- Timestamp:
- Feb 7, 2019, 8:36:33 AM (5 years ago)
- File:
-
- 1 edited
Legend:
- Unmodified
- Added
- Removed
-
asp3_tinet_ecnl_arm/trunk/wolfssl-3.12.2/wolfcrypt/src/rsa.c
r352 r372 30 30 #ifndef NO_RSA 31 31 32 #if defined(HAVE_FIPS) && \ 33 defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2) 34 35 /* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */ 36 #define FIPS_NO_WRAPPERS 37 38 #ifdef USE_WINDOWS_API 39 #pragma code_seg(".fipsA$e") 40 #pragma const_seg(".fipsB$e") 41 #endif 42 #endif 43 32 44 #include <wolfssl/wolfcrypt/rsa.h> 33 45 … … 44 56 * RSA_LOW_MEM: NON CRT Private Operations, less memory default: off 45 57 * WC_NO_RSA_OAEP: Disables RSA OAEP padding default: on (not defined) 46 58 * WC_RSA_NONBLOCK: Enables support for RSA non-blocking default: off 59 * WC_RSA_NONBLOCK_TIME:Enables support for time based blocking default: off 60 * time calculation. 47 61 */ 48 62 … … 55 69 56 70 57 #ifdef HAVE_FIPS 71 /* If building for old FIPS. */ 72 #if defined(HAVE_FIPS) && \ 73 (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2)) 74 58 75 int wc_InitRsaKey(RsaKey* key, void* ptr) 59 76 { … … 64 81 return InitRsaKey_fips(key, ptr); 65 82 } 83 66 84 67 85 int wc_InitRsaKey_ex(RsaKey* key, void* ptr, int devId) … … 74 92 } 75 93 94 76 95 int wc_FreeRsaKey(RsaKey* key) 77 96 { … … 80 99 81 100 101 #ifndef WOLFSSL_RSA_VERIFY_ONLY 82 102 int wc_RsaPublicEncrypt(const byte* in, word32 inLen, byte* out, 83 103 word32 outLen, RsaKey* key, WC_RNG* rng) … … 88 108 return RsaPublicEncrypt_fips(in, inLen, out, outLen, key, rng); 89 109 } 90 91 110 #endif 111 112 113 #ifndef WOLFSSL_RSA_PUBLIC_ONLY 92 114 int wc_RsaPrivateDecryptInline(byte* in, word32 inLen, byte** out, 93 115 RsaKey* key) … … 118 140 return RsaSSL_Sign_fips(in, inLen, out, outLen, key, rng); 119 141 } 142 #endif 120 143 121 144 … … 148 171 149 172 173 #ifndef WOLFSSL_RSA_VERIFY_ONLY 150 174 int wc_RsaFlattenPublicKey(RsaKey* key, byte* a, word32* aSz, byte* b, 151 175 word32* bSz) … … 155 179 return RsaFlattenPublicKey(key, a, aSz, b, bSz); 156 180 } 181 #endif 182 183 157 184 #ifdef WOLFSSL_KEY_GEN 158 185 int wc_MakeRsaKey(RsaKey* key, int size, long e, WC_RNG* rng) … … 168 195 */ 169 196 170 #else /* else build without fips */197 #else /* else build without fips, or for new fips */ 171 198 172 199 #include <wolfssl/wolfcrypt/random.h> 173 200 #include <wolfssl/wolfcrypt/logging.h> 201 #ifdef WOLF_CRYPTO_DEV 202 #include <wolfssl/wolfcrypt/cryptodev.h> 203 #endif 174 204 #ifdef NO_INLINE 175 205 #include <wolfssl/wolfcrypt/misc.h> … … 179 209 #endif 180 210 181 #define ERROR_OUT(x) { ret = (x); goto done;}182 183 211 184 212 enum { … … 196 224 static void wc_RsaCleanup(RsaKey* key) 197 225 { 226 #ifndef WOLFSSL_RSA_VERIFY_INLINE 198 227 if (key && key->data) { 199 228 /* make sure any allocated memory is free'd */ 200 229 if (key->dataIsAlloc) { 230 #ifndef WOLFSSL_RSA_PUBLIC_ONLY 201 231 if (key->type == RSA_PRIVATE_DECRYPT || 202 232 key->type == RSA_PRIVATE_ENCRYPT) { 203 233 ForceZero(key->data, key->dataLen); 204 234 } 235 #endif 205 236 XFREE(key->data, key->heap, DYNAMIC_TYPE_WOLF_BIGINT); 206 237 key->dataIsAlloc = 0; … … 209 240 key->dataLen = 0; 210 241 } 242 #else 243 (void)key; 244 #endif 211 245 } 212 246 … … 218 252 return BAD_FUNC_ARG; 219 253 } 254 255 XMEMSET(key, 0, sizeof(RsaKey)); 220 256 221 257 key->type = RSA_TYPE_UNKNOWN; 222 258 key->state = RSA_STATE_NONE; 223 259 key->heap = heap; 260 #ifndef WOLFSSL_RSA_VERIFY_INLINE 261 key->dataIsAlloc = 0; 224 262 key->data = NULL; 263 #endif 225 264 key->dataLen = 0; 226 key->dataIsAlloc = 0;227 265 #ifdef WC_RSA_BLINDING 228 266 key->rng = NULL; 267 #endif 268 269 #ifdef WOLF_CRYPTO_DEV 270 key->devId = devId; 271 #else 272 (void)devId; 229 273 #endif 230 274 … … 241 285 return ret; 242 286 #endif /* WC_ASYNC_ENABLE_RSA */ 243 #else244 (void)devId;245 287 #endif /* WOLFSSL_ASYNC_CRYPT */ 246 288 289 #ifndef WOLFSSL_RSA_PUBLIC_ONLY 247 290 ret = mp_init_multi(&key->n, &key->e, NULL, NULL, NULL, NULL); 248 291 if (ret != MP_OKAY) 249 292 return ret; 250 293 294 #if !defined(WOLFSSL_KEY_GEN) && !defined(OPENSSL_EXTRA) && defined(RSA_LOW_MEM) 295 ret = mp_init_multi(&key->d, &key->p, &key->q, NULL, NULL, NULL); 296 #else 251 297 ret = mp_init_multi(&key->d, &key->p, &key->q, &key->dP, &key->dQ, &key->u); 298 #endif 252 299 if (ret != MP_OKAY) { 253 300 mp_clear(&key->n); … … 255 302 return ret; 256 303 } 304 #else 305 ret = mp_init(&key->n); 306 if (ret != MP_OKAY) 307 return ret; 308 ret = mp_init(&key->e); 309 if (ret != MP_OKAY) { 310 mp_clear(&key->n); 311 return ret; 312 } 313 #endif 257 314 258 315 #ifdef WOLFSSL_XILINX_CRYPT … … 268 325 return wc_InitRsaKey_ex(key, heap, INVALID_DEVID); 269 326 } 327 328 #ifdef HAVE_PKCS11 329 int wc_InitRsaKey_Id(RsaKey* key, unsigned char* id, int len, void* heap, 330 int devId) 331 { 332 int ret = 0; 333 334 if (key == NULL) 335 ret = BAD_FUNC_ARG; 336 if (ret == 0 && (len < 0 || len > RSA_MAX_ID_LEN)) 337 ret = BUFFER_E; 338 339 if (ret == 0) 340 ret = wc_InitRsaKey_ex(key, heap, devId); 341 342 if (ret == 0 && id != NULL && len != 0) { 343 XMEMCPY(key->id, id, len); 344 key->idLen = len; 345 } 346 347 return ret; 348 } 349 #endif 270 350 271 351 … … 359 439 #endif 360 440 441 #ifndef WOLFSSL_RSA_PUBLIC_ONLY 361 442 if (key->type == RSA_PRIVATE) { 443 #if defined(WOLFSSL_KEY_GEN) || defined(OPENSSL_EXTRA) || !defined(RSA_LOW_MEM) 362 444 mp_forcezero(&key->u); 363 445 mp_forcezero(&key->dQ); 364 446 mp_forcezero(&key->dP); 447 #endif 365 448 mp_forcezero(&key->q); 366 449 mp_forcezero(&key->p); … … 368 451 } 369 452 /* private part */ 453 #if defined(WOLFSSL_KEY_GEN) || defined(OPENSSL_EXTRA) || !defined(RSA_LOW_MEM) 370 454 mp_clear(&key->u); 371 455 mp_clear(&key->dQ); 372 456 mp_clear(&key->dP); 457 #endif 373 458 mp_clear(&key->q); 374 459 mp_clear(&key->p); 375 460 mp_clear(&key->d); 461 #endif /* WOLFSSL_RSA_PUBLIC_ONLY */ 376 462 377 463 /* public part */ … … 386 472 return ret; 387 473 } 474 475 #ifndef WOLFSSL_RSA_PUBLIC_ONLY 476 /* Check the pair-wise consistency of the RSA key. 477 * From NIST SP 800-56B, section 6.4.1.1. 478 * Verify that k = (k^e)^d, for some k: 1 < k < n-1. */ 479 int wc_CheckRsaKey(RsaKey* key) 480 { 481 #ifdef WOLFSSL_SMALL_STACK 482 mp_int *k = NULL, *tmp = NULL; 483 #else 484 mp_int k[1], tmp[1]; 485 #endif 486 int ret = 0; 487 488 #ifdef WOLFSSL_SMALL_STACK 489 k = (mp_int*)XMALLOC(sizeof(mp_int) * 2, NULL, DYNAMIC_TYPE_RSA); 490 if (k == NULL) 491 return MEMORY_E; 492 tmp = k + 1; 493 #endif 494 495 if (mp_init_multi(k, tmp, NULL, NULL, NULL, NULL) != MP_OKAY) 496 ret = MP_INIT_E; 497 498 if (ret == 0) { 499 if (key == NULL) 500 ret = BAD_FUNC_ARG; 501 } 502 503 if (ret == 0) { 504 if (mp_set_int(k, 0x2342) != MP_OKAY) 505 ret = MP_READ_E; 506 } 507 508 #ifdef WOLFSSL_SP_RSA 509 #ifndef WOLFSSL_SP_NO_2048 510 if (mp_count_bits(&key->n) == 2048) { 511 ret = sp_ModExp_2048(k, &key->e, &key->n, tmp); 512 if (ret != 0) 513 ret = MP_EXPTMOD_E; 514 ret = sp_ModExp_2048(tmp, &key->d, &key->n, tmp); 515 if (ret != 0) 516 ret = MP_EXPTMOD_E; 517 } 518 else 519 #endif 520 #ifndef WOLFSSL_SP_NO_3072 521 if (mp_count_bits(&key->n) == 3072) { 522 ret = sp_ModExp_3072(k, &key->e, &key->n, tmp); 523 if (ret != 0) 524 ret = MP_EXPTMOD_E; 525 ret = sp_ModExp_3072(tmp, &key->d, &key->n, tmp); 526 if (ret != 0) 527 ret = MP_EXPTMOD_E; 528 } 529 else 530 #endif 531 #endif 532 #ifdef WOLFSSL_SP_MATH 533 { 534 ret = WC_KEY_SIZE_E; 535 } 536 #else 537 { 538 if (ret == 0) { 539 if (mp_exptmod(k, &key->e, &key->n, tmp) != MP_OKAY) 540 ret = MP_EXPTMOD_E; 541 } 542 543 if (ret == 0) { 544 if (mp_exptmod(tmp, &key->d, &key->n, tmp) != MP_OKAY) 545 ret = MP_EXPTMOD_E; 546 } 547 } 548 #endif 549 550 if (ret == 0) { 551 if (mp_cmp(k, tmp) != MP_EQ) 552 ret = RSA_KEY_PAIR_E; 553 } 554 555 mp_forcezero(tmp); 556 mp_clear(tmp); 557 mp_clear(k); 558 #ifdef WOLFSSL_SMALL_STACK 559 XFREE(k, NULL, DYNAMIC_TYPE_RSA); 560 #endif 561 562 return ret; 563 } 564 #endif 388 565 389 566 … … 494 671 break; 495 672 #endif 496 #ifdef WOLFSSL_SHA512497 673 #ifdef WOLFSSL_SHA384 498 674 case WC_MGF1SHA384: … … 500 676 break; 501 677 #endif 678 #ifdef WOLFSSL_SHA512 502 679 case WC_MGF1SHA512: 503 680 ret = RsaMGF1(WC_HASH_TYPE_SHA512, seed, seedSz, out, outSz, heap); … … 522 699 523 700 /* Padding */ 701 #ifndef WOLFSSL_RSA_VERIFY_ONLY 702 #ifndef WC_NO_RNG 524 703 #ifndef WC_NO_RSA_OAEP 525 704 static int RsaPad_OAEP(const byte* input, word32 inputLen, byte* pkcsBlock, … … 700 879 701 880 #ifdef WC_RSA_PSS 881 702 882 /* 0x00 .. 0x00 0x01 | Salt | Gen Hash | 0xbc 703 883 * XOR MGF over all bytes down to end of Salt 704 884 * Gen Hash = HASH(8 * 0x00 | Message Hash | Salt) 885 * 886 * input Digest of the message. 887 * inputLen Length of digest. 888 * pkcsBlock Buffer to write to. 889 * pkcsBlockLen Length of buffer to write to. 890 * rng Random number generator (for salt). 891 * htype Hash function to use. 892 * mgf Mask generation function. 893 * saltLen Length of salt to put in padding. 894 * bits Length of key in bits. 895 * heap Used for dynamic memory allocation. 896 * returns 0 on success, PSS_SALTLEN_E when the salt length is invalid 897 * and other negative values on error. 