hLen < 0) || (pkcsBlockLen < (2 * (word32)hLen + 2))) {
1384 return BAD_FUNC_ARG;
1385 }
1386
1387 tmp = (byte*)XMALLOC(pkcsBlockLen, heap, DYNAMIC_TYPE_RSA_BUFFER);
1388 if (tmp == NULL) {
1389 return MEMORY_E;
1390 }
1391 XMEMSET(tmp, 0, pkcsBlockLen);
1392
1393 /* find seedMask value */
1394 if ((ret = RsaMGF(mgf, (byte*)(pkcsBlock + (hLen + 1)),
1395 pkcsBlockLen - hLen - 1, tmp, hLen, heap)) != 0) {
1396 XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER);
1397 return ret;
1398 }
1399
1400 /* xor seedMask value with maskedSeed to get seed value */
1401 for (idx = 0; idx < (word32)hLen; idx++) {
1402 tmp[idx] = tmp[idx] ^ pkcsBlock[1 + idx];
1403 }
1404
1405 /* get dbMask value */
1406 if ((ret = RsaMGF(mgf, tmp, hLen, tmp + hLen,
1407 pkcsBlockLen - hLen - 1, heap)) != 0) {
1408 XFREE(tmp, NULL, DYNAMIC_TYPE_RSA_BUFFER);
1409 return ret;
1410 }
1411
1412 /* get DB value by doing maskedDB xor dbMask */
1413 for (idx = 0; idx < (pkcsBlockLen - hLen - 1); idx++) {
1414 pkcsBlock[hLen + 1 + idx] = pkcsBlock[hLen + 1 + idx] ^ tmp[idx + hLen];
1415 }
1416
1417 /* done with use of tmp buffer */
1418 XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER);
1419
1420 /* advance idx to index of PS and msg separator, account for PS size of 0*/
1421 idx = hLen + 1 + hLen;
1422 while (idx < pkcsBlockLen && pkcsBlock[idx] == 0) {idx++;}
1423
1424 /* create hash of label for comparison with hash sent */
1425 if ((ret = wc_Hash(hType, optLabel, labelLen, h, hLen)) != 0) {
1426 return ret;
1427 }
1428
1429 /* say no to chosen ciphertext attack.
1430 Comparison of lHash, Y, and separator value needs to all happen in
1431 constant time.
1432 Attackers should not be able to get error condition from the timing of
1433 these checks.
1434 */
1435 ret = 0;
1436 ret |= ConstantCompare(pkcsBlock + hLen + 1, h, hLen);
1437 ret += pkcsBlock[idx++] ^ 0x01; /* separator value is 0x01 */
1438 ret += pkcsBlock[0] ^ 0x00; /* Y, the first value, should be 0 */
1439
1440 /* Return 0 data length on error. */
1441 idx = ctMaskSelInt(ctMaskEq(ret, 0), idx, pkcsBlockLen);
1442
1443 /* adjust pointer to correct location in array and return size of M */
1444 *output = (byte*)(pkcsBlock + idx);
1445 return pkcsBlockLen - idx;
1446}
1447#endif /* WC_NO_RSA_OAEP */
1448
1449#ifdef WC_RSA_PSS
1450/* 0x00 .. 0x00 0x01 | Salt | Gen Hash | 0xbc
1451 * MGF over all bytes down to end of Salt
1452 *
1453 * pkcsBlock Buffer holding decrypted data.
1454 * pkcsBlockLen Length of buffer.
1455 * htype Hash function to use.
1456 * mgf Mask generation function.
1457 * saltLen Length of salt to put in padding.
1458 * bits Length of key in bits.
1459 * heap Used for dynamic memory allocation.
1460 * returns 0 on success, PSS_SALTLEN_E when the salt length is invalid,
1461 * BAD_PADDING_E when the padding is not valid, MEMORY_E when allocation fails
1462 * and other negative values on error.
1463 */
1464static int RsaUnPad_PSS(byte *pkcsBlock, unsigned int pkcsBlockLen,
1465 byte **output, enum wc_HashType hType, int mgf,
1466 int saltLen, int bits, void* heap)
1467{
1468 int ret;
1469 byte* tmp;
1470 int hLen, i, maskLen;
1471#ifdef WOLFSSL_SHA512
1472 int orig_bits = bits;
1473#endif
1474#if defined(WOLFSSL_NO_MALLOC) && !defined(WOLFSSL_STATIC_MEMORY)
1475 byte tmp_buf[RSA_MAX_SIZE/8];
1476 tmp = tmp_buf;
1477
1478 if (pkcsBlockLen > RSA_MAX_SIZE/8) {
1479 return MEMORY_E;
1480 }
1481#endif
1482
1483 hLen = wc_HashGetDigestSize(hType);
1484 if (hLen < 0)
1485 return hLen;
1486 bits = (bits - 1) & 0x7;
1487 if ((pkcsBlock[0] & (0xff << bits)) != 0) {
1488 return BAD_PADDING_E;
1489 }
1490 if (bits == 0) {
1491 pkcsBlock++;
1492 pkcsBlockLen--;
1493 }
1494 maskLen = (int)pkcsBlockLen - 1 - hLen;
1495 if (maskLen < 0) {
1496 WOLFSSL_MSG("RsaUnPad_PSS: Hash too large");
1497 return WC_KEY_SIZE_E;
1498 }
1499
1500 if (saltLen == RSA_PSS_SALT_LEN_DEFAULT) {
1501 saltLen = hLen;
1502 #ifdef WOLFSSL_SHA512
1503 /* See FIPS 186-4 section 5.5 item (e). */
1504 if (orig_bits == 1024 && hLen == WC_SHA512_DIGEST_SIZE)
1505 saltLen = RSA_PSS_SALT_MAX_SZ;
1506 #endif
1507 }
1508#ifndef WOLFSSL_PSS_LONG_SALT
1509 else if (saltLen > hLen)
1510 return PSS_SALTLEN_E;
1511#endif
1512#ifndef WOLFSSL_PSS_SALT_LEN_DISCOVER
1513 else if (saltLen < RSA_PSS_SALT_LEN_DEFAULT)
1514 return PSS_SALTLEN_E;
1515 if (maskLen < saltLen + 1) {
1516 return PSS_SALTLEN_E;
1517 }
1518#else
1519 else if (saltLen < RSA_PSS_SALT_LEN_DISCOVER)
1520 return PSS_SALTLEN_E;
1521 if (saltLen != RSA_PSS_SALT_LEN_DISCOVER && maskLen < saltLen + 1) {
1522 return WC_KEY_SIZE_E;
1523 }
1524#endif
1525
1526 if (pkcsBlock[pkcsBlockLen - 1] != RSA_PSS_PAD_TERM) {
1527 WOLFSSL_MSG("RsaUnPad_PSS: Padding Term Error");
1528 return BAD_PADDING_E;
1529 }
1530
1531#if !defined(WOLFSSL_NO_MALLOC) || defined(WOLFSSL_STATIC_MEMORY)
1532 tmp = (byte*)XMALLOC(maskLen, heap, DYNAMIC_TYPE_RSA_BUFFER);
1533 if (tmp == NULL) {
1534 return MEMORY_E;
1535 }
1536#endif
1537
1538 if ((ret = RsaMGF(mgf, pkcsBlock + maskLen, hLen, tmp, maskLen,
1539 heap)) != 0) {
1540 XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER);
1541 return ret;
1542 }
1543
1544 tmp[0] &= (1 << bits) - 1;
1545 pkcsBlock[0] &= (1 << bits) - 1;
1546#ifdef WOLFSSL_PSS_SALT_LEN_DISCOVER
1547 if (saltLen == RSA_PSS_SALT_LEN_DISCOVER) {
1548 for (i = 0; i < maskLen - 1; i++) {
1549 if (tmp[i] != pkcsBlock[i]) {
1550 break;
1551 }
1552 }
1553 if (tmp[i] != (pkcsBlock[i] ^ 0x01)) {
1554 XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER);
1555 WOLFSSL_MSG("RsaUnPad_PSS: Padding Error Match");
1556 return PSS_SALTLEN_RECOVER_E;
1557 }
1558 saltLen = maskLen - (i + 1);
1559 }
1560 else
1561#endif
1562 {
1563 for (i = 0; i < maskLen - 1 - saltLen; i++) {
1564 if (tmp[i] != pkcsBlock[i]) {
1565 XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER);
1566 WOLFSSL_MSG("RsaUnPad_PSS: Padding Error Match");
1567 return PSS_SALTLEN_E;
1568 }
1569 }
1570 if (tmp[i] != (pkcsBlock[i] ^ 0x01)) {
1571 XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER);
1572 WOLFSSL_MSG("RsaUnPad_PSS: Padding Error End");
1573 return PSS_SALTLEN_E;
1574 }
1575 }
1576 for (i++; i < maskLen; i++)
1577 pkcsBlock[i] ^= tmp[i];
1578
1579#if !defined(WOLFSSL_NO_MALLOC) || defined(WOLFSSL_STATIC_MEMORY)
1580 XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER);
1581#endif
1582
1583 *output = pkcsBlock + maskLen - saltLen;
1584 return saltLen + hLen;
1585}
1586#endif
1587
1588/* UnPad plaintext, set start to *output, return length of plaintext,
1589 * < 0 on error */
1590static int RsaUnPad(const byte *pkcsBlock, unsigned int pkcsBlockLen,
1591 byte **output, byte padValue)
1592{
1593 int ret = BAD_FUNC_ARG;
1594 word16 i;
1595#ifndef WOLFSSL_RSA_VERIFY_ONLY
1596 byte invalid = 0;
1597#endif
1598
1599 if (output == NULL || pkcsBlockLen == 0 || pkcsBlockLen > 0xFFFF) {
1600 return BAD_FUNC_ARG;
1601 }
1602
1603 if (padValue == RSA_BLOCK_TYPE_1) {
1604 /* First byte must be 0x00 and Second byte, block type, 0x01 */
1605 if (pkcsBlock[0] != 0 || pkcsBlock[1] != RSA_BLOCK_TYPE_1) {
1606 WOLFSSL_MSG("RsaUnPad error, invalid formatting");
1607 return RSA_PAD_E;
1608 }
1609
1610 /* check the padding until we find the separator */
1611 for (i = 2; i < pkcsBlockLen && pkcsBlock[i++] == 0xFF; ) { }
1612
1613 /* Minimum of 11 bytes of pre-message data and must have separator. */
1614 if (i < RSA_MIN_PAD_SZ || pkcsBlock[i-1] != 0) {
1615 WOLFSSL_MSG("RsaUnPad error, bad formatting");
1616 return RSA_PAD_E;
1617 }
1618
1619 *output = (byte *)(pkcsBlock + i);
1620 ret = pkcsBlockLen - i;
1621 }
1622#ifndef WOLFSSL_RSA_VERIFY_ONLY
1623 else {
1624 word16 j;
1625 word16 pastSep = 0;
1626
1627 /* Decrypted with private key - unpad must be constant time. */
1628 for (i = 0, j = 2; j < pkcsBlockLen; j++) {
1629 /* Update i if not passed the separator and at separator. */
1630 i |= (~pastSep) & ctMask16Eq(pkcsBlock[j], 0x00) & (j + 1);
1631 pastSep |= ctMask16Eq(pkcsBlock[j], 0x00);
1632 }
1633
1634 /* Minimum of 11 bytes of pre-message data - including leading 0x00. */
1635 invalid |= ctMaskLT(i, RSA_MIN_PAD_SZ);
1636 /* Must have seen separator. */
1637 invalid |= ~pastSep;
1638 /* First byte must be 0x00. */
1639 invalid |= ctMaskNotEq(pkcsBlock[0], 0x00);
1640 /* Check against expected block type: padValue */
1641 invalid |= ctMaskNotEq(pkcsBlock[1], padValue);
1642
1643 *output = (byte *)(pkcsBlock + i);
1644 ret = ((int)~invalid) & (pkcsBlockLen - i);
1645 }
1646#endif
1647
1648 return ret;
1649}
1650
1651/* helper function to direct unpadding
1652 *
1653 * bits is the key modulus size in bits
1654 */
1655int wc_RsaUnPad_ex(byte* pkcsBlock, word32 pkcsBlockLen, byte** out,
1656 byte padValue, int padType, enum wc_HashType hType,
1657 int mgf, byte* optLabel, word32 labelLen, int saltLen,
1658 int bits, void* heap)
1659{
1660 int ret;
1661
1662 switch (padType) {
1663 case WC_RSA_PKCSV15_PAD:
1664 /*WOLFSSL_MSG("wolfSSL Using RSA PKCSV15 un-padding");*/
1665 ret = RsaUnPad(pkcsBlock, pkcsBlockLen, out, padValue);
1666 break;
1667
1668 #ifndef WC_NO_RSA_OAEP
1669 case WC_RSA_OAEP_PAD:
1670 WOLFSSL_MSG("wolfSSL Using RSA OAEP un-padding");
1671 ret = RsaUnPad_OAEP((byte*)pkcsBlock, pkcsBlockLen, out,
1672 hType, mgf, optLabel, labelLen, heap);
1673 break;
1674 #endif
1675
1676 #ifdef WC_RSA_PSS
1677 case WC_RSA_PSS_PAD:
1678 WOLFSSL_MSG("wolfSSL Using RSA PSS un-padding");
1679 ret = RsaUnPad_PSS((byte*)pkcsBlock, pkcsBlockLen, out, hType, mgf,
1680 saltLen, bits, heap);
1681 break;
1682 #endif
1683
1684 #ifdef WC_RSA_NO_PADDING
1685 case WC_RSA_NO_PAD:
1686 WOLFSSL_MSG("wolfSSL Using NO un-padding");
1687
1688 /* In the case of no padding being used check that input is exactly
1689 * the RSA key length */
1690 if (bits <= 0 || pkcsBlockLen !=
1691 ((word32)(bits+WOLFSSL_BIT_SIZE-1)/WOLFSSL_BIT_SIZE)) {
1692 WOLFSSL_MSG("Bad input size");
1693 ret = RSA_PAD_E;
1694 }
1695 else {
1696 if (out != NULL) {
1697 *out = pkcsBlock;
1698 }
1699 ret = pkcsBlockLen;
1700 }
1701 break;
1702 #endif /* WC_RSA_NO_PADDING */
1703
1704 default:
1705 WOLFSSL_MSG("Unknown RSA UnPad Type");
1706 ret = RSA_PAD_E;
1707 }
1708
1709 /* silence warning if not used with padding scheme */
1710 (void)hType;
1711 (void)mgf;
1712 (void)optLabel;
1713 (void)labelLen;
1714 (void)saltLen;
1715 (void)bits;
1716 (void)heap;
1717
1718 return ret;
1719}
1720
1721#if defined(WOLFSSL_XILINX_CRYPT)
1722/*
1723 * Xilinx hardened crypto acceleration.
1724 *
1725 * Returns 0 on success and negative values on error.
