luna - wolfssl/src/pk

   1/* pk_rsa.c
   2 *
   3 * Copyright (C) 2006-2026 wolfSSL Inc.
   4 *
   5 * This file is part of wolfSSL.
   6 *
   7 * wolfSSL is free software; you can redistribute it and/or modify
   8 * it under the terms of the GNU General Public License as published by
   9 * the Free Software Foundation; either version 3 of the License, or
  10 * (at your option) any later version.
  11 *
  12 * wolfSSL is distributed in the hope that it will be useful,
  13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
  14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  15 * GNU General Public License for more details.
  16 *
  17 * You should have received a copy of the GNU General Public License
  18 * along with this program; if not, write to the Free Software
  19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  20 */
  21
  22#include <wolfssl/wolfcrypt/libwolfssl_sources.h>
  23
  24#include <wolfssl/internal.h>
  25#ifndef WC_NO_RNG
  26    #include <wolfssl/wolfcrypt/random.h>
  27#endif
  28
  29#if !defined(WOLFSSL_PK_RSA_INCLUDED)
  30    #ifndef WOLFSSL_IGNORE_FILE_WARN
  31        #warning pk_rsa.c does not need to be compiled separately from ssl.c
  32    #endif
  33#else
  34
  35#ifndef NO_RSA
  36    #include <wolfssl/wolfcrypt/rsa.h>
  37#endif
  38
  39/*******************************************************************************
  40 * START OF RSA API
  41 ******************************************************************************/
  42
  43#ifndef NO_RSA
  44
  45/*
  46 * RSA METHOD
  47 * Could be used to hold function pointers to implementations of RSA operations.
  48 */
  49
  50#if defined(OPENSSL_EXTRA)
  51/* Return a blank RSA method and set the name and flags.
  52 *
  53 * Only one implementation of RSA operations.
  54 * name is duplicated.
  55 *
  56 * @param [in] name   Name to use in method.
  57 * @param [in] flags  Flags to set into method.
  58 * @return  Newly allocated RSA method on success.
  59 * @return  NULL on failure.
  60 */
  61WOLFSSL_RSA_METHOD *wolfSSL_RSA_meth_new(const char *name, int flags)
  62{
  63    WOLFSSL_RSA_METHOD* meth = NULL;
  64    int name_len = 0;
  65    int err;
  66
  67    /* Validate name is not NULL. */
  68    if (name == NULL)
  69        return NULL;
  70    /* Allocate an RSA METHOD to return. */
  71    meth = (WOLFSSL_RSA_METHOD*)XMALLOC(sizeof(WOLFSSL_RSA_METHOD), NULL,
  72                                        DYNAMIC_TYPE_OPENSSL);
  73    if (meth == NULL)
  74        return NULL;
  75
  76    XMEMSET(meth, 0, sizeof(*meth));
  77    meth->flags = flags;
  78    meth->dynamic = 1;
  79
  80    name_len = (int)XSTRLEN(name);
  81    meth->name = (char*)XMALLOC((size_t)(name_len + 1), NULL,
  82        DYNAMIC_TYPE_OPENSSL);
  83    err = (meth->name == NULL);
  84
  85    if (!err) {
  86        XMEMCPY(meth->name, name, (size_t)(name_len + 1));
  87    }
  88
  89    if (err) {
  90        /* meth->name won't be allocated on error. */
  91        XFREE(meth, NULL, DYNAMIC_TYPE_OPENSSL);
  92        meth = NULL;
  93    }
  94    return meth;
  95}
  96
  97/* Default RSA method is one with wolfSSL name and no flags.
  98 *
  99 * @return  Newly allocated wolfSSL RSA method on success.
 100 * @return  NULL on failure.
 101 */
 102const WOLFSSL_RSA_METHOD* wolfSSL_RSA_get_default_method(void)
 103{
 104    static const WOLFSSL_RSA_METHOD wolfssl_rsa_meth = {
 105        0, /* No flags. */
 106        (char*)"wolfSSL RSA",
 107        0  /* Static definition. */
 108    };
 109    return &wolfssl_rsa_meth;
 110}
 111
 112/* Dispose of RSA method and allocated data.
 113 *
 114 * @param [in] meth  RSA method to free.
 115 */
 116void wolfSSL_RSA_meth_free(WOLFSSL_RSA_METHOD *meth)
 117{
 118    /* Free method if available and dynamically allocated. */
 119    if ((meth != NULL) && meth->dynamic) {
 120        /* Name was duplicated and must be freed. */
 121        XFREE(meth->name, NULL, DYNAMIC_TYPE_OPENSSL);
 122        /* Dispose of RSA method. */
 123        XFREE(meth, NULL, DYNAMIC_TYPE_OPENSSL);
 124    }
 125}
 126
 127#ifndef NO_WOLFSSL_STUB
 128/* Stub function for any RSA method setting function.
 129 *
 130 * Nothing is stored - not even flags or name.
 131 *
 132 * @param [in] meth  RSA method.
 133 * @param [in] p     A pointer.
 134 * @return  1 to indicate success.
 135 */
 136int wolfSSL_RSA_meth_set(WOLFSSL_RSA_METHOD *meth, void* p)
 137{
 138    WOLFSSL_STUB("RSA_METHOD is not implemented.");
 139
 140    (void)meth;
 141    (void)p;
 142
 143    return 1;
 144}
 145#endif /* !NO_WOLFSSL_STUB */
 146#endif /* OPENSSL_EXTRA */
 147
 148/*
 149 * RSA constructor/deconstructor APIs
 150 */
 151
 152#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
 153/* Dispose of RSA key and allocated data.
 154 *
 155 * Cannot use rsa after this call.
 156 *
 157 * @param [in] rsa  RSA key to free.
 158 */
 159void wolfSSL_RSA_free(WOLFSSL_RSA* rsa)
 160{
 161    int doFree = 1;
 162
 163    WOLFSSL_ENTER("wolfSSL_RSA_free");
 164
 165    /* Validate parameter. */
 166    if (rsa == NULL) {
 167        doFree = 0;
 168    }
 169    if (doFree) {
 170        int err;
 171
 172        /* Decrement reference count. */
 173        wolfSSL_RefDec(&rsa->ref, &doFree, &err);
 174    #ifndef WOLFSSL_REFCNT_ERROR_RETURN
 175        (void)err;
 176    #endif
 177    }
 178    if (doFree) {
 179        void* heap = rsa->heap;
 180
 181        /* Dispose of allocated reference counting data. */
 182        wolfSSL_RefFree(&rsa->ref);
 183
 184    #ifdef HAVE_EX_DATA_CLEANUP_HOOKS
 185        wolfSSL_CRYPTO_cleanup_ex_data(&rsa->ex_data);
 186    #endif
 187
 188        if (rsa->internal != NULL) {
 189        #if !defined(HAVE_FIPS) && defined(WC_RSA_BLINDING)
 190            /* Check if RNG is owned before freeing it. */
 191            if (rsa->ownRng) {
 192                WC_RNG* rng = ((RsaKey*)(rsa->internal))->rng;
 193                if ((rng != NULL) && (rng != wolfssl_get_global_rng())) {
 194                    wc_FreeRng(rng);
 195                    XFREE(rng, heap, DYNAMIC_TYPE_RNG);
 196                }
 197                /* RNG isn't freed by wolfCrypt RSA free. */
 198            }
 199        #endif
 200            /* Dispose of allocated data in wolfCrypt RSA key. */
 201            wc_FreeRsaKey((RsaKey*)rsa->internal);
 202            /* Dispose of memory for wolfCrypt RSA key. */
 203            XFREE(rsa->internal, heap, DYNAMIC_TYPE_RSA);
 204        }
 205
 206        /* Dispose of external representation of RSA values. */
 207        wolfSSL_BN_clear_free(rsa->iqmp);
 208        wolfSSL_BN_clear_free(rsa->dmq1);
 209        wolfSSL_BN_clear_free(rsa->dmp1);
 210        wolfSSL_BN_clear_free(rsa->q);
 211        wolfSSL_BN_clear_free(rsa->p);
 212        wolfSSL_BN_clear_free(rsa->d);
 213        wolfSSL_BN_free(rsa->e);
 214        wolfSSL_BN_free(rsa->n);
 215
 216    #if defined(OPENSSL_EXTRA)
 217        if (rsa->meth) {
 218            wolfSSL_RSA_meth_free((WOLFSSL_RSA_METHOD*)rsa->meth);
 219        }
 220    #endif
 221
 222        /* Set back to NULLs for safety. */
 223        ForceZero(rsa, sizeof(*rsa));
 224
 225        XFREE(rsa, heap, DYNAMIC_TYPE_RSA);
 226        (void)heap;
 227    }
 228}
 229
 230/* Allocate and initialize a new RSA key.
 231 *
 232 * Not OpenSSL API.
 233 *
 234 * @param [in] heap   Heap hint for dynamic memory allocation.
 235 * @param [in] devId  Device identifier value.
 236 * @return  RSA key on success.
 237 * @return  NULL on failure.
 238 */
 239WOLFSSL_RSA* wolfSSL_RSA_new_ex(void* heap, int devId)
 240{
 241    WOLFSSL_RSA* rsa = NULL;
 242    RsaKey* key = NULL;
 243    int err = 0;
 244    int rsaKeyInited = 0;
 245
 246    WOLFSSL_ENTER("wolfSSL_RSA_new");
 247
 248    /* Allocate memory for new wolfCrypt RSA key. */
 249    key = (RsaKey*)XMALLOC(sizeof(RsaKey), heap, DYNAMIC_TYPE_RSA);
 250    if (key == NULL) {
 251        WOLFSSL_ERROR_MSG("wolfSSL_RSA_new malloc RsaKey failure");
 252        err = 1;
 253    }
 254    if (!err) {
 255        /* Allocate memory for new RSA key. */
 256        rsa = (WOLFSSL_RSA*)XMALLOC(sizeof(WOLFSSL_RSA), heap,
 257            DYNAMIC_TYPE_RSA);
 258        if (rsa == NULL) {
 259            WOLFSSL_ERROR_MSG("wolfSSL_RSA_new malloc WOLFSSL_RSA failure");
 260            err = 1;
 261        }
 262    }
 263    if (!err) {
 264        /* Clear all fields of RSA key. */
 265        XMEMSET(rsa, 0, sizeof(WOLFSSL_RSA));
 266        /* Cache heap to use for all allocations. */
 267        rsa->heap = heap;
 268    #ifdef OPENSSL_EXTRA
 269        /* Always have a method set. */
 270        rsa->meth = wolfSSL_RSA_get_default_method();
 271    #endif
 272
 273        /* Initialize reference counting. */
 274        wolfSSL_RefInit(&rsa->ref, &err);
 275#ifdef WOLFSSL_REFCNT_ERROR_RETURN
 276    }
 277    if (!err) {
 278#endif
 279        /* Initialize wolfCrypt RSA key. */
 280        if (wc_InitRsaKey_ex(key, heap, devId) != 0) {
 281            WOLFSSL_ERROR_MSG("InitRsaKey WOLFSSL_RSA failure");
 282            err = 1;
 283        }
 284        else {
 285            rsaKeyInited = 1;
 286        }
 287    }
 288    #if !defined(HAVE_FIPS) && defined(WC_RSA_BLINDING)
 289    if (!err) {
 290        WC_RNG* rng;
 291
 292        /* Create a local RNG. */
 293        rng = (WC_RNG*)XMALLOC(sizeof(WC_RNG), heap, DYNAMIC_TYPE_RNG);
 294        if ((rng != NULL) && (wc_InitRng_ex(rng, heap, devId) != 0)) {
 295            WOLFSSL_MSG("InitRng failure, attempting to use global RNG");
 296            XFREE(rng, heap, DYNAMIC_TYPE_RNG);
 297            rng = NULL;
 298        }
 299
 300        rsa->ownRng = 1;
 301        if (rng == NULL) {
 302            /* Get the wolfSSL global RNG - not thread safe. */
 303            rng = wolfssl_get_global_rng();
 304            rsa->ownRng = 0;
 305        }
 306        if (rng == NULL) {
 307            /* Couldn't create global either. */
 308            WOLFSSL_ERROR_MSG("wolfSSL_RSA_new no WC_RNG for blinding");
 309            err = 1;
 310        }
 311        else {
 312            /* Set the local or global RNG into the wolfCrypt RSA key. */
 313            (void)wc_RsaSetRNG(key, rng);
 314            /* Won't fail as key and rng are not NULL. */
 315        }
 316    }
 317    #endif /* !HAVE_FIPS && WC_RSA_BLINDING */
 318    if (!err) {
 319        /* Set wolfCrypt RSA key into RSA key. */
 320        rsa->internal = key;
 321        /* Data from external RSA key has not been set into internal one. */
 322        rsa->inSet = 0;
 323    }
 324
 325    if (err) {
 326        /* Dispose of any allocated data on error. */
 327        /* No failure after RNG allocation - no need to free RNG. */
 328        if (rsaKeyInited) {
 329            wc_FreeRsaKey(key);
 330        }
 331        XFREE(key, heap, DYNAMIC_TYPE_RSA);
 332        XFREE(rsa, heap, DYNAMIC_TYPE_RSA);
 333        /* Return NULL. */
 334        rsa = NULL;
 335    }
 336    return rsa;
 337}
 338
 339/* Allocate and initialize a new RSA key.
 340 *
 341 * @return  RSA key on success.
 342 * @return  NULL on failure.
 343 */
 344WOLFSSL_RSA* wolfSSL_RSA_new(void)
 345{
 346    /* Call wolfSSL API to do work. */
 347    return wolfSSL_RSA_new_ex(NULL, INVALID_DEVID);
 348}
 349
 350/* Increments ref count of RSA key.
 351 *
 352 * @param [in, out] rsa  RSA key.
 353 * @return  1 on success
 354 * @return  0 on error
 355 */
 356int wolfSSL_RSA_up_ref(WOLFSSL_RSA* rsa)
 357{
 358    int err = 0;
 359    if (rsa != NULL) {
 360        wolfSSL_RefInc(&rsa->ref, &err);
 361    }
 362    return !err;
 363}
 364
 365#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */
 366
 367#ifdef OPENSSL_EXTRA
 368
 369#if defined(WOLFSSL_KEY_GEN)
 370
 371/* Allocate a new RSA key and make it a copy.
 372 *
 373 * Encodes to and from DER to copy.
 374 *
 375 * @param [in] rsa  RSA key to duplicate.
 376 * @return  RSA key on success.
 377 * @return  NULL on error.
 378 */
 379WOLFSSL_RSA* wolfSSL_RSAPublicKey_dup(WOLFSSL_RSA *rsa)
 380{
 381    WOLFSSL_RSA* ret = NULL;
 382    int derSz = 0;
 383    byte* derBuf = NULL;
 384    int err;
 385
 386    WOLFSSL_ENTER("wolfSSL_RSAPublicKey_dup");
 387
 388    err = (rsa == NULL);
 389    if (!err) {
 390        /* Create a new RSA key to return. */
 391        ret = wolfSSL_RSA_new();
 392        if (ret == NULL) {
 393            WOLFSSL_ERROR_MSG("Error creating a new WOLFSSL_RSA structure");
 394            err = 1;
 395        }
 396    }
 397    if (!err) {
 398        /* Encode RSA public key to copy to DER - allocates DER buffer. */
 399        if ((derSz = wolfSSL_RSA_To_Der(rsa, &derBuf, 1, rsa->heap)) < 0) {
 400            WOLFSSL_ERROR_MSG("wolfSSL_RSA_To_Der failed");
 401            err = 1;
 402        }
 403    }
 404    if (!err) {
 405        /* Decode DER of the RSA public key into new key. */
 406        if (wolfSSL_RSA_LoadDer_ex(ret, derBuf, derSz,
 407                WOLFSSL_RSA_LOAD_PUBLIC) != 1) {
 408            WOLFSSL_ERROR_MSG("wolfSSL_RSA_LoadDer_ex failed");
 409            err = 1;
 410        }
 411    }
 412
 413    /* Dispose of any allocated DER buffer. */
 414    XFREE(derBuf, rsa ? rsa->heap : NULL, DYNAMIC_TYPE_ASN1);
 415    if (err) {
 416        /* Disposes of any created RSA key - on error. */
 417        wolfSSL_RSA_free(ret);
 418        ret = NULL;
 419    }
 420    return ret;
 421}
 422
 423/* wolfSSL_RSAPrivateKey_dup not supported */
 424
 425#endif /* WOLFSSL_KEY_GEN */
 426
 427static int wolfSSL_RSA_To_Der_ex(WOLFSSL_RSA* rsa, byte** outBuf, int publicKey,
 428    void* heap);
 429
 430/*
 431 * RSA to/from bin APIs
 432 */
 433
 434/* Convert RSA public key data to internal.
 435 *
 436 * Creates new RSA key from the DER encoded RSA public key.
 437 *
 438 * @param [out]     out      Pointer to RSA key to return through. May be NULL.
 439 * @param [in, out] derBuf   Pointer to start of DER encoded data.
 440 * @param [in]      derSz    Length of the data in the DER buffer.
 441 * @return  RSA key on success.
 442 * @return  NULL on failure.
 443 */
 444WOLFSSL_RSA *wolfSSL_d2i_RSAPublicKey(WOLFSSL_RSA **out,
 445    const unsigned char **derBuf, long derSz)
 446{
 447    WOLFSSL_RSA *rsa = NULL;
 448    int err = 0;
 449
 450    WOLFSSL_ENTER("wolfSSL_d2i_RSAPublicKey");
 451
 452    /* Validate parameters. */
 453    if (derBuf == NULL) {
 454        WOLFSSL_ERROR_MSG("Bad argument");
 455        err = 1;
 456    }
 457    /* Create a new RSA key to return. */
 458    if ((!err) && ((rsa = wolfSSL_RSA_new()) == NULL)) {
 459        WOLFSSL_ERROR_MSG("RSA_new failed");
 460        err = 1;
 461    }
 462    /* Decode RSA key from DER. */
 463    if ((!err) && (wolfSSL_RSA_LoadDer_ex(rsa, *derBuf, (int)derSz,
 464            WOLFSSL_RSA_LOAD_PUBLIC) != 1)) {
 465        WOLFSSL_ERROR_MSG("RSA_LoadDer failed");
 466        err = 1;
 467    }
 468    if ((!err) && (out != NULL)) {
 469        /* Return through parameter too. */
 470        *out = rsa;
 471        /* Move buffer on by the used amount. */
 472        *derBuf += wolfssl_der_length(*derBuf, (int)derSz);
 473    }
 474
 475    if (err) {
 476        /* Dispose of any created RSA key. */
 477        wolfSSL_RSA_free(rsa);
 478        rsa = NULL;
 479    }
 480    return rsa;
 481}
 482
 483/* Convert RSA private key data to internal.
 484 *
 485 * Create a new RSA key from the DER encoded RSA private key.
 486 *
 487 * @param [out]     out      Pointer to RSA key to return through. May be NULL.
 488 * @param [in, out] derBuf   Pointer to start of DER encoded data.
 489 * @param [in]      derSz    Length of the data in the DER buffer.
 490 * @return  RSA key on success.
 491 * @return  NULL on failure.
 492 */
 493WOLFSSL_RSA *wolfSSL_d2i_RSAPrivateKey(WOLFSSL_RSA **out,
 494    const unsigned char **derBuf, long derSz)
 495{
 496    WOLFSSL_RSA *rsa = NULL;
 497    int err = 0;
 498
 499    WOLFSSL_ENTER("wolfSSL_d2i_RSAPublicKey");
 500
 501    /* Validate parameters. */
 502    if (derBuf == NULL) {
 503        WOLFSSL_ERROR_MSG("Bad argument");
 504        err = 1;
 505    }
 506    /* Create a new RSA key to return. */
 507    if ((!err) && ((rsa = wolfSSL_RSA_new()) == NULL)) {
 508        WOLFSSL_ERROR_MSG("RSA_new failed");
 509        err = 1;
 510    }
 511    /* Decode RSA key from DER. */
 512    if ((!err) && (wolfSSL_RSA_LoadDer_ex(rsa, *derBuf, (int)derSz,
 513            WOLFSSL_RSA_LOAD_PRIVATE) != 1)) {
 514        WOLFSSL_ERROR_MSG("RSA_LoadDer failed");
 515        err = 1;
 516    }
 517    if ((!err) && (out != NULL)) {
 518        /* Return through parameter too. */
 519        *out = rsa;
 520        /* Move buffer on by the used amount. */
 521        *derBuf += wolfssl_der_length(*derBuf, (int)derSz);
 522    }
 523
 524    if (err) {
 525        /* Dispose of any created RSA key. */
 526        wolfSSL_RSA_free(rsa);
 527        rsa = NULL;
 528    }
 529    return rsa;
 530}
 531
 532/* Converts an internal RSA structure to DER format for the private key.
