wolfSSL SSL/TLS library, support up to TLS1.3
Dependents: CyaSSL-Twitter-OAuth4Tw Example-client-tls-cert TwitterReader TweetTest ... more
wolfcrypt/src/rsa.c@13:f67a6c6013ca, 2017-08-22 (annotated)
- Committer:
- wolfSSL
- Date:
- Tue Aug 22 10:48:22 2017 +0000
- Revision:
- 13:f67a6c6013ca
wolfSSL3.12.0 with TLS1.3
Who changed what in which revision?
User | Revision | Line number | New contents of line |
---|---|---|---|
wolfSSL | 13:f67a6c6013ca | 1 | /* rsa.c |
wolfSSL | 13:f67a6c6013ca | 2 | * |
wolfSSL | 13:f67a6c6013ca | 3 | * Copyright (C) 2006-2016 wolfSSL Inc. |
wolfSSL | 13:f67a6c6013ca | 4 | * |
wolfSSL | 13:f67a6c6013ca | 5 | * This file is part of wolfSSL. |
wolfSSL | 13:f67a6c6013ca | 6 | * |
wolfSSL | 13:f67a6c6013ca | 7 | * wolfSSL is free software; you can redistribute it and/or modify |
wolfSSL | 13:f67a6c6013ca | 8 | * it under the terms of the GNU General Public License as published by |
wolfSSL | 13:f67a6c6013ca | 9 | * the Free Software Foundation; either version 2 of the License, or |
wolfSSL | 13:f67a6c6013ca | 10 | * (at your option) any later version. |
wolfSSL | 13:f67a6c6013ca | 11 | * |
wolfSSL | 13:f67a6c6013ca | 12 | * wolfSSL is distributed in the hope that it will be useful, |
wolfSSL | 13:f67a6c6013ca | 13 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
wolfSSL | 13:f67a6c6013ca | 14 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
wolfSSL | 13:f67a6c6013ca | 15 | * GNU General Public License for more details. |
wolfSSL | 13:f67a6c6013ca | 16 | * |
wolfSSL | 13:f67a6c6013ca | 17 | * You should have received a copy of the GNU General Public License |
wolfSSL | 13:f67a6c6013ca | 18 | * along with this program; if not, write to the Free Software |
wolfSSL | 13:f67a6c6013ca | 19 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA |
wolfSSL | 13:f67a6c6013ca | 20 | */ |
wolfSSL | 13:f67a6c6013ca | 21 | |
wolfSSL | 13:f67a6c6013ca | 22 | |
wolfSSL | 13:f67a6c6013ca | 23 | #ifdef HAVE_CONFIG_H |
wolfSSL | 13:f67a6c6013ca | 24 | #include <config.h> |
wolfSSL | 13:f67a6c6013ca | 25 | #endif |
wolfSSL | 13:f67a6c6013ca | 26 | |
wolfSSL | 13:f67a6c6013ca | 27 | #include <wolfssl/wolfcrypt/settings.h> |
wolfSSL | 13:f67a6c6013ca | 28 | #include <wolfssl/wolfcrypt/error-crypt.h> |
wolfSSL | 13:f67a6c6013ca | 29 | |
wolfSSL | 13:f67a6c6013ca | 30 | #ifndef NO_RSA |
wolfSSL | 13:f67a6c6013ca | 31 | |
wolfSSL | 13:f67a6c6013ca | 32 | #include <wolfssl/wolfcrypt/rsa.h> |
wolfSSL | 13:f67a6c6013ca | 33 | |
wolfSSL | 13:f67a6c6013ca | 34 | /* |
wolfSSL | 13:f67a6c6013ca | 35 | Possible RSA enable options: |
wolfSSL | 13:f67a6c6013ca | 36 | * NO_RSA: Overall control of RSA default: on (not defined) |
wolfSSL | 13:f67a6c6013ca | 37 | * WC_RSA_BLINDING: Uses Blinding w/ Private Ops default: off |
wolfSSL | 13:f67a6c6013ca | 38 | Note: slower by ~20% |
wolfSSL | 13:f67a6c6013ca | 39 | * WOLFSSL_KEY_GEN: Allows Private Key Generation default: off |
wolfSSL | 13:f67a6c6013ca | 40 | * RSA_LOW_MEM: NON CRT Private Operations, less memory default: off |
wolfSSL | 13:f67a6c6013ca | 41 | * WC_NO_RSA_OAEP: Disables RSA OAEP padding default: on (not defined) |
wolfSSL | 13:f67a6c6013ca | 42 | |
wolfSSL | 13:f67a6c6013ca | 43 | */ |
wolfSSL | 13:f67a6c6013ca | 44 | |
wolfSSL | 13:f67a6c6013ca | 45 | /* |
wolfSSL | 13:f67a6c6013ca | 46 | RSA Key Size Configuration: |
wolfSSL | 13:f67a6c6013ca | 47 | * FP_MAX_BITS: With USE_FAST_MATH only default: 4096 |
wolfSSL | 13:f67a6c6013ca | 48 | If USE_FAST_MATH then use this to override default. |
wolfSSL | 13:f67a6c6013ca | 49 | Value is key size * 2. Example: RSA 3072 = 6144 |
wolfSSL | 13:f67a6c6013ca | 50 | */ |
wolfSSL | 13:f67a6c6013ca | 51 | |
wolfSSL | 13:f67a6c6013ca | 52 | |
wolfSSL | 13:f67a6c6013ca | 53 | #ifdef HAVE_FIPS |
wolfSSL | 13:f67a6c6013ca | 54 | int wc_InitRsaKey(RsaKey* key, void* ptr) |
wolfSSL | 13:f67a6c6013ca | 55 | { |
wolfSSL | 13:f67a6c6013ca | 56 | if (key == NULL) { |
wolfSSL | 13:f67a6c6013ca | 57 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 58 | } |
wolfSSL | 13:f67a6c6013ca | 59 | |
wolfSSL | 13:f67a6c6013ca | 60 | return InitRsaKey_fips(key, ptr); |
wolfSSL | 13:f67a6c6013ca | 61 | } |
wolfSSL | 13:f67a6c6013ca | 62 | |
wolfSSL | 13:f67a6c6013ca | 63 | int wc_InitRsaKey_ex(RsaKey* key, void* ptr, int devId) |
wolfSSL | 13:f67a6c6013ca | 64 | { |
wolfSSL | 13:f67a6c6013ca | 65 | (void)devId; |
wolfSSL | 13:f67a6c6013ca | 66 | if (key == NULL) { |
wolfSSL | 13:f67a6c6013ca | 67 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 68 | } |
wolfSSL | 13:f67a6c6013ca | 69 | return InitRsaKey_fips(key, ptr); |
wolfSSL | 13:f67a6c6013ca | 70 | } |
wolfSSL | 13:f67a6c6013ca | 71 | |
wolfSSL | 13:f67a6c6013ca | 72 | int wc_FreeRsaKey(RsaKey* key) |
wolfSSL | 13:f67a6c6013ca | 73 | { |
wolfSSL | 13:f67a6c6013ca | 74 | return FreeRsaKey_fips(key); |
wolfSSL | 13:f67a6c6013ca | 75 | } |
wolfSSL | 13:f67a6c6013ca | 76 | |
wolfSSL | 13:f67a6c6013ca | 77 | |
wolfSSL | 13:f67a6c6013ca | 78 | int wc_RsaPublicEncrypt(const byte* in, word32 inLen, byte* out, |
wolfSSL | 13:f67a6c6013ca | 79 | word32 outLen, RsaKey* key, WC_RNG* rng) |
wolfSSL | 13:f67a6c6013ca | 80 | { |
wolfSSL | 13:f67a6c6013ca | 81 | if (in == NULL || out == NULL || key == NULL || rng == NULL) { |
wolfSSL | 13:f67a6c6013ca | 82 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 83 | } |
wolfSSL | 13:f67a6c6013ca | 84 | return RsaPublicEncrypt_fips(in, inLen, out, outLen, key, rng); |
wolfSSL | 13:f67a6c6013ca | 85 | } |
wolfSSL | 13:f67a6c6013ca | 86 | |
wolfSSL | 13:f67a6c6013ca | 87 | |
wolfSSL | 13:f67a6c6013ca | 88 | int wc_RsaPrivateDecryptInline(byte* in, word32 inLen, byte** out, |
wolfSSL | 13:f67a6c6013ca | 89 | RsaKey* key) |
wolfSSL | 13:f67a6c6013ca | 90 | { |
wolfSSL | 13:f67a6c6013ca | 91 | if (in == NULL || out == NULL || key == NULL) { |
wolfSSL | 13:f67a6c6013ca | 92 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 93 | } |
wolfSSL | 13:f67a6c6013ca | 94 | return RsaPrivateDecryptInline_fips(in, inLen, out, key); |
wolfSSL | 13:f67a6c6013ca | 95 | } |
wolfSSL | 13:f67a6c6013ca | 96 | |
wolfSSL | 13:f67a6c6013ca | 97 | |
wolfSSL | 13:f67a6c6013ca | 98 | int wc_RsaPrivateDecrypt(const byte* in, word32 inLen, byte* out, |
wolfSSL | 13:f67a6c6013ca | 99 | word32 outLen, RsaKey* key) |
wolfSSL | 13:f67a6c6013ca | 100 | { |
wolfSSL | 13:f67a6c6013ca | 101 | if (in == NULL || out == NULL || key == NULL) { |
wolfSSL | 13:f67a6c6013ca | 102 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 103 | } |
wolfSSL | 13:f67a6c6013ca | 104 | return RsaPrivateDecrypt_fips(in, inLen, out, outLen, key); |
wolfSSL | 13:f67a6c6013ca | 105 | } |
wolfSSL | 13:f67a6c6013ca | 106 | |
wolfSSL | 13:f67a6c6013ca | 107 | |
wolfSSL | 13:f67a6c6013ca | 108 | int wc_RsaSSL_Sign(const byte* in, word32 inLen, byte* out, |
wolfSSL | 13:f67a6c6013ca | 109 | word32 outLen, RsaKey* key, WC_RNG* rng) |
wolfSSL | 13:f67a6c6013ca | 110 | { |
wolfSSL | 13:f67a6c6013ca | 111 | if (in == NULL || out == NULL || key == NULL || inLen == 0) { |
wolfSSL | 13:f67a6c6013ca | 112 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 113 | } |
wolfSSL | 13:f67a6c6013ca | 114 | return RsaSSL_Sign_fips(in, inLen, out, outLen, key, rng); |
wolfSSL | 13:f67a6c6013ca | 115 | } |
wolfSSL | 13:f67a6c6013ca | 116 | |
wolfSSL | 13:f67a6c6013ca | 117 | |
wolfSSL | 13:f67a6c6013ca | 118 | int wc_RsaSSL_VerifyInline(byte* in, word32 inLen, byte** out, RsaKey* key) |
wolfSSL | 13:f67a6c6013ca | 119 | { |
wolfSSL | 13:f67a6c6013ca | 120 | if (in == NULL || out == NULL || key == NULL) { |
wolfSSL | 13:f67a6c6013ca | 121 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 122 | } |
wolfSSL | 13:f67a6c6013ca | 123 | return RsaSSL_VerifyInline_fips(in, inLen, out, key); |
wolfSSL | 13:f67a6c6013ca | 124 | } |
wolfSSL | 13:f67a6c6013ca | 125 | |
wolfSSL | 13:f67a6c6013ca | 126 | |
wolfSSL | 13:f67a6c6013ca | 127 | int wc_RsaSSL_Verify(const byte* in, word32 inLen, byte* out, |
wolfSSL | 13:f67a6c6013ca | 128 | word32 outLen, RsaKey* key) |
wolfSSL | 13:f67a6c6013ca | 129 | { |
wolfSSL | 13:f67a6c6013ca | 130 | if (in == NULL || out == NULL || key == NULL || inLen == 0) { |
wolfSSL | 13:f67a6c6013ca | 131 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 132 | } |
wolfSSL | 13:f67a6c6013ca | 133 | return RsaSSL_Verify_fips(in, inLen, out, outLen, key); |
wolfSSL | 13:f67a6c6013ca | 134 | } |
wolfSSL | 13:f67a6c6013ca | 135 | |
wolfSSL | 13:f67a6c6013ca | 136 | |
wolfSSL | 13:f67a6c6013ca | 137 | int wc_RsaEncryptSize(RsaKey* key) |
wolfSSL | 13:f67a6c6013ca | 138 | { |
wolfSSL | 13:f67a6c6013ca | 139 | if (key == NULL) { |
wolfSSL | 13:f67a6c6013ca | 140 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 141 | } |
wolfSSL | 13:f67a6c6013ca | 142 | return RsaEncryptSize_fips(key); |
wolfSSL | 13:f67a6c6013ca | 143 | } |
wolfSSL | 13:f67a6c6013ca | 144 | |
wolfSSL | 13:f67a6c6013ca | 145 | |
wolfSSL | 13:f67a6c6013ca | 146 | int wc_RsaFlattenPublicKey(RsaKey* key, byte* a, word32* aSz, byte* b, |
wolfSSL | 13:f67a6c6013ca | 147 | word32* bSz) |
wolfSSL | 13:f67a6c6013ca | 148 | { |
wolfSSL | 13:f67a6c6013ca | 149 | |
wolfSSL | 13:f67a6c6013ca | 150 | /* not specified as fips so not needing _fips */ |
wolfSSL | 13:f67a6c6013ca | 151 | return RsaFlattenPublicKey(key, a, aSz, b, bSz); |
wolfSSL | 13:f67a6c6013ca | 152 | } |
wolfSSL | 13:f67a6c6013ca | 153 | #ifdef WOLFSSL_KEY_GEN |
wolfSSL | 13:f67a6c6013ca | 154 | int wc_MakeRsaKey(RsaKey* key, int size, long e, WC_RNG* rng) |
wolfSSL | 13:f67a6c6013ca | 155 | { |
wolfSSL | 13:f67a6c6013ca | 156 | return MakeRsaKey(key, size, e, rng); |
wolfSSL | 13:f67a6c6013ca | 157 | } |
wolfSSL | 13:f67a6c6013ca | 158 | #endif |
wolfSSL | 13:f67a6c6013ca | 159 | |
wolfSSL | 13:f67a6c6013ca | 160 | |
wolfSSL | 13:f67a6c6013ca | 161 | /* these are functions in asn and are routed to wolfssl/wolfcrypt/asn.c |
wolfSSL | 13:f67a6c6013ca | 162 | * wc_RsaPrivateKeyDecode |
wolfSSL | 13:f67a6c6013ca | 163 | * wc_RsaPublicKeyDecode |
wolfSSL | 13:f67a6c6013ca | 164 | */ |
wolfSSL | 13:f67a6c6013ca | 165 | |
wolfSSL | 13:f67a6c6013ca | 166 | #else /* else build without fips */ |
wolfSSL | 13:f67a6c6013ca | 167 | |
wolfSSL | 13:f67a6c6013ca | 168 | #include <wolfssl/wolfcrypt/random.h> |
wolfSSL | 13:f67a6c6013ca | 169 | #include <wolfssl/wolfcrypt/logging.h> |
wolfSSL | 13:f67a6c6013ca | 170 | #ifdef NO_INLINE |
wolfSSL | 13:f67a6c6013ca | 171 | #include <wolfssl/wolfcrypt/misc.h> |
wolfSSL | 13:f67a6c6013ca | 172 | #else |
wolfSSL | 13:f67a6c6013ca | 173 | #define WOLFSSL_MISC_INCLUDED |
wolfSSL | 13:f67a6c6013ca | 174 | #include <wolfcrypt/src/misc.c> |
wolfSSL | 13:f67a6c6013ca | 175 | #endif |
wolfSSL | 13:f67a6c6013ca | 176 | |
wolfSSL | 13:f67a6c6013ca | 177 | #define ERROR_OUT(x) { ret = (x); goto done;} |
wolfSSL | 13:f67a6c6013ca | 178 | |
wolfSSL | 13:f67a6c6013ca | 179 | |
wolfSSL | 13:f67a6c6013ca | 180 | enum { |
wolfSSL | 13:f67a6c6013ca | 181 | RSA_STATE_NONE = 0, |
wolfSSL | 13:f67a6c6013ca | 182 | |
wolfSSL | 13:f67a6c6013ca | 183 | RSA_STATE_ENCRYPT_PAD, |
wolfSSL | 13:f67a6c6013ca | 184 | RSA_STATE_ENCRYPT_EXPTMOD, |
wolfSSL | 13:f67a6c6013ca | 185 | RSA_STATE_ENCRYPT_RES, |
wolfSSL | 13:f67a6c6013ca | 186 | |
wolfSSL | 13:f67a6c6013ca | 187 | RSA_STATE_DECRYPT_EXPTMOD, |
wolfSSL | 13:f67a6c6013ca | 188 | RSA_STATE_DECRYPT_UNPAD, |
wolfSSL | 13:f67a6c6013ca | 189 | RSA_STATE_DECRYPT_RES, |
wolfSSL | 13:f67a6c6013ca | 190 | }; |
wolfSSL | 13:f67a6c6013ca | 191 | |
wolfSSL | 13:f67a6c6013ca | 192 | static void wc_RsaCleanup(RsaKey* key) |
wolfSSL | 13:f67a6c6013ca | 193 | { |
wolfSSL | 13:f67a6c6013ca | 194 | if (key && key->data) { |
wolfSSL | 13:f67a6c6013ca | 195 | /* make sure any allocated memory is free'd */ |
wolfSSL | 13:f67a6c6013ca | 196 | if (key->dataIsAlloc) { |
wolfSSL | 13:f67a6c6013ca | 197 | if (key->type == RSA_PRIVATE_DECRYPT || |
wolfSSL | 13:f67a6c6013ca | 198 | key->type == RSA_PRIVATE_ENCRYPT) { |
wolfSSL | 13:f67a6c6013ca | 199 | ForceZero(key->data, key->dataLen); |
wolfSSL | 13:f67a6c6013ca | 200 | } |
wolfSSL | 13:f67a6c6013ca | 201 | XFREE(key->data, key->heap, DYNAMIC_TYPE_WOLF_BIGINT); |
wolfSSL | 13:f67a6c6013ca | 202 | key->dataIsAlloc = 0; |
wolfSSL | 13:f67a6c6013ca | 203 | } |
wolfSSL | 13:f67a6c6013ca | 204 | key->data = NULL; |
wolfSSL | 13:f67a6c6013ca | 205 | key->dataLen = 0; |
wolfSSL | 13:f67a6c6013ca | 206 | } |
wolfSSL | 13:f67a6c6013ca | 207 | } |
wolfSSL | 13:f67a6c6013ca | 208 | |
wolfSSL | 13:f67a6c6013ca | 209 | int wc_InitRsaKey_ex(RsaKey* key, void* heap, int devId) |
wolfSSL | 13:f67a6c6013ca | 210 | { |
wolfSSL | 13:f67a6c6013ca | 211 | int ret = 0; |
wolfSSL | 13:f67a6c6013ca | 212 | |
wolfSSL | 13:f67a6c6013ca | 213 | if (key == NULL) { |
wolfSSL | 13:f67a6c6013ca | 214 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 215 | } |
wolfSSL | 13:f67a6c6013ca | 216 | |
wolfSSL | 13:f67a6c6013ca | 217 | key->type = RSA_TYPE_UNKNOWN; |
wolfSSL | 13:f67a6c6013ca | 218 | key->state = RSA_STATE_NONE; |
wolfSSL | 13:f67a6c6013ca | 219 | key->heap = heap; |
wolfSSL | 13:f67a6c6013ca | 220 | key->data = NULL; |
wolfSSL | 13:f67a6c6013ca | 221 | key->dataLen = 0; |
wolfSSL | 13:f67a6c6013ca | 222 | key->dataIsAlloc = 0; |
wolfSSL | 13:f67a6c6013ca | 223 | #ifdef WC_RSA_BLINDING |
wolfSSL | 13:f67a6c6013ca | 224 | key->rng = NULL; |
wolfSSL | 13:f67a6c6013ca | 225 | #endif |
wolfSSL | 13:f67a6c6013ca | 226 | |
wolfSSL | 13:f67a6c6013ca | 227 | #ifdef WOLFSSL_ASYNC_CRYPT |
wolfSSL | 13:f67a6c6013ca | 228 | #ifdef WOLFSSL_CERT_GEN |
wolfSSL | 13:f67a6c6013ca | 229 | XMEMSET(&key->certSignCtx, 0, sizeof(CertSignCtx)); |
wolfSSL | 13:f67a6c6013ca | 230 | #endif |
wolfSSL | 13:f67a6c6013ca | 231 | |
wolfSSL | 13:f67a6c6013ca | 232 | #ifdef WC_ASYNC_ENABLE_RSA |
wolfSSL | 13:f67a6c6013ca | 233 | /* handle as async */ |
wolfSSL | 13:f67a6c6013ca | 234 | ret = wolfAsync_DevCtxInit(&key->asyncDev, WOLFSSL_ASYNC_MARKER_RSA, |
wolfSSL | 13:f67a6c6013ca | 235 | key->heap, devId); |
wolfSSL | 13:f67a6c6013ca | 236 | if (ret != 0) |
wolfSSL | 13:f67a6c6013ca | 237 | return ret; |
wolfSSL | 13:f67a6c6013ca | 238 | #endif /* WC_ASYNC_ENABLE_RSA */ |
wolfSSL | 13:f67a6c6013ca | 239 | #else |
wolfSSL | 13:f67a6c6013ca | 240 | (void)devId; |
wolfSSL | 13:f67a6c6013ca | 241 | #endif /* WOLFSSL_ASYNC_CRYPT */ |
wolfSSL | 13:f67a6c6013ca | 242 | |
wolfSSL | 13:f67a6c6013ca | 243 | ret = mp_init_multi(&key->n, &key->e, NULL, NULL, NULL, NULL); |
wolfSSL | 13:f67a6c6013ca | 244 | if (ret != MP_OKAY) |
wolfSSL | 13:f67a6c6013ca | 245 | return ret; |
wolfSSL | 13:f67a6c6013ca | 246 | |
wolfSSL | 13:f67a6c6013ca | 247 | ret = mp_init_multi(&key->d, &key->p, &key->q, &key->dP, &key->dQ, &key->u); |
wolfSSL | 13:f67a6c6013ca | 248 | if (ret != MP_OKAY) { |
wolfSSL | 13:f67a6c6013ca | 249 | mp_clear(&key->n); |
wolfSSL | 13:f67a6c6013ca | 250 | mp_clear(&key->e); |
wolfSSL | 13:f67a6c6013ca | 251 | return ret; |
wolfSSL | 13:f67a6c6013ca | 252 | } |
wolfSSL | 13:f67a6c6013ca | 253 | |
