diff --git a/wolfcrypt/src/cryptocb.c b/wolfcrypt/src/cryptocb.c index 4b903ddb7a..28015cbeb5 100644 --- a/wolfcrypt/src/cryptocb.c +++ b/wolfcrypt/src/cryptocb.c @@ -445,8 +445,8 @@ int wc_CryptoCb_Rsa(const byte* in, word32 inLen, byte* out, #ifdef WOLF_CRYPTO_CB_RSA_PAD int wc_CryptoCb_RsaPad(const byte* in, word32 inLen, byte* out, - word32* outLen, int type, RsaKey* key, WC_RNG* rng, - RsaPadding *padding) + word32* outLen, int type, RsaKey* key, WC_RNG* rng, + RsaPadding *padding) { int ret = WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE); CryptoCb* dev; @@ -458,9 +458,8 @@ int wc_CryptoCb_RsaPad(const byte* in, word32 inLen, byte* out, /* locate registered callback */ dev = wc_CryptoCb_FindDevice(key->devId, WC_ALGO_TYPE_PK); - if (padding) { - switch(padding->pad_type) { -#ifndef NO_PKCS11_RSA_PKCS + if (padding != NULL) { + switch (padding->pad_type) { case WC_RSA_PKCSV15_PAD: pk_type = WC_PK_TYPE_RSA_PKCS; break; @@ -470,7 +469,6 @@ int wc_CryptoCb_RsaPad(const byte* in, word32 inLen, byte* out, case WC_RSA_OAEP_PAD: pk_type = WC_PK_TYPE_RSA_OAEP; break; -#endif /* NO_PKCS11_RSA_PKCS */ default: pk_type = WC_PK_TYPE_RSA; } @@ -497,7 +495,7 @@ int wc_CryptoCb_RsaPad(const byte* in, word32 inLen, byte* out, return wc_CryptoCb_TranslateErrorCode(ret); } -#endif +#endif /* WOLF_CRYPTO_CB_RSA_PAD */ #ifdef WOLFSSL_KEY_GEN int wc_CryptoCb_MakeRsaKey(RsaKey* key, int size, long e, WC_RNG* rng) diff --git a/wolfcrypt/src/port/Renesas/renesas_common.c b/wolfcrypt/src/port/Renesas/renesas_common.c index 0d40f49816..b91b1f81e0 100644 --- a/wolfcrypt/src/port/Renesas/renesas_common.c +++ b/wolfcrypt/src/port/Renesas/renesas_common.c @@ -251,35 +251,33 @@ static int Renesas_cmn_CryptoDevCb(int devIdArg, wc_CryptoInfo* info, void* ctx) } if (info->algo_type == WC_ALGO_TYPE_PK) { - #if !defined(NO_RSA) && defined(WOLFSSL_RENESAS_TSIP_CRYPTONLY) - #if defined(WOLFSSL_KEY_GEN) - if (info->pk.type == WC_PK_TYPE_RSA_KEYGEN && - (info->pk.rsakg.size == 1024 || info->pk.rsakg.size == 2048)) { + #if !defined(NO_RSA) + #if defined(WOLFSSL_KEY_GEN) && defined(WOLFSSL_RENESAS_TSIP_CRYPTONLY) + if (info->pk.type == WC_PK_TYPE_RSA_KEYGEN) { ret = wc_tsip_MakeRsaKey(info->pk.rsakg.size, (void*)ctx); - } else - #endif - if (info->pk.type == WC_PK_TYPE_RSA && - (info->pk.rsa.type == RSA_PRIVATE_DECRYPT || - info->pk.rsa.type == RSA_PUBLIC_ENCRYPT)) { - /* rsa public encrypt/private decrypt */ - ret = wc_tsip_RsaFunction(info, cbInfo); - } else - #endif - if (info->pk.type == WC_PK_TYPE_RSA && - info->pk.rsa.type == RSA_PRIVATE_ENCRYPT) { - /* RSA Signing - * Can handle only RSA PkCS#1v1.5 padding scheme here. - */ - ret = tsip_SignRsaPkcs(info, cbInfo); - } - #if