luna - wolfssl/wolfcrypt/src/rsa.c

   1/* rsa.c
   2 *
   3 * Copyright (C) 2006-2026 wolfSSL Inc.
   4 *
   5 * This file is part of wolfSSL.
   6 *
   7 * wolfSSL is free software; you can redistribute it and/or modify
   8 * it under the terms of the GNU General Public License as published by
   9 * the Free Software Foundation; either version 3 of the License, or
  10 * (at your option) any later version.
  11 *
  12 * wolfSSL is distributed in the hope that it will be useful,
  13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
  14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  15 * GNU General Public License for more details.
  16 *
  17 * You should have received a copy of the GNU General Public License
  18 * along with this program; if not, write to the Free Software
  19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  20 */
  21
  22/*
  23
  24DESCRIPTION
  25This library provides the interface to the RSA.
  26RSA keys can be used to encrypt, decrypt, sign and verify data.
  27
  28*/
  29
  30#include <wolfssl/wolfcrypt/libwolfssl_sources.h>
  31
  32#ifndef NO_RSA
  33
  34#if FIPS_VERSION3_GE(2,0,0)
  35    /* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */
  36    #define FIPS_NO_WRAPPERS
  37
  38       #ifdef USE_WINDOWS_API
  39               #pragma code_seg(".fipsA$j")
  40               #pragma const_seg(".fipsB$j")
  41       #endif
  42#endif
  43
  44#include <wolfssl/wolfcrypt/rsa.h>
  45#include <wolfssl/wolfcrypt/logging.h>
  46
  47#ifdef WOLFSSL_AFALG_XILINX_RSA
  48#include <wolfssl/wolfcrypt/port/af_alg/wc_afalg.h>
  49#endif
  50#if defined(WOLFSSL_XILINX_CRYPT_VERSAL)
  51#include <xsecure_rsaclient.h>
  52#endif
  53#if defined(WOLFSSL_SE050) && !defined(WOLFSSL_SE050_NO_RSA)
  54#include <wolfssl/wolfcrypt/port/nxp/se050_port.h>
  55#endif
  56#ifdef WOLFSSL_HAVE_SP_RSA
  57#include <wolfssl/wolfcrypt/sp.h>
  58#endif
  59#if defined(WOLFSSL_NXP_CASPER_RSA_PUB_EXPTMOD)
  60#include <wolfssl/wolfcrypt/port/nxp/casper_port.h>
  61#endif
  62
  63#if defined(WOLFSSL_USE_SAVE_VECTOR_REGISTERS) && !defined(WOLFSSL_SP_ASM)
  64    /* force off unneeded vector register save/restore. */
  65    #undef SAVE_VECTOR_REGISTERS
  66    #define SAVE_VECTOR_REGISTERS(fail_clause) SAVE_NO_VECTOR_REGISTERS(fail_clause)
  67    #undef RESTORE_VECTOR_REGISTERS
  68    #define RESTORE_VECTOR_REGISTERS() RESTORE_NO_VECTOR_REGISTERS()
  69#endif
  70
  71/*
  72 * RSA Build Options:
  73 *
  74 * Core:
  75 * NO_RSA:                  Disable RSA support entirely            default: off
  76 * WOLFSSL_RSA_PUBLIC_ONLY: Only include RSA public key operations  default: off
  77 * WOLFSSL_RSA_VERIFY_ONLY: Only include RSA verify operation       default: off
  78 * WOLFSSL_RSA_VERIFY_INLINE: RSA verify inline (no output copy)   default: off
  79 * WC_RSA_DIRECT:           Enable direct RSA encrypt/decrypt API   default: off
  80 * WC_RSA_NO_PADDING:       Enable no-padding RSA mode              default: off
  81 * WOLFSSL_RSA_KEY_CHECK:   Enable RSA key pair consistency check   default: off
  82 * WOLFSSL_RSA_CHECK_D_ON_DECRYPT: Validate private exponent d     default: off
  83 *                           before each decrypt operation
  84 * WOLFSSL_RSA_DECRYPT_TO_0_LEN: Allow RSA decrypt result of 0     default: off
  85 *                           length (empty plaintext)
  86 * NO_RSA_BOUNDS_CHECK:     Disable RSA bounds checking on input    default: off
  87 * SHOW_GEN:                Show key generation progress dots        default: off
  88 *
  89 * Padding:
  90 * WC_RSA_PSS:              Enable RSA-PSS signature support        default: off
  91 * WC_NO_RSA_OAEP:          Disable RSA OAEP padding                default: off
  92 * WOLFSSL_PSS_LONG_SALT:   Allow PSS salt longer than hash length  default: off
  93 * WOLFSSL_PSS_SALT_LEN_DISCOVER: Auto-discover PSS salt length    default: off
  94 *                           during verification
  95 *
  96 * Performance:
  97 * WC_RSA_BLINDING:         Use blinding with private key ops       default: on
  98 *                           Note: ~20% slower, protects against
  99 *                           timing side-channels
 100 * RSA_LOW_MEM:             Non-CRT private ops, less memory        default: off
 101 * WC_RSA_NONBLOCK:         Non-blocking RSA operations             default: off
 102 * WC_RSA_NONBLOCK_TIME:    Time-based non-blocking RSA             default: off
 103 * WOLFSSL_MP_INVMOD_CONSTANT_TIME: Constant-time modular inverse  default: off
 104 * WC_RSA_NO_FERMAT_CHECK:  Skip Fermat factorization check on     default: off
 105 *                           key generation (p and q closeness)
 106 *
 107 * Key Generation:
 108 * WOLFSSL_KEY_GEN:         Enable RSA private key generation       default: off
 109 * FP_MAX_BITS:             Max key bits with USE_FAST_MATH         default: 4096
 110 *                           Value is key size * 2 (e.g. RSA 3072 = 6144)
 111 *
 112 * SP Math:
 113 * WOLFSSL_HAVE_SP_RSA:     Use SP math for RSA operations          default: off
 114 * WOLFSSL_SP_MATH:         Use SP math only (no multi-precision)   default: off
 115 * WOLFSSL_SP_MATH_ALL:     SP math for all key sizes               default: off
 116 * WOLFSSL_SP_NO_2048:      Disable SP RSA 2048-bit support         default: off
 117 * WOLFSSL_SP_NO_3072:      Disable SP RSA 3072-bit support         default: off
 118 * WOLFSSL_SP_4096:         Enable SP RSA 4096-bit support          default: off
 119 * WOLFSSL_SP_ASM:          Use SP assembly optimizations           default: off
 120 *
 121 * Hardware Acceleration (RSA-specific):
 122 * WC_ASYNC_ENABLE_RSA:     Enable async RSA operations             default: off
 123 * WOLFSSL_KCAPI_RSA:       Linux kernel crypto API for RSA         default: off
 124 * WOLFSSL_AFALG_XILINX_RSA: AF_ALG Xilinx RSA acceleration        default: off
 125 * WOLFSSL_SE050_NO_RSA:    Disable SE050 RSA                       default: off
 126 * WOLFSSL_XILINX_CRYPT:    Xilinx crypto RSA acceleration          default: off
 127 */
 128
 129
 130#include <wolfssl/wolfcrypt/random.h>
 131#ifdef WOLF_CRYPTO_CB
 132    #include <wolfssl/wolfcrypt/cryptocb.h>
 133#endif
 134#ifdef NO_INLINE
 135    #include <wolfssl/wolfcrypt/misc.h>
 136#else
 137    #define WOLFSSL_MISC_INCLUDED
 138    #include <wolfcrypt/src/misc.c>
 139#endif
 140
 141#if FIPS_VERSION3_GE(6,0,0)
 142    const unsigned int wolfCrypt_FIPS_rsa_ro_sanity[2] =
 143                                                     { 0x1a2b3c4d, 0x00000012 };
 144    int wolfCrypt_FIPS_RSA_sanity(void)
 145    {
 146        return 0;
 147    }
 148#endif
 149
 150enum {
 151    RSA_STATE_NONE = 0,
 152
 153    RSA_STATE_ENCRYPT_PAD,
 154    RSA_STATE_ENCRYPT_EXPTMOD,
 155    RSA_STATE_ENCRYPT_RES,
 156
 157    RSA_STATE_DECRYPT_EXPTMOD,
 158    RSA_STATE_DECRYPT_UNPAD,
 159    RSA_STATE_DECRYPT_RES
 160};
 161
 162static void wc_RsaCleanup(RsaKey* key)
 163{
 164#if !defined(WOLFSSL_NO_MALLOC) && (defined(WOLFSSL_ASYNC_CRYPT) || \
 165    (!defined(WOLFSSL_RSA_VERIFY_ONLY) && !defined(WOLFSSL_RSA_VERIFY_INLINE)))
 166    if (key != NULL) {
 167    #ifndef WOLFSSL_RSA_PUBLIC_ONLY
 168        /* if private operation zero temp buffer */
 169        if ((key->data != NULL && key->dataLen > 0) &&
 170            (key->type == RSA_PRIVATE_DECRYPT ||
 171             key->type == RSA_PRIVATE_ENCRYPT)) {
 172            ForceZero(key->data, key->dataLen);
 173        }
 174    #endif
 175        /* make sure any allocated memory is free'd */
 176        if (key->dataIsAlloc) {
 177            XFREE(key->data, key->heap, DYNAMIC_TYPE_WOLF_BIGINT);
 178            key->dataIsAlloc = 0;
 179        }
 180
 181        key->data = NULL;
 182        key->dataLen = 0;
 183    }
 184#else
 185    (void)key;
 186#endif
 187}
 188
 189#ifndef WC_NO_CONSTRUCTORS
 190
 191#define RSA_NEW_INIT_PLAIN  0
 192#ifdef WOLF_PRIVATE_KEY_ID
 193#define RSA_NEW_INIT_ID     1
 194#define RSA_NEW_INIT_LABEL  2
 195#endif
 196
 197static RsaKey* _NewRsaKey_common(void* heap, int devId, int *result_code,
 198                                  int rsaInitType, unsigned char* id,
 199                                  int idLen, const char* label)
 200{
 201    int ret;
 202    RsaKey* key = (RsaKey*)XMALLOC(sizeof(RsaKey), heap, DYNAMIC_TYPE_RSA);
 203    if (key == NULL) {
 204        ret = MEMORY_E;
 205    }
 206    else {
 207        switch (rsaInitType) {
 208#ifdef WOLF_PRIVATE_KEY_ID
 209        case RSA_NEW_INIT_ID:
 210            if (id == NULL || idLen == 0 || label != NULL) {
 211                ret = BAD_FUNC_ARG;
 212            }
 213            else {
 214                ret = wc_InitRsaKey_Id(key, id, idLen, heap, devId);
 215            }
 216            break;
 217        case RSA_NEW_INIT_LABEL:
 218            if (label == NULL || id != NULL || idLen != 0) {
 219                ret = BAD_FUNC_ARG;
 220            }
 221            else {
 222                ret = wc_InitRsaKey_Label(key, label, heap, devId);
 223            }
 224            break;
 225#endif
 226        default:
 227            if (id != NULL || idLen != 0 || label != NULL) {
 228                ret = BAD_FUNC_ARG;
 229            }
 230            else {
 231                ret = wc_InitRsaKey_ex(key, heap, devId);
 232            }
 233            break;
 234        }
 235        if (ret != 0) {
 236            XFREE(key, heap, DYNAMIC_TYPE_RSA);
 237            key = NULL;
 238        }
 239    }
 240    (void)rsaInitType;
 241    (void)id;
 242    (void)idLen;
 243    (void)label;
 244
 245    if (result_code != NULL) {
 246        *result_code = ret;
 247    }
 248
 249    return key;
 250}
 251
 252RsaKey* wc_NewRsaKey(void* heap, int devId, int *result_code)
 253{
 254    return _NewRsaKey_common(heap, devId, result_code,
 255                             RSA_NEW_INIT_PLAIN, NULL, 0, NULL);
 256}
 257
 258#ifdef WOLF_PRIVATE_KEY_ID
 259RsaKey* wc_NewRsaKey_Id(unsigned char* id, int len, void* heap, int devId,
 260                         int *result_code)
 261{
 262    return _NewRsaKey_common(heap, devId, result_code,
 263                             RSA_NEW_INIT_ID, id, len, NULL);
 264}
 265
 266RsaKey* wc_NewRsaKey_Label(const char* label, void* heap, int devId,
 267                            int *result_code)
 268{
 269    return _NewRsaKey_common(heap, devId, result_code,
 270                             RSA_NEW_INIT_LABEL, NULL, 0, label);
 271}
 272#endif /* WOLF_PRIVATE_KEY_ID */
 273
 274int wc_DeleteRsaKey(RsaKey* key, RsaKey** key_p)
 275{
 276    void* heap;
 277    if (key == NULL) {
 278        return BAD_FUNC_ARG;
 279    }
 280    heap = key->heap;
 281    wc_FreeRsaKey(key);
 282    XFREE(key, heap, DYNAMIC_TYPE_RSA);
 283    if (key_p != NULL) {
 284        *key_p = NULL;
 285    }
 286    return 0;
 287}
 288#endif /* !WC_NO_CONSTRUCTORS */
 289
 290int wc_InitRsaKey_ex(RsaKey* key, void* heap, int devId)
 291{
 292    int ret = 0;
 293
 294    if (key == NULL) {
 295        return BAD_FUNC_ARG;
 296    }
 297
 298    XMEMSET(key, 0, sizeof(RsaKey));
 299
 300    key->type = RSA_TYPE_UNKNOWN;
 301    key->state = RSA_STATE_NONE;
 302    key->heap = heap;
 303#if !defined(WOLFSSL_NO_MALLOC) && (defined(WOLFSSL_ASYNC_CRYPT) || \
 304    (!defined(WOLFSSL_RSA_VERIFY_ONLY) && !defined(WOLFSSL_RSA_VERIFY_INLINE)))
 305    key->dataIsAlloc = 0;
 306#endif
 307
 308#ifdef WOLF_CRYPTO_CB
 309    key->devId = devId;
 310#else
 311    (void)devId;
 312#endif
 313
 314#ifdef WOLFSSL_ASYNC_CRYPT
 315    #ifdef WOLFSSL_CERT_GEN
 316        XMEMSET(&key->certSignCtx, 0, sizeof(CertSignCtx));
 317    #endif
 318
 319    #ifdef WC_ASYNC_ENABLE_RSA
 320        #ifdef WOLF_CRYPTO_CB
 321        /* prefer crypto callback */
 322        if (key->devId != INVALID_DEVID)
 323        #endif
 324        {
 325            /* handle as async */
 326            ret = wolfAsync_DevCtxInit(&key->asyncDev,
 327                    WOLFSSL_ASYNC_MARKER_RSA, key->heap, devId);
 328            if (ret != 0)
 329                return ret;
 330        }
 331    #endif /* WC_ASYNC_ENABLE_RSA */
 332#endif /* WOLFSSL_ASYNC_CRYPT */
 333
 334#ifndef WOLFSSL_RSA_PUBLIC_ONLY
 335    ret = mp_init_multi(&key->n, &key->e, NULL, NULL, NULL, NULL);
 336    if (ret != MP_OKAY)
 337        return ret;
 338
 339#if !defined(WOLFSSL_KEY_GEN) && !defined(OPENSSL_EXTRA) && defined(RSA_LOW_MEM)
 340    ret = mp_init_multi(&key->d, &key->p, &key->q, NULL, NULL, NULL);
 341#else
 342    ret = mp_init_multi(&key->d, &key->p, &key->q, &key->dP, &key->dQ, &key->u);
 343#endif
 344    if (ret != MP_OKAY) {
 345        mp_clear(&key->n);
 346        mp_clear(&key->e);
 347        return ret;
 348    }
 349#else
 350    ret = mp_init(&key->n);
 351    if (ret != MP_OKAY)
 352        return ret;
 353    ret = mp_init(&key->e);
 354    if (ret != MP_OKAY) {
 355        mp_clear(&key->n);
 356        return ret;
 357    }
 358#endif
 359
 360#ifdef WOLFSSL_XILINX_CRYPT
 361    key->pubExp = 0;
 362    key->mod    = NULL;
 363#endif
 364
 365#ifdef WOLFSSL_AFALG_XILINX_RSA
 366    key->alFd = WC_SOCK_NOTSET;
 367    key->rdFd = WC_SOCK_NOTSET;
 368#endif
 369
 370#ifdef WOLFSSL_KCAPI_RSA
 371    key->handle = NULL;
 372#endif
 373
 374#if defined(WOLFSSL_RENESAS_FSPSM)
 375    key->ctx.wrapped_pri1024_key = NULL;
 376    key->ctx.wrapped_pub1024_key = NULL;
 377    key->ctx.wrapped_pri2048_key = NULL;
 378    key->ctx.wrapped_pub2048_key = NULL;
 379    key->ctx.keySz = 0;
 380#endif
 381
 382    return ret;
 383}
 384
 385int wc_InitRsaKey(RsaKey* key, void* heap)
 386{
 387    return wc_InitRsaKey_ex(key, heap, INVALID_DEVID);
 388}
 389
 390#ifdef WOLF_PRIVATE_KEY_ID
 391int wc_InitRsaKey_Id(RsaKey* key, unsigned char* id, int len, void* heap,
 392                     int devId)
 393{
 394    int ret = 0;
 395#if defined(WOLFSSL_SE050) && !defined(WOLFSSL_SE050_NO_RSA)
 396    /* SE050 TLS users store a word32 at id, need to cast back */
 397    word32* keyPtr = NULL;
 398#endif
 399
 400    if (key == NULL)
 401        ret = BAD_FUNC_ARG;
 402    if (ret == 0 && (len < 0 || len > RSA_MAX_ID_LEN))
 403        ret = BUFFER_E;
 404    if (ret == 0)
 405        ret = wc_InitRsaKey_ex(key, heap, devId);
 406    if (ret == 0 && id != NULL && len != 0) {
 407        XMEMCPY(key->id, id, (size_t)len);
 408        key->idLen = len;
 409    #if defined(WOLFSSL_SE050) && !defined(WOLFSSL_SE050_NO_RSA)
 410        /* Set SE050 ID from word32, populate RsaKey with public from SE050 */
 411        if (len == (int)sizeof(word32)) {
 412            keyPtr = (word32*)key->id;
 413            ret = wc_RsaUseKeyId(key, *keyPtr, 0);
 414        }
 415    #endif
 416    }
 417
 418    return ret;
 419}
 420
 421int wc_InitRsaKey_Label(RsaKey* key, const char* label, void* heap, int devId)
 422{
 423    int ret = 0;
 424    int labelLen = 0;
 425
 426    if (key == NULL || label == NULL)
 427        ret = BAD_FUNC_ARG;
 428    if (ret == 0) {
 429        labelLen = (int)XSTRLEN(label);
 430        if (labelLen == 0 || labelLen > RSA_MAX_LABEL_LEN)
 431            ret = BUFFER_E;
 432    }
 433    if (ret == 0)
 434        ret = wc_InitRsaKey_ex(key, heap, devId);
 435    if (ret == 0) {
 436        XMEMCPY(key->label, label, (size_t)labelLen);
 437        key->labelLen = labelLen;
 438    }
 439
 440    return ret;
 441}
 442#endif /* WOLF_PRIVATE_KEY_ID */
 443
 444
 445#ifdef WOLFSSL_XILINX_CRYPT
 446#define MAX_E_SIZE 4
 447/* Used to setup hardware state
 448 *
 449 * key  the RSA key to setup
 450 *
 451 * returns 0 on success
 452 */
 453int wc_InitRsaHw(RsaKey* key)
 454{
 455    unsigned char* m; /* RSA modulus */
 456    word32 e = 0;     /* RSA public exponent */
 457    int mSz;
 458    int eSz;
 459    int ret;
 460
 461    if (key == NULL) {
 462        return BAD_FUNC_ARG;
 463    }
 464
 465    mSz = mp_unsigned_bin_size(&(key->n));
 466#if defined(WOLFSSL_XILINX_CRYPT_VERSAL)
 467    if (mSz > WOLFSSL_XSECURE_RSA_KEY_SIZE) {
 468        return BAD_FUNC_ARG;
 469    }
 470    /* Allocate 4 bytes more for the public exponent. */
 471    m = (unsigned char*) XMALLOC(WOLFSSL_XSECURE_RSA_KEY_SIZE + 4, key->heap,
 472                                 DYNAMIC_TYPE_KEY);
 473#else
 474    m = (unsigned char*)XMALLOC(mSz, key->heap, DYNAMIC_TYPE_KEY);
 475#endif
 476    if (m == NULL) {
 477        return MEMORY_E;
 478    }
 479
 480    if (mp_to_unsigned_bin(&(key->n), m) != MP_OKAY) {
 481        WOLFSSL_MSG("Unable to get RSA key modulus");
 482        XFREE(m, key->heap, DYNAMIC_TYPE_KEY);
 483        return MP_READ_E;
 484    }
 485#if defined(WOLFSSL_XILINX_CRYPT_VERSAL)
 486    XMEMSET(m + mSz, 0, WOLFSSL_XSECURE_RSA_KEY_SIZE + 4 - mSz);
 487#endif
 488
 489    eSz = mp_unsigned_bin_size(&(key->e));
 490    if (eSz > MAX_E_SIZE) {
 491        WOLFSSL_MSG("Exponent of size 4 bytes expected");
 492        XFREE(m, key->heap, DYNAMIC_TYPE_KEY);
 493        return BAD_FUNC_ARG;
 494    }
 495
 496    if (mp_to_unsigned_bin(&(key->e), (byte*)&e + (MAX_E_SIZE - eSz))
 497                != MP_OKAY) {
 498        XFREE(m, key->heap, DYNAMIC_TYPE_KEY);
 499        WOLFSSL_MSG("Unable to get RSA key exponent");
 500        return MP_READ_E;
 501    }
 502
 503    /* check for existing mod buffer to avoid memory leak */
 504    XFREE(key->mod, key->heap, DYNAMIC_TYPE_KEY);
 505
 506    key->pubExp = e;
 507    key->mod    = m;
 508
 509#if defined(WOLFSSL_XILINX_CRYPT_VERSAL)
 510    ret = wc_InitXsecure(&(key->xSec));
 511    if (ret != 0) {
 512        WOLFSSL_MSG("Unable to initialize xSecure for RSA");
 513        XFREE(m, key->heap, DYNAMIC_TYPE_KEY);
 514        return ret;
 515    }
 516    XMEMCPY(&m[WOLFSSL_XSECURE_RSA_KEY_SIZE], &e, sizeof(e));
 517    key->mSz = mSz;
 518#else
 519    if (XSecure_RsaInitialize(&(key->xRsa), key->mod, NULL,
 520                (byte*)&(key->pubExp)) != XST_SUCCESS) {
 521        WOLFSSL_MSG("Unable to initialize RSA on hardware");
 522        XFREE(m, key->heap, DYNAMIC_TYPE_KEY);
 523        return BAD_STATE_E;
 524    }
 525
 526#ifdef WOLFSSL_XILINX_PATCH
 527   /* currently a patch of xsecure_rsa.c for 2048 bit keys */
 528   if (wc_RsaEncryptSize(key) == 256) {
 529       if (XSecure_RsaSetSize(&(key->xRsa), 2048) != XST_SUCCESS) {
 530           WOLFSSL_MSG("Unable to set RSA key size on hardware");
 531           XFREE(m, key->heap, DYNAMIC_TYPE_KEY);
 532           return BAD_STATE_E;
 533       }
 534   }
 535#endif
 536#endif
 537    return 0;
 538} /* WOLFSSL_XILINX_CRYPT*/
 539
 540#elif defined(WOLFSSL_CRYPTOCELL)
 541
 542int wc_InitRsaHw(RsaKey* key)
 543{
 544    CRYSError_t ret = 0;
 545    byte e[3];
 546    word32 eSz = sizeof(e);
 547    byte n[256];
 548    word32 nSz = sizeof(n);
 549    byte d[256];
 550    word32 dSz = sizeof(d);
 551    byte p[128];
 552    word32 pSz = sizeof(p);
 553    byte q[128];
 554    word32 qSz = sizeof(q);
 555
 556    if (key == NULL) {
 557        return BAD_FUNC_ARG;
 558    }
 559
 560    ret = wc_RsaExportKey(key, e, &eSz, n, &nSz, d, &dSz, p, &pSz, q, &qSz);
 561    if (ret != 0)
 562        return MP_READ_E;
 563
 564    ret = CRYS_RSA_Build_PubKey(&key->ctx.pubKey, e, eSz, n, nSz);
 565    if (ret != SA_SILIB_RET_OK){
 566        WOLFSSL_MSG("CRYS_RSA_Build_PubKey failed");
 567        return ret;
 568    }
 569
 570    ret =  CRYS_RSA_Build_PrivKey(&key->ctx.privKey, d, dSz, e, eSz, n, nSz);
 571
 572    if (ret != SA_SILIB_RET_OK){
 573        WOLFSSL_MSG("CRYS_RSA_Build_PrivKey failed");
 574        return ret;
 575    }
 576    key->type = RSA_PRIVATE;
 577    return 0;
 578}
 579
 580static int cc310_RSA_GenerateKeyPair(RsaKey* key, int size, long e)
 581{
 582    CRYSError_t             ret = 0;
 583    CRYS_RSAKGData_t        KeyGenData;
 584    CRYS_RSAKGFipsContext_t FipsCtx;
 585    byte ex[3];
 586    word16 eSz = sizeof(ex);
 587    byte n[256];
 588    word16 nSz = sizeof(n);
 589
 590    ret = CRYS_RSA_KG_GenerateKeyPair(&wc_rndState,
 591                        wc_rndGenVectFunc,
 592                        (byte*)&e,
 593                        3*sizeof(byte),
 594                        size,
 595                        &key->ctx.privKey,
 596                        &key->ctx.pubKey,
 597                        &KeyGenData,
 598                        &FipsCtx);
 599
 600    if (ret != SA_SILIB_RET_OK){
 601        WOLFSSL_MSG("CRYS_RSA_KG_GenerateKeyPair failed");
 602        return ret;
 603    }
 604
 605    ret = CRYS_RSA_Get_PubKey(&key->ctx.pubKey, ex, &eSz, n, &nSz);
 606    if (ret != SA_SILIB_RET_OK){
 607        WOLFSSL_MSG("CRYS_RSA_Get_PubKey failed");
 608        return ret;
 609    }
 610    ret = wc_RsaPublicKeyDecodeRaw(n, nSz, ex, eSz, key);
 611
 612    key->type = RSA_PRIVATE;
 613
 614    return ret;
 615}
 616#endif /* WOLFSSL_CRYPTOCELL */
 617
 618#if defined(WOLFSSL_SE050) && !defined(WOLFSSL_SE050_NO_RSA)
 619/* Use specified hardware key ID with RsaKey operations. Unlike devId,
 620 * keyId is a word32 so can handle key IDs larger than an int.
 621 *
 622 * key    initialized RsaKey struct
 623 * keyId  hardware key ID which stores RSA key
 624 * flags  optional flags, currently unused
 625 *
 626 * Return 0 on success, negative on error */
 627int wc_RsaUseKeyId(RsaKey* key, word32 keyId, word32 flags)
 628{
 629    (void)flags;
 630
 631    if (key == NULL) {
 632        return BAD_FUNC_ARG;
 633    }
 634
 635    return se050_rsa_use_key_id(key, keyId);
 636}
 637
 638/* Get hardware key ID associated with this RsaKey structure.
 639 *
 640 * key    initialized RsaKey struct
 641 * keyId  [OUT] output for key ID associated with this structure
 642 *
 643 * Returns 0 on success, negative on error.
 644 */
 645int wc_RsaGetKeyId(RsaKey* key, word32* keyId)
 646{
 647    if (key == NULL || keyId == NULL) {
 648        return BAD_FUNC_ARG;
 649    }
 650
 651    return se050_rsa_get_key_id(key, keyId);
 652}
 653#endif /* WOLFSSL_SE050 */
 654
 655int wc_FreeRsaKey(RsaKey* key)
 656{
 657    int ret = 0;
 658
 659    if (key == NULL) {
 660        return BAD_FUNC_ARG;
 661    }
 662
 663#if defined(WOLF_CRYPTO_CB) && defined(WOLF_CRYPTO_CB_FREE)
 664    #ifndef WOLF_CRYPTO_CB_FIND
 665    if (key->devId != INVALID_DEVID)
 666    #endif
 667    {
 668        ret = wc_CryptoCb_Free(key->devId, WC_ALGO_TYPE_PK,
 669                               WC_PK_TYPE_RSA, 0, key);
 670        /* If callback wants standard free, it returns CRYPTOCB_UNAVAILABLE.