705 898 */ 706 899 static int RsaPad_PSS(const byte* input, word32 inputLen, byte* pkcsBlock, 707 900 word32 pkcsBlockLen, WC_RNG* rng, enum wc_HashType hType, int mgf, 708 int bits, void* heap)901 int saltLen, int bits, void* heap) 709 902 { 710 903 int ret; … … 719 912 return hLen; 720 913 914 if (saltLen == -1) { 915 saltLen = hLen; 916 #ifdef WOLFSSL_SHA512 917 /* See FIPS 186-4 section 5.5 item (e). */ 918 if (bits == 1024 && hLen == WC_SHA512_DIGEST_SIZE) 919 saltLen = RSA_PSS_SALT_MAX_SZ; 920 #endif 921 } 922 else if (saltLen > hLen || saltLen < -1) 923 return PSS_SALTLEN_E; 924 if ((int)pkcsBlockLen - hLen < saltLen + 2) 925 return PSS_SALTLEN_E; 926 721 927 s = m = pkcsBlock; 722 XMEMSET(m, 0, 8);723 m += 8;928 XMEMSET(m, 0, RSA_PSS_PAD_SZ); 929 m += RSA_PSS_PAD_SZ; 724 930 XMEMCPY(m, input, inputLen); 725 931 m += inputLen; 726 if ((ret = wc_RNG_GenerateBlock(rng, salt, hLen)) != 0)932 if ((ret = wc_RNG_GenerateBlock(rng, salt, saltLen)) != 0) 727 933 return ret; 728 XMEMCPY(m, salt, hLen);729 m += hLen;934 XMEMCPY(m, salt, saltLen); 935 m += saltLen; 730 936 731 937 h = pkcsBlock + pkcsBlockLen - 1 - hLen; 732 938 if ((ret = wc_Hash(hType, s, (word32)(m - s), h, hLen)) != 0) 733 939 return ret; 734 pkcsBlock[pkcsBlockLen - 1] = 0xbc;940 pkcsBlock[pkcsBlockLen - 1] = RSA_PSS_PAD_TERM; 735 941 736 942 ret = RsaMGF(mgf, h, hLen, pkcsBlock, pkcsBlockLen - hLen - 1, heap); … … 739 945 pkcsBlock[0] &= (1 << ((bits - 1) & 0x7)) - 1; 740 946 741 m = pkcsBlock + pkcsBlockLen - 1 - hLen - hLen - 1;947 m = pkcsBlock + pkcsBlockLen - 1 - saltLen - hLen - 1; 742 948 *(m++) ^= 0x01; 743 for (i = 0; i < hLen; i++)949 for (i = 0; i < saltLen; i++) 744 950 m[i] ^= salt[i]; 745 951 746 952 return 0; 747 953 } 748 #endif 954 #endif /* WC_RSA_PSS */ 749 955 750 956 static int RsaPad(const byte* input, word32 inputLen, byte* pkcsBlock, … … 770 976 } 771 977 else { 978 #ifndef WOLFSSL_RSA_VERIFY_ONLY 772 979 /* pad with non-zero random bytes */ 773 980 word32 padLen, i; … … 789 996 if (pkcsBlock[i] == 0) pkcsBlock[i] = 0x01; 790 997 } 998 #else 999 (void)rng; 1000 return RSA_WRONG_TYPE_E; 1001 #endif 791 1002 } 792 1003 … … 796 1007 return 0; 797 1008 } 1009 #endif /* !WC_NO_RNG */ 798 1010 799 1011 /* helper function to direct which padding is used */ 800 1012 static int wc_RsaPad_ex(const byte* input, word32 inputLen, byte* pkcsBlock, 801 1013 word32 pkcsBlockLen, byte padValue, WC_RNG* rng, int padType, 802 enum wc_HashType hType, int mgf, byte* optLabel, word32 labelLen, int bits,803 void* heap)1014 enum wc_HashType hType, int mgf, byte* optLabel, word32 labelLen, 1015 int saltLen, int bits, void* heap) 804 1016 { 805 1017 int ret; … … 807 1019 switch (padType) 808 1020 { 1021 #ifndef WC_NO_RNG 809 1022 case WC_RSA_PKCSV15_PAD: 810 1023 /*WOLFSSL_MSG("wolfSSL Using RSA PKCSV15 padding");*/ … … 825 1038 WOLFSSL_MSG("wolfSSL Using RSA PSS padding"); 826 1039 ret = RsaPad_PSS(input, inputLen, pkcsBlock, pkcsBlockLen, rng, 827 hType, mgf, bits, heap); 1040 hType, mgf, saltLen, bits, heap); 1041 break; 1042 #endif 1043 #endif /* !WC_NO_RNG */ 1044 1045 #ifdef WC_RSA_NO_PADDING 1046 case WC_RSA_NO_PAD: 1047 WOLFSSL_MSG("wolfSSL Using NO padding"); 1048 1049 /* In the case of no padding being used check that input is exactly 1050 * the RSA key length */ 1051 if (bits <= 0 || inputLen != ((word32)bits/WOLFSSL_BIT_SIZE)) { 1052 WOLFSSL_MSG("Bad input size"); 1053 ret = RSA_PAD_E; 1054 } 1055 else { 1056 XMEMCPY(pkcsBlock, input, inputLen); 1057 ret = 0; 1058 } 828 1059 break; 829 1060 #endif … … 835 1066 836 1067 /* silence warning if not used with padding scheme */ 1068 (void)input; 1069 (void)inputLen; 1070 (void)pkcsBlock; 1071 (void)pkcsBlockLen; 1072 (void)padValue; 1073 (void)rng; 1074 (void)padType; 837 1075 (void)hType; 838 1076 (void)mgf; 839 1077 (void)optLabel; 840 1078 (void)labelLen; 1079 (void)saltLen; 841 1080 (void)bits; 842 1081 (void)heap; … … 844 1083 return ret; 845 1084 } 1085 #endif /* WOLFSSL_RSA_VERIFY_ONLY */ 846 1086 847 1087 … … 923 1163 ret += pkcsBlock[0] ^ 0x00; /* Y, the first value, should be 0 */ 924 1164 925 if (ret != 0) { 926 WOLFSSL_MSG("RsaUnPad_OAEP: Padding Error"); 927 return BAD_PADDING_E; 928 } 1165 /* Return 0 data length on error. */ 1166 idx = ctMaskSelInt(ctMaskEq(ret, 0), idx, pkcsBlockLen); 929 1167 930 1168 /* adjust pointer to correct location in array and return size of M */ … … 935 1173 936 1174 #ifdef WC_RSA_PSS 1175 /* 0x00 .. 0x00 0x01 | Salt | Gen Hash | 0xbc 1176 * MGF over all bytes down to end of Salt 1177 * 1178 * pkcsBlock Buffer holding decrypted data. 1179 * pkcsBlockLen Length of buffer. 1180 * htype Hash function to use. 1181 * mgf Mask generation function. 1182 * saltLen Length of salt to put in padding. 1183 * bits Length of key in bits. 1184 * heap Used for dynamic memory allocation. 1185 * returns 0 on success, PSS_SALTLEN_E when the salt length is invalid, 1186 * BAD_PADDING_E when the padding is not valid, MEMORY_E when allocation fails 1187 * and other negative values on error. 1188 */ 937 1189 static int RsaUnPad_PSS(byte *pkcsBlock, unsigned int pkcsBlockLen, 938 1190 byte **output, enum wc_HashType hType, int mgf, 939 int bits, void* heap)1191 int saltLen, int bits, void* heap) 940 1192 { 941 1193 int ret; … … 947 1199 return hLen; 948 1200 949 if (pkcsBlock[pkcsBlockLen - 1] != 0xbc) { 950 WOLFSSL_MSG("RsaUnPad_PSS: Padding Error 0xBC"); 1201 if (saltLen == -1) { 1202 saltLen = hLen; 1203 #ifdef WOLFSSL_SHA512 1204 /* See FIPS 186-4 section 5.5 item (e). */ 1205 if (bits == 1024 && hLen == WC_SHA512_DIGEST_SIZE) 1206 saltLen = RSA_PSS_SALT_MAX_SZ; 1207 #endif 1208 } 1209 else if (saltLen > hLen || saltLen < -1) 1210 return PSS_SALTLEN_E; 1211 if ((int)pkcsBlockLen - hLen < saltLen + 2) 1212 return PSS_SALTLEN_E; 1213 1214 if (pkcsBlock[pkcsBlockLen - 1] != RSA_PSS_PAD_TERM) { 1215 WOLFSSL_MSG("RsaUnPad_PSS: Padding Term Error"); 951 1216 return BAD_PADDING_E; 952 1217 } 953 1218 954 1219 tmp = (byte*)XMALLOC(pkcsBlockLen, heap, DYNAMIC_TYPE_RSA_BUFFER); 955 if (tmp == NULL) {1220 if (tmp == NULL) 956 1221 return MEMORY_E; 957 }958 1222 959 1223 if ((ret = RsaMGF(mgf, pkcsBlock + pkcsBlockLen - 1 - hLen, hLen, … … 964 1228 965 1229 tmp[0] &= (1 << ((bits - 1) & 0x7)) - 1; 966 for (i = 0; i < (int)(pkcsBlockLen - 1 - hLen - hLen - 1); i++) {1230 for (i = 0; i < (int)(pkcsBlockLen - 1 - saltLen - hLen - 1); i++) { 967 1231 if (tmp[i] != pkcsBlock[i]) { 968 1232 XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER); … … 981 1245 XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER); 982 1246 983 i = pkcsBlockLen - (RSA_PSS_PAD_SZ + 3 * hLen + 1); 984 XMEMSET(pkcsBlock + i, 0, RSA_PSS_PAD_SZ); 985 986 *output = pkcsBlock + i; 987 return RSA_PSS_PAD_SZ + 3 * hLen; 1247 *output = pkcsBlock + pkcsBlockLen - (hLen + saltLen + 1); 1248 return saltLen + hLen; 988 1249 } 989 1250 #endif … … 994 1255 byte **output, byte padValue) 995 1256 { 996 word32 maxOutputLen = (pkcsBlockLen > 10) ? (pkcsBlockLen - 10) : 0; 997 word32 invalid = 0; 998 word32 i = 1; 999 word32 outputLen; 1257 int ret = BAD_FUNC_ARG; 1258 word32 i; 1259 #ifndef WOLFSSL_RSA_VERIFY_ONLY 1260 byte invalid = 0; 1261 #endif 1000 1262 1001 1263 if (output == NULL || pkcsBlockLen == 0) { … … 1003 1265 } 1004 1266 1005 if (pkcsBlock[0] != 0x0) { /* skip past zero */1006 invalid = 1;1007 }1008 pkcsBlock++; pkcsBlockLen--;1009 1010 /* Require block type padValue */1011 invalid = (pkcsBlock[0] != padValue) || invalid;1012 1013 /* verify the padding until we find the separator */1014 1267 if (padValue == RSA_BLOCK_TYPE_1) { 1015 while (i<pkcsBlockLen && pkcsBlock[i++] == 0xFF) {/* Null body */} 1016 } 1017 else { 1018 while (i<pkcsBlockLen && pkcsBlock[i++]) {/* Null body */} 1019 } 1020 1021 if (!(i==pkcsBlockLen || pkcsBlock[i-1]==0)) { 1268 /* First byte must be 0x00 and Second byte, block type, 0x01 */ 1269 if (pkcsBlock[0] != 0 || pkcsBlock[1] != RSA_BLOCK_TYPE_1) { 1270 WOLFSSL_MSG("RsaUnPad error, invalid formatting"); 1271 return RSA_PAD_E; 1272 } 1273 1274 /* check the padding until we find the separator */ 1275 for (i = 2; i < pkcsBlockLen && pkcsBlock[i++] == 0xFF; ) { } 1276 1277 /* Minimum of 11 bytes of pre-message data and must have separator. */ 1278 if (i < RSA_MIN_PAD_SZ || pkcsBlock[i-1] != 0) { 1022 1279 WOLFSSL_MSG("RsaUnPad error, bad formatting"); 1023 1280 return RSA_PAD_E; 1024 1281 } 1025 1282 1026 outputLen = pkcsBlockLen - i; 1027 invalid = (outputLen > maxOutputLen) || invalid; 1028 1029 if (invalid) { 1030 WOLFSSL_MSG("RsaUnPad error, invalid formatting"); 1031 return RSA_PAD_E; 1032 } 1283 *output = (byte *)(pkcsBlock + i); 1284 ret = pkcsBlockLen - i; 1285 } 1286 #ifndef WOLFSSL_RSA_VERIFY_ONLY 1287 else { 1288 word32 j; 1289 byte pastSep = 0; 1290 1291 /* Decrypted with private key - unpad must be constant time. */ 1292 for (i = 0, j = 2; j < pkcsBlockLen; j++) { 1293 /* Update i if not passed the separator and at separator. */ 1294 i |= (~pastSep) & ctMaskEq(pkcsBlock[j], 0x00) & (j + 1); 1295 pastSep |= ctMaskEq(pkcsBlock[j], 0x00); 1296 } 1297 1298 /* Minimum of 11 bytes of pre-message data - including leading 0x00. */ 1299 invalid |= ctMaskLT(i, RSA_MIN_PAD_SZ); 1300 /* Must have seen separator. */ 1301 invalid |= ~pastSep; 1302 /* First byte must be 0x00. */ 1303 invalid |= ctMaskNotEq(pkcsBlock[0], 0x00); 1304 /* Check against expected block type: padValue */ 1305 invalid |= ctMaskNotEq(pkcsBlock[1], padValue); 1033 1306 1034 1307 *output = (byte *)(pkcsBlock + i); 1035 return outputLen; 1036 } 1037 1038 /* helper function to direct unpadding */ 1308 ret = ((int)~invalid) & (pkcsBlockLen - i); 1309 } 1310 #endif 1311 1312 return ret; 1313 } 1314 1315 /* helper function to direct unpadding 1316 * 1317 * bits is the key modulus size in bits 1318 */ 1039 1319 static int wc_RsaUnPad_ex(byte* pkcsBlock, word32 pkcsBlockLen, byte** out, 1040 1320 byte padValue, int padType, enum wc_HashType hType, 1041 int mgf, byte* optLabel, word32 labelLen, int bits,1042 void* heap)1321 int mgf, byte* optLabel, word32 labelLen, int saltLen, 1322 int bits, void* heap) 1043 1323 { 1044 1324 int ret; … … 1062 1342 WOLFSSL_MSG("wolfSSL Using RSA PSS un-padding"); 1063 1343 ret = RsaUnPad_PSS((byte*)pkcsBlock, pkcsBlockLen, out, hType, mgf, 1064 1344 saltLen, bits, heap); 1065 1345 break; 1066 1346 #endif 1347 1348 #ifdef WC_RSA_NO_PADDING 1349 case WC_RSA_NO_PAD: 1350 WOLFSSL_MSG("wolfSSL Using NO un-padding"); 1351 1352 /* In the case of no padding being used check that input is exactly 1353 * the RSA key length */ 1354 if (bits <= 0 || pkcsBlockLen != ((word32)bits/WOLFSSL_BIT_SIZE)) { 1355 WOLFSSL_MSG("Bad input size"); 1356 ret = RSA_PAD_E; 1357 } 1358 else { 1359 if (out != NULL) { 1360 *out = pkcsBlock; 1361 } 1362 ret = pkcsBlockLen; 1363 } 1364 break; 1365 #endif /* WC_RSA_NO_PADDING */ 1067 1366 1068 1367 default: … … 1076 1375 (void)optLabel; 1077 1376 (void)labelLen; 1377 (void)saltLen; 1078 1378 (void)bits; 1079 1379 (void)heap; … … 1131 1431 #endif /* WOLFSSL_XILINX_CRYPT */ 1132 1432 1433 #ifdef WC_RSA_NONBLOCK 1434 static int wc_RsaFunctionNonBlock(const byte* in, word32 inLen, byte* out, 1435 word32* outLen, int type, RsaKey* key) 1436 { 1437 int ret = 0; 1438 word32 keyLen, len; 1439 1440 if (key == NULL || key->nb == NULL) { 1441 return BAD_FUNC_ARG; 1442 } 1443 1444 if (key->nb->exptmod.state == TFM_EXPTMOD_NB_INIT) { 1445 if (mp_init(&key->nb->tmp) != MP_OKAY) { 1446 ret = MP_INIT_E; 1447 } 1448 1449 if (ret == 0) { 1450 if (mp_read_unsigned_bin(&key->nb->tmp, (byte*)in, inLen) != MP_OKAY) { 1451 ret = MP_READ_E; 1452 } 1453 } 1454 } 1455 1456 if (ret == 0) { 1457 switch(type) { 1458 case RSA_PRIVATE_DECRYPT: 1459 case RSA_PRIVATE_ENCRYPT: 1460 ret = fp_exptmod_nb(&key->nb->exptmod, &key->nb->tmp, &key->d, 1461 &key->n, &key->nb->tmp); 1462 if (ret == FP_WOULDBLOCK) 1463 return ret; 1464 if (ret != MP_OKAY) 1465 ret = MP_EXPTMOD_E; 1466 break; 1467 1468 case RSA_PUBLIC_ENCRYPT: 1469 case RSA_PUBLIC_DECRYPT: 1470 ret = fp_exptmod_nb(&key->nb->exptmod, &key->nb->tmp, &key->e, 1471 &key->n, &key->nb->tmp); 1472 if (ret == FP_WOULDBLOCK) 1473 return ret; 1474 if (ret != MP_OKAY) 1475 ret = MP_EXPTMOD_E; 1476 break; 1477 default: 1478 ret = RSA_WRONG_TYPE_E; 1479 break; 1480 } 1481 } 1482 1483 if (ret == 0) { 1484 keyLen = wc_RsaEncryptSize(key); 1485 if (keyLen > *outLen) 1486 ret = RSA_BUFFER_E; 1487 } 1488 if (ret == 0) { 1489 len = mp_unsigned_bin_size(&key->nb->tmp); 1490 1491 /* pad front w/ zeros to match key length */ 1492 while (len < keyLen) { 1493 *out++ = 0x00; 1494 len++; 1495 } 1496 1497 *outLen = keyLen; 1498 1499 /* convert */ 1500 if (mp_to_unsigned_bin(&key->nb->tmp, out) != MP_OKAY) { 1501 ret = MP_TO_E; 1502 } 1503 } 1504 1505 mp_clear(&key->nb->tmp); 1506 1507 return ret; 1508 } 1509 #endif /* WC_RSA_NONBLOCK */ 1510 1133 1511 static int wc_RsaFunctionSync(const byte* in, word32 inLen, byte* out, 1134 1512 word32* outLen, int type, RsaKey* key, WC_RNG* rng) 1135 1513 { 1136 mp_int tmp; 1514 #ifndef WOLFSSL_SP_MATH 1515 #ifdef WOLFSSL_SMALL_STACK 1516 mp_int* tmp = NULL; 1137 1517 #ifdef WC_RSA_BLINDING 1138 mp_int rnd, rndi; 1518 mp_int* rnd = NULL; 1519 mp_int* rndi = NULL; 1520 #endif 1521 #else 1522 mp_int tmp[1]; 1523 #ifdef WC_RSA_BLINDING 1524 mp_int rnd[1], rndi[1]; 1525 #endif 1139 1526 #endif 1140 1527 int ret = 0; 1141 word32 keyLen, len; 1528 word32 keyLen = 0; 1529 #endif 1142 1530 1143 1531 #ifdef WOLFSSL_HAVE_SP_RSA … … 1145 1533 if (mp_count_bits(&key->n) == 2048) { 1146 1534 switch(type) { 1535 #ifndef WOLFSSL_RSA_PUBLIC_ONLY 1147 1536 case RSA_PRIVATE_DECRYPT: 1148 1537 case RSA_PRIVATE_ENCRYPT: … … 1151 1540 return MISSING_RNG_E; 1152 1541 #endif 1542 #ifndef RSA_LOW_MEM 1153 1543 return sp_RsaPrivate_2048(in, inLen, &key->d, &key->p, &key->q, 1154 1544 &key->dP, &key->dQ, &key->u, &key->n, 1155 1545 out, outLen); 1546 #else 1547 return sp_RsaPrivate_2048(in, inLen, &key->d, &key->p, &key->q, 1548 NULL, NULL, NULL, &key->n, out, outLen); 1549 #endif 1550 #endif 1156 1551 case RSA_PUBLIC_ENCRYPT: 1157 1552 case RSA_PUBLIC_DECRYPT: … … 1163 1558 if (mp_count_bits(&key->n) == 3072) { 1164 1559 switch(type) { 1560 #ifndef WOLFSSL_RSA_PUBLIC_ONLY 1165 1561 case RSA_PRIVATE_DECRYPT: 1166 1562 case RSA_PRIVATE_ENCRYPT: … … 1169 1565 return MISSING_RNG_E; 1170 1566 #endif 1567 #ifndef RSA_LOW_MEM 1171 1568 return sp_RsaPrivate_3072(in, inLen, &key->d, &key->p, &key->q, 1172 1569 &key->dP, &key->dQ, &key->u, &key->n, 1173 1570 out, outLen); 1571 #else 1572 return sp_RsaPrivate_3072(in, inLen, &key->d, &key->p, &key->q, 1573 NULL, NULL, NULL, &key->n, out, outLen); 1574 #endif 1575 #endif 1174 1576 case RSA_PUBLIC_ENCRYPT: 1175 1577 case RSA_PUBLIC_DECRYPT: … … 1180 1582 #endif /* WOLFSSL_HAVE_SP_RSA */ 1181 1583 1584 #ifdef WOLFSSL_SP_MATH 1182 1585 (void)rng; 1183 1184 if (mp_init(&tmp) != MP_OKAY) 1185 return MP_INIT_E; 1186 1586 return WC_KEY_SIZE_E; 1587 #else 1588 (void)rng; 1589 1590 #ifdef WOLFSSL_SMALL_STACK 1591 tmp = (mp_int*)XMALLOC(sizeof(mp_int), key->heap, DYNAMIC_TYPE_RSA); 1592 if (tmp == NULL) 1593 return MEMORY_E; 1187 1594 #ifdef WC_RSA_BLINDING 1595 rnd = (mp_int*)XMALLOC(sizeof(mp_int) * 2, key->heap, DYNAMIC_TYPE_RSA); 1596 if (rnd == NULL) { 1597 XFREE(tmp, key->heap, DYNAMIC_TYPE_RSA); 1598 return MEMORY_E; 1599 } 1600 rndi = rnd + 1; 1601 #endif /* WC_RSA_BLINDING */ 1602 #endif /* WOLFSSL_SMALL_STACK */ 1603 1604 if (mp_init(tmp) != MP_OKAY) 1605 ret = MP_INIT_E; 1606 1607 #ifdef WC_RSA_BLINDING 1608 if (ret == 0) { 1188 1609 if (type == RSA_PRIVATE_DECRYPT || type == RSA_PRIVATE_ENCRYPT) { 1189 if (mp_init_multi(&rnd, &rndi, NULL, NULL, NULL, NULL) != MP_OKAY) { 1190 mp_clear(&tmp); 1191 return MP_INIT_E; 1192 } 1193 } 1194 #endif 1195 1196 if (mp_read_unsigned_bin(&tmp, (byte*)in, inLen) != MP_OKAY) 1197 ERROR_OUT(MP_READ_E); 1198 1610 if (mp_init_multi(rnd, rndi, NULL, NULL, NULL, NULL) != MP_OKAY) { 1611 mp_clear(tmp); 1612 ret = MP_INIT_E; 1613 } 1614 } 1615 } 1616 #endif 1617 1618 #ifndef TEST_UNPAD_CONSTANT_TIME 1619 if (ret == 0 && mp_read_unsigned_bin(tmp, (byte*)in, inLen) != MP_OKAY) 1620 ret = MP_READ_E; 1621 1622 if (ret == 0) { 1199 1623 switch(type) { 1624 #ifndef WOLFSSL_RSA_PUBLIC_ONLY 1200 1625 case RSA_PRIVATE_DECRYPT: 1201 1626 case RSA_PRIVATE_ENCRYPT: 1202 1627 { 1203 #ifdef WC_RSA_BLINDING1628 #if defined(WC_RSA_BLINDING) && !defined(WC_NO_RNG) 1204 1629 /* blind */ 1205 ret = mp_rand(&rnd, get_digit_count(&key->n), rng); 1206 if (ret != MP_OKAY) 1207 goto done; 1630 ret = mp_rand(rnd, get_digit_count(&key->n), rng); 1208 1631 1209 1632 /* rndi = 1/rnd mod n */ 1210 if (mp_invmod(&rnd, &key->n, &rndi) != MP_OKAY)1211 ERROR_OUT(MP_INVMOD_E);1633 if (ret == 0 && mp_invmod(rnd, &key->n, rndi) != MP_OKAY) 1634 ret = MP_INVMOD_E; 1212 1635 1213 1636 /* rnd = rnd^e */ 1214 if (mp_exptmod(&rnd, &key->e, &key->n, &rnd) != MP_OKAY)1215 ERROR_OUT(MP_EXPTMOD_E);1637 if (ret == 0 && mp_exptmod(rnd, &key->e, &key->n, rnd) != MP_OKAY) 1638 ret = MP_EXPTMOD_E; 1216 1639 1217 1640 /* tmp = tmp*rnd mod n */ 1218 if (mp_mulmod(&tmp, &rnd, &key->n, &tmp) != MP_OKAY)1219 ERROR_OUT(MP_MULMOD_E);1220 #endif /* WC_RSA_BLINGING */1641 if (ret == 0 && mp_mulmod(tmp, rnd, &key->n, tmp) != MP_OKAY) 1642 ret = MP_MULMOD_E; 1643 #endif /* WC_RSA_BLINDING && !WC_NO_RNG */ 1221 1644 1222 1645 #ifdef RSA_LOW_MEM /* half as much memory but twice as slow */ 1223 if (mp_exptmod(&tmp, &key->d, &key->n, &tmp) != MP_OKAY)1224 ERROR_OUT(MP_EXPTMOD_E);1646 if (ret == 0 && mp_exptmod(tmp, &key->d, &key->n, tmp) != MP_OKAY) 1647 ret = MP_EXPTMOD_E; 1225 1648 #else 1226 /* Return 0 when cond is false and n when cond is true. */ 1227 #define COND_N(cond, n) ((0 - (cond)) & (n)) 1228 /* If ret has an error value return it otherwise if r is OK then return 1229 * 0 otherwise return e. 1230 */ 1231 #define RET_ERR(ret, r, e) \ 1232 ((ret) | (COND_N((ret) == 0, COND_N((r) != MP_OKAY, (e))))) 1233 1234 { /* tmpa/b scope */ 1235 mp_int tmpa, tmpb; 1236 int r; 1237 1238 if (mp_init(&tmpa) != MP_OKAY) 1239 ERROR_OUT(MP_INIT_E); 1240 1241 if (mp_init(&tmpb) != MP_OKAY) { 1242 mp_clear(&tmpa); 1243 ERROR_OUT(MP_INIT_E); 1649 if (ret == 0) { 1650 #ifdef WOLFSSL_SMALL_STACK 1651 mp_int* tmpa = NULL; 1652 mp_int* tmpb = NULL; 1653 #else 1654 mp_int tmpa[1], tmpb[1]; 1655 #endif 1656 int cleara = 0, clearb = 0; 1657 1658 #ifdef WOLFSSL_SMALL_STACK 1659 tmpa = XMALLOC(sizeof(mp_int) * 2, key->heap, DYNAMIC_TYPE_RSA); 1660 if (tmpa != NULL) 1661 tmpb = tmpa + 1; 1662 else 1663 ret = MEMORY_E; 1664 #endif 1665 1666 if (ret == 0) { 1667 if (mp_init(tmpa) != MP_OKAY) 1668 ret = MP_INIT_E; 1669 else 1670 cleara = 1; 1671 } 1672 1673 if (ret == 0) { 1674 if (mp_init(tmpb) != MP_OKAY) 1675 ret = MP_INIT_E; 1676 else 1677 clearb = 1; 1244 1678 } 1245 1679 1246 1680 /* tmpa = tmp^dP mod p */ 1247 r = mp_exptmod(&tmp, &key->dP, &key->p, &tmpa); 1248 ret = RET_ERR(ret, r, MP_EXPTMOD_E); 1681 if (ret == 0 && mp_exptmod(tmp, &key->dP, &key->p, 1682 tmpa) != MP_OKAY) 1683 ret = MP_EXPTMOD_E; 1249 1684 1250 1685 /* tmpb = tmp^dQ mod q */ 1251 r = mp_exptmod(&tmp, &key->dQ, &key->q, &tmpb); 1252 ret = RET_ERR(ret, r, MP_EXPTMOD_E); 1686 if (ret == 0 && mp_exptmod(tmp, &key->dQ, &key->q, 1687 tmpb) != MP_OKAY) 1688 ret = MP_EXPTMOD_E; 1253 1689 1254 1690 /* tmp = (tmpa - tmpb) * qInv (mod p) */ 1255 r = mp_sub(&tmpa, &tmpb, &tmp); 1256 ret = RET_ERR(ret, r, MP_SUB_E); 1257 1258 r = mp_mulmod(&tmp, &key->u, &key->p, &tmp); 1259 ret = RET_ERR(ret, r, MP_MULMOD_E); 1691 if (ret == 0 && mp_sub(tmpa, tmpb, tmp) != MP_OKAY) 1692 ret = MP_SUB_E; 1693 1694 if (ret == 0 && mp_mulmod(tmp, &key->u, &key->p, 1695 tmp) != MP_OKAY) 1696 ret = MP_MULMOD_E; 1260 1697 1261 1698 /* tmp = tmpb + q * tmp */ 1262 r = mp_mul(&tmp, &key->q, &tmp); 1263 ret = RET_ERR(ret, r, MP_MUL_E); 1264 1265 r = mp_add(&tmp, &tmpb, &tmp); 1266 ret = RET_ERR(ret, r, MP_ADD_E); 1267 1268 mp_clear(&tmpa); 1269 mp_clear(&tmpb); 1270 1271 if (ret != 0) { 1272 goto done; 1273 } 1274 #undef RET_ERR 1275 #undef COND_N 1699 if (ret == 0 && mp_mul(tmp, &key->q, tmp) != MP_OKAY) 1700 ret = MP_MUL_E; 1701 1702 if (ret == 0 && mp_add(tmp, tmpb, tmp) != MP_OKAY) 1703 ret = MP_ADD_E; 1704 1705 #ifdef WOLFSSL_SMALL_STACK 1706 if (tmpa != NULL) 1707 #endif 1708 { 1709 if (cleara) 1710 mp_clear(tmpa); 1711 if (clearb) 1712 mp_clear(tmpb); 1713 #ifdef WOLFSSL_SMALL_STACK 1714 XFREE(tmpa, key->heap, DYNAMIC_TYPE_RSA); 1715 #endif 1716 } 1276 1717 } /* tmpa/b scope */ 