
Lines Matching +full:case +full:- +full:sensitive

81     bigNum              *bn = (bigNum *)&Z->P;  in RsaInitializeExponent()
86 bn[i] = (bigNum)&Z->entries[i]; in RsaInitializeExponent()
87 BnInit(bn[i], BYTES_TO_CRYPT_WORDS(sizeof(Z->entries[0].d))); in RsaInitializeExponent()
99 if(BnUnsignedCmp(Z->P, Z->Q) < 0) in MakePgreaterThanQ()
101 bigNum bnT = Z->P; in MakePgreaterThanQ()
102 Z->P = Z->Q; in MakePgreaterThanQ()
103 Z->Q = bnT; in MakePgreaterThanQ()
126 UINT16 primeSize = (UINT16)BITS_TO_BYTES(BnMsb(Z->P)); in PackExponent()
129 pAssert((primeSize * 5) <= sizeof(packed->t.buffer)); in PackExponent()
130 packed->t.size = (primeSize * 5) + RSA_prime_flag; in PackExponent()
132 if(!BnToBytes((bigNum)&Z->entries[i], &packed->t.buffer[primeSize * i], &pS)) in PackExponent()
151 UINT16 primeSize = b->t.size & ~RSA_prime_flag; in UnpackExponent()
153 bigNum *bn = &Z->P; in UnpackExponent()
155 VERIFY(b->t.size & RSA_prime_flag); in UnpackExponent()
160 VERIFY(BnFromBytes(bn[i], &b->t.buffer[primeSize * i], primeSize) in UnpackExponent()
187 //dP = (1/e) mod (p-1) in ComputePrivateExponent()
188 pOK = BnSubWord(pT, Z->P, 1); in ComputePrivateExponent()
189 pOK = pOK && BnModInverse(Z->dP, pubExp, pT); in ComputePrivateExponent()
190 //dQ = (1/e) mod (q-1) in ComputePrivateExponent()
191 qOK = BnSubWord(pT, Z->Q, 1); in ComputePrivateExponent()
192 qOK = qOK && BnModInverse(Z->dQ, pubExp, pT); in ComputePrivateExponent()
195 pOK = qOK = BnModInverse(Z->qInv, Z->Q, Z->P); in ComputePrivateExponent()
197 BnSetWord(Z->P, 0); in ComputePrivateExponent()
199 BnSetWord(Z->Q, 0); in ComputePrivateExponent()
223 VERIFY(BnModExp(M1, inOut, Z->dP, Z->P)); in RsaPrivateKeyOp()
225 VERIFY(BnModExp(M2, inOut, Z->dQ, Z->Q)); in RsaPrivateKeyOp()
226 // h = qInv * (m1 - m2) mod p = qInv * (m1 + P - m2) mod P because Q < P in RsaPrivateKeyOp()
228 VERIFY(BnSub(H, Z->P, M2)); in RsaPrivateKeyOp()
230 VERIFY(BnModMult(H, H, Z->qInv, Z->P)); in RsaPrivateKeyOp()
232 VERIFY(BnMult(M, H, Z->Q)); in RsaPrivateKeyOp()
259 UINT32 e = key->publicArea.parameters.rsaDetail.exponent; in RSAEP()
265 return ModExpB(dInOut->size, dInOut->buffer, dInOut->size, dInOut->buffer, in RSAEP()
266 e2B.t.size, e2B.t.buffer, key->publicArea.unique.rsa.t.size, in RSAEP()
267 key->publicArea.unique.rsa.t.buffer); in RSAEP()
290 if(UnsignedCompareB(inOut->size, inOut->buffer, in RSADP()
291 key->publicArea.unique.rsa.t.size, in RSADP()
292 key->publicArea.unique.rsa.t.buffer) >= 0) in RSADP()
295 // During self-test, this might not be the case so load it up if it hasn't in RSADP()
298 if((key->sensitive.sensitive.rsa.t.size & RSA_prime_flag) == 0) in RSADP()
300 if(CryptRsaLoadPrivateExponent(&key->publicArea, &key->sensitive) in RSADP()
304 VERIFY(UnpackExponent(&key->sensitive.sensitive.rsa, Z)); in RSADP()
306 VERIFY(BnTo2B(bnM, inOut, inOut->size)); in RSADP()
