1 // This file was extracted from the TCG Published
2 // Trusted Platform Module Library
3 // Part 4: Supporting Routines
4 // Family "2.0"
5 // Level 00 Revision 01.16
6 // October 30, 2014
7
8 #include <string.h>
9
10 #include "OsslCryptoEngine.h"
11 #ifdef TPM_ALG_RSA
12 //
13 //
14 // Local Functions
15 //
16 // RsaPrivateExponent()
17 //
18 // This function computes the private exponent de = 1 mod (p-1)*(q-1) The inputs are the public modulus
19 // and one of the primes.
20 // The results are returned in the key->private structure. The size of that structure is expanded to hold the
21 // private exponent. If the computed value is smaller than the public modulus, the private exponent is de-
22 // normalized.
23 //
24 // Return Value Meaning
25 //
26 // CRYPT_SUCCESS private exponent computed
27 // CRYPT_PARAMETER prime is not half the size of the modulus, or the modulus is not evenly
28 // divisible by the prime, or no private exponent could be computed
29 // from the input parameters
30 //
31 CRYPT_RESULT
RsaPrivateExponent(RSA_KEY * key)32 RsaPrivateExponent(
33 RSA_KEY *key // IN: the key to augment with the private
34 // exponent
35 )
36 {
37 BN_CTX *context;
38 BIGNUM *bnD;
39 BIGNUM *bnN;
40 BIGNUM *bnP;
41 BIGNUM *bnE;
42 BIGNUM *bnPhi;
43 BIGNUM *bnQ;
44 BIGNUM *bnQr;
45 UINT32 fill;
46 CRYPT_RESULT retVal = CRYPT_SUCCESS; // Assume success
47 pAssert(key != NULL && key->privateKey != NULL && key->publicKey != NULL);
48 context = BN_CTX_new();
49 if(context == NULL)
50 FAIL(FATAL_ERROR_ALLOCATION);
51 BN_CTX_start(context);
52 bnE = BN_CTX_get(context);
53 bnD = BN_CTX_get(context);
54 bnN = BN_CTX_get(context);
55 bnP = BN_CTX_get(context);
56 bnPhi = BN_CTX_get(context);
57 bnQ = BN_CTX_get(context);
58 bnQr = BN_CTX_get(context);
59 if(bnQr == NULL)
60 FAIL(FATAL_ERROR_ALLOCATION);
61 // Assume the size of the public key value is within range
62 pAssert(key->publicKey->size <= MAX_RSA_KEY_BYTES);
63 if( BN_bin2bn(key->publicKey->buffer, key->publicKey->size, bnN) == NULL
64 || BN_bin2bn(key->privateKey->buffer, key->privateKey->size, bnP) == NULL)
65 FAIL(FATAL_ERROR_INTERNAL);
66 // If P size is not 1/2 of n size, then this is not a valid value for this
67 // implementation. This will also catch the case were P is input as zero.
68 // This generates a return rather than an assert because the key being loaded
69 // might be SW generated and wrong.
70 if(BN_num_bits(bnP) < BN_num_bits(bnN)/2)
71 {
72 retVal = CRYPT_PARAMETER;
73 goto Cleanup;
74 }
75 // Get q = n/p;
76 if (BN_div(bnQ, bnQr, bnN, bnP, context) != 1)
77 FAIL(FATAL_ERROR_INTERNAL);
78 // If there is a remainder, then this is not a valid n
79 if(BN_num_bytes(bnQr) != 0 || BN_num_bits(bnQ) != BN_num_bits(bnP))
80 {
81 retVal = CRYPT_PARAMETER; // problem may be recoverable
82 goto Cleanup;
83 }
84 // Get compute Phi = (p - 1)(q - 1) = pq - p - q + 1 = n - p - q + 1
85 if( BN_copy(bnPhi, bnN) == NULL
86 || !BN_sub(bnPhi, bnPhi, bnP)
87 || !BN_sub(bnPhi, bnPhi, bnQ)
88 || !BN_add_word(bnPhi, 1))
89 FAIL(FATAL_ERROR_INTERNAL);
90 // Compute the multiplicative inverse
91 BN_set_word(bnE, key->exponent);
92 if(BN_mod_inverse(bnD, bnE, bnPhi, context) == NULL)
93 {
94 // Going to assume that the error is caused by a bad
95 // set of parameters. Specifically, an exponent that is
96 // not compatible with the primes. In an implementation that
97 // has better visibility to the error codes, this might be
98 // refined so that failures in the library would return
99 // a more informative value. Should not assume here that
100 // the error codes will remain unchanged.
101 retVal = CRYPT_PARAMETER;
102 goto Cleanup;
103 }
104 fill = key->publicKey->size - BN_num_bytes(bnD);
105 BN_bn2bin(bnD, &key->privateKey->buffer[fill]);
106 memset(key->privateKey->buffer, 0, fill);
107 // Change the size of the private key so that it is known to contain
108 // a private exponent rather than a prime.
109 key->privateKey->size = key->publicKey->size;
110 Cleanup:
111 BN_CTX_end(context);
112 BN_CTX_free(context);
113 return retVal;
114 }
115 //
116 //
117 // _cpri__TestKeyRSA()
118 //
119 // This function computes the private exponent de = 1 mod (p-1)*(q-1) The inputs are the public modulus
120 // and one of the primes or two primes.
121 // If both primes are provided, the public modulus is computed. If only one prime is provided, the second
122 // prime is computed. In either case, a private exponent is produced and placed in d.
123 // If no modular inverse exists, then CRYPT_PARAMETER is returned.
124 //
125 // Return Value Meaning
126 //
127 // CRYPT_SUCCESS private exponent (d) was generated
128 // CRYPT_PARAMETER one or more parameters are invalid
129 //
130 LIB_EXPORT CRYPT_RESULT
_cpri__TestKeyRSA(TPM2B * d,UINT32 exponent,TPM2B * publicKey,TPM2B * prime1,TPM2B * prime2)131 _cpri__TestKeyRSA(
132 TPM2B *d, // OUT: the address to receive the private
133 // exponent
134 UINT32 exponent, // IN: the public modulu
135 TPM2B *publicKey, // IN/OUT: an input if only one prime is
136 // provided. an output if both primes are
137 // provided
138 TPM2B *prime1, // IN: a first prime
139 TPM2B *prime2 // IN: an optional second prime
140 )
141 {
142 BN_CTX *context;
143 BIGNUM *bnD;
144 BIGNUM *bnN;
145 BIGNUM *bnP;
146 BIGNUM *bnE;
147 BIGNUM *bnPhi;
148 BIGNUM *bnQ;
149 BIGNUM *bnQr;
150 UINT32 fill;
151 CRYPT_RESULT retVal = CRYPT_SUCCESS; // Assume success
152 pAssert(publicKey != NULL && prime1 != NULL);
153 // Make sure that the sizes are within range
154 pAssert( prime1->size <= MAX_RSA_KEY_BYTES/2
155 && publicKey->size <= MAX_RSA_KEY_BYTES);
156 pAssert( prime2 == NULL || prime2->size < MAX_RSA_KEY_BYTES/2);
157 if(publicKey->size/2 != prime1->size)
158 return CRYPT_PARAMETER;
159 context = BN_CTX_new();
160 if(context == NULL)
161 FAIL(FATAL_ERROR_ALLOCATION);
162 BN_CTX_start(context);
163 bnE = BN_CTX_get(context); // public exponent (e)
164 bnD = BN_CTX_get(context); // private exponent (d)
165 bnN = BN_CTX_get(context); // public modulus (n)
166 bnP = BN_CTX_get(context); // prime1 (p)
167 bnPhi = BN_CTX_get(context); // (p-1)(q-1)
168 bnQ = BN_CTX_get(context); // prime2 (q)
169 bnQr = BN_CTX_get(context); // n mod p
170 if(bnQr == NULL)
171 FAIL(FATAL_ERROR_ALLOCATION);
172 if(BN_bin2bn(prime1->buffer, prime1->size, bnP) == NULL)
173 FAIL(FATAL_ERROR_INTERNAL);
174 // If prime2 is provided, then compute n
175 if(prime2 != NULL)
176 {
177 // Two primes provided so use them to compute n
178 if(BN_bin2bn(prime2->buffer, prime2->size, bnQ) == NULL)
179 FAIL(FATAL_ERROR_INTERNAL);
180 // Make sure that the sizes of the primes are compatible
181 if(BN_num_bits(bnQ) != BN_num_bits(bnP))
182 {
183 retVal = CRYPT_PARAMETER;
184 goto Cleanup;
185 }
186 // Multiply the primes to get the public modulus
187 if(BN_mul(bnN, bnP, bnQ, context) != 1)
188 FAIL(FATAL_ERROR_INTERNAL);
189 // if the space provided for the public modulus is large enough,
190 // save the created value
191 if(BN_num_bits(bnN) != (publicKey->size * 8))
192 {
193 retVal = CRYPT_PARAMETER;
194 goto Cleanup;
195 }
196 BN_bn2bin(bnN, publicKey->buffer);
197 }
198 else
199 {
200 if (BN_is_zero(bnP))
201 {
202 retVal = CRYPT_PARAMETER;
203 goto Cleanup;
204 }
205 // One prime provided so find the second prime by division
206 BN_bin2bn(publicKey->buffer, publicKey->size, bnN);
207 // Get q = n/p;
208 if(BN_div(bnQ, bnQr, bnN, bnP, context) != 1)
209 FAIL(FATAL_ERROR_INTERNAL);
210 // If there is a remainder, then this is not a valid n
211 if(BN_num_bytes(bnQr) != 0 || BN_num_bits(bnQ) != BN_num_bits(bnP))
212 {
213 retVal = CRYPT_PARAMETER; // problem may be recoverable
214 goto Cleanup;
215 }
216 }
217 // Get compute Phi = (p - 1)(q - 1) = pq - p - q + 1 = n - p - q + 1
218 BN_copy(bnPhi, bnN);
219 BN_sub(bnPhi, bnPhi, bnP);
220 BN_sub(bnPhi, bnPhi, bnQ);
221 BN_add_word(bnPhi, 1);
222 // Compute the multiplicative inverse
223 BN_set_word(bnE, exponent);
224 if(BN_mod_inverse(bnD, bnE, bnPhi, context) == NULL)
225 {
226 // Going to assume that the error is caused by a bad set of parameters.
