- Timestamp:
- Jun 22, 2021, 9:00:19 PM (3 years ago)
- Location:
- azure_iot_hub_f767zi/trunk/wolfssl-4.7.0
- Files:
-
- 1 edited
- 1 moved
Legend:
- Unmodified
- Added
- Removed
-
azure_iot_hub_f767zi/trunk/wolfssl-4.7.0/wolfcrypt/src/rsa.c
r457 r464 20 20 */ 21 21 22 22 /* 23 24 DESCRIPTION 25 This library provides the interface to the RSA. 26 RSA keys can be used to encrypt, decrypt, sign and verify data. 27 28 */ 23 29 #ifdef HAVE_CONFIG_H 24 30 #include <config.h> … … 336 342 } 337 343 338 #ifdef HAVE_PKCS11344 #ifdef WOLF_CRYPTO_CB 339 345 int wc_InitRsaKey_Id(RsaKey* key, unsigned char* id, int len, void* heap, 340 346 int devId) … … 349 355 if (ret == 0) 350 356 ret = wc_InitRsaKey_ex(key, heap, devId); 351 352 357 if (ret == 0 && id != NULL && len != 0) { 353 358 XMEMCPY(key->id, id, len); 354 359 key->idLen = len; 360 } 361 362 return ret; 363 } 364 365 int wc_InitRsaKey_Label(RsaKey* key, const char* label, void* heap, int devId) 366 { 367 int ret = 0; 368 int labelLen = 0; 369 370 if (key == NULL || label == NULL) 371 ret = BAD_FUNC_ARG; 372 if (ret == 0) { 373 labelLen = (int)XSTRLEN(label); 374 if (labelLen == 0 || labelLen > RSA_MAX_LABEL_LEN) 375 ret = BUFFER_E; 376 } 377 378 if (ret == 0) 379 ret = wc_InitRsaKey_ex(key, heap, devId); 380 if (ret == 0) { 381 XMEMCPY(key->label, label, labelLen); 382 key->labelLen = labelLen; 355 383 } 356 384 … … 381 409 mSz = mp_unsigned_bin_size(&(key->n)); 382 410 m = (unsigned char*)XMALLOC(mSz, key->heap, DYNAMIC_TYPE_KEY); 383 if (m == 0) {411 if (m == NULL) { 384 412 return MEMORY_E; 385 413 } … … 478 506 CRYS_RSAKGFipsContext_t FipsCtx; 479 507 byte ex[3]; 480 uint16_teSz = sizeof(ex);508 word16 eSz = sizeof(ex); 481 509 byte n[256]; 482 uint16_tnSz = sizeof(n);510 word16 nSz = sizeof(n); 483 511 484 512 ret = CRYS_RSA_KG_GenerateKeyPair(&wc_rndState, 485 513 wc_rndGenVectFunc, 486 514 (byte*)&e, 487 3*sizeof( uint8_t),515 3*sizeof(byte), 488 516 size, 489 517 &key->ctx.privKey, … … 606 634 ret = MP_READ_E; 607 635 } 608 609 636 #ifdef WOLFSSL_HAVE_SP_RSA 610 #ifndef WOLFSSL_SP_NO_2048 611 if (mp_count_bits(&key->n) == 2048) { 612 ret = sp_ModExp_2048(k, &key->e, &key->n, tmp); 613 if (ret != 0) 637 if (ret == 0) { 638 switch (mp_count_bits(&key->n)) { 639 #ifndef WOLFSSL_SP_NO_2048 640 case 2048: 641 ret = sp_ModExp_2048(k, &key->e, &key->n, tmp); 642 if (ret != 0) 643 ret = MP_EXPTMOD_E; 644 if (ret == 0) { 645 ret = sp_ModExp_2048(tmp, &key->d, &key->n, tmp); 646 if (ret != 0) 647 ret = MP_EXPTMOD_E; 648 } 649 break; 650 #endif /* WOLFSSL_SP_NO_2048 */ 651 #ifndef WOLFSSL_SP_NO_3072 652 case 3072: 653 ret = sp_ModExp_3072(k, &key->e, &key->n, tmp); 654 if (ret != 0) 655 ret = MP_EXPTMOD_E; 656 if (ret == 0) { 657 ret = sp_ModExp_3072(tmp, &key->d, &key->n, tmp); 658 if (ret != 0) 659 ret = MP_EXPTMOD_E; 660 } 661 break; 662 #endif /* WOLFSSL_SP_NO_3072 */ 663 #ifdef WOLFSSL_SP_4096 664 case 4096: 665 ret = sp_ModExp_4096(k, &key->e, &key->n, tmp); 666 if (ret != 0) 667 ret = MP_EXPTMOD_E; 668 if (ret == 0) { 669 ret = sp_ModExp_4096(tmp, &key->d, &key->n, tmp); 670 if (ret != 0) 671 ret = MP_EXPTMOD_E; 672 } 673 break; 674 #endif /* WOLFSSL_SP_4096 */ 675 default: 676 /* If using only single precsision math then issue key size 677 * error, otherwise fall-back to multi-precision math 678 * calculation */ 679 #if defined(WOLFSSL_SP_MATH) 680 ret = WC_KEY_SIZE_E; 681 #else 682 if (mp_exptmod_nct(k, &key->e, &key->n, tmp) != MP_OKAY) 683 ret = MP_EXPTMOD_E; 684 if (ret == 0) { 685 if (mp_exptmod(tmp, &key->d, &key->n, tmp) != MP_OKAY) 686 ret = MP_EXPTMOD_E; 687 } 688 #endif 689 break; 690 } 691 } 692 #else 693 if (ret == 0) { 694 if (mp_exptmod_nct(k, &key->e, &key->n, tmp) != MP_OKAY) 614 695 ret = MP_EXPTMOD_E; 615 ret = sp_ModExp_2048(tmp, &key->d, &key->n, tmp); 616 if (ret != 0) 696 } 697 698 if (ret == 0) { 699 if (mp_exptmod(tmp, &key->d, &key->n, tmp) != MP_OKAY) 