1726 */
1727static int wc_RsaFunctionXil(const byte* in, word32 inLen, byte* out,
1728 word32* outLen, int type, RsaKey* key, WC_RNG* rng)
1729{
1730 int ret = 0;
1731 word32 keyLen;
1732 (void)rng;
1733
1734 keyLen = wc_RsaEncryptSize(key);
1735 if (keyLen > *outLen) {
1736 WOLFSSL_MSG("Output buffer is not big enough");
1737 return BAD_FUNC_ARG;
1738 }
1739
1740 if (inLen != keyLen) {
1741 WOLFSSL_MSG("Expected that inLen equals RSA key length");
1742 return BAD_FUNC_ARG;
1743 }
1744
1745 switch(type) {
1746 case RSA_PRIVATE_DECRYPT:
1747 case RSA_PRIVATE_ENCRYPT:
1748 /* Currently public exponent is loaded by default.
1749 * In SDK 2017.1 RSA exponent values are expected to be of 4 bytes
1750 * leading to private key operations with Xsecure_RsaDecrypt not being
1751 * supported */
1752 ret = RSA_WRONG_TYPE_E;
1753 break;
1754 case RSA_PUBLIC_ENCRYPT:
1755 case RSA_PUBLIC_DECRYPT:
1756 if (XSecure_RsaDecrypt(&(key->xRsa), in, out) != XST_SUCCESS) {
1757 ret = BAD_STATE_E;
1758 }
1759 break;
1760 default:
1761 ret = RSA_WRONG_TYPE_E;
1762 }
1763
1764 *outLen = keyLen;
1765
1766 return ret;
1767}
1768#endif /* WOLFSSL_XILINX_CRYPT */
1769
1770#ifdef WC_RSA_NONBLOCK
1771static int wc_RsaFunctionNonBlock(const byte* in, word32 inLen, byte* out,
1772 word32* outLen, int type, RsaKey* key)
1773{
1774 int ret = 0;
1775 word32 keyLen, len;
1776
1777 if (key == NULL || key->nb == NULL) {
1778 return BAD_FUNC_ARG;
1779 }
1780
1781 if (key->nb->exptmod.state == TFM_EXPTMOD_NB_INIT) {
1782 if (mp_init(&key->nb->tmp) != MP_OKAY) {
1783 ret = MP_INIT_E;
1784 }
1785
1786 if (ret == 0) {
1787 if (mp_read_unsigned_bin(&key->nb->tmp, (byte*)in, inLen) != MP_OKAY) {
1788 ret = MP_READ_E;
1789 }
1790 }
1791 }
1792
1793 if (ret == 0) {
1794 switch(type) {
1795 case RSA_PRIVATE_DECRYPT:
1796 case RSA_PRIVATE_ENCRYPT:
1797 ret = fp_exptmod_nb(&key->nb->exptmod, &key->nb->tmp, &key->d,
1798 &key->n, &key->nb->tmp);
1799 if (ret == FP_WOULDBLOCK)
1800 return ret;
1801 if (ret != MP_OKAY)
1802 ret = MP_EXPTMOD_E;
1803 break;
1804
1805 case RSA_PUBLIC_ENCRYPT:
1806 case RSA_PUBLIC_DECRYPT:
1807 ret = fp_exptmod_nb(&key->nb->exptmod, &key->nb->tmp, &key->e,
1808 &key->n, &key->nb->tmp);
1809 if (ret == FP_WOULDBLOCK)
1810 return ret;
1811 if (ret != MP_OKAY)
1812 ret = MP_EXPTMOD_E;
1813 break;
1814 default:
1815 ret = RSA_WRONG_TYPE_E;
1816 break;
1817 }
1818 }
1819
1820 if (ret == 0) {
1821 keyLen = wc_RsaEncryptSize(key);
1822 if (keyLen > *outLen)
1823 ret = RSA_BUFFER_E;
1824 }
1825 if (ret == 0) {
1826 len = mp_unsigned_bin_size(&key->nb->tmp);
1827
1828 /* pad front w/ zeros to match key length */
1829 while (len < keyLen) {
1830 *out++ = 0x00;
1831 len++;
1832 }
1833
1834 *outLen = keyLen;
1835
1836 /* convert */
1837 if (mp_to_unsigned_bin(&key->nb->tmp, out) != MP_OKAY) {
1838 ret = MP_TO_E;
1839 }
1840 }
1841
1842 mp_clear(&key->nb->tmp);
1843
1844 return ret;
1845}
1846#endif /* WC_RSA_NONBLOCK */
1847
1848#ifdef WOLFSSL_AFALG_XILINX_RSA
1849#ifndef ERROR_OUT
1850#define ERROR_OUT(x) ret = (x); goto done
1851#endif
1852
1853static const char WC_TYPE_ASYMKEY[] = "skcipher";
1854static const char WC_NAME_RSA[] = "xilinx-zynqmp-rsa";
1855#ifndef MAX_XILINX_RSA_KEY
1856 /* max key size of 4096 bits / 512 bytes */
1857 #define MAX_XILINX_RSA_KEY 512
1858#endif
1859static const byte XILINX_RSA_FLAG[] = {0x1};
1860
1861
1862/* AF_ALG implementation of RSA */
1863static int wc_RsaFunctionSync(const byte* in, word32 inLen, byte* out,
1864 word32* outLen, int type, RsaKey* key, WC_RNG* rng)
1865{
1866 struct msghdr msg;
1867 struct cmsghdr* cmsg;
1868 struct iovec iov;
1869 byte* keyBuf = NULL;
1870 word32 keyBufSz = 0;
1871 char cbuf[CMSG_SPACE(4) + CMSG_SPACE(sizeof(struct af_alg_iv) + 1)] = {0};
1872 int ret = 0;
1873 int op = 0; /* decryption vs encryption flag */
1874 word32 keyLen;
1875
1876 /* input and output buffer need to be aligned */
1877 ALIGN64 byte outBuf[MAX_XILINX_RSA_KEY];
1878 ALIGN64 byte inBuf[MAX_XILINX_RSA_KEY];
1879
1880 XMEMSET(&msg, 0, sizeof(struct msghdr));
1881 (void)rng;
1882
1883 keyLen = wc_RsaEncryptSize(key);
1884 if (keyLen > *outLen) {
1885 ERROR_OUT(RSA_BUFFER_E);
1886 }
1887
1888 if (keyLen > MAX_XILINX_RSA_KEY) {
1889 WOLFSSL_MSG("RSA key size larger than supported");
1890 ERROR_OUT(BAD_FUNC_ARG);
1891 }
1892
1893 if ((keyBuf = (byte*)XMALLOC(keyLen * 2, key->heap, DYNAMIC_TYPE_KEY))
1894 == NULL) {
1895 ERROR_OUT(MEMORY_E);
1896 }
1897
1898 if ((ret = mp_to_unsigned_bin(&(key->n), keyBuf)) != MP_OKAY) {
1899 ERROR_OUT(MP_TO_E);
1900 }
1901
1902 switch(type) {
1903 case RSA_PRIVATE_DECRYPT:
1904 case RSA_PRIVATE_ENCRYPT:
1905 op = 1; /* set as decrypt */
1906 {
1907 keyBufSz = mp_unsigned_bin_size(&(key->d));
1908 if ((mp_to_unsigned_bin(&(key->d), keyBuf + keyLen))
1909 != MP_OKAY) {
1910 ERROR_OUT(MP_TO_E);
1911 }
1912 }
1913 break;
1914
1915 case RSA_PUBLIC_DECRYPT:
1916 case RSA_PUBLIC_ENCRYPT: {
1917 word32 exp = 0;
1918 word32 eSz = mp_unsigned_bin_size(&(key->e));
1919 if ((mp_to_unsigned_bin(&(key->e), (byte*)&exp +
1920 (sizeof(word32) - eSz))) != MP_OKAY) {
1921 ERROR_OUT(MP_TO_E);
1922 }
1923 keyBufSz = sizeof(word32);
1924 XMEMCPY(keyBuf + keyLen, (byte*)&exp, keyBufSz);
1925 break;
1926 }
1927
1928 default:
1929 ERROR_OUT(RSA_WRONG_TYPE_E);
1930 }
1931 keyBufSz += keyLen; /* add size of modulus */
1932
1933 /* check for existing sockets before creating new ones */
1934 if (key->alFd > 0) {
1935 close(key->alFd);
1936 key->alFd = WC_SOCK_NOTSET;
1937 }
1938 if (key->rdFd > 0) {
1939 close(key->rdFd);
1940 key->rdFd = WC_SOCK_NOTSET;
1941 }
1942
1943 /* create new sockets and set the key to use */
1944 if ((key->alFd = wc_Afalg_Socket()) < 0) {
1945 WOLFSSL_MSG("Unable to create socket");
1946 ERROR_OUT(key->alFd);
1947 }
1948 if ((key->rdFd = wc_Afalg_CreateRead(key->alFd, WC_TYPE_ASYMKEY,
1949 WC_NAME_RSA)) < 0) {
1950 WOLFSSL_MSG("Unable to bind and create read/send socket");
1951 ERROR_OUT(key->rdFd);
1952 }
1953 if ((ret = setsockopt(key->alFd, SOL_ALG, ALG_SET_KEY, keyBuf,
1954 keyBufSz)) < 0) {
1955 WOLFSSL_MSG("Error setting RSA key");
1956 ERROR_OUT(ret);
1957 }
1958
1959 msg.msg_control = cbuf;
1960 msg.msg_controllen = sizeof(cbuf);
1961 cmsg = CMSG_FIRSTHDR(&msg);
1962 if ((ret = wc_Afalg_SetOp(cmsg, op)) < 0) {
1963 ERROR_OUT(ret);
1964 }
1965
1966 /* set flag in IV spot, needed for Xilinx hardware acceleration use */
1967 cmsg = CMSG_NXTHDR(&msg, cmsg);
1968 if ((ret = wc_Afalg_SetIv(cmsg, (byte*)XILINX_RSA_FLAG,
1969 sizeof(XILINX_RSA_FLAG))) != 0) {
1970 ERROR_OUT(ret);
1971 }
1972
1973 /* compose and send msg */
1974 XMEMCPY(inBuf, (byte*)in, inLen); /* for alignment */
1975 iov.iov_base = inBuf;
1976 iov.iov_len = inLen;
1977 msg.msg_iov = &iov;
1978 msg.msg_iovlen = 1;
1979 if ((ret = sendmsg(key->rdFd, &msg, 0)) <= 0) {
1980 ERROR_OUT(WC_AFALG_SOCK_E);
1981 }
1982
1983 if ((ret = read(key->rdFd, outBuf, inLen)) <= 0) {
1984 ERROR_OUT(WC_AFALG_SOCK_E);
1985 }
1986 XMEMCPY(out, outBuf, ret);
1987 *outLen = keyLen;
1988
1989done:
1990 /* clear key data and free buffer */
1991 if (keyBuf != NULL) {
1992 ForceZero(keyBuf, keyBufSz);
1993 }
1994 XFREE(keyBuf, key->heap, DYNAMIC_TYPE_KEY);
1995
1996 if (key->alFd > 0) {
1997 close(key->alFd);
1998 key->alFd = WC_SOCK_NOTSET;
1999 }
2000 if (key->rdFd > 0) {
2001 close(key->rdFd);
2002 key->rdFd = WC_SOCK_NOTSET;
2003 }
2004
2005 return ret;
2006}
2007
2008#else
2009static int wc_RsaFunctionSync(const byte* in, word32 inLen, byte* out,
2010 word32* outLen, int type, RsaKey* key, WC_RNG* rng)
2011{
2012#ifndef WOLFSSL_SP_MATH
2013#ifdef WOLFSSL_SMALL_STACK
2014 mp_int* tmp;
2015#ifdef WC_RSA_BLINDING
2016 mp_int* rnd;
2017 mp_int* rndi;
2018#endif
2019#else
2020 mp_int tmp[1];
2021#ifdef WC_RSA_BLINDING
2022 mp_int rnd[1], rndi[1];
2023#endif
2024#endif
2025 int ret = 0;
2026 word32 keyLen = 0;
2027#endif
2028
2029#ifdef WOLFSSL_HAVE_SP_RSA
2030#ifndef WOLFSSL_SP_NO_2048
2031 if (mp_count_bits(&key->n) == 2048) {
2032 switch(type) {
2033#ifndef WOLFSSL_RSA_PUBLIC_ONLY
2034 case RSA_PRIVATE_DECRYPT:
2035 case RSA_PRIVATE_ENCRYPT:
2036 #ifdef WC_RSA_BLINDING
2037 if (rng == NULL)
2038 return MISSING_RNG_E;
2039 #endif
2040 #ifndef RSA_LOW_MEM
2041 return sp_RsaPrivate_2048(in, inLen, &key->d, &key->p, &key->q,
2042 &key->dP, &key->dQ, &key->u, &key->n,
2043 out, outLen);
2044 #else
2045 return sp_RsaPrivate_2048(in, inLen, &key->d, &key->p, &key->q,
2046 NULL, NULL, NULL, &key->n, out, outLen);
2047 #endif
2048#endif
2049 case RSA_PUBLIC_ENCRYPT:
2050 case RSA_PUBLIC_DECRYPT:
2051 return sp_RsaPublic_2048(in, inLen, &key->e, &key->n, out, outLen);
2052 }
2053 }
2054#endif
2055#ifndef WOLFSSL_SP_NO_3072
2056 if (mp_count_bits(&key->n) == 3072) {
2057 switch(type) {
2058#ifndef WOLFSSL_RSA_PUBLIC_ONLY
2059 case RSA_PRIVATE_DECRYPT:
2060 case RSA_PRIVATE_ENCRYPT:
2061 #ifdef WC_RSA_BLINDING
2062 if (rng == NULL)
2063 return MISSING_RNG_E;
2064 #endif
