wolf SSL / wolfSSL

wolfSSL SSL/TLS library, support up to TLS1.3

Dependents:   CyaSSL-Twitter-OAuth4Tw Example-client-tls-cert TwitterReader TweetTest ... more

wolfcrypt/src/rsa.c@13:f67a6c6013ca, 2017-08-22 (annotated)

Committer:
wolfSSL
Date:
Tue Aug 22 10:48:22 2017 +0000
Revision:
13:f67a6c6013ca
wolfSSL3.12.0 with TLS1.3

Who changed what in which revision?

UserRevisionLine numberNew contents of line
wolfSSL 13:f67a6c6013ca 1 /* rsa.c
wolfSSL 13:f67a6c6013ca 2 *
wolfSSL 13:f67a6c6013ca 3 * Copyright (C) 2006-2016 wolfSSL Inc.
wolfSSL 13:f67a6c6013ca 4 *
wolfSSL 13:f67a6c6013ca 5 * This file is part of wolfSSL.
wolfSSL 13:f67a6c6013ca 6 *
wolfSSL 13:f67a6c6013ca 7 * wolfSSL is free software; you can redistribute it and/or modify
wolfSSL 13:f67a6c6013ca 8 * it under the terms of the GNU General Public License as published by
wolfSSL 13:f67a6c6013ca 9 * the Free Software Foundation; either version 2 of the License, or
wolfSSL 13:f67a6c6013ca 10 * (at your option) any later version.
wolfSSL 13:f67a6c6013ca 11 *
wolfSSL 13:f67a6c6013ca 12 * wolfSSL is distributed in the hope that it will be useful,
wolfSSL 13:f67a6c6013ca 13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
wolfSSL 13:f67a6c6013ca 14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
wolfSSL 13:f67a6c6013ca 15 * GNU General Public License for more details.
wolfSSL 13:f67a6c6013ca 16 *
wolfSSL 13:f67a6c6013ca 17 * You should have received a copy of the GNU General Public License
wolfSSL 13:f67a6c6013ca 18 * along with this program; if not, write to the Free Software
wolfSSL 13:f67a6c6013ca 19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
wolfSSL 13:f67a6c6013ca 20 */
wolfSSL 13:f67a6c6013ca 21
wolfSSL 13:f67a6c6013ca 22
wolfSSL 13:f67a6c6013ca 23 #ifdef HAVE_CONFIG_H
wolfSSL 13:f67a6c6013ca 24 #include <config.h>
wolfSSL 13:f67a6c6013ca 25 #endif
wolfSSL 13:f67a6c6013ca 26
wolfSSL 13:f67a6c6013ca 27 #include <wolfssl/wolfcrypt/settings.h>
wolfSSL 13:f67a6c6013ca 28 #include <wolfssl/wolfcrypt/error-crypt.h>
wolfSSL 13:f67a6c6013ca 29
wolfSSL 13:f67a6c6013ca 30 #ifndef NO_RSA
wolfSSL 13:f67a6c6013ca 31
wolfSSL 13:f67a6c6013ca 32 #include <wolfssl/wolfcrypt/rsa.h>
wolfSSL 13:f67a6c6013ca 33
wolfSSL 13:f67a6c6013ca 34 /*
wolfSSL 13:f67a6c6013ca 35 Possible RSA enable options:
wolfSSL 13:f67a6c6013ca 36 * NO_RSA: Overall control of RSA default: on (not defined)
wolfSSL 13:f67a6c6013ca 37 * WC_RSA_BLINDING: Uses Blinding w/ Private Ops default: off
wolfSSL 13:f67a6c6013ca 38 Note: slower by ~20%
wolfSSL 13:f67a6c6013ca 39 * WOLFSSL_KEY_GEN: Allows Private Key Generation default: off
wolfSSL 13:f67a6c6013ca 40 * RSA_LOW_MEM: NON CRT Private Operations, less memory default: off
wolfSSL 13:f67a6c6013ca 41 * WC_NO_RSA_OAEP: Disables RSA OAEP padding default: on (not defined)
wolfSSL 13:f67a6c6013ca 42
wolfSSL 13:f67a6c6013ca 43 */
wolfSSL 13:f67a6c6013ca 44
wolfSSL 13:f67a6c6013ca 45 /*
wolfSSL 13:f67a6c6013ca 46 RSA Key Size Configuration:
wolfSSL 13:f67a6c6013ca 47 * FP_MAX_BITS: With USE_FAST_MATH only default: 4096
wolfSSL 13:f67a6c6013ca 48 If USE_FAST_MATH then use this to override default.
wolfSSL 13:f67a6c6013ca 49 Value is key size * 2. Example: RSA 3072 = 6144
wolfSSL 13:f67a6c6013ca 50 */
wolfSSL 13:f67a6c6013ca 51
wolfSSL 13:f67a6c6013ca 52
wolfSSL 13:f67a6c6013ca 53 #ifdef HAVE_FIPS
wolfSSL 13:f67a6c6013ca 54 int wc_InitRsaKey(RsaKey* key, void* ptr)
wolfSSL 13:f67a6c6013ca 55 {
wolfSSL 13:f67a6c6013ca 56 if (key == NULL) {
wolfSSL 13:f67a6c6013ca 57 return BAD_FUNC_ARG;
wolfSSL 13:f67a6c6013ca 58 }
wolfSSL 13:f67a6c6013ca 59
wolfSSL 13:f67a6c6013ca 60 return InitRsaKey_fips(key, ptr);
wolfSSL 13:f67a6c6013ca 61 }
wolfSSL 13:f67a6c6013ca 62
wolfSSL 13:f67a6c6013ca 63 int wc_InitRsaKey_ex(RsaKey* key, void* ptr, int devId)
wolfSSL 13:f67a6c6013ca 64 {
wolfSSL 13:f67a6c6013ca 65 (void)devId;
wolfSSL 13:f67a6c6013ca 66 if (key == NULL) {
wolfSSL 13:f67a6c6013ca 67 return BAD_FUNC_ARG;
wolfSSL 13:f67a6c6013ca 68 }
wolfSSL 13:f67a6c6013ca 69 return InitRsaKey_fips(key, ptr);
wolfSSL 13:f67a6c6013ca 70 }
wolfSSL 13:f67a6c6013ca 71
wolfSSL 13:f67a6c6013ca 72 int wc_FreeRsaKey(RsaKey* key)
wolfSSL 13:f67a6c6013ca 73 {
wolfSSL 13:f67a6c6013ca 74 return FreeRsaKey_fips(key);
wolfSSL 13:f67a6c6013ca 75 }
wolfSSL 13:f67a6c6013ca 76
wolfSSL 13:f67a6c6013ca 77
wolfSSL 13:f67a6c6013ca 78 int wc_RsaPublicEncrypt(const byte* in, word32 inLen, byte* out,
wolfSSL 13:f67a6c6013ca 79 word32 outLen, RsaKey* key, WC_RNG* rng)
wolfSSL 13:f67a6c6013ca 80 {
wolfSSL 13:f67a6c6013ca 81 if (in == NULL || out == NULL || key == NULL || rng == NULL) {
wolfSSL 13:f67a6c6013ca 82 return BAD_FUNC_ARG;
wolfSSL 13:f67a6c6013ca 83 }
wolfSSL 13:f67a6c6013ca 84 return RsaPublicEncrypt_fips(in, inLen, out, outLen, key, rng);
wolfSSL 13:f67a6c6013ca 85 }
wolfSSL 13:f67a6c6013ca 86
wolfSSL 13:f67a6c6013ca 87
wolfSSL 13:f67a6c6013ca 88 int wc_RsaPrivateDecryptInline(byte* in, word32 inLen, byte** out,
wolfSSL 13:f67a6c6013ca 89 RsaKey* key)
wolfSSL 13:f67a6c6013ca 90 {
wolfSSL 13:f67a6c6013ca 91 if (in == NULL || out == NULL || key == NULL) {
wolfSSL 13:f67a6c6013ca 92 return BAD_FUNC_ARG;
wolfSSL 13:f67a6c6013ca 93 }
wolfSSL 13:f67a6c6013ca 94 return RsaPrivateDecryptInline_fips(in, inLen, out, key);
wolfSSL 13:f67a6c6013ca 95 }
wolfSSL 13:f67a6c6013ca 96
wolfSSL 13:f67a6c6013ca 97
wolfSSL 13:f67a6c6013ca 98 int wc_RsaPrivateDecrypt(const byte* in, word32 inLen, byte* out,
wolfSSL 13:f67a6c6013ca 99 word32 outLen, RsaKey* key)
wolfSSL 13:f67a6c6013ca 100 {
wolfSSL 13:f67a6c6013ca 101 if (in == NULL || out == NULL || key == NULL) {
wolfSSL 13:f67a6c6013ca 102 return BAD_FUNC_ARG;
wolfSSL 13:f67a6c6013ca 103 }
wolfSSL 13:f67a6c6013ca 104 return RsaPrivateDecrypt_fips(in, inLen, out, outLen, key);
wolfSSL 13:f67a6c6013ca 105 }
wolfSSL 13:f67a6c6013ca 106
wolfSSL 13:f67a6c6013ca 107
wolfSSL 13:f67a6c6013ca 108 int wc_RsaSSL_Sign(const byte* in, word32 inLen, byte* out,
wolfSSL 13:f67a6c6013ca 109 word32 outLen, RsaKey* key, WC_RNG* rng)
wolfSSL 13:f67a6c6013ca 110 {
wolfSSL 13:f67a6c6013ca 111 if (in == NULL || out == NULL || key == NULL || inLen == 0) {
wolfSSL 13:f67a6c6013ca 112 return BAD_FUNC_ARG;
wolfSSL 13:f67a6c6013ca 113 }
wolfSSL 13:f67a6c6013ca 114 return RsaSSL_Sign_fips(in, inLen, out, outLen, key, rng);
wolfSSL 13:f67a6c6013ca 115 }
wolfSSL 13:f67a6c6013ca 116
wolfSSL 13:f67a6c6013ca 117
wolfSSL 13:f67a6c6013ca 118 int wc_RsaSSL_VerifyInline(byte* in, word32 inLen, byte** out, RsaKey* key)
wolfSSL 13:f67a6c6013ca 119 {
wolfSSL 13:f67a6c6013ca 120 if (in == NULL || out == NULL || key == NULL) {
wolfSSL 13:f67a6c6013ca 121 return BAD_FUNC_ARG;
wolfSSL 13:f67a6c6013ca 122 }
wolfSSL 13:f67a6c6013ca 123 return RsaSSL_VerifyInline_fips(in, inLen, out, key);
wolfSSL 13:f67a6c6013ca 124 }
wolfSSL 13:f67a6c6013ca 125
wolfSSL 13:f67a6c6013ca 126
wolfSSL 13:f67a6c6013ca 127 int wc_RsaSSL_Verify(const byte* in, word32 inLen, byte* out,
wolfSSL 13:f67a6c6013ca 128 word32 outLen, RsaKey* key)
wolfSSL 13:f67a6c6013ca 129 {
wolfSSL 13:f67a6c6013ca 130 if (in == NULL || out == NULL || key == NULL || inLen == 0) {
wolfSSL 13:f67a6c6013ca 131 return BAD_FUNC_ARG;
wolfSSL 13:f67a6c6013ca 132 }
wolfSSL 13:f67a6c6013ca 133 return RsaSSL_Verify_fips(in, inLen, out, outLen, key);
wolfSSL 13:f67a6c6013ca 134 }
wolfSSL 13:f67a6c6013ca 135
wolfSSL 13:f67a6c6013ca 136
wolfSSL 13:f67a6c6013ca 137 int wc_RsaEncryptSize(RsaKey* key)
wolfSSL 13:f67a6c6013ca 138 {
wolfSSL 13:f67a6c6013ca 139 if (key == NULL) {
wolfSSL 13:f67a6c6013ca 140 return BAD_FUNC_ARG;
wolfSSL 13:f67a6c6013ca 141 }
wolfSSL 13:f67a6c6013ca 142 return RsaEncryptSize_fips(key);
wolfSSL 13:f67a6c6013ca 143 }
wolfSSL 13:f67a6c6013ca 144
wolfSSL 13:f67a6c6013ca 145
wolfSSL 13:f67a6c6013ca 146 int wc_RsaFlattenPublicKey(RsaKey* key, byte* a, word32* aSz, byte* b,
wolfSSL 13:f67a6c6013ca 147 word32* bSz)
wolfSSL 13:f67a6c6013ca 148 {
wolfSSL 13:f67a6c6013ca 149
wolfSSL 13:f67a6c6013ca 150 /* not specified as fips so not needing _fips */
wolfSSL 13:f67a6c6013ca 151 return RsaFlattenPublicKey(key, a, aSz, b, bSz);
wolfSSL 13:f67a6c6013ca 152 }
wolfSSL 13:f67a6c6013ca 153 #ifdef WOLFSSL_KEY_GEN
wolfSSL 13:f67a6c6013ca 154 int wc_MakeRsaKey(RsaKey* key, int size, long e, WC_RNG* rng)
wolfSSL 13:f67a6c6013ca 155 {
wolfSSL 13:f67a6c6013ca 156 return MakeRsaKey(key, size, e, rng);
wolfSSL 13:f67a6c6013ca 157 }
wolfSSL 13:f67a6c6013ca 158 #endif
wolfSSL 13:f67a6c6013ca 159
wolfSSL 13:f67a6c6013ca 160
wolfSSL 13:f67a6c6013ca 161 /* these are functions in asn and are routed to wolfssl/wolfcrypt/asn.c
wolfSSL 13:f67a6c6013ca 162 * wc_RsaPrivateKeyDecode
wolfSSL 13:f67a6c6013ca 163 * wc_RsaPublicKeyDecode
wolfSSL 13:f67a6c6013ca 164 */
wolfSSL 13:f67a6c6013ca 165
wolfSSL 13:f67a6c6013ca 166 #else /* else build without fips */
wolfSSL 13:f67a6c6013ca 167
wolfSSL 13:f67a6c6013ca 168 #include <wolfssl/wolfcrypt/random.h>
wolfSSL 13:f67a6c6013ca 169 #include <wolfssl/wolfcrypt/logging.h>
wolfSSL 13:f67a6c6013ca 170 #ifdef NO_INLINE
wolfSSL 13:f67a6c6013ca 171 #include <wolfssl/wolfcrypt/misc.h>
wolfSSL 13:f67a6c6013ca 172 #else
wolfSSL 13:f67a6c6013ca 173 #define WOLFSSL_MISC_INCLUDED
wolfSSL 13:f67a6c6013ca 174 #include <wolfcrypt/src/misc.c>
wolfSSL 13:f67a6c6013ca 175 #endif
wolfSSL 13:f67a6c6013ca 176
wolfSSL 13:f67a6c6013ca 177 #define ERROR_OUT(x) { ret = (x); goto done;}
wolfSSL 13:f67a6c6013ca 178
wolfSSL 13:f67a6c6013ca 179
wolfSSL 13:f67a6c6013ca 180 enum {
wolfSSL 13:f67a6c6013ca 181 RSA_STATE_NONE = 0,
wolfSSL 13:f67a6c6013ca 182
wolfSSL 13:f67a6c6013ca 183 RSA_STATE_ENCRYPT_PAD,
wolfSSL 13:f67a6c6013ca 184 RSA_STATE_ENCRYPT_EXPTMOD,
wolfSSL 13:f67a6c6013ca 185 RSA_STATE_ENCRYPT_RES,
wolfSSL 13:f67a6c6013ca 186
wolfSSL 13:f67a6c6013ca 187 RSA_STATE_DECRYPT_EXPTMOD,
wolfSSL 13:f67a6c6013ca 188 RSA_STATE_DECRYPT_UNPAD,
wolfSSL 13:f67a6c6013ca 189 RSA_STATE_DECRYPT_RES,
wolfSSL 13:f67a6c6013ca 190 };
wolfSSL 13:f67a6c6013ca 191
wolfSSL 13:f67a6c6013ca 192 static void wc_RsaCleanup(RsaKey* key)
wolfSSL 13:f67a6c6013ca 193 {
wolfSSL 13:f67a6c6013ca 194 if (key && key->data) {
wolfSSL 13:f67a6c6013ca 195 /* make sure any allocated memory is free'd */
wolfSSL 13:f67a6c6013ca 196 if (key->dataIsAlloc) {
wolfSSL 13:f67a6c6013ca 197 if (key->type == RSA_PRIVATE_DECRYPT ||
wolfSSL 13:f67a6c6013ca 198 key->type == RSA_PRIVATE_ENCRYPT) {
wolfSSL 13:f67a6c6013ca 199 ForceZero(key->data, key->dataLen);
wolfSSL 13:f67a6c6013ca 200 }
wolfSSL 13:f67a6c6013ca 201 XFREE(key->data, key->heap, DYNAMIC_TYPE_WOLF_BIGINT);
wolfSSL 13:f67a6c6013ca 202 key->dataIsAlloc = 0;
wolfSSL 13:f67a6c6013ca 203 }
wolfSSL 13:f67a6c6013ca 204 key->data = NULL;
wolfSSL 13:f67a6c6013ca 205 key->dataLen = 0;
wolfSSL 13:f67a6c6013ca 206 }
wolfSSL 13:f67a6c6013ca 207 }
wolfSSL 13:f67a6c6013ca 208
wolfSSL 13:f67a6c6013ca 209 int wc_InitRsaKey_ex(RsaKey* key, void* heap, int devId)
wolfSSL 13:f67a6c6013ca 210 {
wolfSSL 13:f67a6c6013ca 211 int ret = 0;
wolfSSL 13:f67a6c6013ca 212
wolfSSL 13:f67a6c6013ca 213 if (key == NULL) {
wolfSSL 13:f67a6c6013ca 214 return BAD_FUNC_ARG;
wolfSSL 13:f67a6c6013ca 215 }
wolfSSL 13:f67a6c6013ca 216
wolfSSL 13:f67a6c6013ca 217 key->type = RSA_TYPE_UNKNOWN;
wolfSSL 13:f67a6c6013ca 218 key->state = RSA_STATE_NONE;
wolfSSL 13:f67a6c6013ca 219 key->heap = heap;
wolfSSL 13:f67a6c6013ca 220 key->data = NULL;
wolfSSL 13:f67a6c6013ca 221 key->dataLen = 0;
wolfSSL 13:f67a6c6013ca 222 key->dataIsAlloc = 0;
wolfSSL 13:f67a6c6013ca 223 #ifdef WC_RSA_BLINDING
wolfSSL 13:f67a6c6013ca 224 key->rng = NULL;
wolfSSL 13:f67a6c6013ca 225 #endif
wolfSSL 13:f67a6c6013ca 226
wolfSSL 13:f67a6c6013ca 227 #ifdef WOLFSSL_ASYNC_CRYPT
wolfSSL 13:f67a6c6013ca 228 #ifdef WOLFSSL_CERT_GEN
wolfSSL 13:f67a6c6013ca 229 XMEMSET(&key->certSignCtx, 0, sizeof(CertSignCtx));
wolfSSL 13:f67a6c6013ca 230 #endif
wolfSSL 13:f67a6c6013ca 231
wolfSSL 13:f67a6c6013ca 232 #ifdef WC_ASYNC_ENABLE_RSA
wolfSSL 13:f67a6c6013ca 233 /* handle as async */
wolfSSL 13:f67a6c6013ca 234 ret = wolfAsync_DevCtxInit(&key->asyncDev, WOLFSSL_ASYNC_MARKER_RSA,
wolfSSL 13:f67a6c6013ca 235 key->heap, devId);
wolfSSL 13:f67a6c6013ca 236 if (ret != 0)
wolfSSL 13:f67a6c6013ca 237 return ret;
wolfSSL 13:f67a6c6013ca 238 #endif /* WC_ASYNC_ENABLE_RSA */
wolfSSL 13:f67a6c6013ca 239 #else
wolfSSL 13:f67a6c6013ca 240 (void)devId;
wolfSSL 13:f67a6c6013ca 241 #endif /* WOLFSSL_ASYNC_CRYPT */
wolfSSL 13:f67a6c6013ca 242
wolfSSL 13:f67a6c6013ca 243 ret = mp_init_multi(&key->n, &key->e, NULL, NULL, NULL, NULL);
wolfSSL 13:f67a6c6013ca 244 if (ret != MP_OKAY)
wolfSSL 13:f67a6c6013ca 245 return ret;
wolfSSL 13:f67a6c6013ca 246
wolfSSL 13:f67a6c6013ca 247 ret = mp_init_multi(&key->d, &key->p, &key->q, &key->dP, &key->dQ, &key->u);
wolfSSL 13:f67a6c6013ca 248 if (ret != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 249 mp_clear(&key->n);
wolfSSL 13:f67a6c6013ca 250 mp_clear(&key->e);
wolfSSL 13:f67a6c6013ca 251 return ret;
wolfSSL 13:f67a6c6013ca 252 }
wolfSSL 13:f67a6c6013ca 253
wolfSSL 13:f67a6c6013ca 254 #ifdef WOLFSSL_XILINX_CRYPT
wolfSSL 13:f67a6c6013ca 255 key->pubExp = 0;
wolfSSL 13:f67a6c6013ca 256 key->mod = NULL;
wolfSSL 13:f67a6c6013ca 257 #endif
wolfSSL 13:f67a6c6013ca 258
wolfSSL 13:f67a6c6013ca 259 return ret;
wolfSSL 13:f67a6c6013ca 260 }
wolfSSL 13:f67a6c6013ca 261
wolfSSL 13:f67a6c6013ca 262 int wc_InitRsaKey(RsaKey* key, void* heap)
wolfSSL 13:f67a6c6013ca 263 {
wolfSSL 13:f67a6c6013ca 264 return wc_InitRsaKey_ex(key, heap, INVALID_DEVID);
wolfSSL 13:f67a6c6013ca 265 }
wolfSSL 13:f67a6c6013ca 266
wolfSSL 13:f67a6c6013ca 267
wolfSSL 13:f67a6c6013ca 268 #ifdef WOLFSSL_XILINX_CRYPT
wolfSSL 13:f67a6c6013ca 269 #define MAX_E_SIZE 4
wolfSSL 13:f67a6c6013ca 270 /* Used to setup hardware state
wolfSSL 13:f67a6c6013ca 271 *
wolfSSL 13:f67a6c6013ca 272 * key the RSA key to setup
wolfSSL 13:f67a6c6013ca 273 *
wolfSSL 13:f67a6c6013ca 274 * returns 0 on success
wolfSSL 13:f67a6c6013ca 275 */
wolfSSL 13:f67a6c6013ca 276 int wc_InitRsaHw(RsaKey* key)
wolfSSL 13:f67a6c6013ca 277 {
wolfSSL 13:f67a6c6013ca 278 unsigned char* m; /* RSA modulous */
wolfSSL 13:f67a6c6013ca 279 word32 e = 0; /* RSA public exponent */
wolfSSL 13:f67a6c6013ca 280 int mSz;
wolfSSL 13:f67a6c6013ca 281 int eSz;
wolfSSL 13:f67a6c6013ca 282
wolfSSL 13:f67a6c6013ca 283 if (key == NULL) {
wolfSSL 13:f67a6c6013ca 284 return BAD_FUNC_ARG;
wolfSSL 13:f67a6c6013ca 285 }
wolfSSL 13:f67a6c6013ca 286
wolfSSL 13:f67a6c6013ca 287 mSz = mp_unsigned_bin_size(&(key->n));
wolfSSL 13:f67a6c6013ca 288 m = (unsigned char*)XMALLOC(mSz, key->heap, DYNAMIC_TYPE_KEY);
wolfSSL 13:f67a6c6013ca 289 if (m == 0) {
wolfSSL 13:f67a6c6013ca 290 return MEMORY_E;
wolfSSL 13:f67a6c6013ca 291 }
wolfSSL 13:f67a6c6013ca 292
wolfSSL 13:f67a6c6013ca 293 if (mp_to_unsigned_bin(&(key->n), m) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 294 WOLFSSL_MSG("Unable to get RSA key modulous");
wolfSSL 13:f67a6c6013ca 295 XFREE(m, key->heap, DYNAMIC_TYPE_KEY);
wolfSSL 13:f67a6c6013ca 296 return MP_READ_E;
wolfSSL 13:f67a6c6013ca 297 }
