Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / tpm2 / 86c5281198fdc7e66c5113142a5c224cc643842e / . / CpriRSA.c
blob: 2bcb1ee467a32ade2b8a5e1d6e1d4017d1be380c [file] [log] [blame]
Vadim Bendebury56797522015-05-20 10:32:25 -0700[diff] [blame]1// This file was extracted from the TCG Published
2// Trusted Platform Module Library
3// Part 4: Supporting Routines
4// Family "2.0"
5// Level 00 Revision 01.16
6// October 30, 2014
7
Vadim Bendebury42c3ea12015-05-29 22:46:51 -0700[diff] [blame]8#include <string.h>
9
Vadim Bendebury56797522015-05-20 10:32:25 -0700[diff] [blame]10#include "OsslCryptoEngine.h"
11#ifdef TPM_ALG_RSA
12//
13//
14// Local Functions
15//
16// RsaPrivateExponent()
17//
18// This function computes the private exponent de = 1 mod (p-1)*(q-1) The inputs are the public modulus
19// and one of the primes.
20// The results are returned in the key->private structure. The size of that structure is expanded to hold the
21// private exponent. If the computed value is smaller than the public modulus, the private exponent is de-
22// normalized.
23//
24// Return Value Meaning
25//
26// CRYPT_SUCCESS private exponent computed
27// CRYPT_PARAMETER prime is not half the size of the modulus, or the modulus is not evenly
28// divisible by the prime, or no private exponent could be computed
29// from the input parameters
30//
Vadim Bendebury42c3ea12015-05-29 22:46:51 -0700[diff] [blame]31CRYPT_RESULT
Vadim Bendebury56797522015-05-20 10:32:25 -0700[diff] [blame]32RsaPrivateExponent(
33 RSA_KEY *key // IN: the key to augment with the private
34 // exponent
35 )
36{
37 BN_CTX *context;
38 BIGNUM *bnD;
39 BIGNUM *bnN;
40 BIGNUM *bnP;
41 BIGNUM *bnE;
42 BIGNUM *bnPhi;
43 BIGNUM *bnQ;
44 BIGNUM *bnQr;
45 UINT32 fill;
46 CRYPT_RESULT retVal = CRYPT_SUCCESS; // Assume success
47 pAssert(key != NULL && key->privateKey != NULL && key->publicKey != NULL);
48 context = BN_CTX_new();
49 if(context == NULL)
50 FAIL(FATAL_ERROR_ALLOCATION);
51 BN_CTX_start(context);
52 bnE = BN_CTX_get(context);
53 bnD = BN_CTX_get(context);
54 bnN = BN_CTX_get(context);
55 bnP = BN_CTX_get(context);
56 bnPhi = BN_CTX_get(context);
57 bnQ = BN_CTX_get(context);
58 bnQr = BN_CTX_get(context);
59 if(bnQr == NULL)
60 FAIL(FATAL_ERROR_ALLOCATION);
61 // Assume the size of the public key value is within range
62 pAssert(key->publicKey->size <= MAX_RSA_KEY_BYTES);
63 if( BN_bin2bn(key->publicKey->buffer, key->publicKey->size, bnN) == NULL
64 || BN_bin2bn(key->privateKey->buffer, key->privateKey->size, bnP) == NULL)
65 FAIL(FATAL_ERROR_INTERNAL);
66 // If P size is not 1/2 of n size, then this is not a valid value for this
67 // implementation. This will also catch the case were P is input as zero.
68 // This generates a return rather than an assert because the key being loaded
69 // might be SW generated and wrong.
70 if(BN_num_bits(bnP) < BN_num_bits(bnN)/2)
71 {
72 retVal = CRYPT_PARAMETER;
73 goto Cleanup;
74 }
75 // Get q = n/p;
76 if (BN_div(bnQ, bnQr, bnN, bnP, context) != 1)
77 FAIL(FATAL_ERROR_INTERNAL);
78 // If there is a remainder, then this is not a valid n
79 if(BN_num_bytes(bnQr) != 0 || BN_num_bits(bnQ) != BN_num_bits(bnP))
80 {
81 retVal = CRYPT_PARAMETER; // problem may be recoverable
82 goto Cleanup;
83 }
84 // Get compute Phi = (p - 1)(q - 1) = pq - p - q + 1 = n - p - q + 1
85 if( BN_copy(bnPhi, bnN) == NULL
86 || !BN_sub(bnPhi, bnPhi, bnP)
87 || !BN_sub(bnPhi, bnPhi, bnQ)
88 || !BN_add_word(bnPhi, 1))
89 FAIL(FATAL_ERROR_INTERNAL);
90 // Compute the multiplicative inverse
91 BN_set_word(bnE, key->exponent);
92 if(BN_mod_inverse(bnD, bnE, bnPhi, context) == NULL)
93 {
94 // Going to assume that the error is caused by a bad
95 // set of parameters. Specifically, an exponent that is
96 // not compatible with the primes. In an implementation that
97 // has better visibility to the error codes, this might be
98 // refined so that failures in the library would return
99 // a more informative value. Should not assume here that
100 // the error codes will remain unchanged.
101 retVal = CRYPT_PARAMETER;
102 goto Cleanup;
103 }
104 fill = key->publicKey->size - BN_num_bytes(bnD);
105 BN_bn2bin(bnD, &key->privateKey->buffer[fill]);
106 memset(key->privateKey->buffer, 0, fill);
107 // Change the size of the private key so that it is known to contain
108 // a private exponent rather than a prime.
109 key->privateKey->size = key->publicKey->size;
110Cleanup:
111 BN_CTX_end(context);
112 BN_CTX_free(context);
113 return retVal;
114}
115//
116//
117// _cpri__TestKeyRSA()
118//
119// This function computes the private exponent de = 1 mod (p-1)*(q-1) The inputs are the public modulus
120// and one of the primes or two primes.
121// If both primes are provided, the public modulus is computed. If only one prime is provided, the second
122// prime is computed. In either case, a private exponent is produced and placed in d.
123// If no modular inverse exists, then CRYPT_PARAMETER is returned.