 671         * Otherwise assume the callback handled cleanup. */
 672        if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE))
 673            return ret;
 674        /* fall-through to software cleanup */
 675        ret = 0;
 676    }
 677#endif /* WOLF_CRYPTO_CB && WOLF_CRYPTO_CB_FREE */
 678
 679#if defined(WOLFSSL_SE050) && !defined(WOLFSSL_SE050_NO_RSA)
 680    se050_rsa_free_key(key);
 681#endif
 682
 683    wc_RsaCleanup(key);
 684
 685#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_RSA)
 686    wolfAsync_DevCtxFree(&key->asyncDev, WOLFSSL_ASYNC_MARKER_RSA);
 687#endif
 688
 689#ifndef WOLFSSL_RSA_PUBLIC_ONLY
 690    /* Forcezero all private key fields that are present in this build
 691     * configuration, since they may contain residual sensitive data even when
 692     * key->type is not RSA_PRIVATE (e.g., after a partial key decode failure). */
 693#if defined(WOLFSSL_KEY_GEN) || defined(OPENSSL_EXTRA) || !defined(RSA_LOW_MEM)
 694    mp_forcezero(&key->u);
 695    mp_forcezero(&key->dQ);
 696    mp_forcezero(&key->dP);
 697#endif
 698    mp_forcezero(&key->q);
 699    mp_forcezero(&key->p);
 700    mp_forcezero(&key->d);
 701#endif /* WOLFSSL_RSA_PUBLIC_ONLY */
 702
 703    /* public part */
 704    mp_clear(&key->e);
 705    mp_clear(&key->n);
 706
 707#ifdef WOLFSSL_XILINX_CRYPT
 708    XFREE(key->mod, key->heap, DYNAMIC_TYPE_KEY);
 709    key->mod = NULL;
 710#endif
 711
 712#ifdef WOLFSSL_AFALG_XILINX_RSA
 713    /* make sure that sockets are closed on cleanup */
 714    if (key->alFd > 0) {
 715        close(key->alFd);
 716        key->alFd = WC_SOCK_NOTSET;
 717    }
 718    if (key->rdFd > 0) {
 719        close(key->rdFd);
 720        key->rdFd = WC_SOCK_NOTSET;
 721    }
 722#endif
 723
 724#ifdef WOLFSSL_KCAPI_RSA
 725    KcapiRsa_Free(key);
 726#endif
 727
 728#ifdef WOLFSSL_CHECK_MEM_ZERO
 729    wc_MemZero_Check(key, sizeof(RsaKey));
 730#endif
 731
 732#if defined(WOLFSSL_RENESAS_FSPSM_CRYPTONLY)
 733    wc_fspsm_RsaKeyFree(key);
 734#endif
 735#ifdef WOLFSSL_MICROCHIP_TA100
 736    wc_Microchip_rsa_free(key);
 737#endif
 738    return ret;
 739}
 740
 741#ifdef WOLFSSL_RSA_KEY_CHECK
 742/* Check the pair-wise consistency of the RSA key. */
 743static int _ifc_pairwise_consistency_test(RsaKey* key, WC_RNG* rng)
 744{
 745    static const char* msg = "Everyone gets Friday off.";
 746#ifndef WOLFSSL_NO_MALLOC
 747    byte* sig = NULL;
 748#else
 749    byte sig[RSA_MAX_SIZE/8];
 750#endif
 751    byte* plain;
 752    int ret = 0;
 753    word32 msgLen, plainLen, sigLen;
 754
 755    msgLen = (word32)XSTRLEN(msg);
 756    ret = wc_RsaEncryptSize(key);
 757    if (ret < 0)
 758        return ret;
 759    else if (ret == 0)
 760        return BAD_FUNC_ARG;
 761    sigLen = (word32)ret;
 762
 763    WOLFSSL_MSG("Doing RSA consistency test");
 764
 765#ifndef WOLFSSL_NO_MALLOC
 766    /* Sign and verify. */
 767    sig = (byte*)XMALLOC(sigLen, key->heap, DYNAMIC_TYPE_RSA);
 768    if (sig == NULL) {
 769        return MEMORY_E;
 770    }
 771#endif
 772    XMEMSET(sig, 0, sigLen);
 773#ifdef WOLFSSL_CHECK_MEM_ZERO
 774    wc_MemZero_Add("Pairwise CT sig", sig, sigLen);
 775#endif
 776    plain = sig;
 777
 778#ifdef WOLFSSL_ASYNC_CRYPT
 779    /* Do blocking async calls here, caller does not support WC_PENDING_E */
 780    do {
 781        if (ret == WC_NO_ERR_TRACE(WC_PENDING_E))
 782            ret = wc_AsyncWait(ret, &key->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
 783        if (ret >= 0)
 784#endif
 785            ret = wc_RsaSSL_Sign((const byte*)msg, msgLen, sig, sigLen, key, rng);
 786#ifdef WOLFSSL_ASYNC_CRYPT
 787    } while (ret == WC_NO_ERR_TRACE(WC_PENDING_E));
 788#endif
 789
 790    if (ret > 0) {
 791        sigLen = (word32)ret;
 792#ifdef WOLFSSL_ASYNC_CRYPT
 793        /* Do blocking async calls here, caller does not support WC_PENDING_E */
 794        do {
 795            if (ret == WC_NO_ERR_TRACE(WC_PENDING_E))
 796                ret = wc_AsyncWait(ret, &key->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
 797            if (ret >= 0)
 798#endif
 799                ret = wc_RsaSSL_VerifyInline(sig, sigLen, &plain, key);
 800#ifdef WOLFSSL_ASYNC_CRYPT
 801        } while (ret == WC_NO_ERR_TRACE(WC_PENDING_E));
 802#endif
 803    }
 804
 805    if (ret > 0) {
 806        plainLen = (word32)ret;
 807        ret = (msgLen != plainLen) || (XMEMCMP(plain, msg, msgLen) != 0);
 808    }
 809
 810    if (ret != 0)
 811        ret = RSA_KEY_PAIR_E;
 812
 813    ForceZero(sig, sigLen);
 814#ifndef WOLFSSL_NO_MALLOC
 815    XFREE(sig, key->heap, DYNAMIC_TYPE_RSA);
 816#endif
 817
 818    return ret;
 819}
 820
 821
 822int wc_CheckRsaKey(RsaKey* key)
 823{
 824    WC_RNG *rng = NULL;
 825#if !defined(WOLFSSL_SMALL_STACK) || defined(WOLFSSL_NO_MALLOC)
 826    WC_RNG rng_buf;
 827#endif
 828    int ret = 0;
 829    DECL_MP_INT_SIZE_DYN(tmp, (key)? mp_bitsused(&key->n) : 0, RSA_MAX_SIZE);
 830
 831    if (key == NULL) {
 832        return BAD_FUNC_ARG;
 833    }
 834
 835#ifdef WOLFSSL_CAAM
 836    /* can not perform these checks on an encrypted key */
 837    if (key->blackKey != 0) {
 838        return 0;
 839    }
 840#endif
 841
 842    NEW_MP_INT_SIZE(tmp, mp_bitsused(&key->n), NULL, DYNAMIC_TYPE_RSA);
 843#ifdef MP_INT_SIZE_CHECK_NULL
 844    if (tmp == NULL) {
 845        return MEMORY_E;
 846    }
 847#endif
 848
 849    if (key->rng)
 850        rng = key->rng;
 851    else {
 852#if !defined(WOLFSSL_SMALL_STACK) || defined(WOLFSSL_NO_MALLOC)
 853        rng = &rng_buf;
 854#else
 855        rng = (WC_RNG *)XMALLOC(sizeof(*rng), NULL, DYNAMIC_TYPE_RNG);
 856        if (rng == NULL) {
 857            FREE_MP_INT_SIZE(tmp, NULL, DYNAMIC_TYPE_RSA);
 858            return MEMORY_E;
 859        }
 860#endif
 861        ret = wc_InitRng(rng);
 862        if (ret != 0) {
 863#if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_NO_MALLOC)
 864            XFREE(rng, NULL, DYNAMIC_TYPE_RNG);
 865            FREE_MP_INT_SIZE(tmp, NULL, DYNAMIC_TYPE_RSA);
 866#endif
 867            return ret;
 868        }
 869    }
 870
 871    SAVE_VECTOR_REGISTERS(ret = _svr_ret;);
 872
 873    if (ret == 0) {
 874        if (INIT_MP_INT_SIZE(tmp, mp_bitsused(&key->n)) != MP_OKAY)
 875            ret = MP_INIT_E;
 876    }
 877
 878    if (ret == 0)
 879        ret = _ifc_pairwise_consistency_test(key, rng);
 880
 881    /* Check d is less than n. */
 882    if (ret == 0 ) {
 883        if (mp_cmp(&key->d, &key->n) != MP_LT) {
 884            ret = MP_EXPTMOD_E;
 885        }
 886    }
 887    /* Check p*q = n. */
 888    if (ret == 0 ) {
 889    #ifdef WOLFSSL_CHECK_MEM_ZERO
 890        mp_memzero_add("RSA CheckKey tmp", tmp);
 891    #endif
 892        if (mp_mul(&key->p, &key->q, tmp) != MP_OKAY) {
 893            ret = MP_EXPTMOD_E;
 894        }
 895    }
 896    if (ret == 0 ) {
 897        if (mp_cmp(&key->n, tmp) != MP_EQ) {
 898            ret = MP_EXPTMOD_E;
 899        }
 900    }
 901
 902#ifndef WC_RSA_NO_FERMAT_CHECK
 903    /* Fermat's Factorization works when difference between p and q
 904     * is less than (conservatively):
 905     *     n^(1/4) + 32
 906     *  ~= 2^(bit count of n)^(1/4) + 32) = 2^((bit count of n)/4 + 32)
 907     */
 908    if (ret == 0) {
 909        ret = mp_sub(&key->p, &key->q, tmp);
 910    }
 911    if (ret == 0) {
 912        if (mp_count_bits(tmp) <= (mp_count_bits(&key->n) / 4 + 32)) {
 913            ret = MP_EXPTMOD_E;
 914        }
 915    }
 916#endif
 917
 918    /* Check dP, dQ and u if they exist */
 919    if (ret == 0 && !mp_iszero(&key->dP)) {
 920        if (mp_sub_d(&key->p, 1, tmp) != MP_OKAY) {
 921            ret = MP_EXPTMOD_E;
 922        }
 923        /* Check dP <= p-1. */
 924        if (ret == 0) {
 925            if (mp_cmp(&key->dP, tmp) != MP_LT) {
 926                ret = MP_EXPTMOD_E;
 927            }
 928        }
 929        /* Check e*dP mod p-1 = 1. (dP = 1/e mod p-1) */
 930        if (ret == 0) {
 931            if (mp_mulmod(&key->dP, &key->e, tmp, tmp) != MP_OKAY) {
 932                ret = MP_EXPTMOD_E;
 933            }
 934        }
 935        if (ret == 0 ) {
 936            if (!mp_isone(tmp)) {
 937                ret = MP_EXPTMOD_E;
 938            }
 939        }
 940
 941        if (ret == 0) {
 942            if (mp_sub_d(&key->q, 1, tmp) != MP_OKAY) {
 943                ret = MP_EXPTMOD_E;
 944            }
 945        }
 946        /* Check dQ <= q-1. */
 947        if (ret == 0) {
 948            if (mp_cmp(&key->dQ, tmp) != MP_LT) {
 949                ret = MP_EXPTMOD_E;
 950            }
 951        }
 952        /* Check e*dP mod p-1 = 1. (dQ = 1/e mod q-1) */
 953        if (ret == 0) {
 954            if (mp_mulmod(&key->dQ, &key->e, tmp, tmp) != MP_OKAY) {
 955                ret = MP_EXPTMOD_E;
 956            }
 957        }
 958        if (ret == 0 ) {
 959            if (!mp_isone(tmp)) {
 960                ret = MP_EXPTMOD_E;
 961            }
 962        }
 963
 964        /* Check u <= p. */
 965        if (ret == 0) {
 966            if (mp_cmp(&key->u, &key->p) != MP_LT) {
 967                ret = MP_EXPTMOD_E;
 968            }
 969        }
 970        /* Check u*q mod p = 1. (u = 1/q mod p) */
 971        if (ret == 0) {
 972            if (mp_mulmod(&key->u, &key->q, &key->p, tmp) != MP_OKAY) {
 973                ret = MP_EXPTMOD_E;
 974            }
 975        }
 976        if (ret == 0 ) {
 977            if (!mp_isone(tmp)) {
 978                ret = MP_EXPTMOD_E;
 979            }
 980        }
 981    }
 982
 983    mp_forcezero(tmp);
 984
 985    RESTORE_VECTOR_REGISTERS();
 986
 987    if ((rng != NULL) && (rng != key->rng)) {
 988        wc_FreeRng(rng);
 989#ifdef WOLFSSL_SMALL_STACK
 990        XFREE(rng, NULL, DYNAMIC_TYPE_RNG);
 991#endif
 992    }
 993    FREE_MP_INT_SIZE(tmp, NULL, DYNAMIC_TYPE_RSA);
 994#ifdef WOLFSSL_CHECK_MEM_ZERO
 995    mp_memzero_check(tmp);
 996#endif
 997
 998    return ret;
 999}
1000#endif /* WOLFSSL_RSA_KEY_CHECK */
1001
1002
1003#if !defined(WC_NO_RSA_OAEP) || defined(WC_RSA_PSS)
1004/* Uses MGF1 standard as a mask generation function
1005   hType: hash type used
1006   seed:  seed to use for generating mask
1007   seedSz: size of seed buffer
1008   out:   mask output after generation
1009   outSz: size of output buffer
1010 */
1011#if !defined(NO_SHA) || !defined(NO_SHA256) || defined(WOLFSSL_SHA384) || defined(WOLFSSL_SHA512)
1012static int RsaMGF1(enum wc_HashType hType, byte* seed, word32 seedSz,
1013                                        byte* out, word32 outSz, void* heap)
1014{
1015#if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_NO_MALLOC)
1016    byte* tmp = NULL;
1017    byte   tmpF = 0;     /* 1 if dynamic memory needs freed */
1018#else
1019    byte tmp[RSA_MAX_SIZE/8];
1020#endif
1021    /* needs to be large enough for seed size plus counter(4) */
1022    byte  tmpA[WC_MAX_DIGEST_SIZE + 4];
1023    word32 tmpSz = 0;
1024    int hLen;
1025    int ret;
1026    word32 counter;
1027    word32 idx;
1028#ifdef WOLFSSL_SMALL_STACK_CACHE
1029    wc_HashAlg *hash;
1030#endif
1031    hLen    = wc_HashGetDigestSize(hType);
1032    counter = 0;
1033    idx     = 0;
1034
1035    (void)heap;
1036
1037    XMEMSET(tmpA, 0, sizeof(tmpA));
1038    /* check error return of wc_HashGetDigestSize */
1039    if (hLen < 0) {
1040        return hLen;
1041    }
1042
1043    /* if tmp is not large enough than use some dynamic memory */
1044    if ((seedSz + 4) > sizeof(tmpA) || (word32)hLen > sizeof(tmpA)) {
1045        /* find largest amount of memory needed which will be the max of
1046         * hLen and (seedSz + 4) since tmp is used to store the hash digest */
1047        tmpSz = ((seedSz + 4) > (word32)hLen)? seedSz + 4: (word32)hLen;
1048#if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_NO_MALLOC)
1049        tmp = (byte*)XMALLOC(tmpSz, heap, DYNAMIC_TYPE_RSA_BUFFER);
1050        if (tmp == NULL) {
1051            return MEMORY_E;
1052        }
1053        tmpF = 1; /* make sure to free memory when done */
1054#else
1055        if (tmpSz > RSA_MAX_SIZE/8)
1056            return BAD_FUNC_ARG;
1057#endif
1058    }
1059    else {
1060        /* use array on the stack */
1061    #ifndef WOLFSSL_SMALL_STACK_CACHE
1062        tmpSz = sizeof(tmpA);
1063    #endif
1064#if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_NO_MALLOC)
1065        tmp  = tmpA;
1066        tmpF = 0; /* no need to free memory at end */
1067#endif
1068    }
1069
1070#ifdef WOLFSSL_SMALL_STACK_CACHE
1071    hash = (wc_HashAlg*)XMALLOC(sizeof(*hash), heap, DYNAMIC_TYPE_DIGEST);
1072    if (hash == NULL) {
1073    #if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_NO_MALLOC)
1074        if (tmpF) {
1075            XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER);
1076        }
1077    #endif
1078        return MEMORY_E;
1079    }
1080    ret = wc_HashInit_ex(hash, hType, heap, INVALID_DEVID);
1081    if (ret != 0) {
1082        XFREE(hash, heap, DYNAMIC_TYPE_DIGEST);
1083    #if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_NO_MALLOC)
1084        if (tmpF) {
1085            XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER);
1086        }
1087    #endif
1088        return ret;
1089    }
1090#endif
1091
1092    do {
1093        int i = 0;
1094        XMEMCPY(tmp, seed, seedSz);
1095
1096        /* counter to byte array appended to tmp */
1097        tmp[seedSz]     = (byte)((counter >> 24) & 0xFF);
1098        tmp[seedSz + 1] = (byte)((counter >> 16) & 0xFF);
1099        tmp[seedSz + 2] = (byte)((counter >>  8) & 0xFF);
1100        tmp[seedSz + 3] = (byte)((counter)       & 0xFF);
1101
1102        /* hash and append to existing output */
1103#ifdef WOLFSSL_SMALL_STACK_CACHE
1104        ret = wc_HashUpdate(hash, hType, tmp, (seedSz + 4));
1105        if (ret == 0) {
1106            ret = wc_HashFinal(hash, hType, tmp);
1107        }
1108#else
1109        ret = wc_Hash(hType, tmp, (seedSz + 4), tmp, tmpSz);
1110#endif
1111        if (ret != 0) {
1112            /* check for if dynamic memory was needed, then free */
1113#ifdef WOLFSSL_SMALL_STACK_CACHE
1114            wc_HashFree(hash, hType);
1115            XFREE(hash, heap, DYNAMIC_TYPE_DIGEST);
1116#endif
1117#if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_NO_MALLOC)
1118            if (tmpF) {
1119                XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER);
1120            }
1121#endif
1122            return ret;
1123        }
1124
1125        for (i = 0; i < hLen && idx < outSz; i++) {
1126            out[idx++] = tmp[i];
1127        }
1128        counter++;
1129    } while (idx < outSz);
1130#if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_NO_MALLOC)
1131    /* check for if dynamic memory was needed, then free */
1132    if (tmpF) {
1133        XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER);
1134    }
1135#endif
1136#ifdef WOLFSSL_SMALL_STACK_CACHE
1137    wc_HashFree(hash, hType);
1138    XFREE(hash, heap, DYNAMIC_TYPE_DIGEST);
1139#endif
1140
1141    return 0;
1142}
1143#endif /* SHA2 Hashes */
1144
1145#if defined(WOLFSSL_SHA3) && \
1146    (defined(WOLFSSL_SHAKE128) || defined(WOLFSSL_SHAKE256))
1147/* SHAKE XOF used directly as mask generation function (not MGF1).
1148 * Per FIPS 186-5, SHAKE can be used as the MGF for RSA-PSS. */
1149static int RsaMGF_SHAKE(enum wc_HashType shakeType, byte* seed, word32 seedSz,
1150                         byte* out, word32 outSz, void* heap)
1151{
1152    WC_DECLARE_VAR(shake, wc_Shake, 1, heap);
1153    int ret;
1154
1155    (void)heap;
1156    (void)shakeType;
1157
1158    WC_ALLOC_VAR_EX(shake, wc_Shake, 1, heap, DYNAMIC_TYPE_TMP_BUFFER,
1159        return MEMORY_E);
1160
1161#ifdef WOLFSSL_SHAKE128
1162    if (shakeType == WC_HASH_TYPE_SHAKE128) {
1163        ret = wc_InitShake128(shake, heap, INVALID_DEVID);
1164        if (ret == 0) {
1165            ret = wc_Shake128_Update(shake, seed, seedSz);
1166            if (ret == 0)
1167                ret = wc_Shake128_Final(shake, out, outSz);
1168            wc_Shake128_Free(shake);
1169        }
1170    }
1171    else
1172#endif
1173#ifdef WOLFSSL_SHAKE256
1174    if (shakeType == WC_HASH_TYPE_SHAKE256) {
1175        ret = wc_InitShake256(shake, heap, INVALID_DEVID);
1176        if (ret == 0) {
1177            ret = wc_Shake256_Update(shake, seed, seedSz);
1178            if (ret == 0)
1179                ret = wc_Shake256_Final(shake, out, outSz);
1180            wc_Shake256_Free(shake);
1181        }
1182    }
1183    else
1184#endif
1185    {
1186        ret = BAD_FUNC_ARG;
1187    }
1188    WC_FREE_VAR_EX(shake, heap, DYNAMIC_TYPE_TMP_BUFFER);
1189    return ret;
1190}
1191#endif /* WOLFSSL_SHA3 && (WOLFSSL_SHAKE128 || WOLFSSL_SHAKE256) */
1192
1193/* helper function to direct which mask generation function is used
1194   switched on type input
1195 */
1196static int RsaMGF(int type, byte* seed, word32 seedSz, byte* out,
1197                                                    word32 outSz, void* heap)
1198{
1199    int ret;
1200
1201    switch(type) {
1202    #ifndef NO_SHA
1203        case WC_MGF1SHA1:
1204            ret = RsaMGF1(WC_HASH_TYPE_SHA, seed, seedSz, out, outSz, heap);
1205            break;
1206    #endif
1207    #ifndef NO_SHA256
1208    #ifdef WOLFSSL_SHA224
1209        case WC_MGF1SHA224:
1210            ret = RsaMGF1(WC_HASH_TYPE_SHA224, seed, seedSz, out, outSz, heap);
1211            break;
1212    #endif
1213        case WC_MGF1SHA256:
1214            ret = RsaMGF1(WC_HASH_TYPE_SHA256, seed, seedSz, out, outSz, heap);
1215            break;
1216    #endif
1217    #ifdef WOLFSSL_SHA384
1218        case WC_MGF1SHA384:
1219            ret = RsaMGF1(WC_HASH_TYPE_SHA384, seed, seedSz, out, outSz, heap);
1220            break;
1221    #endif
1222    #ifdef WOLFSSL_SHA512
1223        case WC_MGF1SHA512:
1224            ret = RsaMGF1(WC_HASH_TYPE_SHA512, seed, seedSz, out, outSz, heap);
1225            break;
1226        #ifndef WOLFSSL_NOSHA512_224
1227        case WC_MGF1SHA512_224:
1228            ret = RsaMGF1(WC_HASH_TYPE_SHA512_224, seed, seedSz, out, outSz,
1229                heap);
1230            break;
1231        #endif
1232        #ifndef WOLFSSL_NOSHA512_256
1233        case WC_MGF1SHA512_256:
1234            ret = RsaMGF1(WC_HASH_TYPE_SHA512_256, seed, seedSz, out, outSz,
1235                heap);
1236            break;
1237        #endif
1238    #endif
1239    #ifdef WOLFSSL_SHA3
1240    #ifndef WOLFSSL_NOSHA3_224
1241        case WC_MGF1SHA3_224:
1242            ret = RsaMGF1(WC_HASH_TYPE_SHA3_224, seed, seedSz, out, outSz,
1243                heap);
1244            break;
1245    #endif
1246    #ifndef WOLFSSL_NOSHA3_256
1247        case WC_MGF1SHA3_256:
1248            ret = RsaMGF1(WC_HASH_TYPE_SHA3_256, seed, seedSz, out, outSz,
1249                heap);
1250            break;
1251    #endif
1252    #ifndef WOLFSSL_NOSHA3_384
1253        case WC_MGF1SHA3_384:
1254            ret = RsaMGF1(WC_HASH_TYPE_SHA3_384, seed, seedSz, out, outSz,
1255                heap);
1256            break;
1257    #endif
1258    #ifndef WOLFSSL_NOSHA3_512
1259        case WC_MGF1SHA3_512:
1260            ret = RsaMGF1(WC_HASH_TYPE_SHA3_512, seed, seedSz, out, outSz,
1261                heap);
1262            break;
1263    #endif
1264    #endif /* WOLFSSL_SHA3 */
1265    #if defined(WOLFSSL_SHA3) && defined(WOLFSSL_SHAKE128)
1266        case WC_MGF1SHAKE128:
1267            ret = RsaMGF1(WC_HASH_TYPE_SHAKE128, seed, seedSz, out, outSz,
1268                heap);
1269            break;
1270        case WC_MGFSHAKE128:
1271            ret = RsaMGF_SHAKE(WC_HASH_TYPE_SHAKE128, seed, seedSz, out, outSz,
1272                heap);
1273            break;
1274    #endif
1275    #if defined(WOLFSSL_SHA3) && defined(WOLFSSL_SHAKE256)
1276        case WC_MGF1SHAKE256:
1277            ret = RsaMGF1(WC_HASH_TYPE_SHAKE256, seed, seedSz, out, outSz,
1278                heap);
1279            break;
1280        case WC_MGFSHAKE256:
1281            ret = RsaMGF_SHAKE(WC_HASH_TYPE_SHAKE256, seed, seedSz, out, outSz,
1282                heap);
1283            break;
1284    #endif
1285        default:
1286            WOLFSSL_MSG("Unknown MGF type: check build options");
1287            ret = BAD_FUNC_ARG;
1288    }
1289
1290    /* in case of default avoid unused warning */
1291    (void)seed;
1292    (void)seedSz;
1293    (void)out;
1294    (void)outSz;
1295    (void)heap;
1296
1297    return ret;
1298}
1299#endif /* !WC_NO_RSA_OAEP || WC_RSA_PSS */
1300
1301
1302/* Padding */
1303#ifndef WOLFSSL_RSA_VERIFY_ONLY
1304#ifndef WC_NO_RNG
1305#ifndef WC_NO_RSA_OAEP
1306static int RsaPad_OAEP(const byte* input, word32 inputLen, byte* pkcsBlock,
1307        word32 pkcsBlockLen, byte padValue, WC_RNG* rng,
1308        enum wc_HashType hType, int mgf, byte* optLabel, word32 labelLen,
1309        void* heap)
1310{
1311    int ret;
1312    word32 hLen;
1313    int psLen;
1314    word32 idx;
1315
1316    #if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_NO_MALLOC)
1317        byte* dbMask = NULL;
1318        byte* lHash = NULL;
1319        byte* seed  = NULL;
1320    #else
1321        byte dbMask[RSA_MAX_SIZE/8 + RSA_PSS_PAD_SZ];
1322        /* must be large enough to contain largest hash */
1323        byte lHash[WC_MAX_DIGEST_SIZE];
1324        byte seed[WC_MAX_DIGEST_SIZE];
1325    #endif
1326
1327    /* no label is allowed, but catch if no label provided and length > 0 */
1328    if (optLabel == NULL && labelLen > 0) {
1329        return BUFFER_E;
1330    }
1331
1332    /* limit of label is the same as limit of hash function which is massive */
1333    ret = wc_HashGetDigestSize(hType);
1334    if (ret < 0) {
1335        return ret;
1336    }
1337    hLen = (word32)ret;
1338
1339    #if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_NO_MALLOC)
1340        lHash = (byte*)XMALLOC(hLen, heap, DYNAMIC_TYPE_RSA_BUFFER);
1341        if (lHash == NULL) {
1342            return MEMORY_E;
1343        }
1344        seed = (byte*)XMALLOC(hLen, heap, DYNAMIC_TYPE_RSA_BUFFER);
1345        if (seed == NULL) {
1346            XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
1347            return MEMORY_E;
1348        }
1349    #else
1350        /* hLen should never be larger than lHash since size is max digest size,
1351           but check before blindly calling wc_Hash */
1352        if (hLen > sizeof(lHash)) {
1353            WOLFSSL_MSG("OAEP lHash to small for digest!!");
1354            return MEMORY_E;
1355        }
1356    #endif
1357
1358    if ((ret = wc_Hash(hType, optLabel, labelLen, lHash, hLen)) != 0) {
1359        WOLFSSL_MSG("OAEP hash type possibly not supported or lHash to small");
1360            WC_FREE_VAR_EX(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
1361            WC_FREE_VAR_EX(seed, heap, DYNAMIC_TYPE_RSA_BUFFER);
1362        return ret;
1363    }
1364
1365    /* handles check of location for idx as well as psLen, cast to int to check
1366       for pkcsBlockLen(k) - 2 * hLen - 2 being negative
1367       This check is similar to decryption where k > 2 * hLen + 2 as msg
1368       size approaches 0. In decryption if k is less than or equal -- then there
1369       is no possible room for msg.
1370       k = RSA key size
1371       hLen = hash digest size -- will always be >= 0 at this point
1372     */
1373    if ((2 * hLen + 2) > pkcsBlockLen) {
1374        WOLFSSL_MSG("OAEP pad error hash to big for RSA key size");
1375            WC_FREE_VAR_EX(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
1376            WC_FREE_VAR_EX(seed, heap, DYNAMIC_TYPE_RSA_BUFFER);
1377        return BAD_FUNC_ARG;
1378    }
1379
1380    if (inputLen > (pkcsBlockLen - 2 * hLen - 2)) {
1381        WOLFSSL_MSG("OAEP pad error message too long");
1382            WC_FREE_VAR_EX(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
1383            WC_FREE_VAR_EX(seed, heap, DYNAMIC_TYPE_RSA_BUFFER);
1384        return BAD_FUNC_ARG;
1385    }
1386
1387    /* concatenate lHash || PS || 0x01 || msg */
1388    idx = pkcsBlockLen - 1 - inputLen;
1389    psLen = (int)pkcsBlockLen - (int)inputLen - 2 * (int)hLen - 2;
1390    if (pkcsBlockLen < inputLen) { /*make sure not writing over end of buffer */
1391            WC_FREE_VAR_EX(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
1392            WC_FREE_VAR_EX(seed, heap, DYNAMIC_TYPE_RSA_BUFFER);
1393        return BUFFER_E;
1394    }
1395    XMEMCPY(pkcsBlock + (pkcsBlockLen - inputLen), input, inputLen);
1396    pkcsBlock[idx--] = 0x01; /* PS and M separator */
1397    XMEMSET(pkcsBlock + idx - psLen + 1, 0, (size_t)psLen);
1398    idx -= (word32)psLen;
1399
1400    idx = idx - hLen + 1;
1401    XMEMCPY(pkcsBlock + idx, lHash, hLen);
1402
1403    /* generate random seed */
1404    if ((ret = wc_RNG_GenerateBlock(rng, seed, hLen)) != 0) {
1405            WC_FREE_VAR_EX(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
1406            ForceZero(seed, hLen);
1407            WC_FREE_VAR_EX(seed, heap, DYNAMIC_TYPE_RSA_BUFFER);
1408        return ret;
1409    }
1410
1411#if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_NO_MALLOC)
1412    /* create maskedDB from dbMask */
1413    dbMask = (byte*)XMALLOC(pkcsBlockLen - hLen - 1, heap, DYNAMIC_TYPE_RSA);
1414    if (dbMask == NULL) {
1415
1416            XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
1417            ForceZero(seed, hLen);
1418            XFREE(seed,  heap, DYNAMIC_TYPE_RSA_BUFFER);
1419        return MEMORY_E;
1420    }
1421#else
1422    if (pkcsBlockLen - hLen - 1 > sizeof(dbMask)) {
1423        return MEMORY_E;
1424    }
1425#endif
1426    XMEMSET(dbMask, 0, pkcsBlockLen - hLen - 1); /* help static analyzer */
1427    ret = RsaMGF(mgf, seed, hLen, dbMask, pkcsBlockLen - hLen - 1, heap);
1428    if (ret != 0) {
1429            WC_FREE_VAR_EX(dbMask, heap, DYNAMIC_TYPE_RSA);
1430            WC_FREE_VAR_EX(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
1431            ForceZero(seed, hLen);
1432            WC_FREE_VAR_EX(seed, heap, DYNAMIC_TYPE_RSA_BUFFER);
1433        return ret;
1434    }
1435
1436    xorbuf(pkcsBlock + hLen + 1, dbMask,pkcsBlockLen - hLen - 1);
1437
1438    WC_FREE_VAR_EX(dbMask, heap, DYNAMIC_TYPE_RSA);
1439
1440    /* create maskedSeed from seedMask */
1441    pkcsBlock[0] = 0x00;
1442    /* create seedMask inline */
1443    if ((ret = RsaMGF(mgf, pkcsBlock + hLen + 1, pkcsBlockLen - hLen - 1,
1444                                           pkcsBlock + 1, hLen, heap)) != 0) {
1445            WC_FREE_VAR_EX(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
1446            ForceZero(seed, hLen);
1447            WC_FREE_VAR_EX(seed, heap, DYNAMIC_TYPE_RSA_BUFFER);
1448        return ret;
1449    }
1450
1451    /* xor created seedMask with seed to make maskedSeed */
1452    xorbuf(pkcsBlock + 1, seed, hLen);
1453#ifdef WOLFSSL_CHECK_MEM_ZERO
1454    /* Seed must be zeroized now that it has been used. */
1455    wc_MemZero_Add("Pad OAEP seed", seed, hLen);
1456#endif
1457
1458    /* Zeroize masking bytes so that padding can't be unmasked. */
1459    ForceZero(seed, hLen);
1460    #ifdef WOLFSSL_SMALL_STACK
1461        XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
1462        XFREE(seed,  heap, DYNAMIC_TYPE_RSA_BUFFER);
1463    #elif defined(WOLFSSL_CHECK_MEM_ZERO)
1464        wc_MemZero_Check(seed, hLen);
1465    #endif
1466    (void)padValue;
1467
1468    return 0;
1469}
1470#endif /* !WC_NO_RSA_OAEP */
1471
1472#ifdef WC_RSA_PSS
1473
1474/* 0x00 .. 0x00 0x01 | Salt | Gen Hash | 0xbc
1475 * XOR MGF over all bytes down to end of Salt
1476 * Gen Hash = HASH(8 * 0x00 | Message Hash | Salt)
1477 *
1478 * input         Digest of the message.
1479 * inputLen      Length of digest.
1480 * pkcsBlock     Buffer to write to.
1481 * pkcsBlockLen  Length of buffer to write to.
1482 * rng           Random number generator (for salt).
1483 * htype         Hash function to use.
1484 * mgf           Mask generation function.
1485 * saltLen       Length of salt to put in padding.
1486 * bits          Length of key in bits.
1487 * heap          Used for dynamic memory allocation.
1488 * returns 0 on success, PSS_SALTLEN_E when the salt length is invalid
1489 * and other negative values on error.
1490 */
1491static int RsaPad_PSS(const byte* input, word32 inputLen, byte* pkcsBlock,
1492        word32 pkcsBlockLen, WC_RNG* rng, enum wc_HashType hType, int mgf,
1493        int saltLen, int bits, void* heap)
1494{
1495    int   ret = 0;
1496    int   hLen, o, maskLen, hiBits;
1497    byte* m;
1498    byte* s;
1499#if defined(WOLFSSL_NO_MALLOC) && !defined(WOLFSSL_STATIC_MEMORY)
1500    byte msg[RSA_MAX_SIZE/8 + RSA_PSS_PAD_SZ];
1501#else
1502    byte* msg = NULL;
1503#endif
1504#if defined(WOLFSSL_PSS_LONG_SALT) || defined(WOLFSSL_PSS_SALT_LEN_DISCOVER)
1505    byte* salt;
1506#else
1507    byte salt[WC_MAX_DIGEST_SIZE];
1508#endif
1509
1510#if defined(WOLFSSL_PSS_LONG_SALT) || defined(WOLFSSL_PSS_SALT_LEN_DISCOVER)
1511    if (pkcsBlockLen > RSA_MAX_SIZE/8) {
1512        return MEMORY_E;
1513    }
1514#endif
1515
1516    hLen = wc_HashGetDigestSize(hType);
1517    if (hLen < 0)
1518        return hLen;
1519    if ((int)inputLen != hLen) {
1520        return BAD_FUNC_ARG;
1521    }
1522
1523    hiBits = (bits - 1) & 0x7;
1524    if (hiBits == 0) {
1525        /* Per RFC8017, set the leftmost 8emLen - emBits bits of the
1526           leftmost octet in DB to zero.
