summaryrefslogtreecommitdiff
path: root/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/rsa.c
diff options
context:
space:
mode:
authorlundinc <lundinc@1d2547de-c912-0410-9cb9-b8ca96c0e9e2>2020-08-12 19:11:51 +0000
committerlundinc <lundinc@1d2547de-c912-0410-9cb9-b8ca96c0e9e2>2020-08-12 19:11:51 +0000
commit42255af1e27a3157d541f0812eaca447c569ca49 (patch)
tree5c8702c2f0dc1cb9be1a4d5ff285897d96b97dd2 /FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/rsa.c
parentf5221dff43de249079c2da081723cb7a456f981f (diff)
downloadfreertos-master.tar.gz
commit 70dcbe4527a45ab4fea6d58c016e7d3032f31e8cHEADmaster
Author: Ming Yue <mingyue86010@gmail.com> Date: Tue Aug 11 17:06:59 2020 -0700 Remove unused wolfSSL files. (#197) * Remove unused wolfSSL files. * Add back some removed ciphers. * Update VS project file. commit 0e0edd96e8236b2ea4a6e6018812807be828c77f Author: RichardBarry <3073890+RichardBarry@users.noreply.github.com> Date: Tue Aug 11 10:50:30 2020 -0700 Use new QEMU test project to improve stream/message buffer tests (#168) * Add Eclipse/GCC project that targets the LM3S8962 QEMU model. * Get the Cortex-M QEMU project working. * Continue working on making stream buffer demo more robust and QEMU project. * Rename directory CORTEX_LM3S8986_QEMU to CORTEX_LM3S6965_QEMU. Work on making the Stream Buffer tests more robust. Check in before adding in the trace recorder. * Rename CORTEX_LM3S6969_QEMU to CORTEX_LM3S6969_GCC_QEMU. * Make the StreamBufferDemo.c common demo file (test file) more robust to other test tasks running at an equally high priority. * Work in progress checkin only - comments in main.c are incorrect. * Correct comments at the top of FreeRTOS/Demo/CORTEX_LM3S6965_GCC_QEMU/main.c Make the message buffer tests more robust in the case the a message buffer becomes full when prvSenderTask() has a higher priority than the reader task. * Disable trace recorder in the LM3S6965 QEMU demo. * I'm dropping FreeRTOS-Kernel reference update, since this seems to break the CMBC CI. Co-authored-by: Yuhui Zheng <10982575+yuhui-zheng@users.noreply.github.com> commit 157a7fc39f19583ac8481e93fa3e1c91b1e1860c Author: Gaurav-Aggarwal-AWS <33462878+aggarg@users.noreply.github.com> Date: Sun Aug 9 22:21:44 2020 -0700 Use chacheable RAM in IAR project for MPU_M7_NUCLEO_H743ZI2 project (#193) This change updates the IAR project for Nucleo H743ZI2 to use the cacheable DTC RAM and enables L1 cache. In order to ensure the correct functioning of cache, the project sets configTEX_S_C_B_SRAM in FreeRTOSConfig.h to not mark the RAM as shareable. Signed-off-by: Gaurav Aggarwal <aggarg@amazon.com> commit f3e43556f90f01b82918ad533b0c616489331919 Author: Gaurav-Aggarwal-AWS <33462878+aggarg@users.noreply.github.com> Date: Sun Aug 9 16:23:53 2020 -0700 Add MPU demo projects for NUCLEO-H743ZI2 board (#155) * Add MPU demo projects for NUCLEO-H743ZI2 board It contains projects for Keil uVision, STM32CubeIDE and IAR EW. This demo shows the use of newly added support for 16 MPU regions. Signed-off-by: Gaurav Aggarwal <aggarg@amazon.com> * Delete not needed CMSIS files Signed-off-by: Gaurav Aggarwal <aggarg@amazon.com> commit 94aa31c3cbae7c929b8a412768b74631f4a6b461 Author: TakayukiMatsuo <62984531+TakayukiMatsuo@users.noreply.github.com> Date: Sat Aug 8 07:58:14 2020 +0900 Update wolfSSL to the latest version(v.4.4.0) (#186) * deleted old version wolfSSL before updating * updated wolfSSL to the latest version(v4.4.0) * updated wolfSSL to the latest version(v4.4.0) * added macros for timing resistance Co-authored-by: RichardBarry <3073890+RichardBarry@users.noreply.github.com> Co-authored-by: Ming Yue <mingyue86010@gmail.com> commit 68518f5866aac58793c737d9a46dd07a6a816aaf Author: RichardBarry <3073890+RichardBarry@users.noreply.github.com> Date: Fri Aug 7 14:59:24 2020 -0700 Removed a 16MByte flash image file that was checked in by mistake (several years ago). (#173) Remove the copies of lwIP that are no longer reference from demo projects. Co-authored-by: Carl Lundin <53273776+lundinc2@users.noreply.github.com> commit d4bf09480a2c77b1a25cce35b32293be61ab586f Author: m17336 <45935231+m17336@users.noreply.github.com> Date: Thu Aug 6 22:37:08 2020 +0300 Update previous AVR ATmega0 and AVR Dx projecs + addition of equivalent projects in MPLAB.X and IAR (#180) * Updated indentation in AVR_ATMega4809_Atmel_Studio and AVR_Dx_Atmel_Studio projects, plus small fixes in their readme files. * Added AVR_ATMega4809_IAR, AVR_ATMega4809_MPLAB.X, AVR_Dx_IAR and AVR_Dx_MPLAB.X demo projects. * Removed build artefacts and added .gitignore files in AVR_ATMega4809_MPLAB.X and AVR_Dx_MPLAB.X projects. Co-authored-by: Yuhui Zheng <10982575+yuhui-zheng@users.noreply.github.com> commit f32a0647c8228ddd066f5d69a85b2e49086e4c95 Author: Aniruddha Kanhere <60444055+AniruddhaKanhere@users.noreply.github.com> Date: Mon Aug 3 16:45:10 2020 -0700 Remove CBMC patch which is not used anymore (#187) * Delete 0002-Change-FreeRTOS_IP_Private.h-union-to-struct.patch * Delete 0002-Change-FreeRTOS_IP_Private.h-union-to-struct.patch commit 08af68ef9049279b265c3d00e9c48fb9594129a8 Author: Aniruddha Kanhere <60444055+AniruddhaKanhere@users.noreply.github.com> Date: Sat Aug 1 16:38:23 2020 -0700 Remove dependency of CBMC on Patches (#181) * Changes to DHCP * CBMC DNS changes * Changes for TCP_IP * Changes to TCP_WIN * Define away static to nothing * Remove patches * Changes after Mark's comments v1 * Update MakefileCommon.json * Correction! commit a7fec906a415363338449447daf10d7517b78848 Author: Aniruddha Kanhere <60444055+AniruddhaKanhere@users.noreply.github.com> Date: Wed Jul 29 17:39:36 2020 -0700 Misc changes (#183) commit 07cf5e07e4a05d6775a2f9e753269f43f82cf6ba Author: Aniruddha Kanhere <60444055+AniruddhaKanhere@users.noreply.github.com> Date: Wed Jul 29 16:15:38 2020 -0700 MISRA compliance changes for FreeRTOS+TCP headers (#165) * misra changes * Update FreeRTOS_IP_Private.h * Update FreeRTOS_IP_Private.h commit e903ac0fed7ce59916899e404f3e5ae5b08d1478 Author: Aniruddha Kanhere <60444055+AniruddhaKanhere@users.noreply.github.com> Date: Wed Jul 29 16:03:14 2020 -0700 UPD MISRA changes (#164) Co-authored-by: Yuhui Zheng <10982575+yuhui-zheng@users.noreply.github.com> commit 97551bf44e7dc7dc1e4484a8fd30f699255e8569 Author: Aniruddha Kanhere <60444055+AniruddhaKanhere@users.noreply.github.com> Date: Wed Jul 29 15:52:00 2020 -0700 MISRA changes in FreeRTOS_TCP_WIN.c (#162) commit f2611cc5e5999c4c87e040a8c2d2e6b5e77a16a6 Author: Aniruddha Kanhere <60444055+AniruddhaKanhere@users.noreply.github.com> Date: Wed Jul 29 15:38:37 2020 -0700 MISRA compliance changes in FreeRTOS_Sockets{.c/.h} (#161) * MISRA changes Sockets * add other changes * Update FreeRTOSIPConfig.h * Update FreeRTOSIPConfig.h * Update FreeRTOSIPConfig.h * Update FreeRTOSIPConfig.h * correction * Add 'U' * Update FreeRTOS_Sockets.h * Update FreeRTOS_Sockets.h * Update FreeRTOS_Sockets.c * Update FreeRTOS_Sockets.h * Update after Gary's comments * Correction reverted commit ae4d4d38d9b2685bae159b4c87619cdb157c0bf7 Author: Aniruddha Kanhere <60444055+AniruddhaKanhere@users.noreply.github.com> Date: Wed Jul 29 13:56:57 2020 -0700 MISRA compliance changes for FreeRTOS_TCP_IP.c (#160) * MISRA tcp-ip changes * Changes after Hein's comments on original PR * Update FreeRTOS_TCP_IP.c Co-authored-by: Yuhui Zheng <10982575+yuhui-zheng@users.noreply.github.com> commit a457f43c66eb0f4be9d8f8678c0e3fb8d7ebd57b Author: Carl Lundin <53273776+lundinc2@users.noreply.github.com> Date: Tue Jul 28 13:01:38 2020 -0700 Add missing error state assignment. (#166) commit 915af50524e15a78ceb6c62b3d33f6562621ee46 Author: Yuhui Zheng <10982575+yuhui-zheng@users.noreply.github.com> Date: Mon Jul 27 17:30:53 2020 -0700 Add Atmel Studio projects for ATMega4809 and AVR128DA48 (#159) * Added explicit cast to allow roll over and avoid integer promotion during cycles counters comparison in recmutex.c. * Fixed type mismatch between declaration and definition of function xAreSemaphoreTasksStillRunning( void ). * Added Atmel Studio demo projects for ATMega4809 and AVR128DA48. * Per https://www.freertos.org/upgrading-to-FreeRTOS-V8.html, I'm updating portBASE_TYPE to BaseType_t. Signed-off-by: Yuhui Zheng <10982575+yuhui-zheng@users.noreply.github.com> * Update register test for ATmega4809 - to cover r28, r29, r31. - call public API taskYIELD() instead of portYIELD(). * Update ATmega4809 readme.md to include info for serial port setup, and minor wording fix. Co-authored-by: Alexandru Niculae - M17336 <alexandru.niculae@microchip.com> commit 4a7a48790d64127f85cc763721b575c51c452833 Author: Carl Lundin <53273776+lundinc2@users.noreply.github.com> Date: Thu Jul 23 10:22:33 2020 -0700 Add Uncrustify file used for Kernel. (#163) commit e0d62163b08769fd74f020709c398f994088ca96 Author: Aniruddha Kanhere <60444055+AniruddhaKanhere@users.noreply.github.com> Date: Wed Jul 22 18:06:23 2020 -0700 Sync with +TCP amazon-FreeRTOS (#158) * DNS.c commit * IP.c commit * Add various source & header files commit 8e36bee30eef2107e128edb58e83ee46e8241a91 Author: Nathan Chong <52972368+nchong-at-aws@users.noreply.github.com> Date: Tue Jul 21 12:51:20 2020 -0400 Prove buffer lemmas (#124) * Prove buffer lemmas * Update queue proofs to latest kernel source All changes were syntactic due to uncrustify code-formatting * Strengthen prvCopyDataToQueue proof * Add extract script for diff comparison Co-authored-by: Yuhui Zheng <10982575+yuhui-zheng@users.noreply.github.com> commit c720c18ada40b502436ea811e8d03dca919726d8 Author: Hein Tibosch <hein_tibosch@yahoo.es> Date: Tue Jul 14 05:35:44 2020 +0800 FreeRTOS+TCP Adding the combined driver for SAM4E and SAME70 v2 (#78) * Adding a combined +TCP driver for SAM4E and SAME70 * Changes after review from Aniruddha Co-authored-by: Hein Tibosch <hein@htibosch.net> Co-authored-by: Aniruddha Kanhere <60444055+AniruddhaKanhere@users.noreply.github.com> commit 4237049b12d9bb6b03694fecf6ea26a353e637c8 Author: Aniruddha Kanhere <60444055+AniruddhaKanhere@users.noreply.github.com> Date: Mon Jul 13 12:07:56 2020 -0700 Add changes from 2225-2227 amazon-FreeRTOS (#134) commit 7caa32863458c4470d3c620945c30824199f524c Author: Aniruddha Kanhere <60444055+AniruddhaKanhere@users.noreply.github.com> Date: Fri Jul 10 23:32:30 2020 -0700 Add Full TCP test suite - not using secure sockets (#131) * Add Full-TCP suite * delete unnecessary files * Change after Joshua's comments commit d7667a0034841f2968f9f9f805030cc608bfbce1 Author: Gaurav-Aggarwal-AWS <33462878+aggarg@users.noreply.github.com> Date: Fri Jul 3 15:45:44 2020 -0700 Remove unnecessary semicolon from the linker file (#121) This was creating problem with the onboard LPCLink debug probe. Signed-off-by: Gaurav Aggarwal <aggarg@amazon.com> commit 529c481c39506d0b331bfd0cdea35e5d1aeaaad0 Author: Nathan Chong <52972368+nchong-at-aws@users.noreply.github.com> Date: Thu Jul 2 15:55:20 2020 -0400 Add VeriFast kernel queue proofs (#117) commit d5fedeaa96b5b1d3c0f6b9b52a8064ab72ff2821 Author: Aniruddha Kanhere <60444055+AniruddhaKanhere@users.noreply.github.com> Date: Wed Jul 1 13:56:27 2020 -0700 Add checks in FreeRTOS_Socket.c (#104) * Add fail-safes to FreeRTOS_Socket.c * Use all 'pd' errors * Correction after Hein's comments * Correction after Hein's comments v2 * Changes after Hein's comments * Update after Gary's comments commit a9b2aac4e9fda2a259380156df9cc0af51384d2d Author: Aniruddha Kanhere <60444055+AniruddhaKanhere@users.noreply.github.com> Date: Fri Jun 26 12:09:36 2020 -0700 Folder structure change + Fix broken Projects (#103) * Update folder structure * Correct project files * Move test folder * Some changes after Yuki's comments commit 98bfc38bf3404414878dc68ea41753bea4e24c8e Author: Hein Tibosch <hein_tibosch@yahoo.es> Date: Thu Jun 25 13:01:45 2020 +0800 FreeRTOS+TCP : add memory statistics and dump packets, v3 (#83) * FreeRTOS+TCP : add memory statistics and dump packets, v3 * Two changes as requested by Aniruddha Co-authored-by: Hein Tibosch <hein@htibosch.net> Co-authored-by: Aniruddha Kanhere <60444055+AniruddhaKanhere@users.noreply.github.com> commit 072a173c9df31c75ff64bde440f3f316cedb9033 Author: S.Burch <8697966+wholl0p@users.noreply.github.com> Date: Mon Jun 22 23:39:26 2020 +0200 Fixed Imports for Infineon XMC1100 Board (#88) Co-authored-by: RichardBarry <3073890+RichardBarry@users.noreply.github.com> commit 2df5eeef5763045c4c74ff0e2a4091b7d19bea89 Author: RichardBarry <3073890+RichardBarry@users.noreply.github.com> Date: Mon Jun 8 14:22:46 2020 -0700 Feature/multiple direct to task notifications (#73) * Add TaskNotifyArray.c with the single task tests updated to use the task notification array up to the point where the timer is created. * Continue working on TaskNotifyArray.c to test the new task notification indexes. Next TaskNotifyArray.c will be refactored to break the tests up a bit. * Refactor and update the comments in TaskNotifyArray.c - no functional changes. * Change from the task notify "array" to task notification "indexed" nomenclature in the new task notification API functions that work on one particular task notification with the array of task notifications. * Update the implementation of the taskNOTIFY_TAKE() and taskNOTIFY_WAIT() trace macros to take the array index of the task notification they are acting on. Rename configNUMBER_OF_TASK_NOTIFICATIONS to configTASK_NOTIFICATION_ARRAY_ENTRIES. Add FreeRTOS/Demo/Common/Minimal/TaskNotifyArray.c to the Visual Studio project - the file implements tests specific to the behaviour of the indexed task notification functions and should be used in addition to the tests already provided in FreeRTOS/Demo/Common/Minimal/TaskNotify.c. commit b9e4ecfaf7286d8493d4a96a93fbb325534ad97b Author: Aniruddha Kanhere <60444055+AniruddhaKanhere@users.noreply.github.com> Date: Fri Jun 5 11:10:58 2020 -0700 Remove Empty and Un-referenced folder from Demo (#86) commit f11bcc8acc57a23fb03603762e758c25b9d0efb7 Author: Aniruddha Kanhere <60444055+AniruddhaKanhere@users.noreply.github.com> Date: Wed Jun 3 16:52:31 2020 -0700 Fix a Bug and corresponding CBMC patch (#84) * Update remove-static-in-freertos-tcp-ip.patch * Update FreeRTOS_TCP_IP.c * Update remove-static-in-freertos-tcp-ip.patch * Update remove-static-in-freertos-tcp-ip.patch Co-authored-by: Yuhui Zheng <10982575+yuhui-zheng@users.noreply.github.com> commit bb9f92f771e5f6ea2b9b09c7e89130a75e562eb7 Author: Yuhui Zheng <10982575+yuhui-zheng@users.noreply.github.com> Date: Wed Jun 3 10:46:55 2020 -0700 Submodule FreeRTOS/Source 10bbbcf0b..6199b72fb (#82) commit 6efc39f44be5b269168836e95aebbdb8ae77dce3 Author: Aniruddha Kanhere <60444055+AniruddhaKanhere@users.noreply.github.com> Date: Tue Jun 2 15:09:25 2020 -0700 Add Project for running integration tests v2 (#80) * Project for integration tests * relative paths in project files * relative paths in project files-1 * relative paths in project files-2 * addressed comments * addressed comments v2 Co-authored-by: Yuhui Zheng <10982575+yuhui-zheng@users.noreply.github.com> commit 0eb5909fb02bac9dc074ff1bc2fe338d77f73764 Author: Yuhui Zheng <10982575+yuhui-zheng@users.noreply.github.com> Date: Thu May 28 17:05:24 2020 -0700 readme.md for ATmega328PB Xplained Mini. (#76) readme.md to get users jump started. commit cb7edd2323a77f3dbea144c1f48f95582becc99e Author: Aniruddha Kanhere <60444055+AniruddhaKanhere@users.noreply.github.com> Date: Thu May 28 10:11:58 2020 -0700 Sync with a:FR (#75) * AFR sync * AFR sync: CBMC * AFR sync: CBMC: remove .bak files * AFR sync: CBMC: more cleanup * Corrected CBMC proofs * Corrected CBMC patches * Corrected CBMC patches-1 * Corrected CBMC patches-2 * remove .bak files (3) Co-authored-by: Yuhui Zheng <10982575+yuhui-zheng@users.noreply.github.com> commit 6557291e5407ca7ec6beca53fced1aaa620c5c02 Author: alfred gedeon <alfred2g@hotmail.com> Date: Wed May 27 14:44:33 2020 -0700 Test: Add Linux Networking support with demo application (#71) * Test: Add Linux Networking support with demo application * Test: revert files affected by uncrustify * Test: revert files affected by uncrustify Co-authored-by: Alfred Gedeon <gedeonag@amazon.com> Co-authored-by: Yuhui Zheng <10982575+yuhui-zheng@users.noreply.github.com> commit 8b079bc394e7b205d72210ce9e052404d782938f Author: Yuhui Zheng <10982575+yuhui-zheng@users.noreply.github.com> Date: Wed May 27 10:44:03 2020 -0700 ATmega328PB Xplained Mini -- demo project for ATmega port. (#70) * Bootstrap a demo from START. No driver is added in this commit. * Add FreeRTOS source code to project. Remove unnecessary folder nesting. Heap_4 is used here. * Copy over main.c, FreeRTOSConfig.h, and regtest.{c, h}. This commit compiles, but will need some work on timer used. * This port has 2KB RAM. We are using 1KB for heap. Further decreasing minimum stack size, and also use stack overflow check 1 to save some stack space. * Preserve EEPROM set to false. * End of the line. * Reduce register test stack size. 32 8-bit register + 10 bytes for stack frame cost. Round up to 50. * Adding Queue test in Integer test. - g3 to easy debugging. - mainCHECK_PERIOD is set to 1000 ticks. Note that this port for now use WDT as tick timer, and period is set to 15ms. - vErrorChecks, is of highest priority. So if this task gets run before other tasks, the very first check will fail. * Avoid false alarm. Since we don't know in which order the tasks are scheduled, clearing any error for the first entry of vErrorChecks. Signed-off-by: Yuhui Zheng <10982575+yuhui-zheng@users.noreply.github.com> * ParTest.c to init, set, toggle onboard user LED at PB5. * Added a task to blink onboard user LED. Need a magic number for stack size. Signed-off-by: Yuhui Zheng <10982575+yuhui-zheng@users.noreply.github.com> * Explicitly setting timing slicing to 0. This is to avoid unecessary context switch when multiple tasks are of the same priority. Signed-off-by: Yuhui Zheng <10982575+yuhui-zheng@users.noreply.github.com> * Add taskYIELD() at the end of the loop in each register test task. This is to give other tasks of the same priority a chance to run, regardless of scheduling algorithm. Signed-off-by: Yuhui Zheng <10982575+yuhui-zheng@users.noreply.github.com> * minor, update comment in main.c. commit 95a3a02f95749fb7a600723076e291f9dee7426c Author: Aniruddha Kanhere <60444055+AniruddhaKanhere@users.noreply.github.com> Date: Fri May 22 16:26:59 2020 -0700 FreeRTOS-Plus: Unit testing Infrastructure and examples (#72) * Added CMock as submodule * Makefile added * Removed TEMP from Makefile * Added configuration files and header files * Update Makefile * Test runner working * make clean * Example added with README * Update README.md * Restored +TCP files * Cleared +TCP changes * removed comments from Makefile * Update README.md * Update README.md * Update README.md * Updated Test/Unit-test/readme.md commit 5003d17feda25490e655c0f1c15d2b13e395c9f7 Author: Hein Tibosch <hein_tibosch@yahoo.es> Date: Wed May 6 14:16:56 2020 -0400 FreeRTOS+TCP : renewing DHCP lease while network is down (#53) Co-authored-by: Hein Tibosch <hein@htibosch.net> Co-authored-by: Gary Wicker <14828980+gkwicker@users.noreply.github.com> commit d95624c5d6ba95ec0474867d7165de2c28ed41b7 Author: AniruddhaKanhere <60444055+AniruddhaKanhere@users.noreply.github.com> Date: Tue May 5 09:57:18 2020 -0700 Move CBMC proofs to FreeRTOS+ directory (#64) * move CBMC proofs to FreeRTOS+ directory * Failing proofs corrected * ParseDNSReply proof added back * removed queue_init.h from -Plus/Test Co-authored-by: Yuhui Zheng <10982575+yuhui-zheng@users.noreply.github.com> commit 95ae7c65758a9473ea16ab08182f056f72331de2 Author: markrtuttle <tuttle@acm.org> Date: Wed Apr 29 04:27:45 2020 +0000 Change cbmc-viewer invocation in CBMC makefile (#63) * Exclude FreeRTOS/Demo from CBMC proof reports. The script cbmc-viewer generates the CBMC proof reports. The script searches source files for symbol definitions and annotates source files with coverage information. This patch causes cbmc-viewer to ignore the directory FreeRTOS/Demo containing 348M of data. The script now terminates in a few seconds. * Make report default target for CBMC Makefile. Modify the Makefile for CBMC proofs to generate the report by default (and not just property checking) and modify property checking to ignore failures (due to property assertions failing) and terminating report generation. Co-authored-by: Mark R. Tuttle <mrtuttle@amazon.com> commit d421ccc89f6f6473dfdd566a00567b0e1fd4cfc3 Author: Yuhui Zheng <10982575+yuhui-zheng@users.noreply.github.com> Date: Sat Apr 25 16:57:35 2020 -0700 Reword readme.md under ./Test. (#61) commit 38412865985235b90dbd9da9708b68c4de5918f5 Author: Carl Lundin <53273776+lundinc2@users.noreply.github.com> Date: Sat Apr 25 16:56:54 2020 -0700 Removed a:FR reference. (#60) commit 4db195c916c7b13c82ab3a34a499fe606f266810 Author: AniruddhaKanhere <60444055+AniruddhaKanhere@users.noreply.github.com> Date: Tue Apr 21 15:40:08 2020 -0700 Adding FreeRTOS+TCP CBMC proofs to FreeRTOS/FreeRTOS (#56) ParseDNSReply is to be added in the next PR. commit 40a31b6d35a866a3a6c551d95bf08dae855da5bd Author: AniruddhaKanhere <60444055+AniruddhaKanhere@users.noreply.github.com> Date: Mon Apr 13 13:58:33 2020 -0700 'uL' -> 'UL' commit 5b3a289b69fc92089aa8bd4d1b44ab816f326f73 Author: AniruddhaKanhere <60444055+AniruddhaKanhere@users.noreply.github.com> Date: Mon Apr 13 13:50:53 2020 -0700 Changes after Gary's comments commit edf68637dd22470a8d4f59fecc15b51379bcfeda Author: AniruddhaKanhere <60444055+AniruddhaKanhere@users.noreply.github.com> Date: Fri Apr 10 16:26:03 2020 -0700 Update FreeRTOS_ARP.c commit 35f3ac32a8899dd714a8a48952a4224fbcebc4aa Author: AniruddhaKanhere <60444055+AniruddhaKanhere@users.noreply.github.com> Date: Fri Apr 10 15:56:18 2020 -0700 correct debug output commit 5e12a70db4b6a8e68a434489683306f040252efa Author: AniruddhaKanhere <60444055+AniruddhaKanhere@users.noreply.github.com> Date: Fri Apr 10 15:44:45 2020 -0700 Debugging flag check added commit 4e8ac8de25ac4088b9c789b88a77cd39df4d9167 Author: AniruddhaKanhere <60444055+AniruddhaKanhere@users.noreply.github.com> Date: Thu Apr 9 16:57:19 2020 -0700 Comment style consistency and Yuhui's suggestions commit e43f7cd086096ad60491fedba69927a1e1a82f20 Author: AniruddhaKanhere <60444055+AniruddhaKanhere@users.noreply.github.com> Date: Thu Apr 9 16:47:41 2020 -0700 Cleanup commit ab3b51c7a0d880a6bf453ec63ae604e15050f310 Author: AniruddhaKanhere <60444055+AniruddhaKanhere@users.noreply.github.com> Date: Thu Apr 9 16:33:03 2020 -0700 Update after Gary's comments commit 97f7009699ffb972c0745dfdb526d1fa4e0faf84 Author: AniruddhaKanhere <60444055+AniruddhaKanhere@users.noreply.github.com> Date: Wed Apr 8 14:30:15 2020 -0700 Update after richard's comments commit a9fcafc074cec559dd67961ef44273df6180c2db Author: AniruddhaKanhere <60444055+AniruddhaKanhere@users.noreply.github.com> Date: Wed Apr 8 14:07:39 2020 -0700 Corrected the formatting - visual studio had messed up the formatting commit c381861014a8043ce30723fc5a8cf5107719c8df Author: AniruddhaKanhere <60444055+AniruddhaKanhere@users.noreply.github.com> Date: Wed Apr 8 13:01:12 2020 -0700 commit 2 after gary's comments commit 75677a8d85fa802cca9058d6e23796d5043a0982 Author: AniruddhaKanhere <60444055+AniruddhaKanhere@users.noreply.github.com> Date: Wed Apr 8 12:51:10 2020 -0700 Commit after Gary's comments commit 666c0da366030109db2c0c5e7253cebb2f899db7 Author: AniruddhaKanhere <60444055+AniruddhaKanhere@users.noreply.github.com> Date: Wed Apr 8 10:56:01 2020 -0700 Update after Yuhui's comments - removed (void) from before memcpy, memset etc. - corrected memcpy style as suggested by Yuhui - Added logging for xNetworkInterfaceOutput. No need to configASSERT commit 4a1148d15b6b8169d2412f8179f734683b179795 Author: AniruddhaKanhere <60444055+AniruddhaKanhere@users.noreply.github.com> Date: Wed Apr 1 16:05:36 2020 -0700 Coverity + MISRA compliance Modified code to conform to the MISRA directives more closely. commit fa74f7dccf6b1a356993c6a894f8e1173b8c8157 Author: Yuhui Zheng <10982575+yuhui-zheng@users.noreply.github.com> Date: Thu Apr 2 20:26:10 2020 -0700 Removing writes to read-only PLIC interrupt pending registers. Signed-off-by: Yuhui Zheng <10982575+yuhui-zheng@users.noreply.github.com> commit 5b9777e11e16609648fb98d2f9a47553ab238950 Author: Yuhui Zheng <10982575+yuhui-zheng@users.noreply.github.com> Date: Tue Mar 31 10:45:23 2020 -0700 A readme file to introduce what ./Test directory is about. commit 211bb4cbd9ae6dfa95e8d8501f37d272bde5ab26 Author: Yuhui Zheng <10982575+yuhui-zheng@users.noreply.github.com> Date: Tue Mar 24 15:14:24 2020 -0700 Ignore whitespace when working with patches. commit 