124//
125// Return Value Meaning
126//
127// CRYPT_SUCCESS private exponent (d) was generated
128// CRYPT_PARAMETER one or more parameters are invalid
129//
130LIB_EXPORT CRYPT_RESULT
131_cpri__TestKeyRSA(
132 TPM2B *d, // OUT: the address to receive the private
133 // exponent
134 UINT32 exponent, // IN: the public modulu
135 TPM2B *publicKey, // IN/OUT: an input if only one prime is
136 // provided. an output if both primes are
137 // provided
138 TPM2B *prime1, // IN: a first prime
139 TPM2B *prime2 // IN: an optional second prime
140 )
141{
142 BN_CTX *context;
143 BIGNUM *bnD;
144 BIGNUM *bnN;
145 BIGNUM *bnP;
146 BIGNUM *bnE;
147 BIGNUM *bnPhi;
148 BIGNUM *bnQ;
149 BIGNUM *bnQr;
150 UINT32 fill;
151 CRYPT_RESULT retVal = CRYPT_SUCCESS; // Assume success
152 pAssert(publicKey != NULL && prime1 != NULL);
153 // Make sure that the sizes are within range
154 pAssert( prime1->size <= MAX_RSA_KEY_BYTES/2
155 && publicKey->size <= MAX_RSA_KEY_BYTES);
156 pAssert( prime2 == NULL || prime2->size < MAX_RSA_KEY_BYTES/2);
157 if(publicKey->size/2 != prime1->size)
158 return CRYPT_PARAMETER;
159 context = BN_CTX_new();
160 if(context == NULL)
161 FAIL(FATAL_ERROR_ALLOCATION);
162 BN_CTX_start(context);
163 bnE = BN_CTX_get(context); // public exponent (e)
164 bnD = BN_CTX_get(context); // private exponent (d)
165 bnN = BN_CTX_get(context); // public modulus (n)
166 bnP = BN_CTX_get(context); // prime1 (p)
167 bnPhi = BN_CTX_get(context); // (p-1)(q-1)
168 bnQ = BN_CTX_get(context); // prime2 (q)
169 bnQr = BN_CTX_get(context); // n mod p
170 if(bnQr == NULL)
171 FAIL(FATAL_ERROR_ALLOCATION);
172 if(BN_bin2bn(prime1->buffer, prime1->size, bnP) == NULL)
173 FAIL(FATAL_ERROR_INTERNAL);
174 // If prime2 is provided, then compute n
175 if(prime2 != NULL)
176 {
177 // Two primes provided so use them to compute n
178 if(BN_bin2bn(prime2->buffer, prime2->size, bnQ) == NULL)
179 FAIL(FATAL_ERROR_INTERNAL);
180 // Make sure that the sizes of the primes are compatible
181 if(BN_num_bits(bnQ) != BN_num_bits(bnP))
182 {
183 retVal = CRYPT_PARAMETER;
184 goto Cleanup;
185 }
186 // Multiply the primes to get the public modulus
187 if(BN_mul(bnN, bnP, bnQ, context) != 1)
188 FAIL(FATAL_ERROR_INTERNAL);
189 // if the space provided for the public modulus is large enough,
190 // save the created value
191 if(BN_num_bits(bnN) != (publicKey->size * 8))
192 {
193 retVal = CRYPT_PARAMETER;
194 goto Cleanup;
195 }
196 BN_bn2bin(bnN, publicKey->buffer);
197 }
198 else
199 {
200 // One prime provided so find the second prime by division
201 BN_bin2bn(publicKey->buffer, publicKey->size, bnN);
202 // Get q = n/p;
203 if(BN_div(bnQ, bnQr, bnN, bnP, context) != 1)
204 FAIL(FATAL_ERROR_INTERNAL);
205 // If there is a remainder, then this is not a valid n
206 if(BN_num_bytes(bnQr) != 0 || BN_num_bits(bnQ) != BN_num_bits(bnP))
207 {
208 retVal = CRYPT_PARAMETER; // problem may be recoverable
209 goto Cleanup;
210 }
211 }
212 // Get compute Phi = (p - 1)(q - 1) = pq - p - q + 1 = n - p - q + 1
213 BN_copy(bnPhi, bnN);
214 BN_sub(bnPhi, bnPhi, bnP);
215 BN_sub(bnPhi, bnPhi, bnQ);
216 BN_add_word(bnPhi, 1);
217 // Compute the multiplicative inverse
218 BN_set_word(bnE, exponent);
219 if(BN_mod_inverse(bnD, bnE, bnPhi, context) == NULL)
220 {
221 // Going to assume that the error is caused by a bad set of parameters.
222 // Specifically, an exponent that is not compatible with the primes.
223 // In an implementation that has better visibility to the error codes,
224 // this might be refined so that failures in the library would return
225 // a more informative value.
226 // Do not assume that the error codes will remain unchanged.
227 retVal = CRYPT_PARAMETER;
228 goto Cleanup;
229 }
230 // Return the private exponent.
231 // Make sure it is normalized to have the correct size.
232 d->size = publicKey->size;
233 fill = d->size - BN_num_bytes(bnD);
234 BN_bn2bin(bnD, &d->buffer[fill]);
235 memset(d->buffer, 0, fill);
236Cleanup:
237 BN_CTX_end(context);
238 BN_CTX_free(context);
239 return retVal;
240}
241//
242//
243// RSAEP()
244//
245// This function performs the RSAEP operation defined in PKCS#1v2.1. It is an exponentiation of a value
246// (m) with the public exponent (e), modulo the public (n).
247//
248// Return Value Meaning
249//
250// CRYPT_SUCCESS encryption complete
251// CRYPT_PARAMETER number to exponentiate is larger than the modulus
252//
253static CRYPT_RESULT
254RSAEP (
255 UINT32 dInOutSize, // OUT size of the encrypted block
256 BYTE *dInOut, // OUT: the encrypted data
257 RSA_KEY *key // IN: the key to use
258 )
259{
260 UINT32 e;
261 BYTE exponent[4];
262 CRYPT_RESULT retVal;
263 e = key->exponent;
264 if(e == 0)
265 e = RSA_DEFAULT_PUBLIC_EXPONENT;
266 UINT32_TO_BYTE_ARRAY(e, exponent);
267 //!!! Can put check for test of RSA here
268 retVal = _math__ModExp(dInOutSize, dInOut, dInOutSize, dInOut, 4, exponent,
269 key->publicKey->size, key->publicKey->buffer);
270 // Exponentiation result is stored in-place, thus no space shortage is possible.
271 pAssert(retVal != CRYPT_UNDERFLOW);
272 return retVal;
273}
274//
275//
276// RSADP()
277//
278// This function performs the RSADP operation defined in PKCS#1v2.1. It is an exponentiation of a value (c)
279// with the private exponent (d), modulo the public modulus (n). The decryption is in place.
280//
281// This function also checks the size of the private key. If the size indicates that only a prime value is
282// present, the key is converted to being a private exponent.
283//
284// Return Value Meaning
285//
286// CRYPT_SUCCESS decryption succeeded
287// CRYPT_PARAMETER the value to decrypt is larger than the modulus
288//
289static CRYPT_RESULT
290RSADP (
291 UINT32 dInOutSize, // IN/OUT: size of decrypted data
292 BYTE *dInOut, // IN/OUT: the decrypted data
293 RSA_KEY *key // IN: the key
294 )
295{
296 CRYPT_RESULT retVal;
297 //!!! Can put check for RSA tested here
298 // Make sure that the pointers are provided and that the private key is present
299 // If the private key is present it is assumed to have been created by
300 // so is presumed good _cpri__PrivateExponent
301 pAssert(key != NULL && dInOut != NULL &&
302 key->publicKey->size == key->publicKey->size);
303 // make sure that the value to be decrypted is smaller than the modulus
304 // note: this check is redundant as is also performed by _math__ModExp()
305 // which is optimized for use in RSA operations
306 if(_math__uComp(key->publicKey->size, key->publicKey->buffer,
307 dInOutSize, dInOut) <= 0)
308 return CRYPT_PARAMETER;
309 // _math__ModExp can return CRYPT_PARAMTER or CRYPT_UNDERFLOW but actual
310 // underflow is not possible because everything is in the same buffer.
311 retVal = _math__ModExp(dInOutSize, dInOut, dInOutSize, dInOut,
312 key->privateKey->size, key->privateKey->buffer,
313 key->publicKey->size, key->publicKey->buffer);
314 // Exponentiation result is stored in-place, thus no space shortage is possible.
315 pAssert(retVal != CRYPT_UNDERFLOW);
316 return retVal;
317}
318//
319//
320// OaepEncode()
321//
322// This function performs OAEP padding. The size of the buffer to receive the OAEP padded data must
323// equal the size of the modulus
324//
325// Return Value Meaning
326//
327// CRYPT_SUCCESS encode successful
328// CRYPT_PARAMETER hashAlg is not valid
329// CRYPT_FAIL message size is too large
330//
331static CRYPT_RESULT
332OaepEncode(
333 UINT32 paddedSize, // IN: pad value size
334 BYTE *padded, // OUT: the pad data
335 TPM_ALG_ID hashAlg, // IN: algorithm to use for padding
336 const char *label, // IN: null-terminated string (may be NULL)
337 UINT32 messageSize, // IN: the message size
338 BYTE *message // IN: the message being padded
339#ifdef TEST_RSA //
340 , BYTE *testSeed // IN: optional seed used for testing.