227 // Specifically, an exponent that is not compatible with the primes.
228 // In an implementation that has better visibility to the error codes,
229 // this might be refined so that failures in the library would return
230 // a more informative value.
231 // Do not assume that the error codes will remain unchanged.
232 retVal = CRYPT_PARAMETER;
233 goto Cleanup;
234 }
235 // Return the private exponent.
236 // Make sure it is normalized to have the correct size.
237 d->size = publicKey->size;
238 fill = d->size - BN_num_bytes(bnD);
239 BN_bn2bin(bnD, &d->buffer[fill]);
240 memset(d->buffer, 0, fill);
241 Cleanup:
242 BN_CTX_end(context);
243 BN_CTX_free(context);
244 return retVal;
245 }
246 //
247 //
248 // RSAEP()
249 //
250 // This function performs the RSAEP operation defined in PKCS#1v2.1. It is an exponentiation of a value
251 // (m) with the public exponent (e), modulo the public (n).
252 //
253 // Return Value Meaning
254 //
255 // CRYPT_SUCCESS encryption complete
256 // CRYPT_PARAMETER number to exponentiate is larger than the modulus
257 //
258 static CRYPT_RESULT
RSAEP(UINT32 dInOutSize,BYTE * dInOut,RSA_KEY * key)259 RSAEP (
260 UINT32 dInOutSize, // OUT size of the encrypted block
261 BYTE *dInOut, // OUT: the encrypted data
262 RSA_KEY *key // IN: the key to use
263 )
264 {
265 UINT32 e;
266 BYTE exponent[4];
267 CRYPT_RESULT retVal;
268 e = key->exponent;
269 if(e == 0)
270 e = RSA_DEFAULT_PUBLIC_EXPONENT;
271 UINT32_TO_BYTE_ARRAY(e, exponent);
272 //!!! Can put check for test of RSA here
273 retVal = _math__ModExp(dInOutSize, dInOut, dInOutSize, dInOut, 4, exponent,
274 key->publicKey->size, key->publicKey->buffer);
275 // Exponentiation result is stored in-place, thus no space shortage is possible.
276 pAssert(retVal != CRYPT_UNDERFLOW);
277 return retVal;
278 }
279 //
280 //
281 // RSADP()
282 //
283 // This function performs the RSADP operation defined in PKCS#1v2.1. It is an exponentiation of a value (c)
284 // with the private exponent (d), modulo the public modulus (n). The decryption is in place.
285 //
286 // This function also checks the size of the private key. If the size indicates that only a prime value is
287 // present, the key is converted to being a private exponent.
288 //
289 // Return Value Meaning
290 //
291 // CRYPT_SUCCESS decryption succeeded
292 // CRYPT_PARAMETER the value to decrypt is larger than the modulus
293 //
294 static CRYPT_RESULT
RSADP(UINT32 dInOutSize,BYTE * dInOut,RSA_KEY * key)295 RSADP (
296 UINT32 dInOutSize, // IN/OUT: size of decrypted data
297 BYTE *dInOut, // IN/OUT: the decrypted data
298 RSA_KEY *key // IN: the key
299 )
300 {
301 CRYPT_RESULT retVal;
302 //!!! Can put check for RSA tested here
303 // Make sure that the pointers are provided and that the private key is present
304 // If the private key is present it is assumed to have been created by
305 // so is presumed good _cpri__PrivateExponent
306 pAssert(key != NULL && dInOut != NULL &&
307 key->publicKey->size == key->publicKey->size);
308 // make sure that the value to be decrypted is smaller than the modulus
309 // note: this check is redundant as is also performed by _math__ModExp()
310 // which is optimized for use in RSA operations
311 if(_math__uComp(key->publicKey->size, key->publicKey->buffer,
312 dInOutSize, dInOut) <= 0)
313 return CRYPT_PARAMETER;
314 // _math__ModExp can return CRYPT_PARAMTER or CRYPT_UNDERFLOW but actual
315 // underflow is not possible because everything is in the same buffer.
316 retVal = _math__ModExp(dInOutSize, dInOut, dInOutSize, dInOut,
317 key->privateKey->size, key->privateKey->buffer,
318 key->publicKey->size, key->publicKey->buffer);
319 // Exponentiation result is stored in-place, thus no space shortage is possible.
320 pAssert(retVal != CRYPT_UNDERFLOW);
321 return retVal;
322 }
323 //
324 //
325 // OaepEncode()
326 //
327 // This function performs OAEP padding. The size of the buffer to receive the OAEP padded data must
328 // equal the size of the modulus
329 //
330 // Return Value Meaning
331 //
332 // CRYPT_SUCCESS encode successful
333 // CRYPT_PARAMETER hashAlg is not valid
334 // CRYPT_FAIL message size is too large
335 //
336 static CRYPT_RESULT
OaepEncode(UINT32 paddedSize,BYTE * padded,TPM_ALG_ID hashAlg,const char * label,UINT32 messageSize,BYTE * message,BYTE * testSeed)337 OaepEncode(
338 UINT32 paddedSize, // IN: pad value size
339 BYTE *padded, // OUT: the pad data
340 TPM_ALG_ID hashAlg, // IN: algorithm to use for padding
341 const char *label, // IN: null-terminated string (may be NULL)
342 UINT32 messageSize, // IN: the message size
343 BYTE *message // IN: the message being padded
344 #ifdef TEST_RSA //
345 , BYTE *testSeed // IN: optional seed used for testing.