1527        */
1528        *(pkcsBlock++) = 0;
1529        pkcsBlockLen--;
1530    }
1531
1532    if (saltLen == RSA_PSS_SALT_LEN_DEFAULT) {
1533        saltLen = hLen;
1534        #ifdef WOLFSSL_SHA512
1535            /* See FIPS 186-4 section 5.5 item (e). */
1536            if (bits == 1024 && hLen == WC_SHA512_DIGEST_SIZE) {
1537                saltLen = RSA_PSS_SALT_MAX_SZ;
1538            }
1539        #endif
1540    }
1541#ifndef WOLFSSL_PSS_LONG_SALT
1542    else if (saltLen > hLen) {
1543        return PSS_SALTLEN_E;
1544    }
1545#endif
1546#ifndef WOLFSSL_PSS_SALT_LEN_DISCOVER
1547    else if (saltLen < RSA_PSS_SALT_LEN_DEFAULT) {
1548        return PSS_SALTLEN_E;
1549    }
1550#else
1551    else if (saltLen == RSA_PSS_SALT_LEN_DISCOVER) {
1552        saltLen = (int)pkcsBlockLen - hLen - 2;
1553        if (saltLen < 0) {
1554            return PSS_SALTLEN_E;
1555        }
1556    }
1557    else if (saltLen < RSA_PSS_SALT_LEN_DISCOVER) {
1558        return PSS_SALTLEN_E;
1559    }
1560#endif
1561    if ((int)pkcsBlockLen - hLen < saltLen + 2) {
1562        return PSS_SALTLEN_E;
1563    }
1564    maskLen = (int)pkcsBlockLen - 1 - hLen;
1565
1566#if defined(WOLFSSL_PSS_LONG_SALT) || defined(WOLFSSL_PSS_SALT_LEN_DISCOVER)
1567    #if !defined(WOLFSSL_NO_MALLOC) || defined(WOLFSSL_STATIC_MEMORY)
1568        msg = (byte*)XMALLOC(
1569                          (size_t)(RSA_PSS_PAD_SZ + inputLen + (word32)saltLen),
1570                          heap, DYNAMIC_TYPE_RSA_BUFFER);
1571        if (msg == NULL) {
1572            return MEMORY_E;
1573        }
1574    #endif
1575    salt = s = m = msg;
1576    XMEMSET(m, 0, RSA_PSS_PAD_SZ);
1577    m += RSA_PSS_PAD_SZ;
1578    XMEMCPY(m, input, inputLen);
1579    m += inputLen;
1580    o = (int)(m - s);
1581    if (saltLen > 0) {
1582        ret = wc_RNG_GenerateBlock(rng, m, (word32)saltLen);
1583        if (ret == 0) {
1584            m += saltLen;
1585        }
1586    }
1587#else
1588    if ((int)pkcsBlockLen < RSA_PSS_PAD_SZ + (int)inputLen + saltLen) {
1589    #if !defined(WOLFSSL_NO_MALLOC) || defined(WOLFSSL_STATIC_MEMORY)
1590        msg = (byte*)XMALLOC(
1591                          (size_t)(RSA_PSS_PAD_SZ + inputLen + (word32)saltLen),
1592                          heap, DYNAMIC_TYPE_RSA_BUFFER);
1593        if (msg == NULL) {
1594            return MEMORY_E;
1595        }
1596    #endif
1597        m = msg;
1598    }
1599    else {
1600        m = pkcsBlock;
1601    }
1602    s = m;
1603    XMEMSET(m, 0, RSA_PSS_PAD_SZ);
1604    m += RSA_PSS_PAD_SZ;
1605    XMEMCPY(m, input, inputLen);
1606    m += inputLen;
1607    o = 0;
1608    if (saltLen > 0) {
1609        ret = wc_RNG_GenerateBlock(rng, salt, (word32)saltLen);
1610        if (ret == 0) {
1611            XMEMCPY(m, salt, (size_t)saltLen);
1612            m += saltLen;
1613        }
1614    }
1615#endif
1616    if (ret == 0) {
1617        /* Put Hash at end of pkcsBlock - 1 */
1618        ret = wc_Hash(hType, s, (word32)(m - s), pkcsBlock + maskLen, (word32)hLen);
1619    }
1620    if (ret == 0) {
1621       /* Set the last eight bits or trailer field to the octet 0xbc */
1622        pkcsBlock[pkcsBlockLen - 1] = RSA_PSS_PAD_TERM;
1623
1624        ret = RsaMGF(mgf, pkcsBlock + maskLen, (word32)hLen, pkcsBlock, (word32)maskLen, heap);
1625    }
1626    if (ret == 0) {
1627        /* Clear the first high bit when "8emLen - emBits" is non-zero.
1628           where emBits = n modBits - 1 */
1629        if (hiBits)
1630            pkcsBlock[0] &= (byte)((1 << hiBits) - 1);
1631
1632        m = pkcsBlock + maskLen - saltLen - 1;
1633        *(m++) ^= 0x01;
1634        xorbuf(m, salt + o, (word32)saltLen);
1635    }
1636
1637#if !defined(WOLFSSL_NO_MALLOC) || defined(WOLFSSL_STATIC_MEMORY)
1638    /* msg is always not NULL as we bail on allocation failure */
1639    XFREE(msg, heap, DYNAMIC_TYPE_RSA_BUFFER);
1640#endif
1641    return ret;
1642}
1643#endif /* WC_RSA_PSS */
1644#endif /* !WC_NO_RNG */
1645
1646static int RsaPad(const byte* input, word32 inputLen, byte* pkcsBlock,
1647                           word32 pkcsBlockLen, byte padValue, WC_RNG* rng)
1648{
1649    if (input == NULL || inputLen == 0 || pkcsBlock == NULL ||
1650                                                        pkcsBlockLen == 0) {
1651        return BAD_FUNC_ARG;
1652    }
1653
1654    if (pkcsBlockLen - RSA_MIN_PAD_SZ < inputLen) {
1655        WOLFSSL_MSG("RsaPad error, invalid length");
1656        return RSA_PAD_E;
1657    }
1658    pkcsBlock[0] = 0x0;       /* set first byte to zero and advance */
1659    pkcsBlock++; pkcsBlockLen--;
1660    pkcsBlock[0] = padValue;  /* insert padValue */
1661
1662    if (padValue == RSA_BLOCK_TYPE_1) {
1663
1664        /* pad with 0xff bytes */
1665        XMEMSET(&pkcsBlock[1], 0xFF, pkcsBlockLen - inputLen - 2);
1666    }
1667    else {
1668#if !defined(WOLFSSL_RSA_VERIFY_ONLY) && !defined(WC_NO_RNG)
1669        /* pad with non-zero random bytes */
1670        word32 padLen, i;
1671        int    ret;
1672        padLen = pkcsBlockLen - inputLen - 1;
1673        ret    = wc_RNG_GenerateBlock(rng, &pkcsBlock[1], padLen);
1674        if (ret != 0) {
1675            return ret;
1676        }
1677
1678        /* remove zeros */
1679        for (i = 1; i < padLen; i++) {
1680            if (pkcsBlock[i] == 0) pkcsBlock[i] = 0x01;
1681        }
1682#else
1683        (void)rng;
1684        return RSA_WRONG_TYPE_E;
1685#endif
1686    }
1687
1688    pkcsBlock[pkcsBlockLen-inputLen-1] = 0;     /* separator */
1689    XMEMCPY(pkcsBlock+pkcsBlockLen-inputLen, input, inputLen);
1690
1691    return 0;
1692}
1693
1694/* helper function to direct which padding is used */
1695int wc_RsaPad_ex(const byte* input, word32 inputLen, byte* pkcsBlock,
1696    word32 pkcsBlockLen, byte padValue, WC_RNG* rng, int padType,
1697    enum wc_HashType hType, int mgf, byte* optLabel, word32 labelLen,
1698    int saltLen, int bits, void* heap)
1699{
1700    int ret;
1701
1702    switch (padType)
1703    {
1704        case WC_RSA_PKCSV15_PAD:
1705            /*WOLFSSL_MSG("wolfSSL Using RSA PKCSV15 padding");*/
1706            ret = RsaPad(input, inputLen, pkcsBlock, pkcsBlockLen,
1707                                                                 padValue, rng);
1708            break;
1709
1710#ifndef WC_NO_RNG
1711    #ifndef WC_NO_RSA_OAEP
1712        case WC_RSA_OAEP_PAD:
1713            WOLFSSL_MSG("wolfSSL Using RSA OAEP padding");
1714            ret = RsaPad_OAEP(input, inputLen, pkcsBlock, pkcsBlockLen,
1715                           padValue, rng, hType, mgf, optLabel, labelLen, heap);
1716            break;
1717    #endif
1718
1719    #ifdef WC_RSA_PSS
1720        case WC_RSA_PSS_PAD:
1721            WOLFSSL_MSG("wolfSSL Using RSA PSS padding");
1722            ret = RsaPad_PSS(input, inputLen, pkcsBlock, pkcsBlockLen, rng,
1723                                               hType, mgf, saltLen, bits, heap);
1724            break;
1725    #endif
1726#endif /* !WC_NO_RNG */
1727
1728    #ifdef WC_RSA_NO_PADDING
1729        case WC_RSA_NO_PAD:
1730        {
1731            int bytes = (bits + WOLFSSL_BIT_SIZE - 1) / WOLFSSL_BIT_SIZE;
1732
1733            WOLFSSL_MSG("wolfSSL Using NO padding");
1734
1735            /* In the case of no padding being used check that input is exactly
1736             * the RSA key length */
1737            if ((bits <= 0) || (inputLen != (word32)bytes)) {
1738                WOLFSSL_MSG("Bad input size");
1739                ret = RSA_PAD_E;
1740            }
1741            else {
1742                XMEMCPY(pkcsBlock, input, inputLen);
1743                ret = 0;
1744            }
1745            break;
1746        }
1747    #endif
1748
1749        default:
1750            WOLFSSL_MSG("Unknown RSA Pad Type");
1751            ret = RSA_PAD_E;
1752    }
1753
1754    /* silence warning if not used with padding scheme */
1755    (void)input;
1756    (void)inputLen;
1757    (void)pkcsBlock;
1758    (void)pkcsBlockLen;
1759    (void)padValue;
1760    (void)rng;
1761    (void)padType;
1762    (void)hType;
1763    (void)mgf;
1764    (void)optLabel;
1765    (void)labelLen;
1766    (void)saltLen;
1767    (void)bits;
1768    (void)heap;
1769
1770    return ret;
1771}
1772#endif /* WOLFSSL_RSA_VERIFY_ONLY */
1773
1774
1775/* UnPadding */
1776#if !defined(WC_NO_RSA_OAEP) && !defined(NO_HASH_WRAPPER)
1777/* UnPad plaintext, set start to *output, return length of plaintext,
1778 * < 0 on error */
1779static int RsaUnPad_OAEP(byte *pkcsBlock, unsigned int pkcsBlockLen,
1780                            byte **output, enum wc_HashType hType, int mgf,
1781                            byte* optLabel, word32 labelLen, void* heap)
1782{
1783    word32 hLen;
1784    int ret;
1785    byte h[WC_MAX_DIGEST_SIZE]; /* max digest size */
1786    word32 idx;
1787    word32 i;
1788    volatile word32 inc;
1789
1790#if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_NO_MALLOC)
1791    byte* tmp  = NULL;
1792#else
1793    byte tmp[RSA_MAX_SIZE/8 + RSA_PSS_PAD_SZ];
1794#endif
1795
1796    /* no label is allowed, but catch if no label provided and length > 0 */
1797    if (optLabel == NULL && labelLen > 0) {
1798        return BUFFER_E;
1799    }
1800
1801    ret = wc_HashGetDigestSize(hType);
1802    if ((ret < 0) || (pkcsBlockLen < (2 * (word32)ret + 2))) {
1803        return BAD_FUNC_ARG;
1804    }
1805    hLen = (word32)ret;
1806
1807#if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_NO_MALLOC)
1808    tmp = (byte*)XMALLOC(pkcsBlockLen, heap, DYNAMIC_TYPE_RSA_BUFFER);
1809    if (tmp == NULL) {
1810        return MEMORY_E;
1811    }
1812#endif
1813    XMEMSET(tmp, 0, pkcsBlockLen);
1814#ifdef WOLFSSL_CHECK_MEM_ZERO
1815    wc_MemZero_Add("OAEP UnPad temp", tmp, pkcsBlockLen);
1816#endif
1817
1818    /* find seedMask value */
1819    ret = RsaMGF(mgf, (byte*)(pkcsBlock + (hLen + 1)),
1820                 pkcsBlockLen - hLen - 1, tmp, hLen, heap);
1821    if (ret != 0) {
1822        WC_FREE_VAR_EX(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER);
1823        return ret;
1824    }
1825
1826    /* xor seedMask value with maskedSeed to get seed value */
1827    xorbuf(tmp, pkcsBlock + 1, hLen);
1828
1829    /* get dbMask value */
1830    ret = RsaMGF(mgf, tmp, hLen, tmp + hLen, pkcsBlockLen - hLen - 1, heap);
1831    if (ret != 0) {
1832        ForceZero(tmp, hLen);
1833#ifdef WOLFSSL_SMALL_STACK
1834        XFREE(tmp, NULL, DYNAMIC_TYPE_RSA_BUFFER);
1835#elif defined(WOLFSSL_CHECK_MEM_ZERO)
1836        wc_MemZero_Check(tmp, hLen);
1837#endif
1838        return ret;
1839    }
1840
1841    /* get DB value by doing maskedDB xor dbMask */
1842    xorbuf(pkcsBlock + hLen + 1, tmp + hLen, pkcsBlockLen - hLen - 1);
1843
1844    ForceZero(tmp, pkcsBlockLen);
1845#ifdef WOLFSSL_SMALL_STACK
1846    /* done with use of tmp buffer */
1847    XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER);
1848#elif defined(WOLFSSL_CHECK_MEM_ZERO)
1849    wc_MemZero_Check(tmp, pkcsBlockLen);
1850#endif
1851
1852    /* advance idx to index of PS and msg separator, account for PS size of 0*/
1853    idx = hLen + 1 + hLen;
1854    /* Don't reveal length of message: look at every byte. */
1855    inc = 1;
1856    for (i = hLen + 1 + hLen; i < pkcsBlockLen - 1; i++) {
1857        /* Looking for non-zero byte. */
1858        inc &= 1 - (((word32)0 - pkcsBlock[i]) >> 31);
1859        idx += inc;
1860    }
1861
1862    /* create hash of label for comparison with hash sent */
1863    ret = wc_Hash(hType, optLabel, labelLen, h, hLen);
1864    if (ret != 0) {
1865        return ret;
1866    }
1867
1868    /* say no to chosen ciphertext attack.
1869       Comparison of lHash, Y, and separator value needs to all happen in
1870       constant time.
1871       Attackers should not be able to get error condition from the timing of
1872       these checks.
1873     */
1874    {
1875        volatile int c = ConstantCompare(pkcsBlock + hLen + 1, h, (int)hLen);
1876        c = c + (pkcsBlock[idx++] ^ 0x01); /* separator value is 0x01 */
1877        c = c + (pkcsBlock[0]     ^ 0x00); /* Y, the first value, should be 0 */
1878
1879        /* Return 0 data length on error. */
1880        idx = ctMaskSelWord32(ctMaskEq(c, 0), idx, pkcsBlockLen);
1881    }
1882
1883    /* adjust pointer to correct location in array and return size of M */
1884    *output = (byte*)(pkcsBlock + idx);
1885    return (int)(pkcsBlockLen - idx);
1886}
1887#endif /* !WC_NO_RSA_OAEP */
1888
1889#ifdef WC_RSA_PSS
1890/* 0x00 .. 0x00 0x01 | Salt | Gen Hash | 0xbc
1891 * MGF over all bytes down to end of Salt
1892 *
1893 * pkcsBlock     Buffer holding decrypted data.
1894 * pkcsBlockLen  Length of buffer.
1895 * htype         Hash function to use.
1896 * mgf           Mask generation function.
1897 * saltLen       Length of salt to put in padding.
1898 * bits          Length of key in bits.
1899 * heap          Used for dynamic memory allocation.
1900 * returns       the sum of salt length and SHA-256 digest size on success.
1901 *               Otherwise, PSS_SALTLEN_E for an incorrect salt length,
1902 *               WC_KEY_SIZE_E for an incorrect encoded message (EM) size
1903                 and other negative values on error.
1904 */
1905static int RsaUnPad_PSS(byte *pkcsBlock, unsigned int pkcsBlockLen,
1906                        byte **output, enum wc_HashType hType, int mgf,
1907                        int saltLen, int bits, void* heap)
1908{
1909    int   ret;
1910    byte* tmp;
1911    int   hLen, i, maskLen;
1912#ifdef WOLFSSL_SHA512
1913    int orig_bits = bits;
1914#endif
1915#if defined(WOLFSSL_NO_MALLOC) && !defined(WOLFSSL_STATIC_MEMORY)
1916    byte tmp_buf[RSA_MAX_SIZE/8];
1917    tmp = tmp_buf;
1918
1919    if (pkcsBlockLen > RSA_MAX_SIZE/8) {
1920        return MEMORY_E;
1921    }
1922#endif
1923
1924    hLen = wc_HashGetDigestSize(hType);
1925    if (hLen < 0)
1926        return hLen;
1927    bits = (bits - 1) & 0x7;
1928    if ((pkcsBlock[0] & (0xff << bits)) != 0) {
1929        return BAD_PADDING_E;
1930    }
1931    if (bits == 0) {
1932        pkcsBlock++;
1933        pkcsBlockLen--;
1934    }
1935    maskLen = (int)pkcsBlockLen - 1 - hLen;
1936    if (maskLen < 0) {
1937        WOLFSSL_MSG("RsaUnPad_PSS: Hash too large");
1938        return WC_KEY_SIZE_E;
1939    }
1940
1941    if (saltLen == RSA_PSS_SALT_LEN_DEFAULT) {
1942        saltLen = hLen;
1943        #ifdef WOLFSSL_SHA512
1944            /* See FIPS 186-4 section 5.5 item (e). */
1945            if (orig_bits == 1024 && hLen == WC_SHA512_DIGEST_SIZE)
1946                saltLen = RSA_PSS_SALT_MAX_SZ;
1947        #endif
1948    }
1949#ifndef WOLFSSL_PSS_LONG_SALT
1950    else if (saltLen > hLen)
1951        return PSS_SALTLEN_E;
1952#endif
1953#ifndef WOLFSSL_PSS_SALT_LEN_DISCOVER
1954    else if (saltLen < RSA_PSS_SALT_LEN_DEFAULT)
1955        return PSS_SALTLEN_E;
1956    if (maskLen < saltLen + 1) {
1957        return PSS_SALTLEN_E;
1958    }
1959#else
1960    else if (saltLen < RSA_PSS_SALT_LEN_DISCOVER)
1961        return PSS_SALTLEN_E;
1962    if (saltLen != RSA_PSS_SALT_LEN_DISCOVER && maskLen < saltLen + 1) {
1963        return WC_KEY_SIZE_E;
1964    }
1965#endif
1966
1967    if (pkcsBlock[pkcsBlockLen - 1] != RSA_PSS_PAD_TERM) {
1968        WOLFSSL_MSG("RsaUnPad_PSS: Padding Term Error");
1969        return BAD_PADDING_E;
1970    }
1971
1972#if !defined(WOLFSSL_NO_MALLOC) || defined(WOLFSSL_STATIC_MEMORY)
1973    tmp = (byte*)XMALLOC((size_t)maskLen, heap, DYNAMIC_TYPE_RSA_BUFFER);
1974    if (tmp == NULL) {
1975        return MEMORY_E;
1976    }
1977    XMEMSET(tmp, 0, (size_t)maskLen);
1978#endif
1979
1980    if ((ret = RsaMGF(mgf, pkcsBlock + maskLen, (word32)hLen, tmp, (word32)maskLen,
1981                                                                  heap)) != 0) {
1982        #if !defined(WOLFSSL_NO_MALLOC) || defined(WOLFSSL_STATIC_MEMORY)
1983        XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER);
1984        #endif
1985        return ret;
1986    }
1987
1988    tmp[0] &= (byte)((1 << bits) - 1);
1989    pkcsBlock[0] &= (byte)((1 << bits) - 1);
1990#ifdef WOLFSSL_PSS_SALT_LEN_DISCOVER
1991    if (saltLen == RSA_PSS_SALT_LEN_DISCOVER) {
1992        for (i = 0; i < maskLen - 1; i++) {
1993            if (tmp[i] != pkcsBlock[i]) {
1994                break;
1995            }
1996        }
1997        if (tmp[i] != (pkcsBlock[i] ^ 0x01)) {
1998            #if !defined(WOLFSSL_NO_MALLOC) || defined(WOLFSSL_STATIC_MEMORY)
1999            XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER);
2000            #endif
2001            WOLFSSL_MSG("RsaUnPad_PSS: Padding Error Match");
2002            return PSS_SALTLEN_RECOVER_E;
2003        }
2004        saltLen = maskLen - (i + 1);
2005    }
2006    else
2007#endif
2008    {
2009        for (i = 0; i < maskLen - 1 - saltLen; i++) {
2010            if (tmp[i] != pkcsBlock[i]) {
2011                #if !defined(WOLFSSL_NO_MALLOC) || defined(WOLFSSL_STATIC_MEMORY)
2012                XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER);
2013                #endif
2014                WOLFSSL_MSG("RsaUnPad_PSS: Padding Error Match");
2015                return PSS_SALTLEN_E;
2016            }
2017        }
2018        if (tmp[i] != (pkcsBlock[i] ^ 0x01)) {
2019            #if !defined(WOLFSSL_NO_MALLOC) || defined(WOLFSSL_STATIC_MEMORY)
2020            XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER);
2021            #endif
2022            WOLFSSL_MSG("RsaUnPad_PSS: Padding Error End");
2023            return PSS_SALTLEN_E;
2024        }
2025    }
2026    xorbuf(pkcsBlock + i, tmp + i, (word32)(maskLen - i));
2027
2028#if !defined(WOLFSSL_NO_MALLOC) || defined(WOLFSSL_STATIC_MEMORY)
2029    XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER);
2030#endif
2031
2032    *output = pkcsBlock + maskLen - saltLen;
2033    return saltLen + hLen;
2034}
2035#endif
2036
2037/* UnPad plaintext, set start to *output, return length of plaintext,
2038 * < 0 on error */
2039static int RsaUnPad(const byte *pkcsBlock, unsigned int pkcsBlockLen,
2040                    const byte **output, byte padValue)
2041{
2042    int    ret = WC_NO_ERR_TRACE(BAD_FUNC_ARG);
2043    word16 i;
2044
2045    if (output == NULL || pkcsBlockLen < 2 || pkcsBlockLen > 0xFFFF) {
2046        return BAD_FUNC_ARG;
2047    }
2048
2049    if (padValue == RSA_BLOCK_TYPE_1) {
2050        /* First byte must be 0x00 and Second byte, block type, 0x01 */
2051        if (pkcsBlock[0] != 0 || pkcsBlock[1] != RSA_BLOCK_TYPE_1) {
2052            WOLFSSL_MSG("RsaUnPad error, invalid formatting");
2053            return RSA_PAD_E;
2054        }
2055
2056        /* check the padding until we find the separator */
2057        for (i = 2; i < pkcsBlockLen; ) {
2058            if (pkcsBlock[i++] != 0xFF) {
2059                break;
2060            }
2061        }
2062
2063        /* Minimum of 11 bytes of pre-message data and must have separator. */
2064        if (i < RSA_MIN_PAD_SZ || pkcsBlock[i-1] != 0) {
2065            WOLFSSL_MSG("RsaUnPad error, bad formatting");
2066            return RSA_PAD_E;
2067        }
2068
2069        *output = (const byte *)(pkcsBlock + i);
2070        ret = (int)pkcsBlockLen - i;
2071    }
2072#ifndef WOLFSSL_RSA_VERIFY_ONLY
2073    else {
2074        unsigned int    j;
2075        volatile word16 pastSep = 0;
2076        volatile byte   invalid = 0;
2077        volatile byte   minPad;
2078        volatile int    invalidMask;
2079        byte inv;
2080        word16 sep;
2081
2082        i = 0;
2083        /* Decrypted with private key - unpad must be constant time. */
2084        for (j = 2; j < pkcsBlockLen; j++) {
2085           /* Update i if not passed the separator and at separator. */
2086            i |= (word16)(~pastSep) & ctMask16Eq(pkcsBlock[j], 0x00) &
2087                (word16)(j + 1);
2088            pastSep |= ctMask16Eq(pkcsBlock[j], 0x00);
2089        }
2090
2091        /* Snapshot volatiles to avoid multiple volatile accesses per
2092         * expression. */
2093        inv = invalid;
2094        sep = pastSep;
2095
2096        /* Minimum of 11 bytes of pre-message data - including leading 0x00. */
2097        minPad = ctMaskLT(i, RSA_MIN_PAD_SZ);
2098        inv |= minPad;
2099        /* Must have seen separator. */
2100        inv |= (byte)~sep;
2101        /* First byte must be 0x00. */
2102        inv |= ctMaskNotEq(pkcsBlock[0], 0x00);
2103        /* Check against expected block type: padValue */
2104        inv |= ctMaskNotEq(pkcsBlock[1], padValue);
2105
2106        invalid = inv;
2107        *output = (const byte *)(pkcsBlock + i);
2108        invalidMask = (int)-1 + (int)(inv >> 7);
2109        ret = invalidMask & ((int)pkcsBlockLen - i);
2110    }
2111#endif
2112
2113    return ret;
2114}
2115
2116/* helper function to direct unpadding
2117 *
2118 * bits is the key modulus size in bits
2119 */
2120int wc_RsaUnPad_ex(byte* pkcsBlock, word32 pkcsBlockLen, byte** out,
2121                   byte padValue, int padType, enum wc_HashType hType,
2122                   int mgf, byte* optLabel, word32 labelLen, int saltLen,
2123                   int bits, void* heap)
2124{
2125    int ret;
2126
2127    switch (padType) {
2128        case WC_RSA_PKCSV15_PAD:
2129            /*WOLFSSL_MSG("wolfSSL Using RSA PKCSV15 un-padding");*/
2130            ret = RsaUnPad(pkcsBlock, pkcsBlockLen, (const byte **)(void *)out,
2131                           padValue);
2132            break;
2133
2134    #ifndef WC_NO_RSA_OAEP
2135        case WC_RSA_OAEP_PAD:
2136            WOLFSSL_MSG("wolfSSL Using RSA OAEP un-padding");
2137            ret = RsaUnPad_OAEP((byte*)pkcsBlock, pkcsBlockLen, out,
2138                                        hType, mgf, optLabel, labelLen, heap);
2139            break;
2140    #endif
2141
2142    #ifdef WC_RSA_PSS
2143        case WC_RSA_PSS_PAD:
2144            WOLFSSL_MSG("wolfSSL Using RSA PSS un-padding");
2145            ret = RsaUnPad_PSS((byte*)pkcsBlock, pkcsBlockLen, out, hType, mgf,
2146                                                           saltLen, bits, heap);
2147            break;
2148    #endif
2149
2150    #ifdef WC_RSA_NO_PADDING
2151        case WC_RSA_NO_PAD:
2152            WOLFSSL_MSG("wolfSSL Using NO un-padding");
2153
2154            /* In the case of no padding being used check that input is exactly
2155             * the RSA key length */
2156            if (bits <= 0 || pkcsBlockLen !=
2157                         ((word32)(bits+WOLFSSL_BIT_SIZE-1)/WOLFSSL_BIT_SIZE)) {
2158                WOLFSSL_MSG("Bad input size");
2159                ret = RSA_PAD_E;
2160            }
2161            else {
2162                if (out != NULL) {
2163                    *out = pkcsBlock;
2164                }
2165                ret = (int)pkcsBlockLen;
2166            }
2167            break;
2168    #endif /* WC_RSA_NO_PADDING */
2169
2170        default:
2171            WOLFSSL_MSG("Unknown RSA UnPad Type");
2172            ret = RSA_PAD_E;
2173    }
2174
2175    /* silence warning if not used with padding scheme */
2176    (void)hType;
2177    (void)mgf;
2178    (void)optLabel;
2179    (void)labelLen;
2180    (void)saltLen;
2181    (void)bits;
2182    (void)heap;
2183
2184    return ret;
2185}
2186
2187int wc_hash2mgf(enum wc_HashType hType)
2188{
2189    switch (hType) {
2190    case WC_HASH_TYPE_NONE:
2191        return WC_MGF1NONE;
2192    case WC_HASH_TYPE_SHA:
2193#ifndef NO_SHA
2194        return WC_MGF1SHA1;
2195#else
2196        break;
2197#endif
2198    case WC_HASH_TYPE_SHA224:
2199#ifdef WOLFSSL_SHA224
2200        return WC_MGF1SHA224;
2201#else
2202        break;
2203#endif
2204    case WC_HASH_TYPE_SHA256:
2205#ifndef NO_SHA256
2206        return WC_MGF1SHA256;
2207#else
2208        break;
2209#endif
2210    case WC_HASH_TYPE_SHA384:
2211#ifdef WOLFSSL_SHA384
2212        return WC_MGF1SHA384;
2213#else
2214        break;
2215#endif
2216    case WC_HASH_TYPE_SHA512:
2217#ifdef WOLFSSL_SHA512
2218        return WC_MGF1SHA512;
2219#else
2220        break;
2221#endif
2222    case WC_HASH_TYPE_SHA512_224:
2223#if defined(WOLFSSL_SHA512) && !defined(WOLFSSL_NOSHA512_224)
2224        return WC_MGF1SHA512_224;
2225#else
2226        break;
2227#endif
2228    case WC_HASH_TYPE_SHA512_256:
2229#if defined(WOLFSSL_SHA512) && !defined(WOLFSSL_NOSHA512_256)
2230        return WC_MGF1SHA512_256;
2231#else
2232        break;
2233#endif
2234    case WC_HASH_TYPE_MD2:
2235    case WC_HASH_TYPE_MD4:
2236    case WC_HASH_TYPE_MD5:
2237    case WC_HASH_TYPE_MD5_SHA:
2238    case WC_HASH_TYPE_SHA3_224:
2239#if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_224)
2240        return WC_MGF1SHA3_224;
2241#else
2242        break;
2243#endif
2244    case WC_HASH_TYPE_SHA3_256:
2245#if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_256)
2246        return WC_MGF1SHA3_256;
2247#else
2248        break;
2249#endif
2250    case WC_HASH_TYPE_SHA3_384:
2251#if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_384)
2252        return WC_MGF1SHA3_384;
2253#else
2254        break;
2255#endif
2256    case WC_HASH_TYPE_SHA3_512:
2257#if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_512)
2258        return WC_MGF1SHA3_512;
2259#else
2260        break;
2261#endif
2262    case WC_HASH_TYPE_BLAKE2B:
2263    case WC_HASH_TYPE_BLAKE2S:
2264    case WC_HASH_TYPE_SM3:
2265        break;
2266#ifdef WOLFSSL_SHAKE128
2267    case WC_HASH_TYPE_SHAKE128:
2268        return WC_MGF1SHAKE128;
2269#else
2270    case WC_HASH_TYPE_SHAKE128:
2271        break;
2272#endif
2273#ifdef WOLFSSL_SHAKE256
2274    case WC_HASH_TYPE_SHAKE256:
2275        return WC_MGF1SHAKE256;
2276#else
2277    case WC_HASH_TYPE_SHAKE256:
2278        break;
2279#endif
2280    default:
2281        break;
2282    }
2283    WOLFSSL_MSG("Unrecognized or unsupported hash function");
2284    return WC_MGF1NONE;
2285}
2286
2287#ifdef WC_RSA_NONBLOCK
2288static int wc_RsaFunctionNonBlock(const byte* in, word32 inLen, byte* out,
2289                          word32* outLen, int type, RsaKey* key)
2290{
2291    int    ret = 0;
2292#ifdef USE_FAST_MATH
2293    word32 keyLen, len;
2294#endif
2295    /* SP non-blocking RSA wrappers depend on sp_<N>_mod_exp_<W>_nb,
2296     * which the SP generator only emits when (!RSA_PUBLIC_ONLY ||
2297     * HAVE_SP_DH). Match that gate here so the dispatch is omitted when
2298     * those symbols are not available. */
2299#if defined(WOLFSSL_HAVE_SP_RSA) && defined(WOLFSSL_SP_NONBLOCK) && \
2300    defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SP_FAST_MODEXP) && \
2301    (!defined(WOLFSSL_RSA_PUBLIC_ONLY) || defined(WOLFSSL_HAVE_SP_DH))
2302    int bits;
2303#endif
2304
2305    if (key == NULL || key->nb == NULL) {
2306        return BAD_FUNC_ARG;
2307    }
2308
2309#if defined(WOLFSSL_HAVE_SP_RSA) && defined(WOLFSSL_SP_NONBLOCK) && \
2310    defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SP_FAST_MODEXP) && \
2311    (!defined(WOLFSSL_RSA_PUBLIC_ONLY) || defined(WOLFSSL_HAVE_SP_DH))
2312    bits = mp_count_bits(&key->n);
2313#ifndef WOLFSSL_SP_NO_2048
2314    if (bits == 2048) {
2315        if (type == RSA_PUBLIC_ENCRYPT || type == RSA_PUBLIC_DECRYPT) {
2316            return sp_RsaPublic_2048_nb(&key->nb->sp_ctx, in, inLen,
2317                       &key->e, &key->n, out, outLen);
2318        }
2319    #if !defined(WOLFSSL_RSA_PUBLIC_ONLY) && \
2320        (defined(SP_RSA_PRIVATE_EXP_D) || defined(RSA_LOW_MEM))
2321        return sp_RsaPrivate_2048_nb(&key->nb->sp_ctx, in, inLen,
2322                   &key->d, &key->n, out, outLen);
2323    #endif
2324    }
2325#endif
2326#ifndef WOLFSSL_SP_NO_3072
2327    if (bits == 3072) {
2328        if (type == RSA_PUBLIC_ENCRYPT || type == RSA_PUBLIC_DECRYPT) {
2329            return sp_RsaPublic_3072_nb(&key->nb->sp_ctx, in, inLen,
2330                       &key->e, &key->n, out, outLen);
2331        }
2332    #if !defined(WOLFSSL_RSA_PUBLIC_ONLY) && \
2333        (defined(SP_RSA_PRIVATE_EXP_D) || defined(RSA_LOW_MEM))
2334        return sp_RsaPrivate_3072_nb(&key->nb->sp_ctx, in, inLen,
2335                   &key->d, &key->n, out, outLen);
2336    #endif
2337    }
2338#endif
2339#ifdef WOLFSSL_SP_4096
2340    if (bits == 4096) {
2341        if (type == RSA_PUBLIC_ENCRYPT || type == RSA_PUBLIC_DECRYPT) {
2342            return sp_RsaPublic_4096_nb(&key->nb->sp_ctx, in, inLen,
2343                       &key->e, &key->n, out, outLen);
2344        }
2345    #if !defined(WOLFSSL_RSA_PUBLIC_ONLY) && \
2346        (defined(SP_RSA_PRIVATE_EXP_D) || defined(RSA_LOW_MEM))
2347        return sp_RsaPrivate_4096_nb(&key->nb->sp_ctx, in, inLen,
2348                   &key->d, &key->n, out, outLen);
2349    #endif
2350    }
2351#endif
2352#endif /* SP nonblock RSA */
2353
2354#ifdef USE_FAST_MATH
2355    if (key->nb->exptmod.state == TFM_EXPTMOD_NB_INIT) {
2356        if (mp_init(&key->nb->tmp) != MP_OKAY) {
2357            ret = MP_INIT_E;
2358        }
2359
2360        if (ret == 0) {
2361            if (mp_read_unsigned_bin(&key->nb->tmp, (byte*)in, inLen) != MP_OKAY) {
2362                ret = MP_READ_E;
2363            }
2364        }
2365    }
2366
2367    if (ret == 0) {
2368        switch(type) {
2369#if !defined(WOLFSSL_RSA_PUBLIC_ONLY)
2370        case RSA_PRIVATE_DECRYPT:
2371        case RSA_PRIVATE_ENCRYPT:
2372            ret = fp_exptmod_nb(&key->nb->exptmod, &key->nb->tmp, &key->d,
2373                &key->n, &key->nb->tmp);
2374            if (ret == FP_WOULDBLOCK)
2375                return ret;
2376            if (ret != MP_OKAY)
2377                ret = MP_EXPTMOD_E;
2378            break;
2379#endif
2380        case RSA_PUBLIC_ENCRYPT:
2381        case RSA_PUBLIC_DECRYPT:
2382            ret = fp_exptmod_nb(&key->nb->exptmod, &key->nb->tmp, &key->e,
2383                &key->n, &key->nb->tmp);
2384            if (ret == FP_WOULDBLOCK)
2385                return ret;
2386            if (ret != MP_OKAY)
2387                ret = MP_EXPTMOD_E;
2388            break;
2389        default:
2390            ret = RSA_WRONG_TYPE_E;
2391            break;
2392        }
2393    }
2394
2395    if (ret == 0) {
2396        keyLen = wc_RsaEncryptSize(key);
2397        if (keyLen > *outLen)
2398            ret = RSA_BUFFER_E;
2399    }
2400    if (ret == 0) {
2401        len = mp_unsigned_bin_size(&key->nb->tmp);
2402
2403        /* pad front w/ zeros to match key length */
2404        while (len < keyLen) {
2405            *out++ = 0x00;
2406            len++;
2407        }
2408
2409        *outLen = keyLen;
2410
2411        /* convert */
2412        if (mp_to_unsigned_bin(&key->nb->tmp, out) != MP_OKAY) {
2413             ret = MP_TO_E;
2414        }
2415    }
2416
2417    mp_clear(&key->nb->tmp);
2418#else
2419    /* No non-blocking backend available for this build. The SP non-block
2420     * dispatch above only matches enabled key sizes; if we reach this
2421     * point the key is not 2048/3072/4096 (or SP RSA itself isn't built)
2422     * and TFM fastmath isn't compiled in either. */
2423    (void)in;
2424    (void)inLen;
2425    (void)out;
2426    (void)outLen;
2427    (void)type;
2428    ret = NOT_COMPILED_IN;
2429#endif /* USE_FAST_MATH */
2430
2431    return ret;
2432}
2433#endif /* WC_RSA_NONBLOCK */
2434
2435#ifdef WOLFSSL_XILINX_CRYPT
2436/*
2437 * Xilinx hardened crypto acceleration.
