Xuyi Wang
/
wolfcrypt
Important changes to repositories hosted on mbed.com
Mbed hosted mercurial repositories are deprecated and are due to be permanently deleted in July 2026.
To keep a copy of this software download the repository Zip archive or clone locally using Mercurial.
It is also possible to export all your personal repositories from the account settings page.
Embed:
(wiki syntax)
Show/hide line numbers
rsa.c
00001 /* rsa.c 00002 * 00003 * Copyright (C) 2006-2017 wolfSSL Inc. 00004 * 00005 * This file is part of wolfSSL. 00006 * 00007 * wolfSSL is free software; you can redistribute it and/or modify 00008 * it under the terms of the GNU General Public License as published by 00009 * the Free Software Foundation; either version 2 of the License, or 00010 * (at your option) any later version. 00011 * 00012 * wolfSSL is distributed in the hope that it will be useful, 00013 * but WITHOUT ANY WARRANTY; without even the implied warranty of 00014 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 00015 * GNU General Public License for more details. 00016 * 00017 * You should have received a copy of the GNU General Public License 00018 * along with this program; if not, write to the Free Software 00019 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA 00020 */ 00021 00022 00023 #ifdef HAVE_CONFIG_H 00024 #include <config.h> 00025 #endif 00026 00027 #include <wolfcrypt/settings.h> 00028 #include <wolfcrypt/error-crypt.h> 00029 00030 #ifndef NO_RSA 00031 00032 #if defined(HAVE_FIPS) && \ 00033 defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2) 00034 00035 /* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */ 00036 #define FIPS_NO_WRAPPERS 00037 00038 #ifdef USE_WINDOWS_API 00039 #pragma code_seg(".fipsA$e") 00040 #pragma const_seg(".fipsB$e") 00041 #endif 00042 #endif 00043 00044 #include <wolfcrypt/rsa.h> 00045 00046 #ifdef WOLFSSL_HAVE_SP_RSA 00047 #include <wolfcrypt/sp.h> 00048 #endif 00049 00050 /* 00051 Possible RSA enable options: 00052 * NO_RSA: Overall control of RSA default: on (not defined) 00053 * WC_RSA_BLINDING: Uses Blinding w/ Private Ops default: off 00054 Note: slower by ~20% 00055 * WOLFSSL_KEY_GEN: Allows Private Key Generation default: off 00056 * RSA_LOW_MEM: NON CRT Private Operations, less memory default: off 00057 * WC_NO_RSA_OAEP: Disables RSA OAEP padding default: on (not defined) 00058 00059 */ 00060 00061 /* 00062 RSA Key Size Configuration: 00063 * FP_MAX_BITS: With USE_FAST_MATH only default: 4096 00064 If USE_FAST_MATH then use this to override default. 00065 Value is key size * 2. Example: RSA 3072 = 6144 00066 */ 00067 00068 00069 /* If building for old FIPS. */ 00070 #if defined(HAVE_FIPS) && \ 00071 (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2)) 00072 00073 int wc_InitRsaKey(RsaKey* key, void* ptr) 00074 { 00075 if (key == NULL) { 00076 return BAD_FUNC_ARG; 00077 } 00078 00079 return InitRsaKey_fips(key, ptr); 00080 } 00081 00082 00083 int wc_InitRsaKey_ex(RsaKey* key, void* ptr, int devId) 00084 { 00085 (void)devId; 00086 if (key == NULL) { 00087 return BAD_FUNC_ARG; 00088 } 00089 return InitRsaKey_fips(key, ptr); 00090 } 00091 00092 00093 int wc_FreeRsaKey(RsaKey* key) 00094 { 00095 return FreeRsaKey_fips(key); 00096 } 00097 00098 00099 int wc_RsaPublicEncrypt(const byte* in, word32 inLen, byte* out, 00100 word32 outLen, RsaKey* key, WC_RNG* rng) 00101 { 00102 if (in == NULL || out == NULL || key == NULL || rng == NULL) { 00103 return BAD_FUNC_ARG; 00104 } 00105 return RsaPublicEncrypt_fips(in, inLen, out, outLen, key, rng); 00106 } 00107 00108 00109 int wc_RsaPrivateDecryptInline(byte* in, word32 inLen, byte** out, 00110 RsaKey* key) 00111 { 00112 if (in == NULL || out == NULL || key == NULL) { 00113 return BAD_FUNC_ARG; 00114 } 00115 return RsaPrivateDecryptInline_fips(in, inLen, out, key); 00116 } 00117 00118 00119 int wc_RsaPrivateDecrypt(const byte* in, word32 inLen, byte* out, 00120 word32 outLen, RsaKey* key) 00121 { 00122 if (in == NULL || out == NULL || key == NULL) { 00123 return BAD_FUNC_ARG; 00124 } 00125 return RsaPrivateDecrypt_fips(in, inLen, out, outLen, key); 00126 } 00127 00128 00129 int wc_RsaSSL_Sign(const byte* in, word32 inLen, byte* out, 00130 word32 outLen, RsaKey* key, WC_RNG* rng) 00131 { 00132 if (in == NULL || out == NULL || key == NULL || inLen == 0) { 00133 return BAD_FUNC_ARG; 00134 } 00135 return RsaSSL_Sign_fips(in, inLen, out, outLen, key, rng); 00136 } 00137 00138 00139 int wc_RsaSSL_VerifyInline(byte* in, word32 inLen, byte** out, RsaKey* key) 00140 { 00141 if (in == NULL || out == NULL || key == NULL) { 00142 return BAD_FUNC_ARG; 00143 } 00144 return RsaSSL_VerifyInline_fips(in, inLen, out, key); 00145 } 00146 00147 00148 int wc_RsaSSL_Verify(const byte* in, word32 inLen, byte* out, 00149 word32 outLen, RsaKey* key) 00150 { 00151 if (in == NULL || out == NULL || key == NULL || inLen == 0) { 00152 return BAD_FUNC_ARG; 00153 } 00154 return RsaSSL_Verify_fips(in, inLen, out, outLen, key); 00155 } 00156 00157 00158 int wc_RsaEncryptSize(RsaKey* key) 00159 { 00160 if (key == NULL) { 00161 return BAD_FUNC_ARG; 00162 } 00163 return RsaEncryptSize_fips(key); 00164 } 00165 00166 00167 int wc_RsaFlattenPublicKey(RsaKey* key, byte* a, word32* aSz, byte* b, 00168 word32* bSz) 00169 { 00170 00171 /* not specified as fips so not needing _fips */ 00172 return RsaFlattenPublicKey(key, a, aSz, b, bSz); 00173 } 00174 00175 00176 #ifdef WOLFSSL_KEY_GEN 00177 int wc_MakeRsaKey(RsaKey* key, int size, long e, WC_RNG* rng) 00178 { 00179 return MakeRsaKey(key, size, e, rng); 00180 } 00181 #endif 00182 00183 00184 /* these are functions in asn and are routed to wolfssl/wolfcrypt/asn.c 00185 * wc_RsaPrivateKeyDecode 00186 * wc_RsaPublicKeyDecode 00187 */ 00188 00189 #else /* else build without fips, or for new fips */ 00190 00191 #include <wolfcrypt/random.h> 00192 #include <wolfcrypt/logging.h> 00193 #ifdef WOLF_CRYPTO_DEV 00194 #include <wolfcrypt/cryptodev.h> 00195 #endif 00196 #ifdef NO_INLINE 00197 #include <wolfcrypt/misc.h> 00198 #else 00199 #define WOLFSSL_MISC_INCLUDED 00200 #include <wolfcrypt/src/misc.c> 00201 #endif 00202 00203 #define ERROR_OUT(x) { ret = (x); goto done;} 00204 00205 00206 enum { 00207 RSA_STATE_NONE = 0, 00208 00209 RSA_STATE_ENCRYPT_PAD, 00210 RSA_STATE_ENCRYPT_EXPTMOD, 00211 RSA_STATE_ENCRYPT_RES, 00212 00213 RSA_STATE_DECRYPT_EXPTMOD, 00214 RSA_STATE_DECRYPT_UNPAD, 00215 RSA_STATE_DECRYPT_RES, 00216 }; 00217 00218 static void wc_RsaCleanup(RsaKey* key) 00219 { 00220 if (key && key->data) { 00221 /* make sure any allocated memory is free'd */ 00222 if (key->dataIsAlloc) { 00223 if (key->type == RSA_PRIVATE_DECRYPT || 00224 key->type == RSA_PRIVATE_ENCRYPT) { 00225 ForceZero(key->data, key->dataLen); 00226 } 00227 XFREE(key->data, key->heap, DYNAMIC_TYPE_WOLF_BIGINT); 00228 key->dataIsAlloc = 0; 00229 } 00230 key->data = NULL; 00231 key->dataLen = 0; 00232 } 00233 } 00234 00235 int wc_InitRsaKey_ex(RsaKey* key, void* heap, int devId) 00236 { 00237 int ret = 0; 00238 00239 if (key == NULL) { 00240 return BAD_FUNC_ARG; 00241 } 00242 00243 XMEMSET(key, 0, sizeof(RsaKey)); 00244 00245 key->type = RSA_TYPE_UNKNOWN; 00246 key->state = RSA_STATE_NONE; 00247 key->heap = heap; 00248 key->data = NULL; 00249 key->dataLen = 0; 00250 key->dataIsAlloc = 0; 00251 #ifdef WC_RSA_BLINDING 00252 key->rng = NULL; 00253 #endif 00254 00255 #ifdef WOLF_CRYPTO_DEV 00256 key->devId = devId; 00257 #else 00258 (void)devId; 00259 #endif 00260 00261 #ifdef WOLFSSL_ASYNC_CRYPT 00262 #ifdef WOLFSSL_CERT_GEN 00263 XMEMSET(&key->certSignCtx, 0, sizeof(CertSignCtx)); 00264 #endif 00265 00266 #ifdef WC_ASYNC_ENABLE_RSA 00267 /* handle as async */ 00268 ret = wolfAsync_DevCtxInit(&key->asyncDev, WOLFSSL_ASYNC_MARKER_RSA, 00269 key->heap, devId); 00270 if (ret != 0) 00271 return ret; 00272 #endif /* WC_ASYNC_ENABLE_RSA */ 00273 #endif /* WOLFSSL_ASYNC_CRYPT */ 00274 00275 ret = mp_init_multi(&key->n, &key->e, NULL, NULL, NULL, NULL); 00276 if (ret != MP_OKAY) 00277 return ret; 00278 00279 #if !defined(WOLFSSL_KEY_GEN) && !defined(OPENSSL_EXTRA) && defined(RSA_LOW_MEM) 00280 ret = mp_init_multi(&key->d, &key->p, &key->q, NULL, NULL, NULL); 00281 #else 00282 ret = mp_init_multi(&key->d, &key->p, &key->q, &key->dP, &key->dQ, &key->u); 00283 #endif 00284 if (ret != MP_OKAY) { 00285 mp_clear(&key->n); 00286 mp_clear(&key->e); 00287 return ret; 00288 } 00289 00290 #ifdef WOLFSSL_XILINX_CRYPT 00291 key->pubExp = 0; 00292 key->mod = NULL; 00293 #endif 00294 00295 return ret; 00296 } 00297 00298 int wc_InitRsaKey(RsaKey* key, void* heap) 00299 { 00300 return wc_InitRsaKey_ex(key, heap, INVALID_DEVID); 00301 } 00302 00303 00304 #ifdef WOLFSSL_XILINX_CRYPT 00305 #define MAX_E_SIZE 4 00306 /* Used to setup hardware state 00307 * 00308 * key the RSA key to setup 00309 * 00310 * returns 0 on success 00311 */ 00312 int wc_InitRsaHw(RsaKey* key) 00313 { 00314 unsigned char* m; /* RSA modulous */ 00315 word32 e = 0; /* RSA public exponent */ 00316 int mSz; 00317 int eSz; 00318 00319 if (key == NULL) { 00320 return BAD_FUNC_ARG; 00321 } 00322 00323 mSz = mp_unsigned_bin_size(&(key->n)); 00324 m = (unsigned char*)XMALLOC(mSz, key->heap, DYNAMIC_TYPE_KEY); 00325 if (m == 0) { 00326 return MEMORY_E; 00327 } 00328 00329 if (mp_to_unsigned_bin(&(key->n), m) != MP_OKAY) { 00330 WOLFSSL_MSG("Unable to get RSA key modulus"); 00331 XFREE(m, key->heap, DYNAMIC_TYPE_KEY); 00332 return MP_READ_E; 00333 } 00334 00335 eSz = mp_unsigned_bin_size(&(key->e)); 00336 if (eSz > MAX_E_SIZE) { 00337 WOLFSSL_MSG("Exponent of size 4 bytes expected"); 00338 XFREE(m, key->heap, DYNAMIC_TYPE_KEY); 00339 return BAD_FUNC_ARG; 00340 } 00341 00342 if (mp_to_unsigned_bin(&(key->e), (byte*)&e + (MAX_E_SIZE - eSz)) 00343 != MP_OKAY) { 00344 XFREE(m, key->heap, DYNAMIC_TYPE_KEY); 00345 WOLFSSL_MSG("Unable to get RSA key exponent"); 00346 return MP_READ_E; 00347 } 00348 00349 /* check for existing mod buffer to avoid memory leak */ 00350 if (key->mod != NULL) { 00351 XFREE(key->mod, key->heap, DYNAMIC_TYPE_KEY); 00352 } 00353 00354 key->pubExp = e; 00355 key->mod = m; 00356 00357 if (XSecure_RsaInitialize(&(key->xRsa), key->mod, NULL, 00358 (byte*)&(key->pubExp)) != XST_SUCCESS) { 00359 WOLFSSL_MSG("Unable to initialize RSA on hardware"); 00360 XFREE(m, key->heap, DYNAMIC_TYPE_KEY); 00361 return BAD_STATE_E; 00362 } 00363 00364 #ifdef WOLFSSL_XILINX_PATCH 00365 /* currently a patch of xsecure_rsa.c for 2048 bit keys */ 00366 if (wc_RsaEncryptSize(key) == 256) { 00367 if (XSecure_RsaSetSize(&(key->xRsa), 2048) != XST_SUCCESS) { 00368 WOLFSSL_MSG("Unable to set RSA key size on hardware"); 00369 XFREE(m, key->heap, DYNAMIC_TYPE_KEY); 00370 return BAD_STATE_E; 00371 } 00372 } 00373 #endif 00374 00375 return 0; 00376 } 00377 #endif /* WOLFSSL_XILINX_CRYPT */ 00378 00379 int wc_FreeRsaKey(RsaKey* key) 00380 { 00381 int ret = 0; 00382 00383 if (key == NULL) { 00384 return BAD_FUNC_ARG; 00385 } 00386 00387 wc_RsaCleanup(key); 00388 00389 #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_RSA) 00390 wolfAsync_DevCtxFree(&key->asyncDev, WOLFSSL_ASYNC_MARKER_RSA); 00391 #endif 00392 00393 if (key->type == RSA_PRIVATE) { 00394 #if defined(WOLFSSL_KEY_GEN) || defined(OPENSSL_EXTRA) || !defined(RSA_LOW_MEM) 00395 mp_forcezero(&key->u); 00396 mp_forcezero(&key->dQ); 00397 mp_forcezero(&key->dP); 00398 #endif 00399 mp_forcezero(&key->q); 00400 mp_forcezero(&key->p); 00401 mp_forcezero(&key->d); 00402 } 00403 /* private part */ 00404 #if defined(WOLFSSL_KEY_GEN) || defined(OPENSSL_EXTRA) || !defined(RSA_LOW_MEM) 00405 mp_clear(&key->u); 00406 mp_clear(&key->dQ); 00407 mp_clear(&key->dP); 00408 #endif 00409 mp_clear(&key->q); 00410 mp_clear(&key->p); 00411 mp_clear(&key->d); 00412 00413 /* public part */ 00414 mp_clear(&key->e); 00415 mp_clear(&key->n); 00416 00417 #ifdef WOLFSSL_XILINX_CRYPT 00418 XFREE(key->mod, key->heap, DYNAMIC_TYPE_KEY); 00419 key->mod = NULL; 00420 #endif 00421 00422 return ret; 00423 } 00424 00425 00426 /* Check the pair-wise consistency of the RSA key. 00427 * From NIST SP 800-56B, section 6.4.1.1. 