346 #endif // TEST_RSA //
347 )
348 {
349 UINT32 padLen;
350 UINT32 dbSize;
351 UINT32 i;
352 BYTE mySeed[MAX_DIGEST_SIZE];
353 BYTE *seed = mySeed;
354 INT32 hLen = _cpri__GetDigestSize(hashAlg);
355 BYTE mask[MAX_RSA_KEY_BYTES];
356 BYTE *pp;
357 BYTE *pm;
358 UINT32 lSize = 0;
359 CRYPT_RESULT retVal = CRYPT_SUCCESS;
360 pAssert(padded != NULL && message != NULL);
361 // A value of zero is not allowed because the KDF can't produce a result
362 // if the digest size is zero.
363 if(hLen <= 0)
364 return CRYPT_PARAMETER;
365 // If a label is provided, get the length of the string, including the
366 // terminator
367 if(label != NULL)
368 lSize = (UINT32)strlen(label) + 1;
369 // Basic size check
370 // messageSize <= k 2hLen 2
371 if(messageSize > paddedSize - 2 * hLen - 2)
372 return CRYPT_FAIL;
373 // Hash L even if it is null
374 // Offset into padded leaving room for masked seed and byte of zero
375 pp = &padded[hLen + 1];
376 retVal = _cpri__HashBlock(hashAlg, lSize, (BYTE *)label, hLen, pp);
377 // concatenate PS of k mLen 2hLen 2
378 padLen = paddedSize - messageSize - (2 * hLen) - 2;
379 memset(&pp[hLen], 0, padLen);
380 pp[hLen+padLen] = 0x01;
381 padLen += 1;
382 memcpy(&pp[hLen+padLen], message, messageSize);
383 // The total size of db = hLen + pad + mSize;
384 dbSize = hLen+padLen+messageSize;
385 // If testing, then use the provided seed. Otherwise, use values
386 // from the RNG
387 #ifdef TEST_RSA
388 if(testSeed != NULL)
389 seed = testSeed;
390 else
391 #endif // TEST_RSA
392 _cpri__GenerateRandom(hLen, mySeed);
393 // mask = MGF1 (seed, nSize hLen 1)
394 if((retVal = _cpri__MGF1(dbSize, mask, hashAlg, hLen, seed)) < 0)
395 return retVal; // Don't expect an error because hash size is not zero
396 // was detected in the call to _cpri__HashBlock() above.
397 // Create the masked db
398 pm = mask;
399 for(i = dbSize; i > 0; i--)
400 *pp++ ^= *pm++;
401 pp = &padded[hLen + 1];
402 // Run the masked data through MGF1
403 if((retVal = _cpri__MGF1(hLen, &padded[1], hashAlg, dbSize, pp)) < 0)
404 return retVal; // Don't expect zero here as the only case for zero
405 // was detected in the call to _cpri__HashBlock() above.
406 // Now XOR the seed to create masked seed
407 pp = &padded[1];
408 pm = seed;
409 for(i = hLen; i > 0; i--)
410 *pp++ ^= *pm++;
411 // Set the first byte to zero
412 *padded = 0x00;
413 return CRYPT_SUCCESS;
414 }
415 //
416 //
417 // OaepDecode()
418 //
419 // This function performs OAEP padding checking. The size of the buffer to receive the recovered data. If
420 // the padding is not valid, the dSize size is set to zero and the function returns CRYPT_NO_RESULTS.
421 // The dSize parameter is used as an input to indicate the size available in the buffer. If insufficient space is
422 // available, the size is not changed and the return code is CRYPT_FAIL.
423 //
424 // Return Value Meaning
425 //
426 // CRYPT_SUCCESS decode complete
427 // CRYPT_PARAMETER the value to decode was larger than the modulus
428 // CRYPT_FAIL the padding is wrong or the buffer to receive the results is too small
429 //
430 static CRYPT_RESULT
OaepDecode(UINT32 * dataOutSize,BYTE * dataOut,TPM_ALG_ID hashAlg,const char * label,UINT32 paddedSize,BYTE * padded)431 OaepDecode(
432 UINT32 *dataOutSize, // IN/OUT: the recovered data size
433 BYTE *dataOut, // OUT: the recovered data
434 TPM_ALG_ID hashAlg, // IN: algorithm to use for padding
435 const char *label, // IN: null-terminated string (may be NULL)
436 UINT32 paddedSize, // IN: the size of the padded data
437 BYTE *padded // IN: the padded data
438 )
439 {
440 UINT32 dSizeSave;
441 UINT32 i;
442 BYTE seedMask[MAX_DIGEST_SIZE];
443 INT32 hLen = _cpri__GetDigestSize(hashAlg);
444 BYTE mask[MAX_RSA_KEY_BYTES];
445 BYTE *pp;
446 BYTE *pm;
447 UINT32 lSize = 0;
448 CRYPT_RESULT retVal = CRYPT_SUCCESS;
449 // Unknown hash
450 pAssert(hLen > 0 && dataOutSize != NULL && dataOut != NULL && padded != NULL);
451 // If there is a label, get its size including the terminating 0x00
452 if(label != NULL)
453 lSize = (UINT32)strlen(label) + 1;
454 // Set the return size to zero so that it doesn't have to be done on each
455 // failure
456 dSizeSave = *dataOutSize;
457 *dataOutSize = 0;
458 // Strange size (anything smaller can't be an OAEP padded block)
459 // Also check for no leading 0
460 if(paddedSize < (unsigned)((2 * hLen) + 2) || *padded != 0)
461 return CRYPT_FAIL;
462 // Use the hash size to determine what to put through MGF1 in order
463 // to recover the seedMask
464 if((retVal = _cpri__MGF1(hLen, seedMask, hashAlg,
465 paddedSize-hLen-1, &padded[hLen+1])) < 0)
466 return retVal;
467 // Recover the seed into seedMask
468 pp = &padded[1];
469 pm = seedMask;
470 for(i = hLen; i > 0; i--)
471 *pm++ ^= *pp++;
472 // Use the seed to generate the data mask
473 if((retVal = _cpri__MGF1(paddedSize-hLen-1, mask, hashAlg,
474 hLen, seedMask)) < 0)
475 return retVal;
476 // Use the mask generated from seed to recover the padded data
477 pp = &padded[hLen+1];
478 pm = mask;
479 for(i = paddedSize-hLen-1; i > 0; i--)
480 *pm++ ^= *pp++;
481 // Make sure that the recovered data has the hash of the label
482 // Put trial value in the seed mask
483 if((retVal=_cpri__HashBlock(hashAlg, lSize,(BYTE *)label, hLen, seedMask)) < 0)
484 return retVal;
485 if(memcmp(seedMask, mask, hLen) != 0)
486 return CRYPT_FAIL;
487 // find the start of the data
488 pm = &mask[hLen];
489 for(i = paddedSize-(2*hLen)-1; i > 0; i--)
490 {
491 if(*pm++ != 0)
492 break;
493 }
494
495 // Magic value in the end of the fill area must be 1, anything else must be
496 // rejected.
497 if (pm[-1] != 1)
498 return CRYPT_FAIL;
499
500 if(i == 0)
501 return CRYPT_PARAMETER;
502 // pm should be pointing at the first part of the data
503 // and i is one greater than the number of bytes to move
504 i--;
505 if(i > dSizeSave)
506 {
507 // Restore dSize
508 *dataOutSize = dSizeSave;
509 return CRYPT_FAIL;
510 }
511 memcpy(dataOut, pm, i);
512 *dataOutSize = i;
513 return CRYPT_SUCCESS;
514 }
515 //
516 //
517 // PKSC1v1_5Encode()
518 //
519 // This function performs the encoding for RSAES-PKCS1-V1_5-ENCRYPT as defined in PKCS#1V2.1
520 //
521 // Return Value Meaning
522 //
523 // CRYPT_SUCCESS data encoded
524 // CRYPT_PARAMETER message size is too large
525 //
526 static CRYPT_RESULT
RSAES_PKSC1v1_5Encode(UINT32 paddedSize,BYTE * padded,UINT32 messageSize,BYTE * message)527 RSAES_PKSC1v1_5Encode(
528 UINT32 paddedSize, // IN: pad value size
529 BYTE *padded, // OUT: the pad data
530 UINT32 messageSize, // IN: the message size
531 BYTE *message // IN: the message being padded
532 )
533 {
534 UINT32 ps = paddedSize - messageSize - 3;
535 if(messageSize > paddedSize - 11)
536 return CRYPT_PARAMETER;
537 // move the message to the end of the buffer
538 memcpy(&padded[paddedSize - messageSize], message, messageSize);
539 // Set the first byte to 0x00 and the second to 0x02
540 *padded = 0;
541 padded[1] = 2;
542 // Fill with random bytes
543 _cpri__GenerateRandom(ps, &padded[2]);
544 // Set the delimiter for the random field to 0
545 padded[2+ps] = 0;
546 // Now, the only messy part. Make sure that all the ps bytes are non-zero
547 // In this implementation, use the value of the current index
548 for(ps++; ps > 1; ps--)
549 {
550 if(padded[ps] == 0)
551 padded[ps] = 0x55; // In the < 0.5% of the cases that the random
552 // value is 0, just pick a value to put into
553 // the spot.