617 700 ret = MP_EXPTMOD_E; 618 701 } 619 else 620 #endif 621 #ifndef WOLFSSL_SP_NO_3072 622 if (mp_count_bits(&key->n) == 3072) { 623 ret = sp_ModExp_3072(k, &key->e, &key->n, tmp); 624 if (ret != 0) 625 ret = MP_EXPTMOD_E; 626 ret = sp_ModExp_3072(tmp, &key->d, &key->n, tmp); 627 if (ret != 0) 628 ret = MP_EXPTMOD_E; 629 } 630 else 631 #endif 632 #ifdef WOLFSSL_SP_4096 633 if (mp_count_bits(&key->n) == 4096) { 634 ret = sp_ModExp_4096(k, &key->e, &key->n, tmp); 635 if (ret != 0) 636 ret = MP_EXPTMOD_E; 637 ret = sp_ModExp_4096(tmp, &key->d, &key->n, tmp); 638 if (ret != 0) 639 ret = MP_EXPTMOD_E; 640 } 641 else 642 #endif 643 #endif 644 #ifdef WOLFSSL_SP_MATH 645 { 646 ret = WC_KEY_SIZE_E; 647 } 648 #else 649 { 650 if (ret == 0) { 651 if (mp_exptmod(k, &key->e, &key->n, tmp) != MP_OKAY) 652 ret = MP_EXPTMOD_E; 653 } 654 655 if (ret == 0) { 656 if (mp_exptmod(tmp, &key->d, &key->n, tmp) != MP_OKAY) 657 ret = MP_EXPTMOD_E; 658 } 659 } 660 #endif 702 #endif /* WOLFSSL_HAVE_SP_RSA */ 661 703 662 704 if (ret == 0) { … … 757 799 return ret; 758 800 } 759 #endif 760 #endif 801 #endif /* WOLFSSL_KEY_GEN && !WOLFSSL_NO_RSA_KEY_CHECK */ 802 #endif /* WOLFSSL_RSA_PUBLIC_ONLY */ 761 803 762 804 … … 816 858 817 859 /* counter to byte array appended to tmp */ 818 tmp[seedSz] = ( counter >> 24) & 0xFF;819 tmp[seedSz + 1] = ( counter >> 16) & 0xFF;820 tmp[seedSz + 2] = ( counter >> 8) & 0xFF;821 tmp[seedSz + 3] = ( counter) & 0xFF;860 tmp[seedSz] = (byte)((counter >> 24) & 0xFF); 861 tmp[seedSz + 1] = (byte)((counter >> 16) & 0xFF); 862 tmp[seedSz + 2] = (byte)((counter >> 8) & 0xFF); 863 tmp[seedSz + 3] = (byte)((counter) & 0xFF); 822 864 823 865 /* hash and append to existing output */ … … 1103 1145 byte* m; 1104 1146 byte* s; 1147 #if defined(WOLFSSL_NO_MALLOC) && !defined(WOLFSSL_STATIC_MEMORY) 1148 byte msg[RSA_MAX_SIZE/8 + RSA_PSS_PAD_SZ]; 1149 #else 1150 byte* msg = NULL; 1151 #endif 1105 1152 #if defined(WOLFSSL_PSS_LONG_SALT) || defined(WOLFSSL_PSS_SALT_LEN_DISCOVER) 1106 #if defined(WOLFSSL_NO_MALLOC) && !defined(WOLFSSL_STATIC_MEMORY) 1107 byte salt[RSA_MAX_SIZE/8 + RSA_PSS_PAD_SZ]; 1108 #else 1109 byte* salt = NULL; 1110 #endif 1153 byte* salt; 1111 1154 #else 1112 1155 byte salt[WC_MAX_DIGEST_SIZE]; … … 1122 1165 if (hLen < 0) 1123 1166 return hLen; 1167 if ((int)inputLen != hLen) { 1168 return BAD_FUNC_ARG; 1169 } 1124 1170 1125 1171 hiBits = (bits - 1) & 0x7; 1126 1172 if (hiBits == 0) { 1173 /* Per RFC8017, set the leftmost 8emLen - emBits bits of the 1174 leftmost octet in DB to zero. 1175 */ 1127 1176 *(pkcsBlock++) = 0; 1128 1177 pkcsBlockLen--; … … 1161 1210 return PSS_SALTLEN_E; 1162 1211 } 1163 1164 1212 maskLen = pkcsBlockLen - 1 - hLen; 1165 1213 1166 1214 #if defined(WOLFSSL_PSS_LONG_SALT) || defined(WOLFSSL_PSS_SALT_LEN_DISCOVER) 1167 1215 #if !defined(WOLFSSL_NO_MALLOC) || defined(WOLFSSL_STATIC_MEMORY) 1168 salt= (byte*)XMALLOC(RSA_PSS_PAD_SZ + inputLen + saltLen, heap,1216 msg = (byte*)XMALLOC(RSA_PSS_PAD_SZ + inputLen + saltLen, heap, 1169 1217 DYNAMIC_TYPE_RSA_BUFFER); 1170 if ( salt== NULL) {1218 if (msg == NULL) { 1171 1219 return MEMORY_E; 1172 1220 } 1173 1221 #endif 1174 s = m = salt;1222 salt = s = m = msg; 1175 1223 XMEMSET(m, 0, RSA_PSS_PAD_SZ); 1176 1224 m += RSA_PSS_PAD_SZ; … … 1185 1233 } 1186 1234 #else 1187 s = m = pkcsBlock; 1235 if (pkcsBlockLen < RSA_PSS_PAD_SZ + inputLen + saltLen) { 1236 #if !defined(WOLFSSL_NO_MALLOC) || defined(WOLFSSL_STATIC_MEMORY) 1237 msg = (byte*)XMALLOC(RSA_PSS_PAD_SZ + inputLen + saltLen, heap, 1238 DYNAMIC_TYPE_RSA_BUFFER); 1239 if (msg == NULL) { 1240 return MEMORY_E; 1241 } 1242 #endif 1243 m = msg; 1244 } 1245 else { 1246 m = pkcsBlock; 1247 } 1248 s = m; 1188 1249 XMEMSET(m, 0, RSA_PSS_PAD_SZ); 1189 1250 m += RSA_PSS_PAD_SZ; … … 1204 1265 } 1205 1266 if (ret == 0) { 1267 /* Set the last eight bits or trailer field to