wolfSSL 13:f67a6c6013ca 298
wolfSSL 13:f67a6c6013ca 299 eSz = mp_unsigned_bin_size(&(key->e));
wolfSSL 13:f67a6c6013ca 300 if (eSz > MAX_E_SIZE) {
wolfSSL 13:f67a6c6013ca 301 WOLFSSL_MSG("Expnonent of size 4 bytes expected");
wolfSSL 13:f67a6c6013ca 302 XFREE(m, key->heap, DYNAMIC_TYPE_KEY);
wolfSSL 13:f67a6c6013ca 303 return BAD_FUNC_ARG;
wolfSSL 13:f67a6c6013ca 304 }
wolfSSL 13:f67a6c6013ca 305
wolfSSL 13:f67a6c6013ca 306 if (mp_to_unsigned_bin(&(key->e), (byte*)&e + (MAX_E_SIZE - eSz))
wolfSSL 13:f67a6c6013ca 307 != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 308 XFREE(m, key->heap, DYNAMIC_TYPE_KEY);
wolfSSL 13:f67a6c6013ca 309 WOLFSSL_MSG("Unable to get RSA key exponent");
wolfSSL 13:f67a6c6013ca 310 return MP_READ_E;
wolfSSL 13:f67a6c6013ca 311 }
wolfSSL 13:f67a6c6013ca 312
wolfSSL 13:f67a6c6013ca 313 /* check for existing mod buffer to avoid memory leak */
wolfSSL 13:f67a6c6013ca 314 if (key->mod != NULL) {
wolfSSL 13:f67a6c6013ca 315 XFREE(key->mod, key->heap, DYNAMIC_TYPE_KEY);
wolfSSL 13:f67a6c6013ca 316 }
wolfSSL 13:f67a6c6013ca 317
wolfSSL 13:f67a6c6013ca 318 key->pubExp = e;
wolfSSL 13:f67a6c6013ca 319 key->mod = m;
wolfSSL 13:f67a6c6013ca 320
wolfSSL 13:f67a6c6013ca 321 if (XSecure_RsaInitialize(&(key->xRsa), key->mod, NULL,
wolfSSL 13:f67a6c6013ca 322 (byte*)&(key->pubExp)) != XST_SUCCESS) {
wolfSSL 13:f67a6c6013ca 323 WOLFSSL_MSG("Unable to initialize RSA on hardware");
wolfSSL 13:f67a6c6013ca 324 XFREE(m, key->heap, DYNAMIC_TYPE_KEY);
wolfSSL 13:f67a6c6013ca 325 return BAD_STATE_E;
wolfSSL 13:f67a6c6013ca 326 }
wolfSSL 13:f67a6c6013ca 327
wolfSSL 13:f67a6c6013ca 328 #ifdef WOLFSSL_XILINX_PATCH
wolfSSL 13:f67a6c6013ca 329 /* currently a patch of xsecure_rsa.c for 2048 bit keys */
wolfSSL 13:f67a6c6013ca 330 if (wc_RsaEncryptSize(key) == 256) {
wolfSSL 13:f67a6c6013ca 331 if (XSecure_RsaSetSize(&(key->xRsa), 2048) != XST_SUCCESS) {
wolfSSL 13:f67a6c6013ca 332 WOLFSSL_MSG("Unable to set RSA key size on hardware");
wolfSSL 13:f67a6c6013ca 333 XFREE(m, key->heap, DYNAMIC_TYPE_KEY);
wolfSSL 13:f67a6c6013ca 334 return BAD_STATE_E;
wolfSSL 13:f67a6c6013ca 335 }
wolfSSL 13:f67a6c6013ca 336 }
wolfSSL 13:f67a6c6013ca 337 #endif
wolfSSL 13:f67a6c6013ca 338
wolfSSL 13:f67a6c6013ca 339 return 0;
wolfSSL 13:f67a6c6013ca 340 }
wolfSSL 13:f67a6c6013ca 341 #endif /* WOLFSSL_XILINX_CRYPT */
wolfSSL 13:f67a6c6013ca 342
wolfSSL 13:f67a6c6013ca 343 int wc_FreeRsaKey(RsaKey* key)
wolfSSL 13:f67a6c6013ca 344 {
wolfSSL 13:f67a6c6013ca 345 int ret = 0;
wolfSSL 13:f67a6c6013ca 346
wolfSSL 13:f67a6c6013ca 347 if (key == NULL) {
wolfSSL 13:f67a6c6013ca 348 return BAD_FUNC_ARG;
wolfSSL 13:f67a6c6013ca 349 }
wolfSSL 13:f67a6c6013ca 350
wolfSSL 13:f67a6c6013ca 351 wc_RsaCleanup(key);
wolfSSL 13:f67a6c6013ca 352
wolfSSL 13:f67a6c6013ca 353 #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_RSA)
wolfSSL 13:f67a6c6013ca 354 wolfAsync_DevCtxFree(&key->asyncDev, WOLFSSL_ASYNC_MARKER_RSA);
wolfSSL 13:f67a6c6013ca 355 #endif
wolfSSL 13:f67a6c6013ca 356
wolfSSL 13:f67a6c6013ca 357 if (key->type == RSA_PRIVATE) {
wolfSSL 13:f67a6c6013ca 358 mp_forcezero(&key->u);
wolfSSL 13:f67a6c6013ca 359 mp_forcezero(&key->dQ);
wolfSSL 13:f67a6c6013ca 360 mp_forcezero(&key->dP);
wolfSSL 13:f67a6c6013ca 361 mp_forcezero(&key->q);
wolfSSL 13:f67a6c6013ca 362 mp_forcezero(&key->p);
wolfSSL 13:f67a6c6013ca 363 mp_forcezero(&key->d);
wolfSSL 13:f67a6c6013ca 364 }
wolfSSL 13:f67a6c6013ca 365 /* private part */
wolfSSL 13:f67a6c6013ca 366 mp_clear(&key->u);
wolfSSL 13:f67a6c6013ca 367 mp_clear(&key->dQ);
wolfSSL 13:f67a6c6013ca 368 mp_clear(&key->dP);
wolfSSL 13:f67a6c6013ca 369 mp_clear(&key->q);
wolfSSL 13:f67a6c6013ca 370 mp_clear(&key->p);
wolfSSL 13:f67a6c6013ca 371 mp_clear(&key->d);
wolfSSL 13:f67a6c6013ca 372
wolfSSL 13:f67a6c6013ca 373 /* public part */
wolfSSL 13:f67a6c6013ca 374 mp_clear(&key->e);
wolfSSL 13:f67a6c6013ca 375 mp_clear(&key->n);
wolfSSL 13:f67a6c6013ca 376
wolfSSL 13:f67a6c6013ca 377 #ifdef WOLFSSL_XILINX_CRYPT
wolfSSL 13:f67a6c6013ca 378 XFREE(key->mod, key->heap, DYNAMIC_TYPE_KEY);
wolfSSL 13:f67a6c6013ca 379 key->mod = NULL;
wolfSSL 13:f67a6c6013ca 380 #endif
wolfSSL 13:f67a6c6013ca 381
wolfSSL 13:f67a6c6013ca 382 return ret;
wolfSSL 13:f67a6c6013ca 383 }
wolfSSL 13:f67a6c6013ca 384
wolfSSL 13:f67a6c6013ca 385
wolfSSL 13:f67a6c6013ca 386 #if !defined(WC_NO_RSA_OAEP) || defined(WC_RSA_PSS)
wolfSSL 13:f67a6c6013ca 387 /* Uses MGF1 standard as a mask generation function
wolfSSL 13:f67a6c6013ca 388 hType: hash type used
wolfSSL 13:f67a6c6013ca 389 seed: seed to use for generating mask
wolfSSL 13:f67a6c6013ca 390 seedSz: size of seed buffer
wolfSSL 13:f67a6c6013ca 391 out: mask output after generation
wolfSSL 13:f67a6c6013ca 392 outSz: size of output buffer
wolfSSL 13:f67a6c6013ca 393 */
wolfSSL 13:f67a6c6013ca 394 static int RsaMGF1(enum wc_HashType hType, byte* seed, word32 seedSz,
wolfSSL 13:f67a6c6013ca 395 byte* out, word32 outSz, void* heap)
wolfSSL 13:f67a6c6013ca 396 {
wolfSSL 13:f67a6c6013ca 397 byte* tmp;
wolfSSL 13:f67a6c6013ca 398 /* needs to be large enough for seed size plus counter(4) */
wolfSSL 13:f67a6c6013ca 399 byte tmpA[WC_MAX_DIGEST_SIZE + 4];
wolfSSL 13:f67a6c6013ca 400 byte tmpF; /* 1 if dynamic memory needs freed */
wolfSSL 13:f67a6c6013ca 401 word32 tmpSz;
wolfSSL 13:f67a6c6013ca 402 int hLen;
wolfSSL 13:f67a6c6013ca 403 int ret;
wolfSSL 13:f67a6c6013ca 404 word32 counter;
wolfSSL 13:f67a6c6013ca 405 word32 idx;
wolfSSL 13:f67a6c6013ca 406 hLen = wc_HashGetDigestSize(hType);
wolfSSL 13:f67a6c6013ca 407 counter = 0;
wolfSSL 13:f67a6c6013ca 408 idx = 0;
wolfSSL 13:f67a6c6013ca 409
wolfSSL 13:f67a6c6013ca 410 (void)heap;
wolfSSL 13:f67a6c6013ca 411
wolfSSL 13:f67a6c6013ca 412 /* check error return of wc_HashGetDigestSize */
wolfSSL 13:f67a6c6013ca 413 if (hLen < 0) {
wolfSSL 13:f67a6c6013ca 414 return hLen;
wolfSSL 13:f67a6c6013ca 415 }
wolfSSL 13:f67a6c6013ca 416
wolfSSL 13:f67a6c6013ca 417 /* if tmp is not large enough than use some dynamic memory */
wolfSSL 13:f67a6c6013ca 418 if ((seedSz + 4) > sizeof(tmpA) || (word32)hLen > sizeof(tmpA)) {
wolfSSL 13:f67a6c6013ca 419 /* find largest amount of memory needed which will be the max of
wolfSSL 13:f67a6c6013ca 420 * hLen and (seedSz + 4) since tmp is used to store the hash digest */
wolfSSL 13:f67a6c6013ca 421 tmpSz = ((seedSz + 4) > (word32)hLen)? seedSz + 4: (word32)hLen;
wolfSSL 13:f67a6c6013ca 422 tmp = (byte*)XMALLOC(tmpSz, heap, DYNAMIC_TYPE_RSA_BUFFER);
wolfSSL 13:f67a6c6013ca 423 if (tmp == NULL) {
wolfSSL 13:f67a6c6013ca 424 return MEMORY_E;
wolfSSL 13:f67a6c6013ca 425 }
wolfSSL 13:f67a6c6013ca 426 tmpF = 1; /* make sure to free memory when done */
wolfSSL 13:f67a6c6013ca 427 }
wolfSSL 13:f67a6c6013ca 428 else {
wolfSSL 13:f67a6c6013ca 429 /* use array on the stack */
wolfSSL 13:f67a6c6013ca 430 tmpSz = sizeof(tmpA);
wolfSSL 13:f67a6c6013ca 431 tmp = tmpA;
wolfSSL 13:f67a6c6013ca 432 tmpF = 0; /* no need to free memory at end */
wolfSSL 13:f67a6c6013ca 433 }
wolfSSL 13:f67a6c6013ca 434
wolfSSL 13:f67a6c6013ca 435 do {
wolfSSL 13:f67a6c6013ca 436 int i = 0;
wolfSSL 13:f67a6c6013ca 437 XMEMCPY(tmp, seed, seedSz);
wolfSSL 13:f67a6c6013ca 438
wolfSSL 13:f67a6c6013ca 439 /* counter to byte array appended to tmp */
wolfSSL 13:f67a6c6013ca 440 tmp[seedSz] = (counter >> 24) & 0xFF;
wolfSSL 13:f67a6c6013ca 441 tmp[seedSz + 1] = (counter >> 16) & 0xFF;
wolfSSL 13:f67a6c6013ca 442 tmp[seedSz + 2] = (counter >> 8) & 0xFF;
wolfSSL 13:f67a6c6013ca 443 tmp[seedSz + 3] = (counter) & 0xFF;
wolfSSL 13:f67a6c6013ca 444
wolfSSL 13:f67a6c6013ca 445 /* hash and append to existing output */
wolfSSL 13:f67a6c6013ca 446 if ((ret = wc_Hash(hType, tmp, (seedSz + 4), tmp, tmpSz)) != 0) {
wolfSSL 13:f67a6c6013ca 447 /* check for if dynamic memory was needed, then free */
wolfSSL 13:f67a6c6013ca 448 if (tmpF) {
wolfSSL 13:f67a6c6013ca 449 XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER);
wolfSSL 13:f67a6c6013ca 450 }
wolfSSL 13:f67a6c6013ca 451 return ret;
wolfSSL 13:f67a6c6013ca 452 }
wolfSSL 13:f67a6c6013ca 453
wolfSSL 13:f67a6c6013ca 454 for (i = 0; i < hLen && idx < outSz; i++) {
wolfSSL 13:f67a6c6013ca 455 out[idx++] = tmp[i];
wolfSSL 13:f67a6c6013ca 456 }
wolfSSL 13:f67a6c6013ca 457 counter++;
wolfSSL 13:f67a6c6013ca 458 } while (idx < outSz);
wolfSSL 13:f67a6c6013ca 459
wolfSSL 13:f67a6c6013ca 460 /* check for if dynamic memory was needed, then free */
wolfSSL 13:f67a6c6013ca 461 if (tmpF) {
wolfSSL 13:f67a6c6013ca 462 XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER);
wolfSSL 13:f67a6c6013ca 463 }
wolfSSL 13:f67a6c6013ca 464
wolfSSL 13:f67a6c6013ca 465 return 0;
wolfSSL 13:f67a6c6013ca 466 }
wolfSSL 13:f67a6c6013ca 467
wolfSSL 13:f67a6c6013ca 468 /* helper function to direct which mask generation function is used
wolfSSL 13:f67a6c6013ca 469 switeched on type input
wolfSSL 13:f67a6c6013ca 470 */
wolfSSL 13:f67a6c6013ca 471 static int RsaMGF(int type, byte* seed, word32 seedSz, byte* out,
wolfSSL 13:f67a6c6013ca 472 word32 outSz, void* heap)
wolfSSL 13:f67a6c6013ca 473 {
wolfSSL 13:f67a6c6013ca 474 int ret;
wolfSSL 13:f67a6c6013ca 475
wolfSSL 13:f67a6c6013ca 476 switch(type) {
wolfSSL 13:f67a6c6013ca 477 #ifndef NO_SHA
wolfSSL 13:f67a6c6013ca 478 case WC_MGF1SHA1:
wolfSSL 13:f67a6c6013ca 479 ret = RsaMGF1(WC_HASH_TYPE_SHA, seed, seedSz, out, outSz, heap);
wolfSSL 13:f67a6c6013ca 480 break;
wolfSSL 13:f67a6c6013ca 481 #endif
wolfSSL 13:f67a6c6013ca 482 #ifndef NO_SHA256
wolfSSL 13:f67a6c6013ca 483 #ifdef WOLFSSL_SHA224
wolfSSL 13:f67a6c6013ca 484 case WC_MGF1SHA224:
wolfSSL 13:f67a6c6013ca 485 ret = RsaMGF1(WC_HASH_TYPE_SHA224, seed, seedSz, out, outSz, heap);
wolfSSL 13:f67a6c6013ca 486 break;
wolfSSL 13:f67a6c6013ca 487 #endif
wolfSSL 13:f67a6c6013ca 488 case WC_MGF1SHA256:
wolfSSL 13:f67a6c6013ca 489 ret = RsaMGF1(WC_HASH_TYPE_SHA256, seed, seedSz, out, outSz, heap);
wolfSSL 13:f67a6c6013ca 490 break;
wolfSSL 13:f67a6c6013ca 491 #endif
wolfSSL 13:f67a6c6013ca 492 #ifdef WOLFSSL_SHA512
wolfSSL 13:f67a6c6013ca 493 #ifdef WOLFSSL_SHA384
wolfSSL 13:f67a6c6013ca 494 case WC_MGF1SHA384:
wolfSSL 13:f67a6c6013ca 495 ret = RsaMGF1(WC_HASH_TYPE_SHA384, seed, seedSz, out, outSz, heap);
wolfSSL 13:f67a6c6013ca 496 break;
wolfSSL 13:f67a6c6013ca 497 #endif
wolfSSL 13:f67a6c6013ca 498 case WC_MGF1SHA512:
wolfSSL 13:f67a6c6013ca 499 ret = RsaMGF1(WC_HASH_TYPE_SHA512, seed, seedSz, out, outSz, heap);
wolfSSL 13:f67a6c6013ca 500 break;
wolfSSL 13:f67a6c6013ca 501 #endif
wolfSSL 13:f67a6c6013ca 502 default:
wolfSSL 13:f67a6c6013ca 503 WOLFSSL_MSG("Unknown MGF type: check build options");
wolfSSL 13:f67a6c6013ca 504 ret = BAD_FUNC_ARG;
wolfSSL 13:f67a6c6013ca 505 }
wolfSSL 13:f67a6c6013ca 506
wolfSSL 13:f67a6c6013ca 507 /* in case of default avoid unused warning */
wolfSSL 13:f67a6c6013ca 508 (void)seed;
wolfSSL 13:f67a6c6013ca 509 (void)seedSz;
wolfSSL 13:f67a6c6013ca 510 (void)out;
wolfSSL 13:f67a6c6013ca 511 (void)outSz;
wolfSSL 13:f67a6c6013ca 512 (void)heap;
wolfSSL 13:f67a6c6013ca 513
wolfSSL 13:f67a6c6013ca 514 return ret;
wolfSSL 13:f67a6c6013ca 515 }
wolfSSL 13:f67a6c6013ca 516 #endif /* !WC_NO_RSA_OAEP */
wolfSSL 13:f67a6c6013ca 517
wolfSSL 13:f67a6c6013ca 518
wolfSSL 13:f67a6c6013ca 519 /* Padding */
wolfSSL 13:f67a6c6013ca 520 #ifndef WC_NO_RSA_OAEP
wolfSSL 13:f67a6c6013ca 521 static int RsaPad_OAEP(const byte* input, word32 inputLen, byte* pkcsBlock,
wolfSSL 13:f67a6c6013ca 522 word32 pkcsBlockLen, byte padValue, WC_RNG* rng,
wolfSSL 13:f67a6c6013ca 523 enum wc_HashType hType, int mgf, byte* optLabel, word32 labelLen,
wolfSSL 13:f67a6c6013ca 524 void* heap)
wolfSSL 13:f67a6c6013ca 525 {
wolfSSL 13:f67a6c6013ca 526 int ret;
wolfSSL 13:f67a6c6013ca 527 int hLen;
wolfSSL 13:f67a6c6013ca 528 int psLen;
wolfSSL 13:f67a6c6013ca 529 int i;
wolfSSL 13:f67a6c6013ca 530 word32 idx;
wolfSSL 13:f67a6c6013ca 531
wolfSSL 13:f67a6c6013ca 532 byte* dbMask;
wolfSSL 13:f67a6c6013ca 533
wolfSSL 13:f67a6c6013ca 534 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:f67a6c6013ca 535 byte* lHash = NULL;
wolfSSL 13:f67a6c6013ca 536 byte* seed = NULL;
wolfSSL 13:f67a6c6013ca 537 #else
wolfSSL 13:f67a6c6013ca 538 /* must be large enough to contain largest hash */
wolfSSL 13:f67a6c6013ca 539 byte lHash[WC_MAX_DIGEST_SIZE];
wolfSSL 13:f67a6c6013ca 540 byte seed[ WC_MAX_DIGEST_SIZE];
wolfSSL 13:f67a6c6013ca 541 #endif
wolfSSL 13:f67a6c6013ca 542
wolfSSL 13:f67a6c6013ca 543 /* no label is allowed, but catch if no label provided and length > 0 */
wolfSSL 13:f67a6c6013ca 544 if (optLabel == NULL && labelLen > 0) {
wolfSSL 13:f67a6c6013ca 545 return BUFFER_E;
wolfSSL 13:f67a6c6013ca 546 }
wolfSSL 13:f67a6c6013ca 547
wolfSSL 13:f67a6c6013ca 548 /* limit of label is the same as limit of hash function which is massive */
wolfSSL 13:f67a6c6013ca 549 hLen = wc_HashGetDigestSize(hType);
wolfSSL 13:f67a6c6013ca 550 if (hLen < 0) {
wolfSSL 13:f67a6c6013ca 551 return hLen;
wolfSSL 13:f67a6c6013ca 552 }
wolfSSL 13:f67a6c6013ca 553
wolfSSL 13:f67a6c6013ca 554 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:f67a6c6013ca 555 lHash = (byte*)XMALLOC(hLen, heap, DYNAMIC_TYPE_RSA_BUFFER);
wolfSSL 13:f67a6c6013ca 556 if (lHash == NULL) {
wolfSSL 13:f67a6c6013ca 557 return MEMORY_E;
wolfSSL 13:f67a6c6013ca 558 }
wolfSSL 13:f67a6c6013ca 559 seed = (byte*)XMALLOC(hLen, heap, DYNAMIC_TYPE_RSA_BUFFER);
wolfSSL 13:f67a6c6013ca 560 if (seed == NULL) {
wolfSSL 13:f67a6c6013ca 561 XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
wolfSSL 13:f67a6c6013ca 562 return MEMORY_E;
wolfSSL 13:f67a6c6013ca 563 }
wolfSSL 13:f67a6c6013ca 564 #else
wolfSSL 13:f67a6c6013ca 565 /* hLen should never be larger than lHash since size is max digest size,
wolfSSL 13:f67a6c6013ca 566 but check before blindly calling wc_Hash */
wolfSSL 13:f67a6c6013ca 567 if ((word32)hLen > sizeof(lHash)) {
wolfSSL 13:f67a6c6013ca 568 WOLFSSL_MSG("OAEP lHash to small for digest!!");
wolfSSL 13:f67a6c6013ca 569 return MEMORY_E;
wolfSSL 13:f67a6c6013ca 570 }
wolfSSL 13:f67a6c6013ca 571 #endif
wolfSSL 13:f67a6c6013ca 572
wolfSSL 13:f67a6c6013ca 573 if ((ret = wc_Hash(hType, optLabel, labelLen, lHash, hLen)) != 0) {
wolfSSL 13:f67a6c6013ca 574 WOLFSSL_MSG("OAEP hash type possibly not supported or lHash to small");
wolfSSL 13:f67a6c6013ca 575 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:f67a6c6013ca 576 XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
wolfSSL 13:f67a6c6013ca 577 XFREE(seed, heap, DYNAMIC_TYPE_RSA_BUFFER);
wolfSSL 13:f67a6c6013ca 578 #endif
wolfSSL 13:f67a6c6013ca 579 return ret;
wolfSSL 13:f67a6c6013ca 580 }
wolfSSL 13:f67a6c6013ca 581
wolfSSL 13:f67a6c6013ca 582 /* handles check of location for idx as well as psLen, cast to int to check
wolfSSL 13:f67a6c6013ca 583 for pkcsBlockLen(k) - 2 * hLen - 2 being negative
wolfSSL 13:f67a6c6013ca 584 This check is similar to decryption where k > 2 * hLen + 2 as msg
wolfSSL 13:f67a6c6013ca 585 size aproaches 0. In decryption if k is less than or equal -- then there
wolfSSL 13:f67a6c6013ca 586 is no possible room for msg.