00428 * Verify that k = (k^e)^d, for some k: 1 < k < n-1. */ 00429 int wc_CheckRsaKey(RsaKey* key) 00430 { 00431 #ifdef WOLFSSL_SMALL_STACK 00432 mp_int *k = NULL, *tmp = NULL; 00433 #else 00434 mp_int k[1], tmp[1]; 00435 #endif 00436 int ret = 0; 00437 00438 #ifdef WOLFSSL_SMALL_STACK 00439 k = (mp_int*)XMALLOC(sizeof(mp_int) * 2, NULL, DYNAMIC_TYPE_RSA); 00440 if (k == NULL) 00441 return MEMORY_E; 00442 tmp = k + 1; 00443 #endif 00444 00445 if (mp_init_multi(k, tmp, NULL, NULL, NULL, NULL) != MP_OKAY) 00446 ret = MP_INIT_E; 00447 00448 if (ret == 0) { 00449 if (key == NULL) 00450 ret = BAD_FUNC_ARG; 00451 } 00452 00453 if (ret == 0) { 00454 if (mp_set_int(k, 0x2342) != MP_OKAY) 00455 ret = MP_READ_E; 00456 } 00457 00458 #ifdef WOLFSSL_SP_RSA 00459 #ifndef WOLFSSL_SP_NO_2048 00460 if (mp_count_bits(&key->n) == 2048) { 00461 ret = sp_ModExp_2048(k, &key->e, &key->n, tmp); 00462 if (ret != 0) 00463 ret = MP_EXPTMOD_E; 00464 ret = sp_ModExp_2048(tmp, &key->d, &key->n, tmp); 00465 if (ret != 0) 00466 ret = MP_EXPTMOD_E; 00467 } 00468 else 00469 #endif 00470 #ifndef WOLFSSL_SP_NO_3072 00471 if (mp_count_bits(&key->n) == 3072) { 00472 ret = sp_ModExp_3072(k, &key->e, &key->n, tmp); 00473 if (ret != 0) 00474 ret = MP_EXPTMOD_E; 00475 ret = sp_ModExp_3072(tmp, &key->d, &key->n, tmp); 00476 if (ret != 0) 00477 ret = MP_EXPTMOD_E; 00478 } 00479 else 00480 #endif 00481 #endif 00482 #ifdef WOLFSSL_SP_MATH 00483 { 00484 ret = WC_KEY_SIZE_E; 00485 } 00486 #else 00487 { 00488 if (ret == 0) { 00489 if (mp_exptmod(k, &key->e, &key->n, tmp) != MP_OKAY) 00490 ret = MP_EXPTMOD_E; 00491 } 00492 00493 if (ret == 0) { 00494 if (mp_exptmod(tmp, &key->d, &key->n, tmp) != MP_OKAY) 00495 ret = MP_EXPTMOD_E; 00496 } 00497 } 00498 #endif 00499 00500 if (ret == 0) { 00501 if (mp_cmp(k, tmp) != MP_EQ) 00502 ret = RSA_KEY_PAIR_E; 00503 } 00504 00505 mp_forcezero(tmp); 00506 mp_clear(tmp); 00507 mp_clear(k); 00508 #ifdef WOLFSSL_SMALL_STACK 00509 XFREE(k, NULL, DYNAMIC_TYPE_RSA); 00510 #endif 00511 00512 return ret; 00513 } 00514 00515 00516 #if !defined(WC_NO_RSA_OAEP) || defined(WC_RSA_PSS) 00517 /* Uses MGF1 standard as a mask generation function 00518 hType: hash type used 00519 seed: seed to use for generating mask 00520 seedSz: size of seed buffer 00521 out: mask output after generation 00522 outSz: size of output buffer 00523 */ 00524 static int RsaMGF1(enum wc_HashType hType, byte* seed, word32 seedSz, 00525 byte* out, word32 outSz, void* heap) 00526 { 00527 byte* tmp; 00528 /* needs to be large enough for seed size plus counter(4) */ 00529 byte tmpA[WC_MAX_DIGEST_SIZE + 4]; 00530 byte tmpF; /* 1 if dynamic memory needs freed */ 00531 word32 tmpSz; 00532 int hLen; 00533 int ret; 00534 word32 counter; 00535 word32 idx; 00536 hLen = wc_HashGetDigestSize(hType); 00537 counter = 0; 00538 idx = 0; 00539 00540 (void)heap; 00541 00542 /* check error return of wc_HashGetDigestSize */ 00543 if (hLen < 0) { 00544 return hLen; 00545 } 00546 00547 /* if tmp is not large enough than use some dynamic memory */ 00548 if ((seedSz + 4) > sizeof(tmpA) || (word32)hLen > sizeof(tmpA)) { 00549 /* find largest amount of memory needed which will be the max of 00550 * hLen and (seedSz + 4) since tmp is used to store the hash digest */ 00551 tmpSz = ((seedSz + 4) > (word32)hLen)? seedSz + 4: (word32)hLen; 00552 tmp = (byte*)XMALLOC(tmpSz, heap, DYNAMIC_TYPE_RSA_BUFFER); 00553 if (tmp == NULL) { 00554 return MEMORY_E; 00555 } 00556 tmpF = 1; /* make sure to free memory when done */ 00557 } 00558 else { 00559 /* use array on the stack */ 00560 tmpSz = sizeof(tmpA); 00561 tmp = tmpA; 00562 tmpF = 0; /* no need to free memory at end */ 00563 } 00564 00565 do { 00566 int i = 0; 00567 XMEMCPY(tmp, seed, seedSz); 00568 00569 /* counter to byte array appended to tmp */ 00570 tmp[seedSz] = (counter >> 24) & 0xFF; 00571 tmp[seedSz + 1] = (counter >> 16) & 0xFF; 00572 tmp[seedSz + 2] = (counter >> 8) & 0xFF; 00573 tmp[seedSz + 3] = (counter) & 0xFF; 00574 00575 /* hash and append to existing output */ 00576 if ((ret = wc_Hash(hType, tmp, (seedSz + 4), tmp, tmpSz)) != 0) { 00577 /* check for if dynamic memory was needed, then free */ 00578 if (tmpF) { 00579 XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER); 00580 } 00581 return ret; 00582 } 00583 00584 for (i = 0; i < hLen && idx < outSz; i++) { 00585 out[idx++] = tmp[i]; 00586 } 00587 counter++; 00588 } while (idx < outSz); 00589 00590 /* check for if dynamic memory was needed, then free */ 00591 if (tmpF) { 00592 XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER); 00593 } 00594 00595 return 0; 00596 } 00597 00598 /* helper function to direct which mask generation function is used 00599 switeched on type input 00600 */ 00601 static int RsaMGF(int type, byte* seed, word32 seedSz, byte* out, 00602 word32 outSz, void* heap) 00603 { 00604 int ret; 00605 00606 switch(type) { 00607 #ifndef NO_SHA 00608 case WC_MGF1SHA1: 00609 ret = RsaMGF1(WC_HASH_TYPE_SHA, seed, seedSz, out, outSz, heap); 00610 break; 00611 #endif 00612 #ifndef NO_SHA256 00613 #ifdef WOLFSSL_SHA224 00614 case WC_MGF1SHA224: 00615 ret = RsaMGF1(WC_HASH_TYPE_SHA224, seed, seedSz, out, outSz, heap); 00616 break; 00617 #endif 00618 case WC_MGF1SHA256: 00619 ret = RsaMGF1(WC_HASH_TYPE_SHA256, seed, seedSz, out, outSz, heap); 00620 break; 00621 #endif 00622 #ifdef WOLFSSL_SHA384 00623 case WC_MGF1SHA384: 00624 ret = RsaMGF1(WC_HASH_TYPE_SHA384, seed, seedSz, out, outSz, heap); 00625 break; 00626 #endif 00627 #ifdef WOLFSSL_SHA512 00628 case WC_MGF1SHA512: 00629 ret = RsaMGF1(WC_HASH_TYPE_SHA512, seed, seedSz, out, outSz, heap); 00630 break; 00631 #endif 00632 default: 00633 WOLFSSL_MSG("Unknown MGF type: check build options"); 00634 ret = BAD_FUNC_ARG; 00635 } 00636 00637 /* in case of default avoid unused warning */ 00638 (void)seed; 00639 (void)seedSz; 00640 (void)out; 00641 (void)outSz; 00642 (void)heap; 00643 00644 return ret; 00645 } 00646 #endif /* !WC_NO_RSA_OAEP */ 00647 00648 00649 /* Padding */ 00650 #ifndef WC_NO_RSA_OAEP 00651 static int RsaPad_OAEP(const byte* input, word32 inputLen, byte* pkcsBlock, 00652 word32 pkcsBlockLen, byte padValue, WC_RNG* rng, 00653 enum wc_HashType hType, int mgf, byte* optLabel, word32 labelLen, 00654 void* heap) 00655 { 00656 int ret; 00657 int hLen; 00658 int psLen; 00659 int i; 00660 word32 idx; 00661 00662 byte* dbMask; 00663 00664 #ifdef WOLFSSL_SMALL_STACK 00665 byte* lHash = NULL; 00666 byte* seed = NULL; 00667 #else 00668 /* must be large enough to contain largest hash */ 00669 byte lHash[WC_MAX_DIGEST_SIZE]; 00670 byte seed[ WC_MAX_DIGEST_SIZE]; 00671 #endif 00672 00673 /* no label is allowed, but catch if no label provided and length > 0 */ 00674 if (optLabel == NULL && labelLen > 0) { 00675 return BUFFER_E; 00676 } 00677 00678 /* limit of label is the same as limit of hash function which is massive */ 00679 hLen = wc_HashGetDigestSize(hType); 00680 if (hLen < 0) { 00681 return hLen; 00682 } 00683 00684 #ifdef WOLFSSL_SMALL_STACK 00685 lHash = (byte*)XMALLOC(hLen, heap, DYNAMIC_TYPE_RSA_BUFFER); 00686 if (lHash == NULL) { 00687 return MEMORY_E; 00688 } 00689 seed = (byte*)XMALLOC(hLen, heap, DYNAMIC_TYPE_RSA_BUFFER); 00690 if (seed == NULL) { 00691 XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER); 00692 return MEMORY_E; 00693 } 00694 #else 00695 /* hLen should never be larger than lHash since size is max digest size, 00696 but check before blindly calling wc_Hash */ 00697 if ((word32)hLen > sizeof(lHash)) { 00698 WOLFSSL_MSG("OAEP lHash to small for digest!!"); 00699 return MEMORY_E; 00700 } 00701 #endif 00702 00703 if ((ret = wc_Hash(hType, optLabel, labelLen, lHash, hLen)) != 0) { 00704 WOLFSSL_MSG("OAEP hash type possibly not supported or lHash to small"); 00705 #ifdef WOLFSSL_SMALL_STACK 00706 XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER); 00707 XFREE(seed, heap, DYNAMIC_TYPE_RSA_BUFFER); 00708 #endif 00709 return ret; 00710 } 00711 00712 /* handles check of location for idx as well as psLen, cast to int to check 00713 for pkcsBlockLen(k) - 2 * hLen - 2 being negative 00714 This check is similar to decryption where k > 2 * hLen + 2 as msg 00715 size approaches 0. In decryption if k is less than or equal -- then there 00716 is no possible room for msg. 00717 k = RSA key size 00718 hLen = hash digest size -- will always be >= 0 at this point 00719 */ 00720 if ((word32)(2 * hLen + 2) > pkcsBlockLen) { 00721 WOLFSSL_MSG("OAEP pad error hash to big for RSA key size"); 00722 #ifdef WOLFSSL_SMALL_STACK 00723 XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER); 00724 XFREE(seed, heap, DYNAMIC_TYPE_RSA_BUFFER); 00725 #endif 00726 return BAD_FUNC_ARG; 00727 } 00728 00729 if (inputLen > (pkcsBlockLen - 2 * hLen - 2)) { 00730 WOLFSSL_MSG("OAEP pad error message too long"); 00731 #ifdef WOLFSSL_SMALL_STACK 00732 XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER); 00733 XFREE(seed, heap, DYNAMIC_TYPE_RSA_BUFFER); 00734 #endif 00735 return BAD_FUNC_ARG; 00736 } 00737 00738 /* concatenate lHash || PS || 0x01 || msg */ 00739 idx = pkcsBlockLen - 1 - inputLen; 00740 psLen = pkcsBlockLen - inputLen - 2 * hLen - 2; 00741 if (pkcsBlockLen < inputLen) { /*make sure not writing over end of buffer */ 00742 #ifdef WOLFSSL_SMALL_STACK 00743 XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER); 00744 XFREE(seed, heap, DYNAMIC_TYPE_RSA_BUFFER); 00745 #endif 00746 return BUFFER_E; 00747 } 00748 XMEMCPY(pkcsBlock + (pkcsBlockLen - inputLen), input, inputLen); 00749 pkcsBlock[idx--] = 0x01; /* PS and M separator */ 00750 while (psLen > 0 && idx > 0) { 00751 pkcsBlock[idx--] = 0x00; 00752 psLen--; 00753 } 00754 00755 idx = idx - hLen + 1; 00756 XMEMCPY(pkcsBlock + idx, lHash, hLen); 00757 00758 /* generate random seed */ 00759 if ((ret = wc_RNG_GenerateBlock(rng, seed, hLen)) != 0) { 00760 #ifdef WOLFSSL_SMALL_STACK 00761 XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER); 00762 XFREE(seed, heap, DYNAMIC_TYPE_RSA_BUFFER); 00763 #endif 00764 return ret; 00765 } 00766 00767 /* create maskedDB from dbMask */ 00768 dbMask = (byte*)XMALLOC(pkcsBlockLen - hLen - 1, heap, DYNAMIC_TYPE_RSA); 00769 if (dbMask == NULL) { 00770 #ifdef WOLFSSL_SMALL_STACK 00771 XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER); 00772 XFREE(seed, heap, DYNAMIC_TYPE_RSA_BUFFER); 00773 #endif 00774 return MEMORY_E; 00775 } 00776 XMEMSET(dbMask, 0, pkcsBlockLen - hLen - 1); /* help static analyzer */ 00777 00778 ret = RsaMGF(mgf, seed, hLen, dbMask, pkcsBlockLen - hLen - 1, heap); 00779 if (ret != 0) { 00780 XFREE(dbMask, heap, DYNAMIC_TYPE_RSA); 00781 #ifdef WOLFSSL_SMALL_STACK 00782 XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER); 00783 XFREE(seed, heap, DYNAMIC_TYPE_RSA_BUFFER); 00784 #endif 00785 return ret; 00786 } 00787 00788 i = 0; 00789 idx = hLen + 1; 00790 while (idx < pkcsBlockLen && (word32)i < (pkcsBlockLen - hLen -1)) { 00791 pkcsBlock[idx] = dbMask[i++] ^ pkcsBlock[idx]; 00792 idx++; 00793 } 00794 XFREE(dbMask, heap, DYNAMIC_TYPE_RSA); 00795 00796 00797 /* create maskedSeed from seedMask */ 00798 idx = 0; 00799 pkcsBlock[idx++] = 0x00; 00800 /* create seedMask inline */ 00801 if ((ret = RsaMGF(mgf, pkcsBlock + hLen + 1, pkcsBlockLen - hLen - 1, 00802 pkcsBlock + 1, hLen, heap)) != 0) { 00803 #ifdef WOLFSSL_SMALL_STACK 00804 XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER); 00805 XFREE(seed, heap, DYNAMIC_TYPE_RSA_BUFFER); 00806 #endif 00807 return ret; 00808 } 00809 00810 /* xor created seedMask with seed to make maskedSeed */ 00811 i = 0; 00812 while (idx < (word32)(hLen + 1) && i < hLen) { 00813 pkcsBlock[idx] = pkcsBlock[idx] ^ seed[i++]; 00814 idx++; 00815 } 00816 00817 #ifdef WOLFSSL_SMALL_STACK 00818 XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER); 00819 XFREE(seed, heap, DYNAMIC_TYPE_RSA_BUFFER); 00820 #endif 00821 (void)padValue; 00822 00823 return 0; 00824 } 00825 #endif /* !WC_NO_RSA_OAEP */ 00826 00827 #ifdef WC_RSA_PSS 00828 00829 /* 0x00 .. 