341#endif // TEST_RSA //
342)
343{
344 UINT32 padLen;
345 UINT32 dbSize;
346 UINT32 i;
347 BYTE mySeed[MAX_DIGEST_SIZE];
348 BYTE *seed = mySeed;
349 INT32 hLen = _cpri__GetDigestSize(hashAlg);
350 BYTE mask[MAX_RSA_KEY_BYTES];
351 BYTE *pp;
352 BYTE *pm;
353 UINT32 lSize = 0;
354 CRYPT_RESULT retVal = CRYPT_SUCCESS;
355 pAssert(padded != NULL && message != NULL);
356 // A value of zero is not allowed because the KDF can't produce a result
357 // if the digest size is zero.
358 if(hLen <= 0)
359 return CRYPT_PARAMETER;
360 // If a label is provided, get the length of the string, including the
361 // terminator
362 if(label != NULL)
363 lSize = (UINT32)strlen(label) + 1;
364 // Basic size check
365 // messageSize <= k 2hLen 2
366 if(messageSize > paddedSize - 2 * hLen - 2)
367 return CRYPT_FAIL;
368 // Hash L even if it is null
369 // Offset into padded leaving room for masked seed and byte of zero
370 pp = &padded[hLen + 1];
371 retVal = _cpri__HashBlock(hashAlg, lSize, (BYTE *)label, hLen, pp);
372 // concatenate PS of k mLen 2hLen 2
373 padLen = paddedSize - messageSize - (2 * hLen) - 2;
374 memset(&pp[hLen], 0, padLen);
375 pp[hLen+padLen] = 0x01;
376 padLen += 1;
377 memcpy(&pp[hLen+padLen], message, messageSize);
378 // The total size of db = hLen + pad + mSize;
379 dbSize = hLen+padLen+messageSize;
380 // If testing, then use the provided seed. Otherwise, use values
381 // from the RNG
382#ifdef TEST_RSA
383 if(testSeed != NULL)
384 seed = testSeed;
385 else
386#endif // TEST_RSA
387 _cpri__GenerateRandom(hLen, mySeed);
388 // mask = MGF1 (seed, nSize hLen 1)
389 if((retVal = _cpri__MGF1(dbSize, mask, hashAlg, hLen, seed)) < 0)
390 return retVal; // Don't expect an error because hash size is not zero
391 // was detected in the call to _cpri__HashBlock() above.
392 // Create the masked db
393 pm = mask;
394 for(i = dbSize; i > 0; i--)
395 *pp++ ^= *pm++;
396 pp = &padded[hLen + 1];
397 // Run the masked data through MGF1
398 if((retVal = _cpri__MGF1(hLen, &padded[1], hashAlg, dbSize, pp)) < 0)
399 return retVal; // Don't expect zero here as the only case for zero
400 // was detected in the call to _cpri__HashBlock() above.
401 // Now XOR the seed to create masked seed
402 pp = &padded[1];
403 pm = seed;
404 for(i = hLen; i > 0; i--)
405 *pp++ ^= *pm++;
406 // Set the first byte to zero
407 *padded = 0x00;
408 return CRYPT_SUCCESS;
409}
410//
411//
412// OaepDecode()
413//
414// This function performs OAEP padding checking. The size of the buffer to receive the recovered data. If
415// the padding is not valid, the dSize size is set to zero and the function returns CRYPT_NO_RESULTS.
416// The dSize parameter is used as an input to indicate the size available in the buffer. If insufficient space is
417// available, the size is not changed and the return code is CRYPT_FAIL.
418//
419// Return Value Meaning
420//
421// CRYPT_SUCCESS decode complete
422// CRYPT_PARAMETER the value to decode was larger than the modulus
423// CRYPT_FAIL the padding is wrong or the buffer to receive the results is too small
424//
425static CRYPT_RESULT
426OaepDecode(
427 UINT32 *dataOutSize, // IN/OUT: the recovered data size
428 BYTE *dataOut, // OUT: the recovered data
429 TPM_ALG_ID hashAlg, // IN: algorithm to use for padding
430 const char *label, // IN: null-terminated string (may be NULL)
431 UINT32 paddedSize, // IN: the size of the padded data
432 BYTE *padded // IN: the padded data
433 )
434{
435 UINT32 dSizeSave;
436 UINT32 i;
437 BYTE seedMask[MAX_DIGEST_SIZE];
438 INT32 hLen = _cpri__GetDigestSize(hashAlg);
439 BYTE mask[MAX_RSA_KEY_BYTES];
440 BYTE *pp;
441 BYTE *pm;
442 UINT32 lSize = 0;
443 CRYPT_RESULT retVal = CRYPT_SUCCESS;
444 // Unknown hash
445 pAssert(hLen > 0 && dataOutSize != NULL && dataOut != NULL && padded != NULL);
446 // If there is a label, get its size including the terminating 0x00
447 if(label != NULL)
448 lSize = (UINT32)strlen(label) + 1;
449 // Set the return size to zero so that it doesn't have to be done on each
450 // failure
451 dSizeSave = *dataOutSize;
452 *dataOutSize = 0;
453 // Strange size (anything smaller can't be an OAEP padded block)
454 // Also check for no leading 0
455 if(paddedSize < (unsigned)((2 * hLen) + 2) || *padded != 0)
456 return CRYPT_FAIL;
457 // Use the hash size to determine what to put through MGF1 in order
458 // to recover the seedMask
459 if((retVal = _cpri__MGF1(hLen, seedMask, hashAlg,
460 paddedSize-hLen-1, &padded[hLen+1])) < 0)
461 return retVal;
462 // Recover the seed into seedMask
463 pp = &padded[1];
464 pm = seedMask;
465 for(i = hLen; i > 0; i--)
466 *pm++ ^= *pp++;
467 // Use the seed to generate the data mask
468 if((retVal = _cpri__MGF1(paddedSize-hLen-1, mask, hashAlg,
469 hLen, seedMask)) < 0)
470 return retVal;
471 // Use the mask generated from seed to recover the padded data
472 pp = &padded[hLen+1];
473 pm = mask;
474 for(i = paddedSize-hLen-1; i > 0; i--)
475 *pm++ ^= *pp++;
476 // Make sure that the recovered data has the hash of the label
477 // Put trial value in the seed mask
478 if((retVal=_cpri__HashBlock(hashAlg, lSize,(BYTE *)label, hLen, seedMask)) < 0)
479 return retVal;
480 if(memcmp(seedMask, mask, hLen) != 0)
481 return CRYPT_FAIL;
482 // find the start of the data
483 pm = &mask[hLen];
484 for(i = paddedSize-(2*hLen)-1; i > 0; i--)
485 {
486 if(*pm++ != 0)
487 break;
488 }
489 if(i == 0)
490 return CRYPT_PARAMETER;
491 // pm should be pointing at the first part of the data
492 // and i is one greater than the number of bytes to move
493 i--;
494 if(i > dSizeSave)
495 {
496 // Restore dSize
497 *dataOutSize = dSizeSave;
498 return CRYPT_FAIL;
499 }
500 memcpy(dataOut, pm, i);
501 *dataOutSize = i;
502 return CRYPT_SUCCESS;
503}
504//
505//
506// PKSC1v1_5Encode()
507//
508// This function performs the encoding for RSAES-PKCS1-V1_5-ENCRYPT as defined in PKCS#1V2.1
509//
510// Return Value Meaning
511//
512// CRYPT_SUCCESS data encoded
513// CRYPT_PARAMETER message size is too large
514//
515static CRYPT_RESULT
516RSAES_PKSC1v1_5Encode(
517 UINT32 paddedSize, // IN: pad value size
518 BYTE *padded, // OUT: the pad data
519 UINT32 messageSize, // IN: the message size
520 BYTE *message // IN: the message being padded
521 )
522{
523 UINT32 ps = paddedSize - messageSize - 3;
524 if(messageSize > paddedSize - 11)
525 return CRYPT_PARAMETER;
526 // move the message to the end of the buffer
527 memcpy(&padded[paddedSize - messageSize], message, messageSize);
528 // Set the first byte to 0x00 and the second to 0x02
529 *padded = 0;
530 padded[1] = 2;
531 // Fill with random bytes
532 _cpri__GenerateRandom(ps, &padded[2]);
533 // Set the delimiter for the random field to 0
534 padded[2+ps] = 0;
535 // Now, the only messy part. Make sure that all the ps bytes are non-zero
536 // In this implementation, use the value of the current index
537 for(ps++; ps > 1; ps--)
538 {
539 if(padded[ps] == 0)
540 padded[ps] = 0x55; // In the < 0.5% of the cases that the random
541 // value is 0, just pick a value to put into
542 // the spot.
