1 /*
2 * Copyright (c) 2022 Rockchip Electronics Co. Ltd.
3 */
4
5 #include <stdlib.h>
6 #include <string.h>
7
8 #include "rkcrypto_core.h"
9 #include "rkcrypto_trace.h"
10 #include "rkcrypto_random.h"
11
12 #ifndef ARRAY_SIZE
13 #define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
14 #endif
15
16 #define RSA_PKCS1_TYPE_MIN_PAD_LEN (11)
17
18 /**< Identifier for RSA signature operations. */
19 #define MBEDTLS_RSA_SIGN 1
20
21 /**< Identifier for RSA encryption and decryption operations. */
22 #define MBEDTLS_RSA_CRYPT 2
23
24 #define ASN1_INTEGER ((uint8_t)0x02)
25 #define ASN1_BIT_STRING ((uint8_t)0x03)
26 #define ASN1_OCT_STRING ((uint8_t)0x04)
27 #define ASN1_NULL ((uint8_t)0x05)
28 #define ASN1_OBJ_IDENTIFIER ((uint8_t)0x06)
29 #define ASN1_SEQUENCE ((uint8_t)0x30)
30 #define ASN1_CONTEXT0 ((uint8_t)0xA0)
31 #define ASN1_CONTEXT1 ((uint8_t)0xA1)
32
33 typedef struct {
34 const uint8_t *data; //the buffer of data
35 uint16_t *data_len; //valid length of data
36 uint8_t tag; //ASN1 data type
37 uint8_t need_plus; //to identify weather the data is a positive number
38 } asn1_object_t;
39
40 struct hash_oid_item {
41 uint32_t hash_algo;
42 const uint8_t *oid;
43 uint32_t oid_size;
44 };
45
46 static const uint8_t sha1_oid[] = {0x2b, 0x0e, 0x03, 0x02, 0x1a};
47 static const uint8_t sha224_oid[] = {0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04};
48 static const uint8_t sha256_oid[] = {0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01};
49 static const uint8_t sha384_oid[] = {0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02};
50 static const uint8_t sha512_oid[] = {0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03};
51
52 struct hash_oid_item hash_oid_tbl[] = {
53 {RK_ALGO_SHA1, sha1_oid, sizeof(sha1_oid)},
54 {RK_ALGO_SHA224, sha224_oid, sizeof(sha224_oid)},
55 {RK_ALGO_SHA256, sha256_oid, sizeof(sha256_oid)},
56 {RK_ALGO_SHA384, sha384_oid, sizeof(sha384_oid)},
57 {RK_ALGO_SHA512, sha512_oid, sizeof(sha512_oid)},
58 };
59
get_oid_by_md(uint32_t hash_algo,const uint8_t ** oid,uint32_t * old_len)60 static RK_RES get_oid_by_md(uint32_t hash_algo, const uint8_t **oid, uint32_t *old_len)
61 {
62 uint32_t i;
63
64 for (i = 0; i < ARRAY_SIZE(hash_oid_tbl); i++) {
65 if (hash_oid_tbl[i].hash_algo == hash_algo) {
66 *oid = hash_oid_tbl[i].oid;
67 *old_len = hash_oid_tbl[i].oid_size;
68 return RK_CRYPTO_SUCCESS;
69 }
70 }
71
72 return RK_CRYPTO_ERR_PARAMETER;
73 }
74
asn1_compose_len(uint32_t len,uint8_t * field,uint32_t * field_len)75 static RK_RES asn1_compose_len(uint32_t len, uint8_t *field, uint32_t *field_len)
76 {
77 uint8_t tmp_field[4];
78
79 if (field == NULL || field_len == NULL)
80 return RK_CRYPTO_ERR_PARAMETER;
81
82 if (len < 0x80) {
83 *field = len;
84 *field_len = 1;
85 } else {
86 uint32_t i, j;
87
88 tmp_field[0] = (len >> 24) & 0xff;
89 tmp_field[1] = (len >> 16) & 0xff;
90 tmp_field[2] = (len >> 8) & 0xff;
91 tmp_field[3] = len & 0xff;
92
93 for (i = 0; i < sizeof(tmp_field); i++) {
94 if (tmp_field[i] == 0x00)
95 continue;
96
97 for (j = 0; j < sizeof(tmp_field) - i; j++)
98 field[j + 1] = tmp_field[j + i];
99
100 break;
101 }
102 field[0] = 0X80 + sizeof(tmp_field) - i;
103 *field_len = sizeof(tmp_field) - i + 1;
104 }
105
106 return RK_CRYPTO_SUCCESS;
107 }
108
asn1_set_object(const uint8_t * in,uint32_t in_len,uint8_t tag,uint8_t need_plus,uint8_t * out,uint32_t out_max,uint32_t * out_len)109 static RK_RES asn1_set_object(const uint8_t *in, uint32_t in_len, uint8_t tag, uint8_t need_plus,
110 uint8_t *out, uint32_t out_max, uint32_t *out_len)
111 {
112 RK_RES res;
113 uint8_t *pout = out;
114 uint32_t field_len;
115 uint8_t tmp_field[5];
116
117 if (in == NULL || out == NULL || out_len == NULL)
118 return RK_CRYPTO_ERR_PARAMETER;
119
120 *out_len = 0;
121
122 //padding tag field
123 if (out_max < 1) {
124 res = RK_CRYPTO_ERR_OUT_OF_MEMORY;
125 goto exit;
126 }
127
128 *pout = tag;
129 pout++;
130 out_max--;
131
132 //padding length field
133 if (need_plus && *in >= 0x80)
134 res = asn1_compose_len(in_len + 1, tmp_field, &field_len);
135 else
136 res = asn1_compose_len(in_len, tmp_field, &field_len);
137
138 if (res != RK_CRYPTO_SUCCESS) {
139 D_TRACE("asn1_compose_len error");
140 return res;
141 }
142
143 if (out_max < field_len) {
144 D_TRACE("out_max = %d, field_len = %d", out_max, field_len);
145 res = RK_CRYPTO_ERR_OUT_OF_MEMORY;
146 goto exit;
147 }
148
149 memmove(pout, tmp_field, field_len);
150 pout += field_len;
151 out_max -= field_len;
152
153 //padding value field
154 if (need_plus && *in >= 0x80) {
155 if (out_max < 1) {
156 res = RK_CRYPTO_ERR_OUT_OF_MEMORY;
157 goto exit;
158 }
159
160 *pout = 0x00;
161 pout++;
162 out_max--;
163 }
164
165 if (out_max < in_len) {
166 res = RK_CRYPTO_ERR_OUT_OF_MEMORY;
167 goto exit;
168 }
169
170 memmove(pout, in, in_len);
171 pout += in_len;
172
173 *out_len = pout-out;
174
175 exit:
176 return res;
177 }
178
179 /* PKCS #1: block type 0,1,2 message padding */
180 /*************************************************
181 *EB = 00 || BT || PS || 00 || D
182 *
183 *PS_LEN >= 8, mlen < key_len - 11
184 ************************************************/
rsa_padding_add_pkcs1_type(uint16_t key_len,uint8_t bt,const uint8_t * in,uint8_t in_len,uint8_t * out)185 static RK_RES rsa_padding_add_pkcs1_type(uint16_t key_len, uint8_t bt,