0x00 0x01 | Salt | Gen Hash | 0xbc 00830 * XOR MGF over all bytes down to end of Salt 00831 * Gen Hash = HASH(8 * 0x00 | Message Hash | Salt) 00832 * 00833 * input Digest of the message. 00834 * inputLen Length of digest. 00835 * pkcsBlock Buffer to write to. 00836 * pkcsBlockLen Length of buffer to write to. 00837 * rng Random number generator (for salt). 00838 * htype Hash function to use. 00839 * mgf Mask generation function. 00840 * saltLen Length of salt to put in padding. 00841 * bits Length of key in bits. 00842 * heap Used for dynamic memory allocation. 00843 * returns 0 on success, PSS_SALTLEN_E when the salt length is invalid 00844 * and other negative values on error. 00845 */ 00846 static int RsaPad_PSS(const byte* input, word32 inputLen, byte* pkcsBlock, 00847 word32 pkcsBlockLen, WC_RNG* rng, enum wc_HashType hType, int mgf, 00848 int saltLen, int bits, void* heap) 00849 { 00850 int ret; 00851 int hLen, i; 00852 byte* s; 00853 byte* m; 00854 byte* h; 00855 byte salt[WC_MAX_DIGEST_SIZE]; 00856 00857 hLen = wc_HashGetDigestSize(hType); 00858 if (hLen < 0) 00859 return hLen; 00860 00861 if (saltLen == -1) { 00862 saltLen = hLen; 00863 #ifdef WOLFSSL_SHA512 00864 /* See FIPS 186-4 section 5.5 item (e). */ 00865 if (bits == 1024 && hLen == WC_SHA512_DIGEST_SIZE) 00866 saltLen = RSA_PSS_SALT_MAX_SZ; 00867 #endif 00868 } 00869 else if (saltLen > hLen || saltLen < -1) 00870 return PSS_SALTLEN_E; 00871 if ((int)pkcsBlockLen - hLen < saltLen + 2) 00872 return PSS_SALTLEN_E; 00873 00874 s = m = pkcsBlock; 00875 XMEMSET(m, 0, RSA_PSS_PAD_SZ); 00876 m += RSA_PSS_PAD_SZ; 00877 XMEMCPY(m, input, inputLen); 00878 m += inputLen; 00879 if ((ret = wc_RNG_GenerateBlock(rng, salt, saltLen)) != 0) 00880 return ret; 00881 XMEMCPY(m, salt, saltLen); 00882 m += saltLen; 00883 00884 h = pkcsBlock + pkcsBlockLen - 1 - hLen; 00885 if ((ret = wc_Hash(hType, s, (word32)(m - s), h, hLen)) != 0) 00886 return ret; 00887 pkcsBlock[pkcsBlockLen - 1] = RSA_PSS_PAD_TERM; 00888 00889 ret = RsaMGF(mgf, h, hLen, pkcsBlock, pkcsBlockLen - hLen - 1, heap); 00890 if (ret != 0) 00891 return ret; 00892 pkcsBlock[0] &= (1 << ((bits - 1) & 0x7)) - 1; 00893 00894 m = pkcsBlock + pkcsBlockLen - 1 - saltLen - hLen - 1; 00895 *(m++) ^= 0x01; 00896 for (i = 0; i < saltLen; i++) 00897 m[i] ^= salt[i]; 00898 00899 return 0; 00900 } 00901 #endif 00902 00903 static int RsaPad(const byte* input, word32 inputLen, byte* pkcsBlock, 00904 word32 pkcsBlockLen, byte padValue, WC_RNG* rng) 00905 { 00906 if (input == NULL || inputLen == 0 || pkcsBlock == NULL || 00907 pkcsBlockLen == 0) { 00908 return BAD_FUNC_ARG; 00909 } 00910 00911 pkcsBlock[0] = 0x0; /* set first byte to zero and advance */ 00912 pkcsBlock++; pkcsBlockLen--; 00913 pkcsBlock[0] = padValue; /* insert padValue */ 00914 00915 if (padValue == RSA_BLOCK_TYPE_1) { 00916 if (pkcsBlockLen < inputLen + 2) { 00917 WOLFSSL_MSG("RsaPad error, invalid length"); 00918 return RSA_PAD_E; 00919 } 00920 00921 /* pad with 0xff bytes */ 00922 XMEMSET(&pkcsBlock[1], 0xFF, pkcsBlockLen - inputLen - 2); 00923 } 00924 else { 00925 /* pad with non-zero random bytes */ 00926 word32 padLen, i; 00927 int ret; 00928 00929 if (pkcsBlockLen < inputLen + 1) { 00930 WOLFSSL_MSG("RsaPad error, invalid length"); 00931 return RSA_PAD_E; 00932 } 00933 00934 padLen = pkcsBlockLen - inputLen - 1; 00935 ret = wc_RNG_GenerateBlock(rng, &pkcsBlock[1], padLen); 00936 if (ret != 0) { 00937 return ret; 00938 } 00939 00940 /* remove zeros */ 00941 for (i = 1; i < padLen; i++) { 00942 if (pkcsBlock[i] == 0) pkcsBlock[i] = 0x01; 00943 } 00944 } 00945 00946 pkcsBlock[pkcsBlockLen-inputLen-1] = 0; /* separator */ 00947 XMEMCPY(pkcsBlock+pkcsBlockLen-inputLen, input, inputLen); 00948 00949 return 0; 00950 } 00951 00952 /* helper function to direct which padding is used */ 00953 static int wc_RsaPad_ex(const byte* input, word32 inputLen, byte* pkcsBlock, 00954 word32 pkcsBlockLen, byte padValue, WC_RNG* rng, int padType, 00955 enum wc_HashType hType, int mgf, byte* optLabel, word32 labelLen, 00956 int saltLen, int bits, void* heap) 00957 { 00958 int ret; 00959 00960 switch (padType) 00961 { 00962 case WC_RSA_PKCSV15_PAD: 00963 /*WOLFSSL_MSG("wolfSSL Using RSA PKCSV15 padding");*/ 00964 ret = RsaPad(input, inputLen, pkcsBlock, pkcsBlockLen, 00965 padValue, rng); 00966 break; 00967 00968 #ifndef WC_NO_RSA_OAEP 00969 case WC_RSA_OAEP_PAD: 00970 WOLFSSL_MSG("wolfSSL Using RSA OAEP padding"); 00971 ret = RsaPad_OAEP(input, inputLen, pkcsBlock, pkcsBlockLen, 00972 padValue, rng, hType, mgf, optLabel, labelLen, heap); 00973 break; 00974 #endif 00975 00976 #ifdef WC_RSA_PSS 00977 case WC_RSA_PSS_PAD: 00978 WOLFSSL_MSG("wolfSSL Using RSA PSS padding"); 00979 ret = RsaPad_PSS(input, inputLen, pkcsBlock, pkcsBlockLen, rng, 00980 hType, mgf, saltLen, bits, heap); 00981 break; 00982 #endif 00983 00984 #ifdef WC_RSA_NO_PADDING 00985 case WC_RSA_NO_PAD: 00986 WOLFSSL_MSG("wolfSSL Using NO padding"); 00987 00988 /* In the case of no padding being used check that input is exactly 00989 * the RSA key length */ 00990 if (bits <= 0 || inputLen != ((word32)bits/WOLFSSL_BIT_SIZE)) { 00991 WOLFSSL_MSG("Bad input size"); 00992 ret = RSA_PAD_E; 00993 } 00994 else { 00995 XMEMCPY(pkcsBlock, input, inputLen); 00996 ret = 0; 00997 } 00998 break; 00999 #endif 01000 01001 default: 01002 WOLFSSL_MSG("Unknown RSA Pad Type"); 01003 ret = RSA_PAD_E; 01004 } 01005 01006 /* silence warning if not used with padding scheme */ 01007 (void)hType; 01008 (void)mgf; 01009 (void)optLabel; 01010 (void)labelLen; 01011 (void)saltLen; 01012 (void)bits; 01013 (void)heap; 01014 01015 return ret; 01016 } 01017 01018 01019 /* UnPadding */ 01020 #ifndef WC_NO_RSA_OAEP 01021 /* UnPad plaintext, set start to *output, return length of plaintext, 01022 * < 0 on error */ 01023 static int RsaUnPad_OAEP(byte *pkcsBlock, unsigned int pkcsBlockLen, 01024 byte **output, enum wc_HashType hType, int mgf, 01025 byte* optLabel, word32 labelLen, void* heap) 01026 { 01027 int hLen; 01028 int ret; 01029 byte h[WC_MAX_DIGEST_SIZE]; /* max digest size */ 01030 byte* tmp; 01031 word32 idx; 01032 01033 /* no label is allowed, but catch if no label provided and length > 0 */ 01034 if (optLabel == NULL && labelLen > 0) { 01035 return BUFFER_E; 01036 } 01037 01038 hLen = wc_HashGetDigestSize(hType); 01039 if ((hLen < 0) || (pkcsBlockLen < (2 * (word32)hLen + 2))) { 01040 return BAD_FUNC_ARG; 01041 } 01042 01043 tmp = (byte*)XMALLOC(pkcsBlockLen, heap, DYNAMIC_TYPE_RSA_BUFFER); 01044 if (tmp == NULL) { 01045 return MEMORY_E; 01046 } 01047 XMEMSET(tmp, 0, pkcsBlockLen); 01048 01049 /* find seedMask value */ 01050 if ((ret = RsaMGF(mgf, (byte*)(pkcsBlock + (hLen + 1)), 01051 pkcsBlockLen - hLen - 1, tmp, hLen, heap)) != 0) { 01052 XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER); 01053 return ret; 01054 } 01055 01056 /* xor seedMask value with maskedSeed to get seed value */ 01057 for (idx = 0; idx < (word32)hLen; idx++) { 01058 tmp[idx] = tmp[idx] ^ pkcsBlock[1 + idx]; 01059 } 01060 01061 /* get dbMask value */ 01062 if ((ret = RsaMGF(mgf, tmp, hLen, tmp + hLen, 01063 pkcsBlockLen - hLen - 1, heap)) != 0) { 01064 XFREE(tmp, NULL, DYNAMIC_TYPE_RSA_BUFFER); 01065 return ret; 01066 } 01067 01068 /* get DB value by doing maskedDB xor dbMask */ 01069 for (idx = 0; idx < (pkcsBlockLen - hLen - 1); idx++) { 01070 pkcsBlock[hLen + 1 + idx] = pkcsBlock[hLen + 1 + idx] ^ tmp[idx + hLen]; 01071 } 01072 01073 /* done with use of tmp buffer */ 01074 XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER); 01075 01076 /* advance idx to index of PS and msg separator, account for PS size of 0*/ 01077 idx = hLen + 1 + hLen; 01078 while (idx < pkcsBlockLen && pkcsBlock[idx] == 0) {idx++;} 01079 01080 /* create hash of label for comparison with hash sent */ 01081 if ((ret = wc_Hash(hType, optLabel, labelLen, h, hLen)) != 0) { 01082 return ret; 01083 } 01084 01085 /* say no to chosen ciphertext attack. 01086 Comparison of lHash, Y, and separator value needs to all happen in 01087 constant time. 01088 Attackers should not be able to get error condition from the timing of 01089 these checks. 01090 */ 01091 ret = 0; 01092 ret |= ConstantCompare(pkcsBlock + hLen + 1, h, hLen); 01093 ret += pkcsBlock[idx++] ^ 0x01; /* separator value is 0x01 */ 01094 ret += pkcsBlock[0] ^ 0x00; /* Y, the first value, should be 0 */ 01095 01096 if (ret != 0) { 01097 WOLFSSL_MSG("RsaUnPad_OAEP: Padding Error"); 01098 return BAD_PADDING_E; 01099 } 01100 01101 /* adjust pointer to correct location in array and return size of M */ 01102 *output = (byte*)(pkcsBlock + idx); 01103 return pkcsBlockLen - idx; 01104 } 01105 #endif /* WC_NO_RSA_OAEP */ 01106 01107 #ifdef WC_RSA_PSS 01108 /* 0x00 .. 0x00 0x01 | Salt | Gen Hash | 0xbc 01109 * MGF over all bytes down to end of Salt 01110 * 01111 * pkcsBlock Buffer holding decrypted data. 01112 * pkcsBlockLen Length of buffer. 01113 * htype Hash function to use. 01114 * mgf Mask generation function. 01115 * saltLen Length of salt to put in padding. 01116 * bits Length of key in bits. 01117 * heap Used for dynamic memory allocation. 01118 * returns 0 on success, PSS_SALTLEN_E when the salt length is invalid, 01119 * BAD_PADDING_E when the padding is not valid, MEMORY_E when allocation fails 01120 * and other negative values on error. 