 533 *
 534 * If "pp" is null then buffer size only is returned.
 535 * If "*pp" is null then a created buffer is set in *pp and the caller is
 536 *  responsible for free'ing it.
 537 *
 538 * @param [in]      rsa  RSA key.
 539 * @param [in, out] pp   On in, pointer to allocated buffer or NULL.
 540 *                       May be NULL.
 541 *                       On out, newly allocated buffer or pointer to byte after
 542 *                       encoding in passed in buffer.
 543 *
 544 * @return  Size of DER encoding on success
 545 * @return  BAD_FUNC_ARG when rsa is NULL.
 546 * @return  0 on failure.
 547 */
 548int wolfSSL_i2d_RSAPrivateKey(WOLFSSL_RSA *rsa, unsigned char **pp)
 549{
 550    int ret;
 551
 552    WOLFSSL_ENTER("wolfSSL_i2d_RSAPrivateKey");
 553
 554    /* Validate parameters. */
 555    if (rsa == NULL) {
 556        WOLFSSL_ERROR_MSG("Bad Function Arguments");
 557        ret = BAD_FUNC_ARG;
 558    }
 559    /* Encode the RSA key as a DER. Call allocates buffer into pp.
 560     * No heap hint as this gets returned to the user */
 561    else if ((ret = wolfSSL_RSA_To_Der_ex(rsa, pp, 0, NULL)) < 0) {
 562        WOLFSSL_ERROR_MSG("wolfSSL_RSA_To_Der failed");
 563        ret = 0;
 564    }
 565
 566    /* Size of DER encoding. */
 567    return ret;
 568}
 569
 570/* Converts an internal RSA structure to DER format for the public key.
 571 *
 572 * If "pp" is null then buffer size only is returned.
 573 * If "*pp" is null then a created buffer is set in *pp and the caller is
 574 *  responsible for free'ing it.
 575 *
 576 * @param [in]      rsa  RSA key.
 577 * @param [in, out] pp   On in, pointer to allocated buffer or NULL.
 578 *                       May be NULL.
 579 *                       On out, newly allocated buffer or pointer to byte after
 580 *                       encoding in passed in buffer.
 581 * @return  Size of DER encoding on success
 582 * @return  BAD_FUNC_ARG when rsa is NULL.
 583 * @return  0 on failure.
 584 */
 585int wolfSSL_i2d_RSAPublicKey(WOLFSSL_RSA *rsa, unsigned char **pp)
 586{
 587    int ret;
 588
 589    WOLFSSL_ENTER("wolfSSL_i2d_RSAPublicKey");
 590
 591    /* check for bad functions arguments */
 592    if (rsa == NULL) {
 593        WOLFSSL_ERROR_MSG("Bad Function Arguments");
 594        ret = BAD_FUNC_ARG;
 595    }
 596    /* Encode the RSA key as a DER. Call allocates buffer into pp.
 597     * No heap hint as this gets returned to the user */
 598    else if ((ret = wolfSSL_RSA_To_Der_ex(rsa, pp, 1, NULL)) < 0) {
 599        WOLFSSL_ERROR_MSG("wolfSSL_RSA_To_Der failed");
 600        ret = 0;
 601    }
 602
 603    return ret;
 604}
 605
 606#endif /* OPENSSL_EXTRA */
 607
 608/*
 609 * RSA to/from BIO APIs
 610 */
 611
 612/* wolfSSL_d2i_RSAPublicKey_bio not supported */
 613
 614#if defined(OPENSSL_ALL) || defined(WOLFSSL_ASIO) || defined(WOLFSSL_HAPROXY) \
 615    || defined(WOLFSSL_NGINX) || defined(WOLFSSL_QT)
 616
 617#if defined(WOLFSSL_KEY_GEN) && !defined(NO_BIO)
 618
 619/* Read DER data from a BIO.
 620 *
 621 * DER structures start with a constructed sequence. Use this to calculate the
 622 * total length of the DER data.
 623 *
 624 * @param [in]  bio   BIO object to read from.
 625 * @param [out] out   Buffer holding DER encoding.
 626 * @return  Number of bytes to DER encoding on success.
 627 * @return  0 on failure.
 628 */
 629static int wolfssl_read_der_bio(WOLFSSL_BIO* bio, unsigned char** out)
 630{
 631    int err = 0;
 632    unsigned char seq[MAX_SEQ_SZ];
 633    unsigned char* der = NULL;
 634    int derLen = 0;
 635
 636    /* Read in a minimal amount to get a SEQUENCE header of any size. */
 637    if (wolfSSL_BIO_read(bio, seq, sizeof(seq)) != sizeof(seq)) {
 638        WOLFSSL_ERROR_MSG("wolfSSL_BIO_read() of sequence failure");
 639        err = 1;
 640    }
 641    /* Calculate complete DER encoding length. */
 642    if ((!err) && ((derLen = wolfssl_der_length(seq, sizeof(seq))) <= 0)) {
 643        WOLFSSL_ERROR_MSG("DER SEQUENCE decode failed");
 644        err = 1;
 645    }
 646    /* Allocate a buffer to read DER data into. */
 647    if ((!err) && ((der = (unsigned char*)XMALLOC((size_t)derLen, bio->heap,
 648            DYNAMIC_TYPE_TMP_BUFFER)) == NULL)) {
 649        WOLFSSL_ERROR_MSG("Malloc failure");
 650        err = 1;
 651    }
 652    if ((!err) && (derLen <= (int)sizeof(seq))) {
 653        /* Copy the previously read data into the buffer. */
 654        XMEMCPY(der, seq, derLen);
 655    }
 656    else if (!err) {
 657        /* Calculate the unread amount. */
 658        int len = derLen - (int)sizeof(seq);
 659        /* Copy the previously read data into the buffer. */
 660        XMEMCPY(der, seq, sizeof(seq));
 661        /* Read rest of DER data from BIO. */
 662        if (wolfSSL_BIO_read(bio, der + sizeof(seq), len) != len) {
 663            WOLFSSL_ERROR_MSG("wolfSSL_BIO_read() failure");
 664            err = 1;
 665        }
 666    }
 667    if (!err) {
 668        /* Return buffer through parameter. */
 669        *out = der;
 670    }
 671
 672    if (err) {
 673        /* Dispose of any allocated buffer on error. */
 674        XFREE(der, bio->heap, DYNAMIC_TYPE_TMP_BUFFER);
 675        derLen = 0;
 676    }
 677    return derLen;
 678}
 679
 680/* Reads the RSA private key data from a BIO to the internal form.
 681 *
 682 * Creates new RSA key from the DER encoded RSA private key read from the BIO.
 683 *
 684 * @param [in]  bio  BIO object to read from.
 685 * @param [out] out  Pointer to RSA key to return through. May be NULL.
 686 * @return  RSA key on success.
 687 * @return  NULL on failure.
 688 */
 689WOLFSSL_RSA* wolfSSL_d2i_RSAPrivateKey_bio(WOLFSSL_BIO *bio, WOLFSSL_RSA **out)
 690{
 691    WOLFSSL_RSA* key = NULL;
 692    unsigned char* der = NULL;
 693    int derLen = 0;
 694    int err;
 695
 696    WOLFSSL_ENTER("wolfSSL_d2i_RSAPrivateKey_bio");
 697
 698    /* Validate parameters. */
 699    err = (bio == NULL);
 700    /* Read just DER encoding from BIO - buffer allocated in call. */
 701    if ((!err) && ((derLen = wolfssl_read_der_bio(bio, &der)) == 0)) {
 702        err = 1;
 703    }
 704    if (!err) {
 705        /* Keep der for call to deallocate. */
 706        const unsigned char* cder = der;
 707        /* Create an RSA key from the data from the BIO. */
 708        key = wolfSSL_d2i_RSAPrivateKey(NULL, &cder, derLen);
 709        err = (key == NULL);
 710    }
 711    if ((!err) && (out != NULL)) {
 712        /* Return the created RSA key through the parameter. */
 713        *out = key;
 714    }
 715
 716    if (err) {
 717        /* Dispose of created key on error. */
 718        wolfSSL_RSA_free(key);
 719        key = NULL;
 720    }
 721    /* Dispose of allocated data. */
 722    if (der != NULL) {
 723        ForceZero(der, (word32)derLen);
 724    }
 725    XFREE(der, bio ? bio->heap : NULL, DYNAMIC_TYPE_TMP_BUFFER);
 726    return key;
 727}
 728#endif /* defined(WOLFSSL_KEY_GEN) && !NO_BIO */
 729
 730#endif /* OPENSSL_ALL || WOLFSSL_ASIO || WOLFSSL_HAPROXY || WOLFSSL_QT */
 731
 732/*
 733 * RSA DER APIs
 734 */
 735
 736#ifdef OPENSSL_EXTRA
 737
 738/* Create a DER encoding of key.
 739 *
 740 * Not OpenSSL API.
 741 *
 742 * @param [in]  rsa        RSA key.
 743 * @param [out] outBuf     Allocated buffer containing DER encoding.
 744 *                         May be NULL.
 745 * @param [in]  publicKey  Whether to encode as public key.
 746 * @param [in]  heap       Heap hint.
 747 * @return  Encoding size on success.
 748 * @return  Negative on failure.
 749 */
 750int wolfSSL_RSA_To_Der(WOLFSSL_RSA* rsa, byte** outBuf, int publicKey,
 751    void* heap)
 752{
 753    byte* p = NULL;
 754    int ret;
 755
 756    if (outBuf != NULL) {
 757        p = *outBuf;
 758    }
 759    ret = wolfSSL_RSA_To_Der_ex(rsa, outBuf, publicKey, heap);
 760    if ((ret > 0) && (p != NULL)) {
 761        *outBuf = p;
 762    }
 763    return ret;
 764}
 765
 766/* Create a DER encoding of key.
 767 *
 768 * Buffer allocated with heap and DYNAMIC_TYPE_TMP_BUFFER.
 769 *
 770 * @param [in]      rsa        RSA key.
 771 * @param [in, out] outBuf     On in, pointer to allocated buffer or NULL.
 772 *                             May be NULL.
 773 *                             On out, newly allocated buffer or pointer to byte
 774 *                             after encoding in passed in buffer.
 775 * @param [in]      publicKey  Whether to encode as public key.
 776 * @param [in]      heap       Heap hint.
 777 * @return  Encoding size on success.
 778 * @return  Negative on failure.
 779 */
 780static int wolfSSL_RSA_To_Der_ex(WOLFSSL_RSA* rsa, byte** outBuf, int publicKey,
 781    void* heap)
 782{
 783    int ret = 1;
 784    int derSz = 0;
 785    word32 derAllocSz = 0;
 786    byte* derBuf = NULL;
 787
 788    WOLFSSL_ENTER("wolfSSL_RSA_To_Der");
 789
 790    /* Unused if memory is disabled. */
 791    (void)heap;
 792
 793    /* Validate parameters. */
 794    if ((rsa == NULL) || ((publicKey != 0) && (publicKey != 1))) {
 795        WOLFSSL_LEAVE("wolfSSL_RSA_To_Der", BAD_FUNC_ARG);
 796        ret = BAD_FUNC_ARG;
 797    }
 798    /* Push external RSA data into internal RSA key if not set. */
 799    if ((ret == 1) && (!rsa->inSet)) {
 800        ret = SetRsaInternal(rsa);
 801    }
 802    /* wc_RsaKeyToPublicDer encode regardless of values. */
 803    if ((ret == 1) && publicKey && (mp_iszero(&((RsaKey*)rsa->internal)->n) ||
 804            mp_iszero(&((RsaKey*)rsa->internal)->e))) {
 805        ret = BAD_FUNC_ARG;
 806    }
 807
 808    if (ret == 1) {
 809        if (publicKey) {
 810            /* Calculate length of DER encoded RSA public key. */
 811            derSz = wc_RsaPublicKeyDerSize((RsaKey*)rsa->internal, 1);
 812            if (derSz < 0) {
 813                WOLFSSL_ERROR_MSG("wc_RsaPublicKeyDerSize failed");
 814                ret = derSz;
 815            }
 816        }
 817        else {
 818            /* Calculate length of DER encoded RSA private key. */
 819            derSz = wc_RsaKeyToDer((RsaKey*)rsa->internal, NULL, 0);
 820            if (derSz < 0) {
 821                WOLFSSL_ERROR_MSG("wc_RsaKeyToDer failed");
 822                ret = derSz;
 823            }
 824        }
 825    }
 826
 827    if ((ret == 1) && (outBuf != NULL)) {
 828        derBuf = *outBuf;
 829        if (derBuf == NULL) {
 830            /* Allocate buffer to hold DER encoded RSA key. */
 831            derBuf = (byte*)XMALLOC((size_t)derSz, heap,
 832                DYNAMIC_TYPE_TMP_BUFFER);
 833            if (derBuf == NULL) {
 834                WOLFSSL_ERROR_MSG("Memory allocation failed");
 835                ret = MEMORY_ERROR;
 836            }
 837            else {
 838                derAllocSz = (word32)derSz;
 839            }
 840        }
 841    }
 842    if ((ret == 1) && (outBuf != NULL)) {
 843        if (publicKey > 0) {
 844            /* RSA public key to DER. */
 845            derSz = wc_RsaKeyToPublicDer((RsaKey*)rsa->internal, derBuf,
 846                (word32)derSz);
 847        }
 848        else {
 849            /* RSA private key to DER. */
 850            derSz = wc_RsaKeyToDer((RsaKey*)rsa->internal, derBuf,
 851                (word32)derSz);
 852        }
 853        if (derSz < 0) {
 854            WOLFSSL_ERROR_MSG("RSA key encoding failed");
 855            ret = derSz;
 856        }
 857        else if ((*outBuf) != NULL) {
 858            derBuf = NULL;
 859            *outBuf += derSz;
 860        }
 861        else {
 862            /* Return allocated buffer. */
 863            *outBuf = derBuf;
 864        }
 865    }
 866    if (ret == 1) {
 867        /* Success - return DER encoding size. */
 868        ret = derSz;
 869    }
 870
 871    if ((outBuf != NULL) && (*outBuf != derBuf)) {
 872        /* Not returning buffer, needs to be disposed of. */
 873        if ((derBuf != NULL) && (publicKey == 0) && (derAllocSz > 0)) {
 874            ForceZero(derBuf, derAllocSz);
 875        }
 876        XFREE(derBuf, heap, DYNAMIC_TYPE_TMP_BUFFER);
 877    }
 878    WOLFSSL_LEAVE("wolfSSL_RSA_To_Der", ret);
 879    return ret;
 880}
 881
 882#endif /* OPENSSL_EXTRA */
 883
 884#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
 885/* Load the DER encoded private RSA key.
 886 *
 887 * Not OpenSSL API.
 888 *
 889 * @param [in] rsa     RSA key.
 890 * @param [in] derBuf  Buffer holding DER encoding.
 891 * @param [in] derSz   Length of DER encoding.
 892 * @return  1 on success.
 893 * @return  -1 on failure.
 894 */
 895int wolfSSL_RSA_LoadDer(WOLFSSL_RSA* rsa, const unsigned char* derBuf,
 896    int derSz)
 897{
 898    /* Call implementation that handles both private and public keys. */
 899    return wolfSSL_RSA_LoadDer_ex(rsa, derBuf, derSz, WOLFSSL_RSA_LOAD_PRIVATE);
 900}
 901
 902/* Load the DER encoded public or private RSA key.
 903 *
 904 * Not OpenSSL API.
 905 *
 906 * @param [in] rsa     RSA key.
 907 * @param [in] derBuf  Buffer holding DER encoding.
 908 * @param [in] derSz   Length of DER encoding.
 909 * @param [in] opt     Indicates public or private key.
 910 *                     (WOLFSSL_RSA_LOAD_PUBLIC or WOLFSSL_RSA_LOAD_PRIVATE)
 911 * @return  1 on success.
 912 * @return  -1 on failure.
 913 */
 914int wolfSSL_RSA_LoadDer_ex(WOLFSSL_RSA* rsa, const unsigned char* derBuf,
 915    int derSz, int opt)
 916{
 917    int ret = 1;
 918    int res;
 919    word32 idx = 0;
 920    word32 algId;
 921
 922    WOLFSSL_ENTER("wolfSSL_RSA_LoadDer");
 923
 924    /* Validate parameters. */
 925    if ((rsa == NULL) || (rsa->internal == NULL) || (derBuf == NULL) ||
 926            (derSz <= 0)) {
 927        WOLFSSL_ERROR_MSG("Bad function arguments");
 928        ret = WOLFSSL_FATAL_ERROR;
 929    }
 930
 931    if (ret == 1) {
 932        rsa->pkcs8HeaderSz = 0;
 933        /* Check if input buffer has PKCS8 header. In the case that it does not
 934         * have a PKCS8 header then do not error out. */
 935        res = ToTraditionalInline_ex((const byte*)derBuf, &idx, (word32)derSz,
 936            &algId);
 937        if (res >= 0) {
 938            /* Store size of PKCS#8 header for encoding. */
 939            WOLFSSL_MSG("Found PKCS8 header");
 940            rsa->pkcs8HeaderSz = (word16)idx;
 941        }
 942        /* When decoding and not PKCS#8, return will be ASN_PARSE_E. */
 943        else if (res != WC_NO_ERR_TRACE(ASN_PARSE_E)) {
 944            /* Something went wrong while decoding. */
 945            WOLFSSL_ERROR_MSG("Unexpected error with trying to remove PKCS#8 "
 946                              "header");
 947            ret = WOLFSSL_FATAL_ERROR;
 948        }
 949    }
 950    if (ret == 1) {
 951        /* Decode private or public key data. */
 952        if (opt == WOLFSSL_RSA_LOAD_PRIVATE) {
 953            res = wc_RsaPrivateKeyDecode(derBuf, &idx, (RsaKey*)rsa->internal,
 954                (word32)derSz);
 955        }
 956        else {
 957            res = wc_RsaPublicKeyDecode(derBuf, &idx, (RsaKey*)rsa->internal,
 958                (word32)derSz);
 959        }
 960        /* Check for error. */
 961        if (res < 0) {
 962            if (opt == WOLFSSL_RSA_LOAD_PRIVATE) {
 963                 WOLFSSL_ERROR_MSG("RsaPrivateKeyDecode failed");
 964            }
 965            else {
 966                 WOLFSSL_ERROR_MSG("RsaPublicKeyDecode failed");
 967            }
 968            WOLFSSL_ERROR_VERBOSE(res);
 969            ret = WOLFSSL_FATAL_ERROR;
 970        }
 971    }
 972    if (ret == 1) {
 973        /* Set external RSA key data from wolfCrypt key. */
 974        if (SetRsaExternal(rsa) != 1) {
 975            ret = WOLFSSL_FATAL_ERROR;
 976        }
 977        else {
 978            rsa->inSet = 1;
 979        }
 980    }
 981
 982    return ret;
 983}
 984
 985#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */
 986
 987#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL)
 988
 989#if !defined(NO_BIO) || !defined(NO_FILESYSTEM)
 990/* Load DER encoded data into WOLFSSL_RSA object.
 991 *
 992 * Creates a new WOLFSSL_RSA object if one is not passed in.
 993 *
 994 * @param [in, out] rsa   WOLFSSL_RSA object to load into.
 995 *                        When rsa or *rsa is NULL a new object is created.
 996 *                        When not NULL and *rsa is NULL then new object
 997 *                        returned through pointer.
 998 * @param [in]      in    DER encoded RSA key data.
 999 * @param [in]      inSz  Size of DER encoded data in bytes.
1000 * @param [in]      opt   Public or private key encoded in data. Valid values:
1001 *                        WOLFSSL_RSA_LOAD_PRIVATE, WOLFSSL_RSA_LOAD_PUBLIC.
1002 * @return  NULL on failure.
1003 * @return  WOLFSSL_RSA object on success.
1004 */
1005static WOLFSSL_RSA* wolfssl_rsa_d2i(WOLFSSL_RSA** rsa, const unsigned char* in,
1006    long inSz, int opt)
1007{
1008    WOLFSSL_RSA* ret = NULL;
1009
1010    if ((rsa != NULL) && (*rsa != NULL)) {
1011        ret = *rsa;
1012    }
1013    else {
1014        ret = wolfSSL_RSA_new();
1015    }
1016    if ((ret != NULL) && (wolfSSL_RSA_LoadDer_ex(ret, in, (int)inSz, opt)
1017            != 1)) {
1018        if ((rsa == NULL) || (ret != *rsa)) {
1019            wolfSSL_RSA_free(ret);
1020        }
1021        ret = NULL;
1022    }
1023
1024    if ((rsa != NULL) && (*rsa == NULL)) {
1025        *rsa = ret;
1026    }
1027    return ret;
1028}
1029#endif
1030
1031#endif /* OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL */
1032
1033/*
1034 * RSA PEM APIs
1035 */
1036
1037#ifdef OPENSSL_EXTRA
1038
1039#ifndef NO_BIO
1040#if defined(WOLFSSL_KEY_GEN)
1041/* Writes PEM encoding of an RSA public key to a BIO.
