1 // This file was extracted from the TCG Published 2 // Trusted Platform Module Library 3 // Part 4: Supporting Routines 4 // Family "2.0" 5 // Level 00 Revision 01.16 6 // October 30, 2014 7 8 #include <string.h> 9 10 #include "OsslCryptoEngine.h" 11 #ifdef TPM_ALG_RSA 12 // 13 // 14 // Local Functions 15 // 16 // RsaPrivateExponent() 17 // 18 // This function computes the private exponent de = 1 mod (p-1)*(q-1) The inputs are the public modulus 19 // and one of the primes. 20 // The results are returned in the key->private structure. The size of that structure is expanded to hold the 21 // private exponent. If the computed value is smaller than the public modulus, the private exponent is de- 22 // normalized. 23 // 24 // Return Value Meaning 25 // 26 // CRYPT_SUCCESS private exponent computed 27 // CRYPT_PARAMETER prime is not half the size of the modulus, or the modulus is not evenly 28 // divisible by the prime, or no private exponent could be computed 29 // from the input parameters 30 // 31 CRYPT_RESULT 32 RsaPrivateExponent( 33 RSA_KEY *key // IN: the key to augment with the private 34 // exponent 35 ) 36 { 37 BN_CTX *context; 38 BIGNUM *bnD; 39 BIGNUM *bnN; 40 BIGNUM *bnP; 41 BIGNUM *bnE; 42 BIGNUM *bnPhi; 43 BIGNUM *bnQ; 44 BIGNUM *bnQr; 45 UINT32 fill; 46 CRYPT_RESULT retVal = CRYPT_SUCCESS; // Assume success 47 pAssert(key != NULL && key->privateKey != NULL && key->publicKey != NULL); 48 context = BN_CTX_new(); 49 if(context == NULL) 50 FAIL(FATAL_ERROR_ALLOCATION); 51 BN_CTX_start(context); 52 bnE = BN_CTX_get(context); 53 bnD = BN_CTX_get(context); 54 bnN = BN_CTX_get(context); 55 bnP = BN_CTX_get(context); 56 bnPhi = BN_CTX_get(context); 57 bnQ = BN_CTX_get(context); 58 bnQr = BN_CTX_get(context); 59 if(bnQr == NULL) 60 FAIL(FATAL_ERROR_ALLOCATION); 61 // Assume the size of the public key value is within range 62 pAssert(key->publicKey->size <= MAX_RSA_KEY_BYTES); 63 if( BN_bin2bn(key->publicKey->buffer, key->publicKey->size, bnN) == NULL 64 || BN_bin2bn(key->privateKey->buffer, key->privateKey->size, bnP) == NULL) 65 FAIL(FATAL_ERROR_INTERNAL); 66 // If P size is not 1/2 of n size, then this is not a valid value for this 67 // implementation. This will also catch the case were P is input as zero. 68 // This generates a return rather than an assert because the key being loaded 69 // might be SW generated and wrong. 70 if(BN_num_bits(bnP) < BN_num_bits(bnN)/2) 71 { 72 retVal = CRYPT_PARAMETER; 73 goto Cleanup; 74 } 75 // Get q = n/p; 76 if (BN_div(bnQ, bnQr, bnN, bnP, context) != 1) 77 FAIL(FATAL_ERROR_INTERNAL); 78 // If there is a remainder, then this is not a valid n 79 if(BN_num_bytes(bnQr) != 0 || BN_num_bits(bnQ) != BN_num_bits(bnP)) 80 { 81 retVal = CRYPT_PARAMETER; // problem may be recoverable 82 goto Cleanup; 83 } 84 // Get compute Phi = (p - 1)(q - 1) = pq - p - q + 1 = n - p - q + 1 85 if( BN_copy(bnPhi, bnN) == NULL 86 || !BN_sub(bnPhi, bnPhi, bnP) 87 || !BN_sub(bnPhi, bnPhi, bnQ) 88 || !BN_add_word(bnPhi, 1)) 89 FAIL(FATAL_ERROR_INTERNAL); 90 // Compute the multiplicative inverse 91 BN_set_word(bnE, key->exponent); 92 if(BN_mod_inverse(bnD, bnE, bnPhi, context) == NULL) 93 { 94 // Going to assume that the error is caused by a bad 95 // set of parameters. Specifically, an exponent that is 96 // not compatible with the primes. In an implementation that 97 // has better visibility to the error codes, this might be 98 // refined so that failures in the library would return 99 // a more informative value. Should not assume here that 100 // the error codes will remain unchanged. 101 retVal = CRYPT_PARAMETER; 102 goto Cleanup; 103 } 104 fill = key->publicKey->size - BN_num_bytes(bnD); 105 BN_bn2bin(bnD, &key->privateKey->buffer[fill]); 106 memset(key->privateKey->buffer, 0, fill); 107 // Change the size of the private key so that it is known to contain 108 // a private exponent rather than a prime. 109 key->privateKey->size = key->publicKey->size; 110 Cleanup: 111 BN_CTX_end(context); 112 BN_CTX_free(context); 113 return retVal; 114 } 115 // 116 // 117 // _cpri__TestKeyRSA() 118 // 119 // This function computes the private exponent de = 1 mod (p-1)*(q-1) The inputs are the public modulus 120 // and one of the primes or two primes. 121 // If both primes are provided, the public modulus is computed. If only one prime is provided, the second 122 // prime is computed. In either case, a private exponent is produced and placed in d. 123 // If no modular inverse exists, then CRYPT_PARAMETER is returned. 