8156f64d1c45dd59ef12279f19a99f03e79e1f8a Author: Yuhui Zheng <10982575+yuhui-zheng@users.noreply.github.com> Date: Tue Feb 25 18:04:23 2020 -0800 Copying CBMC proofs from aws/amazon-freertos repo ./tools/cbmc to this repo ./FreeRTOS/Test/CBMC as is. The commit ID in aws/amazon-freertos is 0c8e0217f2a43bdeb364b58ae01c6c259e03ef1b. commit 9f316c246baafa15c542a5aea81a94f26e3d6507 Author: David Vrabel <david.vrabel@cambridgeconsultants.com> Date: Mon Mar 16 11:21:46 2020 +0000 Demo/Posix_GCC: add demo application for Posix port using GCC This is largely a copy of the Windows demo application with a few key changes: - heap_3 (use malloc()/free()) so tools like valgrind "just work". - printf() wrapped in a mutex to prevent deadlocks on the internal pthread mutexes inside printf(). SCons (https://scons.org/) is used as the build system. This will be built as a 64-bit application, but note that the memory allocation trace points only record the lower 32-bits of the address. commit f78f919b3e2f0d707531a301a8ca07cd02bc4778 Author: Markus Rinne <markus.ka.rinne@gmail.com> Date: Thu Mar 19 21:00:24 2020 +0200 Fix function comments commit 1cd2d38d960a3576addb224582c88489bade5141 Author: David Chalco <david@chalco.io> Date: Fri Mar 20 10:29:05 2020 -0700 unix separators for path and remove .exe suffix from risc compiler (works on windows/mac) commit 938b19419eded12817737ab0644e94ed2ba7e95d Author: Yuhui Zheng <10982575+yuhui-zheng@users.noreply.github.com> Date: Thu Mar 19 18:23:09 2020 -0700 Removing ./FreeRTOS-Labs directory, since: - IoT libraries are now in LTS branch. - FAT/POSIX/Light-weight MQTT are in https://github.com/FreeRTOS/FreeRTOS-Labs. commit 1a4abbc9e91b13fd6394464ade59d5e048320c7c Author: Yuhui Zheng <10982575+yuhui-zheng@users.noreply.github.com> Date: Tue Mar 17 19:30:02 2020 -0700 Maintenance -- clean up readme.txt and add url to GitHub. (#38) * Removing readme.txt, as now we have README.md in place. The only information missing from README.md is about FAQ. * Adding FAQ information in README.md. * Adding a .url to root to redict user to FreeRTOS github home page. commit 47bb466aa19395b7785bcb830e2e4dd35f6bafc5 Author: Yuhui Zheng <10982575+yuhui-zheng@users.noreply.github.com> Date: Tue Mar 17 13:07:44 2020 -0700 Update issue templates Template maintenance. - adding title prefix. - adding examples to "additional context" section. commit f506290041f56867765f8efa70ed2862125bdb7c Author: Yuhui Zheng <10982575+yuhui-zheng@users.noreply.github.com> Date: Tue Mar 17 10:15:07 2020 -0700 Create SECURITY.md Apply the recommended SECURITY.md from AWS to our repo. commit 8982a2f80a80a2a0a47cf82de07b52101bd9d606 Author: Yuhui Zheng <10982575+yuhui-zheng@users.noreply.github.com> Date: Fri Mar 13 12:50:10 2020 -0700 Add ./lib directory to make sure Zynq project compiles. commit ecf0f12aa14ad6fdafe1ef37257cbb4e03e2abd5 Author: AniruddhaKanhere <60444055+AniruddhaKanhere@users.noreply.github.com> Date: Wed Mar 11 10:19:48 2020 -0700 Sync up with Amazon-freertos repo (10th March 2020) (#34) * Sync up with amazon-freertos * Sync up with amazon-freertos * Sync up with amazon-freertos commit 0acffef047973e2e61c2201fd69cd9bbd317f674 Author: Yuhui Zheng <10982575+yuhui-zheng@users.noreply.github.com> Date: Tue Mar 10 10:20:48 2020 -0700 GitHub PR template. (#29) commit c40a6da2e4cb8042b56d1b174051cbbe9813781a Author: AniruddhaKanhere <60444055+AniruddhaKanhere@users.noreply.github.com> Date: Mon Mar 9 11:18:48 2020 -0700 pass payload length when calling UDP callback (#30) * pass payload length when calling UDP callback commit 12d580e93d4d9074b9a867632f0681a511b4ad12 Author: Yuhui Zheng <10982575+yuhui-zheng@users.noreply.github.com> Date: Fri Mar 6 18:16:51 2020 -0800 Update issue templates Initial issue template. Created following https://help.github.com/en/github/building-a-strong-community/configuring-issue-templates-for-your-repository#configuring-the-template-chooser. If change is needed, we could go another round. commit 9debffb5e0e42ff716f58b2270b3af09652294af Author: Yuhui Zheng <10982575+yuhui-zheng@users.noreply.github.com> Date: Fri Mar 6 17:27:46 2020 -0800 Update README.md to remove dead link. See the conversation https://github.com/FreeRTOS/FreeRTOS/commit/42c627b2b88cb3b487fea983d8b566a8bbae54fa#comments . Linkage for both ```./FreeRTOS/Source``` and ```./FreeRTOS/Demo``` are removed, since it looks weird to only provide linkage to Demo. commit 7e1a4bf563240501fc45167aee9d929c533939dd Author: AniruddhaKanhere <60444055+AniruddhaKanhere@users.noreply.github.com> Date: Fri Mar 6 15:18:09 2020 -0800 Fix DHCP option Client-identifier (#28) commit 42c627b2b88cb3b487fea983d8b566a8bbae54fa Author: Yuhui.Zheng <10982575+yuhui-zheng@users.noreply.github.com> Date: Fri Mar 6 09:15:11 2020 -0800 Update readme and revert relative URL. (#27) * Reordering: bumping cloning instruction up. * Rewording readme.md to be clear kernel code is a submodule of this repository. * Reverting relative URL, since user cannot click through on GitHub page. (With URL, user could still download the correct version of the code. Reverting simply due to UI issue.) commit 5751ae9b60e248ebd0b4dd7c58df54364d2bb9d5 Author: Gaurav-Aggarwal-AWS <33462878+aggarg@users.noreply.github.com> Date: Fri Mar 6 09:11:42 2020 -0800 Update CORTEX_MPU_M33F_NXP_LPC55S69_MCUXpresso project (#26) This commit updates the project for LPC55S69 so that it works with the latest version of MCUXpresso and SDK. Signed-off-by: Gaurav Aggarwal <aggarg@amazon.com> commit a9ffffe1f01f45f79e127c15727784984077932f Author: Carl Lundin <53273776+lundinc2@users.noreply.github.com> Date: Thu Mar 5 17:16:13 2020 -0800 Using Relative URL For Submoduling. (#24) commit 52c82076b38fe73d1dc46c97abf74ae9b803696c Author: Carl Lundin <53273776+lundinc2@users.noreply.github.com> Date: Thu Mar 5 09:16:31 2020 -0800 use relative path to point to bundled toolchain instead (#25) commit b877e4ec478de2c24d07ab46241070d7c66f375c Author: lundinc2 <53273776+lundinc2@users.noreply.github.com> Date: Tue Feb 25 13:18:38 2020 -0800 Moved vulnerability reporting and code of conduct to top of CONTRIBUTING.md (#20) commit bef165d46799fb8faa58aaa224f80c16b6538e69 Author: Yuhui.Zheng <10982575+yuhui-zheng@users.noreply.github.com> Date: Tue Feb 18 22:06:38 2020 -0800 Linking test source file from relative path. (#19) commit 89e7bbe292afd3912d1f0b2402cc506878bad869 Author: Yuhui.Zheng <10982575+yuhui-zheng@users.noreply.github.com> Date: Tue Feb 18 17:47:55 2020 -0800 A preliminary .gitignore file, to prevent us checking in files unnecessary. (#18) https://github.com/github/gitignore. commit c2a98127acb48c4562233230e66ca5c282688579 Author: RichardBarry <3073890+RichardBarry@users.noreply.github.com> Date: Sun Feb 16 13:19:53 2020 -0800 Minor wording changes in the 'previous releases' section of the readme.me file. (#17) commit 24c772d1439e5c291c0a29fce0a46996ca8afaa9 Author: Yuhui.Zheng <10982575+yuhui-zheng@users.noreply.github.com> Date: Fri Feb 14 12:47:01 2020 -0800 Submodule kernel directory. (#16) * Removing FreeRTOS/Source in readiness for submoduling. * Submoduling kernel. * README.md update due to submoduling. When releasing, please follow these steps: 1. in local directory, clean directory and check "git status" shows "nothing to commit, working tree clean" for ALL subdirectories. 2. copy source code and instructions only to an empty folder. Git related should not be in this folder -- this covers .git, .gitignore, .github, .gitmodules, gitmessages, ...... 3. zip the folder from step 2. (create both .zip and .7z) 4. attach .zip and .7z to the release. (e.g. attach these two in new release -- https://github.com/FreeRTOS/FreeRTOS/releases/new) 5. PLEASE download both, unzip, diff with your local git repo. (should not see any difference other than git related.) And, sanity check a couple of projects. commit c3f8b91652392dc55e0d7067b90a40de5f5f0837 Author: Rashed Talukder <9218468+rashedtalukder@users.noreply.github.com> Date: Thu Feb 13 17:47:14 2020 -0800 Update readme. Fixed typos and cli commands (#14) commit 4723b825f2989213c1cdb2ebf4d6793e0292e363 Author: Julian Poidevin <julian-poidevin@users.noreply.github.com> Date: Fri Feb 14 02:43:36 2020 +0100 Fixed wrong git clone SSH command (#13) Replaced bad https URL with proper SSH URL commit fc819b821715c42602819e58499846147a6394f5 Author: RichardBarry <3073890+RichardBarry@users.noreply.github.com> Date: Thu Feb 13 17:42:22 2020 -0800 Correct the xTimerCreate() documentation which said NULL was returned if the timer period was passed into the function as 0, whereas that is not the case. (#15) Add a note to the documentation for both the xTimerCreate() and xTimerCreateStatic() functions that the timer period must be greater than 0. commit 1c711ab530b5f0dbd811d7d62e0a3763706ffff4 Author: Rashed Talukder <9218468+rashedtalukder@users.noreply.github.com> Date: Wed Feb 12 23:00:18 2020 -0800 Updated contributions guidelines (#12) commit 84fcc0d5317d96c6b086034093c8c1c83e050819 Author: Cobus van Eeden <35851496+cobusve@users.noreply.github.com> Date: Wed Feb 12 15:05:06 2020 -0800 Updates to Markdown files and readme.txt (#11) git-svn-id: http://svn.code.sf.net/p/freertos/code/trunk@2826 1d2547de-c912-0410-9cb9-b8ca96c0e9e2
Diffstat (limited to 'FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/rsa.c')
-rw-r--r--FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/rsa.c4333
1 files changed, 3781 insertions, 552 deletions
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/rsa.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/rsa.c
index 1a5021783..69ab7b21b 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/rsa.c
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/rsa.c
@@ -1,8 +1,8 @@
/* rsa.c
*
- * Copyright (C) 2006-2015 wolfSSL Inc.
+ * Copyright (C) 2006-2020 wolfSSL Inc.
*
- * This file is part of wolfSSL. (formerly known as CyaSSL)
+ * This file is part of wolfSSL.
*
* wolfSSL is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@@ -16,22 +16,82 @@
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
*/
+
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
#include <wolfssl/wolfcrypt/settings.h>
+#include <wolfssl/wolfcrypt/error-crypt.h>
#ifndef NO_RSA
+#if defined(HAVE_FIPS) && \
+ defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
+
+ /* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */
+ #define FIPS_NO_WRAPPERS
+
+ #ifdef USE_WINDOWS_API
+ #pragma code_seg(".fipsA$e")
+ #pragma const_seg(".fipsB$e")
+ #endif
+#endif
+
#include <wolfssl/wolfcrypt/rsa.h>
-#ifdef HAVE_FIPS
+#ifdef WOLFSSL_AFALG_XILINX_RSA
+#include <wolfssl/wolfcrypt/port/af_alg/wc_afalg.h>
+#endif
+
+#ifdef WOLFSSL_HAVE_SP_RSA
+#include <wolfssl/wolfcrypt/sp.h>
+#endif
+
+/*
+Possible RSA enable options:
+ * NO_RSA: Overall control of RSA default: on (not defined)
+ * WC_RSA_BLINDING: Uses Blinding w/ Private Ops default: off
+ Note: slower by ~20%
+ * WOLFSSL_KEY_GEN: Allows Private Key Generation default: off
+ * RSA_LOW_MEM: NON CRT Private Operations, less memory default: off
+ * WC_NO_RSA_OAEP: Disables RSA OAEP padding default: on (not defined)
+ * WC_RSA_NONBLOCK: Enables support for RSA non-blocking default: off
+ * WC_RSA_NONBLOCK_TIME:Enables support for time based blocking default: off
+ * time calculation.
+*/
+
+/*
+RSA Key Size Configuration:
+ * FP_MAX_BITS: With USE_FAST_MATH only default: 4096
+ If USE_FAST_MATH then use this to override default.
+ Value is key size * 2. Example: RSA 3072 = 6144
+*/
+
+
+/* If building for old FIPS. */
+#if defined(HAVE_FIPS) && \
+ (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2))
+
int wc_InitRsaKey(RsaKey* key, void* ptr)
{
+ if (key == NULL) {
+ return BAD_FUNC_ARG;
+ }
+
+ return InitRsaKey_fips(key, ptr);
+}
+
+
+int wc_InitRsaKey_ex(RsaKey* key, void* ptr, int devId)
+{
+ (void)devId;
+ if (key == NULL) {
+ return BAD_FUNC_ARG;
+ }
return InitRsaKey_fips(key, ptr);
}
@@ -42,16 +102,25 @@ int wc_FreeRsaKey(RsaKey* key)
}
+#ifndef WOLFSSL_RSA_VERIFY_ONLY
int wc_RsaPublicEncrypt(const byte* in, word32 inLen, byte* out,
- word32 outLen, RsaKey* key, RNG* rng)
+ word32 outLen, RsaKey* key, WC_RNG* rng)
{
+ if (in == NULL || out == NULL || key == NULL || rng == NULL) {
+ return BAD_FUNC_ARG;
+ }
return RsaPublicEncrypt_fips(in, inLen, out, outLen, key, rng);
}
+#endif
+#ifndef WOLFSSL_RSA_PUBLIC_ONLY
int wc_RsaPrivateDecryptInline(byte* in, word32 inLen, byte** out,
RsaKey* key)
{
+ if (in == NULL || out == NULL || key == NULL) {
+ return BAD_FUNC_ARG;
+ }
return RsaPrivateDecryptInline_fips(in, inLen, out, key);
}
@@ -59,19 +128,29 @@ int wc_RsaPrivateDecryptInline(byte* in, word32 inLen, byte** out,
int wc_RsaPrivateDecrypt(const byte* in, word32 inLen, byte* out,
word32 outLen, RsaKey* key)
{
+ if (in == NULL || out == NULL || key == NULL) {
+ return BAD_FUNC_ARG;
+ }
return RsaPrivateDecrypt_fips(in, inLen, out, outLen, key);
}
int wc_RsaSSL_Sign(const byte* in, word32 inLen, byte* out,
- word32 outLen, RsaKey* key, RNG* rng)
+ word32 outLen, RsaKey* key, WC_RNG* rng)
{
+ if (in == NULL || out == NULL || key == NULL || inLen == 0) {
+ return BAD_FUNC_ARG;
+ }
return RsaSSL_Sign_fips(in, inLen, out, outLen, key, rng);
}
+#endif
int wc_RsaSSL_VerifyInline(byte* in, word32 inLen, byte** out, RsaKey* key)
{
+ if (in == NULL || out == NULL || key == NULL) {
+ return BAD_FUNC_ARG;
+ }
return RsaSSL_VerifyInline_fips(in, inLen, out, key);
}
@@ -79,177 +158,1123 @@ int wc_RsaSSL_VerifyInline(byte* in, word32 inLen, byte** out, RsaKey* key)
int wc_RsaSSL_Verify(const byte* in, word32 inLen, byte* out,
word32 outLen, RsaKey* key)
{
+ if (in == NULL || out == NULL || key == NULL || inLen == 0) {
+ return BAD_FUNC_ARG;
+ }
return RsaSSL_Verify_fips(in, inLen, out, outLen, key);
}
int wc_RsaEncryptSize(RsaKey* key)
{
+ if (key == NULL) {
+ return BAD_FUNC_ARG;
+ }
return RsaEncryptSize_fips(key);
}
+#ifndef WOLFSSL_RSA_VERIFY_ONLY
int wc_RsaFlattenPublicKey(RsaKey* key, byte* a, word32* aSz, byte* b,
word32* bSz)
{
+
/* not specified as fips so not needing _fips */
return RsaFlattenPublicKey(key, a, aSz, b, bSz);
}
-#ifdef WOLFSSL_KEY_GEN
- int wc_MakeRsaKey(RsaKey* key, int size, long e, RNG* rng)
- {
- return MakeRsaKey(key, size, e, rng);
- }
#endif
-#ifdef HAVE_CAVIUM
- int wc_RsaInitCavium(RsaKey* key, int i)
- {
- return RsaInitCavium(key, i);
- }
-
-
- void wc_RsaFreeCavium(RsaKey* key)
+#ifdef WOLFSSL_KEY_GEN
+ int wc_MakeRsaKey(RsaKey* key, int size, long e, WC_RNG* rng)
{
- RsaFreeCavium(key);
+ return MakeRsaKey(key, size, e, rng);
}
#endif
+
/* these are functions in asn and are routed to wolfssl/wolfcrypt/asn.c
* wc_RsaPrivateKeyDecode
* wc_RsaPublicKeyDecode
*/
-#else /* else build without fips */
+#else /* else build without fips, or for new fips */
+
#include <wolfssl/wolfcrypt/random.h>
-#include <wolfssl/wolfcrypt/error-crypt.h>
#include <wolfssl/wolfcrypt/logging.h>
+#ifdef WOLF_CRYPTO_CB
+ #include <wolfssl/wolfcrypt/cryptocb.h>
+#endif
#ifdef NO_INLINE
#include <wolfssl/wolfcrypt/misc.h>
#else
+ #define WOLFSSL_MISC_INCLUDED
#include <wolfcrypt/src/misc.c>
#endif
-#ifdef SHOW_GEN
- #ifdef FREESCALE_MQX
- #include <fio.h>
- #else
- #include <stdio.h>
- #endif
+
+enum {
+ RSA_STATE_NONE = 0,
+
+ RSA_STATE_ENCRYPT_PAD,
+ RSA_STATE_ENCRYPT_EXPTMOD,
+ RSA_STATE_ENCRYPT_RES,
+
+ RSA_STATE_DECRYPT_EXPTMOD,
+ RSA_STATE_DECRYPT_UNPAD,
+ RSA_STATE_DECRYPT_RES,
+};
+
+
+static void wc_RsaCleanup(RsaKey* key)
+{
+#ifndef WOLFSSL_RSA_VERIFY_INLINE
+ if (key && key->data) {
+ /* make sure any allocated memory is free'd */
+ if (key->dataIsAlloc) {
+ #ifndef WOLFSSL_RSA_PUBLIC_ONLY
+ if (key->type == RSA_PRIVATE_DECRYPT ||
+ key->type == RSA_PRIVATE_ENCRYPT) {
+ ForceZero(key->data, key->dataLen);
+ }
+ #endif
+ XFREE(key->data, key->heap, DYNAMIC_TYPE_WOLF_BIGINT);
+ key->dataIsAlloc = 0;
+ }
+ key->data = NULL;
+ key->dataLen = 0;
+ }
+#else
+ (void)key;
#endif
+}
+
+int wc_InitRsaKey_ex(RsaKey* key, void* heap, int devId)
+{
+ int ret = 0;
-#ifdef HAVE_CAVIUM
- static int InitCaviumRsaKey(RsaKey* key, void* heap);
- static int FreeCaviumRsaKey(RsaKey* key);
- static int CaviumRsaPublicEncrypt(const byte* in, word32 inLen, byte* out,
- word32 outLen, RsaKey* key);
- static int CaviumRsaPrivateDecrypt(const byte* in, word32 inLen, byte* out,
- word32 outLen, RsaKey* key);
- static int CaviumRsaSSL_Sign(const byte* in, word32 inLen, byte* out,
- word32 outLen, RsaKey* key);
- static int CaviumRsaSSL_Verify(const byte* in, word32 inLen, byte* out,
- word32 outLen, RsaKey* key);
+ if (key == NULL) {
+ return BAD_FUNC_ARG;
+ }
+
+ XMEMSET(key, 0, sizeof(RsaKey));
+
+ key->type = RSA_TYPE_UNKNOWN;
+ key->state = RSA_STATE_NONE;
+ key->heap = heap;
+#ifndef WOLFSSL_RSA_VERIFY_INLINE
+ key->dataIsAlloc = 0;
+ key->data = NULL;
+#endif
+ key->dataLen = 0;
+#ifdef WC_RSA_BLINDING
+ key->rng = NULL;
#endif
-enum {
- RSA_PUBLIC_ENCRYPT = 0,
- RSA_PUBLIC_DECRYPT = 1,
- RSA_PRIVATE_ENCRYPT = 2,
- RSA_PRIVATE_DECRYPT = 3,
+#ifdef WOLF_CRYPTO_CB
+ key->devId = devId;
+#else
+ (void)devId;
+#endif
- RSA_BLOCK_TYPE_1 = 1,
- RSA_BLOCK_TYPE_2 = 2,
+#ifdef WOLFSSL_ASYNC_CRYPT
+ #ifdef WOLFSSL_CERT_GEN
+ XMEMSET(&key->certSignCtx, 0, sizeof(CertSignCtx));
+ #endif
- RSA_MIN_SIZE = 512,
- RSA_MAX_SIZE = 4096,
+ #ifdef WC_ASYNC_ENABLE_RSA
+ /* handle as async */
+ ret = wolfAsync_DevCtxInit(&key->asyncDev, WOLFSSL_ASYNC_MARKER_RSA,
+ key->heap, devId);
+ if (ret != 0)
+ return ret;
+ #endif /* WC_ASYNC_ENABLE_RSA */
+#endif /* WOLFSSL_ASYNC_CRYPT */
- RSA_MIN_PAD_SZ = 11 /* seperator + 0 + pad value + 8 pads */
-};
+#ifndef WOLFSSL_RSA_PUBLIC_ONLY
+ ret = mp_init_multi(&key->n, &key->e, NULL, NULL, NULL, NULL);
+ if (ret != MP_OKAY)
+ return ret;
+#if !defined(WOLFSSL_KEY_GEN) && !defined(OPENSSL_EXTRA) && defined(RSA_LOW_MEM)
+ ret = mp_init_multi(&key->d, &key->p, &key->q, NULL, NULL, NULL);
+#else
+ ret = mp_init_multi(&key->d, &key->p, &key->q, &key->dP, &key->dQ, &key->u);
+#endif
+ if (ret != MP_OKAY) {
+ mp_clear(&key->n);
+ mp_clear(&key->e);
+ return ret;
+ }
+#else
+ ret = mp_init(&key->n);
+ if (ret != MP_OKAY)
+ return ret;
+ ret = mp_init(&key->e);
+ if (ret != MP_OKAY) {
+ mp_clear(&key->n);
+ return ret;
+ }
+#endif
+
+#ifdef WOLFSSL_XILINX_CRYPT
+ key->pubExp = 0;
+ key->mod = NULL;
+#endif
+
+#ifdef WOLFSSL_AFALG_XILINX_RSA
+ key->alFd = WC_SOCK_NOTSET;
+ key->rdFd = WC_SOCK_NOTSET;
+#endif
+
+ return ret;
+}
int wc_InitRsaKey(RsaKey* key, void* heap)
{
-#ifdef HAVE_CAVIUM
- if (key->magic == WOLFSSL_RSA_CAVIUM_MAGIC)
- return InitCaviumRsaKey(key, heap);
+ return wc_InitRsaKey_ex(key, heap, INVALID_DEVID);
+}
+
+#ifdef HAVE_PKCS11
+int wc_InitRsaKey_Id(RsaKey* key, unsigned char* id, int len, void* heap,
+ int devId)
+{
+ int ret = 0;
+
+ if (key == NULL)
+ ret = BAD_FUNC_ARG;
+ if (ret == 0 && (len < 0 || len > RSA_MAX_ID_LEN))
+ ret = BUFFER_E;
+
+ if (ret == 0)
+ ret = wc_InitRsaKey_ex(key, heap, devId);
+
+ if (ret == 0 && id != NULL && len != 0) {
+ XMEMCPY(key->id, id, len);
+ key->idLen = len;
+ }
+
+ return ret;
+}
#endif
- key->type = -1; /* haven't decided yet */
- key->heap = heap;
-/* TomsFastMath doesn't use memory allocation */
-#ifndef USE_FAST_MATH
- key->n.dp = key->e.dp = 0; /* public alloc parts */
+#ifdef WOLFSSL_XILINX_CRYPT
+#define MAX_E_SIZE 4
+/* Used to setup hardware state
+ *
+ * key the RSA key to setup
+ *
+ * returns 0 on success
+ */
+int wc_InitRsaHw(RsaKey* key)
+{
+ unsigned char* m; /* RSA modulous */
+ word32 e = 0; /* RSA public exponent */
+ int mSz;
+ int eSz;
- key->d.dp = key->p.dp = 0; /* private alloc parts */
- key->q.dp = key->dP.dp = 0;
- key->u.dp = key->dQ.dp = 0;
-#else
- mp_init(&key->n);
- mp_init(&key->e);
- mp_init(&key->d);
- mp_init(&key->p);
- mp_init(&key->q);
- mp_init(&key->dP);
- mp_init(&key->dQ);
- mp_init(&key->u);
+ if (key == NULL) {
+ return BAD_FUNC_ARG;
+ }
+
+ mSz = mp_unsigned_bin_size(&(key->n));
+ m = (unsigned char*)XMALLOC(mSz, key->heap, DYNAMIC_TYPE_KEY);
+ if (m == 0) {
+ return MEMORY_E;
+ }
+
+ if (mp_to_unsigned_bin(&(key->n), m) != MP_OKAY) {
+ WOLFSSL_MSG("Unable to get RSA key modulus");
+ XFREE(m, key->heap, DYNAMIC_TYPE_KEY);
+ return MP_READ_E;
+ }
+
+ eSz = mp_unsigned_bin_size(&(key->e));
+ if (eSz > MAX_E_SIZE) {
+ WOLFSSL_MSG("Exponent of size 4 bytes expected");
+ XFREE(m, key->heap, DYNAMIC_TYPE_KEY);
+ return BAD_FUNC_ARG;
+ }
+
+ if (mp_to_unsigned_bin(&(key->e), (byte*)&e + (MAX_E_SIZE - eSz))
+ != MP_OKAY) {
+ XFREE(m, key->heap, DYNAMIC_TYPE_KEY);
+ WOLFSSL_MSG("Unable to get RSA key exponent");
+ return MP_READ_E;
+ }
+
+ /* check for existing mod buffer to avoid memory leak */
+ if (key->mod != NULL) {
+ XFREE(key->mod, key->heap, DYNAMIC_TYPE_KEY);
+ }
+
+ key->pubExp = e;
+ key->mod = m;
+
+ if (XSecure_RsaInitialize(&(key->xRsa), key->mod, NULL,
+ (byte*)&(key->pubExp)) != XST_SUCCESS) {
+ WOLFSSL_MSG("Unable to initialize RSA on hardware");
+ XFREE(m, key->heap, DYNAMIC_TYPE_KEY);
+ return BAD_STATE_E;
+ }
+
+#ifdef WOLFSSL_XILINX_PATCH
+ /* currently a patch of xsecure_rsa.c for 2048 bit keys */
+ if (wc_RsaEncryptSize(key) == 256) {
+ if (XSecure_RsaSetSize(&(key->xRsa), 2048) != XST_SUCCESS) {
+ WOLFSSL_MSG("Unable to set RSA key size on hardware");
+ XFREE(m, key->heap, DYNAMIC_TYPE_KEY);
+ return BAD_STATE_E;
+ }
+ }
#endif
+ return 0;
+} /* WOLFSSL_XILINX_CRYPT*/
+
+#elif defined(WOLFSSL_CRYPTOCELL)
+
+int wc_InitRsaHw(RsaKey* key)
+{
+ CRYSError_t ret = 0;
+ byte e[3];
+ word32 eSz = sizeof(e);
+ byte n[256];
+ word32 nSz = sizeof(n);
+ byte d[256];
+ word32 dSz = sizeof(d);
+ byte p[128];
+ word32 pSz = sizeof(p);
+ byte q[128];
+ word32 qSz = sizeof(q);
+
+ if (key == NULL) {
+ return BAD_FUNC_ARG;
+ }
+
+ ret = wc_RsaExportKey(key, e, &eSz, n, &nSz, d, &dSz, p, &pSz, q, &qSz);
+ if (ret != 0)
+ return MP_READ_E;
+
+ ret = CRYS_RSA_Build_PubKey(&key->ctx.pubKey, e, eSz, n, nSz);
+ if (ret != SA_SILIB_RET_OK){
+ WOLFSSL_MSG("CRYS_RSA_Build_PubKey failed");
+ return ret;
+ }
+
+ ret = CRYS_RSA_Build_PrivKey(&key->ctx.privKey, d, dSz, e, eSz, n, nSz);
+ if (ret != SA_SILIB_RET_OK){
+ WOLFSSL_MSG("CRYS_RSA_Build_PrivKey failed");
+ return ret;
+ }
+ key->type = RSA_PRIVATE;
return 0;
}
+static int cc310_RSA_GenerateKeyPair(RsaKey* key, int size, long e)
+{
+ CRYSError_t ret = 0;
+ CRYS_RSAKGData_t KeyGenData;
+ CRYS_RSAKGFipsContext_t FipsCtx;
+ byte ex[3];
+ uint16_t eSz = sizeof(ex);
+ byte n[256];
+ uint16_t nSz = sizeof(n);
+
+ ret = CRYS_RSA_KG_GenerateKeyPair(&wc_rndState,
+ wc_rndGenVectFunc,
+ (byte*)&e,
+ 3*sizeof(uint8_t),
+ size,
+ &key->ctx.privKey,
+ &key->ctx.pubKey,
+ &KeyGenData,
+ &FipsCtx);
+
+ if (ret != SA_SILIB_RET_OK){
+ WOLFSSL_MSG("CRYS_RSA_KG_GenerateKeyPair failed");
+ return ret;
+ }
+ ret = CRYS_RSA_Get_PubKey(&key->ctx.pubKey, ex, &eSz, n, &nSz);
+ if (ret != SA_SILIB_RET_OK){
+ WOLFSSL_MSG("CRYS_RSA_Get_PubKey failed");
+ return ret;
+ }
+ ret = wc_RsaPublicKeyDecodeRaw(n, nSz, ex, eSz, key);
+
+ key->type = RSA_PRIVATE;
+
+ return ret;
+}
+#endif /* WOLFSSL_CRYPTOCELL */
int wc_FreeRsaKey(RsaKey* key)
{
- (void)key;
+ int ret = 0;
-#ifdef HAVE_CAVIUM
- if (key->magic == WOLFSSL_RSA_CAVIUM_MAGIC)
- return FreeCaviumRsaKey(key);
+ if (key == NULL) {
+ return BAD_FUNC_ARG;
+ }
+
+ wc_RsaCleanup(key);
+
+#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_RSA)
+ wolfAsync_DevCtxFree(&key->asyncDev, WOLFSSL_ASYNC_MARKER_RSA);
#endif
-/* TomsFastMath doesn't use memory allocation */
-#ifndef USE_FAST_MATH
+#ifndef WOLFSSL_RSA_PUBLIC_ONLY
if (key->type == RSA_PRIVATE) {
- mp_clear(&key->u);
- mp_clear(&key->dQ);
- mp_clear(&key->dP);
- mp_clear(&key->q);
- mp_clear(&key->p);
- mp_clear(&key->d);
+#if defined(WOLFSSL_KEY_GEN) || defined(OPENSSL_EXTRA) || !defined(RSA_LOW_MEM)
+ mp_forcezero(&key->u);
+ mp_forcezero(&key->dQ);
+ mp_forcezero(&key->dP);
+#endif
+ mp_forcezero(&key->q);
+ mp_forcezero(&key->p);
+ mp_forcezero(&key->d);
}
+ /* private part */
+#if defined(WOLFSSL_KEY_GEN) || defined(OPENSSL_EXTRA) || !defined(RSA_LOW_MEM)
+ mp_clear(&key->u);
+ mp_clear(&key->dQ);
+ mp_clear(&key->dP);
+#endif
+ mp_clear(&key->q);
+ mp_clear(&key->p);
+ mp_clear(&key->d);
+#endif /* WOLFSSL_RSA_PUBLIC_ONLY */
+
+ /* public part */
mp_clear(&key->e);
mp_clear(&key->n);
+
+#ifdef WOLFSSL_XILINX_CRYPT
+ XFREE(key->mod, key->heap, DYNAMIC_TYPE_KEY);
+ key->mod = NULL;
+#endif
+
+#ifdef WOLFSSL_AFALG_XILINX_RSA
+ /* make sure that sockets are closed on cleanup */
+ if (key->alFd > 0) {
+ close(key->alFd);
+ key->alFd = WC_SOCK_NOTSET;
+ }
+ if (key->rdFd > 0) {
+ close(key->rdFd);
+ key->rdFd = WC_SOCK_NOTSET;
+ }
+#endif
+
+ return ret;
+}
+
+#ifndef WOLFSSL_RSA_PUBLIC_ONLY
+#if defined(WOLFSSL_KEY_GEN) && !defined(WOLFSSL_NO_RSA_KEY_CHECK)
+/* Check the pair-wise consistency of the RSA key.