wolfSSL | 13:f67a6c6013ca | 254 | #ifdef WOLFSSL_XILINX_CRYPT |
wolfSSL | 13:f67a6c6013ca | 255 | key->pubExp = 0; |
wolfSSL | 13:f67a6c6013ca | 256 | key->mod = NULL; |
wolfSSL | 13:f67a6c6013ca | 257 | #endif |
wolfSSL | 13:f67a6c6013ca | 258 | |
wolfSSL | 13:f67a6c6013ca | 259 | return ret; |
wolfSSL | 13:f67a6c6013ca | 260 | } |
wolfSSL | 13:f67a6c6013ca | 261 | |
wolfSSL | 13:f67a6c6013ca | 262 | int wc_InitRsaKey(RsaKey* key, void* heap) |
wolfSSL | 13:f67a6c6013ca | 263 | { |
wolfSSL | 13:f67a6c6013ca | 264 | return wc_InitRsaKey_ex(key, heap, INVALID_DEVID); |
wolfSSL | 13:f67a6c6013ca | 265 | } |
wolfSSL | 13:f67a6c6013ca | 266 | |
wolfSSL | 13:f67a6c6013ca | 267 | |
wolfSSL | 13:f67a6c6013ca | 268 | #ifdef WOLFSSL_XILINX_CRYPT |
wolfSSL | 13:f67a6c6013ca | 269 | #define MAX_E_SIZE 4 |
wolfSSL | 13:f67a6c6013ca | 270 | /* Used to setup hardware state |
wolfSSL | 13:f67a6c6013ca | 271 | * |
wolfSSL | 13:f67a6c6013ca | 272 | * key the RSA key to setup |
wolfSSL | 13:f67a6c6013ca | 273 | * |
wolfSSL | 13:f67a6c6013ca | 274 | * returns 0 on success |
wolfSSL | 13:f67a6c6013ca | 275 | */ |
wolfSSL | 13:f67a6c6013ca | 276 | int wc_InitRsaHw(RsaKey* key) |
wolfSSL | 13:f67a6c6013ca | 277 | { |
wolfSSL | 13:f67a6c6013ca | 278 | unsigned char* m; /* RSA modulous */ |
wolfSSL | 13:f67a6c6013ca | 279 | word32 e = 0; /* RSA public exponent */ |
wolfSSL | 13:f67a6c6013ca | 280 | int mSz; |
wolfSSL | 13:f67a6c6013ca | 281 | int eSz; |
wolfSSL | 13:f67a6c6013ca | 282 | |
wolfSSL | 13:f67a6c6013ca | 283 | if (key == NULL) { |
wolfSSL | 13:f67a6c6013ca | 284 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 285 | } |
wolfSSL | 13:f67a6c6013ca | 286 | |
wolfSSL | 13:f67a6c6013ca | 287 | mSz = mp_unsigned_bin_size(&(key->n)); |
wolfSSL | 13:f67a6c6013ca | 288 | m = (unsigned char*)XMALLOC(mSz, key->heap, DYNAMIC_TYPE_KEY); |
wolfSSL | 13:f67a6c6013ca | 289 | if (m == 0) { |
wolfSSL | 13:f67a6c6013ca | 290 | return MEMORY_E; |
wolfSSL | 13:f67a6c6013ca | 291 | } |
wolfSSL | 13:f67a6c6013ca | 292 | |
wolfSSL | 13:f67a6c6013ca | 293 | if (mp_to_unsigned_bin(&(key->n), m) != MP_OKAY) { |
wolfSSL | 13:f67a6c6013ca | 294 | WOLFSSL_MSG("Unable to get RSA key modulous"); |
wolfSSL | 13:f67a6c6013ca | 295 | XFREE(m, key->heap, DYNAMIC_TYPE_KEY); |
wolfSSL | 13:f67a6c6013ca | 296 | return MP_READ_E; |
wolfSSL | 13:f67a6c6013ca | 297 | } |
wolfSSL | 13:f67a6c6013ca | 298 | |
wolfSSL | 13:f67a6c6013ca | 299 | eSz = mp_unsigned_bin_size(&(key->e)); |
wolfSSL | 13:f67a6c6013ca | 300 | if (eSz > MAX_E_SIZE) { |
wolfSSL | 13:f67a6c6013ca | 301 | WOLFSSL_MSG("Expnonent of size 4 bytes expected"); |
wolfSSL | 13:f67a6c6013ca | 302 | XFREE(m, key->heap, DYNAMIC_TYPE_KEY); |
wolfSSL | 13:f67a6c6013ca | 303 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 304 | } |
wolfSSL | 13:f67a6c6013ca | 305 | |
wolfSSL | 13:f67a6c6013ca | 306 | if (mp_to_unsigned_bin(&(key->e), (byte*)&e + (MAX_E_SIZE - eSz)) |
wolfSSL | 13:f67a6c6013ca | 307 | != MP_OKAY) { |
wolfSSL | 13:f67a6c6013ca | 308 | XFREE(m, key->heap, DYNAMIC_TYPE_KEY); |
wolfSSL | 13:f67a6c6013ca | 309 | WOLFSSL_MSG("Unable to get RSA key exponent"); |
wolfSSL | 13:f67a6c6013ca | 310 | return MP_READ_E; |
wolfSSL | 13:f67a6c6013ca | 311 | } |
wolfSSL | 13:f67a6c6013ca | 312 | |
wolfSSL | 13:f67a6c6013ca | 313 | /* check for existing mod buffer to avoid memory leak */ |
wolfSSL | 13:f67a6c6013ca | 314 | if (key->mod != NULL) { |
wolfSSL | 13:f67a6c6013ca | 315 | XFREE(key->mod, key->heap, DYNAMIC_TYPE_KEY); |
wolfSSL | 13:f67a6c6013ca | 316 | } |
wolfSSL | 13:f67a6c6013ca | 317 | |
wolfSSL | 13:f67a6c6013ca | 318 | key->pubExp = e; |
wolfSSL | 13:f67a6c6013ca | 319 | key->mod = m; |
wolfSSL | 13:f67a6c6013ca | 320 | |
wolfSSL | 13:f67a6c6013ca | 321 | if (XSecure_RsaInitialize(&(key->xRsa), key->mod, NULL, |
wolfSSL | 13:f67a6c6013ca | 322 | (byte*)&(key->pubExp)) != XST_SUCCESS) { |
wolfSSL | 13:f67a6c6013ca | 323 | WOLFSSL_MSG("Unable to initialize RSA on hardware"); |
wolfSSL | 13:f67a6c6013ca | 324 | XFREE(m, key->heap, DYNAMIC_TYPE_KEY); |
wolfSSL | 13:f67a6c6013ca | 325 | return BAD_STATE_E; |
wolfSSL | 13:f67a6c6013ca | 326 | } |
wolfSSL | 13:f67a6c6013ca | 327 | |
wolfSSL | 13:f67a6c6013ca | 328 | #ifdef WOLFSSL_XILINX_PATCH |
wolfSSL | 13:f67a6c6013ca | 329 | /* currently a patch of xsecure_rsa.c for 2048 bit keys */ |
wolfSSL | 13:f67a6c6013ca | 330 | if (wc_RsaEncryptSize(key) == 256) { |
wolfSSL | 13:f67a6c6013ca | 331 | if (XSecure_RsaSetSize(&(key->xRsa), 2048) != XST_SUCCESS) { |
wolfSSL | 13:f67a6c6013ca | 332 | WOLFSSL_MSG("Unable to set RSA key size on hardware"); |
wolfSSL | 13:f67a6c6013ca | 333 | XFREE(m, key->heap, DYNAMIC_TYPE_KEY); |
wolfSSL | 13:f67a6c6013ca | 334 | return BAD_STATE_E; |
wolfSSL | 13:f67a6c6013ca | 335 | } |
wolfSSL | 13:f67a6c6013ca | 336 | } |
wolfSSL | 13:f67a6c6013ca | 337 | #endif |
wolfSSL | 13:f67a6c6013ca | 338 | |
wolfSSL | 13:f67a6c6013ca | 339 | return 0; |
wolfSSL | 13:f67a6c6013ca | 340 | } |
wolfSSL | 13:f67a6c6013ca | 341 | #endif /* WOLFSSL_XILINX_CRYPT */ |
wolfSSL | 13:f67a6c6013ca | 342 | |
wolfSSL | 13:f67a6c6013ca | 343 | int wc_FreeRsaKey(RsaKey* key) |
wolfSSL | 13:f67a6c6013ca | 344 | { |
wolfSSL | 13:f67a6c6013ca | 345 | int ret = 0; |
wolfSSL | 13:f67a6c6013ca | 346 | |
wolfSSL | 13:f67a6c6013ca | 347 | if (key == NULL) { |
wolfSSL | 13:f67a6c6013ca | 348 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 349 | } |
wolfSSL | 13:f67a6c6013ca | 350 | |
wolfSSL | 13:f67a6c6013ca | 351 | wc_RsaCleanup(key); |
wolfSSL | 13:f67a6c6013ca | 352 | |
wolfSSL | 13:f67a6c6013ca | 353 | #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_RSA) |
wolfSSL | 13:f67a6c6013ca | 354 | wolfAsync_DevCtxFree(&key->asyncDev, WOLFSSL_ASYNC_MARKER_RSA); |
wolfSSL | 13:f67a6c6013ca | 355 | #endif |
wolfSSL | 13:f67a6c6013ca | 356 | |
wolfSSL | 13:f67a6c6013ca | 357 | if (key->type == RSA_PRIVATE) { |
wolfSSL | 13:f67a6c6013ca | 358 | mp_forcezero(&key->u); |
wolfSSL | 13:f67a6c6013ca | 359 | mp_forcezero(&key->dQ); |
wolfSSL | 13:f67a6c6013ca | 360 | mp_forcezero(&key->dP); |
wolfSSL | 13:f67a6c6013ca | 361 | mp_forcezero(&key->q); |
wolfSSL | 13:f67a6c6013ca | 362 | mp_forcezero(&key->p); |
wolfSSL | 13:f67a6c6013ca | 363 | mp_forcezero(&key->d); |
wolfSSL | 13:f67a6c6013ca | 364 | } |
wolfSSL | 13:f67a6c6013ca | 365 | /* private part */ |
wolfSSL | 13:f67a6c6013ca | 366 | mp_clear(&key->u); |
wolfSSL | 13:f67a6c6013ca | 367 | mp_clear(&key->dQ); |
wolfSSL | 13:f67a6c6013ca | 368 | mp_clear(&key->dP); |
wolfSSL | 13:f67a6c6013ca | 369 | mp_clear(&key->q); |
wolfSSL | 13:f67a6c6013ca | 370 | mp_clear(&key->p); |
wolfSSL | 13:f67a6c6013ca | 371 | mp_clear(&key->d); |
wolfSSL | 13:f67a6c6013ca | 372 | |
wolfSSL | 13:f67a6c6013ca | 373 | /* public part */ |
wolfSSL | 13:f67a6c6013ca | 374 | mp_clear(&key->e); |
wolfSSL | 13:f67a6c6013ca | 375 | mp_clear(&key->n); |
wolfSSL | 13:f67a6c6013ca | 376 | |
wolfSSL | 13:f67a6c6013ca | 377 | #ifdef WOLFSSL_XILINX_CRYPT |
wolfSSL | 13:f67a6c6013ca | 378 | XFREE(key->mod, key->heap, DYNAMIC_TYPE_KEY); |
wolfSSL | 13:f67a6c6013ca | 379 | key->mod = NULL; |
wolfSSL | 13:f67a6c6013ca | 380 | #endif |
wolfSSL | 13:f67a6c6013ca | 381 | |
wolfSSL | 13:f67a6c6013ca | 382 | return ret; |
wolfSSL | 13:f67a6c6013ca | 383 | } |
wolfSSL | 13:f67a6c6013ca | 384 | |
wolfSSL | 13:f67a6c6013ca | 385 | |
wolfSSL | 13:f67a6c6013ca | 386 | #if !defined(WC_NO_RSA_OAEP) || defined(WC_RSA_PSS) |
wolfSSL | 13:f67a6c6013ca | 387 | /* Uses MGF1 standard as a mask generation function |
wolfSSL | 13:f67a6c6013ca | 388 | hType: hash type used |
wolfSSL | 13:f67a6c6013ca | 389 | seed: seed to use for generating mask |
wolfSSL | 13:f67a6c6013ca | 390 | seedSz: size of seed buffer |
wolfSSL | 13:f67a6c6013ca | 391 | out: mask output after generation |
wolfSSL | 13:f67a6c6013ca | 392 | outSz: size of output buffer |
wolfSSL | 13:f67a6c6013ca | 393 | */ |
wolfSSL | 13:f67a6c6013ca | 394 | static int RsaMGF1(enum wc_HashType hType, byte* seed, word32 seedSz, |
wolfSSL | 13:f67a6c6013ca | 395 | byte* out, word32 outSz, void* heap) |
wolfSSL | 13:f67a6c6013ca | 396 | { |
wolfSSL | 13:f67a6c6013ca | 397 | byte* tmp; |
wolfSSL | 13:f67a6c6013ca | 398 | /* needs to be large enough for seed size plus counter(4) */ |
wolfSSL | 13:f67a6c6013ca | 399 | byte tmpA[WC_MAX_DIGEST_SIZE + 4]; |
wolfSSL | 13:f67a6c6013ca | 400 | byte tmpF; /* 1 if dynamic memory needs freed */ |
wolfSSL | 13:f67a6c6013ca | 401 | word32 tmpSz; |
wolfSSL | 13:f67a6c6013ca | 402 | int hLen; |
wolfSSL | 13:f67a6c6013ca | 403 | int ret; |
wolfSSL | 13:f67a6c6013ca | 404 | word32 counter; |
wolfSSL | 13:f67a6c6013ca | 405 | word32 idx; |
wolfSSL | 13:f67a6c6013ca | 406 | hLen = wc_HashGetDigestSize(hType); |
wolfSSL | 13:f67a6c6013ca | 407 | counter = 0; |
wolfSSL | 13:f67a6c6013ca | 408 | idx = 0; |
wolfSSL | 13:f67a6c6013ca | 409 | |
wolfSSL | 13:f67a6c6013ca | 410 | (void)heap; |
wolfSSL | 13:f67a6c6013ca | 411 | |
wolfSSL | 13:f67a6c6013ca | 412 | /* check error return of wc_HashGetDigestSize */ |
wolfSSL | 13:f67a6c6013ca | 413 | if (hLen < 0) { |
wolfSSL | 13:f67a6c6013ca | 414 | return hLen; |
wolfSSL | 13:f67a6c6013ca | 415 | } |
wolfSSL | 13:f67a6c6013ca | 416 | |
wolfSSL | 13:f67a6c6013ca | 417 | /* if tmp is not large enough than use some dynamic memory */ |
wolfSSL | 13:f67a6c6013ca | 418 | if ((seedSz + 4) > sizeof(tmpA) || (word32)hLen > sizeof(tmpA)) { |
wolfSSL | 13:f67a6c6013ca | 419 | /* find largest amount of memory needed which will be the max of |
wolfSSL | 13:f67a6c6013ca | 420 | * hLen and (seedSz + 4) since tmp is used to store the hash digest */ |
wolfSSL | 13:f67a6c6013ca | 421 | tmpSz = ((seedSz + 4) > (word32)hLen)? seedSz + 4: (word32)hLen; |
wolfSSL | 13:f67a6c6013ca | 422 | tmp = (byte*)XMALLOC(tmpSz, heap, DYNAMIC_TYPE_RSA_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 423 | if (tmp == NULL) { |
wolfSSL | 13:f67a6c6013ca | 424 | return MEMORY_E; |
wolfSSL | 13:f67a6c6013ca | 425 | } |
wolfSSL | 13:f67a6c6013ca | 426 | tmpF = 1; /* make sure to free memory when done */ |
wolfSSL | 13:f67a6c6013ca | 427 | } |
wolfSSL | 13:f67a6c6013ca | 428 | else { |
wolfSSL | 13:f67a6c6013ca | 429 | /* use array on the stack */ |
wolfSSL | 13:f67a6c6013ca | 430 | tmpSz = sizeof(tmpA); |
wolfSSL | 13:f67a6c6013ca | 431 | tmp = tmpA; |
wolfSSL | 13:f67a6c6013ca | 432 | tmpF = 0; /* no need to free memory at end */ |
wolfSSL | 13:f67a6c6013ca | 433 | } |
wolfSSL | 13:f67a6c6013ca | 434 | |
wolfSSL | 13:f67a6c6013ca | 435 | do { |
wolfSSL | 13:f67a6c6013ca | 436 | int i = 0; |
wolfSSL | 13:f67a6c6013ca | 437 | XMEMCPY(tmp, seed, seedSz); |
wolfSSL | 13:f67a6c6013ca | 438 | |
wolfSSL | 13:f67a6c6013ca | 439 | /* counter to byte array appended to tmp */ |
wolfSSL | 13:f67a6c6013ca | 440 | tmp[seedSz] = (counter >> 24) & 0xFF; |
wolfSSL | 13:f67a6c6013ca | 441 | tmp[seedSz + 1] = (counter >> 16) & 0xFF; |
wolfSSL | 13:f67a6c6013ca | 442 | tmp[seedSz + 2] = (counter >> 8) & 0xFF; |
wolfSSL | 13:f67a6c6013ca | 443 | tmp[seedSz + 3] = (counter) & 0xFF; |
wolfSSL | 13:f67a6c6013ca | 444 | |
wolfSSL | 13:f67a6c6013ca | 445 | /* hash and append to existing output */ |
wolfSSL | 13:f67a6c6013ca | 446 | if ((ret = wc_Hash(hType, tmp, (seedSz + 4), tmp, tmpSz)) != 0) { |
wolfSSL | 13:f67a6c6013ca | 447 | /* check for if dynamic memory was needed, then free */ |
wolfSSL | 13:f67a6c6013ca | 448 | if (tmpF) { |
wolfSSL | 13:f67a6c6013ca | 449 | XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 450 | } |
wolfSSL | 13:f67a6c6013ca | 451 | return ret; |
wolfSSL | 13:f67a6c6013ca | 452 | } |
wolfSSL | 13:f67a6c6013ca | 453 | |
wolfSSL | 13:f67a6c6013ca | 454 | for (i = 0; i < hLen && idx < outSz; i++) { |
wolfSSL | 13:f67a6c6013ca | 455 | out[idx++] = tmp[i]; |
wolfSSL | 13:f67a6c6013ca | 456 | } |
wolfSSL | 13:f67a6c6013ca | 457 | counter++; |
wolfSSL | 13:f67a6c6013ca | 458 | } while (idx < outSz); |
wolfSSL | 13:f67a6c6013ca | 459 | |
wolfSSL | 13:f67a6c6013ca | 460 | /* check for if dynamic memory was needed, then free */ |
wolfSSL | 13:f67a6c6013ca | 461 | if (tmpF) { |
wolfSSL | 13:f67a6c6013ca | 462 | XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 463 | } |
wolfSSL | 13:f67a6c6013ca | 464 | |
wolfSSL | 13:f67a6c6013ca | 465 | return 0; |
wolfSSL | 13:f67a6c6013ca | 466 | } |
wolfSSL | 13:f67a6c6013ca | 467 | |
wolfSSL | 13:f67a6c6013ca | 468 | /* helper function to direct which mask generation function is used |
wolfSSL | 13:f67a6c6013ca | 469 | switeched on type input |
wolfSSL | 13:f67a6c6013ca | 470 | */ |
wolfSSL | 13:f67a6c6013ca | 471 | static int RsaMGF(int type, byte* seed, word32 seedSz, byte* out, |
wolfSSL | 13:f67a6c6013ca | 472 | word32 outSz, void* heap) |
wolfSSL | 13:f67a6c6013ca | 473 | { |
wolfSSL | 13:f67a6c6013ca | 474 | int ret; |
wolfSSL | 13:f67a6c6013ca | 475 | |
wolfSSL | 13:f67a6c6013ca | 476 | switch(type) { |
wolfSSL | 13:f67a6c6013ca | 477 | #ifndef NO_SHA |
wolfSSL | 13:f67a6c6013ca | 478 | case WC_MGF1SHA1: |
wolfSSL | 13:f67a6c6013ca | 479 | ret = RsaMGF1(WC_HASH_TYPE_SHA, seed, seedSz, out, outSz, heap); |
wolfSSL | 13:f67a6c6013ca | 480 | break; |
wolfSSL | 13:f67a6c6013ca | 481 | #endif |
wolfSSL | 13:f67a6c6013ca | 482 | #ifndef NO_SHA256 |
wolfSSL | 13:f67a6c6013ca | 483 | #ifdef WOLFSSL_SHA224 |
wolfSSL | 13:f67a6c6013ca | 484 | case WC_MGF1SHA224: |
wolfSSL | 13:f67a6c6013ca | 485 | ret = RsaMGF1(WC_HASH_TYPE_SHA224, seed, seedSz, out, outSz, heap); |
wolfSSL | 13:f67a6c6013ca | 486 | break; |
wolfSSL | 13:f67a6c6013ca | 487 | #endif |
wolfSSL | 13:f67a6c6013ca | 488 | case WC_MGF1SHA256: |
wolfSSL | 13:f67a6c6013ca | 489 | ret = RsaMGF1(WC_HASH_TYPE_SHA256, seed, seedSz, out, outSz, heap); |
wolfSSL | 13:f67a6c6013ca | 490 | break; |
wolfSSL | 13:f67a6c6013ca | 491 | #endif |
wolfSSL | 13:f67a6c6013ca | 492 | #ifdef WOLFSSL_SHA512 |
wolfSSL | 13:f67a6c6013ca | 493 | #ifdef WOLFSSL_SHA384 |
wolfSSL | 13:f67a6c6013ca | 494 | case WC_MGF1SHA384: |
wolfSSL | 13:f67a6c6013ca | 495 | ret = RsaMGF1(WC_HASH_TYPE_SHA384, seed, seedSz, out, outSz, heap); |
wolfSSL | 13:f67a6c6013ca | 496 | break; |
wolfSSL | 13:f67a6c6013ca | 497 | #endif |
wolfSSL | 13:f67a6c6013ca | 498 | case WC_MGF1SHA512: |
wolfSSL | 13:f67a6c6013ca | 499 | ret = RsaMGF1(WC_HASH_TYPE_SHA512, seed, seedSz, out, outSz, heap); |
wolfSSL | 13:f67a6c6013ca | 500 | break; |
wolfSSL | 13:f67a6c6013ca | 501 | #endif |
wolfSSL | 13:f67a6c6013ca | 502 | default: |
wolfSSL | 13:f67a6c6013ca | 503 | WOLFSSL_MSG("Unknown MGF type: check build options"); |
wolfSSL | 13:f67a6c6013ca | 504 | ret = BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 505 | } |
wolfSSL | 13:f67a6c6013ca | 506 | |
wolfSSL | 13:f67a6c6013ca | 507 | /* in case of default avoid unused warning */ |
wolfSSL | 13:f67a6c6013ca | 508 | (void)seed; |
wolfSSL | 13:f67a6c6013ca | 509 | (void)seedSz; |
wolfSSL | 13:f67a6c6013ca | 510 | (void)out; |
wolfSSL | 13:f67a6c6013ca | 511 | (void)outSz; |
wolfSSL | 13:f67a6c6013ca | 512 | (void)heap; |
wolfSSL | 13:f67a6c6013ca | 513 | |