186 const uint8_t *in, uint8_t in_len, uint8_t *out)
187 {
188 uint32_t plen = 0;
189 uint8_t *peb = NULL;
190
191 if (in_len > key_len - RSA_PKCS1_TYPE_MIN_PAD_LEN) {
192 E_TRACE("key_len is invalid.\n");
193 return RK_CRYPTO_ERR_PADDING_OVERFLOW;
194 }
195
196 /* block type 0 first input data can't be zero */
197 if (bt == 0x00 && *in == 0)
198 return RK_CRYPTO_ERR_PADDING;
199
200 peb = out;
201
202 /* first byte is 0x00 */
203 *(peb++) = 0;
204
205 /* Private Key BT (Block Type) */
206 *(peb++) = bt;
207
208 /* The padding string PS shall consist of k-3-||D|| octets */
209 plen = key_len - 3 - in_len;
210 switch (bt) {
211 case 0x00: {
212 /* For block type 00, the octets shall have value 00 */
213 memset(peb, 0x00, plen);
214 break;
215 }
216 case 0x01: {
217 /* for block type 01, they shall have value FF */
218 memset(peb, 0xFF, plen);
219 break;
220 }
221 case 0x02: {
222 RK_RES res;
223 uint32_t i = 0;
224
225 /* for block type 02, they shall be pseudorandomly generated and nonzero. */
226 res = rk_get_random(peb, plen);
227 if (res)
228 return res;
229
230 /* make sure nonzero */
231 for (i = 0; i < plen; i++) {
232 if (peb[i] == 0x00)
233 peb[i] = 0x01;
234 }
235 break;
236 }
237 default: {
238 E_TRACE("BT(0x%x) is invalid.\n", plen);
239 return RK_CRYPTO_ERR_PADDING;
240 }
241 }
242
243 /* skip the padding string */
244 peb += plen;
245
246 /* set 0x00 follow PS */
247 *(peb++) = 0x00;
248
249 /* input data */
250 memcpy(peb, in, in_len);
251
252 return RK_CRYPTO_SUCCESS;
253 }
254
255 /* PKCS #1: block type 0,1,2 message padding */
256 /*************************************************
257 * EB = 00 || BT || PS || 00 || D
258 *
259 *PS_LEN >= 8, mlen < key_len - 11
260 *************************************************/
rsa_padding_check_pkcs1_type(uint32_t key_len,uint8_t bt,const uint8_t * in,uint8_t * out,uint32_t * outlen)261 static RK_RES rsa_padding_check_pkcs1_type(uint32_t key_len, uint8_t bt,
262 const uint8_t *in, uint8_t *out, uint32_t *outlen)
263 {
264 const uint8_t *peb = NULL;
265 uint32_t inlen = key_len;
266
267 *outlen = 0x00;
268 peb = in;
269
270 /* first byte must be 0x00 */
271 if (*peb != 0x00) {
272 E_TRACE("EB[0] != 0x00.\n");
273 goto error;
274 }
275 peb++;
276
277 /* Private Key BT (Block Type) */
278 if (*peb != bt) {
279 E_TRACE("EB[1] != BT(0x%x).\n", bt);
280 goto error;
281 }
282 peb++;
283
284 switch (bt) {
285 case 0x00:
286 /* For block type 00, the octets shall have value 00 */
287 for (; peb < in + inlen - 1; peb++) {
288 if ((*peb == 0x00) && (*(peb + 1) != 0))
289 break;
290 }
291 break;
292 case 0x01:
293 /* For block type 0x01 the octets shall have value 0xFF */
294 for (; peb < in + inlen - 1; peb++) {
295 if (*peb == 0xFF)
296 continue;
297
298 if (*peb == 0x00)
299 break;
300
301 peb = in + inlen - 1;
302 break;
303 }
304 break;
305 case 0x02:
306 /* for block type 02, they shall be pseudorandomly generated and nonzero. */
307 for (; peb < in + inlen - 1; peb++) {
308 if (*peb == 0x00)
309 break;
310 }
311 break;
312 default:
313 E_TRACE("BT(0x%x) is invalid.\n", bt);
314 goto error;
315 }
316
317 if (peb >= (in + inlen - 1)) {
318 E_TRACE("PS Error.\n");
319 goto error;
320 }
321
322 /* skip 0x00 after PS */
323 peb++;
324
325 /* get payload data */
326 *outlen = in + key_len - peb;
327 memcpy(out, peb, *outlen);
328
329 return RK_CRYPTO_SUCCESS;
330 error:
331 return RK_CRYPTO_ERR_PADDING;
332 }
333
334 /*
335 * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-ENCRYPT function
336 * 00 (01/02) [a bunch of non-zero random bytes] 00 [the message]
337 */
rsa_padding_add_pkcs15_type(uint16_t key_len,bool is_priv_key,const uint8_t * in,uint32_t in_len,uint8_t * out)338 RK_RES rsa_padding_add_pkcs15_type(uint16_t key_len, bool is_priv_key,
339 const uint8_t *in, uint32_t in_len, uint8_t *out)
340 {
341 uint32_t nb_pad, olen;
342 RK_RES res;
343 uint8_t *p = out;
344
345 // We don't check p_rng because it won't be dereferenced here
346 if (in == NULL || out == NULL)
347 return RK_CRYPTO_ERR_PADDING;
348
349 olen = key_len;
350
351 /* first comparison checks for overflow */
352 if (in_len + 11 < in_len || olen < in_len + 11)
353 return RK_CRYPTO_ERR_PADDING_OVERFLOW;
354
355 nb_pad = olen - 3 - in_len;
356
357 *p++ = 0;
358 if (!is_priv_key) {
359 *p++ = MBEDTLS_RSA_CRYPT;
360
361 while (nb_pad-- > 0) {
362 int rng_dl = 100;
363
364 do {
365 res = rk_get_random(p, 1);
366 } while (*p == 0 && --rng_dl && res == 0);
367
368 /* Check if RNG failed to generate data */
369 if (rng_dl == 0 || res != 0)
370 return RK_CRYPTO_ERR_PADDING;
371
372 p++;
373 }
374 } else {
375 *p++ = MBEDTLS_RSA_SIGN;
376
377 while (nb_pad-- > 0)
378 *p++ = 0xFF;
379 }
380
381 *p++ = 0;
382 memcpy(p, in, in_len);
383
384 return RK_CRYPTO_SUCCESS;
385 }
386 /*
387 * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-DECRYPT function
388 */
rsa_padding_check_pkcs15_type(uint16_t key_len,bool is_priv_key,const uint8_t * in,uint8_t * out,uint32_t * out_len)389 static RK_RES rsa_padding_check_pkcs15_type(uint16_t key_len, bool is_priv_key,
390 const uint8_t *in, uint8_t *out, uint32_t *out_len)
391 {
392 uint32_t ilen, pad_count = 0, i;
393 const uint8_t *p;
394 uint8_t bad, pad_done = 0;
395
396 ilen = key_len;
397 p = in;
398 bad = 0;
399
400 /*
401 * Check and get padding len in "constant-time"
402 */