323 const TPM2B *label, // IN: null-terminated string (may be NULL) in OaepEncode()
348 if(padded->size < (2 * hLen) + 2) in OaepEncode()
351 // and that message will fit messageSize <= k - 2hLen - 2 in OaepEncode()
352 if(message->size > (padded->size - (2 * hLen) - 2)) in OaepEncode()
357 pp = &padded->buffer[hLen + 1]; in OaepEncode()
358 if(CryptHashBlock(hashAlg, label->size, (BYTE *)label->buffer, in OaepEncode()
363 padLen = padded->size - message->size - (2 * hLen) - 2; in OaepEncode()
367 memcpy(&pp[hLen + padLen], message->buffer, message->size); in OaepEncode()
370 dbSize = hLen + padLen + message->size; in OaepEncode()
383 for(i = dbSize; i > 0; i--) in OaepEncode()
385 pp = &padded->buffer[hLen + 1]; in OaepEncode()
388 if(CryptMGF_KDF(hLen, &padded->buffer[1], hashAlg, dbSize, pp, 0) != (unsigned)hLen) in OaepEncode()
391 pp = &padded->buffer[1]; in OaepEncode()
393 for(i = hLen; i > 0; i--) in OaepEncode()
396 padded->buffer[0] = 0x00; in OaepEncode()
422 const TPM2B *label, // IN: null-terminated string (may be NULL) in OaepDecode()
437 if((padded->size < (unsigned)((2 * hLen) + 2)) || (padded->buffer[0] != 0)) in OaepDecode()
441 CryptMGF_KDF(hLen, seedMask, hashAlg, padded->size - hLen - 1, in OaepDecode()
442 &padded->buffer[hLen + 1], 0); in OaepDecode()
446 pp = &padded->buffer[1]; in OaepDecode()
448 for(i = hLen; i > 0; i--) in OaepDecode()
452 CryptMGF_KDF(padded->size - hLen - 1, mask, hashAlg, hLen, seedMask, 0); in OaepDecode()
455 pp = &padded->buffer[hLen + 1]; in OaepDecode()
457 for(i = (padded->size - hLen - 1); i > 0; i--) in OaepDecode()
462 if((CryptHashBlock(hashAlg, label->size, (BYTE *)label->buffer, in OaepDecode()
470 for(i = (UINT32)padded->size - (2 * hLen) - 1; i > 0; i--) in OaepDecode()
476 if(i == 0 || pm[-1] != 0x01) in OaepDecode()
481 i--; in OaepDecode()
482 if(i > dataOut->size) in OaepDecode()
485 memcpy(dataOut->buffer, pm, i); in OaepDecode()
486 dataOut->size = (UINT16)i; in OaepDecode()
489 dataOut->size = 0; in OaepDecode()
494 // This function performs the encoding for RSAES-PKCS1-V1_5-ENCRYPT as defined in
506 UINT32 ps = padded->size - message->size - 3; in RSAES_PKCS1v1_5Encode()
508 if(message->size > padded->size - 11) in RSAES_PKCS1v1_5Encode()
511 memcpy(&padded->buffer[padded->size - message->size], message->buffer, in RSAES_PKCS1v1_5Encode()
512 message->size); in RSAES_PKCS1v1_5Encode()
514 padded->buffer[0] = 0; in RSAES_PKCS1v1_5Encode()
515 padded->buffer[1] = 2; in RSAES_PKCS1v1_5Encode()
518 DRBG_Generate(rand, &padded->buffer[2], (UINT16)ps); in RSAES_PKCS1v1_5Encode()
523 padded->buffer[2 + ps] = 0; in RSAES_PKCS1v1_5Encode()
525 // Now, the only messy part. Make sure that all the 'ps' bytes are non-zero in RSAES_PKCS1v1_5Encode()
527 for(ps++; ps > 1; ps--) in RSAES_PKCS1v1_5Encode()
529 if(padded->buffer[ps] == 0) in RSAES_PKCS1v1_5Encode()
530 padded->buffer[ps] = 0x55; // In the < 0.5% of the cases that the in RSAES_PKCS1v1_5Encode()