2065 #ifndef RSA_LOW_MEM
2066 return sp_RsaPrivate_3072(in, inLen, &key->d, &key->p, &key->q,
2067 &key->dP, &key->dQ, &key->u, &key->n,
2068 out, outLen);
2069 #else
2070 return sp_RsaPrivate_3072(in, inLen, &key->d, &key->p, &key->q,
2071 NULL, NULL, NULL, &key->n, out, outLen);
2072 #endif
2073#endif
2074 case RSA_PUBLIC_ENCRYPT:
2075 case RSA_PUBLIC_DECRYPT:
2076 return sp_RsaPublic_3072(in, inLen, &key->e, &key->n, out, outLen);
2077 }
2078 }
2079#endif
2080#ifdef WOLFSSL_SP_4096
2081 if (mp_count_bits(&key->n) == 4096) {
2082 switch(type) {
2083#ifndef WOLFSSL_RSA_PUBLIC_ONLY
2084 case RSA_PRIVATE_DECRYPT:
2085 case RSA_PRIVATE_ENCRYPT:
2086 #ifdef WC_RSA_BLINDING
2087 if (rng == NULL)
2088 return MISSING_RNG_E;
2089 #endif
2090 #ifndef RSA_LOW_MEM
2091 return sp_RsaPrivate_4096(in, inLen, &key->d, &key->p, &key->q,
2092 &key->dP, &key->dQ, &key->u, &key->n,
2093 out, outLen);
2094 #else
2095 return sp_RsaPrivate_4096(in, inLen, &key->d, &key->p, &key->q,
2096 NULL, NULL, NULL, &key->n, out, outLen);
2097 #endif
2098#endif
2099 case RSA_PUBLIC_ENCRYPT:
2100 case RSA_PUBLIC_DECRYPT:
2101 return sp_RsaPublic_4096(in, inLen, &key->e, &key->n, out, outLen);
2102 }
2103 }
2104#endif
2105#endif /* WOLFSSL_HAVE_SP_RSA */
2106
2107#ifdef WOLFSSL_SP_MATH
2108 (void)rng;
2109 WOLFSSL_MSG("SP Key Size Error");
2110 return WC_KEY_SIZE_E;
2111#else
2112 (void)rng;
2113
2114#ifdef WOLFSSL_SMALL_STACK
2115 tmp = (mp_int*)XMALLOC(sizeof(mp_int), key->heap, DYNAMIC_TYPE_RSA);
2116 if (tmp == NULL)
2117 return MEMORY_E;
2118#ifdef WC_RSA_BLINDING
2119 rnd = (mp_int*)XMALLOC(sizeof(mp_int) * 2, key->heap, DYNAMIC_TYPE_RSA);
2120 if (rnd == NULL) {
2121 XFREE(tmp, key->heap, DYNAMIC_TYPE_RSA);
2122 return MEMORY_E;
2123 }
2124 rndi = rnd + 1;
2125#endif /* WC_RSA_BLINDING */
2126#endif /* WOLFSSL_SMALL_STACK */
2127
2128 if (mp_init(tmp) != MP_OKAY)
2129 ret = MP_INIT_E;
2130
2131#ifdef WC_RSA_BLINDING
2132 if (ret == 0) {
2133 if (type == RSA_PRIVATE_DECRYPT || type == RSA_PRIVATE_ENCRYPT) {
2134 if (mp_init_multi(rnd, rndi, NULL, NULL, NULL, NULL) != MP_OKAY) {
2135 mp_clear(tmp);
2136 ret = MP_INIT_E;
2137 }
2138 }
2139 }
2140#endif
2141
2142#ifndef TEST_UNPAD_CONSTANT_TIME
2143 if (ret == 0 && mp_read_unsigned_bin(tmp, (byte*)in, inLen) != MP_OKAY)
2144 ret = MP_READ_E;
2145
2146 if (ret == 0) {
2147 switch(type) {
2148 #ifndef WOLFSSL_RSA_PUBLIC_ONLY
2149 case RSA_PRIVATE_DECRYPT:
2150 case RSA_PRIVATE_ENCRYPT:
2151 {
2152 #if defined(WC_RSA_BLINDING) && !defined(WC_NO_RNG)
2153 /* blind */
2154 ret = mp_rand(rnd, get_digit_count(&key->n), rng);
2155
2156 /* rndi = 1/rnd mod n */
2157 if (ret == 0 && mp_invmod(rnd, &key->n, rndi) != MP_OKAY)
2158 ret = MP_INVMOD_E;
2159
2160 /* rnd = rnd^e */
2161 if (ret == 0 && mp_exptmod(rnd, &key->e, &key->n, rnd) != MP_OKAY)
2162 ret = MP_EXPTMOD_E;
2163
2164 /* tmp = tmp*rnd mod n */
2165 if (ret == 0 && mp_mulmod(tmp, rnd, &key->n, tmp) != MP_OKAY)
2166 ret = MP_MULMOD_E;
2167 #endif /* WC_RSA_BLINDING && !WC_NO_RNG */
2168
2169 #ifdef RSA_LOW_MEM /* half as much memory but twice as slow */
2170 if (ret == 0 && mp_exptmod(tmp, &key->d, &key->n, tmp) != MP_OKAY)
2171 ret = MP_EXPTMOD_E;
2172 #else
2173 if (ret == 0) {
2174 #ifdef WOLFSSL_SMALL_STACK
2175 mp_int* tmpa;
2176 mp_int* tmpb = NULL;
2177 #else
2178 mp_int tmpa[1], tmpb[1];
2179 #endif
2180 int cleara = 0, clearb = 0;
2181
2182 #ifdef WOLFSSL_SMALL_STACK
2183 tmpa = (mp_int*)XMALLOC(sizeof(mp_int) * 2,
2184 key->heap, DYNAMIC_TYPE_RSA);
2185 if (tmpa != NULL)
2186 tmpb = tmpa + 1;
2187 else
2188 ret = MEMORY_E;
2189 #endif
2190
2191 if (ret == 0) {
2192 if (mp_init(tmpa) != MP_OKAY)
2193 ret = MP_INIT_E;
2194 else
2195 cleara = 1;
2196 }
2197
2198 if (ret == 0) {
2199 if (mp_init(tmpb) != MP_OKAY)
2200 ret = MP_INIT_E;
2201 else
2202 clearb = 1;
2203 }
2204
2205 /* tmpa = tmp^dP mod p */
2206 if (ret == 0 && mp_exptmod(tmp, &key->dP, &key->p,
2207 tmpa) != MP_OKAY)
2208 ret = MP_EXPTMOD_E;
2209
2210 /* tmpb = tmp^dQ mod q */
2211 if (ret == 0 && mp_exptmod(tmp, &key->dQ, &key->q,
2212 tmpb) != MP_OKAY)
2213 ret = MP_EXPTMOD_E;
2214
2215 /* tmp = (tmpa - tmpb) * qInv (mod p) */
2216 if (ret == 0 && mp_sub(tmpa, tmpb, tmp) != MP_OKAY)
2217 ret = MP_SUB_E;
2218
2219 if (ret == 0 && mp_mulmod(tmp, &key->u, &key->p,
2220 tmp) != MP_OKAY)
2221 ret = MP_MULMOD_E;
2222
2223 /* tmp = tmpb + q * tmp */
2224 if (ret == 0 && mp_mul(tmp, &key->q, tmp) != MP_OKAY)
2225 ret = MP_MUL_E;
2226
2227 if (ret == 0 && mp_add(tmp, tmpb, tmp) != MP_OKAY)
2228 ret = MP_ADD_E;
2229
2230 #ifdef WOLFSSL_SMALL_STACK
2231 if (tmpa != NULL)
2232 #endif
2233 {
2234 if (cleara)
2235 mp_clear(tmpa);
2236 if (clearb)
2237 mp_clear(tmpb);
2238 #ifdef WOLFSSL_SMALL_STACK
2239 XFREE(tmpa, key->heap, DYNAMIC_TYPE_RSA);
2240 #endif
2241 }
2242 } /* tmpa/b scope */
2243 #endif /* RSA_LOW_MEM */
2244
2245 #ifdef WC_RSA_BLINDING
2246 /* unblind */
2247 if (ret == 0 && mp_mulmod(tmp, rndi, &key->n, tmp) != MP_OKAY)
2248 ret = MP_MULMOD_E;
2249 #endif /* WC_RSA_BLINDING */
2250
2251 break;
2252 }
2253 #endif
2254 case RSA_PUBLIC_ENCRYPT:
2255 case RSA_PUBLIC_DECRYPT:
2256 #ifdef WOLFSSL_XILINX_CRYPT
2257 ret = wc_RsaFunctionXil(in, inLen, out, outLen, type, key, rng);
2258 #else
2259 if (mp_exptmod_nct(tmp, &key->e, &key->n, tmp) != MP_OKAY)
2260 ret = MP_EXPTMOD_E;
2261 #endif
2262 break;
2263 default:
2264 ret = RSA_WRONG_TYPE_E;
2265 break;
2266 }
2267 }
2268
2269 if (ret == 0) {
2270 keyLen = wc_RsaEncryptSize(key);
2271 if (keyLen > *outLen)
2272 ret = RSA_BUFFER_E;
2273 }
2274 if (ret == 0) {
2275 *outLen = keyLen;
2276 if (mp_to_unsigned_bin_len(tmp, out, keyLen) != MP_OKAY)
2277 ret = MP_TO_E;
2278 }
2279#else
2280 (void)type;
2281 (void)key;
2282 (void)keyLen;
2283 XMEMCPY(out, in, inLen);
2284 *outLen = inLen;
2285#endif
2286
2287 mp_clear(tmp);
2288#ifdef WOLFSSL_SMALL_STACK
2289 XFREE(tmp, key->heap, DYNAMIC_TYPE_RSA);
2290#endif
2291#ifdef WC_RSA_BLINDING
2292 if (type == RSA_PRIVATE_DECRYPT || type == RSA_PRIVATE_ENCRYPT) {
2293 mp_clear(rndi);
2294 mp_clear(rnd);
2295 }
2296#ifdef WOLFSSL_SMALL_STACK
2297 XFREE(rnd, key->heap, DYNAMIC_TYPE_RSA);
2298#endif
2299#endif /* WC_RSA_BLINDING */
2300 return ret;
2301#endif /* WOLFSSL_SP_MATH */
2302}
2303#endif
2304
2305#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_RSA)
2306static int wc_RsaFunctionAsync(const byte* in, word32 inLen, byte* out,
2307 word32* outLen, int type, RsaKey* key, WC_RNG* rng)
2308{
2309 int ret = 0;
2310
2311 (void)rng;
2312
2313#ifdef WOLFSSL_ASYNC_CRYPT_TEST
2314 if (wc_AsyncTestInit(&key->asyncDev, ASYNC_TEST_RSA_FUNC)) {
2315 WC_ASYNC_TEST* testDev = &key->asyncDev.test;
2316 testDev->rsaFunc.in = in;
2317 testDev->rsaFunc.inSz = inLen;
2318 testDev->rsaFunc.out = out;
2319 testDev->rsaFunc.outSz = outLen;
2320 testDev->rsaFunc.type = type;
2321 testDev->rsaFunc.key = key;
2322 testDev->rsaFunc.rng = rng;
2323 return WC_PENDING_E;
2324 }
2325#endif /* WOLFSSL_ASYNC_CRYPT_TEST */
2326
2327 switch(type) {
2328#ifndef WOLFSSL_RSA_PUBLIC_ONLY
2329 case RSA_PRIVATE_DECRYPT:
2330 case RSA_PRIVATE_ENCRYPT:
2331 #ifdef HAVE_CAVIUM
2332 key->dataLen = key->n.raw.len;
2333 ret = NitroxRsaExptMod(in, inLen,
2334 key->d.raw.buf, key->d.raw.len,
2335 key->n.raw.buf, key->n.raw.len,
2336 out, outLen, key);
2337 #elif defined(HAVE_INTEL_QA)
2338 #ifdef RSA_LOW_MEM
2339 ret = IntelQaRsaPrivate(&key->asyncDev, in, inLen,
2340 &key->d.raw, &key->n.raw,
2341 out, outLen);
2342 #else
2343 ret = IntelQaRsaCrtPrivate(&key->asyncDev, in, inLen,
2344 &key->p.raw, &key->q.raw,
2345 &key->dP.raw, &key->dQ.raw,
2346 &key->u.raw,
2347 out, outLen);
2348 #endif
2349 #else /* WOLFSSL_ASYNC_CRYPT_TEST */
2350 ret = wc_RsaFunctionSync(in, inLen, out, outLen, type, key, rng);
2351 #endif
2352 break;
2353#endif
2354
2355 case RSA_PUBLIC_ENCRYPT:
2356 case RSA_PUBLIC_DECRYPT:
2357 #ifdef HAVE_CAVIUM
2358 key->dataLen = key->n.raw.len;
2359 ret = NitroxRsaExptMod(in, inLen,
2360 key->e.raw.buf, key->e.raw.len,
2361 key->n.raw.buf, key->n.raw.len,
2362 out, outLen, key);
2363 #elif defined(HAVE_INTEL_QA)
2364 ret = IntelQaRsaPublic(&key->asyncDev, in, inLen,
2365 &key->e.raw, &key->n.raw,
2366 out, outLen);
2367 #else /* WOLFSSL_ASYNC_CRYPT_TEST */
2368 ret = wc_RsaFunctionSync(in, inLen, out, outLen, type, key, rng);
2369 #endif
2370 break;
2371
2372 default:
2373 ret = RSA_WRONG_TYPE_E;
2374 }
2375
2376 return ret;
2377}
2378#endif /* WOLFSSL_ASYNC_CRYPT && WC_ASYNC_ENABLE_RSA */
2379
2380#if defined(WC_RSA_DIRECT) || defined(WC_RSA_NO_PADDING)
2381/* Function that does the RSA operation directly with no padding.
2382 *
2383 * in buffer to do operation on
2384 * inLen length of input buffer
2385 * out buffer to hold results
2386 * outSz gets set to size of result buffer. Should be passed in as length
2387 * of out buffer. If the pointer "out" is null then outSz gets set to
2388 * the expected buffer size needed and LENGTH_ONLY_E gets returned.