403 bad |= *p++; /* First byte must be 0 */
404
405 /* This test does not depend on secret data */
406 if (is_priv_key) {
407 bad |= *p++ ^ MBEDTLS_RSA_CRYPT;
408
409 /* Get padding len, but always read till end of buffer
410 * (minus one, for the 00 byte)
411 */
412 for (i = 0; i < ilen - 3; i++) {
413 pad_done |= ((p[i] | (uint8_t)-p[i]) >> 7) ^ 1;
414 pad_count += ((pad_done | (uint8_t)-pad_done) >> 7) ^ 1;
415 }
416
417 p += pad_count;
418 bad |= *p++; /* Must be zero */
419 } else {
420 bad |= *p++ ^ MBEDTLS_RSA_SIGN;
421
422 /* Get padding len, but always read till end of buffer
423 * (minus one, for the 00 byte)
424 */
425 for (i = 0; i < ilen - 3; i++) {
426 pad_done |= (p[i] != 0xFF);
427 pad_count += (pad_done == 0);
428 }
429
430 p += pad_count;
431 bad |= *p++; /* Must be zero */
432 }
433
434 bad |= (pad_count < 8);
435
436 if (bad)
437 return RK_CRYPTO_ERR_PADDING;
438
439 *out_len = ilen - (p - in);
440 memcpy(out, p, *out_len);
441
442 return RK_CRYPTO_SUCCESS;
443 }
444
get_hash_algo_from_padding(uint32_t padding,uint32_t * hlen,uint32_t * hash_algo)445 static RK_RES get_hash_algo_from_padding(uint32_t padding,
446 uint32_t *hlen, uint32_t *hash_algo)
447 {
448 uint32_t shaalgo = RK_ALGO_SHA1;
449
450 switch (padding) {
451 case RK_RSA_CRYPT_PADDING_OAEP_SHA1:
452 case RK_RSA_SIGN_PADDING_PKCS1_V15_SHA1:
453 case RK_RSA_SIGN_PADDING_PKCS1_PSS_SHA1:
454 *hlen = SHA1_HASH_SIZE;
455 shaalgo = RK_ALGO_SHA1;
456 break;
457 case RK_RSA_CRYPT_PADDING_OAEP_SHA224:
458 case RK_RSA_SIGN_PADDING_PKCS1_V15_SHA224:
459 case RK_RSA_SIGN_PADDING_PKCS1_PSS_SHA224:
460 *hlen = SHA224_HASH_SIZE;
461 shaalgo = RK_ALGO_SHA224;
462 break;
463 case RK_RSA_CRYPT_PADDING_OAEP_SHA256:
464 case RK_RSA_SIGN_PADDING_PKCS1_V15_SHA256:
465 case RK_RSA_SIGN_PADDING_PKCS1_PSS_SHA256:
466 *hlen = SHA256_HASH_SIZE;
467 shaalgo = RK_ALGO_SHA256;
468 break;
469 case RK_RSA_CRYPT_PADDING_OAEP_SHA384:
470 case RK_RSA_SIGN_PADDING_PKCS1_V15_SHA384:
471 case RK_RSA_SIGN_PADDING_PKCS1_PSS_SHA384:
472 *hlen = SHA384_HASH_SIZE;
473 shaalgo = RK_ALGO_SHA384;
474 break;
475 case RK_RSA_CRYPT_PADDING_OAEP_SHA512:
476 case RK_RSA_SIGN_PADDING_PKCS1_V15_SHA512:
477 case RK_RSA_SIGN_PADDING_PKCS1_PSS_SHA512:
478 *hlen = SHA512_HASH_SIZE;
479 shaalgo = RK_ALGO_SHA512;
480 break;
481 default:
482 D_TRACE("unknown padding %x", padding);
483 *hlen = 0;
484 shaalgo = 0;
485 return RK_CRYPTO_ERR_PADDING;
486 }
487
488 *hash_algo = shaalgo;
489
490 return RK_CRYPTO_SUCCESS;
491 }
492
calc_padding_digest(uint32_t algo,const uint8_t * data,uint32_t data_len,uint8_t * digest)493 static RK_RES calc_padding_digest(uint32_t algo, const uint8_t *data, uint32_t data_len,
494 uint8_t *digest)
495 {
496 RK_RES res;
497 rk_hash_config hash_cfg;
498 rk_handle hash_hdl = 0;
499
500 memset(&hash_cfg, 0x00, sizeof(hash_cfg));
501
502 hash_cfg.algo = algo;
503
504 res = rk_hash_init(&hash_cfg, &hash_hdl);
505 if (res)
506 goto exit;
507
508 if (data && data_len != 0) {
509 res = rk_hash_update_virt(hash_hdl, data, data_len);
510 if (res) {
511 rk_hash_final(hash_hdl, NULL);
512 goto exit;
513 }
514 }
515
516 res = rk_hash_final(hash_hdl, digest);
517 exit:
518 if (res)
519 D_TRACE("digest error.");
520
521 return res;
522 }
523
524 /**
525 * Generate and apply the MGF1 operation (from PKCS#1 v2.1) to a buffer.
526 *
527 * \param dst buffer to mask
528 * \param dlen length of destination buffer
529 * \param src source of the mask generation
530 * \param slen length of the source buffer
531 * \param md_ctx message digest context to use
532 */
mgf_mask(uint8_t * dst,uint32_t dlen,uint8_t * src,uint32_t slen,uint32_t hash_algo,uint32_t hash_len)533 static RK_RES mgf_mask(uint8_t *dst, uint32_t dlen, uint8_t *src, uint32_t slen,
534 uint32_t hash_algo, uint32_t hash_len)
535 {
536 uint8_t mask[SHA512_HASH_SIZE];
537 uint8_t counter[4];
538 uint8_t *p;
539 uint32_t i, use_len;
540 RK_RES res = 0;
541 rk_handle hash_hdl;
542 rk_hash_config hash_cfg;
543
544
545 memset(&hash_cfg, 0x00, sizeof(hash_cfg));
546 hash_cfg.algo = hash_algo;
547
548 memset(mask, 0, sizeof(mask));
549 memset(counter, 0, sizeof(counter));
550
551 /* Generate and apply dbMask */
552 p = dst;
553
554 while (dlen > 0) {
555 use_len = hash_len;
556 if (dlen < hash_len)
557 use_len = dlen;
558
559 res = rk_hash_init(&hash_cfg, &hash_hdl);
560 if (res)
561 goto cleanup;
562
563 res = rk_hash_update_virt(hash_hdl, src, slen);
564 if (res) {
565 rk_hash_final(hash_hdl, NULL);
566 goto cleanup;
567 }
568
569 res = rk_hash_update_virt(hash_hdl, counter, 4);
570 if (res) {
571 rk_hash_final(hash_hdl, NULL);
572 goto cleanup;
573 }
574
575 res = rk_hash_final(hash_hdl, mask);
576 if (res)
577 goto cleanup;
578
579 for (i = 0; i < use_len; ++i)
580 *p++ ^= mask[i];
581
582 counter[3]++;
583
584 dlen -= use_len;
585 }
586
587 cleanup:
588 memset(mask, 0x00, sizeof(mask));
589
590 return res;
591 }
592
593 /*
594 * Implementation of the PKCS#1 v2.1 RSAES-OAEP-ENCRYPT function
595 */
rsa_padding_add_oaep_type(enum RK_RSA_CRYPT_PADDING padding,uint16_t key_len,const uint8_t * label,uint32_t label_len,const uint8_t * in,uint32_t in_len,uint8_t * out)596 static RK_RES rsa_padding_add_oaep_type(enum RK_RSA_CRYPT_PADDING padding, uint16_t key_len,
597 const uint8_t *label, uint32_t label_len,
598 const uint8_t *in, uint32_t in_len, uint8_t *out)