+ * From NIST SP 800-56B, section 6.4.1.1.
+ * Verify that k = (k^e)^d, for some k: 1 < k < n-1. */
+int wc_CheckRsaKey(RsaKey* key)
+{
+#if defined(WOLFSSL_CRYPTOCELL)
+ return 0;
+#endif
+#ifdef WOLFSSL_SMALL_STACK
+ mp_int *k = NULL, *tmp = NULL;
+#else
+ mp_int k[1], tmp[1];
+#endif
+ int ret = 0;
+
+#ifdef WOLFSSL_SMALL_STACK
+ k = (mp_int*)XMALLOC(sizeof(mp_int) * 2, NULL, DYNAMIC_TYPE_RSA);
+ if (k == NULL)
+ return MEMORY_E;
+ tmp = k + 1;
+#endif
+
+ if (mp_init_multi(k, tmp, NULL, NULL, NULL, NULL) != MP_OKAY)
+ ret = MP_INIT_E;
+
+ if (ret == 0) {
+ if (key == NULL)
+ ret = BAD_FUNC_ARG;
+ }
+
+ if (ret == 0) {
+ if (mp_set_int(k, 0x2342) != MP_OKAY)
+ ret = MP_READ_E;
+ }
+
+#ifdef WOLFSSL_HAVE_SP_RSA
+#ifndef WOLFSSL_SP_NO_2048
+ if (mp_count_bits(&key->n) == 2048) {
+ ret = sp_ModExp_2048(k, &key->e, &key->n, tmp);
+ if (ret != 0)
+ ret = MP_EXPTMOD_E;
+ ret = sp_ModExp_2048(tmp, &key->d, &key->n, tmp);
+ if (ret != 0)
+ ret = MP_EXPTMOD_E;
+ }
+ else
+#endif
+#ifndef WOLFSSL_SP_NO_3072
+ if (mp_count_bits(&key->n) == 3072) {
+ ret = sp_ModExp_3072(k, &key->e, &key->n, tmp);
+ if (ret != 0)
+ ret = MP_EXPTMOD_E;
+ ret = sp_ModExp_3072(tmp, &key->d, &key->n, tmp);
+ if (ret != 0)
+ ret = MP_EXPTMOD_E;
+ }
+ else
+#endif
+#ifdef WOLFSSL_SP_4096
+ if (mp_count_bits(&key->n) == 4096) {
+ ret = sp_ModExp_4096(k, &key->e, &key->n, tmp);
+ if (ret != 0)
+ ret = MP_EXPTMOD_E;
+ ret = sp_ModExp_4096(tmp, &key->d, &key->n, tmp);
+ if (ret != 0)
+ ret = MP_EXPTMOD_E;
+ }
+ else
+#endif
+#endif
+#ifdef WOLFSSL_SP_MATH
+ {
+ ret = WC_KEY_SIZE_E;
+ }
+#else
+ {
+ if (ret == 0) {
+ if (mp_exptmod(k, &key->e, &key->n, tmp) != MP_OKAY)
+ ret = MP_EXPTMOD_E;
+ }
+
+ if (ret == 0) {
+ if (mp_exptmod(tmp, &key->d, &key->n, tmp) != MP_OKAY)
+ ret = MP_EXPTMOD_E;
+ }
+ }
+#endif
+
+ if (ret == 0) {
+ if (mp_cmp(k, tmp) != MP_EQ)
+ ret = RSA_KEY_PAIR_E;
+ }
+
+ /* Check d is less than n. */
+ if (ret == 0 ) {
+ if (mp_cmp(&key->d, &key->n) != MP_LT) {
+ ret = MP_EXPTMOD_E;
+ }
+ }
+ /* Check p*q = n. */
+ if (ret == 0 ) {
+ if (mp_mul(&key->p, &key->q, tmp) != MP_OKAY) {
+ ret = MP_EXPTMOD_E;
+ }
+ }
+ if (ret == 0 ) {
+ if (mp_cmp(&key->n, tmp) != MP_EQ) {
+ ret = MP_EXPTMOD_E;
+ }
+ }
+
+ /* Check dP, dQ and u if they exist */
+ if (ret == 0 && !mp_iszero(&key->dP)) {
+ if (mp_sub_d(&key->p, 1, tmp) != MP_OKAY) {
+ ret = MP_EXPTMOD_E;
+ }
+ /* Check dP <= p-1. */
+ if (ret == 0) {
+ if (mp_cmp(&key->dP, tmp) != MP_LT) {
+ ret = MP_EXPTMOD_E;
+ }
+ }
+ /* Check e*dP mod p-1 = 1. (dP = 1/e mod p-1) */
+ if (ret == 0) {
+ if (mp_mulmod(&key->dP, &key->e, tmp, tmp) != MP_OKAY) {
+ ret = MP_EXPTMOD_E;
+ }
+ }
+ if (ret == 0 ) {
+ if (!mp_isone(tmp)) {
+ ret = MP_EXPTMOD_E;
+ }
+ }
+
+ if (ret == 0) {
+ if (mp_sub_d(&key->q, 1, tmp) != MP_OKAY) {
+ ret = MP_EXPTMOD_E;
+ }
+ }
+ /* Check dQ <= q-1. */
+ if (ret == 0) {
+ if (mp_cmp(&key->dQ, tmp) != MP_LT) {
+ ret = MP_EXPTMOD_E;
+ }
+ }
+ /* Check e*dP mod p-1 = 1. (dQ = 1/e mod q-1) */
+ if (ret == 0) {
+ if (mp_mulmod(&key->dQ, &key->e, tmp, tmp) != MP_OKAY) {
+ ret = MP_EXPTMOD_E;
+ }
+ }
+ if (ret == 0 ) {
+ if (!mp_isone(tmp)) {
+ ret = MP_EXPTMOD_E;
+ }
+ }
+
+ /* Check u <= p. */
+ if (ret == 0) {
+ if (mp_cmp(&key->u, &key->p) != MP_LT) {
+ ret = MP_EXPTMOD_E;
+ }
+ }
+ /* Check u*q mod p = 1. (u = 1/q mod p) */
+ if (ret == 0) {
+ if (mp_mulmod(&key->u, &key->q, &key->p, tmp) != MP_OKAY) {
+ ret = MP_EXPTMOD_E;
+ }
+ }
+ if (ret == 0 ) {
+ if (!mp_isone(tmp)) {
+ ret = MP_EXPTMOD_E;
+ }
+ }
+ }
+
+ mp_forcezero(tmp);
+ mp_clear(tmp);
+ mp_clear(k);
+#ifdef WOLFSSL_SMALL_STACK
+ XFREE(k, NULL, DYNAMIC_TYPE_RSA);
+#endif
+
+ return ret;
+}
#endif
+#endif
+
+
+#if !defined(WC_NO_RSA_OAEP) || defined(WC_RSA_PSS)
+/* Uses MGF1 standard as a mask generation function
+ hType: hash type used
+ seed: seed to use for generating mask
+ seedSz: size of seed buffer
+ out: mask output after generation
+ outSz: size of output buffer
+ */
+#if !defined(NO_SHA) || !defined(NO_SHA256) || defined(WOLFSSL_SHA384) || defined(WOLFSSL_SHA512)
+static int RsaMGF1(enum wc_HashType hType, byte* seed, word32 seedSz,
+ byte* out, word32 outSz, void* heap)
+{
+ byte* tmp;
+ /* needs to be large enough for seed size plus counter(4) */
+ byte tmpA[WC_MAX_DIGEST_SIZE + 4];
+ byte tmpF; /* 1 if dynamic memory needs freed */
+ word32 tmpSz;
+ int hLen;
+ int ret;
+ word32 counter;
+ word32 idx;
+ hLen = wc_HashGetDigestSize(hType);
+ counter = 0;
+ idx = 0;
+
+ (void)heap;
+
+ /* check error return of wc_HashGetDigestSize */
+ if (hLen < 0) {
+ return hLen;
+ }
+
+ /* if tmp is not large enough than use some dynamic memory */
+ if ((seedSz + 4) > sizeof(tmpA) || (word32)hLen > sizeof(tmpA)) {
+ /* find largest amount of memory needed which will be the max of
+ * hLen and (seedSz + 4) since tmp is used to store the hash digest */
+ tmpSz = ((seedSz + 4) > (word32)hLen)? seedSz + 4: (word32)hLen;
+ tmp = (byte*)XMALLOC(tmpSz, heap, DYNAMIC_TYPE_RSA_BUFFER);
+ if (tmp == NULL) {
+ return MEMORY_E;
+ }
+ tmpF = 1; /* make sure to free memory when done */
+ }
+ else {
+ /* use array on the stack */
+ tmpSz = sizeof(tmpA);
+ tmp = tmpA;
+ tmpF = 0; /* no need to free memory at end */
+ }
+
+ do {
+ int i = 0;
+ XMEMCPY(tmp, seed, seedSz);
+
+ /* counter to byte array appended to tmp */
+ tmp[seedSz] = (counter >> 24) & 0xFF;
+ tmp[seedSz + 1] = (counter >> 16) & 0xFF;
+ tmp[seedSz + 2] = (counter >> 8) & 0xFF;
+ tmp[seedSz + 3] = (counter) & 0xFF;
+
+ /* hash and append to existing output */
+ if ((ret = wc_Hash(hType, tmp, (seedSz + 4), tmp, tmpSz)) != 0) {
+ /* check for if dynamic memory was needed, then free */
+ if (tmpF) {
+ XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER);
+ }
+ return ret;
+ }
+
+ for (i = 0; i < hLen && idx < outSz; i++) {
+ out[idx++] = tmp[i];
+ }
+ counter++;
+ } while (idx < outSz);
+
+ /* check for if dynamic memory was needed, then free */
+ if (tmpF) {
+ XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER);
+ }
return 0;
}
+#endif /* SHA2 Hashes */
-static int wc_RsaPad(const byte* input, word32 inputLen, byte* pkcsBlock,
- word32 pkcsBlockLen, byte padValue, RNG* rng)
+/* helper function to direct which mask generation function is used
+ switched on type input
+ */
+static int RsaMGF(int type, byte* seed, word32 seedSz, byte* out,
+ word32 outSz, void* heap)
{
- if (inputLen == 0)
- return 0;
+ int ret;
+
+ switch(type) {
+ #ifndef NO_SHA
+ case WC_MGF1SHA1:
+ ret = RsaMGF1(WC_HASH_TYPE_SHA, seed, seedSz, out, outSz, heap);
+ break;
+ #endif
+ #ifndef NO_SHA256
+ #ifdef WOLFSSL_SHA224
+ case WC_MGF1SHA224:
+ ret = RsaMGF1(WC_HASH_TYPE_SHA224, seed, seedSz, out, outSz, heap);
+ break;
+ #endif
+ case WC_MGF1SHA256:
+ ret = RsaMGF1(WC_HASH_TYPE_SHA256, seed, seedSz, out, outSz, heap);
+ break;
+ #endif
+ #ifdef WOLFSSL_SHA384
+ case WC_MGF1SHA384:
+ ret = RsaMGF1(WC_HASH_TYPE_SHA384, seed, seedSz, out, outSz, heap);
+ break;
+ #endif
+ #ifdef WOLFSSL_SHA512
+ case WC_MGF1SHA512:
+ ret = RsaMGF1(WC_HASH_TYPE_SHA512, seed, seedSz, out, outSz, heap);
+ break;
+ #endif
+ default:
+ WOLFSSL_MSG("Unknown MGF type: check build options");
+ ret = BAD_FUNC_ARG;
+ }
+
+ /* in case of default avoid unused warning */
+ (void)seed;
+ (void)seedSz;
+ (void)out;
+ (void)outSz;
+ (void)heap;
+
+ return ret;
+}
+#endif /* !WC_NO_RSA_OAEP || WC_RSA_PSS */
+
+
+/* Padding */
+#ifndef WOLFSSL_RSA_VERIFY_ONLY
+#ifndef WC_NO_RNG
+#ifndef WC_NO_RSA_OAEP
+static int RsaPad_OAEP(const byte* input, word32 inputLen, byte* pkcsBlock,
+ word32 pkcsBlockLen, byte padValue, WC_RNG* rng,
+ enum wc_HashType hType, int mgf, byte* optLabel, word32 labelLen,
+ void* heap)
+{
+ int ret;
+ int hLen;
+ int psLen;
+ int i;
+ word32 idx;
+
+ byte* dbMask;
+
+ #ifdef WOLFSSL_SMALL_STACK
+ byte* lHash = NULL;
+ byte* seed = NULL;
+ #else
+ /* must be large enough to contain largest hash */
+ byte lHash[WC_MAX_DIGEST_SIZE];
+ byte seed[ WC_MAX_DIGEST_SIZE];
+ #endif
+
+ /* no label is allowed, but catch if no label provided and length > 0 */
+ if (optLabel == NULL && labelLen > 0) {
+ return BUFFER_E;
+ }
+
+ /* limit of label is the same as limit of hash function which is massive */
+ hLen = wc_HashGetDigestSize(hType);
+ if (hLen < 0) {
+ return hLen;
+ }
+
+ #ifdef WOLFSSL_SMALL_STACK
+ lHash = (byte*)XMALLOC(hLen, heap, DYNAMIC_TYPE_RSA_BUFFER);
+ if (lHash == NULL) {
+ return MEMORY_E;
+ }
+ seed = (byte*)XMALLOC(hLen, heap, DYNAMIC_TYPE_RSA_BUFFER);
+ if (seed == NULL) {
+ XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
+ return MEMORY_E;
+ }
+ #else
+ /* hLen should never be larger than lHash since size is max digest size,
+ but check before blindly calling wc_Hash */
+ if ((word32)hLen > sizeof(lHash)) {
+ WOLFSSL_MSG("OAEP lHash to small for digest!!");
+ return MEMORY_E;
+ }
+ #endif
+
+ if ((ret = wc_Hash(hType, optLabel, labelLen, lHash, hLen)) != 0) {
+ WOLFSSL_MSG("OAEP hash type possibly not supported or lHash to small");
+ #ifdef WOLFSSL_SMALL_STACK
+ XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
+ XFREE(seed, heap, DYNAMIC_TYPE_RSA_BUFFER);
+ #endif
+ return ret;
+ }
+
+ /* handles check of location for idx as well as psLen, cast to int to check
+ for pkcsBlockLen(k) - 2 * hLen - 2 being negative
+ This check is similar to decryption where k > 2 * hLen + 2 as msg
+ size approaches 0. In decryption if k is less than or equal -- then there
+ is no possible room for msg.
+ k = RSA key size
+ hLen = hash digest size -- will always be >= 0 at this point
+ */
+ if ((word32)(2 * hLen + 2) > pkcsBlockLen) {
+ WOLFSSL_MSG("OAEP pad error hash to big for RSA key size");
+ #ifdef WOLFSSL_SMALL_STACK
+ XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
+ XFREE(seed, heap, DYNAMIC_TYPE_RSA_BUFFER);
+ #endif
+ return BAD_FUNC_ARG;
+ }
+
+ if (inputLen > (pkcsBlockLen - 2 * hLen - 2)) {
+ WOLFSSL_MSG("OAEP pad error message too long");
+ #ifdef WOLFSSL_SMALL_STACK
+ XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
+ XFREE(seed, heap, DYNAMIC_TYPE_RSA_BUFFER);
+ #endif
+ return BAD_FUNC_ARG;
+ }
+
+ /* concatenate lHash || PS || 0x01 || msg */
+ idx = pkcsBlockLen - 1 - inputLen;
+ psLen = pkcsBlockLen - inputLen - 2 * hLen - 2;
+ if (pkcsBlockLen < inputLen) { /*make sure not writing over end of buffer */
+ #ifdef WOLFSSL_SMALL_STACK
+ XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
+ XFREE(seed, heap, DYNAMIC_TYPE_RSA_BUFFER);
+ #endif
+ return BUFFER_E;
+ }
+ XMEMCPY(pkcsBlock + (pkcsBlockLen - inputLen), input, inputLen);
+ pkcsBlock[idx--] = 0x01; /* PS and M separator */
+ while (psLen > 0 && idx > 0) {
+ pkcsBlock[idx--] = 0x00;
+ psLen--;
+ }
+
+ idx = idx - hLen + 1;
+ XMEMCPY(pkcsBlock + idx, lHash, hLen);
+
+ /* generate random seed */
+ if ((ret = wc_RNG_GenerateBlock(rng, seed, hLen)) != 0) {
+ #ifdef WOLFSSL_SMALL_STACK
+ XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
+ XFREE(seed, heap, DYNAMIC_TYPE_RSA_BUFFER);
+ #endif
+ return ret;
+ }
+
+ /* create maskedDB from dbMask */
+ dbMask = (byte*)XMALLOC(pkcsBlockLen - hLen - 1, heap, DYNAMIC_TYPE_RSA);
+ if (dbMask == NULL) {
+ #ifdef WOLFSSL_SMALL_STACK
+ XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
+ XFREE(seed, heap, DYNAMIC_TYPE_RSA_BUFFER);
+ #endif
+ return MEMORY_E;
+ }
+ XMEMSET(dbMask, 0, pkcsBlockLen - hLen - 1); /* help static analyzer */
+
+ ret = RsaMGF(mgf, seed, hLen, dbMask, pkcsBlockLen - hLen - 1, heap);
+ if (ret != 0) {
+ XFREE(dbMask, heap, DYNAMIC_TYPE_RSA);
+ #ifdef WOLFSSL_SMALL_STACK
+ XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
+ XFREE(seed, heap, DYNAMIC_TYPE_RSA_BUFFER);
+ #endif
+ return ret;
+ }
+
+ i = 0;
+ idx = hLen + 1;
+ while (idx < pkcsBlockLen && (word32)i < (pkcsBlockLen - hLen -1)) {
+ pkcsBlock[idx] = dbMask[i++] ^ pkcsBlock[idx];
+ idx++;
+ }
+ XFREE(dbMask, heap, DYNAMIC_TYPE_RSA);
+
+
+ /* create maskedSeed from seedMask */
+ idx = 0;
+ pkcsBlock[idx++] = 0x00;
+ /* create seedMask inline */
+ if ((ret = RsaMGF(mgf, pkcsBlock + hLen + 1, pkcsBlockLen - hLen - 1,
+ pkcsBlock + 1, hLen, heap)) != 0) {
+ #ifdef WOLFSSL_SMALL_STACK
+ XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
+ XFREE(seed, heap, DYNAMIC_TYPE_RSA_BUFFER);
+ #endif
+ return ret;
+ }
+
+ /* xor created seedMask with seed to make maskedSeed */
+ i = 0;
+ while (idx < (word32)(hLen + 1) && i < hLen) {
+ pkcsBlock[idx] = pkcsBlock[idx] ^ seed[i++];
+ idx++;
+ }
+
+ #ifdef WOLFSSL_SMALL_STACK
+ XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
+ XFREE(seed, heap, DYNAMIC_TYPE_RSA_BUFFER);
+ #endif
+ (void)padValue;
+
+ return 0;
+}
+#endif /* !WC_NO_RSA_OAEP */
+
+#ifdef WC_RSA_PSS
+
+/* 0x00 .. 0x00 0x01 | Salt | Gen Hash | 0xbc
+ * XOR MGF over all bytes down to end of Salt
+ * Gen Hash = HASH(8 * 0x00 | Message Hash | Salt)
+ *
+ * input Digest of the message.
+ * inputLen Length of digest.
+ * pkcsBlock Buffer to write to.
+ * pkcsBlockLen Length of buffer to write to.
+ * rng Random number generator (for salt).
+ * htype Hash function to use.
+ * mgf Mask generation function.
+ * saltLen Length of salt to put in padding.
+ * bits Length of key in bits.
+ * heap Used for dynamic memory allocation.
+ * returns 0 on success, PSS_SALTLEN_E when the salt length is invalid
+ * and other negative values on error.