1042 *
1043 * @param [in] bio  BIO object to write to.
1044 * @param [in] rsa  RSA key to write.
1045 * @return  1 on success.
1046 * @return  0 on failure.
1047 */
1048int wolfSSL_PEM_write_bio_RSA_PUBKEY(WOLFSSL_BIO* bio, WOLFSSL_RSA* rsa)
1049{
1050    int ret = 1;
1051    int derSz = 0;
1052    byte* derBuf = NULL;
1053
1054    WOLFSSL_ENTER("wolfSSL_PEM_write_bio_RSA_PUBKEY");
1055
1056    /* Validate parameters. */
1057    if ((bio == NULL) || (rsa == NULL)) {
1058        WOLFSSL_ERROR_MSG("Bad Function Arguments");
1059        return 0;
1060    }
1061
1062    if ((derSz = wolfSSL_RSA_To_Der(rsa, &derBuf, 1, bio->heap)) < 0) {
1063        WOLFSSL_ERROR_MSG("wolfSSL_RSA_To_Der failed");
1064        ret = 0;
1065    }
1066    if (derBuf == NULL) {
1067        WOLFSSL_ERROR_MSG("wolfSSL_RSA_To_Der failed to get buffer");
1068        ret = 0;
1069    }
1070    if ((ret == 1) && (der_write_to_bio_as_pem(derBuf, derSz, bio,
1071            PUBLICKEY_TYPE) != 1)) {
1072        ret = 0;
1073    }
1074
1075    /* Dispose of DER buffer. */
1076    XFREE(derBuf, bio->heap, DYNAMIC_TYPE_TMP_BUFFER);
1077    return ret;
1078}
1079
1080#endif /* WOLFSSL_KEY_GEN */
1081#endif /* !NO_BIO */
1082
1083#if defined(WOLFSSL_KEY_GEN)
1084#ifndef NO_FILESYSTEM
1085
1086/* Writes PEM encoding of an RSA public key to a file pointer.
1087 *
1088 * @param [in] fp    File pointer to write to.
1089 * @param [in] rsa   RSA key to write.
1090 * @param [in] type  PEM type to write out.
1091 * @return  1 on success.
1092 * @return  0 on failure.
1093 */
1094static int wolfssl_pem_write_rsa_public_key(XFILE fp, WOLFSSL_RSA* rsa,
1095    int type)
1096{
1097    int ret = 1;
1098    int derSz;
1099    byte* derBuf = NULL;
1100
1101    /* Validate parameters. */
1102    if ((fp == XBADFILE) || (rsa == NULL)) {
1103        WOLFSSL_ERROR_MSG("Bad Function Arguments");
1104        return 0;
1105    }
1106
1107    if ((derSz = wolfSSL_RSA_To_Der(rsa, &derBuf, 1, rsa->heap)) < 0) {
1108        WOLFSSL_ERROR_MSG("wolfSSL_RSA_To_Der failed");
1109        ret = 0;
1110    }
1111    if (derBuf == NULL) {
1112        WOLFSSL_ERROR_MSG("wolfSSL_RSA_To_Der failed to get buffer");
1113        ret = 0;
1114    }
1115    if ((ret == 1) && (der_write_to_file_as_pem(derBuf, derSz, fp, type,
1116            rsa->heap) != 1)) {
1117        ret = 0;
1118    }
1119
1120    /* Dispose of DER buffer. */
1121    XFREE(derBuf, rsa->heap, DYNAMIC_TYPE_TMP_BUFFER);
1122
1123    return ret;
1124}
1125
1126/* Writes PEM encoding of an RSA public key to a file pointer.
1127 *
1128 * Header/footer will contain: PUBLIC KEY
1129 *
1130 * @param [in] fp   File pointer to write to.
1131 * @param [in] rsa  RSA key to write.
1132 * @return  1 on success.
1133 * @return  0 on failure.
1134 */
1135int wolfSSL_PEM_write_RSA_PUBKEY(XFILE fp, WOLFSSL_RSA* rsa)
1136{
1137    return wolfssl_pem_write_rsa_public_key(fp, rsa, PUBLICKEY_TYPE);
1138}
1139
1140/* Writes PEM encoding of an RSA public key to a file pointer.
1141 *
1142 * Header/footer will contain: RSA PUBLIC KEY
1143 *
1144 * @param [in] fp   File pointer to write to.
1145 * @param [in] rsa  RSA key to write.
1146 * @return  1 on success.
1147 * @return  0 on failure.
1148 */
1149int wolfSSL_PEM_write_RSAPublicKey(XFILE fp, WOLFSSL_RSA* rsa)
1150{
1151    return wolfssl_pem_write_rsa_public_key(fp, rsa, RSA_PUBLICKEY_TYPE);
1152}
1153#endif /* !NO_FILESYSTEM */
1154#endif /* WOLFSSL_KEY_GEN */
1155
1156#ifndef NO_BIO
1157/* Create an RSA public key by reading the PEM encoded data from the BIO.
1158 *
1159 * @param [in]  bio   BIO object to read from.
1160 * @param [out] out   RSA key created.
1161 * @param [in]  cb    Password callback when PEM encrypted.
1162 * @param [in]  pass  NUL terminated string for passphrase when PEM encrypted.
1163 * @return  RSA key on success.
1164 * @return  NULL on failure.
1165 */
1166WOLFSSL_RSA *wolfSSL_PEM_read_bio_RSA_PUBKEY(WOLFSSL_BIO* bio,
1167    WOLFSSL_RSA** out, wc_pem_password_cb* cb, void *pass)
1168{
1169    WOLFSSL_RSA* rsa = NULL;
1170    DerBuffer*   der = NULL;
1171    int          keyFormat = 0;
1172
1173    WOLFSSL_ENTER("wolfSSL_PEM_read_bio_RSA_PUBKEY");
1174
1175    if ((bio != NULL) && (pem_read_bio_key(bio, cb, pass, PUBLICKEY_TYPE,
1176            &keyFormat, &der) >= 0)) {
1177        rsa = wolfssl_rsa_d2i(out, der->buffer, der->length,
1178            WOLFSSL_RSA_LOAD_PUBLIC);
1179        if (rsa == NULL) {
1180            WOLFSSL_ERROR_MSG("Error loading DER buffer into WOLFSSL_RSA");
1181        }
1182    }
1183
1184    FreeDer(&der);
1185    if ((out != NULL) && (rsa != NULL)) {
1186        *out = rsa;
1187    }
1188    return rsa;
1189}
1190
1191WOLFSSL_RSA *wolfSSL_d2i_RSA_PUBKEY_bio(WOLFSSL_BIO *bio, WOLFSSL_RSA **out)
1192{
1193    char* data = NULL;
1194    int dataSz = 0;
1195    int memAlloced = 0;
1196    WOLFSSL_RSA* rsa = NULL;
1197
1198    WOLFSSL_ENTER("wolfSSL_d2i_RSA_PUBKEY_bio");
1199
1200    if (bio == NULL)
1201        return NULL;
1202
1203    if (wolfssl_read_bio(bio, &data, &dataSz, &memAlloced) != 0) {
1204        if (memAlloced)
1205            XFREE(data, NULL, DYNAMIC_TYPE_TMP_BUFFER);
1206        return NULL;
1207    }
1208
1209    rsa = wolfssl_rsa_d2i(out, (const unsigned char*)data, dataSz,
1210            WOLFSSL_RSA_LOAD_PUBLIC);
1211    if (memAlloced)
1212        XFREE(data, NULL, DYNAMIC_TYPE_TMP_BUFFER);
1213
1214    return rsa;
1215}
1216#endif /* !NO_BIO */
1217
1218#ifndef NO_FILESYSTEM
1219/* Create an RSA public key by reading the PEM encoded data from the BIO.
1220 *
1221 * Header/footer should contain: PUBLIC KEY
1222 * PEM decoder supports either 'RSA PUBLIC KEY' or 'PUBLIC KEY'.
1223 *
1224 * @param [in]  fp    File pointer to read from.
1225 * @param [out] out   RSA key created.
1226 * @param [in]  cb    Password callback when PEM encrypted.
1227 * @param [in]  pass  NUL terminated string for passphrase when PEM encrypted.
1228 * @return  RSA key on success.
1229 * @return  NULL on failure.
1230 */
1231WOLFSSL_RSA *wolfSSL_PEM_read_RSA_PUBKEY(XFILE fp,
1232    WOLFSSL_RSA** out, wc_pem_password_cb* cb, void *pass)
1233{
1234    WOLFSSL_RSA* rsa = NULL;
1235    DerBuffer*   der = NULL;
1236    int          keyFormat = 0;
1237
1238    WOLFSSL_ENTER("wolfSSL_PEM_read_RSA_PUBKEY");
1239
1240    if ((fp != XBADFILE) && (pem_read_file_key(fp, cb, pass, PUBLICKEY_TYPE,
1241            &keyFormat, &der) >= 0)) {
1242        rsa = wolfssl_rsa_d2i(out, der->buffer, der->length,
1243            WOLFSSL_RSA_LOAD_PUBLIC);
1244        if (rsa == NULL) {
1245            WOLFSSL_ERROR_MSG("Error loading DER buffer into WOLFSSL_RSA");
1246        }
1247    }
1248
1249    FreeDer(&der);
1250    if ((out != NULL) && (rsa != NULL)) {
1251        *out = rsa;
1252    }
1253    return rsa;
1254}
1255
1256/* Create an RSA public key by reading the PEM encoded data from the BIO.
1257 *
1258 * Header/footer should contain: RSA PUBLIC KEY
1259 * PEM decoder supports either 'RSA PUBLIC KEY' or 'PUBLIC KEY'.
1260 *
1261 * @param [in]  fp    File pointer to read from.
1262 * @param [out] rsa   RSA key created.
1263 * @param [in]  cb    Password callback when PEM encrypted. May be NULL.
1264 * @param [in]  pass  NUL terminated string for passphrase when PEM encrypted.
1265 *                    May be NULL.
1266 * @return  RSA key on success.
1267 * @return  NULL on failure.
1268 */
1269WOLFSSL_RSA* wolfSSL_PEM_read_RSAPublicKey(XFILE fp, WOLFSSL_RSA** rsa,
1270    wc_pem_password_cb* cb, void* pass)
1271{
1272    return wolfSSL_PEM_read_RSA_PUBKEY(fp, rsa, cb, pass);
1273}
1274
1275#endif /* NO_FILESYSTEM */
1276
1277#if defined(WOLFSSL_KEY_GEN) && \
1278    (defined(WOLFSSL_PEM_TO_DER) || defined(WOLFSSL_DER_TO_PEM))
1279
1280/* Writes PEM encoding of an RSA private key to newly allocated buffer.
1281 *
1282 * Buffer returned was allocated with: DYNAMIC_TYPE_KEY.
1283 *
1284 * @param [in]  rsa       RSA key to write.
1285 * @param [in]  cipher    Cipher to use when PEM encrypted. May be NULL.
1286 * @param [in]  passwd    Password string when PEM encrypted. May be NULL.
1287 * @param [in]  passwdSz  Length of password string when PEM encrypted.
1288 * @param [out] pem       Allocated buffer with PEM encoding.
1289 * @param [out] pLen      Length of PEM encoding.
1290 * @return  1 on success.
1291 * @return  0 on failure.
1292 */
1293int wolfSSL_PEM_write_mem_RSAPrivateKey(WOLFSSL_RSA* rsa,
1294    const WOLFSSL_EVP_CIPHER* cipher, unsigned char* passwd, int passwdSz,
1295    unsigned char **pem, int *pLen)
1296{
1297    int ret = 1;
1298    byte* derBuf = NULL;
1299    int  derSz = 0;
1300
1301    WOLFSSL_ENTER("wolfSSL_PEM_write_mem_RSAPrivateKey");
1302
1303    /* Validate parameters. */
1304    if ((pem == NULL) || (pLen == NULL) || (rsa == NULL) ||
1305            (rsa->internal == NULL)) {
1306        WOLFSSL_ERROR_MSG("Bad function arguments");
1307        ret = 0;
1308    }
1309
1310    /* Set the RSA key data into the wolfCrypt RSA key if not done so. */
1311    if ((ret == 1) && (!rsa->inSet) && (SetRsaInternal(rsa) != 1)) {
1312        ret = 0;
1313    }
1314
1315    /* Encode wolfCrypt RSA key to DER - derBuf allocated in call. */
1316    if ((ret == 1) && ((derSz = wolfSSL_RSA_To_Der(rsa, &derBuf, 0,
1317            rsa->heap)) < 0)) {
1318        WOLFSSL_ERROR_MSG("wolfSSL_RSA_To_Der failed");
1319        ret = 0;
1320    }
1321
1322    if ((ret == 1) && (der_to_enc_pem_alloc(derBuf, derSz, cipher, passwd,
1323            passwdSz, PRIVATEKEY_TYPE, NULL, pem, pLen) != 1)) {
1324        WOLFSSL_ERROR_MSG("der_to_enc_pem_alloc failed");
1325        ret = 0;
1326    }
1327
1328    return ret;
1329}
1330
1331#ifndef NO_BIO
1332/* Writes PEM encoding of an RSA private key to a BIO.
1333 *
1334 * @param [in] bio     BIO object to write to.
1335 * @param [in] rsa     RSA key to write.
1336 * @param [in] cipher  Cipher to use when PEM encrypted.
1337 * @param [in] passwd  Password string when PEM encrypted.
1338 * @param [in] len     Length of password string when PEM encrypted.
1339 * @param [in] cb      Password callback to use when PEM encrypted.
1340 * @param [in] arg     NUL terminated string for passphrase when PEM encrypted.
1341 * @return  1 on success.
1342 * @return  0 on failure.
1343 */
1344int wolfSSL_PEM_write_bio_RSAPrivateKey(WOLFSSL_BIO* bio, WOLFSSL_RSA* rsa,
1345    const WOLFSSL_EVP_CIPHER* cipher, unsigned char* passwd, int len,
1346    wc_pem_password_cb* cb, void* arg)
1347{
1348    int ret = 1;
1349    byte* pem = NULL;
1350    int pLen = 0;
1351
1352    (void)cb;
1353    (void)arg;
1354
1355    WOLFSSL_ENTER("wolfSSL_PEM_write_bio_RSAPrivateKey");
1356
1357    /* Validate parameters. */
1358    if ((bio == NULL) || (rsa == NULL) || (rsa->internal == NULL)) {
1359        WOLFSSL_ERROR_MSG("Bad function arguments");
1360        ret = 0;
1361    }
1362
1363    if (ret == 1) {
1364        /* Write PEM to buffer that is allocated in the call. */
1365        ret = wolfSSL_PEM_write_mem_RSAPrivateKey(rsa, cipher, passwd, len,
1366            &pem, &pLen);
1367        if (ret != 1) {
1368            WOLFSSL_ERROR_MSG("wolfSSL_PEM_write_mem_RSAPrivateKey failed");
1369        }
1370    }
1371    /* Write PEM to BIO. */
1372    if ((ret == 1) && (wolfSSL_BIO_write(bio, pem, pLen) <= 0)) {
1373        WOLFSSL_ERROR_MSG("RSA private key BIO write failed");
1374        ret = 0;
1375    }
1376
1377    /* Dispose of any allocated PEM buffer. */
1378    XFREE(pem, NULL, DYNAMIC_TYPE_KEY);
1379    return ret;
1380}
1381#endif /* !NO_BIO */
1382
1383#ifndef NO_FILESYSTEM
1384/* Writes PEM encoding of an RSA private key to a file pointer.
1385 *
1386 * TODO: Support use of the password callback and callback context.
1387 *
1388 * @param [in] fp        File pointer to write to.
1389 * @param [in] rsa       RSA key to write.
1390 * @param [in] cipher    Cipher to use when PEM encrypted. May be NULL.
1391 * @param [in] passwd    Password string when PEM encrypted. May be NULL.
1392 * @param [in] passwdSz  Length of password string when PEM encrypted.
1393 * @param [in] cb        Password callback to use when PEM encrypted. Unused.
1394 * @param [in] arg       NUL terminated string for passphrase when PEM
1395 *                       encrypted. Unused.
1396 * @return  1 on success.
1397 * @return  0 on failure.
1398 */
1399int wolfSSL_PEM_write_RSAPrivateKey(XFILE fp, WOLFSSL_RSA *rsa,
1400    const WOLFSSL_EVP_CIPHER *cipher, unsigned char *passwd, int passwdSz,
1401    wc_pem_password_cb *cb, void *arg)
1402{
1403    int ret = 1;
1404    byte* pem = NULL;
1405    int pLen = 0;
1406
1407    (void)cb;
1408    (void)arg;
1409
1410    WOLFSSL_ENTER("wolfSSL_PEM_write_RSAPrivateKey");
1411
1412    /* Validate parameters. */
1413    if ((fp == XBADFILE) || (rsa == NULL) || (rsa->internal == NULL)) {
1414        WOLFSSL_ERROR_MSG("Bad function arguments");
1415        ret = 0;
1416    }
1417
1418    if (ret == 1) {
1419        /* Write PEM to buffer that is allocated in the call. */
1420        ret = wolfSSL_PEM_write_mem_RSAPrivateKey(rsa, cipher, passwd, passwdSz,
1421            &pem, &pLen);
1422        if (ret != 1) {
1423            WOLFSSL_ERROR_MSG("wolfSSL_PEM_write_mem_RSAPrivateKey failed");
1424        }
1425    }
1426    /* Write PEM to file pointer. */
1427    if ((ret == 1) && ((int)XFWRITE(pem, 1, (size_t)pLen, fp) != pLen)) {
1428        WOLFSSL_ERROR_MSG("RSA private key file write failed");
1429        ret = 0;
1430    }
1431
1432    /* Dispose of any allocated PEM buffer. */
1433    XFREE(pem, NULL, DYNAMIC_TYPE_KEY);
1434    return ret;
1435}
1436#endif /* NO_FILESYSTEM */
1437#endif /* WOLFSSL_KEY_GEN && WOLFSSL_PEM_TO_DER */
1438
1439#ifndef NO_BIO
1440/* Create an RSA private key by reading the PEM encoded data from the BIO.
1441 *
1442 * @param [in]  bio   BIO object to read from.
1443 * @param [out] out   RSA key created.
1444 * @param [in]  cb    Password callback when PEM encrypted.
1445 * @param [in]  pass  NUL terminated string for passphrase when PEM encrypted.
1446 * @return  RSA key on success.
1447 * @return  NULL on failure.
1448 */
1449WOLFSSL_RSA* wolfSSL_PEM_read_bio_RSAPrivateKey(WOLFSSL_BIO* bio,
1450    WOLFSSL_RSA** out, wc_pem_password_cb* cb, void* pass)
1451{
1452    WOLFSSL_RSA* rsa = NULL;
1453    DerBuffer*   der = NULL;
1454    int          keyFormat = 0;
1455
1456    WOLFSSL_ENTER("wolfSSL_PEM_read_bio_RSAPrivateKey");
1457
1458    if ((bio != NULL) && (pem_read_bio_key(bio, cb, pass, PRIVATEKEY_TYPE,
1459            &keyFormat, &der) >= 0)) {
1460        rsa = wolfssl_rsa_d2i(out, der->buffer, der->length,
1461            WOLFSSL_RSA_LOAD_PRIVATE);
1462        if (rsa == NULL) {
1463            WOLFSSL_ERROR_MSG("Error loading DER buffer into WOLFSSL_RSA");
1464        }
1465    }
1466
1467    FreeDer(&der);
1468    if ((out != NULL) && (rsa != NULL)) {
1469        *out = rsa;
1470    }
1471    return rsa;
1472}
1473#endif /* !NO_BIO */
1474
1475/* Create an RSA private key by reading the PEM encoded data from the file
1476 * pointer.
1477 *
1478 * @param [in]  fp    File pointer to read from.
1479 * @param [out] out   RSA key created.
1480 * @param [in]  cb    Password callback when PEM encrypted.
1481 * @param [in]  pass  NUL terminated string for passphrase when PEM encrypted.
1482 * @return  RSA key on success.