538 // This function performs the decoding for RSAES-PKCS1-V1_5-ENCRYPT as defined in
553 fail = (coded->size < 11); in RSAES_Decode()
554 fail = (coded->buffer[0] != 0x00) | fail; in RSAES_Decode()
555 fail = (coded->buffer[1] != 0x02) | fail; in RSAES_Decode()
556 for(pSize = 2; pSize < coded->size; pSize++) in RSAES_Decode()
558 if(coded->buffer[pSize] == 0) in RSAES_Decode()
565 fail = (pSize > coded->size) | fail; in RSAES_Decode()
566 fail = ((pSize - 2) <= 8) | fail; in RSAES_Decode()
567 if((message->size < (UINT16)(coded->size - pSize)) || fail) in RSAES_Decode()
569 message->size = coded->size - pSize; in RSAES_Decode()
570 memcpy(message->buffer, &coded->buffer[pSize], coded->size - pSize); in RSAES_Decode()
586 // (Mask Length) = (outSize - hashSize - 1); in CryptRsaPssSaltSize()
587 // Max saltSize is (Mask Length) - 1 in CryptRsaPssSaltSize()
588 saltSize = (outSize - hashSize - 1) - 1; in CryptRsaPssSaltSize()
589 // Use the maximum salt size allowed by FIPS 186-4 in CryptRsaPssSaltSize()
611 BYTE salt[MAX_RSA_KEY_BYTES - 1]; in PssEncode()
622 mLen = (UINT16)(out->size - hLen - 1); in PssEncode()
625 saltSize = CryptRsaPssSaltSize((INT16)hLen, (INT16)out->size); in PssEncode()
629 pOut = out->buffer; in PssEncode()
642 CryptHashEnd(&hashState, hLen, &pOut[out->size - hLen - 1]); in PssEncode()
653 pOut[out->size - 1] = 0xbc; in PssEncode()
656 pOut = &pOut[mLen - saltSize - 1]; in PssEncode()
660 for(; saltSize > 0; saltSize--) in PssEncode()
703 pe = eIn->buffer; in PssDecode()
713 fail |= pe[eIn->size - 1] ^ 0xbc; in PssDecode()
717 mLen = eIn->size - hLen - 1; in PssDecode()
727 for(i = mLen; i > 0; i--) in PssDecode()
731 for(pm = mask, i = mLen; i > 0; i--) in PssDecode()
753 i--; in PssDecode()
763 CryptDigestUpdate(&hashState, dIn->size, dIn->buffer); in PssDecode()
772 for(pm = mask; hLen > 0; hLen--) in PssDecode()
805 oidSize = 2 + (info->OID)[1]; in MakeDerTag()
811 *buffer++ = (BYTE)(6 + oidSize + info->digestSize); // in MakeDerTag()
815 MemoryCopy(buffer, info->OID, oidSize); in MakeDerTag()
821 *buffer++ = (BYTE)(info->digestSize); in MakeDerTag()
856 if(CryptHashGetDigestSize(hashAlg) != hIn->size) in RSASSA_Encode()
858 fillSize = pOut->size - derSize - hIn->size - 3; in RSASSA_Encode()
859 eOut = pOut->buffer; in RSASSA_Encode()
868 for(; fillSize > 0; fillSize--) in RSASSA_Encode()
871 for(; derSize > 0; derSize--) in RSASSA_Encode()
873 der = hIn->buffer; in RSASSA_Encode()
874 for(fillSize = hIn->size; fillSize > 0; fillSize--) in RSASSA_Encode()
906 pe = eIn->buffer; in RSASSA_Decode()
910 if(derSize == 0 || (unsigned)hashSize != hIn->size) in RSASSA_Decode()
917 fillSize = eIn->size - derSize - hashSize - 3; in RSASSA_Decode()
919 // Start checking (fail will become non-zero if any of the bytes do not have in RSASSA_Decode()
923 for(; fillSize > 0; fillSize--) in RSASSA_Decode()
926 for(; derSize > 0; derSize--) in RSASSA_Decode()