01121 */ 01122 static int RsaUnPad_PSS(byte *pkcsBlock, unsigned int pkcsBlockLen, 01123 byte **output, enum wc_HashType hType, int mgf, 01124 int saltLen, int bits, void* heap) 01125 { 01126 int ret; 01127 byte* tmp; 01128 int hLen, i; 01129 01130 hLen = wc_HashGetDigestSize(hType); 01131 if (hLen < 0) 01132 return hLen; 01133 01134 if (saltLen == -1) { 01135 saltLen = hLen; 01136 #ifdef WOLFSSL_SHA512 01137 /* See FIPS 186-4 section 5.5 item (e). */ 01138 if (bits == 1024 && hLen == WC_SHA512_DIGEST_SIZE) 01139 saltLen = RSA_PSS_SALT_MAX_SZ; 01140 #endif 01141 } 01142 else if (saltLen > hLen || saltLen < -1) 01143 return PSS_SALTLEN_E; 01144 if ((int)pkcsBlockLen - hLen < saltLen + 2) 01145 return PSS_SALTLEN_E; 01146 01147 if (pkcsBlock[pkcsBlockLen - 1] != RSA_PSS_PAD_TERM) { 01148 WOLFSSL_MSG("RsaUnPad_PSS: Padding Term Error"); 01149 return BAD_PADDING_E; 01150 } 01151 01152 tmp = (byte*)XMALLOC(pkcsBlockLen, heap, DYNAMIC_TYPE_RSA_BUFFER); 01153 if (tmp == NULL) 01154 return MEMORY_E; 01155 01156 if ((ret = RsaMGF(mgf, pkcsBlock + pkcsBlockLen - 1 - hLen, hLen, 01157 tmp, pkcsBlockLen - 1 - hLen, heap)) != 0) { 01158 XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER); 01159 return ret; 01160 } 01161 01162 tmp[0] &= (1 << ((bits - 1) & 0x7)) - 1; 01163 for (i = 0; i < (int)(pkcsBlockLen - 1 - saltLen - hLen - 1); i++) { 01164 if (tmp[i] != pkcsBlock[i]) { 01165 XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER); 01166 WOLFSSL_MSG("RsaUnPad_PSS: Padding Error Match"); 01167 return BAD_PADDING_E; 01168 } 01169 } 01170 if (tmp[i] != (pkcsBlock[i] ^ 0x01)) { 01171 XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER); 01172 WOLFSSL_MSG("RsaUnPad_PSS: Padding Error End"); 01173 return BAD_PADDING_E; 01174 } 01175 for (i++; i < (int)(pkcsBlockLen - 1 - hLen); i++) 01176 pkcsBlock[i] ^= tmp[i]; 01177 01178 XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER); 01179 01180 *output = pkcsBlock + pkcsBlockLen - (hLen + saltLen + 1); 01181 return saltLen + hLen; 01182 } 01183 #endif 01184 01185 /* UnPad plaintext, set start to *output, return length of plaintext, 01186 * < 0 on error */ 01187 static int RsaUnPad(const byte *pkcsBlock, unsigned int pkcsBlockLen, 01188 byte **output, byte padValue) 01189 { 01190 word32 maxOutputLen = (pkcsBlockLen > 10) ? (pkcsBlockLen - 10) : 0; 01191 word32 invalid = 0; 01192 word32 i = 1; 01193 word32 outputLen; 01194 01195 if (output == NULL || pkcsBlockLen == 0) { 01196 return BAD_FUNC_ARG; 01197 } 01198 01199 if (pkcsBlock[0] != 0x0) { /* skip past zero */ 01200 invalid = 1; 01201 } 01202 pkcsBlock++; pkcsBlockLen--; 01203 01204 /* Require block type padValue */ 01205 invalid = (pkcsBlock[0] != padValue) || invalid; 01206 01207 /* verify the padding until we find the separator */ 01208 if (padValue == RSA_BLOCK_TYPE_1) { 01209 while (i<pkcsBlockLen && pkcsBlock[i++] == 0xFF) {/* Null body */} 01210 } 01211 else { 01212 while (i<pkcsBlockLen && pkcsBlock[i++]) {/* Null body */} 01213 } 01214 01215 if (!(i==pkcsBlockLen || pkcsBlock[i-1]==0)) { 01216 WOLFSSL_MSG("RsaUnPad error, bad formatting"); 01217 return RSA_PAD_E; 01218 } 01219 01220 outputLen = pkcsBlockLen - i; 01221 invalid = (outputLen > maxOutputLen) || invalid; 01222 01223 if (invalid) { 01224 WOLFSSL_MSG("RsaUnPad error, invalid formatting"); 01225 return RSA_PAD_E; 01226 } 01227 01228 *output = (byte *)(pkcsBlock + i); 01229 return outputLen; 01230 } 01231 01232 /* helper function to direct unpadding 01233 * 01234 * bits is the key modulus size in bits 01235 */ 01236 static int wc_RsaUnPad_ex(byte* pkcsBlock, word32 pkcsBlockLen, byte** out, 01237 byte padValue, int padType, enum wc_HashType hType, 01238 int mgf, byte* optLabel, word32 labelLen, int saltLen, 01239 int bits, void* heap) 01240 { 01241 int ret; 01242 01243 switch (padType) { 01244 case WC_RSA_PKCSV15_PAD: 01245 /*WOLFSSL_MSG("wolfSSL Using RSA PKCSV15 un-padding");*/ 01246 ret = RsaUnPad(pkcsBlock, pkcsBlockLen, out, padValue); 01247 break; 01248 01249 #ifndef WC_NO_RSA_OAEP 01250 case WC_RSA_OAEP_PAD: 01251 WOLFSSL_MSG("wolfSSL Using RSA OAEP un-padding"); 01252 ret = RsaUnPad_OAEP((byte*)pkcsBlock, pkcsBlockLen, out, 01253 hType, mgf, optLabel, labelLen, heap); 01254 break; 01255 #endif 01256 01257 #ifdef WC_RSA_PSS 01258 case WC_RSA_PSS_PAD: 01259 WOLFSSL_MSG("wolfSSL Using RSA PSS un-padding"); 01260 ret = RsaUnPad_PSS((byte*)pkcsBlock, pkcsBlockLen, out, hType, mgf, 01261 saltLen, bits, heap); 01262 break; 01263 #endif 01264 01265 #ifdef WC_RSA_NO_PADDING 01266 case WC_RSA_NO_PAD: 01267 WOLFSSL_MSG("wolfSSL Using NO un-padding"); 01268 01269 /* In the case of no padding being used check that input is exactly 01270 * the RSA key length */ 01271 if (bits <= 0 || pkcsBlockLen != ((word32)bits/WOLFSSL_BIT_SIZE)) { 01272 WOLFSSL_MSG("Bad input size"); 01273 ret = RSA_PAD_E; 01274 } 01275 else { 01276 if (out != NULL) { 01277 *out = pkcsBlock; 01278 } 01279 ret = pkcsBlockLen; 01280 } 01281 break; 01282 #endif /* WC_RSA_NO_PADDING */ 01283 01284 default: 01285 WOLFSSL_MSG("Unknown RSA UnPad Type"); 01286 ret = RSA_PAD_E; 01287 } 01288 01289 /* silence warning if not used with padding scheme */ 01290 (void)hType; 01291 (void)mgf; 01292 (void)optLabel; 01293 (void)labelLen; 01294 (void)saltLen; 01295 (void)bits; 01296 (void)heap; 01297 01298 return ret; 01299 } 01300 01301 #if defined(WOLFSSL_XILINX_CRYPT) 01302 /* 01303 * Xilinx hardened crypto acceleration. 01304 * 01305 * Returns 0 on success and negative values on error. 01306 */ 01307 static int wc_RsaFunctionXil(const byte* in, word32 inLen, byte* out, 01308 word32* outLen, int type, RsaKey* key, WC_RNG* rng) 01309 { 01310 int ret = 0; 01311 word32 keyLen, len; 01312 (void)rng; 01313 01314 keyLen = wc_RsaEncryptSize(key); 01315 if (keyLen > *outLen) { 01316 WOLFSSL_MSG("Output buffer is not big enough"); 01317 return BAD_FUNC_ARG; 01318 } 01319 01320 if (inLen != keyLen) { 01321 WOLFSSL_MSG("Expected that inLen equals RSA key length"); 01322 return BAD_FUNC_ARG; 01323 } 01324 01325 switch(type) { 01326 case RSA_PRIVATE_DECRYPT: 01327 case RSA_PRIVATE_ENCRYPT: 01328 /* Currently public exponent is loaded by default. 01329 * In SDK 2017.1 RSA exponent values are expected to be of 4 bytes 01330 * leading to private key operations with Xsecure_RsaDecrypt not being 01331 * supported */ 01332 ret = RSA_WRONG_TYPE_E; 01333 break; 01334 case RSA_PUBLIC_ENCRYPT: 01335 case RSA_PUBLIC_DECRYPT: 01336 if (XSecure_RsaDecrypt(&(key->xRsa), in, out) != XST_SUCCESS) { 01337 ret = BAD_STATE_E; 01338 } 01339 break; 01340 default: 01341 ret = RSA_WRONG_TYPE_E; 01342 } 01343 01344 *outLen = keyLen; 01345 01346 return ret; 01347 } 01348 #endif /* WOLFSSL_XILINX_CRYPT */ 01349 01350 static int wc_RsaFunctionSync(const byte* in, word32 inLen, byte* out, 01351 word32* outLen, int type, RsaKey* key, WC_RNG* rng) 01352 { 01353 #ifndef WOLFSSL_SP_MATH 01354 #ifdef WOLFSSL_SMALL_STACK 01355 mp_int* tmp = NULL; 01356 #ifdef WC_RSA_BLINDING 01357 mp_int* rnd = NULL; 01358 mp_int* rndi = NULL; 01359 #endif 01360 #else 01361 mp_int tmp[1]; 01362 #ifdef WC_RSA_BLINDING 01363 mp_int rnd[1], rndi[1]; 01364 #endif 01365 #endif 01366 int ret = 0; 01367 word32 keyLen, len; 01368 #endif 01369 01370 #ifdef WOLFSSL_HAVE_SP_RSA 01371 #ifndef WOLFSSL_SP_NO_2048 01372 if (mp_count_bits(&key->n) == 2048) { 01373 switch(type) { 01374 case RSA_PRIVATE_DECRYPT: 01375 case RSA_PRIVATE_ENCRYPT: 01376 #ifdef WC_RSA_BLINDING 01377 if (rng == NULL) 01378 return MISSING_RNG_E; 01379 #endif 01380 #ifndef RSA_LOW_MEM 01381 return sp_RsaPrivate_2048(in, inLen, &key->d, &key->p, &key->q, 01382 &key->dP, &key->dQ, &key->u, &key->n, 01383 out, outLen); 01384 #else 01385 return sp_RsaPrivate_2048(in, inLen, &key->d, &key->p, &key->q, 01386 NULL, NULL, NULL, &key->n, out, outLen); 01387 #endif 01388 case RSA_PUBLIC_ENCRYPT: 01389 case RSA_PUBLIC_DECRYPT: 01390 return sp_RsaPublic_2048(in, inLen, &key->e, &key->n, out, outLen); 01391 } 01392 } 01393 #endif 01394 #ifndef WOLFSSL_SP_NO_3072 01395 if (mp_count_bits(&key->n) == 3072) { 01396 switch(type) { 01397 case RSA_PRIVATE_DECRYPT: 01398 case RSA_PRIVATE_ENCRYPT: 01399 #ifdef WC_RSA_BLINDING 01400 if (rng == NULL) 01401 return MISSING_RNG_E; 01402 #endif 01403 #ifndef RSA_LOW_MEM 01404 return sp_RsaPrivate_3072(in, inLen, &key->d, &key->p, &key->q, 01405 &key->dP, &key->dQ, &key->u, &key->n, 01406 out, outLen); 01407 #else 01408 return sp_RsaPrivate_3072(in, inLen, &key->d, &key->p, &key->q, 01409 NULL, NULL, NULL, &key->n, out, outLen); 01410 #endif 01411 case RSA_PUBLIC_ENCRYPT: 01412 case RSA_PUBLIC_DECRYPT: 01413 return sp_RsaPublic_3072(in, inLen, &key->e, &key->n, out, outLen); 01414 } 01415 } 01416 #endif 01417 #endif /* WOLFSSL_HAVE_SP_RSA */ 01418 01419 #ifdef WOLFSSL_SP_MATH 01420 return WC_KEY_SIZE_E; 01421 #else 01422 (void)rng; 01423 01424 #ifdef WOLFSSL_SMALL_STACK 01425 tmp = (mp_int*)XMALLOC(sizeof(mp_int), key->heap, DYNAMIC_TYPE_RSA); 01426 if (tmp == NULL) 01427 return MEMORY_E; 01428 #ifdef WC_RSA_BLINDING 01429 rnd = (mp_int*)XMALLOC(sizeof(mp_int) * 2, key->heap, DYNAMIC_TYPE_RSA); 01430 if (rnd == NULL) { 01431 XFREE(tmp, key->heap, DYNAMIC_TYPE_RSA); 01432 return MEMORY_E; 01433 } 01434 rndi = rnd + 1; 01435 #endif /* WC_RSA_BLINDING */ 01436 #endif /* WOLFSSL_SMALL_STACK */ 01437 01438 if (mp_init(tmp) != MP_OKAY) 01439 ret = MP_INIT_E; 01440 01441 #ifdef WC_RSA_BLINDING 01442 if (ret == 0) { 01443 if (type == RSA_PRIVATE_DECRYPT || type == RSA_PRIVATE_ENCRYPT) { 01444 if (mp_init_multi(rnd, rndi, NULL, NULL, NULL, NULL) != MP_OKAY) { 01445 mp_clear(tmp); 01446 ret = MP_INIT_E; 01447 } 01448 } 01449 } 01450 #endif 01451 01452 if (ret == 0 && mp_read_unsigned_bin(tmp, (byte*)in, inLen) != MP_OKAY) 01453 ret = MP_READ_E; 01454 01455 if (ret == 0) { 01456 switch(type) { 01457 case RSA_PRIVATE_DECRYPT: 01458 case RSA_PRIVATE_ENCRYPT: 01459 { 01460 #ifdef WC_RSA_BLINDING 01461 /* blind */ 01462 ret = mp_rand(rnd, get_digit_count(&key->n), rng); 01463 01464 /* rndi = 1/rnd mod n */ 01465 if (ret == 0 && mp_invmod(rnd, &key->n, rndi) != MP_OKAY) 01466 ret = MP_INVMOD_E; 01467 01468 /* rnd = rnd^e */ 01469 if (ret == 0 && mp_exptmod(rnd, &key->e, &key->n, rnd) != MP_OKAY) 01470 ret = MP_EXPTMOD_E; 01471 01472 /* tmp = tmp*rnd mod n */ 01473 if (ret == 0 && mp_mulmod(tmp, rnd, &key->n, tmp) != MP_OKAY) 01474 ret = MP_MULMOD_E; 01475 #endif /* WC_RSA_BLINDING */ 01476 01477 #ifdef RSA_LOW_MEM /* half as much memory but twice as slow */ 01478 if (ret == 0 && mp_exptmod(tmp, &key->d, &key->n, tmp) != MP_OKAY) 01479 ret = MP_EXPTMOD_E; 01480 #else 01481 if (ret == 0) { 01482 #ifdef WOLFSSL_SMALL_STACK 01483 mp_int* tmpa = NULL; 01484 mp_int* tmpb = NULL; 01485 #else 01486 mp_int tmpa[1], tmpb[1]; 01487 #endif 01488 int cleara = 0, clearb = 0; 01489 01490 #ifdef WOLFSSL_SMALL_STACK 01491 tmpa = XMALLOC(sizeof(mp_int) * 2, key->heap, DYNAMIC_TYPE_RSA); 01492 if (tmpa != NULL) 01493 tmpb = tmpa + 1; 01494 else 01495 ret = MEMORY_E; 01496 #endif 01497 01498 if (ret == 0) { 01499 if (mp_init(tmpa) != MP_OKAY) 01500 ret = MP_INIT_E; 01501 else 01502 cleara = 1; 01503 } 01504 01505 if (ret == 0) { 01506 if (mp_init(tmpb) != MP_OKAY) 01507 ret = MP_INIT_E; 01508 else 01509 clearb = 1; 01510 } 01511 01512 /* tmpa = tmp^dP mod p */ 01513 if (ret == 0 && mp_exptmod(tmp, &key->dP, &key->p, 01514 tmpa) != MP_OKAY) 01515 ret = MP_EXPTMOD_E; 01516 01517 /* tmpb = tmp^dQ mod q */ 01518 if (ret == 0 && mp_exptmod(tmp, &key->dQ, &key->q, 01519 tmpb) != MP_OKAY) 01520 ret = MP_EXPTMOD_E; 01521 01522 /* tmp = (tmpa - tmpb) * qInv (mod p) */ 01523 if (ret == 0 && mp_sub(tmpa, tmpb, tmp) != MP_OKAY) 01524 ret = MP_SUB_E; 01525 01526 if (ret == 0 && mp_mulmod(tmp, &key->u, &key->p, 01527 tmp) != MP_OKAY) 01528 ret = MP_MULMOD_E; 01529 01530 /* tmp = tmpb + q * tmp */ 01531 if (ret == 0 && mp_mul(tmp, &key->q, tmp) != MP_OKAY) 01532 ret = MP_MUL_E; 01533 01534 if (ret == 0 && mp_add(tmp, tmpb, tmp) != MP_OKAY) 01535 ret = MP_ADD_E; 01536 01537 #ifdef WOLFSSL_SMALL_STACK 01538 if (tmpa != NULL) 01539 #endif 01540 { 01541 if (cleara) 01542 mp_clear(tmpa); 01543 if (clearb) 01544 mp_clear(tmpb); 01545 #ifdef WOLFSSL_SMALL_STACK 01546 XFREE(tmpa, key->heap, DYNAMIC_TYPE_RSA); 01547 #endif 01548 } 01549 } /* tmpa/b scope */ 01550 #endif /* RSA_LOW_MEM */ 01551 01552 #ifdef WC_RSA_BLINDING 01553 /* unblind */ 01554 if (ret == 0 && mp_mulmod(tmp, rndi, &key->n, tmp) != MP_OKAY) 01555 ret = MP_MULMOD_E; 01556 #endif /* WC_RSA_BLINDING */ 01557 01558 break; 01559 } 01560 case RSA_PUBLIC_ENCRYPT: 01561 case RSA_PUBLIC_DECRYPT: 01562 #ifdef WOLFSSL_XILINX_CRYPT 01563 ret = wc_RsaFunctionXil(in, inLen, out, outLen, type, key, rng); 