2438 *
2439 * Returns 0 on success and negative values on error.
2440 */
2441static int wc_RsaFunctionSync(const byte* in, word32 inLen, byte* out,
2442                          word32* outLen, int type, RsaKey* key, WC_RNG* rng)
2443{
2444    int    ret = 0;
2445    word32 keyLen;
2446    (void)rng;
2447
2448    keyLen = wc_RsaEncryptSize(key);
2449    if (keyLen > *outLen) {
2450        WOLFSSL_MSG("Output buffer is not big enough");
2451        return BAD_FUNC_ARG;
2452    }
2453
2454    if (inLen != keyLen) {
2455        WOLFSSL_MSG("Expected that inLen equals RSA key length");
2456        return BAD_FUNC_ARG;
2457    }
2458
2459    switch(type) {
2460    case RSA_PRIVATE_DECRYPT:
2461    case RSA_PRIVATE_ENCRYPT:
2462    #ifdef WOLFSSL_XILINX_CRYPTO_OLD
2463        /* Currently public exponent is loaded by default.
2464         * In SDK 2017.1 RSA exponent values are expected to be of 4 bytes
2465         * leading to private key operations with Xsecure_RsaDecrypt not being
2466         * supported */
2467        ret = RSA_WRONG_TYPE_E;
2468    #else
2469        {
2470            byte *d;
2471            int dSz;
2472#if !defined(WOLFSSL_XILINX_CRYPT_VERSAL)
2473            XSecure_Rsa rsa;
2474#endif
2475
2476#if defined(WOLFSSL_XILINX_CRYPT_VERSAL)
2477            dSz = WOLFSSL_XSECURE_RSA_KEY_SIZE * 2;
2478#else
2479            dSz = mp_unsigned_bin_size(&key->d);
2480#endif
2481            d = (byte*)XMALLOC(dSz, key->heap, DYNAMIC_TYPE_PRIVATE_KEY);
2482            if (d == NULL) {
2483                ret = MEMORY_E;
2484            } else {
2485#if defined(WOLFSSL_XILINX_CRYPT_VERSAL)
2486                XMEMSET(d, 0, dSz);
2487                XMEMCPY(d, key->mod, key->mSz);
2488                ret = mp_to_unsigned_bin(&key->d, &d[WOLFSSL_XSECURE_RSA_KEY_SIZE]);
2489#else
2490                ret = mp_to_unsigned_bin(&key->d, d);
2491                XSecure_RsaInitialize(&rsa, key->mod, NULL, d);
2492#endif
2493            }
2494
2495            if (ret == 0) {
2496#if defined(WOLFSSL_XILINX_CRYPT_VERSAL)
2497                WOLFSSL_XIL_DCACHE_FLUSH_RANGE((UINTPTR)d, dSz);
2498                WOLFSSL_XIL_DCACHE_FLUSH_RANGE((UINTPTR)in, inLen);
2499                if (XSecure_RsaPrivateDecrypt(&(key->xSec.cinst), XIL_CAST_U64(d),
2500                                              XIL_CAST_U64(in), inLen,
2501                                              XIL_CAST_U64(out)) != XST_SUCCESS) {
2502                    ret = BAD_STATE_E;
2503                }
2504                WOLFSSL_XIL_DCACHE_FLUSH_RANGE((UINTPTR)out, inLen);
2505#else
2506                if (XSecure_RsaPrivateDecrypt(&rsa, (u8*)in, inLen, out) !=
2507                        XST_SUCCESS) {
2508                    ret = BAD_STATE_E;
2509                }
2510#endif
2511            }
2512
2513            if (d != NULL)
2514                ForceZero(d, dSz);
2515            XFREE(d, key->heap, DYNAMIC_TYPE_PRIVATE_KEY);
2516        }
2517    #endif
2518        break;
2519    case RSA_PUBLIC_ENCRYPT:
2520    case RSA_PUBLIC_DECRYPT:
2521#if defined(WOLFSSL_XILINX_CRYPT_VERSAL)
2522        WOLFSSL_XIL_DCACHE_FLUSH_RANGE((UINTPTR)key->mod,
2523                                       WOLFSSL_XSECURE_RSA_KEY_SIZE + 4);
2524        WOLFSSL_XIL_DCACHE_FLUSH_RANGE((UINTPTR)in, inLen);
2525        if (XSecure_RsaPublicEncrypt(&(key->xSec.cinst),
2526                                     XIL_CAST_U64(key->mod),
2527                                     XIL_CAST_U64(in), inLen,
2528                                     XIL_CAST_U64(out))) {
2529            WOLFSSL_MSG("RSA public operation failed");
2530            ret = BAD_STATE_E;
2531        }
2532        WOLFSSL_XIL_DCACHE_FLUSH_RANGE((UINTPTR)out, inLen);
2533#elif defined(WOLFSSL_XILINX_CRYPTO_OLD)
2534        if (XSecure_RsaDecrypt(&(key->xRsa), in, out) != XST_SUCCESS) {
2535            ret = BAD_STATE_E;
2536        }
2537#else
2538        /* starting at Xilinx release 2019 the function XSecure_RsaDecrypt was removed */
2539        if (XSecure_RsaPublicEncrypt(&(key->xRsa), (u8*)in, inLen, out) != XST_SUCCESS) {
2540            WOLFSSL_MSG("Error happened when calling hardware RSA public operation");
2541            ret = BAD_STATE_E;
2542        }
2543#endif
2544        break;
2545    default:
2546        ret = RSA_WRONG_TYPE_E;
2547    }
2548
2549    *outLen = keyLen;
2550
2551    return ret;
2552}
2553
2554#elif defined(WOLFSSL_AFALG_XILINX_RSA)
2555#ifndef ERROR_OUT
2556#define ERROR_OUT(x) ret = (x); goto done
2557#endif
2558
2559static const char WC_TYPE_ASYMKEY[] = "skcipher";
2560static const char WC_NAME_RSA[] = "xilinx-zynqmp-rsa";
2561#ifndef MAX_XILINX_RSA_KEY
2562    /* max key size of 4096 bits / 512 bytes */
2563    #define MAX_XILINX_RSA_KEY 512
2564#endif
2565static const byte XILINX_RSA_FLAG[] = {0x1};
2566
2567
2568/* AF_ALG implementation of RSA */
2569static int wc_RsaFunctionSync(const byte* in, word32 inLen, byte* out,
2570                          word32* outLen, int type, RsaKey* key, WC_RNG* rng)
2571{
2572    struct msghdr   msg;
2573    struct cmsghdr* cmsg;
2574    struct iovec      iov;
2575    byte*  keyBuf   = NULL;
2576    word32 keyBufSz = 0;
2577    char cbuf[CMSG_SPACE(4) + CMSG_SPACE(sizeof(struct af_alg_iv) + 1)] = {0};
2578    int    ret = 0;
2579    int    op  = 0;    /* decryption vs encryption flag */
2580    word32 keyLen;
2581
2582    /* input and output buffer need to be aligned */
2583    ALIGN64 byte outBuf[MAX_XILINX_RSA_KEY];
2584    ALIGN64 byte inBuf[MAX_XILINX_RSA_KEY];
2585
2586    XMEMSET(&msg, 0, sizeof(struct msghdr));
2587    (void)rng;
2588
2589    keyLen = wc_RsaEncryptSize(key);
2590    if (keyLen > *outLen) {
2591        ERROR_OUT(RSA_BUFFER_E);
2592    }
2593
2594    if (keyLen > MAX_XILINX_RSA_KEY) {
2595        WOLFSSL_MSG("RSA key size larger than supported");
2596        ERROR_OUT(BAD_FUNC_ARG);
2597    }
2598
2599    if (inLen != keyLen) {
2600        WOLFSSL_MSG("Expected that inLen equals RSA key length");
2601        ERROR_OUT(BAD_FUNC_ARG);
2602    }
2603
2604    if ((keyBuf = (byte*)XMALLOC(keyLen * 2, key->heap, DYNAMIC_TYPE_KEY))
2605            == NULL) {
2606        ERROR_OUT(MEMORY_E);
2607    }
2608
2609    if ((ret = mp_to_unsigned_bin(&(key->n), keyBuf)) != MP_OKAY) {
2610        ERROR_OUT(MP_TO_E);
2611    }
2612
2613    switch(type) {
2614        case RSA_PRIVATE_DECRYPT:
2615        case RSA_PRIVATE_ENCRYPT:
2616            op = 1; /* set as decrypt */
2617            {
2618                keyBufSz = mp_unsigned_bin_size(&(key->d));
2619                if ((mp_to_unsigned_bin(&(key->d), keyBuf + keyLen))
2620                        != MP_OKAY) {
2621                    ERROR_OUT(MP_TO_E);
2622                }
2623            #ifdef WOLFSSL_CHECK_MEM_ZERO
2624                /* Seed must be zeroized now that it has been used. */
2625                wc_MemZero_Add("RSA Sync Priv Enc/Dec keyBuf", keyBuf + keyLen,
2626                    keyBufSz);
2627            #endif
2628            }
2629            break;
2630
2631        case RSA_PUBLIC_DECRYPT:
2632        case RSA_PUBLIC_ENCRYPT: {
2633            word32 exp = 0;
2634            word32 eSz = mp_unsigned_bin_size(&(key->e));
2635            if ((mp_to_unsigned_bin(&(key->e), (byte*)&exp +
2636                            (sizeof(word32) - eSz))) != MP_OKAY) {
2637                ERROR_OUT(MP_TO_E);
2638            }
2639            keyBufSz = sizeof(word32);
2640            XMEMCPY(keyBuf + keyLen, (byte*)&exp, keyBufSz);
2641            break;
2642        }
2643
2644        default:
2645            ERROR_OUT(RSA_WRONG_TYPE_E);
2646    }
2647    keyBufSz += keyLen; /* add size of modulus */
2648
2649    /* check for existing sockets before creating new ones */
2650    if (key->alFd > 0) {
2651        close(key->alFd);
2652        key->alFd = WC_SOCK_NOTSET;
2653    }
2654    if (key->rdFd > 0) {
2655        close(key->rdFd);
2656        key->rdFd = WC_SOCK_NOTSET;
2657    }
2658
2659    /* create new sockets and set the key to use */
2660    if ((key->alFd = wc_Afalg_Socket()) < 0) {
2661        WOLFSSL_MSG("Unable to create socket");
2662        ERROR_OUT(key->alFd);
2663    }
2664    if ((key->rdFd = wc_Afalg_CreateRead(key->alFd, WC_TYPE_ASYMKEY,
2665                    WC_NAME_RSA)) < 0) {
2666        WOLFSSL_MSG("Unable to bind and create read/send socket");
2667        ERROR_OUT(key->rdFd);
2668    }
2669    if ((ret = setsockopt(key->alFd, SOL_ALG, ALG_SET_KEY, keyBuf,
2670                    keyBufSz)) < 0) {
2671        WOLFSSL_MSG("Error setting RSA key");
2672        ERROR_OUT(ret);
2673    }
2674
2675    msg.msg_control    = cbuf;
2676    msg.msg_controllen = sizeof(cbuf);
2677    cmsg = CMSG_FIRSTHDR(&msg);
2678    if ((ret = wc_Afalg_SetOp(cmsg, op)) < 0) {
2679        ERROR_OUT(ret);
2680    }
2681
2682    /* set flag in IV spot, needed for Xilinx hardware acceleration use */
2683    cmsg = CMSG_NXTHDR(&msg, cmsg);
2684    if ((ret = wc_Afalg_SetIv(cmsg, (byte*)XILINX_RSA_FLAG,
2685                    sizeof(XILINX_RSA_FLAG))) != 0) {
2686        ERROR_OUT(ret);
2687    }
2688
2689    /* compose and send msg */
2690    XMEMCPY(inBuf, (byte*)in, inLen); /* for alignment */
2691    iov.iov_base = inBuf;
2692    iov.iov_len  = inLen;
2693    msg.msg_iov  = &iov;
2694    msg.msg_iovlen = 1;
2695    if ((ret = sendmsg(key->rdFd, &msg, 0)) <= 0) {
2696        ERROR_OUT(WC_AFALG_SOCK_E);
2697    }
2698
2699    if ((ret = read(key->rdFd, outBuf, inLen)) <= 0) {
2700        ERROR_OUT(WC_AFALG_SOCK_E);
2701    }
2702    XMEMCPY(out, outBuf, ret);
2703    *outLen = keyLen;
2704
2705done:
2706    /* clear key data and free buffer */
2707    if (keyBuf != NULL) {
2708        ForceZero(keyBuf, keyBufSz);
2709    }
2710    XFREE(keyBuf, key->heap, DYNAMIC_TYPE_KEY);
2711
2712    if (key->alFd > 0) {
2713        close(key->alFd);
2714        key->alFd = WC_SOCK_NOTSET;
2715    }
2716    if (key->rdFd > 0) {
2717        close(key->rdFd);
2718        key->rdFd = WC_SOCK_NOTSET;
2719    }
2720
2721    return ret;
2722}
2723
2724#elif defined(WOLFSSL_KCAPI_RSA)
2725static int wc_RsaFunctionSync(const byte* in, word32 inLen, byte* out,
2726                              word32* outLen, int type, RsaKey* key,
2727                              WC_RNG* rng)
2728{
2729    int ret;
2730
2731    (void)rng;
2732
2733    switch(type) {
2734        case RSA_PRIVATE_DECRYPT:
2735        case RSA_PRIVATE_ENCRYPT:
2736            ret = KcapiRsa_Decrypt(key, in, inLen, out, outLen);
2737            break;
2738
2739        case RSA_PUBLIC_DECRYPT:
2740        case RSA_PUBLIC_ENCRYPT:
2741            ret = KcapiRsa_Encrypt(key, in, inLen, out, outLen);
2742            break;
2743
2744        default:
2745            ret = RSA_WRONG_TYPE_E;
2746    }
2747
2748    return ret;
2749}
2750
2751#else
2752#ifndef WOLF_CRYPTO_CB_ONLY_RSA
2753#ifdef WOLFSSL_HAVE_SP_RSA
2754static int RsaFunction_SP(const byte* in, word32 inLen, byte* out,
2755    word32* outLen, int type, RsaKey* key, WC_RNG* rng)
2756{
2757    (void)rng;
2758
2759#ifndef WOLFSSL_SP_NO_2048
2760    if (mp_count_bits(&key->n) == 2048) {
2761        switch(type) {
2762#ifndef WOLFSSL_RSA_PUBLIC_ONLY
2763        case RSA_PRIVATE_DECRYPT:
2764        case RSA_PRIVATE_ENCRYPT:
2765    #ifdef WC_RSA_BLINDING
2766            if (rng == NULL)
2767                return MISSING_RNG_E;
2768    #endif
2769    #ifndef RSA_LOW_MEM
2770            if ((mp_count_bits(&key->p) == 1024) &&
2771                    (mp_count_bits(&key->q) == 1024) &&
2772                    (mp_count_bits(&key->dP) > 0) &&
2773                    (mp_count_bits(&key->dQ) > 0) &&
2774                    (mp_count_bits(&key->u) > 0)) {
2775                return sp_RsaPrivate_2048(in, inLen, &key->d, &key->p, &key->q,
2776                                          &key->dP, &key->dQ, &key->u, &key->n,
2777                                          out, outLen);
2778            }
2779            break;
2780    #else
2781            return sp_RsaPrivate_2048(in, inLen, &key->d, NULL, NULL, NULL,
2782                                      NULL, NULL, &key->n, out, outLen);
2783    #endif
2784#endif
2785        case RSA_PUBLIC_ENCRYPT:
2786        case RSA_PUBLIC_DECRYPT:
2787            return sp_RsaPublic_2048(in, inLen, &key->e, &key->n, out, outLen);
2788        default:
2789            break;
2790        }
2791    }
2792#endif
2793#ifndef WOLFSSL_SP_NO_3072
2794    if (mp_count_bits(&key->n) == 3072) {
2795        switch(type) {
2796#ifndef WOLFSSL_RSA_PUBLIC_ONLY
2797        case RSA_PRIVATE_DECRYPT:
2798        case RSA_PRIVATE_ENCRYPT:
2799    #ifdef WC_RSA_BLINDING
2800            if (rng == NULL)
2801                return MISSING_RNG_E;
2802    #endif
2803    #ifndef RSA_LOW_MEM
2804            if ((mp_count_bits(&key->p) == 1536) &&
2805                    (mp_count_bits(&key->q) == 1536) &&
2806                    (mp_count_bits(&key->dP) > 0) &&
2807                    (mp_count_bits(&key->dQ) > 0) &&
2808                    (mp_count_bits(&key->u) > 0)) {
2809                return sp_RsaPrivate_3072(in, inLen, &key->d, &key->p, &key->q,
2810                                          &key->dP, &key->dQ, &key->u, &key->n,
2811                                          out, outLen);
2812            }
2813            break;
2814    #else
2815            return sp_RsaPrivate_3072(in, inLen, &key->d, NULL, NULL, NULL,
2816                                      NULL, NULL, &key->n, out, outLen);
2817    #endif
2818#endif
2819        case RSA_PUBLIC_ENCRYPT:
2820        case RSA_PUBLIC_DECRYPT:
2821            return sp_RsaPublic_3072(in, inLen, &key->e, &key->n, out, outLen);
2822        default:
2823            break;
2824        }
2825    }
2826#endif
2827#ifdef WOLFSSL_SP_4096
2828    if (mp_count_bits(&key->n) == 4096) {
2829        switch(type) {
2830#ifndef WOLFSSL_RSA_PUBLIC_ONLY
2831        case RSA_PRIVATE_DECRYPT:
2832        case RSA_PRIVATE_ENCRYPT:
2833    #ifdef WC_RSA_BLINDING
2834            if (rng == NULL)
2835                return MISSING_RNG_E;
2836    #endif
2837    #ifndef RSA_LOW_MEM
2838            if ((mp_count_bits(&key->p) == 2048) &&
2839                    (mp_count_bits(&key->q) == 2048) &&
2840                    (mp_count_bits(&key->dP) > 0) &&
2841                    (mp_count_bits(&key->dQ) > 0) &&
2842                    (mp_count_bits(&key->u) > 0)) {
2843                return sp_RsaPrivate_4096(in, inLen, &key->d, &key->p, &key->q,
2844                                          &key->dP, &key->dQ, &key->u, &key->n,
2845                                          out, outLen);
2846            }
2847            break;
2848    #else
2849            return sp_RsaPrivate_4096(in, inLen, &key->d, NULL, NULL, NULL,
2850                                      NULL, NULL, &key->n, out, outLen);
2851    #endif
2852#endif
2853        case RSA_PUBLIC_ENCRYPT:
2854        case RSA_PUBLIC_DECRYPT:
2855            return sp_RsaPublic_4096(in, inLen, &key->e, &key->n, out, outLen);
2856        default:
2857            break;
2858        }
2859    }
2860#endif
2861
2862    /* SP not able to do operation. */
2863    return WC_KEY_SIZE_E;
2864}
2865#endif
2866
2867#if !defined(WOLFSSL_SP_MATH)
2868#if !defined(WOLFSSL_RSA_PUBLIC_ONLY) && !defined(WOLFSSL_RSA_VERIFY_ONLY)
2869static int RsaFunctionPrivate(mp_int* tmp, RsaKey* key, WC_RNG* rng)
2870{
2871    int    ret = 0;
2872#if defined(WC_RSA_BLINDING) && !defined(WC_NO_RNG)
2873    mp_digit mp = 0;
2874    DECL_MP_INT_SIZE_DYN(rnd, mp_bitsused(&key->n), RSA_MAX_SIZE);
2875    DECL_MP_INT_SIZE_DYN(rndi, mp_bitsused(&key->n), RSA_MAX_SIZE);
2876#endif /* WC_RSA_BLINDING && !WC_NO_RNG */
2877
2878    (void)rng;
2879
2880#if defined(WC_RSA_BLINDING) && !defined(WC_NO_RNG)
2881    NEW_MP_INT_SIZE(rnd, mp_bitsused(&key->n), key->heap, DYNAMIC_TYPE_RSA);
2882    NEW_MP_INT_SIZE(rndi, mp_bitsused(&key->n), key->heap, DYNAMIC_TYPE_RSA);
2883#ifdef MP_INT_SIZE_CHECK_NULL
2884    if ((rnd == NULL) || (rndi == NULL)) {
2885        FREE_MP_INT_SIZE(rnd, key->heap, DYNAMIC_TYPE_RSA);
2886        FREE_MP_INT_SIZE(rndi, key->heap, DYNAMIC_TYPE_RSA);
2887        return MEMORY_E;
2888    }
2889#endif
2890
2891    if ((INIT_MP_INT_SIZE(rnd, mp_bitsused(&key->n)) != MP_OKAY) ||
2892            (INIT_MP_INT_SIZE(rndi, mp_bitsused(&key->n)) != MP_OKAY)) {
2893        ret = MP_INIT_E;
2894    }
2895
2896    if (ret == 0) {
2897        /* blind */
2898        ret = mp_rand(rnd, mp_get_digit_count(&key->n), rng);
2899    }
2900    if (ret == 0) {
2901        /* rndi = 1/rnd mod n */
2902        if (mp_invmod(rnd, &key->n, rndi) != MP_OKAY) {
2903            ret = MP_INVMOD_E;
2904        }
2905    }
2906    if (ret == 0) {
2907    #ifdef WOLFSSL_CHECK_MEM_ZERO
2908        mp_memzero_add("RSA Private rnd", rnd);
2909        mp_memzero_add("RSA Private rndi", rndi);
2910    #endif
2911
2912        /* rnd = rnd^e */
2913    #ifndef WOLFSSL_SP_MATH_ALL
2914        if (mp_exptmod(rnd, &key->e, &key->n, rnd) != MP_OKAY) {
2915            ret = MP_EXPTMOD_E;
2916        }
2917    #else
2918        if (mp_exptmod_nct(rnd, &key->e, &key->n, rnd) != MP_OKAY) {
2919            ret = MP_EXPTMOD_E;
2920        }
2921    #endif
2922    }
2923
2924    if (ret == 0) {
2925        /* tmp = tmp*rnd mod n */
2926        if (mp_mulmod(tmp, rnd, &key->n, tmp) != MP_OKAY) {
2927            ret = MP_MULMOD_E;
2928        }
2929    }
2930#endif /* WC_RSA_BLINDING && !WC_NO_RNG */
2931
2932#ifdef RSA_LOW_MEM      /* half as much memory but twice as slow */
2933    if (ret == 0) {
2934        if (mp_exptmod(tmp, &key->d, &key->n, tmp) != MP_OKAY) {
2935            ret = MP_EXPTMOD_E;
2936        }
2937    }
2938#else
2939    if (ret == 0 && (mp_iszero(&key->p) || mp_iszero(&key->q) ||
2940            mp_iszero(&key->dP) || mp_iszero(&key->dQ) || mp_iszero(&key->u))) {
2941        if (mp_exptmod(tmp, &key->d, &key->n, tmp) != MP_OKAY) {
2942            ret = MP_EXPTMOD_E;
2943        }
2944    }
2945    else if (ret == 0) {
2946        mp_int* tmpa = tmp;
2947#if defined(WC_RSA_BLINDING) && !defined(WC_NO_RNG)
2948        mp_int* tmpb = rnd;
2949#else
2950        DECL_MP_INT_SIZE_DYN(tmpb, mp_bitsused(&key->n), RSA_MAX_SIZE);
2951#endif
2952
2953#if !defined(WC_RSA_BLINDING) || defined(WC_NO_RNG)
2954        NEW_MP_INT_SIZE(tmpb, mp_bitsused(&key->n), key->heap,
2955            DYNAMIC_TYPE_RSA);
2956    #ifdef MP_INT_SIZE_CHECK_NULL
2957        if (tmpb == NULL) {
2958            ret = MEMORY_E;
2959        }
2960    #endif
2961        if ((ret == 0) && INIT_MP_INT_SIZE(tmpb, mp_bitsused(&key->n)) !=
2962                MP_OKAY) {
2963            ret = MP_INIT_E;
2964        }
2965#endif
2966
2967    #ifdef WOLFSSL_CHECK_MEM_ZERO
2968        if (ret == 0) {
2969            mp_memzero_add("RSA Sync tmpb", tmpb);
2970        }
2971    #endif
2972
2973        /* tmpb = tmp^dQ mod q */
2974        if (ret == 0 && mp_exptmod(tmp, &key->dQ, &key->q, tmpb) != MP_OKAY)
2975            ret = MP_EXPTMOD_E;
2976
2977        /* tmpa = tmp^dP mod p */
2978        if (ret == 0 && mp_exptmod(tmp, &key->dP, &key->p, tmpa) != MP_OKAY)
2979            ret = MP_EXPTMOD_E;
2980
2981        /* tmp = (tmp - tmpb) * qInv (mod p) */
2982    #if (defined(WOLFSSL_SP_MATH) || (defined(WOLFSSL_SP_MATH_ALL)) && \
2983                                              !defined(WOLFSSL_SP_INT_NEGATIVE))
2984        if (ret == 0 && mp_submod(tmpa, tmpb, &key->p, tmp) != MP_OKAY)
2985            ret = MP_SUB_E;
2986    #else
2987        if (ret == 0 && mp_sub(tmpa, tmpb, tmp) != MP_OKAY)
2988            ret = MP_SUB_E;
2989    #endif
2990
2991        if (ret == 0 && mp_mulmod(tmp, &key->u, &key->p, tmp) != MP_OKAY)
2992            ret = MP_MULMOD_E;
2993
2994        /* tmp = tmpb + q * tmp */
2995        if (ret == 0 && mp_mul(tmp, &key->q, tmp) != MP_OKAY)
2996            ret = MP_MUL_E;
2997
2998        if (ret == 0 && mp_add(tmp, tmpb, tmp) != MP_OKAY)
2999            ret = MP_ADD_E;
3000
3001#if !defined(WC_RSA_BLINDING) || defined(WC_NO_RNG)
3002        mp_forcezero(tmpb);
3003        FREE_MP_INT_SIZE(tmpb, key->heap, DYNAMIC_TYPE_RSA);
3004    #if !defined(MP_INT_SIZE_CHECK_NULL) && defined(WOLFSSL_CHECK_MEM_ZERO)
3005        mp_memzero_check(tmpb);
3006    #endif
3007#endif
3008    }
3009#endif   /* RSA_LOW_MEM */
3010
3011#if defined(WC_RSA_BLINDING) && !defined(WC_NO_RNG)
3012    /* Multiply result (tmp) by blinding invertor (rndi).
3013     * Use Montgomery form to make operation more constant time.
