3 * Copyright (C) 2006-2014 wolfSSL Inc.
5 * This file is part of CyaSSL.
7 * CyaSSL is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 2 of the License, or
10 * (at your option) any later version.
12 * CyaSSL is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
27 #include <cyassl/ctaocrypt/settings.h>
32 /* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */
33 #define FIPS_NO_WRAPPERS
36 #include <cyassl/ctaocrypt/rsa.h>
37 #include <cyassl/ctaocrypt/random.h>
38 #include <cyassl/ctaocrypt/error-crypt.h>
39 #include <cyassl/ctaocrypt/logging.h>
50 static int InitCaviumRsaKey(RsaKey* key, void* heap);
51 static int FreeCaviumRsaKey(RsaKey* key);
52 static int CaviumRsaPublicEncrypt(const byte* in, word32 inLen, byte* out,
53 word32 outLen, RsaKey* key);
54 static int CaviumRsaPrivateDecrypt(const byte* in, word32 inLen, byte* out,
55 word32 outLen, RsaKey* key);
56 static int CaviumRsaSSL_Sign(const byte* in, word32 inLen, byte* out,
57 word32 outLen, RsaKey* key);
58 static int CaviumRsaSSL_Verify(const byte* in, word32 inLen, byte* out,
59 word32 outLen, RsaKey* key);
63 RSA_PUBLIC_ENCRYPT = 0,
64 RSA_PUBLIC_DECRYPT = 1,
65 RSA_PRIVATE_ENCRYPT = 2,
66 RSA_PRIVATE_DECRYPT = 3,
74 RSA_MIN_PAD_SZ = 11 /* seperator + 0 + pad value + 8 pads */
78 int InitRsaKey(RsaKey* key, void* heap)
81 if (key->magic == CYASSL_RSA_CAVIUM_MAGIC)
82 return InitCaviumRsaKey(key, heap);
85 key->type = -1; /* haven't decided yet */
88 /* TomsFastMath doesn't use memory allocation */
90 key->n.dp = key->e.dp = 0; /* public alloc parts */
92 key->d.dp = key->p.dp = 0; /* private alloc parts */
93 key->q.dp = key->dP.dp = 0;
94 key->u.dp = key->dQ.dp = 0;
101 int FreeRsaKey(RsaKey* key)
106 if (key->magic == CYASSL_RSA_CAVIUM_MAGIC)
107 return FreeCaviumRsaKey(key);
110 /* TomsFastMath doesn't use memory allocation */
111 #ifndef USE_FAST_MATH
112 if (key->type == RSA_PRIVATE) {
127 static int RsaPad(const byte* input, word32 inputLen, byte* pkcsBlock,
128 word32 pkcsBlockLen, byte padValue, RNG* rng)
133 pkcsBlock[0] = 0x0; /* set first byte to zero and advance */
134 pkcsBlock++; pkcsBlockLen--;
135 pkcsBlock[0] = padValue; /* insert padValue */
137 if (padValue == RSA_BLOCK_TYPE_1)
138 /* pad with 0xff bytes */
139 XMEMSET(&pkcsBlock[1], 0xFF, pkcsBlockLen - inputLen - 2);
141 /* pad with non-zero random bytes */
142 word32 padLen = pkcsBlockLen - inputLen - 1, i;
143 int ret = RNG_GenerateBlock(rng, &pkcsBlock[1], padLen);
149 for (i = 1; i < padLen; i++)
150 if (pkcsBlock[i] == 0) pkcsBlock[i] = 0x01;
153 pkcsBlock[pkcsBlockLen-inputLen-1] = 0; /* separator */
154 XMEMCPY(pkcsBlock+pkcsBlockLen-inputLen, input, inputLen);
160 static word32 RsaUnPad(const byte *pkcsBlock, unsigned int pkcsBlockLen,
161 byte **output, byte padValue)