124 // 125 // Return Value Meaning 126 // 127 // CRYPT_SUCCESS private exponent (d) was generated 128 // CRYPT_PARAMETER one or more parameters are invalid 129 // 130 LIB_EXPORT CRYPT_RESULT 131 _cpri__TestKeyRSA( 132 TPM2B *d, // OUT: the address to receive the private 133 // exponent 134 UINT32 exponent, // IN: the public modulu 135 TPM2B *publicKey, // IN/OUT: an input if only one prime is 136 // provided. an output if both primes are 137 // provided 138 TPM2B *prime1, // IN: a first prime 139 TPM2B *prime2 // IN: an optional second prime 140 ) 141 { 142 BN_CTX *context; 143 BIGNUM *bnD; 144 BIGNUM *bnN; 145 BIGNUM *bnP; 146 BIGNUM *bnE; 147 BIGNUM *bnPhi; 148 BIGNUM *bnQ; 149 BIGNUM *bnQr; 150 UINT32 fill; 151 CRYPT_RESULT retVal = CRYPT_SUCCESS; // Assume success 152 pAssert(publicKey != NULL && prime1 != NULL); 153 // Make sure that the sizes are within range 154 pAssert( prime1->size <= MAX_RSA_KEY_BYTES/2 155 && publicKey->size <= MAX_RSA_KEY_BYTES); 156 pAssert( prime2 == NULL || prime2->size < MAX_RSA_KEY_BYTES/2); 157 if(publicKey->size/2 != prime1->size) 158 return CRYPT_PARAMETER; 159 context = BN_CTX_new(); 160 if(context == NULL) 161 FAIL(FATAL_ERROR_ALLOCATION); 162 BN_CTX_start(context); 163 bnE = BN_CTX_get(context); // public exponent (e) 164 bnD = BN_CTX_get(context); // private exponent (d) 165 bnN = BN_CTX_get(context); // public modulus (n) 166 bnP = BN_CTX_get(context); // prime1 (p) 167 bnPhi = BN_CTX_get(context); // (p-1)(q-1) 168 bnQ = BN_CTX_get(context); // prime2 (q) 169 bnQr = BN_CTX_get(context); // n mod p 170 if(bnQr == NULL) 171 FAIL(FATAL_ERROR_ALLOCATION); 172 if(BN_bin2bn(prime1->buffer, prime1->size, bnP) == NULL) 173 FAIL(FATAL_ERROR_INTERNAL); 174 // If prime2 is provided, then compute n 175 if(prime2 != NULL) 176 { 177 // Two primes provided so use them to compute n 178 if(BN_bin2bn(prime2->buffer, prime2->size, bnQ) == NULL) 179 FAIL(FATAL_ERROR_INTERNAL); 180 // Make sure that the sizes of the primes are compatible 181 if(BN_num_bits(bnQ) != BN_num_bits(bnP)) 182 { 183 retVal = CRYPT_PARAMETER; 184 goto Cleanup; 185 } 186 // Multiply the primes to get the public modulus 187 if(BN_mul(bnN, bnP, bnQ, context) != 1) 188 FAIL(FATAL_ERROR_INTERNAL); 189 // if the space provided for the public modulus is large enough, 190 // save the created value 191 if(BN_num_bits(bnN) != (publicKey->size * 8)) 192 { 193 retVal = CRYPT_PARAMETER; 194 goto Cleanup; 195 } 196 BN_bn2bin(bnN, publicKey->buffer); 197 } 198 else 199 { 200 // One prime provided so find the second prime by division 201 BN_bin2bn(publicKey->buffer, publicKey->size, bnN); 202 // Get q = n/p; 203 if(BN_div(bnQ, bnQr, bnN, bnP, context) != 1) 204 FAIL(FATAL_ERROR_INTERNAL); 205 // If there is a remainder, then this is not a valid n 206 if(BN_num_bytes(bnQr) != 0 || BN_num_bits(bnQ) != BN_num_bits(bnP)) 207 { 208 retVal = CRYPT_PARAMETER; // problem may be recoverable 209 goto Cleanup; 210 } 211 } 212 // Get compute Phi = (p - 1)(q - 1) = pq - p - q + 1 = n - p - q + 1 213 BN_copy(bnPhi, bnN); 214 BN_sub(bnPhi, bnPhi, bnP); 215 BN_sub(bnPhi, bnPhi, bnQ); 216 BN_add_word(bnPhi, 1); 217 // Compute the multiplicative inverse 218 BN_set_word(bnE, exponent); 219 if(BN_mod_inverse(bnD, bnE, bnPhi, context) == NULL) 220 { 221 // Going to assume that the error is caused by a bad set of parameters. 222 // Specifically, an exponent that is not compatible with the primes. 223 // In an implementation that has better visibility to the error codes, 224 // this might be refined so that failures in the library would return 225 // a more informative value. 226 // Do not assume that the error codes will remain unchanged. 227 retVal = CRYPT_PARAMETER; 228 goto Cleanup; 229 } 230 // Return the private exponent. 231 // Make sure it is normalized to have the correct size. 232 d->size = publicKey->size; 233 fill = d->size - BN_num_bytes(bnD); 234 BN_bn2bin(bnD, &d->buffer[fill]); 235 memset(d->buffer, 0, fill); 236 Cleanup: 237 BN_CTX_end(context); 238 BN_CTX_free(context); 239 return retVal; 240 } 241 // 242 // 243 // RSAEP() 244 // 245 // This function performs the RSAEP operation defined in PKCS#1v2.1. It is an exponentiation of a value 246 // (m) with the public exponent (e), modulo the public (n). 