+ */
+static int RsaPad_PSS(const byte* input, word32 inputLen, byte* pkcsBlock,
+ word32 pkcsBlockLen, WC_RNG* rng, enum wc_HashType hType, int mgf,
+ int saltLen, int bits, void* heap)
+{
+ int ret = 0;
+ int hLen, i, o, maskLen, hiBits;
+ byte* m;
+ byte* s;
+#if defined(WOLFSSL_PSS_LONG_SALT) || defined(WOLFSSL_PSS_SALT_LEN_DISCOVER)
+ #if defined(WOLFSSL_NO_MALLOC) && !defined(WOLFSSL_STATIC_MEMORY)
+ byte salt[RSA_MAX_SIZE/8 + RSA_PSS_PAD_SZ];
+ #else
+ byte* salt = NULL;
+ #endif
+#else
+ byte salt[WC_MAX_DIGEST_SIZE];
+#endif
+
+#if defined(WOLFSSL_PSS_LONG_SALT) || defined(WOLFSSL_PSS_SALT_LEN_DISCOVER)
+ if (pkcsBlockLen > RSA_MAX_SIZE/8) {
+ return MEMORY_E;
+ }
+#endif
+
+ hLen = wc_HashGetDigestSize(hType);
+ if (hLen < 0)
+ return hLen;
+
+ hiBits = (bits - 1) & 0x7;
+ if (hiBits == 0) {
+ *(pkcsBlock++) = 0;
+ pkcsBlockLen--;
+ }
+
+ if (saltLen == RSA_PSS_SALT_LEN_DEFAULT) {
+ saltLen = hLen;
+ #ifdef WOLFSSL_SHA512
+ /* See FIPS 186-4 section 5.5 item (e). */
+ if (bits == 1024 && hLen == WC_SHA512_DIGEST_SIZE) {
+ saltLen = RSA_PSS_SALT_MAX_SZ;
+ }
+ #endif
+ }
+#ifndef WOLFSSL_PSS_LONG_SALT
+ else if (saltLen > hLen) {
+ return PSS_SALTLEN_E;
+ }
+#endif
+#ifndef WOLFSSL_PSS_SALT_LEN_DISCOVER
+ else if (saltLen < RSA_PSS_SALT_LEN_DEFAULT) {
+ return PSS_SALTLEN_E;
+ }
+#else
+ else if (saltLen == RSA_PSS_SALT_LEN_DISCOVER) {
+ saltLen = (int)pkcsBlockLen - hLen - 2;
+ if (saltLen < 0) {
+ return PSS_SALTLEN_E;
+ }
+ }
+ else if (saltLen < RSA_PSS_SALT_LEN_DISCOVER) {
+ return PSS_SALTLEN_E;
+ }
+#endif
+ if ((int)pkcsBlockLen - hLen < saltLen + 2) {
+ return PSS_SALTLEN_E;
+ }
+
+ maskLen = pkcsBlockLen - 1 - hLen;
+
+#if defined(WOLFSSL_PSS_LONG_SALT) || defined(WOLFSSL_PSS_SALT_LEN_DISCOVER)
+ #if !defined(WOLFSSL_NO_MALLOC) || defined(WOLFSSL_STATIC_MEMORY)
+ salt = (byte*)XMALLOC(RSA_PSS_PAD_SZ + inputLen + saltLen, heap,
+ DYNAMIC_TYPE_RSA_BUFFER);
+ if (salt == NULL) {
+ return MEMORY_E;
+ }
+ #endif
+ s = m = salt;
+ XMEMSET(m, 0, RSA_PSS_PAD_SZ);
+ m += RSA_PSS_PAD_SZ;
+ XMEMCPY(m, input, inputLen);
+ m += inputLen;
+ o = (int)(m - s);
+ if (saltLen > 0) {
+ ret = wc_RNG_GenerateBlock(rng, m, saltLen);
+ if (ret == 0) {
+ m += saltLen;
+ }
+ }
+#else
+ s = m = pkcsBlock;
+ XMEMSET(m, 0, RSA_PSS_PAD_SZ);
+ m += RSA_PSS_PAD_SZ;
+ XMEMCPY(m, input, inputLen);
+ m += inputLen;
+ o = 0;
+ if (saltLen > 0) {
+ ret = wc_RNG_GenerateBlock(rng, salt, saltLen);
+ if (ret == 0) {
+ XMEMCPY(m, salt, saltLen);
+ m += saltLen;
+ }
+ }
+#endif
+ if (ret == 0) {
+ /* Put Hash at end of pkcsBlock - 1 */
+ ret = wc_Hash(hType, s, (word32)(m - s), pkcsBlock + maskLen, hLen);
+ }
+ if (ret == 0) {
+ pkcsBlock[pkcsBlockLen - 1] = RSA_PSS_PAD_TERM;
+
+ ret = RsaMGF(mgf, pkcsBlock + maskLen, hLen, pkcsBlock, maskLen, heap);
+ }
+ if (ret == 0) {
+ pkcsBlock[0] &= (1 << hiBits) - 1;
+
+ m = pkcsBlock + maskLen - saltLen - 1;
+ *(m++) ^= 0x01;
+ for (i = 0; i < saltLen; i++) {
+ m[i] ^= salt[o + i];
+ }
+ }
+
+#if defined(WOLFSSL_PSS_LONG_SALT) || defined(WOLFSSL_PSS_SALT_LEN_DISCOVER)
+ #if !defined(WOLFSSL_NO_MALLOC) || defined(WOLFSSL_STATIC_MEMORY)
+ if (salt != NULL) {
+ XFREE(salt, heap, DYNAMIC_TYPE_RSA_BUFFER);
+ }
+ #endif
+#endif
+ return ret;
+}
+#endif /* WC_RSA_PSS */
+#endif /* !WC_NO_RNG */
+
+static int RsaPad(const byte* input, word32 inputLen, byte* pkcsBlock,
+ word32 pkcsBlockLen, byte padValue, WC_RNG* rng)
+{
+ if (input == NULL || inputLen == 0 || pkcsBlock == NULL ||
+ pkcsBlockLen == 0) {
+ return BAD_FUNC_ARG;
+ }
pkcsBlock[0] = 0x0; /* set first byte to zero and advance */
pkcsBlock++; pkcsBlockLen--;
pkcsBlock[0] = padValue; /* insert padValue */
- if (padValue == RSA_BLOCK_TYPE_1)
+ if (padValue == RSA_BLOCK_TYPE_1) {
+ if (pkcsBlockLen < inputLen + 2) {
+ WOLFSSL_MSG("RsaPad error, invalid length");
+ return RSA_PAD_E;
+ }
+
/* pad with 0xff bytes */
XMEMSET(&pkcsBlock[1], 0xFF, pkcsBlockLen - inputLen - 2);
+ }
else {
+#if !defined(WOLFSSL_RSA_VERIFY_ONLY) && !defined(WC_NO_RNG)
/* pad with non-zero random bytes */
- word32 padLen = pkcsBlockLen - inputLen - 1, i;
- int ret = wc_RNG_GenerateBlock(rng, &pkcsBlock[1], padLen);
+ word32 padLen, i;
+ int ret;
- if (ret != 0)
+ if (pkcsBlockLen < inputLen + 1) {
+ WOLFSSL_MSG("RsaPad error, invalid length");
+ return RSA_PAD_E;
+ }
+
+ padLen = pkcsBlockLen - inputLen - 1;
+ ret = wc_RNG_GenerateBlock(rng, &pkcsBlock[1], padLen);
+ if (ret != 0) {
return ret;
+ }
/* remove zeros */
- for (i = 1; i < padLen; i++)
+ for (i = 1; i < padLen; i++) {
if (pkcsBlock[i] == 0) pkcsBlock[i] = 0x01;
+ }
+#else
+ (void)rng;
+ return RSA_WRONG_TYPE_E;
+#endif
}
pkcsBlock[pkcsBlockLen-inputLen-1] = 0; /* separator */
@@ -258,348 +1283,2300 @@ static int wc_RsaPad(const byte* input, word32 inputLen, byte* pkcsBlock,
return 0;
}
+/* helper function to direct which padding is used */
+int wc_RsaPad_ex(const byte* input, word32 inputLen, byte* pkcsBlock,
+ word32 pkcsBlockLen, byte padValue, WC_RNG* rng, int padType,
+ enum wc_HashType hType, int mgf, byte* optLabel, word32 labelLen,
+ int saltLen, int bits, void* heap)
+{
+ int ret;
+
+ switch (padType)
+ {
+ case WC_RSA_PKCSV15_PAD:
+ /*WOLFSSL_MSG("wolfSSL Using RSA PKCSV15 padding");*/
+ ret = RsaPad(input, inputLen, pkcsBlock, pkcsBlockLen,
+ padValue, rng);
+ break;
+
+#ifndef WC_NO_RNG
+ #ifndef WC_NO_RSA_OAEP
+ case WC_RSA_OAEP_PAD:
+ WOLFSSL_MSG("wolfSSL Using RSA OAEP padding");
+ ret = RsaPad_OAEP(input, inputLen, pkcsBlock, pkcsBlockLen,
+ padValue, rng, hType, mgf, optLabel, labelLen, heap);
+ break;
+ #endif
+
+ #ifdef WC_RSA_PSS
+ case WC_RSA_PSS_PAD:
+ WOLFSSL_MSG("wolfSSL Using RSA PSS padding");
+ ret = RsaPad_PSS(input, inputLen, pkcsBlock, pkcsBlockLen, rng,
+ hType, mgf, saltLen, bits, heap);
+ break;
+ #endif
+#endif /* !WC_NO_RNG */
+
+ #ifdef WC_RSA_NO_PADDING
+ case WC_RSA_NO_PAD:
+ WOLFSSL_MSG("wolfSSL Using NO padding");
+ /* In the case of no padding being used check that input is exactly
+ * the RSA key length */
+ if (bits <= 0 || inputLen != ((word32)bits/WOLFSSL_BIT_SIZE)) {
+ WOLFSSL_MSG("Bad input size");
+ ret = RSA_PAD_E;
+ }
+ else {
+ XMEMCPY(pkcsBlock, input, inputLen);
+ ret = 0;
+ }
+ break;
+ #endif
+
+ default:
+ WOLFSSL_MSG("Unknown RSA Pad Type");
+ ret = RSA_PAD_E;
+ }
+
+ /* silence warning if not used with padding scheme */
+ (void)input;
+ (void)inputLen;
+ (void)pkcsBlock;
+ (void)pkcsBlockLen;
+ (void)padValue;
+ (void)rng;
+ (void)padType;
+ (void)hType;
+ (void)mgf;
+ (void)optLabel;
+ (void)labelLen;
+ (void)saltLen;
+ (void)bits;
+ (void)heap;
+
+ return ret;
+}
+#endif /* WOLFSSL_RSA_VERIFY_ONLY */
+
+
+/* UnPadding */
+#ifndef WC_NO_RSA_OAEP
/* UnPad plaintext, set start to *output, return length of plaintext,
* < 0 on error */
-static int RsaUnPad(const byte *pkcsBlock, unsigned int pkcsBlockLen,
- byte **output, byte padValue)
+static int RsaUnPad_OAEP(byte *pkcsBlock, unsigned int pkcsBlockLen,
+ byte **output, enum wc_HashType hType, int mgf,
+ byte* optLabel, word32 labelLen, void* heap)
{
- word32 maxOutputLen = (pkcsBlockLen > 10) ? (pkcsBlockLen - 10) : 0,
- invalid = 0,
- i = 1,
- outputLen;
+ int hLen;
+ int ret;
+ byte h[WC_MAX_DIGEST_SIZE]; /* max digest size */
+ byte* tmp;
+ word32 idx;
- if (pkcsBlock[0] != 0x0) /* skip past zero */
- invalid = 1;
- pkcsBlock++; pkcsBlockLen--;
+ /* no label is allowed, but catch if no label provided and length > 0 */
+ if (optLabel == NULL && labelLen > 0) {
+ return BUFFER_E;
+ }
+
+ hLen = wc_HashGetDigestSize(hType);
+ if ((hLen < 0) || (pkcsBlockLen < (2 * (word32)hLen + 2))) {
+ return BAD_FUNC_ARG;
+ }
+
+ tmp = (byte*)XMALLOC(pkcsBlockLen, heap, DYNAMIC_TYPE_RSA_BUFFER);
+ if (tmp == NULL) {
+ return MEMORY_E;
+ }
+ XMEMSET(tmp, 0, pkcsBlockLen);
+
+ /* find seedMask value */
+ if ((ret = RsaMGF(mgf, (byte*)(pkcsBlock + (hLen + 1)),
+ pkcsBlockLen - hLen - 1, tmp, hLen, heap)) != 0) {
+ XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER);
+ return ret;
+ }
+
+ /* xor seedMask value with maskedSeed to get seed value */
+ for (idx = 0; idx < (word32)hLen; idx++) {
+ tmp[idx] = tmp[idx] ^ pkcsBlock[1 + idx];
+ }
+
+ /* get dbMask value */
+ if ((ret = RsaMGF(mgf, tmp, hLen, tmp + hLen,
+ pkcsBlockLen - hLen - 1, heap)) != 0) {
+ XFREE(tmp, NULL, DYNAMIC_TYPE_RSA_BUFFER);
+ return ret;
+ }
+
+ /* get DB value by doing maskedDB xor dbMask */
+ for (idx = 0; idx < (pkcsBlockLen - hLen - 1); idx++) {
+ pkcsBlock[hLen + 1 + idx] = pkcsBlock[hLen + 1 + idx] ^ tmp[idx + hLen];
+ }
+
+ /* done with use of tmp buffer */
+ XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER);
+
+ /* advance idx to index of PS and msg separator, account for PS size of 0*/
+ idx = hLen + 1 + hLen;
+ while (idx < pkcsBlockLen && pkcsBlock[idx] == 0) {idx++;}
+
+ /* create hash of label for comparison with hash sent */
+ if ((ret = wc_Hash(hType, optLabel, labelLen, h, hLen)) != 0) {
+ return ret;
+ }
+
+ /* say no to chosen ciphertext attack.
+ Comparison of lHash, Y, and separator value needs to all happen in
+ constant time.
+ Attackers should not be able to get error condition from the timing of
+ these checks.
+ */
+ ret = 0;
+ ret |= ConstantCompare(pkcsBlock + hLen + 1, h, hLen);
+ ret += pkcsBlock[idx++] ^ 0x01; /* separator value is 0x01 */
+ ret += pkcsBlock[0] ^ 0x00; /* Y, the first value, should be 0 */
+
+ /* Return 0 data length on error. */
+ idx = ctMaskSelInt(ctMaskEq(ret, 0), idx, pkcsBlockLen);
+
+ /* adjust pointer to correct location in array and return size of M */
+ *output = (byte*)(pkcsBlock + idx);
+ return pkcsBlockLen - idx;
+}
+#endif /* WC_NO_RSA_OAEP */
+
+#ifdef WC_RSA_PSS
+/* 0x00 .. 0x00 0x01 | Salt | Gen Hash | 0xbc
+ * MGF over all bytes down to end of Salt
+ *
+ * pkcsBlock Buffer holding decrypted data.
+ * pkcsBlockLen Length of buffer.
+ * htype Hash function to use.
+ * mgf Mask generation function.
+ * saltLen Length of salt to put in padding.
+ * bits Length of key in bits.
+ * heap Used for dynamic memory allocation.
+ * returns 0 on success, PSS_SALTLEN_E when the salt length is invalid,
+ * BAD_PADDING_E when the padding is not valid, MEMORY_E when allocation fails
+ * and other negative values on error.
+ */
+static int RsaUnPad_PSS(byte *pkcsBlock, unsigned int pkcsBlockLen,
+ byte **output, enum wc_HashType hType, int mgf,
+ int saltLen, int bits, void* heap)
+{
+ int ret;
+ byte* tmp;
+ int hLen, i, maskLen;
+#ifdef WOLFSSL_SHA512
+ int orig_bits = bits;
+#endif
+#if defined(WOLFSSL_NO_MALLOC) && !defined(WOLFSSL_STATIC_MEMORY)
+ byte tmp_buf[RSA_MAX_SIZE/8];
+ tmp = tmp_buf;
+
+ if (pkcsBlockLen > RSA_MAX_SIZE/8) {
+ return MEMORY_E;
+ }
+#endif
+
+ hLen = wc_HashGetDigestSize(hType);
+ if (hLen < 0)
+ return hLen;
+ bits = (bits - 1) & 0x7;
+ if ((pkcsBlock[0] & (0xff << bits)) != 0) {
+ return BAD_PADDING_E;
+ }
+ if (bits == 0) {
+ pkcsBlock++;
+ pkcsBlockLen--;
+ }
+ maskLen = (int)pkcsBlockLen - 1 - hLen;
+ if (maskLen < 0) {
+ WOLFSSL_MSG("RsaUnPad_PSS: Hash too large");
+ return WC_KEY_SIZE_E;
+ }
+
+ if (saltLen == RSA_PSS_SALT_LEN_DEFAULT) {
+ saltLen = hLen;
+ #ifdef WOLFSSL_SHA512
+ /* See FIPS 186-4 section 5.5 item (e). */
+ if (orig_bits == 1024 && hLen == WC_SHA512_DIGEST_SIZE)
+ saltLen = RSA_PSS_SALT_MAX_SZ;
+ #endif
+ }
+#ifndef WOLFSSL_PSS_LONG_SALT
+ else if (saltLen > hLen)
+ return PSS_SALTLEN_E;
+#endif
+#ifndef WOLFSSL_PSS_SALT_LEN_DISCOVER
+ else if (saltLen < RSA_PSS_SALT_LEN_DEFAULT)
+ return PSS_SALTLEN_E;
+ if (maskLen < saltLen + 1) {
+ return PSS_SALTLEN_E;
+ }
+#else
+ else if (saltLen < RSA_PSS_SALT_LEN_DISCOVER)
+ return PSS_SALTLEN_E;
+ if (saltLen != RSA_PSS_SALT_LEN_DISCOVER && maskLen < saltLen + 1) {
+ return WC_KEY_SIZE_E;
+ }
+#endif
- /* Require block type padValue */
- invalid = (pkcsBlock[0] != padValue) || invalid;
+ if (pkcsBlock[pkcsBlockLen - 1] != RSA_PSS_PAD_TERM) {
+ WOLFSSL_MSG("RsaUnPad_PSS: Padding Term Error");
+ return BAD_PADDING_E;
+ }
+
+#if !defined(WOLFSSL_NO_MALLOC) || defined(WOLFSSL_STATIC_MEMORY)
+ tmp = (byte*)XMALLOC(maskLen, heap, DYNAMIC_TYPE_RSA_BUFFER);
+ if (tmp == NULL) {
+ return MEMORY_E;
+ }
+#endif
+
+ if ((ret = RsaMGF(mgf, pkcsBlock + maskLen, hLen, tmp, maskLen,
+ heap)) != 0) {
+ XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER);
+ return ret;
+ }
+
+ tmp[0] &= (1 << bits) - 1;
+ pkcsBlock[0] &= (1 << bits) - 1;
+#ifdef WOLFSSL_PSS_SALT_LEN_DISCOVER
+ if (saltLen == RSA_PSS_SALT_LEN_DISCOVER) {
+ for (i = 0; i < maskLen - 1; i++) {
+ if (tmp[i] != pkcsBlock[i]) {
+ break;
+ }
+ }
+ if (tmp[i] != (pkcsBlock[i] ^ 0x01)) {
+ XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER);
+ WOLFSSL_MSG("RsaUnPad_PSS: Padding Error Match");
+ return PSS_SALTLEN_RECOVER_E;
+ }
+ saltLen = maskLen - (i + 1);
+ }
+ else
+#endif
+ {
+ for (i = 0; i < maskLen - 1 - saltLen; i++) {
+ if (tmp[i] != pkcsBlock[i]) {
+ XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER);
+ WOLFSSL_MSG("RsaUnPad_PSS: Padding Error Match");
+ return PSS_SALTLEN_E;
+ }
+ }
+ if (tmp[i] != (pkcsBlock[i] ^ 0x01)) {
+ XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER);
+ WOLFSSL_MSG("RsaUnPad_PSS: Padding Error End");
+ return PSS_SALTLEN_E;
+ }
+ }
+ for (i++; i < maskLen; i++)
+ pkcsBlock[i] ^= tmp[i];
+
+#if !defined(WOLFSSL_NO_MALLOC) || defined(WOLFSSL_STATIC_MEMORY)
+ XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER);
+#endif
+
+ *output = pkcsBlock + maskLen - saltLen;
+ return saltLen + hLen;
+}
+#endif
+
+/* UnPad plaintext, set start to *output, return length of plaintext,
+ * < 0 on error */
+static int RsaUnPad(const byte *pkcsBlock, unsigned int pkcsBlockLen,
+ byte **output, byte padValue)
+{
+ int ret = BAD_FUNC_ARG;
+ word16 i;
+#ifndef WOLFSSL_RSA_VERIFY_ONLY
+ byte invalid = 0;
+#endif
+
+ if (output == NULL || pkcsBlockLen == 0 || pkcsBlockLen > 0xFFFF) {
+ return BAD_FUNC_ARG;
+ }
- /* verify the padding until we find the separator */
if (padValue == RSA_BLOCK_TYPE_1) {
- while (i<pkcsBlockLen && pkcsBlock[i++] == 0xFF) {/* Null body */}
+ /* First byte must be 0x00 and Second byte, block type, 0x01 */
+ if (pkcsBlock[0] != 0 || pkcsBlock[1] != RSA_BLOCK_TYPE_1) {
+ WOLFSSL_MSG("RsaUnPad error, invalid formatting");
+ return RSA_PAD_E;
+ }
+
+ /* check the padding until we find the separator */
+ for (i = 2; i < pkcsBlockLen && pkcsBlock[i++] == 0xFF; ) { }
+
+ /* Minimum of 11 bytes of pre-message data and must have separator. */
+ if (i < RSA_MIN_PAD_SZ || pkcsBlock[i-1] != 0) {
+ WOLFSSL_MSG("RsaUnPad error, bad formatting");
+ return RSA_PAD_E;
+ }
+
+ *output = (byte *)(pkcsBlock + i);
+ ret = pkcsBlockLen - i;
}
+#ifndef WOLFSSL_RSA_VERIFY_ONLY
else {
- while (i<pkcsBlockLen && pkcsBlock[i++]) {/* Null body */}
- }
+ word16 j;
+ word16 pastSep = 0;
+
+ /* Decrypted with private key - unpad must be constant time. */
+ for (i = 0, j = 2; j < pkcsBlockLen; j++) {
+ /* Update i if not passed the separator and at separator. */
+ i |= (~pastSep) & ctMask16Eq(pkcsBlock[j], 0x00) & (j + 1);
+ pastSep |= ctMask16Eq(pkcsBlock[j], 0x00);
+ }
- if(!(i==pkcsBlockLen || pkcsBlock[i-1]==0)) {
- WOLFSSL_MSG("RsaUnPad error, bad formatting");
- return RSA_PAD_E;
+ /* Minimum of 11 bytes of pre-message data - including leading 0x00. */
+ invalid |= ctMaskLT(i, RSA_MIN_PAD_SZ);
+ /* Must have seen separator. */
+ invalid |= ~pastSep;
+ /* First byte must be 0x00. */
+ invalid |= ctMaskNotEq(pkcsBlock[0], 0x00);
+ /* Check against expected block type: padValue */
+ invalid |= ctMaskNotEq(pkcsBlock[1], padValue);
+
+ *output = (byte *)(pkcsBlock + i);
+ ret = ((int)~invalid) & (pkcsBlockLen - i);
}
+#endif
+
+ return ret;
+}
+
+/* helper function to direct unpadding
+ *
+ * bits is the key modulus size in bits
+ */
+int wc_RsaUnPad_ex(byte* pkcsBlock, word32 pkcsBlockLen, byte** out,
+ byte padValue, int padType, enum wc_HashType hType,
+ int mgf, byte* optLabel, word32 labelLen, int saltLen,
+ int bits, void* heap)
+{
+ int ret;
- outputLen = pkcsBlockLen - i;
- invalid = (outputLen > maxOutputLen) || invalid;
+ switch (padType) {
+ case WC_RSA_PKCSV15_PAD:
+ /*WOLFSSL_MSG("wolfSSL Using RSA PKCSV15 un-padding");*/
+ ret = RsaUnPad(pkcsBlock, pkcsBlockLen, out, padValue);
+ break;
+
+ #ifndef WC_NO_RSA_OAEP
+ case WC_RSA_OAEP_PAD:
+ WOLFSSL_MSG("wolfSSL Using RSA OAEP un-padding");
+ ret = RsaUnPad_OAEP((byte*)pkcsBlock, pkcsBlockLen, out,
+ hType, mgf, optLabel, labelLen, heap);
+ break;
+ #endif
+
+ #ifdef WC_RSA_PSS
+ case WC_RSA_PSS_PAD:
+ WOLFSSL_MSG("wolfSSL Using RSA PSS un-padding");
+ ret = RsaUnPad_PSS((byte*)pkcsBlock, pkcsBlockLen, out, hType, mgf,
+ saltLen, bits, heap);
+ break;
+ #endif
+
+ #ifdef WC_RSA_NO_PADDING
+ case WC_RSA_NO_PAD:
+ WOLFSSL_MSG("wolfSSL Using NO un-padding");
+
+ /* In the case of no padding being used check that input is exactly
+ * the RSA key length */
+ if (bits <= 0 || pkcsBlockLen !=
+ ((word32)(bits+WOLFSSL_BIT_SIZE-1)/WOLFSSL_BIT_SIZE)) {
+ WOLFSSL_MSG("Bad input size");
+ ret = RSA_PAD_E;
+ }
+ else {
+ if (out != NULL) {
+ *out = pkcsBlock;
+ }
+ ret = pkcsBlockLen;
+ }
+ break;
+ #endif /* WC_RSA_NO_PADDING */
- if (invalid) {
- WOLFSSL_MSG("RsaUnPad error, bad formatting");
- return RSA_PAD_E;
+ default:
+ WOLFSSL_MSG("Unknown RSA UnPad Type");
+ ret = RSA_PAD_E;
}
- *output = (byte *)(pkcsBlock + i);
- return outputLen;
+ /* silence warning if not used with padding scheme */
+ (void)hType;
+ (void)mgf;
+ (void)optLabel;
+ (void)labelLen;
+ (void)saltLen;
+ (void)bits;
+ (void)heap;
+
+ return ret;
}
+#if defined(WOLFSSL_XILINX_CRYPT)
+/*
+ * Xilinx hardened crypto acceleration.
+ *
+ * Returns 0 on success and negative values on error.
+ */
+static int wc_RsaFunctionXil(const byte* in, word32 inLen, byte* out,
+ word32* outLen, int type, RsaKey* key, WC_RNG* rng)
+{
+ int ret = 0;
+ word32 keyLen;
+ (void)rng;
+
+ keyLen = wc_RsaEncryptSize(key);
+ if (keyLen > *outLen) {
+ WOLFSSL_MSG("Output buffer is not big enough");
+ return BAD_FUNC_ARG;
+ }
+
+ if (inLen != keyLen) {
+ WOLFSSL_MSG("Expected that inLen equals RSA key length");
+ return BAD_FUNC_ARG;
+ }
-static int wc_RsaFunction(const byte* in, word32 inLen, byte* out,
+ switch(type) {
+ case RSA_PRIVATE_DECRYPT:
+ case RSA_PRIVATE_ENCRYPT:
+ /* Currently public exponent is loaded by default.