3014     */
3015    if ((ret == 0) && (mp_montgomery_setup(&key->n, &mp) != MP_OKAY)) {
3016        ret = MP_MULMOD_E;
3017    }
3018    if ((ret == 0) && (mp_montgomery_calc_normalization(rnd, &key->n) !=
3019            MP_OKAY)) {
3020        ret = MP_MULMOD_E;
3021    }
3022    /* Convert blinding invert to Montgomery form. */
3023    if ((ret == 0) && (mp_mul(rndi, rnd, rndi) != MP_OKAY)) {
3024        ret = MP_MULMOD_E;
3025    }
3026    if ((ret == 0) && (mp_mod(rndi, &key->n, rndi) != MP_OKAY)) {
3027        ret = MP_MULMOD_E;
3028    }
3029    /* Multiply result by blinding invert. */
3030    if ((ret == 0) && (mp_mul(tmp, rndi, tmp) != MP_OKAY)) {
3031        ret = MP_MULMOD_E;
3032    }
3033    /* Reduce result. */
3034    if ((ret == 0) && (mp_montgomery_reduce_ct(tmp, &key->n, mp) != MP_OKAY)) {
3035        ret = MP_MULMOD_E;
3036    }
3037
3038    mp_forcezero(rndi);
3039    mp_forcezero(rnd);
3040    FREE_MP_INT_SIZE(rndi, key->heap, DYNAMIC_TYPE_RSA);
3041    FREE_MP_INT_SIZE(rnd, key->heap, DYNAMIC_TYPE_RSA);
3042#if !defined(MP_INT_SIZE_CHECK_NULL) && defined(WOLFSSL_CHECK_MEM_ZERO)
3043    mp_memzero_check(rnd);
3044    mp_memzero_check(rndi);
3045#endif
3046#endif /* WC_RSA_BLINDING && !WC_NO_RNG */
3047    return ret;
3048}
3049#endif
3050
3051static int RsaFunctionSync(const byte* in, word32 inLen, byte* out,
3052    word32* outLen, int type, RsaKey* key, WC_RNG* rng)
3053{
3054    DECL_MP_INT_SIZE_DYN(tmp, mp_bitsused(&key->n), RSA_MAX_SIZE);
3055    int    ret = 0;
3056
3057    (void)rng;
3058
3059    NEW_MP_INT_SIZE(tmp, mp_bitsused(&key->n), key->heap, DYNAMIC_TYPE_RSA);
3060#ifdef MP_INT_SIZE_CHECK_NULL
3061    if (tmp == NULL) {
3062        WOLFSSL_MSG("NEW_MP_INT_SIZE tmp is NULL, return MEMORY_E");
3063        return MEMORY_E;
3064    }
3065#endif
3066
3067    if (INIT_MP_INT_SIZE(tmp, mp_bitsused(&key->n)) != MP_OKAY) {
3068        WOLFSSL_MSG("INIT_MP_INT_SIZE failed.");
3069        ret = MP_INIT_E;
3070    }
3071
3072#ifndef TEST_UNPAD_CONSTANT_TIME
3073    if (ret == 0 && mp_read_unsigned_bin(tmp, in, inLen) != MP_OKAY)
3074        ret = MP_READ_E;
3075
3076#ifdef WOLFSSL_CHECK_MEM_ZERO
3077    if (ret == 0) {
3078        mp_memzero_add("RSA sync tmp", tmp);
3079    }
3080#endif
3081
3082    if (ret == 0) {
3083        switch(type) {
3084    #if !defined(WOLFSSL_RSA_PUBLIC_ONLY) && !defined(WOLFSSL_RSA_VERIFY_ONLY)
3085        case RSA_PRIVATE_DECRYPT:
3086        case RSA_PRIVATE_ENCRYPT:
3087        {
3088            ret = RsaFunctionPrivate(tmp, key, rng);
3089            break;
3090        }
3091    #endif
3092        case RSA_PUBLIC_ENCRYPT:
3093        case RSA_PUBLIC_DECRYPT:
3094            if (mp_exptmod_nct(tmp, &key->e, &key->n, tmp) != MP_OKAY) {
3095                WOLFSSL_MSG_CERT_LOG("mp_exptmod_nct failed");
3096                ret = MP_EXPTMOD_E;
3097            }
3098            break;
3099        default:
3100            ret = RSA_WRONG_TYPE_E;
3101            break;
3102        }
3103    }
3104
3105    if (ret == 0) {
3106        WOLFSSL_MSG("mp_to_unsigned_bin_len_ct...");
3107        if (mp_to_unsigned_bin_len_ct(tmp, out, (int)*outLen) != MP_OKAY) {
3108            WOLFSSL_MSG("mp_to_unsigned_bin_len_ct failed");
3109            ret = MP_TO_E;
3110        }
3111    }
3112#ifdef WOLFSSL_RSA_CHECK_D_ON_DECRYPT
3113    if ((ret == 0) && (type == RSA_PRIVATE_DECRYPT)) {
3114        mp_sub(&key->n, &key->p, tmp);
3115        mp_sub(tmp, &key->q, tmp);
3116        mp_add_d(tmp, 1, tmp);
3117        mp_mulmod(&key->d, &key->e, tmp, tmp);
3118        if (!mp_isone(tmp)) {
3119            ret = MP_EXPTMOD_E;
3120        }
3121    }
3122#endif
3123#else
3124    (void)type;
3125    (void)key;
3126    XMEMCPY(out, in, inLen);
3127#endif
3128
3129    mp_forcezero(tmp);
3130    FREE_MP_INT_SIZE(tmp, key->heap, DYNAMIC_TYPE_RSA);
3131#if !defined(MP_INT_SIZE_CHECK_NULL) && defined(WOLFSSL_CHECK_MEM_ZERO)
3132    mp_memzero_check(tmp);
3133#endif
3134    return ret;
3135}
3136#endif /* !WOLFSSL_SP_MATH */
3137
3138static int wc_RsaFunctionSync(const byte* in, word32 inLen, byte* out,
3139                          word32* outLen, int type, RsaKey* key, WC_RNG* rng)
3140{
3141    int ret;
3142    word32 keyLen;
3143
3144    ret = wc_RsaEncryptSize(key);
3145    if (ret < 0) {
3146#ifdef DEBUG_WOLFSSL
3147        WOLFSSL_MSG_EX("wc_RsaEncryptSize failed err = %d", ret);
3148#endif
3149        return ret;
3150    }
3151    keyLen = (word32)ret;
3152
3153    if (inLen > keyLen) {
3154        WOLFSSL_MSG("Expected that inLen be no longer RSA key length");
3155        return BAD_FUNC_ARG;
3156    }
3157    if (keyLen > *outLen) {
3158        WOLFSSL_MSG("Expected that outLen be no shorter RSA key length");
3159        return RSA_BUFFER_E;
3160    }
3161
3162    if (mp_iseven(&key->n)) {
3163        WOLFSSL_MSG("MP_VAL is even");
3164        return MP_VAL;
3165    }
3166
3167#if defined(WOLFSSL_NXP_CASPER_RSA_PUB_EXPTMOD)
3168    if (type == RSA_PUBLIC_DECRYPT || type == RSA_PUBLIC_ENCRYPT) {
3169        ret = casper_rsa_public_exptmod(in, inLen, out, outLen, key);
3170        if (ret == 0)
3171            return MP_OKAY;
3172        /* else fall through for software fallback */
3173    }
3174#endif
3175
3176#ifdef WOLFSSL_HAVE_SP_RSA
3177    ret = RsaFunction_SP(in, inLen, out, outLen, type, key, rng);
3178    if (ret != WC_NO_ERR_TRACE(WC_KEY_SIZE_E))
3179        return ret;
3180#endif /* WOLFSSL_HAVE_SP_RSA */
3181
3182#if defined(WOLFSSL_SP_MATH)
3183    (void)rng;
3184#ifndef WOLFSSL_HAVE_SP_RSA
3185    (void)in;
3186    (void)inLen;
3187    (void)out;
3188    (void)outLen;
3189    (void)type;
3190    (void)key;
3191    #error RSA SP option invalid (enable WOLFSSL_HAVE_SP_RSA or disable WOLFSSL_SP_MATH)
3192    return NOT_COMPILED_IN;
3193#else
3194    WOLFSSL_MSG("SP Key Size Error");
3195    return WC_KEY_SIZE_E;
3196#endif
3197#else
3198    *outLen = keyLen;
3199    return RsaFunctionSync(in, inLen, out, outLen, type, key, rng);
3200#endif /* WOLFSSL_SP_MATH */
3201} /* wc_RsaFunctionSync */
3202#endif /* WOLF_CRYPTO_CB_ONLY_RSA */
3203#endif
3204
3205#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_RSA)
3206static int wc_RsaFunctionAsync(const byte* in, word32 inLen, byte* out,
3207                          word32* outLen, int type, RsaKey* key, WC_RNG* rng)
3208{
3209    int ret = 0;
3210
3211    (void)rng;
3212
3213#ifdef WOLFSSL_ASYNC_CRYPT_SW
3214    if (wc_AsyncSwInit(&key->asyncDev, ASYNC_SW_RSA_FUNC)) {
3215        WC_ASYNC_SW* sw = &key->asyncDev.sw;
3216        sw->rsaFunc.in = in;
3217        sw->rsaFunc.inSz = inLen;
3218        sw->rsaFunc.out = out;
3219        sw->rsaFunc.outSz = outLen;
3220        sw->rsaFunc.type = type;
3221        sw->rsaFunc.key = key;
3222        sw->rsaFunc.rng = rng;
3223        return WC_PENDING_E;
3224    }
3225#endif /* WOLFSSL_ASYNC_CRYPT_SW */
3226
3227#ifdef WC_RSA_NONBLOCK
3228    /* When a non-blocking context is attached and the SP nonblock backend
3229     * is available, drive the chunked state machine here. wolfAsync_DoSw
3230     * (line "if (ret == FP_WOULDBLOCK) ret = WC_PENDING_E;" at the bottom
3231     * of the SW switch in wolfcrypt/src/async.c, FP_WOULDBLOCK aliases
3232     * MP_WOULDBLOCK) translates per-yield MP_WOULDBLOCK into WC_PENDING_E
3233     * so the TLS / async event loop can drive the operation to completion. */
3234    if (key->nb != NULL) {
3235        return wc_RsaFunctionNonBlock(in, inLen, out, outLen, type, key);
3236    }
3237#endif
3238
3239    switch (type) {
3240#ifndef WOLFSSL_RSA_PUBLIC_ONLY
3241    case RSA_PRIVATE_DECRYPT:
3242    case RSA_PRIVATE_ENCRYPT:
3243    #ifdef HAVE_CAVIUM
3244        key->dataLen = key->n.raw.len;
3245        ret = NitroxRsaExptMod(in, inLen,
3246                               key->d.raw.buf, key->d.raw.len,
3247                               key->n.raw.buf, key->n.raw.len,
3248                               out, outLen, key);
3249    #elif defined(HAVE_INTEL_QA)
3250        #ifdef RSA_LOW_MEM
3251            ret = IntelQaRsaPrivate(&key->asyncDev, in, inLen,
3252                                    &key->d.raw, &key->n.raw,
3253                                    out, outLen);
3254        #else
3255            ret = IntelQaRsaCrtPrivate(&key->asyncDev, in, inLen,
3256                                &key->p.raw, &key->q.raw,
3257                                &key->dP.raw, &key->dQ.raw,
3258                                &key->u.raw,
3259                                out, outLen);
3260        #endif
3261    #else
3262        ret = wc_RsaFunctionSync(in, inLen, out, outLen, type, key, rng);
3263    #endif
3264        break;
3265#endif
3266
3267    case RSA_PUBLIC_ENCRYPT:
3268    case RSA_PUBLIC_DECRYPT:
3269    #ifdef HAVE_CAVIUM
3270        key->dataLen = key->n.raw.len;
3271        ret = NitroxRsaExptMod(in, inLen,
3272                               key->e.raw.buf, key->e.raw.len,
3273                               key->n.raw.buf, key->n.raw.len,
3274                               out, outLen, key);
3275    #elif defined(HAVE_INTEL_QA)
3276        ret = IntelQaRsaPublic(&key->asyncDev, in, inLen,
3277                               &key->e.raw, &key->n.raw,
3278                               out, outLen);
3279    #else
3280        ret = wc_RsaFunctionSync(in, inLen, out, outLen, type, key, rng);
3281    #endif
3282        break;
3283
3284    default:
3285        ret = RSA_WRONG_TYPE_E;
3286    }
3287
3288    return ret;
3289}
3290#endif /* WOLFSSL_ASYNC_CRYPT && WC_ASYNC_ENABLE_RSA */
3291
3292#if defined(WC_RSA_DIRECT) || defined(WC_RSA_NO_PADDING) || \
3293    defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
3294/* Performs direct RSA computation without padding. The input and output must
3295 * match the key size (ex: 2048-bits = 256 bytes). Returns the size of the
3296 * output on success or negative value on failure. */
3297int wc_RsaDirect(const byte* in, word32 inLen, byte* out, word32* outSz,
3298        RsaKey* key, int type, WC_RNG* rng)
3299{
3300    int ret;
3301
3302    if (in == NULL || outSz == NULL || key == NULL) {
3303        return BAD_FUNC_ARG;
3304    }
3305
3306    /* sanity check on type of RSA operation */
3307    switch (type) {
3308        case RSA_PUBLIC_ENCRYPT:
3309        case RSA_PUBLIC_DECRYPT:
3310        case RSA_PRIVATE_ENCRYPT:
3311        case RSA_PRIVATE_DECRYPT:
3312            break;
3313        default:
3314            WOLFSSL_MSG("Bad RSA type");
3315            return BAD_FUNC_ARG;
3316    }
3317
3318    if ((ret = wc_RsaEncryptSize(key)) < 0) {
3319        return BAD_FUNC_ARG;
3320    }
3321
3322    if (inLen != (word32)ret) {
3323        WOLFSSL_MSG("Bad input length. Should be RSA key size");
3324        return BAD_FUNC_ARG;
3325    }
3326
3327    if (out == NULL) {
3328        *outSz = inLen;
3329        return WC_NO_ERR_TRACE(LENGTH_ONLY_E);
3330    }
3331
3332    switch (key->state) {
3333        case RSA_STATE_NONE:
3334        case RSA_STATE_ENCRYPT_PAD:
3335        case RSA_STATE_ENCRYPT_EXPTMOD:
3336        case RSA_STATE_DECRYPT_EXPTMOD:
3337        case RSA_STATE_DECRYPT_UNPAD:
3338            key->state = (type == RSA_PRIVATE_ENCRYPT ||
3339                    type == RSA_PUBLIC_ENCRYPT) ? RSA_STATE_ENCRYPT_EXPTMOD:
3340                                                  RSA_STATE_DECRYPT_EXPTMOD;
3341
3342            key->dataLen = *outSz;
3343
3344            ret = wc_RsaFunction(in, inLen, out, &key->dataLen, type, key, rng);
3345            if (ret >= 0 || ret == WC_NO_ERR_TRACE(WC_PENDING_E)) {
3346                key->state = (type == RSA_PRIVATE_ENCRYPT ||
3347                    type == RSA_PUBLIC_ENCRYPT) ? RSA_STATE_ENCRYPT_RES:
3348                                                  RSA_STATE_DECRYPT_RES;
3349            }
3350            if (ret < 0) {
3351                break;
3352            }
3353
3354            FALL_THROUGH;
3355
3356        case RSA_STATE_ENCRYPT_RES:
3357        case RSA_STATE_DECRYPT_RES:
3358            ret = (int)key->dataLen;
3359            break;
3360
3361        default:
3362            ret = BAD_STATE_E;
3363    }
3364
3365    /* if async pending then skip cleanup*/
3366    if (ret == WC_NO_ERR_TRACE(WC_PENDING_E)
3367    #ifdef WC_RSA_NONBLOCK
3368        || ret == FP_WOULDBLOCK
3369    #endif
3370    ) {
3371        return ret;
3372    }
3373
3374    key->state = RSA_STATE_NONE;
3375    wc_RsaCleanup(key);
3376
3377    return ret;
3378}
3379#endif /* WC_RSA_DIRECT || WC_RSA_NO_PADDING || OPENSSL_EXTRA || \
3380        * OPENSSL_EXTRA_X509_SMALL */
3381
3382#if defined(WOLFSSL_CRYPTOCELL)
3383static int cc310_RsaPublicEncrypt(const byte* in, word32 inLen, byte* out,
3384                            word32 outLen, RsaKey* key)
3385{
3386    CRYSError_t ret = 0;
3387    CRYS_RSAPrimeData_t primeData;
3388    int modulusSize = wc_RsaEncryptSize(key);
3389
3390    /* The out buffer must be at least modulus size bytes long. */
3391    if (outLen < modulusSize)
3392        return BAD_FUNC_ARG;
3393
3394    ret = CRYS_RSA_PKCS1v15_Encrypt(&wc_rndState,
3395                                    wc_rndGenVectFunc,
3396                                    &key->ctx.pubKey,
3397                                    &primeData,
3398                                    (byte*)in,
3399                                    inLen,
3400                                    out);
3401
3402    if (ret != SA_SILIB_RET_OK){
3403        WOLFSSL_MSG("CRYS_RSA_PKCS1v15_Encrypt failed");
3404        return -1;
3405    }
3406
3407    return modulusSize;
3408}
3409static int cc310_RsaPublicDecrypt(const byte* in, word32 inLen, byte* out,
3410                            word32 outLen, RsaKey* key)
3411{
3412    CRYSError_t ret = 0;
3413    CRYS_RSAPrimeData_t primeData;
3414    word16 actualOutLen = outLen;
3415
3416    ret = CRYS_RSA_PKCS1v15_Decrypt(&key->ctx.privKey,
3417                                    &primeData,
3418                                    (byte*)in,
3419                                    inLen,
3420                                    out,
3421                                    &actualOutLen);
3422
3423    if (ret != SA_SILIB_RET_OK){
3424        WOLFSSL_MSG("CRYS_RSA_PKCS1v15_Decrypt failed");
3425        return -1;
3426    }
3427    return actualOutLen;
3428}
3429
3430int cc310_RsaSSL_Sign(const byte* in, word32 inLen, byte* out,
3431                  word32 outLen, RsaKey* key, CRYS_RSA_HASH_OpMode_t mode)
3432{
3433    CRYSError_t ret = 0;
3434    word16 actualOutLen = outLen*sizeof(byte);
3435    CRYS_RSAPrivUserContext_t  contextPrivate;
3436
3437    ret =  CRYS_RSA_PKCS1v15_Sign(&wc_rndState,
3438                wc_rndGenVectFunc,
3439                &contextPrivate,
3440                &key->ctx.privKey,
3441                mode,
3442                (byte*)in,
3443                inLen,
3444                out,
3445                &actualOutLen);
3446
3447    if (ret != SA_SILIB_RET_OK){
3448        WOLFSSL_MSG("CRYS_RSA_PKCS1v15_Sign failed");
3449        return -1;
3450    }
3451    return actualOutLen;
3452}
3453
3454int cc310_RsaSSL_Verify(const byte* in, word32 inLen, byte* sig,
3455                               RsaKey* key, CRYS_RSA_HASH_OpMode_t mode)
3456{
3457    CRYSError_t ret = 0;
3458    CRYS_RSAPubUserContext_t contextPub;
3459
3460    /* verify the signature in the sig pointer */
3461    ret =  CRYS_RSA_PKCS1v15_Verify(&contextPub,
3462                &key->ctx.pubKey,
3463                mode,
3464                (byte*)in,
3465                inLen,
3466                sig);
3467
3468    if (ret != SA_SILIB_RET_OK){
3469        WOLFSSL_MSG("CRYS_RSA_PKCS1v15_Verify failed");
3470        return -1;
3471    }
3472
3473    return ret;
3474}
3475#endif /* WOLFSSL_CRYPTOCELL */
3476
3477#ifndef WOLF_CRYPTO_CB_ONLY_RSA
3478#if !defined(NO_RSA_BOUNDS_CHECK)
3479/* Check that 1 < in < n-1. (Requirement of 800-56B.) */
3480int RsaFunctionCheckIn(const byte* in, word32 inLen, RsaKey* key,
3481    int checkSmallCt)
3482{
3483    int ret = 0;
3484    DECL_MP_INT_SIZE_DYN(c, mp_bitsused(&key->n), RSA_MAX_SIZE);
3485
3486    NEW_MP_INT_SIZE(c, mp_bitsused(&key->n), key->heap, DYNAMIC_TYPE_RSA);
3487#ifdef MP_INT_SIZE_CHECK_NULL
3488    if (c == NULL)
3489        ret = MEMORY_E;
3490#endif
3491
3492    if (ret == 0 && INIT_MP_INT_SIZE(c, mp_bitsused(&key->n)) != MP_OKAY) {
3493        ret = MP_INIT_E;
3494    }
3495    if (ret == 0) {
3496        if (mp_read_unsigned_bin(c, in, inLen) != 0)
3497            ret = MP_READ_E;
3498    }
3499    if (ret == 0) {
3500        /* check c > 1 */
3501        if (checkSmallCt && (mp_cmp_d(c, 1) != MP_GT))
3502            ret = RSA_OUT_OF_RANGE_E;
3503    }
3504    if (ret == 0) {
3505        /* add c+1 */
3506        if (mp_add_d(c, 1, c) != MP_OKAY)
3507            ret = MP_ADD_E;
3508    }
3509    if (ret == 0) {
3510        /* check c+1 < n */
3511        if (mp_cmp(c, &key->n) != MP_LT)
3512            ret = RSA_OUT_OF_RANGE_E;
3513    }
3514    mp_clear(c);
3515
3516    FREE_MP_INT_SIZE(c, key->heap, DYNAMIC_TYPE_RSA);
3517
3518    return ret;
3519}
3520#endif /* !NO_RSA_BOUNDS_CHECK */
3521#endif /* WOLF_CRYPTO_CB_ONLY_RSA */
3522
3523static int wc_RsaFunction_ex(const byte* in, word32 inLen, byte* out,
3524                             word32* outLen, int type, RsaKey* key, WC_RNG* rng,
3525                             int checkSmallCt)
3526{
3527    int ret = 0;
3528#if defined(WOLF_CRYPTO_CB) && defined(WOLF_CRYPTO_CB_RSA_PAD)
3529    RsaPadding padding;
3530#endif
3531
3532    (void)rng;
3533    (void)checkSmallCt;
3534
3535    if (key == NULL || in == NULL || inLen == 0 || out == NULL ||
3536            outLen == NULL || *outLen == 0 || type == RSA_TYPE_UNKNOWN) {
3537        return BAD_FUNC_ARG;
3538    }
3539
3540#ifdef WOLF_CRYPTO_CB
3541    #ifndef WOLF_CRYPTO_CB_FIND
3542    if (key->devId != INVALID_DEVID)
3543    #endif
3544    {
3545    #if defined(WOLF_CRYPTO_CB_RSA_PAD)
3546        /* If we are here, either the RSA PAD callback was already called
3547         * and returned that it could not implement for that padding scheme,
3548         * or this is a public verify operation. Either way indicate to the
3549         * callback that this should be a raw RSA operation with no padding.*/
3550        XMEMSET(&padding, 0, sizeof(RsaPadding));
3551        padding.pad_type = WC_RSA_NO_PAD;
3552        ret = wc_CryptoCb_RsaPad(in, inLen, out,
3553                            outLen, type, key, rng, &padding);
3554    #else
3555        ret = wc_CryptoCb_Rsa(in, inLen, out, outLen, type, key, rng);
3556    #endif
3557        #ifndef WOLF_CRYPTO_CB_ONLY_RSA
3558        if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE))
3559            return ret;
3560        /* fall-through when unavailable and try using software */
3561        #endif
3562        #ifdef WOLF_CRYPTO_CB_ONLY_RSA
3563        if (ret == WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE)) {
3564            return NO_VALID_DEVID;
3565        }
3566        return ret;
3567        #endif
3568    }
3569#endif
3570
3571#ifdef WOLF_CRYPTO_CB_ONLY_RSA
3572    return NO_VALID_DEVID;
3573#else /* !WOLF_CRYPTO_CB_ONLY_RSA */
3574    SAVE_VECTOR_REGISTERS(return _svr_ret;);
3575
3576#if !defined(WOLFSSL_RSA_VERIFY_ONLY) && !defined(TEST_UNPAD_CONSTANT_TIME) && \
3577    !defined(NO_RSA_BOUNDS_CHECK)
3578    if (type == RSA_PRIVATE_DECRYPT &&
3579        key->state == RSA_STATE_DECRYPT_EXPTMOD) {
3580
3581        ret = RsaFunctionCheckIn(in, inLen, key, checkSmallCt);
3582        if (ret != 0) {
3583            RESTORE_VECTOR_REGISTERS();
3584            return ret;
3585        }
3586    }
3587#endif /* !WOLFSSL_RSA_VERIFY_ONLY && !TEST_UNPAD_CONSTANT_TIME && \
3588        * !NO_RSA_BOUNDS_CHECK */
3589#if !defined(NO_RSA_BOUNDS_CHECK)
3590    if (type == RSA_PUBLIC_DECRYPT &&
3591        key->state == RSA_STATE_DECRYPT_EXPTMOD) {
3592
3593        ret = RsaFunctionCheckIn(in, inLen, key, checkSmallCt);
3594        if (ret != 0) {
3595            RESTORE_VECTOR_REGISTERS();
3596            return ret;
3597        }
3598    }
3599#endif
3600
3601#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_RSA)
3602    if (key->asyncDev.marker == WOLFSSL_ASYNC_MARKER_RSA &&
3603                                                        key->n.raw.len > 0) {
3604        /* wc_RsaFunctionAsync dispatches to the SP nonblock state machine
3605         * in its compute path when key->nb is attached - wolfAsync_DoSw
3606         * (in wolfcrypt/src/async.c) translates per-yield FP_WOULDBLOCK
3607         * (alias of MP_WOULDBLOCK) into WC_PENDING_E so the TLS / async
3608         * event loop can drive completion. */
3609        ret = wc_RsaFunctionAsync(in, inLen, out, outLen, type, key, rng);
3610    }
3611    else
3612#endif
3613#ifdef WC_RSA_NONBLOCK
3614    if (key->nb) {
3615        /* Direct (non-async) nonblock dispatch - the caller (e.g. wolfcrypt
3616         * test) drives the loop on MP_WOULDBLOCK directly. Reached when no
3617         * async marker is set on the key. */
3618        ret = wc_RsaFunctionNonBlock(in, inLen, out, outLen, type, key);
3619    }
3620    else
3621#endif
3622    {
3623        ret = wc_RsaFunctionSync(in, inLen, out, outLen, type, key, rng);
3624    }
3625
3626    RESTORE_VECTOR_REGISTERS();
3627
3628    /* handle error */
3629    if (ret < 0 && ret != WC_NO_ERR_TRACE(WC_PENDING_E)
3630    #ifdef WC_RSA_NONBLOCK
3631        && ret != FP_WOULDBLOCK
3632    #endif
3633    ) {
3634        if (ret == WC_NO_ERR_TRACE(MP_EXPTMOD_E)) {
3635            /* This can happen due to incorrectly set FP_MAX_BITS or missing XREALLOC */
3636            WOLFSSL_MSG("RSA_FUNCTION MP_EXPTMOD_E: memory/config problem");
3637        }
3638
3639        key->state = RSA_STATE_NONE;
3640        wc_RsaCleanup(key);
3641    }
3642    return ret;
3643#endif /* !WOLF_CRYPTO_CB_ONLY_RSA */
3644}
3645
3646int wc_RsaFunction(const byte* in, word32 inLen, byte* out,
3647                          word32* outLen, int type, RsaKey* key, WC_RNG* rng)
3648{
3649    /* Always check for ciphertext of 0 or 1. (Shouldn't for OAEP decrypt.) */
3650    return wc_RsaFunction_ex(in, inLen, out, outLen, type, key, rng, 1);
3651}
3652
3653#ifndef WOLFSSL_RSA_VERIFY_ONLY
3654/* Internal Wrappers */
3655/* Gives the option of choosing padding type
3656   in : input to be encrypted
3657   inLen: length of input buffer
3658   out: encrypted output
3659   outLen: length of encrypted output buffer
3660   key   : wolfSSL initialized RSA key struct
3661   rng   : wolfSSL initialized random number struct
3662   rsa_type  : type of RSA: RSA_PUBLIC_ENCRYPT, RSA_PUBLIC_DECRYPT,
3663        RSA_PRIVATE_ENCRYPT or RSA_PRIVATE_DECRYPT
3664   pad_value: RSA_BLOCK_TYPE_1 or RSA_BLOCK_TYPE_2
3665   pad_type  : type of padding: WC_RSA_PKCSV15_PAD, WC_RSA_OAEP_PAD,
3666        WC_RSA_NO_PAD or WC_RSA_PSS_PAD
3667   hash  : type of hash algorithm to use found in wolfssl/wolfcrypt/hash.h
3668   mgf   : type of mask generation function to use
3669   label : optional label
3670   labelSz : size of optional label buffer
3671   saltLen : Length of salt used in PSS
3672   rng : random number generator */
3673static int RsaPublicEncryptEx(const byte* in, word32 inLen, byte* out,
3674                            word32 outLen, RsaKey* key, int rsa_type,
3675                            byte pad_value, int pad_type,
3676                            enum wc_HashType hash, int mgf,
3677                            byte* label, word32 labelSz, int saltLen,
3678                            WC_RNG* rng)
3679{
3680    int ret = 0;
3681    int sz;
3682    int state;
3683#if defined(WOLF_CRYPTO_CB) && defined(WOLF_CRYPTO_CB_RSA_PAD)
3684    RsaPadding padding;
3685#endif
3686
3687    if (in == NULL || inLen == 0 || out == NULL || key == NULL) {
3688        return BAD_FUNC_ARG;
3689    }
3690
3691    sz = wc_RsaEncryptSize(key);
3692    if (sz > (int)outLen) {
3693        return RSA_BUFFER_E;
3694    }
3695
3696    if (sz < RSA_MIN_PAD_SZ || sz > (int)RSA_MAX_SIZE/8) {
3697        return WC_KEY_SIZE_E;
3698    }
3699
3700    if (inLen > (word32)(sz - RSA_MIN_PAD_SZ)) {
3701#ifdef WC_RSA_NO_PADDING
3702        /* In the case that no padding is used the input length can and should
3703         * be the same size as the RSA key. */
3704        if (pad_type != WC_RSA_NO_PAD)
3705#endif
3706        return RSA_BUFFER_E;
3707    }
3708
3709#ifndef WOLFSSL_BIND
3710    state = key->state;
3711#else
3712    /* Bind9 shares the EVP_PKEY struct across multiple threads so let's just
3713     * force a restart on each RsaPublicEncryptEx call for it. */
3714    state = RSA_STATE_NONE;
3715#ifdef WOLFSSL_ASYNC_CRYPT
3716#error wolfSSL does not handle building bind support with async crypto
3717#endif
3718#endif
3719    switch (state) {
3720    case RSA_STATE_NONE:
3721    case RSA_STATE_ENCRYPT_PAD:
3722    #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_RSA) && \
3723            defined(HAVE_CAVIUM)
3724        if (key->asyncDev.marker == WOLFSSL_ASYNC_MARKER_RSA &&
3725                                 pad_type != WC_RSA_PSS_PAD && key->n.raw.buf) {
3726            /* Async operations that include padding */
3727            if (rsa_type == RSA_PUBLIC_ENCRYPT &&
3728                                                pad_value == RSA_BLOCK_TYPE_2) {
3729                key->state = RSA_STATE_ENCRYPT_RES;
3730                key->dataLen = key->n.raw.len;
3731                return NitroxRsaPublicEncrypt(in, inLen, out, outLen, key);
3732            }
3733            else if (rsa_type == RSA_PRIVATE_ENCRYPT &&
3734                                                pad_value == RSA_BLOCK_TYPE_1) {
3735                key->state = RSA_STATE_ENCRYPT_RES;
3736                key->dataLen = key->n.raw.len;
3737                return NitroxRsaSSL_Sign(in, inLen, out, outLen, key);
3738            }
3739        }
3740    #elif defined(WOLFSSL_CRYPTOCELL)
3741        if (rsa_type == RSA_PUBLIC_ENCRYPT &&
3742                                            pad_value == RSA_BLOCK_TYPE_2) {
3743
3744            return cc310_RsaPublicEncrypt(in, inLen, out, outLen, key);
3745        }
3746        else if (rsa_type == RSA_PRIVATE_ENCRYPT &&
3747                                         pad_value == RSA_BLOCK_TYPE_1) {
3748            return cc310_RsaSSL_Sign(in, inLen, out, outLen, key,
3749                                  cc310_hashModeRSA(hash, 0));
3750        }
3751    #elif defined(WOLFSSL_MICROCHIP_TA100)
3752        if (rsa_type == RSA_PUBLIC_ENCRYPT &&
3753                                            pad_value == RSA_BLOCK_TYPE_2) {
3754            if (key->uKeyH != 0) {
3755                return wc_Microchip_rsa_encrypt(in, inLen, out, outLen, key);
3756            }
3757            return WC_HW_E;
3758        }
3759        else if (rsa_type == RSA_PRIVATE_ENCRYPT &&
3760                                         pad_value == RSA_BLOCK_TYPE_1) {
3761            if (key->rKeyH != 0) {
3762                if (pad_type != WC_RSA_PSS_PAD) {
3763                    return WC_HW_E;
3764                }
3765                return wc_Microchip_rsa_sign(in, inLen, out, outLen, key);
3766            }
3767            return WC_HW_E;
3768        }
3769    #elif defined(WOLFSSL_SE050) && !defined(WOLFSSL_SE050_NO_RSA)
3770        if (rsa_type == RSA_PUBLIC_ENCRYPT && pad_value == RSA_BLOCK_TYPE_2) {
3771            return se050_rsa_public_encrypt(in, inLen, out, outLen, key,
3772                                            rsa_type, pad_value, pad_type, hash,
3773                                            mgf, label, labelSz, sz);
3774        }
3775        else if (rsa_type == RSA_PRIVATE_ENCRYPT &&
3776                 pad_value == RSA_BLOCK_TYPE_1 &&
3777                 pad_type != WC_RSA_PSS_PAD) {
3778            /* SE050 handles PKCS#1 v1.5 signing directly. PSS signing falls
3779             * through to software path because the SE050 PSS sign API
3780             * (Se05x_API_RSASign) is hash-then-sign and does not support
3781             * signing a pre-computed digest without double-hashing. */
3782            return se050_rsa_sign(in, inLen, out, outLen, key, rsa_type,
3783                                  pad_value, pad_type, hash, mgf, label,
3784                                  labelSz, sz);
3785        }
3786    #endif /* RSA CRYPTO HW */
3787
3788    #if defined(WOLF_CRYPTO_CB) && defined(WOLF_CRYPTO_CB_RSA_PAD)