1483 * @return  NULL on failure.
1484 */
1485#ifndef NO_FILESYSTEM
1486WOLFSSL_RSA* wolfSSL_PEM_read_RSAPrivateKey(XFILE fp, WOLFSSL_RSA** out,
1487    wc_pem_password_cb* cb, void* pass)
1488{
1489    WOLFSSL_RSA* rsa = NULL;
1490    DerBuffer*   der = NULL;
1491    int          keyFormat = 0;
1492
1493    WOLFSSL_ENTER("wolfSSL_PEM_read_RSAPrivateKey");
1494
1495    if ((fp != XBADFILE) && (pem_read_file_key(fp, cb, pass, PRIVATEKEY_TYPE,
1496            &keyFormat, &der) >= 0)) {
1497        rsa = wolfssl_rsa_d2i(out, der->buffer, der->length,
1498            WOLFSSL_RSA_LOAD_PRIVATE);
1499        if (rsa == NULL) {
1500            WOLFSSL_ERROR_MSG("Error loading DER buffer into WOLFSSL_RSA");
1501        }
1502    }
1503
1504    FreeDer(&der);
1505    if ((out != NULL) && (rsa != NULL)) {
1506        *out = rsa;
1507    }
1508    return rsa;
1509}
1510#endif /* !NO_FILESYSTEM */
1511
1512/*
1513 * RSA print APIs
1514 */
1515
1516#if defined(XFPRINTF) && !defined(NO_FILESYSTEM) && \
1517    !defined(NO_STDIO_FILESYSTEM)
1518/* Print an RSA key to a file pointer.
1519 *
1520 * @param [in] fp      File pointer to write to.
1521 * @param [in] rsa     RSA key to write.
1522 * @param [in] indent  Number of spaces to prepend to each line.
1523 * @return  1 on success.
1524 * @return  0 on failure.
1525 */
1526int wolfSSL_RSA_print_fp(XFILE fp, WOLFSSL_RSA* rsa, int indent)
1527{
1528    int ret = 1;
1529
1530    WOLFSSL_ENTER("wolfSSL_RSA_print_fp");
1531
1532    /* Validate parameters. */
1533    if ((fp == XBADFILE) || (rsa == NULL)) {
1534        ret = 0;
1535    }
1536
1537    /* Set the external data from the wolfCrypt RSA key if not done. */
1538    if ((ret == 1) && (!rsa->exSet)) {
1539        ret = SetRsaExternal(rsa);
1540    }
1541
1542    /* Get the key size from modulus if available. */
1543    if ((ret == 1) && (rsa->n != NULL)) {
1544        int keySize = wolfSSL_BN_num_bits(rsa->n);
1545        if (keySize == 0) {
1546            ret = 0;
1547        }
1548        else {
1549            if (XFPRINTF(fp, "%*s", indent, "") < 0)
1550                ret = 0;
1551            else if (XFPRINTF(fp, "RSA Private-Key: (%d bit, 2 primes)\n",
1552                              keySize) < 0)
1553                ret = 0;
1554        }
1555    }
1556    /* Print out any components available. */
1557    if ((ret == 1) && (rsa->n != NULL)) {
1558        ret = pk_bn_field_print_fp(fp, indent, "modulus", rsa->n);
1559    }
1560    if ((ret == 1) && (rsa->d != NULL)) {
1561        ret = pk_bn_field_print_fp(fp, indent, "privateExponent", rsa->d);
1562    }
1563    if ((ret == 1) && (rsa->p != NULL)) {
1564        ret = pk_bn_field_print_fp(fp, indent, "prime1", rsa->p);
1565    }
1566    if ((ret == 1) && (rsa->q != NULL)) {
1567        ret = pk_bn_field_print_fp(fp, indent, "prime2", rsa->q);
1568    }
1569    if ((ret == 1) && (rsa->dmp1 != NULL)) {
1570        ret = pk_bn_field_print_fp(fp, indent, "exponent1", rsa->dmp1);
1571    }
1572    if ((ret == 1) && (rsa->dmq1 != NULL)) {
1573        ret = pk_bn_field_print_fp(fp, indent, "exponent2", rsa->dmq1);
1574    }
1575    if ((ret == 1) && (rsa->iqmp != NULL)) {
1576        ret = pk_bn_field_print_fp(fp, indent, "coefficient", rsa->iqmp);
1577    }
1578
1579    WOLFSSL_LEAVE("wolfSSL_RSA_print_fp", ret);
1580
1581    return ret;
1582}
1583#endif /* XFPRINTF && !NO_FILESYSTEM && !NO_STDIO_FILESYSTEM */
1584
1585#if defined(XSNPRINTF) && !defined(NO_BIO)
1586/* snprintf() must be available */
1587
1588/* Maximum size of a header line. */
1589#define RSA_PRINT_MAX_HEADER_LINE   PRINT_NUM_MAX_INDENT
1590
1591/* Writes the human readable form of RSA to a BIO.
1592 *
1593 * @param [in] bio     BIO object to write to.
1594 * @param [in] rsa     RSA key to write.
1595 * @param [in] indent  Number of spaces before each line.
1596 * @return  1 on success.
1597 * @return  0 on failure.
1598 */
1599int wolfSSL_RSA_print(WOLFSSL_BIO* bio, WOLFSSL_RSA* rsa, int indent)
1600{
1601    int ret = 1;
1602    int sz = 0;
1603    RsaKey* key = NULL;
1604    char line[RSA_PRINT_MAX_HEADER_LINE];
1605    int i = 0;
1606    mp_int *num = NULL;
1607    /* Header strings. */
1608    const char *name[] = {
1609        "Modulus:", "Exponent:", "PrivateExponent:", "Prime1:", "Prime2:",
1610        "Exponent1:", "Exponent2:", "Coefficient:"
1611    };
1612
1613    WOLFSSL_ENTER("wolfSSL_RSA_print");
1614
1615    /* Validate parameters. */
1616    if ((bio == NULL) || (rsa == NULL) || (indent > PRINT_NUM_MAX_INDENT)) {
1617        ret = WOLFSSL_FATAL_ERROR;
1618    }
1619
1620    if (ret == 1) {
1621        key = (RsaKey*)rsa->internal;
1622
1623        /* Get size in bits of key for printing out. */
1624        sz = wolfSSL_RSA_bits(rsa);
1625        if (sz <= 0) {
1626            WOLFSSL_ERROR_MSG("Error getting RSA key size");
1627            ret = 0;
1628        }
1629    }
1630    if (ret == 1) {
1631        /* Print any indent spaces. */
1632        ret = wolfssl_print_indent(bio, line, sizeof(line), indent);
1633    }
1634    if (ret == 1) {
1635        /* Print header line. */
1636        int len = XSNPRINTF(line, sizeof(line), "\nRSA %s: (%d bit)\n",
1637            (!mp_iszero(&key->d)) ? "Private-Key" : "Public-Key", sz);
1638        if (len >= (int)sizeof(line)) {
1639            WOLFSSL_ERROR_MSG("Buffer overflow while formatting key preamble");
1640            ret = 0;
1641        }
1642        else {
1643            if (wolfSSL_BIO_write(bio, line, len) <= 0) {
1644                ret = 0;
1645            }
1646        }
1647    }
1648
1649    for (i = 0; (ret == 1) && (i < RSA_INTS); i++) {
1650        /* Get mp_int for index. */
1651        switch (i) {
1652            case 0:
1653                /* Print out modulus */
1654                num = &key->n;
1655                break;
1656            case 1:
1657                num = &key->e;
1658                break;
1659            case 2:
1660                num = &key->d;
1661                break;
1662            case 3:
1663                num = &key->p;
1664                break;
1665            case 4:
1666                num = &key->q;
1667                break;
1668            case 5:
1669                num = &key->dP;
1670                break;
1671            case 6:
1672                num = &key->dQ;
1673                break;
1674            case 7:
1675                num = &key->u;
1676                break;
1677            default:
1678                WOLFSSL_ERROR_MSG("Bad index value");
1679        }
1680
1681        if (i == 1) {
1682            /* Print exponent as a 32-bit value. */
1683            ret = wolfssl_print_value(bio, num, name[i], indent);
1684        }
1685        else if (!mp_iszero(num)) {
1686            /* Print name and MP integer. */
1687            ret = wolfssl_print_number(bio, num, name[i], indent);
1688        }
1689    }
1690
1691    return ret;
1692}
1693#endif /* XSNPRINTF && !NO_BIO */
1694
1695#endif /* OPENSSL_EXTRA */
1696
1697/*
1698 * RSA get/set/test APIs
1699 */
1700
1701#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
1702/* Set RSA key data (external) from wolfCrypt RSA key (internal).
1703 *
1704 * @param [in, out] rsa  RSA key.
1705 * @return  1 on success.
1706 * @return  0 on failure.
1707 */
1708int SetRsaExternal(WOLFSSL_RSA* rsa)
1709{
1710    int ret = 1;
1711
1712    WOLFSSL_ENTER("SetRsaExternal");
1713
1714    /* Validate parameters. */
1715    if ((rsa == NULL) || (rsa->internal == NULL)) {
1716        WOLFSSL_ERROR_MSG("rsa key NULL error");
1717        ret = WOLFSSL_FATAL_ERROR;
1718    }
1719
1720    if (ret == 1) {
1721        RsaKey* key = (RsaKey*)rsa->internal;
1722
1723        /* Copy modulus. */
1724        ret = wolfssl_bn_set_value(&rsa->n, &key->n);
1725        if (ret != 1) {
1726            WOLFSSL_ERROR_MSG("rsa n error");
1727        }
1728        if (ret == 1) {
1729            /* Copy public exponent. */
1730            ret = wolfssl_bn_set_value(&rsa->e, &key->e);
1731            if (ret != 1) {
1732                WOLFSSL_ERROR_MSG("rsa e error");
1733            }
1734        }
1735
1736        if (key->type == RSA_PRIVATE) {
1737    #ifndef WOLFSSL_RSA_PUBLIC_ONLY
1738            if (ret == 1) {
1739                /* Copy private exponent. */
1740                ret = wolfssl_bn_set_value(&rsa->d, &key->d);
1741                if (ret != 1) {
1742                    WOLFSSL_ERROR_MSG("rsa d error");
1743                }
1744            }
1745            if (ret == 1) {
1746                /* Copy first prime. */
1747                ret = wolfssl_bn_set_value(&rsa->p, &key->p);
1748                if (ret != 1) {
1749                    WOLFSSL_ERROR_MSG("rsa p error");
1750                }
1751            }
1752            if (ret == 1) {
1753                /* Copy second prime. */
1754                ret = wolfssl_bn_set_value(&rsa->q, &key->q);
1755                if (ret != 1) {
1756                    WOLFSSL_ERROR_MSG("rsa q error");
1757                }
1758            }
1759        #if defined(WOLFSSL_KEY_GEN) || defined(OPENSSL_EXTRA) || \
1760            !defined(RSA_LOW_MEM)
1761            if (ret == 1) {
1762                /* Copy d mod p-1. */
1763                ret = wolfssl_bn_set_value(&rsa->dmp1, &key->dP);
1764                if (ret != 1) {
1765                    WOLFSSL_ERROR_MSG("rsa dP error");
1766                }
1767            }
1768            if (ret == 1) {
1769                /* Copy d mod q-1. */
1770                ret = wolfssl_bn_set_value(&rsa->dmq1, &key->dQ);
1771                if (ret != 1) {
1772                    WOLFSSL_ERROR_MSG("rsa dq error");
1773                }
1774            }
1775            if (ret == 1) {
1776                /* Copy 1/q mod p. */
1777                ret = wolfssl_bn_set_value(&rsa->iqmp, &key->u);
1778                if (ret != 1) {
1779                    WOLFSSL_ERROR_MSG("rsa u error");
1780                }
1781            }
1782        #endif
1783    #else
1784            WOLFSSL_ERROR_MSG("rsa private key not compiled in ");
1785            ret = 0;
1786    #endif /* !WOLFSSL_RSA_PUBLIC_ONLY */
1787        }
1788    }
1789    if (ret == 1) {
1790        /* External values set. */
1791        rsa->exSet = 1;
1792    }
1793    else {
1794        /* Return 0 on failure. */
1795        ret = 0;
1796    }
1797
1798    return ret;
1799}
1800#endif /* (OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL) */
1801
1802#ifdef OPENSSL_EXTRA
1803
1804/* Set wolfCrypt RSA key data (internal) from RSA key (external).
1805 *
1806 * @param [in, out] rsa  RSA key.
1807 * @return  1 on success.
1808 * @return  0 on failure.
1809 */
1810int SetRsaInternal(WOLFSSL_RSA* rsa)
1811{
1812    int ret = 1;
1813
1814    WOLFSSL_ENTER("SetRsaInternal");
1815
1816    /* Validate parameters. */
1817    if ((rsa == NULL) || (rsa->internal == NULL)) {
1818        WOLFSSL_ERROR_MSG("rsa key NULL error");
1819        ret = WOLFSSL_FATAL_ERROR;
1820    }
1821
1822    if (ret == 1) {
1823        RsaKey* key = (RsaKey*)rsa->internal;
1824
1825        /* Copy down modulus if available. */
1826        if ((rsa->n != NULL) && (wolfssl_bn_get_value(rsa->n, &key->n) != 1)) {
1827            WOLFSSL_ERROR_MSG("rsa n key error");
1828            ret = WOLFSSL_FATAL_ERROR;
1829        }
1830
1831        /* Copy down public exponent if available. */
1832        if ((ret == 1) && (rsa->e != NULL) &&
1833                (wolfssl_bn_get_value(rsa->e, &key->e) != 1)) {
1834            WOLFSSL_ERROR_MSG("rsa e key error");
1835            ret = WOLFSSL_FATAL_ERROR;
1836        }
1837
1838        /* Enough numbers for public key */
1839        key->type = RSA_PUBLIC;
1840
1841#ifndef WOLFSSL_RSA_PUBLIC_ONLY
1842        /* Copy down private exponent if available. */
1843        if ((ret == 1) && (rsa->d != NULL)) {
1844            if (wolfssl_bn_get_value(rsa->d, &key->d) != 1) {
1845                WOLFSSL_ERROR_MSG("rsa d key error");
1846                ret = WOLFSSL_FATAL_ERROR;
1847            }
1848            else {
1849                /* Enough numbers for private key */
1850                key->type = RSA_PRIVATE;
1851           }
1852        }
1853
1854        /* Copy down first prime if available. */
1855        if ((ret == 1) && (rsa->p != NULL) &&
1856                (wolfssl_bn_get_value(rsa->p, &key->p) != 1)) {
1857            WOLFSSL_ERROR_MSG("rsa p key error");
1858            ret = WOLFSSL_FATAL_ERROR;
1859        }
1860
1861        /* Copy down second prime if available. */
1862        if ((ret == 1) && (rsa->q != NULL) &&
1863                (wolfssl_bn_get_value(rsa->q, &key->q) != 1)) {
1864            WOLFSSL_ERROR_MSG("rsa q key error");
1865            ret = WOLFSSL_FATAL_ERROR;
1866        }
1867
1868#if defined(WOLFSSL_KEY_GEN) || defined(OPENSSL_EXTRA) || !defined(RSA_LOW_MEM)
1869        /* Copy down d mod p-1 if available. */
1870        if ((ret == 1) && (rsa->dmp1 != NULL) &&
1871                (wolfssl_bn_get_value(rsa->dmp1, &key->dP) != 1)) {
1872            WOLFSSL_ERROR_MSG("rsa dP key error");
1873            ret = WOLFSSL_FATAL_ERROR;
1874        }
1875
1876        /* Copy down d mod q-1 if available. */
1877        if ((ret == 1) && (rsa->dmq1 != NULL) &&
1878                (wolfssl_bn_get_value(rsa->dmq1, &key->dQ) != 1)) {
1879            WOLFSSL_ERROR_MSG("rsa dQ key error");
1880            ret = WOLFSSL_FATAL_ERROR;
1881        }
1882
1883        /* Copy down 1/q mod p if available. */
1884        if ((ret == 1) && (rsa->iqmp != NULL) &&
1885                (wolfssl_bn_get_value(rsa->iqmp, &key->u) != 1)) {
1886            WOLFSSL_ERROR_MSG("rsa u key error");
1887            ret = WOLFSSL_FATAL_ERROR;
1888        }
1889#endif
1890#endif
1891
1892        if (ret == 1) {
1893            /* All available numbers have been set down. */
1894            rsa->inSet = 1;
1895        }
1896    }
1897
1898    return ret;
1899}
1900
1901/* Set the RSA method into object.
1902 *
1903 * @param [in, out] rsa   RSA key.
1904 * @param [in]      meth  RSA method.
1905 * @return  1 always.
1906 */
1907int wolfSSL_RSA_set_method(WOLFSSL_RSA *rsa, WOLFSSL_RSA_METHOD *meth)
1908{
1909    if (rsa != NULL) {
1910        /* Store the method into object. */
1911        rsa->meth = meth;
1912        /* Copy over flags. */
1913        rsa->flags = meth->flags;
1914    }
1915    /* OpenSSL always assumes it will work. */
1916    return 1;
1917}
1918
1919/* Get the RSA method from the RSA object.
1920 *
1921 * @param [in] rsa  RSA key.
1922 * @return  RSA method on success.
1923 * @return  NULL when RSA is NULL or no method set.
1924 */
1925const WOLFSSL_RSA_METHOD* wolfSSL_RSA_get_method(const WOLFSSL_RSA *rsa)
1926{
1927    return (rsa != NULL) ? rsa->meth : NULL;
1928}
1929
1930/* Get the size in bytes of the RSA key.
1931 *
1932 * Return compliant with OpenSSL
1933 *
1934 * @param [in] rsa  RSA key.
1935 * @return  RSA modulus size in bytes.
1936 * @return  0 on error.
1937 */
1938int wolfSSL_RSA_size(const WOLFSSL_RSA* rsa)
1939{
1940    int ret = 0;
1941
1942    WOLFSSL_ENTER("wolfSSL_RSA_size");
1943
1944    if (rsa != NULL) {
1945        /* Make sure we have set the RSA values into wolfCrypt RSA key. */
1946        if (rsa->inSet || (SetRsaInternal((WOLFSSL_RSA*)rsa) == 1)) {
1947            /* Get key size in bytes using wolfCrypt RSA key. */
1948            ret = wc_RsaEncryptSize((RsaKey*)rsa->internal);
1949        }
1950    }
1951
1952    return ret;
1953}
1954
1955/* Get the size in bits of the RSA key.
1956 *
1957 * Uses external modulus field.
1958 *
1959 * @param [in] rsa  RSA key.
1960 * @return  RSA modulus size in bits.
1961 * @return  0 on error.
1962 */
1963int wolfSSL_RSA_bits(const WOLFSSL_RSA* rsa)
1964{
1965    int ret = 0;
1966
1967    WOLFSSL_ENTER("wolfSSL_RSA_bits");
1968
1969    if (rsa != NULL) {
1970        /* Get number of bits in external modulus. */
1971        ret = wolfSSL_BN_num_bits(rsa->n);
1972    }
1973
1974    return ret;
1975}
1976
1977/* Get the BN objects that are the Chinese-Remainder Theorem (CRT) parameters.
1978 *
1979 * Only for those that are not NULL parameters.
1980 *
1981 * @param [in]  rsa   RSA key.
1982 * @param [out] dmp1  BN that is d mod (p - 1). May be NULL.
1983 * @param [out] dmq1  BN that is d mod (q - 1). May be NULL.
1984 * @param [out] iqmp  BN that is 1/q mod p. May be NULL.
1985 */
1986void wolfSSL_RSA_get0_crt_params(const WOLFSSL_RSA *rsa,
1987    const WOLFSSL_BIGNUM **dmp1, const WOLFSSL_BIGNUM **dmq1,
1988    const WOLFSSL_BIGNUM **iqmp)
1989{
1990    WOLFSSL_ENTER("wolfSSL_RSA_get0_crt_params");
1991
1992    /* For any parameters not NULL, return the BN from the key or NULL. */
1993    if (dmp1 != NULL) {
1994        *dmp1 = (rsa != NULL) ? rsa->dmp1 : NULL;
1995    }
1996    if (dmq1 != NULL) {
1997        *dmq1 = (rsa != NULL) ? rsa->dmq1 : NULL;
1998    }
1999    if (iqmp != NULL) {
2000        *iqmp = (rsa != NULL) ? rsa->iqmp : NULL;
2001    }
2002}
2003
2004/* Set the BN objects that are the Chinese-Remainder Theorem (CRT) parameters
2005 * into RSA key.
2006 *
2007 * If CRT parameter is NULL then there must be one in the RSA key already.