163 word32 maxOutputLen = (pkcsBlockLen > 10) ? (pkcsBlockLen - 10) : 0,
168 if (pkcsBlock[0] != 0x0) /* skip past zero */
170 pkcsBlock++; pkcsBlockLen--;
172 /* Require block type padValue */
173 invalid = (pkcsBlock[0] != padValue) || invalid;
175 /* skip past the padding until we find the separator */
176 while (i<pkcsBlockLen && pkcsBlock[i++]) { /* null body */
178 if(!(i==pkcsBlockLen || pkcsBlock[i-1]==0)) {
179 CYASSL_MSG("RsaUnPad error, bad formatting");
183 outputLen = pkcsBlockLen - i;
184 invalid = (outputLen > maxOutputLen) || invalid;
187 CYASSL_MSG("RsaUnPad error, bad formatting");
191 *output = (byte *)(pkcsBlock + i);
196 static int RsaFunction(const byte* in, word32 inLen, byte* out, word32* outLen,
197 int type, RsaKey* key)
199 #define ERROR_OUT(x) { ret = x; goto done;}
205 if (mp_init(&tmp) != MP_OKAY)
208 if (mp_read_unsigned_bin(&tmp, (byte*)in, inLen) != MP_OKAY)
209 ERROR_OUT(MP_READ_E);
211 if (type == RSA_PRIVATE_DECRYPT || type == RSA_PRIVATE_ENCRYPT) {
212 #ifdef RSA_LOW_MEM /* half as much memory but twice as slow */
213 if (mp_exptmod(&tmp, &key->d, &key->n, &tmp) != MP_OKAY)
214 ERROR_OUT(MP_EXPTMOD_E);
216 #define INNER_ERROR_OUT(x) { ret = x; goto inner_done; }
220 if (mp_init(&tmpa) != MP_OKAY)
221 ERROR_OUT(MP_INIT_E);
223 if (mp_init(&tmpb) != MP_OKAY) {
225 ERROR_OUT(MP_INIT_E);
228 /* tmpa = tmp^dP mod p */
229 if (mp_exptmod(&tmp, &key->dP, &key->p, &tmpa) != MP_OKAY)
230 INNER_ERROR_OUT(MP_EXPTMOD_E);
232 /* tmpb = tmp^dQ mod q */
233 if (mp_exptmod(&tmp, &key->dQ, &key->q, &tmpb) != MP_OKAY)
234 INNER_ERROR_OUT(MP_EXPTMOD_E);
236 /* tmp = (tmpa - tmpb) * qInv (mod p) */
237 if (mp_sub(&tmpa, &tmpb, &tmp) != MP_OKAY)
238 INNER_ERROR_OUT(MP_SUB_E);
240 if (mp_mulmod(&tmp, &key->u, &key->p, &tmp) != MP_OKAY)
241 INNER_ERROR_OUT(MP_MULMOD_E);
243 /* tmp = tmpb + q * tmp */
244 if (mp_mul(&tmp, &key->q, &tmp) != MP_OKAY)
245 INNER_ERROR_OUT(MP_MUL_E);
247 if (mp_add(&tmp, &tmpb, &tmp) != MP_OKAY)
248 INNER_ERROR_OUT(MP_ADD_E);
254 if (ret != 0) return ret;
256 #endif /* RSA_LOW_MEM */
258 else if (type == RSA_PUBLIC_ENCRYPT || type == RSA_PUBLIC_DECRYPT) {
259 if (mp_exptmod(&tmp, &key->e, &key->n, &tmp) != MP_OKAY)
260 ERROR_OUT(MP_EXPTMOD_E);
263 ERROR_OUT(RSA_WRONG_TYPE_E);
265 keyLen = mp_unsigned_bin_size(&key->n);
266 if (keyLen > *outLen)
267 ERROR_OUT(RSA_BUFFER_E);
269 len = mp_unsigned_bin_size(&tmp);
271 /* pad front w/ zeros to match key length */
272 while (len < keyLen) {
280 if (mp_to_unsigned_bin(&tmp, out) != MP_OKAY)
289 int RsaPublicEncrypt(const byte* in, word32 inLen, byte* out, word32 outLen,
290 RsaKey* key, RNG* rng)
295 if (key->magic == CYASSL_RSA_CAVIUM_MAGIC)
296 return CaviumRsaPublicEncrypt(in, inLen, out, outLen, key);