wolfSSL | 13:f67a6c6013ca | 514 | return ret; |
wolfSSL | 13:f67a6c6013ca | 515 | } |
wolfSSL | 13:f67a6c6013ca | 516 | #endif /* !WC_NO_RSA_OAEP */ |
wolfSSL | 13:f67a6c6013ca | 517 | |
wolfSSL | 13:f67a6c6013ca | 518 | |
wolfSSL | 13:f67a6c6013ca | 519 | /* Padding */ |
wolfSSL | 13:f67a6c6013ca | 520 | #ifndef WC_NO_RSA_OAEP |
wolfSSL | 13:f67a6c6013ca | 521 | static int RsaPad_OAEP(const byte* input, word32 inputLen, byte* pkcsBlock, |
wolfSSL | 13:f67a6c6013ca | 522 | word32 pkcsBlockLen, byte padValue, WC_RNG* rng, |
wolfSSL | 13:f67a6c6013ca | 523 | enum wc_HashType hType, int mgf, byte* optLabel, word32 labelLen, |
wolfSSL | 13:f67a6c6013ca | 524 | void* heap) |
wolfSSL | 13:f67a6c6013ca | 525 | { |
wolfSSL | 13:f67a6c6013ca | 526 | int ret; |
wolfSSL | 13:f67a6c6013ca | 527 | int hLen; |
wolfSSL | 13:f67a6c6013ca | 528 | int psLen; |
wolfSSL | 13:f67a6c6013ca | 529 | int i; |
wolfSSL | 13:f67a6c6013ca | 530 | word32 idx; |
wolfSSL | 13:f67a6c6013ca | 531 | |
wolfSSL | 13:f67a6c6013ca | 532 | byte* dbMask; |
wolfSSL | 13:f67a6c6013ca | 533 | |
wolfSSL | 13:f67a6c6013ca | 534 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 535 | byte* lHash = NULL; |
wolfSSL | 13:f67a6c6013ca | 536 | byte* seed = NULL; |
wolfSSL | 13:f67a6c6013ca | 537 | #else |
wolfSSL | 13:f67a6c6013ca | 538 | /* must be large enough to contain largest hash */ |
wolfSSL | 13:f67a6c6013ca | 539 | byte lHash[WC_MAX_DIGEST_SIZE]; |
wolfSSL | 13:f67a6c6013ca | 540 | byte seed[ WC_MAX_DIGEST_SIZE]; |
wolfSSL | 13:f67a6c6013ca | 541 | #endif |
wolfSSL | 13:f67a6c6013ca | 542 | |
wolfSSL | 13:f67a6c6013ca | 543 | /* no label is allowed, but catch if no label provided and length > 0 */ |
wolfSSL | 13:f67a6c6013ca | 544 | if (optLabel == NULL && labelLen > 0) { |
wolfSSL | 13:f67a6c6013ca | 545 | return BUFFER_E; |
wolfSSL | 13:f67a6c6013ca | 546 | } |
wolfSSL | 13:f67a6c6013ca | 547 | |
wolfSSL | 13:f67a6c6013ca | 548 | /* limit of label is the same as limit of hash function which is massive */ |
wolfSSL | 13:f67a6c6013ca | 549 | hLen = wc_HashGetDigestSize(hType); |
wolfSSL | 13:f67a6c6013ca | 550 | if (hLen < 0) { |
wolfSSL | 13:f67a6c6013ca | 551 | return hLen; |
wolfSSL | 13:f67a6c6013ca | 552 | } |
wolfSSL | 13:f67a6c6013ca | 553 | |
wolfSSL | 13:f67a6c6013ca | 554 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 555 | lHash = (byte*)XMALLOC(hLen, heap, DYNAMIC_TYPE_RSA_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 556 | if (lHash == NULL) { |
wolfSSL | 13:f67a6c6013ca | 557 | return MEMORY_E; |
wolfSSL | 13:f67a6c6013ca | 558 | } |
wolfSSL | 13:f67a6c6013ca | 559 | seed = (byte*)XMALLOC(hLen, heap, DYNAMIC_TYPE_RSA_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 560 | if (seed == NULL) { |
wolfSSL | 13:f67a6c6013ca | 561 | XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 562 | return MEMORY_E; |
wolfSSL | 13:f67a6c6013ca | 563 | } |
wolfSSL | 13:f67a6c6013ca | 564 | #else |
wolfSSL | 13:f67a6c6013ca | 565 | /* hLen should never be larger than lHash since size is max digest size, |
wolfSSL | 13:f67a6c6013ca | 566 | but check before blindly calling wc_Hash */ |
wolfSSL | 13:f67a6c6013ca | 567 | if ((word32)hLen > sizeof(lHash)) { |
wolfSSL | 13:f67a6c6013ca | 568 | WOLFSSL_MSG("OAEP lHash to small for digest!!"); |
wolfSSL | 13:f67a6c6013ca | 569 | return MEMORY_E; |
wolfSSL | 13:f67a6c6013ca | 570 | } |
wolfSSL | 13:f67a6c6013ca | 571 | #endif |
wolfSSL | 13:f67a6c6013ca | 572 | |
wolfSSL | 13:f67a6c6013ca | 573 | if ((ret = wc_Hash(hType, optLabel, labelLen, lHash, hLen)) != 0) { |
wolfSSL | 13:f67a6c6013ca | 574 | WOLFSSL_MSG("OAEP hash type possibly not supported or lHash to small"); |
wolfSSL | 13:f67a6c6013ca | 575 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 576 | XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 577 | XFREE(seed, heap, DYNAMIC_TYPE_RSA_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 578 | #endif |
wolfSSL | 13:f67a6c6013ca | 579 | return ret; |
wolfSSL | 13:f67a6c6013ca | 580 | } |
wolfSSL | 13:f67a6c6013ca | 581 | |
wolfSSL | 13:f67a6c6013ca | 582 | /* handles check of location for idx as well as psLen, cast to int to check |
wolfSSL | 13:f67a6c6013ca | 583 | for pkcsBlockLen(k) - 2 * hLen - 2 being negative |
wolfSSL | 13:f67a6c6013ca | 584 | This check is similar to decryption where k > 2 * hLen + 2 as msg |
wolfSSL | 13:f67a6c6013ca | 585 | size aproaches 0. In decryption if k is less than or equal -- then there |
wolfSSL | 13:f67a6c6013ca | 586 | is no possible room for msg. |
wolfSSL | 13:f67a6c6013ca | 587 | k = RSA key size |
wolfSSL | 13:f67a6c6013ca | 588 | hLen = hash digest size -- will always be >= 0 at this point |
wolfSSL | 13:f67a6c6013ca | 589 | */ |
wolfSSL | 13:f67a6c6013ca | 590 | if ((word32)(2 * hLen + 2) > pkcsBlockLen) { |
wolfSSL | 13:f67a6c6013ca | 591 | WOLFSSL_MSG("OAEP pad error hash to big for RSA key size"); |
wolfSSL | 13:f67a6c6013ca | 592 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 593 | XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 594 | XFREE(seed, heap, DYNAMIC_TYPE_RSA_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 595 | #endif |
wolfSSL | 13:f67a6c6013ca | 596 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 597 | } |
wolfSSL | 13:f67a6c6013ca | 598 | |
wolfSSL | 13:f67a6c6013ca | 599 | if (inputLen > (pkcsBlockLen - 2 * hLen - 2)) { |
wolfSSL | 13:f67a6c6013ca | 600 | WOLFSSL_MSG("OAEP pad error message too long"); |
wolfSSL | 13:f67a6c6013ca | 601 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 602 | XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 603 | XFREE(seed, heap, DYNAMIC_TYPE_RSA_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 604 | #endif |
wolfSSL | 13:f67a6c6013ca | 605 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 606 | } |
wolfSSL | 13:f67a6c6013ca | 607 | |
wolfSSL | 13:f67a6c6013ca | 608 | /* concatenate lHash || PS || 0x01 || msg */ |
wolfSSL | 13:f67a6c6013ca | 609 | idx = pkcsBlockLen - 1 - inputLen; |
wolfSSL | 13:f67a6c6013ca | 610 | psLen = pkcsBlockLen - inputLen - 2 * hLen - 2; |
wolfSSL | 13:f67a6c6013ca | 611 | if (pkcsBlockLen < inputLen) { /*make sure not writing over end of buffer */ |
wolfSSL | 13:f67a6c6013ca | 612 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 613 | XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 614 | XFREE(seed, heap, DYNAMIC_TYPE_RSA_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 615 | #endif |
wolfSSL | 13:f67a6c6013ca | 616 | return BUFFER_E; |
wolfSSL | 13:f67a6c6013ca | 617 | } |
wolfSSL | 13:f67a6c6013ca | 618 | XMEMCPY(pkcsBlock + (pkcsBlockLen - inputLen), input, inputLen); |
wolfSSL | 13:f67a6c6013ca | 619 | pkcsBlock[idx--] = 0x01; /* PS and M separator */ |
wolfSSL | 13:f67a6c6013ca | 620 | while (psLen > 0 && idx > 0) { |
wolfSSL | 13:f67a6c6013ca | 621 | pkcsBlock[idx--] = 0x00; |
wolfSSL | 13:f67a6c6013ca | 622 | psLen--; |
wolfSSL | 13:f67a6c6013ca | 623 | } |
wolfSSL | 13:f67a6c6013ca | 624 | |
wolfSSL | 13:f67a6c6013ca | 625 | idx = idx - hLen + 1; |
wolfSSL | 13:f67a6c6013ca | 626 | XMEMCPY(pkcsBlock + idx, lHash, hLen); |
wolfSSL | 13:f67a6c6013ca | 627 | |
wolfSSL | 13:f67a6c6013ca | 628 | /* generate random seed */ |
wolfSSL | 13:f67a6c6013ca | 629 | if ((ret = wc_RNG_GenerateBlock(rng, seed, hLen)) != 0) { |
wolfSSL | 13:f67a6c6013ca | 630 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 631 | XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 632 | XFREE(seed, heap, DYNAMIC_TYPE_RSA_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 633 | #endif |
wolfSSL | 13:f67a6c6013ca | 634 | return ret; |
wolfSSL | 13:f67a6c6013ca | 635 | } |
wolfSSL | 13:f67a6c6013ca | 636 | |
wolfSSL | 13:f67a6c6013ca | 637 | /* create maskedDB from dbMask */ |
wolfSSL | 13:f67a6c6013ca | 638 | dbMask = (byte*)XMALLOC(pkcsBlockLen - hLen - 1, heap, DYNAMIC_TYPE_RSA); |
wolfSSL | 13:f67a6c6013ca | 639 | if (dbMask == NULL) { |
wolfSSL | 13:f67a6c6013ca | 640 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 641 | XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 642 | XFREE(seed, heap, DYNAMIC_TYPE_RSA_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 643 | #endif |
wolfSSL | 13:f67a6c6013ca | 644 | return MEMORY_E; |
wolfSSL | 13:f67a6c6013ca | 645 | } |
wolfSSL | 13:f67a6c6013ca | 646 | XMEMSET(dbMask, 0, pkcsBlockLen - hLen - 1); /* help static analyzer */ |
wolfSSL | 13:f67a6c6013ca | 647 | |
wolfSSL | 13:f67a6c6013ca | 648 | ret = RsaMGF(mgf, seed, hLen, dbMask, pkcsBlockLen - hLen - 1, heap); |
wolfSSL | 13:f67a6c6013ca | 649 | if (ret != 0) { |
wolfSSL | 13:f67a6c6013ca | 650 | XFREE(dbMask, heap, DYNAMIC_TYPE_RSA); |
wolfSSL | 13:f67a6c6013ca | 651 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 652 | XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 653 | XFREE(seed, heap, DYNAMIC_TYPE_RSA_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 654 | #endif |
wolfSSL | 13:f67a6c6013ca | 655 | return ret; |
wolfSSL | 13:f67a6c6013ca | 656 | } |
wolfSSL | 13:f67a6c6013ca | 657 | |
wolfSSL | 13:f67a6c6013ca | 658 | i = 0; |
wolfSSL | 13:f67a6c6013ca | 659 | idx = hLen + 1; |
wolfSSL | 13:f67a6c6013ca | 660 | while (idx < pkcsBlockLen && (word32)i < (pkcsBlockLen - hLen -1)) { |
wolfSSL | 13:f67a6c6013ca | 661 | pkcsBlock[idx] = dbMask[i++] ^ pkcsBlock[idx]; |
wolfSSL | 13:f67a6c6013ca | 662 | idx++; |
wolfSSL | 13:f67a6c6013ca | 663 | } |
wolfSSL | 13:f67a6c6013ca | 664 | XFREE(dbMask, heap, DYNAMIC_TYPE_RSA); |
wolfSSL | 13:f67a6c6013ca | 665 | |
wolfSSL | 13:f67a6c6013ca | 666 | |
wolfSSL | 13:f67a6c6013ca | 667 | /* create maskedSeed from seedMask */ |
wolfSSL | 13:f67a6c6013ca | 668 | idx = 0; |
wolfSSL | 13:f67a6c6013ca | 669 | pkcsBlock[idx++] = 0x00; |
wolfSSL | 13:f67a6c6013ca | 670 | /* create seedMask inline */ |
wolfSSL | 13:f67a6c6013ca | 671 | if ((ret = RsaMGF(mgf, pkcsBlock + hLen + 1, pkcsBlockLen - hLen - 1, |
wolfSSL | 13:f67a6c6013ca | 672 | pkcsBlock + 1, hLen, heap)) != 0) { |
wolfSSL | 13:f67a6c6013ca | 673 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 674 | XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 675 | XFREE(seed, heap, DYNAMIC_TYPE_RSA_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 676 | #endif |
wolfSSL | 13:f67a6c6013ca | 677 | return ret; |
wolfSSL | 13:f67a6c6013ca | 678 | } |
wolfSSL | 13:f67a6c6013ca | 679 | |
wolfSSL | 13:f67a6c6013ca | 680 | /* xor created seedMask with seed to make maskedSeed */ |
wolfSSL | 13:f67a6c6013ca | 681 | i = 0; |
wolfSSL | 13:f67a6c6013ca | 682 | while (idx < (word32)(hLen + 1) && i < hLen) { |
wolfSSL | 13:f67a6c6013ca | 683 | pkcsBlock[idx] = pkcsBlock[idx] ^ seed[i++]; |
wolfSSL | 13:f67a6c6013ca | 684 | idx++; |
wolfSSL | 13:f67a6c6013ca | 685 | } |
wolfSSL | 13:f67a6c6013ca | 686 | |
wolfSSL | 13:f67a6c6013ca | 687 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 13:f67a6c6013ca | 688 | XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 689 | XFREE(seed, heap, DYNAMIC_TYPE_RSA_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 690 | #endif |
wolfSSL | 13:f67a6c6013ca | 691 | (void)padValue; |
wolfSSL | 13:f67a6c6013ca | 692 | |
wolfSSL | 13:f67a6c6013ca | 693 | return 0; |
wolfSSL | 13:f67a6c6013ca | 694 | } |
wolfSSL | 13:f67a6c6013ca | 695 | #endif /* !WC_NO_RSA_OAEP */ |
wolfSSL | 13:f67a6c6013ca | 696 | |
wolfSSL | 13:f67a6c6013ca | 697 | #ifdef WC_RSA_PSS |
wolfSSL | 13:f67a6c6013ca | 698 | /* 0x00 .. 0x00 0x01 | Salt | Gen Hash | 0xbc |
wolfSSL | 13:f67a6c6013ca | 699 | * XOR MGF over all bytes down to end of Salt |
wolfSSL | 13:f67a6c6013ca | 700 | * Gen Hash = HASH(8 * 0x00 | Message Hash | Salt) |
wolfSSL | 13:f67a6c6013ca | 701 | */ |
wolfSSL | 13:f67a6c6013ca | 702 | static int RsaPad_PSS(const byte* input, word32 inputLen, byte* pkcsBlock, |
wolfSSL | 13:f67a6c6013ca | 703 | word32 pkcsBlockLen, WC_RNG* rng, enum wc_HashType hType, int mgf, |
wolfSSL | 13:f67a6c6013ca | 704 | int bits, void* heap) |
wolfSSL | 13:f67a6c6013ca | 705 | { |
wolfSSL | 13:f67a6c6013ca | 706 | int ret; |
wolfSSL | 13:f67a6c6013ca | 707 | int hLen, i; |
wolfSSL | 13:f67a6c6013ca | 708 | byte* s; |
wolfSSL | 13:f67a6c6013ca | 709 | byte* m; |
wolfSSL | 13:f67a6c6013ca | 710 | byte* h; |
wolfSSL | 13:f67a6c6013ca | 711 | byte salt[WC_MAX_DIGEST_SIZE]; |
wolfSSL | 13:f67a6c6013ca | 712 | |
wolfSSL | 13:f67a6c6013ca | 713 | hLen = wc_HashGetDigestSize(hType); |
wolfSSL | 13:f67a6c6013ca | 714 | if (hLen < 0) |
wolfSSL | 13:f67a6c6013ca | 715 | return hLen; |
wolfSSL | 13:f67a6c6013ca | 716 | |
wolfSSL | 13:f67a6c6013ca | 717 | s = m = pkcsBlock; |
wolfSSL | 13:f67a6c6013ca | 718 | XMEMSET(m, 0, 8); |
wolfSSL | 13:f67a6c6013ca | 719 | m += 8; |
wolfSSL | 13:f67a6c6013ca | 720 | XMEMCPY(m, input, inputLen); |
wolfSSL | 13:f67a6c6013ca | 721 | m += inputLen; |
wolfSSL | 13:f67a6c6013ca | 722 | if ((ret = wc_RNG_GenerateBlock(rng, salt, hLen)) != 0) |
wolfSSL | 13:f67a6c6013ca | 723 | return ret; |
wolfSSL | 13:f67a6c6013ca | 724 | XMEMCPY(m, salt, hLen); |
wolfSSL | 13:f67a6c6013ca | 725 | m += hLen; |
wolfSSL | 13:f67a6c6013ca | 726 | |
wolfSSL | 13:f67a6c6013ca | 727 | h = pkcsBlock + pkcsBlockLen - 1 - hLen; |
wolfSSL | 13:f67a6c6013ca | 728 | if ((ret = wc_Hash(hType, s, (word32)(m - s), h, hLen)) != 0) |
wolfSSL | 13:f67a6c6013ca | 729 | return ret; |
wolfSSL | 13:f67a6c6013ca | 730 | pkcsBlock[pkcsBlockLen - 1] = 0xbc; |
wolfSSL | 13:f67a6c6013ca | 731 | |
wolfSSL | 13:f67a6c6013ca | 732 | ret = RsaMGF(mgf, h, hLen, pkcsBlock, pkcsBlockLen - hLen - 1, heap); |
wolfSSL | 13:f67a6c6013ca | 733 | if (ret != 0) |
wolfSSL | 13:f67a6c6013ca | 734 | return ret; |
wolfSSL | 13:f67a6c6013ca | 735 | pkcsBlock[0] &= (1 << ((bits - 1) & 0x7)) - 1; |
wolfSSL | 13:f67a6c6013ca | 736 | |
wolfSSL | 13:f67a6c6013ca | 737 | m = pkcsBlock + pkcsBlockLen - 1 - hLen - hLen - 1; |
wolfSSL | 13:f67a6c6013ca | 738 | *(m++) ^= 0x01; |
wolfSSL | 13:f67a6c6013ca | 739 | for (i = 0; i < hLen; i++) |
wolfSSL | 13:f67a6c6013ca | 740 | m[i] ^= salt[i]; |
wolfSSL | 13:f67a6c6013ca | 741 | |
wolfSSL | 13:f67a6c6013ca | 742 | return 0; |
wolfSSL | 13:f67a6c6013ca | 743 | } |
wolfSSL | 13:f67a6c6013ca | 744 | #endif |
wolfSSL | 13:f67a6c6013ca | 745 | |
wolfSSL | 13:f67a6c6013ca | 746 | static int RsaPad(const byte* input, word32 inputLen, byte* pkcsBlock, |
wolfSSL | 13:f67a6c6013ca | 747 | word32 pkcsBlockLen, byte padValue, WC_RNG* rng) |
wolfSSL | 13:f67a6c6013ca | 748 | { |
wolfSSL | 13:f67a6c6013ca | 749 | if (input == NULL || inputLen == 0 || pkcsBlock == NULL || |
wolfSSL | 13:f67a6c6013ca | 750 | pkcsBlockLen == 0) { |
wolfSSL | 13:f67a6c6013ca | 751 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 752 | } |
wolfSSL | 13:f67a6c6013ca | 753 | |
wolfSSL | 13:f67a6c6013ca | 754 | pkcsBlock[0] = 0x0; /* set first byte to zero and advance */ |
wolfSSL | 13:f67a6c6013ca | 755 | pkcsBlock++; pkcsBlockLen--; |
wolfSSL | 13:f67a6c6013ca | 756 | pkcsBlock[0] = padValue; /* insert padValue */ |
wolfSSL | 13:f67a6c6013ca | 757 | |