2008 *
2009 * @param [in, out] rsa   RSA key.
2010 * @param [in]      dmp1  BN that is d mod (p - 1). May be NULL.
2011 * @param [in]      dmq1  BN that is d mod (q - 1). May be NULL.
2012 * @param [in]      iqmp  BN that is 1/q mod p. May be NULL.
2013 * @return  1 on success.
2014 * @return  0 on failure.
2015 */
2016int wolfSSL_RSA_set0_crt_params(WOLFSSL_RSA *rsa, WOLFSSL_BIGNUM *dmp1,
2017                                WOLFSSL_BIGNUM *dmq1, WOLFSSL_BIGNUM *iqmp)
2018{
2019    int ret = 1;
2020
2021    WOLFSSL_ENTER("wolfSSL_RSA_set0_crt_params");
2022
2023    /* If a param is NULL in rsa then it must be non-NULL in the
2024     * corresponding user input. */
2025    if ((rsa == NULL) || ((rsa->dmp1 == NULL) && (dmp1 == NULL)) ||
2026            ((rsa->dmq1 == NULL) && (dmq1 == NULL)) ||
2027            ((rsa->iqmp == NULL) && (iqmp == NULL))) {
2028        WOLFSSL_ERROR_MSG("Bad parameters");
2029        ret = 0;
2030    }
2031    if (ret == 1) {
2032        /* Replace the BNs. */
2033        if (dmp1 != NULL) {
2034            wolfSSL_BN_clear_free(rsa->dmp1);
2035            rsa->dmp1 = dmp1;
2036        }
2037        if (dmq1 != NULL) {
2038            wolfSSL_BN_clear_free(rsa->dmq1);
2039            rsa->dmq1 = dmq1;
2040        }
2041        if (iqmp != NULL) {
2042            wolfSSL_BN_clear_free(rsa->iqmp);
2043            rsa->iqmp = iqmp;
2044        }
2045
2046        /* Set the values into the wolfCrypt RSA key. */
2047        if (SetRsaInternal(rsa) != 1) {
2048            if (dmp1 != NULL) {
2049                rsa->dmp1 = NULL;
2050            }
2051            if (dmq1 != NULL) {
2052                rsa->dmq1 = NULL;
2053            }
2054            if (iqmp != NULL) {
2055                rsa->iqmp = NULL;
2056            }
2057            ret = 0;
2058        }
2059    }
2060
2061    return ret;
2062}
2063
2064/* Get the BN objects that are the factors of the RSA key (two primes p and q).
2065 *
2066 * @param [in]  rsa  RSA key.
2067 * @param [out] p    BN that is first prime. May be NULL.
2068 * @param [out] q    BN that is second prime. May be NULL.
2069 */
2070void wolfSSL_RSA_get0_factors(const WOLFSSL_RSA *rsa, const WOLFSSL_BIGNUM **p,
2071                              const WOLFSSL_BIGNUM **q)
2072{
2073    WOLFSSL_ENTER("wolfSSL_RSA_get0_factors");
2074
2075    /* For any primes not NULL, return the BN from the key or NULL. */
2076    if (p != NULL) {
2077        *p = (rsa != NULL) ? rsa->p : NULL;
2078    }
2079    if (q != NULL) {
2080        *q = (rsa != NULL) ? rsa->q : NULL;
2081    }
2082}
2083
2084/* Set the BN objects that are the factors of the RSA key (two primes p and q).
2085 *
2086 * If factor parameter is NULL then there must be one in the RSA key already.
2087 *
2088 * @param [in, out] rsa  RSA key.
2089 * @param [in]      p    BN that is first prime. May be NULL.
2090 * @param [in]      q    BN that is second prime. May be NULL.
2091 * @return  1 on success.
2092 * @return  0 on failure.
2093 */
2094int wolfSSL_RSA_set0_factors(WOLFSSL_RSA *rsa, WOLFSSL_BIGNUM *p,
2095    WOLFSSL_BIGNUM *q)
2096{
2097    int ret = 1;
2098
2099    WOLFSSL_ENTER("wolfSSL_RSA_set0_factors");
2100
2101    /* If a param is null in r then it must be non-null in the
2102     * corresponding user input. */
2103    if (rsa == NULL || ((rsa->p == NULL) && (p == NULL)) ||
2104            ((rsa->q == NULL) && (q == NULL))) {
2105        WOLFSSL_ERROR_MSG("Bad parameters");
2106        ret = 0;
2107    }
2108    if (ret == 1) {
2109        /* Replace the BNs. */
2110        if (p != NULL) {
2111            wolfSSL_BN_clear_free(rsa->p);
2112            rsa->p = p;
2113        }
2114        if (q != NULL) {
2115            wolfSSL_BN_clear_free(rsa->q);
2116            rsa->q = q;
2117        }
2118
2119        /* Set the values into the wolfCrypt RSA key. */
2120        if (SetRsaInternal(rsa) != 1) {
2121             if (p != NULL) {
2122                 rsa->p = NULL;
2123             }
2124             if (q != NULL) {
2125                 rsa->q = NULL;
2126             }
2127             ret = 0;
2128        }
2129    }
2130
2131    return ret;
2132}
2133
2134/* Get the BN objects for the basic key numbers of the RSA key (modulus, public
2135 * exponent, private exponent).
2136 *
2137 * @param [in]  rsa  RSA key.
2138 * @param [out] n    BN that is the modulus. May be NULL.
2139 * @param [out] e    BN that is the public exponent. May be NULL.
2140 * @param [out] d    BN that is the private exponent. May be NULL.
2141 */
2142void wolfSSL_RSA_get0_key(const WOLFSSL_RSA *rsa, const WOLFSSL_BIGNUM **n,
2143    const WOLFSSL_BIGNUM **e, const WOLFSSL_BIGNUM **d)
2144{
2145    WOLFSSL_ENTER("wolfSSL_RSA_get0_key");
2146
2147    /* For any parameters not NULL, return the BN from the key or NULL. */
2148    if (n != NULL) {
2149        *n = (rsa != NULL) ? rsa->n : NULL;
2150    }
2151    if (e != NULL) {
2152        *e = (rsa != NULL) ? rsa->e : NULL;
2153    }
2154    if (d != NULL) {
2155        *d = (rsa != NULL) ? rsa->d : NULL;
2156    }
2157}
2158
2159/* Set the BN objects for the basic key numbers into the RSA key (modulus,
2160 * public exponent, private exponent).
2161 *
2162 * If BN parameter is NULL then there must be one in the RSA key already.
2163 *
2164 * @param [in,out]  rsa  RSA key.
2165 * @param [in]      n    BN that is the modulus. May be NULL.
2166 * @param [in]      e    BN that is the public exponent. May be NULL.
2167 * @param [in]      d    BN that is the private exponent. May be NULL.
2168 * @return  1 on success.
2169 * @return  0 on failure.
2170 */
2171int wolfSSL_RSA_set0_key(WOLFSSL_RSA *rsa, WOLFSSL_BIGNUM *n, WOLFSSL_BIGNUM *e,
2172     WOLFSSL_BIGNUM *d)
2173{
2174    int ret = 1;
2175
2176    /* If the fields n and e in r are NULL, the corresponding input
2177     * parameters MUST be non-NULL for n and e.  d may be
2178     * left NULL (in case only the public key is used).
2179     */
2180    if ((rsa == NULL) || ((rsa->n == NULL) && (n == NULL)) ||
2181            ((rsa->e == NULL) && (e == NULL))) {
2182        ret = 0;
2183    }
2184    if (ret == 1) {
2185        /* Replace the BNs. */
2186        if (n != NULL) {
2187            wolfSSL_BN_free(rsa->n);
2188            rsa->n = n;
2189        }
2190        if (e != NULL) {
2191            wolfSSL_BN_free(rsa->e);
2192            rsa->e = e;
2193        }
2194        if (d != NULL) {
2195            /* Private key is sensitive data. */
2196            wolfSSL_BN_clear_free(rsa->d);
2197            rsa->d = d;
2198        }
2199
2200        /* Set the values into the wolfCrypt RSA key. */
2201        if (SetRsaInternal(rsa) != 1) {
2202            if (n != NULL) {
2203                rsa->n = NULL;
2204            }
2205            if (e != NULL) {
2206                rsa->e = NULL;
2207            }
2208            if (d != NULL) {
2209                rsa->d = NULL;
2210            }
2211            ret = 0;
2212        }
2213    }
2214
2215    return ret;
2216}
2217
2218/* Get the flags of the RSA key.
2219 *
2220 * @param [in] rsa  RSA key.
2221 * @return  Flags set in RSA key on success.
2222 * @return  0 when RSA key is NULL.
2223 */
2224int wolfSSL_RSA_flags(const WOLFSSL_RSA *rsa)
2225{
2226    int ret = 0;
2227
2228    /* Get flags from the RSA key if available. */
2229    if (rsa != NULL) {
2230        ret = rsa->flags;
2231    }
2232
2233    return ret;
2234}
2235
2236/* Set the flags into the RSA key.
2237 *
2238 * @param [in, out] rsa    RSA key.
2239 * @param [in]      flags  Flags to set.
2240 */
2241void wolfSSL_RSA_set_flags(WOLFSSL_RSA *rsa, int flags)
2242{
2243    /* Add the flags into RSA key if available. */
2244    if (rsa != NULL) {
2245        rsa->flags |= flags;
2246    }
2247}
2248
2249/* Clear the flags in the RSA key.
2250 *
2251 * @param [in, out] rsa    RSA key.
2252 * @param [in]      flags  Flags to clear.
2253 */
2254void wolfSSL_RSA_clear_flags(WOLFSSL_RSA *rsa, int flags)
2255{
2256    /* Clear the flags passed in that are on the RSA key if available. */
2257    if (rsa != NULL) {
2258        rsa->flags &= ~flags;
2259    }
2260}
2261
2262/* Test the flags in the RSA key.
2263 *
2264 * @param [in] rsa  RSA key.
2265 * @return  Matching flags of RSA key on success.
2266 * @return  0 when RSA key is NULL.
2267 */
2268int wolfSSL_RSA_test_flags(const WOLFSSL_RSA *rsa, int flags)
2269{
2270    /* Return the flags passed in that are set on the RSA key if available. */
2271    return (rsa != NULL) ?  (rsa->flags & flags) : 0;
2272}
2273
2274/* Get the extra data, by index, associated with the RSA key.
2275 *
2276 * @param [in] rsa  RSA key.
2277 * @param [in] idx  Index of extra data.
2278 * @return  Extra data (anonymous type) on success.
2279 * @return  NULL on failure.
2280 */
2281void* wolfSSL_RSA_get_ex_data(const WOLFSSL_RSA *rsa, int idx)
2282{
2283    WOLFSSL_ENTER("wolfSSL_RSA_get_ex_data");
2284
2285#ifdef HAVE_EX_DATA
2286    return (rsa == NULL) ? NULL :
2287        wolfSSL_CRYPTO_get_ex_data(&rsa->ex_data, idx);
2288#else
2289    (void)rsa;
2290    (void)idx;
2291
2292    return NULL;
2293#endif
2294}
2295
2296/* Set extra data against the RSA key at an index.
2297 *
2298 * @param [in, out] rsa   RSA key.
2299 * @param [in]      idx   Index set set extra data at.
2300 * @param [in]      data  Extra data of anonymous type.
2301 * @return 1 on success.
2302 * @return 0 on failure.
2303 */
2304int wolfSSL_RSA_set_ex_data(WOLFSSL_RSA *rsa, int idx, void *data)
2305{
2306    WOLFSSL_ENTER("wolfSSL_RSA_set_ex_data");
2307
2308#ifdef HAVE_EX_DATA
2309    return (rsa == NULL) ? 0 :
2310        wolfSSL_CRYPTO_set_ex_data(&rsa->ex_data, idx, data);
2311#else
2312    (void)rsa;
2313    (void)idx;
2314    (void)data;
2315
2316    return 0;
2317#endif
2318}
2319
2320#ifdef HAVE_EX_DATA_CLEANUP_HOOKS
2321/* Set the extra data and cleanup callback against the RSA key at an index.
2322 *
2323 * Not OpenSSL API.
2324 *
2325 * @param [in, out] rsa     RSA key.
2326 * @param [in]      idx     Index set set extra data at.
2327 * @param [in]      data    Extra data of anonymous type.
2328 * @param [in]      freeCb  Callback function to free extra data.
2329 * @return 1 on success.
2330 * @return 0 on failure.
2331 */
2332int wolfSSL_RSA_set_ex_data_with_cleanup(WOLFSSL_RSA *rsa, int idx, void *data,
2333    wolfSSL_ex_data_cleanup_routine_t freeCb)
2334{
2335    WOLFSSL_ENTER("wolfSSL_RSA_set_ex_data_with_cleanup");
2336
2337    return (rsa == NULL) ? 0 :
2338        wolfSSL_CRYPTO_set_ex_data_with_cleanup(&rsa->ex_data, idx, data,
2339            freeCb);
2340}
2341#endif /* HAVE_EX_DATA_CLEANUP_HOOKS */
2342
2343/*
2344 * RSA check key APIs
2345 */
2346
2347#ifdef WOLFSSL_RSA_KEY_CHECK
2348/* Check that the RSA key is valid using wolfCrypt.
2349 *
2350 * @param [in] rsa  RSA key.
2351 * @return  1 on success.
2352 * @return  0 on failure.
2353 */
2354int wolfSSL_RSA_check_key(const WOLFSSL_RSA* rsa)
2355{
2356    int ret = 1;
2357
2358    WOLFSSL_ENTER("wolfSSL_RSA_check_key");
2359
2360    /* Validate parameters. */
2361    if ((rsa == NULL) || (rsa->internal == NULL)) {
2362        ret = 0;
2363    }
2364
2365    /* Constant RSA - assume internal data has been set. */
2366
2367    /* Check wolfCrypt RSA key. */
2368    if ((ret == 1) && (wc_CheckRsaKey((RsaKey*)rsa->internal) != 0)) {
2369        ret = 0;
2370    }
2371
2372    WOLFSSL_LEAVE("wolfSSL_RSA_check_key", ret);
2373
2374    return ret;
2375}
2376#endif /* WOLFSSL_RSA_KEY_CHECK */
2377
2378/*
2379 * RSA generate APIs
2380 */
2381
2382/* Get a random number generator associated with the RSA key.
2383 *
2384 * If not able, then get the global if possible.
2385 * *tmpRng must not be an initialized RNG.
2386 * *tmpRng is allocated when WOLFSSL_SMALL_STACK is defined and an RNG isn't
2387 * associated with the wolfCrypt RSA key.
2388 *
2389 * @param [in]  rsa         RSA key.
2390 * @param [out] tmpRng      Temporary random number generator.
2391 * @param [out] initTmpRng  Temporary random number generator was initialized.
2392 *
2393 * @return  A wolfCrypt RNG to use on success.
2394 * @return  NULL on error.
2395 */
2396WC_RNG* WOLFSSL_RSA_GetRNG(WOLFSSL_RSA* rsa, WC_RNG** tmpRng, int* initTmpRng)
2397{
2398    WC_RNG* rng = NULL;
2399    int err = 0;
2400
2401    /* Check validity of parameters. */
2402    if ((rsa == NULL) || (initTmpRng == NULL)) {
2403        err = 1;
2404    }
2405    if (!err) {
2406        /* Haven't initialized any RNG passed through tmpRng. */
2407        *initTmpRng = 0;
2408
2409    #if !defined(HAVE_FIPS) && defined(WC_RSA_BLINDING)
2410        /* Use wolfCrypt RSA key's RNG if available/set. */
2411        rng = ((RsaKey*)rsa->internal)->rng;
2412    #endif
2413    }
2414    if ((!err) && (rng == NULL) && (tmpRng != NULL)) {
2415        /* Make an RNG with tmpRng or get global. */
2416        rng = wolfssl_make_rng(*tmpRng, initTmpRng);
2417        if ((rng != NULL) && *initTmpRng) {
2418            *tmpRng = rng;
2419        }
2420    }
2421
2422    return rng;
2423}
2424
2425/* Use the wolfCrypt RSA APIs to generate a new RSA key.
2426 *
2427 * @param [in, out] rsa   RSA key.
2428 * @param [in]      bits  Number of bits that the modulus must have.
2429 * @param [in]      e     A BN object holding the public exponent to use.
2430 * @param [in]      cb    Status callback. Unused.
2431 * @return 0 on success.
2432 * @return wolfSSL native error code on error.
2433 */
2434static int wolfssl_rsa_generate_key_native(WOLFSSL_RSA* rsa, int bits,
2435    WOLFSSL_BIGNUM* e, void* cb)
2436{
2437#ifdef WOLFSSL_KEY_GEN
2438    int ret = 0;
2439#ifdef WOLFSSL_SMALL_STACK
2440    WC_RNG* tmpRng = NULL;
2441#else
2442    WC_RNG  _tmpRng[1];
2443    WC_RNG* tmpRng = _tmpRng;
2444#endif
2445    int initTmpRng = 0;
2446    WC_RNG* rng = NULL;
2447    long en = 0;
2448#endif
2449
2450    (void)cb;
2451
2452    WOLFSSL_ENTER("wolfssl_rsa_generate_key_native");
2453
2454#ifdef WOLFSSL_KEY_GEN
2455    /* Get RNG in wolfCrypt RSA key or initialize a new one (or global). */
2456    rng = WOLFSSL_RSA_GetRNG(rsa, (WC_RNG**)&tmpRng, &initTmpRng);
2457    if (rng == NULL) {
2458        /* Something went wrong so return memory error. */
2459        ret = MEMORY_E;
2460    }
2461    if ((ret == 0) && ((en = (long)wolfSSL_BN_get_word(e)) <= 0)) {
2462        ret = BAD_FUNC_ARG;
2463    }
2464    if (ret == 0) {
2465        /* Generate an RSA key. */
2466        ret = wc_MakeRsaKey((RsaKey*)rsa->internal, bits, en, rng);
2467        if (ret != MP_OKAY) {
2468            WOLFSSL_ERROR_MSG("wc_MakeRsaKey failed");
2469        }
2470    }
2471    if (ret == 0) {
2472        /* Get the values from wolfCrypt RSA key into external RSA key. */
2473        ret = SetRsaExternal(rsa);
2474        if (ret == 1) {
2475            /* Internal matches external. */
2476            rsa->inSet = 1;
2477            /* Return success. */
2478            ret = 0;
2479        }
2480        else {
2481            /* Something went wrong so return memory error. */
2482            ret = MEMORY_E;
2483        }
2484    }
2485
2486    /* Finalize RNG if initialized in WOLFSSL_RSA_GetRNG(). */
2487    if (initTmpRng) {
2488        wc_FreeRng(tmpRng);
2489    }
2490    WC_FREE_VAR_EX(tmpRng, NULL, DYNAMIC_TYPE_RNG);
2491
2492    return ret;
2493#else
2494    WOLFSSL_ERROR_MSG("No Key Gen built in");
2495
2496    (void)rsa;
2497    (void)e;
2498    (void)bits;
2499
2500    return NOT_COMPILED_IN;
2501#endif
2502}
2503
2504/* Generate an RSA key that has the specified modulus size and public exponent.
2505 *
2506 * Note: Because of wc_MakeRsaKey an RSA key size generated can be rounded
2507 *       down to nearest multiple of 8. For example generating a key of size
2508 *       2999 bits will make a key of size 374 bytes instead of 375 bytes.
2509 *
2510 * @param [in]      bits  Number of bits that the modulus must have i.e. 2048.
2511 * @param [in]      e     Public exponent to use i.e. 65537.
2512 * @param [in]      cb    Status callback. Unused.
2513 * @param [in]      data  Data to pass to status callback. Unused.
2514 * @return  A new RSA key on success.
2515 * @return  NULL on failure.