01564 #else 01565 if (mp_exptmod(tmp, &key->e, &key->n, tmp) != MP_OKAY) 01566 ret = MP_EXPTMOD_E; 01567 break; 01568 #endif 01569 default: 01570 ret = RSA_WRONG_TYPE_E; 01571 break; 01572 } 01573 } 01574 01575 if (ret == 0) { 01576 keyLen = wc_RsaEncryptSize(key); 01577 if (keyLen > *outLen) 01578 ret = RSA_BUFFER_E; 01579 } 01580 if (ret == 0) { 01581 len = mp_unsigned_bin_size(tmp); 01582 01583 /* pad front w/ zeros to match key length */ 01584 while (len < keyLen) { 01585 *out++ = 0x00; 01586 len++; 01587 } 01588 01589 *outLen = keyLen; 01590 01591 /* convert */ 01592 if (mp_to_unsigned_bin(tmp, out) != MP_OKAY) 01593 ret = MP_TO_E; 01594 } 01595 01596 mp_clear(tmp); 01597 #ifdef WOLFSSL_SMALL_STACK 01598 XFREE(tmp, key->heap, DYNAMIC_TYPE_RSA); 01599 #endif 01600 #ifdef WC_RSA_BLINDING 01601 if (type == RSA_PRIVATE_DECRYPT || type == RSA_PRIVATE_ENCRYPT) { 01602 mp_clear(rndi); 01603 mp_clear(rnd); 01604 } 01605 #ifdef WOLFSSL_SMALL_STACK 01606 XFREE(rnd, key->heap, DYNAMIC_TYPE_RSA); 01607 #endif 01608 #endif /* WC_RSA_BLINDING */ 01609 return ret; 01610 #endif /* WOLFSSL_SP_MATH */ 01611 } 01612 01613 #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_RSA) 01614 static int wc_RsaFunctionAsync(const byte* in, word32 inLen, byte* out, 01615 word32* outLen, int type, RsaKey* key, WC_RNG* rng) 01616 { 01617 int ret = 0; 01618 01619 (void)rng; 01620 01621 #ifdef WOLFSSL_ASYNC_CRYPT_TEST 01622 if (wc_AsyncTestInit(&key->asyncDev, ASYNC_TEST_RSA_FUNC)) { 01623 WC_ASYNC_TEST* testDev = &key->asyncDev.test; 01624 testDev->rsaFunc.in = in; 01625 testDev->rsaFunc.inSz = inLen; 01626 testDev->rsaFunc.out = out; 01627 testDev->rsaFunc.outSz = outLen; 01628 testDev->rsaFunc.type = type; 01629 testDev->rsaFunc.key = key; 01630 testDev->rsaFunc.rng = rng; 01631 return WC_PENDING_E; 01632 } 01633 #endif /* WOLFSSL_ASYNC_CRYPT_TEST */ 01634 01635 switch(type) { 01636 case RSA_PRIVATE_DECRYPT: 01637 case RSA_PRIVATE_ENCRYPT: 01638 #ifdef HAVE_CAVIUM 01639 key->dataLen = key->n.raw.len; 01640 ret = NitroxRsaExptMod(in, inLen, 01641 key->d.raw.buf, key->d.raw.len, 01642 key->n.raw.buf, key->n.raw.len, 01643 out, outLen, key); 01644 #elif defined(HAVE_INTEL_QA) 01645 #ifdef RSA_LOW_MEM 01646 ret = IntelQaRsaPrivate(&key->asyncDev, in, inLen, 01647 &key->d.raw, &key->n.raw, 01648 out, outLen); 01649 #else 01650 ret = IntelQaRsaCrtPrivate(&key->asyncDev, in, inLen, 01651 &key->p.raw, &key->q.raw, 01652 &key->dP.raw, &key->dQ.raw, 01653 &key->u.raw, 01654 out, outLen); 01655 #endif 01656 #else /* WOLFSSL_ASYNC_CRYPT_TEST */ 01657 ret = wc_RsaFunctionSync(in, inLen, out, outLen, type, key, rng); 01658 #endif 01659 break; 01660 01661 case RSA_PUBLIC_ENCRYPT: 01662 case RSA_PUBLIC_DECRYPT: 01663 #ifdef HAVE_CAVIUM 01664 key->dataLen = key->n.raw.len; 01665 ret = NitroxRsaExptMod(in, inLen, 01666 key->e.raw.buf, key->e.raw.len, 01667 key->n.raw.buf, key->n.raw.len, 01668 out, outLen, key); 01669 #elif defined(HAVE_INTEL_QA) 01670 ret = IntelQaRsaPublic(&key->asyncDev, in, inLen, 01671 &key->e.raw, &key->n.raw, 01672 out, outLen); 01673 #else /* WOLFSSL_ASYNC_CRYPT_TEST */ 01674 ret = wc_RsaFunctionSync(in, inLen, out, outLen, type, key, rng); 01675 #endif 01676 break; 01677 01678 default: 01679 ret = RSA_WRONG_TYPE_E; 01680 } 01681 01682 return ret; 01683 } 01684 #endif /* WOLFSSL_ASYNC_CRYPT && WC_ASYNC_ENABLE_RSA */ 01685 01686 #if defined(WC_RSA_DIRECT) || defined(WC_RSA_NO_PADDING) 01687 /* Function that does the RSA operation directly with no padding. 01688 * 01689 * in buffer to do operation on 01690 * inLen length of input buffer 01691 * out buffer to hold results 01692 * outSz gets set to size of result buffer. Should be passed in as length 01693 * of out buffer. If the pointer "out" is null then outSz gets set to 01694 * the expected buffer size needed and LENGTH_ONLY_E gets returned. 01695 * key RSA key to use for encrypt/decrypt 01696 * type if using private or public key {RSA_PUBLIC_ENCRYPT, 01697 * RSA_PUBLIC_DECRYPT, RSA_PRIVATE_ENCRYPT, RSA_PRIVATE_DECRYPT} 01698 * rng wolfSSL RNG to use if needed 01699 * 01700 * returns size of result on success 01701 */ 01702 int wc_RsaDirect(byte* in, word32 inLen, byte* out, word32* outSz, 01703 RsaKey* key, int type, WC_RNG* rng) 01704 { 01705 int ret; 01706 01707 if (in == NULL || outSz == NULL || key == NULL) { 01708 return BAD_FUNC_ARG; 01709 } 01710 01711 /* sanity check on type of RSA operation */ 01712 switch (type) { 01713 case RSA_PUBLIC_ENCRYPT: 01714 case RSA_PUBLIC_DECRYPT: 01715 case RSA_PRIVATE_ENCRYPT: 01716 case RSA_PRIVATE_DECRYPT: 01717 break; 01718 default: 01719 WOLFSSL_MSG("Bad RSA type"); 01720 return BAD_FUNC_ARG; 01721 } 01722 01723 if ((ret = wc_RsaEncryptSize(key)) < 0) { 01724 return BAD_FUNC_ARG; 01725 } 01726 01727 if (inLen != (word32)ret) { 01728 WOLFSSL_MSG("Bad input length. Should be RSA key size"); 01729 return BAD_FUNC_ARG; 01730 } 01731 01732 if (out == NULL) { 01733 *outSz = inLen; 01734 return LENGTH_ONLY_E; 01735 } 01736 01737 switch (key->state) { 01738 case RSA_STATE_NONE: 01739 case RSA_STATE_ENCRYPT_PAD: 01740 case RSA_STATE_ENCRYPT_EXPTMOD: 01741 case RSA_STATE_DECRYPT_EXPTMOD: 01742 case RSA_STATE_DECRYPT_UNPAD: 01743 key->state = (type == RSA_PRIVATE_ENCRYPT || 01744 type == RSA_PUBLIC_ENCRYPT) ? RSA_STATE_ENCRYPT_EXPTMOD: 01745 RSA_STATE_DECRYPT_EXPTMOD; 01746 01747 key->dataLen = *outSz; 01748 01749 ret = wc_RsaFunction(in, inLen, out, &key->dataLen, type, key, rng); 01750 if (ret >= 0 || ret == WC_PENDING_E) { 01751 key->state = (type == RSA_PRIVATE_ENCRYPT || 01752 type == RSA_PUBLIC_ENCRYPT) ? RSA_STATE_ENCRYPT_RES: 01753 RSA_STATE_DECRYPT_RES; 01754 } 01755 if (ret < 0) { 01756 break; 01757 } 01758 01759 FALL_THROUGH; 01760 01761 case RSA_STATE_ENCRYPT_RES: 01762 case RSA_STATE_DECRYPT_RES: 01763 ret = key->dataLen; 01764 break; 01765 01766 default: 01767 ret = BAD_STATE_E; 01768 } 01769 01770 /* if async pending then skip cleanup*/ 01771 if (ret == WC_PENDING_E) { 01772 return ret; 01773 } 01774 01775 key->state = RSA_STATE_NONE; 01776 wc_RsaCleanup(key); 01777 01778 return ret; 01779 } 01780 #endif /* WC_RSA_DIRECT || WC_RSA_NO_PADDING */ 01781 01782 01783 int wc_RsaFunction(const byte* in, word32 inLen, byte* out, 01784 word32* outLen, int type, RsaKey* key, WC_RNG* rng) 01785 { 01786 int ret = 0; 01787 01788 if (key == NULL || in == NULL || inLen == 0 || out == NULL || 01789 outLen == NULL || *outLen == 0 || type == RSA_TYPE_UNKNOWN) { 01790 return BAD_FUNC_ARG; 01791 } 01792 01793 #ifdef WOLF_CRYPTO_DEV 01794 if (key->devId != INVALID_DEVID) { 01795 ret = wc_CryptoDev_Rsa(in, inLen, out, outLen, type, key, rng); 01796 if (ret != NOT_COMPILED_IN) 01797 return ret; 01798 ret = 0; /* reset error code and try using software */ 01799 } 01800 #endif 01801 01802 #ifndef NO_RSA_BOUNDS_CHECK 01803 if (type == RSA_PRIVATE_DECRYPT && 01804 key->state == RSA_STATE_DECRYPT_EXPTMOD) { 01805 01806 /* Check that 1 < in < n-1. (Requirement of 800-56B.) */ 01807 #ifdef WOLFSSL_SMALL_STACK 01808 mp_int* c = NULL; 01809 #else 01810 mp_int c[1]; 01811 #endif 01812 01813 #ifdef WOLFSSL_SMALL_STACK 01814 c = (mp_int*)XMALLOC(sizeof(mp_int), key->heap, DYNAMIC_TYPE_RSA); 01815 if (c == NULL) 01816 ret = MEMORY_E; 01817 #endif 01818 01819 if (mp_init(c) != MP_OKAY) 01820 ret = MEMORY_E; 01821 if (ret == 0) { 01822 if (mp_read_unsigned_bin(c, in, inLen) != 0) 01823 ret = MP_READ_E; 01824 } 01825 if (ret == 0) { 01826 /* check c > 1 */ 01827 if (mp_cmp_d(c, 1) != MP_GT) 01828 ret = RSA_OUT_OF_RANGE_E; 01829 } 01830 if (ret == 0) { 01831 /* add c+1 */ 01832 if (mp_add_d(c, 1, c) != MP_OKAY) 01833 ret = MP_ADD_E; 01834 } 01835 if (ret == 0) { 01836 /* check c+1 < n */ 01837 if (mp_cmp(c, &key->n) != MP_LT) 01838 ret = RSA_OUT_OF_RANGE_E; 01839 } 01840 mp_clear(c); 01841 01842 #ifdef WOLFSSL_SMALL_STACK 01843 XFREE(c, key->heap, DYNAMIC_TYPE_RSA); 01844 #endif 01845 01846 if (ret != 0) 01847 return ret; 01848 } 01849 #endif /* NO_RSA_BOUNDS_CHECK */ 01850 01851 #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_RSA) 01852 if (key->asyncDev.marker == WOLFSSL_ASYNC_MARKER_RSA && 01853 key->n.raw.len > 0) { 01854 ret = wc_RsaFunctionAsync(in, inLen, out, outLen, type, key, rng); 01855 } 01856 else 01857 #endif 01858 { 01859 ret = wc_RsaFunctionSync(in, inLen, out, outLen, type, key, rng); 01860 } 01861 01862 /* handle error */ 01863 if (ret < 0 && ret != WC_PENDING_E) { 01864 if (ret == MP_EXPTMOD_E) { 01865 /* This can happen due to incorrectly set FP_MAX_BITS or missing XREALLOC */ 01866 WOLFSSL_MSG("RSA_FUNCTION MP_EXPTMOD_E: memory/config problem"); 01867 } 01868 01869 key->state = RSA_STATE_NONE; 01870 wc_RsaCleanup(key); 01871 } 01872 01873 return ret; 01874 } 01875 01876 01877 /* Internal Wrappers */ 01878 /* Gives the option of choosing padding type 01879 in : input to be encrypted 01880 inLen: length of input buffer 01881 out: encrypted output 01882 outLen: length of encrypted output buffer 01883 key : wolfSSL initialized RSA key struct 01884 rng : wolfSSL initialized random number struct 01885 rsa_type : type of RSA: RSA_PUBLIC_ENCRYPT, RSA_PUBLIC_DECRYPT, 01886 RSA_PRIVATE_ENCRYPT or RSA_PRIVATE_DECRYPT 01887 pad_value: RSA_BLOCK_TYPE_1 or RSA_BLOCK_TYPE_2 01888 pad_type : type of padding: WC_RSA_PKCSV15_PAD, WC_RSA_OAEP_PAD, 01889 WC_RSA_NO_PAD or WC_RSA_PSS_PAD 01890 hash : type of hash algorithm to use found in wolfssl/wolfcrypt/hash.h 01891 mgf : type of mask generation function to use 01892 label : optional label 01893 labelSz : size of optional label buffer 01894 saltLen : Length of salt used in PSS 01895 rng : random number generator */ 01896 static int RsaPublicEncryptEx(const byte* in, word32 inLen, byte* out, 01897 word32 outLen, RsaKey* key, int rsa_type, 01898 byte pad_value, int pad_type, 01899 enum wc_HashType hash, int mgf, 01900 byte* label, word32 labelSz, int saltLen, 01901 WC_RNG* rng) 01902 { 01903 int ret, sz; 01904 01905 if (in == NULL || inLen == 0 || out == NULL || key == NULL) { 01906 return BAD_FUNC_ARG; 01907 } 01908 01909 sz = wc_RsaEncryptSize(key); 01910 if (sz > (int)outLen) { 01911 return RSA_BUFFER_E; 01912 } 01913 01914 if (sz < RSA_MIN_PAD_SZ) { 01915 return WC_KEY_SIZE_E; 01916 } 01917 01918 if (inLen > (word32)(sz - RSA_MIN_PAD_SZ)) { 01919 #ifdef WC_RSA_NO_PADDING 01920 /* In the case that no padding is used the input length can and should 01921 * be the same size as the RSA key. */ 01922 if (pad_type != WC_RSA_NO_PAD) 01923 #endif 01924 return RSA_BUFFER_E; 01925 } 01926 01927 switch (key->state) { 01928 case RSA_STATE_NONE: 01929 case RSA_STATE_ENCRYPT_PAD: 01930 key->state = RSA_STATE_ENCRYPT_PAD; 01931 01932 #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_RSA) && \ 01933 defined(HAVE_CAVIUM) 01934 if (key->asyncDev.marker == WOLFSSL_ASYNC_MARKER_RSA && 01935 pad_type != WC_RSA_PSS_PAD && key->n.raw.buf) { 01936 /* Async operations that include padding */ 01937 if (rsa_type == RSA_PUBLIC_ENCRYPT && 01938 pad_value == RSA_BLOCK_TYPE_2) { 01939 key->state = RSA_STATE_ENCRYPT_RES; 01940 key->dataLen = key->n.raw.len; 01941 return NitroxRsaPublicEncrypt(in, inLen, out, outLen, key); 01942 } 01943 else if (rsa_type == RSA_PRIVATE_ENCRYPT && 01944 pad_value == RSA_BLOCK_TYPE_1) { 01945 key->state = RSA_STATE_ENCRYPT_RES; 01946 key->dataLen = key->n.raw.len; 01947 return NitroxRsaSSL_Sign(in, inLen, out, outLen, key); 01948 } 01949 } 01950 #endif 01951 01952 ret = wc_RsaPad_ex(in, inLen, out, sz, pad_value, rng, pad_type, hash, 