the octet 0xbc */ 1206 1268 pkcsBlock[pkcsBlockLen - 1] = RSA_PSS_PAD_TERM; 1207 1269 … … 1209 1271 } 1210 1272 if (ret == 0) { 1211 pkcsBlock[0] &= (1 << hiBits) - 1; 1273 /* Clear the first high bit when "8emLen - emBits" is non-zero. 1274 where emBits = n modBits - 1 */ 1275 if (hiBits) 1276 pkcsBlock[0] &= (1 << hiBits) - 1; 1212 1277 1213 1278 m = pkcsBlock + maskLen - saltLen - 1; … … 1218 1283 } 1219 1284 1220 #if defined(WOLFSSL_PSS_LONG_SALT) || defined(WOLFSSL_PSS_SALT_LEN_DISCOVER)1221 1285 #if !defined(WOLFSSL_NO_MALLOC) || defined(WOLFSSL_STATIC_MEMORY) 1222 if ( salt!= NULL) {1223 XFREE( salt, heap, DYNAMIC_TYPE_RSA_BUFFER);1286 if (msg != NULL) { 1287 XFREE(msg, heap, DYNAMIC_TYPE_RSA_BUFFER); 1224 1288 } 1225 1289 #endif 1226 #endif1227 1290 return ret; 1228 1291 } … … 1238 1301 } 1239 1302 1303 if (pkcsBlockLen - RSA_MIN_PAD_SZ < inputLen) { 1304 WOLFSSL_MSG("RsaPad error, invalid length"); 1305 return RSA_PAD_E; 1306 } 1240 1307 pkcsBlock[0] = 0x0; /* set first byte to zero and advance */ 1241 1308 pkcsBlock++; pkcsBlockLen--; … … 1243 1310 1244 1311 if (padValue == RSA_BLOCK_TYPE_1) { 1245 if (pkcsBlockLen < inputLen + 2) {1246 WOLFSSL_MSG("RsaPad error, invalid length");1247 return RSA_PAD_E;1248 }1249 1312 1250 1313 /* pad with 0xff bytes */ … … 1256 1319 word32 padLen, i; 1257 1320 int ret; 1258 1259 if (pkcsBlockLen < inputLen + 1) {1260 WOLFSSL_MSG("RsaPad error, invalid length");1261 return RSA_PAD_E;1262 }1263 1264 1321 padLen = pkcsBlockLen - inputLen - 1; 1265 1322 ret = wc_RNG_GenerateBlock(rng, &pkcsBlock[1], padLen); … … 1458 1515 * bits Length of key in bits. 1459 1516 * heap Used for dynamic memory allocation. 1460 * returns 0 on success, PSS_SALTLEN_E when the salt length is invalid, 1461 * BAD_PADDING_E when the padding is not valid, MEMORY_E when allocation fails 1462 * and other negative values on error. 1517 * returns the sum of salt length and SHA-256 digest size on success. 1518 * Otherwise, PSS_SALTLEN_E for an incorrect salt length, 1519 * WC_KEY_SIZE_E for an incorrect encoded message (EM) size 1520 and other negative values on error. 1463 1521 */ 1464 1522 static int RsaUnPad_PSS(byte *pkcsBlock, unsigned int pkcsBlockLen, … … 1597 1655 #endif 1598 1656 1599 if (output == NULL || pkcsBlockLen == 0|| pkcsBlockLen > 0xFFFF) {1657 if (output == NULL || pkcsBlockLen < 2 || pkcsBlockLen > 0xFFFF) { 1600 1658 return BAD_FUNC_ARG; 1601 1659 } … … 1719 1777 } 1720 1778 1721 #if defined(WOLFSSL_XILINX_CRYPT) 1722 /* 1723 * Xilinx hardened crypto acceleration. 1724 * 1725 * Returns 0 on success and negative values on error. 1726 */ 1727 static int wc_RsaFunctionXil(const byte* in, word32 inLen, byte* out, 1728 word32* outLen, int type, RsaKey* key, WC_RNG* rng) 1729 { 1730 int ret = 0; 1731 word32 keyLen; 1732 (void)rng; 1733 1734 keyLen = wc_RsaEncryptSize(key); 1735 if (keyLen > *outLen) { 1736 WOLFSSL_MSG("Output buffer is not big enough"); 1737 return BAD_FUNC_ARG; 1738 } 1739 1740 if (inLen != keyLen) { 1741 WOLFSSL_MSG("Expected that inLen equals RSA key length"); 1742 return BAD_FUNC_ARG; 1743 } 1744 1745 switch(type) { 1746 case RSA_PRIVATE_DECRYPT: 1747 case RSA_PRIVATE_ENCRYPT: 1748 /* Currently public exponent is loaded by default. 1749 * In SDK 2017.1 RSA exponent values are expected to be of 4 bytes 1750 * leading to private key operations with Xsecure_RsaDecrypt not being 1751 * supported */ 1752 ret = RSA_WRONG_TYPE_E; 1779 int wc_hash2mgf(enum wc_HashType hType) 1780 { 1781 switch (hType) { 1782 case WC_HASH_TYPE_NONE: 1783 return WC_MGF1NONE; 1784 case WC_HASH_TYPE_SHA: 1785 #ifndef NO_SHA 1786 return WC_MGF1SHA1; 1787 #else 1753 1788 break; 1754 case RSA_PUBLIC_ENCRYPT: 1755 case RSA_PUBLIC_DECRYPT:1756 if (XSecure_RsaDecrypt(&(key->xRsa), in, out) != XST_SUCCESS) { 1757 ret = BAD_STATE_E;1758 } 1789 #endif 1790 case WC_HASH_TYPE_SHA224: 1791 #ifdef