2516 */
2517WOLFSSL_RSA* wolfSSL_RSA_generate_key(int bits, unsigned long e,
2518    void(*cb)(int, int, void*), void* data)
2519{
2520    WOLFSSL_RSA*    rsa = NULL;
2521    WOLFSSL_BIGNUM* bn  = NULL;
2522    int             err = 0;
2523
2524    WOLFSSL_ENTER("wolfSSL_RSA_generate_key");
2525
2526    (void)cb;
2527    (void)data;
2528
2529    /* Validate bits. */
2530    if (bits < 0) {
2531        WOLFSSL_ERROR_MSG("Bad argument: bits was less than 0");
2532        err = 1;
2533    }
2534    /* Create a new BN to hold public exponent - for when wolfCrypt supports
2535     * longer values. */
2536    if ((!err) && ((bn = wolfSSL_BN_new()) == NULL)) {
2537        WOLFSSL_ERROR_MSG("Error creating big number");
2538        err = 1;
2539    }
2540    /* Set public exponent. */
2541    if ((!err) && (wolfSSL_BN_set_word(bn, e) != 1)) {
2542        WOLFSSL_ERROR_MSG("Error using e value");
2543        err = 1;
2544    }
2545
2546    /* Create an RSA key object to hold generated key. */
2547    if ((!err) && ((rsa = wolfSSL_RSA_new()) == NULL)) {
2548        WOLFSSL_ERROR_MSG("memory error");
2549        err = 1;
2550    }
2551    while (!err) {
2552        int ret;
2553
2554        /* Use wolfCrypt to generate RSA key. */
2555        ret = wolfssl_rsa_generate_key_native(rsa, bits, bn, NULL);
2556    #ifdef HAVE_FIPS
2557        /* Keep trying if failed to find a prime. */
2558        if (ret == WC_NO_ERR_TRACE(PRIME_GEN_E)) {
2559            continue;
2560        }
2561    #endif
2562        if (ret != WOLFSSL_ERROR_NONE) {
2563            /* Unrecoverable error in generation. */
2564            err = 1;
2565        }
2566        /* Done generating - unrecoverable error or success. */
2567        break;
2568    }
2569    if (err) {
2570        /* Dispose of RSA key object if generation didn't work. */
2571        wolfSSL_RSA_free(rsa);
2572        /* Returning NULL on error. */
2573        rsa = NULL;
2574    }
2575    /* Dispose of the temporary BN used for the public exponent. */
2576    wolfSSL_BN_free(bn);
2577
2578    return rsa;
2579}
2580
2581/* Generate an RSA key that has the specified modulus size and public exponent.
2582 *
2583 * Note: Because of wc_MakeRsaKey an RSA key size generated can be rounded
2584 *       down to nearest multiple of 8. For example generating a key of size
2585 *       2999 bits will make a key of size 374 bytes instead of 375 bytes.
2586 *
2587 * @param [in]      bits  Number of bits that the modulus must have i.e. 2048.
2588 * @param [in]      e     Public exponent to use, i.e. 65537, as a BN.
2589 * @param [in]      cb    Status callback. Unused.
2590 * @return 1 on success.
2591 * @return 0 on failure.
2592 */
2593int wolfSSL_RSA_generate_key_ex(WOLFSSL_RSA* rsa, int bits, WOLFSSL_BIGNUM* e,
2594    void* cb)
2595{
2596    int ret = 1;
2597
2598    /* Validate parameters. */
2599    if ((rsa == NULL) || (rsa->internal == NULL)) {
2600        WOLFSSL_ERROR_MSG("bad arguments");
2601        ret = 0;
2602    }
2603    else {
2604        for (;;) {
2605            /* Use wolfCrypt to generate RSA key. */
2606            int gen_ret = wolfssl_rsa_generate_key_native(rsa, bits, e, cb);
2607        #ifdef HAVE_FIPS
2608            /* Keep trying again if public key value didn't work. */
2609            if (gen_ret == WC_NO_ERR_TRACE(PRIME_GEN_E)) {
2610                continue;
2611            }
2612        #endif
2613            if (gen_ret != WOLFSSL_ERROR_NONE) {
2614                /* Unrecoverable error in generation. */
2615                ret = 0;
2616            }
2617            /* Done generating - unrecoverable error or success. */
2618            break;
2619        }
2620    }
2621
2622    return ret;
2623}
2624
2625#endif /* OPENSSL_EXTRA */
2626
2627/*
2628 * RSA padding APIs
2629 */
2630
2631#ifdef WC_RSA_PSS
2632
2633#if defined(OPENSSL_EXTRA) && !defined(HAVE_SELFTEST) && \
2634    (!defined(HAVE_FIPS) || FIPS_VERSION_GT(2,0))
2635static int rsa_pss_calc_salt(int saltLen, int hashLen, int emLen)
2636{
2637    /* Calculate the salt length to use for special cases. */
2638    switch (saltLen) {
2639        /* Negative saltLen values are treated differently. */
2640        case WC_RSA_PSS_SALTLEN_DIGEST:
2641            saltLen = hashLen;
2642            break;
2643        case WC_RSA_PSS_SALTLEN_MAX_SIGN:
2644        case WC_RSA_PSS_SALTLEN_MAX:
2645        #ifdef WOLFSSL_PSS_LONG_SALT
2646            saltLen = emLen - hashLen - 2;
2647        #else
2648            saltLen = hashLen;
2649            (void)emLen;
2650        #endif
2651            break;
2652        default:
2653            break;
2654    }
2655    if (saltLen < 0) {
2656        /* log invalid salt, let wolfCrypt handle error */
2657        WOLFSSL_ERROR_MSG("invalid saltLen");
2658        saltLen = -3; /* for wolfCrypt to produce error must be < -2 */
2659    }
2660    return saltLen;
2661}
2662#endif /* OPENSSL_EXTRA && !HAVE_SELFTEST */
2663
2664#if (defined(OPENSSL_ALL) || defined(WOLFSSL_ASIO) || \
2665     defined(WOLFSSL_HAPROXY) || defined(WOLFSSL_NGINX)) && \
2666    (!defined(HAVE_FIPS) || FIPS_VERSION_GT(2,0))
2667
2668/* Add PKCS#1 PSS padding to hash.
2669 *
2670 *
2671 *                                +-----------+
2672 *                                |     M     |
2673 *                                +-----------+
2674 *                                      |
2675 *                                      V
2676 *                                    Hash
2677 *                                      |
2678 *                                      V
2679 *                        +--------+----------+----------+
2680 *                   M' = |Padding1|  mHash   |   salt   |
2681 *                        +--------+----------+----------+
2682 *                                       |
2683 *             +--------+----------+     V
2684 *       DB =  |Padding2|maskedseed|   Hash
2685 *             +--------+----------+     |
2686 *                       |               |
2687 *                       V               |    +--+
2688 *                      xor <--- MGF <---|    |bc|
2689 *                       |               |    +--+
2690 *                       |               |      |
2691 *                       V               V      V
2692 *             +-------------------+----------+--+
2693 *       EM =  |    maskedDB       |maskedseed|bc|
2694 *             +-------------------+----------+--+
2695 * Diagram taken from https://tools.ietf.org/html/rfc3447#section-9.1
2696 *
2697 * @param [in]  rsa      RSA key.
2698 * @param [out] em       Encoded message.
2699 * @param [in[  mHash    Message hash.
2700 * @param [in]  hashAlg  Hash algorithm.
2701 * @param [in]  mgf1Hash MGF algorithm.
2702 * @param [in]  saltLen  Length of salt to generate.
2703 * @return  1 on success.
2704 * @return  0 on failure.
2705 */
2706
2707int wolfSSL_RSA_padding_add_PKCS1_PSS_mgf1(WOLFSSL_RSA *rsa, unsigned char *em,
2708        const unsigned char *mHash, const WOLFSSL_EVP_MD *hashAlg,
2709        const WOLFSSL_EVP_MD *mgf1Hash, int saltLen)
2710{
2711    int ret = 1;
2712    enum wc_HashType hashType = WC_HASH_TYPE_NONE;
2713    int hashLen = 0;
2714    int emLen = 0;
2715    int mgf = 0;
2716    int initTmpRng = 0;
2717    WC_RNG *rng = NULL;
2718#ifdef WOLFSSL_SMALL_STACK
2719    WC_RNG* tmpRng = NULL;
2720#else
2721    WC_RNG  _tmpRng[1];
2722    WC_RNG* tmpRng = _tmpRng;
2723#endif
2724
2725    WOLFSSL_ENTER("wolfSSL_RSA_padding_add_PKCS1_PSS");
2726
2727    /* Validate parameters. */
2728    if ((rsa == NULL) || (em == NULL) || (mHash == NULL) || (hashAlg == NULL)) {
2729        ret = 0;
2730    }
2731
2732    if (mgf1Hash == NULL)
2733        mgf1Hash = hashAlg;
2734
2735    if (ret == 1) {
2736        /* Get/create an RNG. */
2737        rng = WOLFSSL_RSA_GetRNG(rsa, (WC_RNG**)&tmpRng, &initTmpRng);
2738        if (rng == NULL) {
2739            WOLFSSL_ERROR_MSG("WOLFSSL_RSA_GetRNG error");
2740            ret = 0;
2741        }
2742    }
2743
2744    /* TODO: use wolfCrypt RSA key to get emLen and bits? */
2745    /* Set the external data from the wolfCrypt RSA key if not done. */
2746    if ((ret == 1) && (!rsa->exSet)) {
2747        ret = SetRsaExternal(rsa);
2748    }
2749
2750    if (ret == 1) {
2751        /* Get the wolfCrypt hash algorithm type. */
2752        hashType = EvpMd2MacType(hashAlg);
2753        if (hashType > WC_HASH_TYPE_MAX) {
2754            WOLFSSL_ERROR_MSG("EvpMd2MacType error");
2755            ret = 0;
2756        }
2757    }
2758    if (ret == 1) {
2759        /* Get the wolfCrypt MGF algorithm from hash algorithm. */
2760        mgf = wc_hash2mgf(EvpMd2MacType(mgf1Hash));
2761        if (mgf == WC_MGF1NONE) {
2762            WOLFSSL_ERROR_MSG("wc_hash2mgf error");
2763            ret = 0;
2764        }
2765    }
2766    if (ret == 1) {
2767        /* Get the length of the hash output. */
2768        hashLen = wolfSSL_EVP_MD_size(hashAlg);
2769        if (hashLen < 0) {
2770            WOLFSSL_ERROR_MSG("wolfSSL_EVP_MD_size error");
2771            ret = 0;
2772        }
2773    }
2774
2775    if (ret == 1) {
2776        /* Get length of RSA key - encrypted message length. */
2777        emLen = wolfSSL_RSA_size(rsa);
2778        if (emLen <= 0) {
2779            WOLFSSL_ERROR_MSG("wolfSSL_RSA_size error");
2780            ret = 0;
2781        }
2782    }
2783
2784    if (ret == 1) {
2785        saltLen = rsa_pss_calc_salt(saltLen, hashLen, emLen);
2786    }
2787
2788    if (ret == 1) {
2789        /* Generate RSA PKCS#1 PSS padding for hash using wolfCrypt. */
2790        if (wc_RsaPad_ex(mHash, (word32)hashLen, em, (word32)emLen,
2791                RSA_BLOCK_TYPE_1, rng, WC_RSA_PSS_PAD, hashType, mgf, NULL, 0,
2792                saltLen, wolfSSL_BN_num_bits(rsa->n), NULL) != MP_OKAY) {
2793            WOLFSSL_ERROR_MSG("wc_RsaPad_ex error");
2794            ret = 0;
2795        }
2796    }
2797
2798    /* Finalize RNG if initialized in WOLFSSL_RSA_GetRNG(). */
2799    if (initTmpRng) {
2800        wc_FreeRng(tmpRng);
2801    }
2802    WC_FREE_VAR_EX(tmpRng, NULL, DYNAMIC_TYPE_RNG);
2803
2804    return ret;
2805}
2806
2807int wolfSSL_RSA_padding_add_PKCS1_PSS(WOLFSSL_RSA *rsa, unsigned char *em,
2808    const unsigned char *mHash, const WOLFSSL_EVP_MD *hashAlg, int saltLen)
2809{
2810    return wolfSSL_RSA_padding_add_PKCS1_PSS_mgf1(rsa, em, mHash, hashAlg, NULL,
2811            saltLen);
2812}
2813
2814/* Checks that the hash is valid for the RSA PKCS#1 PSS encoded message.
2815 *
2816 * Refer to wolfSSL_RSA_padding_add_PKCS1_PSS for a diagram.
2817 *
2818 * @param [in]  rsa      RSA key.
2819 * @param [in[  mHash    Message hash.
2820 * @param [in]  hashAlg  Hash algorithm.
2821 * @param [in]  mgf1Hash MGF algorithm.
2822 * @param [in]  em       Encoded message.
2823 * @param [in]  saltLen  Length of salt to generate.
2824 * @return  1 on success.
2825 * @return  0 on failure.
2826 */
2827int wolfSSL_RSA_verify_PKCS1_PSS_mgf1(WOLFSSL_RSA *rsa,
2828        const unsigned char *mHash, const WOLFSSL_EVP_MD *hashAlg,
2829        const WOLFSSL_EVP_MD *mgf1Hash, const unsigned char *em, int saltLen)
2830{
2831    int ret = 1;
2832    int hashLen = 0;
2833    int mgf = 0;
2834    int emLen = 0;
2835    int mPrimeLen = 0;
2836    enum wc_HashType hashType = WC_HASH_TYPE_NONE;
2837    byte *mPrime = NULL;
2838    byte *buf = NULL;
2839
2840    WOLFSSL_ENTER("wolfSSL_RSA_verify_PKCS1_PSS");
2841
2842    /* Validate parameters. */
2843    if ((rsa == NULL) || (mHash == NULL) || (hashAlg == NULL) || (em == NULL)) {
2844        ret = 0;
2845    }
2846
2847    if (mgf1Hash == NULL)
2848        mgf1Hash = hashAlg;
2849
2850    /* TODO: use wolfCrypt RSA key to get emLen and bits? */
2851    /* Set the external data from the wolfCrypt RSA key if not done. */
2852    if ((ret == 1) && (!rsa->exSet)) {
2853        ret = SetRsaExternal(rsa);
2854    }
2855
2856    if (ret == 1) {
2857        /* Get hash length for hash algorithm. */
2858        hashLen = wolfSSL_EVP_MD_size(hashAlg);
2859        if (hashLen < 0) {
2860            ret = 0;
2861        }
2862    }
2863
2864    if (ret == 1) {
2865        /* Get length of RSA key - encrypted message length. */
2866        emLen = wolfSSL_RSA_size(rsa);
2867        if (emLen <= 0) {
2868            WOLFSSL_ERROR_MSG("wolfSSL_RSA_size error");
2869            ret = 0;
2870        }
2871    }
2872
2873    if (ret == 1) {
2874        saltLen = rsa_pss_calc_salt(saltLen, hashLen, emLen);
2875    }
2876
2877    if (ret == 1) {
2878        /* Get the wolfCrypt hash algorithm type. */
2879        hashType = EvpMd2MacType(hashAlg);
2880        if (hashType > WC_HASH_TYPE_MAX) {
2881            WOLFSSL_ERROR_MSG("EvpMd2MacType error");
2882            ret = 0;
2883        }
2884    }
2885
2886    if (ret == 1) {
2887        /* Get the wolfCrypt MGF algorithm from hash algorithm. */
2888        if ((mgf = wc_hash2mgf(EvpMd2MacType(mgf1Hash))) == WC_MGF1NONE) {
2889            WOLFSSL_ERROR_MSG("wc_hash2mgf error");
2890            ret = 0;
2891        }
2892    }
2893
2894    if (ret == 1) {
2895        /* Allocate buffer to unpad inline with. */
2896        buf = (byte*)XMALLOC((size_t)emLen, NULL, DYNAMIC_TYPE_TMP_BUFFER);
2897        if (buf == NULL) {
2898            WOLFSSL_ERROR_MSG("malloc error");
2899            ret = 0;
2900        }
2901    }
2902
2903    if (ret == 1) {
2904        /* Copy encrypted message to temp for inline unpadding. */
2905        XMEMCPY(buf, em, (size_t)emLen);
2906
2907        /* Remove and verify the PSS padding. */
2908        mPrimeLen = wc_RsaUnPad_ex(buf, (word32)emLen, &mPrime,
2909            RSA_BLOCK_TYPE_1, WC_RSA_PSS_PAD, hashType, mgf, NULL, 0, saltLen,
2910            wolfSSL_BN_num_bits(rsa->n), NULL);
2911        if (mPrimeLen < 0) {
2912            WOLFSSL_ERROR_MSG("wc_RsaPad_ex error");
2913            ret = 0;
2914        }
2915    }
2916
2917    if (ret == 1) {
2918        /* Verify the hash is correct. */
2919        if (wc_RsaPSS_CheckPadding_ex(mHash, (word32)hashLen, mPrime,
2920                (word32)mPrimeLen, hashType, saltLen,
2921                wolfSSL_BN_num_bits(rsa->n)) != MP_OKAY) {
2922            WOLFSSL_ERROR_MSG("wc_RsaPSS_CheckPadding_ex error");
2923            ret = 0;
2924        }
2925    }
2926
2927    /* Dispose of any allocated buffer. */
2928    XFREE(buf, NULL, DYNAMIC_TYPE_TMP_BUFFER);
2929    return ret;
2930}
2931
2932int wolfSSL_RSA_verify_PKCS1_PSS(WOLFSSL_RSA *rsa, const unsigned char *mHash,
2933                                 const WOLFSSL_EVP_MD *hashAlg,
2934                                 const unsigned char *em, int saltLen)
2935{
2936    return wolfSSL_RSA_verify_PKCS1_PSS_mgf1(rsa, mHash, hashAlg, NULL, em,
2937            saltLen);
2938}
2939#endif /* (!HAVE_FIPS || FIPS_VERSION_GT(2,0)) && \
2940          (OPENSSL_ALL || WOLFSSL_ASIO || WOLFSSL_HAPROXY || WOLFSSL_NGINX) */
2941#endif /* WC_RSA_PSS */
2942
2943/*
2944 * RSA sign/verify APIs
2945 */
2946
2947#if defined(WC_RSA_PSS) && !defined(HAVE_SELFTEST) && \
2948    (!defined(HAVE_FIPS) || FIPS_VERSION_GE(5,1))
2949    #ifndef WOLFSSL_PSS_SALT_LEN_DISCOVER
2950        #define DEF_PSS_SALT_LEN    RSA_PSS_SALT_LEN_DEFAULT
2951    #else
2952        #define DEF_PSS_SALT_LEN    RSA_PSS_SALT_LEN_DISCOVER
2953    #endif
2954#else
2955    #define DEF_PSS_SALT_LEN 0 /* not used */
2956#endif
2957
2958#if defined(OPENSSL_EXTRA)
2959
2960/* Encode the message hash.
2961 *
2962 * Used by signing and verification.
2963 *
2964 * @param [in]  hashAlg   Hash algorithm OID.
2965 * @param [in]  hash      Hash of message to encode for signing.
2966 * @param [in]  hLen      Length of hash of message.
2967 * @param [out] enc       Encoded message hash.
2968 * @param [out] encLen    Length of encoded message hash.
2969 * @param [in]  padding   Which padding scheme is being used.
2970 * @return  1 on success.
2971 * @return  0 on failure.
2972 */
2973static int wolfssl_rsa_sig_encode(int hashAlg, const unsigned char* hash,
2974    unsigned int hLen, unsigned char* enc, unsigned int* encLen, int padding)
2975{
2976    int ret = 1;
2977    int hType = WC_HASH_TYPE_NONE;
2978
2979    /* Validate parameters. */
2980    if ((hash == NULL) || (enc == NULL) || (encLen == NULL)) {
2981        ret = 0;
2982    }
2983
2984    if ((ret == 1) && (hashAlg != WC_NID_undef) &&
2985            (padding == WC_RSA_PKCS1_PADDING)) {
2986        /* Convert hash algorithm to hash type for PKCS#1.5 padding. */
2987        hType = (int)nid2oid(hashAlg, oidHashType);
2988        if (hType == -1) {
2989            ret = 0;
2990        }
2991    }
2992    if ((ret == 1) && (padding == WC_RSA_PKCS1_PADDING)) {
2993        /* PKCS#1.5 encoding. */
2994        word32 encSz = wc_EncodeSignature(enc, hash, hLen, hType);
2995        if (encSz == 0) {
2996            WOLFSSL_ERROR_MSG("Bad Encode Signature");
2997            ret = 0;
2998        }
2999        else  {
3000            *encLen = (unsigned int)encSz;
3001        }
3002    }
3003    /* Other padding schemes require the hash as is. */
3004    if ((ret == 1) && (padding != WC_RSA_PKCS1_PADDING)) {
3005        XMEMCPY(enc, hash, hLen);
3006        *encLen = hLen;
3007    }
3008
3009    return ret;
3010}
3011
3012/* Sign the message hash using hash algorithm and RSA key.
3013 *
3014 * @param [in]  hashAlg   Hash algorithm OID.
3015 * @param [in]  hash      Hash of message to encode for signing.
3016 * @param [in]  hLen      Length of hash of message.
3017 * @param [out] enc       Encoded message hash.
3018 * @param [out] encLen    Length of encoded message hash.
3019 * @param [in]  rsa       RSA key.
3020 * @return  1 on success.
3021 * @return  0 on failure.