2389 * key RSA key to use for encrypt/decrypt
2390 * type if using private or public key {RSA_PUBLIC_ENCRYPT,
2391 * RSA_PUBLIC_DECRYPT, RSA_PRIVATE_ENCRYPT, RSA_PRIVATE_DECRYPT}
2392 * rng wolfSSL RNG to use if needed
2393 *
2394 * returns size of result on success
2395 */
2396int wc_RsaDirect(byte* in, word32 inLen, byte* out, word32* outSz,
2397 RsaKey* key, int type, WC_RNG* rng)
2398{
2399 int ret;
2400
2401 if (in == NULL || outSz == NULL || key == NULL) {
2402 return BAD_FUNC_ARG;
2403 }
2404
2405 /* sanity check on type of RSA operation */
2406 switch (type) {
2407 case RSA_PUBLIC_ENCRYPT:
2408 case RSA_PUBLIC_DECRYPT:
2409 case RSA_PRIVATE_ENCRYPT:
2410 case RSA_PRIVATE_DECRYPT:
2411 break;
2412 default:
2413 WOLFSSL_MSG("Bad RSA type");
2414 return BAD_FUNC_ARG;
2415 }
2416
2417 if ((ret = wc_RsaEncryptSize(key)) < 0) {
2418 return BAD_FUNC_ARG;
2419 }
2420
2421 if (inLen != (word32)ret) {
2422 WOLFSSL_MSG("Bad input length. Should be RSA key size");
2423 return BAD_FUNC_ARG;
2424 }
2425
2426 if (out == NULL) {
2427 *outSz = inLen;
2428 return LENGTH_ONLY_E;
2429 }
2430
2431 switch (key->state) {
2432 case RSA_STATE_NONE:
2433 case RSA_STATE_ENCRYPT_PAD:
2434 case RSA_STATE_ENCRYPT_EXPTMOD:
2435 case RSA_STATE_DECRYPT_EXPTMOD:
2436 case RSA_STATE_DECRYPT_UNPAD:
2437 key->state = (type == RSA_PRIVATE_ENCRYPT ||
2438 type == RSA_PUBLIC_ENCRYPT) ? RSA_STATE_ENCRYPT_EXPTMOD:
2439 RSA_STATE_DECRYPT_EXPTMOD;
2440
2441 key->dataLen = *outSz;
2442
2443 ret = wc_RsaFunction(in, inLen, out, &key->dataLen, type, key, rng);
2444 if (ret >= 0 || ret == WC_PENDING_E) {
2445 key->state = (type == RSA_PRIVATE_ENCRYPT ||
2446 type == RSA_PUBLIC_ENCRYPT) ? RSA_STATE_ENCRYPT_RES:
2447 RSA_STATE_DECRYPT_RES;
2448 }
2449 if (ret < 0) {
2450 break;
2451 }
2452
2453 FALL_THROUGH;
2454
2455 case RSA_STATE_ENCRYPT_RES:
2456 case RSA_STATE_DECRYPT_RES:
2457 ret = key->dataLen;
2458 break;
2459
2460 default:
2461 ret = BAD_STATE_E;
2462 }
2463
2464 /* if async pending then skip cleanup*/
2465 if (ret == WC_PENDING_E
2466 #ifdef WC_RSA_NONBLOCK
2467 || ret == FP_WOULDBLOCK
2468 #endif
2469 ) {
2470 return ret;
2471 }
2472
2473 key->state = RSA_STATE_NONE;
2474 wc_RsaCleanup(key);
2475
2476 return ret;
2477}
2478#endif /* WC_RSA_DIRECT || WC_RSA_NO_PADDING */
2479
2480#if defined(WOLFSSL_CRYPTOCELL)
2481static int cc310_RsaPublicEncrypt(const byte* in, word32 inLen, byte* out,
2482 word32 outLen, RsaKey* key)
2483{
2484 CRYSError_t ret = 0;
2485 CRYS_RSAPrimeData_t primeData;
2486 int modulusSize = wc_RsaEncryptSize(key);
2487
2488 /* The out buffer must be at least modulus size bytes long. */
2489 if (outLen < modulusSize)
2490 return BAD_FUNC_ARG;
2491
2492 ret = CRYS_RSA_PKCS1v15_Encrypt(&wc_rndState,
2493 wc_rndGenVectFunc,
2494 &key->ctx.pubKey,
2495 &primeData,
2496 (byte*)in,
2497 inLen,
2498 out);
2499
2500 if (ret != SA_SILIB_RET_OK){
2501 WOLFSSL_MSG("CRYS_RSA_PKCS1v15_Encrypt failed");
2502 return -1;
2503 }
2504
2505 return modulusSize;
2506}
2507static int cc310_RsaPublicDecrypt(const byte* in, word32 inLen, byte* out,
2508 word32 outLen, RsaKey* key)
2509{
2510 CRYSError_t ret = 0;
2511 CRYS_RSAPrimeData_t primeData;
2512 uint16_t actualOutLen = outLen;
2513
2514 ret = CRYS_RSA_PKCS1v15_Decrypt(&key->ctx.privKey,
2515 &primeData,
2516 (byte*)in,
2517 inLen,
2518 out,
2519 &actualOutLen);
2520
2521 if (ret != SA_SILIB_RET_OK){
2522 WOLFSSL_MSG("CRYS_RSA_PKCS1v15_Decrypt failed");
2523 return -1;
2524 }
2525 return actualOutLen;
2526}
2527
2528int cc310_RsaSSL_Sign(const byte* in, word32 inLen, byte* out,
2529 word32 outLen, RsaKey* key, CRYS_RSA_HASH_OpMode_t mode)
2530{
2531 CRYSError_t ret = 0;
2532 uint16_t actualOutLen = outLen*sizeof(byte);
2533 CRYS_RSAPrivUserContext_t contextPrivate;
2534
2535 ret = CRYS_RSA_PKCS1v15_Sign(&wc_rndState,
2536 wc_rndGenVectFunc,
2537 &contextPrivate,
2538 &key->ctx.privKey,
2539 mode,
2540 (byte*)in,
2541 inLen,
2542 out,
2543 &actualOutLen);
2544
2545 if (ret != SA_SILIB_RET_OK){
2546 WOLFSSL_MSG("CRYS_RSA_PKCS1v15_Sign failed");
2547 return -1;
2548 }
2549 return actualOutLen;
2550}
2551
2552int cc310_RsaSSL_Verify(const byte* in, word32 inLen, byte* sig,
2553 RsaKey* key, CRYS_RSA_HASH_OpMode_t mode)
2554{
2555 CRYSError_t ret = 0;
2556 CRYS_RSAPubUserContext_t contextPub;
2557
2558 /* verify the signature in the sig pointer */
2559 ret = CRYS_RSA_PKCS1v15_Verify(&contextPub,
2560 &key->ctx.pubKey,
2561 mode,
2562 (byte*)in,
2563 inLen,
2564 sig);
2565
2566 if (ret != SA_SILIB_RET_OK){
2567 WOLFSSL_MSG("CRYS_RSA_PKCS1v15_Verify failed");
2568 return -1;
2569 }
2570
2571 return ret;
2572}
2573#endif /* WOLFSSL_CRYPTOCELL */
2574
2575int wc_RsaFunction(const byte* in, word32 inLen, byte* out,
2576 word32* outLen, int type, RsaKey* key, WC_RNG* rng)
2577{
2578 int ret = 0;
2579
2580 if (key == NULL || in == NULL || inLen == 0 || out == NULL ||
2581 outLen == NULL || *outLen == 0 || type == RSA_TYPE_UNKNOWN) {
2582 return BAD_FUNC_ARG;
2583 }
2584
2585#ifdef WOLF_CRYPTO_CB
2586 if (key->devId != INVALID_DEVID) {
2587 ret = wc_CryptoCb_Rsa(in, inLen, out, outLen, type, key, rng);
2588 if (ret != CRYPTOCB_UNAVAILABLE)
2589 return ret;
2590 /* fall-through when unavailable */
2591 ret = 0; /* reset error code and try using software */
2592 }
2593#endif
2594
2595#ifndef TEST_UNPAD_CONSTANT_TIME
2596#ifndef NO_RSA_BOUNDS_CHECK
2597 if (type == RSA_PRIVATE_DECRYPT &&
2598 key->state == RSA_STATE_DECRYPT_EXPTMOD) {
2599
2600 /* Check that 1 < in < n-1. (Requirement of 800-56B.) */
2601#ifdef WOLFSSL_SMALL_STACK
2602 mp_int* c;
2603#else
2604 mp_int c[1];
2605#endif
2606
2607#ifdef WOLFSSL_SMALL_STACK
2608 c = (mp_int*)XMALLOC(sizeof(mp_int), key->heap, DYNAMIC_TYPE_RSA);
2609 if (c == NULL)
2610 ret = MEMORY_E;
2611#endif
2612
2613 if (mp_init(c) != MP_OKAY)
2614 ret = MEMORY_E;
2615 if (ret == 0) {
2616 if (mp_read_unsigned_bin(c, in, inLen) != 0)
2617 ret = MP_READ_E;
2618 }
2619 if (ret == 0) {
2620 /* check c > 1 */
2621 if (mp_cmp_d(c, 1) != MP_GT)
2622 ret = RSA_OUT_OF_RANGE_E;
2623 }
2624 if (ret == 0) {
2625 /* add c+1 */
2626 if (mp_add_d(c, 1, c) != MP_OKAY)
2627 ret = MP_ADD_E;
2628 }
2629 if (ret == 0) {
2630 /* check c+1 < n */
2631 if (mp_cmp(c, &key->n) != MP_LT)
2632 ret = RSA_OUT_OF_RANGE_E;
2633 }
2634 mp_clear(c);
2635
2636#ifdef WOLFSSL_SMALL_STACK
2637 XFREE(c, key->heap, DYNAMIC_TYPE_RSA);
2638#endif
2639
2640 if (ret != 0)
2641 return ret;
2642 }
2643#endif /* NO_RSA_BOUNDS_CHECK */
2644#endif
2645
2646#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_RSA)
2647 if (key->asyncDev.marker == WOLFSSL_ASYNC_MARKER_RSA &&
2648 key->n.raw.len > 0) {
2649 ret = wc_RsaFunctionAsync(in, inLen, out, outLen, type, key, rng);
2650 }
2651 else
2652#endif
2653#ifdef WC_RSA_NONBLOCK
2654 if (key->nb) {
2655 ret = wc_RsaFunctionNonBlock(in, inLen, out, outLen, type, key);
2656 }
2657 else
2658#endif
2659 {
2660 ret = wc_RsaFunctionSync(in, inLen, out, outLen, type, key, rng);
2661 }
2662
2663 /* handle error */
2664 if (ret < 0 && ret != WC_PENDING_E
2665 #ifdef WC_RSA_NONBLOCK
2666 && ret != FP_WOULDBLOCK
2667 #endif
2668 ) {
2669 if (ret == MP_EXPTMOD_E) {
2670 /* This can happen due to incorrectly set FP_MAX_BITS or missing XREALLOC */
2671 WOLFSSL_MSG("RSA_FUNCTION MP_EXPTMOD_E: memory/config problem");
2672 }
2673
2674 key->state = RSA_STATE_NONE;
2675 wc_RsaCleanup(key);
2676 }
2677
2678 return ret;
2679}
2680
2681
2682#ifndef WOLFSSL_RSA_VERIFY_ONLY
2683/* Internal Wrappers */
2684/* Gives the option of choosing padding type
2685 in : input to be encrypted
2686 inLen: length of input buffer
2687 out: encrypted output
2688 outLen: length of encrypted output buffer
2689 key : wolfSSL initialized RSA key struct
2690 rng : wolfSSL initialized random number struct
2691 rsa_type : type of RSA: RSA_PUBLIC_ENCRYPT, RSA_PUBLIC_DECRYPT,
2692 RSA_PRIVATE_ENCRYPT or RSA_PRIVATE_DECRYPT
2693 pad_value: RSA_BLOCK_TYPE_1 or RSA_BLOCK_TYPE_2
2694 pad_type : type of padding: WC_RSA_PKCSV15_PAD, WC_RSA_OAEP_PAD,
2695 WC_RSA_NO_PAD or WC_RSA_PSS_PAD
2696 hash : type of hash algorithm to use found in wolfssl/wolfcrypt/hash.h
2697 mgf : type of mask generation function to use
2698 label : optional label
2699 labelSz : size of optional label buffer
2700 saltLen : Length of salt used in PSS
2701 rng : random number generator */
2702static int RsaPublicEncryptEx(const byte* in, word32 inLen, byte* out,
2703 word32 outLen, RsaKey* key, int rsa_type,
2704 byte pad_value, int pad_type,
2705 enum wc_HashType hash, int mgf,
2706 byte* label, word32 labelSz, int saltLen,
2707 WC_RNG* rng)
2708{
2709 int ret, sz;
2710
2711 if (in == NULL || inLen == 0 || out == NULL || key == NULL) {
2712 return BAD_FUNC_ARG;
2713 }
2714
2715 sz = wc_RsaEncryptSize(key);
2716 if (sz > (int)outLen) {
2717 return RSA_BUFFER_E;
2718 }
2719
2720 if (sz < RSA_MIN_PAD_SZ) {
2721 return WC_KEY_SIZE_E;
2722 }
2723
2724 if (inLen > (word32)(sz - RSA_MIN_PAD_SZ)) {
2725#ifdef WC_RSA_NO_PADDING
2726 /* In the case that no padding is used the input length can and should
2727 * be the same size as the RSA key. */
2728 if (pad_type != WC_RSA_NO_PAD)
2729#endif
2730 return RSA_BUFFER_E;
2731 }
2732
2733 switch (key->state) {
2734 case RSA_STATE_NONE:
2735 case RSA_STATE_ENCRYPT_PAD:
2736 #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_RSA) && \
2737 defined(HAVE_CAVIUM)
2738 if (key->asyncDev.marker == WOLFSSL_ASYNC_MARKER_RSA &&
2739 pad_type != WC_RSA_PSS_PAD && key->n.raw.buf) {
2740 /* Async operations that include padding */
2741 if (rsa_type == RSA_PUBLIC_ENCRYPT &&
2742 pad_value == RSA_BLOCK_TYPE_2) {
2743 key->state = RSA_STATE_ENCRYPT_RES;
2744 key->dataLen = key->n.raw.len;
2745 return NitroxRsaPublicEncrypt(in, inLen, out, outLen, key);
2746 }
2747 else if (rsa_type == RSA_PRIVATE_ENCRYPT &&
2748 pad_value == RSA_BLOCK_TYPE_1) {
2749 key->state = RSA_STATE_ENCRYPT_RES;
2750 key->dataLen = key->n.raw.len;
2751 return NitroxRsaSSL_Sign(in, inLen, out, outLen, key);
2752 }
2753 }
2754 #elif defined(WOLFSSL_CRYPTOCELL)
2755 if (rsa_type == RSA_PUBLIC_ENCRYPT &&
2756 pad_value == RSA_BLOCK_TYPE_2) {
2757
2758 return cc310_RsaPublicEncrypt(in, inLen, out, outLen, key);
2759 }
2760 else if (rsa_type == RSA_PRIVATE_ENCRYPT &&
2761 pad_value == RSA_BLOCK_TYPE_1) {
2762 return cc310_RsaSSL_Sign(in, inLen, out, outLen, key,
2763 cc310_hashModeRSA(hash, 0));
2764 }
2765 #endif /* WOLFSSL_CRYPTOCELL */
2766
2767 key->state = RSA_STATE_ENCRYPT_PAD;
2768 ret = wc_RsaPad_ex(in, inLen, out, sz, pad_value, rng, pad_type, hash,
2769 mgf, label, labelSz, saltLen, mp_count_bits(&key->n),
2770 key->heap);
2771 if (ret < 0) {
2772 break;
2773 }
2774
2775 key->state = RSA_STATE_ENCRYPT_EXPTMOD;
2776 FALL_THROUGH;
2777
2778 case RSA_STATE_ENCRYPT_EXPTMOD:
2779
2780 key->dataLen = outLen;
2781 ret = wc_RsaFunction(out, sz, out, &key->dataLen, rsa_type, key, rng);
2782
2783 if (ret >= 0 || ret == WC_PENDING_E) {