599 {
600 uint32_t olen;
601 RK_RES res;
602 uint8_t *p = out;
603 uint32_t hlen;
604 uint32_t hash_algo;
605
606 RK_CRYPTO_CHECK_PARAM(!out);
607 RK_CRYPTO_CHECK_PARAM(!in);
608 RK_CRYPTO_CHECK_PARAM(label_len != 0 || label);
609
610 olen = key_len;
611 res = get_hash_algo_from_padding(padding, &hlen, &hash_algo);
612 if (res)
613 goto error;
614
615 /* first comparison checks for overflow */
616 if (in_len + 2 * hlen + 2 < in_len || olen < in_len + 2 * hlen + 2) {
617 res = RK_CRYPTO_ERR_PADDING_OVERFLOW;
618 goto error;
619 }
620
621 memset(out, 0, olen);
622
623 *p++ = 0;
624
625 /* Generate a random octet string seed */
626 res = rk_get_random(p, hlen);
627 if (res)
628 goto error;
629
630 p += hlen;
631
632 /* Construct DB */
633 res = calc_padding_digest(hash_algo, label, label_len, p);
634 if (res)
635 goto error;
636
637 p += hlen;
638 p += olen - 2 * hlen - 2 - in_len;
639 *p++ = 1;
640 memcpy(p, in, in_len);
641
642 /* maskedDB: Apply dbMask to DB */
643 res = mgf_mask(out + hlen + 1, olen - hlen - 1, out + 1, hlen, hash_algo, hlen);
644 if (res)
645 goto error;
646
647 /* maskedSeed: Apply seedMask to seed */
648 res = mgf_mask(out + 1, hlen, out + hlen + 1, olen - hlen - 1, hash_algo, hlen);
649 if (res)
650 goto error;
651
652 return RK_CRYPTO_SUCCESS;
653
654 error:
655 return res;
656 }
657
658 /*
659 * Implementation of the PKCS#1 v2.1 RSAES-OAEP-DECRYPT function
660 */
rsa_padding_check_oaep_type(enum RK_RSA_CRYPT_PADDING padding,uint16_t key_len,const uint8_t * label,size_t label_len,const uint8_t * in,uint8_t * out,uint32_t * out_len)661 RK_RES rsa_padding_check_oaep_type(enum RK_RSA_CRYPT_PADDING padding, uint16_t key_len,
662 const uint8_t *label, size_t label_len,
663 const uint8_t *in, uint8_t *out, uint32_t *out_len)
664 {
665 RK_RES res = RK_CRYPTO_ERR_PADDING;
666 uint32_t ilen, i, pad_len;
667 uint8_t *p, bad, pad_done;
668 uint8_t *buf = NULL;
669 uint8_t lhash[SHA512_HASH_SIZE];
670 uint32_t hlen;
671 uint32_t hash_algo;
672
673 ilen = key_len;
674 res = get_hash_algo_from_padding(padding, &hlen, &hash_algo);
675 if (res)
676 return res;
677
678 buf = malloc(ilen);
679 if (!buf)
680 return RK_CRYPTO_ERR_OUT_OF_MEMORY;
681
682 memcpy(buf, in, ilen);
683
684 // checking for integer underflow
685 if (2 * hlen + 2 > ilen) {
686 res = RK_CRYPTO_ERR_PADDING;
687 goto exit;
688 }
689
690 /*
691 * Unmask data and generate lHash
692 */
693 res = calc_padding_digest(hash_algo, label, label_len, lhash);
694 if (res)
695 goto exit;
696
697 /* seed: Apply seedMask to maskedSeed */
698 res = mgf_mask(buf + 1, hlen, buf + hlen + 1, ilen - hlen - 1, hash_algo, hlen);
699 if (res)
700 goto exit;
701
702 /* DB: Apply dbMask to maskedDB */
703 res = mgf_mask(buf + hlen + 1, ilen - hlen - 1, buf + 1, hlen, hash_algo, hlen);
704 if (res)
705 goto exit;
706
707 /*
708 * Check contents, in "constant-time"
709 */
710 p = buf;
711 bad = 0;
712
713 bad |= *p++; /* First byte must be 0 */
714
715 p += hlen; /* Skip seed */
716
717 /* Check lHash */
718 for (i = 0; i < hlen; i++)
719 bad |= lhash[i] ^ *p++;
720
721 /* Get zero-padding len, but always read till end of buffer
722 * (minus one, for the 01 byte)
723 */
724 pad_len = 0;
725 pad_done = 0;
726 for (i = 0; i < ilen - 2 * hlen - 2; i++) {
727 pad_done |= p[i];
728 pad_len += ((pad_done | (uint8_t)-pad_done) >> 7) ^ 1;
729 }
730
731 p += pad_len;
732 bad |= *p++ ^ 0x01;
733
734 /*
735 * The only information "leaked" is whether the padding was correct or not
736 * (eg, no data is copied if it was not correct). This meets the
737 * recommendations in PKCS#1 v2.2: an opponent cannot distinguish between
738 * the different error conditions.
739 */
740 if (bad != 0) {
741 res = RK_CRYPTO_ERR_PADDING;
742 goto exit;
743 }
744
745 if (ilen - (p - buf) > key_len) {
746 res = RK_CRYPTO_ERR_PADDING;
747 goto exit;
748 }
749
750 *out_len = ilen - (p - buf);
751 memcpy(out, p, *out_len);
752
753 res = RK_CRYPTO_SUCCESS;
754 exit:
755 if (buf)
756 free(buf);
757
758 return res;
759 }
760
761 /*
762 * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-V1_5-SIGN function
763 * Construct a PKCS v1.5 encoding of a hashed message
764 */
rsa_padding_add_pkcs15_sign_type(uint32_t hash_algo,uint16_t key_len,const uint8_t * hash,uint8_t hash_len,uint8_t * out)765 static int rsa_padding_add_pkcs15_sign_type(uint32_t hash_algo, uint16_t key_len,
766 const uint8_t *hash, uint8_t hash_len, uint8_t *out)
767 {
768 RK_RES res;
769 uint32_t oid_size = 0;
770 uint32_t nb_pad = key_len;
771 uint8_t *p = out;
772 const uint8_t *oid = NULL;
773
774 /* Gather length of hash to sign */
775 res = get_oid_by_md(hash_algo, &oid, &oid_size);
776 if (res)
777 return RK_CRYPTO_ERR_PADDING;
778
779 /* Double-check that 8 + hash_len + oid_size can be used as a
780 * 1-byte ASN.1 length encoding and that there's no overflow.
781 */
782 if (8 + hash_len + oid_size >= 0x80 ||
783 10 + hash_len < hash_len ||
784 10 + hash_len + oid_size < 10 + hash_len)
785 return RK_CRYPTO_ERR_PADDING_OVERFLOW;
786
787 /*
788 * Static bounds check:
789 * - Need 10 bytes for five tag-length pairs.
790 * (Insist on 1-byte length encodings to protect against variants of
791 * Bleichenbacher's forgery attack against lax PKCS#1v1.5 verification)
792 * - Need hash_len bytes for hash
793 * - Need oid_size bytes for hash alg OID.