247 // 248 // Return Value Meaning 249 // 250 // CRYPT_SUCCESS encryption complete 251 // CRYPT_PARAMETER number to exponentiate is larger than the modulus 252 // 253 static CRYPT_RESULT 254 RSAEP ( 255 UINT32 dInOutSize, // OUT size of the encrypted block 256 BYTE *dInOut, // OUT: the encrypted data 257 RSA_KEY *key // IN: the key to use 258 ) 259 { 260 UINT32 e; 261 BYTE exponent[4]; 262 CRYPT_RESULT retVal; 263 e = key->exponent; 264 if(e == 0) 265 e = RSA_DEFAULT_PUBLIC_EXPONENT; 266 UINT32_TO_BYTE_ARRAY(e, exponent); 267 //!!! Can put check for test of RSA here 268 retVal = _math__ModExp(dInOutSize, dInOut, dInOutSize, dInOut, 4, exponent, 269 key->publicKey->size, key->publicKey->buffer); 270 // Exponentiation result is stored in-place, thus no space shortage is possible. 271 pAssert(retVal != CRYPT_UNDERFLOW); 272 return retVal; 273 } 274 // 275 // 276 // RSADP() 277 // 278 // This function performs the RSADP operation defined in PKCS#1v2.1. It is an exponentiation of a value (c) 279 // with the private exponent (d), modulo the public modulus (n). The decryption is in place. 280 // 281 // This function also checks the size of the private key. If the size indicates that only a prime value is 282 // present, the key is converted to being a private exponent. 283 // 284 // Return Value Meaning 285 // 286 // CRYPT_SUCCESS decryption succeeded 287 // CRYPT_PARAMETER the value to decrypt is larger than the modulus 288 // 289 static CRYPT_RESULT 290 RSADP ( 291 UINT32 dInOutSize, // IN/OUT: size of decrypted data 292 BYTE *dInOut, // IN/OUT: the decrypted data 293 RSA_KEY *key // IN: the key 294 ) 295 { 296 CRYPT_RESULT retVal; 297 //!!! Can put check for RSA tested here 298 // Make sure that the pointers are provided and that the private key is present 299 // If the private key is present it is assumed to have been created by 300 // so is presumed good _cpri__PrivateExponent 301 pAssert(key != NULL && dInOut != NULL && 302 key->publicKey->size == key->publicKey->size); 303 // make sure that the value to be decrypted is smaller than the modulus 304 // note: this check is redundant as is also performed by _math__ModExp() 305 // which is optimized for use in RSA operations 306 if(_math__uComp(key->publicKey->size, key->publicKey->buffer, 307 dInOutSize, dInOut) <= 0) 308 return CRYPT_PARAMETER; 309 // _math__ModExp can return CRYPT_PARAMTER or CRYPT_UNDERFLOW but actual 310 // underflow is not possible because everything is in the same buffer. 311 retVal = _math__ModExp(dInOutSize, dInOut, dInOutSize, dInOut, 312 key->privateKey->size, key->privateKey->buffer, 313 key->publicKey->size, key->publicKey->buffer); 314 // Exponentiation result is stored in-place, thus no space shortage is possible. 315 pAssert(retVal != CRYPT_UNDERFLOW); 316 return retVal; 317 } 318 // 319 // 320 // OaepEncode() 321 // 322 // This function performs OAEP padding. The size of the buffer to receive the OAEP padded data must 323 // equal the size of the modulus 324 // 325 // Return Value Meaning 326 // 327 // CRYPT_SUCCESS encode successful 328 // CRYPT_PARAMETER hashAlg is not valid 329 // CRYPT_FAIL message size is too large 330 // 331 static CRYPT_RESULT 332 OaepEncode( 333 UINT32 paddedSize, // IN: pad value size 334 BYTE *padded, // OUT: the pad data 335 TPM_ALG_ID hashAlg, // IN: algorithm to use for padding 336 const char *label, // IN: null-terminated string (may be NULL) 337 UINT32 messageSize, // IN: the message size 338 BYTE *message // IN: the message being padded 339 #ifdef TEST_RSA // 340 , BYTE *testSeed // IN: optional seed used for testing. 341 #endif // TEST_RSA // 342 ) 343 { 344 UINT32 padLen; 345 UINT32 dbSize; 346 UINT32 i; 347 BYTE mySeed[MAX_DIGEST_SIZE]; 348 BYTE *seed = mySeed; 349 INT32 hLen = _cpri__GetDigestSize(hashAlg); 350 BYTE mask[MAX_RSA_KEY_BYTES]; 351 BYTE *pp; 352 BYTE *pm; 353 UINT32 lSize = 0; 354 CRYPT_RESULT retVal = CRYPT_SUCCESS; 355 pAssert(padded != NULL && message != NULL); 356 // A value of zero is not allowed because the KDF can't produce a result 357 // if the digest size is zero. 358 if(hLen <= 0) 359 return CRYPT_PARAMETER; 360 // If a label is provided, get the length of the string, including the 361 // terminator 362 if(label != NULL) 363 lSize = (UINT32)strlen(label) + 1; 364 // Basic size check 365 // messageSize <= k 2hLen 2 366 if(messageSize > paddedSize - 2 * hLen - 2) 367 return CRYPT_FAIL; 368 // Hash L even if it is null 369 // Offset into padded leaving room for masked seed and byte of zero 370 pp = &padded[hLen + 1]; 371 retVal = _cpri__HashBlock(hashAlg, lSize, (BYTE *)label, hLen, pp); 