+ * In SDK 2017.1 RSA exponent values are expected to be of 4 bytes
+ * leading to private key operations with Xsecure_RsaDecrypt not being
+ * supported */
+ ret = RSA_WRONG_TYPE_E;
+ break;
+ case RSA_PUBLIC_ENCRYPT:
+ case RSA_PUBLIC_DECRYPT:
+ if (XSecure_RsaDecrypt(&(key->xRsa), in, out) != XST_SUCCESS) {
+ ret = BAD_STATE_E;
+ }
+ break;
+ default:
+ ret = RSA_WRONG_TYPE_E;
+ }
+
+ *outLen = keyLen;
+
+ return ret;
+}
+#endif /* WOLFSSL_XILINX_CRYPT */
+
+#ifdef WC_RSA_NONBLOCK
+static int wc_RsaFunctionNonBlock(const byte* in, word32 inLen, byte* out,
word32* outLen, int type, RsaKey* key)
{
- #define ERROR_OUT(x) { ret = (x); goto done;}
-
- mp_int tmp;
int ret = 0;
word32 keyLen, len;
- if (mp_init(&tmp) != MP_OKAY)
- return MP_INIT_E;
+ if (key == NULL || key->nb == NULL) {
+ return BAD_FUNC_ARG;
+ }
+
+ if (key->nb->exptmod.state == TFM_EXPTMOD_NB_INIT) {
+ if (mp_init(&key->nb->tmp) != MP_OKAY) {
+ ret = MP_INIT_E;
+ }
- if (mp_read_unsigned_bin(&tmp, (byte*)in, inLen) != MP_OKAY)
- ERROR_OUT(MP_READ_E);
+ if (ret == 0) {
+ if (mp_read_unsigned_bin(&key->nb->tmp, (byte*)in, inLen) != MP_OKAY) {
+ ret = MP_READ_E;
+ }
+ }
+ }
- if (type == RSA_PRIVATE_DECRYPT || type == RSA_PRIVATE_ENCRYPT) {
- #ifdef RSA_LOW_MEM /* half as much memory but twice as slow */
- if (mp_exptmod(&tmp, &key->d, &key->n, &tmp) != MP_OKAY)
- ERROR_OUT(MP_EXPTMOD_E);
- #else
- #define INNER_ERROR_OUT(x) { ret = (x); goto inner_done; }
+ if (ret == 0) {
+ switch(type) {
+ case RSA_PRIVATE_DECRYPT:
+ case RSA_PRIVATE_ENCRYPT:
+ ret = fp_exptmod_nb(&key->nb->exptmod, &key->nb->tmp, &key->d,
+ &key->n, &key->nb->tmp);
+ if (ret == FP_WOULDBLOCK)
+ return ret;
+ if (ret != MP_OKAY)
+ ret = MP_EXPTMOD_E;
+ break;
+
+ case RSA_PUBLIC_ENCRYPT:
+ case RSA_PUBLIC_DECRYPT:
+ ret = fp_exptmod_nb(&key->nb->exptmod, &key->nb->tmp, &key->e,
+ &key->n, &key->nb->tmp);
+ if (ret == FP_WOULDBLOCK)
+ return ret;
+ if (ret != MP_OKAY)
+ ret = MP_EXPTMOD_E;
+ break;
+ default:
+ ret = RSA_WRONG_TYPE_E;
+ break;
+ }
+ }
- mp_int tmpa, tmpb;
+ if (ret == 0) {
+ keyLen = wc_RsaEncryptSize(key);
+ if (keyLen > *outLen)
+ ret = RSA_BUFFER_E;
+ }
+ if (ret == 0) {
+ len = mp_unsigned_bin_size(&key->nb->tmp);
- if (mp_init(&tmpa) != MP_OKAY)
- ERROR_OUT(MP_INIT_E);
+ /* pad front w/ zeros to match key length */
+ while (len < keyLen) {
+ *out++ = 0x00;
+ len++;
+ }
- if (mp_init(&tmpb) != MP_OKAY) {
- mp_clear(&tmpa);
- ERROR_OUT(MP_INIT_E);
- }
+ *outLen = keyLen;
- /* tmpa = tmp^dP mod p */
- if (mp_exptmod(&tmp, &key->dP, &key->p, &tmpa) != MP_OKAY)
- INNER_ERROR_OUT(MP_EXPTMOD_E);
+ /* convert */
+ if (mp_to_unsigned_bin(&key->nb->tmp, out) != MP_OKAY) {
+ ret = MP_TO_E;
+ }
+ }
- /* tmpb = tmp^dQ mod q */
- if (mp_exptmod(&tmp, &key->dQ, &key->q, &tmpb) != MP_OKAY)
- INNER_ERROR_OUT(MP_EXPTMOD_E);
+ mp_clear(&key->nb->tmp);
- /* tmp = (tmpa - tmpb) * qInv (mod p) */
- if (mp_sub(&tmpa, &tmpb, &tmp) != MP_OKAY)
- INNER_ERROR_OUT(MP_SUB_E);
+ return ret;
+}
+#endif /* WC_RSA_NONBLOCK */
- if (mp_mulmod(&tmp, &key->u, &key->p, &tmp) != MP_OKAY)
- INNER_ERROR_OUT(MP_MULMOD_E);
+#ifdef WOLFSSL_AFALG_XILINX_RSA
+#ifndef ERROR_OUT
+#define ERROR_OUT(x) ret = (x); goto done
+#endif
- /* tmp = tmpb + q * tmp */
- if (mp_mul(&tmp, &key->q, &tmp) != MP_OKAY)
- INNER_ERROR_OUT(MP_MUL_E);
+static const char WC_TYPE_ASYMKEY[] = "skcipher";
+static const char WC_NAME_RSA[] = "xilinx-zynqmp-rsa";
+#ifndef MAX_XILINX_RSA_KEY
+ /* max key size of 4096 bits / 512 bytes */
+ #define MAX_XILINX_RSA_KEY 512
+#endif
+static const byte XILINX_RSA_FLAG[] = {0x1};
- if (mp_add(&tmp, &tmpb, &tmp) != MP_OKAY)
- INNER_ERROR_OUT(MP_ADD_E);
- inner_done:
- mp_clear(&tmpa);
- mp_clear(&tmpb);
+/* AF_ALG implementation of RSA */
+static int wc_RsaFunctionSync(const byte* in, word32 inLen, byte* out,
+ word32* outLen, int type, RsaKey* key, WC_RNG* rng)
+{
+ struct msghdr msg;
+ struct cmsghdr* cmsg;
+ struct iovec iov;
+ byte* keyBuf = NULL;
+ word32 keyBufSz = 0;
+ char cbuf[CMSG_SPACE(4) + CMSG_SPACE(sizeof(struct af_alg_iv) + 1)] = {0};
+ int ret = 0;
+ int op = 0; /* decryption vs encryption flag */
+ word32 keyLen;
- if (ret != 0) return ret;
+ /* input and output buffer need to be aligned */
+ ALIGN64 byte outBuf[MAX_XILINX_RSA_KEY];
+ ALIGN64 byte inBuf[MAX_XILINX_RSA_KEY];
- #endif /* RSA_LOW_MEM */
+ XMEMSET(&msg, 0, sizeof(struct msghdr));
+ (void)rng;
+
+ keyLen = wc_RsaEncryptSize(key);
+ if (keyLen > *outLen) {
+ ERROR_OUT(RSA_BUFFER_E);
+ }
+
+ if (keyLen > MAX_XILINX_RSA_KEY) {
+ WOLFSSL_MSG("RSA key size larger than supported");
+ ERROR_OUT(BAD_FUNC_ARG);
}
- else if (type == RSA_PUBLIC_ENCRYPT || type == RSA_PUBLIC_DECRYPT) {
- if (mp_exptmod(&tmp, &key->e, &key->n, &tmp) != MP_OKAY)
- ERROR_OUT(MP_EXPTMOD_E);
+
+ if ((keyBuf = (byte*)XMALLOC(keyLen * 2, key->heap, DYNAMIC_TYPE_KEY))
+ == NULL) {
+ ERROR_OUT(MEMORY_E);
}
- else
- ERROR_OUT(RSA_WRONG_TYPE_E);
- keyLen = mp_unsigned_bin_size(&key->n);
- if (keyLen > *outLen)
- ERROR_OUT(RSA_BUFFER_E);
+ if ((ret = mp_to_unsigned_bin(&(key->n), keyBuf)) != MP_OKAY) {
+ ERROR_OUT(MP_TO_E);
+ }
- len = mp_unsigned_bin_size(&tmp);
+ switch(type) {
+ case RSA_PRIVATE_DECRYPT:
+ case RSA_PRIVATE_ENCRYPT:
+ op = 1; /* set as decrypt */
+ {
+ keyBufSz = mp_unsigned_bin_size(&(key->d));
+ if ((mp_to_unsigned_bin(&(key->d), keyBuf + keyLen))
+ != MP_OKAY) {
+ ERROR_OUT(MP_TO_E);
+ }
+ }
+ break;
+
+ case RSA_PUBLIC_DECRYPT:
+ case RSA_PUBLIC_ENCRYPT: {
+ word32 exp = 0;
+ word32 eSz = mp_unsigned_bin_size(&(key->e));
+ if ((mp_to_unsigned_bin(&(key->e), (byte*)&exp +
+ (sizeof(word32) - eSz))) != MP_OKAY) {
+ ERROR_OUT(MP_TO_E);
+ }
+ keyBufSz = sizeof(word32);
+ XMEMCPY(keyBuf + keyLen, (byte*)&exp, keyBufSz);
+ break;
+ }
- /* pad front w/ zeros to match key length */
- while (len < keyLen) {
- *out++ = 0x00;
- len++;
+ default:
+ ERROR_OUT(RSA_WRONG_TYPE_E);
}
+ keyBufSz += keyLen; /* add size of modulus */
- *outLen = keyLen;
+ /* check for existing sockets before creating new ones */
+ if (key->alFd > 0) {
+ close(key->alFd);
+ key->alFd = WC_SOCK_NOTSET;
+ }
+ if (key->rdFd > 0) {
+ close(key->rdFd);
+ key->rdFd = WC_SOCK_NOTSET;
+ }
- /* convert */
- if (mp_to_unsigned_bin(&tmp, out) != MP_OKAY)
- ERROR_OUT(MP_TO_E);
+ /* create new sockets and set the key to use */
+ if ((key->alFd = wc_Afalg_Socket()) < 0) {
+ WOLFSSL_MSG("Unable to create socket");
+ ERROR_OUT(key->alFd);
+ }
+ if ((key->rdFd = wc_Afalg_CreateRead(key->alFd, WC_TYPE_ASYMKEY,
+ WC_NAME_RSA)) < 0) {
+ WOLFSSL_MSG("Unable to bind and create read/send socket");
+ ERROR_OUT(key->rdFd);
+ }
+ if ((ret = setsockopt(key->alFd, SOL_ALG, ALG_SET_KEY, keyBuf,
+ keyBufSz)) < 0) {
+ WOLFSSL_MSG("Error setting RSA key");
+ ERROR_OUT(ret);
+ }
+
+ msg.msg_control = cbuf;
+ msg.msg_controllen = sizeof(cbuf);
+ cmsg = CMSG_FIRSTHDR(&msg);
+ if ((ret = wc_Afalg_SetOp(cmsg, op)) < 0) {
+ ERROR_OUT(ret);
+ }
+
+ /* set flag in IV spot, needed for Xilinx hardware acceleration use */
+ cmsg = CMSG_NXTHDR(&msg, cmsg);
+ if ((ret = wc_Afalg_SetIv(cmsg, (byte*)XILINX_RSA_FLAG,
+ sizeof(XILINX_RSA_FLAG))) != 0) {
+ ERROR_OUT(ret);
+ }
+
+ /* compose and send msg */
+ XMEMCPY(inBuf, (byte*)in, inLen); /* for alignment */
+ iov.iov_base = inBuf;
+ iov.iov_len = inLen;
+ msg.msg_iov = &iov;
+ msg.msg_iovlen = 1;
+ if ((ret = sendmsg(key->rdFd, &msg, 0)) <= 0) {
+ ERROR_OUT(WC_AFALG_SOCK_E);
+ }
+
+ if ((ret = read(key->rdFd, outBuf, inLen)) <= 0) {
+ ERROR_OUT(WC_AFALG_SOCK_E);
+ }
+ XMEMCPY(out, outBuf, ret);
+ *outLen = keyLen;
done:
- mp_clear(&tmp);
- if (ret == MP_EXPTMOD_E) {
- WOLFSSL_MSG("RSA_FUNCTION MP_EXPTMOD_E: memory/config problem");
+ /* clear key data and free buffer */
+ if (keyBuf != NULL) {
+ ForceZero(keyBuf, keyBufSz);
}
+ XFREE(keyBuf, key->heap, DYNAMIC_TYPE_KEY);
+
+ if (key->alFd > 0) {
+ close(key->alFd);
+ key->alFd = WC_SOCK_NOTSET;
+ }
+ if (key->rdFd > 0) {
+ close(key->rdFd);
+ key->rdFd = WC_SOCK_NOTSET;
+ }
+
return ret;
}
-
-int wc_RsaPublicEncrypt(const byte* in, word32 inLen, byte* out, word32 outLen,
- RsaKey* key, RNG* rng)
+#else
+static int wc_RsaFunctionSync(const byte* in, word32 inLen, byte* out,
+ word32* outLen, int type, RsaKey* key, WC_RNG* rng)
{
- int sz, ret;
+#ifndef WOLFSSL_SP_MATH
+#ifdef WOLFSSL_SMALL_STACK
+ mp_int* tmp;
+#ifdef WC_RSA_BLINDING
+ mp_int* rnd;
+ mp_int* rndi;
+#endif
+#else
+ mp_int tmp[1];
+#ifdef WC_RSA_BLINDING
+ mp_int rnd[1], rndi[1];
+#endif
+#endif
+ int ret = 0;
+ word32 keyLen = 0;
+#endif
+
+#ifdef WOLFSSL_HAVE_SP_RSA
+#ifndef WOLFSSL_SP_NO_2048
+ if (mp_count_bits(&key->n) == 2048) {
+ switch(type) {
+#ifndef WOLFSSL_RSA_PUBLIC_ONLY
+ case RSA_PRIVATE_DECRYPT:
+ case RSA_PRIVATE_ENCRYPT:
+ #ifdef WC_RSA_BLINDING
+ if (rng == NULL)
+ return MISSING_RNG_E;
+ #endif
+ #ifndef RSA_LOW_MEM
+ return sp_RsaPrivate_2048(in, inLen, &key->d, &key->p, &key->q,
+ &key->dP, &key->dQ, &key->u, &key->n,
+ out, outLen);
+ #else
+ return sp_RsaPrivate_2048(in, inLen, &key->d, &key->p, &key->q,
+ NULL, NULL, NULL, &key->n, out, outLen);
+ #endif
+#endif
+ case RSA_PUBLIC_ENCRYPT:
+ case RSA_PUBLIC_DECRYPT:
+ return sp_RsaPublic_2048(in, inLen, &key->e, &key->n, out, outLen);
+ }
+ }
+#endif
+#ifndef WOLFSSL_SP_NO_3072
+ if (mp_count_bits(&key->n) == 3072) {
+ switch(type) {
+#ifndef WOLFSSL_RSA_PUBLIC_ONLY
+ case RSA_PRIVATE_DECRYPT:
+ case RSA_PRIVATE_ENCRYPT:
+ #ifdef WC_RSA_BLINDING
+ if (rng == NULL)
+ return MISSING_RNG_E;
+ #endif
+ #ifndef RSA_LOW_MEM
+ return sp_RsaPrivate_3072(in, inLen, &key->d, &key->p, &key->q,
+ &key->dP, &key->dQ, &key->u, &key->n,
+ out, outLen);
+ #else
+ return sp_RsaPrivate_3072(in, inLen, &key->d, &key->p, &key->q,
+ NULL, NULL, NULL, &key->n, out, outLen);
+ #endif
+#endif
+ case RSA_PUBLIC_ENCRYPT:
+ case RSA_PUBLIC_DECRYPT:
+ return sp_RsaPublic_3072(in, inLen, &key->e, &key->n, out, outLen);
+ }
+ }
+#endif
+#ifdef WOLFSSL_SP_4096
+ if (mp_count_bits(&key->n) == 4096) {
+ switch(type) {
+#ifndef WOLFSSL_RSA_PUBLIC_ONLY
+ case RSA_PRIVATE_DECRYPT:
+ case RSA_PRIVATE_ENCRYPT:
+ #ifdef WC_RSA_BLINDING
+ if (rng == NULL)
+ return MISSING_RNG_E;
+ #endif
+ #ifndef RSA_LOW_MEM
+ return sp_RsaPrivate_4096(in, inLen, &key->d, &key->p, &key->q,
+ &key->dP, &key->dQ, &key->u, &key->n,
+ out, outLen);
+ #else
+ return sp_RsaPrivate_4096(in, inLen, &key->d, &key->p, &key->q,
+ NULL, NULL, NULL, &key->n, out, outLen);
+ #endif
+#endif
+ case RSA_PUBLIC_ENCRYPT:
+ case RSA_PUBLIC_DECRYPT:
+ return sp_RsaPublic_4096(in, inLen, &key->e, &key->n, out, outLen);
+ }
+ }
+#endif
+#endif /* WOLFSSL_HAVE_SP_RSA */
-#ifdef HAVE_CAVIUM
- if (key->magic == WOLFSSL_RSA_CAVIUM_MAGIC)
- return CaviumRsaPublicEncrypt(in, inLen, out, outLen, key);
+#ifdef WOLFSSL_SP_MATH
+ (void)rng;
+ WOLFSSL_MSG("SP Key Size Error");
+ return WC_KEY_SIZE_E;
+#else
+ (void)rng;
+
+#ifdef WOLFSSL_SMALL_STACK
+ tmp = (mp_int*)XMALLOC(sizeof(mp_int), key->heap, DYNAMIC_TYPE_RSA);
+ if (tmp == NULL)
+ return MEMORY_E;
+#ifdef WC_RSA_BLINDING
+ rnd = (mp_int*)XMALLOC(sizeof(mp_int) * 2, key->heap, DYNAMIC_TYPE_RSA);
+ if (rnd == NULL) {
+ XFREE(tmp, key->heap, DYNAMIC_TYPE_RSA);
+ return MEMORY_E;
+ }
+ rndi = rnd + 1;
+#endif /* WC_RSA_BLINDING */
+#endif /* WOLFSSL_SMALL_STACK */
+
+ if (mp_init(tmp) != MP_OKAY)
+ ret = MP_INIT_E;
+
+#ifdef WC_RSA_BLINDING
+ if (ret == 0) {
+ if (type == RSA_PRIVATE_DECRYPT || type == RSA_PRIVATE_ENCRYPT) {
+ if (mp_init_multi(rnd, rndi, NULL, NULL, NULL, NULL) != MP_OKAY) {
+ mp_clear(tmp);
+ ret = MP_INIT_E;
+ }
+ }
+ }
#endif
- sz = mp_unsigned_bin_size(&key->n);
- if (sz > (int)outLen)
- return RSA_BUFFER_E;
+#ifndef TEST_UNPAD_CONSTANT_TIME
+ if (ret == 0 && mp_read_unsigned_bin(tmp, (byte*)in, inLen) != MP_OKAY)
+ ret = MP_READ_E;
+
+ if (ret == 0) {
+ switch(type) {
+ #ifndef WOLFSSL_RSA_PUBLIC_ONLY
+ case RSA_PRIVATE_DECRYPT:
+ case RSA_PRIVATE_ENCRYPT:
+ {
+ #if defined(WC_RSA_BLINDING) && !defined(WC_NO_RNG)
+ /* blind */
+ ret = mp_rand(rnd, get_digit_count(&key->n), rng);
+
+ /* rndi = 1/rnd mod n */
+ if (ret == 0 && mp_invmod(rnd, &key->n, rndi) != MP_OKAY)
+ ret = MP_INVMOD_E;
+
+ /* rnd = rnd^e */
+ if (ret == 0 && mp_exptmod(rnd, &key->e, &key->n, rnd) != MP_OKAY)
+ ret = MP_EXPTMOD_E;
+
+ /* tmp = tmp*rnd mod n */
+ if (ret == 0 && mp_mulmod(tmp, rnd, &key->n, tmp) != MP_OKAY)
+ ret = MP_MULMOD_E;
+ #endif /* WC_RSA_BLINDING && !WC_NO_RNG */
- if (inLen > (word32)(sz - RSA_MIN_PAD_SZ))
- return RSA_BUFFER_E;
+ #ifdef RSA_LOW_MEM /* half as much memory but twice as slow */
+ if (ret == 0 && mp_exptmod(tmp, &key->d, &key->n, tmp) != MP_OKAY)
+ ret = MP_EXPTMOD_E;
+ #else
+ if (ret == 0) {
+ #ifdef WOLFSSL_SMALL_STACK
+ mp_int* tmpa;
+ mp_int* tmpb = NULL;
+ #else
+ mp_int tmpa[1], tmpb[1];
+ #endif
+ int cleara = 0, clearb = 0;
+
+ #ifdef WOLFSSL_SMALL_STACK
+ tmpa = (mp_int*)XMALLOC(sizeof(mp_int) * 2,
+ key->heap, DYNAMIC_TYPE_RSA);
+ if (tmpa != NULL)
+ tmpb = tmpa + 1;
+ else
+ ret = MEMORY_E;
+ #endif
+
+ if (ret == 0) {
+ if (mp_init(tmpa) != MP_OKAY)
+ ret = MP_INIT_E;
+ else
+ cleara = 1;
+ }
+
+ if (ret == 0) {
+ if (mp_init(tmpb) != MP_OKAY)
+ ret = MP_INIT_E;
+ else
+ clearb = 1;
+ }
+
+ /* tmpa = tmp^dP mod p */
+ if (ret == 0 && mp_exptmod(tmp, &key->dP, &key->p,
+ tmpa) != MP_OKAY)
+ ret = MP_EXPTMOD_E;
+
+ /* tmpb = tmp^dQ mod q */
+ if (ret == 0 && mp_exptmod(tmp, &key->dQ, &key->q,
+ tmpb) != MP_OKAY)
+ ret = MP_EXPTMOD_E;
+
+ /* tmp = (tmpa - tmpb) * qInv (mod p) */
+ if (ret == 0 && mp_sub(tmpa, tmpb, tmp) != MP_OKAY)
+ ret = MP_SUB_E;
+
+ if (ret == 0 && mp_mulmod(tmp, &key->u, &key->p,
+ tmp) != MP_OKAY)
+ ret = MP_MULMOD_E;
+
+ /* tmp = tmpb + q * tmp */
+ if (ret == 0 && mp_mul(tmp, &key->q, tmp) != MP_OKAY)
+ ret = MP_MUL_E;
+
+ if (ret == 0 && mp_add(tmp, tmpb, tmp) != MP_OKAY)
+ ret = MP_ADD_E;
+
+ #ifdef WOLFSSL_SMALL_STACK
+ if (tmpa != NULL)
+ #endif
+ {
+ if (cleara)
+ mp_clear(tmpa);
+ if (clearb)
+ mp_clear(tmpb);
+ #ifdef WOLFSSL_SMALL_STACK
+ XFREE(tmpa, key->heap, DYNAMIC_TYPE_RSA);
+ #endif
+ }
+ } /* tmpa/b scope */
+ #endif /* RSA_LOW_MEM */
- ret = wc_RsaPad(in, inLen, out, sz, RSA_BLOCK_TYPE_2, rng);
- if (ret != 0)
- return ret;
+ #ifdef WC_RSA_BLINDING
+ /* unblind */
+ if (ret == 0 && mp_mulmod(tmp, rndi, &key->n, tmp) != MP_OKAY)
+ ret = MP_MULMOD_E;
+ #endif /* WC_RSA_BLINDING */
+
+ break;
+ }
+ #endif
+ case RSA_PUBLIC_ENCRYPT:
+ case RSA_PUBLIC_DECRYPT:
+ #ifdef WOLFSSL_XILINX_CRYPT
+ ret = wc_RsaFunctionXil(in, inLen, out, outLen, type, key, rng);
+ #else
+ if (mp_exptmod_nct(tmp, &key->e, &key->n, tmp) != MP_OKAY)
+ ret = MP_EXPTMOD_E;
+ #endif
+ break;
+ default:
+ ret = RSA_WRONG_TYPE_E;
+ break;
+ }
+ }
- if ((ret = wc_RsaFunction(out, sz, out, &outLen,
- RSA_PUBLIC_ENCRYPT, key)) < 0)
- sz = ret;
+ if (ret == 0) {
+ keyLen = wc_RsaEncryptSize(key);
+ if (keyLen > *outLen)
+ ret = RSA_BUFFER_E;
+ }
+ if (ret == 0) {
+ *outLen = keyLen;
+ if (mp_to_unsigned_bin_len(tmp, out, keyLen) != MP_OKAY)
+ ret = MP_TO_E;
+ }
+#else
+ (void)type;
+ (void)key;
+ (void)keyLen;
+ XMEMCPY(out, in, inLen);
+ *outLen = inLen;
+#endif
- return sz;
+ mp_clear(tmp);
+#ifdef WOLFSSL_SMALL_STACK
+ XFREE(tmp, key->heap, DYNAMIC_TYPE_RSA);
+#endif
+#ifdef WC_RSA_BLINDING
+ if (type == RSA_PRIVATE_DECRYPT || type == RSA_PRIVATE_ENCRYPT) {
+ mp_clear(rndi);
+ mp_clear(rnd);
+ }
+#ifdef WOLFSSL_SMALL_STACK
+ XFREE(rnd, key->heap, DYNAMIC_TYPE_RSA);
+#endif
+#endif /* WC_RSA_BLINDING */
+ return ret;
+#endif /* WOLFSSL_SP_MATH */
}
+#endif
+
+#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_RSA)
+static int wc_RsaFunctionAsync(const byte* in, word32 inLen, byte* out,
+ word32* outLen, int type, RsaKey* key, WC_RNG* rng)
+{
+ int ret = 0;
+
+ (void)rng;
+
+#ifdef WOLFSSL_ASYNC_CRYPT_TEST
+ if (wc_AsyncTestInit(&key->asyncDev, ASYNC_TEST_RSA_FUNC)) {
+ WC_ASYNC_TEST* testDev = &key->asyncDev.test;
+ testDev->rsaFunc.in = in;
+ testDev->rsaFunc.inSz = inLen;
+ testDev->rsaFunc.out = out;
+ testDev->rsaFunc.outSz = outLen;
+ testDev->rsaFunc.type = type;
+ testDev->rsaFunc.key = key;
+ testDev->rsaFunc.rng = rng;
+ return WC_PENDING_E;
+ }
+#endif /* WOLFSSL_ASYNC_CRYPT_TEST */
+
+ switch(type) {
+#ifndef WOLFSSL_RSA_PUBLIC_ONLY
+ case RSA_PRIVATE_DECRYPT:
+ case RSA_PRIVATE_ENCRYPT:
+ #ifdef HAVE_CAVIUM
+ key->dataLen = key->n.raw.len;
+ ret = NitroxRsaExptMod(in, inLen,
+ key->d.raw.buf, key->d.raw.len,
+ key->n.raw.buf, key->n.raw.len,
+ out, outLen, key);
+ #elif defined(HAVE_INTEL_QA)
+ #ifdef RSA_LOW_MEM
+ ret = IntelQaRsaPrivate(&key->asyncDev, in, inLen,
+ &key->d.raw, &key->n.raw,
+ out, outLen);
+ #else
+ ret = IntelQaRsaCrtPrivate(&key->asyncDev, in, inLen,
+ &key->p.raw, &key->q.raw,
+ &key->dP.raw, &key->dQ.raw,
+ &key->u.raw,
+ out, outLen);
+ #endif
+ #else /* WOLFSSL_ASYNC_CRYPT_TEST */
+ ret = wc_RsaFunctionSync(in, inLen, out, outLen, type, key, rng);
+ #endif
+ break;
+#endif
+ case RSA_PUBLIC_ENCRYPT:
+ case RSA_PUBLIC_DECRYPT:
+ #ifdef HAVE_CAVIUM
+ key->dataLen = key->n.raw.len;
+ ret = NitroxRsaExptMod(in, inLen,
+ key->e.raw.buf, key->e.raw.len,
+ key->n.raw.buf, key->n.raw.len,
+ out, outLen, key);
+ #elif defined(HAVE_INTEL_QA)
+ ret = IntelQaRsaPublic(&key->asyncDev, in, inLen,
+ &key->e.raw, &key->n.raw,
+ out, outLen);
+ #else /* WOLFSSL_ASYNC_CRYPT_TEST */
+ ret = wc_RsaFunctionSync(in, inLen, out, outLen, type, key, rng);
+ #endif
+ break;
-int wc_RsaPrivateDecryptInline(byte* in, word32 inLen, byte** out, RsaKey* key)
+ default:
+ ret = RSA_WRONG_TYPE_E;
+ }
+
+ return ret;
+}
+#endif /* WOLFSSL_ASYNC_CRYPT && WC_ASYNC_ENABLE_RSA */
+
+#if defined(WC_RSA_DIRECT) || defined(WC_RSA_NO_PADDING)
+/* Function that does the RSA operation directly with no padding.
+ *
+ * in buffer to do operation on
+ * inLen length of input buffer
+ * out buffer to hold results
+ * outSz gets set to size of result buffer. Should be passed in as length
+ * of out buffer. If the pointer "out" is null then outSz gets set to
+ * the expected buffer size needed and LENGTH_ONLY_E gets returned.