01953 mgf, label, labelSz, saltLen, mp_count_bits(&key->n), 01954 key->heap); 01955 if (ret < 0) { 01956 break; 01957 } 01958 01959 key->state = RSA_STATE_ENCRYPT_EXPTMOD; 01960 01961 FALL_THROUGH; 01962 01963 case RSA_STATE_ENCRYPT_EXPTMOD: 01964 01965 key->dataLen = outLen; 01966 ret = wc_RsaFunction(out, sz, out, &key->dataLen, rsa_type, key, rng); 01967 01968 if (ret >= 0 || ret == WC_PENDING_E) { 01969 key->state = RSA_STATE_ENCRYPT_RES; 01970 } 01971 if (ret < 0) { 01972 break; 01973 } 01974 01975 FALL_THROUGH; 01976 01977 case RSA_STATE_ENCRYPT_RES: 01978 ret = key->dataLen; 01979 break; 01980 01981 default: 01982 ret = BAD_STATE_E; 01983 break; 01984 } 01985 01986 /* if async pending then return and skip done cleanup below */ 01987 if (ret == WC_PENDING_E) { 01988 return ret; 01989 } 01990 01991 key->state = RSA_STATE_NONE; 01992 wc_RsaCleanup(key); 01993 01994 return ret; 01995 } 01996 01997 /* Gives the option of choosing padding type 01998 in : input to be decrypted 01999 inLen: length of input buffer 02000 out: decrypted message 02001 outLen: length of decrypted message in bytes 02002 outPtr: optional inline output pointer (if provided doing inline) 02003 key : wolfSSL initialized RSA key struct 02004 rsa_type : type of RSA: RSA_PUBLIC_ENCRYPT, RSA_PUBLIC_DECRYPT, 02005 RSA_PRIVATE_ENCRYPT or RSA_PRIVATE_DECRYPT 02006 pad_value: RSA_BLOCK_TYPE_1 or RSA_BLOCK_TYPE_2 02007 pad_type : type of padding: WC_RSA_PKCSV15_PAD, WC_RSA_OAEP_PAD, 02008 WC_RSA_NO_PAD, WC_RSA_PSS_PAD 02009 hash : type of hash algorithm to use found in wolfssl/wolfcrypt/hash.h 02010 mgf : type of mask generation function to use 02011 label : optional label 02012 labelSz : size of optional label buffer 02013 saltLen : Length of salt used in PSS 02014 rng : random number generator */ 02015 static int RsaPrivateDecryptEx(byte* in, word32 inLen, byte* out, 02016 word32 outLen, byte** outPtr, RsaKey* key, 02017 int rsa_type, byte pad_value, int pad_type, 02018 enum wc_HashType hash, int mgf, 02019 byte* label, word32 labelSz, int saltLen, 02020 WC_RNG* rng) 02021 { 02022 int ret = RSA_WRONG_TYPE_E; 02023 02024 if (in == NULL || inLen == 0 || out == NULL || key == NULL) { 02025 return BAD_FUNC_ARG; 02026 } 02027 02028 switch (key->state) { 02029 case RSA_STATE_NONE: 02030 case RSA_STATE_DECRYPT_EXPTMOD: 02031 key->state = RSA_STATE_DECRYPT_EXPTMOD; 02032 key->dataLen = inLen; 02033 02034 #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_RSA) && \ 02035 defined(HAVE_CAVIUM) 02036 /* Async operations that include padding */ 02037 if (key->asyncDev.marker == WOLFSSL_ASYNC_MARKER_RSA && 02038 pad_type != WC_RSA_PSS_PAD) { 02039 if (rsa_type == RSA_PRIVATE_DECRYPT && 02040 pad_value == RSA_BLOCK_TYPE_2) { 02041 key->state = RSA_STATE_DECRYPT_RES; 02042 key->data = NULL; 02043 return NitroxRsaPrivateDecrypt(in, inLen, out, &key->dataLen, 02044 key); 02045 } 02046 else if (rsa_type == RSA_PUBLIC_DECRYPT && 02047 pad_value == RSA_BLOCK_TYPE_1) { 02048 key->state = RSA_STATE_DECRYPT_RES; 02049 key->data = NULL; 02050 return NitroxRsaSSL_Verify(in, inLen, out, &key->dataLen, key); 02051 } 02052 } 02053 #endif 02054 02055 /* verify the tmp ptr is NULL, otherwise indicates bad state */ 02056 if (key->data != NULL) { 02057 ret = BAD_STATE_E; 02058 break; 02059 } 02060 02061 /* if not doing this inline then allocate a buffer for it */ 02062 if (outPtr == NULL) { 02063 key->data = (byte*)XMALLOC(inLen, key->heap, DYNAMIC_TYPE_WOLF_BIGINT); 02064 key->dataIsAlloc = 1; 02065 if (key->data == NULL) { 02066 ret = MEMORY_E; 02067 break; 02068 } 02069 XMEMCPY(key->data, in, inLen); 02070 } 02071 else { 02072 key->data = out; 02073 } 02074 ret = wc_RsaFunction(key->data, inLen, key->data, &key->dataLen, rsa_type, 02075 key, rng); 02076 02077 if (ret >= 0 || ret == WC_PENDING_E) { 02078 key->state = RSA_STATE_DECRYPT_UNPAD; 02079 } 02080 if (ret < 0) { 02081 break; 02082 } 02083 02084 FALL_THROUGH; 02085 02086 case RSA_STATE_DECRYPT_UNPAD: 02087 { 02088 byte* pad = NULL; 02089 ret = wc_RsaUnPad_ex(key->data, key->dataLen, &pad, pad_value, pad_type, 02090 hash, mgf, label, labelSz, saltLen, 02091 mp_count_bits(&key->n), key->heap); 02092 if (ret > 0 && ret <= (int)outLen && pad != NULL) { 02093 /* only copy output if not inline */ 02094 if (outPtr == NULL) { 02095 XMEMCPY(out, pad, ret); 02096 } 02097 else { 02098 *outPtr = pad; 02099 } 02100 } 02101 else if (ret >= 0) { 02102 ret = RSA_BUFFER_E; 02103 } 02104 if (ret < 0) { 02105 break; 02106 } 02107 02108 key->state = RSA_STATE_DECRYPT_RES; 02109 02110 FALL_THROUGH; 02111 } 02112 case RSA_STATE_DECRYPT_RES: 02113 #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_RSA) && \ 02114 defined(HAVE_CAVIUM) 02115 if (key->asyncDev.marker == WOLFSSL_ASYNC_MARKER_RSA && 02116 pad_type != WC_RSA_PSS_PAD) { 02117 /* convert result */ 02118 byte* dataLen = (byte*)&key->dataLen; 02119 ret = (dataLen[0] << 8) | (dataLen[1]); 02120 02121 if (outPtr) 02122 *outPtr = in; 02123 } 02124 #endif 02125 break; 02126 02127 default: 02128 ret = BAD_STATE_E; 02129 break; 02130 } 02131 02132 /* if async pending then return and skip done cleanup below */ 02133 if (ret == WC_PENDING_E) { 02134 return ret; 02135 } 02136 02137 key->state = RSA_STATE_NONE; 02138 wc_RsaCleanup(key); 02139 02140 return ret; 02141 } 02142 02143 02144 /* Public RSA Functions */ 02145 int wc_RsaPublicEncrypt(const byte* in, word32 inLen, byte* out, word32 outLen, 02146 RsaKey* key, WC_RNG* rng) 02147 { 02148 return RsaPublicEncryptEx(in, inLen, out, outLen, key, 02149 RSA_PUBLIC_ENCRYPT, RSA_BLOCK_TYPE_2, WC_RSA_PKCSV15_PAD, 02150 WC_HASH_TYPE_NONE, WC_MGF1NONE, NULL, 0, 0, rng); 02151 } 02152 02153 02154 #if !defined(WC_NO_RSA_OAEP) || defined(WC_RSA_NO_PADDING) 02155 int wc_RsaPublicEncrypt_ex(const byte* in, word32 inLen, byte* out, 02156 word32 outLen, RsaKey* key, WC_RNG* rng, int type, 02157 enum wc_HashType hash, int mgf, byte* label, 02158 word32 labelSz) 02159 { 02160 return RsaPublicEncryptEx(in, inLen, out, outLen, key, RSA_PUBLIC_ENCRYPT, 02161 RSA_BLOCK_TYPE_2, type, hash, mgf, label, labelSz, 0, rng); 02162 } 02163 #endif /* WC_NO_RSA_OAEP */ 02164 02165 02166 int wc_RsaPrivateDecryptInline(byte* in, word32 inLen, byte** out, RsaKey* key) 02167 { 02168 WC_RNG* rng = NULL; 02169 #ifdef WC_RSA_BLINDING 02170 rng = key->rng; 02171 #endif 02172 return RsaPrivateDecryptEx(in, inLen, in, inLen, out, key, 02173 RSA_PRIVATE_DECRYPT, RSA_BLOCK_TYPE_2, WC_RSA_PKCSV15_PAD, 02174 WC_HASH_TYPE_NONE, WC_MGF1NONE, NULL, 0, 0, rng); 02175 } 02176 02177 02178 #ifndef WC_NO_RSA_OAEP 02179 int wc_RsaPrivateDecryptInline_ex(byte* in, word32 inLen, byte** out, 02180 RsaKey* key, int type, enum wc_HashType hash, 02181 int mgf, byte* label, word32 labelSz) 02182 { 02183 WC_RNG* rng = NULL; 02184 #ifdef WC_RSA_BLINDING 02185 rng = key->rng; 02186 #endif 02187 return RsaPrivateDecryptEx(in, inLen, in, inLen, out, key, 02188 RSA_PRIVATE_DECRYPT, RSA_BLOCK_TYPE_2, type, hash, 02189 mgf, label, labelSz, 0, rng); 02190 } 02191 #endif /* WC_NO_RSA_OAEP */ 02192 02193 02194 int wc_RsaPrivateDecrypt(const byte* in, word32 inLen, byte* out, 02195 word32 outLen, RsaKey* key) 02196 { 02197 WC_RNG* rng = NULL; 02198 #ifdef WC_RSA_BLINDING 02199 rng = key->rng; 02200 #endif 02201 return RsaPrivateDecryptEx((byte*)in, inLen, out, outLen, NULL, key, 02202 RSA_PRIVATE_DECRYPT, RSA_BLOCK_TYPE_2, WC_RSA_PKCSV15_PAD, 02203 WC_HASH_TYPE_NONE, WC_MGF1NONE, NULL, 0, 0, rng); 02204 } 02205 02206 #if !defined(WC_NO_RSA_OAEP) || defined(WC_RSA_NO_PADDING) 02207 int wc_RsaPrivateDecrypt_ex(const byte* in, word32 inLen, byte* out, 02208 word32 outLen, RsaKey* key, int type, 02209 enum wc_HashType hash, int mgf, byte* label, 02210 word32 labelSz) 02211 { 02212 WC_RNG* rng = NULL; 02213 #ifdef WC_RSA_BLINDING 02214 rng = key->rng; 02215 #endif 02216 return RsaPrivateDecryptEx((byte*)in, inLen, out, outLen, NULL, key, 02217 RSA_PRIVATE_DECRYPT, RSA_BLOCK_TYPE_2, type, hash, mgf, label, 02218 labelSz, 0, rng); 02219 } 02220 #endif /* WC_NO_RSA_OAEP || WC_RSA_NO_PADDING */ 02221 02222 02223 int wc_RsaSSL_VerifyInline(byte* in, word32 inLen, byte** out, RsaKey* key) 02224 { 02225 WC_RNG* rng = NULL; 02226 #ifdef WC_RSA_BLINDING 02227 rng = key->rng; 02228 #endif 02229 return RsaPrivateDecryptEx(in, inLen, in, inLen, out, key, 02230 RSA_PUBLIC_DECRYPT, RSA_BLOCK_TYPE_1, WC_RSA_PKCSV15_PAD, 02231 WC_HASH_TYPE_NONE, WC_MGF1NONE, NULL, 0, 0, rng); 02232 } 02233 02234 int wc_RsaSSL_Verify(const byte* in, word32 inLen, byte* out, word32 outLen, 02235 RsaKey* key) 02236 { 02237 WC_RNG* rng; 02238 02239 if (key == NULL) { 02240 return BAD_FUNC_ARG; 02241 } 02242 02243 rng = NULL; 02244 #ifdef WC_RSA_BLINDING 02245 rng = key->rng; 02246 #endif 02247 return RsaPrivateDecryptEx((byte*)in, inLen, out, outLen, NULL, key, 02248 RSA_PUBLIC_DECRYPT, RSA_BLOCK_TYPE_1, WC_RSA_PKCSV15_PAD, 02249 WC_HASH_TYPE_NONE, WC_MGF1NONE, NULL, 0, 0, rng); 02250 } 02251 02252 #ifdef WC_RSA_PSS 02253 /* Verify the message signed with RSA-PSS. 02254 * The input buffer is reused for the ouput buffer. 02255 * Salt length is equal to hash length. 02256 * 02257 * in Buffer holding encrypted data. 02258 * inLen Length of data in buffer. 02259 * out Pointer to address containing the PSS data. 02260 * hash Hash algorithm. 02261 * mgf Mask generation function. 02262 * key Public RSA key. 02263 * returns the length of the PSS data on success and negative indicates failure. 02264 */ 02265 int wc_RsaPSS_VerifyInline(byte* in, word32 inLen, byte** out, 02266 enum wc_HashType hash, int mgf, RsaKey* key) 02267 { 02268 return wc_RsaPSS_VerifyInline_ex(in, inLen, out, hash, mgf, -1, key); 02269 } 02270 02271 /* Verify the message signed with RSA-PSS. 02272 * The input buffer is reused for the ouput buffer. 02273 * 02274 * in Buffer holding encrypted data. 02275 * inLen Length of data in buffer. 02276 * out Pointer to address containing the PSS data. 02277 * hash Hash algorithm. 02278 * mgf Mask generation function. 02279 * key Public RSA key. 02280 * saltLen Length of salt used. -1 indicates salt length is the same as the 02281 * hash length. 02282 * returns the length of the PSS data on success and negative indicates failure. 02283 */ 02284 int wc_RsaPSS_VerifyInline_ex(byte* in, word32 inLen, byte** out, 02285 enum wc_HashType hash, int mgf, int saltLen, 02286 RsaKey* key) 02287 { 02288 WC_RNG* rng = NULL; 02289 #ifdef WC_RSA_BLINDING 02290 rng = key->rng; 02291 #endif 02292 return RsaPrivateDecryptEx(in, inLen, in, inLen, out, key, 02293 RSA_PUBLIC_DECRYPT, RSA_BLOCK_TYPE_1, WC_RSA_PSS_PAD, 02294 hash, mgf, NULL, 0, saltLen, rng); 02295 } 02296 02297 /* Verify the message signed with RSA-PSS. 02298 * Salt length is equal to hash length. 02299 * 02300 * in Buffer holding encrypted data. 02301 * inLen Length of data in buffer. 02302 * out Pointer to address containing the PSS data. 02303 * hash Hash algorithm. 02304 * mgf Mask generation function. 02305 * key Public RSA key. 02306 * returns the length of the PSS data on success and negative indicates failure. 02307 */ 02308 int wc_RsaPSS_Verify(byte* in, word32 inLen, byte* out, word32 outLen, 02309 enum wc_HashType hash, int mgf, RsaKey* key) 02310 { 02311 return wc_RsaPSS_Verify_ex(in, inLen, out, outLen, hash, mgf, -1, key); 02312 } 02313 02314 /* Verify the message signed with RSA-PSS. 02315 * 02316 * in Buffer holding encrypted data. 02317 * inLen Length of data in buffer. 02318 * out Pointer to address containing the PSS data. 02319 * hash Hash algorithm. 