543 }
544 return CRYPT_SUCCESS;
545}
546//
547//
548// RSAES_Decode()
549//
550// This function performs the decoding for RSAES-PKCS1-V1_5-ENCRYPT as defined in PKCS#1V2.1
551//
552// Return Value Meaning
553//
554// CRYPT_SUCCESS decode successful
555// CRYPT_FAIL decoding error or results would no fit into provided buffer
556//
557static CRYPT_RESULT
558RSAES_Decode(
559 UINT32 *messageSize, // IN/OUT: recovered message size
560 BYTE *message, // OUT: the recovered message
561 UINT32 codedSize, // IN: the encoded message size
562 BYTE *coded // IN: the encoded message
563 )
564{
565 BOOL fail = FALSE;
566 UINT32 ps;
567 fail = (codedSize < 11);
568 fail |= (coded[0] != 0x00) || (coded[1] != 0x02);
569 for(ps = 2; ps < codedSize; ps++)
570 {
571 if(coded[ps] == 0)
572 break;
573 }
574 ps++;
575 // Make sure that ps has not gone over the end and that there are at least 8
576 // bytes of pad data.
577 fail |= ((ps >= codedSize) || ((ps-2) < 8));
578 if((*messageSize < codedSize - ps) || fail)
579 return CRYPT_FAIL;
580 *messageSize = codedSize - ps;
581 memcpy(message, &coded[ps], codedSize - ps);
582 return CRYPT_SUCCESS;
583}
584//
585//
586// PssEncode()
587//
588// This function creates an encoded block of data that is the size of modulus. The function uses the
589// maximum salt size that will fit in the encoded block.
590//
591// Return Value Meaning
592//
593// CRYPT_SUCCESS encode successful
594// CRYPT_PARAMETER hashAlg is not a supported hash algorithm
595//
596static CRYPT_RESULT
597PssEncode (
598 UINT32 eOutSize, // IN: size of the encode data buffer
599 BYTE *eOut, // OUT: encoded data buffer
600 TPM_ALG_ID hashAlg, // IN: hash algorithm to use for the encoding
601 UINT32 hashInSize, // IN: size of digest to encode
602 BYTE *hashIn // IN: the digest
603#ifdef TEST_RSA //
604 , BYTE *saltIn // IN: optional parameter for testing
605#endif // TEST_RSA //
606)
607{
608 INT32 hLen = _cpri__GetDigestSize(hashAlg);
609 BYTE salt[MAX_RSA_KEY_BYTES - 1];
610 UINT16 saltSize;
611 BYTE *ps = salt;
612 CRYPT_RESULT retVal;
613 UINT16 mLen;
614 CPRI_HASH_STATE hashState;
615 // These are fatal errors indicating bad TPM firmware
616 pAssert(eOut != NULL && hLen > 0 && hashIn != NULL );
617 // Get the size of the mask
618 mLen = (UINT16)(eOutSize - hLen - 1);
619 // Maximum possible salt size is mask length - 1
620 saltSize = mLen - 1;
621 // Use the maximum salt size allowed by FIPS 186-4
622 if(saltSize > hLen)
623 saltSize = (UINT16)hLen;
624//using eOut for scratch space
625 // Set the first 8 bytes to zero
626 memset(eOut, 0, 8);
627 // Get set the salt
628#ifdef TEST_RSA
629 if(saltIn != NULL)
630 {
631 saltSize = hLen;
632 memcpy(salt, saltIn, hLen);
633 }
634 else
635#endif // TEST_RSA
636 _cpri__GenerateRandom(saltSize, salt);
637 // Create the hash of the pad || input hash || salt
638 _cpri__StartHash(hashAlg, FALSE, &hashState);
639 _cpri__UpdateHash(&hashState, 8, eOut);
640 _cpri__UpdateHash(&hashState, hashInSize, hashIn);
641 _cpri__UpdateHash(&hashState, saltSize, salt);
642 _cpri__CompleteHash(&hashState, hLen, &eOut[eOutSize - hLen - 1]);
643 // Create a mask
644 if((retVal = _cpri__MGF1(mLen, eOut, hashAlg, hLen, &eOut[mLen])) < 0)
645 {
646 // Currently _cpri__MGF1 is not expected to return a CRYPT_RESULT error.
647 pAssert(0);
648 }
649 // Since this implementation uses key sizes that are all even multiples of
650 // 8, just need to make sure that the most significant bit is CLEAR
651 eOut[0] &= 0x7f;
652 // Before we mess up the eOut value, set the last byte to 0xbc
653 eOut[eOutSize - 1] = 0xbc;
654 // XOR a byte of 0x01 at the position just before where the salt will be XOR'ed
655 eOut = &eOut[mLen - saltSize - 1];
656 *eOut++ ^= 0x01;
657 // XOR the salt data into the buffer
658 for(; saltSize > 0; saltSize--)
659 *eOut++ ^= *ps++;
660 // and we are done
661 return CRYPT_SUCCESS;
662}
663//
664//
665// PssDecode()
666//
667// This function checks that the PSS encoded block was built from the provided digest. If the check is
668// successful, CRYPT_SUCCESS is returned. Any other value indicates an error.
669// This implementation of PSS decoding is intended for the reference TPM implementation and is not at all
670// generalized. It is used to check signatures over hashes and assumptions are made about the sizes of
671// values. Those assumptions are enforce by this implementation. This implementation does allow for a
672// variable size salt value to have been used by the creator of the signature.