3789        if (key->devId != INVALID_DEVID) {
3790            XMEMSET(&padding, 0, sizeof(RsaPadding));
3791            padding.pad_value = pad_value;
3792            padding.pad_type = pad_type;
3793            padding.hash = hash;
3794            padding.mgf = mgf;
3795            padding.label = label;
3796            padding.labelSz = labelSz;
3797            padding.saltLen = saltLen;
3798            ret = wc_CryptoCb_RsaPad(in, inLen, out, &outLen, rsa_type, key, rng,
3799                                     &padding);
3800
3801            if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE)) {
3802                if (ret < 0) {
3803                    break;
3804                }
3805
3806                ret = outLen;
3807                break;
3808            }
3809        }
3810    #endif
3811        key->state = RSA_STATE_ENCRYPT_PAD;
3812        ret = wc_RsaPad_ex(in, inLen, out, (word32)sz, pad_value, rng, pad_type,
3813                           hash, mgf, label, labelSz, saltLen,
3814                           mp_count_bits(&key->n), key->heap);
3815        if (ret < 0) {
3816            break;
3817        }
3818
3819        key->state = RSA_STATE_ENCRYPT_EXPTMOD;
3820        FALL_THROUGH;
3821
3822    case RSA_STATE_ENCRYPT_EXPTMOD:
3823
3824        key->dataLen = outLen;
3825        ret = wc_RsaFunction(out, (word32)sz, out, &key->dataLen, rsa_type, key,
3826                             rng);
3827
3828        if (ret >= 0 || ret == WC_NO_ERR_TRACE(WC_PENDING_E)) {
3829            key->state = RSA_STATE_ENCRYPT_RES;
3830        }
3831        if (ret < 0) {
3832            break;
3833        }
3834
3835        FALL_THROUGH;
3836
3837    case RSA_STATE_ENCRYPT_RES:
3838        ret = (int)key->dataLen;
3839        break;
3840
3841    default:
3842        ret = BAD_STATE_E;
3843        break;
3844    }
3845
3846    /* if async pending then return and skip done cleanup below */
3847    if (ret == WC_NO_ERR_TRACE(WC_PENDING_E)
3848    #ifdef WC_RSA_NONBLOCK
3849        || ret == FP_WOULDBLOCK
3850    #endif
3851    ) {
3852        return ret;
3853    }
3854
3855    key->state = RSA_STATE_NONE;
3856    wc_RsaCleanup(key);
3857
3858    return ret;
3859}
3860
3861#endif
3862
3863/* Gives the option of choosing padding type
3864   in : input to be decrypted
3865   inLen: length of input buffer
3866   out:  decrypted message
3867   outLen: length of decrypted message in bytes
3868   outPtr: optional inline output pointer (if provided doing inline)
3869   key   : wolfSSL initialized RSA key struct
3870   rsa_type  : type of RSA: RSA_PUBLIC_ENCRYPT, RSA_PUBLIC_DECRYPT,
3871        RSA_PRIVATE_ENCRYPT or RSA_PRIVATE_DECRYPT
3872   pad_value: RSA_BLOCK_TYPE_1 or RSA_BLOCK_TYPE_2
3873   pad_type  : type of padding: WC_RSA_PKCSV15_PAD, WC_RSA_OAEP_PAD,
3874        WC_RSA_NO_PAD, WC_RSA_PSS_PAD
3875   hash  : type of hash algorithm to use found in wolfssl/wolfcrypt/hash.h
3876   mgf   : type of mask generation function to use
3877   label : optional label
3878   labelSz : size of optional label buffer
3879   saltLen : Length of salt used in PSS
3880   rng : random number generator */
3881static int RsaPrivateDecryptEx(const byte* in, word32 inLen, byte* out,
3882                            word32 outLen, byte** outPtr, RsaKey* key,
3883                            int rsa_type, byte pad_value, int pad_type,
3884                            enum wc_HashType hash, int mgf,
3885                            byte* label, word32 labelSz, int saltLen,
3886                            WC_RNG* rng)
3887{
3888    int ret = WC_NO_ERR_TRACE(RSA_WRONG_TYPE_E);
3889    byte* pad = NULL;
3890#if defined(WOLF_CRYPTO_CB) && defined(WOLF_CRYPTO_CB_RSA_PAD)
3891    RsaPadding padding;
3892#endif
3893
3894    if (in == NULL || inLen == 0 || out == NULL || key == NULL) {
3895        return BAD_FUNC_ARG;
3896    }
3897
3898    switch (key->state) {
3899    case RSA_STATE_NONE:
3900        key->dataLen = inLen;
3901
3902    #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_RSA) && \
3903            defined(HAVE_CAVIUM)
3904        /* Async operations that include padding */
3905        if (key->asyncDev.marker == WOLFSSL_ASYNC_MARKER_RSA &&
3906                                                   pad_type != WC_RSA_PSS_PAD) {
3907#ifndef WOLFSSL_RSA_PUBLIC_ONLY
3908            if (rsa_type == RSA_PRIVATE_DECRYPT &&
3909                                                pad_value == RSA_BLOCK_TYPE_2) {
3910                key->state = RSA_STATE_DECRYPT_RES;
3911                key->data = NULL;
3912                return NitroxRsaPrivateDecrypt(in, inLen, out, &key->dataLen,
3913                                               key);
3914#endif
3915            }
3916            else if (rsa_type == RSA_PUBLIC_DECRYPT &&
3917                                                pad_value == RSA_BLOCK_TYPE_1) {
3918                key->state = RSA_STATE_DECRYPT_RES;
3919                key->data = NULL;
3920                return NitroxRsaSSL_Verify(in, inLen, out, &key->dataLen, key);
3921            }
3922        }
3923    #elif defined(WOLFSSL_CRYPTOCELL)
3924        if (rsa_type == RSA_PRIVATE_DECRYPT &&
3925                                            pad_value == RSA_BLOCK_TYPE_2) {
3926            ret = cc310_RsaPublicDecrypt(in, inLen, out, outLen, key);
3927            if (outPtr != NULL)
3928                *outPtr = out; /* for inline */
3929            return ret;
3930        }
3931        else if (rsa_type == RSA_PUBLIC_DECRYPT &&
3932                                            pad_value == RSA_BLOCK_TYPE_1) {
3933            return cc310_RsaSSL_Verify(in, inLen, out, key,
3934                                       cc310_hashModeRSA(hash, 0));
3935        }
3936    #elif defined(WOLFSSL_MICROCHIP_TA100)
3937        if (rsa_type == RSA_PRIVATE_DECRYPT &&
3938                                            pad_value == RSA_BLOCK_TYPE_2) {
3939            if (key->rKeyH != 0) {
3940                return wc_Microchip_rsa_decrypt(in, inLen, out, outLen, key);
3941            }
3942            return WC_HW_E;
3943        }
3944        /* Note: RSA_PUBLIC_DECRYPT (verify) is intentionally not intercepted
3945         * here. wc_Microchip_rsa_verify takes a digest as input, not a raw
3946         * signature blob; the proper TA100 short-circuit lives in the
3947         * wc_RsaPSS_CheckPadding / wc_RsaPSS_VerifyCheck path which has the
3948         * digest available. */
3949    #elif defined(WOLFSSL_SE050) && !defined(WOLFSSL_SE050_NO_RSA)
3950        if (rsa_type == RSA_PRIVATE_DECRYPT && pad_value == RSA_BLOCK_TYPE_2) {
3951            ret = se050_rsa_private_decrypt(in, inLen, out, outLen, key,
3952                                            rsa_type, pad_value, pad_type, hash,
3953                                            mgf, label, labelSz);
3954            if (outPtr != NULL) {
3955                *outPtr = out;
3956            }
3957            return ret;
3958        }
3959    #if !defined(WOLFSSL_SE050_NO_RSA_VERIFY)
3960        else if (rsa_type == RSA_PUBLIC_DECRYPT &&
3961                 pad_value == RSA_BLOCK_TYPE_1 &&
3962                 pad_type != WC_RSA_PSS_PAD) {
3963            /* SE050 handles PKCS#1 v1.5 verification directly. PSS
3964             * verification falls through to software path to match the
3965             * software PSS signing path (SE050 PSS sign uses hash-then-sign
3966             * which double-hashes a pre-computed digest). */
3967            ret = se050_rsa_verify(in, inLen, out, outLen, key, rsa_type,
3968                                   pad_value, pad_type, hash, mgf, label,
3969                                   labelSz);
3970            if (outPtr != NULL) {
3971                *outPtr = out;
3972            }
3973            return ret;
3974        }
3975    #endif /* !WOLFSSL_SE050_NO_RSA_VERIFY */
3976    #endif /* RSA CRYPTO HW */
3977
3978
3979#if !defined(WOLFSSL_RSA_VERIFY_ONLY) && !defined(WOLFSSL_RSA_VERIFY_INLINE) && \
3980    !defined(WOLFSSL_NO_MALLOC)
3981        /* verify the tmp ptr is NULL, otherwise indicates bad state */
3982        if (key->data != NULL) {
3983            ret = BAD_STATE_E;
3984            break;
3985        }
3986
3987        /* if not doing this inline then allocate a buffer for it */
3988        if (outPtr == NULL) {
3989            key->data = (byte*)XMALLOC(inLen, key->heap,
3990                                                      DYNAMIC_TYPE_WOLF_BIGINT);
3991            key->dataIsAlloc = 1;
3992            if (key->data == NULL) {
3993                ret = MEMORY_E;
3994                break;
3995            }
3996            XMEMCPY(key->data, in, inLen);
3997            key->dataLen = inLen;
3998        }
3999        else {
4000            key->dataIsAlloc = 0;
4001            key->data = out;
4002        }
4003#endif
4004
4005        key->state = RSA_STATE_DECRYPT_EXPTMOD;
4006        FALL_THROUGH;
4007
4008    case RSA_STATE_DECRYPT_EXPTMOD:
4009#if defined(WOLF_CRYPTO_CB) && defined(WOLF_CRYPTO_CB_RSA_PAD)
4010    if ((key->devId != INVALID_DEVID)
4011    #if !defined(WOLFSSL_RENESAS_FSPSM_CRYPTONLY) && \
4012        !defined(WOLFSSL_RENESAS_TSIP_CRYPTONLY)
4013    && (rsa_type != RSA_PUBLIC_DECRYPT)
4014    #endif
4015    ) {
4016        /* Everything except verify goes to crypto cb if
4017         * WOLF_CRYPTO_CB_RSA_PAD defined */
4018        XMEMSET(&padding, 0, sizeof(RsaPadding));
4019        padding.pad_value = pad_value;
4020        padding.pad_type = pad_type;
4021        padding.hash = hash;
4022        padding.mgf = mgf;
4023        padding.label = label;
4024        padding.labelSz = labelSz;
4025        padding.saltLen = saltLen;
4026        ret = wc_CryptoCb_RsaPad(in, inLen, out,
4027                            &outLen, rsa_type, key, rng, &padding);
4028        if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE)) {
4029            if (outPtr != NULL) {
4030                *outPtr = out;
4031            }
4032            if (ret == 0) {
4033                ret = (int)outLen;
4034            }
4035            break;
4036        }
4037    }
4038#endif
4039#if !defined(WOLFSSL_RSA_VERIFY_ONLY) && !defined(WOLFSSL_RSA_VERIFY_INLINE) && \
4040    !defined(WOLFSSL_NO_MALLOC)
4041        ret = wc_RsaFunction_ex(key->data, inLen, key->data, &key->dataLen,
4042                                                   rsa_type, key, rng,
4043                                                   pad_type != WC_RSA_OAEP_PAD);
4044#else
4045        ret = wc_RsaFunction_ex(in, inLen, out, &key->dataLen, rsa_type, key,
4046                                              rng, pad_type != WC_RSA_OAEP_PAD);
4047#endif
4048
4049        if (ret >= 0 || ret == WC_NO_ERR_TRACE(WC_PENDING_E)) {
4050            key->state = RSA_STATE_DECRYPT_UNPAD;
4051        }
4052        if (ret < 0) {
4053            break;
4054        }
4055
4056        FALL_THROUGH;
4057
4058    case RSA_STATE_DECRYPT_UNPAD:
4059#if !defined(WOLFSSL_RSA_VERIFY_ONLY) && !defined(WOLFSSL_RSA_VERIFY_INLINE) && \
4060    !defined(WOLFSSL_NO_MALLOC)
4061        ret = wc_RsaUnPad_ex(key->data,
4062            key->dataLen, &pad, pad_value, pad_type, hash, mgf,
4063            label, labelSz, saltLen, mp_count_bits(&key->n), key->heap);
4064#else
4065        ret = wc_RsaUnPad_ex(out,
4066            key->dataLen, &pad, pad_value, pad_type, hash, mgf, label,
4067            labelSz, saltLen, mp_count_bits(&key->n), key->heap);
4068#endif
4069        if (rsa_type == RSA_PUBLIC_DECRYPT && ret > (int)outLen) {
4070            ret = RSA_BUFFER_E;
4071        }
4072        else if (ret >= 0 && pad != NULL) {
4073            /* only copy output if not inline */
4074            if (outPtr == NULL) {
4075#if !defined(WOLFSSL_RSA_VERIFY_ONLY) && !defined(WOLFSSL_RSA_VERIFY_INLINE) && \
4076    !defined(WOLFSSL_NO_MALLOC)
4077                if (rsa_type == RSA_PRIVATE_DECRYPT) {
4078                    word32 i = 0;
4079                    word32 j;
4080                    byte last = 0;
4081                    int start = (int)((size_t)pad - (size_t)key->data);
4082
4083                    for (j = 0; j < key->dataLen; j++) {
4084                        signed char incMask;
4085                        signed char maskData;
4086
4087                        /* When j < start + outLen then out[i] = key->data[j]
4088                         *                         else out[i] = last
4089                         */
4090                        maskData = (signed char)ctMaskLT((int)j,
4091                            start + (int)outLen);
4092                        out[i] = (byte)(key->data[j] &   maskData ) |
4093                                 (byte)(last         & (~maskData));
4094                        last = out[i];
4095
4096                        /* Increment i when j is in range:
4097                         *   [start..(start + outLen - 1)]. */
4098                        incMask  = (signed char)ctMaskGTE((int)j, start);
4099                        incMask &= (signed char)ctMaskLT((int)j,
4100                            start + (int)outLen - 1);
4101                        i += (word32)((byte)(-incMask));
4102                    }
4103                }
4104                else
4105#endif
4106                {
4107                    XMEMCPY(out, pad, (size_t)ret);
4108                }
4109            }
4110            else {
4111                *outPtr = pad;
4112            }
4113
4114#if !defined(WOLFSSL_RSA_VERIFY_ONLY)
4115            ret = ctMaskSelInt(ctMaskLTE(ret, (int)outLen), ret,
4116                               WC_NO_ERR_TRACE(RSA_BUFFER_E));
4117    #ifndef WOLFSSL_RSA_DECRYPT_TO_0_LEN
4118            ret = ctMaskSelInt(ctMaskNotEq(ret, 0), ret,
4119                               WC_NO_ERR_TRACE(RSA_BUFFER_E));
4120    #endif
4121#else
4122            if (outLen < (word32)ret)
4123                ret = RSA_BUFFER_E;
4124#endif
4125        }
4126
4127        key->state = RSA_STATE_DECRYPT_RES;
4128        FALL_THROUGH;
4129
4130    case RSA_STATE_DECRYPT_RES:
4131    #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_RSA) && \
4132            defined(HAVE_CAVIUM)
4133        if (key->asyncDev.marker == WOLFSSL_ASYNC_MARKER_RSA &&
4134                                                   pad_type != WC_RSA_PSS_PAD) {
4135            ret = key->asyncDev.event.ret;
4136            if (ret >= 0) {
4137                /* convert result */
4138                byte* dataLen = (byte*)&key->dataLen;
4139                ret = (dataLen[0] << 8) | (dataLen[1]);
4140
4141                if (outPtr)
4142                    *outPtr = in;
4143            }
4144        }
4145    #endif
4146        break;
4147
4148    default:
4149        ret = BAD_STATE_E;
4150        break;
4151    }
4152
4153    /* if async pending then return and skip done cleanup below */
4154    if (ret == WC_NO_ERR_TRACE(WC_PENDING_E)
4155    #ifdef WC_RSA_NONBLOCK
4156        || ret == FP_WOULDBLOCK
4157    #endif
4158    ) {
4159        return ret;
4160    }
4161
4162    key->state = RSA_STATE_NONE;
4163    wc_RsaCleanup(key);
4164
4165    return ret;
4166}
4167
4168
4169#ifndef WOLFSSL_RSA_VERIFY_ONLY
4170/* Public RSA Functions */
4171int wc_RsaPublicEncrypt(const byte* in, word32 inLen, byte* out, word32 outLen,
4172                                                     RsaKey* key, WC_RNG* rng)
4173{
4174    int ret;
4175    SAVE_VECTOR_REGISTERS(return _svr_ret;);
4176    ret = RsaPublicEncryptEx(in, inLen, out, outLen, key,
4177        RSA_PUBLIC_ENCRYPT, RSA_BLOCK_TYPE_2, WC_RSA_PKCSV15_PAD,
4178        WC_HASH_TYPE_NONE, WC_MGF1NONE, NULL, 0, 0, rng);
4179    RESTORE_VECTOR_REGISTERS();
4180    return ret;
4181}
4182
4183
4184#if !defined(WC_NO_RSA_OAEP) || defined(WC_RSA_NO_PADDING)
4185int wc_RsaPublicEncrypt_ex(const byte* in, word32 inLen, byte* out,
4186                    word32 outLen, RsaKey* key, WC_RNG* rng, int type,
4187                    enum wc_HashType hash, int mgf, byte* label,
4188                    word32 labelSz)
4189{
4190    int ret;
4191    SAVE_VECTOR_REGISTERS(return _svr_ret;);
4192    ret = RsaPublicEncryptEx(in, inLen, out, outLen, key, RSA_PUBLIC_ENCRYPT,
4193        RSA_BLOCK_TYPE_2, type, hash, mgf, label, labelSz, 0, rng);
4194    RESTORE_VECTOR_REGISTERS();
4195    return ret;
4196}
4197#endif /* WC_NO_RSA_OAEP */
4198#endif
4199
4200
4201#ifndef WOLFSSL_RSA_PUBLIC_ONLY
4202int wc_RsaPrivateDecryptInline(byte* in, word32 inLen, byte** out, RsaKey* key)
4203{
4204    WC_RNG* rng;
4205    int ret;
4206#if defined(WC_RSA_BLINDING) && !defined(WC_NO_RNG)
4207    if (key == NULL) {
4208        return BAD_FUNC_ARG;
4209    }
4210    rng = key->rng;
4211#else
4212    rng = NULL;
4213#endif
4214    SAVE_VECTOR_REGISTERS(return _svr_ret;);
4215    ret = RsaPrivateDecryptEx(in, inLen, in, inLen, out, key,
4216        RSA_PRIVATE_DECRYPT, RSA_BLOCK_TYPE_2, WC_RSA_PKCSV15_PAD,
4217        WC_HASH_TYPE_NONE, WC_MGF1NONE, NULL, 0, 0, rng);
4218    RESTORE_VECTOR_REGISTERS();
4219    return ret;
4220}
4221
4222
4223#ifndef WC_NO_RSA_OAEP
4224int wc_RsaPrivateDecryptInline_ex(byte* in, word32 inLen, byte** out,
4225                                  RsaKey* key, int type, enum wc_HashType hash,
4226                                  int mgf, byte* label, word32 labelSz)
4227{
4228    WC_RNG* rng;
4229    int ret;
4230#if defined(WC_RSA_BLINDING) && !defined(WC_NO_RNG)
4231    if (key == NULL) {
4232        return BAD_FUNC_ARG;
4233    }
4234    rng = key->rng;
4235#else
4236    rng = NULL;
4237#endif
4238    SAVE_VECTOR_REGISTERS(return _svr_ret;);
4239    ret = RsaPrivateDecryptEx(in, inLen, in, inLen, out, key,
4240        RSA_PRIVATE_DECRYPT, RSA_BLOCK_TYPE_2, type, hash,
4241        mgf, label, labelSz, 0, rng);
4242    RESTORE_VECTOR_REGISTERS();
4243    return ret;
4244}
4245#endif /* WC_NO_RSA_OAEP */
4246
4247
4248int wc_RsaPrivateDecrypt(const byte* in, word32 inLen, byte* out,
4249                                                 word32 outLen, RsaKey* key)
4250{
4251    WC_RNG* rng;
4252    int ret;
4253#if defined(WC_RSA_BLINDING) && !defined(WC_NO_RNG)
4254    if (key == NULL) {
4255        return BAD_FUNC_ARG;
4256    }
4257    rng = key->rng;
4258#else
4259    rng = NULL;
4260#endif
4261    SAVE_VECTOR_REGISTERS(return _svr_ret;);
4262    ret = RsaPrivateDecryptEx(in, inLen, out, outLen, NULL, key,
4263        RSA_PRIVATE_DECRYPT, RSA_BLOCK_TYPE_2, WC_RSA_PKCSV15_PAD,
4264        WC_HASH_TYPE_NONE, WC_MGF1NONE, NULL, 0, 0, rng);
4265    RESTORE_VECTOR_REGISTERS();
4266    return ret;
4267}
4268
4269#if !defined(WC_NO_RSA_OAEP) || defined(WC_RSA_NO_PADDING)
4270int wc_RsaPrivateDecrypt_ex(const byte* in, word32 inLen, byte* out,
4271                            word32 outLen, RsaKey* key, int type,
4272                            enum wc_HashType hash, int mgf, byte* label,
4273                            word32 labelSz)
4274{
4275    WC_RNG* rng;
4276    int ret;
4277#if defined(WC_RSA_BLINDING) && !defined(WC_NO_RNG)
4278    if (key == NULL) {
4279        return BAD_FUNC_ARG;
4280    }
4281    rng = key->rng;
4282#else
4283    rng = NULL;
4284#endif
4285    SAVE_VECTOR_REGISTERS(return _svr_ret;);
4286    ret = RsaPrivateDecryptEx(in, inLen, out, outLen, NULL, key,
4287        RSA_PRIVATE_DECRYPT, RSA_BLOCK_TYPE_2, type, hash, mgf, label,
4288        labelSz, 0, rng);
4289    RESTORE_VECTOR_REGISTERS();
4290    return ret;
4291}
4292#endif /* WC_NO_RSA_OAEP || WC_RSA_NO_PADDING */
4293#endif /* WOLFSSL_RSA_PUBLIC_ONLY */
4294
4295#if !defined(WOLFSSL_CRYPTOCELL)
4296int wc_RsaSSL_VerifyInline(byte* in, word32 inLen, byte** out, RsaKey* key)
4297{
4298    WC_RNG* rng;
4299    int ret;
4300#if defined(WC_RSA_BLINDING) && !defined(WC_NO_RNG)
4301    if (key == NULL) {
4302        return BAD_FUNC_ARG;
4303    }
4304    rng = key->rng;
4305#else
4306    rng = NULL;
4307#endif
4308    SAVE_VECTOR_REGISTERS(return _svr_ret;);
4309    ret = RsaPrivateDecryptEx(in, inLen, in, inLen, out, key,
4310        RSA_PUBLIC_DECRYPT, RSA_BLOCK_TYPE_1, WC_RSA_PKCSV15_PAD,
4311        WC_HASH_TYPE_NONE, WC_MGF1NONE, NULL, 0, 0, rng);
4312    RESTORE_VECTOR_REGISTERS();
4313    return ret;
4314}
4315#endif
4316
4317#ifndef WOLFSSL_RSA_VERIFY_INLINE
4318int wc_RsaSSL_Verify(const byte* in, word32 inLen, byte* out, word32 outLen,
4319                                                                 RsaKey* key)
4320{
4321    return wc_RsaSSL_Verify_ex(in, inLen, out, outLen, key, WC_RSA_PKCSV15_PAD);
4322}
4323
4324int  wc_RsaSSL_Verify_ex(const byte* in, word32 inLen, byte* out, word32 outLen,
4325                         RsaKey* key, int pad_type)
4326{
4327    int ret;
4328    SAVE_VECTOR_REGISTERS(return _svr_ret;);
4329    ret = wc_RsaSSL_Verify_ex2(in, inLen, out, outLen, key, pad_type,
4330            WC_HASH_TYPE_NONE);
4331    RESTORE_VECTOR_REGISTERS();
4332    return ret;
4333}
4334
4335int  wc_RsaSSL_Verify_ex2(const byte* in, word32 inLen, byte* out, word32 outLen,
4336                         RsaKey* key, int pad_type, enum wc_HashType hash)
4337{
4338    WC_RNG* rng;
4339    int ret;
4340
4341    if (key == NULL) {
4342        return BAD_FUNC_ARG;
4343    }
4344
4345#if defined(WC_RSA_BLINDING) && !defined(WC_NO_RNG)
4346    rng = key->rng;
4347#else
4348    rng = NULL;
4349#endif
4350
4351    SAVE_VECTOR_REGISTERS(return _svr_ret;);
4352#ifndef WOLFSSL_PSS_SALT_LEN_DISCOVER
4353    ret = RsaPrivateDecryptEx(in, inLen, out, outLen, NULL, key,
4354        RSA_PUBLIC_DECRYPT, RSA_BLOCK_TYPE_1, pad_type,
4355        hash, wc_hash2mgf(hash), NULL, 0, RSA_PSS_SALT_LEN_DEFAULT, rng);
4356#else
4357    ret = RsaPrivateDecryptEx(in, inLen, out, outLen, NULL, key,
4358        RSA_PUBLIC_DECRYPT, RSA_BLOCK_TYPE_1, pad_type,
4359        hash, wc_hash2mgf(hash), NULL, 0, RSA_PSS_SALT_LEN_DISCOVER, rng);
4360#endif
4361    RESTORE_VECTOR_REGISTERS();
4362    return ret;
4363}
4364#endif
4365
4366#ifdef WC_RSA_PSS
4367/* Verify the message signed with RSA-PSS.
4368 * The input buffer is reused for the output buffer.
4369 * Salt length is equal to hash length.
4370 *
4371 * in     Buffer holding encrypted data.
4372 * inLen  Length of data in buffer.
4373 * out    Pointer to address containing the PSS data.
4374 * hash   Hash algorithm.
4375 * mgf    Mask generation function.
4376 * key    Public RSA key.
4377 * returns the length of the PSS data on success and negative indicates failure.
4378 */
4379int wc_RsaPSS_VerifyInline(byte* in, word32 inLen, byte** out,
4380                           enum wc_HashType hash, int mgf, RsaKey* key)
4381{
4382#ifndef WOLFSSL_PSS_SALT_LEN_DISCOVER
4383    return wc_RsaPSS_VerifyInline_ex(in, inLen, out, hash, mgf,
4384                                                 RSA_PSS_SALT_LEN_DEFAULT, key);
4385#else
4386    return wc_RsaPSS_VerifyInline_ex(in, inLen, out, hash, mgf,
4387                                                RSA_PSS_SALT_LEN_DISCOVER, key);
4388#endif
4389}
4390
4391/* Verify the message signed with RSA-PSS.
4392 * The input buffer is reused for the output buffer.
4393 *
4394 * in       Buffer holding encrypted data.
4395 * inLen    Length of data in buffer.
4396 * out      Pointer to address containing the PSS data.
4397 * hash     Hash algorithm.
4398 * mgf      Mask generation function.
4399 * key      Public RSA key.
4400 * saltLen  Length of salt used. RSA_PSS_SALT_LEN_DEFAULT (-1) indicates salt
4401 *          length is the same as the hash length. RSA_PSS_SALT_LEN_DISCOVER
4402 *          indicates salt length is determined from the data.
4403 * returns the length of the PSS data on success and negative indicates failure.
4404 */
4405int wc_RsaPSS_VerifyInline_ex(byte* in, word32 inLen, byte** out,
4406                              enum wc_HashType hash, int mgf, int saltLen,
4407                              RsaKey* key)
4408{
4409    WC_RNG* rng;
4410    int ret;
4411#if defined(WC_RSA_BLINDING) && !defined(WC_NO_RNG)
4412    if (key == NULL) {
4413        return BAD_FUNC_ARG;
4414    }
4415    rng = key->rng;
4416#else
4417    rng = NULL;
4418#endif
4419    SAVE_VECTOR_REGISTERS(return _svr_ret;);
4420    ret = RsaPrivateDecryptEx(in, inLen, in, inLen, out, key,
4421        RSA_PUBLIC_DECRYPT, RSA_BLOCK_TYPE_1, WC_RSA_PSS_PAD,
4422        hash, mgf, NULL, 0, saltLen, rng);
4423    RESTORE_VECTOR_REGISTERS();
4424    return ret;
4425}
4426
4427/* Verify the message signed with RSA-PSS.
4428 * Salt length is equal to hash length.
4429 *
4430 * in     Buffer holding encrypted data.
4431 * inLen  Length of data in buffer.
4432 * out    Pointer to address containing the PSS data.
4433 * hash   Hash algorithm.
4434 * mgf    Mask generation function.
4435 * key    Public RSA key.
4436 * returns the length of the PSS data on success and negative indicates failure.
4437 */
4438int wc_RsaPSS_Verify(const byte* in, word32 inLen, byte* out, word32 outLen,
4439                     enum wc_HashType hash, int mgf, RsaKey* key)
4440{
4441#ifndef WOLFSSL_PSS_SALT_LEN_DISCOVER
4442    return wc_RsaPSS_Verify_ex(in, inLen, out, outLen, hash, mgf,
4443                                                 RSA_PSS_SALT_LEN_DEFAULT, key);
4444#else
4445    return wc_RsaPSS_Verify_ex(in, inLen, out, outLen, hash, mgf,
4446                                                RSA_PSS_SALT_LEN_DISCOVER, key);
4447#endif
4448}
4449
4450/* Verify the message signed with RSA-PSS.
4451 *
4452 * in       Buffer holding encrypted data.
4453 * inLen    Length of data in buffer.
4454 * out      Pointer to address containing the PSS data.
4455 * hash     Hash algorithm.
4456 * mgf      Mask generation function.
4457 * key      Public RSA key.
4458 * saltLen  Length of salt used. RSA_PSS_SALT_LEN_DEFAULT (-1) indicates salt
4459 *          length is the same as the hash length. RSA_PSS_SALT_LEN_DISCOVER
4460 *          indicates salt length is determined from the data.
4461 * returns the length of the PSS data on success and negative indicates failure.
4462 */
4463int wc_RsaPSS_Verify_ex(const byte* in, word32 inLen, byte* out, word32 outLen,
4464                        enum wc_HashType hash, int mgf, int saltLen,
4465                        RsaKey* key)
4466{
4467    WC_RNG* rng;
4468    int ret;
4469#if defined(WC_RSA_BLINDING) && !defined(WC_NO_RNG)
4470    if (key == NULL) {
4471        return BAD_FUNC_ARG;
4472    }
4473    rng = key->rng;
4474#else
4475    rng = NULL;
4476#endif
4477    SAVE_VECTOR_REGISTERS(return _svr_ret;);
4478    ret = RsaPrivateDecryptEx(in, inLen, out, outLen, NULL, key,
4479        RSA_PUBLIC_DECRYPT, RSA_BLOCK_TYPE_1, WC_RSA_PSS_PAD,
4480        hash, mgf, NULL, 0, saltLen, rng);
4481    RESTORE_VECTOR_REGISTERS();
4482    return ret;
4483}
4484
4485
4486/* Checks the PSS data to ensure that the signature matches.
4487 * Salt length is equal to hash length.
4488 *
4489 * in        Hash of the data that is being verified.
4490 * inSz      Length of hash.
4491 * sig       Buffer holding PSS data.
4492 * sigSz     Size of PSS data.
4493 * hashType  Hash algorithm.
4494 * returns BAD_PADDING_E when the PSS data is invalid, BAD_FUNC_ARG when
4495 * NULL is passed in to in or sig or inSz is not the same as the hash
4496 * algorithm length and 0 on success.
4497 */
4498int wc_RsaPSS_CheckPadding(const byte* in, word32 inSz, const byte* sig,
4499                           word32 sigSz, enum wc_HashType hashType)
4500{
4501#ifndef WOLFSSL_PSS_SALT_LEN_DISCOVER
4502    return wc_RsaPSS_CheckPadding_ex(in, inSz, sig, sigSz, hashType, RSA_PSS_SALT_LEN_DEFAULT, 0);
4503#else
4504    return wc_RsaPSS_CheckPadding_ex(in, inSz, sig, sigSz, hashType, RSA_PSS_SALT_LEN_DISCOVER, 0);
4505#endif
4506}
4507
4508/* Checks the PSS data to ensure that the signature matches.
4509 *
4510 * in        Hash of the data that is being verified.
4511 * inSz      Length of hash.
4512 * sig       Buffer holding PSS data.
4513 * sigSz     Size of PSS data.
4514 * hashType  Hash algorithm.
4515 * saltLen   Length of salt used. RSA_PSS_SALT_LEN_DEFAULT (-1) indicates salt
4516 *           length is the same as the hash length. RSA_PSS_SALT_LEN_DISCOVER
4517 *           indicates salt length is determined from the data.
4518 * bits      Can be used to calculate salt size in FIPS case
4519 * returns BAD_PADDING_E when the PSS data is invalid, BAD_FUNC_ARG when
4520 * NULL is passed in to in or sig or inSz is not the same as the hash
4521 * algorithm length and 0 on success.