wolfSSL | 13:f67a6c6013ca | 758 | if (padValue == RSA_BLOCK_TYPE_1) { |
wolfSSL | 13:f67a6c6013ca | 759 | if (pkcsBlockLen < inputLen + 2) { |
wolfSSL | 13:f67a6c6013ca | 760 | WOLFSSL_MSG("RsaPad error, invalid length"); |
wolfSSL | 13:f67a6c6013ca | 761 | return RSA_PAD_E; |
wolfSSL | 13:f67a6c6013ca | 762 | } |
wolfSSL | 13:f67a6c6013ca | 763 | |
wolfSSL | 13:f67a6c6013ca | 764 | /* pad with 0xff bytes */ |
wolfSSL | 13:f67a6c6013ca | 765 | XMEMSET(&pkcsBlock[1], 0xFF, pkcsBlockLen - inputLen - 2); |
wolfSSL | 13:f67a6c6013ca | 766 | } |
wolfSSL | 13:f67a6c6013ca | 767 | else { |
wolfSSL | 13:f67a6c6013ca | 768 | /* pad with non-zero random bytes */ |
wolfSSL | 13:f67a6c6013ca | 769 | word32 padLen, i; |
wolfSSL | 13:f67a6c6013ca | 770 | int ret; |
wolfSSL | 13:f67a6c6013ca | 771 | |
wolfSSL | 13:f67a6c6013ca | 772 | if (pkcsBlockLen < inputLen + 1) { |
wolfSSL | 13:f67a6c6013ca | 773 | WOLFSSL_MSG("RsaPad error, invalid length"); |
wolfSSL | 13:f67a6c6013ca | 774 | return RSA_PAD_E; |
wolfSSL | 13:f67a6c6013ca | 775 | } |
wolfSSL | 13:f67a6c6013ca | 776 | |
wolfSSL | 13:f67a6c6013ca | 777 | padLen = pkcsBlockLen - inputLen - 1; |
wolfSSL | 13:f67a6c6013ca | 778 | ret = wc_RNG_GenerateBlock(rng, &pkcsBlock[1], padLen); |
wolfSSL | 13:f67a6c6013ca | 779 | if (ret != 0) { |
wolfSSL | 13:f67a6c6013ca | 780 | return ret; |
wolfSSL | 13:f67a6c6013ca | 781 | } |
wolfSSL | 13:f67a6c6013ca | 782 | |
wolfSSL | 13:f67a6c6013ca | 783 | /* remove zeros */ |
wolfSSL | 13:f67a6c6013ca | 784 | for (i = 1; i < padLen; i++) { |
wolfSSL | 13:f67a6c6013ca | 785 | if (pkcsBlock[i] == 0) pkcsBlock[i] = 0x01; |
wolfSSL | 13:f67a6c6013ca | 786 | } |
wolfSSL | 13:f67a6c6013ca | 787 | } |
wolfSSL | 13:f67a6c6013ca | 788 | |
wolfSSL | 13:f67a6c6013ca | 789 | pkcsBlock[pkcsBlockLen-inputLen-1] = 0; /* separator */ |
wolfSSL | 13:f67a6c6013ca | 790 | XMEMCPY(pkcsBlock+pkcsBlockLen-inputLen, input, inputLen); |
wolfSSL | 13:f67a6c6013ca | 791 | |
wolfSSL | 13:f67a6c6013ca | 792 | return 0; |
wolfSSL | 13:f67a6c6013ca | 793 | } |
wolfSSL | 13:f67a6c6013ca | 794 | |
wolfSSL | 13:f67a6c6013ca | 795 | /* helper function to direct which padding is used */ |
wolfSSL | 13:f67a6c6013ca | 796 | static int wc_RsaPad_ex(const byte* input, word32 inputLen, byte* pkcsBlock, |
wolfSSL | 13:f67a6c6013ca | 797 | word32 pkcsBlockLen, byte padValue, WC_RNG* rng, int padType, |
wolfSSL | 13:f67a6c6013ca | 798 | enum wc_HashType hType, int mgf, byte* optLabel, word32 labelLen, int bits, |
wolfSSL | 13:f67a6c6013ca | 799 | void* heap) |
wolfSSL | 13:f67a6c6013ca | 800 | { |
wolfSSL | 13:f67a6c6013ca | 801 | int ret; |
wolfSSL | 13:f67a6c6013ca | 802 | |
wolfSSL | 13:f67a6c6013ca | 803 | switch (padType) |
wolfSSL | 13:f67a6c6013ca | 804 | { |
wolfSSL | 13:f67a6c6013ca | 805 | case WC_RSA_PKCSV15_PAD: |
wolfSSL | 13:f67a6c6013ca | 806 | /*WOLFSSL_MSG("wolfSSL Using RSA PKCSV15 padding");*/ |
wolfSSL | 13:f67a6c6013ca | 807 | ret = RsaPad(input, inputLen, pkcsBlock, pkcsBlockLen, |
wolfSSL | 13:f67a6c6013ca | 808 | padValue, rng); |
wolfSSL | 13:f67a6c6013ca | 809 | break; |
wolfSSL | 13:f67a6c6013ca | 810 | |
wolfSSL | 13:f67a6c6013ca | 811 | #ifndef WC_NO_RSA_OAEP |
wolfSSL | 13:f67a6c6013ca | 812 | case WC_RSA_OAEP_PAD: |
wolfSSL | 13:f67a6c6013ca | 813 | WOLFSSL_MSG("wolfSSL Using RSA OAEP padding"); |
wolfSSL | 13:f67a6c6013ca | 814 | ret = RsaPad_OAEP(input, inputLen, pkcsBlock, pkcsBlockLen, |
wolfSSL | 13:f67a6c6013ca | 815 | padValue, rng, hType, mgf, optLabel, labelLen, heap); |
wolfSSL | 13:f67a6c6013ca | 816 | break; |
wolfSSL | 13:f67a6c6013ca | 817 | #endif |
wolfSSL | 13:f67a6c6013ca | 818 | |
wolfSSL | 13:f67a6c6013ca | 819 | #ifdef WC_RSA_PSS |
wolfSSL | 13:f67a6c6013ca | 820 | case WC_RSA_PSS_PAD: |
wolfSSL | 13:f67a6c6013ca | 821 | WOLFSSL_MSG("wolfSSL Using RSA PSS padding"); |
wolfSSL | 13:f67a6c6013ca | 822 | ret = RsaPad_PSS(input, inputLen, pkcsBlock, pkcsBlockLen, rng, |
wolfSSL | 13:f67a6c6013ca | 823 | hType, mgf, bits, heap); |
wolfSSL | 13:f67a6c6013ca | 824 | break; |
wolfSSL | 13:f67a6c6013ca | 825 | #endif |
wolfSSL | 13:f67a6c6013ca | 826 | |
wolfSSL | 13:f67a6c6013ca | 827 | default: |
wolfSSL | 13:f67a6c6013ca | 828 | WOLFSSL_MSG("Unknown RSA Pad Type"); |
wolfSSL | 13:f67a6c6013ca | 829 | ret = RSA_PAD_E; |
wolfSSL | 13:f67a6c6013ca | 830 | } |
wolfSSL | 13:f67a6c6013ca | 831 | |
wolfSSL | 13:f67a6c6013ca | 832 | /* silence warning if not used with padding scheme */ |
wolfSSL | 13:f67a6c6013ca | 833 | (void)hType; |
wolfSSL | 13:f67a6c6013ca | 834 | (void)mgf; |
wolfSSL | 13:f67a6c6013ca | 835 | (void)optLabel; |
wolfSSL | 13:f67a6c6013ca | 836 | (void)labelLen; |
wolfSSL | 13:f67a6c6013ca | 837 | (void)bits; |
wolfSSL | 13:f67a6c6013ca | 838 | (void)heap; |
wolfSSL | 13:f67a6c6013ca | 839 | |
wolfSSL | 13:f67a6c6013ca | 840 | return ret; |
wolfSSL | 13:f67a6c6013ca | 841 | } |
wolfSSL | 13:f67a6c6013ca | 842 | |
wolfSSL | 13:f67a6c6013ca | 843 | |
wolfSSL | 13:f67a6c6013ca | 844 | /* UnPadding */ |
wolfSSL | 13:f67a6c6013ca | 845 | #ifndef WC_NO_RSA_OAEP |
wolfSSL | 13:f67a6c6013ca | 846 | /* UnPad plaintext, set start to *output, return length of plaintext, |
wolfSSL | 13:f67a6c6013ca | 847 | * < 0 on error */ |
wolfSSL | 13:f67a6c6013ca | 848 | static int RsaUnPad_OAEP(byte *pkcsBlock, unsigned int pkcsBlockLen, |
wolfSSL | 13:f67a6c6013ca | 849 | byte **output, enum wc_HashType hType, int mgf, |
wolfSSL | 13:f67a6c6013ca | 850 | byte* optLabel, word32 labelLen, void* heap) |
wolfSSL | 13:f67a6c6013ca | 851 | { |
wolfSSL | 13:f67a6c6013ca | 852 | int hLen; |
wolfSSL | 13:f67a6c6013ca | 853 | int ret; |
wolfSSL | 13:f67a6c6013ca | 854 | byte h[WC_MAX_DIGEST_SIZE]; /* max digest size */ |
wolfSSL | 13:f67a6c6013ca | 855 | byte* tmp; |
wolfSSL | 13:f67a6c6013ca | 856 | word32 idx; |
wolfSSL | 13:f67a6c6013ca | 857 | |
wolfSSL | 13:f67a6c6013ca | 858 | /* no label is allowed, but catch if no label provided and length > 0 */ |
wolfSSL | 13:f67a6c6013ca | 859 | if (optLabel == NULL && labelLen > 0) { |
wolfSSL | 13:f67a6c6013ca | 860 | return BUFFER_E; |
wolfSSL | 13:f67a6c6013ca | 861 | } |
wolfSSL | 13:f67a6c6013ca | 862 | |
wolfSSL | 13:f67a6c6013ca | 863 | hLen = wc_HashGetDigestSize(hType); |
wolfSSL | 13:f67a6c6013ca | 864 | if ((hLen < 0) || (pkcsBlockLen < (2 * (word32)hLen + 2))) { |
wolfSSL | 13:f67a6c6013ca | 865 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 866 | } |
wolfSSL | 13:f67a6c6013ca | 867 | |
wolfSSL | 13:f67a6c6013ca | 868 | tmp = (byte*)XMALLOC(pkcsBlockLen, heap, DYNAMIC_TYPE_RSA_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 869 | if (tmp == NULL) { |
wolfSSL | 13:f67a6c6013ca | 870 | return MEMORY_E; |
wolfSSL | 13:f67a6c6013ca | 871 | } |
wolfSSL | 13:f67a6c6013ca | 872 | XMEMSET(tmp, 0, pkcsBlockLen); |
wolfSSL | 13:f67a6c6013ca | 873 | |
wolfSSL | 13:f67a6c6013ca | 874 | /* find seedMask value */ |
wolfSSL | 13:f67a6c6013ca | 875 | if ((ret = RsaMGF(mgf, (byte*)(pkcsBlock + (hLen + 1)), |
wolfSSL | 13:f67a6c6013ca | 876 | pkcsBlockLen - hLen - 1, tmp, hLen, heap)) != 0) { |
wolfSSL | 13:f67a6c6013ca | 877 | XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 878 | return ret; |
wolfSSL | 13:f67a6c6013ca | 879 | } |
wolfSSL | 13:f67a6c6013ca | 880 | |
wolfSSL | 13:f67a6c6013ca | 881 | /* xor seedMask value with maskedSeed to get seed value */ |
wolfSSL | 13:f67a6c6013ca | 882 | for (idx = 0; idx < (word32)hLen; idx++) { |
wolfSSL | 13:f67a6c6013ca | 883 | tmp[idx] = tmp[idx] ^ pkcsBlock[1 + idx]; |
wolfSSL | 13:f67a6c6013ca | 884 | } |
wolfSSL | 13:f67a6c6013ca | 885 | |
wolfSSL | 13:f67a6c6013ca | 886 | /* get dbMask value */ |
wolfSSL | 13:f67a6c6013ca | 887 | if ((ret = RsaMGF(mgf, tmp, hLen, tmp + hLen, |
wolfSSL | 13:f67a6c6013ca | 888 | pkcsBlockLen - hLen - 1, heap)) != 0) { |
wolfSSL | 13:f67a6c6013ca | 889 | XFREE(tmp, NULL, DYNAMIC_TYPE_RSA_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 890 | return ret; |
wolfSSL | 13:f67a6c6013ca | 891 | } |
wolfSSL | 13:f67a6c6013ca | 892 | |
wolfSSL | 13:f67a6c6013ca | 893 | /* get DB value by doing maskedDB xor dbMask */ |
wolfSSL | 13:f67a6c6013ca | 894 | for (idx = 0; idx < (pkcsBlockLen - hLen - 1); idx++) { |
wolfSSL | 13:f67a6c6013ca | 895 | pkcsBlock[hLen + 1 + idx] = pkcsBlock[hLen + 1 + idx] ^ tmp[idx + hLen]; |
wolfSSL | 13:f67a6c6013ca | 896 | } |
wolfSSL | 13:f67a6c6013ca | 897 | |
wolfSSL | 13:f67a6c6013ca | 898 | /* done with use of tmp buffer */ |
wolfSSL | 13:f67a6c6013ca | 899 | XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 900 | |
wolfSSL | 13:f67a6c6013ca | 901 | /* advance idx to index of PS and msg separator, account for PS size of 0*/ |
wolfSSL | 13:f67a6c6013ca | 902 | idx = hLen + 1 + hLen; |
wolfSSL | 13:f67a6c6013ca | 903 | while (idx < pkcsBlockLen && pkcsBlock[idx] == 0) {idx++;} |
wolfSSL | 13:f67a6c6013ca | 904 | |
wolfSSL | 13:f67a6c6013ca | 905 | /* create hash of label for comparision with hash sent */ |
wolfSSL | 13:f67a6c6013ca | 906 | if ((ret = wc_Hash(hType, optLabel, labelLen, h, hLen)) != 0) { |
wolfSSL | 13:f67a6c6013ca | 907 | return ret; |
wolfSSL | 13:f67a6c6013ca | 908 | } |
wolfSSL | 13:f67a6c6013ca | 909 | |
wolfSSL | 13:f67a6c6013ca | 910 | /* say no to chosen ciphertext attack. |
wolfSSL | 13:f67a6c6013ca | 911 | Comparison of lHash, Y, and separator value needs to all happen in |
wolfSSL | 13:f67a6c6013ca | 912 | constant time. |
wolfSSL | 13:f67a6c6013ca | 913 | Attackers should not be able to get error condition from the timing of |
wolfSSL | 13:f67a6c6013ca | 914 | these checks. |
wolfSSL | 13:f67a6c6013ca | 915 | */ |
wolfSSL | 13:f67a6c6013ca | 916 | ret = 0; |
wolfSSL | 13:f67a6c6013ca | 917 | ret |= ConstantCompare(pkcsBlock + hLen + 1, h, hLen); |
wolfSSL | 13:f67a6c6013ca | 918 | ret += pkcsBlock[idx++] ^ 0x01; /* separator value is 0x01 */ |
wolfSSL | 13:f67a6c6013ca | 919 | ret += pkcsBlock[0] ^ 0x00; /* Y, the first value, should be 0 */ |
wolfSSL | 13:f67a6c6013ca | 920 | |
wolfSSL | 13:f67a6c6013ca | 921 | if (ret != 0) { |
wolfSSL | 13:f67a6c6013ca | 922 | return BAD_PADDING_E; |
wolfSSL | 13:f67a6c6013ca | 923 | } |
wolfSSL | 13:f67a6c6013ca | 924 | |
wolfSSL | 13:f67a6c6013ca | 925 | /* adjust pointer to correct location in array and return size of M */ |
wolfSSL | 13:f67a6c6013ca | 926 | *output = (byte*)(pkcsBlock + idx); |
wolfSSL | 13:f67a6c6013ca | 927 | return pkcsBlockLen - idx; |
wolfSSL | 13:f67a6c6013ca | 928 | } |
wolfSSL | 13:f67a6c6013ca | 929 | #endif /* WC_NO_RSA_OAEP */ |
wolfSSL | 13:f67a6c6013ca | 930 | |
wolfSSL | 13:f67a6c6013ca | 931 | #ifdef WC_RSA_PSS |
wolfSSL | 13:f67a6c6013ca | 932 | static int RsaUnPad_PSS(byte *pkcsBlock, unsigned int pkcsBlockLen, |
wolfSSL | 13:f67a6c6013ca | 933 | byte **output, enum wc_HashType hType, int mgf, |
wolfSSL | 13:f67a6c6013ca | 934 | int bits, void* heap) |
wolfSSL | 13:f67a6c6013ca | 935 | { |
wolfSSL | 13:f67a6c6013ca | 936 | int ret; |
wolfSSL | 13:f67a6c6013ca | 937 | byte* tmp; |
wolfSSL | 13:f67a6c6013ca | 938 | int hLen, i; |
wolfSSL | 13:f67a6c6013ca | 939 | |
wolfSSL | 13:f67a6c6013ca | 940 | hLen = wc_HashGetDigestSize(hType); |
wolfSSL | 13:f67a6c6013ca | 941 | if (hLen < 0) |
wolfSSL | 13:f67a6c6013ca | 942 | return hLen; |
wolfSSL | 13:f67a6c6013ca | 943 | |
wolfSSL | 13:f67a6c6013ca | 944 | if (pkcsBlock[pkcsBlockLen - 1] != 0xbc) |
wolfSSL | 13:f67a6c6013ca | 945 | return BAD_PADDING_E; |
wolfSSL | 13:f67a6c6013ca | 946 | |
wolfSSL | 13:f67a6c6013ca | 947 | tmp = (byte*)XMALLOC(pkcsBlockLen, heap, DYNAMIC_TYPE_RSA_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 948 | if (tmp == NULL) { |
wolfSSL | 13:f67a6c6013ca | 949 | return MEMORY_E; |
wolfSSL | 13:f67a6c6013ca | 950 | } |
wolfSSL | 13:f67a6c6013ca | 951 | |
wolfSSL | 13:f67a6c6013ca | 952 | if ((ret = RsaMGF(mgf, pkcsBlock + pkcsBlockLen - 1 - hLen, hLen, |
wolfSSL | 13:f67a6c6013ca | 953 | tmp, pkcsBlockLen - 1 - hLen, heap)) != 0) { |
wolfSSL | 13:f67a6c6013ca | 954 | XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 955 | return ret; |
wolfSSL | 13:f67a6c6013ca | 956 | } |
wolfSSL | 13:f67a6c6013ca | 957 | |
wolfSSL | 13:f67a6c6013ca | 958 | tmp[0] &= (1 << ((bits - 1) & 0x7)) - 1; |
wolfSSL | 13:f67a6c6013ca | 959 | for (i = 0; i < (int)(pkcsBlockLen - 1 - hLen - hLen - 1); i++) { |
wolfSSL | 13:f67a6c6013ca | 960 | if (tmp[i] != pkcsBlock[i]) { |
wolfSSL | 13:f67a6c6013ca | 961 | XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 962 | return BAD_PADDING_E; |
wolfSSL | 13:f67a6c6013ca | 963 | } |
wolfSSL | 13:f67a6c6013ca | 964 | } |
wolfSSL | 13:f67a6c6013ca | 965 | if (tmp[i] != (pkcsBlock[i] ^ 0x01)) { |
wolfSSL | 13:f67a6c6013ca | 966 | XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 967 | return BAD_PADDING_E; |
wolfSSL | 13:f67a6c6013ca | 968 | } |
wolfSSL | 13:f67a6c6013ca | 969 | for (i++; i < (int)(pkcsBlockLen - 1 - hLen); i++) |
wolfSSL | 13:f67a6c6013ca | 970 | pkcsBlock[i] ^= tmp[i]; |
wolfSSL | 13:f67a6c6013ca | 971 | |
wolfSSL | 13:f67a6c6013ca | 972 | XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER); |
wolfSSL | 13:f67a6c6013ca | 973 | |
wolfSSL | 13:f67a6c6013ca | 974 | i = pkcsBlockLen - (RSA_PSS_PAD_SZ + 3 * hLen + 1); |
wolfSSL | 13:f67a6c6013ca | 975 | XMEMSET(pkcsBlock + i, 0, RSA_PSS_PAD_SZ); |
wolfSSL | 13:f67a6c6013ca | 976 | |
wolfSSL | 13:f67a6c6013ca | 977 | *output = pkcsBlock + i; |
wolfSSL | 13:f67a6c6013ca | 978 | return RSA_PSS_PAD_SZ + 3 * hLen; |
wolfSSL | 13:f67a6c6013ca | 979 | } |
wolfSSL | 13:f67a6c6013ca | 980 | #endif |
wolfSSL | 13:f67a6c6013ca | 981 | |
wolfSSL | 13:f67a6c6013ca | 982 | /* UnPad plaintext, set start to *output, return length of plaintext, |
wolfSSL | 13:f67a6c6013ca | 983 | * < 0 on error */ |
wolfSSL | 13:f67a6c6013ca | 984 | static int RsaUnPad(const byte *pkcsBlock, unsigned int pkcsBlockLen, |
wolfSSL | 13:f67a6c6013ca | 985 | byte **output, byte padValue) |
wolfSSL | 13:f67a6c6013ca | 986 | { |
wolfSSL | 13:f67a6c6013ca | 987 | word32 maxOutputLen = (pkcsBlockLen > 10) ? (pkcsBlockLen - 10) : 0; |
wolfSSL | 13:f67a6c6013ca | 988 | word32 invalid = 0; |
wolfSSL | 13:f67a6c6013ca | 989 | word32 i = 1; |
wolfSSL | 13:f67a6c6013ca | 990 | word32 outputLen; |
wolfSSL | 13:f67a6c6013ca | 991 | |
wolfSSL | 13:f67a6c6013ca | 992 | if (output == NULL || pkcsBlockLen == 0) { |
wolfSSL | 13:f67a6c6013ca | 993 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 994 | } |
wolfSSL | 13:f67a6c6013ca | 995 | |
wolfSSL | 13:f67a6c6013ca | 996 | if (pkcsBlock[0] != 0x0) { /* skip past zero */ |
wolfSSL | 13:f67a6c6013ca | 997 | invalid = 1; |
wolfSSL | 13:f67a6c6013ca | 998 | } |
wolfSSL | 13:f67a6c6013ca | 999 | pkcsBlock++; pkcsBlockLen--; |
wolfSSL | 13:f67a6c6013ca | 1000 | |
wolfSSL | 13:f67a6c6013ca | 1001 | /* Require block type padValue */ |
wolfSSL | 13:f67a6c6013ca | 1002 | invalid = (pkcsBlock[0] != padValue) || invalid; |
wolfSSL | 13:f67a6c6013ca | 1003 | |
wolfSSL | 13:f67a6c6013ca | 1004 | /* verify the padding until we find the separator */ |
wolfSSL | 13:f67a6c6013ca | 1005 | if (padValue == RSA_BLOCK_TYPE_1) { |