372 // concatenate PS of k mLen 2hLen 2 373 padLen = paddedSize - messageSize - (2 * hLen) - 2; 374 memset(&pp[hLen], 0, padLen); 375 pp[hLen+padLen] = 0x01; 376 padLen += 1; 377 memcpy(&pp[hLen+padLen], message, messageSize); 378 // The total size of db = hLen + pad + mSize; 379 dbSize = hLen+padLen+messageSize; 380 // If testing, then use the provided seed. Otherwise, use values 381 // from the RNG 382 #ifdef TEST_RSA 383 if(testSeed != NULL) 384 seed = testSeed; 385 else 386 #endif // TEST_RSA 387 _cpri__GenerateRandom(hLen, mySeed); 388 // mask = MGF1 (seed, nSize hLen 1) 389 if((retVal = _cpri__MGF1(dbSize, mask, hashAlg, hLen, seed)) < 0) 390 return retVal; // Don't expect an error because hash size is not zero 391 // was detected in the call to _cpri__HashBlock() above. 392 // Create the masked db 393 pm = mask; 394 for(i = dbSize; i > 0; i--) 395 *pp++ ^= *pm++; 396 pp = &padded[hLen + 1]; 397 // Run the masked data through MGF1 398 if((retVal = _cpri__MGF1(hLen, &padded[1], hashAlg, dbSize, pp)) < 0) 399 return retVal; // Don't expect zero here as the only case for zero 400 // was detected in the call to _cpri__HashBlock() above. 401 // Now XOR the seed to create masked seed 402 pp = &padded[1]; 403 pm = seed; 404 for(i = hLen; i > 0; i--) 405 *pp++ ^= *pm++; 406 // Set the first byte to zero 407 *padded = 0x00; 408 return CRYPT_SUCCESS; 409 } 410 // 411 // 412 // OaepDecode() 413 // 414 // This function performs OAEP padding checking. The size of the buffer to receive the recovered data. If 415 // the padding is not valid, the dSize size is set to zero and the function returns CRYPT_NO_RESULTS. 416 // The dSize parameter is used as an input to indicate the size available in the buffer. If insufficient space is 417 // available, the size is not changed and the return code is CRYPT_FAIL. 418 // 419 // Return Value Meaning 420 // 421 // CRYPT_SUCCESS decode complete 422 // CRYPT_PARAMETER the value to decode was larger than the modulus 423 // CRYPT_FAIL the padding is wrong or the buffer to receive the results is too small 424 // 425 static CRYPT_RESULT 426 OaepDecode( 427 UINT32 *dataOutSize, // IN/OUT: the recovered data size 428 BYTE *dataOut, // OUT: the recovered data 429 TPM_ALG_ID hashAlg, // IN: algorithm to use for padding 430 const char *label, // IN: null-terminated string (may be NULL) 431 UINT32 paddedSize, // IN: the size of the padded data 432 BYTE *padded // IN: the padded data 433 ) 434 { 435 UINT32 dSizeSave; 436 UINT32 i; 437 BYTE seedMask[MAX_DIGEST_SIZE]; 438 INT32 hLen = _cpri__GetDigestSize(hashAlg); 439 BYTE mask[MAX_RSA_KEY_BYTES]; 440 BYTE *pp; 441 BYTE *pm; 442 UINT32 lSize = 0; 443 CRYPT_RESULT retVal = CRYPT_SUCCESS; 444 // Unknown hash 445 pAssert(hLen > 0 && dataOutSize != NULL && dataOut != NULL && padded != NULL); 446 // If there is a label, get its size including the terminating 0x00 447 if(label != NULL) 448 lSize = (UINT32)strlen(label) + 1; 449 // Set the return size to zero so that it doesn't have to be done on each 450 // failure 451 dSizeSave = *dataOutSize; 452 *dataOutSize = 0; 453 // Strange size (anything smaller can't be an OAEP padded block) 454 // Also check for no leading 0 455 if(paddedSize < (unsigned)((2 * hLen) + 2) || *padded != 0) 456 return CRYPT_FAIL; 457 // Use the hash size to determine what to put through MGF1 in order 458 // to recover the seedMask 459 if((retVal = _cpri__MGF1(hLen, seedMask, hashAlg, 460 paddedSize-hLen-1, &padded[hLen+1])) < 0) 461 return retVal; 462 // Recover the seed into seedMask 463 pp = &padded[1]; 464 pm = seedMask; 465 for(i = hLen; i > 0; i--) 466 *pm++ ^= *pp++; 467 // Use the seed to generate the data mask 468 if((retVal = _cpri__MGF1(paddedSize-hLen-1, mask, hashAlg, 469 hLen, seedMask)) < 0) 470 return retVal; 471 // Use the mask generated from seed to recover the padded data 472 pp = &padded[hLen+1]; 473 pm = mask; 474 for(i = paddedSize-hLen-1; i > 0; i--) 475 *pm++ ^= *pp++; 476 // Make sure that the recovered data has the hash of the label 477 // Put trial value in the seed mask 478 if((retVal=_cpri__HashBlock(hashAlg, lSize,(BYTE *)label, hLen, seedMask)) < 0) 479 return retVal; 480 if(memcmp(seedMask, mask, hLen) != 0) 481 return CRYPT_FAIL; 482 // find the start of the data 483 pm = &mask[hLen]; 484 for(i = paddedSize-(2*hLen)-1; i > 0; i--) 485 { 486 if(*pm++ != 0) 487 break; 488 } 489 490 // Magic value in the end of the fill area must be 1, anything else must be 491 // rejected. 