WOLFSSL_SHA224 1792 return WC_MGF1SHA224; 1793 #else 1759 1794 break; 1795 #endif 1796 case WC_HASH_TYPE_SHA256: 1797 #ifndef NO_SHA256 1798 return WC_MGF1SHA256; 1799 #else 1800 break; 1801 #endif 1802 case WC_HASH_TYPE_SHA384: 1803 #ifdef WOLFSSL_SHA384 1804 return WC_MGF1SHA384; 1805 #else 1806 break; 1807 #endif 1808 case WC_HASH_TYPE_SHA512: 1809 #ifdef WOLFSSL_SHA512 1810 return WC_MGF1SHA512; 1811 #else 1812 break; 1813 #endif 1814 case WC_HASH_TYPE_MD2: 1815 case WC_HASH_TYPE_MD4: 1816 case WC_HASH_TYPE_MD5: 1817 case WC_HASH_TYPE_MD5_SHA: 1818 case WC_HASH_TYPE_SHA3_224: 1819 case WC_HASH_TYPE_SHA3_256: 1820 case WC_HASH_TYPE_SHA3_384: 1821 case WC_HASH_TYPE_SHA3_512: 1822 case WC_HASH_TYPE_BLAKE2B: 1823 case WC_HASH_TYPE_BLAKE2S: 1760 1824 default: 1761 ret = RSA_WRONG_TYPE_E; 1762 } 1763 1764 *outLen = keyLen; 1765 1766 return ret; 1767 } 1768 #endif /* WOLFSSL_XILINX_CRYPT */ 1825 break; 1826 } 1827 WOLFSSL_MSG("Unrecognized or unsupported hash function"); 1828 return WC_MGF1NONE; 1829 } 1769 1830 1770 1831 #ifdef WC_RSA_NONBLOCK … … 1846 1907 #endif /* WC_RSA_NONBLOCK */ 1847 1908 1848 #ifdef WOLFSSL_AFALG_XILINX_RSA 1909 #ifdef WOLFSSL_XILINX_CRYPT 1910 /* 1911 * Xilinx hardened crypto acceleration. 1912 * 1913 * Returns 0 on success and negative values on error. 1914 */ 1915 static int wc_RsaFunctionSync(const byte* in, word32 inLen, byte* out, 1916 word32* outLen, int type, RsaKey* key, WC_RNG* rng) 1917 { 1918 int ret = 0; 1919 word32 keyLen; 1920 (void)rng; 1921 1922 keyLen = wc_RsaEncryptSize(key); 1923 if (keyLen > *outLen) { 1924 WOLFSSL_MSG("Output buffer is not big enough"); 1925 return BAD_FUNC_ARG; 1926 } 1927 1928 if (inLen != keyLen) { 1929 WOLFSSL_MSG("Expected that inLen equals RSA key length"); 1930 return BAD_FUNC_ARG; 1931 } 1932 1933 switch(type) { 1934 case RSA_PRIVATE_DECRYPT: 1935 case RSA_PRIVATE_ENCRYPT: 1936 #ifdef WOLFSSL_XILINX_CRYPTO_OLD 1937 /* Currently public exponent is loaded by default. 1938 * In SDK 2017.1 RSA exponent values are expected to be of 4 bytes 1939 * leading to private key operations with Xsecure_RsaDecrypt not being 1940 * supported */ 1941 ret = RSA_WRONG_TYPE_E; 1942 #else 1943 { 1944 byte *d; 1945 int dSz; 1946 XSecure_Rsa rsa; 1947 1948 dSz = mp_unsigned_bin_size(&key->d); 1949 d = (byte*)XMALLOC(dSz, key->heap, DYNAMIC_TYPE_PRIVATE_KEY); 1950 if (d == NULL) { 1951 ret = MEMORY_E; 1952 } 1953 else { 1954 ret = mp_to_unsigned_bin(&key->d, d); 1955 XSecure_RsaInitialize(&rsa, key->mod, NULL, d); 1956 } 1957 1958 if (ret == 0) { 1959 if (XSecure_RsaPrivateDecrypt(&rsa, (u8*)in, inLen, out) != 1960 XST_SUCCESS) { 1961 ret = BAD_STATE_E; 1962 } 1963 } 1964 1965 if (d != NULL) { 1966 XFREE(d, key->heap, DYNAMIC_TYPE_PRIVATE_KEY); 1967 } 1968 } 1969 #endif 1970 break; 1971 case RSA_PUBLIC_ENCRYPT: 1972 case RSA_PUBLIC_DECRYPT: 1973 #ifdef WOLFSSL_XILINX_CRYPTO_OLD 1974 if (XSecure_RsaDecrypt(&(key->xRsa), in, out) != XST_SUCCESS) { 1975 ret = BAD_STATE_E; 1976 } 1977 #else 1978 /* starting at Xilinx release 2019 the function XSecure_RsaDecrypt was removed */ 1979 if (XSecure_RsaPublicEncrypt(&(key->xRsa), (u8*)in, inLen, out) != XST_SUCCESS) { 1980 WOLFSSL_MSG("Error happened when calling hardware RSA public operation"); 1981 ret = BAD_STATE_E; 1982 } 1983 #endif 1984 break; 1985 default: 1986 ret = RSA_WRONG_TYPE_E; 1987 } 1988 1989 *outLen = keyLen; 1990 1991 return ret; 1992 } 1993 1994 #elif defined(WOLFSSL_AFALG_XILINX_RSA) 1849 1995 #ifndef ERROR_OUT 1850 1996 #define ERROR_OUT(x) ret = (x); goto done … … 2010 2156 word32* outLen, int type, RsaKey* key, WC_RNG* rng) 2011 2157 { 2012 #if ndef WOLFSSL_SP_MATH2158 #if !defined(WOLFSSL_SP_MATH) 2013 2159 #ifdef WOLFSSL_SMALL_STACK 2014 2160 mp_int* tmp; … … 2039 2185 #endif 2040 2186 #ifndef RSA_LOW_MEM 2041 return sp_RsaPrivate_2048(in, inLen, &key->d, &key->p, &key->q, 2042 &key->dP, &key->dQ, &key->u, &key->n, 