+ * key RSA key to use for encrypt/decrypt
+ * type if using private or public key {RSA_PUBLIC_ENCRYPT,
+ * RSA_PUBLIC_DECRYPT, RSA_PRIVATE_ENCRYPT, RSA_PRIVATE_DECRYPT}
+ * rng wolfSSL RNG to use if needed
+ *
+ * returns size of result on success
+ */
+int wc_RsaDirect(byte* in, word32 inLen, byte* out, word32* outSz,
+ RsaKey* key, int type, WC_RNG* rng)
{
int ret;
-#ifdef HAVE_CAVIUM
- if (key->magic == WOLFSSL_RSA_CAVIUM_MAGIC) {
- ret = CaviumRsaPrivateDecrypt(in, inLen, in, inLen, key);
- if (ret > 0)
- *out = in;
- return ret;
+ if (in == NULL || outSz == NULL || key == NULL) {
+ return BAD_FUNC_ARG;
}
-#endif
- if ((ret = wc_RsaFunction(in, inLen, in, &inLen, RSA_PRIVATE_DECRYPT, key))
- < 0) {
+ /* sanity check on type of RSA operation */
+ switch (type) {
+ case RSA_PUBLIC_ENCRYPT:
+ case RSA_PUBLIC_DECRYPT:
+ case RSA_PRIVATE_ENCRYPT:
+ case RSA_PRIVATE_DECRYPT:
+ break;
+ default:
+ WOLFSSL_MSG("Bad RSA type");
+ return BAD_FUNC_ARG;
+ }
+
+ if ((ret = wc_RsaEncryptSize(key)) < 0) {
+ return BAD_FUNC_ARG;
+ }
+
+ if (inLen != (word32)ret) {
+ WOLFSSL_MSG("Bad input length. Should be RSA key size");
+ return BAD_FUNC_ARG;
+ }
+
+ if (out == NULL) {
+ *outSz = inLen;
+ return LENGTH_ONLY_E;
+ }
+
+ switch (key->state) {
+ case RSA_STATE_NONE:
+ case RSA_STATE_ENCRYPT_PAD:
+ case RSA_STATE_ENCRYPT_EXPTMOD:
+ case RSA_STATE_DECRYPT_EXPTMOD:
+ case RSA_STATE_DECRYPT_UNPAD:
+ key->state = (type == RSA_PRIVATE_ENCRYPT ||
+ type == RSA_PUBLIC_ENCRYPT) ? RSA_STATE_ENCRYPT_EXPTMOD:
+ RSA_STATE_DECRYPT_EXPTMOD;
+
+ key->dataLen = *outSz;
+
+ ret = wc_RsaFunction(in, inLen, out, &key->dataLen, type, key, rng);
+ if (ret >= 0 || ret == WC_PENDING_E) {
+ key->state = (type == RSA_PRIVATE_ENCRYPT ||
+ type == RSA_PUBLIC_ENCRYPT) ? RSA_STATE_ENCRYPT_RES:
+ RSA_STATE_DECRYPT_RES;
+ }
+ if (ret < 0) {
+ break;
+ }
+
+ FALL_THROUGH;
+
+ case RSA_STATE_ENCRYPT_RES:
+ case RSA_STATE_DECRYPT_RES:
+ ret = key->dataLen;
+ break;
+
+ default:
+ ret = BAD_STATE_E;
+ }
+
+ /* if async pending then skip cleanup*/
+ if (ret == WC_PENDING_E
+ #ifdef WC_RSA_NONBLOCK
+ || ret == FP_WOULDBLOCK
+ #endif
+ ) {
return ret;
}
-
- return RsaUnPad(in, inLen, out, RSA_BLOCK_TYPE_2);
+
+ key->state = RSA_STATE_NONE;
+ wc_RsaCleanup(key);
+
+ return ret;
}
+#endif /* WC_RSA_DIRECT || WC_RSA_NO_PADDING */
+#if defined(WOLFSSL_CRYPTOCELL)
+static int cc310_RsaPublicEncrypt(const byte* in, word32 inLen, byte* out,
+ word32 outLen, RsaKey* key)
+{
+ CRYSError_t ret = 0;
+ CRYS_RSAPrimeData_t primeData;
+ int modulusSize = wc_RsaEncryptSize(key);
-int wc_RsaPrivateDecrypt(const byte* in, word32 inLen, byte* out, word32 outLen,
- RsaKey* key)
+ /* The out buffer must be at least modulus size bytes long. */
+ if (outLen < modulusSize)
+ return BAD_FUNC_ARG;
+
+ ret = CRYS_RSA_PKCS1v15_Encrypt(&wc_rndState,
+ wc_rndGenVectFunc,
+ &key->ctx.pubKey,
+ &primeData,
+ (byte*)in,
+ inLen,
+ out);
+
+ if (ret != SA_SILIB_RET_OK){
+ WOLFSSL_MSG("CRYS_RSA_PKCS1v15_Encrypt failed");
+ return -1;
+ }
+
+ return modulusSize;
+}
+static int cc310_RsaPublicDecrypt(const byte* in, word32 inLen, byte* out,
+ word32 outLen, RsaKey* key)
{
- int plainLen;
- byte* tmp;
- byte* pad = 0;
+ CRYSError_t ret = 0;
+ CRYS_RSAPrimeData_t primeData;
+ uint16_t actualOutLen = outLen;
+
+ ret = CRYS_RSA_PKCS1v15_Decrypt(&key->ctx.privKey,
+ &primeData,
+ (byte*)in,
+ inLen,
+ out,
+ &actualOutLen);
+
+ if (ret != SA_SILIB_RET_OK){
+ WOLFSSL_MSG("CRYS_RSA_PKCS1v15_Decrypt failed");
+ return -1;
+ }
+ return actualOutLen;
+}
-#ifdef HAVE_CAVIUM
- if (key->magic == WOLFSSL_RSA_CAVIUM_MAGIC)
- return CaviumRsaPrivateDecrypt(in, inLen, out, outLen, key);
-#endif
+int cc310_RsaSSL_Sign(const byte* in, word32 inLen, byte* out,
+ word32 outLen, RsaKey* key, CRYS_RSA_HASH_OpMode_t mode)
+{
+ CRYSError_t ret = 0;
+ uint16_t actualOutLen = outLen*sizeof(byte);
+ CRYS_RSAPrivUserContext_t contextPrivate;
+
+ ret = CRYS_RSA_PKCS1v15_Sign(&wc_rndState,
+ wc_rndGenVectFunc,
+ &contextPrivate,
+ &key->ctx.privKey,
+ mode,
+ (byte*)in,
+ inLen,
+ out,
+ &actualOutLen);
+
+ if (ret != SA_SILIB_RET_OK){
+ WOLFSSL_MSG("CRYS_RSA_PKCS1v15_Sign failed");
+ return -1;
+ }
+ return actualOutLen;
+}
- tmp = (byte*)XMALLOC(inLen, key->heap, DYNAMIC_TYPE_RSA);
- if (tmp == NULL) {
- return MEMORY_E;
+int cc310_RsaSSL_Verify(const byte* in, word32 inLen, byte* sig,
+ RsaKey* key, CRYS_RSA_HASH_OpMode_t mode)
+{
+ CRYSError_t ret = 0;
+ CRYS_RSAPubUserContext_t contextPub;
+
+ /* verify the signature in the sig pointer */
+ ret = CRYS_RSA_PKCS1v15_Verify(&contextPub,
+ &key->ctx.pubKey,
+ mode,
+ (byte*)in,
+ inLen,
+ sig);
+
+ if (ret != SA_SILIB_RET_OK){
+ WOLFSSL_MSG("CRYS_RSA_PKCS1v15_Verify failed");
+ return -1;
}
- XMEMCPY(tmp, in, inLen);
+ return ret;
+}
+#endif /* WOLFSSL_CRYPTOCELL */
- if ( (plainLen = wc_RsaPrivateDecryptInline(tmp, inLen, &pad, key) ) < 0) {
- XFREE(tmp, key->heap, DYNAMIC_TYPE_RSA);
- return plainLen;
+int wc_RsaFunction(const byte* in, word32 inLen, byte* out,
+ word32* outLen, int type, RsaKey* key, WC_RNG* rng)
+{
+ int ret = 0;
+
+ if (key == NULL || in == NULL || inLen == 0 || out == NULL ||
+ outLen == NULL || *outLen == 0 || type == RSA_TYPE_UNKNOWN) {
+ return BAD_FUNC_ARG;
+ }
+
+#ifdef WOLF_CRYPTO_CB
+ if (key->devId != INVALID_DEVID) {
+ ret = wc_CryptoCb_Rsa(in, inLen, out, outLen, type, key, rng);
+ if (ret != CRYPTOCB_UNAVAILABLE)
+ return ret;
+ /* fall-through when unavailable */
+ ret = 0; /* reset error code and try using software */
+ }
+#endif
+
+#ifndef TEST_UNPAD_CONSTANT_TIME
+#ifndef NO_RSA_BOUNDS_CHECK
+ if (type == RSA_PRIVATE_DECRYPT &&
+ key->state == RSA_STATE_DECRYPT_EXPTMOD) {
+
+ /* Check that 1 < in < n-1. (Requirement of 800-56B.) */
+#ifdef WOLFSSL_SMALL_STACK
+ mp_int* c;
+#else
+ mp_int c[1];
+#endif
+
+#ifdef WOLFSSL_SMALL_STACK
+ c = (mp_int*)XMALLOC(sizeof(mp_int), key->heap, DYNAMIC_TYPE_RSA);
+ if (c == NULL)
+ ret = MEMORY_E;
+#endif
+
+ if (mp_init(c) != MP_OKAY)
+ ret = MEMORY_E;
+ if (ret == 0) {
+ if (mp_read_unsigned_bin(c, in, inLen) != 0)
+ ret = MP_READ_E;
+ }
+ if (ret == 0) {
+ /* check c > 1 */
+ if (mp_cmp_d(c, 1) != MP_GT)
+ ret = RSA_OUT_OF_RANGE_E;
+ }
+ if (ret == 0) {
+ /* add c+1 */
+ if (mp_add_d(c, 1, c) != MP_OKAY)
+ ret = MP_ADD_E;
+ }
+ if (ret == 0) {
+ /* check c+1 < n */
+ if (mp_cmp(c, &key->n) != MP_LT)
+ ret = RSA_OUT_OF_RANGE_E;
+ }
+ mp_clear(c);
+
+#ifdef WOLFSSL_SMALL_STACK
+ XFREE(c, key->heap, DYNAMIC_TYPE_RSA);
+#endif
+
+ if (ret != 0)
+ return ret;
+ }
+#endif /* NO_RSA_BOUNDS_CHECK */
+#endif
+
+#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_RSA)
+ if (key->asyncDev.marker == WOLFSSL_ASYNC_MARKER_RSA &&
+ key->n.raw.len > 0) {
+ ret = wc_RsaFunctionAsync(in, inLen, out, outLen, type, key, rng);
+ }
+ else
+#endif
+#ifdef WC_RSA_NONBLOCK
+ if (key->nb) {
+ ret = wc_RsaFunctionNonBlock(in, inLen, out, outLen, type, key);
}
- if (plainLen > (int)outLen)
- plainLen = BAD_FUNC_ARG;
else
- XMEMCPY(out, pad, plainLen);
+#endif
+ {
+ ret = wc_RsaFunctionSync(in, inLen, out, outLen, type, key, rng);
+ }
- ForceZero(tmp, inLen);
- XFREE(tmp, key->heap, DYNAMIC_TYPE_RSA);
+ /* handle error */
+ if (ret < 0 && ret != WC_PENDING_E
+ #ifdef WC_RSA_NONBLOCK
+ && ret != FP_WOULDBLOCK
+ #endif
+ ) {
+ if (ret == MP_EXPTMOD_E) {
+ /* This can happen due to incorrectly set FP_MAX_BITS or missing XREALLOC */
+ WOLFSSL_MSG("RSA_FUNCTION MP_EXPTMOD_E: memory/config problem");
+ }
+
+ key->state = RSA_STATE_NONE;
+ wc_RsaCleanup(key);
+ }
- return plainLen;
+ return ret;
}
-/* for Rsa Verify */
-int wc_RsaSSL_VerifyInline(byte* in, word32 inLen, byte** out, RsaKey* key)
+#ifndef WOLFSSL_RSA_VERIFY_ONLY
+/* Internal Wrappers */
+/* Gives the option of choosing padding type
+ in : input to be encrypted
+ inLen: length of input buffer
+ out: encrypted output
+ outLen: length of encrypted output buffer
+ key : wolfSSL initialized RSA key struct
+ rng : wolfSSL initialized random number struct
+ rsa_type : type of RSA: RSA_PUBLIC_ENCRYPT, RSA_PUBLIC_DECRYPT,
+ RSA_PRIVATE_ENCRYPT or RSA_PRIVATE_DECRYPT
+ pad_value: RSA_BLOCK_TYPE_1 or RSA_BLOCK_TYPE_2
+ pad_type : type of padding: WC_RSA_PKCSV15_PAD, WC_RSA_OAEP_PAD,
+ WC_RSA_NO_PAD or WC_RSA_PSS_PAD
+ hash : type of hash algorithm to use found in wolfssl/wolfcrypt/hash.h
+ mgf : type of mask generation function to use
+ label : optional label
+ labelSz : size of optional label buffer
+ saltLen : Length of salt used in PSS
+ rng : random number generator */
+static int RsaPublicEncryptEx(const byte* in, word32 inLen, byte* out,
+ word32 outLen, RsaKey* key, int rsa_type,
+ byte pad_value, int pad_type,
+ enum wc_HashType hash, int mgf,
+ byte* label, word32 labelSz, int saltLen,
+ WC_RNG* rng)
{
- int ret;
+ int ret, sz;
+
+ if (in == NULL || inLen == 0 || out == NULL || key == NULL) {
+ return BAD_FUNC_ARG;
+ }
+
+ sz = wc_RsaEncryptSize(key);
+ if (sz > (int)outLen) {
+ return RSA_BUFFER_E;
+ }
+
+ if (sz < RSA_MIN_PAD_SZ) {
+ return WC_KEY_SIZE_E;
+ }
+
+ if (inLen > (word32)(sz - RSA_MIN_PAD_SZ)) {
+#ifdef WC_RSA_NO_PADDING
+ /* In the case that no padding is used the input length can and should
+ * be the same size as the RSA key. */
+ if (pad_type != WC_RSA_NO_PAD)
+#endif
+ return RSA_BUFFER_E;
+ }
+
+ switch (key->state) {
+ case RSA_STATE_NONE:
+ case RSA_STATE_ENCRYPT_PAD:
+ #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_RSA) && \
+ defined(HAVE_CAVIUM)
+ if (key->asyncDev.marker == WOLFSSL_ASYNC_MARKER_RSA &&
+ pad_type != WC_RSA_PSS_PAD && key->n.raw.buf) {
+ /* Async operations that include padding */
+ if (rsa_type == RSA_PUBLIC_ENCRYPT &&
+ pad_value == RSA_BLOCK_TYPE_2) {
+ key->state = RSA_STATE_ENCRYPT_RES;
+ key->dataLen = key->n.raw.len;
+ return NitroxRsaPublicEncrypt(in, inLen, out, outLen, key);
+ }
+ else if (rsa_type == RSA_PRIVATE_ENCRYPT &&
+ pad_value == RSA_BLOCK_TYPE_1) {
+ key->state = RSA_STATE_ENCRYPT_RES;
+ key->dataLen = key->n.raw.len;
+ return NitroxRsaSSL_Sign(in, inLen, out, outLen, key);
+ }
+ }
+ #elif defined(WOLFSSL_CRYPTOCELL)
+ if (rsa_type == RSA_PUBLIC_ENCRYPT &&
+ pad_value == RSA_BLOCK_TYPE_2) {
-#ifdef HAVE_CAVIUM
- if (key->magic == WOLFSSL_RSA_CAVIUM_MAGIC) {
- ret = CaviumRsaSSL_Verify(in, inLen, in, inLen, key);
- if (ret > 0)
- *out = in;
+ return cc310_RsaPublicEncrypt(in, inLen, out, outLen, key);
+ }
+ else if (rsa_type == RSA_PRIVATE_ENCRYPT &&
+ pad_value == RSA_BLOCK_TYPE_1) {
+ return cc310_RsaSSL_Sign(in, inLen, out, outLen, key,
+ cc310_hashModeRSA(hash, 0));
+ }
+ #endif /* WOLFSSL_CRYPTOCELL */
+
+ key->state = RSA_STATE_ENCRYPT_PAD;
+ ret = wc_RsaPad_ex(in, inLen, out, sz, pad_value, rng, pad_type, hash,
+ mgf, label, labelSz, saltLen, mp_count_bits(&key->n),
+ key->heap);
+ if (ret < 0) {
+ break;
+ }
+
+ key->state = RSA_STATE_ENCRYPT_EXPTMOD;
+ FALL_THROUGH;
+
+ case RSA_STATE_ENCRYPT_EXPTMOD:
+
+ key->dataLen = outLen;
+ ret = wc_RsaFunction(out, sz, out, &key->dataLen, rsa_type, key, rng);
+
+ if (ret >= 0 || ret == WC_PENDING_E) {
+ key->state = RSA_STATE_ENCRYPT_RES;
+ }
+ if (ret < 0) {
+ break;
+ }
+
+ FALL_THROUGH;
+
+ case RSA_STATE_ENCRYPT_RES:
+ ret = key->dataLen;
+ break;
+
+ default:
+ ret = BAD_STATE_E;
+ break;
+ }
+
+ /* if async pending then return and skip done cleanup below */
+ if (ret == WC_PENDING_E
+ #ifdef WC_RSA_NONBLOCK
+ || ret == FP_WOULDBLOCK
+ #endif
+ ) {
return ret;
}
+
+ key->state = RSA_STATE_NONE;
+ wc_RsaCleanup(key);
+
+ return ret;
+}
+
#endif
- if ((ret = wc_RsaFunction(in, inLen, in, &inLen, RSA_PUBLIC_DECRYPT, key))
- < 0) {
+/* Gives the option of choosing padding type
+ in : input to be decrypted
+ inLen: length of input buffer
+ out: decrypted message
+ outLen: length of decrypted message in bytes
+ outPtr: optional inline output pointer (if provided doing inline)
+ key : wolfSSL initialized RSA key struct
+ rsa_type : type of RSA: RSA_PUBLIC_ENCRYPT, RSA_PUBLIC_DECRYPT,
+ RSA_PRIVATE_ENCRYPT or RSA_PRIVATE_DECRYPT
+ pad_value: RSA_BLOCK_TYPE_1 or RSA_BLOCK_TYPE_2
+ pad_type : type of padding: WC_RSA_PKCSV15_PAD, WC_RSA_OAEP_PAD,
+ WC_RSA_NO_PAD, WC_RSA_PSS_PAD
+ hash : type of hash algorithm to use found in wolfssl/wolfcrypt/hash.h
+ mgf : type of mask generation function to use
+ label : optional label
+ labelSz : size of optional label buffer
+ saltLen : Length of salt used in PSS
+ rng : random number generator */
+static int RsaPrivateDecryptEx(byte* in, word32 inLen, byte* out,
+ word32 outLen, byte** outPtr, RsaKey* key,
+ int rsa_type, byte pad_value, int pad_type,
+ enum wc_HashType hash, int mgf,
+ byte* label, word32 labelSz, int saltLen,
+ WC_RNG* rng)
+{
+ int ret = RSA_WRONG_TYPE_E;
+ byte* pad = NULL;
+
+ if (in == NULL || inLen == 0 || out == NULL || key == NULL) {
+ return BAD_FUNC_ARG;
+ }
+
+ switch (key->state) {
+ case RSA_STATE_NONE:
+ key->dataLen = inLen;
+
+ #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_RSA) && \
+ defined(HAVE_CAVIUM)
+ /* Async operations that include padding */
+ if (key->asyncDev.marker == WOLFSSL_ASYNC_MARKER_RSA &&
+ pad_type != WC_RSA_PSS_PAD) {
+#ifndef WOLFSSL_RSA_PUBLIC_ONLY
+ if (rsa_type == RSA_PRIVATE_DECRYPT &&
+ pad_value == RSA_BLOCK_TYPE_2) {
+ key->state = RSA_STATE_DECRYPT_RES;
+ key->data = NULL;
+ return NitroxRsaPrivateDecrypt(in, inLen, out, &key->dataLen,
+ key);
+#endif
+ }
+ else if (rsa_type == RSA_PUBLIC_DECRYPT &&
+ pad_value == RSA_BLOCK_TYPE_1) {
+ key->state = RSA_STATE_DECRYPT_RES;
+ key->data = NULL;
+ return NitroxRsaSSL_Verify(in, inLen, out, &key->dataLen, key);
+ }
+ }
+ #elif defined(WOLFSSL_CRYPTOCELL)
+ if (rsa_type == RSA_PRIVATE_DECRYPT &&
+ pad_value == RSA_BLOCK_TYPE_2) {
+ ret = cc310_RsaPublicDecrypt(in, inLen, out, outLen, key);
+ if (outPtr != NULL)
+ *outPtr = out; /* for inline */
+ return ret;
+ }
+ else if (rsa_type == RSA_PUBLIC_DECRYPT &&
+ pad_value == RSA_BLOCK_TYPE_1) {
+ return cc310_RsaSSL_Verify(in, inLen, out, key,
+ cc310_hashModeRSA(hash, 0));
+ }
+ #endif /* WOLFSSL_CRYPTOCELL */
+
+
+#if !defined(WOLFSSL_RSA_VERIFY_ONLY) && !defined(WOLFSSL_RSA_VERIFY_INLINE)
+ /* verify the tmp ptr is NULL, otherwise indicates bad state */
+ if (key->data != NULL) {
+ ret = BAD_STATE_E;
+ break;
+ }
+
+ /* if not doing this inline then allocate a buffer for it */
+ if (outPtr == NULL) {
+ key->data = (byte*)XMALLOC(inLen, key->heap,
+ DYNAMIC_TYPE_WOLF_BIGINT);
+ key->dataIsAlloc = 1;
+ if (key->data == NULL) {
+ ret = MEMORY_E;
+ break;
+ }
+ XMEMCPY(key->data, in, inLen);
+ }
+ else {
+ key->data = out;
+ }
+#endif
+
+ key->state = RSA_STATE_DECRYPT_EXPTMOD;
+ FALL_THROUGH;
+
+ case RSA_STATE_DECRYPT_EXPTMOD:
+#if !defined(WOLFSSL_RSA_VERIFY_ONLY) && !defined(WOLFSSL_RSA_VERIFY_INLINE)
+ ret = wc_RsaFunction(key->data, inLen, key->data, &key->dataLen,
+ rsa_type, key, rng);
+#else
+ ret = wc_RsaFunction(in, inLen, out, &key->dataLen, rsa_type, key, rng);
+#endif
+
+ if (ret >= 0 || ret == WC_PENDING_E) {
+ key->state = RSA_STATE_DECRYPT_UNPAD;
+ }
+ if (ret < 0) {
+ break;
+ }
+
+ FALL_THROUGH;
+
+ case RSA_STATE_DECRYPT_UNPAD:
+#if !defined(WOLFSSL_RSA_VERIFY_ONLY) && !defined(WOLFSSL_RSA_VERIFY_INLINE)
+ ret = wc_RsaUnPad_ex(key->data, key->dataLen, &pad, pad_value, pad_type,
+ hash, mgf, label, labelSz, saltLen,
+ mp_count_bits(&key->n), key->heap);
+#else
+ ret = wc_RsaUnPad_ex(out, key->dataLen, &pad, pad_value, pad_type, hash,
+ mgf, label, labelSz, saltLen,
+ mp_count_bits(&key->n), key->heap);
+#endif
+ if (rsa_type == RSA_PUBLIC_DECRYPT && ret > (int)outLen)
+ ret = RSA_BUFFER_E;
+ else if (ret >= 0 && pad != NULL) {
+#if !defined(WOLFSSL_RSA_VERIFY_ONLY) && !defined(WOLFSSL_RSA_VERIFY_INLINE)
+ signed char c;
+#endif
+
+ /* only copy output if not inline */
+ if (outPtr == NULL) {
+#if !defined(WOLFSSL_RSA_VERIFY_ONLY) && !defined(WOLFSSL_RSA_VERIFY_INLINE)
+ if (rsa_type == RSA_PRIVATE_DECRYPT) {
+ word32 i, j;
+ int start = (int)((size_t)pad - (size_t)key->data);
+
+ for (i = 0, j = 0; j < key->dataLen; j++) {
+ out[i] = key->data[j];
+ c = ctMaskGTE(j, start);
+ c &= ctMaskLT(i, outLen);
+ /* 0 - no add, -1 add */
+ i += (word32)((byte)(-c));
+ }
+ }
+ else
+#endif
+ {
+ XMEMCPY(out, pad, ret);
+ }
+ }
+ else
+ *outPtr = pad;
+
+#if !defined(WOLFSSL_RSA_VERIFY_ONLY)
+ ret = ctMaskSelInt(ctMaskLTE(ret, outLen), ret, RSA_BUFFER_E);
+ ret = ctMaskSelInt(ctMaskNotEq(ret, 0), ret, RSA_BUFFER_E);
+#else
+ if (outLen < (word32)ret)
+ ret = RSA_BUFFER_E;
+#endif
+ }
+
+ key->state = RSA_STATE_DECRYPT_RES;
+ FALL_THROUGH;
+
+ case RSA_STATE_DECRYPT_RES:
+ #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_RSA) && \
+ defined(HAVE_CAVIUM)
+ if (key->asyncDev.marker == WOLFSSL_ASYNC_MARKER_RSA &&
+ pad_type != WC_RSA_PSS_PAD) {
+ if (ret > 0) {
+ /* convert result */
+ byte* dataLen = (byte*)&key->dataLen;
+ ret = (dataLen[0] << 8) | (dataLen[1]);
+
+ if (outPtr)
+ *outPtr = in;
+ }
+ }
+ #endif
+ break;
+
+ default:
+ ret = BAD_STATE_E;
+ break;
+ }
+
+ /* if async pending then return and skip done cleanup below */
+ if (ret == WC_PENDING_E
+ #ifdef WC_RSA_NONBLOCK
+ || ret == FP_WOULDBLOCK
+ #endif
+ ) {
return ret;
}
-
- return RsaUnPad(in, inLen, out, RSA_BLOCK_TYPE_1);
+
+ key->state = RSA_STATE_NONE;
+ wc_RsaCleanup(key);
+
+ return ret;
+}
+
+
+#ifndef WOLFSSL_RSA_VERIFY_ONLY
+/* Public RSA Functions */
+int wc_RsaPublicEncrypt(const byte* in, word32 inLen, byte* out, word32 outLen,
+ RsaKey* key, WC_RNG* rng)
+{
+ return RsaPublicEncryptEx(in, inLen, out, outLen, key,
+ RSA_PUBLIC_ENCRYPT, RSA_BLOCK_TYPE_2, WC_RSA_PKCSV15_PAD,
+ WC_HASH_TYPE_NONE, WC_MGF1NONE, NULL, 0, 0, rng);
+}
+
+
+#if !defined(WC_NO_RSA_OAEP) || defined(WC_RSA_NO_PADDING)
+int wc_RsaPublicEncrypt_ex(const byte* in, word32 inLen, byte* out,
+ word32 outLen, RsaKey* key, WC_RNG* rng, int type,
+ enum wc_HashType hash, int mgf, byte* label,
+ word32 labelSz)
+{
+ return RsaPublicEncryptEx(in, inLen, out, outLen, key, RSA_PUBLIC_ENCRYPT,
+ RSA_BLOCK_TYPE_2, type, hash, mgf, label, labelSz, 0, rng);
+}
+#endif /* WC_NO_RSA_OAEP */
+#endif
+
+
+#ifndef WOLFSSL_RSA_PUBLIC_ONLY
+int wc_RsaPrivateDecryptInline(byte* in, word32 inLen, byte** out, RsaKey* key)
+{
+ WC_RNG* rng;
+#ifdef WC_RSA_BLINDING
+ rng = key->rng;
+#else
+ rng = NULL;
+#endif
+ return RsaPrivateDecryptEx(in, inLen, in, inLen, out, key,
+ RSA_PRIVATE_DECRYPT, RSA_BLOCK_TYPE_2, WC_RSA_PKCSV15_PAD,
+ WC_HASH_TYPE_NONE, WC_MGF1NONE, NULL, 0, 0, rng);
}
+#ifndef WC_NO_RSA_OAEP
+int wc_RsaPrivateDecryptInline_ex(byte* in, word32 inLen, byte** out,
+ RsaKey* key, int type, enum wc_HashType hash,
+ int mgf, byte* label, word32 labelSz)
+{
+ WC_RNG* rng;
+#ifdef WC_RSA_BLINDING
+ rng = key->rng;
+#else
+ rng = NULL;
+#endif
+ return RsaPrivateDecryptEx(in, inLen, in, inLen, out, key,
+ RSA_PRIVATE_DECRYPT, RSA_BLOCK_TYPE_2, type, hash,
+ mgf, label, labelSz, 0, rng);
+}
+#endif /* WC_NO_RSA_OAEP */
+
+
+int wc_RsaPrivateDecrypt(const byte* in, word32 inLen, byte* out,
+ word32 outLen, RsaKey* key)
+{
+ WC_RNG* rng;
+#ifdef WC_RSA_BLINDING
+ rng = key->rng;
+#else
+ rng = NULL;
+#endif
+ return RsaPrivateDecryptEx((byte*)in, inLen, out, outLen, NULL, key,
+ RSA_PRIVATE_DECRYPT, RSA_BLOCK_TYPE_2, WC_RSA_PKCSV15_PAD,
+ WC_HASH_TYPE_NONE, WC_MGF1NONE, NULL, 0, 0, rng);
+}
+
+#if !defined(WC_NO_RSA_OAEP) || defined(WC_RSA_NO_PADDING)
+int wc_RsaPrivateDecrypt_ex(const byte* in, word32 inLen, byte* out,
+ word32 outLen, RsaKey* key, int type,
+ enum wc_HashType hash, int mgf, byte* label,
+ word32 labelSz)
+{
+ WC_RNG* rng;
+#ifdef WC_RSA_BLINDING
+ rng = key->rng;
+#else
+ rng = NULL;
+#endif
+ return RsaPrivateDecryptEx((byte*)in, inLen, out, outLen, NULL, key,
+ RSA_PRIVATE_DECRYPT, RSA_BLOCK_TYPE_2, type, hash, mgf, label,
+ labelSz, 0, rng);
+}
+#endif /* WC_NO_RSA_OAEP || WC_RSA_NO_PADDING */
+#endif /* WOLFSSL_RSA_PUBLIC_ONLY */
+
+#if !defined(WOLFSSL_CRYPTOCELL)
+int wc_RsaSSL_VerifyInline(byte* in, word32 inLen, byte** out, RsaKey* key)
+{
+ WC_RNG* rng;
+#ifdef WC_RSA_BLINDING
+ rng = key->rng;
+#else
+ rng = NULL;
+#endif
+ return RsaPrivateDecryptEx(in, inLen, in, inLen, out, key,
+ RSA_PUBLIC_DECRYPT, RSA_BLOCK_TYPE_1, WC_RSA_PKCSV15_PAD,
+ WC_HASH_TYPE_NONE, WC_MGF1NONE, NULL, 0, 0, rng);
+}
+#endif
+
+#ifndef WOLFSSL_RSA_VERIFY_ONLY
int wc_RsaSSL_Verify(const byte* in, word32 inLen, byte* out, word32 outLen,
- RsaKey* key)
+ RsaKey* key)
{
- int plainLen;
- byte* tmp;
- byte* pad = 0;
+ return wc_RsaSSL_Verify_ex(in, inLen, out, outLen, key , WC_RSA_PKCSV15_PAD);
+}
+
+int wc_RsaSSL_Verify_ex(const byte* in, word32 inLen, byte* out, word32 outLen,
+ RsaKey* key, int pad_type)
+{
+ WC_RNG* rng;
+
+ if (key == NULL) {
+ return BAD_FUNC_ARG;
+ }
-#ifdef HAVE_CAVIUM
- if (key->magic == WOLFSSL_RSA_CAVIUM_MAGIC)
- return CaviumRsaSSL_Verify(in, inLen, out, outLen, key);
+#ifdef WC_RSA_BLINDING
+ rng = key->rng;
+#else
+ rng = NULL;
#endif
- tmp = (byte*)XMALLOC(inLen, key->heap, DYNAMIC_TYPE_RSA);
- if (tmp == NULL) {
- return MEMORY_E;
+ return RsaPrivateDecryptEx((byte*)in, inLen, out, outLen, NULL, key,
+ RSA_PUBLIC_DECRYPT, RSA_BLOCK_TYPE_1, pad_type,
+ WC_HASH_TYPE_NONE, WC_MGF1NONE, NULL, 0, 0, rng);
+}
+#endif
+
+#ifdef WC_RSA_PSS
+/* Verify the message signed with RSA-PSS.