1277 1718 #endif /* RSA_LOW_MEM */ … … 1279 1720 #ifdef WC_RSA_BLINDING 1280 1721 /* unblind */ 1281 if (mp_mulmod(&tmp, &rndi, &key->n, &tmp) != MP_OKAY)1282 ERROR_OUT(MP_MULMOD_E);1722 if (ret == 0 && mp_mulmod(tmp, rndi, &key->n, tmp) != MP_OKAY) 1723 ret = MP_MULMOD_E; 1283 1724 #endif /* WC_RSA_BLINDING */ 1284 1725 1285 1726 break; 1286 1727 } 1728 #endif 1287 1729 case RSA_PUBLIC_ENCRYPT: 1288 1730 case RSA_PUBLIC_DECRYPT: 1289 1731 #ifdef WOLFSSL_XILINX_CRYPT 1290 1732 ret = wc_RsaFunctionXil(in, inLen, out, outLen, type, key, rng); 1291 goto done;1292 1733 #else 1293 if (mp_exptmod(&tmp, &key->e, &key->n, &tmp) != MP_OKAY)1294 ERROR_OUT(MP_EXPTMOD_E);1734 if (mp_exptmod(tmp, &key->e, &key->n, tmp) != MP_OKAY) 1735 ret = MP_EXPTMOD_E; 1295 1736 break; 1296 1737 #endif 1297 1738 default: 1298 ERROR_OUT(RSA_WRONG_TYPE_E); 1299 } 1300 1301 keyLen = wc_RsaEncryptSize(key); 1302 if (keyLen > *outLen) { 1303 ERROR_OUT(RSA_BUFFER_E); 1304 } 1305 1306 len = mp_unsigned_bin_size(&tmp); 1307 1308 /* pad front w/ zeros to match key length */ 1309 while (len < keyLen) { 1310 *out++ = 0x00; 1311 len++; 1312 } 1313 1739 ret = RSA_WRONG_TYPE_E; 1740 break; 1741 } 1742 } 1743 1744 if (ret == 0) { 1745 keyLen = wc_RsaEncryptSize(key); 1746 if (keyLen > *outLen) 1747 ret = RSA_BUFFER_E; 1748 } 1749 if (ret == 0) { 1314 1750 *outLen = keyLen; 1315 1316 /* convert */ 1317 if (mp_to_unsigned_bin(&tmp, out) != MP_OKAY) 1318 ERROR_OUT(MP_TO_E); 1319 1320 done: 1321 mp_clear(&tmp); 1751 if (mp_to_unsigned_bin_len(tmp, out, keyLen) != MP_OKAY) 1752 ret = MP_TO_E; 1753 } 1754 #else 1755 (void)type; 1756 (void)key; 1757 (void)keyLen; 1758 XMEMCPY(out, in, inLen); 1759 *outLen = inLen; 1760 #endif 1761 1762 mp_clear(tmp); 1763 #ifdef WOLFSSL_SMALL_STACK 1764 XFREE(tmp, key->heap, DYNAMIC_TYPE_RSA); 1765 #endif 1322 1766 #ifdef WC_RSA_BLINDING 1323 1767 if (type == RSA_PRIVATE_DECRYPT || type == RSA_PRIVATE_ENCRYPT) { 1324 mp_clear(&rndi); 1325 mp_clear(&rnd); 1326 } 1327 #endif 1768 mp_clear(rndi); 1769 mp_clear(rnd); 1770 } 1771 #ifdef WOLFSSL_SMALL_STACK 1772 XFREE(rnd, key->heap, DYNAMIC_TYPE_RSA); 1773 #endif 1774 #endif /* WC_RSA_BLINDING */ 1328 1775 return ret; 1776 #endif /* WOLFSSL_SP_MATH */ 1329 1777 } 1330 1778 … … 1352 1800 1353 1801 switch(type) { 1802 #ifndef WOLFSSL_RSA_PUBLIC_ONLY 1354 1803 case RSA_PRIVATE_DECRYPT: 1355 1804 case RSA_PRIVATE_ENCRYPT: 1356 1805 #ifdef HAVE_CAVIUM 1806 key->dataLen = key->n.raw.len; 1357 1807 ret = NitroxRsaExptMod(in, inLen, 1358 1808 key->d.raw.buf, key->d.raw.len, … … 1375 1825 #endif 1376 1826 break; 1827 #endif 1377 1828 1378 1829 case RSA_PUBLIC_ENCRYPT: 1379 1830 case RSA_PUBLIC_DECRYPT: 1380 1831 #ifdef HAVE_CAVIUM 1832 key->dataLen = key->n.raw.len; 1381 1833 ret = NitroxRsaExptMod(in, inLen, 1382 1834 key->e.raw.buf, key->e.raw.len, … … 1400 1852 #endif /* WOLFSSL_ASYNC_CRYPT && WC_ASYNC_ENABLE_RSA */ 1401 1853 1854 #if defined(WC_RSA_DIRECT) || defined(WC_RSA_NO_PADDING) 1855 /* Function that does the RSA operation directly with no padding. 1856 * 1857 * in buffer to do operation on 1858 * inLen length of input buffer 1859 * out buffer to hold results 1860 * outSz gets set to size of result buffer. Should be passed in as length 1861 * of out buffer. If the pointer "out" is null then outSz gets set to 1862 * the expected buffer size needed and LENGTH_ONLY_E gets returned. 1863 * key RSA key to use for encrypt/decrypt 1864 * type if using private or public key {RSA_PUBLIC_ENCRYPT, 1865 * RSA_PUBLIC_DECRYPT, RSA_PRIVATE_ENCRYPT, RSA_PRIVATE_DECRYPT} 1866 * rng wolfSSL RNG to use if needed 1867 * 1868 * returns size of result on success 1869 */ 1870 int wc_RsaDirect(byte* in, word32 inLen, byte* out, word32* outSz, 1871 RsaKey* key, int type, WC_RNG* rng) 1872 { 1873 int ret; 1874 1875 if (in == NULL || outSz == NULL || key == NULL) { 1876 return BAD_FUNC_ARG; 1877 } 1878 1879 /* sanity check on type of RSA operation */ 1880 switch (type) { 1881 case RSA_PUBLIC_ENCRYPT: 1882 case RSA_PUBLIC_DECRYPT: 1883 case RSA_PRIVATE_ENCRYPT: 1884 case RSA_PRIVATE_DECRYPT: 1885 break; 1886 default: 1887 WOLFSSL_MSG("Bad RSA type"); 1888 return BAD_FUNC_ARG; 1889 } 1890 1891 if ((ret = wc_RsaEncryptSize(key)) < 0) { 1892 return BAD_FUNC_ARG; 1893 } 1894 1895 if (inLen != (word32)ret) { 1896 WOLFSSL_MSG("Bad input length. Should be RSA key size"); 1897 return BAD_FUNC_ARG; 1898 } 1899 1900 if (out == NULL) { 1901 *outSz = inLen; 1902 return LENGTH_ONLY_E; 1903 } 1904 1905 switch (key->state) { 1906 case RSA_STATE_NONE: 1907 case RSA_STATE_ENCRYPT_PAD: 1908 case RSA_STATE_ENCRYPT_EXPTMOD: 1909 case RSA_STATE_DECRYPT_EXPTMOD: 1910 case RSA_STATE_DECRYPT_UNPAD: 1911 key->state = (type == RSA_PRIVATE_ENCRYPT || 1912 type == RSA_PUBLIC_ENCRYPT) ? RSA_STATE_ENCRYPT_EXPTMOD: 1913 RSA_STATE_DECRYPT_EXPTMOD; 1914 1915 key->dataLen = *outSz; 1916 1917 ret = wc_RsaFunction(in, inLen, out, &key->dataLen, type, key, rng); 1918 if (ret >= 0 || ret == WC_PENDING_E) { 1919 key->state = (type == RSA_PRIVATE_ENCRYPT || 1920 type == RSA_PUBLIC_ENCRYPT) ? RSA_STATE_ENCRYPT_RES: 1921 RSA_STATE_DECRYPT_RES; 1922 } 1923 if (ret < 0) { 1924 break; 1925 } 1926 1927 FALL_THROUGH; 1928 1929 case RSA_STATE_ENCRYPT_RES: 1930 case RSA_STATE_DECRYPT_RES: 1931 ret = key->dataLen; 1932 break; 1933 1934 default: 1935 ret = BAD_STATE_E; 1936 } 1937 1938 /* if async pending then skip cleanup*/ 1939 if (ret == WC_PENDING_E 1940 #ifdef WC_RSA_NONBLOCK 1941 || ret == FP_WOULDBLOCK 1942 #endif 1943 ) { 1944 return ret; 1945 } 1946 1947 key->state = RSA_STATE_NONE; 1948 wc_RsaCleanup(key); 1949 1950 return ret; 1951 } 1952 #endif /* WC_RSA_DIRECT || WC_RSA_NO_PADDING */ 1953 1954 1402 1955 int wc_RsaFunction(const byte* in, word32 inLen, byte* out, 1403 1956 word32* outLen, int type, RsaKey* key, WC_RNG* rng) 1404 1957 { 1405 int ret ;1958 int ret = 0; 1406 1959 1407 1960 if (key == NULL || in == NULL || inLen == 0 || out == NULL || … … 1409 1962 return BAD_FUNC_ARG; 1410 1963 } 1964 1965 #ifdef WOLF_CRYPTO_DEV 1966 if (key->devId != INVALID_DEVID) { 1967 ret = wc_CryptoDev_Rsa(in, inLen, out, outLen, type, key, rng); 1968 if (ret != NOT_COMPILED_IN) 1969 return ret; 1970 ret = 0; /* reset error code and try using software */ 1971 } 1972 #endif 1973 1974 #ifndef TEST_UNPAD_CONSTANT_TIME 1975 #ifndef NO_RSA_BOUNDS_CHECK 1976 if (type == RSA_PRIVATE_DECRYPT && 1977 key->state == RSA_STATE_DECRYPT_EXPTMOD) { 1978 1979 /* Check that 1 < in < n-1. (Requirement of 800-56B.) */ 1980 #ifdef WOLFSSL_SMALL_STACK 1981 mp_int* c = NULL; 1982 #else 1983 mp_int c[1]; 1984 #endif 1985 1986 #ifdef WOLFSSL_SMALL_STACK 1987 c = (mp_int*)XMALLOC(sizeof(mp_int), key->heap, DYNAMIC_TYPE_RSA); 1988 if (c == NULL) 1989 ret = MEMORY_E; 1990 #endif 1991 1992 if (mp_init(c) != MP_OKAY) 1993 ret = MEMORY_E; 1994 if (ret == 0) { 1995 if (mp_read_unsigned_bin(c, in, inLen) != 0) 1996 ret = MP_READ_E; 1997 } 1998 if (ret == 0) { 1999 /* check c > 1 */ 2000 if (mp_cmp_d(c, 1) != MP_GT) 2001 ret = RSA_OUT_OF_RANGE_E; 2002 } 2003 if (ret == 0) { 2004 /* add c+1 */ 2005 if (mp_add_d(c, 1, c) != MP_OKAY) 2006 ret = MP_ADD_E; 2007 } 2008 if (ret == 0) { 2009 /* check c+1 < n */ 2010 if (mp_cmp(c, &key->n) != MP_LT) 2011 ret = RSA_OUT_OF_RANGE_E; 2012 } 2013 mp_clear(c); 2014 2015 #ifdef WOLFSSL_SMALL_STACK 2016 XFREE(c, key->heap, DYNAMIC_TYPE_RSA); 2017 #endif 2018 2019 if (ret != 0) 2020 return ret; 2021 } 2022 #endif /* NO_RSA_BOUNDS_CHECK */ 2023 #endif 1411 2024 1412 2025 #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_RSA) … … 1417 2030 else 1418 2031 #endif 2032 #ifdef WC_RSA_NONBLOCK 2033 if (key->nb) { 2034 ret = wc_RsaFunctionNonBlock(in, inLen, out, outLen, type, key); 2035 } 2036 else 2037 #endif 1419 2038 { 1420 2039 ret = wc_RsaFunctionSync(in, inLen, out, outLen, type, key, rng); … … 1422 2041 1423 2042 /* handle error */ 1424 if (ret < 0 && ret != WC_PENDING_E) { 2043 if (ret < 0 && ret != WC_PENDING_E 2044 #ifdef WC_RSA_NONBLOCK 2045 && ret != FP_WOULDBLOCK 2046 #endif 2047 ) { 1425 2048 if (ret == MP_EXPTMOD_E) { 1426 2049 /* This can happen due to incorrectly set FP_MAX_BITS or missing XREALLOC */ … … 1436 2059 1437 2060 2061 #ifndef WOLFSSL_RSA_VERIFY_ONLY 1438 2062 /* Internal Wrappers */ 1439 2063 /* Gives the option of choosing padding type … … 1447 2071 RSA_PRIVATE_ENCRYPT or RSA_PRIVATE_DECRYPT 1448 2072 pad_value: RSA_BLOCK_TYPE_1 or RSA_BLOCK_TYPE_2 1449 pad_type : type of padding: WC_RSA_PKCSV15_PAD, WC_RSA_OAEP_PAD or1450 WC_RSA_ PSS_PAD2073 pad_type : type of padding: WC_RSA_PKCSV15_PAD, WC_RSA_OAEP_PAD, 2074 WC_RSA_NO_PAD or WC_RSA_PSS_PAD 1451 2075 hash : type of hash algorithm to use found in wolfssl/wolfcrypt/hash.h 1452 2076 mgf : type of mask generation function to use 1453 2077 label : optional label 1454 labelSz : size of optional label buffer */ 2078 labelSz : size of optional label buffer 2079 saltLen : Length of salt used in PSS 2080 rng : random number generator */ 1455 2081 static int RsaPublicEncryptEx(const byte* in, word32 inLen, byte* out, 1456 2082 word32 outLen, RsaKey* key, int rsa_type, 1457 2083 byte pad_value, int pad_type, 1458 2084 enum wc_HashType hash, int mgf, 1459 byte* label, word32 labelSz, WC_RNG* rng) 2085 byte* label, word32 labelSz, int saltLen, 2086 WC_RNG* rng) 1460 2087 { 1461 2088 int ret, sz; … … 1475 2102 1476 2103 if (inLen > (word32)(sz - RSA_MIN_PAD_SZ)) { 2104 #ifdef WC_RSA_NO_PADDING 2105 /* In the case that no padding is used the input length can and should 2106 * be the same size as the RSA key. */ 2107 if (pad_type != WC_RSA_NO_PAD) 2108 #endif 1477 2109 return RSA_BUFFER_E; 1478 2110 } … … 1481 2113 case RSA_STATE_NONE: 1482 2114 case RSA_STATE_ENCRYPT_PAD: 1483 key->state = RSA_STATE_ENCRYPT_PAD;1484 1485 2115 #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_RSA) && \ 1486 2116 defined(HAVE_CAVIUM) 1487 if (key->asyncDev.marker == WOLFSSL_ASYNC_MARKER_RSA && key->n.raw.buf) { 