2043 out, outLen); 2187 if ((mp_count_bits(&key->p) == 1024) && 2188 (mp_count_bits(&key->q) == 1024)) { 2189 return sp_RsaPrivate_2048(in, inLen, &key->d, &key->p, &key->q, 2190 &key->dP, &key->dQ, &key->u, &key->n, 2191 out, outLen); 2192 } 2193 break; 2044 2194 #else 2045 return sp_RsaPrivate_2048(in, inLen, &key->d, &key->p, &key->q,2046 NULL, NULL, NULL,&key->n, out, outLen);2195 return sp_RsaPrivate_2048(in, inLen, &key->d, NULL, NULL, NULL, 2196 NULL, NULL, &key->n, out, outLen); 2047 2197 #endif 2048 2198 #endif … … 2064 2214 #endif 2065 2215 #ifndef RSA_LOW_MEM 2066 return sp_RsaPrivate_3072(in, inLen, &key->d, &key->p, &key->q, 2067 &key->dP, &key->dQ, &key->u, &key->n, 2068 out, outLen); 2216 if ((mp_count_bits(&key->p) == 1536) && 2217 (mp_count_bits(&key->q) == 1536)) { 2218 return sp_RsaPrivate_3072(in, inLen, &key->d, &key->p, &key->q, 2219 &key->dP, &key->dQ, &key->u, &key->n, 2220 out, outLen); 2221 } 2222 break; 2069 2223 #else 2070 return sp_RsaPrivate_3072(in, inLen, &key->d, &key->p, &key->q,2071 NULL, NULL, NULL,&key->n, out, outLen);2224 return sp_RsaPrivate_3072(in, inLen, &key->d, NULL, NULL, NULL, 2225 NULL, NULL, &key->n, out, outLen); 2072 2226 #endif 2073 2227 #endif … … 2089 2243 #endif 2090 2244 #ifndef RSA_LOW_MEM 2091 return sp_RsaPrivate_4096(in, inLen, &key->d, &key->p, &key->q, 2092 &key->dP, &key->dQ, &key->u, &key->n, 2093 out, outLen); 2245 if ((mp_count_bits(&key->p) == 2048) && 2246 (mp_count_bits(&key->q) == 2048)) { 2247 return sp_RsaPrivate_4096(in, inLen, &key->d, &key->p, &key->q, 2248 &key->dP, &key->dQ, &key->u, &key->n, 2249 out, outLen); 2250 } 2251 break; 2094 2252 #else 2095 return sp_RsaPrivate_4096(in, inLen, &key->d, &key->p, &key->q,2096 NULL, NULL, NULL,&key->n, out, outLen);2253 return sp_RsaPrivate_4096(in, inLen, &key->d, NULL, NULL, NULL, 2254 NULL, NULL, &key->n, out, outLen); 2097 2255 #endif 2098 2256 #endif … … 2105 2263 #endif /* WOLFSSL_HAVE_SP_RSA */ 2106 2264 2107 #if def WOLFSSL_SP_MATH2265 #if defined(WOLFSSL_SP_MATH) 2108 2266 (void)rng; 2109 2267 WOLFSSL_MSG("SP Key Size Error"); … … 2116 2274 if (tmp == NULL) 2117 2275 return MEMORY_E; 2276 #if !defined(WOLFSSL_RSA_PUBLIC_ONLY) && !defined(WOLFSSL_RSA_VERIFY_ONLY) 2118 2277 #ifdef WC_RSA_BLINDING 2119 2278 rnd = (mp_int*)XMALLOC(sizeof(mp_int) * 2, key->heap, DYNAMIC_TYPE_RSA); … … 2124 2283 rndi = rnd + 1; 2125 2284 #endif /* WC_RSA_BLINDING */ 2285 #endif 2126 2286 #endif /* WOLFSSL_SMALL_STACK */ 2127 2287 … … 2129 2289 ret = MP_INIT_E; 2130 2290 2291 #if !defined(WOLFSSL_RSA_PUBLIC_ONLY) && !defined(WOLFSSL_RSA_VERIFY_ONLY) 2131 2292 #ifdef WC_RSA_BLINDING 2132 2293 if (ret == 0) { … … 2139 2300 } 2140 2301 #endif 2302 #endif 2141 2303 2142 2304 #ifndef TEST_UNPAD_CONSTANT_TIME … … 2146 2308 if (ret == 0) { 2147 2309 switch(type) { 2148 #if ndef WOLFSSL_RSA_PUBLIC_ONLY2310 #if !defined(WOLFSSL_RSA_PUBLIC_ONLY) && !defined(WOLFSSL_RSA_VERIFY_ONLY) 2149 2311 case RSA_PRIVATE_DECRYPT: 2150 2312 case RSA_PRIVATE_ENCRYPT: … … 2159 2321 2160 2322 /* rnd = rnd^e */ 2323 #ifndef WOLFSSL_SP_MATH_ALL 2161 2324 if (ret == 0 && mp_exptmod(rnd, &key->e, &key->n, rnd) != MP_OKAY) 2162 2325 ret = MP_EXPTMOD_E; 2326 #else 2327 if (ret == 0 && mp_exptmod_nct(rnd, &key->e, &key->n, 2328 rnd) != MP_OKAY) { 2329 ret = MP_EXPTMOD_E; 2330 } 2331 #endif 2163 2332 2164 2333 /* tmp = tmp*rnd mod n */ … … 2214 2383 2215 2384 /* tmp = (tmpa - tmpb) * qInv (mod p) */ 2385 #if defined(WOLFSSL_SP_MATH) || (defined(WOLFSSL_SP_MATH_ALL) && \ 2386 !defined(WOLFSSL_SP_INT_NEGATIVE)) 2387 if (ret == 0 && mp_submod(tmpa, tmpb, &key->p, tmp) != MP_OKAY) 2388 ret = MP_SUB_E; 2389 #else 2216 2390 if (ret == 0 && mp_sub(tmpa, tmpb, tmp) != MP_OKAY) 2217 2391 ret = MP_SUB_E; 2392 #endif 2218 2393 2219 2394 if (ret == 0 && mp_mulmod(tmp, &key->u, &key->p, … … 2254 2429 case RSA_PUBLIC_ENCRYPT: 2255 2430 