wolfSSL 13:f67a6c6013ca 587 k = RSA key size
wolfSSL 13:f67a6c6013ca 588 hLen = hash digest size -- will always be >= 0 at this point
wolfSSL 13:f67a6c6013ca 589 */
wolfSSL 13:f67a6c6013ca 590 if ((word32)(2 * hLen + 2) > pkcsBlockLen) {
wolfSSL 13:f67a6c6013ca 591 WOLFSSL_MSG("OAEP pad error hash to big for RSA key size");
wolfSSL 13:f67a6c6013ca 592 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:f67a6c6013ca 593 XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
wolfSSL 13:f67a6c6013ca 594 XFREE(seed, heap, DYNAMIC_TYPE_RSA_BUFFER);
wolfSSL 13:f67a6c6013ca 595 #endif
wolfSSL 13:f67a6c6013ca 596 return BAD_FUNC_ARG;
wolfSSL 13:f67a6c6013ca 597 }
wolfSSL 13:f67a6c6013ca 598
wolfSSL 13:f67a6c6013ca 599 if (inputLen > (pkcsBlockLen - 2 * hLen - 2)) {
wolfSSL 13:f67a6c6013ca 600 WOLFSSL_MSG("OAEP pad error message too long");
wolfSSL 13:f67a6c6013ca 601 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:f67a6c6013ca 602 XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
wolfSSL 13:f67a6c6013ca 603 XFREE(seed, heap, DYNAMIC_TYPE_RSA_BUFFER);
wolfSSL 13:f67a6c6013ca 604 #endif
wolfSSL 13:f67a6c6013ca 605 return BAD_FUNC_ARG;
wolfSSL 13:f67a6c6013ca 606 }
wolfSSL 13:f67a6c6013ca 607
wolfSSL 13:f67a6c6013ca 608 /* concatenate lHash || PS || 0x01 || msg */
wolfSSL 13:f67a6c6013ca 609 idx = pkcsBlockLen - 1 - inputLen;
wolfSSL 13:f67a6c6013ca 610 psLen = pkcsBlockLen - inputLen - 2 * hLen - 2;
wolfSSL 13:f67a6c6013ca 611 if (pkcsBlockLen < inputLen) { /*make sure not writing over end of buffer */
wolfSSL 13:f67a6c6013ca 612 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:f67a6c6013ca 613 XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
wolfSSL 13:f67a6c6013ca 614 XFREE(seed, heap, DYNAMIC_TYPE_RSA_BUFFER);
wolfSSL 13:f67a6c6013ca 615 #endif
wolfSSL 13:f67a6c6013ca 616 return BUFFER_E;
wolfSSL 13:f67a6c6013ca 617 }
wolfSSL 13:f67a6c6013ca 618 XMEMCPY(pkcsBlock + (pkcsBlockLen - inputLen), input, inputLen);
wolfSSL 13:f67a6c6013ca 619 pkcsBlock[idx--] = 0x01; /* PS and M separator */
wolfSSL 13:f67a6c6013ca 620 while (psLen > 0 && idx > 0) {
wolfSSL 13:f67a6c6013ca 621 pkcsBlock[idx--] = 0x00;
wolfSSL 13:f67a6c6013ca 622 psLen--;
wolfSSL 13:f67a6c6013ca 623 }
wolfSSL 13:f67a6c6013ca 624
wolfSSL 13:f67a6c6013ca 625 idx = idx - hLen + 1;
wolfSSL 13:f67a6c6013ca 626 XMEMCPY(pkcsBlock + idx, lHash, hLen);
wolfSSL 13:f67a6c6013ca 627
wolfSSL 13:f67a6c6013ca 628 /* generate random seed */
wolfSSL 13:f67a6c6013ca 629 if ((ret = wc_RNG_GenerateBlock(rng, seed, hLen)) != 0) {
wolfSSL 13:f67a6c6013ca 630 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:f67a6c6013ca 631 XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
wolfSSL 13:f67a6c6013ca 632 XFREE(seed, heap, DYNAMIC_TYPE_RSA_BUFFER);
wolfSSL 13:f67a6c6013ca 633 #endif
wolfSSL 13:f67a6c6013ca 634 return ret;
wolfSSL 13:f67a6c6013ca 635 }
wolfSSL 13:f67a6c6013ca 636
wolfSSL 13:f67a6c6013ca 637 /* create maskedDB from dbMask */
wolfSSL 13:f67a6c6013ca 638 dbMask = (byte*)XMALLOC(pkcsBlockLen - hLen - 1, heap, DYNAMIC_TYPE_RSA);
wolfSSL 13:f67a6c6013ca 639 if (dbMask == NULL) {
wolfSSL 13:f67a6c6013ca 640 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:f67a6c6013ca 641 XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
wolfSSL 13:f67a6c6013ca 642 XFREE(seed, heap, DYNAMIC_TYPE_RSA_BUFFER);
wolfSSL 13:f67a6c6013ca 643 #endif
wolfSSL 13:f67a6c6013ca 644 return MEMORY_E;
wolfSSL 13:f67a6c6013ca 645 }
wolfSSL 13:f67a6c6013ca 646 XMEMSET(dbMask, 0, pkcsBlockLen - hLen - 1); /* help static analyzer */
wolfSSL 13:f67a6c6013ca 647
wolfSSL 13:f67a6c6013ca 648 ret = RsaMGF(mgf, seed, hLen, dbMask, pkcsBlockLen - hLen - 1, heap);
wolfSSL 13:f67a6c6013ca 649 if (ret != 0) {
wolfSSL 13:f67a6c6013ca 650 XFREE(dbMask, heap, DYNAMIC_TYPE_RSA);
wolfSSL 13:f67a6c6013ca 651 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:f67a6c6013ca 652 XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
wolfSSL 13:f67a6c6013ca 653 XFREE(seed, heap, DYNAMIC_TYPE_RSA_BUFFER);
wolfSSL 13:f67a6c6013ca 654 #endif
wolfSSL 13:f67a6c6013ca 655 return ret;
wolfSSL 13:f67a6c6013ca 656 }
wolfSSL 13:f67a6c6013ca 657
wolfSSL 13:f67a6c6013ca 658 i = 0;
wolfSSL 13:f67a6c6013ca 659 idx = hLen + 1;
wolfSSL 13:f67a6c6013ca 660 while (idx < pkcsBlockLen && (word32)i < (pkcsBlockLen - hLen -1)) {
wolfSSL 13:f67a6c6013ca 661 pkcsBlock[idx] = dbMask[i++] ^ pkcsBlock[idx];
wolfSSL 13:f67a6c6013ca 662 idx++;
wolfSSL 13:f67a6c6013ca 663 }
wolfSSL 13:f67a6c6013ca 664 XFREE(dbMask, heap, DYNAMIC_TYPE_RSA);
wolfSSL 13:f67a6c6013ca 665
wolfSSL 13:f67a6c6013ca 666
wolfSSL 13:f67a6c6013ca 667 /* create maskedSeed from seedMask */
wolfSSL 13:f67a6c6013ca 668 idx = 0;
wolfSSL 13:f67a6c6013ca 669 pkcsBlock[idx++] = 0x00;
wolfSSL 13:f67a6c6013ca 670 /* create seedMask inline */
wolfSSL 13:f67a6c6013ca 671 if ((ret = RsaMGF(mgf, pkcsBlock + hLen + 1, pkcsBlockLen - hLen - 1,
wolfSSL 13:f67a6c6013ca 672 pkcsBlock + 1, hLen, heap)) != 0) {
wolfSSL 13:f67a6c6013ca 673 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:f67a6c6013ca 674 XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
wolfSSL 13:f67a6c6013ca 675 XFREE(seed, heap, DYNAMIC_TYPE_RSA_BUFFER);
wolfSSL 13:f67a6c6013ca 676 #endif
wolfSSL 13:f67a6c6013ca 677 return ret;
wolfSSL 13:f67a6c6013ca 678 }
wolfSSL 13:f67a6c6013ca 679
wolfSSL 13:f67a6c6013ca 680 /* xor created seedMask with seed to make maskedSeed */
wolfSSL 13:f67a6c6013ca 681 i = 0;
wolfSSL 13:f67a6c6013ca 682 while (idx < (word32)(hLen + 1) && i < hLen) {
wolfSSL 13:f67a6c6013ca 683 pkcsBlock[idx] = pkcsBlock[idx] ^ seed[i++];
wolfSSL 13:f67a6c6013ca 684 idx++;
wolfSSL 13:f67a6c6013ca 685 }
wolfSSL 13:f67a6c6013ca 686
wolfSSL 13:f67a6c6013ca 687 #ifdef WOLFSSL_SMALL_STACK
wolfSSL 13:f67a6c6013ca 688 XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
wolfSSL 13:f67a6c6013ca 689 XFREE(seed, heap, DYNAMIC_TYPE_RSA_BUFFER);
wolfSSL 13:f67a6c6013ca 690 #endif
wolfSSL 13:f67a6c6013ca 691 (void)padValue;
wolfSSL 13:f67a6c6013ca 692
wolfSSL 13:f67a6c6013ca 693 return 0;
wolfSSL 13:f67a6c6013ca 694 }
wolfSSL 13:f67a6c6013ca 695 #endif /* !WC_NO_RSA_OAEP */
wolfSSL 13:f67a6c6013ca 696
wolfSSL 13:f67a6c6013ca 697 #ifdef WC_RSA_PSS
wolfSSL 13:f67a6c6013ca 698 /* 0x00 .. 0x00 0x01 | Salt | Gen Hash | 0xbc
wolfSSL 13:f67a6c6013ca 699 * XOR MGF over all bytes down to end of Salt
wolfSSL 13:f67a6c6013ca 700 * Gen Hash = HASH(8 * 0x00 | Message Hash | Salt)
wolfSSL 13:f67a6c6013ca 701 */
wolfSSL 13:f67a6c6013ca 702 static int RsaPad_PSS(const byte* input, word32 inputLen, byte* pkcsBlock,
wolfSSL 13:f67a6c6013ca 703 word32 pkcsBlockLen, WC_RNG* rng, enum wc_HashType hType, int mgf,
wolfSSL 13:f67a6c6013ca 704 int bits, void* heap)
wolfSSL 13:f67a6c6013ca 705 {
wolfSSL 13:f67a6c6013ca 706 int ret;
wolfSSL 13:f67a6c6013ca 707 int hLen, i;
wolfSSL 13:f67a6c6013ca 708 byte* s;
wolfSSL 13:f67a6c6013ca 709 byte* m;
wolfSSL 13:f67a6c6013ca 710 byte* h;
wolfSSL 13:f67a6c6013ca 711 byte salt[WC_MAX_DIGEST_SIZE];
wolfSSL 13:f67a6c6013ca 712
wolfSSL 13:f67a6c6013ca 713 hLen = wc_HashGetDigestSize(hType);
wolfSSL 13:f67a6c6013ca 714 if (hLen < 0)
wolfSSL 13:f67a6c6013ca 715 return hLen;
wolfSSL 13:f67a6c6013ca 716
wolfSSL 13:f67a6c6013ca 717 s = m = pkcsBlock;
wolfSSL 13:f67a6c6013ca 718 XMEMSET(m, 0, 8);
wolfSSL 13:f67a6c6013ca 719 m += 8;
wolfSSL 13:f67a6c6013ca 720 XMEMCPY(m, input, inputLen);
wolfSSL 13:f67a6c6013ca 721 m += inputLen;
wolfSSL 13:f67a6c6013ca 722 if ((ret = wc_RNG_GenerateBlock(rng, salt, hLen)) != 0)
wolfSSL 13:f67a6c6013ca 723 return ret;
wolfSSL 13:f67a6c6013ca 724 XMEMCPY(m, salt, hLen);
wolfSSL 13:f67a6c6013ca 725 m += hLen;
wolfSSL 13:f67a6c6013ca 726
wolfSSL 13:f67a6c6013ca 727 h = pkcsBlock + pkcsBlockLen - 1 - hLen;
wolfSSL 13:f67a6c6013ca 728 if ((ret = wc_Hash(hType, s, (word32)(m - s), h, hLen)) != 0)
wolfSSL 13:f67a6c6013ca 729 return ret;
wolfSSL 13:f67a6c6013ca 730 pkcsBlock[pkcsBlockLen - 1] = 0xbc;
wolfSSL 13:f67a6c6013ca 731
wolfSSL 13:f67a6c6013ca 732 ret = RsaMGF(mgf, h, hLen, pkcsBlock, pkcsBlockLen - hLen - 1, heap);
wolfSSL 13:f67a6c6013ca 733 if (ret != 0)
wolfSSL 13:f67a6c6013ca 734 return ret;
wolfSSL 13:f67a6c6013ca 735 pkcsBlock[0] &= (1 << ((bits - 1) & 0x7)) - 1;
wolfSSL 13:f67a6c6013ca 736
wolfSSL 13:f67a6c6013ca 737 m = pkcsBlock + pkcsBlockLen - 1 - hLen - hLen - 1;
wolfSSL 13:f67a6c6013ca 738 *(m++) ^= 0x01;
wolfSSL 13:f67a6c6013ca 739 for (i = 0; i < hLen; i++)
wolfSSL 13:f67a6c6013ca 740 m[i] ^= salt[i];
wolfSSL 13:f67a6c6013ca 741
wolfSSL 13:f67a6c6013ca 742 return 0;
wolfSSL 13:f67a6c6013ca 743 }
wolfSSL 13:f67a6c6013ca 744 #endif
wolfSSL 13:f67a6c6013ca 745
wolfSSL 13:f67a6c6013ca 746 static int RsaPad(const byte* input, word32 inputLen, byte* pkcsBlock,
wolfSSL 13:f67a6c6013ca 747 word32 pkcsBlockLen, byte padValue, WC_RNG* rng)
wolfSSL 13:f67a6c6013ca 748 {
wolfSSL 13:f67a6c6013ca 749 if (input == NULL || inputLen == 0 || pkcsBlock == NULL ||
wolfSSL 13:f67a6c6013ca 750 pkcsBlockLen == 0) {
wolfSSL 13:f67a6c6013ca 751 return BAD_FUNC_ARG;
wolfSSL 13:f67a6c6013ca 752 }
wolfSSL 13:f67a6c6013ca 753
wolfSSL 13:f67a6c6013ca 754 pkcsBlock[0] = 0x0; /* set first byte to zero and advance */
wolfSSL 13:f67a6c6013ca 755 pkcsBlock++; pkcsBlockLen--;
wolfSSL 13:f67a6c6013ca 756 pkcsBlock[0] = padValue; /* insert padValue */
wolfSSL 13:f67a6c6013ca 757
wolfSSL 13:f67a6c6013ca 758 if (padValue == RSA_BLOCK_TYPE_1) {
wolfSSL 13:f67a6c6013ca 759 if (pkcsBlockLen < inputLen + 2) {
wolfSSL 13:f67a6c6013ca 760 WOLFSSL_MSG("RsaPad error, invalid length");
wolfSSL 13:f67a6c6013ca 761 return RSA_PAD_E;
wolfSSL 13:f67a6c6013ca 762 }
wolfSSL 13:f67a6c6013ca 763
wolfSSL 13:f67a6c6013ca 764 /* pad with 0xff bytes */
wolfSSL 13:f67a6c6013ca 765 XMEMSET(&pkcsBlock[1], 0xFF, pkcsBlockLen - inputLen - 2);
wolfSSL 13:f67a6c6013ca 766 }
wolfSSL 13:f67a6c6013ca 767 else {
wolfSSL 13:f67a6c6013ca 768 /* pad with non-zero random bytes */
wolfSSL 13:f67a6c6013ca 769 word32 padLen, i;
wolfSSL 13:f67a6c6013ca 770 int ret;
wolfSSL 13:f67a6c6013ca 771
wolfSSL 13:f67a6c6013ca 772 if (pkcsBlockLen < inputLen + 1) {
wolfSSL 13:f67a6c6013ca 773 WOLFSSL_MSG("RsaPad error, invalid length");
wolfSSL 13:f67a6c6013ca 774 return RSA_PAD_E;
wolfSSL 13:f67a6c6013ca 775 }
wolfSSL 13:f67a6c6013ca 776
wolfSSL 13:f67a6c6013ca 777 padLen = pkcsBlockLen - inputLen - 1;
wolfSSL 13:f67a6c6013ca 778 ret = wc_RNG_GenerateBlock(rng, &pkcsBlock[1], padLen);
wolfSSL 13:f67a6c6013ca 779 if (ret != 0) {
wolfSSL 13:f67a6c6013ca 780 return ret;
wolfSSL 13:f67a6c6013ca 781 }
wolfSSL 13:f67a6c6013ca 782
wolfSSL 13:f67a6c6013ca 783 /* remove zeros */
wolfSSL 13:f67a6c6013ca 784 for (i = 1; i < padLen; i++) {
wolfSSL 13:f67a6c6013ca 785 if (pkcsBlock[i] == 0) pkcsBlock[i] = 0x01;
wolfSSL 13:f67a6c6013ca 786 }
wolfSSL 13:f67a6c6013ca 787 }
wolfSSL 13:f67a6c6013ca 788
wolfSSL 13:f67a6c6013ca 789 pkcsBlock[pkcsBlockLen-inputLen-1] = 0; /* separator */
wolfSSL 13:f67a6c6013ca 790 XMEMCPY(pkcsBlock+pkcsBlockLen-inputLen, input, inputLen);
wolfSSL 13:f67a6c6013ca 791
wolfSSL 13:f67a6c6013ca 792 return 0;
wolfSSL 13:f67a6c6013ca 793 }
wolfSSL 13:f67a6c6013ca 794
wolfSSL 13:f67a6c6013ca 795 /* helper function to direct which padding is used */
wolfSSL 13:f67a6c6013ca 796 static int wc_RsaPad_ex(const byte* input, word32 inputLen, byte* pkcsBlock,
wolfSSL 13:f67a6c6013ca 797 word32 pkcsBlockLen, byte padValue, WC_RNG* rng, int padType,
wolfSSL 13:f67a6c6013ca 798 enum wc_HashType hType, int mgf, byte* optLabel, word32 labelLen, int bits,
wolfSSL 13:f67a6c6013ca 799 void* heap)
wolfSSL 13:f67a6c6013ca 800 {
wolfSSL 13:f67a6c6013ca 801 int ret;
wolfSSL 13:f67a6c6013ca 802
wolfSSL 13:f67a6c6013ca 803 switch (padType)
wolfSSL 13:f67a6c6013ca 804 {
wolfSSL 13:f67a6c6013ca 805 case WC_RSA_PKCSV15_PAD:
wolfSSL 13:f67a6c6013ca 806 /*WOLFSSL_MSG("wolfSSL Using RSA PKCSV15 padding");*/
wolfSSL 13:f67a6c6013ca 807 ret = RsaPad(input, inputLen, pkcsBlock, pkcsBlockLen,
wolfSSL 13:f67a6c6013ca 808 padValue, rng);
wolfSSL 13:f67a6c6013ca 809 break;
wolfSSL 13:f67a6c6013ca 810
wolfSSL 13:f67a6c6013ca 811 #ifndef WC_NO_RSA_OAEP
wolfSSL 13:f67a6c6013ca 812 case WC_RSA_OAEP_PAD:
wolfSSL 13:f67a6c6013ca 813 WOLFSSL_MSG("wolfSSL Using RSA OAEP padding");
wolfSSL 13:f67a6c6013ca 814 ret = RsaPad_OAEP(input, inputLen, pkcsBlock, pkcsBlockLen,
wolfSSL 13:f67a6c6013ca 815 padValue, rng, hType, mgf, optLabel, labelLen, heap);
wolfSSL 13:f67a6c6013ca 816 break;
wolfSSL 13:f67a6c6013ca 817 #endif
wolfSSL 13:f67a6c6013ca 818
wolfSSL 13:f67a6c6013ca 819 #ifdef WC_RSA_PSS
wolfSSL 13:f67a6c6013ca 820 case WC_RSA_PSS_PAD:
wolfSSL 13:f67a6c6013ca 821 WOLFSSL_MSG("wolfSSL Using RSA PSS padding");
wolfSSL 13:f67a6c6013ca 822 ret = RsaPad_PSS(input, inputLen, pkcsBlock, pkcsBlockLen, rng,
wolfSSL 13:f67a6c6013ca 823 hType, mgf, bits, heap);
wolfSSL 13:f67a6c6013ca 824 break;
wolfSSL 13:f67a6c6013ca 825 #endif
wolfSSL 13:f67a6c6013ca 826
wolfSSL 13:f67a6c6013ca 827 default:
wolfSSL 13:f67a6c6013ca 828 WOLFSSL_MSG("Unknown RSA Pad Type");
wolfSSL 13:f67a6c6013ca 829 ret = RSA_PAD_E;
wolfSSL 13:f67a6c6013ca 830 }