554 }
555 return CRYPT_SUCCESS;
556 }
557 //
558 //
559 // RSAES_Decode()
560 //
561 // This function performs the decoding for RSAES-PKCS1-V1_5-ENCRYPT as defined in PKCS#1V2.1
562 //
563 // Return Value Meaning
564 //
565 // CRYPT_SUCCESS decode successful
566 // CRYPT_FAIL decoding error or results would no fit into provided buffer
567 //
568 static CRYPT_RESULT
RSAES_Decode(UINT32 * messageSize,BYTE * message,UINT32 codedSize,BYTE * coded)569 RSAES_Decode(
570 UINT32 *messageSize, // IN/OUT: recovered message size
571 BYTE *message, // OUT: the recovered message
572 UINT32 codedSize, // IN: the encoded message size
573 BYTE *coded // IN: the encoded message
574 )
575 {
576 BOOL fail = FALSE;
577 UINT32 ps;
578 fail = (codedSize < 11);
579 fail |= (coded[0] != 0x00) || (coded[1] != 0x02);
580 for(ps = 2; ps < codedSize; ps++)
581 {
582 if(coded[ps] == 0)
583 break;
584 }
585 ps++;
586 // Make sure that ps has not gone over the end and that there are at least 8
587 // bytes of pad data.
588 fail |= ((ps >= codedSize) || ((ps-2) < 8));
589 if((*messageSize < codedSize - ps) || fail)
590 return CRYPT_FAIL;
591 *messageSize = codedSize - ps;
592 memcpy(message, &coded[ps], codedSize - ps);
593 return CRYPT_SUCCESS;
594 }
595 //
596 //
597 // PssEncode()
598 //
599 // This function creates an encoded block of data that is the size of modulus. The function uses the
600 // maximum salt size that will fit in the encoded block.
601 //
602 // Return Value Meaning
603 //
604 // CRYPT_SUCCESS encode successful
605 // CRYPT_PARAMETER hashAlg is not a supported hash algorithm
606 //
607 static CRYPT_RESULT
PssEncode(UINT32 eOutSize,BYTE * eOut,TPM_ALG_ID hashAlg,UINT32 hashInSize,BYTE * hashIn,BYTE * saltIn)608 PssEncode (
609 UINT32 eOutSize, // IN: size of the encode data buffer
610 BYTE *eOut, // OUT: encoded data buffer
611 TPM_ALG_ID hashAlg, // IN: hash algorithm to use for the encoding
612 UINT32 hashInSize, // IN: size of digest to encode
613 BYTE *hashIn // IN: the digest
614 #ifdef TEST_RSA //
615 , BYTE *saltIn // IN: optional parameter for testing
616 #endif // TEST_RSA //
617 )
618 {
619 INT32 hLen = _cpri__GetDigestSize(hashAlg);
620 BYTE salt[MAX_RSA_KEY_BYTES - 1];
621 UINT16 saltSize;
622 BYTE *ps = salt;
623 CRYPT_RESULT retVal;
624 UINT16 mLen;
625 CPRI_HASH_STATE hashState;
626 // These are fatal errors indicating bad TPM firmware
627 pAssert(eOut != NULL && hLen > 0 && hashIn != NULL );
628 // Get the size of the mask
629 mLen = (UINT16)(eOutSize - hLen - 1);
630 // Maximum possible salt size is mask length - 1
631 saltSize = mLen - 1;
632 // Use the maximum salt size allowed by FIPS 186-4
633 if(saltSize > hLen)
634 saltSize = (UINT16)hLen;
635 //using eOut for scratch space
636 // Set the first 8 bytes to zero
637 memset(eOut, 0, 8);
638 // Get set the salt
639 #ifdef TEST_RSA
640 if(saltIn != NULL)
641 {
642 saltSize = hLen;
643 memcpy(salt, saltIn, hLen);
644 }
645 else
646 #endif // TEST_RSA
647 _cpri__GenerateRandom(saltSize, salt);
648 // Create the hash of the pad || input hash || salt
649 _cpri__StartHash(hashAlg, FALSE, &hashState);
650 _cpri__UpdateHash(&hashState, 8, eOut);
651 _cpri__UpdateHash(&hashState, hashInSize, hashIn);
652 _cpri__UpdateHash(&hashState, saltSize, salt);
653 _cpri__CompleteHash(&hashState, hLen, &eOut[eOutSize - hLen - 1]);
654 // Create a mask
655 if((retVal = _cpri__MGF1(mLen, eOut, hashAlg, hLen, &eOut[mLen])) < 0)
656 {
657 // Currently _cpri__MGF1 is not expected to return a CRYPT_RESULT error.
658 pAssert(0);
659 }
660 // Since this implementation uses key sizes that are all even multiples of
661 // 8, just need to make sure that the most significant bit is CLEAR
662 eOut[0] &= 0x7f;
663 // Before we mess up the eOut value, set the last byte to 0xbc
664 eOut[eOutSize - 1] = 0xbc;
665 // XOR a byte of 0x01 at the position just before where the salt will be XOR'ed
666 eOut = &eOut[mLen - saltSize - 1];
667 *eOut++ ^= 0x01;
668 // XOR the salt data into the buffer
669 for(; saltSize > 0; saltSize--)
670 *eOut++ ^= *ps++;
671 // and we are done
672 return CRYPT_SUCCESS;
673 }
674 //
675 //
676 // PssDecode()
677 //
678 // This function checks that the PSS encoded block was built from the provided digest. If the check is
679 // successful, CRYPT_SUCCESS is returned. Any other value indicates an error.
680 // This implementation of PSS decoding is intended for the reference TPM implementation and is not at all
681 // generalized. It is used to check signatures over hashes and assumptions are made about the sizes of
682 // values. Those assumptions are enforce by this implementation. This implementation does allow for a
683 // variable size salt value to have been used by the creator of the signature.
684 //
685 //
686 //
687 //
688 // Return Value Meaning
689 //
690 // CRYPT_SUCCESS decode successful
691 // CRYPT_SCHEME hashAlg is not a supported hash algorithm
692 // CRYPT_FAIL decode operation failed
693 //
694 static CRYPT_RESULT
PssDecode(TPM_ALG_ID hashAlg,UINT32 dInSize,BYTE * dIn,UINT32 eInSize,BYTE * eIn,UINT32 saltSize)695 PssDecode(
696 TPM_ALG_ID hashAlg, // IN: hash algorithm to use for the encoding
697 UINT32 dInSize, // IN: size of the digest to compare
698 BYTE *dIn, // In: the digest to compare
699 UINT32 eInSize, // IN: size of the encoded data
700 BYTE *eIn, // IN: the encoded data
701 UINT32 saltSize // IN: the expected size of the salt
702 )
703 {
704 INT32 hLen = _cpri__GetDigestSize(hashAlg);
705 BYTE mask[MAX_RSA_KEY_BYTES];
706 BYTE *pm = mask;
707 BYTE pad[8] = {0};
708 UINT32 i;
709 UINT32 mLen;
710 BOOL fail = FALSE;
711 CRYPT_RESULT retVal;
712 CPRI_HASH_STATE hashState;
713 // These errors are indicative of failures due to programmer error
714 pAssert(dIn != NULL && eIn != NULL);
715 // check the hash scheme
716 if(hLen == 0)
717 return CRYPT_SCHEME;
718 // most significant bit must be zero
719 fail = ((eIn[0] & 0x80) != 0);
720 // last byte must be 0xbc
721 fail |= (eIn[eInSize - 1] != 0xbc);
722 // Use the hLen bytes at the end of the buffer to generate a mask
723 // Doesn't start at the end which is a flag byte
724 mLen = eInSize - hLen - 1;
725 if((retVal = _cpri__MGF1(mLen, mask, hashAlg, hLen, &eIn[mLen])) < 0)
726 return retVal;
727 if(retVal == 0)
728 return CRYPT_FAIL;
729 // Clear the MSO of the mask to make it consistent with the encoding.