928 digestSize = hIn->size; in RSASSA_Decode()
929 digest = hIn->buffer; in RSASSA_Decode()
930 for(; digestSize > 0; digestSize--) in RSASSA_Decode()
945 // In the case that both the object and 'scheme' are not TPM_ALG_NULL, then
962 keyScheme = &rsaObject->publicArea.parameters.asymDetail.scheme; in CryptRsaSelectScheme()
966 if(keyScheme->scheme == TPM_ALG_NULL) in CryptRsaSelectScheme()
972 else if(scheme->scheme == TPM_ALG_NULL) in CryptRsaSelectScheme()
982 else if(keyScheme->scheme == scheme->scheme in CryptRsaSelectScheme()
983 && keyScheme->details.anySig.hashAlg == scheme->details.anySig.hashAlg) in CryptRsaSelectScheme()
998 TPMT_SENSITIVE *sensitive in CryptRsaLoadPrivateExponent() argument
1002 if((sensitive->sensitive.rsa.t.size & RSA_prime_flag) == 0) in CryptRsaLoadPrivateExponent()
1004 if((sensitive->sensitive.rsa.t.size * 2) == publicArea->unique.rsa.t.size) in CryptRsaLoadPrivateExponent()
1007 BN_RSA_INITIALIZED(bnN, &publicArea->unique.rsa); in CryptRsaLoadPrivateExponent()
1013 VERIFY((sensitive->sensitive.rsa.t.size * 2) in CryptRsaLoadPrivateExponent()
1014 == publicArea->unique.rsa.t.size); in CryptRsaLoadPrivateExponent()
1016 BnSetWord(bnE, publicArea->parameters.rsaDetail.exponent); in CryptRsaLoadPrivateExponent()
1020 VERIFY(BnFrom2B(Z->P, &sensitive->sensitive.rsa.b) != NULL); in CryptRsaLoadPrivateExponent()
1022 // Find the second prime by division. This uses 'bQ' rather than Z->Q in CryptRsaLoadPrivateExponent()
1025 VERIFY(BnDiv(Z->Q, bnQr, bnN, Z->P)); in CryptRsaLoadPrivateExponent()
1029 VERIFY(PackExponent(&sensitive->sensitive.rsa, Z)); in CryptRsaLoadPrivateExponent()
1032 VERIFY(((sensitive->sensitive.rsa.t.size / 5) * 2) in CryptRsaLoadPrivateExponent()
1033 == publicArea->unique.rsa.t.size); in CryptRsaLoadPrivateExponent()
1034 sensitive->sensitive.rsa.t.size |= RSA_prime_flag; in CryptRsaLoadPrivateExponent()
1050 // NOTE: If dIn has fewer bytes than cOut, then we don't add low-order zeros to
1053 // greater than the value of the key modulus. If this had low-order zeros
1069 const TPM2B *label, // IN: in case it is needed in CryptRsaEncrypt()
1079 if(dIn == &cOut->b) in CryptRsaEncrypt()
1085 cOut->t.size = key->publicArea.unique.rsa.t.size; in CryptRsaEncrypt()
1086 TEST(scheme->scheme); in CryptRsaEncrypt()
1088 switch(scheme->scheme) in CryptRsaEncrypt()
1090 case TPM_ALG_NULL: // 'raw' encryption in CryptRsaEncrypt()
1093 INT32 dSize = dIn->size; in CryptRsaEncrypt()
1097 for(i = 0; (i < dSize) && (dIn->buffer[i] == 0); i++); in CryptRsaEncrypt()
1098 dSize -= i; in CryptRsaEncrypt()
1099 if(dSize > cOut->t.size) in CryptRsaEncrypt()
1102 memset(cOut->t.buffer, 0, cOut->t.size - dSize); in CryptRsaEncrypt()
1104 memcpy(&cOut->t.buffer[cOut->t.size - dSize], &dIn->buffer[i], dSize); in CryptRsaEncrypt()
1110 case TPM_ALG_RSAES: in CryptRsaEncrypt()
1111 retVal = RSAES_PKCS1v1_5Encode(&cOut->b, dIn, rand); in CryptRsaEncrypt()