492 if (pm[-1] != 1) 493 return CRYPT_FAIL; 494 495 if(i == 0) 496 return CRYPT_PARAMETER; 497 // pm should be pointing at the first part of the data 498 // and i is one greater than the number of bytes to move 499 i--; 500 if(i > dSizeSave) 501 { 502 // Restore dSize 503 *dataOutSize = dSizeSave; 504 return CRYPT_FAIL; 505 } 506 memcpy(dataOut, pm, i); 507 *dataOutSize = i; 508 return CRYPT_SUCCESS; 509 } 510 // 511 // 512 // PKSC1v1_5Encode() 513 // 514 // This function performs the encoding for RSAES-PKCS1-V1_5-ENCRYPT as defined in PKCS#1V2.1 515 // 516 // Return Value Meaning 517 // 518 // CRYPT_SUCCESS data encoded 519 // CRYPT_PARAMETER message size is too large 520 // 521 static CRYPT_RESULT 522 RSAES_PKSC1v1_5Encode( 523 UINT32 paddedSize, // IN: pad value size 524 BYTE *padded, // OUT: the pad data 525 UINT32 messageSize, // IN: the message size 526 BYTE *message // IN: the message being padded 527 ) 528 { 529 UINT32 ps = paddedSize - messageSize - 3; 530 if(messageSize > paddedSize - 11) 531 return CRYPT_PARAMETER; 532 // move the message to the end of the buffer 533 memcpy(&padded[paddedSize - messageSize], message, messageSize); 534 // Set the first byte to 0x00 and the second to 0x02 535 *padded = 0; 536 padded[1] = 2; 537 // Fill with random bytes 538 _cpri__GenerateRandom(ps, &padded[2]); 539 // Set the delimiter for the random field to 0 540 padded[2+ps] = 0; 541 // Now, the only messy part. Make sure that all the ps bytes are non-zero 542 // In this implementation, use the value of the current index 543 for(ps++; ps > 1; ps--) 544 { 545 if(padded[ps] == 0) 546 padded[ps] = 0x55; // In the < 0.5% of the cases that the random 547 // value is 0, just pick a value to put into 548 // the spot. 549 } 550 return CRYPT_SUCCESS; 551 } 552 // 553 // 554 // RSAES_Decode() 555 // 556 // This function performs the decoding for RSAES-PKCS1-V1_5-ENCRYPT as defined in PKCS#1V2.1 557 // 558 // Return Value Meaning 559 // 560 // CRYPT_SUCCESS decode successful 561 // CRYPT_FAIL decoding error or results would no fit into provided buffer 562 // 563 static CRYPT_RESULT 564 RSAES_Decode( 565 UINT32 *messageSize, // IN/OUT: recovered message size 566 BYTE *message, // OUT: the recovered message 567 UINT32 codedSize, // IN: the encoded message size 568 BYTE *coded // IN: the encoded message 569 ) 570 { 571 BOOL fail = FALSE; 572 UINT32 ps; 573 fail = (codedSize < 11); 574 fail |= (coded[0] != 0x00) || (coded[1] != 0x02); 575 for(ps = 2; ps < codedSize; ps++) 576 { 577 if(coded[ps] == 0) 578 break; 579 } 580 ps++; 581 // Make sure that ps has not gone over the end and that there are at least 8 582 // bytes of pad data. 583 fail |= ((ps >= codedSize) || ((ps-2) < 8)); 584 if((*messageSize < codedSize - ps) || fail) 585 return CRYPT_FAIL; 586 *messageSize = codedSize - ps; 587 memcpy(message, &coded[ps], codedSize - ps); 588 return CRYPT_SUCCESS; 589 } 590 // 591 // 592 // PssEncode() 593 // 594 // This function creates an encoded block of data that is the size of modulus. The function uses the 595 // maximum salt size that will fit in the encoded block. 596 // 597 // Return Value Meaning 598 // 599 // CRYPT_SUCCESS encode successful 600 // CRYPT_PARAMETER hashAlg is not a supported hash algorithm 601 // 602 static CRYPT_RESULT 603 PssEncode ( 604 UINT32 eOutSize, // IN: size of the encode data buffer 605 BYTE *eOut, // OUT: encoded data buffer 606 TPM_ALG_ID hashAlg, // IN: hash algorithm to use for the encoding 607 UINT32 hashInSize, // IN: size of digest to encode 608 BYTE *hashIn // IN: the digest 609 #ifdef TEST_RSA // 610 , BYTE *saltIn // IN: optional parameter for testing 611 #endif // TEST_RSA // 612 ) 613 { 614 INT32 hLen = _cpri__GetDigestSize(hashAlg); 615 BYTE salt[MAX_RSA_KEY_BYTES - 1]; 616 UINT16 saltSize; 617 BYTE *ps = salt; 618 CRYPT_RESULT retVal; 619 UINT16 mLen; 620 CPRI_HASH_STATE hashState; 621 // These are fatal errors indicating bad TPM firmware 622 pAssert(eOut != NULL && hLen > 0 && hashIn != NULL ); 623 // Get the size of the mask 624 mLen = (UINT16)(eOutSize - hLen - 1); 625 // Maximum possible salt size is mask length - 1 626 saltSize = mLen - 1; 627 // Use the maximum salt size allowed by FIPS 186-4 628 if(saltSize > hLen) 629 saltSize = (UINT16)hLen; 630 //using eOut for scratch space 631 // Set the first 8 bytes to zero 632 memset(eOut, 0, 8); 633 // Get set the salt 634 #ifdef TEST_RSA 635 if(saltIn != NULL) 636 { 637 saltSize = hLen; 638 memcpy(salt, saltIn, hLen); 639 } 640 else 641 #endif // TEST_RSA 642 _cpri__GenerateRandom(saltSize, salt); 643 // Create the hash of the pad || input hash || salt 644 _cpri__StartHash(hashAlg, FALSE, &hashState); 645 _cpri__UpdateHash(&hashState, 8, eOut); 646 _cpri__UpdateHash(&hashState, hashInSize, hashIn); 647 _cpri__UpdateHash(&hashState, saltSize, salt); 648 _cpri__CompleteHash(&hashState, hLen, &eOut[eOutSize - hLen - 1]); 649 // Create a mask 650 if((retVal = _cpri__MGF1(mLen, eOut, hashAlg, hLen, &eOut[mLen])) < 0) 651 { 652 // Currently _cpri__MGF1 is not expected to return a CRYPT_RESULT error. 