794 */
795 if (nb_pad < 10 + hash_len + oid_size)
796 return RK_CRYPTO_ERR_PADDING_OVERFLOW;
797
798 nb_pad -= 10 + hash_len + oid_size;
799
800 /* Need space for signature header and padding delimiter (3 bytes),
801 * and 8 bytes for the minimal padding
802 */
803 if (nb_pad < 3 + 8)
804 return RK_CRYPTO_ERR_PADDING_OVERFLOW;
805
806 nb_pad -= 3;
807
808 /* Now nb_pad is the amount of memory to be filled
809 * with padding, and at least 8 bytes long.
810 */
811
812 /* Write signature header and padding */
813 *p++ = 0;
814 *p++ = MBEDTLS_RSA_SIGN;
815 memset(p, 0xFF, nb_pad);
816 p += nb_pad;
817 *p++ = 0;
818
819 /* Signing hashed data, add corresponding ASN.1 structure
820 *
821 * DigestInfo ::= SEQUENCE {
822 * digestAlgorithm DigestAlgorithmIdentifier,
823 * digest Digest }
824 * DigestAlgorithmIdentifier ::= AlgorithmIdentifier
825 * Digest ::= OCTET STRING
826 *
827 * Schematic:
828 * TAG-SEQ + LEN [ TAG-SEQ + LEN [ TAG-OID + LEN [ OID ]
829 * TAG-NULL + LEN [ NULL ] ]
830 * TAG-OCTET + LEN [ HASH ] ]
831 */
832 *p++ = ASN1_SEQUENCE;
833 *p++ = (uint8_t)(0x08 + oid_size + hash_len);
834 *p++ = ASN1_SEQUENCE;
835 *p++ = (uint8_t)(0x04 + oid_size);
836 *p++ = ASN1_OBJ_IDENTIFIER;
837 *p++ = (uint8_t)oid_size;
838 memcpy(p, oid, oid_size);
839 p += oid_size;
840 *p++ = ASN1_NULL;
841 *p++ = 0x00;
842 *p++ = ASN1_OCT_STRING;
843 *p++ = (uint8_t)hash_len;
844 memcpy(p, hash, hash_len);
845 p += hash_len;
846
847 return RK_CRYPTO_SUCCESS;
848 }
849
850 /*
851 * Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function
852 */
rsa_padding_add_pss_type(uint16_t key_len,uint16_t n_bits,uint32_t hash_algo,const uint8_t * hash,uint32_t hash_len,uint8_t * out)853 RK_RES rsa_padding_add_pss_type(uint16_t key_len, uint16_t n_bits,
854 uint32_t hash_algo, const uint8_t *hash,
855 uint32_t hash_len, uint8_t *out)
856 {
857 uint32_t olen;
858 uint8_t *p = out;
859 uint8_t salt[SHA512_HASH_SIZE];
860 uint32_t slen, hlen, min_slen, offset = 0;
861 RK_RES res;
862 uint32_t msb, ps_len;
863 rk_hash_config hash_cfg;
864 rk_handle hash_hdl;
865
866 olen = key_len;
867 hlen = hash_len;
868 slen = hlen;
869
870 /* Calculate the largest possible salt length. Normally this is the hash
871 * length, which is the maximum length the salt can have. If there is not
872 * enough room, use the maximum salt length that fits. The constraint is
873 * that the hash length plus the salt length plus 2 bytes must be at most
874 * the key length. This complies with FIPS 186-4.5.5 (e) and RFC 8017
875 * (PKCS#1 v2.2) 9.1.1 step 3.
876 */
877 min_slen = hlen - 2;
878 if (olen < hlen + min_slen + 2)
879 return RK_CRYPTO_ERR_PADDING_OVERFLOW;
880 else if (olen >= hlen + hlen + 2)
881 slen = hlen;
882 else
883 slen = olen - hlen - 2;
884
885 if (olen < hlen * 2 + 2)
886 return RK_CRYPTO_ERR_PADDING_OVERFLOW;
887
888 ps_len = olen - hlen * 2 - 2;
889
890 if (olen < ps_len + 1 + slen + hlen)
891 return RK_CRYPTO_ERR_PADDING_OVERFLOW;
892
893 memset(out, 0, olen);
894
895 /* Generate salt of length slen */
896 res = rk_get_random(salt, slen);
897 if (res)
898 return res;
899
900 /* Note: EMSA-PSS encoding is over the length of N - 1 bits */
901 msb = n_bits - 1;
902 p += ps_len;
903 *p++ = 0x01;
904 memcpy(p, salt, slen);
905 p += slen;
906
907 /* Generate H = Hash( M' ) */
908 memset(&hash_cfg, 0x00, sizeof(hash_cfg));
909 hash_cfg.algo = hash_algo;
910
911 res = rk_hash_init(&hash_cfg, &hash_hdl);
912 if (res)
913 goto exit;
914
915 res = rk_hash_update_virt(hash_hdl, p, 8);
916 if (res) {
917 rk_hash_final(hash_hdl, NULL);
918 goto exit;
919 }
920
921 res = rk_hash_update_virt(hash_hdl, hash, hash_len);
922 if (res) {
923 rk_hash_final(hash_hdl, NULL);
924 goto exit;
925 }
926
927 res = rk_hash_update_virt(hash_hdl, salt, slen);
928 if (res) {
929 rk_hash_final(hash_hdl, NULL);
930 goto exit;
931 }
932
933 res = rk_hash_final(hash_hdl, p);
934 if (res)
935 goto exit;
936
937 /* Compensate for boundary condition when applying mask */
938 if (msb % 8 == 0)
939 offset = 1;
940
941 /* maskedDB: Apply dbMask to DB */
942 res = mgf_mask(out + offset, olen - hlen - 1 - offset, p, hlen, hash_algo, hash_len);
943 if (res)
944 goto exit;
945
946 msb = n_bits - 1;
947 out[0] &= 0xFF >> (olen * 8 - msb);
948
949 p += hlen;
950 *p++ = 0xBC;
951
952 exit:
953 return res;
954 }
955
956 /*
957 * Implementation of the PKCS#1 v2.1 RSASSA-PSS-VERIFY function
958 */
rk_rsa_padding_check_pss_type(uint16_t key_len,uint16_t n_bits,uint32_t hash_algo,uint32_t hash_len,const uint8_t * hash,const uint8_t * dec)959 RK_RES rk_rsa_padding_check_pss_type(uint16_t key_len, uint16_t n_bits,
960 uint32_t hash_algo, uint32_t hash_len,
961 const uint8_t *hash, const uint8_t *dec)
962 {
963 RK_RES res = RK_CRYPTO_ERR_PADDING;
964 uint32_t siglen;
965 uint8_t *p;
966 uint8_t *buf = NULL;
967 uint8_t result[SHA512_HASH_SIZE];
968 uint8_t zeros[8];
969 uint32_t hlen;