defined(WOLFSSL_RENESAS_TSIP_CRYPTONLY) - /* RSA Verify */ - else if (info->pk.type == WC_PK_TYPE_RSA && - info->pk.rsa.type == RSA_PUBLIC_DECRYPT) { - ret = wc_tsip_RsaVerifyPkcs(info, cbInfo); } #endif - + /* tsip only supports PKCSV15 padding scheme */ + if (info->pk.type == WC_PK_TYPE_RSA_PKCS) { + RsaPadding* pad = info->pk.rsa.padding; + if (pad && pad->pad_value == RSA_BLOCK_TYPE_1) { + /* sign / verify */ + if (info->pk.rsa.type == RSA_PRIVATE_ENCRYPT || + info->pk.rsa.type == RSA_PRIVATE_DECRYPT) { + ret = tsip_SignRsaPkcs(info, cbInfo); + } + else { + ret = wc_tsip_RsaVerifyPkcs(info, cbInfo); + } + } + #ifdef WOLFSSL_RENESAS_TSIP_CRYPTONLY + else if (pad && pad->pad_value == RSA_BLOCK_TYPE_2) { + /* encrypt/decrypt */ + ret = wc_tsip_RsaFunction(info, cbInfo); + } + #endif + } + #endif /* !NO_RSA */ #if defined(HAVE_ECC) #if defined(WOLFSSL_RENESAS_TSIP_TLS) if (info->pk.type == WC_PK_TYPE_ECDSA_SIGN) { @@ -468,7 +466,7 @@ int Renesas_cmn_usable(const struct WOLFSSL* ssl, byte session_key_generated) * Get Callback ctx by devId * * devId : devId to get its CTX - * return asocciated CTX when the method is successfully called. + * return associated CTX when the method is successfully called. * otherwise, NULL */ WOLFSSL_LOCAL void *Renesas_cmn_GetCbCtxBydevId(int devId) diff --git a/wolfcrypt/src/port/Renesas/renesas_fspsm_rsa.c b/wolfcrypt/src/port/Renesas/renesas_fspsm_rsa.c index 778e5fff6f..459d70edc4 100644 --- a/wolfcrypt/src/port/Renesas/renesas_fspsm_rsa.c +++ b/wolfcrypt/src/port/Renesas/renesas_fspsm_rsa.c @@ -67,7 +67,7 @@ WOLFSSL_LOCAL void wc_fspsm_RsaKeyFree(RsaKey *key) /* Set Rsa key by pre-created wrapped user key * * key RsaKey object - * size desired keylenth, in bits. supports 1024 or 2048 bits + * size desired key length, in bits. supports 1024 or 2048 bits * ctx Callback context including pointer to hold generated key * return FSP_SUCCESS(0) on Success, otherwise negative value */ diff --git a/wolfcrypt/src/port/Renesas/renesas_tsip_rsa.c b/wolfcrypt/src/port/Renesas/renesas_tsip_rsa.c index ae1f3aa786..f7fcf10164 100644 --- a/wolfcrypt/src/port/Renesas/renesas_tsip_rsa.c +++ b/wolfcrypt/src/port/Renesas/renesas_tsip_rsa.c @@ -42,11 +42,11 @@ /* Make RSA key for TSIP and set it to callback ctx * Assumes to be called by Crypt Callback * - * size desired keylenth, in bits. supports 1024 or 2048 bits + * size desired key length, in bits. supports 1024 or 2048 bits * ctx Callback context including pointer to hold generated key * return TSIP_SUCCESS(0) on Success, otherwise negative value */ -WOLFSSL_LOCAL int wc_tsip_MakeRsaKey(int size, void* ctx) +int wc_tsip_MakeRsaKey(int size, void* ctx) { e_tsip_err_t ret; TsipUserCtx *info = (TsipUserCtx*)ctx; @@ -249,6 +249,9 @@ int wc_tsip_RsaFunction(wc_CryptoInfo* info, TsipUserCtx* tuc) "1024 or 2048 bits."); return BAD_FUNC_ARG; } + if (ret == 0) { + info->pk.rsa.outLen = cipher.data_length; + } } else if (type == RSA_PRIVATE_DECRYPT || type == RSA_PRIVATE_ENCRYPT) { @@ -270,6 +273,9 @@ int wc_tsip_RsaFunction(wc_CryptoInfo* info, TsipUserCtx* tuc) "1024 or 2048 bits."); return BAD_FUNC_ARG; } + if (ret == 0) { + info->pk.rsa.outLen = plain.data_length; + } } tsip_hw_unlock(); } diff --git a/wolfcrypt/src/port/Renesas/renesas_tsip_util.c b/wolfcrypt/src/port/Renesas/renesas_tsip_util.c index 102418f99f..435865346a 100644 --- a/wolfcrypt/src/port/Renesas/renesas_tsip_util.c +++ b/wolfcrypt/src/port/Renesas/renesas_tsip_util.c @@ -3632,6 +3632,7 @@ int wc_tsip_tls_RootCertVerify( return ret; } #endif /* WOLFSSL_RENESAS_TSIP_TLS */ + #if !defined(NO_RSA) /* Perform signing with the client's RSA private key on hash value of messages * exchanged with server. @@ -3646,7 +3647,7 @@ int wc_tsip_tls_RootCertVerify( * 0 on success, CRYPTOCB_UNAVAILABLE on unsupported key type specified. * */ -WOLFSSL_LOCAL int tsip_SignRsaPkcs(wc_CryptoInfo* info, TsipUserCtx* tuc) +int tsip_SignRsaPkcs(wc_CryptoInfo* info, TsipUserCtx* tuc) { int ret = 0; e_tsip_err_t err = TSIP_SUCCESS; @@ -3724,18 +3725,18 @@ WOLFSSL_LOCAL int tsip_SignRsaPkcs(wc_CryptoInfo* info, TsipUserCtx* tuc) #endif if (ret == 0) { - #ifdef WOLFSSL_RENESAS_TSIP_TLS + #ifdef WOLFSSL_RENESAS_TSIP_TLS hashData.pdata = (uint8_t*)ssl->buffers.digest.buffer; hashData.data_type = 1; sigData.pdata = (uint8_t*)info->pk.rsa.in; sigData.data_length = 0; /* signature size will be returned here */ - #else + #else hashData.pdata = (uint8_t*)info->pk.rsa.in; hashData.data_length= info->pk.rsa.inLen; hashData.data_type = tuc->keyflgs_crypt.bits.message_type; sigData.pdata = (uint8_t*)info->pk.rsa.out; sigData.data_length = 0; - #endif + #endif if ((ret = tsip_hw_lock()) == 0) { switch (tuc->wrappedKeyType) { #ifdef WOLFSSL_RENESAS_TSIP_CRYPTONLY @@ -3752,7 +3753,6 @@ WOLFSSL_LOCAL int tsip_SignRsaPkcs(wc_CryptoInfo* info, TsipUserCtx* tuc) break; #endif case TSIP_KEY_TYPE_RSA2048: - err = R_TSIP_RsassaPkcs2048SignatureGenerate( &hashData, &sigData, #ifdef WOLFSSL_RENESAS_TSIP_TLS diff --git a/wolfcrypt/src/rsa.c b/wolfcrypt/src/rsa.c index 9e34599caf..59003d3c44 100644 --- a/wolfcrypt/src/rsa.c +++ b/wolfcrypt/src/rsa.c @@ -277,7 +277,6 @@ int wc_InitRsaKey_ex(RsaKey* key, void* heap, int devId) key->handle = NULL; #endif - #if defined(WOLFSSL_RENESAS_FSPSM) key->ctx.wrapped_pri1024_key = NULL; key->ctx.wrapped_pub1024_key = NULL; @@ -285,6 +284,7 @@ int wc_InitRsaKey_ex(RsaKey* key, void* heap, int