2117 if (key->asyncDev.marker == WOLFSSL_ASYNC_MARKER_RSA && 2118 pad_type != WC_RSA_PSS_PAD && key->n.raw.buf) { 1488 2119 /* Async operations that include padding */ 1489 2120 if (rsa_type == RSA_PUBLIC_ENCRYPT && … … 1502 2133 #endif 1503 2134 2135 key->state = RSA_STATE_ENCRYPT_PAD; 1504 2136 ret = wc_RsaPad_ex(in, inLen, out, sz, pad_value, rng, pad_type, hash, 1505 mgf, label, labelSz, mp_count_bits(&key->n),2137 mgf, label, labelSz, saltLen, mp_count_bits(&key->n), 1506 2138 key->heap); 1507 2139 if (ret < 0) { … … 1510 2142 1511 2143 key->state = RSA_STATE_ENCRYPT_EXPTMOD; 1512 1513 2144 FALL_THROUGH; 1514 2145 … … 1537 2168 1538 2169 /* if async pending then return and skip done cleanup below */ 1539 if (ret == WC_PENDING_E) { 2170 if (ret == WC_PENDING_E 2171 #ifdef WC_RSA_NONBLOCK 2172 || ret == FP_WOULDBLOCK 2173 #endif 2174 ) { 1540 2175 return ret; 1541 2176 } … … 1546 2181 return ret; 1547 2182 } 2183 #endif 1548 2184 1549 2185 /* Gives the option of choosing padding type … … 1557 2193 RSA_PRIVATE_ENCRYPT or RSA_PRIVATE_DECRYPT 1558 2194 pad_value: RSA_BLOCK_TYPE_1 or RSA_BLOCK_TYPE_2 1559 pad_type : type of padding: WC_RSA_PKCSV15_PAD, WC_RSA_OAEP_PAD 1560 WC_RSA_ PSS_PAD2195 pad_type : type of padding: WC_RSA_PKCSV15_PAD, WC_RSA_OAEP_PAD, 2196 WC_RSA_NO_PAD, WC_RSA_PSS_PAD 1561 2197 hash : type of hash algorithm to use found in wolfssl/wolfcrypt/hash.h 1562 2198 mgf : type of mask generation function to use 1563 2199 label : optional label 1564 labelSz : size of optional label buffer */ 2200 labelSz : size of optional label buffer 2201 saltLen : Length of salt used in PSS 2202 rng : random number generator */ 1565 2203 static int RsaPrivateDecryptEx(byte* in, word32 inLen, byte* out, 1566 2204 word32 outLen, byte** outPtr, RsaKey* key, 1567 2205 int rsa_type, byte pad_value, int pad_type, 1568 2206 enum wc_HashType hash, int mgf, 1569 byte* label, word32 labelSz, WC_RNG* rng) 2207 byte* label, word32 labelSz, int saltLen, 2208 WC_RNG* rng) 1570 2209 { 1571 2210 int ret = RSA_WRONG_TYPE_E; … … 1577 2216 switch (key->state) { 1578 2217 case RSA_STATE_NONE: 1579 case RSA_STATE_DECRYPT_EXPTMOD:1580 key->state = RSA_STATE_DECRYPT_EXPTMOD;1581 2218 key->dataLen = inLen; 1582 2219 … … 1584 2221 defined(HAVE_CAVIUM) 1585 2222 /* Async operations that include padding */ 1586 if (key->asyncDev.marker == WOLFSSL_ASYNC_MARKER_RSA) { 2223 if (key->asyncDev.marker == WOLFSSL_ASYNC_MARKER_RSA && 2224 pad_type != WC_RSA_PSS_PAD) { 2225 #ifndef WOLFSSL_RSA_PUBLIC_ONLY 1587 2226 if (rsa_type == RSA_PRIVATE_DECRYPT && 1588 2227 pad_value == RSA_BLOCK_TYPE_2) { 1589 2228 key->state = RSA_STATE_DECRYPT_RES; 1590 2229 key->data = NULL; 1591 if (outPtr)1592 *outPtr = in;1593 return NitroxRsaPrivateDecrypt(in, inLen, out, &key->dataLen, key); 2230 return NitroxRsaPrivateDecrypt(in, inLen, out, &key->dataLen, 2231 key); 2232 #endif 1594 2233 } 1595 2234 else if (rsa_type == RSA_PUBLIC_DECRYPT && … … 1602 2241 #endif 1603 2242 2243 #if !defined(WOLFSSL_RSA_VERIFY_ONLY) && !defined(WOLFSSL_RSA_VERIFY_INLINE) 1604 2244 /* verify the tmp ptr is NULL, otherwise indicates bad state */ 1605 2245 if (key->data != NULL) { … … 1610 2250 /* if not doing this inline then allocate a buffer for it */ 1611 2251 if (outPtr == NULL) { 1612 key->data = (byte*)XMALLOC(inLen, key->heap, DYNAMIC_TYPE_WOLF_BIGINT); 2252 key->data = (byte*)XMALLOC(inLen, key->heap, 2253 DYNAMIC_TYPE_WOLF_BIGINT); 1613 2254 key->dataIsAlloc = 1; 1614 2255 if (key->data == NULL) { … … 1621 2262 key->data = out; 1622 2263 } 1623 ret = wc_RsaFunction(key->data, inLen, key->data, &key->dataLen, rsa_type, 1624 key, rng); 2264 #endif 2265 2266 key->state = RSA_STATE_DECRYPT_EXPTMOD; 2267 FALL_THROUGH; 2268 2269 case RSA_STATE_DECRYPT_EXPTMOD: 2270 #if !defined(WOLFSSL_RSA_VERIFY_ONLY) && !defined(WOLFSSL_RSA_VERIFY_INLINE) 2271 ret = wc_RsaFunction(key->data, inLen, key->data, &key->dataLen, 2272 rsa_type, key, rng); 2273 #else 2274 ret = wc_RsaFunction(out, inLen, out, &key->dataLen, rsa_type, key, 2275 rng); 2276 #endif 1625 2277 1626 2278 if (ret >= 0 || ret == WC_PENDING_E) { … … 1636 2288 { 1637 2289 byte* pad = NULL; 2290 #if !defined(WOLFSSL_RSA_VERIFY_ONLY) && !defined(WOLFSSL_RSA_VERIFY_INLINE) 1638 2291 ret = wc_RsaUnPad_ex(key->data, key->dataLen, &pad, pad_value, pad_type, 1639 hash, mgf, label, labelSz, mp_count_bits(&key->n), 1640 key->heap); 1641 if (ret > 0 && ret <= (int)outLen && pad != NULL) { 2292 hash, mgf, label, labelSz, saltLen, 2293 mp_count_bits(&key->n), key->heap); 2294 #else 2295 ret = wc_RsaUnPad_ex(out, key->dataLen, &pad, pad_value, pad_type, hash, 2296 mgf, label, labelSz, saltLen, 2297 mp_count_bits(&key->n), key->heap); 2298 #endif 2299 if (rsa_type == RSA_PUBLIC_DECRYPT && ret > (int)outLen) 2300 ret = RSA_BUFFER_E; 2301 else if (ret >= 0 && pad != NULL) { 2302 #if !defined(WOLFSSL_RSA_VERIFY_ONLY) 2303 signed char c; 2304 #endif 2305 1642 2306 /* only copy output if not inline */ 1643 2307 if (outPtr == NULL) { 2308 #if !defined(WOLFSSL_RSA_VERIFY_ONLY) 2309 word32 i, j; 2310 int start = (int)((size_t)pad - (size_t)key->data); 2311 2312 for (i = 0, j = 0; j < key->dataLen; j++) { 2313 out[i] = key->data[j]; 2314 c = ctMaskGTE(j, start); 2315 c &= ctMaskLT(i, outLen); 2316 /* 0 - no add, -1 add */ 2317 i += -c; 2318 } 2319 #else 1644 2320 XMEMCPY(out, pad, ret); 2321 #endif 1645 2322 } 1646 else {2323 else 1647 2324 *outPtr = pad; 1648 } 1649 } 1650 else if (ret >= 0) { 2325 2326 #if !defined(WOLFSSL_RSA_VERIFY_ONLY) 2327 ret = ctMaskSelInt(ctMaskLTE(ret, outLen), ret, RSA_BUFFER_E); 2328 ret = ctMaskSelInt(ctMaskNotEq(ret, 0), ret, RSA_BUFFER_E); 2329 #else 2330 if (outLen < (word32)ret) 1651 2331 ret = RSA_BUFFER_E; 1652 } 1653 if (ret < 0) { 1654 break; 2332 #endif 1655 2333 } 1656 2334 … … 1662 2340 #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_RSA) && \ 1663 2341 defined(HAVE_CAVIUM) 1664 if (key->asyncDev.marker == WOLFSSL_ASYNC_MARKER_RSA) { 1665 /* return event ret */ 1666 ret = key->asyncDev.event.ret; 1667 if (ret == 0) { 2342 if (key->asyncDev.marker == WOLFSSL_ASYNC_MARKER_RSA && 2343 pad_type != WC_RSA_PSS_PAD) { 2344 if (ret > 0) { 1668 2345 /* convert result */ 1669 2346 byte* dataLen = (byte*)&key->dataLen; 1670 2347 ret = (dataLen[0] << 8) | (dataLen[1]); 2348 2349 if (outPtr) 2350 *outPtr = in; 1671 2351 } 1672 2352 } … … 1680 2360 1681 2361 /* if async pending then return and skip done cleanup below */ 1682 if (ret == WC_PENDING_E) { 2362 if (ret == WC_PENDING_E 2363 #ifdef WC_RSA_NONBLOCK 2364 || ret == FP_WOULDBLOCK 2365 #endif 2366 ) { 1683 2367 return ret; 1684 2368 } … … 1691 2375 1692 2376 2377 #ifndef WOLFSSL_RSA_VERIFY_ONLY 1693 2378 /* Public RSA Functions */ 1694 2379 int wc_RsaPublicEncrypt(const byte* in, word32 inLen, byte* out, word32 outLen, … … 1697 2382 return RsaPublicEncryptEx(in, inLen, out, outLen, key, 1698 2383 RSA_PUBLIC_ENCRYPT, RSA_BLOCK_TYPE_2, WC_RSA_PKCSV15_PAD, 1699 WC_HASH_TYPE_NONE, WC_MGF1NONE, NULL, 0, rng);1700 } 1701 1702 1703 #if ndef WC_NO_RSA_OAEP2384 WC_HASH_TYPE_NONE, WC_MGF1NONE, NULL, 0, 0, rng); 2385 } 2386 2387 2388 #if !defined(WC_NO_RSA_OAEP) || defined(WC_RSA_NO_PADDING) 1704 2389 int wc_RsaPublicEncrypt_ex(const byte* in, word32 inLen, byte* out, 1705 2390 word32 outLen, RsaKey* key, WC_RNG* rng, int type, … … 1708 2393 { 1709 2394 return RsaPublicEncryptEx(in, inLen, out, outLen, key, RSA_PUBLIC_ENCRYPT, 1710 RSA_BLOCK_TYPE_2, type, hash, mgf, label, labelSz, rng);2395 RSA_BLOCK_TYPE_2, type, hash, mgf, label, labelSz, 0, rng); 1711 2396 } 1712 2397 #endif /* WC_NO_RSA_OAEP */ 1713 1714 2398 #endif 2399 2400 2401 #ifndef WOLFSSL_RSA_PUBLIC_ONLY 1715 2402 int wc_RsaPrivateDecryptInline(byte* in, word32 inLen, byte** out, RsaKey* key) 1716 2403 { … … 1721 2408 return RsaPrivateDecryptEx(in, inLen, in, inLen, out, key, 1722 2409 RSA_PRIVATE_DECRYPT, RSA_BLOCK_TYPE_2, WC_RSA_PKCSV15_PAD, 1723 WC_HASH_TYPE_NONE, WC_MGF1NONE, NULL, 0, rng);2410 WC_HASH_TYPE_NONE, WC_MGF1NONE, NULL, 0, 0, rng); 1724 2411 } 1725 2412 … … 1736 2423 return RsaPrivateDecryptEx(in, inLen, in, inLen, out, key, 1737 2424 RSA_PRIVATE_DECRYPT, RSA_BLOCK_TYPE_2, type, hash, 1738 mgf, label, labelSz, rng);2425 mgf, label, labelSz, 0, rng); 1739 2426 } 1740 2427 #endif /* WC_NO_RSA_OAEP */ … … 1750 2437 return RsaPrivateDecryptEx((byte*)in, inLen, out, outLen, NULL, key, 1751 2438 RSA_PRIVATE_DECRYPT, RSA_BLOCK_TYPE_2, WC_RSA_PKCSV15_PAD, 1752 WC_HASH_TYPE_NONE, WC_MGF1NONE, NULL, 0, rng);1753 } 1754 1755 #if ndef WC_NO_RSA_OAEP2439 WC_HASH_TYPE_NONE, WC_MGF1NONE, NULL, 0, 0, rng); 2440 } 2441 2442 #if !defined(WC_NO_RSA_OAEP) || defined(WC_RSA_NO_PADDING) 1756 2443 int wc_RsaPrivateDecrypt_ex(const byte* in, word32 inLen, byte* out, 1757 2444 word32 outLen, RsaKey* key, int type, … … 1765 2452 return RsaPrivateDecryptEx((byte*)in, inLen, out, outLen, NULL, key, 1766 2453 RSA_PRIVATE_DECRYPT, RSA_BLOCK_TYPE_2, type, hash, mgf, label, 1767 labelSz, rng); 1768 } 1769 #endif /* WC_NO_RSA_OAEP */ 2454 labelSz, 0, rng); 2455 } 2456 #endif /* WC_NO_RSA_OAEP || WC_RSA_NO_PADDING */ 2457 #endif /* WOLFSSL_RSA_PUBLIC_ONLY */ 1770 2458 1771 2459 … … 1778 2466 return RsaPrivateDecryptEx(in, inLen, in, inLen, out, key, 1779 2467 RSA_PUBLIC_DECRYPT, RSA_BLOCK_TYPE_1, WC_RSA_PKCSV15_PAD, 1780 WC_HASH_TYPE_NONE, WC_MGF1NONE, NULL, 0, rng); 1781 } 1782 2468 WC_HASH_TYPE_NONE, WC_MGF1NONE, NULL, 0, 0, rng); 2469 } 2470 2471 #ifndef WOLFSSL_RSA_VERIFY_ONLY 1783 2472 int wc_RsaSSL_Verify(const byte* in, word32 inLen, byte* out, word32 outLen, 1784 2473 RsaKey* key) … … 1796 2485 return RsaPrivateDecryptEx((byte*)in, inLen, out, outLen, NULL, key, 1797 2486 RSA_PUBLIC_DECRYPT, RSA_BLOCK_TYPE_1, WC_RSA_PKCSV15_PAD, 1798 WC_HASH_TYPE_NONE, WC_MGF1NONE, NULL, 0, rng); 1799 } 2487 WC_HASH_TYPE_NONE, WC_MGF1NONE, NULL, 0, 0, rng); 2488 } 2489 #endif 1800 2490 1801 2491 #ifdef WC_RSA_PSS 2492 /* Verify the message signed with RSA-PSS. 2493 * The input buffer is reused for the ouput buffer. 