673//
674//
675//
676//
677// Return Value Meaning
678//
679// CRYPT_SUCCESS decode successful
680// CRYPT_SCHEME hashAlg is not a supported hash algorithm
681// CRYPT_FAIL decode operation failed
682//
683static CRYPT_RESULT
684PssDecode(
685 TPM_ALG_ID hashAlg, // IN: hash algorithm to use for the encoding
686 UINT32 dInSize, // IN: size of the digest to compare
687 BYTE *dIn, // In: the digest to compare
688 UINT32 eInSize, // IN: size of the encoded data
689 BYTE *eIn, // IN: the encoded data
690 UINT32 saltSize // IN: the expected size of the salt
691 )
692{
693 INT32 hLen = _cpri__GetDigestSize(hashAlg);
694 BYTE mask[MAX_RSA_KEY_BYTES];
695 BYTE *pm = mask;
696 BYTE pad[8] = {0};
697 UINT32 i;
698 UINT32 mLen;
699 BOOL fail = FALSE;
700 CRYPT_RESULT retVal;
701 CPRI_HASH_STATE hashState;
702 // These errors are indicative of failures due to programmer error
703 pAssert(dIn != NULL && eIn != NULL);
704 // check the hash scheme
705 if(hLen == 0)
706 return CRYPT_SCHEME;
707 // most significant bit must be zero
708 fail = ((eIn[0] & 0x80) != 0);
709 // last byte must be 0xbc
710 fail |= (eIn[eInSize - 1] != 0xbc);
711 // Use the hLen bytes at the end of the buffer to generate a mask
712 // Doesn't start at the end which is a flag byte
713 mLen = eInSize - hLen - 1;
714 if((retVal = _cpri__MGF1(mLen, mask, hashAlg, hLen, &eIn[mLen])) < 0)
715 return retVal;
716 if(retVal == 0)
717 return CRYPT_FAIL;
718 // Clear the MSO of the mask to make it consistent with the encoding.
719 mask[0] &= 0x7F;
720 // XOR the data into the mask to recover the salt. This sequence
721 // advances eIn so that it will end up pointing to the seed data
722 // which is the hash of the signature data
723 for(i = mLen; i > 0; i--)
724 *pm++ ^= *eIn++;
725 // Find the first byte of 0x01 after a string of all 0x00
726 for(pm = mask, i = mLen; i > 0; i--)
727 {
728 if(*pm == 0x01)
729 break;
730 else
731 fail |= (*pm++ != 0);
732 }
733 fail |= (i == 0);
734 // if we have failed, will continue using the entire mask as the salt value so
735 // that the timing attacks will not disclose anything (I don't think that this
736 // is a problem for TPM applications but, usually, we don't fail so this
737 // doesn't cost anything).
738 if(fail)
739 {
740 i = mLen;
741 pm = mask;
742 }
743 else
744 {
745 pm++;
746 i--;
747 }
748 // If the salt size was provided, then the recovered size must match
749 fail |= (saltSize != 0 && i != saltSize);
750 // i contains the salt size and pm points to the salt. Going to use the input
751 // hash and the seed to recreate the hash in the lower portion of eIn.
752 _cpri__StartHash(hashAlg, FALSE, &hashState);
753 // add the pad of 8 zeros
754 _cpri__UpdateHash(&hashState, 8, pad);
755 // add the provided digest value
756 _cpri__UpdateHash(&hashState, dInSize, dIn);
757 // and the salt
758 _cpri__UpdateHash(&hashState, i, pm);
759 // get the result
760 retVal = _cpri__CompleteHash(&hashState, MAX_DIGEST_SIZE, mask);
761 // retVal will be the size of the digest or zero. If not equal to the indicated
762 // digest size, then the signature doesn't match
763 fail |= (retVal != hLen);
764 fail |= (memcmp(mask, eIn, hLen) != 0);
765 if(fail)
766 return CRYPT_FAIL;
767 else
768 return CRYPT_SUCCESS;
769}
770//
771//
772// PKSC1v1_5SignEncode()
773//
774// Encode a message using PKCS1v1().5 method.
775//
776// Return Value Meaning
777//
778// CRYPT_SUCCESS encode complete
779// CRYPT_SCHEME hashAlg is not a supported hash algorithm
780// CRYPT_PARAMETER eOutSize is not large enough or hInSize does not match the digest
781// size of hashAlg
782//
783static CRYPT_RESULT
784RSASSA_Encode(
785 UINT32 eOutSize, // IN: the size of the resulting block
786 BYTE *eOut, // OUT: the encoded block
787 TPM_ALG_ID hashAlg, // IN: hash algorithm for PKSC1v1_5
788 UINT32 hInSize, // IN: size of hash to be signed
789 BYTE *hIn // IN: hash buffer
790 )
791{
Vadim Bendebury42c3ea12015-05-29 22:46:51 -0700[diff] [blame]792 const BYTE *der;
Vadim Bendebury56797522015-05-20 10:32:25 -0700[diff] [blame]793 INT32 derSize = _cpri__GetHashDER(hashAlg, &der);
794 INT32 fillSize;
795 pAssert(eOut != NULL && hIn != NULL);
796 // Can't use this scheme if the algorithm doesn't have a DER string defined.
797 if(derSize == 0 )
798 return CRYPT_SCHEME;
799 // If the digest size of 'hashAl' doesn't match the input digest size, then
800 // the DER will misidentify the digest so return an error
801 if((unsigned)_cpri__GetDigestSize(hashAlg) != hInSize)
802 return CRYPT_PARAMETER;
803 fillSize = eOutSize - derSize - hInSize - 3;
804 // Make sure that this combination will fit in the provided space
805 if(fillSize < 8)
806 return CRYPT_PARAMETER;
807 // Start filling
808 *eOut++ = 0; // initial byte of zero
809 *eOut++ = 1; // byte of 0x01
810 for(; fillSize > 0; fillSize--)
811 *eOut++ = 0xff; // bunch of 0xff
812 *eOut++ = 0; // another 0
813 for(; derSize > 0; derSize--)
814 *eOut++ = *der++; // copy the DER
815 for(; hInSize > 0; hInSize--)
816 *eOut++ = *hIn++; // copy the hash
817 return CRYPT_SUCCESS;
818}
819//
820//
821// RSASSA_Decode()
822//
823// This function performs the RSASSA decoding of a signature.
824//
825// Return Value Meaning
826//
827// CRYPT_SUCCESS decode successful
828// CRYPT_FAIL decode unsuccessful
829// CRYPT_SCHEME haslAlg is not supported
830//
831static CRYPT_RESULT
832RSASSA_Decode(
833 TPM_ALG_ID hashAlg, // IN: hash algorithm to use for the encoding
834 UINT32 hInSize, // IN: size of the digest to compare
835 BYTE *hIn, // In: the digest to compare
836 UINT32 eInSize, // IN: size of the encoded data
837 BYTE *eIn // IN: the encoded data
838 )
839{
840 BOOL fail = FALSE;
Vadim Bendebury42c3ea12015-05-29 22:46:51 -0700[diff] [blame]841 const BYTE *der;
Vadim Bendebury56797522015-05-20 10:32:25 -0700[diff] [blame]842 INT32 derSize = _cpri__GetHashDER(hashAlg, &der);
843 INT32 hashSize = _cpri__GetDigestSize(hashAlg);
844 INT32 fillSize;
845 pAssert(hIn != NULL && eIn != NULL);
846 // Can't use this scheme if the algorithm doesn't have a DER string
847 // defined or if the provided hash isn't the right size
848 if(derSize == 0 || (unsigned)hashSize != hInSize)
849 return CRYPT_SCHEME;
850 // Make sure that this combination will fit in the provided space
851 // Since no data movement takes place, can just walk though this
852 // and accept nearly random values. This can only be called from
853 // _cpri__ValidateSignature() so eInSize is known to be in range.
854 fillSize = eInSize - derSize - hashSize - 3;
855 // Start checking
856 fail |= (*eIn++ != 0); // initial byte of zero
857 fail |= (*eIn++ != 1); // byte of 0x01
858 for(; fillSize > 0; fillSize--)
859 fail |= (*eIn++ != 0xff); // bunch of 0xff
860 fail |= (*eIn++ != 0); // another 0
861 for(; derSize > 0; derSize--)
862 fail |= (*eIn++ != *der++); // match the DER
863 for(; hInSize > 0; hInSize--)
864 fail |= (*eIn++ != *hIn++); // match the hash
865 if(fail)
866 return CRYPT_FAIL;
867 return CRYPT_SUCCESS;
868}
869//
870//
871// Externally Accessible Functions
872//
873// _cpri__RsaStartup()
874//
875// Function that is called to initialize the hash service. In this implementation, this function does nothing but
876// it is called by the CryptUtilStartup() function and must be present.