730 mask[0] &= 0x7F;
731 // XOR the data into the mask to recover the salt. This sequence
732 // advances eIn so that it will end up pointing to the seed data
733 // which is the hash of the signature data
734 for(i = mLen; i > 0; i--)
735 *pm++ ^= *eIn++;
736 // Find the first byte of 0x01 after a string of all 0x00
737 for(pm = mask, i = mLen; i > 0; i--)
738 {
739 if(*pm == 0x01)
740 break;
741 else
742 fail |= (*pm++ != 0);
743 }
744 fail |= (i == 0);
745 // if we have failed, will continue using the entire mask as the salt value so
746 // that the timing attacks will not disclose anything (I don't think that this
747 // is a problem for TPM applications but, usually, we don't fail so this
748 // doesn't cost anything).
749 if(fail)
750 {
751 i = mLen;
752 pm = mask;
753 }
754 else
755 {
756 pm++;
757 i--;
758 }
759 // If the salt size was provided, then the recovered size must match
760 fail |= (saltSize != 0 && i != saltSize);
761 // i contains the salt size and pm points to the salt. Going to use the input
762 // hash and the seed to recreate the hash in the lower portion of eIn.
763 _cpri__StartHash(hashAlg, FALSE, &hashState);
764 // add the pad of 8 zeros
765 _cpri__UpdateHash(&hashState, 8, pad);
766 // add the provided digest value
767 _cpri__UpdateHash(&hashState, dInSize, dIn);
768 // and the salt
769 _cpri__UpdateHash(&hashState, i, pm);
770 // get the result
771 retVal = _cpri__CompleteHash(&hashState, MAX_DIGEST_SIZE, mask);
772 // retVal will be the size of the digest or zero. If not equal to the indicated
773 // digest size, then the signature doesn't match
774 fail |= (retVal != hLen);
775 fail |= (memcmp(mask, eIn, hLen) != 0);
776 if(fail)
777 return CRYPT_FAIL;
778 else
779 return CRYPT_SUCCESS;
780 }
781 //
782 //
783 // PKSC1v1_5SignEncode()
784 //
785 // Encode a message using PKCS1v1().5 method.
786 //
787 // Return Value Meaning
788 //
789 // CRYPT_SUCCESS encode complete
790 // CRYPT_SCHEME hashAlg is not a supported hash algorithm
791 // CRYPT_PARAMETER eOutSize is not large enough or hInSize does not match the digest
792 // size of hashAlg
793 //
794 static CRYPT_RESULT
RSASSA_Encode(UINT32 eOutSize,BYTE * eOut,TPM_ALG_ID hashAlg,UINT32 hInSize,BYTE * hIn)795 RSASSA_Encode(
796 UINT32 eOutSize, // IN: the size of the resulting block
797 BYTE *eOut, // OUT: the encoded block
798 TPM_ALG_ID hashAlg, // IN: hash algorithm for PKSC1v1_5
799 UINT32 hInSize, // IN: size of hash to be signed
800 BYTE *hIn // IN: hash buffer
801 )
802 {
803 const BYTE *der;
804 INT32 derSize = _cpri__GetHashDER(hashAlg, &der);
805 INT32 fillSize;
806 pAssert(eOut != NULL && hIn != NULL);
807 // Can't use this scheme if the algorithm doesn't have a DER string defined.
808 if(
809 #if defined(SUPPORT_PADDING_ONLY_RSASSA) && SUPPORT_PADDING_ONLY_RSASSA == YES
810 hashAlg != TPM_ALG_NULL &&
811 #endif
812 derSize == 0)
813 return CRYPT_SCHEME;
814 // If the digest size of 'hashAl' doesn't match the input digest size, then
815 // the DER will misidentify the digest so return an error
816 if(
817 #if defined(SUPPORT_PADDING_ONLY_RSASSA) && SUPPORT_PADDING_ONLY_RSASSA == YES
818 hashAlg != TPM_ALG_NULL &&
819 #endif
820 (unsigned)_cpri__GetDigestSize(hashAlg) != hInSize)
821 return CRYPT_PARAMETER;
822 fillSize = eOutSize - derSize - hInSize - 3;
823 // Make sure that this combination will fit in the provided space
824 if(fillSize < 8)
825 return CRYPT_PARAMETER;
826 // Start filling
827 *eOut++ = 0; // initial byte of zero
828 *eOut++ = 1; // byte of 0x01
829 for(; fillSize > 0; fillSize--)
830 *eOut++ = 0xff; // bunch of 0xff
831 *eOut++ = 0; // another 0
832 for(; derSize > 0; derSize--)
833 *eOut++ = *der++; // copy the DER
834 for(; hInSize > 0; hInSize--)
835 *eOut++ = *hIn++; // copy the hash
836 return CRYPT_SUCCESS;
837 }
838 //
839 //
840 // RSASSA_Decode()
841 //
842 // This function performs the RSASSA decoding of a signature.
843 //
844 // Return Value Meaning
845 //
846 // CRYPT_SUCCESS decode successful
847 // CRYPT_FAIL decode unsuccessful
848 // CRYPT_SCHEME haslAlg is not supported
849 //
850 static CRYPT_RESULT
RSASSA_Decode(TPM_ALG_ID hashAlg,UINT32 hInSize,BYTE * hIn,UINT32 eInSize,BYTE * eIn)851 RSASSA_Decode(
852 TPM_ALG_ID hashAlg, // IN: hash algorithm to use for the encoding
853 UINT32 hInSize, // IN: size of the digest to compare
854 BYTE *hIn, // In: the digest to compare
855 UINT32 eInSize, // IN: size of the encoded data
856 BYTE *eIn // IN: the encoded data
857 )
858 {
859 BOOL fail = FALSE;
860 const BYTE *der;
861 INT32 derSize = _cpri__GetHashDER(hashAlg, &der);
862 INT32 hashSize = _cpri__GetDigestSize(hashAlg);
863 INT32 fillSize;
864 pAssert(hIn != NULL && eIn != NULL);
865 // Can't use this scheme if the algorithm doesn't have a DER string
866 // defined or if the provided hash isn't the right size
867 if(derSize == 0 || (unsigned)hashSize != hInSize)
868 return CRYPT_SCHEME;
869 // Make sure that this combination will fit in the provided space
870 // Since no data movement takes place, can just walk though this
871 // and accept nearly random values. This can only be called from
872 // _cpri__ValidateSignature() so eInSize is known to be in range.
873 fillSize = eInSize - derSize - hashSize - 3;
874 // Start checking
875 fail |= (*eIn++ != 0); // initial byte of zero
876 fail |= (*eIn++ != 1); // byte of 0x01
877 for(; fillSize > 0; fillSize--)
878 fail |= (*eIn++ != 0xff); // bunch of 0xff
879 fail |= (*eIn++ != 0); // another 0
880 for(; derSize > 0; derSize--)
881 fail |= (*eIn++ != *der++); // match the DER
882 for(; hInSize > 0; hInSize--)
883 fail |= (*eIn++ != *hIn++); // match the hash
884 if(fail)
885 return CRYPT_FAIL;
886 return CRYPT_SUCCESS;
887 }
888 //
889 //
890 // Externally Accessible Functions
891 //
892 // _cpri__RsaStartup()
893 //
894 // Function that is called to initialize the hash service. In this implementation, this function does nothing but
895 // it is called by the CryptUtilStartup() function and must be present.