2494 * Salt length is equal to hash length. 2495 * 2496 * in Buffer holding encrypted data. 2497 * inLen Length of data in buffer. 2498 * out Pointer to address containing the PSS data. 2499 * hash Hash algorithm. 2500 * mgf Mask generation function. 2501 * key Public RSA key. 2502 * returns the length of the PSS data on success and negative indicates failure. 2503 */ 1802 2504 int wc_RsaPSS_VerifyInline(byte* in, word32 inLen, byte** out, 1803 2505 enum wc_HashType hash, int mgf, RsaKey* key) 2506 { 2507 return wc_RsaPSS_VerifyInline_ex(in, inLen, out, hash, mgf, -1, key); 2508 } 2509 2510 /* Verify the message signed with RSA-PSS. 2511 * The input buffer is reused for the ouput buffer. 2512 * 2513 * in Buffer holding encrypted data. 2514 * inLen Length of data in buffer. 2515 * out Pointer to address containing the PSS data. 2516 * hash Hash algorithm. 2517 * mgf Mask generation function. 2518 * key Public RSA key. 2519 * saltLen Length of salt used. -1 indicates salt length is the same as the 2520 * hash length. 2521 * returns the length of the PSS data on success and negative indicates failure. 2522 */ 2523 int wc_RsaPSS_VerifyInline_ex(byte* in, word32 inLen, byte** out, 2524 enum wc_HashType hash, int mgf, int saltLen, 2525 RsaKey* key) 1804 2526 { 1805 2527 WC_RNG* rng = NULL; … … 1809 2531 return RsaPrivateDecryptEx(in, inLen, in, inLen, out, key, 1810 2532 RSA_PUBLIC_DECRYPT, RSA_BLOCK_TYPE_1, WC_RSA_PSS_PAD, 1811 hash, mgf, NULL, 0, rng); 1812 } 1813 1814 /* Sig = 8 * 0x00 | Space for Message Hash | Salt | Exp Hash 1815 * Exp Hash = HASH(8 * 0x00 | Message Hash | Salt) 2533 hash, mgf, NULL, 0, saltLen, rng); 2534 } 2535 2536 /* Verify the message signed with RSA-PSS. 2537 * Salt length is equal to hash length. 2538 * 2539 * in Buffer holding encrypted data. 2540 * inLen Length of data in buffer. 2541 * out Pointer to address containing the PSS data. 2542 * hash Hash algorithm. 2543 * mgf Mask generation function. 2544 * key Public RSA key. 2545 * returns the length of the PSS data on success and negative indicates failure. 2546 */ 2547 int wc_RsaPSS_Verify(byte* in, word32 inLen, byte* out, word32 outLen, 2548 enum wc_HashType hash, int mgf, RsaKey* key) 2549 { 2550 return wc_RsaPSS_Verify_ex(in, inLen, out, outLen, hash, mgf, -1, key); 2551 } 2552 2553 /* Verify the message signed with RSA-PSS. 2554 * 2555 * in Buffer holding encrypted data. 2556 * inLen Length of data in buffer. 2557 * out Pointer to address containing the PSS data. 2558 * hash Hash algorithm. 2559 * mgf Mask generation function. 2560 * key Public RSA key. 2561 * saltLen Length of salt used. -1 indicates salt length is the same as the 2562 * hash length. 2563 * returns the length of the PSS data on success and negative indicates failure. 2564 */ 2565 int wc_RsaPSS_Verify_ex(byte* in, word32 inLen, byte* out, word32 outLen, 2566 enum wc_HashType hash, int mgf, int saltLen, 2567 RsaKey* key) 2568 { 2569 WC_RNG* rng = NULL; 2570 #ifdef WC_RSA_BLINDING 2571 rng = key->rng; 2572 #endif 2573 return RsaPrivateDecryptEx(in, inLen, out, outLen, NULL, key, 2574 RSA_PUBLIC_DECRYPT, RSA_BLOCK_TYPE_1, WC_RSA_PSS_PAD, 2575 hash, mgf, NULL, 0, saltLen, rng); 2576 } 2577 2578 2579 /* Checks the PSS data to ensure that the signature matches. 2580 * Salt length is equal to hash length. 2581 * 2582 * in Hash of the data that is being verified. 2583 * inSz Length of hash. 2584 * sig Buffer holding PSS data. 2585 * sigSz Size of PSS data. 2586 * hashType Hash algorithm. 2587 * returns BAD_PADDING_E when the PSS data is invalid, BAD_FUNC_ARG when 2588 * NULL is passed in to in or sig or inSz is not the same as the hash 2589 * algorithm length and 0 on success. 1816 2590 */ 1817 2591 int wc_RsaPSS_CheckPadding(const byte* in, word32 inSz, byte* sig, 1818 2592 word32 sigSz, enum wc_HashType hashType) 1819 2593 { 1820 int ret; 2594 return wc_RsaPSS_CheckPadding_ex(in, inSz, sig, sigSz, hashType, inSz, 0); 2595 } 2596 2597 /* Checks the PSS data to ensure that the signature matches. 2598 * 2599 * in Hash of the data that is being verified. 2600 * inSz Length of hash. 2601 * sig Buffer holding PSS data. 2602 * sigSz Size of PSS data. 2603 * hashType Hash algorithm. 2604 * saltLen Length of salt used. -1 indicates salt length is the same as the 2605 * hash length. 2606 * returns BAD_PADDING_E when the PSS data is invalid, BAD_FUNC_ARG when 2607 * NULL is passed in to in or sig or inSz is not the same as the hash 2608 * algorithm length and 0 on success. 2609 */ 2610 int wc_RsaPSS_CheckPadding_ex(const byte* in, word32 inSz, byte* sig, 2611 word32 sigSz, enum wc_HashType hashType, 2612 int saltLen, int bits) 2613 { 2614 int ret = 0; 2615 byte sigCheck[WC_MAX_DIGEST_SIZE*2 + RSA_PSS_PAD_SZ]; 2616 2617 (void)bits; 1821 2618 1822 2619 if (in == NULL || sig == NULL || 1823 inSz != (word32)wc_HashGetDigestSize(hashType) || 1824 sigSz != RSA_PSS_PAD_SZ + inSz * 3) 2620 inSz != (word32)wc_HashGetDigestSize(hashType)) 1825 2621 ret = BAD_FUNC_ARG; 1826 else { 1827 XMEMCPY(sig + RSA_PSS_PAD_SZ, in, inSz); 1828 ret = wc_Hash(hashType, sig, RSA_PSS_PAD_SZ + inSz * 2, sig, inSz); 1829 if (ret != 0) 1830 return ret; 1831 if (XMEMCMP(sig, sig + RSA_PSS_PAD_SZ + inSz * 2, inSz) != 0) { 2622 2623 if (ret == 0) { 2624 if (saltLen == -1) { 2625 saltLen = inSz; 2626 #ifdef WOLFSSL_SHA512 2627 /* See FIPS 186-4 section 5.5 item (e). */ 2628 if (bits == 1024 && inSz == WC_SHA512_DIGEST_SIZE) 2629 saltLen = RSA_PSS_SALT_MAX_SZ; 2630 #endif 2631 } 2632 else if (saltLen < -1 || (word32)saltLen > inSz) 2633 ret = PSS_SALTLEN_E; 2634 } 2635 2636 /* Sig = Salt | Exp Hash */ 2637 if (ret == 0) { 2638 if (sigSz != inSz + saltLen) 2639 ret = BAD_PADDING_E; 2640 } 2641 2642 /* Exp Hash = HASH(8 * 0x00 | Message Hash | Salt) */ 2643 if (ret == 0) { 2644 XMEMSET(sigCheck, 0, RSA_PSS_PAD_SZ); 2645 XMEMCPY(sigCheck + RSA_PSS_PAD_SZ, in, inSz); 2646 XMEMCPY(sigCheck + RSA_PSS_PAD_SZ + inSz, sig, saltLen); 2647 ret = wc_Hash(hashType, sigCheck, RSA_PSS_PAD_SZ + inSz + saltLen, 2648 sigCheck, inSz); 2649 } 2650 if (ret == 0) { 2651 if (XMEMCMP(sigCheck, sig + saltLen, inSz) != 0) { 1832 2652 WOLFSSL_MSG("RsaPSS_CheckPadding: Padding Error"); 1833 2653 ret = BAD_PADDING_E; 1834 2654 } 1835 else1836 ret = 0;1837 2655 } 1838 2656 1839 2657 return ret; 1840 2658 } 1841 #endif 1842 2659 2660 2661 /* Verify the message signed with RSA-PSS. 2662 * The input buffer is reused for the ouput buffer. 2663 * Salt length is equal to hash length. 2664 * 2665 * in Buffer holding encrypted data. 2666 * inLen Length of data in buffer. 2667 * out Pointer to address containing the PSS data. 2668 * digest Hash of the data that is being verified. 2669 * digestLen Length of hash. 2670 * hash Hash algorithm. 2671 * mgf Mask generation function. 2672 * key Public RSA key. 2673 * returns the length of the PSS data on success and negative indicates failure. 2674 */ 2675 int wc_RsaPSS_VerifyCheckInline(byte* in, word32 inLen, byte** out, 2676 const byte* digest, word32 digestLen, 2677 enum wc_HashType hash, int mgf, RsaKey* key) 2678 { 2679 int ret = 0, verify, saltLen, hLen, bits = 0; 2680 2681 hLen = wc_HashGetDigestSize(hash); 2682 if (hLen < 0) 2683 return hLen; 2684 if ((word32)hLen != digestLen) 2685 return BAD_FUNC_ARG; 2686 2687 saltLen = hLen; 2688 #ifdef WOLFSSL_SHA512 2689 /* See FIPS 186-4 section 5.5 item (e). */ 2690 bits = mp_count_bits(&key->n); 2691 if (bits == 1024 && hLen == WC_SHA512_DIGEST_SIZE) 2692 saltLen = RSA_PSS_SALT_MAX_SZ; 2693 #endif 2694 2695 verify = wc_RsaPSS_VerifyInline_ex(in, inLen, out, hash, mgf, saltLen, key); 2696 if (verify > 0) 2697 ret = wc_RsaPSS_CheckPadding_ex(digest, digestLen, *out, verify, 2698 hash, saltLen, bits); 2699 if (ret == 0) 2700 ret = verify; 2701 2702 return ret; 2703 } 2704 2705 2706 /* Verify the message signed with RSA-PSS. 2707 * Salt length is equal to hash length. 2708 * 2709 * in Buffer holding encrypted data. 2710 * inLen Length of data in buffer. 2711 * out Pointer to address containing the PSS data. 2712 * outLen Length of the output. 2713 * digest Hash of the data that is being verified. 2714 * digestLen Length of hash. 2715 * hash Hash algorithm. 2716 * mgf Mask generation function. 2717 * key Public RSA key. 2718 * returns the length of the PSS data on success and negative indicates failure. 2719 */ 2720 int wc_RsaPSS_VerifyCheck(byte* in, word32 inLen, byte* out, word32 outLen, 2721 const byte* digest, word32 digestLen, 2722 enum wc_HashType hash, int mgf, 2723 RsaKey* key) 2724 { 2725 int ret = 0, verify, saltLen, hLen, bits = 0; 2726 2727 hLen = wc_HashGetDigestSize(hash); 2728 if (hLen < 0) 2729 return hLen; 2730 if ((word32)hLen != digestLen) 2731 return BAD_FUNC_ARG; 2732 2733 saltLen = hLen; 2734 #ifdef WOLFSSL_SHA512 2735 /* See FIPS 186-4 section 5.5 item (e). */ 2736 bits = mp_count_bits(&key->n); 2737 if (bits == 1024 && hLen == WC_SHA512_DIGEST_SIZE) 2738 saltLen = RSA_PSS_SALT_MAX_SZ; 2739 #endif 2740 2741 verify = wc_RsaPSS_Verify_ex(in, inLen, out, outLen, hash, 2742 mgf, saltLen, key); 2743 if (verify > 0) 2744 ret = wc_RsaPSS_CheckPadding_ex(digest, digestLen, out, verify, 2745 hash, saltLen, bits); 2746 if (ret == 0) 2747 ret = verify; 2748 2749 return ret; 2750 } 2751 2752 #endif 2753 2754 #ifndef WOLFSSL_RSA_PUBLIC_ONLY 1843 2755 int wc_RsaSSL_Sign(const byte* in, word32 inLen, byte* out, word32 outLen, 1844 2756 RsaKey* key, WC_RNG* rng) … … 1846 2758 return RsaPublicEncryptEx(in, inLen, out, outLen, key, 1847 2759 RSA_PRIVATE_ENCRYPT, RSA_BLOCK_TYPE_1, WC_RSA_PKCSV15_PAD, 1848 WC_HASH_TYPE_NONE, WC_MGF1NONE, NULL, 0, rng);2760 WC_HASH_TYPE_NONE, WC_MGF1NONE, NULL, 0, 0, rng); 1849 2761 } 1850 2762 1851 2763 #ifdef WC_RSA_PSS 2764 /* Sign the hash of a message using RSA-PSS. 2765 * Salt length is equal to hash length. 