wolfSSL 13:f67a6c6013ca 831
wolfSSL 13:f67a6c6013ca 832 /* silence warning if not used with padding scheme */
wolfSSL 13:f67a6c6013ca 833 (void)hType;
wolfSSL 13:f67a6c6013ca 834 (void)mgf;
wolfSSL 13:f67a6c6013ca 835 (void)optLabel;
wolfSSL 13:f67a6c6013ca 836 (void)labelLen;
wolfSSL 13:f67a6c6013ca 837 (void)bits;
wolfSSL 13:f67a6c6013ca 838 (void)heap;
wolfSSL 13:f67a6c6013ca 839
wolfSSL 13:f67a6c6013ca 840 return ret;
wolfSSL 13:f67a6c6013ca 841 }
wolfSSL 13:f67a6c6013ca 842
wolfSSL 13:f67a6c6013ca 843
wolfSSL 13:f67a6c6013ca 844 /* UnPadding */
wolfSSL 13:f67a6c6013ca 845 #ifndef WC_NO_RSA_OAEP
wolfSSL 13:f67a6c6013ca 846 /* UnPad plaintext, set start to *output, return length of plaintext,
wolfSSL 13:f67a6c6013ca 847 * < 0 on error */
wolfSSL 13:f67a6c6013ca 848 static int RsaUnPad_OAEP(byte *pkcsBlock, unsigned int pkcsBlockLen,
wolfSSL 13:f67a6c6013ca 849 byte **output, enum wc_HashType hType, int mgf,
wolfSSL 13:f67a6c6013ca 850 byte* optLabel, word32 labelLen, void* heap)
wolfSSL 13:f67a6c6013ca 851 {
wolfSSL 13:f67a6c6013ca 852 int hLen;
wolfSSL 13:f67a6c6013ca 853 int ret;
wolfSSL 13:f67a6c6013ca 854 byte h[WC_MAX_DIGEST_SIZE]; /* max digest size */
wolfSSL 13:f67a6c6013ca 855 byte* tmp;
wolfSSL 13:f67a6c6013ca 856 word32 idx;
wolfSSL 13:f67a6c6013ca 857
wolfSSL 13:f67a6c6013ca 858 /* no label is allowed, but catch if no label provided and length > 0 */
wolfSSL 13:f67a6c6013ca 859 if (optLabel == NULL && labelLen > 0) {
wolfSSL 13:f67a6c6013ca 860 return BUFFER_E;
wolfSSL 13:f67a6c6013ca 861 }
wolfSSL 13:f67a6c6013ca 862
wolfSSL 13:f67a6c6013ca 863 hLen = wc_HashGetDigestSize(hType);
wolfSSL 13:f67a6c6013ca 864 if ((hLen < 0) || (pkcsBlockLen < (2 * (word32)hLen + 2))) {
wolfSSL 13:f67a6c6013ca 865 return BAD_FUNC_ARG;
wolfSSL 13:f67a6c6013ca 866 }
wolfSSL 13:f67a6c6013ca 867
wolfSSL 13:f67a6c6013ca 868 tmp = (byte*)XMALLOC(pkcsBlockLen, heap, DYNAMIC_TYPE_RSA_BUFFER);
wolfSSL 13:f67a6c6013ca 869 if (tmp == NULL) {
wolfSSL 13:f67a6c6013ca 870 return MEMORY_E;
wolfSSL 13:f67a6c6013ca 871 }
wolfSSL 13:f67a6c6013ca 872 XMEMSET(tmp, 0, pkcsBlockLen);
wolfSSL 13:f67a6c6013ca 873
wolfSSL 13:f67a6c6013ca 874 /* find seedMask value */
wolfSSL 13:f67a6c6013ca 875 if ((ret = RsaMGF(mgf, (byte*)(pkcsBlock + (hLen + 1)),
wolfSSL 13:f67a6c6013ca 876 pkcsBlockLen - hLen - 1, tmp, hLen, heap)) != 0) {
wolfSSL 13:f67a6c6013ca 877 XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER);
wolfSSL 13:f67a6c6013ca 878 return ret;
wolfSSL 13:f67a6c6013ca 879 }
wolfSSL 13:f67a6c6013ca 880
wolfSSL 13:f67a6c6013ca 881 /* xor seedMask value with maskedSeed to get seed value */
wolfSSL 13:f67a6c6013ca 882 for (idx = 0; idx < (word32)hLen; idx++) {
wolfSSL 13:f67a6c6013ca 883 tmp[idx] = tmp[idx] ^ pkcsBlock[1 + idx];
wolfSSL 13:f67a6c6013ca 884 }
wolfSSL 13:f67a6c6013ca 885
wolfSSL 13:f67a6c6013ca 886 /* get dbMask value */
wolfSSL 13:f67a6c6013ca 887 if ((ret = RsaMGF(mgf, tmp, hLen, tmp + hLen,
wolfSSL 13:f67a6c6013ca 888 pkcsBlockLen - hLen - 1, heap)) != 0) {
wolfSSL 13:f67a6c6013ca 889 XFREE(tmp, NULL, DYNAMIC_TYPE_RSA_BUFFER);
wolfSSL 13:f67a6c6013ca 890 return ret;
wolfSSL 13:f67a6c6013ca 891 }
wolfSSL 13:f67a6c6013ca 892
wolfSSL 13:f67a6c6013ca 893 /* get DB value by doing maskedDB xor dbMask */
wolfSSL 13:f67a6c6013ca 894 for (idx = 0; idx < (pkcsBlockLen - hLen - 1); idx++) {
wolfSSL 13:f67a6c6013ca 895 pkcsBlock[hLen + 1 + idx] = pkcsBlock[hLen + 1 + idx] ^ tmp[idx + hLen];
wolfSSL 13:f67a6c6013ca 896 }
wolfSSL 13:f67a6c6013ca 897
wolfSSL 13:f67a6c6013ca 898 /* done with use of tmp buffer */
wolfSSL 13:f67a6c6013ca 899 XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER);
wolfSSL 13:f67a6c6013ca 900
wolfSSL 13:f67a6c6013ca 901 /* advance idx to index of PS and msg separator, account for PS size of 0*/
wolfSSL 13:f67a6c6013ca 902 idx = hLen + 1 + hLen;
wolfSSL 13:f67a6c6013ca 903 while (idx < pkcsBlockLen && pkcsBlock[idx] == 0) {idx++;}
wolfSSL 13:f67a6c6013ca 904
wolfSSL 13:f67a6c6013ca 905 /* create hash of label for comparision with hash sent */
wolfSSL 13:f67a6c6013ca 906 if ((ret = wc_Hash(hType, optLabel, labelLen, h, hLen)) != 0) {
wolfSSL 13:f67a6c6013ca 907 return ret;
wolfSSL 13:f67a6c6013ca 908 }
wolfSSL 13:f67a6c6013ca 909
wolfSSL 13:f67a6c6013ca 910 /* say no to chosen ciphertext attack.
wolfSSL 13:f67a6c6013ca 911 Comparison of lHash, Y, and separator value needs to all happen in
wolfSSL 13:f67a6c6013ca 912 constant time.
wolfSSL 13:f67a6c6013ca 913 Attackers should not be able to get error condition from the timing of
wolfSSL 13:f67a6c6013ca 914 these checks.
wolfSSL 13:f67a6c6013ca 915 */
wolfSSL 13:f67a6c6013ca 916 ret = 0;
wolfSSL 13:f67a6c6013ca 917 ret |= ConstantCompare(pkcsBlock + hLen + 1, h, hLen);
wolfSSL 13:f67a6c6013ca 918 ret += pkcsBlock[idx++] ^ 0x01; /* separator value is 0x01 */
wolfSSL 13:f67a6c6013ca 919 ret += pkcsBlock[0] ^ 0x00; /* Y, the first value, should be 0 */
wolfSSL 13:f67a6c6013ca 920
wolfSSL 13:f67a6c6013ca 921 if (ret != 0) {
wolfSSL 13:f67a6c6013ca 922 return BAD_PADDING_E;
wolfSSL 13:f67a6c6013ca 923 }
wolfSSL 13:f67a6c6013ca 924
wolfSSL 13:f67a6c6013ca 925 /* adjust pointer to correct location in array and return size of M */
wolfSSL 13:f67a6c6013ca 926 *output = (byte*)(pkcsBlock + idx);
wolfSSL 13:f67a6c6013ca 927 return pkcsBlockLen - idx;
wolfSSL 13:f67a6c6013ca 928 }
wolfSSL 13:f67a6c6013ca 929 #endif /* WC_NO_RSA_OAEP */
wolfSSL 13:f67a6c6013ca 930
wolfSSL 13:f67a6c6013ca 931 #ifdef WC_RSA_PSS
wolfSSL 13:f67a6c6013ca 932 static int RsaUnPad_PSS(byte *pkcsBlock, unsigned int pkcsBlockLen,
wolfSSL 13:f67a6c6013ca 933 byte **output, enum wc_HashType hType, int mgf,
wolfSSL 13:f67a6c6013ca 934 int bits, void* heap)
wolfSSL 13:f67a6c6013ca 935 {
wolfSSL 13:f67a6c6013ca 936 int ret;
wolfSSL 13:f67a6c6013ca 937 byte* tmp;
wolfSSL 13:f67a6c6013ca 938 int hLen, i;
wolfSSL 13:f67a6c6013ca 939
wolfSSL 13:f67a6c6013ca 940 hLen = wc_HashGetDigestSize(hType);
wolfSSL 13:f67a6c6013ca 941 if (hLen < 0)
wolfSSL 13:f67a6c6013ca 942 return hLen;
wolfSSL 13:f67a6c6013ca 943
wolfSSL 13:f67a6c6013ca 944 if (pkcsBlock[pkcsBlockLen - 1] != 0xbc)
wolfSSL 13:f67a6c6013ca 945 return BAD_PADDING_E;
wolfSSL 13:f67a6c6013ca 946
wolfSSL 13:f67a6c6013ca 947 tmp = (byte*)XMALLOC(pkcsBlockLen, heap, DYNAMIC_TYPE_RSA_BUFFER);
wolfSSL 13:f67a6c6013ca 948 if (tmp == NULL) {
wolfSSL 13:f67a6c6013ca 949 return MEMORY_E;
wolfSSL 13:f67a6c6013ca 950 }
wolfSSL 13:f67a6c6013ca 951
wolfSSL 13:f67a6c6013ca 952 if ((ret = RsaMGF(mgf, pkcsBlock + pkcsBlockLen - 1 - hLen, hLen,
wolfSSL 13:f67a6c6013ca 953 tmp, pkcsBlockLen - 1 - hLen, heap)) != 0) {
wolfSSL 13:f67a6c6013ca 954 XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER);
wolfSSL 13:f67a6c6013ca 955 return ret;
wolfSSL 13:f67a6c6013ca 956 }
wolfSSL 13:f67a6c6013ca 957
wolfSSL 13:f67a6c6013ca 958 tmp[0] &= (1 << ((bits - 1) & 0x7)) - 1;
wolfSSL 13:f67a6c6013ca 959 for (i = 0; i < (int)(pkcsBlockLen - 1 - hLen - hLen - 1); i++) {
wolfSSL 13:f67a6c6013ca 960 if (tmp[i] != pkcsBlock[i]) {
wolfSSL 13:f67a6c6013ca 961 XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER);
wolfSSL 13:f67a6c6013ca 962 return BAD_PADDING_E;
wolfSSL 13:f67a6c6013ca 963 }
wolfSSL 13:f67a6c6013ca 964 }
wolfSSL 13:f67a6c6013ca 965 if (tmp[i] != (pkcsBlock[i] ^ 0x01)) {
wolfSSL 13:f67a6c6013ca 966 XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER);
wolfSSL 13:f67a6c6013ca 967 return BAD_PADDING_E;
wolfSSL 13:f67a6c6013ca 968 }
wolfSSL 13:f67a6c6013ca 969 for (i++; i < (int)(pkcsBlockLen - 1 - hLen); i++)
wolfSSL 13:f67a6c6013ca 970 pkcsBlock[i] ^= tmp[i];
wolfSSL 13:f67a6c6013ca 971
wolfSSL 13:f67a6c6013ca 972 XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER);
wolfSSL 13:f67a6c6013ca 973
wolfSSL 13:f67a6c6013ca 974 i = pkcsBlockLen - (RSA_PSS_PAD_SZ + 3 * hLen + 1);
wolfSSL 13:f67a6c6013ca 975 XMEMSET(pkcsBlock + i, 0, RSA_PSS_PAD_SZ);
wolfSSL 13:f67a6c6013ca 976
wolfSSL 13:f67a6c6013ca 977 *output = pkcsBlock + i;
wolfSSL 13:f67a6c6013ca 978 return RSA_PSS_PAD_SZ + 3 * hLen;
wolfSSL 13:f67a6c6013ca 979 }
wolfSSL 13:f67a6c6013ca 980 #endif
wolfSSL 13:f67a6c6013ca 981
wolfSSL 13:f67a6c6013ca 982 /* UnPad plaintext, set start to *output, return length of plaintext,
wolfSSL 13:f67a6c6013ca 983 * < 0 on error */
wolfSSL 13:f67a6c6013ca 984 static int RsaUnPad(const byte *pkcsBlock, unsigned int pkcsBlockLen,
wolfSSL 13:f67a6c6013ca 985 byte **output, byte padValue)
wolfSSL 13:f67a6c6013ca 986 {
wolfSSL 13:f67a6c6013ca 987 word32 maxOutputLen = (pkcsBlockLen > 10) ? (pkcsBlockLen - 10) : 0;
wolfSSL 13:f67a6c6013ca 988 word32 invalid = 0;
wolfSSL 13:f67a6c6013ca 989 word32 i = 1;
wolfSSL 13:f67a6c6013ca 990 word32 outputLen;
wolfSSL 13:f67a6c6013ca 991
wolfSSL 13:f67a6c6013ca 992 if (output == NULL || pkcsBlockLen == 0) {
wolfSSL 13:f67a6c6013ca 993 return BAD_FUNC_ARG;
wolfSSL 13:f67a6c6013ca 994 }
wolfSSL 13:f67a6c6013ca 995
wolfSSL 13:f67a6c6013ca 996 if (pkcsBlock[0] != 0x0) { /* skip past zero */
wolfSSL 13:f67a6c6013ca 997 invalid = 1;
wolfSSL 13:f67a6c6013ca 998 }
wolfSSL 13:f67a6c6013ca 999 pkcsBlock++; pkcsBlockLen--;
wolfSSL 13:f67a6c6013ca 1000
wolfSSL 13:f67a6c6013ca 1001 /* Require block type padValue */
wolfSSL 13:f67a6c6013ca 1002 invalid = (pkcsBlock[0] != padValue) || invalid;
wolfSSL 13:f67a6c6013ca 1003
wolfSSL 13:f67a6c6013ca 1004 /* verify the padding until we find the separator */
wolfSSL 13:f67a6c6013ca 1005 if (padValue == RSA_BLOCK_TYPE_1) {
wolfSSL 13:f67a6c6013ca 1006 while (i<pkcsBlockLen && pkcsBlock[i++] == 0xFF) {/* Null body */}
wolfSSL 13:f67a6c6013ca 1007 }
wolfSSL 13:f67a6c6013ca 1008 else {
wolfSSL 13:f67a6c6013ca 1009 while (i<pkcsBlockLen && pkcsBlock[i++]) {/* Null body */}
wolfSSL 13:f67a6c6013ca 1010 }
wolfSSL 13:f67a6c6013ca 1011
wolfSSL 13:f67a6c6013ca 1012 if (!(i==pkcsBlockLen || pkcsBlock[i-1]==0)) {
wolfSSL 13:f67a6c6013ca 1013 WOLFSSL_MSG("RsaUnPad error, bad formatting");
wolfSSL 13:f67a6c6013ca 1014 return RSA_PAD_E;
wolfSSL 13:f67a6c6013ca 1015 }
wolfSSL 13:f67a6c6013ca 1016
wolfSSL 13:f67a6c6013ca 1017 outputLen = pkcsBlockLen - i;
wolfSSL 13:f67a6c6013ca 1018 invalid = (outputLen > maxOutputLen) || invalid;
wolfSSL 13:f67a6c6013ca 1019
wolfSSL 13:f67a6c6013ca 1020 if (invalid) {
wolfSSL 13:f67a6c6013ca 1021 WOLFSSL_MSG("RsaUnPad error, invalid formatting");
wolfSSL 13:f67a6c6013ca 1022 return RSA_PAD_E;
wolfSSL 13:f67a6c6013ca 1023 }
wolfSSL 13:f67a6c6013ca 1024
wolfSSL 13:f67a6c6013ca 1025 *output = (byte *)(pkcsBlock + i);
wolfSSL 13:f67a6c6013ca 1026 return outputLen;
wolfSSL 13:f67a6c6013ca 1027 }
wolfSSL 13:f67a6c6013ca 1028
wolfSSL 13:f67a6c6013ca 1029 /* helper function to direct unpadding */
wolfSSL 13:f67a6c6013ca 1030 static int wc_RsaUnPad_ex(byte* pkcsBlock, word32 pkcsBlockLen, byte** out,
wolfSSL 13:f67a6c6013ca 1031 byte padValue, int padType, enum wc_HashType hType,
wolfSSL 13:f67a6c6013ca 1032 int mgf, byte* optLabel, word32 labelLen, int bits,
wolfSSL 13:f67a6c6013ca 1033 void* heap)
wolfSSL 13:f67a6c6013ca 1034 {
wolfSSL 13:f67a6c6013ca 1035 int ret;
wolfSSL 13:f67a6c6013ca 1036
wolfSSL 13:f67a6c6013ca 1037 switch (padType) {
wolfSSL 13:f67a6c6013ca 1038 case WC_RSA_PKCSV15_PAD:
wolfSSL 13:f67a6c6013ca 1039 /*WOLFSSL_MSG("wolfSSL Using RSA PKCSV15 un-padding");*/
wolfSSL 13:f67a6c6013ca 1040 ret = RsaUnPad(pkcsBlock, pkcsBlockLen, out, padValue);
wolfSSL 13:f67a6c6013ca 1041 break;
wolfSSL 13:f67a6c6013ca 1042
wolfSSL 13:f67a6c6013ca 1043 #ifndef WC_NO_RSA_OAEP
wolfSSL 13:f67a6c6013ca 1044 case WC_RSA_OAEP_PAD:
wolfSSL 13:f67a6c6013ca 1045 WOLFSSL_MSG("wolfSSL Using RSA OAEP un-padding");
wolfSSL 13:f67a6c6013ca 1046 ret = RsaUnPad_OAEP((byte*)pkcsBlock, pkcsBlockLen, out,
wolfSSL 13:f67a6c6013ca 1047 hType, mgf, optLabel, labelLen, heap);
wolfSSL 13:f67a6c6013ca 1048 break;
wolfSSL 13:f67a6c6013ca 1049 #endif
wolfSSL 13:f67a6c6013ca 1050
wolfSSL 13:f67a6c6013ca 1051 #ifdef WC_RSA_PSS
wolfSSL 13:f67a6c6013ca 1052 case WC_RSA_PSS_PAD:
wolfSSL 13:f67a6c6013ca 1053 WOLFSSL_MSG("wolfSSL Using RSA PSS un-padding");
wolfSSL 13:f67a6c6013ca 1054 ret = RsaUnPad_PSS((byte*)pkcsBlock, pkcsBlockLen, out, hType, mgf,
wolfSSL 13:f67a6c6013ca 1055 bits, heap);
wolfSSL 13:f67a6c6013ca 1056 break;
wolfSSL 13:f67a6c6013ca 1057 #endif
wolfSSL 13:f67a6c6013ca 1058
wolfSSL 13:f67a6c6013ca 1059 default:
wolfSSL 13:f67a6c6013ca 1060 WOLFSSL_MSG("Unknown RSA UnPad Type");
wolfSSL 13:f67a6c6013ca 1061 ret = RSA_PAD_E;
wolfSSL 13:f67a6c6013ca 1062 }
wolfSSL 13:f67a6c6013ca 1063
wolfSSL 13:f67a6c6013ca 1064 /* silence warning if not used with padding scheme */
wolfSSL 13:f67a6c6013ca 1065 (void)hType;
wolfSSL 13:f67a6c6013ca 1066 (void)mgf;
wolfSSL 13:f67a6c6013ca 1067 (void)optLabel;
wolfSSL 13:f67a6c6013ca 1068 (void)labelLen;
wolfSSL 13:f67a6c6013ca 1069 (void)bits;
wolfSSL 13:f67a6c6013ca 1070 (void)heap;
wolfSSL 13:f67a6c6013ca 1071
wolfSSL 13:f67a6c6013ca 1072 return ret;
wolfSSL 13:f67a6c6013ca 1073 }
wolfSSL 13:f67a6c6013ca 1074
wolfSSL 13:f67a6c6013ca 1075 #if defined(WOLFSSL_XILINX_CRYPT)
wolfSSL 13:f67a6c6013ca 1076 /*
wolfSSL 13:f67a6c6013ca 1077 * Xilinx hardened crypto acceleration.