+ * The input buffer is reused for the output buffer.
+ * Salt length is equal to hash length.
+ *
+ * in Buffer holding encrypted data.
+ * inLen Length of data in buffer.
+ * out Pointer to address containing the PSS data.
+ * hash Hash algorithm.
+ * mgf Mask generation function.
+ * key Public RSA key.
+ * returns the length of the PSS data on success and negative indicates failure.
+ */
+int wc_RsaPSS_VerifyInline(byte* in, word32 inLen, byte** out,
+ enum wc_HashType hash, int mgf, RsaKey* key)
+{
+#ifndef WOLFSSL_PSS_SALT_LEN_DISCOVER
+ return wc_RsaPSS_VerifyInline_ex(in, inLen, out, hash, mgf,
+ RSA_PSS_SALT_LEN_DEFAULT, key);
+#else
+ return wc_RsaPSS_VerifyInline_ex(in, inLen, out, hash, mgf,
+ RSA_PSS_SALT_LEN_DISCOVER, key);
+#endif
+}
+
+/* Verify the message signed with RSA-PSS.
+ * The input buffer is reused for the output buffer.
+ *
+ * in Buffer holding encrypted data.
+ * inLen Length of data in buffer.
+ * out Pointer to address containing the PSS data.
+ * hash Hash algorithm.
+ * mgf Mask generation function.
+ * key Public RSA key.
+ * saltLen Length of salt used. RSA_PSS_SALT_LEN_DEFAULT (-1) indicates salt
+ * length is the same as the hash length. RSA_PSS_SALT_LEN_DISCOVER
+ * indicates salt length is determined from the data.
+ * returns the length of the PSS data on success and negative indicates failure.
+ */
+int wc_RsaPSS_VerifyInline_ex(byte* in, word32 inLen, byte** out,
+ enum wc_HashType hash, int mgf, int saltLen,
+ RsaKey* key)
+{
+ WC_RNG* rng;
+#ifdef WC_RSA_BLINDING
+ rng = key->rng;
+#else
+ rng = NULL;
+#endif
+ return RsaPrivateDecryptEx(in, inLen, in, inLen, out, key,
+ RSA_PUBLIC_DECRYPT, RSA_BLOCK_TYPE_1, WC_RSA_PSS_PAD,
+ hash, mgf, NULL, 0, saltLen, rng);
+}
+
+/* Verify the message signed with RSA-PSS.
+ * Salt length is equal to hash length.
+ *
+ * in Buffer holding encrypted data.
+ * inLen Length of data in buffer.
+ * out Pointer to address containing the PSS data.
+ * hash Hash algorithm.
+ * mgf Mask generation function.
+ * key Public RSA key.
+ * returns the length of the PSS data on success and negative indicates failure.
+ */
+int wc_RsaPSS_Verify(byte* in, word32 inLen, byte* out, word32 outLen,
+ enum wc_HashType hash, int mgf, RsaKey* key)
+{
+#ifndef WOLFSSL_PSS_SALT_LEN_DISCOVER
+ return wc_RsaPSS_Verify_ex(in, inLen, out, outLen, hash, mgf,
+ RSA_PSS_SALT_LEN_DEFAULT, key);
+#else
+ return wc_RsaPSS_Verify_ex(in, inLen, out, outLen, hash, mgf,
+ RSA_PSS_SALT_LEN_DISCOVER, key);
+#endif
+}
+
+/* Verify the message signed with RSA-PSS.
+ *
+ * in Buffer holding encrypted data.
+ * inLen Length of data in buffer.
+ * out Pointer to address containing the PSS data.
+ * hash Hash algorithm.
+ * mgf Mask generation function.
+ * key Public RSA key.
+ * saltLen Length of salt used. RSA_PSS_SALT_LEN_DEFAULT (-1) indicates salt
+ * length is the same as the hash length. RSA_PSS_SALT_LEN_DISCOVER
+ * indicates salt length is determined from the data.
+ * returns the length of the PSS data on success and negative indicates failure.
+ */
+int wc_RsaPSS_Verify_ex(byte* in, word32 inLen, byte* out, word32 outLen,
+ enum wc_HashType hash, int mgf, int saltLen,
+ RsaKey* key)
+{
+ WC_RNG* rng;
+#ifdef WC_RSA_BLINDING
+ rng = key->rng;
+#else
+ rng = NULL;
+#endif
+ return RsaPrivateDecryptEx(in, inLen, out, outLen, NULL, key,
+ RSA_PUBLIC_DECRYPT, RSA_BLOCK_TYPE_1, WC_RSA_PSS_PAD,
+ hash, mgf, NULL, 0, saltLen, rng);
+}
+
+
+/* Checks the PSS data to ensure that the signature matches.
+ * Salt length is equal to hash length.
+ *
+ * in Hash of the data that is being verified.
+ * inSz Length of hash.
+ * sig Buffer holding PSS data.
+ * sigSz Size of PSS data.
+ * hashType Hash algorithm.
+ * returns BAD_PADDING_E when the PSS data is invalid, BAD_FUNC_ARG when
+ * NULL is passed in to in or sig or inSz is not the same as the hash
+ * algorithm length and 0 on success.
+ */
+int wc_RsaPSS_CheckPadding(const byte* in, word32 inSz, byte* sig,
+ word32 sigSz, enum wc_HashType hashType)
+{
+ return wc_RsaPSS_CheckPadding_ex(in, inSz, sig, sigSz, hashType, inSz, 0);
+}
+
+/* Checks the PSS data to ensure that the signature matches.
+ *
+ * in Hash of the data that is being verified.
+ * inSz Length of hash.
+ * sig Buffer holding PSS data.
+ * sigSz Size of PSS data.
+ * hashType Hash algorithm.
+ * saltLen Length of salt used. RSA_PSS_SALT_LEN_DEFAULT (-1) indicates salt
+ * length is the same as the hash length. RSA_PSS_SALT_LEN_DISCOVER
+ * indicates salt length is determined from the data.
+ * returns BAD_PADDING_E when the PSS data is invalid, BAD_FUNC_ARG when
+ * NULL is passed in to in or sig or inSz is not the same as the hash
+ * algorithm length and 0 on success.
+ */
+int wc_RsaPSS_CheckPadding_ex(const byte* in, word32 inSz, byte* sig,
+ word32 sigSz, enum wc_HashType hashType,
+ int saltLen, int bits)
+{
+ int ret = 0;
+#ifndef WOLFSSL_PSS_LONG_SALT
+ byte sigCheck[WC_MAX_DIGEST_SIZE*2 + RSA_PSS_PAD_SZ];
+#else
+ byte *sigCheck = NULL;
+#endif
+
+ (void)bits;
+
+ if (in == NULL || sig == NULL ||
+ inSz != (word32)wc_HashGetDigestSize(hashType)) {
+ ret = BAD_FUNC_ARG;
}
- XMEMCPY(tmp, in, inLen);
+ if (ret == 0) {
+ if (saltLen == RSA_PSS_SALT_LEN_DEFAULT) {
+ saltLen = inSz;
+ #ifdef WOLFSSL_SHA512
+ /* See FIPS 186-4 section 5.5 item (e). */
+ if (bits == 1024 && inSz == WC_SHA512_DIGEST_SIZE) {
+ saltLen = RSA_PSS_SALT_MAX_SZ;
+ }
+ #endif
+ }
+#ifndef WOLFSSL_PSS_LONG_SALT
+ else if ((word32)saltLen > inSz) {
+ ret = PSS_SALTLEN_E;
+ }
+#endif
+#ifndef WOLFSSL_PSS_SALT_LEN_DISCOVER
+ else if (saltLen < RSA_PSS_SALT_LEN_DEFAULT) {
+ ret = PSS_SALTLEN_E;
+ }
+#else
+ else if (saltLen == RSA_PSS_SALT_LEN_DISCOVER) {
+ saltLen = sigSz - inSz;
+ if (saltLen < 0) {
+ ret = PSS_SALTLEN_E;
+ }
+ }
+ else if (saltLen < RSA_PSS_SALT_LEN_DISCOVER) {
+ ret = PSS_SALTLEN_E;
+ }
+#endif
+ }
- if ( (plainLen = wc_RsaSSL_VerifyInline(tmp, inLen, &pad, key) ) < 0) {
- XFREE(tmp, key->heap, DYNAMIC_TYPE_RSA);
- return plainLen;
+ /* Sig = Salt | Exp Hash */
+ if (ret == 0) {
+ if (sigSz != inSz + saltLen) {
+ ret = PSS_SALTLEN_E;
+ }
}
- if (plainLen > (int)outLen)
- plainLen = BAD_FUNC_ARG;
- else
- XMEMCPY(out, pad, plainLen);
+#ifdef WOLFSSL_PSS_LONG_SALT
+ if (ret == 0) {
+ sigCheck = (byte*)XMALLOC(RSA_PSS_PAD_SZ + inSz + saltLen, NULL,
+ DYNAMIC_TYPE_RSA_BUFFER);
+ if (sigCheck == NULL) {
+ ret = MEMORY_E;
+ }
+ }
+#endif
- ForceZero(tmp, inLen);
- XFREE(tmp, key->heap, DYNAMIC_TYPE_RSA);
+ /* Exp Hash = HASH(8 * 0x00 | Message Hash | Salt) */
+ if (ret == 0) {
+ XMEMSET(sigCheck, 0, RSA_PSS_PAD_SZ);
+ XMEMCPY(sigCheck + RSA_PSS_PAD_SZ, in, inSz);
+ XMEMCPY(sigCheck + RSA_PSS_PAD_SZ + inSz, sig, saltLen);
+ ret = wc_Hash(hashType, sigCheck, RSA_PSS_PAD_SZ + inSz + saltLen,
+ sigCheck, inSz);
+ }
+ if (ret == 0) {
+ if (XMEMCMP(sigCheck, sig + saltLen, inSz) != 0) {
+ WOLFSSL_MSG("RsaPSS_CheckPadding: Padding Error");
+ ret = BAD_PADDING_E;
+ }
+ }
- return plainLen;
+#ifdef WOLFSSL_PSS_LONG_SALT
+ if (sigCheck != NULL) {
+ XFREE(sigCheck, NULL, DYNAMIC_TYPE_RSA_BUFFER);
+ }
+#endif
+ return ret;
}
-/* for Rsa Sign */
-int wc_RsaSSL_Sign(const byte* in, word32 inLen, byte* out, word32 outLen,
- RsaKey* key, RNG* rng)
+/* Verify the message signed with RSA-PSS.
+ * The input buffer is reused for the output buffer.
+ * Salt length is equal to hash length.
+ *
+ * in Buffer holding encrypted data.
+ * inLen Length of data in buffer.
+ * out Pointer to address containing the PSS data.
+ * digest Hash of the data that is being verified.
+ * digestLen Length of hash.
+ * hash Hash algorithm.
+ * mgf Mask generation function.
+ * key Public RSA key.
+ * returns the length of the PSS data on success and negative indicates failure.
+ */
+int wc_RsaPSS_VerifyCheckInline(byte* in, word32 inLen, byte** out,
+ const byte* digest, word32 digestLen,
+ enum wc_HashType hash, int mgf, RsaKey* key)
{
- int sz, ret;
+ int ret = 0, verify, saltLen, hLen, bits = 0;
-#ifdef HAVE_CAVIUM
- if (key->magic == WOLFSSL_RSA_CAVIUM_MAGIC)
- return CaviumRsaSSL_Sign(in, inLen, out, outLen, key);
-#endif
+ hLen = wc_HashGetDigestSize(hash);
+ if (hLen < 0)
+ return hLen;
+ if ((word32)hLen != digestLen)
+ return BAD_FUNC_ARG;
- sz = mp_unsigned_bin_size(&key->n);
- if (sz > (int)outLen)
- return RSA_BUFFER_E;
+ saltLen = hLen;
+ #ifdef WOLFSSL_SHA512
+ /* See FIPS 186-4 section 5.5 item (e). */
+ bits = mp_count_bits(&key->n);
+ if (bits == 1024 && hLen == WC_SHA512_DIGEST_SIZE)
+ saltLen = RSA_PSS_SALT_MAX_SZ;
+ #endif
- if (inLen > (word32)(sz - RSA_MIN_PAD_SZ))
- return RSA_BUFFER_E;
+ verify = wc_RsaPSS_VerifyInline_ex(in, inLen, out, hash, mgf, saltLen, key);
+ if (verify > 0)
+ ret = wc_RsaPSS_CheckPadding_ex(digest, digestLen, *out, verify,
+ hash, saltLen, bits);
+ if (ret == 0)
+ ret = verify;
- ret = wc_RsaPad(in, inLen, out, sz, RSA_BLOCK_TYPE_1, rng);
- if (ret != 0)
- return ret;
+ return ret;
+}
+
+
+/* Verify the message signed with RSA-PSS.
+ * Salt length is equal to hash length.
+ *
+ * in Buffer holding encrypted data.
+ * inLen Length of data in buffer.
+ * out Pointer to address containing the PSS data.
+ * outLen Length of the output.
+ * digest Hash of the data that is being verified.
+ * digestLen Length of hash.
+ * hash Hash algorithm.
+ * mgf Mask generation function.
+ * key Public RSA key.
+ * returns the length of the PSS data on success and negative indicates failure.
+ */
+int wc_RsaPSS_VerifyCheck(byte* in, word32 inLen, byte* out, word32 outLen,
+ const byte* digest, word32 digestLen,
+ enum wc_HashType hash, int mgf,
+ RsaKey* key)
+{
+ int ret = 0, verify, saltLen, hLen, bits = 0;
+
+ hLen = wc_HashGetDigestSize(hash);
+ if (hLen < 0)
+ return hLen;
+ if ((word32)hLen != digestLen)
+ return BAD_FUNC_ARG;
- if ((ret = wc_RsaFunction(out, sz, out, &outLen,
- RSA_PRIVATE_ENCRYPT,key)) < 0)
- sz = ret;
-
- return sz;
+ saltLen = hLen;
+ #ifdef WOLFSSL_SHA512
+ /* See FIPS 186-4 section 5.5 item (e). */
+ bits = mp_count_bits(&key->n);
+ if (bits == 1024 && hLen == WC_SHA512_DIGEST_SIZE)
+ saltLen = RSA_PSS_SALT_MAX_SZ;
+ #endif
+
+ verify = wc_RsaPSS_Verify_ex(in, inLen, out, outLen, hash,
+ mgf, saltLen, key);
+ if (verify > 0)
+ ret = wc_RsaPSS_CheckPadding_ex(digest, digestLen, out, verify,
+ hash, saltLen, bits);
+ if (ret == 0)
+ ret = verify;
+
+ return ret;
+}
+
+#endif
+
+#if !defined(WOLFSSL_RSA_PUBLIC_ONLY) && !defined(WOLFSSL_RSA_VERIFY_ONLY)
+int wc_RsaSSL_Sign(const byte* in, word32 inLen, byte* out, word32 outLen,
+ RsaKey* key, WC_RNG* rng)
+{
+ return RsaPublicEncryptEx(in, inLen, out, outLen, key,
+ RSA_PRIVATE_ENCRYPT, RSA_BLOCK_TYPE_1, WC_RSA_PKCSV15_PAD,
+ WC_HASH_TYPE_NONE, WC_MGF1NONE, NULL, 0, 0, rng);
}
+#ifdef WC_RSA_PSS
+/* Sign the hash of a message using RSA-PSS.
+ * Salt length is equal to hash length.
+ *
+ * in Buffer holding hash of message.
+ * inLen Length of data in buffer (hash length).
+ * out Buffer to write encrypted signature into.
+ * outLen Size of buffer to write to.
+ * hash Hash algorithm.
+ * mgf Mask generation function.
+ * key Public RSA key.
+ * rng Random number generator.
+ * returns the length of the encrypted signature on success, a negative value
+ * indicates failure.
+ */
+int wc_RsaPSS_Sign(const byte* in, word32 inLen, byte* out, word32 outLen,
+ enum wc_HashType hash, int mgf, RsaKey* key, WC_RNG* rng)
+{
+ return wc_RsaPSS_Sign_ex(in, inLen, out, outLen, hash, mgf,
+ RSA_PSS_SALT_LEN_DEFAULT, key, rng);
+}
+
+/* Sign the hash of a message using RSA-PSS.
+ *
+ * in Buffer holding hash of message.
+ * inLen Length of data in buffer (hash length).
+ * out Buffer to write encrypted signature into.
+ * outLen Size of buffer to write to.
+ * hash Hash algorithm.
+ * mgf Mask generation function.
+ * saltLen Length of salt used. RSA_PSS_SALT_LEN_DEFAULT (-1) indicates salt
+ * length is the same as the hash length. RSA_PSS_SALT_LEN_DISCOVER
+ * indicates salt length is determined from the data.
+ * key Public RSA key.
+ * rng Random number generator.
+ * returns the length of the encrypted signature on success, a negative value
+ * indicates failure.
+ */
+int wc_RsaPSS_Sign_ex(const byte* in, word32 inLen, byte* out, word32 outLen,
+ enum wc_HashType hash, int mgf, int saltLen, RsaKey* key,
+ WC_RNG* rng)
+{
+ return RsaPublicEncryptEx(in, inLen, out, outLen, key,
+ RSA_PRIVATE_ENCRYPT, RSA_BLOCK_TYPE_1, WC_RSA_PSS_PAD,
+ hash, mgf, NULL, 0, saltLen, rng);
+}
+#endif
+#endif
+#if !defined(WOLFSSL_RSA_VERIFY_ONLY) || !defined(WOLFSSL_SP_MATH) || \
+ defined(WC_RSA_PSS)
int wc_RsaEncryptSize(RsaKey* key)
{
-#ifdef HAVE_CAVIUM
- if (key->magic == WOLFSSL_RSA_CAVIUM_MAGIC)
- return key->c_nSz;
+ int ret;
+
+ if (key == NULL) {
+ return BAD_FUNC_ARG;
+ }
+
+ ret = mp_unsigned_bin_size(&key->n);
+
+#ifdef WOLF_CRYPTO_CB
+ if (ret == 0 && key->devId != INVALID_DEVID) {
+ ret = 2048/8; /* hardware handles, use 2048-bit as default */
+ }
#endif
- return mp_unsigned_bin_size(&key->n);
+
+ return ret;
}
+#endif
+#ifndef WOLFSSL_RSA_VERIFY_ONLY
/* flatten RsaKey structure into individual elements (e, n) */
int wc_RsaFlattenPublicKey(RsaKey* key, byte* e, word32* eSz, byte* n,
- word32* nSz)
+ word32* nSz)
{
int sz, ret;
- if (key == NULL || e == NULL || eSz == NULL || n == NULL || nSz == NULL)
- return BAD_FUNC_ARG;
+ if (key == NULL || e == NULL || eSz == NULL || n == NULL || nSz == NULL) {
+ return BAD_FUNC_ARG;
+ }
sz = mp_unsigned_bin_size(&key->e);
- if ((word32)sz > *nSz)
+ if ((word32)sz > *eSz)
return RSA_BUFFER_E;
ret = mp_to_unsigned_bin(&key->e, e);
if (ret != MP_OKAY)
return ret;
*eSz = (word32)sz;
- sz = mp_unsigned_bin_size(&key->n);
+ sz = wc_RsaEncryptSize(key);
if ((word32)sz > *nSz)
return RSA_BUFFER_E;
ret = mp_to_unsigned_bin(&key->n, n);
@@ -609,364 +3586,616 @@ int wc_RsaFlattenPublicKey(RsaKey* key, byte* e, word32* eSz, byte* n,
return 0;
}
+#endif
+#endif /* HAVE_FIPS */
-#ifdef WOLFSSL_KEY_GEN
-static const int USE_BBS = 1;
+#ifndef WOLFSSL_RSA_VERIFY_ONLY
+static int RsaGetValue(mp_int* in, byte* out, word32* outSz)
+{
+ word32 sz;
+ int ret = 0;
+
+ /* Parameters ensured by calling function. */
+
+ sz = (word32)mp_unsigned_bin_size(in);
+ if (sz > *outSz)
+ ret = RSA_BUFFER_E;
-static int rand_prime(mp_int* N, int len, RNG* rng, void* heap)
+ if (ret == 0)
+ ret = mp_to_unsigned_bin(in, out);
+
+ if (ret == MP_OKAY)
+ *outSz = sz;
+
+ return ret;
+}
+
+
+int wc_RsaExportKey(RsaKey* key,
+ byte* e, word32* eSz, byte* n, word32* nSz,
+ byte* d, word32* dSz, byte* p, word32* pSz,
+ byte* q, word32* qSz)
{
- int err, res, type;
- byte* buf;
+ int ret = BAD_FUNC_ARG;
+
+ if (key && e && eSz && n && nSz && d && dSz && p && pSz && q && qSz)
+ ret = 0;
+
+ if (ret == 0)
+ ret = RsaGetValue(&key->e, e, eSz);
+ if (ret == 0)
+ ret = RsaGetValue(&key->n, n, nSz);
+#ifndef WOLFSSL_RSA_PUBLIC_ONLY
+ if (ret == 0)
+ ret = RsaGetValue(&key->d, d, dSz);
+ if (ret == 0)
+ ret = RsaGetValue(&key->p, p, pSz);
+ if (ret == 0)
+ ret = RsaGetValue(&key->q, q, qSz);
+#else
+ /* no private parts to key */
+ if (d == NULL || p == NULL || q == NULL || dSz == NULL || pSz == NULL
+ || qSz == NULL) {
+ ret = BAD_FUNC_ARG;
+ }
+ else {
+ *dSz = 0;
+ *pSz = 0;
+ *qSz = 0;
+ }
+#endif /* WOLFSSL_RSA_PUBLIC_ONLY */
- (void)heap;
- if (N == NULL || rng == NULL)
- return BAD_FUNC_ARG;
+ return ret;
+}
+#endif
+
+
+#ifdef WOLFSSL_KEY_GEN
- /* get type */
- if (len < 0) {
- type = USE_BBS;
- len = -len;
- } else {
- type = 0;
+/* Check that |p-q| > 2^((size/2)-100) */
+static int wc_CompareDiffPQ(mp_int* p, mp_int* q, int size)
+{
+ mp_int c, d;
+ int ret;
+
+ if (p == NULL || q == NULL)
+ return BAD_FUNC_ARG;
+
+ ret = mp_init_multi(&c, &d, NULL, NULL, NULL, NULL);
+
+ /* c = 2^((size/2)-100) */
+ if (ret == 0)
+ ret = mp_2expt(&c, (size/2)-100);
+
+ /* d = |p-q| */
+ if (ret == 0)
+ ret = mp_sub(p, q, &d);
+
+ if (ret == 0)
+ ret = mp_abs(&d, &d);
+
+ /* compare */
+ if (ret == 0)
+ ret = mp_cmp(&d, &c);
+
+ if (ret == MP_GT)
+ ret = MP_OKAY;
+
+ mp_clear(&d);
+ mp_clear(&c);
+
+ return ret;
+}
+
+
+/* The lower_bound value is floor(2^(0.5) * 2^((nlen/2)-1)) where nlen is 4096.