1113 case TPM_ALG_OAEP: in CryptRsaEncrypt()
1114 retVal = OaepEncode(&cOut->b, scheme->details.oaep.hashAlg, label, dIn, in CryptRsaEncrypt()
1125 retVal = RSAEP(&cOut->b, key); in CryptRsaEncrypt()
1148 const TPM2B *label // IN: in case it is needed for the scheme in CryptRsaDecrypt()
1157 if(cIn->size != key->publicArea.unique.rsa.t.size) in CryptRsaDecrypt()
1160 TEST(scheme->scheme); in CryptRsaDecrypt()
1168 switch(scheme->scheme) in CryptRsaDecrypt()
1170 case TPM_ALG_NULL: in CryptRsaDecrypt()
1171 if(dOut->size < cIn->size) in CryptRsaDecrypt()
1173 MemoryCopy2B(dOut, cIn, dOut->size); in CryptRsaDecrypt()
1175 case TPM_ALG_RSAES: in CryptRsaDecrypt()
1178 case TPM_ALG_OAEP: in CryptRsaDecrypt()
1179 retVal = OaepDecode(dOut, scheme->details.oaep.hashAlg, label, cIn); in CryptRsaDecrypt()
1213 modSize = key->publicArea.unique.rsa.t.size; in CryptRsaSign()
1215 // for all non-null signatures, the size is the size of the key modulus in CryptRsaSign()
1216 sigOut->signature.rsapss.sig.t.size = modSize; in CryptRsaSign()
1218 TEST(sigOut->sigAlg); in CryptRsaSign()
1220 switch(sigOut->sigAlg) in CryptRsaSign()
1222 case TPM_ALG_NULL: in CryptRsaSign()
1223 sigOut->signature.rsapss.sig.t.size = 0; in CryptRsaSign()
1225 case TPM_ALG_RSAPSS: in CryptRsaSign()
1226 retVal = PssEncode(&sigOut->signature.rsapss.sig.b, in CryptRsaSign()
1227 sigOut->signature.rsapss.hash, &hIn->b, rand); in CryptRsaSign()
1229 case TPM_ALG_RSASSA: in CryptRsaSign()
1230 retVal = RSASSA_Encode(&sigOut->signature.rsassa.sig.b, in CryptRsaSign()
1231 sigOut->signature.rsassa.hash, &hIn->b); in CryptRsaSign()
1239 retVal = RSADP(&sigOut->signature.rsapss.sig.b, key); in CryptRsaSign()
1264 switch(sig->sigAlg) in CryptRsaValidateSignature()
1266 case TPM_ALG_RSAPSS: in CryptRsaValidateSignature()
1267 case TPM_ALG_RSASSA: in CryptRsaValidateSignature()
1274 if(sig->signature.rsassa.sig.t.size != key->publicArea.unique.rsa.t.size) in CryptRsaValidateSignature()
1277 TEST(sig->sigAlg); in CryptRsaValidateSignature()
1280 retVal = RSAEP(&sig->signature.rsassa.sig.b, key); in CryptRsaValidateSignature()
1283 switch(sig->sigAlg) in CryptRsaValidateSignature()
1285 case TPM_ALG_RSAPSS: in CryptRsaValidateSignature()
1286 retVal = PssDecode(sig->signature.any.hashAlg, &digest->b, in CryptRsaValidateSignature()
1287 &sig->signature.rsassa.sig.b); in CryptRsaValidateSignature()
1289 case TPM_ALG_RSASSA: in CryptRsaValidateSignature()
1290 retVal = RSASSA_Decode(sig->signature.any.hashAlg, &digest->b, in CryptRsaValidateSignature()
1291 &sig->signature.rsassa.sig.b); in CryptRsaValidateSignature()
1303 int GetCachedRsaKey(TPMT_PUBLIC *publicArea, TPMT_SENSITIVE *sensitive,
1305 #define GET_CACHED_KEY(publicArea, sensitive, rand) \ argument
1306 (s_rsaKeyCacheEnabled && GetCachedRsaKey(publicArea, sensitive, rand))
1320 // vendor-assigned part number for the TPM.