896 //
897 LIB_EXPORT BOOL
_cpri__RsaStartup(void)898 _cpri__RsaStartup(
899 void
900 )
901 {
902 return TRUE;
903 }
904 //
905 //
906 // _cpri__EncryptRSA()
907 //
908 // This is the entry point for encryption using RSA. Encryption is use of the public exponent. The padding
909 // parameter determines what padding will be used.
910 // The cOutSize parameter must be at least as large as the size of the key.
911 // If the padding is RSA_PAD_NONE, dIn is treaded as a number. It must be lower in value than the key
912 // modulus.
913 //
914 //
915 //
916 // NOTE: If dIn has fewer bytes than cOut, then we don't add low-order zeros to dIn to make it the size of the RSA key for
917 // the call to RSAEP. This is because the high order bytes of dIn might have a numeric value that is greater than
918 // the value of the key modulus. If this had low-order zeros added, it would have a numeric value larger than the
919 // modulus even though it started out with a lower numeric value.
920 //
921 //
922 // Return Value Meaning
923 //
924 // CRYPT_SUCCESS encryption complete
925 // CRYPT_PARAMETER cOutSize is too small (must be the size of the modulus)
926 // CRYPT_SCHEME padType is not a supported scheme
927 //
928 LIB_EXPORT CRYPT_RESULT
_cpri__EncryptRSA(UINT32 * cOutSize,BYTE * cOut,RSA_KEY * key,TPM_ALG_ID padType,UINT32 dInSize,BYTE * dIn,TPM_ALG_ID hashAlg,const char * label)929 _cpri__EncryptRSA(
930 UINT32 *cOutSize, // OUT: the size of the encrypted data
931 BYTE *cOut, // OUT: the encrypted data
932 RSA_KEY *key, // IN: the key to use for encryption
933 TPM_ALG_ID padType, // IN: the type of padding
934 UINT32 dInSize, // IN: the amount of data to encrypt
935 BYTE *dIn, // IN: the data to encrypt
936 TPM_ALG_ID hashAlg, // IN: in case this is needed
937 const char *label // IN: in case it is needed
938 )
939 {
940 CRYPT_RESULT retVal = CRYPT_SUCCESS;
941 pAssert(cOutSize != NULL);
942 // All encryption schemes return the same size of data
943 if(*cOutSize < key->publicKey->size)
944 return CRYPT_PARAMETER;
945 *cOutSize = key->publicKey->size;
946 switch (padType)
947 {
948 case TPM_ALG_NULL: // 'raw' encryption
949 {
950 // dIn can have more bytes than cOut as long as the extra bytes
951 // are zero
952 for(; dInSize > *cOutSize; dInSize--)
953 {
954 if(*dIn++ != 0)
955 return CRYPT_PARAMETER;
956 }
957 // If dIn is smaller than cOut, fill cOut with zeros
958 if(dInSize < *cOutSize)
959 memset(cOut, 0, *cOutSize - dInSize);
960 // Copy the rest of the value
961 memcpy(&cOut[*cOutSize-dInSize], dIn, dInSize);
962 // If the size of dIn is the same as cOut dIn could be larger than
963 // the modulus. If it is, then RSAEP() will catch it.
964 }
965 break;
966 case TPM_ALG_RSAES:
967 retVal = RSAES_PKSC1v1_5Encode(*cOutSize, cOut, dInSize, dIn);
968 break;
969 case TPM_ALG_OAEP:
970 retVal = OaepEncode(*cOutSize, cOut, hashAlg, label, dInSize, dIn
971 #ifdef TEST_RSA
972 ,NULL
973 #endif
974 );
975 break;
976 default:
977 return CRYPT_SCHEME;
978 }
979 // All the schemes that do padding will come here for the encryption step
980 // Check that the Encoding worked
981 if(retVal != CRYPT_SUCCESS)
982 return retVal;
983 // Padding OK so do the encryption
984 return RSAEP(*cOutSize, cOut, key);
985 }
986 //
987 //
988 // _cpri__DecryptRSA()
989 //
990 // This is the entry point for decryption using RSA. Decryption is use of the private exponent. The padType
991 // parameter determines what padding was used.
992 //
993 // Return Value Meaning
994 //
995 // CRYPT_SUCCESS successful completion
996 // CRYPT_PARAMETER cInSize is not the same as the size of the public modulus of key; or
997 // numeric value of the encrypted data is greater than the modulus
998 // CRYPT_FAIL dOutSize is not large enough for the result
999 // CRYPT_SCHEME padType is not supported
1000 //
1001 LIB_EXPORT CRYPT_RESULT
_cpri__DecryptRSA(UINT32 * dOutSize,BYTE * dOut,RSA_KEY * key,TPM_ALG_ID padType,UINT32 cInSize,BYTE * cIn,TPM_ALG_ID hashAlg,const char * label)1002 _cpri__DecryptRSA(
1003 UINT32 *dOutSize, // OUT: the size of the decrypted data
1004 BYTE *dOut, // OUT: the decrypted data
1005 RSA_KEY *key, // IN: the key to use for decryption
1006 TPM_ALG_ID padType, // IN: the type of padding
1007 UINT32 cInSize, // IN: the amount of data to decrypt
1008 BYTE *cIn, // IN: the data to decrypt
1009 TPM_ALG_ID hashAlg, // IN: in case this is needed for the scheme
1010 const char *label // IN: in case it is needed for the scheme
1011 )
1012 {
1013 CRYPT_RESULT retVal;
1014 // Make sure that the necessary parameters are provided
1015 pAssert(cIn != NULL && dOut != NULL && dOutSize != NULL && key != NULL);
1016 // Size is checked to make sure that the decryption works properly
1017 if(cInSize != key->publicKey->size)
1018 return CRYPT_PARAMETER;
1019 // For others that do padding, do the decryption in place and then
1020 // go handle the decoding.
1021 if((retVal = RSADP(cInSize, cIn, key)) != CRYPT_SUCCESS)
1022 return retVal; // Decryption failed
1023 // Remove padding
1024 switch (padType)
1025 {
1026 case TPM_ALG_NULL:
1027 if(*dOutSize < key->publicKey->size)
1028 return CRYPT_FAIL;
1029 *dOutSize = key->publicKey->size;
1030 memcpy(dOut, cIn, *dOutSize);
1031 return CRYPT_SUCCESS;
1032 case TPM_ALG_RSAES:
1033 return RSAES_Decode(dOutSize, dOut, cInSize, cIn);
1034 break;
1035 case TPM_ALG_OAEP:
1036 return OaepDecode(dOutSize, dOut, hashAlg, label, cInSize, cIn);
1037 break;
1038 default:
1039 return CRYPT_SCHEME;
1040 break;
1041 }
1042 }
1043 //
1044 //
1045 // _cpri__SignRSA()
1046 //
1047 // This function is used to generate an RSA signature of the type indicated in scheme.