+ * This number was calculated using a small test tool written with a common
+ * large number math library. Other values of nlen may be checked with a subset
+ * of lower_bound. */
+static const byte lower_bound[] = {
+ 0xB5, 0x04, 0xF3, 0x33, 0xF9, 0xDE, 0x64, 0x84,
+ 0x59, 0x7D, 0x89, 0xB3, 0x75, 0x4A, 0xBE, 0x9F,
+ 0x1D, 0x6F, 0x60, 0xBA, 0x89, 0x3B, 0xA8, 0x4C,
+ 0xED, 0x17, 0xAC, 0x85, 0x83, 0x33, 0x99, 0x15,
+/* 512 */
+ 0x4A, 0xFC, 0x83, 0x04, 0x3A, 0xB8, 0xA2, 0xC3,
+ 0xA8, 0xB1, 0xFE, 0x6F, 0xDC, 0x83, 0xDB, 0x39,
+ 0x0F, 0x74, 0xA8, 0x5E, 0x43, 0x9C, 0x7B, 0x4A,
+ 0x78, 0x04, 0x87, 0x36, 0x3D, 0xFA, 0x27, 0x68,
+/* 1024 */
+ 0xD2, 0x20, 0x2E, 0x87, 0x42, 0xAF, 0x1F, 0x4E,
+ 0x53, 0x05, 0x9C, 0x60, 0x11, 0xBC, 0x33, 0x7B,
+ 0xCA, 0xB1, 0xBC, 0x91, 0x16, 0x88, 0x45, 0x8A,
+ 0x46, 0x0A, 0xBC, 0x72, 0x2F, 0x7C, 0x4E, 0x33,
+ 0xC6, 0xD5, 0xA8, 0xA3, 0x8B, 0xB7, 0xE9, 0xDC,
+ 0xCB, 0x2A, 0x63, 0x43, 0x31, 0xF3, 0xC8, 0x4D,
+ 0xF5, 0x2F, 0x12, 0x0F, 0x83, 0x6E, 0x58, 0x2E,
+ 0xEA, 0xA4, 0xA0, 0x89, 0x90, 0x40, 0xCA, 0x4A,
+/* 2048 */
+ 0x81, 0x39, 0x4A, 0xB6, 0xD8, 0xFD, 0x0E, 0xFD,
+ 0xF4, 0xD3, 0xA0, 0x2C, 0xEB, 0xC9, 0x3E, 0x0C,
+ 0x42, 0x64, 0xDA, 0xBC, 0xD5, 0x28, 0xB6, 0x51,
+ 0xB8, 0xCF, 0x34, 0x1B, 0x6F, 0x82, 0x36, 0xC7,
+ 0x01, 0x04, 0xDC, 0x01, 0xFE, 0x32, 0x35, 0x2F,
+ 0x33, 0x2A, 0x5E, 0x9F, 0x7B, 0xDA, 0x1E, 0xBF,
+ 0xF6, 0xA1, 0xBE, 0x3F, 0xCA, 0x22, 0x13, 0x07,
+ 0xDE, 0xA0, 0x62, 0x41, 0xF7, 0xAA, 0x81, 0xC2,
+/* 3072 */
+ 0xC1, 0xFC, 0xBD, 0xDE, 0xA2, 0xF7, 0xDC, 0x33,
+ 0x18, 0x83, 0x8A, 0x2E, 0xAF, 0xF5, 0xF3, 0xB2,
+ 0xD2, 0x4F, 0x4A, 0x76, 0x3F, 0xAC, 0xB8, 0x82,
+ 0xFD, 0xFE, 0x17, 0x0F, 0xD3, 0xB1, 0xF7, 0x80,
+ 0xF9, 0xAC, 0xCE, 0x41, 0x79, 0x7F, 0x28, 0x05,
+ 0xC2, 0x46, 0x78, 0x5E, 0x92, 0x95, 0x70, 0x23,
+ 0x5F, 0xCF, 0x8F, 0x7B, 0xCA, 0x3E, 0xA3, 0x3B,
+ 0x4D, 0x7C, 0x60, 0xA5, 0xE6, 0x33, 0xE3, 0xE1
+/* 4096 */
+};
+
+
+/* returns 1 on key size ok and 0 if not ok */
+static WC_INLINE int RsaSizeCheck(int size)
+{
+ if (size < RSA_MIN_SIZE || size > RSA_MAX_SIZE) {
+ return 0;
+ }
+
+#ifdef HAVE_FIPS
+ /* Key size requirements for CAVP */
+ switch (size) {
+ case 1024:
+ case 2048:
+ case 3072:
+ case 4096:
+ return 1;
}
- /* allow sizes between 2 and 512 bytes for a prime size */
- if (len < 2 || len > 512) {
+ return 0;
+#else
+ return 1; /* allow unusual key sizes in non FIPS mode */
+#endif /* HAVE_FIPS */
+}
+
+
+static int _CheckProbablePrime(mp_int* p, mp_int* q, mp_int* e, int nlen,
+ int* isPrime, WC_RNG* rng)
+{
+ int ret;
+ mp_int tmp1, tmp2;
+ mp_int* prime;
+
+ if (p == NULL || e == NULL || isPrime == NULL)
+ return BAD_FUNC_ARG;
+
+ if (!RsaSizeCheck(nlen))
return BAD_FUNC_ARG;
+
+ *isPrime = MP_NO;
+
+ if (q != NULL) {
+ /* 5.4 - check that |p-q| <= (2^(1/2))(2^((nlen/2)-1)) */
+ ret = wc_CompareDiffPQ(p, q, nlen);
+ if (ret != MP_OKAY) goto notOkay;
+ prime = q;
}
-
- /* allocate buffer to work with */
- buf = (byte*)XMALLOC(len, heap, DYNAMIC_TYPE_RSA);
- if (buf == NULL) {
- return MEMORY_E;
+ else
+ prime = p;
+
+ ret = mp_init_multi(&tmp1, &tmp2, NULL, NULL, NULL, NULL);
+ if (ret != MP_OKAY) goto notOkay;
+
+ /* 4.4,5.5 - Check that prime >= (2^(1/2))(2^((nlen/2)-1))
+ * This is a comparison against lowerBound */
+ ret = mp_read_unsigned_bin(&tmp1, lower_bound, nlen/16);
+ if (ret != MP_OKAY) goto notOkay;
+ ret = mp_cmp(prime, &tmp1);
+ if (ret == MP_LT) goto exit;
+
+ /* 4.5,5.6 - Check that GCD(p-1, e) == 1 */
+ ret = mp_sub_d(prime, 1, &tmp1); /* tmp1 = prime-1 */
+ if (ret != MP_OKAY) goto notOkay;
+ ret = mp_gcd(&tmp1, e, &tmp2); /* tmp2 = gcd(prime-1, e) */
+ if (ret != MP_OKAY) goto notOkay;
+ ret = mp_cmp_d(&tmp2, 1);
+ if (ret != MP_EQ) goto exit; /* e divides p-1 */
+
+ /* 4.5.1,5.6.1 - Check primality of p with 8 rounds of M-R.
+ * mp_prime_is_prime_ex() performs test divisions against the first 256
+ * prime numbers. After that it performs 8 rounds of M-R using random
+ * bases between 2 and n-2.
+ * mp_prime_is_prime() performs the same test divisions and then does
+ * M-R with the first 8 primes. Both functions set isPrime as a
+ * side-effect. */
+ if (rng != NULL)
+ ret = mp_prime_is_prime_ex(prime, 8, isPrime, rng);
+ else
+ ret = mp_prime_is_prime(prime, 8, isPrime);
+ if (ret != MP_OKAY) goto notOkay;
+
+exit:
+ ret = MP_OKAY;
+notOkay:
+ mp_clear(&tmp1);
+ mp_clear(&tmp2);
+ return ret;
+}
+
+
+int wc_CheckProbablePrime_ex(const byte* pRaw, word32 pRawSz,
+ const byte* qRaw, word32 qRawSz,
+ const byte* eRaw, word32 eRawSz,
+ int nlen, int* isPrime, WC_RNG* rng)
+{
+ mp_int p, q, e;
+ mp_int* Q = NULL;
+ int ret;
+
+ if (pRaw == NULL || pRawSz == 0 ||
+ eRaw == NULL || eRawSz == 0 ||
+ isPrime == NULL) {
+
+ return BAD_FUNC_ARG;
}
- XMEMSET(buf, 0, len);
- do {
-#ifdef SHOW_GEN
- printf(".");
- fflush(stdout);
-#endif
- /* generate value */
- err = wc_RNG_GenerateBlock(rng, buf, len);
- if (err != 0) {
- XFREE(buf, heap, DYNAMIC_TYPE_RSA);
- return err;
- }
+ if ((qRaw != NULL && qRawSz == 0) || (qRaw == NULL && qRawSz != 0))
+ return BAD_FUNC_ARG;
- /* munge bits */
- buf[0] |= 0x80 | 0x40;
- buf[len-1] |= 0x01 | ((type & USE_BBS) ? 0x02 : 0x00);
-
- /* load value */
- if ((err = mp_read_unsigned_bin(N, buf, len)) != MP_OKAY) {
- XFREE(buf, heap, DYNAMIC_TYPE_RSA);
- return err;
- }
+ ret = mp_init_multi(&p, &q, &e, NULL, NULL, NULL);
+
+ if (ret == MP_OKAY)
+ ret = mp_read_unsigned_bin(&p, pRaw, pRawSz);
- /* test */
- if ((err = mp_prime_is_prime(N, 8, &res)) != MP_OKAY) {
- XFREE(buf, heap, DYNAMIC_TYPE_RSA);
- return err;
+ if (ret == MP_OKAY) {
+ if (qRaw != NULL) {
+ ret = mp_read_unsigned_bin(&q, qRaw, qRawSz);
+ if (ret == MP_OKAY)
+ Q = &q;
}
- } while (res == MP_NO);
+ }
- ForceZero(buf, len);
- XFREE(buf, heap, DYNAMIC_TYPE_RSA);
+ if (ret == MP_OKAY)
+ ret = mp_read_unsigned_bin(&e, eRaw, eRawSz);
- return 0;
+ if (ret == MP_OKAY)
+ ret = _CheckProbablePrime(&p, Q, &e, nlen, isPrime, rng);
+
+ ret = (ret == MP_OKAY) ? 0 : PRIME_GEN_E;
+
+ mp_clear(&p);
+ mp_clear(&q);
+ mp_clear(&e);
+
+ return ret;
}
+int wc_CheckProbablePrime(const byte* pRaw, word32 pRawSz,
+ const byte* qRaw, word32 qRawSz,
+ const byte* eRaw, word32 eRawSz,
+ int nlen, int* isPrime)
+{
+ return wc_CheckProbablePrime_ex(pRaw, pRawSz, qRaw, qRawSz,
+ eRaw, eRawSz, nlen, isPrime, NULL);
+}
+
+#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS) && \
+ defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2))
/* Make an RSA key for size bits, with e specified, 65537 is a good e */
-int wc_MakeRsaKey(RsaKey* key, int size, long e, RNG* rng)
+int wc_MakeRsaKey(RsaKey* key, int size, long e, WC_RNG* rng)
{
+#ifndef WC_NO_RNG
mp_int p, q, tmp1, tmp2, tmp3;
- int err;
+ int err, i, failCount, primeSz, isPrime = 0;
+ byte* buf = NULL;
if (key == NULL || rng == NULL)
return BAD_FUNC_ARG;
- if (size < RSA_MIN_SIZE || size > RSA_MAX_SIZE)
+ if (!RsaSizeCheck(size))
return BAD_FUNC_ARG;
if (e < 3 || (e & 1) == 0)
return BAD_FUNC_ARG;
- if ((err = mp_init_multi(&p, &q, &tmp1, &tmp2, &tmp3, NULL)) != MP_OKAY)
- return err;
+#if defined(WOLFSSL_CRYPTOCELL)
+
+ return cc310_RSA_GenerateKeyPair(key, size, e);
- err = mp_set_int(&tmp3, e);
+#endif /*WOLFSSL_CRYPTOCELL*/
+
+#ifdef WOLF_CRYPTO_CB
+ if (key->devId != INVALID_DEVID) {
+ int ret = wc_CryptoCb_MakeRsaKey(key, size, e, rng);
+ if (ret != CRYPTOCB_UNAVAILABLE)
+ return ret;
+ /* fall-through when unavailable */
+ }
+#endif
+
+#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_RSA) && \
+ defined(WC_ASYNC_ENABLE_RSA_KEYGEN)
+ if (key->asyncDev.marker == WOLFSSL_ASYNC_MARKER_RSA) {
+ #ifdef HAVE_CAVIUM
+ /* TODO: Not implemented */
+ #elif defined(HAVE_INTEL_QA)
+ return IntelQaRsaKeyGen(&key->asyncDev, key, size, e, rng);
+ #else
+ if (wc_AsyncTestInit(&key->asyncDev, ASYNC_TEST_RSA_MAKE)) {
+ WC_ASYNC_TEST* testDev = &key->asyncDev.test;
+ testDev->rsaMake.rng = rng;
+ testDev->rsaMake.key = key;
+ testDev->rsaMake.size = size;
+ testDev->rsaMake.e = e;
+ return WC_PENDING_E;
+ }
+ #endif
+ }
+#endif
+
+ err = mp_init_multi(&p, &q, &tmp1, &tmp2, &tmp3, NULL);
+
+ if (err == MP_OKAY)
+ err = mp_set_int(&tmp3, e);
+
+ /* The failCount value comes from NIST FIPS 186-4, section B.3.3,
+ * process steps 4.7 and 5.8. */
+ failCount = 5 * (size / 2);
+ primeSz = size / 16; /* size is the size of n in bits.
+ primeSz is in bytes. */
+
+ /* allocate buffer to work with */
+ if (err == MP_OKAY) {
+ buf = (byte*)XMALLOC(primeSz, key->heap, DYNAMIC_TYPE_RSA);
+ if (buf == NULL)
+ err = MEMORY_E;
+ }
/* make p */
if (err == MP_OKAY) {
+ isPrime = 0;
+ i = 0;
do {
- err = rand_prime(&p, size/16, rng, key->heap); /* size in bytes/2 */
+#ifdef SHOW_GEN
+ printf(".");
+ fflush(stdout);
+#endif
+ /* generate value */
+ err = wc_RNG_GenerateBlock(rng, buf, primeSz);
+ if (err == 0) {
+ /* prime lower bound has the MSB set, set it in candidate */
+ buf[0] |= 0x80;
+ /* make candidate odd */
+ buf[primeSz-1] |= 0x01;
+ /* load value */
+ err = mp_read_unsigned_bin(&p, buf, primeSz);
+ }
if (err == MP_OKAY)
- err = mp_sub_d(&p, 1, &tmp1); /* tmp1 = p-1 */
+ err = _CheckProbablePrime(&p, NULL, &tmp3, size, &isPrime, rng);
- if (err == MP_OKAY)
- err = mp_gcd(&tmp1, &tmp3, &tmp2); /* tmp2 = gcd(p-1, e) */
- } while (err == MP_OKAY && mp_cmp_d(&tmp2, 1) != 0); /* e divdes p-1 */
+#ifdef HAVE_FIPS
+ i++;
+#else
+ /* Keep the old retry behavior in non-FIPS build. */
+ (void)i;
+#endif
+ } while (err == MP_OKAY && !isPrime && i < failCount);
}
+ if (err == MP_OKAY && !isPrime)
+ err = PRIME_GEN_E;
+
/* make q */
if (err == MP_OKAY) {
+ isPrime = 0;
+ i = 0;
do {
- err = rand_prime(&q, size/16, rng, key->heap); /* size in bytes/2 */
+#ifdef SHOW_GEN
+ printf(".");
+ fflush(stdout);
+#endif
+ /* generate value */
+ err = wc_RNG_GenerateBlock(rng, buf, primeSz);
+ if (err == 0) {
+ /* prime lower bound has the MSB set, set it in candidate */
+ buf[0] |= 0x80;
+ /* make candidate odd */
+ buf[primeSz-1] |= 0x01;
+ /* load value */
+ err = mp_read_unsigned_bin(&q, buf, primeSz);
+ }
if (err == MP_OKAY)
- err = mp_sub_d(&q, 1, &tmp1); /* tmp1 = q-1 */
+ err = _CheckProbablePrime(&p, &q, &tmp3, size, &isPrime, rng);
- if (err == MP_OKAY)
- err = mp_gcd(&tmp1, &tmp3, &tmp2); /* tmp2 = gcd(q-1, e) */
- } while (err == MP_OKAY && mp_cmp_d(&tmp2, 1) != 0); /* e divdes q-1 */
+#ifdef HAVE_FIPS
+ i++;
+#else
+ /* Keep the old retry behavior in non-FIPS build. */
+ (void)i;
+#endif
+ } while (err == MP_OKAY && !isPrime && i < failCount);
}
- if (err == MP_OKAY)
- err = mp_init_multi(&key->n, &key->e, &key->d, &key->p, &key->q, NULL);
+ if (err == MP_OKAY && !isPrime)
+ err = PRIME_GEN_E;
- if (err == MP_OKAY)
- err = mp_init_multi(&key->dP, &key->dQ, &key->u, NULL, NULL, NULL);
+ if (buf) {
+ ForceZero(buf, primeSz);
+ XFREE(buf, key->heap, DYNAMIC_TYPE_RSA);
+ }
- if (err == MP_OKAY)
- err = mp_sub_d(&p, 1, &tmp2); /* tmp2 = p-1 */
+ if (err == MP_OKAY && mp_cmp(&p, &q) < 0) {
+ err = mp_copy(&p, &tmp1);
+ if (err == MP_OKAY)
+ err = mp_copy(&q, &p);
+ if (err == MP_OKAY)
+ mp_copy(&tmp1, &q);
+ }
+ /* Setup RsaKey buffers */
+ if (err == MP_OKAY)
+ err = mp_init_multi(&key->n, &key->e, &key->d, &key->p, &key->q, NULL);
if (err == MP_OKAY)
- err = mp_lcm(&tmp1, &tmp2, &tmp1); /* tmp1 = lcm(p-1, q-1),last loop */
+ err = mp_init_multi(&key->dP, &key->dQ, &key->u, NULL, NULL, NULL);
+ /* Software Key Calculation */
+ if (err == MP_OKAY) /* tmp1 = p-1 */
+ err = mp_sub_d(&p, 1, &tmp1);
+ if (err == MP_OKAY) /* tmp2 = q-1 */
+ err = mp_sub_d(&q, 1, &tmp2);
+#ifdef WC_RSA_BLINDING
+ if (err == MP_OKAY) /* tmp3 = order of n */
+ err = mp_mul(&tmp1, &tmp2, &tmp3);
+#else
+ if (err == MP_OKAY) /* tmp3 = lcm(p-1, q-1), last loop */
+ err = mp_lcm(&tmp1, &tmp2, &tmp3);
+#endif
/* make key */
+ if (err == MP_OKAY) /* key->e = e */
+ err = mp_set_int(&key->e, (mp_digit)e);
+#ifdef WC_RSA_BLINDING
+ /* Blind the inverse operation with a value that is invertable */
+ if (err == MP_OKAY) {
+ do {
+ err = mp_rand(&key->p, get_digit_count(&tmp3), rng);
+ if (err == MP_OKAY)
+ err = mp_set_bit(&key->p, 0);
+ if (err == MP_OKAY)
+ err = mp_set_bit(&key->p, size - 1);
+ if (err == MP_OKAY)
+ err = mp_gcd(&key->p, &tmp3, &key->q);
+ }
+ while ((err == MP_OKAY) && !mp_isone(&key->q));
+ }
if (err == MP_OKAY)
- err = mp_set_int(&key->e, e); /* key->e = e */
-
+ err = mp_mul_d(&key->p, (mp_digit)e, &key->e);
+#endif
if (err == MP_OKAY) /* key->d = 1/e mod lcm(p-1, q-1) */
- err = mp_invmod(&key->e, &tmp1, &key->d);
-
- if (err == MP_OKAY)
- err = mp_mul(&p, &q, &key->n); /* key->n = pq */
-
- if (err == MP_OKAY)
- err = mp_sub_d(&p, 1, &tmp1);
-
+ err = mp_invmod(&key->e, &tmp3, &key->d);
+#ifdef WC_RSA_BLINDING
+ /* Take off blinding from d and reset e */
if (err == MP_OKAY)
- err = mp_sub_d(&q, 1, &tmp2);
-
+ err = mp_mulmod(&key->d, &key->p, &tmp3, &key->d);
if (err == MP_OKAY)
+ err = mp_set_int(&key->e, (mp_digit)e);
+#endif
+ if (err == MP_OKAY) /* key->n = pq */
+ err = mp_mul(&p, &q, &key->n);
+ if (err == MP_OKAY) /* key->dP = d mod(p-1) */
err = mp_mod(&key->d, &tmp1, &key->dP);
-
- if (err == MP_OKAY)
+ if (err == MP_OKAY) /* key->dQ = d mod(q-1) */
err = mp_mod(&key->d, &tmp2, &key->dQ);
-
- if (err == MP_OKAY)
+#ifdef WOLFSSL_MP_INVMOD_CONSTANT_TIME
+ if (err == MP_OKAY) /* key->u = 1/q mod p */
err = mp_invmod(&q, &p, &key->u);
-
+#else
+ if (err == MP_OKAY)
+ err = mp_sub_d(&p, 2, &tmp3);
+ if (err == MP_OKAY) /* key->u = 1/q mod p = q^p-2 mod p */
+ err = mp_exptmod(&q, &tmp3 , &p, &key->u);
+#endif
if (err == MP_OKAY)
err = mp_copy(&p, &key->p);
-
if (err == MP_OKAY)
err = mp_copy(&q, &key->q);
+#ifdef HAVE_WOLF_BIGINT
+ /* make sure raw unsigned bin version is available */
+ if (err == MP_OKAY)
+ err = wc_mp_to_bigint(&key->n, &key->n.raw);
+ if (err == MP_OKAY)
+ err = wc_mp_to_bigint(&key->e, &key->e.raw);
+ if (err == MP_OKAY)
+ err = wc_mp_to_bigint(&key->d, &key->d.raw);
+ if (err == MP_OKAY)
+ err = wc_mp_to_bigint(&key->p, &key->p.raw);
+ if (err == MP_OKAY)
+ err = wc_mp_to_bigint(&key->q, &key->q.raw);
+ if (err == MP_OKAY)
+ err = wc_mp_to_bigint(&key->dP, &key->dP.raw);
+ if (err == MP_OKAY)
+ err = wc_mp_to_bigint(&key->dQ, &key->dQ.raw);
+ if (err == MP_OKAY)
+ err = wc_mp_to_bigint(&key->u, &key->u.raw);
+#endif
+
if (err == MP_OKAY)
- key->type = RSA_PRIVATE;
+ key->type = RSA_PRIVATE;
- mp_clear(&tmp3);
- mp_clear(&tmp2);
- mp_clear(&tmp1);
- mp_clear(&q);
+ mp_clear(&tmp1);
+ mp_clear(&tmp2);
+ mp_clear(&tmp3);
mp_clear(&p);
+ mp_clear(&q);
- if (err != MP_OKAY) {
- wc_FreeRsaKey(key);
+#if defined(WOLFSSL_KEY_GEN) && !defined(WOLFSSL_NO_RSA_KEY_CHECK)
+ /* Perform the pair-wise consistency test on the new key. */
+ if (err == 0)
+ err = wc_CheckRsaKey(key);
+#endif
+
+ if (err != 0) {
+ wc_FreeRsaKey(key);
return err;
}
+#if defined(WOLFSSL_XILINX_CRYPT) || defined(WOLFSSL_CRYPTOCELL)
+ if (wc_InitRsaHw(key) != 0) {
+ return BAD_STATE_E;
+ }
+#endif
return 0;
+#else
+ return NOT_COMPILED_IN;
+#endif
}
-
-
+#endif /* !FIPS || FIPS_VER >= 2 */
#endif /* WOLFSSL_KEY_GEN */
-#ifdef HAVE_CAVIUM
-
-#include <cyassl/ctaocrypt/logging.h>
-#include "cavium_common.h"
-
-/* Initiliaze RSA for use with Nitrox device */
-int RsaInitCavium(RsaKey* rsa, int devId)
-{
- if (rsa == NULL)
- return -1;
-
- if (CspAllocContext(CONTEXT_SSL, &rsa->contextHandle, devId) != 0)
- return -1;
-
- rsa->devId = devId;
- rsa->magic = WOLFSSL_RSA_CAVIUM_MAGIC;
-
- return 0;
-}
-
-
-/* Free RSA from use with Nitrox device */
-void wc_RsaFreeCavium(RsaKey* rsa)
-{
- if (rsa == NULL)
- return;
-
- CspFreeContext(CONTEXT_SSL, rsa->contextHandle, rsa->devId);
- rsa->magic = 0;
-}
-
-
-/* Initialize cavium RSA key */
-static int InitCaviumRsaKey(RsaKey* key, void* heap)
+#ifdef WC_RSA_BLINDING
+int wc_RsaSetRNG(RsaKey* key, WC_RNG* rng)
{
if (key == NULL)
return BAD_FUNC_ARG;
- key->heap = heap;
- key->type = -1; /* don't know yet */
-
- key->c_n = NULL;
- key->c_e = NULL;
- key->c_d = NULL;
- key->c_p = NULL;
- key->c_q = NULL;
- key->c_dP = NULL;
- key->c_dQ = NULL;
- key->c_u = NULL;
-
- key->c_nSz = 0;
- key->c_eSz = 0;
- key->c_dSz = 0;
- key->c_pSz = 0;
- key->c_qSz = 0;
- key->c_dP_Sz = 0;
- key->c_dQ_Sz = 0;
- key->c_uSz = 0;
-
+ key->rng = rng;
+
return 0;
}
+#endif /* WC_RSA_BLINDING */
-
-/* Free cavium RSA key */
-static int FreeCaviumRsaKey(RsaKey* key)
+#ifdef WC_RSA_NONBLOCK
+int wc_RsaSetNonBlock(RsaKey* key, RsaNb* nb)
{
if (key == NULL)
return BAD_FUNC_ARG;
- XFREE(key->c_n, key->heap, DYNAMIC_TYPE_CAVIUM_TMP);
- XFREE(key->c_e, key->heap, DYNAMIC_TYPE_CAVIUM_TMP);
- XFREE(key->c_d, key->heap, DYNAMIC_TYPE_CAVIUM_TMP);
- XFREE(key->c_p, key->heap, DYNAMIC_TYPE_CAVIUM_TMP);
- XFREE(key->c_q, key->heap, DYNAMIC_TYPE_CAVIUM_TMP);
- XFREE(key->c_dP, key->heap, DYNAMIC_TYPE_CAVIUM_TMP);
- XFREE(key->c_dQ, key->heap, DYNAMIC_TYPE_CAVIUM_TMP);
- XFREE(key->c_u, key->heap, DYNAMIC_TYPE_CAVIUM_TMP);
-
- return InitCaviumRsaKey(key, key->heap); /* reset pointers */
-}
-
-
-static int CaviumRsaPublicEncrypt(const byte* in, word32 inLen, byte* out,
- word32 outLen, RsaKey* key)
-{
- word32 requestId;
- word32 ret;
-
- if (key == NULL || in == NULL || out == NULL || outLen < (word32)key->c_nSz)
- return -1;
-
- ret = CspPkcs1v15Enc(CAVIUM_BLOCKING, BT2, key->c_nSz, key->c_eSz,
- (word16)inLen, key->c_n, key->c_e, (byte*)in, out,
- &requestId, key->devId);
- if (ret != 0) {
- WOLFSSL_MSG("Cavium Enc BT2 failed");
- return -1;
+ if (nb) {
+ XMEMSET(nb, 0, sizeof(RsaNb));
}
- return key->c_nSz;
-}
-
-
-static INLINE void ato16(const byte* c, word16* u16)
-{
- *u16 = (c[0] << 8) | (c[1]);
-}
-
-static int CaviumRsaPrivateDecrypt(const byte* in, word32 inLen, byte* out,
- word32 outLen, RsaKey* key)
-{
- word32 requestId;
- word32 ret;
- word16 outSz = (word16)outLen;
-
- if (key == NULL || in == NULL || out == NULL || inLen != (word32)key->c_nSz)
- return -1;
-
- ret = CspPkcs1v15CrtDec(CAVIUM_BLOCKING, BT2, key->c_nSz, key->c_q,
- key->c_dQ, key->c_p, key->c_dP, key->c_u,
- (byte*)in, &outSz, out, &requestId, key->devId);
- if (ret != 0) {
- WOLFSSL_MSG("Cavium CRT Dec BT2 failed");
- return -1;
- }
- ato16((const byte*)&outSz, &outSz);
+ /* Allow nb == NULL to clear non-block mode */
+ key->nb = nb;
- return outSz;
+ return 0;
}
-
-
-static int CaviumRsaSSL_Sign(const byte* in, word32 inLen, byte* out,
- word32 outLen, RsaKey* key)
+#ifdef WC_RSA_NONBLOCK_TIME
+int wc_RsaSetNonBlockTime(RsaKey* key, word32 maxBlockUs, word32 cpuMHz)
{
- word32 requestId;
- word32 ret;
-
- if (key == NULL || in == NULL || out == NULL || inLen == 0 || outLen <
- (word32)key->c_nSz)
- return -1;
-
- ret = CspPkcs1v15CrtEnc(CAVIUM_BLOCKING, BT1, key->c_nSz, (word16)inLen,
- key->c_q, key->c_dQ, key->c_p, key->c_dP, key->c_u,
- (byte*)in, out, &requestId, key->devId);
- if (ret != 0) {
- WOLFSSL_MSG("Cavium CRT Enc BT1 failed");
- return -1;
+ if (key == NULL || key->nb == NULL) {
+ return BAD_FUNC_ARG;
}
- return key->c_nSz;
-}
-
-
-static int CaviumRsaSSL_Verify(const byte* in, word32 inLen, byte* out,
- word32 outLen, RsaKey* key)
-{
- word32 requestId;
- word32 ret;
- word16 outSz = (word16)outLen;
- if (key == NULL || in == NULL || out == NULL || inLen != (word32)key->c_nSz)
- return -1;
-
- ret = CspPkcs1v15Dec(CAVIUM_BLOCKING, BT1, key->c_nSz, key->c_eSz,
- key->c_n, key->c_e, (byte*)in, &outSz, out,
- &requestId, key->devId);
- if (ret != 0) {
- WOLFSSL_MSG("Cavium Dec BT1 failed");
- return -1;
- }
- outSz = ntohs(outSz);
+ /* calculate maximum number of instructions to block */
+ key->nb->exptmod.maxBlockInst = cpuMHz * maxBlockUs;
- return outSz;
+ return 0;
}
+#endif /* WC_RSA_NONBLOCK_TIME */
+#endif /* WC_RSA_NONBLOCK */
-
-#endif /* HAVE_CAVIUM */
-
-#endif /* HAVE_FIPS */
#endif /* NO_RSA */
-
View Lorry Controller Status