877//
878LIB_EXPORT BOOL
879_cpri__RsaStartup(
880 void
881 )
882{
883 return TRUE;
884}
885//
886//
887// _cpri__EncryptRSA()
888//
889// This is the entry point for encryption using RSA. Encryption is use of the public exponent. The padding
890// parameter determines what padding will be used.
891// The cOutSize parameter must be at least as large as the size of the key.
892// If the padding is RSA_PAD_NONE, dIn is treaded as a number. It must be lower in value than the key
893// modulus.
894//
895//
896//
897// NOTE: If dIn has fewer bytes than cOut, then we don't add low-order zeros to dIn to make it the size of the RSA key for
898// the call to RSAEP. This is because the high order bytes of dIn might have a numeric value that is greater than
899// the value of the key modulus. If this had low-order zeros added, it would have a numeric value larger than the
900// modulus even though it started out with a lower numeric value.
901//
902//
903// Return Value Meaning
904//
905// CRYPT_SUCCESS encryption complete
906// CRYPT_PARAMETER cOutSize is too small (must be the size of the modulus)
907// CRYPT_SCHEME padType is not a supported scheme
908//
909LIB_EXPORT CRYPT_RESULT
910_cpri__EncryptRSA(
911 UINT32 *cOutSize, // OUT: the size of the encrypted data
912 BYTE *cOut, // OUT: the encrypted data
913 RSA_KEY *key, // IN: the key to use for encryption
914 TPM_ALG_ID padType, // IN: the type of padding
915 UINT32 dInSize, // IN: the amount of data to encrypt
916 BYTE *dIn, // IN: the data to encrypt
917 TPM_ALG_ID hashAlg, // IN: in case this is needed
918 const char *label // IN: in case it is needed
919 )
920{
921 CRYPT_RESULT retVal = CRYPT_SUCCESS;
922 pAssert(cOutSize != NULL);
923 // All encryption schemes return the same size of data
924 if(*cOutSize < key->publicKey->size)
925 return CRYPT_PARAMETER;
926 *cOutSize = key->publicKey->size;
927 switch (padType)
928 {
929 case TPM_ALG_NULL: // 'raw' encryption
930 {
931 // dIn can have more bytes than cOut as long as the extra bytes
932 // are zero
933 for(; dInSize > *cOutSize; dInSize--)
934 {
935 if(*dIn++ != 0)
936 return CRYPT_PARAMETER;
937 }
938 // If dIn is smaller than cOut, fill cOut with zeros
939 if(dInSize < *cOutSize)
940 memset(cOut, 0, *cOutSize - dInSize);
941 // Copy the rest of the value
942 memcpy(&cOut[*cOutSize-dInSize], dIn, dInSize);
943 // If the size of dIn is the same as cOut dIn could be larger than
944 // the modulus. If it is, then RSAEP() will catch it.
945 }
946 break;
947 case TPM_ALG_RSAES:
948 retVal = RSAES_PKSC1v1_5Encode(*cOutSize, cOut, dInSize, dIn);
949 break;
950 case TPM_ALG_OAEP:
951 retVal = OaepEncode(*cOutSize, cOut, hashAlg, label, dInSize, dIn
952#ifdef TEST_RSA
953 ,NULL
954#endif
955 );
956 break;
957 default:
958 return CRYPT_SCHEME;
959 }
960 // All the schemes that do padding will come here for the encryption step
961 // Check that the Encoding worked
962 if(retVal != CRYPT_SUCCESS)
963 return retVal;
964 // Padding OK so do the encryption
965 return RSAEP(*cOutSize, cOut, key);
966}
967//
968//
969// _cpri__DecryptRSA()
970//
971// This is the entry point for decryption using RSA. Decryption is use of the private exponent. The padType
972// parameter determines what padding was used.
973//
974// Return Value Meaning
975//
976// CRYPT_SUCCESS successful completion
977// CRYPT_PARAMETER cInSize is not the same as the size of the public modulus of key; or
978// numeric value of the encrypted data is greater than the modulus
979// CRYPT_FAIL dOutSize is not large enough for the result
980// CRYPT_SCHEME padType is not supported
981//
982LIB_EXPORT CRYPT_RESULT
983_cpri__DecryptRSA(
984 UINT32 *dOutSize, // OUT: the size of the decrypted data
985 BYTE *dOut, // OUT: the decrypted data
986 RSA_KEY *key, // IN: the key to use for decryption
987 TPM_ALG_ID padType, // IN: the type of padding
988 UINT32 cInSize, // IN: the amount of data to decrypt
989 BYTE *cIn, // IN: the data to decrypt
990 TPM_ALG_ID hashAlg, // IN: in case this is needed for the scheme
991 const char *label // IN: in case it is needed for the scheme
992 )
993{
994 CRYPT_RESULT retVal;
995 // Make sure that the necessary parameters are provided
996 pAssert(cIn != NULL && dOut != NULL && dOutSize != NULL && key != NULL);
997 // Size is checked to make sure that the decryption works properly
998 if(cInSize != key->publicKey->size)
999 return CRYPT_PARAMETER;
1000 // For others that do padding, do the decryption in place and then
1001 // go handle the decoding.
1002 if((retVal = RSADP(cInSize, cIn, key)) != CRYPT_SUCCESS)
1003 return retVal; // Decryption failed
1004 // Remove padding
1005 switch (padType)
1006 {
1007 case TPM_ALG_NULL:
1008 if(*dOutSize < key->publicKey->size)
1009 return CRYPT_FAIL;
1010 *dOutSize = key->publicKey->size;
1011 memcpy(dOut, cIn, *dOutSize);
1012 return CRYPT_SUCCESS;
1013 case TPM_ALG_RSAES:
1014 return RSAES_Decode(dOutSize, dOut, cInSize, cIn);
1015 break;
1016 case TPM_ALG_OAEP:
1017 return OaepDecode(dOutSize, dOut, hashAlg, label, cInSize, cIn);
1018 break;
1019 default:
1020 return CRYPT_SCHEME;
1021 break;
1022 }
1023}
1024//
1025//
1026// _cpri__SignRSA()
1027//
1028// This function is used to generate an RSA signature of the type indicated in scheme.