1048 //
1049 // Return Value Meaning
1050 //
1051 // CRYPT_SUCCESS sign operation completed normally
1052 // CRYPT_SCHEME scheme or hashAlg are not supported
1053 // CRYPT_PARAMETER hInSize does not match hashAlg (for RSASSA)
1054 //
1055 LIB_EXPORT CRYPT_RESULT
_cpri__SignRSA(UINT32 * sigOutSize,BYTE * sigOut,RSA_KEY * key,TPM_ALG_ID scheme,TPM_ALG_ID hashAlg,UINT32 hInSize,BYTE * hIn)1056 _cpri__SignRSA(
1057 UINT32 *sigOutSize, // OUT: size of signature
1058 BYTE *sigOut, // OUT: signature
1059 RSA_KEY *key, // IN: key to use
1060 TPM_ALG_ID scheme, // IN: the scheme to use
1061 TPM_ALG_ID hashAlg, // IN: hash algorithm for PKSC1v1_5
1062 UINT32 hInSize, // IN: size of digest to be signed
1063 BYTE *hIn // IN: digest buffer
1064 )
1065 {
1066 CRYPT_RESULT retVal;
1067 // Parameter checks
1068 pAssert(sigOutSize != NULL && sigOut != NULL && key != NULL && hIn != NULL);
1069 // For all signatures the size is the size of the key modulus
1070 *sigOutSize = key->publicKey->size;
1071 switch (scheme)
1072 {
1073 case TPM_ALG_NULL:
1074 *sigOutSize = 0;
1075 return CRYPT_SUCCESS;
1076 case TPM_ALG_RSAPSS:
1077 // PssEncode can return CRYPT_PARAMETER
1078 retVal = PssEncode(*sigOutSize, sigOut, hashAlg, hInSize, hIn
1079 #ifdef TEST_RSA
1080 , NULL
1081 #endif
1082 );
1083 break;
1084 case TPM_ALG_RSASSA:
1085 // RSASSA_Encode can return CRYPT_PARAMETER or CRYPT_SCHEME
1086 retVal = RSASSA_Encode(*sigOutSize, sigOut, hashAlg, hInSize, hIn);
1087 break;
1088 default:
1089 return CRYPT_SCHEME;
1090 }
1091 if(retVal != CRYPT_SUCCESS)
1092 return retVal;
1093 // Do the encryption using the private key
1094 // RSADP can return CRYPT_PARAMETR
1095 return RSADP(*sigOutSize,sigOut, key);
1096 }
1097 //
1098 //
1099 // _cpri__ValidateSignatureRSA()
1100 //
1101 // This function is used to validate an RSA signature. If the signature is valid CRYPT_SUCCESS is
1102 // returned. If the signature is not valid, CRYPT_FAIL is returned. Other return codes indicate either
1103 // parameter problems or fatal errors.
1104 //
1105 // Return Value Meaning
1106 //
1107 // CRYPT_SUCCESS the signature checks
1108 // CRYPT_FAIL the signature does not check
1109 // CRYPT_SCHEME unsupported scheme or hash algorithm
1110 //
1111 LIB_EXPORT CRYPT_RESULT
_cpri__ValidateSignatureRSA(RSA_KEY * key,TPM_ALG_ID scheme,TPM_ALG_ID hashAlg,UINT32 hInSize,BYTE * hIn,UINT32 sigInSize,BYTE * sigIn,UINT16 saltSize)1112 _cpri__ValidateSignatureRSA(
1113 RSA_KEY *key, // IN: key to use
1114 TPM_ALG_ID scheme, // IN: the scheme to use
1115 TPM_ALG_ID hashAlg, // IN: hash algorithm
1116 UINT32 hInSize, // IN: size of digest to be checked
1117 BYTE *hIn, // IN: digest buffer
1118 UINT32 sigInSize, // IN: size of signature
1119 BYTE *sigIn, // IN: signature
1120 UINT16 saltSize // IN: salt size for PSS
1121 )
1122 {
1123 CRYPT_RESULT retVal;
1124 // Fatal programming errors
1125 pAssert(key != NULL && sigIn != NULL && hIn != NULL);
1126 // Errors that might be caused by calling parameters
1127 if(sigInSize != key->publicKey->size)
1128 return CRYPT_FAIL;
1129 // Decrypt the block
1130 if((retVal = RSAEP(sigInSize, sigIn, key)) != CRYPT_SUCCESS)
1131 return CRYPT_FAIL;
1132 switch (scheme)
1133 {
1134 case TPM_ALG_NULL:
1135 return CRYPT_SCHEME;
1136 break;
1137 case TPM_ALG_RSAPSS:
1138 return PssDecode(hashAlg, hInSize, hIn, sigInSize, sigIn, saltSize);
1139 break;
1140 case TPM_ALG_RSASSA:
1141 return RSASSA_Decode(hashAlg, hInSize, hIn, sigInSize, sigIn);
1142 break;
1143 default:
1144 break;
1145 }
1146 return CRYPT_SCHEME;
1147 }
1148 #ifndef RSA_KEY_SIEVE
1149 //
1150 //
1151 // _cpri__GenerateKeyRSA()
1152 //
1153 // Generate an RSA key from a provided seed
1154 //
1155 //
1156 //
1157 //
1158 // Return Value Meaning
1159 //
1160 // CRYPT_FAIL exponent is not prime or is less than 3; or could not find a prime using
1161 // the provided parameters
1162 // CRYPT_CANCEL operation was canceled
1163 //
1164 LIB_EXPORT CRYPT_RESULT
_cpri__GenerateKeyRSA(TPM2B * n,TPM2B * p,UINT16 keySizeInBits,UINT32 e,TPM_ALG_ID hashAlg,TPM2B * seed,const char * label,TPM2B * extra,UINT32 * counter)1165 _cpri__GenerateKeyRSA(
1166 TPM2B *n, // OUT: The public modulu
1167 TPM2B *p, // OUT: One of the prime factors of n
1168 UINT16 keySizeInBits, // IN: Size of the public modulus in bit
1169 UINT32 e, // IN: The public exponent
1170 TPM_ALG_ID hashAlg, // IN: hash algorithm to use in the key
1171 // generation proce
1172 TPM2B *seed, // IN: the seed to use
1173 const char *label, // IN: A label for the generation process.
1174 TPM2B *extra, // IN: Party 1 data for the KDF
1175 UINT32 *counter // IN/OUT: Counter value to allow KFD iteration
1176 // to be propagated across multiple routine
1177 )
1178 {
1179 UINT32 lLen; // length of the label
1180 // (counting the terminating 0);
1181 UINT16 digestSize = _cpri__GetDigestSize(hashAlg);
1182 TPM2B_HASH_BLOCK oPadKey;
1183 UINT32 outer;
1184 UINT32 inner;
1185 BYTE swapped[4];
1186 CRYPT_RESULT retVal;
1187 int i, fill;
1188 const static char defaultLabel[] = "RSA key";
1189 BYTE *pb;
1190 CPRI_HASH_STATE h1; // contains the hash of the
1191 // HMAC key w/ iPad
1192 CPRI_HASH_STATE h2; // contains the hash of the
1193 // HMAC key w/ oPad
1194 CPRI_HASH_STATE h; // the working hash context
1195 BIGNUM *bnP;
1196 BIGNUM *bnQ;
1197 BIGNUM *bnT;
1198 BIGNUM *bnE;
1199 BIGNUM *bnN;
1200 BN_CTX *context;
1201 UINT32 rem;
1202 // Make sure that hashAlg is valid hash
1203 pAssert(digestSize != 0);
1204 // if present, use externally provided counter
1205 if(counter != NULL)
1206 outer = *counter;
1207 else
1208 outer = 1;
1209 // Validate exponent
1210 UINT32_TO_BYTE_ARRAY(e, swapped);
1211 // Need to check that the exponent is prime and not less than 3
1212 if( e != 0 && (e < 3 || !_math__IsPrime(e)))
1213 return CRYPT_FAIL;
1214 // Get structures for the big number representations
1215 context = BN_CTX_new();
1216 if(context == NULL)
1217 FAIL(FATAL_ERROR_ALLOCATION);
1218 BN_CTX_start(context);
1219 bnP = BN_CTX_get(context);
1220 bnQ = BN_CTX_get(context);
1221 bnT = BN_CTX_get(context);
1222 bnE = BN_CTX_get(context);
1223 bnN = BN_CTX_get(context);
1224 if(bnN == NULL)
1225 FAIL(FATAL_ERROR_INTERNAL);
1226 // Set Q to zero. This is used as a flag. The prime is computed in P. When a
1227 // new prime is found, Q is checked to see if it is zero. If so, P is copied
1228 // to Q and a new P is found. When both P and Q are non-zero, the modulus and
1229 // private exponent are computed and a trial encryption/decryption is
1230 // performed. If the encrypt/decrypt fails, assume that at least one of the
1231 // primes is composite. Since we don't know which one, set Q to zero and start
1232 // over and find a new pair of primes.