wolfSSL 13:f67a6c6013ca 1078 *
wolfSSL 13:f67a6c6013ca 1079 * Returns 0 on success and negative values on error.
wolfSSL 13:f67a6c6013ca 1080 */
wolfSSL 13:f67a6c6013ca 1081 static int wc_RsaFunctionXil(const byte* in, word32 inLen, byte* out,
wolfSSL 13:f67a6c6013ca 1082 word32* outLen, int type, RsaKey* key, WC_RNG* rng)
wolfSSL 13:f67a6c6013ca 1083 {
wolfSSL 13:f67a6c6013ca 1084 int ret = 0;
wolfSSL 13:f67a6c6013ca 1085 word32 keyLen, len;
wolfSSL 13:f67a6c6013ca 1086 (void)rng;
wolfSSL 13:f67a6c6013ca 1087
wolfSSL 13:f67a6c6013ca 1088 keyLen = wc_RsaEncryptSize(key);
wolfSSL 13:f67a6c6013ca 1089 if (keyLen > *outLen) {
wolfSSL 13:f67a6c6013ca 1090 WOLFSSL_MSG("Output buffer is not big enough");
wolfSSL 13:f67a6c6013ca 1091 return BAD_FUNC_ARG;
wolfSSL 13:f67a6c6013ca 1092 }
wolfSSL 13:f67a6c6013ca 1093
wolfSSL 13:f67a6c6013ca 1094 if (inLen != keyLen) {
wolfSSL 13:f67a6c6013ca 1095 WOLFSSL_MSG("Expected that inLen equals RSA key length");
wolfSSL 13:f67a6c6013ca 1096 return BAD_FUNC_ARG;
wolfSSL 13:f67a6c6013ca 1097 }
wolfSSL 13:f67a6c6013ca 1098
wolfSSL 13:f67a6c6013ca 1099 switch(type) {
wolfSSL 13:f67a6c6013ca 1100 case RSA_PRIVATE_DECRYPT:
wolfSSL 13:f67a6c6013ca 1101 case RSA_PRIVATE_ENCRYPT:
wolfSSL 13:f67a6c6013ca 1102 /* Currently public exponent is loaded by default.
wolfSSL 13:f67a6c6013ca 1103 * In SDK 2017.1 RSA exponent values are expected to be of 4 bytes
wolfSSL 13:f67a6c6013ca 1104 * leading to private key operations with Xsecure_RsaDecrypt not being
wolfSSL 13:f67a6c6013ca 1105 * supported */
wolfSSL 13:f67a6c6013ca 1106 ret = RSA_WRONG_TYPE_E;
wolfSSL 13:f67a6c6013ca 1107 break;
wolfSSL 13:f67a6c6013ca 1108 case RSA_PUBLIC_ENCRYPT:
wolfSSL 13:f67a6c6013ca 1109 case RSA_PUBLIC_DECRYPT:
wolfSSL 13:f67a6c6013ca 1110 if (XSecure_RsaDecrypt(&(key->xRsa), in, out) != XST_SUCCESS) {
wolfSSL 13:f67a6c6013ca 1111 ret = BAD_STATE_E;
wolfSSL 13:f67a6c6013ca 1112 }
wolfSSL 13:f67a6c6013ca 1113 break;
wolfSSL 13:f67a6c6013ca 1114 default:
wolfSSL 13:f67a6c6013ca 1115 ret = RSA_WRONG_TYPE_E;
wolfSSL 13:f67a6c6013ca 1116 }
wolfSSL 13:f67a6c6013ca 1117
wolfSSL 13:f67a6c6013ca 1118 *outLen = keyLen;
wolfSSL 13:f67a6c6013ca 1119
wolfSSL 13:f67a6c6013ca 1120 return ret;
wolfSSL 13:f67a6c6013ca 1121 }
wolfSSL 13:f67a6c6013ca 1122 #endif /* WOLFSSL_XILINX_CRYPT */
wolfSSL 13:f67a6c6013ca 1123
wolfSSL 13:f67a6c6013ca 1124 static int wc_RsaFunctionSync(const byte* in, word32 inLen, byte* out,
wolfSSL 13:f67a6c6013ca 1125 word32* outLen, int type, RsaKey* key, WC_RNG* rng)
wolfSSL 13:f67a6c6013ca 1126 {
wolfSSL 13:f67a6c6013ca 1127 mp_int tmp;
wolfSSL 13:f67a6c6013ca 1128 #ifdef WC_RSA_BLINDING
wolfSSL 13:f67a6c6013ca 1129 mp_int rnd, rndi;
wolfSSL 13:f67a6c6013ca 1130 #endif
wolfSSL 13:f67a6c6013ca 1131 int ret = 0;
wolfSSL 13:f67a6c6013ca 1132 word32 keyLen, len;
wolfSSL 13:f67a6c6013ca 1133
wolfSSL 13:f67a6c6013ca 1134 (void)rng;
wolfSSL 13:f67a6c6013ca 1135
wolfSSL 13:f67a6c6013ca 1136 if (mp_init(&tmp) != MP_OKAY)
wolfSSL 13:f67a6c6013ca 1137 return MP_INIT_E;
wolfSSL 13:f67a6c6013ca 1138
wolfSSL 13:f67a6c6013ca 1139 #ifdef WC_RSA_BLINDING
wolfSSL 13:f67a6c6013ca 1140 if (type == RSA_PRIVATE_DECRYPT || type == RSA_PRIVATE_ENCRYPT) {
wolfSSL 13:f67a6c6013ca 1141 if (mp_init_multi(&rnd, &rndi, NULL, NULL, NULL, NULL) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 1142 mp_clear(&tmp);
wolfSSL 13:f67a6c6013ca 1143 return MP_INIT_E;
wolfSSL 13:f67a6c6013ca 1144 }
wolfSSL 13:f67a6c6013ca 1145 }
wolfSSL 13:f67a6c6013ca 1146 #endif
wolfSSL 13:f67a6c6013ca 1147
wolfSSL 13:f67a6c6013ca 1148 if (mp_read_unsigned_bin(&tmp, (byte*)in, inLen) != MP_OKAY)
wolfSSL 13:f67a6c6013ca 1149 ERROR_OUT(MP_READ_E);
wolfSSL 13:f67a6c6013ca 1150
wolfSSL 13:f67a6c6013ca 1151 switch(type) {
wolfSSL 13:f67a6c6013ca 1152 case RSA_PRIVATE_DECRYPT:
wolfSSL 13:f67a6c6013ca 1153 case RSA_PRIVATE_ENCRYPT:
wolfSSL 13:f67a6c6013ca 1154 {
wolfSSL 13:f67a6c6013ca 1155 #ifdef WC_RSA_BLINDING
wolfSSL 13:f67a6c6013ca 1156 /* blind */
wolfSSL 13:f67a6c6013ca 1157 ret = mp_rand(&rnd, get_digit_count(&key->n), rng);
wolfSSL 13:f67a6c6013ca 1158 if (ret != MP_OKAY)
wolfSSL 13:f67a6c6013ca 1159 goto done;
wolfSSL 13:f67a6c6013ca 1160
wolfSSL 13:f67a6c6013ca 1161 /* rndi = 1/rnd mod n */
wolfSSL 13:f67a6c6013ca 1162 if (mp_invmod(&rnd, &key->n, &rndi) != MP_OKAY)
wolfSSL 13:f67a6c6013ca 1163 ERROR_OUT(MP_INVMOD_E);
wolfSSL 13:f67a6c6013ca 1164
wolfSSL 13:f67a6c6013ca 1165 /* rnd = rnd^e */
wolfSSL 13:f67a6c6013ca 1166 if (mp_exptmod(&rnd, &key->e, &key->n, &rnd) != MP_OKAY)
wolfSSL 13:f67a6c6013ca 1167 ERROR_OUT(MP_EXPTMOD_E);
wolfSSL 13:f67a6c6013ca 1168
wolfSSL 13:f67a6c6013ca 1169 /* tmp = tmp*rnd mod n */
wolfSSL 13:f67a6c6013ca 1170 if (mp_mulmod(&tmp, &rnd, &key->n, &tmp) != MP_OKAY)
wolfSSL 13:f67a6c6013ca 1171 ERROR_OUT(MP_MULMOD_E);
wolfSSL 13:f67a6c6013ca 1172 #endif /* WC_RSA_BLINGING */
wolfSSL 13:f67a6c6013ca 1173
wolfSSL 13:f67a6c6013ca 1174 #ifdef RSA_LOW_MEM /* half as much memory but twice as slow */
wolfSSL 13:f67a6c6013ca 1175 if (mp_exptmod(&tmp, &key->d, &key->n, &tmp) != MP_OKAY)
wolfSSL 13:f67a6c6013ca 1176 ERROR_OUT(MP_EXPTMOD_E);
wolfSSL 13:f67a6c6013ca 1177 #else
wolfSSL 13:f67a6c6013ca 1178 /* Return 0 when cond is false and n when cond is true. */
wolfSSL 13:f67a6c6013ca 1179 #define COND_N(cond, n) ((0 - (cond)) & (n))
wolfSSL 13:f67a6c6013ca 1180 /* If ret has an error value return it otherwise if r is OK then return
wolfSSL 13:f67a6c6013ca 1181 * 0 otherwise return e.
wolfSSL 13:f67a6c6013ca 1182 */
wolfSSL 13:f67a6c6013ca 1183 #define RET_ERR(ret, r, e) \
wolfSSL 13:f67a6c6013ca 1184 ((ret) | (COND_N((ret) == 0, COND_N((r) != MP_OKAY, (e)))))
wolfSSL 13:f67a6c6013ca 1185
wolfSSL 13:f67a6c6013ca 1186 { /* tmpa/b scope */
wolfSSL 13:f67a6c6013ca 1187 mp_int tmpa, tmpb;
wolfSSL 13:f67a6c6013ca 1188 int r;
wolfSSL 13:f67a6c6013ca 1189
wolfSSL 13:f67a6c6013ca 1190 if (mp_init(&tmpa) != MP_OKAY)
wolfSSL 13:f67a6c6013ca 1191 ERROR_OUT(MP_INIT_E);
wolfSSL 13:f67a6c6013ca 1192
wolfSSL 13:f67a6c6013ca 1193 if (mp_init(&tmpb) != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 1194 mp_clear(&tmpa);
wolfSSL 13:f67a6c6013ca 1195 ERROR_OUT(MP_INIT_E);
wolfSSL 13:f67a6c6013ca 1196 }
wolfSSL 13:f67a6c6013ca 1197
wolfSSL 13:f67a6c6013ca 1198 /* tmpa = tmp^dP mod p */
wolfSSL 13:f67a6c6013ca 1199 r = mp_exptmod(&tmp, &key->dP, &key->p, &tmpa);
wolfSSL 13:f67a6c6013ca 1200 ret = RET_ERR(ret, r, MP_EXPTMOD_E);
wolfSSL 13:f67a6c6013ca 1201
wolfSSL 13:f67a6c6013ca 1202 /* tmpb = tmp^dQ mod q */
wolfSSL 13:f67a6c6013ca 1203 r = mp_exptmod(&tmp, &key->dQ, &key->q, &tmpb);
wolfSSL 13:f67a6c6013ca 1204 ret = RET_ERR(ret, r, MP_EXPTMOD_E);
wolfSSL 13:f67a6c6013ca 1205
wolfSSL 13:f67a6c6013ca 1206 /* tmp = (tmpa - tmpb) * qInv (mod p) */
wolfSSL 13:f67a6c6013ca 1207 r = mp_sub(&tmpa, &tmpb, &tmp);
wolfSSL 13:f67a6c6013ca 1208 ret = RET_ERR(ret, r, MP_SUB_E);
wolfSSL 13:f67a6c6013ca 1209
wolfSSL 13:f67a6c6013ca 1210 r = mp_mulmod(&tmp, &key->u, &key->p, &tmp);
wolfSSL 13:f67a6c6013ca 1211 ret = RET_ERR(ret, r, MP_MULMOD_E);
wolfSSL 13:f67a6c6013ca 1212
wolfSSL 13:f67a6c6013ca 1213 /* tmp = tmpb + q * tmp */
wolfSSL 13:f67a6c6013ca 1214 r = mp_mul(&tmp, &key->q, &tmp);
wolfSSL 13:f67a6c6013ca 1215 ret = RET_ERR(ret, r, MP_MUL_E);
wolfSSL 13:f67a6c6013ca 1216
wolfSSL 13:f67a6c6013ca 1217 r = mp_add(&tmp, &tmpb, &tmp);
wolfSSL 13:f67a6c6013ca 1218 ret = RET_ERR(ret, r, MP_ADD_E);
wolfSSL 13:f67a6c6013ca 1219
wolfSSL 13:f67a6c6013ca 1220 mp_clear(&tmpa);
wolfSSL 13:f67a6c6013ca 1221 mp_clear(&tmpb);
wolfSSL 13:f67a6c6013ca 1222
wolfSSL 13:f67a6c6013ca 1223 if (ret != 0) {
wolfSSL 13:f67a6c6013ca 1224 goto done;
wolfSSL 13:f67a6c6013ca 1225 }
wolfSSL 13:f67a6c6013ca 1226 #undef RET_ERR
wolfSSL 13:f67a6c6013ca 1227 #undef COND_N
wolfSSL 13:f67a6c6013ca 1228 } /* tmpa/b scope */
wolfSSL 13:f67a6c6013ca 1229 #endif /* RSA_LOW_MEM */
wolfSSL 13:f67a6c6013ca 1230
wolfSSL 13:f67a6c6013ca 1231 #ifdef WC_RSA_BLINDING
wolfSSL 13:f67a6c6013ca 1232 /* unblind */
wolfSSL 13:f67a6c6013ca 1233 if (mp_mulmod(&tmp, &rndi, &key->n, &tmp) != MP_OKAY)
wolfSSL 13:f67a6c6013ca 1234 ERROR_OUT(MP_MULMOD_E);
wolfSSL 13:f67a6c6013ca 1235 #endif /* WC_RSA_BLINDING */
wolfSSL 13:f67a6c6013ca 1236
wolfSSL 13:f67a6c6013ca 1237 break;
wolfSSL 13:f67a6c6013ca 1238 }
wolfSSL 13:f67a6c6013ca 1239 case RSA_PUBLIC_ENCRYPT:
wolfSSL 13:f67a6c6013ca 1240 case RSA_PUBLIC_DECRYPT:
wolfSSL 13:f67a6c6013ca 1241 #ifdef WOLFSSL_XILINX_CRYPT
wolfSSL 13:f67a6c6013ca 1242 ret = wc_RsaFunctionXil(in, inLen, out, outLen, type, key, rng);
wolfSSL 13:f67a6c6013ca 1243 goto done;
wolfSSL 13:f67a6c6013ca 1244 #else
wolfSSL 13:f67a6c6013ca 1245 if (mp_exptmod(&tmp, &key->e, &key->n, &tmp) != MP_OKAY)
wolfSSL 13:f67a6c6013ca 1246 ERROR_OUT(MP_EXPTMOD_E);
wolfSSL 13:f67a6c6013ca 1247 break;
wolfSSL 13:f67a6c6013ca 1248 #endif
wolfSSL 13:f67a6c6013ca 1249 default:
wolfSSL 13:f67a6c6013ca 1250 ERROR_OUT(RSA_WRONG_TYPE_E);
wolfSSL 13:f67a6c6013ca 1251 }
wolfSSL 13:f67a6c6013ca 1252
wolfSSL 13:f67a6c6013ca 1253 keyLen = wc_RsaEncryptSize(key);
wolfSSL 13:f67a6c6013ca 1254 if (keyLen > *outLen) {
wolfSSL 13:f67a6c6013ca 1255 ERROR_OUT(RSA_BUFFER_E);
wolfSSL 13:f67a6c6013ca 1256 }
wolfSSL 13:f67a6c6013ca 1257
wolfSSL 13:f67a6c6013ca 1258 len = mp_unsigned_bin_size(&tmp);
wolfSSL 13:f67a6c6013ca 1259
wolfSSL 13:f67a6c6013ca 1260 /* pad front w/ zeros to match key length */
wolfSSL 13:f67a6c6013ca 1261 while (len < keyLen) {
wolfSSL 13:f67a6c6013ca 1262 *out++ = 0x00;
wolfSSL 13:f67a6c6013ca 1263 len++;
wolfSSL 13:f67a6c6013ca 1264 }
wolfSSL 13:f67a6c6013ca 1265
wolfSSL 13:f67a6c6013ca 1266 *outLen = keyLen;
wolfSSL 13:f67a6c6013ca 1267
wolfSSL 13:f67a6c6013ca 1268 /* convert */
wolfSSL 13:f67a6c6013ca 1269 if (mp_to_unsigned_bin(&tmp, out) != MP_OKAY)
wolfSSL 13:f67a6c6013ca 1270 ERROR_OUT(MP_TO_E);
wolfSSL 13:f67a6c6013ca 1271
wolfSSL 13:f67a6c6013ca 1272 done:
wolfSSL 13:f67a6c6013ca 1273 mp_clear(&tmp);
wolfSSL 13:f67a6c6013ca 1274 #ifdef WC_RSA_BLINDING
wolfSSL 13:f67a6c6013ca 1275 if (type == RSA_PRIVATE_DECRYPT || type == RSA_PRIVATE_ENCRYPT) {
wolfSSL 13:f67a6c6013ca 1276 mp_clear(&rndi);
wolfSSL 13:f67a6c6013ca 1277 mp_clear(&rnd);
wolfSSL 13:f67a6c6013ca 1278 }
wolfSSL 13:f67a6c6013ca 1279 #endif
wolfSSL 13:f67a6c6013ca 1280 return ret;
wolfSSL 13:f67a6c6013ca 1281 }
wolfSSL 13:f67a6c6013ca 1282
wolfSSL 13:f67a6c6013ca 1283 #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_RSA)
wolfSSL 13:f67a6c6013ca 1284 static int wc_RsaFunctionAsync(const byte* in, word32 inLen, byte* out,
wolfSSL 13:f67a6c6013ca 1285 word32* outLen, int type, RsaKey* key, WC_RNG* rng)
wolfSSL 13:f67a6c6013ca 1286 {
wolfSSL 13:f67a6c6013ca 1287 int ret = 0;
wolfSSL 13:f67a6c6013ca 1288
wolfSSL 13:f67a6c6013ca 1289 (void)rng;
wolfSSL 13:f67a6c6013ca 1290
wolfSSL 13:f67a6c6013ca 1291 #ifdef WOLFSSL_ASYNC_CRYPT_TEST
wolfSSL 13:f67a6c6013ca 1292 WC_ASYNC_TEST* testDev = &key->asyncDev.test;
wolfSSL 13:f67a6c6013ca 1293 if (testDev->type == ASYNC_TEST_NONE) {
wolfSSL 13:f67a6c6013ca 1294 testDev->type = ASYNC_TEST_RSA_FUNC;
wolfSSL 13:f67a6c6013ca 1295 testDev->rsaFunc.in = in;
wolfSSL 13:f67a6c6013ca 1296 testDev->rsaFunc.inSz = inLen;
wolfSSL 13:f67a6c6013ca 1297 testDev->rsaFunc.out = out;
wolfSSL 13:f67a6c6013ca 1298 testDev->rsaFunc.outSz = outLen;
wolfSSL 13:f67a6c6013ca 1299 testDev->rsaFunc.type = type;
wolfSSL 13:f67a6c6013ca 1300 testDev->rsaFunc.key = key;
wolfSSL 13:f67a6c6013ca 1301 testDev->rsaFunc.rng = rng;
wolfSSL 13:f67a6c6013ca 1302 return WC_PENDING_E;
wolfSSL 13:f67a6c6013ca 1303 }
wolfSSL 13:f67a6c6013ca 1304 #endif /* WOLFSSL_ASYNC_CRYPT_TEST */
wolfSSL 13:f67a6c6013ca 1305
wolfSSL 13:f67a6c6013ca 1306 switch(type) {
wolfSSL 13:f67a6c6013ca 1307 case RSA_PRIVATE_DECRYPT:
wolfSSL 13:f67a6c6013ca 1308 case RSA_PRIVATE_ENCRYPT:
wolfSSL 13:f67a6c6013ca 1309 #ifdef HAVE_CAVIUM
wolfSSL 13:f67a6c6013ca 1310 ret = NitroxRsaExptMod(in, inLen,
wolfSSL 13:f67a6c6013ca 1311 key->d.raw.buf, key->d.raw.len,
wolfSSL 13:f67a6c6013ca 1312 key->n.raw.buf, key->n.raw.len,
wolfSSL 13:f67a6c6013ca 1313 out, outLen, key);