653 pAssert(0); 654 } 655 // Since this implementation uses key sizes that are all even multiples of 656 // 8, just need to make sure that the most significant bit is CLEAR 657 eOut[0] &= 0x7f; 658 // Before we mess up the eOut value, set the last byte to 0xbc 659 eOut[eOutSize - 1] = 0xbc; 660 // XOR a byte of 0x01 at the position just before where the salt will be XOR'ed 661 eOut = &eOut[mLen - saltSize - 1]; 662 *eOut++ ^= 0x01; 663 // XOR the salt data into the buffer 664 for(; saltSize > 0; saltSize--) 665 *eOut++ ^= *ps++; 666 // and we are done 667 return CRYPT_SUCCESS; 668 } 669 // 670 // 671 // PssDecode() 672 // 673 // This function checks that the PSS encoded block was built from the provided digest. If the check is 674 // successful, CRYPT_SUCCESS is returned. Any other value indicates an error. 675 // This implementation of PSS decoding is intended for the reference TPM implementation and is not at all 676 // generalized. It is used to check signatures over hashes and assumptions are made about the sizes of 677 // values. Those assumptions are enforce by this implementation. This implementation does allow for a 678 // variable size salt value to have been used by the creator of the signature. 679 // 680 // 681 // 682 // 683 // Return Value Meaning 684 // 685 // CRYPT_SUCCESS decode successful 686 // CRYPT_SCHEME hashAlg is not a supported hash algorithm 687 // CRYPT_FAIL decode operation failed 688 // 689 static CRYPT_RESULT 690 PssDecode( 691 TPM_ALG_ID hashAlg, // IN: hash algorithm to use for the encoding 692 UINT32 dInSize, // IN: size of the digest to compare 693 BYTE *dIn, // In: the digest to compare 694 UINT32 eInSize, // IN: size of the encoded data 695 BYTE *eIn, // IN: the encoded data 696 UINT32 saltSize // IN: the expected size of the salt 697 ) 698 { 699 INT32 hLen = _cpri__GetDigestSize(hashAlg); 700 BYTE mask[MAX_RSA_KEY_BYTES]; 701 BYTE *pm = mask; 702 BYTE pad[8] = {0}; 703 UINT32 i; 704 UINT32 mLen; 705 BOOL fail = FALSE; 706 CRYPT_RESULT retVal; 707 CPRI_HASH_STATE hashState; 708 // These errors are indicative of failures due to programmer error 709 pAssert(dIn != NULL && eIn != NULL); 710 // check the hash scheme 711 if(hLen == 0) 712 return CRYPT_SCHEME; 713 // most significant bit must be zero 714 fail = ((eIn[0] & 0x80) != 0); 715 // last byte must be 0xbc 716 fail |= (eIn[eInSize - 1] != 0xbc); 717 // Use the hLen bytes at the end of the buffer to generate a mask 718 // Doesn't start at the end which is a flag byte 719 mLen = eInSize - hLen - 1; 720 if((retVal = _cpri__MGF1(mLen, mask, hashAlg, hLen, &eIn[mLen])) < 0) 721 return retVal; 722 if(retVal == 0) 723 return CRYPT_FAIL; 724 // Clear the MSO of the mask to make it consistent with the encoding. 725 mask[0] &= 0x7F; 726 // XOR the data into the mask to recover the salt. This sequence 727 // advances eIn so that it will end up pointing to the seed data 728 // which is the hash of the signature data 729 for(i = mLen; i > 0; i--) 730 *pm++ ^= *eIn++; 731 // Find the first byte of 0x01 after a string of all 0x00 732 for(pm = mask, i = mLen; i > 0; i--) 733 { 734 if(*pm == 0x01) 735 break; 736 else 737 fail |= (*pm++ != 0); 738 } 739 fail |= (i == 0); 740 // if we have failed, will continue using the entire mask as the salt value so 741 // that the timing attacks will not disclose anything (I don't think that this 742 // is a problem for TPM applications but, usually, we don't fail so this 743 // doesn't cost anything). 