970 uint32_t slen, msb;
971 rk_hash_config hash_cfg;
972 rk_handle hash_hdl;
973
974 buf = malloc(key_len);
975 if (!buf)
976 return RK_CRYPTO_ERR_OUT_OF_MEMORY;
977
978 memcpy(buf, dec, key_len);
979
980 siglen = key_len;
981
982 if (siglen < 16) {
983 res = RK_CRYPTO_ERR_PADDING;
984 goto error;
985 }
986
987 p = buf;
988
989 if (buf[siglen - 1] != 0xBC) {
990 res = RK_CRYPTO_ERR_PADDING;
991 goto error;
992 }
993
994 hlen = hash_len;
995 slen = siglen - hlen - 1; /* Currently length of salt + padding */
996
997 memset(zeros, 0, 8);
998
999 /*
1000 * Note: EMSA-PSS verification is over the length of N - 1 bits
1001 */
1002 msb = n_bits - 1;
1003
1004 /* Compensate for boundary condition when applying mask */
1005 if (msb % 8 == 0) {
1006 p++;
1007 siglen -= 1;
1008 }
1009 if (buf[0] >> (8 - siglen * 8 + msb)) {
1010 res = RK_CRYPTO_ERR_PADDING;
1011 goto error;
1012 }
1013
1014 res = mgf_mask(p, siglen - hlen - 1, p + siglen - hlen - 1, hlen, hash_algo, hash_len);
1015 if (res)
1016 goto error;
1017
1018 buf[0] &= 0xFF >> (siglen * 8 - msb);
1019
1020 while (p < buf + siglen && *p == 0)
1021 p++;
1022
1023 if (p == buf + siglen || *p++ != 0x01) {
1024 res = RK_CRYPTO_ERR_PADDING;
1025 goto error;
1026 }
1027
1028 /* Actual salt len */
1029 slen -= p - buf;
1030
1031 /*
1032 * Generate H = Hash( M' )
1033 */
1034
1035 memset(&hash_cfg, 0x00, sizeof(hash_cfg));
1036 hash_cfg.algo = hash_algo;
1037
1038 res = rk_hash_init(&hash_cfg, &hash_hdl);
1039 if (res)
1040 goto error;
1041
1042 res = rk_hash_update_virt(hash_hdl, zeros, 8);
1043 if (res) {
1044 rk_hash_final(hash_hdl, NULL);
1045 goto error;
1046 }
1047
1048 res = rk_hash_update_virt(hash_hdl, hash, hash_len);
1049 if (res) {
1050 rk_hash_final(hash_hdl, NULL);
1051 goto error;
1052 }
1053
1054 res = rk_hash_update_virt(hash_hdl, p, slen);
1055 if (res) {
1056 rk_hash_final(hash_hdl, NULL);
1057 goto error;
1058 }
1059
1060 res = rk_hash_final(hash_hdl, result);
1061 if (res)
1062 goto error;
1063
1064 free(buf);
1065
1066 if (memcmp(p + slen, result, hlen) == 0)
1067 return RK_CRYPTO_SUCCESS;
1068 else
1069 return RK_CRYPTO_ERR_VERIFY;
1070
1071 error:
1072 if (buf)
1073 free(buf);
1074
1075 return RK_CRYPTO_ERR_PADDING;
1076 }
1077
rk_rsa_pubkey_encode(rk_rsa_pub_key_pack * pub,uint8_t * asn1_key,uint16_t * asn1_key_len,uint16_t * key_bits)1078 RK_RES rk_rsa_pubkey_encode(rk_rsa_pub_key_pack *pub,
1079 uint8_t *asn1_key, uint16_t *asn1_key_len, uint16_t *key_bits)
1080 {
1081 RK_RES res;
1082 rk_rsa_pub_key *rsa_key = &pub->key;
1083 uint8_t tmp_field[8];
1084 uint32_t total_len = 0, tmp_len = 0, out_max;
1085
1086 RK_CRYPTO_CHECK_PARAM(!asn1_key || !asn1_key_len || !pub || !key_bits);
1087 RK_CRYPTO_CHECK_PARAM(!rsa_key->n || rsa_key->n_len == 0);
1088 RK_CRYPTO_CHECK_PARAM(!rsa_key->e || rsa_key->e_len == 0);
1089 RK_CRYPTO_CHECK_PARAM(rsa_key->n_len != 1024 / 8 &&
1090 rsa_key->n_len != 2048 / 8 &&
1091 rsa_key->n_len != 3072 / 8 &&
1092 rsa_key->n_len != 4096 / 8);
1093 RK_CRYPTO_CHECK_PARAM(pub->key_type != RK_RSA_KEY_TYPE_PLAIN);
1094
1095 out_max = *asn1_key_len;
1096
1097 //padding n
1098 res = asn1_set_object(rsa_key->n, rsa_key->n_len, ASN1_INTEGER, 1,
1099 asn1_key + total_len, out_max, &tmp_len);
1100 if (res != RK_CRYPTO_SUCCESS) {
1101 D_TRACE("set rsa_key->n object error!");
1102 goto exit;
1103 }
1104
1105 total_len += tmp_len;
1106 out_max -= tmp_len;
1107
1108 //padding e
1109 res = asn1_set_object(rsa_key->e, rsa_key->e_len, ASN1_INTEGER, 0,
1110 asn1_key + total_len, out_max, &tmp_len);
1111 if (res != RK_CRYPTO_SUCCESS) {
1112 D_TRACE("set rsa_key->e object error!");
1113 goto exit;
1114 }
1115 total_len += tmp_len;
1116 out_max -= tmp_len;
1117
1118 //add SEQUENCE info in head
1119 res = asn1_compose_len(total_len, tmp_field, &tmp_len);
1120 if (res != RK_CRYPTO_SUCCESS) {
1121 D_TRACE("set asn1_compose_len error!");
1122 goto exit;
1123 }
1124
1125 if (out_max < tmp_len + 1) {
1126 res = RK_CRYPTO_ERR_OUT_OF_MEMORY;
1127 goto exit;
1128 }
1129
1130 memmove(asn1_key + tmp_len + 1, asn1_key, total_len);
1131 *asn1_key = ASN1_SEQUENCE;
1132 total_len++;
1133 memmove(asn1_key + 1, tmp_field, tmp_len);
1134 total_len += tmp_len;
1135
1136 *asn1_key_len = total_len;
1137 *key_bits = rsa_key->n_len * 8;
1138 exit:
1139 return res;
1140 }
1141
rk_rsa_privkey_encode(rk_rsa_priv_key_pack * priv,uint8_t * asn1_key,uint16_t * asn1_key_len,uint16_t * key_bits)1142 RK_RES rk_rsa_privkey_encode(rk_rsa_priv_key_pack *priv,
1143 uint8_t *asn1_key, uint16_t *asn1_key_len, uint16_t *key_bits)
1144 {
1145 RK_RES res;
1146 uint8_t *empty_data = NULL;
1147 uint8_t tmp_field[5];
1148 uint32_t total_len = 0, tmp_len = 0;
1149 uint8_t version[1] = {0};
1150 uint16_t ver_len = 1;
1151 rk_rsa_priv_key *rsa_key = &priv->key;
1152 uint32_t i, out_max, empty_data_len;
1153 asn1_object_t object_list[] = {
1154 {version, &ver_len, ASN1_INTEGER, 0},