2766 * 2767 * in Buffer holding hash of message. 2768 * inLen Length of data in buffer (hash length). 2769 * out Buffer to write encrypted signature into. 2770 * outLen Size of buffer to write to. 2771 * hash Hash algorithm. 2772 * mgf Mask generation function. 2773 * key Public RSA key. 2774 * rng Random number generator. 2775 * returns the length of the encrypted signature on success, a negative value 2776 * indicates failure. 2777 */ 1852 2778 int wc_RsaPSS_Sign(const byte* in, word32 inLen, byte* out, word32 outLen, 1853 2779 enum wc_HashType hash, int mgf, RsaKey* key, WC_RNG* rng) 1854 2780 { 2781 return wc_RsaPSS_Sign_ex(in, inLen, out, outLen, hash, mgf, -1, key, rng); 2782 } 2783 2784 /* Sign the hash of a message using RSA-PSS. 2785 * 2786 * in Buffer holding hash of message. 2787 * inLen Length of data in buffer (hash length). 2788 * out Buffer to write encrypted signature into. 2789 * outLen Size of buffer to write to. 2790 * hash Hash algorithm. 2791 * mgf Mask generation function. 2792 * saltLen Length of salt used. -1 indicates salt length is the same as the 2793 * hash length. 2794 * key Public RSA key. 2795 * rng Random number generator. 2796 * returns the length of the encrypted signature on success, a negative value 2797 * indicates failure. 2798 */ 2799 int wc_RsaPSS_Sign_ex(const byte* in, word32 inLen, byte* out, word32 outLen, 2800 enum wc_HashType hash, int mgf, int saltLen, RsaKey* key, 2801 WC_RNG* rng) 2802 { 1855 2803 return RsaPublicEncryptEx(in, inLen, out, outLen, key, 1856 2804 RSA_PRIVATE_ENCRYPT, RSA_BLOCK_TYPE_1, WC_RSA_PSS_PAD, 1857 hash, mgf, NULL, 0, rng); 1858 } 1859 #endif 1860 2805 hash, mgf, NULL, 0, saltLen, rng); 2806 } 2807 #endif 2808 #endif 2809 2810 #if !defined(WOLFSSL_RSA_PUBLIC_ONLY) || !defined(WOLFSSL_SP_MATH) 1861 2811 int wc_RsaEncryptSize(RsaKey* key) 1862 2812 { 2813 int ret; 2814 1863 2815 if (key == NULL) { 1864 2816 return BAD_FUNC_ARG; 1865 2817 } 1866 return mp_unsigned_bin_size(&key->n); 1867 } 1868 1869 2818 2819 ret = mp_unsigned_bin_size(&key->n); 2820 2821 #ifdef WOLF_CRYPTO_DEV 2822 if (ret == 0 && key->devId != INVALID_DEVID) { 2823 ret = 2048/8; /* hardware handles, use 2048-bit as default */ 2824 } 2825 #endif 2826 2827 return ret; 2828 } 2829 #endif 2830 2831 #ifndef WOLFSSL_RSA_VERIFY_ONLY 1870 2832 /* flatten RsaKey structure into individual elements (e, n) */ 1871 2833 int wc_RsaFlattenPublicKey(RsaKey* key, byte* e, word32* eSz, byte* n, … … 1896 2858 return 0; 1897 2859 } 2860 #endif 2861 2862 #endif /* HAVE_FIPS */ 2863 2864 2865 #ifndef WOLFSSL_RSA_VERIFY_ONLY 2866 static int RsaGetValue(mp_int* in, byte* out, word32* outSz) 2867 { 2868 word32 sz; 2869 int ret = 0; 2870 2871 /* Parameters ensured by calling function. */ 2872 2873 sz = (word32)mp_unsigned_bin_size(in); 2874 if (sz > *outSz) 2875 ret = RSA_BUFFER_E; 2876 2877 if (ret == 0) 2878 ret = mp_to_unsigned_bin(in, out); 2879 2880 if (ret == MP_OKAY) 2881 *outSz = sz; 2882 2883 return ret; 2884 } 2885 2886 2887 int wc_RsaExportKey(RsaKey* key, 2888 byte* e, word32* eSz, byte* n, word32* nSz, 2889 byte* d, word32* dSz, byte* p, word32* pSz, 2890 byte* q, word32* qSz) 2891 { 2892 int ret = BAD_FUNC_ARG; 2893 2894 if (key && e && eSz && n && nSz && d && dSz && p && pSz && q && qSz) 2895 ret = 0; 2896 2897 if (ret == 0) 2898 ret = RsaGetValue(&key->e, e, eSz); 2899 if (ret == 0) 2900 ret = RsaGetValue(&key->n, n, nSz); 2901 #ifndef WOLFSSL_RSA_PUBLIC_ONLY 2902 if (ret == 0) 2903 ret = RsaGetValue(&key->d, d, dSz); 2904 if (ret == 0) 2905 ret = RsaGetValue(&key->p, p, pSz); 2906 if (ret == 0) 2907 ret = RsaGetValue(&key->q, q, qSz); 2908 #else 2909 /* no private parts to key */ 2910 if (d == NULL || p == NULL || q == NULL || dSz == NULL || pSz == NULL 2911 || qSz == NULL) { 2912 ret = BAD_FUNC_ARG; 2913 } 2914 else { 2915 *dSz = 0; 2916 *pSz = 0; 2917 *qSz = 0; 2918 } 2919 #endif /* WOLFSSL_RSA_PUBLIC_ONLY */ 2920 2921 return ret; 2922 } 2923 #endif 2924 1898 2925 1899 2926 #ifdef WOLFSSL_KEY_GEN 2927 2928 /* Check that |p-q| > 2^((size/2)-100) */ 2929 static int wc_CompareDiffPQ(mp_int* p, mp_int* q, int size) 2930 { 2931 mp_int c, d; 2932 int ret; 2933 2934 if (p == NULL || q == NULL) 2935 return BAD_FUNC_ARG; 2936 2937 ret = mp_init_multi(&c, &d, NULL, NULL, NULL, NULL); 2938 2939 /* c = 2^((size/2)-100) */ 2940 if (ret == 0) 2941 ret = mp_2expt(&c, (size/2)-100); 2942 2943 /* d = |p-q| */ 2944 if (ret == 0) 2945 ret = mp_sub(p, q, &d); 2946 2947 if (ret == 0) 2948 ret = mp_abs(&d, &d); 2949 2950 /* compare */ 2951 if (ret == 0) 2952 ret = mp_cmp(&d, &c); 2953 2954 if (ret == MP_GT) 2955 ret = MP_OKAY; 2956 2957 mp_clear(&d); 2958 mp_clear(&c); 2959 2960 return ret; 2961 } 2962 2963 2964 /* The lower_bound value is floor(2^(0.5) * 2^((nlen/2)-1)) where nlen is 4096. 2965 * This number was calculated using a small test tool written with a common 2966 * large number math library. Other values of nlen may be checked with a subset 2967 * of lower_bound. */ 2968 static const byte lower_bound[] = { 2969 0xB5, 0x04, 0xF3, 0x33, 0xF9, 0xDE, 0x64, 0x84, 2970 0x59, 0x7D, 0x89, 0xB3, 0x75, 0x4A, 0xBE, 0x9F, 2971 0x1D, 0x6F, 0x60, 0xBA, 0x89, 0x3B, 0xA8, 0x4C, 2972 0xED, 0x17, 0xAC, 0x85, 0x83, 0x33, 0x99, 0x15, 2973 /* 512 */ 2974 0x4A, 0xFC, 0x83, 0x04, 0x3A, 0xB8, 0xA2, 0xC3, 2975 0xA8, 0xB1, 0xFE, 0x6F, 0xDC, 0x83, 0xDB, 0x39, 2976 0x0F, 0x74, 0xA8, 0x5E, 0x43, 0x9C, 0x7B, 0x4A, 2977 0x78, 0x04, 0x87, 0x36, 0x3D, 0xFA, 0x27, 0x68, 2978 /* 1024 */ 2979 0xD2, 0x20, 0x2E, 0x87, 0x42, 0xAF, 0x1F, 0x4E, 2980 0x53, 0x05, 0x9C, 0x60, 0x11, 0xBC, 0x33, 0x7B, 2981 0xCA, 0xB1, 0xBC, 0x91, 0x16, 0x88, 0x45, 0x8A, 2982 0x46, 0x0A, 0xBC, 0x72, 0x2F, 0x7C, 0x4E, 0x33, 2983 0xC6, 0xD5, 0xA8, 0xA3, 0x8B, 0xB7, 0xE9, 0xDC, 2984 0xCB, 0x2A, 0x63, 0x43, 0x31, 0xF3, 0xC8, 0x4D, 2985 0xF5, 0x2F, 0x12, 0x0F, 0x83, 0x6E, 0x58, 0x2E, 2986 0xEA, 0xA4, 0xA0, 0x89, 0x90, 0x40, 0xCA, 0x4A, 2987 /* 2048 */ 2988 0x81, 0x39, 0x4A, 0xB6, 0xD8, 0xFD, 0x0E, 0xFD, 2989 0xF4, 0xD3, 0xA0, 0x2C, 0xEB, 0xC9, 0x3E, 0x0C, 2990 0x42, 0x64, 0xDA, 0xBC, 0xD5, 0x28, 0xB6, 0x51, 2991 0xB8, 0xCF, 0x34, 0x1B, 0x6F, 0x82, 0x36, 0xC7, 2992 0x01, 0x04, 0xDC, 0x01, 0xFE, 0x32, 0x35, 0x2F, 2993 0x33, 0x2A, 0x5E, 0x9F, 0x7B, 0xDA, 0x1E, 0xBF, 2994 0xF6, 0xA1, 0xBE, 0x3F, 0xCA, 0x22, 0x13, 0x07, 2995 0xDE, 0xA0, 0x62, 0x41, 0xF7, 0xAA, 0x81, 0xC2, 2996 /* 3072 */ 2997 0xC1, 0xFC, 0xBD, 0xDE, 0xA2, 0xF7, 0xDC, 0x33, 2998 0x18, 0x83, 0x8A, 0x2E, 0xAF, 0xF5, 0xF3, 0xB2, 2999 0xD2, 0x4F, 0x4A, 0x76, 0x3F, 0xAC, 0xB8, 0x82, 3000 0xFD, 0xFE, 0x17, 0x0F, 0xD3, 0xB1, 0xF7, 0x80, 3001 0xF9, 0xAC, 0xCE, 0x41, 0x79, 0x7F, 0x28, 0x05, 3002 0xC2, 0x46, 0x78, 0x5E, 0x92, 0x95, 0x70, 0x23, 3003 0x5F, 0xCF, 0x8F, 0x7B, 0xCA, 0x3E, 0xA3, 0x3B, 3004 0x4D, 0x7C, 0x60, 0xA5, 0xE6, 0x33, 0xE3, 0xE1 3005 /* 4096 */ 3006 }; 3007 3008 3009 /* returns 1 on key size ok and 0 if not ok */ 3010 static WC_INLINE int RsaSizeCheck(int size) 3011 { 3012 if (size < RSA_MIN_SIZE || size > RSA_MAX_SIZE) { 3013 return 0; 3014 } 3015 3016 #ifdef HAVE_FIPS 3017 /* Key size requirements for CAVP */ 3018 switch (size) { 3019 case 1024: 3020 case 2048: 3021 case 3072: 3022 case 4096: 3023 return 1; 3024 } 3025 3026 return 0; 3027 #else 3028 return 1; /* allow unusual key sizes in non FIPS mode */ 3029 #endif /* HAVE_FIPS */ 3030 } 3031 3032 3033 static int _CheckProbablePrime(mp_int* p, mp_int* q, mp_int* e, int nlen, 3034 int* isPrime, WC_RNG* rng) 3035 { 3036 int ret; 3037 mp_int tmp1, tmp2; 3038 mp_int* prime; 3039 3040 if (p == NULL || e == NULL || isPrime == NULL) 3041 return BAD_FUNC_ARG; 3042 3043 if (!RsaSizeCheck(nlen)) 3044 return BAD_FUNC_ARG; 3045 3046 *isPrime = MP_NO; 3047 3048 if (q != NULL) { 3049 /* 5.4 - check that |p-q| <= (2^(1/2))(2^((nlen/2)-1)) */ 3050 ret = wc_CompareDiffPQ(p, q, nlen); 3051 if (ret != MP_OKAY) goto notOkay; 3052 prime = q; 3053 } 3054 else 3055 prime = p; 3056 3057 ret = mp_init_multi(&tmp1, &tmp2, NULL, NULL, NULL, NULL); 3058 if (ret != MP_OKAY) goto notOkay; 3059 3060 /* 4.4,5.5 - Check that prime >= (2^(1/2))(2^((nlen/2)-1)) 3061 * This is a comparison against lowerBound */ 3062 ret = mp_read_unsigned_bin(&tmp1, lower_bound, nlen/16); 3063 if (ret != MP_OKAY) goto notOkay; 3064 ret = mp_cmp(prime, &tmp1); 3065 if (ret == MP_LT) goto exit; 3066 3067 /* 4.5,5.6 - Check that GCD(p-1, e) == 1 */ 3068 ret = mp_sub_d(prime, 1, &tmp1); /* tmp1 = prime-1 */ 3069 if (ret != MP_OKAY) goto notOkay; 3070 ret = mp_gcd(&tmp1, e, &tmp2); /* tmp2 = gcd(prime-1, e) */ 3071 if (ret != MP_OKAY) goto notOkay; 3072 ret = mp_cmp_d(&tmp2, 1); 3073 if (ret != MP_EQ) goto exit; /* e divides p-1 */ 3074 3075 /* 4.5.1,5.6.1 - Check primality of p with 8 rounds of M-R. 3076 * mp_prime_is_prime_ex() performs test divisions against the first 256 3077 * prime numbers. After that it performs 8 rounds of M-R using random 3078 * bases between 2 and n-2. 3079 * mp_prime_is_prime() performs the same test divisions and then does 3080 * M-R with the first 8 primes. Both functions set isPrime as a 3081 * side-effect. */ 3082 if (rng != NULL) 3083 ret = mp_prime_is_prime_ex(prime, 8, isPrime, rng); 3084 else 3085 ret = mp_prime_is_prime(prime, 8, isPrime); 3086 if (ret != MP_OKAY) goto notOkay; 3087 3088 exit: 3089 ret = MP_OKAY; 3090 notOkay: 3091 mp_clear(&tmp1); 3092 mp_clear(&tmp2); 3093 return ret; 3094 } 3095 3096 3097 int wc_CheckProbablePrime_ex(const byte* pRaw, word32 pRawSz, 3098 const byte* qRaw, word32 qRawSz, 3099 const byte* eRaw, word32 eRawSz, 3100 int nlen, int* isPrime, WC_RNG* rng) 3101 { 3102 mp_int p, q, e; 3103 mp_int* Q = NULL; 3104 int ret; 3105 3106 if (pRaw == NULL || pRawSz == 0 || 3107 eRaw == NULL || eRawSz == 0 || 3108 isPrime == NULL) { 3109 3110 return BAD_FUNC_ARG; 3111 } 3112 3113 if ((qRaw != NULL && qRawSz == 0) || (qRaw == NULL && qRawSz != 0)) 3114 return BAD_FUNC_ARG; 3115 3116 ret = mp_init_multi(&p, &q, &e, NULL, NULL, NULL); 3117 3118 if (ret == MP_OKAY) 3119 ret = mp_read_unsigned_bin(&p, pRaw, pRawSz); 3120 3121 if (ret == MP_OKAY) { 3122 if (qRaw != NULL) { 3123 ret = mp_read_unsigned_bin(&q, qRaw, qRawSz); 3124 if (ret == MP_OKAY) 3125 Q = &q; 3126 } 3127 } 3128 3129 if (ret == MP_OKAY) 3130 ret = mp_read_unsigned_bin(&e, eRaw, eRawSz); 3131 3132 if (ret == MP_OKAY) 3133 ret = _CheckProbablePrime(&p, Q, &e, nlen, isPrime, rng); 3134 3135 ret = (ret == MP_OKAY) ? 