wolfSSL | 13:f67a6c6013ca | 1006 | while (i<pkcsBlockLen && pkcsBlock[i++] == 0xFF) {/* Null body */} |
wolfSSL | 13:f67a6c6013ca | 1007 | } |
wolfSSL | 13:f67a6c6013ca | 1008 | else { |
wolfSSL | 13:f67a6c6013ca | 1009 | while (i<pkcsBlockLen && pkcsBlock[i++]) {/* Null body */} |
wolfSSL | 13:f67a6c6013ca | 1010 | } |
wolfSSL | 13:f67a6c6013ca | 1011 | |
wolfSSL | 13:f67a6c6013ca | 1012 | if (!(i==pkcsBlockLen || pkcsBlock[i-1]==0)) { |
wolfSSL | 13:f67a6c6013ca | 1013 | WOLFSSL_MSG("RsaUnPad error, bad formatting"); |
wolfSSL | 13:f67a6c6013ca | 1014 | return RSA_PAD_E; |
wolfSSL | 13:f67a6c6013ca | 1015 | } |
wolfSSL | 13:f67a6c6013ca | 1016 | |
wolfSSL | 13:f67a6c6013ca | 1017 | outputLen = pkcsBlockLen - i; |
wolfSSL | 13:f67a6c6013ca | 1018 | invalid = (outputLen > maxOutputLen) || invalid; |
wolfSSL | 13:f67a6c6013ca | 1019 | |
wolfSSL | 13:f67a6c6013ca | 1020 | if (invalid) { |
wolfSSL | 13:f67a6c6013ca | 1021 | WOLFSSL_MSG("RsaUnPad error, invalid formatting"); |
wolfSSL | 13:f67a6c6013ca | 1022 | return RSA_PAD_E; |
wolfSSL | 13:f67a6c6013ca | 1023 | } |
wolfSSL | 13:f67a6c6013ca | 1024 | |
wolfSSL | 13:f67a6c6013ca | 1025 | *output = (byte *)(pkcsBlock + i); |
wolfSSL | 13:f67a6c6013ca | 1026 | return outputLen; |
wolfSSL | 13:f67a6c6013ca | 1027 | } |
wolfSSL | 13:f67a6c6013ca | 1028 | |
wolfSSL | 13:f67a6c6013ca | 1029 | /* helper function to direct unpadding */ |
wolfSSL | 13:f67a6c6013ca | 1030 | static int wc_RsaUnPad_ex(byte* pkcsBlock, word32 pkcsBlockLen, byte** out, |
wolfSSL | 13:f67a6c6013ca | 1031 | byte padValue, int padType, enum wc_HashType hType, |
wolfSSL | 13:f67a6c6013ca | 1032 | int mgf, byte* optLabel, word32 labelLen, int bits, |
wolfSSL | 13:f67a6c6013ca | 1033 | void* heap) |
wolfSSL | 13:f67a6c6013ca | 1034 | { |
wolfSSL | 13:f67a6c6013ca | 1035 | int ret; |
wolfSSL | 13:f67a6c6013ca | 1036 | |
wolfSSL | 13:f67a6c6013ca | 1037 | switch (padType) { |
wolfSSL | 13:f67a6c6013ca | 1038 | case WC_RSA_PKCSV15_PAD: |
wolfSSL | 13:f67a6c6013ca | 1039 | /*WOLFSSL_MSG("wolfSSL Using RSA PKCSV15 un-padding");*/ |
wolfSSL | 13:f67a6c6013ca | 1040 | ret = RsaUnPad(pkcsBlock, pkcsBlockLen, out, padValue); |
wolfSSL | 13:f67a6c6013ca | 1041 | break; |
wolfSSL | 13:f67a6c6013ca | 1042 | |
wolfSSL | 13:f67a6c6013ca | 1043 | #ifndef WC_NO_RSA_OAEP |
wolfSSL | 13:f67a6c6013ca | 1044 | case WC_RSA_OAEP_PAD: |
wolfSSL | 13:f67a6c6013ca | 1045 | WOLFSSL_MSG("wolfSSL Using RSA OAEP un-padding"); |
wolfSSL | 13:f67a6c6013ca | 1046 | ret = RsaUnPad_OAEP((byte*)pkcsBlock, pkcsBlockLen, out, |
wolfSSL | 13:f67a6c6013ca | 1047 | hType, mgf, optLabel, labelLen, heap); |
wolfSSL | 13:f67a6c6013ca | 1048 | break; |
wolfSSL | 13:f67a6c6013ca | 1049 | #endif |
wolfSSL | 13:f67a6c6013ca | 1050 | |
wolfSSL | 13:f67a6c6013ca | 1051 | #ifdef WC_RSA_PSS |
wolfSSL | 13:f67a6c6013ca | 1052 | case WC_RSA_PSS_PAD: |
wolfSSL | 13:f67a6c6013ca | 1053 | WOLFSSL_MSG("wolfSSL Using RSA PSS un-padding"); |
wolfSSL | 13:f67a6c6013ca | 1054 | ret = RsaUnPad_PSS((byte*)pkcsBlock, pkcsBlockLen, out, hType, mgf, |
wolfSSL | 13:f67a6c6013ca | 1055 | bits, heap); |
wolfSSL | 13:f67a6c6013ca | 1056 | break; |
wolfSSL | 13:f67a6c6013ca | 1057 | #endif |
wolfSSL | 13:f67a6c6013ca | 1058 | |
wolfSSL | 13:f67a6c6013ca | 1059 | default: |
wolfSSL | 13:f67a6c6013ca | 1060 | WOLFSSL_MSG("Unknown RSA UnPad Type"); |
wolfSSL | 13:f67a6c6013ca | 1061 | ret = RSA_PAD_E; |
wolfSSL | 13:f67a6c6013ca | 1062 | } |
wolfSSL | 13:f67a6c6013ca | 1063 | |
wolfSSL | 13:f67a6c6013ca | 1064 | /* silence warning if not used with padding scheme */ |
wolfSSL | 13:f67a6c6013ca | 1065 | (void)hType; |
wolfSSL | 13:f67a6c6013ca | 1066 | (void)mgf; |
wolfSSL | 13:f67a6c6013ca | 1067 | (void)optLabel; |
wolfSSL | 13:f67a6c6013ca | 1068 | (void)labelLen; |
wolfSSL | 13:f67a6c6013ca | 1069 | (void)bits; |
wolfSSL | 13:f67a6c6013ca | 1070 | (void)heap; |
wolfSSL | 13:f67a6c6013ca | 1071 | |
wolfSSL | 13:f67a6c6013ca | 1072 | return ret; |
wolfSSL | 13:f67a6c6013ca | 1073 | } |
wolfSSL | 13:f67a6c6013ca | 1074 | |
wolfSSL | 13:f67a6c6013ca | 1075 | #if defined(WOLFSSL_XILINX_CRYPT) |
wolfSSL | 13:f67a6c6013ca | 1076 | /* |
wolfSSL | 13:f67a6c6013ca | 1077 | * Xilinx hardened crypto acceleration. |
wolfSSL | 13:f67a6c6013ca | 1078 | * |
wolfSSL | 13:f67a6c6013ca | 1079 | * Returns 0 on success and negative values on error. |
wolfSSL | 13:f67a6c6013ca | 1080 | */ |
wolfSSL | 13:f67a6c6013ca | 1081 | static int wc_RsaFunctionXil(const byte* in, word32 inLen, byte* out, |
wolfSSL | 13:f67a6c6013ca | 1082 | word32* outLen, int type, RsaKey* key, WC_RNG* rng) |
wolfSSL | 13:f67a6c6013ca | 1083 | { |
wolfSSL | 13:f67a6c6013ca | 1084 | int ret = 0; |
wolfSSL | 13:f67a6c6013ca | 1085 | word32 keyLen, len; |
wolfSSL | 13:f67a6c6013ca | 1086 | (void)rng; |
wolfSSL | 13:f67a6c6013ca | 1087 | |
wolfSSL | 13:f67a6c6013ca | 1088 | keyLen = wc_RsaEncryptSize(key); |
wolfSSL | 13:f67a6c6013ca | 1089 | if (keyLen > *outLen) { |
wolfSSL | 13:f67a6c6013ca | 1090 | WOLFSSL_MSG("Output buffer is not big enough"); |
wolfSSL | 13:f67a6c6013ca | 1091 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 1092 | } |
wolfSSL | 13:f67a6c6013ca | 1093 | |
wolfSSL | 13:f67a6c6013ca | 1094 | if (inLen != keyLen) { |
wolfSSL | 13:f67a6c6013ca | 1095 | WOLFSSL_MSG("Expected that inLen equals RSA key length"); |
wolfSSL | 13:f67a6c6013ca | 1096 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 1097 | } |
wolfSSL | 13:f67a6c6013ca | 1098 | |
wolfSSL | 13:f67a6c6013ca | 1099 | switch(type) { |
wolfSSL | 13:f67a6c6013ca | 1100 | case RSA_PRIVATE_DECRYPT: |
wolfSSL | 13:f67a6c6013ca | 1101 | case RSA_PRIVATE_ENCRYPT: |
wolfSSL | 13:f67a6c6013ca | 1102 | /* Currently public exponent is loaded by default. |
wolfSSL | 13:f67a6c6013ca | 1103 | * In SDK 2017.1 RSA exponent values are expected to be of 4 bytes |
wolfSSL | 13:f67a6c6013ca | 1104 | * leading to private key operations with Xsecure_RsaDecrypt not being |
wolfSSL | 13:f67a6c6013ca | 1105 | * supported */ |
wolfSSL | 13:f67a6c6013ca | 1106 | ret = RSA_WRONG_TYPE_E; |
wolfSSL | 13:f67a6c6013ca | 1107 | break; |
wolfSSL | 13:f67a6c6013ca | 1108 | case RSA_PUBLIC_ENCRYPT: |
wolfSSL | 13:f67a6c6013ca | 1109 | case RSA_PUBLIC_DECRYPT: |
wolfSSL | 13:f67a6c6013ca | 1110 | if (XSecure_RsaDecrypt(&(key->xRsa), in, out) != XST_SUCCESS) { |
wolfSSL | 13:f67a6c6013ca | 1111 | ret = BAD_STATE_E; |
wolfSSL | 13:f67a6c6013ca | 1112 | } |
wolfSSL | 13:f67a6c6013ca | 1113 | break; |
wolfSSL | 13:f67a6c6013ca | 1114 | default: |
wolfSSL | 13:f67a6c6013ca | 1115 | ret = RSA_WRONG_TYPE_E; |
wolfSSL | 13:f67a6c6013ca | 1116 | } |
wolfSSL | 13:f67a6c6013ca | 1117 | |
wolfSSL | 13:f67a6c6013ca | 1118 | *outLen = keyLen; |
wolfSSL | 13:f67a6c6013ca | 1119 | |
wolfSSL | 13:f67a6c6013ca | 1120 | return ret; |
wolfSSL | 13:f67a6c6013ca | 1121 | } |
wolfSSL | 13:f67a6c6013ca | 1122 | #endif /* WOLFSSL_XILINX_CRYPT */ |
wolfSSL | 13:f67a6c6013ca | 1123 | |
wolfSSL | 13:f67a6c6013ca | 1124 | static int wc_RsaFunctionSync(const byte* in, word32 inLen, byte* out, |
wolfSSL | 13:f67a6c6013ca | 1125 | word32* outLen, int type, RsaKey* key, WC_RNG* rng) |
wolfSSL | 13:f67a6c6013ca | 1126 | { |
wolfSSL | 13:f67a6c6013ca | 1127 | mp_int tmp; |
wolfSSL | 13:f67a6c6013ca | 1128 | #ifdef WC_RSA_BLINDING |
wolfSSL | 13:f67a6c6013ca | 1129 | mp_int rnd, rndi; |
wolfSSL | 13:f67a6c6013ca | 1130 | #endif |
wolfSSL | 13:f67a6c6013ca | 1131 | int ret = 0; |
wolfSSL | 13:f67a6c6013ca | 1132 | word32 keyLen, len; |
wolfSSL | 13:f67a6c6013ca | 1133 | |
wolfSSL | 13:f67a6c6013ca | 1134 | (void)rng; |
wolfSSL | 13:f67a6c6013ca | 1135 | |
wolfSSL | 13:f67a6c6013ca | 1136 | if (mp_init(&tmp) != MP_OKAY) |
wolfSSL | 13:f67a6c6013ca | 1137 | return MP_INIT_E; |
wolfSSL | 13:f67a6c6013ca | 1138 | |
wolfSSL | 13:f67a6c6013ca | 1139 | #ifdef WC_RSA_BLINDING |
wolfSSL | 13:f67a6c6013ca | 1140 | if (type == RSA_PRIVATE_DECRYPT || type == RSA_PRIVATE_ENCRYPT) { |
wolfSSL | 13:f67a6c6013ca | 1141 | if (mp_init_multi(&rnd, &rndi, NULL, NULL, NULL, NULL) != MP_OKAY) { |
wolfSSL | 13:f67a6c6013ca | 1142 | mp_clear(&tmp); |
wolfSSL | 13:f67a6c6013ca | 1143 | return MP_INIT_E; |
wolfSSL | 13:f67a6c6013ca | 1144 | } |
wolfSSL | 13:f67a6c6013ca | 1145 | } |
wolfSSL | 13:f67a6c6013ca | 1146 | #endif |
wolfSSL | 13:f67a6c6013ca | 1147 | |
wolfSSL | 13:f67a6c6013ca | 1148 | if (mp_read_unsigned_bin(&tmp, (byte*)in, inLen) != MP_OKAY) |
wolfSSL | 13:f67a6c6013ca | 1149 | ERROR_OUT(MP_READ_E); |
wolfSSL | 13:f67a6c6013ca | 1150 | |
wolfSSL | 13:f67a6c6013ca | 1151 | switch(type) { |
wolfSSL | 13:f67a6c6013ca | 1152 | case RSA_PRIVATE_DECRYPT: |
wolfSSL | 13:f67a6c6013ca | 1153 | case RSA_PRIVATE_ENCRYPT: |
wolfSSL | 13:f67a6c6013ca | 1154 | { |
wolfSSL | 13:f67a6c6013ca | 1155 | #ifdef WC_RSA_BLINDING |
wolfSSL | 13:f67a6c6013ca | 1156 | /* blind */ |
wolfSSL | 13:f67a6c6013ca | 1157 | ret = mp_rand(&rnd, get_digit_count(&key->n), rng); |
wolfSSL | 13:f67a6c6013ca | 1158 | if (ret != MP_OKAY) |
wolfSSL | 13:f67a6c6013ca | 1159 | goto done; |
wolfSSL | 13:f67a6c6013ca | 1160 | |
wolfSSL | 13:f67a6c6013ca | 1161 | /* rndi = 1/rnd mod n */ |
wolfSSL | 13:f67a6c6013ca | 1162 | if (mp_invmod(&rnd, &key->n, &rndi) != MP_OKAY) |
wolfSSL | 13:f67a6c6013ca | 1163 | ERROR_OUT(MP_INVMOD_E); |
wolfSSL | 13:f67a6c6013ca | 1164 | |
wolfSSL | 13:f67a6c6013ca | 1165 | /* rnd = rnd^e */ |
wolfSSL | 13:f67a6c6013ca | 1166 | if (mp_exptmod(&rnd, &key->e, &key->n, &rnd) != MP_OKAY) |
wolfSSL | 13:f67a6c6013ca | 1167 | ERROR_OUT(MP_EXPTMOD_E); |
wolfSSL | 13:f67a6c6013ca | 1168 | |
wolfSSL | 13:f67a6c6013ca | 1169 | /* tmp = tmp*rnd mod n */ |
wolfSSL | 13:f67a6c6013ca | 1170 | if (mp_mulmod(&tmp, &rnd, &key->n, &tmp) != MP_OKAY) |
wolfSSL | 13:f67a6c6013ca | 1171 | ERROR_OUT(MP_MULMOD_E); |
wolfSSL | 13:f67a6c6013ca | 1172 | #endif /* WC_RSA_BLINGING */ |
wolfSSL | 13:f67a6c6013ca | 1173 | |
wolfSSL | 13:f67a6c6013ca | 1174 | #ifdef RSA_LOW_MEM /* half as much memory but twice as slow */ |
wolfSSL | 13:f67a6c6013ca | 1175 | if (mp_exptmod(&tmp, &key->d, &key->n, &tmp) != MP_OKAY) |
wolfSSL | 13:f67a6c6013ca | 1176 | ERROR_OUT(MP_EXPTMOD_E); |
wolfSSL | 13:f67a6c6013ca | 1177 | #else |
wolfSSL | 13:f67a6c6013ca | 1178 | /* Return 0 when cond is false and n when cond is true. */ |
wolfSSL | 13:f67a6c6013ca | 1179 | #define COND_N(cond, n) ((0 - (cond)) & (n)) |
wolfSSL | 13:f67a6c6013ca | 1180 | /* If ret has an error value return it otherwise if r is OK then return |
wolfSSL | 13:f67a6c6013ca | 1181 | * 0 otherwise return e. |
wolfSSL | 13:f67a6c6013ca | 1182 | */ |
wolfSSL | 13:f67a6c6013ca | 1183 | #define RET_ERR(ret, r, e) \ |
wolfSSL | 13:f67a6c6013ca | 1184 | ((ret) | (COND_N((ret) == 0, COND_N((r) != MP_OKAY, (e))))) |
wolfSSL | 13:f67a6c6013ca | 1185 | |
wolfSSL | 13:f67a6c6013ca | 1186 | { /* tmpa/b scope */ |
wolfSSL | 13:f67a6c6013ca | 1187 | mp_int tmpa, tmpb; |
wolfSSL | 13:f67a6c6013ca | 1188 | int r; |
wolfSSL | 13:f67a6c6013ca | 1189 | |
wolfSSL | 13:f67a6c6013ca | 1190 | if (mp_init(&tmpa) != MP_OKAY) |
wolfSSL | 13:f67a6c6013ca | 1191 | ERROR_OUT(MP_INIT_E); |
wolfSSL | 13:f67a6c6013ca | 1192 | |
wolfSSL | 13:f67a6c6013ca | 1193 | if (mp_init(&tmpb) != MP_OKAY) { |
wolfSSL | 13:f67a6c6013ca | 1194 | mp_clear(&tmpa); |
wolfSSL | 13:f67a6c6013ca | 1195 | ERROR_OUT(MP_INIT_E); |
wolfSSL | 13:f67a6c6013ca | 1196 | } |
wolfSSL | 13:f67a6c6013ca | 1197 | |
wolfSSL | 13:f67a6c6013ca | 1198 | /* tmpa = tmp^dP mod p */ |
wolfSSL | 13:f67a6c6013ca | 1199 | r = mp_exptmod(&tmp, &key->dP, &key->p, &tmpa); |
wolfSSL | 13:f67a6c6013ca | 1200 | ret = RET_ERR(ret, r, MP_EXPTMOD_E); |
wolfSSL | 13:f67a6c6013ca | 1201 | |
wolfSSL | 13:f67a6c6013ca | 1202 | /* tmpb = tmp^dQ mod q */ |
wolfSSL | 13:f67a6c6013ca | 1203 | r = mp_exptmod(&tmp, &key->dQ, &key->q, &tmpb); |
wolfSSL | 13:f67a6c6013ca | 1204 | ret = RET_ERR(ret, r, MP_EXPTMOD_E); |
wolfSSL | 13:f67a6c6013ca | 1205 | |
wolfSSL | 13:f67a6c6013ca | 1206 | /* tmp = (tmpa - tmpb) * qInv (mod p) */ |
wolfSSL | 13:f67a6c6013ca | 1207 | r = mp_sub(&tmpa, &tmpb, &tmp); |
wolfSSL | 13:f67a6c6013ca | 1208 | ret = RET_ERR(ret, r, MP_SUB_E); |
wolfSSL | 13:f67a6c6013ca | 1209 | |
wolfSSL | 13:f67a6c6013ca | 1210 | r = mp_mulmod(&tmp, &key->u, &key->p, &tmp); |
wolfSSL | 13:f67a6c6013ca | 1211 | ret = RET_ERR(ret, r, MP_MULMOD_E); |
wolfSSL | 13:f67a6c6013ca | 1212 | |
wolfSSL | 13:f67a6c6013ca | 1213 | /* tmp = tmpb + q * tmp */ |
wolfSSL | 13:f67a6c6013ca | 1214 | r = mp_mul(&tmp, &key->q, &tmp); |
wolfSSL | 13:f67a6c6013ca | 1215 | ret = RET_ERR(ret, r, MP_MUL_E); |
wolfSSL | 13:f67a6c6013ca | 1216 | |
wolfSSL | 13:f67a6c6013ca | 1217 | r = mp_add(&tmp, &tmpb, &tmp); |
wolfSSL | 13:f67a6c6013ca | 1218 | ret = RET_ERR(ret, r, MP_ADD_E); |
wolfSSL | 13:f67a6c6013ca | 1219 | |
wolfSSL | 13:f67a6c6013ca | 1220 | mp_clear(&tmpa); |
wolfSSL | 13:f67a6c6013ca | 1221 | mp_clear(&tmpb); |
wolfSSL | 13:f67a6c6013ca | 1222 | |
wolfSSL | 13:f67a6c6013ca | 1223 | if (ret != 0) { |
wolfSSL | 13:f67a6c6013ca | 1224 | goto done; |
wolfSSL | 13:f67a6c6013ca | 1225 | } |
wolfSSL | 13:f67a6c6013ca | 1226 | #undef RET_ERR |
wolfSSL | 13:f67a6c6013ca | 1227 | #undef COND_N |
wolfSSL | 13:f67a6c6013ca | 1228 | } /* tmpa/b scope */ |
wolfSSL | 13:f67a6c6013ca | 1229 | #endif /* RSA_LOW_MEM */ |
wolfSSL | 13:f67a6c6013ca | 1230 | |
wolfSSL | 13:f67a6c6013ca | 1231 | #ifdef WC_RSA_BLINDING |
wolfSSL | 13:f67a6c6013ca | 1232 | /* unblind */ |
wolfSSL | 13:f67a6c6013ca | 1233 | if (mp_mulmod(&tmp, &rndi, &key->n, &tmp) != MP_OKAY) |
wolfSSL | 13:f67a6c6013ca | 1234 | ERROR_OUT(MP_MULMOD_E); |
wolfSSL | 13:f67a6c6013ca | 1235 | #endif /* WC_RSA_BLINDING */ |
wolfSSL | 13:f67a6c6013ca | 1236 | |
wolfSSL | 13:f67a6c6013ca | 1237 | break; |
wolfSSL | 13:f67a6c6013ca | 1238 | } |
wolfSSL | 13:f67a6c6013ca | 1239 | case RSA_PUBLIC_ENCRYPT: |
wolfSSL | 13:f67a6c6013ca | 1240 | case RSA_PUBLIC_DECRYPT: |
wolfSSL | 13:f67a6c6013ca | 1241 | #ifdef WOLFSSL_XILINX_CRYPT |
wolfSSL | 13:f67a6c6013ca | 1242 | ret = wc_RsaFunctionXil(in, inLen, out, outLen, type, key, rng); |
wolfSSL | 13:f67a6c6013ca | 1243 | goto done; |
wolfSSL | 13:f67a6c6013ca | 1244 | #else |
wolfSSL | 13:f67a6c6013ca | 1245 | if (mp_exptmod(&tmp, &key->e, &key->n, &tmp) != MP_OKAY) |
wolfSSL | 13:f67a6c6013ca | 1246 | ERROR_OUT(MP_EXPTMOD_E); |
wolfSSL | 13:f67a6c6013ca | 1247 | break; |
wolfSSL | 13:f67a6c6013ca | 1248 | #endif |
wolfSSL | 13:f67a6c6013ca | 1249 | default: |
wolfSSL | 13:f67a6c6013ca | 1250 | ERROR_OUT(RSA_WRONG_TYPE_E); |
wolfSSL | 13:f67a6c6013ca | 1251 | } |
wolfSSL | 13:f67a6c6013ca | 1252 | |
wolfSSL | 13:f67a6c6013ca | 1253 | keyLen = wc_RsaEncryptSize(key); |
wolfSSL | 13:f67a6c6013ca | 1254 | if (keyLen > *outLen) { |
wolfSSL | 13:f67a6c6013ca | 1255 | ERROR_OUT(RSA_BUFFER_E); |
wolfSSL | 13:f67a6c6013ca | 1256 | } |
wolfSSL | 13:f67a6c6013ca | 1257 | |
wolfSSL | 13:f67a6c6013ca | 1258 | len = mp_unsigned_bin_size(&tmp); |
wolfSSL | 13:f67a6c6013ca | 1259 | |