wolfSSL 13:f67a6c6013ca 1314 #elif defined(HAVE_INTEL_QA)
wolfSSL 13:f67a6c6013ca 1315 #ifdef RSA_LOW_MEM
wolfSSL 13:f67a6c6013ca 1316 ret = IntelQaRsaPrivate(&key->asyncDev, in, inLen,
wolfSSL 13:f67a6c6013ca 1317 &key->d.raw, &key->n.raw,
wolfSSL 13:f67a6c6013ca 1318 out, outLen);
wolfSSL 13:f67a6c6013ca 1319 #else
wolfSSL 13:f67a6c6013ca 1320 ret = IntelQaRsaCrtPrivate(&key->asyncDev, in, inLen,
wolfSSL 13:f67a6c6013ca 1321 &key->p.raw, &key->q.raw,
wolfSSL 13:f67a6c6013ca 1322 &key->dP.raw, &key->dQ.raw,
wolfSSL 13:f67a6c6013ca 1323 &key->u.raw,
wolfSSL 13:f67a6c6013ca 1324 out, outLen);
wolfSSL 13:f67a6c6013ca 1325 #endif
wolfSSL 13:f67a6c6013ca 1326 #else /* WOLFSSL_ASYNC_CRYPT_TEST */
wolfSSL 13:f67a6c6013ca 1327 ret = wc_RsaFunctionSync(in, inLen, out, outLen, type, key, rng);
wolfSSL 13:f67a6c6013ca 1328 #endif
wolfSSL 13:f67a6c6013ca 1329 break;
wolfSSL 13:f67a6c6013ca 1330
wolfSSL 13:f67a6c6013ca 1331 case RSA_PUBLIC_ENCRYPT:
wolfSSL 13:f67a6c6013ca 1332 case RSA_PUBLIC_DECRYPT:
wolfSSL 13:f67a6c6013ca 1333 #ifdef HAVE_CAVIUM
wolfSSL 13:f67a6c6013ca 1334 ret = NitroxRsaExptMod(in, inLen,
wolfSSL 13:f67a6c6013ca 1335 key->e.raw.buf, key->e.raw.len,
wolfSSL 13:f67a6c6013ca 1336 key->n.raw.buf, key->n.raw.len,
wolfSSL 13:f67a6c6013ca 1337 out, outLen, key);
wolfSSL 13:f67a6c6013ca 1338 #elif defined(HAVE_INTEL_QA)
wolfSSL 13:f67a6c6013ca 1339 ret = IntelQaRsaPublic(&key->asyncDev, in, inLen,
wolfSSL 13:f67a6c6013ca 1340 &key->e.raw, &key->n.raw,
wolfSSL 13:f67a6c6013ca 1341 out, outLen);
wolfSSL 13:f67a6c6013ca 1342 #else /* WOLFSSL_ASYNC_CRYPT_TEST */
wolfSSL 13:f67a6c6013ca 1343 ret = wc_RsaFunctionSync(in, inLen, out, outLen, type, key, rng);
wolfSSL 13:f67a6c6013ca 1344 #endif
wolfSSL 13:f67a6c6013ca 1345 break;
wolfSSL 13:f67a6c6013ca 1346
wolfSSL 13:f67a6c6013ca 1347 default:
wolfSSL 13:f67a6c6013ca 1348 ret = RSA_WRONG_TYPE_E;
wolfSSL 13:f67a6c6013ca 1349 }
wolfSSL 13:f67a6c6013ca 1350
wolfSSL 13:f67a6c6013ca 1351 return ret;
wolfSSL 13:f67a6c6013ca 1352 }
wolfSSL 13:f67a6c6013ca 1353 #endif /* WOLFSSL_ASYNC_CRYPT && WC_ASYNC_ENABLE_RSA */
wolfSSL 13:f67a6c6013ca 1354
wolfSSL 13:f67a6c6013ca 1355 int wc_RsaFunction(const byte* in, word32 inLen, byte* out,
wolfSSL 13:f67a6c6013ca 1356 word32* outLen, int type, RsaKey* key, WC_RNG* rng)
wolfSSL 13:f67a6c6013ca 1357 {
wolfSSL 13:f67a6c6013ca 1358 int ret;
wolfSSL 13:f67a6c6013ca 1359
wolfSSL 13:f67a6c6013ca 1360 if (key == NULL || in == NULL || inLen == 0 || out == NULL ||
wolfSSL 13:f67a6c6013ca 1361 outLen == NULL || *outLen == 0 || type == RSA_TYPE_UNKNOWN) {
wolfSSL 13:f67a6c6013ca 1362 return BAD_FUNC_ARG;
wolfSSL 13:f67a6c6013ca 1363 }
wolfSSL 13:f67a6c6013ca 1364
wolfSSL 13:f67a6c6013ca 1365 #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_RSA)
wolfSSL 13:f67a6c6013ca 1366 if (key->asyncDev.marker == WOLFSSL_ASYNC_MARKER_RSA &&
wolfSSL 13:f67a6c6013ca 1367 key->n.raw.len > 0) {
wolfSSL 13:f67a6c6013ca 1368 ret = wc_RsaFunctionAsync(in, inLen, out, outLen, type, key, rng);
wolfSSL 13:f67a6c6013ca 1369 }
wolfSSL 13:f67a6c6013ca 1370 else
wolfSSL 13:f67a6c6013ca 1371 #endif
wolfSSL 13:f67a6c6013ca 1372 {
wolfSSL 13:f67a6c6013ca 1373 ret = wc_RsaFunctionSync(in, inLen, out, outLen, type, key, rng);
wolfSSL 13:f67a6c6013ca 1374 }
wolfSSL 13:f67a6c6013ca 1375
wolfSSL 13:f67a6c6013ca 1376 /* handle error */
wolfSSL 13:f67a6c6013ca 1377 if (ret < 0 && ret != WC_PENDING_E) {
wolfSSL 13:f67a6c6013ca 1378 if (ret == MP_EXPTMOD_E) {
wolfSSL 13:f67a6c6013ca 1379 /* This can happen due to incorrectly set FP_MAX_BITS or missing XREALLOC */
wolfSSL 13:f67a6c6013ca 1380 WOLFSSL_MSG("RSA_FUNCTION MP_EXPTMOD_E: memory/config problem");
wolfSSL 13:f67a6c6013ca 1381 }
wolfSSL 13:f67a6c6013ca 1382
wolfSSL 13:f67a6c6013ca 1383 key->state = RSA_STATE_NONE;
wolfSSL 13:f67a6c6013ca 1384 wc_RsaCleanup(key);
wolfSSL 13:f67a6c6013ca 1385 }
wolfSSL 13:f67a6c6013ca 1386
wolfSSL 13:f67a6c6013ca 1387 return ret;
wolfSSL 13:f67a6c6013ca 1388 }
wolfSSL 13:f67a6c6013ca 1389
wolfSSL 13:f67a6c6013ca 1390
wolfSSL 13:f67a6c6013ca 1391 /* Internal Wrappers */
wolfSSL 13:f67a6c6013ca 1392 /* Gives the option of choosing padding type
wolfSSL 13:f67a6c6013ca 1393 in : input to be encrypted
wolfSSL 13:f67a6c6013ca 1394 inLen: length of input buffer
wolfSSL 13:f67a6c6013ca 1395 out: encrypted output
wolfSSL 13:f67a6c6013ca 1396 outLen: length of encrypted output buffer
wolfSSL 13:f67a6c6013ca 1397 key : wolfSSL initialized RSA key struct
wolfSSL 13:f67a6c6013ca 1398 rng : wolfSSL initialized random number struct
wolfSSL 13:f67a6c6013ca 1399 rsa_type : type of RSA: RSA_PUBLIC_ENCRYPT, RSA_PUBLIC_DECRYPT,
wolfSSL 13:f67a6c6013ca 1400 RSA_PRIVATE_ENCRYPT or RSA_PRIVATE_DECRYPT
wolfSSL 13:f67a6c6013ca 1401 pad_value: RSA_BLOCK_TYPE_1 or RSA_BLOCK_TYPE_2
wolfSSL 13:f67a6c6013ca 1402 pad_type : type of padding: WC_RSA_PKCSV15_PAD, WC_RSA_OAEP_PAD or
wolfSSL 13:f67a6c6013ca 1403 WC_RSA_PSS_PAD
wolfSSL 13:f67a6c6013ca 1404 hash : type of hash algorithm to use found in wolfssl/wolfcrypt/hash.h
wolfSSL 13:f67a6c6013ca 1405 mgf : type of mask generation function to use
wolfSSL 13:f67a6c6013ca 1406 label : optional label
wolfSSL 13:f67a6c6013ca 1407 labelSz : size of optional label buffer */
wolfSSL 13:f67a6c6013ca 1408 static int RsaPublicEncryptEx(const byte* in, word32 inLen, byte* out,
wolfSSL 13:f67a6c6013ca 1409 word32 outLen, RsaKey* key, int rsa_type,
wolfSSL 13:f67a6c6013ca 1410 byte pad_value, int pad_type,
wolfSSL 13:f67a6c6013ca 1411 enum wc_HashType hash, int mgf,
wolfSSL 13:f67a6c6013ca 1412 byte* label, word32 labelSz, WC_RNG* rng)
wolfSSL 13:f67a6c6013ca 1413 {
wolfSSL 13:f67a6c6013ca 1414 int ret, sz;
wolfSSL 13:f67a6c6013ca 1415
wolfSSL 13:f67a6c6013ca 1416 if (in == NULL || inLen == 0 || out == NULL || key == NULL) {
wolfSSL 13:f67a6c6013ca 1417 return BAD_FUNC_ARG;
wolfSSL 13:f67a6c6013ca 1418 }
wolfSSL 13:f67a6c6013ca 1419
wolfSSL 13:f67a6c6013ca 1420 sz = wc_RsaEncryptSize(key);
wolfSSL 13:f67a6c6013ca 1421 if (sz > (int)outLen) {
wolfSSL 13:f67a6c6013ca 1422 return RSA_BUFFER_E;
wolfSSL 13:f67a6c6013ca 1423 }
wolfSSL 13:f67a6c6013ca 1424
wolfSSL 13:f67a6c6013ca 1425 if (sz < RSA_MIN_PAD_SZ) {
wolfSSL 13:f67a6c6013ca 1426 return WC_KEY_SIZE_E;
wolfSSL 13:f67a6c6013ca 1427 }
wolfSSL 13:f67a6c6013ca 1428
wolfSSL 13:f67a6c6013ca 1429 if (inLen > (word32)(sz - RSA_MIN_PAD_SZ)) {
wolfSSL 13:f67a6c6013ca 1430 return RSA_BUFFER_E;
wolfSSL 13:f67a6c6013ca 1431 }
wolfSSL 13:f67a6c6013ca 1432
wolfSSL 13:f67a6c6013ca 1433 switch (key->state) {
wolfSSL 13:f67a6c6013ca 1434 case RSA_STATE_NONE:
wolfSSL 13:f67a6c6013ca 1435 case RSA_STATE_ENCRYPT_PAD:
wolfSSL 13:f67a6c6013ca 1436 key->state = RSA_STATE_ENCRYPT_PAD;
wolfSSL 13:f67a6c6013ca 1437
wolfSSL 13:f67a6c6013ca 1438 #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_RSA) && \
wolfSSL 13:f67a6c6013ca 1439 defined(HAVE_CAVIUM)
wolfSSL 13:f67a6c6013ca 1440 if (key->asyncDev.marker == WOLFSSL_ASYNC_MARKER_RSA && key->n.raw.buf) {
wolfSSL 13:f67a6c6013ca 1441 /* Async operations that include padding */
wolfSSL 13:f67a6c6013ca 1442 if (rsa_type == RSA_PUBLIC_ENCRYPT &&
wolfSSL 13:f67a6c6013ca 1443 pad_value == RSA_BLOCK_TYPE_2) {
wolfSSL 13:f67a6c6013ca 1444 key->state = RSA_STATE_ENCRYPT_RES;
wolfSSL 13:f67a6c6013ca 1445 key->dataLen = key->n.raw.len;
wolfSSL 13:f67a6c6013ca 1446 return NitroxRsaPublicEncrypt(in, inLen, out, outLen, key);
wolfSSL 13:f67a6c6013ca 1447 }
wolfSSL 13:f67a6c6013ca 1448 else if (rsa_type == RSA_PRIVATE_ENCRYPT &&
wolfSSL 13:f67a6c6013ca 1449 pad_value == RSA_BLOCK_TYPE_1) {
wolfSSL 13:f67a6c6013ca 1450 key->state = RSA_STATE_ENCRYPT_RES;
wolfSSL 13:f67a6c6013ca 1451 key->dataLen = key->n.raw.len;
wolfSSL 13:f67a6c6013ca 1452 return NitroxRsaSSL_Sign(in, inLen, out, outLen, key);
wolfSSL 13:f67a6c6013ca 1453 }
wolfSSL 13:f67a6c6013ca 1454 }
wolfSSL 13:f67a6c6013ca 1455 #endif
wolfSSL 13:f67a6c6013ca 1456
wolfSSL 13:f67a6c6013ca 1457 ret = wc_RsaPad_ex(in, inLen, out, sz, pad_value, rng, pad_type, hash,
wolfSSL 13:f67a6c6013ca 1458 mgf, label, labelSz, mp_count_bits(&key->n),
wolfSSL 13:f67a6c6013ca 1459 key->heap);
wolfSSL 13:f67a6c6013ca 1460 if (ret < 0) {
wolfSSL 13:f67a6c6013ca 1461 break;
wolfSSL 13:f67a6c6013ca 1462 }
wolfSSL 13:f67a6c6013ca 1463
wolfSSL 13:f67a6c6013ca 1464 key->state = RSA_STATE_ENCRYPT_EXPTMOD;
wolfSSL 13:f67a6c6013ca 1465
wolfSSL 13:f67a6c6013ca 1466 FALL_THROUGH;
wolfSSL 13:f67a6c6013ca 1467
wolfSSL 13:f67a6c6013ca 1468 case RSA_STATE_ENCRYPT_EXPTMOD:
wolfSSL 13:f67a6c6013ca 1469
wolfSSL 13:f67a6c6013ca 1470 key->dataLen = outLen;
wolfSSL 13:f67a6c6013ca 1471 ret = wc_RsaFunction(out, sz, out, &key->dataLen, rsa_type, key, rng);
wolfSSL 13:f67a6c6013ca 1472
wolfSSL 13:f67a6c6013ca 1473 if (ret >= 0 || ret == WC_PENDING_E) {
wolfSSL 13:f67a6c6013ca 1474 key->state = RSA_STATE_ENCRYPT_RES;
wolfSSL 13:f67a6c6013ca 1475 }
wolfSSL 13:f67a6c6013ca 1476 if (ret < 0) {
wolfSSL 13:f67a6c6013ca 1477 break;
wolfSSL 13:f67a6c6013ca 1478 }
wolfSSL 13:f67a6c6013ca 1479
wolfSSL 13:f67a6c6013ca 1480 FALL_THROUGH;
wolfSSL 13:f67a6c6013ca 1481
wolfSSL 13:f67a6c6013ca 1482 case RSA_STATE_ENCRYPT_RES:
wolfSSL 13:f67a6c6013ca 1483 ret = key->dataLen;
wolfSSL 13:f67a6c6013ca 1484 break;
wolfSSL 13:f67a6c6013ca 1485
wolfSSL 13:f67a6c6013ca 1486 default:
wolfSSL 13:f67a6c6013ca 1487 ret = BAD_STATE_E;
wolfSSL 13:f67a6c6013ca 1488 break;
wolfSSL 13:f67a6c6013ca 1489 }
wolfSSL 13:f67a6c6013ca 1490
wolfSSL 13:f67a6c6013ca 1491 /* if async pending then return and skip done cleanup below */
wolfSSL 13:f67a6c6013ca 1492 if (ret == WC_PENDING_E) {
wolfSSL 13:f67a6c6013ca 1493 return ret;
wolfSSL 13:f67a6c6013ca 1494 }
wolfSSL 13:f67a6c6013ca 1495
wolfSSL 13:f67a6c6013ca 1496 key->state = RSA_STATE_NONE;
wolfSSL 13:f67a6c6013ca 1497 wc_RsaCleanup(key);
wolfSSL 13:f67a6c6013ca 1498
wolfSSL 13:f67a6c6013ca 1499 return ret;
wolfSSL 13:f67a6c6013ca 1500 }
wolfSSL 13:f67a6c6013ca 1501
wolfSSL 13:f67a6c6013ca 1502 /* Gives the option of choosing padding type
wolfSSL 13:f67a6c6013ca 1503 in : input to be decrypted
wolfSSL 13:f67a6c6013ca 1504 inLen: length of input buffer
wolfSSL 13:f67a6c6013ca 1505 out: decrypted message
wolfSSL 13:f67a6c6013ca 1506 outLen: length of decrypted message in bytes
wolfSSL 13:f67a6c6013ca 1507 outPtr: optional inline output pointer (if provided doing inline)
wolfSSL 13:f67a6c6013ca 1508 key : wolfSSL initialized RSA key struct
wolfSSL 13:f67a6c6013ca 1509 rsa_type : type of RSA: RSA_PUBLIC_ENCRYPT, RSA_PUBLIC_DECRYPT,
wolfSSL 13:f67a6c6013ca 1510 RSA_PRIVATE_ENCRYPT or RSA_PRIVATE_DECRYPT
wolfSSL 13:f67a6c6013ca 1511 pad_value: RSA_BLOCK_TYPE_1 or RSA_BLOCK_TYPE_2
wolfSSL 13:f67a6c6013ca 1512 pad_type : type of padding: WC_RSA_PKCSV15_PAD, WC_RSA_OAEP_PAD
wolfSSL 13:f67a6c6013ca 1513 WC_RSA_PSS_PAD
wolfSSL 13:f67a6c6013ca 1514 hash : type of hash algorithm to use found in wolfssl/wolfcrypt/hash.h
wolfSSL 13:f67a6c6013ca 1515 mgf : type of mask generation function to use
wolfSSL 13:f67a6c6013ca 1516 label : optional label
wolfSSL 13:f67a6c6013ca 1517 labelSz : size of optional label buffer */
wolfSSL 13:f67a6c6013ca 1518 static int RsaPrivateDecryptEx(byte* in, word32 inLen, byte* out,
wolfSSL 13:f67a6c6013ca 1519 word32 outLen, byte** outPtr, RsaKey* key,
wolfSSL 13:f67a6c6013ca 1520 int rsa_type, byte pad_value, int pad_type,
wolfSSL 13:f67a6c6013ca 1521 enum wc_HashType hash, int mgf,
wolfSSL 13:f67a6c6013ca 1522 byte* label, word32 labelSz, WC_RNG* rng)
wolfSSL 13:f67a6c6013ca 1523 {
wolfSSL 13:f67a6c6013ca 1524 int ret = RSA_WRONG_TYPE_E;
wolfSSL 13:f67a6c6013ca 1525
wolfSSL 13:f67a6c6013ca 1526 if (in == NULL || inLen == 0 || out == NULL || key == NULL) {
wolfSSL 13:f67a6c6013ca 1527 return BAD_FUNC_ARG;
wolfSSL 13:f67a6c6013ca 1528 }
wolfSSL 13:f67a6c6013ca 1529
wolfSSL 13:f67a6c6013ca 1530 switch (key->state) {
wolfSSL 13:f67a6c6013ca 1531 case RSA_STATE_NONE:
wolfSSL 13:f67a6c6013ca 1532 case RSA_STATE_DECRYPT_EXPTMOD:
wolfSSL 13:f67a6c6013ca 1533 key->state = RSA_STATE_DECRYPT_EXPTMOD;
wolfSSL 13:f67a6c6013ca 1534 key->dataLen = inLen;
wolfSSL 13:f67a6c6013ca 1535