2784 key->state = RSA_STATE_ENCRYPT_RES;
2785 }
2786 if (ret < 0) {
2787 break;
2788 }
2789
2790 FALL_THROUGH;
2791
2792 case RSA_STATE_ENCRYPT_RES:
2793 ret = key->dataLen;
2794 break;
2795
2796 default:
2797 ret = BAD_STATE_E;
2798 break;
2799 }
2800
2801 /* if async pending then return and skip done cleanup below */
2802 if (ret == WC_PENDING_E
2803 #ifdef WC_RSA_NONBLOCK
2804 || ret == FP_WOULDBLOCK
2805 #endif
2806 ) {
2807 return ret;
2808 }
2809
2810 key->state = RSA_STATE_NONE;
2811 wc_RsaCleanup(key);
2812
2813 return ret;
2814}
2815
2816#endif
2817
2818/* Gives the option of choosing padding type
2819 in : input to be decrypted
2820 inLen: length of input buffer
2821 out: decrypted message
2822 outLen: length of decrypted message in bytes
2823 outPtr: optional inline output pointer (if provided doing inline)
2824 key : wolfSSL initialized RSA key struct
2825 rsa_type : type of RSA: RSA_PUBLIC_ENCRYPT, RSA_PUBLIC_DECRYPT,
2826 RSA_PRIVATE_ENCRYPT or RSA_PRIVATE_DECRYPT
2827 pad_value: RSA_BLOCK_TYPE_1 or RSA_BLOCK_TYPE_2
2828 pad_type : type of padding: WC_RSA_PKCSV15_PAD, WC_RSA_OAEP_PAD,
2829 WC_RSA_NO_PAD, WC_RSA_PSS_PAD
2830 hash : type of hash algorithm to use found in wolfssl/wolfcrypt/hash.h
2831 mgf : type of mask generation function to use
2832 label : optional label
2833 labelSz : size of optional label buffer
2834 saltLen : Length of salt used in PSS
2835 rng : random number generator */
2836static int RsaPrivateDecryptEx(byte* in, word32 inLen, byte* out,
2837 word32 outLen, byte** outPtr, RsaKey* key,
2838 int rsa_type, byte pad_value, int pad_type,
2839 enum wc_HashType hash, int mgf,
2840 byte* label, word32 labelSz, int saltLen,
2841 WC_RNG* rng)
2842{
2843 int ret = RSA_WRONG_TYPE_E;
2844 byte* pad = NULL;
2845
2846 if (in == NULL || inLen == 0 || out == NULL || key == NULL) {
2847 return BAD_FUNC_ARG;
2848 }
2849
2850 switch (key->state) {
2851 case RSA_STATE_NONE:
2852 key->dataLen = inLen;
2853
2854 #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_RSA) && \
2855 defined(HAVE_CAVIUM)
2856 /* Async operations that include padding */
2857 if (key->asyncDev.marker == WOLFSSL_ASYNC_MARKER_RSA &&
2858 pad_type != WC_RSA_PSS_PAD) {
2859#ifndef WOLFSSL_RSA_PUBLIC_ONLY
2860 if (rsa_type == RSA_PRIVATE_DECRYPT &&
2861 pad_value == RSA_BLOCK_TYPE_2) {
2862 key->state = RSA_STATE_DECRYPT_RES;
2863 key->data = NULL;
2864 return NitroxRsaPrivateDecrypt(in, inLen, out, &key->dataLen,
2865 key);
2866#endif
2867 }
2868 else if (rsa_type == RSA_PUBLIC_DECRYPT &&
2869 pad_value == RSA_BLOCK_TYPE_1) {
2870 key->state = RSA_STATE_DECRYPT_RES;
2871 key->data = NULL;
2872 return NitroxRsaSSL_Verify(in, inLen, out, &key->dataLen, key);
2873 }
2874 }
2875 #elif defined(WOLFSSL_CRYPTOCELL)
2876 if (rsa_type == RSA_PRIVATE_DECRYPT &&
2877 pad_value == RSA_BLOCK_TYPE_2) {
2878 ret = cc310_RsaPublicDecrypt(in, inLen, out, outLen, key);
2879 if (outPtr != NULL)
2880 *outPtr = out; /* for inline */
2881 return ret;
2882 }
2883 else if (rsa_type == RSA_PUBLIC_DECRYPT &&
2884 pad_value == RSA_BLOCK_TYPE_1) {
2885 return cc310_RsaSSL_Verify(in, inLen, out, key,
2886 cc310_hashModeRSA(hash, 0));
2887 }
2888 #endif /* WOLFSSL_CRYPTOCELL */
2889
2890
2891#if !defined(WOLFSSL_RSA_VERIFY_ONLY) && !defined(WOLFSSL_RSA_VERIFY_INLINE)
2892 /* verify the tmp ptr is NULL, otherwise indicates bad state */
2893 if (key->data != NULL) {
2894 ret = BAD_STATE_E;
2895 break;
2896 }
2897
2898 /* if not doing this inline then allocate a buffer for it */
2899 if (outPtr == NULL) {
2900 key->data = (byte*)XMALLOC(inLen, key->heap,
2901 DYNAMIC_TYPE_WOLF_BIGINT);
2902 key->dataIsAlloc = 1;
2903 if (key->data == NULL) {
2904 ret = MEMORY_E;
2905 break;
2906 }
2907 XMEMCPY(key->data, in, inLen);
2908 }
2909 else {
2910 key->data = out;
2911 }
2912#endif
2913
2914 key->state = RSA_STATE_DECRYPT_EXPTMOD;
2915 FALL_THROUGH;
2916
2917 case RSA_STATE_DECRYPT_EXPTMOD:
2918#if !defined(WOLFSSL_RSA_VERIFY_ONLY) && !defined(WOLFSSL_RSA_VERIFY_INLINE)
2919 ret = wc_RsaFunction(key->data, inLen, key->data, &key->dataLen,
2920 rsa_type, key, rng);
2921#else
2922 ret = wc_RsaFunction(in, inLen, out, &key->dataLen, rsa_type, key, rng);
2923#endif
2924
2925 if (ret >= 0 || ret == WC_PENDING_E) {
2926 key->state = RSA_STATE_DECRYPT_UNPAD;
2927 }
2928 if (ret < 0) {
2929 break;
2930 }
2931
2932 FALL_THROUGH;
2933
2934 case RSA_STATE_DECRYPT_UNPAD:
2935#if !defined(WOLFSSL_RSA_VERIFY_ONLY) && !defined(WOLFSSL_RSA_VERIFY_INLINE)
2936 ret = wc_RsaUnPad_ex(key->data, key->dataLen, &pad, pad_value, pad_type,
2937 hash, mgf, label, labelSz, saltLen,
2938 mp_count_bits(&key->n), key->heap);
2939#else
2940 ret = wc_RsaUnPad_ex(out, key->dataLen, &pad, pad_value, pad_type, hash,
2941 mgf, label, labelSz, saltLen,
2942 mp_count_bits(&key->n), key->heap);
2943#endif
2944 if (rsa_type == RSA_PUBLIC_DECRYPT && ret > (int)outLen)
2945 ret = RSA_BUFFER_E;
2946 else if (ret >= 0 && pad != NULL) {
2947#if !defined(WOLFSSL_RSA_VERIFY_ONLY) && !defined(WOLFSSL_RSA_VERIFY_INLINE)
2948 signed char c;
2949#endif
2950
2951 /* only copy output if not inline */
2952 if (outPtr == NULL) {
2953#if !defined(WOLFSSL_RSA_VERIFY_ONLY) && !defined(WOLFSSL_RSA_VERIFY_INLINE)
2954 if (rsa_type == RSA_PRIVATE_DECRYPT) {
2955 word32 i, j;
2956 int start = (int)((size_t)pad - (size_t)key->data);
2957
2958 for (i = 0, j = 0; j < key->dataLen; j++) {
2959 out[i] = key->data[j];
2960 c = ctMaskGTE(j, start);
2961 c &= ctMaskLT(i, outLen);
2962 /* 0 - no add, -1 add */
2963 i += (word32)((byte)(-c));
2964 }
2965 }
2966 else
2967#endif
2968 {
2969 XMEMCPY(out, pad, ret);
2970 }
2971 }
2972 else
2973 *outPtr = pad;
2974
2975#if !defined(WOLFSSL_RSA_VERIFY_ONLY)
2976 ret = ctMaskSelInt(ctMaskLTE(ret, outLen), ret, RSA_BUFFER_E);
2977 ret = ctMaskSelInt(ctMaskNotEq(ret, 0), ret, RSA_BUFFER_E);
2978#else
2979 if (outLen < (word32)ret)
2980 ret = RSA_BUFFER_E;
2981#endif
2982 }
2983
2984 key->state = RSA_STATE_DECRYPT_RES;
2985 FALL_THROUGH;
2986
2987 case RSA_STATE_DECRYPT_RES:
2988 #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_RSA) && \
2989 defined(HAVE_CAVIUM)
2990 if (key->asyncDev.marker == WOLFSSL_ASYNC_MARKER_RSA &&
2991 pad_type != WC_RSA_PSS_PAD) {
2992 if (ret > 0) {
2993 /* convert result */
2994 byte* dataLen = (byte*)&key->dataLen;
2995 ret = (dataLen[0] << 8) | (dataLen[1]);
2996
2997 if (outPtr)
2998 *outPtr = in;
2999 }
3000 }
3001 #endif
3002 break;
3003
3004 default:
3005 ret = BAD_STATE_E;
3006 break;
3007 }
3008
3009 /* if async pending then return and skip done cleanup below */
3010 if (ret == WC_PENDING_E
3011 #ifdef WC_RSA_NONBLOCK
3012 || ret == FP_WOULDBLOCK
3013 #endif
3014 ) {
3015 return ret;
3016 }
3017
3018 key->state = RSA_STATE_NONE;
3019 wc_RsaCleanup(key);
3020
3021 return ret;
3022}
3023
3024
3025#ifndef WOLFSSL_RSA_VERIFY_ONLY
3026/* Public RSA Functions */
3027int wc_RsaPublicEncrypt(const byte* in, word32 inLen, byte* out, word32 outLen,
3028 RsaKey* key, WC_RNG* rng)
3029{
3030 return RsaPublicEncryptEx(in, inLen, out, outLen, key,
3031 RSA_PUBLIC_ENCRYPT, RSA_BLOCK_TYPE_2, WC_RSA_PKCSV15_PAD,
3032 WC_HASH_TYPE_NONE, WC_MGF1NONE, NULL, 0, 0, rng);
3033}
3034
3035
3036#if !defined(WC_NO_RSA_OAEP) || defined(WC_RSA_NO_PADDING)
3037int wc_RsaPublicEncrypt_ex(const byte* in, word32 inLen, byte* out,
3038 word32 outLen, RsaKey* key, WC_RNG* rng, int type,
3039 enum wc_HashType hash, int mgf, byte* label,
3040 word32 labelSz)
3041{
3042 return RsaPublicEncryptEx(in, inLen, out, outLen, key, RSA_PUBLIC_ENCRYPT,
3043 RSA_BLOCK_TYPE_2, type, hash, mgf, label, labelSz, 0, rng);
3044}
3045#endif /* WC_NO_RSA_OAEP */
3046#endif
3047
3048
3049#ifndef WOLFSSL_RSA_PUBLIC_ONLY
3050int wc_RsaPrivateDecryptInline(byte* in, word32 inLen, byte** out, RsaKey* key)
3051{
3052 WC_RNG* rng;
3053#ifdef WC_RSA_BLINDING
3054 rng = key->rng;
3055#else
3056 rng = NULL;
3057#endif
3058 return RsaPrivateDecryptEx(in, inLen, in, inLen, out, key,
3059 RSA_PRIVATE_DECRYPT, RSA_BLOCK_TYPE_2, WC_RSA_PKCSV15_PAD,
3060 WC_HASH_TYPE_NONE, WC_MGF1NONE, NULL, 0, 0, rng);
3061}
3062
3063
3064#ifndef WC_NO_RSA_OAEP
3065int wc_RsaPrivateDecryptInline_ex(byte* in, word32 inLen, byte** out,
3066 RsaKey* key, int type, enum wc_HashType hash,
3067 int mgf, byte* label, word32 labelSz)
3068{
3069 WC_RNG* rng;
3070#ifdef WC_RSA_BLINDING
3071 rng = key->rng;
3072#else
3073 rng = NULL;
3074#endif
3075 return RsaPrivateDecryptEx(in, inLen, in, inLen, out, key,
3076 RSA_PRIVATE_DECRYPT, RSA_BLOCK_TYPE_2, type, hash,
3077 mgf, label, labelSz, 0, rng);
3078}
3079#endif /* WC_NO_RSA_OAEP */
3080
3081
3082int wc_RsaPrivateDecrypt(const byte* in, word32 inLen, byte* out,
3083 word32 outLen, RsaKey* key)
3084{
3085 WC_RNG* rng;
3086#ifdef WC_RSA_BLINDING
3087 rng = key->rng;
3088#else
3089 rng = NULL;
3090#endif
3091 return RsaPrivateDecryptEx((byte*)in, inLen, out, outLen, NULL, key,
3092 RSA_PRIVATE_DECRYPT, RSA_BLOCK_TYPE_2, WC_RSA_PKCSV15_PAD,
3093 WC_HASH_TYPE_NONE, WC_MGF1NONE, NULL, 0, 0, rng);
3094}
3095
3096#if !defined(WC_NO_RSA_OAEP) || defined(WC_RSA_NO_PADDING)
3097int wc_RsaPrivateDecrypt_ex(const byte* in, word32 inLen, byte* out,
3098 word32 outLen, RsaKey* key, int type,
3099 enum wc_HashType hash, int mgf, byte* label,
3100 word32 labelSz)
3101{
3102 WC_RNG* rng;
3103#ifdef WC_RSA_BLINDING
3104 rng = key->rng;
3105#else
3106 rng = NULL;
3107#endif
3108 return RsaPrivateDecryptEx((byte*)in, inLen, out, outLen, NULL, key,
3109 RSA_PRIVATE_DECRYPT, RSA_BLOCK_TYPE_2, type, hash, mgf, label,
3110 labelSz, 0, rng);
3111}
3112#endif /* WC_NO_RSA_OAEP || WC_RSA_NO_PADDING */
3113#endif /* WOLFSSL_RSA_PUBLIC_ONLY */
3114
3115#if !defined(WOLFSSL_CRYPTOCELL)
3116int wc_RsaSSL_VerifyInline(byte* in, word32 inLen, byte** out, RsaKey* key)
3117{
3118 WC_RNG* rng;
3119#ifdef WC_RSA_BLINDING
3120 rng = key->rng;
3121#else
3122 rng = NULL;
3123#endif
3124 return RsaPrivateDecryptEx(in, inLen, in, inLen, out, key,
3125 RSA_PUBLIC_DECRYPT, RSA_BLOCK_TYPE_1, WC_RSA_PKCSV15_PAD,
3126 WC_HASH_TYPE_NONE, WC_MGF1NONE, NULL, 0, 0, rng);
3127}
3128#endif
3129
3130#ifndef WOLFSSL_RSA_VERIFY_ONLY
3131int wc_RsaSSL_Verify(const byte* in, word32 inLen, byte* out, word32 outLen,
3132 RsaKey* key)
3133{
3134 return wc_RsaSSL_Verify_ex(in, inLen, out, outLen, key , WC_RSA_PKCSV15_PAD);
3135}
3136
3137int wc_RsaSSL_Verify_ex(const byte* in, word32 inLen, byte* out, word32 outLen,
3138 RsaKey* key, int pad_type)
3139{
3140 WC_RNG* rng;
3141
3142 if (key == NULL) {
3143 return BAD_FUNC_ARG;
3144 }
3145
3146#ifdef WC_RSA_BLINDING
3147 rng = key->rng;
3148#else
3149 rng = NULL;
3150#endif
3151
3152 return RsaPrivateDecryptEx((byte*)in, inLen, out, outLen, NULL, key,
3153 RSA_PUBLIC_DECRYPT, RSA_BLOCK_TYPE_1, pad_type,
3154 WC_HASH_TYPE_NONE, WC_MGF1NONE, NULL, 0, 0, rng);
3155}
3156#endif
3157
3158#ifdef WC_RSA_PSS
3159/* Verify the message signed with RSA-PSS.
3160 * The input buffer is reused for the output buffer.