devId) key->ctx.wrapped_pub2048_key = NULL; key->ctx.keySz = 0; #endif + return ret; } @@ -3374,24 +3374,7 @@ static int RsaPublicEncryptEx(const byte* in, word32 inLen, byte* out, pad_value, pad_type, hash, mgf, label, labelSz, sz); } - #elif defined(WOLFSSL_RENESAS_FSPSM_CRYPTONLY) || \ - (!defined(WOLFSSL_RENESAS_TSIP_TLS) && \ - defined(WOLFSSL_RENESAS_TSIP_CRYPTONLY)) - /* SCE needs wrapped key which is passed via - * user ctx object of crypt-call back. - */ - #ifdef WOLF_CRYPTO_CB - if (key->devId != INVALID_DEVID) { - /* SCE supports 1024 and 2048 bits */ - ret = wc_CryptoCb_Rsa(in, inLen, out, - &outLen, rsa_type, key, rng); - if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE)) - return ret; - /* fall-through when unavailable */ - ret = 0; /* reset error code and try using software */ - } - #endif - #endif /* WOLFSSL_SE050 */ + #endif /* RSA CRYPTO HW */ #if defined(WOLF_CRYPTO_CB) && defined(WOLF_CRYPTO_CB_RSA_PAD) if (key->devId != INVALID_DEVID) { @@ -3561,21 +3544,7 @@ static int RsaPrivateDecryptEx(const byte* in, word32 inLen, byte* out, } return ret; } - #elif defined(WOLFSSL_RENESAS_FSPSM_CRYPTONLY) || \ - (!defined(WOLFSSL_RENESAS_TSIP_TLS) && \ - defined(WOLFSSL_RENESAS_TSIP_CRYPTONLY)) - #ifdef WOLF_CRYPTO_CB - if (key->devId != INVALID_DEVID) { - ret = wc_CryptoCb_Rsa(in, inLen, out, - &outLen, rsa_type, key, rng); - if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE)) - return ret; - /* fall-through when unavailable */ - ret = 0; /* reset error code and try using software */ - } - #endif - - #endif /* WOLFSSL_CRYPTOCELL */ + #endif /* RSA CRYPTO HW */ #if !defined(WOLFSSL_RSA_VERIFY_ONLY) && !defined(WOLFSSL_RSA_VERIFY_INLINE) && \ diff --git a/wolfcrypt/src/wc_pkcs11.c b/wolfcrypt/src/wc_pkcs11.c index 4a3b28adb1..42f71647eb 100644 --- a/wolfcrypt/src/wc_pkcs11.c +++ b/wolfcrypt/src/wc_pkcs11.c @@ -2198,7 +2198,7 @@ static int Pkcs11Rsa(Pkcs11Session* session, wc_CryptoInfo* info) case WC_PK_TYPE_RSA_OAEP: mechanism = CKM_RSA_PKCS_OAEP; break; -#endif /* NO_PKCS11_RSA_PKCS */ +#endif /* !NO_PKCS11_RSA_PKCS */ case WC_PK_TYPE_RSA: mechanism = CKM_RSA_X_509; break; diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h index e02870c13b..4222af4c3e 100644 --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h @@ -994,6 +994,11 @@ #define TSIP_TLS_HMAC_KEY_INDEX_WORDSIZE 64 #define TSIP_TLS_MASTERSECRET_SIZE 80 /* 20 words */ #define TSIP_TLS_ENCPUBKEY_SZ_BY_CERTVRFY 560 /* in byte */ + + #ifdef WOLF_CRYPTO_CB + /* make sure RSA padding callbacks are enabled */ + #define WOLF_CRYPTO_CB_RSA_PAD + #endif #endif /* WOLFSSL_RENESAS_TSIP */ #if !defined(WOLFSSL_NO_HASH_RAW) && defined(WOLFSSL_RENESAS_RX64_HASH)