02320 * mgf Mask generation function. 02321 * key Public RSA key. 02322 * saltLen Length of salt used. -1 indicates salt length is the same as the 02323 * hash length. 02324 * returns the length of the PSS data on success and negative indicates failure. 02325 */ 02326 int wc_RsaPSS_Verify_ex(byte* in, word32 inLen, byte* out, word32 outLen, 02327 enum wc_HashType hash, int mgf, int saltLen, 02328 RsaKey* key) 02329 { 02330 WC_RNG* rng = NULL; 02331 #ifdef WC_RSA_BLINDING 02332 rng = key->rng; 02333 #endif 02334 return RsaPrivateDecryptEx(in, inLen, out, outLen, NULL, key, 02335 RSA_PUBLIC_DECRYPT, RSA_BLOCK_TYPE_1, WC_RSA_PSS_PAD, 02336 hash, mgf, NULL, 0, saltLen, rng); 02337 } 02338 02339 02340 /* Checks the PSS data to ensure that the signature matches. 02341 * Salt length is equal to hash length. 02342 * 02343 * in Hash of the data that is being verified. 02344 * inSz Length of hash. 02345 * sig Buffer holding PSS data. 02346 * sigSz Size of PSS data. 02347 * hashType Hash algorithm. 02348 * returns BAD_PADDING_E when the PSS data is invalid, BAD_FUNC_ARG when 02349 * NULL is passed in to in or sig or inSz is not the same as the hash 02350 * algorithm length and 0 on success. 02351 */ 02352 int wc_RsaPSS_CheckPadding(const byte* in, word32 inSz, byte* sig, 02353 word32 sigSz, enum wc_HashType hashType) 02354 { 02355 return wc_RsaPSS_CheckPadding_ex(in, inSz, sig, sigSz, hashType, inSz, 0); 02356 } 02357 02358 /* Checks the PSS data to ensure that the signature matches. 02359 * 02360 * in Hash of the data that is being verified. 02361 * inSz Length of hash. 02362 * sig Buffer holding PSS data. 02363 * sigSz Size of PSS data. 02364 * hashType Hash algorithm. 02365 * saltLen Length of salt used. -1 indicates salt length is the same as the 02366 * hash length. 02367 * returns BAD_PADDING_E when the PSS data is invalid, BAD_FUNC_ARG when 02368 * NULL is passed in to in or sig or inSz is not the same as the hash 02369 * algorithm length and 0 on success. 02370 */ 02371 int wc_RsaPSS_CheckPadding_ex(const byte* in, word32 inSz, byte* sig, 02372 word32 sigSz, enum wc_HashType hashType, 02373 int saltLen, int bits) 02374 { 02375 int ret = 0; 02376 byte sigCheck[WC_MAX_DIGEST_SIZE*2 + RSA_PSS_PAD_SZ]; 02377 02378 (void)bits; 02379 02380 if (in == NULL || sig == NULL || 02381 inSz != (word32)wc_HashGetDigestSize(hashType)) 02382 ret = BAD_FUNC_ARG; 02383 02384 if (ret == 0) { 02385 if (saltLen == -1) { 02386 saltLen = inSz; 02387 #ifdef WOLFSSL_SHA512 02388 /* See FIPS 186-4 section 5.5 item (e). */ 02389 if (bits == 1024 && inSz == WC_SHA512_DIGEST_SIZE) 02390 saltLen = RSA_PSS_SALT_MAX_SZ; 02391 #endif 02392 } 02393 else if (saltLen < -1 || (word32)saltLen > inSz) 02394 ret = PSS_SALTLEN_E; 02395 } 02396 02397 /* Sig = Salt | Exp Hash */ 02398 if (ret == 0) { 02399 if (sigSz != inSz + saltLen) 02400 ret = BAD_PADDING_E; 02401 } 02402 02403 /* Exp Hash = HASH(8 * 0x00 | Message Hash | Salt) */ 02404 if (ret == 0) { 02405 XMEMSET(sigCheck, 0, RSA_PSS_PAD_SZ); 02406 XMEMCPY(sigCheck + RSA_PSS_PAD_SZ, in, inSz); 02407 XMEMCPY(sigCheck + RSA_PSS_PAD_SZ + inSz, sig, saltLen); 02408 ret = wc_Hash(hashType, sigCheck, RSA_PSS_PAD_SZ + inSz + saltLen, 02409 sigCheck, inSz); 02410 } 02411 if (ret == 0) { 02412 if (XMEMCMP(sigCheck, sig + saltLen, inSz) != 0) { 02413 WOLFSSL_MSG("RsaPSS_CheckPadding: Padding Error"); 02414 ret = BAD_PADDING_E; 02415 } 02416 } 02417 02418 return ret; 02419 } 02420 02421 02422 /* Verify the message signed with RSA-PSS. 02423 * The input buffer is reused for the ouput buffer. 02424 * Salt length is equal to hash length. 02425 * 02426 * in Buffer holding encrypted data. 02427 * inLen Length of data in buffer. 02428 * out Pointer to address containing the PSS data. 02429 * digest Hash of the data that is being verified. 02430 * digestLen Length of hash. 02431 * hash Hash algorithm. 02432 * mgf Mask generation function. 02433 * key Public RSA key. 02434 * returns the length of the PSS data on success and negative indicates failure. 02435 */ 02436 int wc_RsaPSS_VerifyCheckInline(byte* in, word32 inLen, byte** out, 02437 const byte* digest, word32 digestLen, 02438 enum wc_HashType hash, int mgf, RsaKey* key) 02439 { 02440 int ret = 0, verify, saltLen, hLen, bits = 0; 02441 02442 hLen = wc_HashGetDigestSize(hash); 02443 if (hLen < 0) 02444 return hLen; 02445 if ((word32)hLen != digestLen) 02446 return BAD_FUNC_ARG; 02447 02448 saltLen = hLen; 02449 #ifdef WOLFSSL_SHA512 02450 /* See FIPS 186-4 section 5.5 item (e). */ 02451 bits = mp_count_bits(&key->n); 02452 if (bits == 1024 && hLen == WC_SHA512_DIGEST_SIZE) 02453 saltLen = RSA_PSS_SALT_MAX_SZ; 02454 #endif 02455 02456 verify = wc_RsaPSS_VerifyInline_ex(in, inLen, out, hash, mgf, saltLen, key); 02457 if (verify > 0) 02458 ret = wc_RsaPSS_CheckPadding_ex(digest, digestLen, *out, verify, 02459 hash, saltLen, bits); 02460 if (ret == 0) 02461 ret = verify; 02462 02463 return ret; 02464 } 02465 02466 02467 /* Verify the message signed with RSA-PSS. 02468 * Salt length is equal to hash length. 02469 * 02470 * in Buffer holding encrypted data. 02471 * inLen Length of data in buffer. 02472 * out Pointer to address containing the PSS data. 02473 * outLen Length of the output. 02474 * digest Hash of the data that is being verified. 02475 * digestLen Length of hash. 02476 * hash Hash algorithm. 02477 * mgf Mask generation function. 02478 * key Public RSA key. 02479 * returns the length of the PSS data on success and negative indicates failure. 02480 */ 02481 int wc_RsaPSS_VerifyCheck(byte* in, word32 inLen, byte* out, word32 outLen, 02482 const byte* digest, word32 digestLen, 02483 enum wc_HashType hash, int mgf, 02484 RsaKey* key) 02485 { 02486 int ret = 0, verify, saltLen, hLen, bits = 0; 02487 02488 hLen = wc_HashGetDigestSize(hash); 02489 if (hLen < 0) 02490 return hLen; 02491 if ((word32)hLen != digestLen) 02492 return BAD_FUNC_ARG; 02493 02494 saltLen = hLen; 02495 #ifdef WOLFSSL_SHA512 02496 /* See FIPS 186-4 section 5.5 item (e). */ 02497 bits = mp_count_bits(&key->n); 02498 if (bits == 1024 && hLen == WC_SHA512_DIGEST_SIZE) 02499 saltLen = RSA_PSS_SALT_MAX_SZ; 02500 #endif 02501 02502 verify = wc_RsaPSS_Verify_ex(in, inLen, out, outLen, hash, 02503 mgf, saltLen, key); 02504 if (verify > 0) 02505 ret = wc_RsaPSS_CheckPadding_ex(digest, digestLen, out, verify, 02506 hash, saltLen, bits); 02507 if (ret == 0) 02508 ret = verify; 02509 02510 return ret; 02511 } 02512 02513 #endif 02514 02515 int wc_RsaSSL_Sign(const byte* in, word32 inLen, byte* out, word32 outLen, 02516 RsaKey* key, WC_RNG* rng) 02517 { 02518 return RsaPublicEncryptEx(in, inLen, out, outLen, key, 02519 RSA_PRIVATE_ENCRYPT, RSA_BLOCK_TYPE_1, WC_RSA_PKCSV15_PAD, 02520 WC_HASH_TYPE_NONE, WC_MGF1NONE, NULL, 0, 0, rng); 02521 } 02522 02523 #ifdef WC_RSA_PSS 02524 /* Sign the hash of a message using RSA-PSS. 02525 * Salt length is equal to hash length. 02526 * 02527 * in Buffer holding hash of message. 02528 * inLen Length of data in buffer (hash length). 02529 * out Buffer to write encrypted signature into. 02530 * outLen Size of buffer to write to. 02531 * hash Hash algorithm. 02532 * mgf Mask generation function. 02533 * key Public RSA key. 02534 * rng Random number generator. 02535 * returns the length of the encrypted signature on success, a negative value 02536 * indicates failure. 02537 */ 02538 int wc_RsaPSS_Sign(const byte* in, word32 inLen, byte* out, word32 outLen, 02539 enum wc_HashType hash, int mgf, RsaKey* key, WC_RNG* rng) 02540 { 02541 return wc_RsaPSS_Sign_ex(in, inLen, out, outLen, hash, mgf, -1, key, rng); 02542 } 02543 02544 /* Sign the hash of a message using RSA-PSS. 02545 * 02546 * in Buffer holding hash of message. 02547 * inLen Length of data in buffer (hash length). 02548 * out Buffer to write encrypted signature into. 02549 * outLen Size of buffer to write to. 02550 * hash Hash algorithm. 02551 * mgf Mask generation function. 02552 * saltLen Length of salt used. -1 indicates salt length is the same as the 02553 * hash length. 02554 * key Public RSA key. 02555 * rng Random number generator. 02556 * returns the length of the encrypted signature on success, a negative value 02557 * indicates failure. 02558 */ 02559 int wc_RsaPSS_Sign_ex(const byte* in, word32 inLen, byte* out, word32 outLen, 02560 enum wc_HashType hash, int mgf, int saltLen, RsaKey* key, 02561 WC_RNG* rng) 02562 { 02563 return RsaPublicEncryptEx(in, inLen, out, outLen, key, 02564 RSA_PRIVATE_ENCRYPT, RSA_BLOCK_TYPE_1, WC_RSA_PSS_PAD, 02565 hash, mgf, NULL, 0, saltLen, rng); 02566 } 02567 #endif 02568 02569 int wc_RsaEncryptSize(RsaKey* key) 02570 { 02571 int ret; 02572 02573 if (key == NULL) { 02574 return BAD_FUNC_ARG; 02575 } 02576 02577 ret = mp_unsigned_bin_size(&key->n); 02578 02579 #ifdef WOLF_CRYPTO_DEV 02580 if (ret == 0 && key->devId != INVALID_DEVID) { 02581 ret = 2048/8; /* hardware handles, use 2048-bit as default */ 02582 } 02583 #endif 02584 02585 return ret; 02586 } 02587 02588 02589 /* flatten RsaKey structure into individual elements (e, n) */ 02590 int wc_RsaFlattenPublicKey(RsaKey* key, byte* e, word32* eSz, byte* n, 02591 word32* nSz) 02592 { 02593 int sz, ret; 02594 02595 if (key == NULL || e == NULL || eSz == NULL || n == NULL || nSz == NULL) { 02596 return BAD_FUNC_ARG; 02597 } 02598 02599 sz = mp_unsigned_bin_size(&key->e); 02600 if ((word32)sz > *eSz) 02601 return RSA_BUFFER_E; 02602 ret = mp_to_unsigned_bin(&key->e, e); 02603 if (ret != MP_OKAY) 02604 return ret; 02605 *eSz = (word32)sz; 02606 02607 sz = wc_RsaEncryptSize(key); 02608 if ((word32)sz > *nSz) 02609 return RSA_BUFFER_E; 02610 ret = mp_to_unsigned_bin(&key->n, n); 02611 if (ret != MP_OKAY) 02612 return ret; 02613 *nSz = (word32)sz; 02614 02615 return 0; 02616 } 02617 02618 02619 static int RsaGetValue(mp_int* in, byte* out, word32* outSz) 02620 { 02621 word32 sz; 02622 int ret = 0; 02623 02624 /* Parameters ensured by calling function. */ 02625 02626 sz = (word32)mp_unsigned_bin_size(in); 02627 if (sz > *outSz) 02628 ret = RSA_BUFFER_E; 02629 02630 if (ret == 0) 02631 ret = mp_to_unsigned_bin(in, out); 02632 02633 if (ret == MP_OKAY) 02634 *outSz = sz; 02635 02636 return ret; 02637 } 02638 02639 02640 int wc_RsaExportKey(RsaKey* key, 02641 byte* e, word32* eSz, byte* n, word32* nSz, 02642 byte* d, word32* dSz, byte* p, word32* pSz, 02643 byte* q, word32* qSz) 02644 { 02645 int ret = BAD_FUNC_ARG; 02646 02647 if (key && e && eSz && n && nSz && d && dSz && p && pSz && q && qSz) 02648 ret = 0; 02649 02650 if (ret == 0) 02651 ret = RsaGetValue(&key->e, e, eSz); 02652 if (ret == 0) 02653 ret = RsaGetValue(&key->n, n, nSz); 02654 if (ret == 0) 02655 ret = RsaGetValue(&key->d, d, dSz); 02656 if (ret == 0) 02657 ret = RsaGetValue(&key->p, p, pSz); 02658 if (ret == 0) 02659 ret = RsaGetValue(&key->q, q, qSz); 02660 02661 return ret; 02662 } 02663 02664 02665 #ifdef WOLFSSL_KEY_GEN 02666 02667 /* Check that |p-q| > 2^((size/2)-100) */ 02668 static int wc_CompareDiffPQ(mp_int* p, mp_int* q, int size) 02669 { 02670 mp_int c, d; 02671 int ret; 02672 02673 if (p == NULL || q == NULL) 02674 return BAD_FUNC_ARG; 02675 02676 ret = mp_init_multi(&c, &d, NULL, NULL, NULL, NULL); 02677 02678 /* c = 2^((size/2)-100) */ 02679 if (ret == 0) 02680 ret = mp_2expt(&c, (size/2)-100); 02681 02682 /* d = |p-q| */ 02683 if (ret == 0) 02684 ret = mp_sub(p, q, &d); 02685 02686 if (ret == 0) 02687 ret = mp_abs(&d, &d); 02688 02689 /* compare */ 02690 if (ret == 0) 02691 ret = mp_cmp(&d, &c); 02692 02693 if (ret == MP_GT) 02694 ret = MP_OKAY; 02695 02696 mp_clear(&d); 02697 mp_clear(&c); 02698 02699 return ret; 02700 } 02701 02702 02703 /* The lower_bound value is floor(2^(0.5) * 2^((nlen/2)-1)) where nlen is 4096. 