3161 * Salt length is equal to hash length.
3162 *
3163 * in Buffer holding encrypted data.
3164 * inLen Length of data in buffer.
3165 * out Pointer to address containing the PSS data.
3166 * hash Hash algorithm.
3167 * mgf Mask generation function.
3168 * key Public RSA key.
3169 * returns the length of the PSS data on success and negative indicates failure.
3170 */
3171int wc_RsaPSS_VerifyInline(byte* in, word32 inLen, byte** out,
3172 enum wc_HashType hash, int mgf, RsaKey* key)
3173{
3174#ifndef WOLFSSL_PSS_SALT_LEN_DISCOVER
3175 return wc_RsaPSS_VerifyInline_ex(in, inLen, out, hash, mgf,
3176 RSA_PSS_SALT_LEN_DEFAULT, key);
3177#else
3178 return wc_RsaPSS_VerifyInline_ex(in, inLen, out, hash, mgf,
3179 RSA_PSS_SALT_LEN_DISCOVER, key);
3180#endif
3181}
3182
3183/* Verify the message signed with RSA-PSS.
3184 * The input buffer is reused for the output buffer.
3185 *
3186 * in Buffer holding encrypted data.
3187 * inLen Length of data in buffer.
3188 * out Pointer to address containing the PSS data.
3189 * hash Hash algorithm.
3190 * mgf Mask generation function.
3191 * key Public RSA key.
3192 * saltLen Length of salt used. RSA_PSS_SALT_LEN_DEFAULT (-1) indicates salt
3193 * length is the same as the hash length. RSA_PSS_SALT_LEN_DISCOVER
3194 * indicates salt length is determined from the data.
3195 * returns the length of the PSS data on success and negative indicates failure.
3196 */
3197int wc_RsaPSS_VerifyInline_ex(byte* in, word32 inLen, byte** out,
3198 enum wc_HashType hash, int mgf, int saltLen,
3199 RsaKey* key)
3200{
3201 WC_RNG* rng;
3202#ifdef WC_RSA_BLINDING
3203 rng = key->rng;
3204#else
3205 rng = NULL;
3206#endif
3207 return RsaPrivateDecryptEx(in, inLen, in, inLen, out, key,
3208 RSA_PUBLIC_DECRYPT, RSA_BLOCK_TYPE_1, WC_RSA_PSS_PAD,
3209 hash, mgf, NULL, 0, saltLen, rng);
3210}
3211
3212/* Verify the message signed with RSA-PSS.
3213 * Salt length is equal to hash length.
3214 *
3215 * in Buffer holding encrypted data.
3216 * inLen Length of data in buffer.
3217 * out Pointer to address containing the PSS data.
3218 * hash Hash algorithm.
3219 * mgf Mask generation function.
3220 * key Public RSA key.
3221 * returns the length of the PSS data on success and negative indicates failure.
3222 */
3223int wc_RsaPSS_Verify(byte* in, word32 inLen, byte* out, word32 outLen,
3224 enum wc_HashType hash, int mgf, RsaKey* key)
3225{
3226#ifndef WOLFSSL_PSS_SALT_LEN_DISCOVER
3227 return wc_RsaPSS_Verify_ex(in, inLen, out, outLen, hash, mgf,
3228 RSA_PSS_SALT_LEN_DEFAULT, key);
3229#else
3230 return wc_RsaPSS_Verify_ex(in, inLen, out, outLen, hash, mgf,
3231 RSA_PSS_SALT_LEN_DISCOVER, key);
3232#endif
3233}
3234
3235/* Verify the message signed with RSA-PSS.
3236 *
3237 * in Buffer holding encrypted data.
3238 * inLen Length of data in buffer.
3239 * out Pointer to address containing the PSS data.
3240 * hash Hash algorithm.
3241 * mgf Mask generation function.
3242 * key Public RSA key.
3243 * saltLen Length of salt used. RSA_PSS_SALT_LEN_DEFAULT (-1) indicates salt
3244 * length is the same as the hash length. RSA_PSS_SALT_LEN_DISCOVER
3245 * indicates salt length is determined from the data.
3246 * returns the length of the PSS data on success and negative indicates failure.
3247 */
3248int wc_RsaPSS_Verify_ex(byte* in, word32 inLen, byte* out, word32 outLen,
3249 enum wc_HashType hash, int mgf, int saltLen,
3250 RsaKey* key)
3251{
3252 WC_RNG* rng;
3253#ifdef WC_RSA_BLINDING
3254 rng = key->rng;
3255#else
3256 rng = NULL;
3257#endif
3258 return RsaPrivateDecryptEx(in, inLen, out, outLen, NULL, key,
3259 RSA_PUBLIC_DECRYPT, RSA_BLOCK_TYPE_1, WC_RSA_PSS_PAD,
3260 hash, mgf, NULL, 0, saltLen, rng);
3261}
3262
3263
3264/* Checks the PSS data to ensure that the signature matches.
3265 * Salt length is equal to hash length.
3266 *
3267 * in Hash of the data that is being verified.
3268 * inSz Length of hash.
3269 * sig Buffer holding PSS data.
3270 * sigSz Size of PSS data.
3271 * hashType Hash algorithm.
3272 * returns BAD_PADDING_E when the PSS data is invalid, BAD_FUNC_ARG when
3273 * NULL is passed in to in or sig or inSz is not the same as the hash
3274 * algorithm length and 0 on success.
3275 */
3276int wc_RsaPSS_CheckPadding(const byte* in, word32 inSz, byte* sig,
3277 word32 sigSz, enum wc_HashType hashType)
3278{
3279 return wc_RsaPSS_CheckPadding_ex(in, inSz, sig, sigSz, hashType, inSz, 0);
3280}
3281
3282/* Checks the PSS data to ensure that the signature matches.
3283 *
3284 * in Hash of the data that is being verified.
3285 * inSz Length of hash.
3286 * sig Buffer holding PSS data.
3287 * sigSz Size of PSS data.
3288 * hashType Hash algorithm.
3289 * saltLen Length of salt used. RSA_PSS_SALT_LEN_DEFAULT (-1) indicates salt
3290 * length is the same as the hash length. RSA_PSS_SALT_LEN_DISCOVER
3291 * indicates salt length is determined from the data.
3292 * returns BAD_PADDING_E when the PSS data is invalid, BAD_FUNC_ARG when
3293 * NULL is passed in to in or sig or inSz is not the same as the hash
3294 * algorithm length and 0 on success.
3295 */
3296int wc_RsaPSS_CheckPadding_ex(const byte* in, word32 inSz, byte* sig,
3297 word32 sigSz, enum wc_HashType hashType,
3298 int saltLen, int bits)
3299{
3300 int ret = 0;
3301#ifndef WOLFSSL_PSS_LONG_SALT
3302 byte sigCheck[WC_MAX_DIGEST_SIZE*2 + RSA_PSS_PAD_SZ];
3303#else
3304 byte *sigCheck = NULL;
3305#endif
3306
3307 (void)bits;
3308
3309 if (in == NULL || sig == NULL ||
3310 inSz != (word32)wc_HashGetDigestSize(hashType)) {
3311 ret = BAD_FUNC_ARG;
3312 }
3313
3314 if (ret == 0) {
3315 if (saltLen == RSA_PSS_SALT_LEN_DEFAULT) {
3316 saltLen = inSz;
3317 #ifdef WOLFSSL_SHA512
3318 /* See FIPS 186-4 section 5.5 item (e). */
3319 if (bits == 1024 && inSz == WC_SHA512_DIGEST_SIZE) {
3320 saltLen = RSA_PSS_SALT_MAX_SZ;
3321 }
3322 #endif
3323 }
3324#ifndef WOLFSSL_PSS_LONG_SALT
3325 else if ((word32)saltLen > inSz) {
3326 ret = PSS_SALTLEN_E;
3327 }
3328#endif
3329#ifndef WOLFSSL_PSS_SALT_LEN_DISCOVER
3330 else if (saltLen < RSA_PSS_SALT_LEN_DEFAULT) {
3331 ret = PSS_SALTLEN_E;
3332 }
3333#else
3334 else if (saltLen == RSA_PSS_SALT_LEN_DISCOVER) {
3335 saltLen = sigSz - inSz;
3336 if (saltLen < 0) {
3337 ret = PSS_SALTLEN_E;
3338 }
3339 }
3340 else if (saltLen < RSA_PSS_SALT_LEN_DISCOVER) {
3341 ret = PSS_SALTLEN_E;
3342 }
3343#endif
3344 }
3345
3346 /* Sig = Salt | Exp Hash */
3347 if (ret == 0) {
3348 if (sigSz != inSz + saltLen) {
3349 ret = PSS_SALTLEN_E;
3350 }
3351 }
3352
3353#ifdef WOLFSSL_PSS_LONG_SALT
3354 if (ret == 0) {
3355 sigCheck = (byte*)XMALLOC(RSA_PSS_PAD_SZ + inSz + saltLen, NULL,
3356 DYNAMIC_TYPE_RSA_BUFFER);
3357 if (sigCheck == NULL) {
3358 ret = MEMORY_E;
3359 }
3360 }
3361#endif
3362
3363 /* Exp Hash = HASH(8 * 0x00 | Message Hash | Salt) */
3364 if (ret == 0) {
3365 XMEMSET(sigCheck, 0, RSA_PSS_PAD_SZ);
3366 XMEMCPY(sigCheck + RSA_PSS_PAD_SZ, in, inSz);
3367 XMEMCPY(sigCheck + RSA_PSS_PAD_SZ + inSz, sig, saltLen);
3368 ret = wc_Hash(hashType, sigCheck, RSA_PSS_PAD_SZ + inSz + saltLen,
3369 sigCheck, inSz);
3370 }
3371 if (ret == 0) {
3372 if (XMEMCMP(sigCheck, sig + saltLen, inSz) != 0) {
3373 WOLFSSL_MSG("RsaPSS_CheckPadding: Padding Error");
3374 ret = BAD_PADDING_E;
3375 }
3376 }
3377
3378#ifdef WOLFSSL_PSS_LONG_SALT
3379 if (sigCheck != NULL) {
3380 XFREE(sigCheck, NULL, DYNAMIC_TYPE_RSA_BUFFER);
3381 }
3382#endif
3383 return ret;
3384}
3385
3386
3387/* Verify the message signed with RSA-PSS.
3388 * The input buffer is reused for the output buffer.
3389 * Salt length is equal to hash length.
3390 *
3391 * in Buffer holding encrypted data.
3392 * inLen Length of data in buffer.
3393 * out Pointer to address containing the PSS data.
3394 * digest Hash of the data that is being verified.
3395 * digestLen Length of hash.
3396 * hash Hash algorithm.
3397 * mgf Mask generation function.
3398 * key Public RSA key.
3399 * returns the length of the PSS data on success and negative indicates failure.
3400 */
3401int wc_RsaPSS_VerifyCheckInline(byte* in, word32 inLen, byte** out,
3402 const byte* digest, word32 digestLen,
3403 enum wc_HashType hash, int mgf, RsaKey* key)
3404{
3405 int ret = 0, verify, saltLen, hLen, bits = 0;
3406
3407 hLen = wc_HashGetDigestSize(hash);
3408 if (hLen < 0)
3409 return hLen;
3410 if ((word32)hLen != digestLen)
3411 return BAD_FUNC_ARG;
3412
3413 saltLen = hLen;
3414 #ifdef WOLFSSL_SHA512
3415 /* See FIPS 186-4 section 5.5 item (e). */
3416 bits = mp_count_bits(&key->n);
3417 if (bits == 1024 && hLen == WC_SHA512_DIGEST_SIZE)
3418 saltLen = RSA_PSS_SALT_MAX_SZ;
3419 #endif
3420
3421 verify = wc_RsaPSS_VerifyInline_ex(in, inLen, out, hash, mgf, saltLen, key);
3422 if (verify > 0)
3423 ret = wc_RsaPSS_CheckPadding_ex(digest, digestLen, *out, verify,
3424 hash, saltLen, bits);
3425 if (ret == 0)
3426 ret = verify;
3427
3428 return ret;
3429}
3430
3431
3432/* Verify the message signed with RSA-PSS.
3433 * Salt length is equal to hash length.
3434 *
3435 * in Buffer holding encrypted data.
3436 * inLen Length of data in buffer.
3437 * out Pointer to address containing the PSS data.
3438 * outLen Length of the output.
3439 * digest Hash of the data that is being verified.
3440 * digestLen Length of hash.
3441 * hash Hash algorithm.
3442 * mgf Mask generation function.
3443 * key Public RSA key.
3444 * returns the length of the PSS data on success and negative indicates failure.
3445 */
3446int wc_RsaPSS_VerifyCheck(byte* in, word32 inLen, byte* out, word32 outLen,
3447 const byte* digest, word32 digestLen,
3448 enum wc_HashType hash, int mgf,
3449 RsaKey* key)
3450{
3451 int ret = 0, verify, saltLen, hLen, bits = 0;
3452
3453 hLen = wc_HashGetDigestSize(hash);
3454 if (hLen < 0)
3455 return hLen;
3456 if ((word32)hLen != digestLen)
3457 return BAD_FUNC_ARG;
3458
3459 saltLen = hLen;
3460 #ifdef WOLFSSL_SHA512
3461 /* See FIPS 186-4 section 5.5 item (e). */
3462 bits = mp_count_bits(&key->n);
3463 if (bits == 1024 && hLen == WC_SHA512_DIGEST_SIZE)
3464 saltLen = RSA_PSS_SALT_MAX_SZ;
3465 #endif
3466
3467 verify = wc_RsaPSS_Verify_ex(in, inLen, out, outLen, hash,
3468 mgf, saltLen, key);
3469 if (verify > 0)
3470 ret = wc_RsaPSS_CheckPadding_ex(digest, digestLen, out, verify,
3471 hash, saltLen, bits);
3472 if (ret == 0)
3473 ret = verify;
3474
3475 return ret;
3476}
3477
3478#endif
3479
3480#if !defined(WOLFSSL_RSA_PUBLIC_ONLY) && !defined(WOLFSSL_RSA_VERIFY_ONLY)
3481int wc_RsaSSL_Sign(const byte* in, word32 inLen, byte* out, word32 outLen,
3482 RsaKey* key, WC_RNG* rng)
3483{
3484 return RsaPublicEncryptEx(in, inLen, out, outLen, key,
3485 RSA_PRIVATE_ENCRYPT, RSA_BLOCK_TYPE_1, WC_RSA_PKCSV15_PAD,
3486 WC_HASH_TYPE_NONE, WC_MGF1NONE, NULL, 0, 0, rng);
3487}
3488
3489#ifdef WC_RSA_PSS
3490/* Sign the hash of a message using RSA-PSS.
3491 * Salt length is equal to hash length.
3492 *
3493 * in Buffer holding hash of message.
3494 * inLen Length of data in buffer (hash length).
3495 * out Buffer to write encrypted signature into.
3496 * outLen Size of buffer to write to.
3497 * hash Hash algorithm.
3498 * mgf Mask generation function.
3499 * key Public RSA key.
3500 * rng Random number generator.
3501 * returns the length of the encrypted signature on success, a negative value
3502 * indicates failure.