wolfSSL 13:f67a6c6013ca 1536 #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_RSA) && \
wolfSSL 13:f67a6c6013ca 1537 defined(HAVE_CAVIUM)
wolfSSL 13:f67a6c6013ca 1538 /* Async operations that include padding */
wolfSSL 13:f67a6c6013ca 1539 if (key->asyncDev.marker == WOLFSSL_ASYNC_MARKER_RSA) {
wolfSSL 13:f67a6c6013ca 1540 if (rsa_type == RSA_PRIVATE_DECRYPT &&
wolfSSL 13:f67a6c6013ca 1541 pad_value == RSA_BLOCK_TYPE_2) {
wolfSSL 13:f67a6c6013ca 1542 key->state = RSA_STATE_DECRYPT_RES;
wolfSSL 13:f67a6c6013ca 1543 key->data = NULL;
wolfSSL 13:f67a6c6013ca 1544 if (outPtr)
wolfSSL 13:f67a6c6013ca 1545 *outPtr = in;
wolfSSL 13:f67a6c6013ca 1546 return NitroxRsaPrivateDecrypt(in, inLen, out, &key->dataLen, key);
wolfSSL 13:f67a6c6013ca 1547 }
wolfSSL 13:f67a6c6013ca 1548 else if (rsa_type == RSA_PUBLIC_DECRYPT &&
wolfSSL 13:f67a6c6013ca 1549 pad_value == RSA_BLOCK_TYPE_1) {
wolfSSL 13:f67a6c6013ca 1550 key->state = RSA_STATE_DECRYPT_RES;
wolfSSL 13:f67a6c6013ca 1551 key->data = NULL;
wolfSSL 13:f67a6c6013ca 1552 return NitroxRsaSSL_Verify(in, inLen, out, &key->dataLen, key);
wolfSSL 13:f67a6c6013ca 1553 }
wolfSSL 13:f67a6c6013ca 1554 }
wolfSSL 13:f67a6c6013ca 1555 #endif
wolfSSL 13:f67a6c6013ca 1556
wolfSSL 13:f67a6c6013ca 1557 /* verify the tmp ptr is NULL, otherwise indicates bad state */
wolfSSL 13:f67a6c6013ca 1558 if (key->data != NULL) {
wolfSSL 13:f67a6c6013ca 1559 ret = BAD_STATE_E;
wolfSSL 13:f67a6c6013ca 1560 break;
wolfSSL 13:f67a6c6013ca 1561 }
wolfSSL 13:f67a6c6013ca 1562
wolfSSL 13:f67a6c6013ca 1563 /* if not doing this inline then allocate a buffer for it */
wolfSSL 13:f67a6c6013ca 1564 if (outPtr == NULL) {
wolfSSL 13:f67a6c6013ca 1565 key->data = (byte*)XMALLOC(inLen, key->heap, DYNAMIC_TYPE_WOLF_BIGINT);
wolfSSL 13:f67a6c6013ca 1566 key->dataIsAlloc = 1;
wolfSSL 13:f67a6c6013ca 1567 if (key->data == NULL) {
wolfSSL 13:f67a6c6013ca 1568 ret = MEMORY_E;
wolfSSL 13:f67a6c6013ca 1569 break;
wolfSSL 13:f67a6c6013ca 1570 }
wolfSSL 13:f67a6c6013ca 1571 XMEMCPY(key->data, in, inLen);
wolfSSL 13:f67a6c6013ca 1572 }
wolfSSL 13:f67a6c6013ca 1573 else {
wolfSSL 13:f67a6c6013ca 1574 key->data = out;
wolfSSL 13:f67a6c6013ca 1575 }
wolfSSL 13:f67a6c6013ca 1576 ret = wc_RsaFunction(key->data, inLen, key->data, &key->dataLen, rsa_type,
wolfSSL 13:f67a6c6013ca 1577 key, rng);
wolfSSL 13:f67a6c6013ca 1578
wolfSSL 13:f67a6c6013ca 1579 if (ret >= 0 || ret == WC_PENDING_E) {
wolfSSL 13:f67a6c6013ca 1580 key->state = RSA_STATE_DECRYPT_UNPAD;
wolfSSL 13:f67a6c6013ca 1581 }
wolfSSL 13:f67a6c6013ca 1582 if (ret < 0) {
wolfSSL 13:f67a6c6013ca 1583 break;
wolfSSL 13:f67a6c6013ca 1584 }
wolfSSL 13:f67a6c6013ca 1585
wolfSSL 13:f67a6c6013ca 1586 FALL_THROUGH;
wolfSSL 13:f67a6c6013ca 1587
wolfSSL 13:f67a6c6013ca 1588 case RSA_STATE_DECRYPT_UNPAD:
wolfSSL 13:f67a6c6013ca 1589 {
wolfSSL 13:f67a6c6013ca 1590 byte* pad = NULL;
wolfSSL 13:f67a6c6013ca 1591 ret = wc_RsaUnPad_ex(key->data, key->dataLen, &pad, pad_value, pad_type,
wolfSSL 13:f67a6c6013ca 1592 hash, mgf, label, labelSz, mp_count_bits(&key->n),
wolfSSL 13:f67a6c6013ca 1593 key->heap);
wolfSSL 13:f67a6c6013ca 1594 if (ret > 0 && ret <= (int)outLen && pad != NULL) {
wolfSSL 13:f67a6c6013ca 1595 /* only copy output if not inline */
wolfSSL 13:f67a6c6013ca 1596 if (outPtr == NULL) {
wolfSSL 13:f67a6c6013ca 1597 XMEMCPY(out, pad, ret);
wolfSSL 13:f67a6c6013ca 1598 }
wolfSSL 13:f67a6c6013ca 1599 else {
wolfSSL 13:f67a6c6013ca 1600 *outPtr = pad;
wolfSSL 13:f67a6c6013ca 1601 }
wolfSSL 13:f67a6c6013ca 1602 }
wolfSSL 13:f67a6c6013ca 1603 else if (ret >= 0) {
wolfSSL 13:f67a6c6013ca 1604 ret = RSA_BUFFER_E;
wolfSSL 13:f67a6c6013ca 1605 }
wolfSSL 13:f67a6c6013ca 1606 if (ret < 0) {
wolfSSL 13:f67a6c6013ca 1607 break;
wolfSSL 13:f67a6c6013ca 1608 }
wolfSSL 13:f67a6c6013ca 1609
wolfSSL 13:f67a6c6013ca 1610 key->state = RSA_STATE_DECRYPT_RES;
wolfSSL 13:f67a6c6013ca 1611
wolfSSL 13:f67a6c6013ca 1612 FALL_THROUGH;
wolfSSL 13:f67a6c6013ca 1613 }
wolfSSL 13:f67a6c6013ca 1614 case RSA_STATE_DECRYPT_RES:
wolfSSL 13:f67a6c6013ca 1615 #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_RSA) && \
wolfSSL 13:f67a6c6013ca 1616 defined(HAVE_CAVIUM)
wolfSSL 13:f67a6c6013ca 1617 if (key->asyncDev.marker == WOLFSSL_ASYNC_MARKER_RSA) {
wolfSSL 13:f67a6c6013ca 1618 /* return event ret */
wolfSSL 13:f67a6c6013ca 1619 ret = key->asyncDev.event.ret;
wolfSSL 13:f67a6c6013ca 1620 if (ret == 0) {
wolfSSL 13:f67a6c6013ca 1621 /* convert result */
wolfSSL 13:f67a6c6013ca 1622 byte* dataLen = (byte*)&key->dataLen;
wolfSSL 13:f67a6c6013ca 1623 ret = (dataLen[0] << 8) | (dataLen[1]);
wolfSSL 13:f67a6c6013ca 1624 }
wolfSSL 13:f67a6c6013ca 1625 }
wolfSSL 13:f67a6c6013ca 1626 #endif
wolfSSL 13:f67a6c6013ca 1627 break;
wolfSSL 13:f67a6c6013ca 1628
wolfSSL 13:f67a6c6013ca 1629 default:
wolfSSL 13:f67a6c6013ca 1630 ret = BAD_STATE_E;
wolfSSL 13:f67a6c6013ca 1631 break;
wolfSSL 13:f67a6c6013ca 1632 }
wolfSSL 13:f67a6c6013ca 1633
wolfSSL 13:f67a6c6013ca 1634 /* if async pending then return and skip done cleanup below */
wolfSSL 13:f67a6c6013ca 1635 if (ret == WC_PENDING_E) {
wolfSSL 13:f67a6c6013ca 1636 return ret;
wolfSSL 13:f67a6c6013ca 1637 }
wolfSSL 13:f67a6c6013ca 1638
wolfSSL 13:f67a6c6013ca 1639 key->state = RSA_STATE_NONE;
wolfSSL 13:f67a6c6013ca 1640 wc_RsaCleanup(key);
wolfSSL 13:f67a6c6013ca 1641
wolfSSL 13:f67a6c6013ca 1642 return ret;
wolfSSL 13:f67a6c6013ca 1643 }
wolfSSL 13:f67a6c6013ca 1644
wolfSSL 13:f67a6c6013ca 1645
wolfSSL 13:f67a6c6013ca 1646 /* Public RSA Functions */
wolfSSL 13:f67a6c6013ca 1647 int wc_RsaPublicEncrypt(const byte* in, word32 inLen, byte* out, word32 outLen,
wolfSSL 13:f67a6c6013ca 1648 RsaKey* key, WC_RNG* rng)
wolfSSL 13:f67a6c6013ca 1649 {
wolfSSL 13:f67a6c6013ca 1650 return RsaPublicEncryptEx(in, inLen, out, outLen, key,
wolfSSL 13:f67a6c6013ca 1651 RSA_PUBLIC_ENCRYPT, RSA_BLOCK_TYPE_2, WC_RSA_PKCSV15_PAD,
wolfSSL 13:f67a6c6013ca 1652 WC_HASH_TYPE_NONE, WC_MGF1NONE, NULL, 0, rng);
wolfSSL 13:f67a6c6013ca 1653 }
wolfSSL 13:f67a6c6013ca 1654
wolfSSL 13:f67a6c6013ca 1655
wolfSSL 13:f67a6c6013ca 1656 #ifndef WC_NO_RSA_OAEP
wolfSSL 13:f67a6c6013ca 1657 int wc_RsaPublicEncrypt_ex(const byte* in, word32 inLen, byte* out,
wolfSSL 13:f67a6c6013ca 1658 word32 outLen, RsaKey* key, WC_RNG* rng, int type,
wolfSSL 13:f67a6c6013ca 1659 enum wc_HashType hash, int mgf, byte* label,
wolfSSL 13:f67a6c6013ca 1660 word32 labelSz)
wolfSSL 13:f67a6c6013ca 1661 {
wolfSSL 13:f67a6c6013ca 1662 return RsaPublicEncryptEx(in, inLen, out, outLen, key, RSA_PUBLIC_ENCRYPT,
wolfSSL 13:f67a6c6013ca 1663 RSA_BLOCK_TYPE_2, type, hash, mgf, label, labelSz, rng);
wolfSSL 13:f67a6c6013ca 1664 }
wolfSSL 13:f67a6c6013ca 1665 #endif /* WC_NO_RSA_OAEP */
wolfSSL 13:f67a6c6013ca 1666
wolfSSL 13:f67a6c6013ca 1667
wolfSSL 13:f67a6c6013ca 1668 int wc_RsaPrivateDecryptInline(byte* in, word32 inLen, byte** out, RsaKey* key)
wolfSSL 13:f67a6c6013ca 1669 {
wolfSSL 13:f67a6c6013ca 1670 WC_RNG* rng = NULL;
wolfSSL 13:f67a6c6013ca 1671 #ifdef WC_RSA_BLINDING
wolfSSL 13:f67a6c6013ca 1672 rng = key->rng;
wolfSSL 13:f67a6c6013ca 1673 #endif
wolfSSL 13:f67a6c6013ca 1674 return RsaPrivateDecryptEx(in, inLen, in, inLen, out, key,
wolfSSL 13:f67a6c6013ca 1675 RSA_PRIVATE_DECRYPT, RSA_BLOCK_TYPE_2, WC_RSA_PKCSV15_PAD,
wolfSSL 13:f67a6c6013ca 1676 WC_HASH_TYPE_NONE, WC_MGF1NONE, NULL, 0, rng);
wolfSSL 13:f67a6c6013ca 1677 }
wolfSSL 13:f67a6c6013ca 1678
wolfSSL 13:f67a6c6013ca 1679
wolfSSL 13:f67a6c6013ca 1680 #ifndef WC_NO_RSA_OAEP
wolfSSL 13:f67a6c6013ca 1681 int wc_RsaPrivateDecryptInline_ex(byte* in, word32 inLen, byte** out,
wolfSSL 13:f67a6c6013ca 1682 RsaKey* key, int type, enum wc_HashType hash,
wolfSSL 13:f67a6c6013ca 1683 int mgf, byte* label, word32 labelSz)
wolfSSL 13:f67a6c6013ca 1684 {
wolfSSL 13:f67a6c6013ca 1685 WC_RNG* rng = NULL;
wolfSSL 13:f67a6c6013ca 1686 #ifdef WC_RSA_BLINDING
wolfSSL 13:f67a6c6013ca 1687 rng = key->rng;
wolfSSL 13:f67a6c6013ca 1688 #endif
wolfSSL 13:f67a6c6013ca 1689 return RsaPrivateDecryptEx(in, inLen, in, inLen, out, key,
wolfSSL 13:f67a6c6013ca 1690 RSA_PRIVATE_DECRYPT, RSA_BLOCK_TYPE_2, type, hash,
wolfSSL 13:f67a6c6013ca 1691 mgf, label, labelSz, rng);
wolfSSL 13:f67a6c6013ca 1692 }
wolfSSL 13:f67a6c6013ca 1693 #endif /* WC_NO_RSA_OAEP */
wolfSSL 13:f67a6c6013ca 1694
wolfSSL 13:f67a6c6013ca 1695
wolfSSL 13:f67a6c6013ca 1696 int wc_RsaPrivateDecrypt(const byte* in, word32 inLen, byte* out,
wolfSSL 13:f67a6c6013ca 1697 word32 outLen, RsaKey* key)
wolfSSL 13:f67a6c6013ca 1698 {
wolfSSL 13:f67a6c6013ca 1699 WC_RNG* rng = NULL;
wolfSSL 13:f67a6c6013ca 1700 #ifdef WC_RSA_BLINDING
wolfSSL 13:f67a6c6013ca 1701 rng = key->rng;
wolfSSL 13:f67a6c6013ca 1702 #endif
wolfSSL 13:f67a6c6013ca 1703 return RsaPrivateDecryptEx((byte*)in, inLen, out, outLen, NULL, key,
wolfSSL 13:f67a6c6013ca 1704 RSA_PRIVATE_DECRYPT, RSA_BLOCK_TYPE_2, WC_RSA_PKCSV15_PAD,
wolfSSL 13:f67a6c6013ca 1705 WC_HASH_TYPE_NONE, WC_MGF1NONE, NULL, 0, rng);
wolfSSL 13:f67a6c6013ca 1706 }
wolfSSL 13:f67a6c6013ca 1707
wolfSSL 13:f67a6c6013ca 1708 #ifndef WC_NO_RSA_OAEP
wolfSSL 13:f67a6c6013ca 1709 int wc_RsaPrivateDecrypt_ex(const byte* in, word32 inLen, byte* out,
wolfSSL 13:f67a6c6013ca 1710 word32 outLen, RsaKey* key, int type,
wolfSSL 13:f67a6c6013ca 1711 enum wc_HashType hash, int mgf, byte* label,
wolfSSL 13:f67a6c6013ca 1712 word32 labelSz)
wolfSSL 13:f67a6c6013ca 1713 {
wolfSSL 13:f67a6c6013ca 1714 WC_RNG* rng = NULL;
wolfSSL 13:f67a6c6013ca 1715 #ifdef WC_RSA_BLINDING
wolfSSL 13:f67a6c6013ca 1716 rng = key->rng;
wolfSSL 13:f67a6c6013ca 1717 #endif
wolfSSL 13:f67a6c6013ca 1718 return RsaPrivateDecryptEx((byte*)in, inLen, out, outLen, NULL, key,
wolfSSL 13:f67a6c6013ca 1719 RSA_PRIVATE_DECRYPT, RSA_BLOCK_TYPE_2, type, hash, mgf, label,
wolfSSL 13:f67a6c6013ca 1720 labelSz, rng);
wolfSSL 13:f67a6c6013ca 1721 }
wolfSSL 13:f67a6c6013ca 1722 #endif /* WC_NO_RSA_OAEP */
wolfSSL 13:f67a6c6013ca 1723
wolfSSL 13:f67a6c6013ca 1724
wolfSSL 13:f67a6c6013ca 1725 int wc_RsaSSL_VerifyInline(byte* in, word32 inLen, byte** out, RsaKey* key)
wolfSSL 13:f67a6c6013ca 1726 {
wolfSSL 13:f67a6c6013ca 1727 WC_RNG* rng = NULL;
wolfSSL 13:f67a6c6013ca 1728 #ifdef WC_RSA_BLINDING
wolfSSL 13:f67a6c6013ca 1729 rng = key->rng;
wolfSSL 13:f67a6c6013ca 1730 #endif
wolfSSL 13:f67a6c6013ca 1731 return RsaPrivateDecryptEx(in, inLen, in, inLen, out, key,
wolfSSL 13:f67a6c6013ca 1732 RSA_PUBLIC_DECRYPT, RSA_BLOCK_TYPE_1, WC_RSA_PKCSV15_PAD,
wolfSSL 13:f67a6c6013ca 1733 WC_HASH_TYPE_NONE, WC_MGF1NONE, NULL, 0, rng);
wolfSSL 13:f67a6c6013ca 1734 }
wolfSSL 13:f67a6c6013ca 1735
wolfSSL 13:f67a6c6013ca 1736 int wc_RsaSSL_Verify(const byte* in, word32 inLen, byte* out, word32 outLen,
wolfSSL 13:f67a6c6013ca 1737 RsaKey* key)
wolfSSL 13:f67a6c6013ca 1738 {
wolfSSL 13:f67a6c6013ca 1739 WC_RNG* rng;
wolfSSL 13:f67a6c6013ca 1740
wolfSSL 13:f67a6c6013ca 1741 if (key == NULL) {
wolfSSL 13:f67a6c6013ca 1742 return BAD_FUNC_ARG;
wolfSSL 13:f67a6c6013ca 1743 }
wolfSSL 13:f67a6c6013ca 1744
wolfSSL 13:f67a6c6013ca 1745 rng = NULL;
wolfSSL 13:f67a6c6013ca 1746 #ifdef WC_RSA_BLINDING
wolfSSL 13:f67a6c6013ca 1747 rng = key->rng;
wolfSSL 13:f67a6c6013ca 1748 #endif
wolfSSL 13:f67a6c6013ca 1749 return RsaPrivateDecryptEx((byte*)in, inLen, out, outLen, NULL, key,
wolfSSL 13:f67a6c6013ca 1750 RSA_PUBLIC_DECRYPT, RSA_BLOCK_TYPE_1, WC_RSA_PKCSV15_PAD,
wolfSSL 13:f67a6c6013ca 1751 WC_HASH_TYPE_NONE, WC_MGF1NONE, NULL, 0, rng);
wolfSSL 13:f67a6c6013ca 1752 }
wolfSSL 13:f67a6c6013ca 1753
wolfSSL 13:f67a6c6013ca 1754 #ifdef WC_RSA_PSS
wolfSSL 13:f67a6c6013ca 1755 int wc_RsaPSS_VerifyInline(byte* in, word32 inLen, byte** out,
wolfSSL 13:f67a6c6013ca 1756 enum wc_HashType hash, int mgf, RsaKey* key)
wolfSSL 13:f67a6c6013ca 1757 {
wolfSSL 13:f67a6c6013ca 1758 WC_RNG* rng = NULL;
wolfSSL 13:f67a6c6013ca 1759 #ifdef WC_RSA_BLINDING
wolfSSL 13:f67a6c6013ca 1760 rng = key->rng;
wolfSSL 13:f67a6c6013ca 1761 #endif
wolfSSL 13:f67a6c6013ca 1762 return RsaPrivateDecryptEx(in, inLen, in, inLen, out, key,
wolfSSL 13:f67a6c6013ca 1763 RSA_PUBLIC_DECRYPT, RSA_BLOCK_TYPE_1, WC_RSA_PSS_PAD,
wolfSSL 13:f67a6c6013ca 1764 hash, mgf, NULL, 0, rng);