744 if(fail) 745 { 746 i = mLen; 747 pm = mask; 748 } 749 else 750 { 751 pm++; 752 i--; 753 } 754 // If the salt size was provided, then the recovered size must match 755 fail |= (saltSize != 0 && i != saltSize); 756 // i contains the salt size and pm points to the salt. Going to use the input 757 // hash and the seed to recreate the hash in the lower portion of eIn. 758 _cpri__StartHash(hashAlg, FALSE, &hashState); 759 // add the pad of 8 zeros 760 _cpri__UpdateHash(&hashState, 8, pad); 761 // add the provided digest value 762 _cpri__UpdateHash(&hashState, dInSize, dIn); 763 // and the salt 764 _cpri__UpdateHash(&hashState, i, pm); 765 // get the result 766 retVal = _cpri__CompleteHash(&hashState, MAX_DIGEST_SIZE, mask); 767 // retVal will be the size of the digest or zero. If not equal to the indicated 768 // digest size, then the signature doesn't match 769 fail |= (retVal != hLen); 770 fail |= (memcmp(mask, eIn, hLen) != 0); 771 if(fail) 772 return CRYPT_FAIL; 773 else 774 return CRYPT_SUCCESS; 775 } 776 // 777 // 778 // PKSC1v1_5SignEncode() 779 // 780 // Encode a message using PKCS1v1().5 method. 781 // 782 // Return Value Meaning 783 // 784 // CRYPT_SUCCESS encode complete 785 // CRYPT_SCHEME hashAlg is not a supported hash algorithm 786 // CRYPT_PARAMETER eOutSize is not large enough or hInSize does not match the digest 787 // size of hashAlg 788 // 789 static CRYPT_RESULT 790 RSASSA_Encode( 791 UINT32 eOutSize, // IN: the size of the resulting block 792 BYTE *eOut, // OUT: the encoded block 793 TPM_ALG_ID hashAlg, // IN: hash algorithm for PKSC1v1_5 794 UINT32 hInSize, // IN: size of hash to be signed 795 BYTE *hIn // IN: hash buffer 796 ) 797 { 798 const BYTE *der; 799 INT32 derSize = _cpri__GetHashDER(hashAlg, &der); 800 INT32 fillSize; 801 pAssert(eOut != NULL && hIn != NULL); 802 // Can't use this scheme if the algorithm doesn't have a DER string defined. 803 if(derSize == 0 ) 804 return CRYPT_SCHEME; 805 // If the digest size of 'hashAl' doesn't match the input digest size, then 806 // the DER will misidentify the digest so return an error 807 if((unsigned)_cpri__GetDigestSize(hashAlg) != hInSize) 808 return CRYPT_PARAMETER; 809 fillSize = eOutSize - derSize - hInSize - 3; 810 // Make sure that this combination will fit in the provided space 811 if(fillSize < 8) 812 return CRYPT_PARAMETER; 813 // Start filling 814 *eOut++ = 0; // initial byte of zero 815 *eOut++ = 1; // byte of 0x01 816 for(; fillSize > 0; fillSize--) 817 *eOut++ = 0xff; // bunch of 0xff 818 *eOut++ = 0; // another 0 819 for(; derSize > 0; derSize--) 820 *eOut++ = *der++; // copy the DER 821 for(; hInSize > 0; hInSize--) 822 *eOut++ = *hIn++; // copy the hash 823 return CRYPT_SUCCESS; 824 } 825 // 826 // 827 // RSASSA_Decode() 828 // 829 // This function performs the RSASSA decoding of a signature. 830 // 831 // Return Value Meaning 832 // 833 // CRYPT_SUCCESS decode successful 834 // CRYPT_FAIL decode unsuccessful 835 // CRYPT_SCHEME haslAlg is not supported 836 // 837 static CRYPT_RESULT 838 RSASSA_Decode( 839 TPM_ALG_ID hashAlg, // IN: hash algorithm to use for the encoding 840 UINT32 hInSize, // IN: size of the digest to compare 841 BYTE *hIn, // In: the digest to compare 842 UINT32 eInSize, // IN: size of the encoded data 843 BYTE *eIn // IN: the encoded data 844 ) 845 { 846 BOOL fail = FALSE; 847 const BYTE *der; 848 INT32 derSize = _cpri__GetHashDER(hashAlg, &der); 849 INT32 hashSize = _cpri__GetDigestSize(hashAlg); 850 INT32 fillSize; 851 pAssert(hIn != NULL && eIn != NULL); 852 // Can't use this scheme if the algorithm doesn't have a DER string 853 // defined or if the provided hash isn't the right size 854 if(derSize == 0 || (unsigned)hashSize != hInSize) 855 return CRYPT_SCHEME; 856 // Make sure that this combination will fit in the provided space 857 // Since no data movement takes place, can just walk though this 858 // and accept nearly random values. This can only be called from 859 // _cpri__ValidateSignature() so eInSize is known to be in range. 860 fillSize = eInSize - derSize - hashSize - 3; 861 // Start checking 862 fail |= (*eIn++ != 0); // initial byte of zero 863 fail |= (*eIn++ != 1); // byte of 0x01 864 for(; fillSize > 0; fillSize--) 865 fail |= (*eIn++ != 0xff); // bunch of 0xff 866 fail |= (*eIn++ != 0); // another 0 867 for(; derSize > 0; derSize--) 868 fail |= (*eIn++ != *der++); // match the DER 869 for(; hInSize > 0; hInSize--) 870 fail |= (*eIn++ != *hIn++); // match the hash 871 if(fail) 872 return CRYPT_FAIL; 873 return CRYPT_SUCCESS; 874 } 875 // 876 // 877 // Externally Accessible Functions 878 // 879 // _cpri__RsaStartup() 880 // 881 // Function that is called to initialize the hash service. In this implementation, this function does nothing but 882 // it is called by the CryptUtilStartup() function and must be present. 