case RSA_PUBLIC_DECRYPT: 2256 #ifdef WOLFSSL_XILINX_CRYPT2257 ret = wc_RsaFunctionXil(in, inLen, out, outLen, type, key, rng);2258 #else2259 2431 if (mp_exptmod_nct(tmp, &key->e, &key->n, tmp) != MP_OKAY) 2260 2432 ret = MP_EXPTMOD_E; 2261 #endif2262 2433 break; 2263 2434 default: … … 2272 2443 ret = RSA_BUFFER_E; 2273 2444 } 2445 2446 #ifndef WOLFSSL_XILINX_CRYPT 2274 2447 if (ret == 0) { 2275 2448 *outLen = keyLen; … … 2277 2450 ret = MP_TO_E; 2278 2451 } 2452 #endif 2279 2453 #else 2280 2454 (void)type; … … 2510 2684 CRYSError_t ret = 0; 2511 2685 CRYS_RSAPrimeData_t primeData; 2512 uint16_tactualOutLen = outLen;2686 word16 actualOutLen = outLen; 2513 2687 2514 2688 ret = CRYS_RSA_PKCS1v15_Decrypt(&key->ctx.privKey, … … 2530 2704 { 2531 2705 CRYSError_t ret = 0; 2532 uint16_tactualOutLen = outLen*sizeof(byte);2706 word16 actualOutLen = outLen*sizeof(byte); 2533 2707 CRYS_RSAPrivUserContext_t contextPrivate; 2534 2708 … … 2593 2767 #endif 2594 2768 2769 #ifndef WOLFSSL_RSA_VERIFY_ONLY 2595 2770 #ifndef TEST_UNPAD_CONSTANT_TIME 2596 2771 #ifndef NO_RSA_BOUNDS_CHECK … … 2612 2787 2613 2788 if (mp_init(c) != MP_OKAY) 2614 ret = M EMORY_E;2789 ret = MP_INIT_E; 2615 2790 if (ret == 0) { 2616 2791 if (mp_read_unsigned_bin(c, in, inLen) != 0) … … 2642 2817 } 2643 2818 #endif /* NO_RSA_BOUNDS_CHECK */ 2819 #endif 2644 2820 #endif 2645 2821 … … 2990 3166 if (key->asyncDev.marker == WOLFSSL_ASYNC_MARKER_RSA && 2991 3167 pad_type != WC_RSA_PSS_PAD) { 2992 if (ret > 0) { 3168 ret = key->asyncDev.event.ret; 3169 if (ret >= 0) { 2993 3170 /* convert result */ 2994 3171 byte* dataLen = (byte*)&key->dataLen; … … 3132 3309 RsaKey* key) 3133 3310 { 3134 return wc_RsaSSL_Verify_ex(in, inLen, out, outLen, key 3311 return wc_RsaSSL_Verify_ex(in, inLen, out, outLen, key, WC_RSA_PKCSV15_PAD); 3135 3312 } 3136 3313 … … 3138 3315 RsaKey* key, int pad_type) 3139 3316 { 3317 return wc_RsaSSL_Verify_ex2(in, inLen, out, outLen, key, pad_type, 3318 WC_HASH_TYPE_NONE); 3319 } 3320 3321 int wc_RsaSSL_Verify_ex2(const byte* in, word32 inLen, byte* out, word32 outLen, 3322 RsaKey* key, int pad_type, enum wc_HashType hash) 3323 { 3140 3324 WC_RNG* rng; 3141 3325 … … 3150 3334 #endif 3151 3335 3336 #ifndef WOLFSSL_PSS_SALT_LEN_DISCOVER 3152 3337 return RsaPrivateDecryptEx((byte*)in, inLen, out, outLen, NULL, key, 3153 3338 RSA_PUBLIC_DECRYPT, RSA_BLOCK_TYPE_1, pad_type, 3154 WC_HASH_TYPE_NONE, WC_MGF1NONE, NULL, 0, 0, rng); 3339 hash, wc_hash2mgf(hash), NULL, 0, RSA_PSS_SALT_LEN_DEFAULT, rng); 3340 #else 3341 return RsaPrivateDecryptEx((byte*)in, inLen, out, outLen, NULL, key, 3342 RSA_PUBLIC_DECRYPT, RSA_BLOCK_TYPE_1, pad_type, 3343 hash, wc_hash2mgf(hash), NULL, 0, RSA_PSS_SALT_LEN_DISCOVER, rng); 3344 #endif 3155 3345 } 3156 3346 #endif … … 3407 3597 hLen = wc_HashGetDigestSize(hash); 3408 3598 if (hLen < 0) 3409 return hLen;3599 return BAD_FUNC_ARG; 3410 3600 if ((word32)hLen != digestLen) 3411 3601 return BAD_FUNC_ARG; … … 3674 3864 ret = mp_sub(p, q, &d); 3675 3865 3866 #if !defined(WOLFSSL_SP_MATH) && (!defined(WOLFSSL_SP_MATH_ALL) || \ 3867 defined(WOLFSSL_SP_INT_NEGATIVE)) 3676 3868 if (ret == 0) 3677 3869 ret = mp_abs(&d, &d); 3870 #endif 3678 3871 3679 3872 /* compare */ … … 3887 4080 { 3888 4081 #ifndef WC_NO_RNG 3889 mp_int p, q, tmp1, tmp2, tmp3; 4082 #ifdef WOLFSSL_SMALL_STACK 4083 mp_int *p = (mp_int *)XMALLOC(sizeof *p, key->heap, DYNAMIC_TYPE_RSA); 4084 mp_int *q = (mp_int *)XMALLOC(sizeof *q, key->heap, DYNAMIC_TYPE_RSA); 4085 mp_int *tmp1 = (mp_int *)XMALLOC(sizeof *tmp1, key->heap, DYNAMIC_TYPE_RSA); 4086 mp_int *tmp2 = (mp_int *)XMALLOC(sizeof *tmp2, key->heap, DYNAMIC_TYPE_RSA); 4087 mp_int *tmp3 = (mp_int *)XMALLOC(sizeof *tmp3, key->heap, DYNAMIC_TYPE_RSA); 4088 #else 4089 mp_int p_buf, *p = &p_buf; 4090 mp_int q_buf, *q = &q_buf; 4091 mp_int tmp1_buf, *tmp1 = &tmp1_buf; 4092 mp_int tmp2_buf, *tmp2 = &tmp2_buf; 4093 