02704 * This number was calculated using a small test tool written with a common 02705 * large number math library. Other values of nlen may be checked with a subset 02706 * of lower_bound. */ 02707 static const byte lower_bound[] = { 02708 0xB5, 0x04, 0xF3, 0x33, 0xF9, 0xDE, 0x64, 0x84, 02709 0x59, 0x7D, 0x89, 0xB3, 0x75, 0x4A, 0xBE, 0x9F, 02710 0x1D, 0x6F, 0x60, 0xBA, 0x89, 0x3B, 0xA8, 0x4C, 02711 0xED, 0x17, 0xAC, 0x85, 0x83, 0x33, 0x99, 0x15, 02712 /* 512 */ 02713 0x4A, 0xFC, 0x83, 0x04, 0x3A, 0xB8, 0xA2, 0xC3, 02714 0xA8, 0xB1, 0xFE, 0x6F, 0xDC, 0x83, 0xDB, 0x39, 02715 0x0F, 0x74, 0xA8, 0x5E, 0x43, 0x9C, 0x7B, 0x4A, 02716 0x78, 0x04, 0x87, 0x36, 0x3D, 0xFA, 0x27, 0x68, 02717 /* 1024 */ 02718 0xD2, 0x20, 0x2E, 0x87, 0x42, 0xAF, 0x1F, 0x4E, 02719 0x53, 0x05, 0x9C, 0x60, 0x11, 0xBC, 0x33, 0x7B, 02720 0xCA, 0xB1, 0xBC, 0x91, 0x16, 0x88, 0x45, 0x8A, 02721 0x46, 0x0A, 0xBC, 0x72, 0x2F, 0x7C, 0x4E, 0x33, 02722 0xC6, 0xD5, 0xA8, 0xA3, 0x8B, 0xB7, 0xE9, 0xDC, 02723 0xCB, 0x2A, 0x63, 0x43, 0x31, 0xF3, 0xC8, 0x4D, 02724 0xF5, 0x2F, 0x12, 0x0F, 0x83, 0x6E, 0x58, 0x2E, 02725 0xEA, 0xA4, 0xA0, 0x89, 0x90, 0x40, 0xCA, 0x4A, 02726 /* 2048 */ 02727 0x81, 0x39, 0x4A, 0xB6, 0xD8, 0xFD, 0x0E, 0xFD, 02728 0xF4, 0xD3, 0xA0, 0x2C, 0xEB, 0xC9, 0x3E, 0x0C, 02729 0x42, 0x64, 0xDA, 0xBC, 0xD5, 0x28, 0xB6, 0x51, 02730 0xB8, 0xCF, 0x34, 0x1B, 0x6F, 0x82, 0x36, 0xC7, 02731 0x01, 0x04, 0xDC, 0x01, 0xFE, 0x32, 0x35, 0x2F, 02732 0x33, 0x2A, 0x5E, 0x9F, 0x7B, 0xDA, 0x1E, 0xBF, 02733 0xF6, 0xA1, 0xBE, 0x3F, 0xCA, 0x22, 0x13, 0x07, 02734 0xDE, 0xA0, 0x62, 0x41, 0xF7, 0xAA, 0x81, 0xC2, 02735 /* 3072 */ 02736 0xC1, 0xFC, 0xBD, 0xDE, 0xA2, 0xF7, 0xDC, 0x33, 02737 0x18, 0x83, 0x8A, 0x2E, 0xAF, 0xF5, 0xF3, 0xB2, 02738 0xD2, 0x4F, 0x4A, 0x76, 0x3F, 0xAC, 0xB8, 0x82, 02739 0xFD, 0xFE, 0x17, 0x0F, 0xD3, 0xB1, 0xF7, 0x80, 02740 0xF9, 0xAC, 0xCE, 0x41, 0x79, 0x7F, 0x28, 0x05, 02741 0xC2, 0x46, 0x78, 0x5E, 0x92, 0x95, 0x70, 0x23, 02742 0x5F, 0xCF, 0x8F, 0x7B, 0xCA, 0x3E, 0xA3, 0x3B, 02743 0x4D, 0x7C, 0x60, 0xA5, 0xE6, 0x33, 0xE3, 0xE1 02744 /* 4096 */ 02745 }; 02746 02747 02748 /* returns 1 on key size ok and 0 if not ok */ 02749 static WC_INLINE int RsaSizeCheck(int size) 02750 { 02751 if (size < RSA_MIN_SIZE || size > RSA_MAX_SIZE) { 02752 return 0; 02753 } 02754 02755 #ifdef HAVE_FIPS 02756 /* Key size requirements for CAVP */ 02757 switch (size) { 02758 case 1024: 02759 case 2048: 02760 case 3072: 02761 case 4096: 02762 return 1; 02763 } 02764 02765 return 0; 02766 #else 02767 return 1; /* allow unusual key sizes in non FIPS mode */ 02768 #endif /* HAVE_FIPS */ 02769 } 02770 02771 02772 static int wc_CheckProbablePrime_ex(mp_int* p, mp_int* q, mp_int* e, int nlen, 02773 int* isPrime) 02774 { 02775 int ret; 02776 mp_int tmp1, tmp2; 02777 mp_int* prime; 02778 02779 if (p == NULL || e == NULL || isPrime == NULL) 02780 return BAD_FUNC_ARG; 02781 02782 if (!RsaSizeCheck(nlen)) 02783 return BAD_FUNC_ARG; 02784 02785 *isPrime = MP_NO; 02786 02787 if (q != NULL) { 02788 /* 5.4 - check that |p-q| <= (2^(1/2))(2^((nlen/2)-1)) */ 02789 ret = wc_CompareDiffPQ(p, q, nlen); 02790 if (ret != MP_OKAY) goto notOkay; 02791 prime = q; 02792 } 02793 else 02794 prime = p; 02795 02796 ret = mp_init_multi(&tmp1, &tmp2, NULL, NULL, NULL, NULL); 02797 if (ret != MP_OKAY) goto notOkay; 02798 02799 /* 4.4,5.5 - Check that prime >= (2^(1/2))(2^((nlen/2)-1)) 02800 * This is a comparison against lowerBound */ 02801 ret = mp_read_unsigned_bin(&tmp1, lower_bound, nlen/16); 02802 if (ret != MP_OKAY) goto notOkay; 02803 ret = mp_cmp(prime, &tmp1); 02804 if (ret == MP_LT) goto exit; 02805 02806 /* 4.5,5.6 - Check that GCD(p-1, e) == 1 */ 02807 ret = mp_sub_d(prime, 1, &tmp1); /* tmp1 = prime-1 */ 02808 if (ret != MP_OKAY) goto notOkay; 02809 ret = mp_gcd(&tmp1, e, &tmp2); /* tmp2 = gcd(prime-1, e) */ 02810 if (ret != MP_OKAY) goto notOkay; 02811 ret = mp_cmp_d(&tmp2, 1); 02812 if (ret != MP_EQ) goto exit; /* e divides p-1 */ 02813 02814 /* 4.5.1,5.6.1 - Check primality of p with 8 iterations */ 02815 ret = mp_prime_is_prime(prime, 8, isPrime); 02816 /* Performs some divides by a table of primes, and then does M-R, 02817 * it sets isPrime as a side-effect. */ 02818 if (ret != MP_OKAY) goto notOkay; 02819 02820 exit: 02821 ret = MP_OKAY; 02822 notOkay: 02823 mp_clear(&tmp1); 02824 mp_clear(&tmp2); 02825 return ret; 02826 } 02827 02828 02829 02830 int wc_CheckProbablePrime(const byte* pRaw, word32 pRawSz, 02831 const byte* qRaw, word32 qRawSz, 02832 const byte* eRaw, word32 eRawSz, 02833 int nlen, int* isPrime) 02834 { 02835 mp_int p, q, e; 02836 mp_int* Q = NULL; 02837 int ret; 02838 02839 if (pRaw == NULL || pRawSz == 0 || 02840 eRaw == NULL || eRawSz == 0 || 02841 isPrime == NULL) { 02842 02843 return BAD_FUNC_ARG; 02844 } 02845 02846 if ((qRaw != NULL && qRawSz == 0) || (qRaw == NULL && qRawSz != 0)) 02847 return BAD_FUNC_ARG; 02848 02849 ret = mp_init_multi(&p, &q, &e, NULL, NULL, NULL); 02850 02851 if (ret == MP_OKAY) 02852 ret = mp_read_unsigned_bin(&p, pRaw, pRawSz); 02853 02854 if (ret == MP_OKAY) { 02855 if (qRaw != NULL) { 02856 ret = mp_read_unsigned_bin(&q, qRaw, qRawSz); 02857 if (ret == MP_OKAY) 02858 Q = &q; 02859 } 02860 } 02861 02862 if (ret == MP_OKAY) 02863 ret = mp_read_unsigned_bin(&e, eRaw, eRawSz); 02864 02865 if (ret == MP_OKAY) 02866 ret = wc_CheckProbablePrime_ex(&p, Q, &e, nlen, isPrime); 02867 02868 ret = (ret == MP_OKAY) ? 0 : PRIME_GEN_E; 02869 02870 mp_clear(&p); 02871 mp_clear(&q); 02872 mp_clear(&e); 02873 02874 return ret; 02875 } 02876 02877 02878 /* Make an RSA key for size bits, with e specified, 65537 is a good e */ 02879 int wc_MakeRsaKey(RsaKey* key, int size, long e, WC_RNG* rng) 02880 { 02881 mp_int p, q, tmp1, tmp2, tmp3; 02882 int err, i, failCount, primeSz, isPrime = 0; 02883 byte* buf = NULL; 02884 02885 if (key == NULL || rng == NULL) 02886 return BAD_FUNC_ARG; 02887 02888 if (!RsaSizeCheck(size)) 02889 return BAD_FUNC_ARG; 02890 02891 if (e < 3 || (e & 1) == 0) 02892 return BAD_FUNC_ARG; 02893 02894 #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_RSA) 02895 if (key->asyncDev.marker == WOLFSSL_ASYNC_MARKER_RSA) { 02896 #ifdef HAVE_CAVIUM 02897 /* TODO: Not implemented */ 02898 #elif defined(HAVE_INTEL_QA) 02899 /* TODO: Not implemented */ 02900 #else 02901 if (wc_AsyncTestInit(&key->asyncDev, ASYNC_TEST_RSA_MAKE)) { 02902 WC_ASYNC_TEST* testDev = &key->asyncDev.test; 02903 testDev->rsaMake.rng = rng; 02904 testDev->rsaMake.key = key; 02905 testDev->rsaMake.size = size; 02906 testDev->rsaMake.e = e; 02907 return WC_PENDING_E; 02908 } 02909 #endif 02910 } 02911 #endif 02912 02913 err = mp_init_multi(&p, &q, &tmp1, &tmp2, &tmp3, NULL); 02914 02915 if (err == MP_OKAY) 02916 err = mp_set_int(&tmp3, e); 02917 02918 /* The failCount value comes from NIST FIPS 186-4, section B.3.3, 02919 * process steps 4.7 and 5.8. */ 02920 failCount = 5 * (size / 2); 02921 primeSz = size / 16; /* size is the size of n in bits. 02922 primeSz is in bytes. */ 02923 02924 /* allocate buffer to work with */ 02925 if (err == MP_OKAY) { 02926 buf = (byte*)XMALLOC(primeSz, key->heap, DYNAMIC_TYPE_RSA); 02927 if (buf == NULL) 02928 err = MEMORY_E; 02929 } 02930 02931 /* make p */ 02932 if (err == MP_OKAY) { 02933 isPrime = 0; 02934 i = 0; 02935 do { 02936 #ifdef SHOW_GEN 02937 printf("."); 02938 fflush(stdout); 02939 #endif 02940 /* generate value */ 02941 err = wc_RNG_GenerateBlock(rng, buf, primeSz); 02942 02943 if (err == 0) { 02944 /* prime lower bound has the MSB set, set it in candidate */ 02945 buf[0] |= 0x80; 02946 /* make candidate odd */ 02947 buf[primeSz-1] |= 0x01; 02948 /* load value */ 02949 err = mp_read_unsigned_bin(&p, buf, primeSz); 02950 } 02951 02952 if (err == MP_OKAY) 02953 err = wc_CheckProbablePrime_ex(&p, NULL, &tmp3, size, &isPrime); 02954 02955 #ifdef WOLFSSL_FIPS 02956 i++; 02957 #else 02958 /* Keep the old retry behavior in non-FIPS build. */ 02959 (void)i; 02960 #endif 02961 } while (err == MP_OKAY && !isPrime && i < failCount); 02962 } 02963 02964 if (err == MP_OKAY && !isPrime) 02965 err = PRIME_GEN_E; 02966 02967 /* make q */ 02968 if (err == MP_OKAY) { 02969 isPrime = 0; 02970 i = 0; 02971 do { 02972 #ifdef SHOW_GEN 02973 printf("."); 02974 fflush(stdout); 02975 #endif 02976 /* generate value */ 02977 err = wc_RNG_GenerateBlock(rng, buf, primeSz); 02978 02979 if (err == 0) { 02980 /* prime lower bound has the MSB set, set it in candidate */ 02981 buf[0] |= 0x80; 02982 /* make candidate odd */ 02983 buf[primeSz-1] |= 0x01; 02984 /* load value */ 02985 err = mp_read_unsigned_bin(&q, buf, primeSz); 02986 } 02987 02988 if (err == MP_OKAY) 02989 err = wc_CheckProbablePrime_ex(&p, &q, &tmp3, size, &isPrime); 02990 02991 #ifdef WOLFSSL_FIPS 02992 i++; 02993 #else 02994 /* Keep the old retry behavior in non-FIPS build. */ 02995 (void)i; 02996 #endif 02997 } while (err == MP_OKAY && !isPrime && i < failCount); 02998 } 02999 03000 if (err == MP_OKAY && !isPrime) 03001 err = PRIME_GEN_E; 03002 03003 if (buf) { 03004 ForceZero(buf, primeSz); 03005 XFREE(buf, key->heap, DYNAMIC_TYPE_RSA); 03006 } 03007 03008 if (err == MP_OKAY) 03009 err = mp_init_multi(&key->n, &key->e, &key->d, &key->p, &key->q, NULL); 03010 03011 if (err == MP_OKAY) 03012 err = mp_init_multi(&key->dP, &key->dQ, &key->u, NULL, NULL, NULL); 03013 03014 if (err == MP_OKAY) 03015 err = mp_sub_d(&p, 1, &tmp1); /* tmp1 = p-1 */ 03016 03017 if (err == MP_OKAY) 03018 err = mp_sub_d(&q, 1, &tmp2); /* tmp2 = q-1 */ 03019 03020 if (err == MP_OKAY) 03021 err = mp_lcm(&tmp1, &tmp2, &tmp3); /* tmp3 = lcm(p-1, q-1),last loop */ 03022 03023 /* make key */ 03024 if (err == MP_OKAY) 03025 err = mp_set_int(&key->e, (mp_digit)e); /* key->e = e */ 03026 03027 if (err == MP_OKAY) /* key->d = 1/e mod lcm(p-1, q-1) */ 03028 err = mp_invmod(&key->e, &tmp3, &key->d); 03029 03030 if (err == MP_OKAY) 03031 err = mp_mul(&p, &q, &key->n); /* key->n = pq */ 03032 03033 if (err == MP_OKAY) 03034 err = mp_mod(&key->d, &tmp1, &key->dP); /* key->dP = d mod(p-1) */ 03035 03036 if (err == MP_OKAY) 03037 err = mp_mod(&key->d, &tmp2, &key->dQ); /* key->dQ = d mod(q-1) */ 03038 03039 if (err == MP_OKAY) 03040 err = mp_invmod(&q, &p, &key->u); /* key->u = 1/q mod p */ 03041 03042 if (err == MP_OKAY) 03043 err = mp_copy(&p, &key->p); 03044 03045 if (err == MP_OKAY) 03046 err = mp_copy(&q, &key->q); 03047 03048 if (err == MP_OKAY) 03049 key->type = RSA_PRIVATE; 03050 03051 mp_clear(&tmp1); 03052 mp_clear(&tmp2); 03053 mp_clear(&tmp3); 03054 mp_clear(&p); 03055 mp_clear(&q); 03056 03057 /* Perform the pair-wise consistency test on the new key. */ 03058 if (err == 0) 03059 err = wc_CheckRsaKey(key); 03060 03061 if (err != 0) { 03062 wc_FreeRsaKey(key); 03063 return err; 03064 } 03065 03066 #ifdef WOLFSSL_XILINX_CRYPT 03067 if (wc_InitRsaHw(key) != 0) { 03068 return BAD_STATE_E; 03069 } 03070 #endif 03071 03072 return 0; 03073 } 03074 #endif /* WOLFSSL_KEY_GEN */ 03075 03076 03077 #ifdef WC_RSA_BLINDING 03078 03079 int wc_RsaSetRNG(RsaKey* key, WC_RNG* rng) 03080 { 03081 if (key == NULL) 03082 return BAD_FUNC_ARG; 03083 03084 key->rng = rng; 03085 03086 return 0; 03087 } 03088 03089 #endif /* WC_RSA_BLINDING */ 03090 03091 03092 #undef ERROR_OUT 03093 03094 #endif /* HAVE_FIPS */ 03095 #endif /* NO_RSA */ 03096
Generated on Tue Jul 12 2022 16:58:07 by
1.7.2