wolfSSL 13:f67a6c6013ca 1765 }
wolfSSL 13:f67a6c6013ca 1766
wolfSSL 13:f67a6c6013ca 1767 /* Sig = 8 * 0x00 | Space for Message Hash | Salt | Exp Hash
wolfSSL 13:f67a6c6013ca 1768 * Exp Hash = HASH(8 * 0x00 | Message Hash | Salt)
wolfSSL 13:f67a6c6013ca 1769 */
wolfSSL 13:f67a6c6013ca 1770 int wc_RsaPSS_CheckPadding(const byte* in, word32 inSz, byte* sig,
wolfSSL 13:f67a6c6013ca 1771 word32 sigSz, enum wc_HashType hashType)
wolfSSL 13:f67a6c6013ca 1772 {
wolfSSL 13:f67a6c6013ca 1773 int ret;
wolfSSL 13:f67a6c6013ca 1774
wolfSSL 13:f67a6c6013ca 1775 if (in == NULL || sig == NULL ||
wolfSSL 13:f67a6c6013ca 1776 inSz != (word32)wc_HashGetDigestSize(hashType) ||
wolfSSL 13:f67a6c6013ca 1777 sigSz != RSA_PSS_PAD_SZ + inSz * 3)
wolfSSL 13:f67a6c6013ca 1778 ret = BAD_FUNC_ARG;
wolfSSL 13:f67a6c6013ca 1779 else {
wolfSSL 13:f67a6c6013ca 1780 XMEMCPY(sig + RSA_PSS_PAD_SZ, in, inSz);
wolfSSL 13:f67a6c6013ca 1781 ret = wc_Hash(hashType, sig, RSA_PSS_PAD_SZ + inSz * 2, sig, inSz);
wolfSSL 13:f67a6c6013ca 1782 if (ret != 0)
wolfSSL 13:f67a6c6013ca 1783 return ret;
wolfSSL 13:f67a6c6013ca 1784 if (XMEMCMP(sig, sig + RSA_PSS_PAD_SZ + inSz * 2, inSz) != 0)
wolfSSL 13:f67a6c6013ca 1785 ret = BAD_PADDING_E;
wolfSSL 13:f67a6c6013ca 1786 else
wolfSSL 13:f67a6c6013ca 1787 ret = 0;
wolfSSL 13:f67a6c6013ca 1788 }
wolfSSL 13:f67a6c6013ca 1789
wolfSSL 13:f67a6c6013ca 1790 return ret;
wolfSSL 13:f67a6c6013ca 1791 }
wolfSSL 13:f67a6c6013ca 1792 #endif
wolfSSL 13:f67a6c6013ca 1793
wolfSSL 13:f67a6c6013ca 1794 int wc_RsaSSL_Sign(const byte* in, word32 inLen, byte* out, word32 outLen,
wolfSSL 13:f67a6c6013ca 1795 RsaKey* key, WC_RNG* rng)
wolfSSL 13:f67a6c6013ca 1796 {
wolfSSL 13:f67a6c6013ca 1797 return RsaPublicEncryptEx(in, inLen, out, outLen, key,
wolfSSL 13:f67a6c6013ca 1798 RSA_PRIVATE_ENCRYPT, RSA_BLOCK_TYPE_1, WC_RSA_PKCSV15_PAD,
wolfSSL 13:f67a6c6013ca 1799 WC_HASH_TYPE_NONE, WC_MGF1NONE, NULL, 0, rng);
wolfSSL 13:f67a6c6013ca 1800 }
wolfSSL 13:f67a6c6013ca 1801
wolfSSL 13:f67a6c6013ca 1802 #ifdef WC_RSA_PSS
wolfSSL 13:f67a6c6013ca 1803 int wc_RsaPSS_Sign(const byte* in, word32 inLen, byte* out, word32 outLen,
wolfSSL 13:f67a6c6013ca 1804 enum wc_HashType hash, int mgf, RsaKey* key, WC_RNG* rng)
wolfSSL 13:f67a6c6013ca 1805 {
wolfSSL 13:f67a6c6013ca 1806 return RsaPublicEncryptEx(in, inLen, out, outLen, key,
wolfSSL 13:f67a6c6013ca 1807 RSA_PRIVATE_ENCRYPT, RSA_BLOCK_TYPE_1, WC_RSA_PSS_PAD,
wolfSSL 13:f67a6c6013ca 1808 hash, mgf, NULL, 0, rng);
wolfSSL 13:f67a6c6013ca 1809 }
wolfSSL 13:f67a6c6013ca 1810 #endif
wolfSSL 13:f67a6c6013ca 1811
wolfSSL 13:f67a6c6013ca 1812 int wc_RsaEncryptSize(RsaKey* key)
wolfSSL 13:f67a6c6013ca 1813 {
wolfSSL 13:f67a6c6013ca 1814 if (key == NULL) {
wolfSSL 13:f67a6c6013ca 1815 return BAD_FUNC_ARG;
wolfSSL 13:f67a6c6013ca 1816 }
wolfSSL 13:f67a6c6013ca 1817 return mp_unsigned_bin_size(&key->n);
wolfSSL 13:f67a6c6013ca 1818 }
wolfSSL 13:f67a6c6013ca 1819
wolfSSL 13:f67a6c6013ca 1820
wolfSSL 13:f67a6c6013ca 1821 /* flatten RsaKey structure into individual elements (e, n) */
wolfSSL 13:f67a6c6013ca 1822 int wc_RsaFlattenPublicKey(RsaKey* key, byte* e, word32* eSz, byte* n,
wolfSSL 13:f67a6c6013ca 1823 word32* nSz)
wolfSSL 13:f67a6c6013ca 1824 {
wolfSSL 13:f67a6c6013ca 1825 int sz, ret;
wolfSSL 13:f67a6c6013ca 1826
wolfSSL 13:f67a6c6013ca 1827 if (key == NULL || e == NULL || eSz == NULL || n == NULL || nSz == NULL) {
wolfSSL 13:f67a6c6013ca 1828 return BAD_FUNC_ARG;
wolfSSL 13:f67a6c6013ca 1829 }
wolfSSL 13:f67a6c6013ca 1830
wolfSSL 13:f67a6c6013ca 1831 sz = mp_unsigned_bin_size(&key->e);
wolfSSL 13:f67a6c6013ca 1832 if ((word32)sz > *eSz)
wolfSSL 13:f67a6c6013ca 1833 return RSA_BUFFER_E;
wolfSSL 13:f67a6c6013ca 1834 ret = mp_to_unsigned_bin(&key->e, e);
wolfSSL 13:f67a6c6013ca 1835 if (ret != MP_OKAY)
wolfSSL 13:f67a6c6013ca 1836 return ret;
wolfSSL 13:f67a6c6013ca 1837 *eSz = (word32)sz;
wolfSSL 13:f67a6c6013ca 1838
wolfSSL 13:f67a6c6013ca 1839 sz = wc_RsaEncryptSize(key);
wolfSSL 13:f67a6c6013ca 1840 if ((word32)sz > *nSz)
wolfSSL 13:f67a6c6013ca 1841 return RSA_BUFFER_E;
wolfSSL 13:f67a6c6013ca 1842 ret = mp_to_unsigned_bin(&key->n, n);
wolfSSL 13:f67a6c6013ca 1843 if (ret != MP_OKAY)
wolfSSL 13:f67a6c6013ca 1844 return ret;
wolfSSL 13:f67a6c6013ca 1845 *nSz = (word32)sz;
wolfSSL 13:f67a6c6013ca 1846
wolfSSL 13:f67a6c6013ca 1847 return 0;
wolfSSL 13:f67a6c6013ca 1848 }
wolfSSL 13:f67a6c6013ca 1849
wolfSSL 13:f67a6c6013ca 1850 #ifdef WOLFSSL_KEY_GEN
wolfSSL 13:f67a6c6013ca 1851 /* Make an RSA key for size bits, with e specified, 65537 is a good e */
wolfSSL 13:f67a6c6013ca 1852 int wc_MakeRsaKey(RsaKey* key, int size, long e, WC_RNG* rng)
wolfSSL 13:f67a6c6013ca 1853 {
wolfSSL 13:f67a6c6013ca 1854 mp_int p, q, tmp1, tmp2, tmp3;
wolfSSL 13:f67a6c6013ca 1855 int err;
wolfSSL 13:f67a6c6013ca 1856
wolfSSL 13:f67a6c6013ca 1857 if (key == NULL || rng == NULL)
wolfSSL 13:f67a6c6013ca 1858 return BAD_FUNC_ARG;
wolfSSL 13:f67a6c6013ca 1859
wolfSSL 13:f67a6c6013ca 1860 if (size < RSA_MIN_SIZE || size > RSA_MAX_SIZE)
wolfSSL 13:f67a6c6013ca 1861 return BAD_FUNC_ARG;
wolfSSL 13:f67a6c6013ca 1862
wolfSSL 13:f67a6c6013ca 1863 if (e < 3 || (e & 1) == 0)
wolfSSL 13:f67a6c6013ca 1864 return BAD_FUNC_ARG;
wolfSSL 13:f67a6c6013ca 1865
wolfSSL 13:f67a6c6013ca 1866 #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_RSA)
wolfSSL 13:f67a6c6013ca 1867 if (key->asyncDev.marker == WOLFSSL_ASYNC_MARKER_RSA) {
wolfSSL 13:f67a6c6013ca 1868 #ifdef HAVE_CAVIUM
wolfSSL 13:f67a6c6013ca 1869 /* TODO: Not implemented */
wolfSSL 13:f67a6c6013ca 1870 #elif defined(HAVE_INTEL_QA)
wolfSSL 13:f67a6c6013ca 1871 /* TODO: Not implemented */
wolfSSL 13:f67a6c6013ca 1872 #else
wolfSSL 13:f67a6c6013ca 1873 WC_ASYNC_TEST* testDev = &key->asyncDev.test;
wolfSSL 13:f67a6c6013ca 1874 if (testDev->type == ASYNC_TEST_NONE) {
wolfSSL 13:f67a6c6013ca 1875 testDev->type = ASYNC_TEST_RSA_MAKE;
wolfSSL 13:f67a6c6013ca 1876 testDev->rsaMake.rng = rng;
wolfSSL 13:f67a6c6013ca 1877 testDev->rsaMake.key = key;
wolfSSL 13:f67a6c6013ca 1878 testDev->rsaMake.size = size;
wolfSSL 13:f67a6c6013ca 1879 testDev->rsaMake.e = e;
wolfSSL 13:f67a6c6013ca 1880 return WC_PENDING_E;
wolfSSL 13:f67a6c6013ca 1881 }
wolfSSL 13:f67a6c6013ca 1882 #endif
wolfSSL 13:f67a6c6013ca 1883 }
wolfSSL 13:f67a6c6013ca 1884 #endif
wolfSSL 13:f67a6c6013ca 1885
wolfSSL 13:f67a6c6013ca 1886 if ((err = mp_init_multi(&p, &q, &tmp1, &tmp2, &tmp3, NULL)) != MP_OKAY)
wolfSSL 13:f67a6c6013ca 1887 return err;
wolfSSL 13:f67a6c6013ca 1888
wolfSSL 13:f67a6c6013ca 1889 err = mp_set_int(&tmp3, e);
wolfSSL 13:f67a6c6013ca 1890
wolfSSL 13:f67a6c6013ca 1891 /* make p */
wolfSSL 13:f67a6c6013ca 1892 if (err == MP_OKAY) {
wolfSSL 13:f67a6c6013ca 1893 do {
wolfSSL 13:f67a6c6013ca 1894 err = mp_rand_prime(&p, size/16, rng, key->heap); /* size in bytes/2 */
wolfSSL 13:f67a6c6013ca 1895
wolfSSL 13:f67a6c6013ca 1896 if (err == MP_OKAY)
wolfSSL 13:f67a6c6013ca 1897 err = mp_sub_d(&p, 1, &tmp1); /* tmp1 = p-1 */
wolfSSL 13:f67a6c6013ca 1898
wolfSSL 13:f67a6c6013ca 1899 if (err == MP_OKAY)
wolfSSL 13:f67a6c6013ca 1900 err = mp_gcd(&tmp1, &tmp3, &tmp2); /* tmp2 = gcd(p-1, e) */
wolfSSL 13:f67a6c6013ca 1901 } while (err == MP_OKAY && mp_cmp_d(&tmp2, 1) != 0); /* e divides p-1 */
wolfSSL 13:f67a6c6013ca 1902 }
wolfSSL 13:f67a6c6013ca 1903
wolfSSL 13:f67a6c6013ca 1904 /* make q */
wolfSSL 13:f67a6c6013ca 1905 if (err == MP_OKAY) {
wolfSSL 13:f67a6c6013ca 1906 do {
wolfSSL 13:f67a6c6013ca 1907 err = mp_rand_prime(&q, size/16, rng, key->heap); /* size in bytes/2 */
wolfSSL 13:f67a6c6013ca 1908
wolfSSL 13:f67a6c6013ca 1909 if (err == MP_OKAY)
wolfSSL 13:f67a6c6013ca 1910 err = mp_sub_d(&q, 1, &tmp1); /* tmp1 = q-1 */
wolfSSL 13:f67a6c6013ca 1911
wolfSSL 13:f67a6c6013ca 1912 if (err == MP_OKAY)
wolfSSL 13:f67a6c6013ca 1913 err = mp_gcd(&tmp1, &tmp3, &tmp2); /* tmp2 = gcd(q-1, e) */
wolfSSL 13:f67a6c6013ca 1914 } while (err == MP_OKAY && mp_cmp_d(&tmp2, 1) != 0); /* e divides q-1 */
wolfSSL 13:f67a6c6013ca 1915 }
wolfSSL 13:f67a6c6013ca 1916
wolfSSL 13:f67a6c6013ca 1917 if (err == MP_OKAY)
wolfSSL 13:f67a6c6013ca 1918 err = mp_init_multi(&key->n, &key->e, &key->d, &key->p, &key->q, NULL);
wolfSSL 13:f67a6c6013ca 1919
wolfSSL 13:f67a6c6013ca 1920 if (err == MP_OKAY)
wolfSSL 13:f67a6c6013ca 1921 err = mp_init_multi(&key->dP, &key->dQ, &key->u, NULL, NULL, NULL);
wolfSSL 13:f67a6c6013ca 1922
wolfSSL 13:f67a6c6013ca 1923 if (err == MP_OKAY)
wolfSSL 13:f67a6c6013ca 1924 err = mp_sub_d(&p, 1, &tmp2); /* tmp2 = p-1 */
wolfSSL 13:f67a6c6013ca 1925
wolfSSL 13:f67a6c6013ca 1926 if (err == MP_OKAY)
wolfSSL 13:f67a6c6013ca 1927 err = mp_lcm(&tmp1, &tmp2, &tmp1); /* tmp1 = lcm(p-1, q-1),last loop */
wolfSSL 13:f67a6c6013ca 1928
wolfSSL 13:f67a6c6013ca 1929 /* make key */
wolfSSL 13:f67a6c6013ca 1930 if (err == MP_OKAY)
wolfSSL 13:f67a6c6013ca 1931 err = mp_set_int(&key->e, (mp_digit)e); /* key->e = e */
wolfSSL 13:f67a6c6013ca 1932
wolfSSL 13:f67a6c6013ca 1933 if (err == MP_OKAY) /* key->d = 1/e mod lcm(p-1, q-1) */
wolfSSL 13:f67a6c6013ca 1934 err = mp_invmod(&key->e, &tmp1, &key->d);
wolfSSL 13:f67a6c6013ca 1935
wolfSSL 13:f67a6c6013ca 1936 if (err == MP_OKAY)
wolfSSL 13:f67a6c6013ca 1937 err = mp_mul(&p, &q, &key->n); /* key->n = pq */
wolfSSL 13:f67a6c6013ca 1938
wolfSSL 13:f67a6c6013ca 1939 if (err == MP_OKAY)
wolfSSL 13:f67a6c6013ca 1940 err = mp_sub_d(&p, 1, &tmp1);
wolfSSL 13:f67a6c6013ca 1941
wolfSSL 13:f67a6c6013ca 1942 if (err == MP_OKAY)
wolfSSL 13:f67a6c6013ca 1943 err = mp_sub_d(&q, 1, &tmp2);
wolfSSL 13:f67a6c6013ca 1944
wolfSSL 13:f67a6c6013ca 1945 if (err == MP_OKAY)
wolfSSL 13:f67a6c6013ca 1946 err = mp_mod(&key->d, &tmp1, &key->dP);
wolfSSL 13:f67a6c6013ca 1947
wolfSSL 13:f67a6c6013ca 1948 if (err == MP_OKAY)
wolfSSL 13:f67a6c6013ca 1949 err = mp_mod(&key->d, &tmp2, &key->dQ);
wolfSSL 13:f67a6c6013ca 1950
wolfSSL 13:f67a6c6013ca 1951 if (err == MP_OKAY)
wolfSSL 13:f67a6c6013ca 1952 err = mp_invmod(&q, &p, &key->u);
wolfSSL 13:f67a6c6013ca 1953
wolfSSL 13:f67a6c6013ca 1954 if (err == MP_OKAY)
wolfSSL 13:f67a6c6013ca 1955 err = mp_copy(&p, &key->p);
wolfSSL 13:f67a6c6013ca 1956
wolfSSL 13:f67a6c6013ca 1957 if (err == MP_OKAY)
wolfSSL 13:f67a6c6013ca 1958 err = mp_copy(&q, &key->q);
wolfSSL 13:f67a6c6013ca 1959
wolfSSL 13:f67a6c6013ca 1960 if (err == MP_OKAY)
wolfSSL 13:f67a6c6013ca 1961 key->type = RSA_PRIVATE;
wolfSSL 13:f67a6c6013ca 1962
wolfSSL 13:f67a6c6013ca 1963 mp_clear(&tmp3);
wolfSSL 13:f67a6c6013ca 1964 mp_clear(&tmp2);
wolfSSL 13:f67a6c6013ca 1965 mp_clear(&tmp1);
wolfSSL 13:f67a6c6013ca 1966 mp_clear(&q);
wolfSSL 13:f67a6c6013ca 1967 mp_clear(&p);
wolfSSL 13:f67a6c6013ca 1968
wolfSSL 13:f67a6c6013ca 1969 if (err != MP_OKAY) {
wolfSSL 13:f67a6c6013ca 1970 wc_FreeRsaKey(key);
wolfSSL 13:f67a6c6013ca 1971 return err;
wolfSSL 13:f67a6c6013ca 1972 }
wolfSSL 13:f67a6c6013ca 1973
wolfSSL 13:f67a6c6013ca 1974 #ifdef WOLFSSL_XILINX_CRYPT
wolfSSL 13:f67a6c6013ca 1975 if (wc_InitRsaHw(key) != 0) {
wolfSSL 13:f67a6c6013ca 1976 return BAD_STATE_E;
wolfSSL 13:f67a6c6013ca 1977 }
wolfSSL 13:f67a6c6013ca 1978 #endif
wolfSSL 13:f67a6c6013ca 1979
wolfSSL 13:f67a6c6013ca 1980 return 0;
wolfSSL 13:f67a6c6013ca 1981 }
wolfSSL 13:f67a6c6013ca 1982 #endif /* WOLFSSL_KEY_GEN */
wolfSSL 13:f67a6c6013ca 1983
wolfSSL 13:f67a6c6013ca 1984
wolfSSL 13:f67a6c6013ca 1985 #ifdef WC_RSA_BLINDING
wolfSSL 13:f67a6c6013ca 1986
wolfSSL 13:f67a6c6013ca 1987 int wc_RsaSetRNG(RsaKey* key, WC_RNG* rng)
wolfSSL 13:f67a6c6013ca 1988 {
wolfSSL 13:f67a6c6013ca 1989 if (key == NULL)
wolfSSL 13:f67a6c6013ca 1990 return BAD_FUNC_ARG;
wolfSSL 13:f67a6c6013ca 1991
wolfSSL 13:f67a6c6013ca 1992 key->rng = rng;
wolfSSL 13:f67a6c6013ca 1993
wolfSSL 13:f67a6c6013ca 1994 return 0;
wolfSSL 13:f67a6c6013ca 1995 }
wolfSSL 13:f67a6c6013ca 1996
wolfSSL 13:f67a6c6013ca 1997 #endif /* WC_RSA_BLINDING */
wolfSSL 13:f67a6c6013ca 1998
wolfSSL 13:f67a6c6013ca 1999
wolfSSL 13:f67a6c6013ca 2000 #undef ERROR_OUT
wolfSSL 13:f67a6c6013ca 2001
wolfSSL 13:f67a6c6013ca 2002 #endif /* HAVE_FIPS */
wolfSSL 13:f67a6c6013ca 2003 #endif /* NO_RSA */
wolfSSL 13:f67a6c6013ca 2004