3022 */
3023int wolfSSL_RSA_sign(int hashAlg, const unsigned char* hash, unsigned int hLen,
3024    unsigned char* sigRet, unsigned int* sigLen, WOLFSSL_RSA* rsa)
3025{
3026    if (sigLen != NULL) {
3027        /* No size checking in this API */
3028        *sigLen = RSA_MAX_SIZE / CHAR_BIT;
3029    }
3030    /* flag is 1: output complete signature. */
3031    return wolfSSL_RSA_sign_generic_padding(hashAlg, hash, hLen, sigRet,
3032        sigLen, rsa, 1, WC_RSA_PKCS1_PADDING);
3033}
3034
3035/* Sign the message hash using hash algorithm and RSA key.
3036 *
3037 * Not OpenSSL API.
3038 *
3039 * @param [in]  hashAlg   Hash algorithm NID.
3040 * @param [in]  hash      Hash of message to encode for signing.
3041 * @param [in]  hLen      Length of hash of message.
3042 * @param [out] enc       Encoded message hash.
3043 * @param [out] encLen    Length of encoded message hash.
3044 * @param [in]  rsa       RSA key.
3045 * @param [in]  flag      When 1: Output encrypted signature.
3046 *                        When 0: Output encoded hash.
3047 * @return  1 on success.
3048 * @return  0 on failure.
3049 */
3050int wolfSSL_RSA_sign_ex(int hashAlg, const unsigned char* hash,
3051    unsigned int hLen, unsigned char* sigRet, unsigned int* sigLen,
3052    WOLFSSL_RSA* rsa, int flag)
3053{
3054    int ret = 0;
3055
3056    if ((flag == 0) || (flag == 1)) {
3057        if (sigLen != NULL) {
3058            /* No size checking in this API */
3059            *sigLen = RSA_MAX_SIZE / CHAR_BIT;
3060        }
3061        ret = wolfSSL_RSA_sign_generic_padding(hashAlg, hash, hLen, sigRet,
3062            sigLen, rsa, flag, WC_RSA_PKCS1_PADDING);
3063    }
3064
3065    return ret;
3066}
3067
3068int wolfSSL_RSA_sign_generic_padding(int hashAlg, const unsigned char* hash,
3069    unsigned int hLen, unsigned char* sigRet, unsigned int* sigLen,
3070    WOLFSSL_RSA* rsa, int flag, int padding)
3071{
3072    return wolfSSL_RSA_sign_mgf(hashAlg, hash, hLen, sigRet, sigLen, rsa, flag,
3073        padding, hashAlg, DEF_PSS_SALT_LEN);
3074}
3075
3076/**
3077 * Sign a message hash with the chosen message digest, padding, and RSA key.
3078 *
3079 * Not OpenSSL API.
3080 *
3081 * @param [in]      hashAlg  Hash NID
3082 * @param [in]      hash     Message hash to sign.
3083 * @param [in]      mLen     Length of message hash to sign.
3084 * @param [out]     sigRet   Output buffer.
3085 * @param [in, out] sigLen   On Input: length of sigRet buffer.
3086 *                           On Output: length of data written to sigRet.
3087 * @param [in]      rsa      RSA key used to sign the input.
3088 * @param [in]      flag     1: Output the signature.
3089 *                           0: Output the value that the unpadded signature
3090 *                              should be compared to.
3091 * @param [in]      padding  Padding to use. Only RSA_PKCS1_PSS_PADDING and
3092 *                           WC_RSA_PKCS1_PADDING are currently supported for
3093 *                           signing.
3094 * @param [in]      mgf1Hash MGF1 Hash NID
3095 * @param [in]      saltLen  Length of RSA PSS salt
3096 * @return  1 on success.
3097 * @return  0 on failure.
3098 */
3099int wolfSSL_RSA_sign_mgf(int hashAlg, const unsigned char* hash,
3100    unsigned int hLen, unsigned char* sigRet, unsigned int* sigLen,
3101    WOLFSSL_RSA* rsa, int flag, int padding, int mgf1Hash, int saltLen)
3102{
3103    int     ret        = 1;
3104    word32  outLen     = 0;
3105    int     signSz     = 0;
3106    WC_RNG* rng        = NULL;
3107    int     initTmpRng = 0;
3108#ifdef WOLFSSL_SMALL_STACK
3109    WC_RNG* tmpRng     = NULL;
3110    byte*   encodedSig = NULL;
3111#else
3112    WC_RNG  _tmpRng[1];
3113    WC_RNG* tmpRng = _tmpRng;
3114    byte    encodedSig[MAX_ENCODED_SIG_SZ];
3115#endif
3116    unsigned int encSz = 0;
3117
3118    WOLFSSL_ENTER("wolfSSL_RSA_sign_mgf");
3119
3120    if (flag == 0) {
3121        /* Only encode message. */
3122        return wolfssl_rsa_sig_encode(hashAlg, hash, hLen, sigRet, sigLen,
3123            padding);
3124    }
3125
3126    /* Validate parameters. */
3127    if ((hash == NULL) || (sigRet == NULL) || sigLen == NULL || rsa == NULL) {
3128        WOLFSSL_ERROR_MSG("Bad function arguments");
3129        ret = 0;
3130    }
3131
3132    /* Set wolfCrypt RSA key data from external if not already done. */
3133    if ((ret == 1) && (!rsa->inSet) && (SetRsaInternal(rsa) != 1)) {
3134        ret = 0;
3135    }
3136
3137    if (ret == 1) {
3138        /* Get the maximum signature length. */
3139        outLen = (word32)wolfSSL_BN_num_bytes(rsa->n);
3140        /* Check not an error return. */
3141        if (outLen == 0) {
3142            WOLFSSL_ERROR_MSG("Bad RSA size");
3143            ret = 0;
3144        }
3145        /* Check signature buffer is big enough. */
3146        else if (outLen > *sigLen) {
3147            WOLFSSL_ERROR_MSG("Output buffer too small");
3148            ret = 0;
3149        }
3150    }
3151
3152#ifdef WOLFSSL_SMALL_STACK
3153    if (ret == 1) {
3154        /* Allocate encoded signature buffer if doing PKCS#1 padding. */
3155        encodedSig = (byte*)XMALLOC(MAX_ENCODED_SIG_SZ, NULL,
3156            DYNAMIC_TYPE_SIGNATURE);
3157        if (encodedSig == NULL) {
3158            ret = 0;
3159        }
3160    }
3161#endif
3162
3163    if (ret == 1) {
3164        /* Get/create an RNG. */
3165        rng = WOLFSSL_RSA_GetRNG(rsa, (WC_RNG**)&tmpRng, &initTmpRng);
3166        if (rng == NULL) {
3167            WOLFSSL_ERROR_MSG("WOLFSSL_RSA_GetRNG error");
3168            ret = 0;
3169        }
3170    }
3171
3172    /* Either encodes with PKCS#1.5 or copies hash into encodedSig. */
3173    if ((ret == 1) && (wolfssl_rsa_sig_encode(hashAlg, hash, hLen, encodedSig,
3174            &encSz, padding) == 0)) {
3175        WOLFSSL_ERROR_MSG("Bad Encode Signature");
3176        ret = 0;
3177    }
3178
3179    if (ret == 1) {
3180        switch (padding) {
3181    #if defined(WC_RSA_NO_PADDING) || defined(WC_RSA_DIRECT)
3182        case WC_RSA_NO_PAD:
3183            if ((signSz = wc_RsaDirect(encodedSig, encSz, sigRet, &outLen,
3184                (RsaKey*)rsa->internal, RSA_PRIVATE_ENCRYPT, rng)) <= 0) {
3185                WOLFSSL_ERROR_MSG("Bad RSA Sign no pad");
3186                ret = 0;
3187            }
3188            break;
3189    #endif
3190    #if defined(WC_RSA_PSS) && !defined(HAVE_SELFTEST) && \
3191        (!defined(HAVE_FIPS) || FIPS_VERSION_GE(5,1))
3192        case WC_RSA_PKCS1_PSS_PADDING:
3193        {
3194            RsaKey* key = (RsaKey*)rsa->internal;
3195            enum wc_HashType mgf1, hType;
3196            hType = wc_OidGetHash((int)nid2oid(hashAlg, oidHashType));
3197            if (mgf1Hash == WC_NID_undef)
3198                mgf1Hash = hashAlg;
3199            mgf1 = wc_OidGetHash((int)nid2oid(mgf1Hash, oidHashType));
3200            /* handle compat layer salt special cases */
3201            saltLen = rsa_pss_calc_salt(saltLen, wc_HashGetDigestSize(hType),
3202                wolfSSL_RSA_size(rsa));
3203
3204            /* Create RSA PSS signature. */
3205            if ((signSz = wc_RsaPSS_Sign_ex(encodedSig, encSz, sigRet, outLen,
3206                hType, wc_hash2mgf(mgf1), saltLen, key, rng)) <= 0) {
3207                WOLFSSL_ERROR_MSG("Bad RSA PSS Sign");
3208                ret = 0;
3209            }
3210            break;
3211        }
3212    #endif
3213    #ifndef WC_NO_RSA_OAEP
3214        case WC_RSA_PKCS1_OAEP_PADDING:
3215            /* Not a signature padding scheme. */
3216            WOLFSSL_ERROR_MSG("RSA_PKCS1_OAEP_PADDING not supported for "
3217                              "signing");
3218            ret = 0;
3219            break;
3220    #endif
3221        case WC_RSA_PKCS1_PADDING:
3222        {
3223            /* Sign (private encrypt) PKCS#1 encoded signature. */
3224            if ((signSz = wc_RsaSSL_Sign(encodedSig, encSz, sigRet, outLen,
3225                    (RsaKey*)rsa->internal, rng)) <= 0) {
3226                WOLFSSL_ERROR_MSG("Bad PKCS1 RSA Sign");
3227                ret = 0;
3228            }
3229            break;
3230        }
3231        default:
3232            WOLFSSL_ERROR_MSG("Unsupported padding");
3233            (void)mgf1Hash;
3234            (void)saltLen;
3235            ret = 0;
3236            break;
3237        }
3238    }
3239
3240    if (ret == 1) {
3241        /* Return the size of signature generated. */
3242        *sigLen = (unsigned int)signSz;
3243    }
3244
3245    /* Finalize RNG if initialized in WOLFSSL_RSA_GetRNG(). */
3246    if (initTmpRng) {
3247        wc_FreeRng(tmpRng);
3248    }
3249    WC_FREE_VAR_EX(tmpRng, NULL, DYNAMIC_TYPE_RNG);
3250    WC_FREE_VAR_EX(encodedSig, NULL, DYNAMIC_TYPE_SIGNATURE);
3251
3252    WOLFSSL_LEAVE("wolfSSL_RSA_sign_mgf", ret);
3253    return ret;
3254}
3255
3256/**
3257 * Verify a message hash with the chosen message digest, padding, and RSA key.
3258 *
3259 * @param [in]  hashAlg  Hash NID
3260 * @param [in]  hash     Message hash.
3261 * @param [in]  mLen     Length of message hash.
3262 * @param [in]  sigRet   Signature data.
3263 * @param [in]  sigLen   Length of signature data.
3264 * @param [in]  rsa      RSA key used to sign the input
3265 * @return  1 on success.
3266 * @return  0 on failure.
3267 */
3268int wolfSSL_RSA_verify(int hashAlg, const unsigned char* hash,
3269    unsigned int hLen, const unsigned char* sig, unsigned int sigLen,
3270    WOLFSSL_RSA* rsa)
3271{
3272    return wolfSSL_RSA_verify_ex(hashAlg, hash, hLen, sig, sigLen, rsa,
3273        WC_RSA_PKCS1_PADDING);
3274}
3275
3276int wolfSSL_RSA_verify_ex(int hashAlg, const unsigned char* hash,
3277    unsigned int hLen, const unsigned char* sig, unsigned int sigLen,
3278    WOLFSSL_RSA* rsa, int padding)
3279{
3280    return wolfSSL_RSA_verify_mgf(hashAlg, hash, hLen, sig, sigLen, rsa,
3281        padding, hashAlg, DEF_PSS_SALT_LEN);
3282}
3283
3284/**
3285 * Verify a message hash with the chosen message digest, padding, and RSA key.
3286 *
3287 * Not OpenSSL API.
3288 *
3289 * @param [in]  hashAlg  Hash NID
3290 * @param [in]  hash     Message hash.
3291 * @param [in]  mLen     Length of message hash.
3292 * @param [in]  sigRet   Signature data.
3293 * @param [in]  sigLen   Length of signature data.
3294 * @param [in]  rsa      RSA key used to sign the input
3295 * @param [in]  padding  Padding to use. Only RSA_PKCS1_PSS_PADDING and
3296 *                       WC_RSA_PKCS1_PADDING are currently supported for
3297 *                       signing.
3298 * @param [in]  mgf1Hash MGF1 Hash NID
3299 * @param [in]  saltLen  Length of RSA PSS salt
3300 * @return  1 on success.
3301 * @return  0 on failure.
3302 */
3303int wolfSSL_RSA_verify_mgf(int hashAlg, const unsigned char* hash,
3304    unsigned int hLen, const unsigned char* sig, unsigned int sigLen,
3305    WOLFSSL_RSA* rsa, int padding, int mgf1Hash, int saltLen)
3306{
3307    int              ret    = 1;
3308#ifdef WOLFSSL_SMALL_STACK
3309    unsigned char*   encodedSig = NULL;
3310#else
3311    unsigned char    encodedSig[MAX_ENCODED_SIG_SZ];
3312#endif
3313    unsigned char*   sigDec = NULL;
3314    unsigned int     len    = MAX_ENCODED_SIG_SZ;
3315    int              verLen = 0;
3316#if (!defined(HAVE_FIPS) || FIPS_VERSION_GE(5, 1)) && !defined(HAVE_SELFTEST)
3317    enum wc_HashType hType = WC_HASH_TYPE_NONE;
3318#endif
3319
3320    WOLFSSL_ENTER("wolfSSL_RSA_verify_mgf");
3321
3322    /* Validate parameters. */
3323    if ((hash == NULL) || (sig == NULL) || (rsa == NULL)) {
3324        WOLFSSL_ERROR_MSG("Bad function arguments");
3325        ret = 0;
3326    }
3327
3328    if (ret == 1) {
3329        /* Allocate memory for decrypted signature. */
3330        sigDec = (unsigned char *)XMALLOC(sigLen, NULL,
3331            DYNAMIC_TYPE_TMP_BUFFER);
3332        if (sigDec == NULL) {
3333            WOLFSSL_ERROR_MSG("Memory allocation failure");
3334            ret = 0;
3335        }
3336    }
3337    if (ret == 1 && padding == WC_RSA_PKCS1_PSS_PADDING) {
3338        #if defined(WC_RSA_PSS) && !defined(HAVE_SELFTEST) && \
3339        (!defined(HAVE_FIPS) || FIPS_VERSION_GE(5,1))
3340        RsaKey* key = (RsaKey*)rsa->internal;
3341        enum wc_HashType mgf1;
3342        hType = wc_OidGetHash((int)nid2oid(hashAlg, oidHashType));
3343        if (mgf1Hash == WC_NID_undef)
3344            mgf1Hash = hashAlg;
3345        mgf1 = wc_OidGetHash((int)nid2oid(mgf1Hash, oidHashType));
3346
3347        /* handle compat layer salt special cases */
3348        saltLen = rsa_pss_calc_salt(saltLen, wc_HashGetDigestSize(hType),
3349            wolfSSL_RSA_size(rsa));
3350
3351        verLen = wc_RsaPSS_Verify_ex((byte*)sig, sigLen, sigDec, sigLen,
3352            hType, wc_hash2mgf(mgf1), saltLen, key);
3353        if (verLen > 0) {
3354            /* Check PSS padding is valid. */
3355            if (wc_RsaPSS_CheckPadding_ex(hash, hLen, sigDec, (word32)verLen,
3356                hType, saltLen, mp_count_bits(&key->n)) != 0) {
3357                WOLFSSL_ERROR_MSG("wc_RsaPSS_CheckPadding_ex error");
3358                ret = WOLFSSL_FAILURE;
3359            }
3360            else {
3361                /* Success! Free resources and return early */
3362                XFREE(sigDec, NULL, DYNAMIC_TYPE_TMP_BUFFER);
3363                return WOLFSSL_SUCCESS;
3364            }
3365        }
3366        else {
3367            WOLFSSL_ERROR_MSG("wc_RsaPSS_Verify_ex failed!");
3368            ret = WOLFSSL_FAILURE;
3369        }
3370    #else
3371        (void)mgf1Hash;
3372        (void)saltLen;
3373        WOLFSSL_ERROR_MSG("RSA PSS not compiled in!");
3374        ret = WOLFSSL_FAILURE;
3375    #endif
3376    }
3377
3378#ifdef WOLFSSL_SMALL_STACK
3379    if (ret == 1) {
3380        /* Allocate memory for encoded signature. */
3381        encodedSig = (unsigned char *)XMALLOC(len, NULL,
3382            DYNAMIC_TYPE_TMP_BUFFER);
3383        if (encodedSig == NULL) {
3384            WOLFSSL_ERROR_MSG("Memory allocation failure");
3385            ret = 0;
3386        }
3387    }
3388#endif
3389    if (ret == 1) {
3390        /* Make encoded signature to compare with decrypted signature. */
3391        if (wolfssl_rsa_sig_encode(hashAlg, hash, hLen, encodedSig, &len,
3392                padding) <= 0) {
3393            WOLFSSL_ERROR_MSG("Message Digest Error");
3394            ret = 0;
3395        }
3396    }
3397    if (ret == 1) {
3398        /* Decrypt signature */
3399    #if (!defined(HAVE_FIPS) || FIPS_VERSION_GE(5, 1)) && \
3400        !defined(HAVE_SELFTEST)
3401        hType = wc_OidGetHash((int)nid2oid(hashAlg, oidHashType));
3402        if ((verLen = wc_RsaSSL_Verify_ex2(sig, sigLen, (unsigned char *)sigDec,
3403                sigLen, (RsaKey*)rsa->internal, padding, hType)) <= 0) {
3404            WOLFSSL_ERROR_MSG("RSA Decrypt error");
3405            ret = 0;
3406        }
3407    #else
3408        verLen = wc_RsaSSL_Verify(sig, sigLen, (unsigned char *)sigDec, sigLen,
3409            (RsaKey*)rsa->internal);
3410        if (verLen < 0) {
3411            ret = 0;
3412        }
3413    #endif
3414    }
3415    if (ret == 1) {
3416        /* Compare decrypted signature to encoded signature. */
3417        if (((int)len != verLen) ||
3418                (XMEMCMP(encodedSig, sigDec, (size_t)verLen) != 0)) {
3419            WOLFSSL_ERROR_MSG("wolfSSL_RSA_verify_ex failed");
3420            ret = 0;
3421        }
3422    }
3423
3424    /* Dispose of any allocated data. */
3425    WC_FREE_VAR_EX(encodedSig, NULL, DYNAMIC_TYPE_TMP_BUFFER);
3426    XFREE(sigDec, NULL, DYNAMIC_TYPE_TMP_BUFFER);
3427
3428    WOLFSSL_LEAVE("wolfSSL_RSA_verify_mgf", ret);
3429    return ret;
3430}
3431
3432/*
3433 * RSA public/private encrypt/decrypt APIs
3434 */
3435
3436/* Encrypt with the RSA public key.
3437 *
3438 * Return compliant with OpenSSL.
3439 *
3440 * @param [in]  len      Length of data to encrypt.
3441 * @param [in]  from     Data to encrypt.
3442 * @param [out] to       Encrypted data.
3443 * @param [in]  rsa      RSA key.
3444 * @param [in]  padding  Type of padding to place around plaintext.
3445 * @return  Size of encrypted data on success.
3446 * @return  -1 on failure.