1029//
1030// Return Value Meaning
1031//
1032// CRYPT_SUCCESS sign operation completed normally
1033// CRYPT_SCHEME scheme or hashAlg are not supported
1034// CRYPT_PARAMETER hInSize does not match hashAlg (for RSASSA)
1035//
1036LIB_EXPORT CRYPT_RESULT
1037_cpri__SignRSA(
1038 UINT32 *sigOutSize, // OUT: size of signature
1039 BYTE *sigOut, // OUT: signature
1040 RSA_KEY *key, // IN: key to use
1041 TPM_ALG_ID scheme, // IN: the scheme to use
1042 TPM_ALG_ID hashAlg, // IN: hash algorithm for PKSC1v1_5
1043 UINT32 hInSize, // IN: size of digest to be signed
1044 BYTE *hIn // IN: digest buffer
1045 )
1046{
1047 CRYPT_RESULT retVal;
1048 // Parameter checks
1049 pAssert(sigOutSize != NULL && sigOut != NULL && key != NULL && hIn != NULL);
1050 // For all signatures the size is the size of the key modulus
1051 *sigOutSize = key->publicKey->size;
1052 switch (scheme)
1053 {
1054 case TPM_ALG_NULL:
1055 *sigOutSize = 0;
1056 return CRYPT_SUCCESS;
1057 case TPM_ALG_RSAPSS:
1058 // PssEncode can return CRYPT_PARAMETER
1059 retVal = PssEncode(*sigOutSize, sigOut, hashAlg, hInSize, hIn
1060#ifdef TEST_RSA
1061 , NULL
1062#endif
1063 );
1064 break;
1065 case TPM_ALG_RSASSA:
1066 // RSASSA_Encode can return CRYPT_PARAMETER or CRYPT_SCHEME
1067 retVal = RSASSA_Encode(*sigOutSize, sigOut, hashAlg, hInSize, hIn);
1068 break;
1069 default:
1070 return CRYPT_SCHEME;
1071 }
1072 if(retVal != CRYPT_SUCCESS)
1073 return retVal;
1074 // Do the encryption using the private key
1075 // RSADP can return CRYPT_PARAMETR
1076 return RSADP(*sigOutSize,sigOut, key);
1077}
1078//
1079//
1080// _cpri__ValidateSignatureRSA()
1081//
1082// This function is used to validate an RSA signature. If the signature is valid CRYPT_SUCCESS is
1083// returned. If the signature is not valid, CRYPT_FAIL is returned. Other return codes indicate either
1084// parameter problems or fatal errors.
1085//
1086// Return Value Meaning
1087//
1088// CRYPT_SUCCESS the signature checks
1089// CRYPT_FAIL the signature does not check
1090// CRYPT_SCHEME unsupported scheme or hash algorithm
1091//
1092LIB_EXPORT CRYPT_RESULT
1093_cpri__ValidateSignatureRSA(
1094 RSA_KEY *key, // IN: key to use
1095 TPM_ALG_ID scheme, // IN: the scheme to use
1096 TPM_ALG_ID hashAlg, // IN: hash algorithm
1097 UINT32 hInSize, // IN: size of digest to be checked
1098 BYTE *hIn, // IN: digest buffer
1099 UINT32 sigInSize, // IN: size of signature
1100 BYTE *sigIn, // IN: signature
1101 UINT16 saltSize // IN: salt size for PSS
1102 )
1103{
1104 CRYPT_RESULT retVal;
1105 // Fatal programming errors
1106 pAssert(key != NULL && sigIn != NULL && hIn != NULL);
1107 // Errors that might be caused by calling parameters
1108 if(sigInSize != key->publicKey->size)
1109 return CRYPT_FAIL;
1110 // Decrypt the block
1111 if((retVal = RSAEP(sigInSize, sigIn, key)) != CRYPT_SUCCESS)
1112 return CRYPT_FAIL;
1113 switch (scheme)
1114 {
1115 case TPM_ALG_NULL:
1116 return CRYPT_SCHEME;
1117 break;
1118 case TPM_ALG_RSAPSS:
1119 return PssDecode(hashAlg, hInSize, hIn, sigInSize, sigIn, saltSize);
1120 break;
1121 case TPM_ALG_RSASSA:
1122 return RSASSA_Decode(hashAlg, hInSize, hIn, sigInSize, sigIn);
1123 break;
1124 default:
1125 break;
1126 }
1127 return CRYPT_SCHEME;
1128}
1129#ifndef RSA_KEY_SIEVE
1130//
1131//
1132// _cpri__GenerateKeyRSA()
1133//
1134// Generate an RSA key from a provided seed
1135//
1136//
1137//
1138//
1139// Return Value Meaning
1140//
1141// CRYPT_FAIL exponent is not prime or is less than 3; or could not find a prime using
1142// the provided parameters
1143// CRYPT_CANCEL operation was canceled
1144//
1145LIB_EXPORT CRYPT_RESULT
1146_cpri__GenerateKeyRSA(
1147 TPM2B *n, // OUT: The public modulu
1148 TPM2B *p, // OUT: One of the prime factors of n
1149 UINT16 keySizeInBits, // IN: Size of the public modulus in bit
1150 UINT32 e, // IN: The public exponent
1151 TPM_ALG_ID hashAlg, // IN: hash algorithm to use in the key
1152 // generation proce
1153 TPM2B *seed, // IN: the seed to use
1154 const char *label, // IN: A label for the generation process.
1155 TPM2B *extra, // IN: Party 1 data for the KDF
1156 UINT32 *counter // IN/OUT: Counter value to allow KFD iteration
1157 // to be propagated across multiple routine
1158 )
1159{
1160 UINT32 lLen; // length of the label
1161 // (counting the terminating 0);
1162 UINT16 digestSize = _cpri__GetDigestSize(hashAlg);
1163 TPM2B_HASH_BLOCK oPadKey;
1164 UINT32 outer;
1165 UINT32 inner;
1166 BYTE swapped[4];
1167 CRYPT_RESULT retVal;
1168 int i, fill;
1169 const static char defaultLabel[] = "RSA key";
1170 BYTE *pb;
1171 CPRI_HASH_STATE h1; // contains the hash of the
1172 // HMAC key w/ iPad
1173 CPRI_HASH_STATE h2; // contains the hash of the
1174 // HMAC key w/ oPad
1175 CPRI_HASH_STATE h; // the working hash context
1176 BIGNUM *bnP;
1177 BIGNUM *bnQ;
1178 BIGNUM *bnT;
1179 BIGNUM *bnE;
1180 BIGNUM *bnN;
1181 BN_CTX *context;
1182 UINT32 rem;
1183 // Make sure that hashAlg is valid hash
1184 pAssert(digestSize != 0);
1185 // if present, use externally provided counter
1186 if(counter != NULL)
1187 outer = *counter;
1188 else
1189 outer = 1;
1190 // Validate exponent
1191 UINT32_TO_BYTE_ARRAY(e, swapped);
1192 // Need to check that the exponent is prime and not less than 3
1193 if( e != 0 && (e < 3 || !_math__IsPrime(e)))
1194 return CRYPT_FAIL;
1195 // Get structures for the big number representations
1196 context = BN_CTX_new();
1197 if(context == NULL)
1198 FAIL(FATAL_ERROR_ALLOCATION);
1199 BN_CTX_start(context);
1200 bnP = BN_CTX_get(context);
1201 bnQ = BN_CTX_get(context);
1202 bnT = BN_CTX_get(context);
1203 bnE = BN_CTX_get(context);
1204 bnN = BN_CTX_get(context);
1205 if(bnN == NULL)
1206 FAIL(FATAL_ERROR_INTERNAL);
1207 // Set Q to zero. This is used as a flag. The prime is computed in P. When a
1208 // new prime is found, Q is checked to see if it is zero. If so, P is copied
1209 // to Q and a new P is found. When both P and Q are non-zero, the modulus and
1210 // private exponent are computed and a trial encryption/decryption is
1211 // performed. If the encrypt/decrypt fails, assume that at least one of the
1212 // primes is composite. Since we don't know which one, set Q to zero and start
1213 // over and find a new pair of primes.
1214 BN_zero(bnQ);
1215 // Need to have some label
1216 if(label == NULL)
1217 label = (const char *)&defaultLabel;
1218 // Get the label size
1219 for(lLen = 0; label[lLen++] != 0;);
1220 // Start the hash using the seed and get the intermediate hash value
1221 _cpri__StartHMAC(hashAlg, FALSE, &h1, seed->size, seed->buffer, &oPadKey.b);
1222 _cpri__StartHash(hashAlg, FALSE, &h2);
1223 _cpri__UpdateHash(&h2, oPadKey.b.size, oPadKey.b.buffer);
1224 n->size = (keySizeInBits +7)/8;
1225 pAssert(n->size <= MAX_RSA_KEY_BYTES);
1226 p->size = n->size / 2;
1227 if(e == 0)
1228 e = RSA_DEFAULT_PUBLIC_EXPONENT;
1229 BN_set_word(bnE, e);
1230 // The first test will increment the counter from zero.