3503 */
3504int wc_RsaPSS_Sign(const byte* in, word32 inLen, byte* out, word32 outLen,
3505 enum wc_HashType hash, int mgf, RsaKey* key, WC_RNG* rng)
3506{
3507 return wc_RsaPSS_Sign_ex(in, inLen, out, outLen, hash, mgf,
3508 RSA_PSS_SALT_LEN_DEFAULT, key, rng);
3509}
3510
3511/* Sign the hash of a message using RSA-PSS.
3512 *
3513 * in Buffer holding hash of message.
3514 * inLen Length of data in buffer (hash length).
3515 * out Buffer to write encrypted signature into.
3516 * outLen Size of buffer to write to.
3517 * hash Hash algorithm.
3518 * mgf Mask generation function.
3519 * saltLen Length of salt used. RSA_PSS_SALT_LEN_DEFAULT (-1) indicates salt
3520 * length is the same as the hash length. RSA_PSS_SALT_LEN_DISCOVER
3521 * indicates salt length is determined from the data.
3522 * key Public RSA key.
3523 * rng Random number generator.
3524 * returns the length of the encrypted signature on success, a negative value
3525 * indicates failure.
3526 */
3527int wc_RsaPSS_Sign_ex(const byte* in, word32 inLen, byte* out, word32 outLen,
3528 enum wc_HashType hash, int mgf, int saltLen, RsaKey* key,
3529 WC_RNG* rng)
3530{
3531 return RsaPublicEncryptEx(in, inLen, out, outLen, key,
3532 RSA_PRIVATE_ENCRYPT, RSA_BLOCK_TYPE_1, WC_RSA_PSS_PAD,
3533 hash, mgf, NULL, 0, saltLen, rng);
3534}
3535#endif
3536#endif
3537
3538#if !defined(WOLFSSL_RSA_VERIFY_ONLY) || !defined(WOLFSSL_SP_MATH) || \
3539 defined(WC_RSA_PSS)
3540int wc_RsaEncryptSize(RsaKey* key)
3541{
3542 int ret;
3543
3544 if (key == NULL) {
3545 return BAD_FUNC_ARG;
3546 }
3547
3548 ret = mp_unsigned_bin_size(&key->n);
3549
3550#ifdef WOLF_CRYPTO_CB
3551 if (ret == 0 && key->devId != INVALID_DEVID) {
3552 ret = 2048/8; /* hardware handles, use 2048-bit as default */
3553 }
3554#endif
3555
3556 return ret;
3557}
3558#endif
3559
3560#ifndef WOLFSSL_RSA_VERIFY_ONLY
3561/* flatten RsaKey structure into individual elements (e, n) */
3562int wc_RsaFlattenPublicKey(RsaKey* key, byte* e, word32* eSz, byte* n,
3563 word32* nSz)
3564{
3565 int sz, ret;
3566
3567 if (key == NULL || e == NULL || eSz == NULL || n == NULL || nSz == NULL) {
3568 return BAD_FUNC_ARG;
3569 }
3570
3571 sz = mp_unsigned_bin_size(&key->e);
3572 if ((word32)sz > *eSz)
3573 return RSA_BUFFER_E;
3574 ret = mp_to_unsigned_bin(&key->e, e);
3575 if (ret != MP_OKAY)
3576 return ret;
3577 *eSz = (word32)sz;
3578
3579 sz = wc_RsaEncryptSize(key);
3580 if ((word32)sz > *nSz)
3581 return RSA_BUFFER_E;
3582 ret = mp_to_unsigned_bin(&key->n, n);
3583 if (ret != MP_OKAY)
3584 return ret;
3585 *nSz = (word32)sz;
3586
3587 return 0;
3588}
3589#endif
3590
3591#endif /* HAVE_FIPS */
3592
3593
3594#ifndef WOLFSSL_RSA_VERIFY_ONLY
3595static int RsaGetValue(mp_int* in, byte* out, word32* outSz)
3596{
3597 word32 sz;
3598 int ret = 0;
3599
3600 /* Parameters ensured by calling function. */
3601
3602 sz = (word32)mp_unsigned_bin_size(in);
3603 if (sz > *outSz)
3604 ret = RSA_BUFFER_E;
3605
3606 if (ret == 0)
3607 ret = mp_to_unsigned_bin(in, out);
3608
3609 if (ret == MP_OKAY)
3610 *outSz = sz;
3611
3612 return ret;
3613}
3614
3615
3616int wc_RsaExportKey(RsaKey* key,
3617 byte* e, word32* eSz, byte* n, word32* nSz,
3618 byte* d, word32* dSz, byte* p, word32* pSz,
3619 byte* q, word32* qSz)
3620{
3621 int ret = BAD_FUNC_ARG;
3622
3623 if (key && e && eSz && n && nSz && d && dSz && p && pSz && q && qSz)
3624 ret = 0;
3625
3626 if (ret == 0)
3627 ret = RsaGetValue(&key->e, e, eSz);
3628 if (ret == 0)
3629 ret = RsaGetValue(&key->n, n, nSz);
3630#ifndef WOLFSSL_RSA_PUBLIC_ONLY
3631 if (ret == 0)
3632 ret = RsaGetValue(&key->d, d, dSz);
3633 if (ret == 0)
3634 ret = RsaGetValue(&key->p, p, pSz);
3635 if (ret == 0)
3636 ret = RsaGetValue(&key->q, q, qSz);
3637#else
3638 /* no private parts to key */
3639 if (d == NULL || p == NULL || q == NULL || dSz == NULL || pSz == NULL
3640 || qSz == NULL) {
3641 ret = BAD_FUNC_ARG;
3642 }
3643 else {
3644 *dSz = 0;
3645 *pSz = 0;
3646 *qSz = 0;
3647 }
3648#endif /* WOLFSSL_RSA_PUBLIC_ONLY */
3649
3650 return ret;
3651}
3652#endif
3653
3654
3655#ifdef WOLFSSL_KEY_GEN
3656
3657/* Check that |p-q| > 2^((size/2)-100) */
3658static int wc_CompareDiffPQ(mp_int* p, mp_int* q, int size)
3659{
3660 mp_int c, d;
3661 int ret;
3662
3663 if (p == NULL || q == NULL)
3664 return BAD_FUNC_ARG;
3665
3666 ret = mp_init_multi(&c, &d, NULL, NULL, NULL, NULL);
3667
3668 /* c = 2^((size/2)-100) */
3669 if (ret == 0)
3670 ret = mp_2expt(&c, (size/2)-100);
3671
3672 /* d = |p-q| */
3673 if (ret == 0)
3674 ret = mp_sub(p, q, &d);
3675
3676 if (ret == 0)
3677 ret = mp_abs(&d, &d);
3678
3679 /* compare */
3680 if (ret == 0)
3681 ret = mp_cmp(&d, &c);
3682
3683 if (ret == MP_GT)
3684 ret = MP_OKAY;
3685
3686 mp_clear(&d);
3687 mp_clear(&c);
3688
3689 return ret;
3690}
3691
3692
3693/* The lower_bound value is floor(2^(0.5) * 2^((nlen/2)-1)) where nlen is 4096.
3694 * This number was calculated using a small test tool written with a common
3695 * large number math library. Other values of nlen may be checked with a subset
3696 * of lower_bound. */
3697static const byte lower_bound[] = {
3698 0xB5, 0x04, 0xF3, 0x33, 0xF9, 0xDE, 0x64, 0x84,
3699 0x59, 0x7D, 0x89, 0xB3, 0x75, 0x4A, 0xBE, 0x9F,
3700 0x1D, 0x6F, 0x60, 0xBA, 0x89, 0x3B, 0xA8, 0x4C,
3701 0xED, 0x17, 0xAC, 0x85, 0x83, 0x33, 0x99, 0x15,
3702/* 512 */
3703 0x4A, 0xFC, 0x83, 0x04, 0x3A, 0xB8, 0xA2, 0xC3,
3704 0xA8, 0xB1, 0xFE, 0x6F, 0xDC, 0x83, 0xDB, 0x39,
3705 0x0F, 0x74, 0xA8, 0x5E, 0x43, 0x9C, 0x7B, 0x4A,
3706 0x78, 0x04, 0x87, 0x36, 0x3D, 0xFA, 0x27, 0x68,
3707/* 1024 */
3708 0xD2, 0x20, 0x2E, 0x87, 0x42, 0xAF, 0x1F, 0x4E,
3709 0x53, 0x05, 0x9C, 0x60, 0x11, 0xBC, 0x33, 0x7B,
3710 0xCA, 0xB1, 0xBC, 0x91, 0x16, 0x88, 0x45, 0x8A,
3711 0x46, 0x0A, 0xBC, 0x72, 0x2F, 0x7C, 0x4E, 0x33,
3712 0xC6, 0xD5, 0xA8, 0xA3, 0x8B, 0xB7, 0xE9, 0xDC,
3713 0xCB, 0x2A, 0x63, 0x43, 0x31, 0xF3, 0xC8, 0x4D,
3714 0xF5, 0x2F, 0x12, 0x0F, 0x83, 0x6E, 0x58, 0x2E,
3715 0xEA, 0xA4, 0xA0, 0x89, 0x90, 0x40, 0xCA, 0x4A,
3716/* 2048 */
3717 0x81, 0x39, 0x4A, 0xB6, 0xD8, 0xFD, 0x0E, 0xFD,
3718 0xF4, 0xD3, 0xA0, 0x2C, 0xEB, 0xC9, 0x3E, 0x0C,
3719 0x42, 0x64, 0xDA, 0xBC, 0xD5, 0x28, 0xB6, 0x51,
3720 0xB8, 0xCF, 0x34, 0x1B, 0x6F, 0x82, 0x36, 0xC7,
3721 0x01, 0x04, 0xDC, 0x01, 0xFE, 0x32, 0x35, 0x2F,
3722 0x33, 0x2A, 0x5E, 0x9F, 0x7B, 0xDA, 0x1E, 0xBF,
3723 0xF6, 0xA1, 0xBE, 0x3F, 0xCA, 0x22, 0x13, 0x07,
3724 0xDE, 0xA0, 0x62, 0x41, 0xF7, 0xAA, 0x81, 0xC2,
3725/* 3072 */
3726 0xC1, 0xFC, 0xBD, 0xDE, 0xA2, 0xF7, 0xDC, 0x33,
3727 0x18, 0x83, 0x8A, 0x2E, 0xAF, 0xF5, 0xF3, 0xB2,
3728 0xD2, 0x4F, 0x4A, 0x76, 0x3F, 0xAC, 0xB8, 0x82,
3729 0xFD, 0xFE, 0x17, 0x0F, 0xD3, 0xB1, 0xF7, 0x80,
3730 0xF9, 0xAC, 0xCE, 0x41, 0x79, 0x7F, 0x28, 0x05,
3731 0xC2, 0x46, 0x78, 0x5E, 0x92, 0x95, 0x70, 0x23,
3732 0x5F, 0xCF, 0x8F, 0x7B, 0xCA, 0x3E, 0xA3, 0x3B,
3733 0x4D, 0x7C, 0x60, 0xA5, 0xE6, 0x33, 0xE3, 0xE1
3734/* 4096 */
3735};
3736
3737
3738/* returns 1 on key size ok and 0 if not ok */
3739static WC_INLINE int RsaSizeCheck(int size)
3740{
3741 if (size < RSA_MIN_SIZE || size > RSA_MAX_SIZE) {
3742 return 0;
3743 }
3744
3745#ifdef HAVE_FIPS
3746 /* Key size requirements for CAVP */
3747 switch (size) {
3748 case 1024:
3749 case 2048:
3750 case 3072:
3751 case 4096:
3752 return 1;
3753 }
3754
3755 return 0;
3756#else
3757 return 1; /* allow unusual key sizes in non FIPS mode */
3758#endif /* HAVE_FIPS */
3759}
3760
3761
3762static int _CheckProbablePrime(mp_int* p, mp_int* q, mp_int* e, int nlen,
3763 int* isPrime, WC_RNG* rng)
3764{
3765 int ret;
3766 mp_int tmp1, tmp2;
3767 mp_int* prime;
3768
3769 if (p == NULL || e == NULL || isPrime == NULL)
3770 return BAD_FUNC_ARG;
3771
3772 if (!RsaSizeCheck(nlen))
3773 return BAD_FUNC_ARG;
3774
3775 *isPrime = MP_NO;
3776
3777 if (q != NULL) {
3778 /* 5.4 - check that |p-q| <= (2^(1/2))(2^((nlen/2)-1)) */
3779 ret = wc_CompareDiffPQ(p, q, nlen);
3780 if (ret != MP_OKAY) goto notOkay;
3781 prime = q;
3782 }
3783 else
3784 prime = p;
3785
3786 ret = mp_init_multi(&tmp1, &tmp2, NULL, NULL, NULL, NULL);
3787 if (ret != MP_OKAY) goto notOkay;
3788
3789 /* 4.4,5.5 - Check that prime >= (2^(1/2))(2^((nlen/2)-1))
3790 * This is a comparison against lowerBound */
3791 ret = mp_read_unsigned_bin(&tmp1, lower_bound, nlen/16);
3792 if (ret != MP_OKAY) goto notOkay;
3793 ret = mp_cmp(prime, &tmp1);
3794 if (ret == MP_LT) goto exit;
3795
3796 /* 4.5,5.6 - Check that GCD(p-1, e) == 1 */
3797 ret = mp_sub_d(prime, 1, &tmp1); /* tmp1 = prime-1 */
3798 if (ret != MP_OKAY) goto notOkay;
3799 ret = mp_gcd(&tmp1, e, &tmp2); /* tmp2 = gcd(prime-1, e) */
3800 if (ret != MP_OKAY) goto notOkay;
3801 ret = mp_cmp_d(&tmp2, 1);
3802 if (ret != MP_EQ) goto exit; /* e divides p-1 */
3803
3804 /* 4.5.1,5.6.1 - Check primality of p with 8 rounds of M-R.
3805 * mp_prime_is_prime_ex() performs test divisions against the first 256
3806 * prime numbers. After that it performs 8 rounds of M-R using random
3807 * bases between 2 and n-2.