3447 */
3448int wolfSSL_RSA_public_encrypt(int len, const unsigned char* from,
3449    unsigned char* to, WOLFSSL_RSA* rsa, int padding)
3450{
3451    int ret = 0;
3452    int initTmpRng = 0;
3453    WC_RNG *rng = NULL;
3454#ifdef WOLFSSL_SMALL_STACK
3455    WC_RNG* tmpRng = NULL;
3456#else
3457    WC_RNG  _tmpRng[1];
3458    WC_RNG* tmpRng = _tmpRng;
3459#endif
3460#if !defined(HAVE_FIPS)
3461    int  mgf = WC_MGF1NONE;
3462    enum wc_HashType hash = WC_HASH_TYPE_NONE;
3463    int pad_type = WC_RSA_NO_PAD;
3464#endif
3465    int outLen = 0;
3466
3467    WOLFSSL_ENTER("wolfSSL_RSA_public_encrypt");
3468
3469    /* Validate parameters. */
3470    if ((len < 0) || (rsa == NULL) || (rsa->internal == NULL) ||
3471            (from == NULL)) {
3472        WOLFSSL_ERROR_MSG("Bad function arguments");
3473        ret = WOLFSSL_FATAL_ERROR;
3474    }
3475
3476    if (ret == 0) {
3477    #if !defined(HAVE_FIPS)
3478        /* Convert to wolfCrypt padding, hash and MGF. */
3479        switch (padding) {
3480        case WC_RSA_PKCS1_PADDING:
3481            pad_type = WC_RSA_PKCSV15_PAD;
3482            break;
3483        case WC_RSA_PKCS1_OAEP_PADDING:
3484            pad_type = WC_RSA_OAEP_PAD;
3485            hash = WC_HASH_TYPE_SHA;
3486            mgf = WC_MGF1SHA1;
3487            break;
3488        case WC_RSA_NO_PAD:
3489            pad_type = WC_RSA_NO_PAD;
3490            break;
3491        default:
3492            WOLFSSL_ERROR_MSG("RSA_public_encrypt doesn't support padding "
3493                              "scheme");
3494            ret = WOLFSSL_FATAL_ERROR;
3495        }
3496    #else
3497        /* Check for supported padding schemes in FIPS. */
3498        /* TODO: Do we support more schemes in later versions of FIPS? */
3499        if (padding != WC_RSA_PKCS1_PADDING) {
3500            WOLFSSL_ERROR_MSG("RSA_public_encrypt pad type not supported in "
3501                              "FIPS");
3502            ret = WOLFSSL_FATAL_ERROR;
3503        }
3504    #endif
3505    }
3506
3507    /* Set wolfCrypt RSA key data from external if not already done. */
3508    if ((ret == 0) && (!rsa->inSet) && (SetRsaInternal(rsa) != 1)) {
3509        ret = WOLFSSL_FATAL_ERROR;
3510    }
3511
3512    if (ret == 0) {
3513        /* Calculate maximum length of encrypted data. */
3514        outLen = wolfSSL_RSA_size(rsa);
3515        if (outLen == 0) {
3516            WOLFSSL_ERROR_MSG("Bad RSA size");
3517            ret = WOLFSSL_FATAL_ERROR;
3518        }
3519    }
3520
3521    if (ret == 0) {
3522        /* Get an RNG. */
3523        rng = WOLFSSL_RSA_GetRNG(rsa, (WC_RNG**)&tmpRng, &initTmpRng);
3524        if (rng == NULL) {
3525            ret = WOLFSSL_FATAL_ERROR;
3526        }
3527    }
3528
3529    if (ret == 0) {
3530        /* Use wolfCrypt to public-encrypt with RSA key. */
3531    #if !defined(HAVE_FIPS)
3532        ret = wc_RsaPublicEncrypt_ex(from, (word32)len, to, (word32)outLen,
3533            (RsaKey*)rsa->internal, rng, pad_type, hash, mgf, NULL, 0);
3534    #else
3535        ret = wc_RsaPublicEncrypt(from, (word32)len, to, (word32)outLen,
3536            (RsaKey*)rsa->internal, rng);
3537    #endif
3538    }
3539
3540    /* Finalize RNG if initialized in WOLFSSL_RSA_GetRNG(). */
3541    if (initTmpRng) {
3542        wc_FreeRng(tmpRng);
3543    }
3544    WC_FREE_VAR_EX(tmpRng, NULL, DYNAMIC_TYPE_RNG);
3545
3546    /* wolfCrypt error means return -1. */
3547    if (ret <= 0) {
3548        ret = WOLFSSL_FATAL_ERROR;
3549    }
3550    WOLFSSL_LEAVE("wolfSSL_RSA_public_encrypt", ret);
3551    return ret;
3552}
3553
3554/* Decrypt with the RSA public key.
3555 *
3556 * Return compliant with OpenSSL.
3557 *
3558 * @param [in]  len      Length of encrypted data.
3559 * @param [in]  from     Encrypted data.
3560 * @param [out] to       Decrypted data.
3561 * @param [in]  rsa      RSA key.
3562 * @param [in]  padding  Type of padding to around plaintext to remove.
3563 * @return  Size of decrypted data on success.
3564 * @return  -1 on failure.
3565 */
3566int wolfSSL_RSA_private_decrypt(int len, const unsigned char* from,
3567    unsigned char* to, WOLFSSL_RSA* rsa, int padding)
3568{
3569    int ret = 0;
3570#if !defined(HAVE_FIPS)
3571    int mgf = WC_MGF1NONE;
3572    enum wc_HashType hash = WC_HASH_TYPE_NONE;
3573    int pad_type = WC_RSA_NO_PAD;
3574#endif
3575    int outLen = 0;
3576
3577    WOLFSSL_ENTER("wolfSSL_RSA_private_decrypt");
3578
3579    /* Validate parameters. */
3580    if ((len < 0) || (rsa == NULL) || (rsa->internal == NULL) ||
3581            (from == NULL)) {
3582        WOLFSSL_ERROR_MSG("Bad function arguments");
3583        ret = WOLFSSL_FATAL_ERROR;
3584    }
3585
3586    if (ret == 0) {
3587    #if !defined(HAVE_FIPS)
3588        switch (padding) {
3589        case WC_RSA_PKCS1_PADDING:
3590            pad_type = WC_RSA_PKCSV15_PAD;
3591            break;
3592        case WC_RSA_PKCS1_OAEP_PADDING:
3593            pad_type = WC_RSA_OAEP_PAD;
3594            hash = WC_HASH_TYPE_SHA;
3595            mgf = WC_MGF1SHA1;
3596            break;
3597        case WC_RSA_NO_PAD:
3598            pad_type = WC_RSA_NO_PAD;
3599            break;
3600        default:
3601            WOLFSSL_ERROR_MSG("RSA_private_decrypt unsupported padding");
3602            ret = WOLFSSL_FATAL_ERROR;
3603        }
3604    #else
3605        /* Check for supported padding schemes in FIPS. */
3606        /* TODO: Do we support more schemes in later versions of FIPS? */
3607        if (padding != WC_RSA_PKCS1_PADDING) {
3608            WOLFSSL_ERROR_MSG("RSA_public_encrypt pad type not supported in "
3609                              "FIPS");
3610            ret = WOLFSSL_FATAL_ERROR;
3611        }
3612    #endif
3613    }
3614
3615    /* Set wolfCrypt RSA key data from external if not already done. */
3616    if ((ret == 0) && (!rsa->inSet) && (SetRsaInternal(rsa) != 1)) {
3617        ret = WOLFSSL_FATAL_ERROR;
3618    }
3619
3620    if (ret == 0) {
3621        /* Calculate maximum length of decrypted data. */
3622        outLen = wolfSSL_RSA_size(rsa);
3623        if (outLen == 0) {
3624            WOLFSSL_ERROR_MSG("Bad RSA size");
3625            ret = WOLFSSL_FATAL_ERROR;
3626        }
3627    }
3628
3629    if (ret == 0) {
3630        /* Use wolfCrypt to private-decrypt with RSA key.
3631         * Size of 'to' buffer must be size of RSA key */
3632    #if !defined(HAVE_FIPS)
3633        ret = wc_RsaPrivateDecrypt_ex(from, (word32)len, to, (word32)outLen,
3634            (RsaKey*)rsa->internal, pad_type, hash, mgf, NULL, 0);
3635    #else
3636        ret = wc_RsaPrivateDecrypt(from, (word32)len, to, (word32)outLen,
3637            (RsaKey*)rsa->internal);
3638    #endif
3639    }
3640
3641    /* wolfCrypt error means return -1. */
3642    if (ret <= 0) {
3643        ret = WOLFSSL_FATAL_ERROR;
3644    }
3645    WOLFSSL_LEAVE("wolfSSL_RSA_private_decrypt", ret);
3646    return ret;
3647}
3648
3649/* Decrypt with the RSA public key.
3650 *
3651 * @param [in]  len      Length of encrypted data.
3652 * @param [in]  from     Encrypted data.
3653 * @param [out] to       Decrypted data.
3654 * @param [in]  rsa      RSA key.
3655 * @param [in]  padding  Type of padding to around plaintext to remove.
3656 * @return  Size of decrypted data on success.
3657 * @return  -1 on failure.
3658 */
3659int wolfSSL_RSA_public_decrypt(int len, const unsigned char* from,
3660    unsigned char* to, WOLFSSL_RSA* rsa, int padding)
3661{
3662    int ret = 0;
3663#if !defined(HAVE_SELFTEST) && (!defined(HAVE_FIPS) || FIPS_VERSION_GT(2,0))
3664    int pad_type = WC_RSA_NO_PAD;
3665#endif
3666    int outLen = 0;
3667
3668    WOLFSSL_ENTER("wolfSSL_RSA_public_decrypt");
3669
3670    /* Validate parameters. */
3671    if ((len < 0) || (rsa == NULL) || (rsa->internal == NULL) ||
3672            (from == NULL)) {
3673        WOLFSSL_ERROR_MSG("Bad function arguments");
3674        ret = WOLFSSL_FATAL_ERROR;
3675    }
3676
3677    if (ret == 0) {
3678    #if !defined(HAVE_SELFTEST) && (!defined(HAVE_FIPS) || FIPS_VERSION_GT(2,0))
3679        switch (padding) {
3680        case WC_RSA_PKCS1_PADDING:
3681            pad_type = WC_RSA_PKCSV15_PAD;
3682            break;
3683        case WC_RSA_NO_PAD:
3684            pad_type = WC_RSA_NO_PAD;
3685            break;
3686        /* TODO: RSA_X931_PADDING not supported */
3687        default:
3688            WOLFSSL_ERROR_MSG("RSA_public_decrypt unsupported padding");
3689            ret = WOLFSSL_FATAL_ERROR;
3690        }
3691    #else
3692        if (padding != WC_RSA_PKCS1_PADDING) {
3693            WOLFSSL_ERROR_MSG("RSA_public_decrypt pad type not supported in "
3694                              "FIPS");
3695            ret = WOLFSSL_FATAL_ERROR;
3696        }
3697    #endif
3698    }
3699
3700    /* Set wolfCrypt RSA key data from external if not already done. */
3701    if ((ret == 0) && (!rsa->inSet) && (SetRsaInternal(rsa) != 1)) {
3702        ret = WOLFSSL_FATAL_ERROR;
3703    }
3704
3705    if (ret == 0) {
3706        /* Calculate maximum length of encrypted data. */
3707        outLen = wolfSSL_RSA_size(rsa);
3708        if (outLen == 0) {
3709            WOLFSSL_ERROR_MSG("Bad RSA size");
3710            ret = WOLFSSL_FATAL_ERROR;
3711        }
3712    }
3713
3714    if (ret == 0) {
3715        /* Use wolfCrypt to public-decrypt with RSA key. */
3716    #if !defined(HAVE_SELFTEST) && (!defined(HAVE_FIPS) || FIPS_VERSION_GT(2,0))
3717        /* Size of 'to' buffer must be size of RSA key. */
3718        ret = wc_RsaSSL_Verify_ex(from, (word32)len, to, (word32)outLen,
3719            (RsaKey*)rsa->internal, pad_type);
3720    #else
3721        /* For FIPS v1/v2 only PKCSV15 padding is supported */
3722        ret = wc_RsaSSL_Verify(from, (word32)len, to, (word32)outLen,
3723            (RsaKey*)rsa->internal);
3724    #endif
3725    }
3726
3727    /* wolfCrypt error means return -1. */
3728    if (ret <= 0) {
3729        ret = WOLFSSL_FATAL_ERROR;
3730    }
3731    WOLFSSL_LEAVE("wolfSSL_RSA_public_decrypt", ret);
3732    return ret;
3733}
3734
3735/* Encrypt with the RSA private key.
3736 *
3737 * Calls wc_RsaSSL_Sign.
3738 *
3739 * @param [in]  len      Length of data to encrypt.
3740 * @param [in]  from     Data to encrypt.
3741 * @param [out] to       Encrypted data.
3742 * @param [in]  rsa      RSA key.
3743 * @param [in]  padding  Type of padding to place around plaintext.
3744 * @return  Size of encrypted data on success.
3745 * @return  -1 on failure.
3746 */
3747int wolfSSL_RSA_private_encrypt(int len, const unsigned char* from,
3748    unsigned char* to, WOLFSSL_RSA* rsa, int padding)
3749{
3750    int ret = 0;
3751    int initTmpRng = 0;
3752    WC_RNG *rng = NULL;
3753#ifdef WOLFSSL_SMALL_STACK
3754    WC_RNG* tmpRng = NULL;
3755#else
3756    WC_RNG  _tmpRng[1];
3757    WC_RNG* tmpRng = _tmpRng;
3758#endif
3759
3760    WOLFSSL_ENTER("wolfSSL_RSA_private_encrypt");
3761
3762    /* Validate parameters. */
3763    if ((len < 0) || (rsa == NULL) || (rsa->internal == NULL) ||
3764            (from == NULL)) {
3765        WOLFSSL_ERROR_MSG("Bad function arguments");
3766        ret = WOLFSSL_FATAL_ERROR;
3767    }
3768
3769    if (ret == 0) {
3770        switch (padding) {
3771        case WC_RSA_PKCS1_PADDING:
3772    #ifdef WC_RSA_NO_PADDING
3773        case WC_RSA_NO_PAD:
3774    #endif
3775            break;
3776        /* TODO: RSA_X931_PADDING not supported */
3777        default:
3778            WOLFSSL_ERROR_MSG("RSA_private_encrypt unsupported padding");
3779            ret = WOLFSSL_FATAL_ERROR;
3780        }
3781    }
3782
3783    /* Set wolfCrypt RSA key data from external if not already done. */
3784    if ((ret == 0) && (!rsa->inSet) && (SetRsaInternal(rsa) != 1)) {
3785        ret = WOLFSSL_FATAL_ERROR;
3786    }
3787
3788    if (ret == 0) {
3789        /* Get an RNG. */
3790        rng = WOLFSSL_RSA_GetRNG(rsa, (WC_RNG**)&tmpRng, &initTmpRng);
3791        if (rng == NULL) {
3792            ret = WOLFSSL_FATAL_ERROR;
3793        }
3794    }
3795
3796    if (ret == 0) {
3797        /* Use wolfCrypt to private-encrypt with RSA key.
3798         * Size of output buffer must be size of RSA key. */
3799        if (padding == WC_RSA_PKCS1_PADDING) {
3800            ret = wc_RsaSSL_Sign(from, (word32)len, to,
3801                (word32)wolfSSL_RSA_size(rsa), (RsaKey*)rsa->internal, rng);
3802        }
3803    #ifdef WC_RSA_NO_PADDING
3804        else if (padding == WC_RSA_NO_PAD) {
3805            word32 outLen = (word32)wolfSSL_RSA_size(rsa);
3806            ret = wc_RsaFunction(from, (word32)len, to, &outLen,
3807                    RSA_PRIVATE_ENCRYPT, (RsaKey*)rsa->internal, rng);
3808            if (ret == 0)
3809                ret = (int)outLen;
3810        }
3811    #endif
3812    }
3813
3814    /* Finalize RNG if initialized in WOLFSSL_RSA_GetRNG(). */
3815    if (initTmpRng) {
3816        wc_FreeRng(tmpRng);
3817    }
3818    WC_FREE_VAR_EX(tmpRng, NULL, DYNAMIC_TYPE_RNG);
3819
3820    /* wolfCrypt error means return -1. */
3821    if (ret <= 0) {
3822        ret = WOLFSSL_FATAL_ERROR;
3823    }
3824    WOLFSSL_LEAVE("wolfSSL_RSA_private_encrypt", ret);
3825    return ret;
3826}
3827
3828/*
3829 * RSA misc operation APIs
3830 */
3831
3832/* Calculate d mod p-1 and q-1 into BNs.
3833 *
3834 * Not OpenSSL API.
3835 *
3836 * @param [in, out] rsa  RSA key.
3837 * @return 1 on success.
3838 * @return -1 on failure.
3839 */
3840int wolfSSL_RSA_GenAdd(WOLFSSL_RSA* rsa)
3841{
3842    int     ret = 1;
3843    int     err;
3844    mp_int* t = NULL;
3845    WC_DECLARE_VAR(tmp, mp_int, 1, 0);
3846
3847    WOLFSSL_ENTER("wolfSSL_RsaGenAdd");
3848
3849    /* Validate parameters. */
3850    if ((rsa == NULL) || (rsa->p == NULL) || (rsa->q == NULL) ||
3851            (rsa->d == NULL) || (rsa->dmp1 == NULL) || (rsa->dmq1 == NULL)) {
3852        WOLFSSL_ERROR_MSG("rsa no init error");
3853        ret = WOLFSSL_FATAL_ERROR;
3854    }
3855
3856#ifdef WOLFSSL_SMALL_STACK
3857    if (ret == 1) {
3858        tmp = (mp_int *)XMALLOC(sizeof(*tmp), rsa->heap,
3859                                     DYNAMIC_TYPE_TMP_BUFFER);
3860        if (tmp == NULL) {
3861            WOLFSSL_ERROR_MSG("Memory allocation failure");
3862            ret = WOLFSSL_FATAL_ERROR;
3863        }
3864    }
3865#endif
3866
3867    if (ret == 1) {
3868        /* Initialize temp MP integer. */
3869        if (mp_init(tmp) != MP_OKAY) {
3870            WOLFSSL_ERROR_MSG("mp_init error");
3871            ret = WOLFSSL_FATAL_ERROR;
3872        }
3873    }
3874
3875    if (ret == 1) {
3876        t = tmp;
3877
3878        /* Sub 1 from p into temp. */
3879        err = mp_sub_d((mp_int*)rsa->p->internal, 1, tmp);
3880        if (err != MP_OKAY) {
3881            WOLFSSL_ERROR_MSG("mp_sub_d error");
3882            ret = WOLFSSL_FATAL_ERROR;
3883        }
3884    }
3885    if (ret == 1) {
3886        /* Calculate d mod (p - 1) into dmp1 MP integer of BN. */
3887        err = mp_mod((mp_int*)rsa->d->internal, tmp,
3888            (mp_int*)rsa->dmp1->internal);
3889        if (err != MP_OKAY) {
3890            WOLFSSL_ERROR_MSG("mp_mod error");
3891            ret = WOLFSSL_FATAL_ERROR;
3892        }
3893    }
3894    if (ret == 1) {
3895        /* Sub 1 from q into temp. */
3896        err = mp_sub_d((mp_int*)rsa->q->internal, 1, tmp);
3897        if (err != MP_OKAY) {
3898            WOLFSSL_ERROR_MSG("mp_sub_d error");
3899            ret = WOLFSSL_FATAL_ERROR;
3900        }
3901    }
3902    if (ret == 1) {
3903        /* Calculate d mod (q - 1) into dmq1 MP integer of BN. */
3904        err = mp_mod((mp_int*)rsa->d->internal, tmp,
3905            (mp_int*)rsa->dmq1->internal);
3906        if (err != MP_OKAY) {
3907            WOLFSSL_ERROR_MSG("mp_mod error");
3908            ret = WOLFSSL_FATAL_ERROR;
3909        }
3910    }
3911
3912    mp_forcezero(t);
3913
3914#ifdef WOLFSSL_SMALL_STACK
3915    if (rsa != NULL) {
3916        XFREE(tmp, rsa->heap, DYNAMIC_TYPE_TMP_BUFFER);
3917    }
3918#endif
3919
3920    return ret;
3921}
3922
3923
3924#ifndef NO_WOLFSSL_STUB
3925/* Enable blinding for RSA key operations.
3926 *
3927 * Blinding is a compile time option in wolfCrypt.
3928 *
3929 * @param [in] rsa    RSA key. Unused.
3930 * @param [in] bnCtx  BN context to use for blinding. Unused.
3931 * @return 1 always.
3932 */
3933int wolfSSL_RSA_blinding_on(WOLFSSL_RSA* rsa, WOLFSSL_BN_CTX* bnCtx)
3934{
3935    WOLFSSL_STUB("RSA_blinding_on");
3936    WOLFSSL_ENTER("wolfSSL_RSA_blinding_on");
3937
3938    (void)rsa;
3939    (void)bnCtx;
3940
3941    return 1;  /* on by default */
3942}
3943#endif
3944
3945#endif /* OPENSSL_EXTRA */
3946
3947#endif /* !NO_RSA */
3948
3949/*******************************************************************************
3950 * END OF RSA API
3951 ******************************************************************************/
3952
3953#endif /* !WOLFSSL_PK_RSA_INCLUDED */