299 sz = mp_unsigned_bin_size(&key->n);
300 if (sz > (int)outLen)
303 if (inLen > (word32)(sz - RSA_MIN_PAD_SZ))
306 ret = RsaPad(in, inLen, out, sz, RSA_BLOCK_TYPE_2, rng);
310 if ((ret = RsaFunction(out, sz, out, &outLen, RSA_PUBLIC_ENCRYPT, key)) < 0)
317 int RsaPrivateDecryptInline(byte* in, word32 inLen, byte** out, RsaKey* key)
322 if (key->magic == CYASSL_RSA_CAVIUM_MAGIC) {
323 ret = CaviumRsaPrivateDecrypt(in, inLen, in, inLen, key);
330 if ((ret = RsaFunction(in, inLen, in, &inLen, RSA_PRIVATE_DECRYPT, key))
335 plainLen = RsaUnPad(in, inLen, out, RSA_BLOCK_TYPE_2);
341 int RsaPrivateDecrypt(const byte* in, word32 inLen, byte* out, word32 outLen,
349 if (key->magic == CYASSL_RSA_CAVIUM_MAGIC)
350 return CaviumRsaPrivateDecrypt(in, inLen, out, outLen, key);
353 tmp = (byte*)XMALLOC(inLen, key->heap, DYNAMIC_TYPE_RSA);
358 XMEMCPY(tmp, in, inLen);
360 if ((ret = plainLen = RsaPrivateDecryptInline(tmp, inLen, &pad, key))
362 XFREE(tmp, key->heap, DYNAMIC_TYPE_RSA);
365 if (plainLen > (int)outLen)
366 plainLen = BAD_FUNC_ARG;
368 XMEMCPY(out, pad, plainLen);
369 XMEMSET(tmp, 0x00, inLen);
371 XFREE(tmp, key->heap, DYNAMIC_TYPE_RSA);
377 int RsaSSL_VerifyInline(byte* in, word32 inLen, byte** out, RsaKey* key)
382 if (key->magic == CYASSL_RSA_CAVIUM_MAGIC) {
383 ret = CaviumRsaSSL_Verify(in, inLen, in, inLen, key);
390 if ((ret = RsaFunction(in, inLen, in, &inLen, RSA_PUBLIC_DECRYPT, key))
395 plainLen = RsaUnPad(in, inLen, out, RSA_BLOCK_TYPE_1);
401 int RsaSSL_Verify(const byte* in, word32 inLen, byte* out, word32 outLen,
409 if (key->magic == CYASSL_RSA_CAVIUM_MAGIC)
410 return CaviumRsaSSL_Verify(in, inLen, out, outLen, key);
413 tmp = (byte*)XMALLOC(inLen, key->heap, DYNAMIC_TYPE_RSA);
418 XMEMCPY(tmp, in, inLen);
420 if ((ret = plainLen = RsaSSL_VerifyInline(tmp, inLen, &pad, key))
422 XFREE(tmp, key->heap, DYNAMIC_TYPE_RSA);
426 if (plainLen > (int)outLen)
427 plainLen = BAD_FUNC_ARG;
429 XMEMCPY(out, pad, plainLen);
430 XMEMSET(tmp, 0x00, inLen);
432 XFREE(tmp, key->heap, DYNAMIC_TYPE_RSA);
438 int RsaSSL_Sign(const byte* in, word32 inLen, byte* out, word32 outLen,
439 RsaKey* key, RNG* rng)
444 if (key->magic == CYASSL_RSA_CAVIUM_MAGIC)
445 return CaviumRsaSSL_Sign(in, inLen, out, outLen, key);
448 sz = mp_unsigned_bin_size(&key->n);
449 if (sz > (int)outLen)
452 if (inLen > (word32)(sz - RSA_MIN_PAD_SZ))
455 ret = RsaPad(in, inLen, out, sz, RSA_BLOCK_TYPE_1, rng);
459 if ((ret = RsaFunction(out, sz, out, &outLen, RSA_PRIVATE_ENCRYPT,key)) < 0)
466 int RsaEncryptSize(RsaKey* key)
469 if (key->magic == CYASSL_RSA_CAVIUM_MAGIC)
472 return mp_unsigned_bin_size(&key->n);
476 #ifdef CYASSL_KEY_GEN
478 static const int USE_BBS = 1;
480 static int rand_prime(mp_int* N, int len, RNG* rng, void* heap)
486 if (N == NULL || rng == NULL)