1231 for(outer += 1; outer != 0; outer++)
1232 {
1233 if(_plat__IsCanceled())
1234 {
1235 retVal = CRYPT_CANCEL;
1236 goto Cleanup;
1237 }
1238 // Need to fill in the candidate with the hash
1239 fill = digestSize;
1240 pb = p->buffer;
1241 // Reset the inner counter
1242 inner = 0;
1243 for(i = p->size; i > 0; i -= digestSize)
1244 {
1245 inner++;
1246 // Initialize the HMAC with saved state
1247 _cpri__CopyHashState(&h, &h1);
1248 // Hash the inner counter (the one that changes on each HMAC iteration)
1249 UINT32_TO_BYTE_ARRAY(inner, swapped);
1250 _cpri__UpdateHash(&h, 4, swapped);
1251 _cpri__UpdateHash(&h, lLen, (BYTE *)label);
1252 // Is there any party 1 data
1253 if(extra != NULL)
1254 _cpri__UpdateHash(&h, extra->size, extra->buffer);
1255 // Include the outer counter (the one that changes on each prime
1256 // prime candidate generation
1257 UINT32_TO_BYTE_ARRAY(outer, swapped);
1258 _cpri__UpdateHash(&h, 4, swapped);
1259 _cpri__UpdateHash(&h, 2, (BYTE *)&keySizeInBits);
1260 if(i < fill)
1261 fill = i;
1262 _cpri__CompleteHash(&h, fill, pb);
1263 // Restart the oPad hash
1264 _cpri__CopyHashState(&h, &h2);
1265 // Add the last hashed data
1266 _cpri__UpdateHash(&h, fill, pb);
1267 // gives a completed HMAC
1268 _cpri__CompleteHash(&h, fill, pb);
1269 pb += fill;
1270 }
1271 // Set the Most significant 2 bits and the low bit of the candidate
1272 p->buffer[0] |= 0xC0;
1273 p->buffer[p->size - 1] |= 1;
1274 // Convert the candidate to a BN
1275 BN_bin2bn(p->buffer, p->size, bnP);
1276 // If this is the second prime, make sure that it differs from the
1277 // first prime by at least 2^100
1278 if(!BN_is_zero(bnQ))
1279 {
1280 // bnQ is non-zero if we already found it
1281 if(BN_ucmp(bnP, bnQ) < 0)
1282 BN_sub(bnT, bnQ, bnP);
1283 else
1284 BN_sub(bnT, bnP, bnQ);
1285 if(BN_num_bits(bnT) < 100) // Difference has to be at least 100 bits
1286 continue;
1287 }
1288 // Make sure that the prime candidate (p) is not divisible by the exponent
1289 // and that (p-1) is not divisible by the exponent
1290 // Get the remainder after dividing by the modulus
1291 rem = BN_mod_word(bnP, e);
1292 if(rem == 0) // evenly divisible so add two keeping the number odd and
1293 // making sure that 1 != p mod e
1294 BN_add_word(bnP, 2);
1295 else if(rem == 1) // leaves a remainder of 1 so subtract two keeping the
1296 // number odd and making (e-1) = p mod e
1297 BN_sub_word(bnP, 2);
1298 // Have a candidate, check for primality
1299 if((retVal = (CRYPT_RESULT)BN_is_prime_ex(bnP,
1300 BN_prime_checks, NULL, NULL)) < 0)
1301 FAIL(FATAL_ERROR_INTERNAL);
1302 if(retVal != 1)
1303 continue;
1304 // Found a prime, is this the first or second.
1305 if(BN_is_zero(bnQ))
1306 {
1307 // copy p to q and compute another prime in p
1308 BN_copy(bnQ, bnP);
1309 continue;
1310 }
1311 //Form the public modulus
1312 BN_mul(bnN, bnP, bnQ, context);
1313 if(BN_num_bits(bnN) != keySizeInBits)
1314 FAIL(FATAL_ERROR_INTERNAL);
1315 // Save the public modulus
1316 BnTo2B(n, bnN, n->size); // Will pad the buffer to the correct size
1317 pAssert((n->buffer[0] & 0x80) != 0);
1318 // And one prime
1319 BnTo2B(p, bnP, p->size);
1320 pAssert((p->buffer[0] & 0x80) != 0);
1321 // Finish by making sure that we can form the modular inverse of PHI
1322 // with respect to the public exponent
1323 // Compute PHI = (p - 1)(q - 1) = n - p - q + 1
1324 // Make sure that we can form the modular inverse
1325 BN_sub(bnT, bnN, bnP);
1326 BN_sub(bnT, bnT, bnQ);
1327 BN_add_word(bnT, 1);
1328 // find d such that (Phi * d) mod e ==1
1329 // If there isn't then we are broken because we took the step
1330 // of making sure that the prime != 1 mod e so the modular inverse
1331 // must exist
1332 if(BN_mod_inverse(bnT, bnE, bnT, context) == NULL || BN_is_zero(bnT))
1333 FAIL(FATAL_ERROR_INTERNAL);
1334 // And, finally, do a trial encryption decryption
1335 {
1336 TPM2B_TYPE(RSA_KEY, MAX_RSA_KEY_BYTES);
1337 TPM2B_RSA_KEY r;
1338 r.t.size = sizeof(n->size);
1339 // If we are using a seed, then results must be reproducible on each
1340 // call. Otherwise, just get a random number
1341 if(seed == NULL)
1342 _cpri__GenerateRandom(n->size, r.t.buffer);
1343 else
1344 {
1345 // this this version does not have a deterministic RNG, XOR the
1346 // public key and private exponent to get a deterministic value
1347 // for testing.
1348 int i;
1349 // Generate a random-ish number starting with the public modulus
1350 // XORed with the MSO of the seed
1351 for(i = 0; i < n->size; i++)
1352 r.t.buffer[i] = n->buffer[i] ^ seed->buffer[0];
1353 }
1354 // Make sure that the number is smaller than the public modulus
1355 r.t.buffer[0] &= 0x7F;
1356 // Convert
1357 if( BN_bin2bn(r.t.buffer, r.t.size, bnP) == NULL
1358 // Encrypt with the public exponent
1359 || BN_mod_exp(bnQ, bnP, bnE, bnN, context) != 1
1360 // Decrypt with the private exponent
1361 || BN_mod_exp(bnQ, bnQ, bnT, bnN, context) != 1)
1362 FAIL(FATAL_ERROR_INTERNAL);
1363 // If the starting and ending values are not the same, start over )-;
1364 if(BN_ucmp(bnP, bnQ) != 0)
1365 {
1366 BN_zero(bnQ);
1367 continue;
1368 }
1369 }
1370 retVal = CRYPT_SUCCESS;
1371 goto Cleanup;
1372 }
1373 retVal = CRYPT_FAIL;
1374Cleanup:
1375 // Close out the hash sessions
1376 _cpri__CompleteHash(&h2, 0, NULL);
1377 _cpri__CompleteHash(&h1, 0, NULL);
1378 // Free up allocated BN values
1379 BN_CTX_end(context);
1380 BN_CTX_free(context);
1381 if(counter != NULL)
1382 *counter = outer;
1383 return retVal;
1384}
1385#endif // RSA_KEY_SIEVE
1386#endif // TPM_ALG_RSA