4522 */
4523int wc_RsaPSS_CheckPadding_ex2(const byte* in, word32 inSz, const byte* sig,
4524                               word32 sigSz, enum wc_HashType hashType,
4525                               int saltLen, int bits, void* heap)
4526{
4527    int ret = 0;
4528    byte sigCheckBuf[WC_MAX_DIGEST_SIZE*2 + RSA_PSS_PAD_SZ];
4529    byte *sigCheck = sigCheckBuf;
4530    int digSz;
4531    (void)bits;
4532
4533    digSz = wc_HashGetDigestSize(hashType);
4534
4535    if (in == NULL || sig == NULL || digSz < 0 || inSz != (word32)digSz) {
4536        ret = BAD_FUNC_ARG;
4537    }
4538
4539    if (ret == 0) {
4540        if (saltLen == RSA_PSS_SALT_LEN_DEFAULT) {
4541            saltLen = (int)inSz;
4542            #ifdef WOLFSSL_SHA512
4543                /* See FIPS 186-4 section 5.5 item (e). */
4544                if (bits == 1024 && inSz == WC_SHA512_DIGEST_SIZE) {
4545                    saltLen = RSA_PSS_SALT_MAX_SZ;
4546                }
4547            #endif
4548        }
4549#ifndef WOLFSSL_PSS_LONG_SALT
4550        else if (saltLen > (int)inSz) {
4551            ret = PSS_SALTLEN_E;
4552        }
4553#endif
4554#ifndef WOLFSSL_PSS_SALT_LEN_DISCOVER
4555        else if (saltLen < RSA_PSS_SALT_LEN_DEFAULT) {
4556            ret = PSS_SALTLEN_E;
4557        }
4558#else
4559        else if (saltLen == RSA_PSS_SALT_LEN_DISCOVER) {
4560            saltLen = sigSz - inSz;
4561            if (saltLen < 0) {
4562                ret = PSS_SALTLEN_E;
4563            }
4564        }
4565        else if (saltLen < RSA_PSS_SALT_LEN_DISCOVER) {
4566            ret = PSS_SALTLEN_E;
4567        }
4568#endif
4569    }
4570
4571    /* Sig = Salt | Exp Hash */
4572    if (ret == 0) {
4573        word32 totalSz = 0;
4574        if ((WC_SAFE_SUM_WORD32(inSz, (word32)saltLen, totalSz) == 0) ||
4575            (sigSz != totalSz))
4576        {
4577            ret = PSS_SALTLEN_E;
4578        }
4579    }
4580
4581#ifdef WOLFSSL_PSS_LONG_SALT
4582    /* if long salt is larger then default maximum buffer then allocate a buffer */
4583    if ((ret == 0) &&
4584            (sizeof(sigCheckBuf) < (RSA_PSS_PAD_SZ + inSz + (word32)saltLen))) {
4585        sigCheck = (byte*)XMALLOC(
4586                              (size_t)(RSA_PSS_PAD_SZ + inSz + (word32)saltLen),
4587                              heap, DYNAMIC_TYPE_RSA_BUFFER);
4588        if (sigCheck == NULL) {
4589            ret = MEMORY_E;
4590        }
4591    }
4592#else
4593    if (ret == 0 && sizeof(sigCheckBuf) < (RSA_PSS_PAD_SZ + inSz + (word32)saltLen)) {
4594        ret = BUFFER_E;
4595    }
4596#endif
4597
4598    /* Exp Hash = HASH(8 * 0x00 | Message Hash | Salt) */
4599    if (ret == 0) {
4600        XMEMSET(sigCheck, 0, RSA_PSS_PAD_SZ);
4601        XMEMCPY(sigCheck + RSA_PSS_PAD_SZ, in, inSz);
4602        XMEMCPY(sigCheck + RSA_PSS_PAD_SZ + inSz, sig, (size_t)saltLen);
4603        ret = wc_Hash(hashType, sigCheck, RSA_PSS_PAD_SZ + inSz + (word32)saltLen,
4604                      sigCheck, inSz);
4605    }
4606    if (ret == 0) {
4607        if (XMEMCMP(sigCheck, sig + saltLen, inSz) != 0) {
4608            WOLFSSL_MSG("RsaPSS_CheckPadding: Padding Error");
4609            ret = BAD_PADDING_E;
4610        }
4611    }
4612
4613#ifdef WOLFSSL_PSS_LONG_SALT
4614    if (sigCheck != NULL && sigCheck != sigCheckBuf) {
4615        XFREE(sigCheck, heap, DYNAMIC_TYPE_RSA_BUFFER);
4616    }
4617#endif
4618
4619    (void)heap; /* unused if memory is disabled */
4620    return ret;
4621}
4622int wc_RsaPSS_CheckPadding_ex(const byte* in, word32 inSz, const byte* sig,
4623                               word32 sigSz, enum wc_HashType hashType,
4624                               int saltLen, int bits)
4625{
4626    return wc_RsaPSS_CheckPadding_ex2(in, inSz, sig, sigSz, hashType, saltLen,
4627        bits, NULL);
4628}
4629
4630
4631/* Verify the message signed with RSA-PSS.
4632 * The input buffer is reused for the output buffer.
4633 * Salt length is equal to hash length.
4634 *
4635 * in     Buffer holding encrypted data.
4636 * inLen  Length of data in buffer.
4637 * out    Pointer to address containing the PSS data.
4638 * digest Hash of the data that is being verified.
4639 * digestLen Length of hash.
4640 * hash   Hash algorithm.
4641 * mgf    Mask generation function.
4642 * key    Public RSA key.
4643 * returns the length of the PSS data on success and negative indicates failure.
4644 */
4645int wc_RsaPSS_VerifyCheckInline(byte* in, word32 inLen, byte** out,
4646                           const byte* digest, word32 digestLen,
4647                           enum wc_HashType hash, int mgf, RsaKey* key)
4648{
4649    int ret = 0, verify, saltLen, hLen, bits = 0;
4650#ifdef WOLFSSL_MICROCHIP_TA100
4651    if (key != NULL && key->uKeyH != 0) {
4652        int verified = 0;
4653        ret = wc_Microchip_rsa_verify(digest, digestLen, in, inLen, key,
4654                                      &verified);
4655        if (ret != 0) {
4656            return ret;
4657        }
4658        return verified ? (int)inLen : SIG_VERIFY_E;
4659    }
4660#endif
4661
4662    hLen = wc_HashGetDigestSize(hash);
4663    if (hLen < 0)
4664        return BAD_FUNC_ARG;
4665    if ((word32)hLen != digestLen)
4666        return BAD_FUNC_ARG;
4667
4668    saltLen = hLen;
4669    #ifdef WOLFSSL_SHA512
4670        if (key == NULL) {
4671            return BAD_FUNC_ARG;
4672        }
4673        /* See FIPS 186-4 section 5.5 item (e). */
4674        bits = mp_count_bits(&key->n);
4675        if (bits == 1024 && hLen == WC_SHA512_DIGEST_SIZE)
4676            saltLen = RSA_PSS_SALT_MAX_SZ;
4677    #endif
4678
4679    verify = wc_RsaPSS_VerifyInline_ex(in, inLen, out, hash, mgf, saltLen, key);
4680    if (verify > 0)
4681        ret = wc_RsaPSS_CheckPadding_ex(digest, digestLen, *out, (word32)verify,
4682                                        hash, saltLen, bits);
4683    if (ret == 0)
4684        ret = verify;
4685
4686    return ret;
4687}
4688
4689
4690/* Verify the message signed with RSA-PSS.
4691 * Salt length is equal to hash length.
4692 *
4693 * in     Buffer holding encrypted data.
4694 * inLen  Length of data in buffer.
4695 * out    Pointer to address containing the PSS data.
4696 * outLen Length of the output.
4697 * digest Hash of the data that is being verified.
4698 * digestLen Length of hash.
4699 * hash   Hash algorithm.
4700 * mgf    Mask generation function.
4701 * key    Public RSA key.
4702 * returns the length of the PSS data on success and negative indicates failure.
4703 */
4704int wc_RsaPSS_VerifyCheck(const byte* in, word32 inLen, byte* out, word32 outLen,
4705                          const byte* digest, word32 digestLen,
4706                          enum wc_HashType hash, int mgf,
4707                          RsaKey* key)
4708{
4709    int ret = 0, verify, saltLen, hLen, bits = 0;
4710#ifdef WOLFSSL_MICROCHIP_TA100
4711    if (key != NULL && key->uKeyH != 0) {
4712        int verified = 0;
4713        ret = wc_Microchip_rsa_verify(digest, digestLen, (byte*)in, inLen,
4714                                      key, &verified);
4715        if (ret != 0) {
4716            return ret;
4717        }
4718        return verified ? (int)inLen : SIG_VERIFY_E;
4719    }
4720#endif
4721
4722    hLen = wc_HashGetDigestSize(hash);
4723    if (hLen < 0)
4724        return hLen;
4725    if ((word32)hLen != digestLen)
4726        return BAD_FUNC_ARG;
4727
4728    saltLen = hLen;
4729    #ifdef WOLFSSL_SHA512
4730        if (key == NULL) {
4731            return BAD_FUNC_ARG;
4732        }
4733        /* See FIPS 186-4 section 5.5 item (e). */
4734        bits = mp_count_bits(&key->n);
4735        if (bits == 1024 && hLen == WC_SHA512_DIGEST_SIZE)
4736            saltLen = RSA_PSS_SALT_MAX_SZ;
4737    #endif
4738
4739    verify = wc_RsaPSS_Verify_ex(in, inLen, out, outLen, hash,
4740                                 mgf, saltLen, key);
4741    if (verify > 0)
4742        ret = wc_RsaPSS_CheckPadding_ex(digest, digestLen, out, (word32)verify,
4743                                        hash, saltLen, bits);
4744    if (ret == 0)
4745        ret = verify;
4746
4747    return ret;
4748}
4749
4750#endif
4751
4752#if !defined(WOLFSSL_RSA_PUBLIC_ONLY) && !defined(WOLFSSL_RSA_VERIFY_ONLY)
4753int wc_RsaSSL_Sign(const byte* in, word32 inLen, byte* out, word32 outLen,
4754                                                   RsaKey* key, WC_RNG* rng)
4755{
4756    int ret;
4757    SAVE_VECTOR_REGISTERS(return _svr_ret;);
4758    ret = RsaPublicEncryptEx(in, inLen, out, outLen, key,
4759        RSA_PRIVATE_ENCRYPT, RSA_BLOCK_TYPE_1, WC_RSA_PKCSV15_PAD,
4760        WC_HASH_TYPE_NONE, WC_MGF1NONE, NULL, 0, 0, rng);
4761    RESTORE_VECTOR_REGISTERS();
4762    return ret;
4763}
4764
4765#ifdef WC_RSA_PSS
4766/* Sign the hash of a message using RSA-PSS.
4767 * Salt length is equal to hash length.
4768 *
4769 * in      Buffer holding hash of message.
4770 * inLen   Length of data in buffer (hash length).
4771 * out     Buffer to write encrypted signature into.
4772 * outLen  Size of buffer to write to.
4773 * hash    Hash algorithm.
4774 * mgf     Mask generation function.
4775 * key     Public RSA key.
4776 * rng     Random number generator.
4777 * returns the length of the encrypted signature on success, a negative value
4778 * indicates failure.
4779 */
4780int wc_RsaPSS_Sign(const byte* in, word32 inLen, byte* out, word32 outLen,
4781                       enum wc_HashType hash, int mgf, RsaKey* key, WC_RNG* rng)
4782{
4783    return wc_RsaPSS_Sign_ex(in, inLen, out, outLen, hash, mgf,
4784                                            RSA_PSS_SALT_LEN_DEFAULT, key, rng);
4785}
4786
4787/* Sign the hash of a message using RSA-PSS.
4788 *
4789 * in       Buffer holding hash of message.
4790 * inLen    Length of data in buffer (hash length).
4791 * out      Buffer to write encrypted signature into.
4792 * outLen   Size of buffer to write to.
4793 * hash     Hash algorithm.
4794 * mgf      Mask generation function.
4795 * saltLen  Length of salt used. RSA_PSS_SALT_LEN_DEFAULT (-1) indicates salt
4796 *          length is the same as the hash length. RSA_PSS_SALT_LEN_DISCOVER
4797 *          indicates salt length is determined from the data.
4798 * key      Public RSA key.
4799 * rng      Random number generator.
4800 * returns the length of the encrypted signature on success, a negative value
4801 * indicates failure.
4802 */
4803int wc_RsaPSS_Sign_ex(const byte* in, word32 inLen, byte* out, word32 outLen,
4804                      enum wc_HashType hash, int mgf, int saltLen, RsaKey* key,
4805                      WC_RNG* rng)
4806{
4807    int ret;
4808    SAVE_VECTOR_REGISTERS(return _svr_ret;);
4809    ret = RsaPublicEncryptEx(in, inLen, out, outLen, key,
4810        RSA_PRIVATE_ENCRYPT, RSA_BLOCK_TYPE_1, WC_RSA_PSS_PAD,
4811        hash, mgf, NULL, 0, saltLen, rng);
4812    RESTORE_VECTOR_REGISTERS();
4813    return ret;
4814}
4815#endif
4816#endif
4817
4818int wc_RsaEncryptSize(const RsaKey* key)
4819{
4820    int ret;
4821
4822    if (key == NULL) {
4823        return BAD_FUNC_ARG;
4824    }
4825
4826    ret = mp_unsigned_bin_size(&key->n);
4827
4828#if defined(WOLFSSL_MICROCHIP_TA100)
4829    if (ret == 0 && (key->rKeyH != 0 || key->uKeyH != 0)) {
4830        ret = 2048 / 8;
4831    }
4832#endif
4833
4834#ifdef WOLF_CRYPTO_CB
4835    if (ret == 0 && key->devId != INVALID_DEVID) {
4836        if (wc_CryptoCb_RsaGetSize(key, &ret) == WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE)) {
4837            ret = 2048/8; /* hardware handles, use 2048-bit as default */
4838        }
4839    }
4840#endif
4841
4842    return ret;
4843}
4844
4845#ifndef WOLFSSL_RSA_VERIFY_ONLY
4846/* Software-only export of RSA public key elements from RsaKey.
4847 * This internal helper avoids recursion when called from the EXPORT_KEY path. */
4848static int _RsaFlattenPublicKey(const RsaKey* key, byte* e, word32* eSz,
4849                                byte* n, word32* nSz)
4850{
4851    int sz, ret;
4852
4853    if (key == NULL || e == NULL || eSz == NULL || n == NULL || nSz == NULL) {
4854        return BAD_FUNC_ARG;
4855    }
4856
4857    sz = mp_unsigned_bin_size(&key->e);
4858    if ((word32)sz > *eSz) {
4859        return RSA_BUFFER_E;
4860    }
4861    ret = mp_to_unsigned_bin(&key->e, e);
4862    if (ret != MP_OKAY) {
4863        return ret;
4864    }
4865    *eSz = (word32)sz;
4866
4867    sz = wc_RsaEncryptSize(key);
4868    if ((word32)sz > *nSz) {
4869        return RSA_BUFFER_E;
4870    }
4871    ret = mp_to_unsigned_bin(&key->n, n);
4872    if (ret != MP_OKAY) {
4873        return ret;
4874    }
4875    *nSz = (word32)sz;
4876
4877    return 0;
4878}
4879
4880/* flatten RsaKey structure into individual elements (e, n) */
4881int wc_RsaFlattenPublicKey(const RsaKey* key, byte* e, word32* eSz, byte* n,
4882                                                                   word32* nSz)
4883{
4884    if (key == NULL || e == NULL || eSz == NULL || n == NULL || nSz == NULL) {
4885        return BAD_FUNC_ARG;
4886    }
4887
4888#if defined(WOLF_CRYPTO_CB) && defined(WOLF_CRYPTO_CB_EXPORT_KEY)
4889#ifndef WOLF_CRYPTO_CB_FIND
4890    if (key->devId != INVALID_DEVID)
4891#endif
4892    {
4893        int ret;
4894        WC_DECLARE_VAR(tmpKey, RsaKey, 1, NULL);
4895
4896        WC_ALLOC_VAR(tmpKey, RsaKey, 1, key->heap);
4897        if (!WC_VAR_OK(tmpKey)) {
4898            return MEMORY_E;
4899        }
4900        XMEMSET(tmpKey, 0, sizeof(RsaKey));
4901
4902        ret = wc_InitRsaKey_ex(tmpKey, key->heap, INVALID_DEVID);
4903        if (ret != 0) {
4904            WC_FREE_VAR(tmpKey, key->heap);
4905            return ret;
4906        }
4907
4908        ret = wc_CryptoCb_ExportKey(key->devId, WC_PK_TYPE_RSA,
4909                                     key, tmpKey);
4910        if (ret == 0) {
4911            /* Call software helper (no callback recursion) */
4912            ret = _RsaFlattenPublicKey(tmpKey, e, eSz, n, nSz);
4913        }
4914        /* wc_FreeRsaKey calls mp_forcezero on all private key components,
4915         * so no separate ForceZero of the struct is needed here. Calling
4916         * ForceZero before wc_FreeRsaKey would zero the mp_int metadata
4917         * and cause a crash. */
4918        wc_FreeRsaKey(tmpKey);
4919        WC_FREE_VAR(tmpKey, key->heap);
4920        if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE)) {
4921            return ret;
4922        }
4923        /* fall through to software */
4924    }
4925#endif /* WOLF_CRYPTO_CB && WOLF_CRYPTO_CB_EXPORT_KEY */
4926
4927    return _RsaFlattenPublicKey(key, e, eSz, n, nSz);
4928}
4929#endif
4930
4931#ifndef WOLFSSL_RSA_VERIFY_ONLY
4932static int RsaGetValue(const mp_int* in, byte* out, word32* outSz)
4933{
4934    word32 sz;
4935    int ret = 0;
4936
4937    /* Parameters ensured by calling function. */
4938
4939    sz = (word32)mp_unsigned_bin_size(in);
4940    if (sz > *outSz)
4941        ret = RSA_BUFFER_E;
4942
4943    if (ret == 0)
4944        ret = mp_to_unsigned_bin(in, out);
4945
4946    if (ret == MP_OKAY)
4947        *outSz = sz;
4948
4949    return ret;
4950}
4951
4952
4953/* Software-only export of RSA key elements from RsaKey.
4954 * This internal helper avoids recursion when called from the EXPORT_KEY path. */
4955static int _RsaExportKey(const RsaKey* key,
4956                         byte* e, word32* eSz, byte* n, word32* nSz,
4957                         byte* d, word32* dSz, byte* p, word32* pSz,
4958                         byte* q, word32* qSz)
4959{
4960    int ret = 0;
4961
4962    if (key == NULL || e == NULL || eSz == NULL || n == NULL || nSz == NULL
4963            || d == NULL || dSz == NULL || p == NULL || pSz == NULL
4964            || q == NULL || qSz == NULL) {
4965        return BAD_FUNC_ARG;
4966    }
4967
4968    if (ret == 0) {
4969        ret = RsaGetValue(&key->e, e, eSz);
4970    }
4971    if (ret == 0) {
4972        ret = RsaGetValue(&key->n, n, nSz);
4973    }
4974#ifndef WOLFSSL_RSA_PUBLIC_ONLY
4975    if (ret == 0) {
4976        ret = RsaGetValue(&key->d, d, dSz);
4977    }
4978    if (ret == 0) {
4979        ret = RsaGetValue(&key->p, p, pSz);
4980    }
4981    if (ret == 0) {
4982        ret = RsaGetValue(&key->q, q, qSz);
4983    }
4984#else
4985    /* no private parts to key */
4986    if (d == NULL || p == NULL || q == NULL || dSz == NULL || pSz == NULL
4987            || qSz == NULL) {
4988        ret = BAD_FUNC_ARG;
4989    }
4990    else {
4991        *dSz = 0;
4992        *pSz = 0;
4993        *qSz = 0;
4994    }
4995#endif /* WOLFSSL_RSA_PUBLIC_ONLY */
4996
4997    return ret;
4998}
4999
5000int wc_RsaExportKey(const RsaKey* key,
5001                    byte* e, word32* eSz, byte* n, word32* nSz,
5002                    byte* d, word32* dSz, byte* p, word32* pSz,
5003                    byte* q, word32* qSz)
5004{
5005    int ret = WC_NO_ERR_TRACE(BAD_FUNC_ARG);
5006
5007    if (key && e && eSz && n && nSz && d && dSz && p && pSz && q && qSz) {
5008        ret = 0;
5009    }
5010
5011#if defined(WOLF_CRYPTO_CB) && defined(WOLF_CRYPTO_CB_EXPORT_KEY)
5012    if (ret == 0) {
5013    #ifndef WOLF_CRYPTO_CB_FIND
5014        if (key->devId != INVALID_DEVID)
5015    #endif
5016        {
5017            WC_DECLARE_VAR(tmpKey, RsaKey, 1, NULL);
5018
5019            WC_ALLOC_VAR(tmpKey, RsaKey, 1, key->heap);
5020            if (!WC_VAR_OK(tmpKey)) {
5021                return MEMORY_E;
5022            }
5023            XMEMSET(tmpKey, 0, sizeof(RsaKey));
5024
5025            ret = wc_InitRsaKey_ex(tmpKey, key->heap, INVALID_DEVID);
5026            if (ret != 0) {
5027                WC_FREE_VAR(tmpKey, key->heap);
5028                return ret;
5029            }
5030
5031            ret = wc_CryptoCb_ExportKey(key->devId, WC_PK_TYPE_RSA,
5032                                         key, tmpKey);
5033            if (ret == 0) {
5034                /* Call software helper (no callback recursion) */
5035                ret = _RsaExportKey(tmpKey, e, eSz, n, nSz,
5036                                    d, dSz, p, pSz, q, qSz);
5037            }
5038            /* wc_FreeRsaKey calls mp_forcezero on all private key components,
5039             * so no separate ForceZero of the struct is needed here. */
5040            wc_FreeRsaKey(tmpKey);
5041            WC_FREE_VAR(tmpKey, key->heap);
5042            if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE)) {
5043                return ret;
5044            }
5045            ret = 0; /* fall through to software */
5046        }
5047    }
5048#endif /* WOLF_CRYPTO_CB && WOLF_CRYPTO_CB_EXPORT_KEY */
5049
5050    if (ret == 0) {
5051        ret = _RsaExportKey(key, e, eSz, n, nSz, d, dSz, p, pSz, q, qSz);
5052    }
5053
5054    return ret;
5055}
5056#endif
5057
5058
5059#if defined(WOLFSSL_KEY_GEN) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)
5060
5061/* Check that |p-q| > 2^((size/2)-100) */
5062static int wc_CompareDiffPQ(mp_int* p, mp_int* q, int size, int* valid)
5063{
5064#ifdef WOLFSSL_SMALL_STACK
5065    mp_int *c = NULL, *d = NULL;
5066#else
5067    mp_int c[1], d[1];
5068#endif
5069    int ret;
5070
5071    if (p == NULL || q == NULL)
5072        return BAD_FUNC_ARG;
5073
5074#ifdef WOLFSSL_SMALL_STACK
5075    if (((c = (mp_int *)XMALLOC(sizeof(*c), NULL, DYNAMIC_TYPE_WOLF_BIGINT)) == NULL) ||
5076        ((d = (mp_int *)XMALLOC(sizeof(*d), NULL, DYNAMIC_TYPE_WOLF_BIGINT)) == NULL))
5077        ret = MEMORY_E;
5078    else
5079        ret = 0;
5080
5081    if (ret == 0)
5082#endif
5083        ret = mp_init_multi(c, d, NULL, NULL, NULL, NULL);
5084
5085    /* c = 2^((size/2)-100) */
5086    if (ret == 0)
5087        ret = mp_2expt(c, (size/2)-100);
5088
5089    /* d = |p-q| */
5090    if (ret == 0)
5091        ret = mp_sub(p, q, d);
5092
5093#ifdef WOLFSSL_CHECK_MEM_ZERO
5094    if (ret == 0)
5095        mp_memzero_add("Compare PQ d", d);
5096#endif
5097
5098#if !defined(WOLFSSL_SP_MATH) && (!defined(WOLFSSL_SP_MATH_ALL) || \
5099                                               defined(WOLFSSL_SP_INT_NEGATIVE))
5100    if (ret == 0)
5101        ret = mp_abs(d, d);
5102#endif
5103
5104    /* compare */
5105    if (ret == 0)
5106        *valid = (mp_cmp(d, c) == MP_GT);
5107
5108#ifdef WOLFSSL_SMALL_STACK
5109    if (d != NULL) {
5110        mp_forcezero(d);
5111        XFREE(d, NULL, DYNAMIC_TYPE_WOLF_BIGINT);
5112    }
5113    if (c != NULL) {
5114        mp_clear(c);
5115        XFREE(c, NULL, DYNAMIC_TYPE_WOLF_BIGINT);
5116    }
5117#else
5118    mp_forcezero(d);
5119    mp_clear(c);
5120#ifdef WOLFSSL_CHECK_MEM_ZERO
5121    mp_memzero_check(d);
5122#endif
5123#endif
5124
5125    return ret;
5126}
5127
5128
5129/* The lower_bound value is floor(2^(0.5) * 2^((nlen/2)-1)) where nlen is 4096.
5130 * This number was calculated using a small test tool written with a common
5131 * large number math library. Other values of nlen may be checked with a subset
5132 * of lower_bound. */
5133static const byte lower_bound[] = {
5134    0xB5, 0x04, 0xF3, 0x33, 0xF9, 0xDE, 0x64, 0x84,
5135    0x59, 0x7D, 0x89, 0xB3, 0x75, 0x4A, 0xBE, 0x9F,
5136    0x1D, 0x6F, 0x60, 0xBA, 0x89, 0x3B, 0xA8, 0x4C,
5137    0xED, 0x17, 0xAC, 0x85, 0x83, 0x33, 0x99, 0x15,
5138/* 512 */
5139    0x4A, 0xFC, 0x83, 0x04, 0x3A, 0xB8, 0xA2, 0xC3,
5140    0xA8, 0xB1, 0xFE, 0x6F, 0xDC, 0x83, 0xDB, 0x39,
5141    0x0F, 0x74, 0xA8, 0x5E, 0x43, 0x9C, 0x7B, 0x4A,
5142    0x78, 0x04, 0x87, 0x36, 0x3D, 0xFA, 0x27, 0x68,
5143/* 1024 */
5144    0xD2, 0x20, 0x2E, 0x87, 0x42, 0xAF, 0x1F, 0x4E,
5145    0x53, 0x05, 0x9C, 0x60, 0x11, 0xBC, 0x33, 0x7B,
5146    0xCA, 0xB1, 0xBC, 0x91, 0x16, 0x88, 0x45, 0x8A,
5147    0x46, 0x0A, 0xBC, 0x72, 0x2F, 0x7C, 0x4E, 0x33,
5148    0xC6, 0xD5, 0xA8, 0xA3, 0x8B, 0xB7, 0xE9, 0xDC,
5149    0xCB, 0x2A, 0x63, 0x43, 0x31, 0xF3, 0xC8, 0x4D,
5150    0xF5, 0x2F, 0x12, 0x0F, 0x83, 0x6E, 0x58, 0x2E,
5151    0xEA, 0xA4, 0xA0, 0x89, 0x90, 0x40, 0xCA, 0x4A,
5152/* 2048 */
5153    0x81, 0x39, 0x4A, 0xB6, 0xD8, 0xFD, 0x0E, 0xFD,
5154    0xF4, 0xD3, 0xA0, 0x2C, 0xEB, 0xC9, 0x3E, 0x0C,
5155    0x42, 0x64, 0xDA, 0xBC, 0xD5, 0x28, 0xB6, 0x51,
5156    0xB8, 0xCF, 0x34, 0x1B, 0x6F, 0x82, 0x36, 0xC7,
5157    0x01, 0x04, 0xDC, 0x01, 0xFE, 0x32, 0x35, 0x2F,
5158    0x33, 0x2A, 0x5E, 0x9F, 0x7B, 0xDA, 0x1E, 0xBF,
5159    0xF6, 0xA1, 0xBE, 0x3F, 0xCA, 0x22, 0x13, 0x07,
5160    0xDE, 0xA0, 0x62, 0x41, 0xF7, 0xAA, 0x81, 0xC2,
5161/* 3072 */
5162    0xC1, 0xFC, 0xBD, 0xDE, 0xA2, 0xF7, 0xDC, 0x33,
5163    0x18, 0x83, 0x8A, 0x2E, 0xAF, 0xF5, 0xF3, 0xB2,
5164    0xD2, 0x4F, 0x4A, 0x76, 0x3F, 0xAC, 0xB8, 0x82,
5165    0xFD, 0xFE, 0x17, 0x0F, 0xD3, 0xB1, 0xF7, 0x80,
5166    0xF9, 0xAC, 0xCE, 0x41, 0x79, 0x7F, 0x28, 0x05,
5167    0xC2, 0x46, 0x78, 0x5E, 0x92, 0x95, 0x70, 0x23,
5168    0x5F, 0xCF, 0x8F, 0x7B, 0xCA, 0x3E, 0xA3, 0x3B,
5169    0x4D, 0x7C, 0x60, 0xA5, 0xE6, 0x33, 0xE3, 0xE1
5170/* 4096 */
5171};
5172
5173
5174/* returns 1 on key size ok and 0 if not ok */
5175static WC_INLINE int RsaSizeCheck(int size)
5176{
5177    if (size < RSA_MIN_SIZE || size > RSA_MAX_SIZE) {
5178        return 0;
5179    }
5180
5181#ifdef HAVE_FIPS
5182    /* Key size requirements for CAVP */
5183    switch (size) {
5184        case 1024:
5185        case 2048:
5186        case 3072:
5187        case 4096:
5188            return 1;
5189    }
5190
5191    return 0;
5192#else
5193    return 1; /* allow unusual key sizes in non FIPS mode */
5194#endif /* HAVE_FIPS */
5195}
5196
5197
5198static int _CheckProbablePrime(mp_int* p, mp_int* q, mp_int* e, int nlen,
5199                                    int* isPrime, WC_RNG* rng)
5200{
5201    int ret;
5202#ifdef WOLFSSL_SMALL_STACK
5203    mp_int *tmp1 = NULL, *tmp2 = NULL;
5204#else
5205    mp_int tmp1[1], tmp2[2];
5206#endif
5207    mp_int* prime;
5208
5209    if (p == NULL || e == NULL || isPrime == NULL)
5210        return BAD_FUNC_ARG;
5211
5212    if (!RsaSizeCheck(nlen))
5213        return BAD_FUNC_ARG;
5214
5215    *isPrime = MP_NO;
5216
5217#ifdef WOLFSSL_SMALL_STACK
5218    if (((tmp1 = (mp_int *)XMALLOC(sizeof(*tmp1), NULL, DYNAMIC_TYPE_WOLF_BIGINT)) == NULL) ||
5219        ((tmp2 = (mp_int *)XMALLOC(sizeof(*tmp2), NULL, DYNAMIC_TYPE_WOLF_BIGINT)) == NULL)) {
5220        ret = MEMORY_E;
5221        goto notOkay;
5222    }
5223#endif
5224
5225    ret = mp_init_multi(tmp1, tmp2, NULL, NULL, NULL, NULL);
5226    if (ret != MP_OKAY) goto notOkay;
5227
5228    if (q != NULL) {
5229        int valid = 0;
5230        /* 5.4 (186-4) 5.5 (186-5) -
5231         * check that |p-q| <= (2^(1/2))(2^((nlen/2)-1)) */
5232        ret = wc_CompareDiffPQ(p, q, nlen, &valid);
5233        if ((ret != MP_OKAY) || (!valid)) goto notOkay;
5234        prime = q;
5235    }
5236    else
5237        prime = p;
5238
5239    /* 4.4,5.5 (186-4) 4.4,5.4 (186-5) -
5240     * Check that prime >= (2^(1/2))(2^((nlen/2)-1))
5241     *           This is a comparison against lowerBound */
5242    ret = mp_read_unsigned_bin(tmp1, lower_bound, (word32)nlen/16);
5243    if (ret != MP_OKAY) goto notOkay;
5244    ret = mp_cmp(prime, tmp1);
5245    if (ret == MP_LT) goto exit;
5246
5247    /* 4.5,5.6 (186-4 & 186-5) - Check that GCD(p-1, e) == 1 */
5248    ret = mp_sub_d(prime, 1, tmp1);  /* tmp1 = prime-1 */
5249    if (ret != MP_OKAY) goto notOkay;
5250#ifdef WOLFSSL_CHECK_MEM_ZERO
5251    mp_memzero_add("Check Probable Prime tmp1", tmp1);
5252#endif
5253    ret = mp_gcd(tmp1, e, tmp2);  /* tmp2 = gcd(prime-1, e) */
5254    if (ret != MP_OKAY) goto notOkay;
5255    ret = mp_cmp_d(tmp2, 1);
5256    if (ret != MP_EQ) goto exit; /* e divides p-1 */
5257
5258    /* 4.5.1,5.6.1 - Check primality of p with 8 rounds of M-R.
5259     * mp_prime_is_prime_ex() performs test divisions against the first 256
5260     * prime numbers. After that it performs 8 rounds of M-R using random
5261     * bases between 2 and n-2.