1155 {rsa_key->n, &rsa_key->n_len, ASN1_INTEGER, 1},
1156 {rsa_key->e, &rsa_key->e_len, ASN1_INTEGER, 0},
1157 {rsa_key->d, &rsa_key->d_len, ASN1_INTEGER, 1},
1158 {rsa_key->p, &rsa_key->p_len, ASN1_INTEGER, 1},
1159 {rsa_key->q, &rsa_key->q_len, ASN1_INTEGER, 1},
1160 {rsa_key->dp, &rsa_key->dp_len, ASN1_INTEGER, 1},
1161 {rsa_key->dq, &rsa_key->dq_len, ASN1_INTEGER, 1},
1162 {rsa_key->qp, &rsa_key->qp_len, ASN1_INTEGER, 1},
1163 };
1164
1165 RK_CRYPTO_CHECK_PARAM(!asn1_key || !asn1_key_len || !priv || !key_bits);
1166 RK_CRYPTO_CHECK_PARAM(!rsa_key->n || rsa_key->n_len == 0);
1167 RK_CRYPTO_CHECK_PARAM(!rsa_key->e || rsa_key->e_len == 0);
1168 RK_CRYPTO_CHECK_PARAM(rsa_key->n_len != 1024 / 8 &&
1169 rsa_key->n_len != 2048 / 8 &&
1170 rsa_key->n_len != 3072 / 8 &&
1171 rsa_key->n_len != 4096 / 8);
1172 RK_CRYPTO_CHECK_PARAM(!rsa_key->d || rsa_key->d_len == 0);
1173 RK_CRYPTO_CHECK_PARAM(rsa_key->n_len != rsa_key->d_len);
1174
1175 RK_CRYPTO_CHECK_PARAM(priv->key_type != RK_RSA_KEY_TYPE_PLAIN);
1176
1177 out_max = *asn1_key_len;
1178
1179 empty_data_len = rsa_key->n_len / 2;
1180 empty_data = malloc(empty_data_len);
1181 if (!empty_data)
1182 return RK_CRYPTO_ERR_OUT_OF_MEMORY;
1183
1184 memset(empty_data, 0xff, empty_data_len);
1185
1186 for (i = 0; i < ARRAY_SIZE(object_list); i++) {
1187 const uint8_t *data = object_list[i].data;
1188 uint32_t data_len = *(object_list[i].data_len);
1189
1190 data = data ? data : empty_data;
1191 data_len = data ? data_len : empty_data_len;
1192
1193 res = asn1_set_object(data, data_len,
1194 object_list[i].tag,
1195 object_list[i].need_plus,
1196 asn1_key + total_len, out_max, &tmp_len);
1197 if (res != RK_CRYPTO_SUCCESS) {
1198 D_TRACE("set %d object error!", i);
1199 goto exit;
1200 }
1201
1202 total_len += tmp_len;
1203 out_max -= tmp_len;
1204 }
1205
1206 res = asn1_compose_len(total_len, tmp_field, &tmp_len);
1207 if (res != RK_CRYPTO_SUCCESS) {
1208 D_TRACE("set asn1_compose_len error!");
1209 goto exit;
1210 }
1211
1212 if (out_max < tmp_len + 1) {
1213 res = RK_CRYPTO_ERR_OUT_OF_MEMORY;
1214 goto exit;
1215 }
1216
1217 memmove(asn1_key + tmp_len + 1, asn1_key, total_len);
1218 *asn1_key = ASN1_SEQUENCE;
1219 total_len++;
1220 memmove(asn1_key + 1, tmp_field, tmp_len);
1221 total_len += tmp_len;
1222
1223 *asn1_key_len = total_len;
1224 *key_bits = rsa_key->n_len * 8;
1225 exit:
1226 if (empty_data)
1227 free(empty_data);
1228
1229 return res;
1230 }
1231
rk_rsa_crypt_do_padding(enum RK_RSA_CRYPT_PADDING padding,uint16_t key_len,bool is_priv_key,const uint8_t * data,uint32_t data_len,uint8_t * pad,uint32_t * pad_len)1232 RK_RES rk_rsa_crypt_do_padding(enum RK_RSA_CRYPT_PADDING padding,
1233 uint16_t key_len, bool is_priv_key,
1234 const uint8_t *data, uint32_t data_len,
1235 uint8_t *pad, uint32_t *pad_len)
1236 {
1237 RK_RES res = RK_CRYPTO_SUCCESS;
1238
1239 RK_CRYPTO_CHECK_PARAM(key_len * 8 != RSA_BITS_1024 &&
1240 key_len * 8 != RSA_BITS_2048 &&
1241 key_len * 8 != RSA_BITS_3072 &&
1242 key_len * 8 != RSA_BITS_4096);
1243
1244 switch (padding) {
1245 case RK_RSA_CRYPT_PADDING_NONE:
1246 if (data_len != key_len) {
1247 D_TRACE("length not match %u != %u", data_len, key_len);
1248 return RK_CRYPTO_ERR_PARAMETER;
1249 }
1250
1251 memcpy(pad, data, data_len);
1252 break;
1253 case RK_RSA_CRYPT_PADDING_BLOCK_TYPE_0:
1254 case RK_RSA_CRYPT_PADDING_BLOCK_TYPE_1:
1255 case RK_RSA_CRYPT_PADDING_BLOCK_TYPE_2: {
1256 uint8_t bt = (uint8_t)(padding - RK_RSA_CRYPT_PADDING_BLOCK_TYPE_0);
1257
1258 res = rsa_padding_add_pkcs1_type(key_len, bt, data, data_len, pad);
1259 break;
1260 }
1261 case RK_RSA_CRYPT_PADDING_OAEP_SHA1:
1262 case RK_RSA_CRYPT_PADDING_OAEP_SHA224:
1263 case RK_RSA_CRYPT_PADDING_OAEP_SHA256:
1264 case RK_RSA_CRYPT_PADDING_OAEP_SHA384:
1265 case RK_RSA_CRYPT_PADDING_OAEP_SHA512:
1266 res = rsa_padding_add_oaep_type(padding, key_len, NULL, 0, data, data_len, pad);
1267 break;
1268 case RK_RSA_CRYPT_PADDING_PKCS1_V1_5:
1269 res = rsa_padding_add_pkcs15_type(key_len, is_priv_key, data, data_len, pad);
1270 break;
1271 default:
1272 D_TRACE("unknown padding %d", padding);
1273 res = RK_CRYPTO_ERR_PARAMETER;
1274 break;
1275 }
1276
1277 *pad_len = key_len;
1278
1279 return res;
1280 }
1281
rk_rsa_crypt_undo_padding(enum RK_RSA_CRYPT_PADDING padding,uint16_t key_len,bool is_priv_key,const uint8_t * pad,uint32_t pad_len,uint8_t * data,uint32_t * data_len)1282 RK_RES rk_rsa_crypt_undo_padding(enum RK_RSA_CRYPT_PADDING padding,
1283 uint16_t key_len, bool is_priv_key,
1284 const uint8_t *pad, uint32_t pad_len,
1285 uint8_t *data, uint32_t *data_len)
1286 {
1287 RK_RES res = RK_CRYPTO_SUCCESS;
1288
1289 RK_CRYPTO_CHECK_PARAM(key_len * 8 != RSA_BITS_1024 &&
1290 key_len * 8 != RSA_BITS_2048 &&
1291 key_len * 8 != RSA_BITS_3072 &&
1292 key_len * 8 != RSA_BITS_4096);
1293 RK_CRYPTO_CHECK_PARAM(key_len != pad_len);
1294
1295 switch (padding) {
1296 case RK_RSA_CRYPT_PADDING_NONE:
1297 if (pad_len != key_len) {
1298 D_TRACE("length not match %u != %u", pad_len, key_len);
1299 return RK_CRYPTO_ERR_PARAMETER;
1300 }
1301
1302 memcpy(data, pad, pad_len);
1303 *data_len = key_len;
1304 break;
1305 case RK_RSA_CRYPT_PADDING_BLOCK_TYPE_0:
1306 case RK_RSA_CRYPT_PADDING_BLOCK_TYPE_1:
1307 case RK_RSA_CRYPT_PADDING_BLOCK_TYPE_2: {
1308 uint8_t bt = (uint8_t)(padding - RK_RSA_CRYPT_PADDING_BLOCK_TYPE_0);
1309
1310 res = rsa_padding_check_pkcs1_type(key_len, bt, pad, data, data_len);
1311 break;
1312 }
1313 case RK_RSA_CRYPT_PADDING_OAEP_SHA1:
1314 case RK_RSA_CRYPT_PADDING_OAEP_SHA224:
1315 case RK_RSA_CRYPT_PADDING_OAEP_SHA256:
1316 case RK_RSA_CRYPT_PADDING_OAEP_SHA384:
1317 case RK_RSA_CRYPT_PADDING_OAEP_SHA512:
1318 res = rsa_padding_check_oaep_type(padding, key_len, NULL, 0, pad, data, data_len);
1319 break;
1320 case RK_RSA_CRYPT_PADDING_PKCS1_V1_5:
1321 res = rsa_padding_check_pkcs15_type(key_len, is_priv_key, pad, data, data_len);
1322 break;
1323 default:
1324 D_TRACE("unknown padding %d", padding);
1325 res = RK_CRYPTO_ERR_PARAMETER;
1326 break;
1327 }
1328
1329 return res;
1330 }
1331
rk_rsa_sign_do_padding(enum RK_RSA_SIGN_PADDING padding,uint16_t key_len,uint16_t n_bits,const uint8_t * data,uint32_t data_len,const uint8_t * hash,uint8_t * pad,uint32_t * pad_len)1332 RK_RES rk_rsa_sign_do_padding(enum RK_RSA_SIGN_PADDING padding, uint16_t key_len, uint16_t n_bits,
1333 const uint8_t *data, uint32_t data_len, const uint8_t *hash,
1334 uint8_t *pad, uint32_t *pad_len)
1335 {
1336 RK_RES res = RK_CRYPTO_SUCCESS;
1337 uint32_t hash_len, hash_algo;
1338 uint8_t tmp_hash[SHA512_HASH_SIZE];
1339
1340 res = get_hash_algo_from_padding(padding, &hash_len, &hash_algo);
1341 if (res)
1342 return res;
1343
1344 memset(tmp_hash, 0x00, sizeof(tmp_hash));
1345
1346 if (hash) {
1347 memcpy(tmp_hash, hash, hash_len);
1348 } else {
1349 res = calc_padding_digest(hash_algo, data, data_len, tmp_hash);
1350 if (res)
1351 return res;
1352 }
1353
1354 switch (padding) {
1355 case RK_RSA_SIGN_PADDING_PKCS1_V15_SHA1:
1356 case RK_RSA_SIGN_PADDING_PKCS1_V15_SHA224:
1357 case RK_RSA_SIGN_PADDING_PKCS1_V15_SHA256:
1358 case RK_RSA_SIGN_PADDING_PKCS1_V15_SHA384:
1359 case RK_RSA_SIGN_PADDING_PKCS1_V15_SHA512:
1360 res = rsa_padding_add_pkcs15_sign_type(hash_algo, key_len, tmp_hash, hash_len, pad);
1361 break;
1362 case RK_RSA_SIGN_PADDING_PKCS1_PSS_SHA1:
1363 case RK_RSA_SIGN_PADDING_PKCS1_PSS_SHA224:
1364 case RK_RSA_SIGN_PADDING_PKCS1_PSS_SHA256:
1365 case RK_RSA_SIGN_PADDING_PKCS1_PSS_SHA384:
1366 case RK_RSA_SIGN_PADDING_PKCS1_PSS_SHA512:
1367 res = rsa_padding_add_pss_type(key_len, n_bits, hash_algo, tmp_hash, hash_len, pad);
1368 break;
1369 default:
1370 D_TRACE("unknown padding %d", padding);
1371 res = RK_CRYPTO_ERR_PARAMETER;
1372 break;
1373 }
1374
1375 *pad_len = key_len;
1376
1377 return res;
1378 }
1379
rk_rsa_sign_undo_padding(enum RK_RSA_SIGN_PADDING padding,uint16_t key_len,uint16_t n_bits,const uint8_t * data,uint32_t data_len,const uint8_t * hash,const uint8_t * dec)1380 RK_RES rk_rsa_sign_undo_padding(enum RK_RSA_SIGN_PADDING padding, uint16_t key_len, uint16_t n_bits,
1381 const uint8_t *data, uint32_t data_len,
1382 const uint8_t *hash, const uint8_t *dec)
1383 {
1384 RK_RES res = RK_CRYPTO_SUCCESS;
1385 uint32_t hash_len, hash_algo;
1386 uint8_t tmp_hash[SHA512_HASH_SIZE];
1387 uint8_t *pad = NULL;
1388
1389 res = get_hash_algo_from_padding(padding, &hash_len, &hash_algo);
1390 if (res)
1391 return res;
1392
1393 memset(tmp_hash, 0x00, sizeof(tmp_hash));
1394
1395 if (hash) {
1396 memcpy(tmp_hash, hash, hash_len);
1397 } else {
1398 res = calc_padding_digest(hash_algo, data, data_len, tmp_hash);
1399 if (res)
1400 goto exit;
1401 }
1402
1403 pad = malloc(key_len);
1404 if (!pad)
1405 return RK_CRYPTO_ERR_OUT_OF_MEMORY;
1406
1407 switch (padding) {
1408 case RK_RSA_SIGN_PADDING_PKCS1_V15_SHA1:
1409 case RK_RSA_SIGN_PADDING_PKCS1_V15_SHA224:
1410 case RK_RSA_SIGN_PADDING_PKCS1_V15_SHA256:
1411 case RK_RSA_SIGN_PADDING_PKCS1_V15_SHA384:
1412 case RK_RSA_SIGN_PADDING_PKCS1_V15_SHA512:
1413 res = rsa_padding_add_pkcs15_sign_type(hash_algo, key_len, tmp_hash, hash_len, pad);
1414 if (res) {
1415 D_TRACE("check pkcs V1.5 error.");
1416 goto exit;
1417 }
1418
1419 if (memcmp(pad, dec, key_len))
1420 res = RK_CRYPTO_ERR_VERIFY;
1421
1422 break;
1423 case RK_RSA_SIGN_PADDING_PKCS1_PSS_SHA1:
1424 case RK_RSA_SIGN_PADDING_PKCS1_PSS_SHA224:
1425 case RK_RSA_SIGN_PADDING_PKCS1_PSS_SHA256:
1426 case RK_RSA_SIGN_PADDING_PKCS1_PSS_SHA384:
1427 case RK_RSA_SIGN_PADDING_PKCS1_PSS_SHA512:
1428 res = rk_rsa_padding_check_pss_type(key_len, n_bits, hash_algo,
1429 hash_len, tmp_hash, dec);
1430 break;
1431 default:
1432 D_TRACE("unknown padding %d", padding);
1433 res = RK_CRYPTO_ERR_PARAMETER;
1434 break;
1435 }
1436
1437 exit:
1438 if (pad)
1439 free(pad);
1440
1441 return res;
1442 }
1443
1444