mp_int tmp3_buf, *tmp3 = &tmp3_buf; 4094 #endif 3890 4095 int err, i, failCount, primeSz, isPrime = 0; 3891 4096 byte* buf = NULL; 3892 4097 3893 if (key == NULL || rng == NULL) 3894 return BAD_FUNC_ARG; 3895 3896 if (!RsaSizeCheck(size)) 3897 return BAD_FUNC_ARG; 3898 3899 if (e < 3 || (e & 1) == 0) 3900 return BAD_FUNC_ARG; 4098 #ifdef WOLFSSL_SMALL_STACK 4099 if ((p == NULL) || 4100 (q == NULL) || 4101 (tmp1 == NULL) || 4102 (tmp2 == NULL) || 4103 (tmp3 == NULL)) { 4104 err = MEMORY_E; 4105 goto out; 4106 } 4107 #endif 4108 4109 if (key == NULL || rng == NULL) { 4110 err = BAD_FUNC_ARG; 4111 goto out; 4112 } 4113 4114 if (!RsaSizeCheck(size)) { 4115 err = BAD_FUNC_ARG; 4116 goto out; 4117 } 4118 4119 if (e < 3 || (e & 1) == 0) { 4120 err = BAD_FUNC_ARG; 4121 goto out; 4122 } 3901 4123 3902 4124 #if defined(WOLFSSL_CRYPTOCELL) 3903 4125 3904 return cc310_RSA_GenerateKeyPair(key, size, e); 4126 err = cc310_RSA_GenerateKeyPair(key, size, e); 4127 goto out; 3905 4128 3906 4129 #endif /*WOLFSSL_CRYPTOCELL*/ … … 3908 4131 #ifdef WOLF_CRYPTO_CB 3909 4132 if (key->devId != INVALID_DEVID) { 3910 int ret= wc_CryptoCb_MakeRsaKey(key, size, e, rng);3911 if ( ret!= CRYPTOCB_UNAVAILABLE)3912 return ret;4133 err = wc_CryptoCb_MakeRsaKey(key, size, e, rng); 4134 if (err != CRYPTOCB_UNAVAILABLE) 4135 goto out; 3913 4136 /* fall-through when unavailable */ 3914 4137 } … … 3921 4144 /* TODO: Not implemented */ 3922 4145 #elif defined(HAVE_INTEL_QA) 3923 return IntelQaRsaKeyGen(&key->asyncDev, key, size, e, rng); 4146 err = IntelQaRsaKeyGen(&key->asyncDev, key, size, e, rng); 4147 goto out; 3924 4148 #else 3925 4149 if (wc_AsyncTestInit(&key->asyncDev, ASYNC_TEST_RSA_MAKE)) { … … 3929 4153 testDev->rsaMake.size = size; 3930 4154 testDev->rsaMake.e = e; 3931 return WC_PENDING_E; 4155 err = WC_PENDING_E; 4156 goto out; 3932 4157 } 3933 4158 #endif … … 3935 4160 #endif 3936 4161 3937 err = mp_init_multi( &p, &q, &tmp1, &tmp2, &tmp3, NULL);4162 err = mp_init_multi(p, q, tmp1, tmp2, tmp3, NULL); 3938 4163 3939 4164 if (err == MP_OKAY) 3940 err = mp_set_int( &tmp3, e);4165 err = mp_set_int(tmp3, e); 3941 4166 3942 4167 /* The failCount value comes from NIST FIPS 186-4, section B.3.3, … … 3970 4195 buf[primeSz-1] |= 0x01; 3971 4196 /* load value */ 3972 err = mp_read_unsigned_bin( &p, buf, primeSz);4197 err = mp_read_unsigned_bin(p, buf, primeSz); 3973 4198 } 3974 4199 3975 4200 if (err == MP_OKAY) 3976 err = _CheckProbablePrime( &p, NULL, &tmp3, size, &isPrime, rng);4201 err = _CheckProbablePrime(p, NULL, tmp3, size, &isPrime, rng); 3977 4202 3978 4203 #ifdef HAVE_FIPS … … 4005 4230 buf[primeSz-1] |= 0x01; 4006 4231 /* load value */ 4007 err = mp_read_unsigned_bin( &q, buf, primeSz);4232 err = mp_read_unsigned_bin(q, buf, primeSz); 4008 4233 } 4009 4234 4010 4235 if (err == MP_OKAY) 4011 err = _CheckProbablePrime( &p, &q, &tmp3, size, &isPrime, rng);4236 err = _CheckProbablePrime(p, q, tmp3, size, &isPrime, rng); 4012 4237 4013 4238 #ifdef HAVE_FIPS … … 4028 4253 } 4029 4254 4030 if (err == MP_OKAY && mp_cmp( &p, &q) < 0) {4031 err = mp_copy( &p, &tmp1);4255 if (err == MP_OKAY && mp_cmp(p, q) < 0) { 4256 err = mp_copy(p, tmp1); 4032 4257 if (err == MP_OKAY) 4033 err = mp_copy( &q, &p);4258 err = mp_copy(q, p); 4034 4259 if (err == MP_OKAY) 4035 mp_copy( &tmp1, &q);4260 mp_copy(tmp1, q); 4036 4261 } 4037 4262 … … 4044 4269 /* Software Key Calculation */ 4045 4270 if (err == MP_OKAY) /* tmp1 = p-1 */ 4046 err = mp_sub_d( &p, 1, &tmp1);4271 err = mp_sub_d(p, 1, tmp1); 4047 4272 if (err == MP_OKAY) /* tmp2 = q-1 */ 4048 err = mp_sub_d( &q, 1, &tmp2);4273 err = mp_sub_d(q, 1, tmp2); 4049 4274 #ifdef WC_RSA_BLINDING 4050 4275 if (err == MP_OKAY) /* tmp3 = order of n */ 4051 err = mp_mul( &tmp1, &tmp2, &tmp3);4276 err = mp_mul(tmp1, tmp2, tmp3); 4052 4277 #else 4053 4278 if (err == MP_OKAY) /* tmp3 = lcm(p-1, q-1), last loop */ 4054 