1233 BN_zero(bnQ);
1234 // Need to have some label
1235 if(label == NULL)
1236 label = (const char *)&defaultLabel;
1237 // Get the label size
1238 for(lLen = 0; label[lLen++] != 0;);
1239 // Start the hash using the seed and get the intermediate hash value
1240 _cpri__StartHMAC(hashAlg, FALSE, &h1, seed->size, seed->buffer, &oPadKey.b);
1241 _cpri__StartHash(hashAlg, FALSE, &h2);
1242 _cpri__UpdateHash(&h2, oPadKey.b.size, oPadKey.b.buffer);
1243 n->size = (keySizeInBits +7)/8;
1244 pAssert(n->size <= MAX_RSA_KEY_BYTES);
1245 p->size = n->size / 2;
1246 if(e == 0)
1247 e = RSA_DEFAULT_PUBLIC_EXPONENT;
1248 BN_set_word(bnE, e);
1249 // The first test will increment the counter from zero.
1250 for(outer += 1; outer != 0; outer++)
1251 {
1252 if(_plat__IsCanceled())
1253 {
1254 retVal = CRYPT_CANCEL;
1255 goto Cleanup;
1256 }
1257 // Need to fill in the candidate with the hash
1258 fill = digestSize;
1259 pb = p->buffer;
1260 // Reset the inner counter
1261 inner = 0;
1262 for(i = p->size; i > 0; i -= digestSize)
1263 {
1264 inner++;
1265 // Initialize the HMAC with saved state
1266 _cpri__CopyHashState(&h, &h1);
1267 // Hash the inner counter (the one that changes on each HMAC iteration)
1268 UINT32_TO_BYTE_ARRAY(inner, swapped);
1269 _cpri__UpdateHash(&h, 4, swapped);
1270 _cpri__UpdateHash(&h, lLen, (BYTE *)label);
1271 // Is there any party 1 data
1272 if(extra != NULL)
1273 _cpri__UpdateHash(&h, extra->size, extra->buffer);
1274 // Include the outer counter (the one that changes on each prime
1275 // prime candidate generation
1276 UINT32_TO_BYTE_ARRAY(outer, swapped);
1277 _cpri__UpdateHash(&h, 4, swapped);
1278 _cpri__UpdateHash(&h, 2, (BYTE *)&keySizeInBits);
1279 if(i < fill)
1280 fill = i;
1281 _cpri__CompleteHash(&h, fill, pb);
1282 // Restart the oPad hash
1283 _cpri__CopyHashState(&h, &h2);
1284 // Add the last hashed data
1285 _cpri__UpdateHash(&h, fill, pb);
1286 // gives a completed HMAC
1287 _cpri__CompleteHash(&h, fill, pb);
1288 pb += fill;
1289 }
1290 // Set the Most significant 2 bits and the low bit of the candidate
1291 p->buffer[0] |= 0xC0;
1292 p->buffer[p->size - 1] |= 1;
1293 // Convert the candidate to a BN
1294 BN_bin2bn(p->buffer, p->size, bnP);
1295 // If this is the second prime, make sure that it differs from the
1296 // first prime by at least 2^100
1297 if(!BN_is_zero(bnQ))
1298 {
1299 // bnQ is non-zero if we already found it
1300 if(BN_ucmp(bnP, bnQ) < 0)
1301 BN_sub(bnT, bnQ, bnP);
1302 else
1303 BN_sub(bnT, bnP, bnQ);
1304 if(BN_num_bits(bnT) < 100) // Difference has to be at least 100 bits
1305 continue;
1306 }
1307 // Make sure that the prime candidate (p) is not divisible by the exponent
1308 // and that (p-1) is not divisible by the exponent
1309 // Get the remainder after dividing by the modulus
1310 rem = BN_mod_word(bnP, e);
1311 if(rem == 0) // evenly divisible so add two keeping the number odd and
1312 // making sure that 1 != p mod e
1313 BN_add_word(bnP, 2);
1314 else if(rem == 1) // leaves a remainder of 1 so subtract two keeping the
1315 // number odd and making (e-1) = p mod e
1316 BN_sub_word(bnP, 2);
1317 // Have a candidate, check for primality
1318 if((retVal = (CRYPT_RESULT)BN_is_prime_ex(bnP,
1319 BN_prime_checks, NULL, NULL)) < 0)
1320 FAIL(FATAL_ERROR_INTERNAL);
1321 if(retVal != 1)
1322 continue;
1323 // Found a prime, is this the first or second.
1324 if(BN_is_zero(bnQ))
1325 {
1326 // copy p to q and compute another prime in p
1327 BN_copy(bnQ, bnP);
1328 continue;
1329 }
1330 //Form the public modulus
1331 BN_mul(bnN, bnP, bnQ, context);
1332 if(BN_num_bits(bnN) != keySizeInBits)
1333 FAIL(FATAL_ERROR_INTERNAL);
1334 // Save the public modulus
1335 BnTo2B(n, bnN, n->size); // Will pad the buffer to the correct size
1336 pAssert((n->buffer[0] & 0x80) != 0);
1337 // And one prime
1338 BnTo2B(p, bnP, p->size);
1339 pAssert((p->buffer[0] & 0x80) != 0);
1340 // Finish by making sure that we can form the modular inverse of PHI
1341 // with respect to the public exponent
1342 // Compute PHI = (p - 1)(q - 1) = n - p - q + 1
1343 // Make sure that we can form the modular inverse
1344 BN_sub(bnT, bnN, bnP);
1345 BN_sub(bnT, bnT, bnQ);
1346 BN_add_word(bnT, 1);
1347 // find d such that (Phi * d) mod e ==1
1348 // If there isn't then we are broken because we took the step
1349 // of making sure that the prime != 1 mod e so the modular inverse
1350 // must exist
1351 if(BN_mod_inverse(bnT, bnE, bnT, context) == NULL || BN_is_zero(bnT))
1352 FAIL(FATAL_ERROR_INTERNAL);
1353 // And, finally, do a trial encryption decryption
1354 {
1355 TPM2B_TYPE(RSA_KEY, MAX_RSA_KEY_BYTES);
1356 TPM2B_RSA_KEY r;
1357 r.t.size = sizeof(n->size);
1358 // If we are using a seed, then results must be reproducible on each
1359 // call. Otherwise, just get a random number
1360 if(seed == NULL)
1361 _cpri__GenerateRandom(n->size, r.t.buffer);
1362 else
1363 {
1364 // this this version does not have a deterministic RNG, XOR the
1365 // public key and private exponent to get a deterministic value
1366 // for testing.
1367 int i;
1368 // Generate a random-ish number starting with the public modulus
1369 // XORed with the MSO of the seed
1370 for(i = 0; i < n->size; i++)
1371 r.t.buffer[i] = n->buffer[i] ^ seed->buffer[0];
1372 }
1373 // Make sure that the number is smaller than the public modulus
1374 r.t.buffer[0] &= 0x7F;
1375 // Convert
1376 if( BN_bin2bn(r.t.buffer, r.t.size, bnP) == NULL
1377 // Encrypt with the public exponent
1378 || BN_mod_exp(bnQ, bnP, bnE, bnN, context) != 1
1379 // Decrypt with the private exponent
1380 || BN_mod_exp(bnQ, bnQ, bnT, bnN, context) != 1)
1381 FAIL(FATAL_ERROR_INTERNAL);
1382 // If the starting and ending values are not the same, start over )-;
1383 if(BN_ucmp(bnP, bnQ) != 0)
1384 {
1385 BN_zero(bnQ);
1386 continue;
1387 }
1388 }
1389 retVal = CRYPT_SUCCESS;
1390 goto Cleanup;
1391 }
1392 retVal = CRYPT_FAIL;
1393 Cleanup:
1394 // Close out the hash sessions
1395 _cpri__CompleteHash(&h2, 0, NULL);
1396 _cpri__CompleteHash(&h1, 0, NULL);
1397 // Free up allocated BN values
1398 BN_CTX_end(context);
1399 BN_CTX_free(context);
1400 if(counter != NULL)
1401 *counter = outer;
1402 return retVal;
1403 }
1404 #endif // RSA_KEY_SIEVE
1405 #endif // TPM_ALG_RSA
1406