0 : PRIME_GEN_E; 3136 3137 mp_clear(&p); 3138 mp_clear(&q); 3139 mp_clear(&e); 3140 3141 return ret; 3142 } 3143 3144 3145 int wc_CheckProbablePrime(const byte* pRaw, word32 pRawSz, 3146 const byte* qRaw, word32 qRawSz, 3147 const byte* eRaw, word32 eRawSz, 3148 int nlen, int* isPrime) 3149 { 3150 return wc_CheckProbablePrime_ex(pRaw, pRawSz, qRaw, qRawSz, 3151 eRaw, eRawSz, nlen, isPrime, NULL); 3152 } 3153 3154 #if !defined(HAVE_FIPS) || (defined(HAVE_FIPS) && \ 3155 defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)) 1900 3156 /* Make an RSA key for size bits, with e specified, 65537 is a good e */ 1901 3157 int wc_MakeRsaKey(RsaKey* key, int size, long e, WC_RNG* rng) 1902 3158 { 3159 #ifndef WC_NO_RNG 1903 3160 mp_int p, q, tmp1, tmp2, tmp3; 1904 int err; 3161 int err, i, failCount, primeSz, isPrime = 0; 3162 byte* buf = NULL; 1905 3163 1906 3164 if (key == NULL || rng == NULL) 1907 3165 return BAD_FUNC_ARG; 1908 3166 1909 if ( size < RSA_MIN_SIZE || size > RSA_MAX_SIZE)3167 if (!RsaSizeCheck(size)) 1910 3168 return BAD_FUNC_ARG; 1911 3169 … … 1913 3171 return BAD_FUNC_ARG; 1914 3172 1915 #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_RSA) 3173 #ifdef WOLF_CRYPTO_DEV 3174 if (key->devId != INVALID_DEVID) { 3175 int ret = wc_CryptoDev_MakeRsaKey(key, size, e, rng); 3176 if (ret != NOT_COMPILED_IN) 3177 return ret; 3178 } 3179 #endif 3180 3181 #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_RSA) && \ 3182 defined(WC_ASYNC_ENABLE_RSA_KEYGEN) 1916 3183 if (key->asyncDev.marker == WOLFSSL_ASYNC_MARKER_RSA) { 1917 3184 #ifdef HAVE_CAVIUM 1918 3185 /* TODO: Not implemented */ 1919 3186 #elif defined(HAVE_INTEL_QA) 1920 /* TODO: Not implemented */3187 return IntelQaRsaKeyGen(&key->asyncDev, key, size, e, rng); 1921 3188 #else 1922 3189 if (wc_AsyncTestInit(&key->asyncDev, ASYNC_TEST_RSA_MAKE)) { … … 1932 3199 #endif 1933 3200 1934 if ((err = mp_init_multi(&p, &q, &tmp1, &tmp2, &tmp3, NULL)) != MP_OKAY)1935 return err; 1936 3201 err = mp_init_multi(&p, &q, &tmp1, &tmp2, &tmp3, NULL); 3202 3203 if (err == MP_OKAY) 1937 3204 err = mp_set_int(&tmp3, e); 3205 3206 /* The failCount value comes from NIST FIPS 186-4, section B.3.3, 3207 * process steps 4.7 and 5.8. */ 3208 failCount = 5 * (size / 2); 3209 primeSz = size / 16; /* size is the size of n in bits. 3210 primeSz is in bytes. */ 3211 3212 /* allocate buffer to work with */ 3213 if (err == MP_OKAY) { 3214 buf = (byte*)XMALLOC(primeSz, key->heap, DYNAMIC_TYPE_RSA); 3215 if (buf == NULL) 3216 err = MEMORY_E; 3217 } 1938 3218 1939 3219 /* make p */ 1940 3220 if (err == MP_OKAY) { 3221 isPrime = 0; 3222 i = 0; 1941 3223 do { 1942 err = mp_rand_prime(&p, size/16, rng, key->heap); /* size in bytes/2 */ 3224 #ifdef SHOW_GEN 3225 printf("."); 3226 fflush(stdout); 3227 #endif 3228 /* generate value */ 3229 err = wc_RNG_GenerateBlock(rng, buf, primeSz); 3230 if (err == 0) { 3231 /* prime lower bound has the MSB set, set it in candidate */ 3232 buf[0] |= 0x80; 3233 /* make candidate odd */ 3234 buf[primeSz-1] |= 0x01; 3235 /* load value */ 3236 err = mp_read_unsigned_bin(&p, buf, primeSz); 3237 } 1943 3238 1944 3239 if (err == MP_OKAY) 1945 err = mp_sub_d(&p, 1, &tmp1); /* tmp1 = p-1 */ 1946 1947 if (err == MP_OKAY) 1948 err = mp_gcd(&tmp1, &tmp3, &tmp2); /* tmp2 = gcd(p-1, e) */ 1949 } while (err == MP_OKAY && mp_cmp_d(&tmp2, 1) != 0); /* e divides p-1 */ 1950 } 3240 err = _CheckProbablePrime(&p, NULL, &tmp3, size, &isPrime, rng); 3241 3242 #ifdef WOLFSSL_FIPS 3243 i++; 3244 #else 3245 /* Keep the old retry behavior in non-FIPS build. */ 3246 (void)i; 3247 #endif 3248 } while (err == MP_OKAY && !isPrime && i < failCount); 3249 } 3250 3251 if (err == MP_OKAY && !isPrime) 3252 err = PRIME_GEN_E; 1951 3253 1952 3254 /* make q */ 1953 3255 if (err == MP_OKAY) { 3256 isPrime = 0; 3257 i = 0; 1954 3258 do { 1955 err = mp_rand_prime(&q, size/16, rng, key->heap); /* size in bytes/2 */ 3259 #ifdef SHOW_GEN 3260 printf("."); 3261 fflush(stdout); 3262 #endif 3263 /* generate value */ 3264 err = wc_RNG_GenerateBlock(rng, buf, primeSz); 3265 if (err == 0) { 3266 /* prime lower bound has the MSB set, set it in candidate */ 3267 buf[0] |= 0x80; 3268 /* make candidate odd */ 3269 buf[primeSz-1] |= 0x01; 3270 /* load value */ 3271 err = mp_read_unsigned_bin(&q, buf, primeSz); 3272 } 1956 3273 1957 3274 if (err == MP_OKAY) 1958 err = mp_sub_d(&q, 1, &tmp1); /* tmp1 = q-1 */ 1959 1960 if (err == MP_OKAY) 1961 err = mp_gcd(&tmp1, &tmp3, &tmp2); /* tmp2 = gcd(q-1, e) */ 1962 } while (err == MP_OKAY && mp_cmp_d(&tmp2, 1) != 0); /* e divides q-1 */ 1963 } 1964 3275 err = _CheckProbablePrime(&p, &q, &tmp3, size, &isPrime, rng); 3276 3277 #ifdef WOLFSSL_FIPS 3278 i++; 3279 #else 3280 /* Keep the old retry behavior in non-FIPS build. */ 3281 (void)i; 3282 #endif 3283 } while (err == MP_OKAY && !isPrime && i < failCount); 3284 } 3285 3286 if (err == MP_OKAY && !isPrime) 3287 err = PRIME_GEN_E; 3288 3289 if (buf) { 3290 ForceZero(buf, primeSz); 3291 XFREE(buf, key->heap, DYNAMIC_TYPE_RSA); 3292 } 3293 3294 3295 /* Setup RsaKey buffers */ 1965 3296 if (err == MP_OKAY) 1966 3297 err = mp_init_multi(&key->n, &key->e, &key->d, &key->p, &key->q, NULL); 1967 1968 3298 if (err == MP_OKAY) 1969 3299 err = mp_init_multi(&key->dP, &key->dQ, &key->u, NULL, NULL, NULL); 1970 3300 1971 if (err == MP_OKAY) 1972 err = mp_sub_d(&p, 1, &tmp2); /* tmp2 = p-1 */ 1973 1974 if (err == MP_OKAY) 1975 err = mp_lcm(&tmp1, &tmp2, &tmp1); /* tmp1 = lcm(p-1, q-1),last loop */ 1976 3301 /* Software Key Calculation */ 3302 if (err == MP_OKAY) /* tmp1 = p-1 */ 3303 err = mp_sub_d(&p, 1, &tmp1); 3304 if (err == MP_OKAY) /* tmp2 = q-1 */ 3305 err = mp_sub_d(&q, 1, &tmp2); 3306 if (err == MP_OKAY) /* tmp3 = lcm(p-1, q-1), last loop */ 3307 err = mp_lcm(&tmp1, &tmp2, &tmp3); 1977 3308 /* make key */ 1978 if (err == MP_OKAY) 1979 err = mp_set_int(&key->e, (mp_digit)e); /* key->e = e */ 1980 3309 if (err == MP_OKAY) /* key->e = e */ 3310 err = mp_set_int(&key->e, (mp_digit)e); 1981 3311 if (err == MP_OKAY) /* key->d = 1/e mod lcm(p-1, q-1) */ 1982 err = mp_invmod(&key->e, &tmp1, &key->d); 1983 1984 if (err == MP_OKAY) 1985 err = mp_mul(&p, &q, &key->n); /* key->n = pq */ 1986 1987 if (err == MP_OKAY) 1988 err = mp_sub_d(&p, 1, &tmp1); 1989 1990 if (err == MP_OKAY) 1991 err = mp_sub_d(&q, 1, &tmp2); 1992 1993 if (err == MP_OKAY) 3312 err = mp_invmod(&key->e, &tmp3, &key->d); 3313 if (err == MP_OKAY) /* key->n = pq */ 3314 err = mp_mul(&p, &q, &key->n); 3315 if (err == MP_OKAY) /* key->dP = d mod(p-1) */ 1994 3316 err = mp_mod(&key->d, &tmp1, &key->dP); 1995 1996 if (err == MP_OKAY) 3317 if (err == MP_OKAY) /* key->dQ = d mod(q-1) */ 1997 3318 err = mp_mod(&key->d, &tmp2, &key->dQ); 1998 1999 if (err == MP_OKAY) 3319 if (err == MP_OKAY) /* key->u = 1/q mod p */ 2000 3320 err = mp_invmod(&q, &p, &key->u); 2001 2002 3321 if (err == MP_OKAY) 2003 3322 err = mp_copy(&p, &key->p); 2004 2005 3323 if (err == MP_OKAY) 2006 3324 err = mp_copy(&q, &key->q); 2007 3325 3326 #ifdef HAVE_WOLF_BIGINT 3327 /* make sure raw unsigned bin version is available */ 3328 if (err == MP_OKAY) 3329 err = wc_mp_to_bigint(&key->n, &key->n.raw); 3330 if (err == MP_OKAY) 3331 err = wc_mp_to_bigint(&key->e, &key->e.raw); 3332 if (err == MP_OKAY) 3333 err = wc_mp_to_bigint(&key->d, &key->d.raw); 3334 if (err == MP_OKAY) 3335 err = wc_mp_to_bigint(&key->p, &key->p.raw); 3336 if (err == MP_OKAY) 3337 err = wc_mp_to_bigint(&key->q, &key->q.raw); 3338 if (err == MP_OKAY) 3339 err = wc_mp_to_bigint(&key->dP, &key->dP.raw); 3340 if (err == MP_OKAY) 3341 err = wc_mp_to_bigint(&key->dQ, &key->dQ.raw); 3342 if (err == MP_OKAY) 3343 err = wc_mp_to_bigint(&key->u, &key->u.raw); 3344 #endif 3345 2008 3346 if (err == MP_OKAY) 2009 3347 key->type = RSA_PRIVATE; 2010 3348 3349 mp_clear(&tmp1); 3350 mp_clear(&tmp2); 2011 3351 mp_clear(&tmp3); 2012 mp_clear(&tmp2); 2013 mp_clear(&tmp1); 3352 mp_clear(&p); 2014 3353 mp_clear(&q); 2015 mp_clear(&p); 2016 2017 if (err != MP_OKAY) { 3354 3355 /* Perform the pair-wise consistency test on the new key. */ 3356 if (err == 0) 3357 err = wc_CheckRsaKey(key); 3358 3359 if (err != 0) { 2018 3360 wc_FreeRsaKey(key); 2019 3361 return err; … … 2025 3367 } 2026 3368 #endif 2027 2028 3369 return 0; 2029 } 3370 #else 3371 return NOT_COMPILED_IN; 3372 #endif 3373 } 3374 #endif /* !FIPS || FIPS_VER >= 2 */ 2030 3375 #endif /* WOLFSSL_KEY_GEN */ 2031 3376 2032 3377 2033 3378 #ifdef WC_RSA_BLINDING 2034 2035 3379 int wc_RsaSetRNG(RsaKey* key, WC_RNG* rng) 2036 3380 { … … 2042 3386 return 0; 2043 3387 } 2044 2045 3388 #endif /* WC_RSA_BLINDING */ 2046 3389 2047 2048 #undef ERROR_OUT 2049 2050 #endif /* HAVE_FIPS */ 3390 #ifdef WC_RSA_NONBLOCK 3391 int wc_RsaSetNonBlock(RsaKey* key, RsaNb* nb) 3392 { 3393 if (key == NULL) 3394 return BAD_FUNC_ARG; 3395 3396 if (nb) { 3397 XMEMSET(nb, 0, sizeof(RsaNb)); 3398 } 3399 3400 /* Allow nb == NULL to clear non-block mode */ 3401 key->nb = nb; 3402 3403 return 0; 3404 } 3405 #ifdef WC_RSA_NONBLOCK_TIME 3406 int wc_RsaSetNonBlockTime(RsaKey* key, word32 maxBlockUs, word32 cpuMHz) 3407 { 3408 if (key == NULL || key->nb == NULL) { 3409 return BAD_FUNC_ARG; 3410 } 3411 3412 /* calculate maximum number of instructions to block */ 3413 key->nb->exptmod.maxBlockInst = cpuMHz * maxBlockUs; 3414 3415 return 0; 3416 } 3417 #endif /* WC_RSA_NONBLOCK_TIME */ 3418 #endif /* WC_RSA_NONBLOCK */ 3419 2051 3420 #endif /* NO_RSA */
Note:
See TracChangeset
for help on using the changeset viewer.