err = mp_lcm( &tmp1, &tmp2, &tmp3);4279 err = mp_lcm(tmp1, tmp2, tmp3); 4055 4280 #endif 4056 4281 /* make key */ … … 4061 4286 if (err == MP_OKAY) { 4062 4287 do { 4063 err = mp_rand(&key->p, get_digit_count( &tmp3), rng);4288 err = mp_rand(&key->p, get_digit_count(tmp3), rng); 4064 4289 if (err == MP_OKAY) 4065 4290 err = mp_set_bit(&key->p, 0); … … 4067 4292 err = mp_set_bit(&key->p, size - 1); 4068 4293 if (err == MP_OKAY) 4069 err = mp_gcd(&key->p, &tmp3, &key->q);4294 err = mp_gcd(&key->p, tmp3, &key->q); 4070 4295 } 4071 4296 while ((err == MP_OKAY) && !mp_isone(&key->q)); … … 4075 4300 #endif 4076 4301 if (err == MP_OKAY) /* key->d = 1/e mod lcm(p-1, q-1) */ 4077 err = mp_invmod(&key->e, &tmp3, &key->d);4302 err = mp_invmod(&key->e, tmp3, &key->d); 4078 4303 #ifdef WC_RSA_BLINDING 4079 4304 /* Take off blinding from d and reset e */ 4080 4305 if (err == MP_OKAY) 4081 err = mp_mulmod(&key->d, &key->p, &tmp3, &key->d);4306 err = mp_mulmod(&key->d, &key->p, tmp3, &key->d); 4082 4307 if (err == MP_OKAY) 4083 4308 err = mp_set_int(&key->e, (mp_digit)e); 4084 4309 #endif 4085 4310 if (err == MP_OKAY) /* key->n = pq */ 4086 err = mp_mul( &p, &q, &key->n);4311 err = mp_mul(p, q, &key->n); 4087 4312 if (err == MP_OKAY) /* key->dP = d mod(p-1) */ 4088 err = mp_mod(&key->d, &tmp1, &key->dP);4313 err = mp_mod(&key->d, tmp1, &key->dP); 4089 4314 if (err == MP_OKAY) /* key->dQ = d mod(q-1) */ 4090 err = mp_mod(&key->d, &tmp2, &key->dQ);4315 err = mp_mod(&key->d, tmp2, &key->dQ); 4091 4316 #ifdef WOLFSSL_MP_INVMOD_CONSTANT_TIME 4092 4317 if (err == MP_OKAY) /* key->u = 1/q mod p */ 4093 err = mp_invmod( &q, &p, &key->u);4318 err = mp_invmod(q, p, &key->u); 4094 4319 #else 4095 4320 if (err == MP_OKAY) 4096 err = mp_sub_d( &p, 2, &tmp3);4321 err = mp_sub_d(p, 2, tmp3); 4097 4322 if (err == MP_OKAY) /* key->u = 1/q mod p = q^p-2 mod p */ 4098 err = mp_exptmod( &q, &tmp3 , &p, &key->u);4323 err = mp_exptmod(q, tmp3 , p, &key->u); 4099 4324 #endif 4100 4325 if (err == MP_OKAY) 4101 err = mp_copy( &p, &key->p);4326 err = mp_copy(p, &key->p); 4102 4327 if (err == MP_OKAY) 4103 err = mp_copy( &q, &key->q);4328 err = mp_copy(q, &key->q); 4104 4329 4105 4330 #ifdef HAVE_WOLF_BIGINT … … 4126 4351 key->type = RSA_PRIVATE; 4127 4352 4128 mp_clear( &tmp1);4129 mp_clear( &tmp2);4130 mp_clear( &tmp3);4131 mp_clear( &p);4132 mp_clear( &q);4353 mp_clear(tmp1); 4354 mp_clear(tmp2); 4355 mp_clear(tmp3); 4356 mp_clear(p); 4357 mp_clear(q); 4133 4358 4134 4359 #if defined(WOLFSSL_KEY_GEN) && !defined(WOLFSSL_NO_RSA_KEY_CHECK) … … 4140 4365 if (err != 0) { 4141 4366 wc_FreeRsaKey(key); 4142 return err;4367 goto out; 4143 4368 } 4144 4369 … … 4148 4373 } 4149 4374 #endif 4150 return 0; 4375 4376 err = 0; 4377 4378 out: 4379 4380 #ifdef WOLFSSL_SMALL_STACK 4381 if (p) 4382 XFREE(p, key->heap, DYNAMIC_TYPE_RSA); 4383 if (q) 4384 XFREE(q, key->heap, DYNAMIC_TYPE_RSA); 4385 if (tmp1) 4386 XFREE(tmp1, key->heap, DYNAMIC_TYPE_RSA); 4387 if (tmp2) 4388 XFREE(tmp2, key->heap, DYNAMIC_TYPE_RSA); 4389 if (tmp3) 4390 XFREE(tmp3, key->heap, DYNAMIC_TYPE_RSA); 4391 #endif 4392 4393 return err; 4151 4394 #else 4152 4395 return NOT_COMPILED_IN; … … 4160 4403 int wc_RsaSetRNG(RsaKey* key, WC_RNG* rng) 4161 4404 { 4405 if (key == NULL || rng == NULL) 4406 return BAD_FUNC_ARG; 4407 4408 key->rng = rng; 4409 4410 return 0; 4411 } 4412 #endif /* WC_RSA_BLINDING */ 4413 4414 #ifdef WC_RSA_NONBLOCK 4415 int wc_RsaSetNonBlock(RsaKey* key, RsaNb* nb) 4416 { 4162 4417 if (key == NULL) 4163 4418 return BAD_FUNC_ARG; 4164 4419 4165 key->rng = rng;4166 4167 return 0;4168 }4169 #endif /* WC_RSA_BLINDING */4170 4171 #ifdef WC_RSA_NONBLOCK4172 int wc_RsaSetNonBlock(RsaKey* key, RsaNb* nb)4173 {4174 if (key == NULL)4175 return BAD_FUNC_ARG;4176 4177 4420 if (nb) { 4178 4421 XMEMSET(nb, 0, sizeof(RsaNb));
Note:
See TracChangeset
for help on using the changeset viewer.