wolfSSL | 13:f67a6c6013ca | 1260 | /* pad front w/ zeros to match key length */ |
wolfSSL | 13:f67a6c6013ca | 1261 | while (len < keyLen) { |
wolfSSL | 13:f67a6c6013ca | 1262 | *out++ = 0x00; |
wolfSSL | 13:f67a6c6013ca | 1263 | len++; |
wolfSSL | 13:f67a6c6013ca | 1264 | } |
wolfSSL | 13:f67a6c6013ca | 1265 | |
wolfSSL | 13:f67a6c6013ca | 1266 | *outLen = keyLen; |
wolfSSL | 13:f67a6c6013ca | 1267 | |
wolfSSL | 13:f67a6c6013ca | 1268 | /* convert */ |
wolfSSL | 13:f67a6c6013ca | 1269 | if (mp_to_unsigned_bin(&tmp, out) != MP_OKAY) |
wolfSSL | 13:f67a6c6013ca | 1270 | ERROR_OUT(MP_TO_E); |
wolfSSL | 13:f67a6c6013ca | 1271 | |
wolfSSL | 13:f67a6c6013ca | 1272 | done: |
wolfSSL | 13:f67a6c6013ca | 1273 | mp_clear(&tmp); |
wolfSSL | 13:f67a6c6013ca | 1274 | #ifdef WC_RSA_BLINDING |
wolfSSL | 13:f67a6c6013ca | 1275 | if (type == RSA_PRIVATE_DECRYPT || type == RSA_PRIVATE_ENCRYPT) { |
wolfSSL | 13:f67a6c6013ca | 1276 | mp_clear(&rndi); |
wolfSSL | 13:f67a6c6013ca | 1277 | mp_clear(&rnd); |
wolfSSL | 13:f67a6c6013ca | 1278 | } |
wolfSSL | 13:f67a6c6013ca | 1279 | #endif |
wolfSSL | 13:f67a6c6013ca | 1280 | return ret; |
wolfSSL | 13:f67a6c6013ca | 1281 | } |
wolfSSL | 13:f67a6c6013ca | 1282 | |
wolfSSL | 13:f67a6c6013ca | 1283 | #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_RSA) |
wolfSSL | 13:f67a6c6013ca | 1284 | static int wc_RsaFunctionAsync(const byte* in, word32 inLen, byte* out, |
wolfSSL | 13:f67a6c6013ca | 1285 | word32* outLen, int type, RsaKey* key, WC_RNG* rng) |
wolfSSL | 13:f67a6c6013ca | 1286 | { |
wolfSSL | 13:f67a6c6013ca | 1287 | int ret = 0; |
wolfSSL | 13:f67a6c6013ca | 1288 | |
wolfSSL | 13:f67a6c6013ca | 1289 | (void)rng; |
wolfSSL | 13:f67a6c6013ca | 1290 | |
wolfSSL | 13:f67a6c6013ca | 1291 | #ifdef WOLFSSL_ASYNC_CRYPT_TEST |
wolfSSL | 13:f67a6c6013ca | 1292 | WC_ASYNC_TEST* testDev = &key->asyncDev.test; |
wolfSSL | 13:f67a6c6013ca | 1293 | if (testDev->type == ASYNC_TEST_NONE) { |
wolfSSL | 13:f67a6c6013ca | 1294 | testDev->type = ASYNC_TEST_RSA_FUNC; |
wolfSSL | 13:f67a6c6013ca | 1295 | testDev->rsaFunc.in = in; |
wolfSSL | 13:f67a6c6013ca | 1296 | testDev->rsaFunc.inSz = inLen; |
wolfSSL | 13:f67a6c6013ca | 1297 | testDev->rsaFunc.out = out; |
wolfSSL | 13:f67a6c6013ca | 1298 | testDev->rsaFunc.outSz = outLen; |
wolfSSL | 13:f67a6c6013ca | 1299 | testDev->rsaFunc.type = type; |
wolfSSL | 13:f67a6c6013ca | 1300 | testDev->rsaFunc.key = key; |
wolfSSL | 13:f67a6c6013ca | 1301 | testDev->rsaFunc.rng = rng; |
wolfSSL | 13:f67a6c6013ca | 1302 | return WC_PENDING_E; |
wolfSSL | 13:f67a6c6013ca | 1303 | } |
wolfSSL | 13:f67a6c6013ca | 1304 | #endif /* WOLFSSL_ASYNC_CRYPT_TEST */ |
wolfSSL | 13:f67a6c6013ca | 1305 | |
wolfSSL | 13:f67a6c6013ca | 1306 | switch(type) { |
wolfSSL | 13:f67a6c6013ca | 1307 | case RSA_PRIVATE_DECRYPT: |
wolfSSL | 13:f67a6c6013ca | 1308 | case RSA_PRIVATE_ENCRYPT: |
wolfSSL | 13:f67a6c6013ca | 1309 | #ifdef HAVE_CAVIUM |
wolfSSL | 13:f67a6c6013ca | 1310 | ret = NitroxRsaExptMod(in, inLen, |
wolfSSL | 13:f67a6c6013ca | 1311 | key->d.raw.buf, key->d.raw.len, |
wolfSSL | 13:f67a6c6013ca | 1312 | key->n.raw.buf, key->n.raw.len, |
wolfSSL | 13:f67a6c6013ca | 1313 | out, outLen, key); |
wolfSSL | 13:f67a6c6013ca | 1314 | #elif defined(HAVE_INTEL_QA) |
wolfSSL | 13:f67a6c6013ca | 1315 | #ifdef RSA_LOW_MEM |
wolfSSL | 13:f67a6c6013ca | 1316 | ret = IntelQaRsaPrivate(&key->asyncDev, in, inLen, |
wolfSSL | 13:f67a6c6013ca | 1317 | &key->d.raw, &key->n.raw, |
wolfSSL | 13:f67a6c6013ca | 1318 | out, outLen); |
wolfSSL | 13:f67a6c6013ca | 1319 | #else |
wolfSSL | 13:f67a6c6013ca | 1320 | ret = IntelQaRsaCrtPrivate(&key->asyncDev, in, inLen, |
wolfSSL | 13:f67a6c6013ca | 1321 | &key->p.raw, &key->q.raw, |
wolfSSL | 13:f67a6c6013ca | 1322 | &key->dP.raw, &key->dQ.raw, |
wolfSSL | 13:f67a6c6013ca | 1323 | &key->u.raw, |
wolfSSL | 13:f67a6c6013ca | 1324 | out, outLen); |
wolfSSL | 13:f67a6c6013ca | 1325 | #endif |
wolfSSL | 13:f67a6c6013ca | 1326 | #else /* WOLFSSL_ASYNC_CRYPT_TEST */ |
wolfSSL | 13:f67a6c6013ca | 1327 | ret = wc_RsaFunctionSync(in, inLen, out, outLen, type, key, rng); |
wolfSSL | 13:f67a6c6013ca | 1328 | #endif |
wolfSSL | 13:f67a6c6013ca | 1329 | break; |
wolfSSL | 13:f67a6c6013ca | 1330 | |
wolfSSL | 13:f67a6c6013ca | 1331 | case RSA_PUBLIC_ENCRYPT: |
wolfSSL | 13:f67a6c6013ca | 1332 | case RSA_PUBLIC_DECRYPT: |
wolfSSL | 13:f67a6c6013ca | 1333 | #ifdef HAVE_CAVIUM |
wolfSSL | 13:f67a6c6013ca | 1334 | ret = NitroxRsaExptMod(in, inLen, |
wolfSSL | 13:f67a6c6013ca | 1335 | key->e.raw.buf, key->e.raw.len, |
wolfSSL | 13:f67a6c6013ca | 1336 | key->n.raw.buf, key->n.raw.len, |
wolfSSL | 13:f67a6c6013ca | 1337 | out, outLen, key); |
wolfSSL | 13:f67a6c6013ca | 1338 | #elif defined(HAVE_INTEL_QA) |
wolfSSL | 13:f67a6c6013ca | 1339 | ret = IntelQaRsaPublic(&key->asyncDev, in, inLen, |
wolfSSL | 13:f67a6c6013ca | 1340 | &key->e.raw, &key->n.raw, |
wolfSSL | 13:f67a6c6013ca | 1341 | out, outLen); |
wolfSSL | 13:f67a6c6013ca | 1342 | #else /* WOLFSSL_ASYNC_CRYPT_TEST */ |
wolfSSL | 13:f67a6c6013ca | 1343 | ret = wc_RsaFunctionSync(in, inLen, out, outLen, type, key, rng); |
wolfSSL | 13:f67a6c6013ca | 1344 | #endif |
wolfSSL | 13:f67a6c6013ca | 1345 | break; |
wolfSSL | 13:f67a6c6013ca | 1346 | |
wolfSSL | 13:f67a6c6013ca | 1347 | default: |
wolfSSL | 13:f67a6c6013ca | 1348 | ret = RSA_WRONG_TYPE_E; |
wolfSSL | 13:f67a6c6013ca | 1349 | } |
wolfSSL | 13:f67a6c6013ca | 1350 | |
wolfSSL | 13:f67a6c6013ca | 1351 | return ret; |
wolfSSL | 13:f67a6c6013ca | 1352 | } |
wolfSSL | 13:f67a6c6013ca | 1353 | #endif /* WOLFSSL_ASYNC_CRYPT && WC_ASYNC_ENABLE_RSA */ |
wolfSSL | 13:f67a6c6013ca | 1354 | |
wolfSSL | 13:f67a6c6013ca | 1355 | int wc_RsaFunction(const byte* in, word32 inLen, byte* out, |
wolfSSL | 13:f67a6c6013ca | 1356 | word32* outLen, int type, RsaKey* key, WC_RNG* rng) |
wolfSSL | 13:f67a6c6013ca | 1357 | { |
wolfSSL | 13:f67a6c6013ca | 1358 | int ret; |
wolfSSL | 13:f67a6c6013ca | 1359 | |
wolfSSL | 13:f67a6c6013ca | 1360 | if (key == NULL || in == NULL || inLen == 0 || out == NULL || |
wolfSSL | 13:f67a6c6013ca | 1361 | outLen == NULL || *outLen == 0 || type == RSA_TYPE_UNKNOWN) { |
wolfSSL | 13:f67a6c6013ca | 1362 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 1363 | } |
wolfSSL | 13:f67a6c6013ca | 1364 | |
wolfSSL | 13:f67a6c6013ca | 1365 | #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_RSA) |
wolfSSL | 13:f67a6c6013ca | 1366 | if (key->asyncDev.marker == WOLFSSL_ASYNC_MARKER_RSA && |
wolfSSL | 13:f67a6c6013ca | 1367 | key->n.raw.len > 0) { |
wolfSSL | 13:f67a6c6013ca | 1368 | ret = wc_RsaFunctionAsync(in, inLen, out, outLen, type, key, rng); |
wolfSSL | 13:f67a6c6013ca | 1369 | } |
wolfSSL | 13:f67a6c6013ca | 1370 | else |
wolfSSL | 13:f67a6c6013ca | 1371 | #endif |
wolfSSL | 13:f67a6c6013ca | 1372 | { |
wolfSSL | 13:f67a6c6013ca | 1373 | ret = wc_RsaFunctionSync(in, inLen, out, outLen, type, key, rng); |
wolfSSL | 13:f67a6c6013ca | 1374 | } |
wolfSSL | 13:f67a6c6013ca | 1375 | |
wolfSSL | 13:f67a6c6013ca | 1376 | /* handle error */ |
wolfSSL | 13:f67a6c6013ca | 1377 | if (ret < 0 && ret != WC_PENDING_E) { |
wolfSSL | 13:f67a6c6013ca | 1378 | if (ret == MP_EXPTMOD_E) { |
wolfSSL | 13:f67a6c6013ca | 1379 | /* This can happen due to incorrectly set FP_MAX_BITS or missing XREALLOC */ |
wolfSSL | 13:f67a6c6013ca | 1380 | WOLFSSL_MSG("RSA_FUNCTION MP_EXPTMOD_E: memory/config problem"); |
wolfSSL | 13:f67a6c6013ca | 1381 | } |
wolfSSL | 13:f67a6c6013ca | 1382 | |
wolfSSL | 13:f67a6c6013ca | 1383 | key->state = RSA_STATE_NONE; |
wolfSSL | 13:f67a6c6013ca | 1384 | wc_RsaCleanup(key); |
wolfSSL | 13:f67a6c6013ca | 1385 | } |
wolfSSL | 13:f67a6c6013ca | 1386 | |
wolfSSL | 13:f67a6c6013ca | 1387 | return ret; |
wolfSSL | 13:f67a6c6013ca | 1388 | } |
wolfSSL | 13:f67a6c6013ca | 1389 | |
wolfSSL | 13:f67a6c6013ca | 1390 | |
wolfSSL | 13:f67a6c6013ca | 1391 | /* Internal Wrappers */ |
wolfSSL | 13:f67a6c6013ca | 1392 | /* Gives the option of choosing padding type |
wolfSSL | 13:f67a6c6013ca | 1393 | in : input to be encrypted |
wolfSSL | 13:f67a6c6013ca | 1394 | inLen: length of input buffer |
wolfSSL | 13:f67a6c6013ca | 1395 | out: encrypted output |
wolfSSL | 13:f67a6c6013ca | 1396 | outLen: length of encrypted output buffer |
wolfSSL | 13:f67a6c6013ca | 1397 | key : wolfSSL initialized RSA key struct |
wolfSSL | 13:f67a6c6013ca | 1398 | rng : wolfSSL initialized random number struct |
wolfSSL | 13:f67a6c6013ca | 1399 | rsa_type : type of RSA: RSA_PUBLIC_ENCRYPT, RSA_PUBLIC_DECRYPT, |
wolfSSL | 13:f67a6c6013ca | 1400 | RSA_PRIVATE_ENCRYPT or RSA_PRIVATE_DECRYPT |
wolfSSL | 13:f67a6c6013ca | 1401 | pad_value: RSA_BLOCK_TYPE_1 or RSA_BLOCK_TYPE_2 |
wolfSSL | 13:f67a6c6013ca | 1402 | pad_type : type of padding: WC_RSA_PKCSV15_PAD, WC_RSA_OAEP_PAD or |
wolfSSL | 13:f67a6c6013ca | 1403 | WC_RSA_PSS_PAD |
wolfSSL | 13:f67a6c6013ca | 1404 | hash : type of hash algorithm to use found in wolfssl/wolfcrypt/hash.h |
wolfSSL | 13:f67a6c6013ca | 1405 | mgf : type of mask generation function to use |
wolfSSL | 13:f67a6c6013ca | 1406 | label : optional label |
wolfSSL | 13:f67a6c6013ca | 1407 | labelSz : size of optional label buffer */ |
wolfSSL | 13:f67a6c6013ca | 1408 | static int RsaPublicEncryptEx(const byte* in, word32 inLen, byte* out, |
wolfSSL | 13:f67a6c6013ca | 1409 | word32 outLen, RsaKey* key, int rsa_type, |
wolfSSL | 13:f67a6c6013ca | 1410 | byte pad_value, int pad_type, |
wolfSSL | 13:f67a6c6013ca | 1411 | enum wc_HashType hash, int mgf, |
wolfSSL | 13:f67a6c6013ca | 1412 | byte* label, word32 labelSz, WC_RNG* rng) |
wolfSSL | 13:f67a6c6013ca | 1413 | { |
wolfSSL | 13:f67a6c6013ca | 1414 | int ret, sz; |
wolfSSL | 13:f67a6c6013ca | 1415 | |
wolfSSL | 13:f67a6c6013ca | 1416 | if (in == NULL || inLen == 0 || out == NULL || key == NULL) { |
wolfSSL | 13:f67a6c6013ca | 1417 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 1418 | } |
wolfSSL | 13:f67a6c6013ca | 1419 | |
wolfSSL | 13:f67a6c6013ca | 1420 | sz = wc_RsaEncryptSize(key); |
wolfSSL | 13:f67a6c6013ca | 1421 | if (sz > (int)outLen) { |
wolfSSL | 13:f67a6c6013ca | 1422 | return RSA_BUFFER_E; |
wolfSSL | 13:f67a6c6013ca | 1423 | } |
wolfSSL | 13:f67a6c6013ca | 1424 | |
wolfSSL | 13:f67a6c6013ca | 1425 | if (sz < RSA_MIN_PAD_SZ) { |
wolfSSL | 13:f67a6c6013ca | 1426 | return WC_KEY_SIZE_E; |
wolfSSL | 13:f67a6c6013ca | 1427 | } |
wolfSSL | 13:f67a6c6013ca | 1428 | |
wolfSSL | 13:f67a6c6013ca | 1429 | if (inLen > (word32)(sz - RSA_MIN_PAD_SZ)) { |
wolfSSL | 13:f67a6c6013ca | 1430 | return RSA_BUFFER_E; |
wolfSSL | 13:f67a6c6013ca | 1431 | } |
wolfSSL | 13:f67a6c6013ca | 1432 | |
wolfSSL | 13:f67a6c6013ca | 1433 | switch (key->state) { |
wolfSSL | 13:f67a6c6013ca | 1434 | case RSA_STATE_NONE: |
wolfSSL | 13:f67a6c6013ca | 1435 | case RSA_STATE_ENCRYPT_PAD: |
wolfSSL | 13:f67a6c6013ca | 1436 | key->state = RSA_STATE_ENCRYPT_PAD; |
wolfSSL | 13:f67a6c6013ca | 1437 | |
wolfSSL | 13:f67a6c6013ca | 1438 | #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_RSA) && \ |
wolfSSL | 13:f67a6c6013ca | 1439 | defined(HAVE_CAVIUM) |
wolfSSL | 13:f67a6c6013ca | 1440 | if (key->asyncDev.marker == WOLFSSL_ASYNC_MARKER_RSA && key->n.raw.buf) { |
wolfSSL | 13:f67a6c6013ca | 1441 | /* Async operations that include padding */ |
wolfSSL | 13:f67a6c6013ca | 1442 | if (rsa_type == RSA_PUBLIC_ENCRYPT && |
wolfSSL | 13:f67a6c6013ca | 1443 | pad_value == RSA_BLOCK_TYPE_2) { |
wolfSSL | 13:f67a6c6013ca | 1444 | key->state = RSA_STATE_ENCRYPT_RES; |
wolfSSL | 13:f67a6c6013ca | 1445 | key->dataLen = key->n.raw.len; |
wolfSSL | 13:f67a6c6013ca | 1446 | return NitroxRsaPublicEncrypt(in, inLen, out, outLen, key); |
wolfSSL | 13:f67a6c6013ca | 1447 | } |
wolfSSL | 13:f67a6c6013ca | 1448 | else if (rsa_type == RSA_PRIVATE_ENCRYPT && |
wolfSSL | 13:f67a6c6013ca | 1449 | pad_value == RSA_BLOCK_TYPE_1) { |
wolfSSL | 13:f67a6c6013ca | 1450 | key->state = RSA_STATE_ENCRYPT_RES; |
wolfSSL | 13:f67a6c6013ca | 1451 | key->dataLen = key->n.raw.len; |
wolfSSL | 13:f67a6c6013ca | 1452 | return NitroxRsaSSL_Sign(in, inLen, out, outLen, key); |
wolfSSL | 13:f67a6c6013ca | 1453 | } |
wolfSSL | 13:f67a6c6013ca | 1454 | } |
wolfSSL | 13:f67a6c6013ca | 1455 | #endif |
wolfSSL | 13:f67a6c6013ca | 1456 | |
wolfSSL | 13:f67a6c6013ca | 1457 | ret = wc_RsaPad_ex(in, inLen, out, sz, pad_value, rng, pad_type, hash, |
wolfSSL | 13:f67a6c6013ca | 1458 | mgf, label, labelSz, mp_count_bits(&key->n), |
wolfSSL | 13:f67a6c6013ca | 1459 | key->heap); |
wolfSSL | 13:f67a6c6013ca | 1460 | if (ret < 0) { |
wolfSSL | 13:f67a6c6013ca | 1461 | break; |
wolfSSL | 13:f67a6c6013ca | 1462 | } |
wolfSSL | 13:f67a6c6013ca | 1463 | |
wolfSSL | 13:f67a6c6013ca | 1464 | key->state = RSA_STATE_ENCRYPT_EXPTMOD; |
wolfSSL | 13:f67a6c6013ca | 1465 | |
wolfSSL | 13:f67a6c6013ca | 1466 | FALL_THROUGH; |
wolfSSL | 13:f67a6c6013ca | 1467 | |
wolfSSL | 13:f67a6c6013ca | 1468 | case RSA_STATE_ENCRYPT_EXPTMOD: |
wolfSSL | 13:f67a6c6013ca | 1469 | |
wolfSSL | 13:f67a6c6013ca | 1470 | key->dataLen = outLen; |
wolfSSL | 13:f67a6c6013ca | 1471 | ret = wc_RsaFunction(out, sz, out, &key->dataLen, rsa_type, key, rng); |
wolfSSL | 13:f67a6c6013ca | 1472 | |
wolfSSL | 13:f67a6c6013ca | 1473 | if (ret >= 0 || ret == WC_PENDING_E) { |
wolfSSL | 13:f67a6c6013ca | 1474 | key->state = RSA_STATE_ENCRYPT_RES; |
wolfSSL | 13:f67a6c6013ca | 1475 | } |
wolfSSL | 13:f67a6c6013ca | 1476 | if (ret < 0) { |
wolfSSL | 13:f67a6c6013ca | 1477 | break; |
wolfSSL | 13:f67a6c6013ca | 1478 | } |
wolfSSL | 13:f67a6c6013ca | 1479 | |
wolfSSL | 13:f67a6c6013ca | 1480 | FALL_THROUGH; |
wolfSSL | 13:f67a6c6013ca | 1481 | |
wolfSSL | 13:f67a6c6013ca | 1482 | case RSA_STATE_ENCRYPT_RES: |
wolfSSL | 13:f67a6c6013ca | 1483 | ret = key->dataLen; |
wolfSSL | 13:f67a6c6013ca | 1484 | break; |
wolfSSL | 13:f67a6c6013ca | 1485 | |
wolfSSL | 13:f67a6c6013ca | 1486 | default: |
wolfSSL | 13:f67a6c6013ca | 1487 | ret = BAD_STATE_E; |
wolfSSL | 13:f67a6c6013ca | 1488 | break; |
wolfSSL | 13:f67a6c6013ca | 1489 | } |
wolfSSL | 13:f67a6c6013ca | 1490 | |
wolfSSL | 13:f67a6c6013ca | 1491 | /* if async pending then return and skip done cleanup below */ |
wolfSSL | 13:f67a6c6013ca | 1492 | if (ret == WC_PENDING_E) { |
wolfSSL | 13:f67a6c6013ca | 1493 | return ret; |
wolfSSL | 13:f67a6c6013ca | 1494 | } |
wolfSSL | 13:f67a6c6013ca | 1495 | |
wolfSSL | 13:f67a6c6013ca | 1496 | key->state = RSA_STATE_NONE; |
wolfSSL | 13:f67a6c6013ca | 1497 | wc_RsaCleanup(key); |
wolfSSL | 13:f67a6c6013ca | 1498 | |
wolfSSL | 13:f67a6c6013ca | 1499 | return ret; |
wolfSSL | 13:f67a6c6013ca | 1500 | } |
wolfSSL | 13:f67a6c6013ca | 1501 | |
wolfSSL | 13:f67a6c6013ca | 1502 | /* Gives the option of choosing padding type |
wolfSSL | 13:f67a6c6013ca | 1503 | in : input to be decrypted |
wolfSSL | 13:f67a6c6013ca | 1504 | inLen: length of input buffer |
wolfSSL | 13:f67a6c6013ca | 1505 | out: decrypted message |
wolfSSL | 13:f67a6c6013ca | 1506 | outLen: length of decrypted message in bytes |