1323 // Counter a 32-bit integer that is incremented each time the KDF is
1325 // can be a 32-bit integer in host format and does not need
1347 TPMT_SENSITIVE *sensitive, in CryptRsaGenerateKey() argument
1356 UINT32 e = publicArea->parameters.rsaDetail.exponent; in CryptRsaGenerateKey()
1364 e = publicArea->parameters.rsaDetail.exponent; in CryptRsaGenerateKey()
1378 keySizeInBits = publicArea->parameters.rsaDetail.keyBits; in CryptRsaGenerateKey()
1388 if(GET_CACHED_KEY(publicArea, sensitive, rand)) in CryptRsaGenerateKey()
1398 // When both P and Q are non-zero, the modulus and in CryptRsaGenerateKey()
1409 if(BnGeneratePrimeForRSA(Z->P, keySizeInBits / 2, e, rand) == TPM_RC_FAILURE) in CryptRsaGenerateKey()
1419 if(BnEqualZero(Z->Q)) in CryptRsaGenerateKey()
1422 BnCopy(Z->Q, Z->P); in CryptRsaGenerateKey()
1427 if(BnUnsignedCmp(Z->P, Z->Q) < 0) in CryptRsaGenerateKey()
1428 BnSub(bnD, Z->Q, Z->P); in CryptRsaGenerateKey()
1430 BnSub(bnD, Z->P, Z->Q); in CryptRsaGenerateKey()
1435 BnMult(bnN, Z->P, Z->Q); in CryptRsaGenerateKey()
1436 BnTo2B(bnN, &publicArea->unique.rsa.b, in CryptRsaGenerateKey()
1439 if(((publicArea->unique.rsa.t.buffer[0] & 0x80) == 0) in CryptRsaGenerateKey()
1440 || (publicArea->unique.rsa.t.size in CryptRsaGenerateKey()
1451 if(BnEqualZero(Z->Q)) in CryptRsaGenerateKey()
1452 BnCopy(Z->Q, Z->P); in CryptRsaGenerateKey()
1456 // Pack the private exponent into the sensitive area in CryptRsaGenerateKey()
1457 PackExponent(&sensitive->sensitive.rsa, Z); in CryptRsaGenerateKey()
1459 if(((publicArea->unique.rsa.t.buffer[0] & 0x80) == 0) in CryptRsaGenerateKey()
1460 || ((sensitive->sensitive.rsa.t.buffer[0] & 0x80) == 0)) in CryptRsaGenerateKey()
1465 if(IS_ATTRIBUTE(publicArea->objectAttributes, TPMA_OBJECT, sign)) in CryptRsaGenerateKey()
1477 // start over )-; in CryptRsaGenerateKey()
1480 BnSetWord(Z->Q, 0); in CryptRsaGenerateKey()