497 /* allow sizes between 2 and 512 bytes for a prime size */
498 if (len < 2 || len > 512) {
502 /* allocate buffer to work with */
503 buf = (byte*)XMALLOC(len, heap, DYNAMIC_TYPE_RSA);
507 XMEMSET(buf, 0, len);
515 err = RNG_GenerateBlock(rng, buf, len);
517 XFREE(buf, heap, DYNAMIC_TYPE_RSA);
522 buf[0] |= 0x80 | 0x40;
523 buf[len-1] |= 0x01 | ((type & USE_BBS) ? 0x02 : 0x00);
526 if ((err = mp_read_unsigned_bin(N, buf, len)) != MP_OKAY) {
527 XFREE(buf, heap, DYNAMIC_TYPE_RSA);
532 if ((err = mp_prime_is_prime(N, 8, &res)) != MP_OKAY) {
533 XFREE(buf, heap, DYNAMIC_TYPE_RSA);
536 } while (res == MP_NO);
538 #ifdef LTC_CLEAN_STACK
539 XMEMSET(buf, 0, len);
542 XFREE(buf, heap, DYNAMIC_TYPE_RSA);
547 /* Make an RSA key for size bits, with e specified, 65537 is a good e */
548 int MakeRsaKey(RsaKey* key, int size, long e, RNG* rng)
550 mp_int p, q, tmp1, tmp2, tmp3;
553 if (key == NULL || rng == NULL)
556 if (size < RSA_MIN_SIZE || size > RSA_MAX_SIZE)
559 if (e < 3 || (e & 1) == 0)
562 if ((err = mp_init_multi(&p, &q, &tmp1, &tmp2, &tmp3, NULL)) != MP_OKAY)
565 err = mp_set_int(&tmp3, e);
568 if (err == MP_OKAY) {
570 err = rand_prime(&p, size/16, rng, key->heap); /* size in bytes/2 */
573 err = mp_sub_d(&p, 1, &tmp1); /* tmp1 = p-1 */
576 err = mp_gcd(&tmp1, &tmp3, &tmp2); /* tmp2 = gcd(p-1, e) */
577 } while (err == MP_OKAY && mp_cmp_d(&tmp2, 1) != 0); /* e divdes p-1 */
581 if (err == MP_OKAY) {
583 err = rand_prime(&q, size/16, rng, key->heap); /* size in bytes/2 */
586 err = mp_sub_d(&q, 1, &tmp1); /* tmp1 = q-1 */
589 err = mp_gcd(&tmp1, &tmp3, &tmp2); /* tmp2 = gcd(q-1, e) */
590 } while (err == MP_OKAY && mp_cmp_d(&tmp2, 1) != 0); /* e divdes q-1 */
594 err = mp_init_multi(&key->n, &key->e, &key->d, &key->p, &key->q, NULL);
597 err = mp_init_multi(&key->dP, &key->dQ, &key->u, NULL, NULL, NULL);
600 err = mp_sub_d(&p, 1, &tmp2); /* tmp2 = p-1 */
603 err = mp_lcm(&tmp1, &tmp2, &tmp1); /* tmp1 = lcm(p-1, q-1),last loop */
607 err = mp_set_int(&key->e, e); /* key->e = e */
609 if (err == MP_OKAY) /* key->d = 1/e mod lcm(p-1, q-1) */
610 err = mp_invmod(&key->e, &tmp1, &key->d);
613 err = mp_mul(&p, &q, &key->n); /* key->n = pq */
616 err = mp_sub_d(&p, 1, &tmp1);
619 err = mp_sub_d(&q, 1, &tmp2);
622 err = mp_mod(&key->d, &tmp1, &key->dP);
625 err = mp_mod(&key->d, &tmp2, &key->dQ);
628 err = mp_invmod(&q, &p, &key->u);
631 err = mp_copy(&p, &key->p);
634 err = mp_copy(&q, &key->q);
637 key->type = RSA_PRIVATE;
645 if (err != MP_OKAY) {
654 #endif /* CYASSL_KEY_GEN */
659 #include <cyassl/ctaocrypt/logging.h>
660 #include "cavium_common.h"
662 /* Initiliaze RSA for use with Nitrox device */
663 int RsaInitCavium(RsaKey* rsa, int devId)
668 if (CspAllocContext(CONTEXT_SSL, &rsa->contextHandle, devId) != 0)