wolfSSL | 13:f67a6c6013ca | 1507 | outPtr: optional inline output pointer (if provided doing inline) |
wolfSSL | 13:f67a6c6013ca | 1508 | key : wolfSSL initialized RSA key struct |
wolfSSL | 13:f67a6c6013ca | 1509 | rsa_type : type of RSA: RSA_PUBLIC_ENCRYPT, RSA_PUBLIC_DECRYPT, |
wolfSSL | 13:f67a6c6013ca | 1510 | RSA_PRIVATE_ENCRYPT or RSA_PRIVATE_DECRYPT |
wolfSSL | 13:f67a6c6013ca | 1511 | pad_value: RSA_BLOCK_TYPE_1 or RSA_BLOCK_TYPE_2 |
wolfSSL | 13:f67a6c6013ca | 1512 | pad_type : type of padding: WC_RSA_PKCSV15_PAD, WC_RSA_OAEP_PAD |
wolfSSL | 13:f67a6c6013ca | 1513 | WC_RSA_PSS_PAD |
wolfSSL | 13:f67a6c6013ca | 1514 | hash : type of hash algorithm to use found in wolfssl/wolfcrypt/hash.h |
wolfSSL | 13:f67a6c6013ca | 1515 | mgf : type of mask generation function to use |
wolfSSL | 13:f67a6c6013ca | 1516 | label : optional label |
wolfSSL | 13:f67a6c6013ca | 1517 | labelSz : size of optional label buffer */ |
wolfSSL | 13:f67a6c6013ca | 1518 | static int RsaPrivateDecryptEx(byte* in, word32 inLen, byte* out, |
wolfSSL | 13:f67a6c6013ca | 1519 | word32 outLen, byte** outPtr, RsaKey* key, |
wolfSSL | 13:f67a6c6013ca | 1520 | int rsa_type, byte pad_value, int pad_type, |
wolfSSL | 13:f67a6c6013ca | 1521 | enum wc_HashType hash, int mgf, |
wolfSSL | 13:f67a6c6013ca | 1522 | byte* label, word32 labelSz, WC_RNG* rng) |
wolfSSL | 13:f67a6c6013ca | 1523 | { |
wolfSSL | 13:f67a6c6013ca | 1524 | int ret = RSA_WRONG_TYPE_E; |
wolfSSL | 13:f67a6c6013ca | 1525 | |
wolfSSL | 13:f67a6c6013ca | 1526 | if (in == NULL || inLen == 0 || out == NULL || key == NULL) { |
wolfSSL | 13:f67a6c6013ca | 1527 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 1528 | } |
wolfSSL | 13:f67a6c6013ca | 1529 | |
wolfSSL | 13:f67a6c6013ca | 1530 | switch (key->state) { |
wolfSSL | 13:f67a6c6013ca | 1531 | case RSA_STATE_NONE: |
wolfSSL | 13:f67a6c6013ca | 1532 | case RSA_STATE_DECRYPT_EXPTMOD: |
wolfSSL | 13:f67a6c6013ca | 1533 | key->state = RSA_STATE_DECRYPT_EXPTMOD; |
wolfSSL | 13:f67a6c6013ca | 1534 | key->dataLen = inLen; |
wolfSSL | 13:f67a6c6013ca | 1535 | |
wolfSSL | 13:f67a6c6013ca | 1536 | #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_RSA) && \ |
wolfSSL | 13:f67a6c6013ca | 1537 | defined(HAVE_CAVIUM) |
wolfSSL | 13:f67a6c6013ca | 1538 | /* Async operations that include padding */ |
wolfSSL | 13:f67a6c6013ca | 1539 | if (key->asyncDev.marker == WOLFSSL_ASYNC_MARKER_RSA) { |
wolfSSL | 13:f67a6c6013ca | 1540 | if (rsa_type == RSA_PRIVATE_DECRYPT && |
wolfSSL | 13:f67a6c6013ca | 1541 | pad_value == RSA_BLOCK_TYPE_2) { |
wolfSSL | 13:f67a6c6013ca | 1542 | key->state = RSA_STATE_DECRYPT_RES; |
wolfSSL | 13:f67a6c6013ca | 1543 | key->data = NULL; |
wolfSSL | 13:f67a6c6013ca | 1544 | if (outPtr) |
wolfSSL | 13:f67a6c6013ca | 1545 | *outPtr = in; |
wolfSSL | 13:f67a6c6013ca | 1546 | return NitroxRsaPrivateDecrypt(in, inLen, out, &key->dataLen, key); |
wolfSSL | 13:f67a6c6013ca | 1547 | } |
wolfSSL | 13:f67a6c6013ca | 1548 | else if (rsa_type == RSA_PUBLIC_DECRYPT && |
wolfSSL | 13:f67a6c6013ca | 1549 | pad_value == RSA_BLOCK_TYPE_1) { |
wolfSSL | 13:f67a6c6013ca | 1550 | key->state = RSA_STATE_DECRYPT_RES; |
wolfSSL | 13:f67a6c6013ca | 1551 | key->data = NULL; |
wolfSSL | 13:f67a6c6013ca | 1552 | return NitroxRsaSSL_Verify(in, inLen, out, &key->dataLen, key); |
wolfSSL | 13:f67a6c6013ca | 1553 | } |
wolfSSL | 13:f67a6c6013ca | 1554 | } |
wolfSSL | 13:f67a6c6013ca | 1555 | #endif |
wolfSSL | 13:f67a6c6013ca | 1556 | |
wolfSSL | 13:f67a6c6013ca | 1557 | /* verify the tmp ptr is NULL, otherwise indicates bad state */ |
wolfSSL | 13:f67a6c6013ca | 1558 | if (key->data != NULL) { |
wolfSSL | 13:f67a6c6013ca | 1559 | ret = BAD_STATE_E; |
wolfSSL | 13:f67a6c6013ca | 1560 | break; |
wolfSSL | 13:f67a6c6013ca | 1561 | } |
wolfSSL | 13:f67a6c6013ca | 1562 | |
wolfSSL | 13:f67a6c6013ca | 1563 | /* if not doing this inline then allocate a buffer for it */ |
wolfSSL | 13:f67a6c6013ca | 1564 | if (outPtr == NULL) { |
wolfSSL | 13:f67a6c6013ca | 1565 | key->data = (byte*)XMALLOC(inLen, key->heap, DYNAMIC_TYPE_WOLF_BIGINT); |
wolfSSL | 13:f67a6c6013ca | 1566 | key->dataIsAlloc = 1; |
wolfSSL | 13:f67a6c6013ca | 1567 | if (key->data == NULL) { |
wolfSSL | 13:f67a6c6013ca | 1568 | ret = MEMORY_E; |
wolfSSL | 13:f67a6c6013ca | 1569 | break; |
wolfSSL | 13:f67a6c6013ca | 1570 | } |
wolfSSL | 13:f67a6c6013ca | 1571 | XMEMCPY(key->data, in, inLen); |
wolfSSL | 13:f67a6c6013ca | 1572 | } |
wolfSSL | 13:f67a6c6013ca | 1573 | else { |
wolfSSL | 13:f67a6c6013ca | 1574 | key->data = out; |
wolfSSL | 13:f67a6c6013ca | 1575 | } |
wolfSSL | 13:f67a6c6013ca | 1576 | ret = wc_RsaFunction(key->data, inLen, key->data, &key->dataLen, rsa_type, |
wolfSSL | 13:f67a6c6013ca | 1577 | key, rng); |
wolfSSL | 13:f67a6c6013ca | 1578 | |
wolfSSL | 13:f67a6c6013ca | 1579 | if (ret >= 0 || ret == WC_PENDING_E) { |
wolfSSL | 13:f67a6c6013ca | 1580 | key->state = RSA_STATE_DECRYPT_UNPAD; |
wolfSSL | 13:f67a6c6013ca | 1581 | } |
wolfSSL | 13:f67a6c6013ca | 1582 | if (ret < 0) { |
wolfSSL | 13:f67a6c6013ca | 1583 | break; |
wolfSSL | 13:f67a6c6013ca | 1584 | } |
wolfSSL | 13:f67a6c6013ca | 1585 | |
wolfSSL | 13:f67a6c6013ca | 1586 | FALL_THROUGH; |
wolfSSL | 13:f67a6c6013ca | 1587 | |
wolfSSL | 13:f67a6c6013ca | 1588 | case RSA_STATE_DECRYPT_UNPAD: |
wolfSSL | 13:f67a6c6013ca | 1589 | { |
wolfSSL | 13:f67a6c6013ca | 1590 | byte* pad = NULL; |
wolfSSL | 13:f67a6c6013ca | 1591 | ret = wc_RsaUnPad_ex(key->data, key->dataLen, &pad, pad_value, pad_type, |
wolfSSL | 13:f67a6c6013ca | 1592 | hash, mgf, label, labelSz, mp_count_bits(&key->n), |
wolfSSL | 13:f67a6c6013ca | 1593 | key->heap); |
wolfSSL | 13:f67a6c6013ca | 1594 | if (ret > 0 && ret <= (int)outLen && pad != NULL) { |
wolfSSL | 13:f67a6c6013ca | 1595 | /* only copy output if not inline */ |
wolfSSL | 13:f67a6c6013ca | 1596 | if (outPtr == NULL) { |
wolfSSL | 13:f67a6c6013ca | 1597 | XMEMCPY(out, pad, ret); |
wolfSSL | 13:f67a6c6013ca | 1598 | } |
wolfSSL | 13:f67a6c6013ca | 1599 | else { |
wolfSSL | 13:f67a6c6013ca | 1600 | *outPtr = pad; |
wolfSSL | 13:f67a6c6013ca | 1601 | } |
wolfSSL | 13:f67a6c6013ca | 1602 | } |
wolfSSL | 13:f67a6c6013ca | 1603 | else if (ret >= 0) { |
wolfSSL | 13:f67a6c6013ca | 1604 | ret = RSA_BUFFER_E; |
wolfSSL | 13:f67a6c6013ca | 1605 | } |
wolfSSL | 13:f67a6c6013ca | 1606 | if (ret < 0) { |
wolfSSL | 13:f67a6c6013ca | 1607 | break; |
wolfSSL | 13:f67a6c6013ca | 1608 | } |
wolfSSL | 13:f67a6c6013ca | 1609 | |
wolfSSL | 13:f67a6c6013ca | 1610 | key->state = RSA_STATE_DECRYPT_RES; |
wolfSSL | 13:f67a6c6013ca | 1611 | |
wolfSSL | 13:f67a6c6013ca | 1612 | FALL_THROUGH; |
wolfSSL | 13:f67a6c6013ca | 1613 | } |
wolfSSL | 13:f67a6c6013ca | 1614 | case RSA_STATE_DECRYPT_RES: |
wolfSSL | 13:f67a6c6013ca | 1615 | #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_RSA) && \ |
wolfSSL | 13:f67a6c6013ca | 1616 | defined(HAVE_CAVIUM) |
wolfSSL | 13:f67a6c6013ca | 1617 | if (key->asyncDev.marker == WOLFSSL_ASYNC_MARKER_RSA) { |
wolfSSL | 13:f67a6c6013ca | 1618 | /* return event ret */ |
wolfSSL | 13:f67a6c6013ca | 1619 | ret = key->asyncDev.event.ret; |
wolfSSL | 13:f67a6c6013ca | 1620 | if (ret == 0) { |
wolfSSL | 13:f67a6c6013ca | 1621 | /* convert result */ |
wolfSSL | 13:f67a6c6013ca | 1622 | byte* dataLen = (byte*)&key->dataLen; |
wolfSSL | 13:f67a6c6013ca | 1623 | ret = (dataLen[0] << 8) | (dataLen[1]); |
wolfSSL | 13:f67a6c6013ca | 1624 | } |
wolfSSL | 13:f67a6c6013ca | 1625 | } |
wolfSSL | 13:f67a6c6013ca | 1626 | #endif |
wolfSSL | 13:f67a6c6013ca | 1627 | break; |
wolfSSL | 13:f67a6c6013ca | 1628 | |
wolfSSL | 13:f67a6c6013ca | 1629 | default: |
wolfSSL | 13:f67a6c6013ca | 1630 | ret = BAD_STATE_E; |
wolfSSL | 13:f67a6c6013ca | 1631 | break; |
wolfSSL | 13:f67a6c6013ca | 1632 | } |
wolfSSL | 13:f67a6c6013ca | 1633 | |
wolfSSL | 13:f67a6c6013ca | 1634 | /* if async pending then return and skip done cleanup below */ |
wolfSSL | 13:f67a6c6013ca | 1635 | if (ret == WC_PENDING_E) { |
wolfSSL | 13:f67a6c6013ca | 1636 | return ret; |
wolfSSL | 13:f67a6c6013ca | 1637 | } |
wolfSSL | 13:f67a6c6013ca | 1638 | |
wolfSSL | 13:f67a6c6013ca | 1639 | key->state = RSA_STATE_NONE; |
wolfSSL | 13:f67a6c6013ca | 1640 | wc_RsaCleanup(key); |
wolfSSL | 13:f67a6c6013ca | 1641 | |
wolfSSL | 13:f67a6c6013ca | 1642 | return ret; |
wolfSSL | 13:f67a6c6013ca | 1643 | } |
wolfSSL | 13:f67a6c6013ca | 1644 | |
wolfSSL | 13:f67a6c6013ca | 1645 | |
wolfSSL | 13:f67a6c6013ca | 1646 | /* Public RSA Functions */ |
wolfSSL | 13:f67a6c6013ca | 1647 | int wc_RsaPublicEncrypt(const byte* in, word32 inLen, byte* out, word32 outLen, |
wolfSSL | 13:f67a6c6013ca | 1648 | RsaKey* key, WC_RNG* rng) |
wolfSSL | 13:f67a6c6013ca | 1649 | { |
wolfSSL | 13:f67a6c6013ca | 1650 | return RsaPublicEncryptEx(in, inLen, out, outLen, key, |
wolfSSL | 13:f67a6c6013ca | 1651 | RSA_PUBLIC_ENCRYPT, RSA_BLOCK_TYPE_2, WC_RSA_PKCSV15_PAD, |
wolfSSL | 13:f67a6c6013ca | 1652 | WC_HASH_TYPE_NONE, WC_MGF1NONE, NULL, 0, rng); |
wolfSSL | 13:f67a6c6013ca | 1653 | } |
wolfSSL | 13:f67a6c6013ca | 1654 | |
wolfSSL | 13:f67a6c6013ca | 1655 | |
wolfSSL | 13:f67a6c6013ca | 1656 | #ifndef WC_NO_RSA_OAEP |
wolfSSL | 13:f67a6c6013ca | 1657 | int wc_RsaPublicEncrypt_ex(const byte* in, word32 inLen, byte* out, |
wolfSSL | 13:f67a6c6013ca | 1658 | word32 outLen, RsaKey* key, WC_RNG* rng, int type, |
wolfSSL | 13:f67a6c6013ca | 1659 | enum wc_HashType hash, int mgf, byte* label, |
wolfSSL | 13:f67a6c6013ca | 1660 | word32 labelSz) |
wolfSSL | 13:f67a6c6013ca | 1661 | { |
wolfSSL | 13:f67a6c6013ca | 1662 | return RsaPublicEncryptEx(in, inLen, out, outLen, key, RSA_PUBLIC_ENCRYPT, |
wolfSSL | 13:f67a6c6013ca | 1663 | RSA_BLOCK_TYPE_2, type, hash, mgf, label, labelSz, rng); |
wolfSSL | 13:f67a6c6013ca | 1664 | } |
wolfSSL | 13:f67a6c6013ca | 1665 | #endif /* WC_NO_RSA_OAEP */ |
wolfSSL | 13:f67a6c6013ca | 1666 | |
wolfSSL | 13:f67a6c6013ca | 1667 | |
wolfSSL | 13:f67a6c6013ca | 1668 | int wc_RsaPrivateDecryptInline(byte* in, word32 inLen, byte** out, RsaKey* key) |
wolfSSL | 13:f67a6c6013ca | 1669 | { |
wolfSSL | 13:f67a6c6013ca | 1670 | WC_RNG* rng = NULL; |
wolfSSL | 13:f67a6c6013ca | 1671 | #ifdef WC_RSA_BLINDING |
wolfSSL | 13:f67a6c6013ca | 1672 | rng = key->rng; |
wolfSSL | 13:f67a6c6013ca | 1673 | #endif |
wolfSSL | 13:f67a6c6013ca | 1674 | return RsaPrivateDecryptEx(in, inLen, in, inLen, out, key, |
wolfSSL | 13:f67a6c6013ca | 1675 | RSA_PRIVATE_DECRYPT, RSA_BLOCK_TYPE_2, WC_RSA_PKCSV15_PAD, |
wolfSSL | 13:f67a6c6013ca | 1676 | WC_HASH_TYPE_NONE, WC_MGF1NONE, NULL, 0, rng); |
wolfSSL | 13:f67a6c6013ca | 1677 | } |
wolfSSL | 13:f67a6c6013ca | 1678 | |
wolfSSL | 13:f67a6c6013ca | 1679 | |
wolfSSL | 13:f67a6c6013ca | 1680 | #ifndef WC_NO_RSA_OAEP |
wolfSSL | 13:f67a6c6013ca | 1681 | int wc_RsaPrivateDecryptInline_ex(byte* in, word32 inLen, byte** out, |
wolfSSL | 13:f67a6c6013ca | 1682 | RsaKey* key, int type, enum wc_HashType hash, |
wolfSSL | 13:f67a6c6013ca | 1683 | int mgf, byte* label, word32 labelSz) |
wolfSSL | 13:f67a6c6013ca | 1684 | { |
wolfSSL | 13:f67a6c6013ca | 1685 | WC_RNG* rng = NULL; |
wolfSSL | 13:f67a6c6013ca | 1686 | #ifdef WC_RSA_BLINDING |
wolfSSL | 13:f67a6c6013ca | 1687 | rng = key->rng; |
wolfSSL | 13:f67a6c6013ca | 1688 | #endif |
wolfSSL | 13:f67a6c6013ca | 1689 | return RsaPrivateDecryptEx(in, inLen, in, inLen, out, key, |
wolfSSL | 13:f67a6c6013ca | 1690 | RSA_PRIVATE_DECRYPT, RSA_BLOCK_TYPE_2, type, hash, |
wolfSSL | 13:f67a6c6013ca | 1691 | mgf, label, labelSz, rng); |
wolfSSL | 13:f67a6c6013ca | 1692 | } |
wolfSSL | 13:f67a6c6013ca | 1693 | #endif /* WC_NO_RSA_OAEP */ |
wolfSSL | 13:f67a6c6013ca | 1694 | |
wolfSSL | 13:f67a6c6013ca | 1695 | |
wolfSSL | 13:f67a6c6013ca | 1696 | int wc_RsaPrivateDecrypt(const byte* in, word32 inLen, byte* out, |
wolfSSL | 13:f67a6c6013ca | 1697 | word32 outLen, RsaKey* key) |
wolfSSL | 13:f67a6c6013ca | 1698 | { |
wolfSSL | 13:f67a6c6013ca | 1699 | WC_RNG* rng = NULL; |
wolfSSL | 13:f67a6c6013ca | 1700 | #ifdef WC_RSA_BLINDING |
wolfSSL | 13:f67a6c6013ca | 1701 | rng = key->rng; |
wolfSSL | 13:f67a6c6013ca | 1702 | #endif |
wolfSSL | 13:f67a6c6013ca | 1703 | return RsaPrivateDecryptEx((byte*)in, inLen, out, outLen, NULL, key, |
wolfSSL | 13:f67a6c6013ca | 1704 | RSA_PRIVATE_DECRYPT, RSA_BLOCK_TYPE_2, WC_RSA_PKCSV15_PAD, |
wolfSSL | 13:f67a6c6013ca | 1705 | WC_HASH_TYPE_NONE, WC_MGF1NONE, NULL, 0, rng); |
wolfSSL | 13:f67a6c6013ca | 1706 | } |
wolfSSL | 13:f67a6c6013ca | 1707 | |
wolfSSL | 13:f67a6c6013ca | 1708 | #ifndef WC_NO_RSA_OAEP |
wolfSSL | 13:f67a6c6013ca | 1709 | int wc_RsaPrivateDecrypt_ex(const byte* in, word32 inLen, byte* out, |
wolfSSL | 13:f67a6c6013ca | 1710 | word32 outLen, RsaKey* key, int type, |
wolfSSL | 13:f67a6c6013ca | 1711 | enum wc_HashType hash, int mgf, byte* label, |
wolfSSL | 13:f67a6c6013ca | 1712 | word32 labelSz) |
wolfSSL | 13:f67a6c6013ca | 1713 | { |
wolfSSL | 13:f67a6c6013ca | 1714 | WC_RNG* rng = NULL; |
wolfSSL | 13:f67a6c6013ca | 1715 | #ifdef WC_RSA_BLINDING |
wolfSSL | 13:f67a6c6013ca | 1716 | rng = key->rng; |
wolfSSL | 13:f67a6c6013ca | 1717 | #endif |
wolfSSL | 13:f67a6c6013ca | 1718 | return RsaPrivateDecryptEx((byte*)in, inLen, out, outLen, NULL, key, |
wolfSSL | 13:f67a6c6013ca | 1719 | RSA_PRIVATE_DECRYPT, RSA_BLOCK_TYPE_2, type, hash, mgf, label, |
wolfSSL | 13:f67a6c6013ca | 1720 | labelSz, rng); |
wolfSSL | 13:f67a6c6013ca | 1721 | } |
wolfSSL | 13:f67a6c6013ca | 1722 | #endif /* WC_NO_RSA_OAEP */ |
wolfSSL | 13:f67a6c6013ca | 1723 | |
wolfSSL | 13:f67a6c6013ca | 1724 | |
wolfSSL | 13:f67a6c6013ca | 1725 | int wc_RsaSSL_VerifyInline(byte* in, word32 inLen, byte** out, RsaKey* key) |
wolfSSL | 13:f67a6c6013ca | 1726 | { |
wolfSSL | 13:f67a6c6013ca | 1727 | WC_RNG* rng = NULL; |
wolfSSL | 13:f67a6c6013ca | 1728 | #ifdef WC_RSA_BLINDING |
wolfSSL | 13:f67a6c6013ca | 1729 | rng = key->rng; |
wolfSSL | 13:f67a6c6013ca | 1730 | #endif |
wolfSSL | 13:f67a6c6013ca | 1731 | return RsaPrivateDecryptEx(in, inLen, in, inLen, out, key, |
wolfSSL | 13:f67a6c6013ca | 1732 | RSA_PUBLIC_DECRYPT, RSA_BLOCK_TYPE_1, WC_RSA_PKCSV15_PAD, |
wolfSSL | 13:f67a6c6013ca | 1733 | WC_HASH_TYPE_NONE, WC_MGF1NONE, NULL, 0, rng); |
wolfSSL | 13:f67a6c6013ca | 1734 | } |
wolfSSL | 13:f67a6c6013ca | 1735 | |
wolfSSL | 13:f67a6c6013ca | 1736 | int wc_RsaSSL_Verify(const byte* in, word32 inLen, byte* out, word32 outLen, |
wolfSSL | 13:f67a6c6013ca | 1737 | RsaKey* key) |
wolfSSL | 13:f67a6c6013ca | 1738 | { |
wolfSSL | 13:f67a6c6013ca | 1739 | WC_RNG* rng; |
wolfSSL | 13:f67a6c6013ca | 1740 | |
wolfSSL | 13:f67a6c6013ca | 1741 | if (key == NULL) { |
wolfSSL | 13:f67a6c6013ca | 1742 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 1743 | } |
wolfSSL | 13:f67a6c6013ca | 1744 | |
wolfSSL | 13:f67a6c6013ca | 1745 | rng = NULL; |
wolfSSL | 13:f67a6c6013ca | 1746 | #ifdef WC_RSA_BLINDING |
wolfSSL | 13:f67a6c6013ca | 1747 | rng = key->rng; |
wolfSSL | 13:f67a6c6013ca | 1748 | #endif |
wolfSSL | 13:f67a6c6013ca | 1749 | return RsaPrivateDecryptEx((byte*)in, inLen, out, outLen, NULL, key, |