3808 * mp_prime_is_prime() performs the same test divisions and then does
3809 * M-R with the first 8 primes. Both functions set isPrime as a
3810 * side-effect. */
3811 if (rng != NULL)
3812 ret = mp_prime_is_prime_ex(prime, 8, isPrime, rng);
3813 else
3814 ret = mp_prime_is_prime(prime, 8, isPrime);
3815 if (ret != MP_OKAY) goto notOkay;
3816
3817exit:
3818 ret = MP_OKAY;
3819notOkay:
3820 mp_clear(&tmp1);
3821 mp_clear(&tmp2);
3822 return ret;
3823}
3824
3825
3826int wc_CheckProbablePrime_ex(const byte* pRaw, word32 pRawSz,
3827 const byte* qRaw, word32 qRawSz,
3828 const byte* eRaw, word32 eRawSz,
3829 int nlen, int* isPrime, WC_RNG* rng)
3830{
3831 mp_int p, q, e;
3832 mp_int* Q = NULL;
3833 int ret;
3834
3835 if (pRaw == NULL || pRawSz == 0 ||
3836 eRaw == NULL || eRawSz == 0 ||
3837 isPrime == NULL) {
3838
3839 return BAD_FUNC_ARG;
3840 }
3841
3842 if ((qRaw != NULL && qRawSz == 0) || (qRaw == NULL && qRawSz != 0))
3843 return BAD_FUNC_ARG;
3844
3845 ret = mp_init_multi(&p, &q, &e, NULL, NULL, NULL);
3846
3847 if (ret == MP_OKAY)
3848 ret = mp_read_unsigned_bin(&p, pRaw, pRawSz);
3849
3850 if (ret == MP_OKAY) {
3851 if (qRaw != NULL) {
3852 ret = mp_read_unsigned_bin(&q, qRaw, qRawSz);
3853 if (ret == MP_OKAY)
3854 Q = &q;
3855 }
3856 }
3857
3858 if (ret == MP_OKAY)
3859 ret = mp_read_unsigned_bin(&e, eRaw, eRawSz);
3860
3861 if (ret == MP_OKAY)
3862 ret = _CheckProbablePrime(&p, Q, &e, nlen, isPrime, rng);
3863
3864 ret = (ret == MP_OKAY) ? 0 : PRIME_GEN_E;
3865
3866 mp_clear(&p);
3867 mp_clear(&q);
3868 mp_clear(&e);
3869
3870 return ret;
3871}
3872
3873
3874int wc_CheckProbablePrime(const byte* pRaw, word32 pRawSz,
3875 const byte* qRaw, word32 qRawSz,
3876 const byte* eRaw, word32 eRawSz,
3877 int nlen, int* isPrime)
3878{
3879 return wc_CheckProbablePrime_ex(pRaw, pRawSz, qRaw, qRawSz,
3880 eRaw, eRawSz, nlen, isPrime, NULL);
3881}
3882
3883#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS) && \
3884 defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2))
3885/* Make an RSA key for size bits, with e specified, 65537 is a good e */
3886int wc_MakeRsaKey(RsaKey* key, int size, long e, WC_RNG* rng)
3887{
3888#ifndef WC_NO_RNG
3889 mp_int p, q, tmp1, tmp2, tmp3;
3890 int err, i, failCount, primeSz, isPrime = 0;
3891 byte* buf = NULL;
3892
3893 if (key == NULL || rng == NULL)
3894 return BAD_FUNC_ARG;
3895
3896 if (!RsaSizeCheck(size))
3897 return BAD_FUNC_ARG;
3898
3899 if (e < 3 || (e & 1) == 0)
3900 return BAD_FUNC_ARG;
3901
3902#if defined(WOLFSSL_CRYPTOCELL)
3903
3904 return cc310_RSA_GenerateKeyPair(key, size, e);
3905
3906#endif /*WOLFSSL_CRYPTOCELL*/
3907
3908#ifdef WOLF_CRYPTO_CB
3909 if (key->devId != INVALID_DEVID) {
3910 int ret = wc_CryptoCb_MakeRsaKey(key, size, e, rng);
3911 if (ret != CRYPTOCB_UNAVAILABLE)
3912 return ret;
3913 /* fall-through when unavailable */
3914 }
3915#endif
3916
3917#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_RSA) && \
3918 defined(WC_ASYNC_ENABLE_RSA_KEYGEN)
3919 if (key->asyncDev.marker == WOLFSSL_ASYNC_MARKER_RSA) {
3920 #ifdef HAVE_CAVIUM
3921 /* TODO: Not implemented */
3922 #elif defined(HAVE_INTEL_QA)
3923 return IntelQaRsaKeyGen(&key->asyncDev, key, size, e, rng);
3924 #else
3925 if (wc_AsyncTestInit(&key->asyncDev, ASYNC_TEST_RSA_MAKE)) {
3926 WC_ASYNC_TEST* testDev = &key->asyncDev.test;
3927 testDev->rsaMake.rng = rng;
3928 testDev->rsaMake.key = key;
3929 testDev->rsaMake.size = size;
3930 testDev->rsaMake.e = e;
3931 return WC_PENDING_E;
3932 }
3933 #endif
3934 }
3935#endif
3936
3937 err = mp_init_multi(&p, &q, &tmp1, &tmp2, &tmp3, NULL);
3938
3939 if (err == MP_OKAY)
3940 err = mp_set_int(&tmp3, e);
3941
3942 /* The failCount value comes from NIST FIPS 186-4, section B.3.3,
3943 * process steps 4.7 and 5.8. */
3944 failCount = 5 * (size / 2);
3945 primeSz = size / 16; /* size is the size of n in bits.
3946 primeSz is in bytes. */
3947
3948 /* allocate buffer to work with */
3949 if (err == MP_OKAY) {
3950 buf = (byte*)XMALLOC(primeSz, key->heap, DYNAMIC_TYPE_RSA);
3951 if (buf == NULL)
3952 err = MEMORY_E;
3953 }
3954
3955 /* make p */
3956 if (err == MP_OKAY) {
3957 isPrime = 0;
3958 i = 0;
3959 do {
3960#ifdef SHOW_GEN
3961 printf(".");
3962 fflush(stdout);
3963#endif
3964 /* generate value */
3965 err = wc_RNG_GenerateBlock(rng, buf, primeSz);
3966 if (err == 0) {
3967 /* prime lower bound has the MSB set, set it in candidate */
3968 buf[0] |= 0x80;
3969 /* make candidate odd */
3970 buf[primeSz-1] |= 0x01;
3971 /* load value */
3972 err = mp_read_unsigned_bin(&p, buf, primeSz);
3973 }
3974
3975 if (err == MP_OKAY)
3976 err = _CheckProbablePrime(&p, NULL, &tmp3, size, &isPrime, rng);
3977
3978#ifdef HAVE_FIPS
3979 i++;
3980#else
3981 /* Keep the old retry behavior in non-FIPS build. */
3982 (void)i;
3983#endif
3984 } while (err == MP_OKAY && !isPrime && i < failCount);
3985 }
3986
3987 if (err == MP_OKAY && !isPrime)
3988 err = PRIME_GEN_E;
3989
3990 /* make q */
3991 if (err == MP_OKAY) {
3992 isPrime = 0;
3993 i = 0;
3994 do {
3995#ifdef SHOW_GEN
3996 printf(".");
3997 fflush(stdout);
3998#endif
3999 /* generate value */
4000 err = wc_RNG_GenerateBlock(rng, buf, primeSz);
4001 if (err == 0) {
4002 /* prime lower bound has the MSB set, set it in candidate */
4003 buf[0] |= 0x80;
4004 /* make candidate odd */
4005 buf[primeSz-1] |= 0x01;
4006 /* load value */
4007 err = mp_read_unsigned_bin(&q, buf, primeSz);
4008 }
4009
4010 if (err == MP_OKAY)
4011 err = _CheckProbablePrime(&p, &q, &tmp3, size, &isPrime, rng);
4012
4013#ifdef HAVE_FIPS
4014 i++;
4015#else
4016 /* Keep the old retry behavior in non-FIPS build. */
4017 (void)i;
4018#endif
4019 } while (err == MP_OKAY && !isPrime && i < failCount);
4020 }
4021
4022 if (err == MP_OKAY && !isPrime)
4023 err = PRIME_GEN_E;
4024
4025 if (buf) {
4026 ForceZero(buf, primeSz);
4027 XFREE(buf, key->heap, DYNAMIC_TYPE_RSA);
4028 }
4029
4030 if (err == MP_OKAY && mp_cmp(&p, &q) < 0) {
4031 err = mp_copy(&p, &tmp1);
4032 if (err == MP_OKAY)
4033 err = mp_copy(&q, &p);
4034 if (err == MP_OKAY)
4035 mp_copy(&tmp1, &q);
4036 }
4037
4038 /* Setup RsaKey buffers */
4039 if (err == MP_OKAY)
4040 err = mp_init_multi(&key->n, &key->e, &key->d, &key->p, &key->q, NULL);
4041 if (err == MP_OKAY)
4042 err = mp_init_multi(&key->dP, &key->dQ, &key->u, NULL, NULL, NULL);
4043
4044 /* Software Key Calculation */
4045 if (err == MP_OKAY) /* tmp1 = p-1 */
4046 err = mp_sub_d(&p, 1, &tmp1);
4047 if (err == MP_OKAY) /* tmp2 = q-1 */
4048 err = mp_sub_d(&q, 1, &tmp2);
4049#ifdef WC_RSA_BLINDING
4050 if (err == MP_OKAY) /* tmp3 = order of n */
4051 err = mp_mul(&tmp1, &tmp2, &tmp3);
4052#else
4053 if (err == MP_OKAY) /* tmp3 = lcm(p-1, q-1), last loop */
4054 err = mp_lcm(&tmp1, &tmp2, &tmp3);
4055#endif
4056 /* make key */
4057 if (err == MP_OKAY) /* key->e = e */
4058 err = mp_set_int(&key->e, (mp_digit)e);
4059#ifdef WC_RSA_BLINDING
4060 /* Blind the inverse operation with a value that is invertable */
4061 if (err == MP_OKAY) {
4062 do {
4063 err = mp_rand(&key->p, get_digit_count(&tmp3), rng);
4064 if (err == MP_OKAY)
4065 err = mp_set_bit(&key->p, 0);
4066 if (err == MP_OKAY)
4067 err = mp_set_bit(&key->p, size - 1);
4068 if (err == MP_OKAY)
4069 err = mp_gcd(&key->p, &tmp3, &key->q);
4070 }
4071 while ((err == MP_OKAY) && !mp_isone(&key->q));
4072 }
4073 if (err == MP_OKAY)
4074 err = mp_mul_d(&key->p, (mp_digit)e, &key->e);
4075#endif
4076 if (err == MP_OKAY) /* key->d = 1/e mod lcm(p-1, q-1) */
4077 err = mp_invmod(&key->e, &tmp3, &key->d);
4078#ifdef WC_RSA_BLINDING
4079 /* Take off blinding from d and reset e */
4080 if (err == MP_OKAY)
4081 err = mp_mulmod(&key->d, &key->p, &tmp3, &key->d);
4082 if (err == MP_OKAY)
4083 err = mp_set_int(&key->e, (mp_digit)e);
4084#endif
4085 if (err == MP_OKAY) /* key->n = pq */
4086 err = mp_mul(&p, &q, &key->n);
4087 if (err == MP_OKAY) /* key->dP = d mod(p-1) */
4088 err = mp_mod(&key->d, &tmp1, &key->dP);
4089 if (err == MP_OKAY) /* key->dQ = d mod(q-1) */
4090 err = mp_mod(&key->d, &tmp2, &key->dQ);
4091#ifdef WOLFSSL_MP_INVMOD_CONSTANT_TIME
4092 if (err == MP_OKAY) /* key->u = 1/q mod p */
4093 err = mp_invmod(&q, &p, &key->u);
4094#else
4095 if (err == MP_OKAY)
4096 err = mp_sub_d(&p, 2, &tmp3);
4097 if (err == MP_OKAY) /* key->u = 1/q mod p = q^p-2 mod p */
4098 err = mp_exptmod(&q, &tmp3 , &p, &key->u);
4099#endif
4100 if (err == MP_OKAY)
4101 err = mp_copy(&p, &key->p);
4102 if (err == MP_OKAY)
4103 err = mp_copy(&q, &key->q);
4104
4105#ifdef HAVE_WOLF_BIGINT
4106 /* make sure raw unsigned bin version is available */
4107 if (err == MP_OKAY)
4108 err = wc_mp_to_bigint(&key->n, &key->n.raw);
4109 if (err == MP_OKAY)
4110 err = wc_mp_to_bigint(&key->e, &key->e.raw);
4111 if (err == MP_OKAY)
4112 err = wc_mp_to_bigint(&key->d, &key->d.raw);
4113 if (err == MP_OKAY)
4114 err = wc_mp_to_bigint(&key->p, &key->p.raw);
4115 if (err == MP_OKAY)
4116 err = wc_mp_to_bigint(&key->q, &key->q.raw);
4117 if (err == MP_OKAY)
4118 err = wc_mp_to_bigint(&key->dP, &key->dP.raw);
4119 if (err == MP_OKAY)
4120 err = wc_mp_to_bigint(&key->dQ, &key->dQ.raw);
4121 if (err == MP_OKAY)
4122 err = wc_mp_to_bigint(&key->u, &key->u.raw);
4123#endif
4124
4125 if (err == MP_OKAY)
4126 key->type = RSA_PRIVATE;
4127
4128 mp_clear(&tmp1);
4129 mp_clear(&tmp2);
4130 mp_clear(&tmp3);
4131 mp_clear(&p);
4132 mp_clear(&q);
4133
4134#if defined(WOLFSSL_KEY_GEN) && !defined(WOLFSSL_NO_RSA_KEY_CHECK)
4135 /* Perform the pair-wise consistency test on the new key. */
4136 if (err == 0)
4137 err = wc_CheckRsaKey(key);
4138#endif
4139
4140 if (err != 0) {
4141 wc_FreeRsaKey(key);
4142 return err;
4143 }
4144
4145#if defined(WOLFSSL_XILINX_CRYPT) || defined(WOLFSSL_CRYPTOCELL)
4146 if (wc_InitRsaHw(key) != 0) {
4147 return BAD_STATE_E;
4148 }
4149#endif
4150 return 0;
4151#else
4152 return NOT_COMPILED_IN;
4153#endif
4154}
4155#endif /* !FIPS || FIPS_VER >= 2 */
4156#endif /* WOLFSSL_KEY_GEN */
4157
4158
4159#ifdef WC_RSA_BLINDING
4160int wc_RsaSetRNG(RsaKey* key, WC_RNG* rng)
4161{
4162 if (key == NULL)
4163 return BAD_FUNC_ARG;
4164
4165 key->rng = rng;
4166
4167 return 0;
4168}
4169#endif /* WC_RSA_BLINDING */
4170
4171#ifdef WC_RSA_NONBLOCK
4172int wc_RsaSetNonBlock(RsaKey* key, RsaNb* nb)
4173{
4174 if (key == NULL)
4175 return BAD_FUNC_ARG;
4176
4177 if (nb) {
4178 XMEMSET(nb, 0, sizeof(RsaNb));
4179 }
4180
4181 /* Allow nb == NULL to clear non-block mode */
4182 key->nb = nb;
4183
4184 return 0;
4185}
4186#ifdef WC_RSA_NONBLOCK_TIME
4187int wc_RsaSetNonBlockTime(RsaKey* key, word32 maxBlockUs, word32 cpuMHz)
4188{
4189 if (key == NULL || key->nb == NULL) {
4190 return BAD_FUNC_ARG;
4191 }
4192
4193 /* calculate maximum number of instructions to block */
4194 key->nb->exptmod.maxBlockInst = cpuMHz * maxBlockUs;
4195
4196 return 0;
4197}
4198#endif /* WC_RSA_NONBLOCK_TIME */
4199#endif /* WC_RSA_NONBLOCK */
4200
4201#endif /* NO_RSA */
Note: See TracBrowser for help on using the repository browser.