672 rsa->magic = CYASSL_RSA_CAVIUM_MAGIC;
678 /* Free RSA from use with Nitrox device */
679 void RsaFreeCavium(RsaKey* rsa)
684 CspFreeContext(CONTEXT_SSL, rsa->contextHandle, rsa->devId);
689 /* Initialize cavium RSA key */
690 static int InitCaviumRsaKey(RsaKey* key, void* heap)
696 key->type = -1; /* don't know yet */
720 /* Free cavium RSA key */
721 static int FreeCaviumRsaKey(RsaKey* key)
726 XFREE(key->c_n, key->heap, DYNAMIC_TYPE_CAVIUM_TMP);
727 XFREE(key->c_e, key->heap, DYNAMIC_TYPE_CAVIUM_TMP);
728 XFREE(key->c_d, key->heap, DYNAMIC_TYPE_CAVIUM_TMP);
729 XFREE(key->c_p, key->heap, DYNAMIC_TYPE_CAVIUM_TMP);
730 XFREE(key->c_q, key->heap, DYNAMIC_TYPE_CAVIUM_TMP);
731 XFREE(key->c_dP, key->heap, DYNAMIC_TYPE_CAVIUM_TMP);
732 XFREE(key->c_dQ, key->heap, DYNAMIC_TYPE_CAVIUM_TMP);
733 XFREE(key->c_u, key->heap, DYNAMIC_TYPE_CAVIUM_TMP);
735 return InitCaviumRsaKey(key, key->heap); /* reset pointers */
739 static int CaviumRsaPublicEncrypt(const byte* in, word32 inLen, byte* out,
740 word32 outLen, RsaKey* key)
745 if (key == NULL || in == NULL || out == NULL || outLen < (word32)key->c_nSz)
748 ret = CspPkcs1v15Enc(CAVIUM_BLOCKING, BT2, key->c_nSz, key->c_eSz,
749 (word16)inLen, key->c_n, key->c_e, (byte*)in, out,
750 &requestId, key->devId);
752 CYASSL_MSG("Cavium Enc BT2 failed");
759 static INLINE void ato16(const byte* c, word16* u16)
761 *u16 = (c[0] << 8) | (c[1]);
765 static int CaviumRsaPrivateDecrypt(const byte* in, word32 inLen, byte* out,
766 word32 outLen, RsaKey* key)
770 word16 outSz = (word16)outLen;
772 if (key == NULL || in == NULL || out == NULL || inLen != (word32)key->c_nSz)
775 ret = CspPkcs1v15CrtDec(CAVIUM_BLOCKING, BT2, key->c_nSz, key->c_q,
776 key->c_dQ, key->c_p, key->c_dP, key->c_u,
777 (byte*)in, &outSz, out, &requestId, key->devId);
779 CYASSL_MSG("Cavium CRT Dec BT2 failed");
782 ato16((const byte*)&outSz, &outSz);
788 static int CaviumRsaSSL_Sign(const byte* in, word32 inLen, byte* out,
789 word32 outLen, RsaKey* key)
794 if (key == NULL || in == NULL || out == NULL || inLen == 0 || outLen <
798 ret = CspPkcs1v15CrtEnc(CAVIUM_BLOCKING, BT1, key->c_nSz, (word16)inLen,
799 key->c_q, key->c_dQ, key->c_p, key->c_dP, key->c_u,
800 (byte*)in, out, &requestId, key->devId);
802 CYASSL_MSG("Cavium CRT Enc BT1 failed");
809 static int CaviumRsaSSL_Verify(const byte* in, word32 inLen, byte* out,
810 word32 outLen, RsaKey* key)
814 word16 outSz = (word16)outLen;
816 if (key == NULL || in == NULL || out == NULL || inLen != (word32)key->c_nSz)
819 ret = CspPkcs1v15Dec(CAVIUM_BLOCKING, BT1, key->c_nSz, key->c_eSz,
820 key->c_n, key->c_e, (byte*)in, &outSz, out,
821 &requestId, key->devId);
823 CYASSL_MSG("Cavium Dec BT1 failed");
826 outSz = ntohs(outSz);
832 #endif /* HAVE_CAVIUM */