wolfSSL | 13:f67a6c6013ca | 1750 | RSA_PUBLIC_DECRYPT, RSA_BLOCK_TYPE_1, WC_RSA_PKCSV15_PAD, |
wolfSSL | 13:f67a6c6013ca | 1751 | WC_HASH_TYPE_NONE, WC_MGF1NONE, NULL, 0, rng); |
wolfSSL | 13:f67a6c6013ca | 1752 | } |
wolfSSL | 13:f67a6c6013ca | 1753 | |
wolfSSL | 13:f67a6c6013ca | 1754 | #ifdef WC_RSA_PSS |
wolfSSL | 13:f67a6c6013ca | 1755 | int wc_RsaPSS_VerifyInline(byte* in, word32 inLen, byte** out, |
wolfSSL | 13:f67a6c6013ca | 1756 | enum wc_HashType hash, int mgf, RsaKey* key) |
wolfSSL | 13:f67a6c6013ca | 1757 | { |
wolfSSL | 13:f67a6c6013ca | 1758 | WC_RNG* rng = NULL; |
wolfSSL | 13:f67a6c6013ca | 1759 | #ifdef WC_RSA_BLINDING |
wolfSSL | 13:f67a6c6013ca | 1760 | rng = key->rng; |
wolfSSL | 13:f67a6c6013ca | 1761 | #endif |
wolfSSL | 13:f67a6c6013ca | 1762 | return RsaPrivateDecryptEx(in, inLen, in, inLen, out, key, |
wolfSSL | 13:f67a6c6013ca | 1763 | RSA_PUBLIC_DECRYPT, RSA_BLOCK_TYPE_1, WC_RSA_PSS_PAD, |
wolfSSL | 13:f67a6c6013ca | 1764 | hash, mgf, NULL, 0, rng); |
wolfSSL | 13:f67a6c6013ca | 1765 | } |
wolfSSL | 13:f67a6c6013ca | 1766 | |
wolfSSL | 13:f67a6c6013ca | 1767 | /* Sig = 8 * 0x00 | Space for Message Hash | Salt | Exp Hash |
wolfSSL | 13:f67a6c6013ca | 1768 | * Exp Hash = HASH(8 * 0x00 | Message Hash | Salt) |
wolfSSL | 13:f67a6c6013ca | 1769 | */ |
wolfSSL | 13:f67a6c6013ca | 1770 | int wc_RsaPSS_CheckPadding(const byte* in, word32 inSz, byte* sig, |
wolfSSL | 13:f67a6c6013ca | 1771 | word32 sigSz, enum wc_HashType hashType) |
wolfSSL | 13:f67a6c6013ca | 1772 | { |
wolfSSL | 13:f67a6c6013ca | 1773 | int ret; |
wolfSSL | 13:f67a6c6013ca | 1774 | |
wolfSSL | 13:f67a6c6013ca | 1775 | if (in == NULL || sig == NULL || |
wolfSSL | 13:f67a6c6013ca | 1776 | inSz != (word32)wc_HashGetDigestSize(hashType) || |
wolfSSL | 13:f67a6c6013ca | 1777 | sigSz != RSA_PSS_PAD_SZ + inSz * 3) |
wolfSSL | 13:f67a6c6013ca | 1778 | ret = BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 1779 | else { |
wolfSSL | 13:f67a6c6013ca | 1780 | XMEMCPY(sig + RSA_PSS_PAD_SZ, in, inSz); |
wolfSSL | 13:f67a6c6013ca | 1781 | ret = wc_Hash(hashType, sig, RSA_PSS_PAD_SZ + inSz * 2, sig, inSz); |
wolfSSL | 13:f67a6c6013ca | 1782 | if (ret != 0) |
wolfSSL | 13:f67a6c6013ca | 1783 | return ret; |
wolfSSL | 13:f67a6c6013ca | 1784 | if (XMEMCMP(sig, sig + RSA_PSS_PAD_SZ + inSz * 2, inSz) != 0) |
wolfSSL | 13:f67a6c6013ca | 1785 | ret = BAD_PADDING_E; |
wolfSSL | 13:f67a6c6013ca | 1786 | else |
wolfSSL | 13:f67a6c6013ca | 1787 | ret = 0; |
wolfSSL | 13:f67a6c6013ca | 1788 | } |
wolfSSL | 13:f67a6c6013ca | 1789 | |
wolfSSL | 13:f67a6c6013ca | 1790 | return ret; |
wolfSSL | 13:f67a6c6013ca | 1791 | } |
wolfSSL | 13:f67a6c6013ca | 1792 | #endif |
wolfSSL | 13:f67a6c6013ca | 1793 | |
wolfSSL | 13:f67a6c6013ca | 1794 | int wc_RsaSSL_Sign(const byte* in, word32 inLen, byte* out, word32 outLen, |
wolfSSL | 13:f67a6c6013ca | 1795 | RsaKey* key, WC_RNG* rng) |
wolfSSL | 13:f67a6c6013ca | 1796 | { |
wolfSSL | 13:f67a6c6013ca | 1797 | return RsaPublicEncryptEx(in, inLen, out, outLen, key, |
wolfSSL | 13:f67a6c6013ca | 1798 | RSA_PRIVATE_ENCRYPT, RSA_BLOCK_TYPE_1, WC_RSA_PKCSV15_PAD, |
wolfSSL | 13:f67a6c6013ca | 1799 | WC_HASH_TYPE_NONE, WC_MGF1NONE, NULL, 0, rng); |
wolfSSL | 13:f67a6c6013ca | 1800 | } |
wolfSSL | 13:f67a6c6013ca | 1801 | |
wolfSSL | 13:f67a6c6013ca | 1802 | #ifdef WC_RSA_PSS |
wolfSSL | 13:f67a6c6013ca | 1803 | int wc_RsaPSS_Sign(const byte* in, word32 inLen, byte* out, word32 outLen, |
wolfSSL | 13:f67a6c6013ca | 1804 | enum wc_HashType hash, int mgf, RsaKey* key, WC_RNG* rng) |
wolfSSL | 13:f67a6c6013ca | 1805 | { |
wolfSSL | 13:f67a6c6013ca | 1806 | return RsaPublicEncryptEx(in, inLen, out, outLen, key, |
wolfSSL | 13:f67a6c6013ca | 1807 | RSA_PRIVATE_ENCRYPT, RSA_BLOCK_TYPE_1, WC_RSA_PSS_PAD, |
wolfSSL | 13:f67a6c6013ca | 1808 | hash, mgf, NULL, 0, rng); |
wolfSSL | 13:f67a6c6013ca | 1809 | } |
wolfSSL | 13:f67a6c6013ca | 1810 | #endif |
wolfSSL | 13:f67a6c6013ca | 1811 | |
wolfSSL | 13:f67a6c6013ca | 1812 | int wc_RsaEncryptSize(RsaKey* key) |
wolfSSL | 13:f67a6c6013ca | 1813 | { |
wolfSSL | 13:f67a6c6013ca | 1814 | if (key == NULL) { |
wolfSSL | 13:f67a6c6013ca | 1815 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 1816 | } |
wolfSSL | 13:f67a6c6013ca | 1817 | return mp_unsigned_bin_size(&key->n); |
wolfSSL | 13:f67a6c6013ca | 1818 | } |
wolfSSL | 13:f67a6c6013ca | 1819 | |
wolfSSL | 13:f67a6c6013ca | 1820 | |
wolfSSL | 13:f67a6c6013ca | 1821 | /* flatten RsaKey structure into individual elements (e, n) */ |
wolfSSL | 13:f67a6c6013ca | 1822 | int wc_RsaFlattenPublicKey(RsaKey* key, byte* e, word32* eSz, byte* n, |
wolfSSL | 13:f67a6c6013ca | 1823 | word32* nSz) |
wolfSSL | 13:f67a6c6013ca | 1824 | { |
wolfSSL | 13:f67a6c6013ca | 1825 | int sz, ret; |
wolfSSL | 13:f67a6c6013ca | 1826 | |
wolfSSL | 13:f67a6c6013ca | 1827 | if (key == NULL || e == NULL || eSz == NULL || n == NULL || nSz == NULL) { |
wolfSSL | 13:f67a6c6013ca | 1828 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 1829 | } |
wolfSSL | 13:f67a6c6013ca | 1830 | |
wolfSSL | 13:f67a6c6013ca | 1831 | sz = mp_unsigned_bin_size(&key->e); |
wolfSSL | 13:f67a6c6013ca | 1832 | if ((word32)sz > *eSz) |
wolfSSL | 13:f67a6c6013ca | 1833 | return RSA_BUFFER_E; |
wolfSSL | 13:f67a6c6013ca | 1834 | ret = mp_to_unsigned_bin(&key->e, e); |
wolfSSL | 13:f67a6c6013ca | 1835 | if (ret != MP_OKAY) |
wolfSSL | 13:f67a6c6013ca | 1836 | return ret; |
wolfSSL | 13:f67a6c6013ca | 1837 | *eSz = (word32)sz; |
wolfSSL | 13:f67a6c6013ca | 1838 | |
wolfSSL | 13:f67a6c6013ca | 1839 | sz = wc_RsaEncryptSize(key); |
wolfSSL | 13:f67a6c6013ca | 1840 | if ((word32)sz > *nSz) |
wolfSSL | 13:f67a6c6013ca | 1841 | return RSA_BUFFER_E; |
wolfSSL | 13:f67a6c6013ca | 1842 | ret = mp_to_unsigned_bin(&key->n, n); |
wolfSSL | 13:f67a6c6013ca | 1843 | if (ret != MP_OKAY) |
wolfSSL | 13:f67a6c6013ca | 1844 | return ret; |
wolfSSL | 13:f67a6c6013ca | 1845 | *nSz = (word32)sz; |
wolfSSL | 13:f67a6c6013ca | 1846 | |
wolfSSL | 13:f67a6c6013ca | 1847 | return 0; |
wolfSSL | 13:f67a6c6013ca | 1848 | } |
wolfSSL | 13:f67a6c6013ca | 1849 | |
wolfSSL | 13:f67a6c6013ca | 1850 | #ifdef WOLFSSL_KEY_GEN |
wolfSSL | 13:f67a6c6013ca | 1851 | /* Make an RSA key for size bits, with e specified, 65537 is a good e */ |
wolfSSL | 13:f67a6c6013ca | 1852 | int wc_MakeRsaKey(RsaKey* key, int size, long e, WC_RNG* rng) |
wolfSSL | 13:f67a6c6013ca | 1853 | { |
wolfSSL | 13:f67a6c6013ca | 1854 | mp_int p, q, tmp1, tmp2, tmp3; |
wolfSSL | 13:f67a6c6013ca | 1855 | int err; |
wolfSSL | 13:f67a6c6013ca | 1856 | |
wolfSSL | 13:f67a6c6013ca | 1857 | if (key == NULL || rng == NULL) |
wolfSSL | 13:f67a6c6013ca | 1858 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 1859 | |
wolfSSL | 13:f67a6c6013ca | 1860 | if (size < RSA_MIN_SIZE || size > RSA_MAX_SIZE) |
wolfSSL | 13:f67a6c6013ca | 1861 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 1862 | |
wolfSSL | 13:f67a6c6013ca | 1863 | if (e < 3 || (e & 1) == 0) |
wolfSSL | 13:f67a6c6013ca | 1864 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 1865 | |
wolfSSL | 13:f67a6c6013ca | 1866 | #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_RSA) |
wolfSSL | 13:f67a6c6013ca | 1867 | if (key->asyncDev.marker == WOLFSSL_ASYNC_MARKER_RSA) { |
wolfSSL | 13:f67a6c6013ca | 1868 | #ifdef HAVE_CAVIUM |
wolfSSL | 13:f67a6c6013ca | 1869 | /* TODO: Not implemented */ |
wolfSSL | 13:f67a6c6013ca | 1870 | #elif defined(HAVE_INTEL_QA) |
wolfSSL | 13:f67a6c6013ca | 1871 | /* TODO: Not implemented */ |
wolfSSL | 13:f67a6c6013ca | 1872 | #else |
wolfSSL | 13:f67a6c6013ca | 1873 | WC_ASYNC_TEST* testDev = &key->asyncDev.test; |
wolfSSL | 13:f67a6c6013ca | 1874 | if (testDev->type == ASYNC_TEST_NONE) { |
wolfSSL | 13:f67a6c6013ca | 1875 | testDev->type = ASYNC_TEST_RSA_MAKE; |
wolfSSL | 13:f67a6c6013ca | 1876 | testDev->rsaMake.rng = rng; |
wolfSSL | 13:f67a6c6013ca | 1877 | testDev->rsaMake.key = key; |
wolfSSL | 13:f67a6c6013ca | 1878 | testDev->rsaMake.size = size; |
wolfSSL | 13:f67a6c6013ca | 1879 | testDev->rsaMake.e = e; |
wolfSSL | 13:f67a6c6013ca | 1880 | return WC_PENDING_E; |
wolfSSL | 13:f67a6c6013ca | 1881 | } |
wolfSSL | 13:f67a6c6013ca | 1882 | #endif |
wolfSSL | 13:f67a6c6013ca | 1883 | } |
wolfSSL | 13:f67a6c6013ca | 1884 | #endif |
wolfSSL | 13:f67a6c6013ca | 1885 | |
wolfSSL | 13:f67a6c6013ca | 1886 | if ((err = mp_init_multi(&p, &q, &tmp1, &tmp2, &tmp3, NULL)) != MP_OKAY) |
wolfSSL | 13:f67a6c6013ca | 1887 | return err; |
wolfSSL | 13:f67a6c6013ca | 1888 | |
wolfSSL | 13:f67a6c6013ca | 1889 | err = mp_set_int(&tmp3, e); |
wolfSSL | 13:f67a6c6013ca | 1890 | |
wolfSSL | 13:f67a6c6013ca | 1891 | /* make p */ |
wolfSSL | 13:f67a6c6013ca | 1892 | if (err == MP_OKAY) { |
wolfSSL | 13:f67a6c6013ca | 1893 | do { |
wolfSSL | 13:f67a6c6013ca | 1894 | err = mp_rand_prime(&p, size/16, rng, key->heap); /* size in bytes/2 */ |
wolfSSL | 13:f67a6c6013ca | 1895 | |
wolfSSL | 13:f67a6c6013ca | 1896 | if (err == MP_OKAY) |
wolfSSL | 13:f67a6c6013ca | 1897 | err = mp_sub_d(&p, 1, &tmp1); /* tmp1 = p-1 */ |
wolfSSL | 13:f67a6c6013ca | 1898 | |
wolfSSL | 13:f67a6c6013ca | 1899 | if (err == MP_OKAY) |
wolfSSL | 13:f67a6c6013ca | 1900 | err = mp_gcd(&tmp1, &tmp3, &tmp2); /* tmp2 = gcd(p-1, e) */ |
wolfSSL | 13:f67a6c6013ca | 1901 | } while (err == MP_OKAY && mp_cmp_d(&tmp2, 1) != 0); /* e divides p-1 */ |
wolfSSL | 13:f67a6c6013ca | 1902 | } |
wolfSSL | 13:f67a6c6013ca | 1903 | |
wolfSSL | 13:f67a6c6013ca | 1904 | /* make q */ |
wolfSSL | 13:f67a6c6013ca | 1905 | if (err == MP_OKAY) { |
wolfSSL | 13:f67a6c6013ca | 1906 | do { |
wolfSSL | 13:f67a6c6013ca | 1907 | err = mp_rand_prime(&q, size/16, rng, key->heap); /* size in bytes/2 */ |
wolfSSL | 13:f67a6c6013ca | 1908 | |
wolfSSL | 13:f67a6c6013ca | 1909 | if (err == MP_OKAY) |
wolfSSL | 13:f67a6c6013ca | 1910 | err = mp_sub_d(&q, 1, &tmp1); /* tmp1 = q-1 */ |
wolfSSL | 13:f67a6c6013ca | 1911 | |
wolfSSL | 13:f67a6c6013ca | 1912 | if (err == MP_OKAY) |
wolfSSL | 13:f67a6c6013ca | 1913 | err = mp_gcd(&tmp1, &tmp3, &tmp2); /* tmp2 = gcd(q-1, e) */ |
wolfSSL | 13:f67a6c6013ca | 1914 | } while (err == MP_OKAY && mp_cmp_d(&tmp2, 1) != 0); /* e divides q-1 */ |
wolfSSL | 13:f67a6c6013ca | 1915 | } |
wolfSSL | 13:f67a6c6013ca | 1916 | |
wolfSSL | 13:f67a6c6013ca | 1917 | if (err == MP_OKAY) |
wolfSSL | 13:f67a6c6013ca | 1918 | err = mp_init_multi(&key->n, &key->e, &key->d, &key->p, &key->q, NULL); |
wolfSSL | 13:f67a6c6013ca | 1919 | |
wolfSSL | 13:f67a6c6013ca | 1920 | if (err == MP_OKAY) |
wolfSSL | 13:f67a6c6013ca | 1921 | err = mp_init_multi(&key->dP, &key->dQ, &key->u, NULL, NULL, NULL); |
wolfSSL | 13:f67a6c6013ca | 1922 | |
wolfSSL | 13:f67a6c6013ca | 1923 | if (err == MP_OKAY) |
wolfSSL | 13:f67a6c6013ca | 1924 | err = mp_sub_d(&p, 1, &tmp2); /* tmp2 = p-1 */ |
wolfSSL | 13:f67a6c6013ca | 1925 | |
wolfSSL | 13:f67a6c6013ca | 1926 | if (err == MP_OKAY) |
wolfSSL | 13:f67a6c6013ca | 1927 | err = mp_lcm(&tmp1, &tmp2, &tmp1); /* tmp1 = lcm(p-1, q-1),last loop */ |
wolfSSL | 13:f67a6c6013ca | 1928 | |
wolfSSL | 13:f67a6c6013ca | 1929 | /* make key */ |
wolfSSL | 13:f67a6c6013ca | 1930 | if (err == MP_OKAY) |
wolfSSL | 13:f67a6c6013ca | 1931 | err = mp_set_int(&key->e, (mp_digit)e); /* key->e = e */ |
wolfSSL | 13:f67a6c6013ca | 1932 | |
wolfSSL | 13:f67a6c6013ca | 1933 | if (err == MP_OKAY) /* key->d = 1/e mod lcm(p-1, q-1) */ |
wolfSSL | 13:f67a6c6013ca | 1934 | err = mp_invmod(&key->e, &tmp1, &key->d); |
wolfSSL | 13:f67a6c6013ca | 1935 | |
wolfSSL | 13:f67a6c6013ca | 1936 | if (err == MP_OKAY) |
wolfSSL | 13:f67a6c6013ca | 1937 | err = mp_mul(&p, &q, &key->n); /* key->n = pq */ |
wolfSSL | 13:f67a6c6013ca | 1938 | |
wolfSSL | 13:f67a6c6013ca | 1939 | if (err == MP_OKAY) |
wolfSSL | 13:f67a6c6013ca | 1940 | err = mp_sub_d(&p, 1, &tmp1); |
wolfSSL | 13:f67a6c6013ca | 1941 | |
wolfSSL | 13:f67a6c6013ca | 1942 | if (err == MP_OKAY) |
wolfSSL | 13:f67a6c6013ca | 1943 | err = mp_sub_d(&q, 1, &tmp2); |
wolfSSL | 13:f67a6c6013ca | 1944 | |
wolfSSL | 13:f67a6c6013ca | 1945 | if (err == MP_OKAY) |
wolfSSL | 13:f67a6c6013ca | 1946 | err = mp_mod(&key->d, &tmp1, &key->dP); |
wolfSSL | 13:f67a6c6013ca | 1947 | |
wolfSSL | 13:f67a6c6013ca | 1948 | if (err == MP_OKAY) |
wolfSSL | 13:f67a6c6013ca | 1949 | err = mp_mod(&key->d, &tmp2, &key->dQ); |
wolfSSL | 13:f67a6c6013ca | 1950 | |
wolfSSL | 13:f67a6c6013ca | 1951 | if (err == MP_OKAY) |
wolfSSL | 13:f67a6c6013ca | 1952 | err = mp_invmod(&q, &p, &key->u); |
wolfSSL | 13:f67a6c6013ca | 1953 | |
wolfSSL | 13:f67a6c6013ca | 1954 | if (err == MP_OKAY) |
wolfSSL | 13:f67a6c6013ca | 1955 | err = mp_copy(&p, &key->p); |
wolfSSL | 13:f67a6c6013ca | 1956 | |
wolfSSL | 13:f67a6c6013ca | 1957 | if (err == MP_OKAY) |
wolfSSL | 13:f67a6c6013ca | 1958 | err = mp_copy(&q, &key->q); |
wolfSSL | 13:f67a6c6013ca | 1959 | |
wolfSSL | 13:f67a6c6013ca | 1960 | if (err == MP_OKAY) |
wolfSSL | 13:f67a6c6013ca | 1961 | key->type = RSA_PRIVATE; |
wolfSSL | 13:f67a6c6013ca | 1962 | |
wolfSSL | 13:f67a6c6013ca | 1963 | mp_clear(&tmp3); |
wolfSSL | 13:f67a6c6013ca | 1964 | mp_clear(&tmp2); |
wolfSSL | 13:f67a6c6013ca | 1965 | mp_clear(&tmp1); |
wolfSSL | 13:f67a6c6013ca | 1966 | mp_clear(&q); |
wolfSSL | 13:f67a6c6013ca | 1967 | mp_clear(&p); |
wolfSSL | 13:f67a6c6013ca | 1968 | |
wolfSSL | 13:f67a6c6013ca | 1969 | if (err != MP_OKAY) { |
wolfSSL | 13:f67a6c6013ca | 1970 | wc_FreeRsaKey(key); |
wolfSSL | 13:f67a6c6013ca | 1971 | return err; |
wolfSSL | 13:f67a6c6013ca | 1972 | } |
wolfSSL | 13:f67a6c6013ca | 1973 | |
wolfSSL | 13:f67a6c6013ca | 1974 | #ifdef WOLFSSL_XILINX_CRYPT |
wolfSSL | 13:f67a6c6013ca | 1975 | if (wc_InitRsaHw(key) != 0) { |
wolfSSL | 13:f67a6c6013ca | 1976 | return BAD_STATE_E; |
wolfSSL | 13:f67a6c6013ca | 1977 | } |
wolfSSL | 13:f67a6c6013ca | 1978 | #endif |
wolfSSL | 13:f67a6c6013ca | 1979 | |
wolfSSL | 13:f67a6c6013ca | 1980 | return 0; |
wolfSSL | 13:f67a6c6013ca | 1981 | } |
wolfSSL | 13:f67a6c6013ca | 1982 | #endif /* WOLFSSL_KEY_GEN */ |
wolfSSL | 13:f67a6c6013ca | 1983 | |
wolfSSL | 13:f67a6c6013ca | 1984 | |
wolfSSL | 13:f67a6c6013ca | 1985 | #ifdef WC_RSA_BLINDING |
wolfSSL | 13:f67a6c6013ca | 1986 | |
wolfSSL | 13:f67a6c6013ca | 1987 | int wc_RsaSetRNG(RsaKey* key, WC_RNG* rng) |
wolfSSL | 13:f67a6c6013ca | 1988 | { |
wolfSSL | 13:f67a6c6013ca | 1989 | if (key == NULL) |
wolfSSL | 13:f67a6c6013ca | 1990 | return BAD_FUNC_ARG; |
wolfSSL | 13:f67a6c6013ca | 1991 | |
wolfSSL | 13:f67a6c6013ca | 1992 | key->rng = rng; |
wolfSSL | 13:f67a6c6013ca | 1993 | |
wolfSSL | 13:f67a6c6013ca | 1994 | return 0; |
wolfSSL | 13:f67a6c6013ca | 1995 | } |
wolfSSL | 13:f67a6c6013ca | 1996 | |
wolfSSL | 13:f67a6c6013ca | 1997 | #endif /* WC_RSA_BLINDING */ |
wolfSSL | 13:f67a6c6013ca | 1998 | |
wolfSSL | 13:f67a6c6013ca | 1999 | |
wolfSSL | 13:f67a6c6013ca | 2000 | #undef ERROR_OUT |
wolfSSL | 13:f67a6c6013ca | 2001 | |
wolfSSL | 13:f67a6c6013ca | 2002 | #endif /* HAVE_FIPS */ |
wolfSSL | 13:f67a6c6013ca | 2003 | #endif /* NO_RSA */ |
wolfSSL | 13:f67a6c6013ca | 2004 |