5262     * mp_prime_is_prime() performs the same test divisions and then does
5263     * M-R with the first 8 primes. Both functions set isPrime as a
5264     * side-effect. */
5265    if (rng != NULL)
5266        ret = mp_prime_is_prime_ex(prime, 8, isPrime, rng);
5267    else
5268        ret = mp_prime_is_prime(prime, 8, isPrime);
5269    if (ret != MP_OKAY) goto notOkay;
5270
5271exit:
5272    ret = MP_OKAY;
5273
5274notOkay:
5275
5276#ifdef WOLFSSL_SMALL_STACK
5277    if (tmp1 != NULL) {
5278        mp_forcezero(tmp1);
5279        XFREE(tmp1, NULL, DYNAMIC_TYPE_WOLF_BIGINT);
5280    }
5281    if (tmp2 != NULL) {
5282        mp_clear(tmp2);
5283        XFREE(tmp2, NULL, DYNAMIC_TYPE_WOLF_BIGINT);
5284    }
5285#else
5286    mp_forcezero(tmp1);
5287    mp_clear(tmp2);
5288#ifdef WOLFSSL_CHECK_MEM_ZERO
5289    mp_memzero_check(tmp1);
5290#endif
5291#endif
5292
5293    return ret;
5294}
5295
5296
5297int wc_CheckProbablePrime_ex(const byte* pRaw, word32 pRawSz,
5298                          const byte* qRaw, word32 qRawSz,
5299                          const byte* eRaw, word32 eRawSz,
5300                          int nlen, int* isPrime, WC_RNG* rng)
5301{
5302#ifdef WOLFSSL_SMALL_STACK
5303    mp_int *p = NULL, *q = NULL, *e = NULL;
5304#else
5305    mp_int p[1], q[1], e[1];
5306#endif
5307    mp_int* Q = NULL;
5308    int ret;
5309
5310    if (pRaw == NULL || pRawSz == 0 ||
5311        eRaw == NULL || eRawSz == 0 ||
5312        isPrime == NULL) {
5313
5314        return BAD_FUNC_ARG;
5315    }
5316
5317    if ((qRaw != NULL && qRawSz == 0) || (qRaw == NULL && qRawSz != 0))
5318        return BAD_FUNC_ARG;
5319
5320#ifdef WOLFSSL_SMALL_STACK
5321
5322    if (((p = (mp_int *)XMALLOC(sizeof(*p), NULL, DYNAMIC_TYPE_RSA_BUFFER)) == NULL) ||
5323        ((q = (mp_int *)XMALLOC(sizeof(*q), NULL, DYNAMIC_TYPE_RSA_BUFFER)) == NULL) ||
5324        ((e = (mp_int *)XMALLOC(sizeof(*e), NULL, DYNAMIC_TYPE_RSA_BUFFER)) == NULL))
5325        ret = MEMORY_E;
5326    else
5327        ret = 0;
5328    if (ret == 0)
5329#endif
5330        ret = mp_init_multi(p, q, e, NULL, NULL, NULL);
5331
5332    if (ret == MP_OKAY)
5333        ret = mp_read_unsigned_bin(p, pRaw, pRawSz);
5334
5335    if (ret == MP_OKAY) {
5336    #ifdef WOLFSSL_CHECK_MEM_ZERO
5337        mp_memzero_add("wc_CheckProbablePrime_ex p", p);
5338    #endif
5339        if (qRaw != NULL) {
5340            ret = mp_read_unsigned_bin(q, qRaw, qRawSz);
5341            if (ret == MP_OKAY) {
5342            #ifdef WOLFSSL_CHECK_MEM_ZERO
5343                mp_memzero_add("wc_CheckProbablePrime_ex q", q);
5344            #endif
5345                Q = q;
5346            }
5347        }
5348    }
5349
5350    if (ret == MP_OKAY)
5351        ret = mp_read_unsigned_bin(e, eRaw, eRawSz);
5352
5353    if (ret == MP_OKAY)
5354        SAVE_VECTOR_REGISTERS(ret = _svr_ret;);
5355
5356    if (ret == 0) {
5357        ret = _CheckProbablePrime(p, Q, e, nlen, isPrime, rng);
5358        RESTORE_VECTOR_REGISTERS();
5359    }
5360
5361    ret = (ret == MP_OKAY) ? 0 : PRIME_GEN_E;
5362
5363#ifdef WOLFSSL_SMALL_STACK
5364    if (p != NULL) {
5365        mp_forcezero(p);
5366        XFREE(p, NULL, DYNAMIC_TYPE_RSA_BUFFER);
5367    }
5368    if (q != NULL) {
5369        mp_forcezero(q);
5370        XFREE(q, NULL, DYNAMIC_TYPE_RSA_BUFFER);
5371    }
5372    if (e != NULL) {
5373        mp_clear(e);
5374        XFREE(e, NULL, DYNAMIC_TYPE_RSA_BUFFER);
5375    }
5376#else
5377    mp_forcezero(p);
5378    mp_forcezero(q);
5379    mp_clear(e);
5380#ifdef WOLFSSL_CHECK_MEM_ZERO
5381    mp_memzero_check(p);
5382    mp_memzero_check(q);
5383#endif
5384#endif
5385
5386    return ret;
5387}
5388
5389
5390int wc_CheckProbablePrime(const byte* pRaw, word32 pRawSz,
5391                          const byte* qRaw, word32 qRawSz,
5392                          const byte* eRaw, word32 eRawSz,
5393                          int nlen, int* isPrime)
5394{
5395    return wc_CheckProbablePrime_ex(pRaw, pRawSz, qRaw, qRawSz,
5396                          eRaw, eRawSz, nlen, isPrime, NULL);
5397}
5398
5399#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS) && \
5400        defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2))
5401/* Make an RSA key for size bits, with e specified, 65537 is a good e */
5402int wc_MakeRsaKey(RsaKey* key, int size, long e, WC_RNG* rng)
5403{
5404#ifndef WC_NO_RNG
5405#if !defined(WOLFSSL_CRYPTOCELL) && \
5406    (!defined(WOLFSSL_SE050) || defined(WOLFSSL_SE050_NO_RSA)) && \
5407    !defined(WOLF_CRYPTO_CB_ONLY_RSA) && \
5408    !defined(WOLFSSL_MICROCHIP_TA100)
5409#ifdef WOLFSSL_SMALL_STACK
5410    mp_int *p = NULL;
5411    mp_int *q = NULL;
5412    mp_int *tmp1 = NULL;
5413    mp_int *tmp2 = NULL;
5414    mp_int *tmp3 = NULL;
5415#else
5416    mp_int p_buf, *p = &p_buf;
5417    mp_int q_buf, *q = &q_buf;
5418    mp_int tmp1_buf, *tmp1 = &tmp1_buf;
5419    mp_int tmp2_buf, *tmp2 = &tmp2_buf;
5420    mp_int tmp3_buf, *tmp3 = &tmp3_buf;
5421#endif /* WOLFSSL_SMALL_STACK */
5422    int i, failCount, isPrime = 0;
5423    word32 primeSz;
5424#ifndef WOLFSSL_NO_MALLOC
5425    byte* buf = NULL;
5426#else
5427    /* RSA_MAX_SIZE is the size of n in bits. */
5428    byte buf[RSA_MAX_SIZE/16];
5429#endif
5430#endif /* !WOLFSSL_CRYPTOCELL && !WOLFSSL_SE050 */
5431    int err;
5432
5433    if (key == NULL || rng == NULL) {
5434        err = BAD_FUNC_ARG;
5435        goto out;
5436    }
5437
5438    if (!RsaSizeCheck(size)) {
5439        err = BAD_FUNC_ARG;
5440        goto out;
5441    }
5442
5443    if (e < 3 || (e & 1) == 0) {
5444        err = BAD_FUNC_ARG;
5445        goto out;
5446    }
5447
5448#if defined(WOLFSSL_CRYPTOCELL)
5449    err = cc310_RSA_GenerateKeyPair(key, size, e);
5450    goto out;
5451#elif defined(WOLFSSL_MICROCHIP_TA100)
5452    err = wc_Microchip_rsa_create_key(key, size, e);
5453    goto out;
5454#elif defined(WOLFSSL_SE050) && !defined(WOLFSSL_SE050_NO_RSA)
5455    err = se050_rsa_create_key(key, size, e);
5456    goto out;
5457#else
5458    /* software crypto */
5459
5460#ifdef WOLFSSL_SMALL_STACK
5461    p = (mp_int *)XMALLOC(sizeof *p, key->heap, DYNAMIC_TYPE_RSA);
5462    q = (mp_int *)XMALLOC(sizeof *q, key->heap, DYNAMIC_TYPE_RSA);
5463    tmp1 = (mp_int *)XMALLOC(sizeof *tmp1, key->heap, DYNAMIC_TYPE_RSA);
5464    tmp2 = (mp_int *)XMALLOC(sizeof *tmp2, key->heap, DYNAMIC_TYPE_RSA);
5465    tmp3 = (mp_int *)XMALLOC(sizeof *tmp3, key->heap, DYNAMIC_TYPE_RSA);
5466
5467    if ((p == NULL) ||
5468        (q == NULL) ||
5469        (tmp1 == NULL) ||
5470        (tmp2 == NULL) ||
5471        (tmp3 == NULL)) {
5472      err = MEMORY_E;
5473      goto out;
5474    }
5475#endif
5476#ifdef WOLFSSL_CHECK_MEM_ZERO
5477    XMEMSET(p, 0, sizeof(*p));
5478    XMEMSET(q, 0, sizeof(*q));
5479    XMEMSET(tmp1, 0, sizeof(*tmp1));
5480    XMEMSET(tmp2, 0, sizeof(*tmp2));
5481    XMEMSET(tmp3, 0, sizeof(*tmp3));
5482#endif
5483
5484#ifdef WOLF_CRYPTO_CB
5485    #ifndef WOLF_CRYPTO_CB_FIND
5486    if (key->devId != INVALID_DEVID)
5487    #endif
5488    {
5489        err = wc_CryptoCb_MakeRsaKey(key, size, e, rng);
5490    #ifdef WOLF_CRYPTO_CB_ONLY_RSA
5491        if (err == WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE)) {
5492            err = NO_VALID_DEVID;
5493            goto out;
5494        }
5495    #else
5496        if (err != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE)) {
5497            goto out;
5498        }
5499        /* fall-through when unavailable */
5500    #endif
5501    }
5502    #if !defined(WOLF_CRYPTO_CB_FIND) && defined(WOLF_CRYPTO_CB_ONLY_RSA)
5503    else {
5504        err = NO_VALID_DEVID;
5505    }
5506    #endif
5507#endif
5508
5509#ifndef WOLF_CRYPTO_CB_ONLY_RSA
5510#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_RSA) && \
5511    defined(WC_ASYNC_ENABLE_RSA_KEYGEN)
5512    if (key->asyncDev.marker == WOLFSSL_ASYNC_MARKER_RSA) {
5513    #ifdef HAVE_CAVIUM
5514        /* TODO: Not implemented */
5515    #elif defined(HAVE_INTEL_QA)
5516        err = IntelQaRsaKeyGen(&key->asyncDev, key, size, e, rng);
5517        goto out;
5518    #elif defined(WOLFSSL_ASYNC_CRYPT_SW)
5519        if (wc_AsyncSwInit(&key->asyncDev, ASYNC_SW_RSA_MAKE)) {
5520            WC_ASYNC_SW* sw = &key->asyncDev.sw;
5521            sw->rsaMake.rng = rng;
5522            sw->rsaMake.key = key;
5523            sw->rsaMake.size = size;
5524            sw->rsaMake.e = e;
5525            err = WC_PENDING_E;
5526            goto out;
5527        }
5528    #endif
5529    }
5530#endif
5531
5532    err = mp_init_multi(p, q, tmp1, tmp2, tmp3, NULL);
5533
5534    if (err == MP_OKAY)
5535        err = mp_set_int(tmp3, (unsigned long)e);
5536
5537    /* The failCount value comes from NIST FIPS 186-4, section B.3.3,
5538     * process steps 4.7 and 5.8. */
5539    failCount = 5 * (size / 2);
5540    primeSz = (word32)size / 16; /* size is the size of n in bits.
5541                            primeSz is in bytes. */
5542
5543#ifndef WOLFSSL_NO_MALLOC
5544    /* allocate buffer to work with */
5545    if (err == MP_OKAY) {
5546        buf = (byte*)XMALLOC(primeSz, key->heap, DYNAMIC_TYPE_RSA);
5547        if (buf == NULL)
5548            err = MEMORY_E;
5549    }
5550#endif
5551
5552    SAVE_VECTOR_REGISTERS(err = _svr_ret;);
5553
5554    /* make p */
5555    if (err == MP_OKAY) {
5556    #ifdef WOLFSSL_CHECK_MEM_ZERO
5557        wc_MemZero_Add("RSA gen buf", buf, primeSz);
5558        mp_memzero_add("RSA gen p", p);
5559        mp_memzero_add("RSA gen q", q);
5560        mp_memzero_add("RSA gen tmp1", tmp1);
5561        mp_memzero_add("RSA gen tmp2", tmp2);
5562        mp_memzero_add("RSA gen tmp3", tmp3);
5563    #endif
5564        isPrime = 0;
5565        i = 0;
5566        for (;;) {
5567#ifdef SHOW_GEN
5568            printf(".");
5569            fflush(stdout);
5570#endif
5571            /* generate value */
5572            err = wc_RNG_GenerateBlock(rng, buf, primeSz);
5573            if (err == 0) {
5574                /* prime lower bound has the MSB set, set it in candidate */
5575                buf[0] |= 0x80;
5576                /* make candidate odd */
5577                buf[primeSz-1] |= 0x01;
5578                /* load value */
5579                err = mp_read_unsigned_bin(p, buf, primeSz);
5580            }
5581
5582            if (err == MP_OKAY)
5583                err = _CheckProbablePrime(p, NULL, tmp3, size, &isPrime, rng);
5584
5585#ifdef HAVE_FIPS
5586            i++;
5587#else
5588            /* Keep the old retry behavior in non-FIPS build. */
5589#endif
5590
5591            if (err != MP_OKAY || isPrime || i >= failCount)
5592                break;
5593
5594            /* linuxkm: release the kernel for a moment before iterating. */
5595            RESTORE_VECTOR_REGISTERS();
5596            SAVE_VECTOR_REGISTERS(err = _svr_ret; break;);
5597        };
5598    }
5599
5600    if (err == MP_OKAY && !isPrime)
5601        err = PRIME_GEN_E;
5602
5603    /* make q */
5604    if (err == MP_OKAY) {
5605        isPrime = 0;
5606        i = 0;
5607        do {
5608#ifdef SHOW_GEN
5609            printf(".");
5610            fflush(stdout);
5611#endif
5612            /* generate value */
5613            err = wc_RNG_GenerateBlock(rng, buf, primeSz);
5614            if (err == 0) {
5615                /* prime lower bound has the MSB set, set it in candidate */
5616                buf[0] |= 0x80;
5617                /* make candidate odd */
5618                buf[primeSz-1] |= 0x01;
5619                /* load value */
5620                err = mp_read_unsigned_bin(q, buf, primeSz);
5621            }
5622
5623            if (err == MP_OKAY)
5624                err = _CheckProbablePrime(p, q, tmp3, size, &isPrime, rng);
5625
5626#ifndef WC_RSA_NO_FERMAT_CHECK
5627            if (err == MP_OKAY && isPrime) {
5628                /* Fermat's Factorization works when difference between p and q
5629                 * is less than (conservatively):
5630                 *     n^(1/4) + 32
5631                 *  ~= 2^(bit count of n)^(1/4) + 32)
5632                 *   = 2^((bit count of n)/4 + 32)
5633                 */
5634                err = mp_sub(p, q, tmp1);
5635                if (err == MP_OKAY && mp_count_bits(tmp1) <= (size / 4) + 32) {
5636                    isPrime = 0;
5637                }
5638            }
5639#endif
5640
5641#ifdef HAVE_FIPS
5642            i++;
5643#else
5644            /* Keep the old retry behavior in non-FIPS build. */
5645            (void)i;
5646#endif
5647        } while (err == MP_OKAY && !isPrime && i < failCount);
5648    }
5649
5650    if (err == MP_OKAY && !isPrime)
5651        err = PRIME_GEN_E;
5652
5653#ifndef WOLFSSL_NO_MALLOC
5654    if (buf) {
5655        ForceZero(buf, primeSz);
5656        XFREE(buf, key->heap, DYNAMIC_TYPE_RSA);
5657    }
5658#else
5659    ForceZero(buf, primeSz);
5660#endif
5661
5662    if (err == MP_OKAY && mp_cmp(p, q) < 0) {
5663        err = mp_copy(p, tmp1);
5664        if (err == MP_OKAY)
5665            err = mp_copy(q, p);
5666        if (err == MP_OKAY)
5667            mp_copy(tmp1, q);
5668    }
5669
5670    /* Setup RsaKey buffers */
5671    if (err == MP_OKAY)
5672        err = mp_init_multi(&key->n, &key->e, &key->d, &key->p, &key->q, NULL);
5673    if (err == MP_OKAY)
5674        err = mp_init_multi(&key->dP, &key->dQ, &key->u, NULL, NULL, NULL);
5675
5676    /* Software Key Calculation */
5677    if (err == MP_OKAY)                /* tmp1 = p-1 */
5678        err = mp_sub_d(p, 1, tmp1);
5679    if (err == MP_OKAY)                /* tmp2 = q-1 */
5680        err = mp_sub_d(q, 1, tmp2);
5681#ifdef WC_RSA_BLINDING
5682    if (err == MP_OKAY)                /* tmp3 = order of n */
5683        err = mp_mul(tmp1, tmp2, tmp3);
5684#else
5685    if (err == MP_OKAY)                /* tmp3 = lcm(p-1, q-1), last loop */
5686        err = mp_lcm(tmp1, tmp2, tmp3);
5687#endif
5688    /* make key */
5689    if (err == MP_OKAY)                /* key->e = e */
5690        err = mp_set_int(&key->e, (unsigned long)e);
5691#ifdef WC_RSA_BLINDING
5692    /* Blind the inverse operation with a value that is invertable */
5693    if (err == MP_OKAY) {
5694        do {
5695            err = mp_rand(&key->p, mp_get_digit_count(tmp3), rng);
5696            if (err == MP_OKAY)
5697                err = mp_set_bit(&key->p, 0);
5698            if (err == MP_OKAY)
5699                err = mp_set_bit(&key->p, size - 1);
5700            if (err == MP_OKAY)
5701                err = mp_gcd(&key->p, tmp3, &key->q);
5702        }
5703        while ((err == MP_OKAY) && !mp_isone(&key->q));
5704    }
5705    /* 8/16-bit word size requires a full multiply when e=0x10001 */
5706    if (err == MP_OKAY)
5707        err = mp_mul(&key->p, &key->e, &key->e);
5708#endif
5709    if (err == MP_OKAY)                /* key->d = 1/e mod lcm(p-1, q-1) */
5710        err = mp_invmod(&key->e, tmp3, &key->d);
5711#ifdef WC_RSA_BLINDING
5712    /* Take off blinding from d and reset e */
5713    if (err == MP_OKAY)
5714        err = mp_mulmod(&key->d, &key->p, tmp3, &key->d);
5715    if (err == MP_OKAY)
5716        err = mp_set_int(&key->e, (unsigned long)e);
5717#endif
5718    if (err == MP_OKAY)                /* key->n = pq */
5719        err = mp_mul(p, q, &key->n);
5720    if (err == MP_OKAY)                /* key->dP = d mod(p-1) */
5721        err = mp_mod(&key->d, tmp1, &key->dP);
5722    if (err == MP_OKAY)                /* key->dQ = d mod(q-1) */
5723        err = mp_mod(&key->d, tmp2, &key->dQ);
5724#ifdef WOLFSSL_MP_INVMOD_CONSTANT_TIME
5725    if (err == MP_OKAY)                /* key->u = 1/q mod p */
5726        err = mp_invmod(q, p, &key->u);
5727#else
5728    if (err == MP_OKAY)
5729        err = mp_sub_d(p, 2, tmp3);
5730    if (err == MP_OKAY)                /* key->u = 1/q mod p = q^p-2 mod p */
5731        err = mp_exptmod(q, tmp3, p, &key->u);
5732#endif
5733    if (err == MP_OKAY)
5734        err = mp_copy(p, &key->p);
5735    if (err == MP_OKAY)
5736        err = mp_copy(q, &key->q);
5737
5738#ifdef HAVE_WOLF_BIGINT
5739    /* make sure raw unsigned bin version is available */
5740    if (err == MP_OKAY)
5741         err = wc_mp_to_bigint(&key->n, &key->n.raw);
5742    if (err == MP_OKAY)
5743         err = wc_mp_to_bigint(&key->e, &key->e.raw);
5744    if (err == MP_OKAY)
5745         err = wc_mp_to_bigint(&key->d, &key->d.raw);
5746    if (err == MP_OKAY)
5747         err = wc_mp_to_bigint(&key->p, &key->p.raw);
5748    if (err == MP_OKAY)
5749         err = wc_mp_to_bigint(&key->q, &key->q.raw);
5750    if (err == MP_OKAY)
5751         err = wc_mp_to_bigint(&key->dP, &key->dP.raw);
5752    if (err == MP_OKAY)
5753         err = wc_mp_to_bigint(&key->dQ, &key->dQ.raw);
5754    if (err == MP_OKAY)
5755         err = wc_mp_to_bigint(&key->u, &key->u.raw);
5756#endif
5757
5758    if (err == MP_OKAY)
5759        key->type = RSA_PRIVATE;
5760
5761#ifdef WOLFSSL_CHECK_MEM_ZERO
5762    if (err == MP_OKAY) {
5763        mp_memzero_add("Make RSA key d", &key->d);
5764        mp_memzero_add("Make RSA key p", &key->p);
5765        mp_memzero_add("Make RSA key q", &key->q);
5766        mp_memzero_add("Make RSA key dP", &key->dP);
5767        mp_memzero_add("Make RSA key dQ", &key->dQ);
5768        mp_memzero_add("Make RSA key u", &key->u);
5769    }
5770#endif
5771
5772    if (err != WC_NO_ERR_TRACE(WC_ACCEL_INHIBIT_E))
5773        RESTORE_VECTOR_REGISTERS();
5774
5775    /* Last value p - 1. */
5776    mp_forcezero(tmp1);
5777    /* Last value q - 1. */
5778    mp_forcezero(tmp2);
5779    /* Last value p - 2. */
5780    mp_forcezero(tmp3);
5781    mp_forcezero(p);
5782    mp_forcezero(q);
5783
5784#ifdef WOLFSSL_RSA_KEY_CHECK
5785    /* Perform the pair-wise consistency test on the new key. */
5786    if (err == 0)
5787        err = _ifc_pairwise_consistency_test(key, rng);
5788#endif
5789
5790    if (err != 0) {
5791        wc_FreeRsaKey(key);
5792        goto out;
5793    }
5794
5795#if defined(WOLFSSL_XILINX_CRYPT) || defined(WOLFSSL_CRYPTOCELL)
5796    if (wc_InitRsaHw(key) != 0) {
5797        return BAD_STATE_E;
5798    }
5799#endif
5800
5801    err = 0;
5802#endif /* WOLF_CRYPTO_CB_ONLY_RSA */
5803#endif /* WOLFSSL_CRYPTOCELL / SW only */
5804  out:
5805
5806#if !defined(WOLFSSL_CRYPTOCELL) && !defined(WOLFSSL_SE050)
5807#ifdef WOLFSSL_SMALL_STACK
5808    if (key != NULL) {
5809        XFREE(p, key->heap, DYNAMIC_TYPE_RSA);
5810        XFREE(q, key->heap, DYNAMIC_TYPE_RSA);
5811        XFREE(tmp1, key->heap, DYNAMIC_TYPE_RSA);
5812        XFREE(tmp2, key->heap, DYNAMIC_TYPE_RSA);
5813        XFREE(tmp3, key->heap, DYNAMIC_TYPE_RSA);
5814    }
5815#elif defined(WOLFSSL_CHECK_MEM_ZERO)
5816    mp_memzero_check(p);
5817    mp_memzero_check(q);
5818    mp_memzero_check(tmp1);
5819    mp_memzero_check(tmp2);
5820    mp_memzero_check(tmp3);
5821#endif /* WOLFSSL_SMALL_STACK */
5822#endif /* !WOLFSSL_CRYPTOCELL && !WOLFSSL_SE050 */
5823
5824    return err;
5825
5826#else
5827    return NOT_COMPILED_IN;
5828#endif
5829}
5830#endif /* !FIPS || FIPS_VER >= 2 */
5831#endif /* WOLFSSL_KEY_GEN */
5832
5833#ifndef WC_NO_RNG
5834int wc_RsaSetRNG(RsaKey* key, WC_RNG* rng)
5835{
5836    if (key == NULL || rng == NULL)
5837        return BAD_FUNC_ARG;
5838
5839    key->rng = rng;
5840
5841    return 0;
5842}
5843#endif /* !WC_NO_RNG */
5844
5845#ifdef WC_RSA_NONBLOCK
5846int wc_RsaSetNonBlock(RsaKey* key, RsaNb* nb)
5847{
5848    if (key == NULL)
5849        return BAD_FUNC_ARG;
5850
5851    if (nb) {
5852        XMEMSET(nb, 0, sizeof(RsaNb));
5853    }
5854
5855    /* Allow nb == NULL to clear non-block mode */
5856    key->nb = nb;
5857
5858    return 0;
5859}
5860#if defined(WC_RSA_NONBLOCK_TIME) && defined(USE_FAST_MATH)
5861int wc_RsaSetNonBlockTime(RsaKey* key, word32 maxBlockUs, word32 cpuMHz)
5862{
5863    if (key == NULL || key->nb == NULL) {
5864        return BAD_FUNC_ARG;
5865    }
5866
5867    /* calculate maximum number of instructions to block */
5868    key->nb->exptmod.maxBlockInst = cpuMHz * maxBlockUs;
5869
5870    return 0;
5871}
5872#endif /* WC_RSA_NONBLOCK_TIME && USE_FAST_MATH */
5873#endif /* WC_RSA_NONBLOCK */
5874
5875#ifndef WOLFSSL_RSA_PUBLIC_ONLY
5876
5877#if defined(WOLFSSL_KEY_GEN) || defined(OPENSSL_EXTRA) || !defined(RSA_LOW_MEM)
5878/*
5879 * Calculate  y = d mod(x-1)
5880 */
5881static int CalcDX(mp_int* y, mp_int* x, mp_int* d)
5882{
5883    int err;
5884#ifndef WOLFSSL_SMALL_STACK
5885    mp_int  m[1];
5886#else
5887    mp_int* m = (mp_int*)XMALLOC(sizeof(mp_int), NULL, DYNAMIC_TYPE_WOLF_BIGINT);
5888    if (m == NULL)
5889        return MEMORY_E;
5890#endif
5891
5892    err = mp_init(m);
5893    if (err == MP_OKAY) {
5894        err = mp_sub_d(x, 1, m);
5895        if (err == MP_OKAY)
5896            err = mp_mod(d, m, y);
5897        mp_forcezero(m);
5898    }
5899
5900    WC_FREE_VAR_EX(m, NULL, DYNAMIC_TYPE_WOLF_BIGINT);
5901
5902    return err;
5903}
5904#endif
5905
5906/* Software-only import of RSA private key elements into RsaKey.
5907 * This internal helper avoids recursion when called from the SETKEY path. */
5908static int _RsaPrivateKeyDecodeRaw(const byte* n, word32 nSz,
5909        const byte* e, word32 eSz, const byte* d, word32 dSz,
5910        const byte* u, word32 uSz, const byte* p, word32 pSz,
5911        const byte* q, word32 qSz, const byte* dP, word32 dPSz,
5912        const byte* dQ, word32 dQSz, RsaKey* key)
5913{
5914    int err = MP_OKAY;
5915
5916    if (n == NULL || nSz == 0 || e == NULL || eSz == 0
5917            || d == NULL || dSz == 0 || p == NULL || pSz == 0
5918            || q == NULL || qSz == 0 || key == NULL) {
5919        return BAD_FUNC_ARG;
5920    }
5921
5922#if defined(WOLFSSL_KEY_GEN) || defined(OPENSSL_EXTRA) || !defined(RSA_LOW_MEM)
5923    if ((u == NULL || uSz == 0)
5924            || (dP != NULL && dPSz == 0)
5925            || (dQ != NULL && dQSz == 0)) {
5926        return BAD_FUNC_ARG;
5927    }
5928#else
5929    (void)u;
5930    (void)uSz;
5931    (void)dP;
5932    (void)dPSz;
5933    (void)dQ;
5934    (void)dQSz;
5935#endif
5936
5937    if (err == MP_OKAY) {
5938        err = mp_read_unsigned_bin(&key->n, n, nSz);
5939    }
5940    if (err == MP_OKAY) {
5941        err = mp_read_unsigned_bin(&key->e, e, eSz);
5942    }
5943    if (err == MP_OKAY) {
5944        err = mp_read_unsigned_bin(&key->d, d, dSz);
5945    }
5946    if (err == MP_OKAY) {
5947        err = mp_read_unsigned_bin(&key->p, p, pSz);
5948    }
5949    if (err == MP_OKAY) {
5950        err = mp_read_unsigned_bin(&key->q, q, qSz);
5951    }
5952#if defined(WOLFSSL_KEY_GEN) || defined(OPENSSL_EXTRA) || !defined(RSA_LOW_MEM)
5953    if (err == MP_OKAY) {
5954        err = mp_read_unsigned_bin(&key->u, u, uSz);
5955    }
5956    if (err == MP_OKAY) {
5957        if (dP != NULL) {
5958            err = mp_read_unsigned_bin(&key->dP, dP, dPSz);
5959        }
5960        else {
5961            err = CalcDX(&key->dP, &key->p, &key->d);
5962        }
5963    }
5964    if (err == MP_OKAY) {
5965        if (dQ != NULL) {
5966            err = mp_read_unsigned_bin(&key->dQ, dQ, dQSz);
5967        }
5968        else {
5969            err = CalcDX(&key->dQ, &key->q, &key->d);
5970        }
5971    }
5972#endif
5973
5974    if (err == MP_OKAY) {
5975        key->type = RSA_PRIVATE;
5976    }
5977    else {
5978        mp_clear(&key->n);
5979        mp_clear(&key->e);
5980        mp_forcezero(&key->d);
5981        mp_forcezero(&key->p);
5982        mp_forcezero(&key->q);
5983#if defined(WOLFSSL_KEY_GEN) || defined(OPENSSL_EXTRA) || !defined(RSA_LOW_MEM)
5984        mp_forcezero(&key->u);
5985        mp_forcezero(&key->dP);
5986        mp_forcezero(&key->dQ);
5987#endif
5988    }
5989
5990    return err;
5991}
5992
5993int wc_RsaPrivateKeyDecodeRaw(const byte* n, word32 nSz,
5994        const byte* e, word32 eSz, const byte* d, word32 dSz,
5995        const byte* u, word32 uSz, const byte* p, word32 pSz,
5996        const byte* q, word32 qSz, const byte* dP, word32 dPSz,
5997        const byte* dQ, word32 dQSz, RsaKey* key)
5998{
5999    int err = MP_OKAY;
6000#if defined(WOLF_CRYPTO_CB) && defined(WOLF_CRYPTO_CB_SETKEY)
6001    int cbRet = WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE);
6002    WC_DECLARE_VAR(tmpKey, RsaKey, 1, NULL);
6003#endif
6004
6005    if (n == NULL || nSz == 0 || e == NULL || eSz == 0
6006            || d == NULL || dSz == 0 || p == NULL || pSz == 0
6007            || q == NULL || qSz == 0 || key == NULL) {
6008        err = BAD_FUNC_ARG;
6009    }
6010
6011#if defined(WOLFSSL_KEY_GEN) || defined(OPENSSL_EXTRA) || !defined(RSA_LOW_MEM)
6012    if (err == MP_OKAY) {
6013        if ((u == NULL || uSz == 0)
6014                || (dP != NULL && dPSz == 0)
6015                || (dQ != NULL && dQSz == 0)) {
6016            err = BAD_FUNC_ARG;
6017        }
6018    }
6019#else
6020    (void)u;
6021    (void)uSz;
6022    (void)dP;
6023    (void)dPSz;
6024    (void)dQ;
6025    (void)dQSz;
6026#endif
6027
6028#if defined(WOLF_CRYPTO_CB) && defined(WOLF_CRYPTO_CB_SETKEY)
6029    #ifndef WOLF_CRYPTO_CB_FIND
6030    if (err == MP_OKAY && key->devId != INVALID_DEVID)
6031    #else
6032    if (err == MP_OKAY)
6033    #endif
6034    {
6035        /* Allocate temp key for callback to export from */
6036        WC_ALLOC_VAR(tmpKey, RsaKey, 1, key->heap);
6037        if (!WC_VAR_OK(tmpKey)) {
6038            return MEMORY_E;
6039        }
6040        XMEMSET(tmpKey, 0, sizeof(RsaKey));
6041
6042        /* Init temp with INVALID_DEVID to prevent callback recursion */
6043        err = wc_InitRsaKey_ex(tmpKey, key->heap, INVALID_DEVID);
6044        if (err != MP_OKAY) {
6045            WC_FREE_VAR(tmpKey, key->heap);
6046            return err;
6047        }
6048
6049        /* Import into temp via software helper (no callback recursion) */
6050        err = _RsaPrivateKeyDecodeRaw(n, nSz, e, eSz, d, dSz,
6051            u, uSz, p, pSz, q, qSz, dP, dPSz, dQ, dQSz, tmpKey);
6052        if (err == MP_OKAY) {
6053            cbRet = wc_CryptoCb_SetKey(key->devId,
6054                WC_SETKEY_RSA_PRIV, key, tmpKey,
6055                wc_RsaEncryptSize(tmpKey), NULL, 0, 0);
6056        }
6057
6058        /* wc_FreeRsaKey calls mp_forcezero on all private key components,
6059         * so no separate ForceZero of the struct is needed here. */
6060        wc_FreeRsaKey(tmpKey);
6061        WC_FREE_VAR(tmpKey, key->heap);
6062
6063        if (err != MP_OKAY) {
6064            return err;
6065        }
6066        if (cbRet != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE)) {
6067            return cbRet;
6068        }
6069        /* CRYPTOCB_UNAVAILABLE: fall through to software import */
6070        err = MP_OKAY;
6071    }
6072#endif /* WOLF_CRYPTO_CB && WOLF_CRYPTO_CB_SETKEY */
6073
6074    if (err == MP_OKAY) {
6075        err = _RsaPrivateKeyDecodeRaw(n, nSz, e, eSz, d, dSz,
6076            u, uSz, p, pSz, q, qSz, dP, dPSz, dQ, dQSz, key);
6077    }
6078
6079    return err;
6080}
6081#endif /* WOLFSSL_RSA_PUBLIC_ONLY */
6082
6083#endif /* NO_RSA */