883 // 884 LIB_EXPORT BOOL 885 _cpri__RsaStartup( 886 void 887 ) 888 { 889 return TRUE; 890 } 891 // 892 // 893 // _cpri__EncryptRSA() 894 // 895 // This is the entry point for encryption using RSA. Encryption is use of the public exponent. The padding 896 // parameter determines what padding will be used. 897 // The cOutSize parameter must be at least as large as the size of the key. 898 // If the padding is RSA_PAD_NONE, dIn is treaded as a number. It must be lower in value than the key 899 // modulus. 900 // 901 // 902 // 903 // NOTE: If dIn has fewer bytes than cOut, then we don't add low-order zeros to dIn to make it the size of the RSA key for 904 // the call to RSAEP. This is because the high order bytes of dIn might have a numeric value that is greater than 905 // the value of the key modulus. If this had low-order zeros added, it would have a numeric value larger than the 906 // modulus even though it started out with a lower numeric value. 907 // 908 // 909 // Return Value Meaning 910 // 911 // CRYPT_SUCCESS encryption complete 912 // CRYPT_PARAMETER cOutSize is too small (must be the size of the modulus) 913 // CRYPT_SCHEME padType is not a supported scheme 914 // 915 LIB_EXPORT CRYPT_RESULT 916 _cpri__EncryptRSA( 917 UINT32 *cOutSize, // OUT: the size of the encrypted data 918 BYTE *cOut, // OUT: the encrypted data 919 RSA_KEY *key, // IN: the key to use for encryption 920 TPM_ALG_ID padType, // IN: the type of padding 921 UINT32 dInSize, // IN: the amount of data to encrypt 922 BYTE *dIn, // IN: the data to encrypt 923 TPM_ALG_ID hashAlg, // IN: in case this is needed 924 const char *label // IN: in case it is needed 925 ) 926 { 927 CRYPT_RESULT retVal = CRYPT_SUCCESS; 928 pAssert(cOutSize != NULL); 929 // All encryption schemes return the same size of data 930 if(*cOutSize < key->publicKey->size) 931 return CRYPT_PARAMETER; 932 *cOutSize = key->publicKey->size; 933 switch (padType) 934 { 935 case TPM_ALG_NULL: // 'raw' encryption 936 { 937 // dIn can have more bytes than cOut as long as the extra bytes 938 // are zero 939 for(; dInSize > *cOutSize; dInSize--) 940 { 941 if(*dIn++ != 0) 942 return CRYPT_PARAMETER; 943 } 944 // If dIn is smaller than cOut, fill cOut with zeros 945 if(dInSize < *cOutSize) 946 memset(cOut, 0, *cOutSize - dInSize); 947 // Copy the rest of the value 948 memcpy(&cOut[*cOutSize-dInSize], dIn, dInSize); 949 // If the size of dIn is the same as cOut dIn could be larger than 950 // the modulus. If it is, then RSAEP() will catch it. 951 } 952 break; 953 case TPM_ALG_RSAES: 954 retVal = RSAES_PKSC1v1_5Encode(*cOutSize, cOut, dInSize, dIn); 955 break; 956 case TPM_ALG_OAEP: 957 retVal = OaepEncode(*cOutSize, cOut, hashAlg, label, dInSize, dIn 958 #ifdef TEST_RSA 959 ,NULL 960 #endif 961 ); 962 break; 963 default: 964 return CRYPT_SCHEME; 965 } 966 // All the schemes that do padding will come here for the encryption step 967 // Check that the Encoding worked 968 if(retVal != CRYPT_SUCCESS) 969 return retVal; 970 // Padding OK so do the encryption 971 return RSAEP(*cOutSize, cOut, key); 972 } 973 // 974 // 975 // _cpri__DecryptRSA() 976 // 977 // This is the entry point for decryption using RSA. Decryption is use of the private exponent. The padType 978 // parameter determines what padding was used. 979 // 980 // Return Value Meaning 981 // 982 // CRYPT_SUCCESS successful completion 983 // CRYPT_PARAMETER cInSize is not the same as the size of the public modulus of key; or 984 // numeric value of the encrypted data is greater than the modulus 985 // CRYPT_FAIL dOutSize is not large enough for the result 986 // CRYPT_SCHEME padType is not supported 987 // 988 LIB_EXPORT CRYPT_RESULT 989 _cpri__DecryptRSA( 990 UINT32 *dOutSize, // OUT: the size of the decrypted data 991 BYTE *dOut, // OUT: the decrypted data 992 RSA_KEY *key, // IN: the key to use for decryption 993 TPM_ALG_ID padType, // IN: the type of padding 994 UINT32 cInSize, // IN: the amount of data to decrypt 995 BYTE *cIn, // IN: the data to decrypt 996 TPM_ALG_ID hashAlg, // IN: in case this is needed for the scheme 997 const char *label // IN: in case it is needed for the scheme 998 ) 999 { 1000 CRYPT_RESULT retVal; 1001 // Make sure that the necessary parameters are provided 1002 pAssert(cIn != NULL && dOut != NULL && dOutSize != NULL && key != NULL); 1003 // Size is checked to make sure that the decryption works properly 1004 if(cInSize != key->publicKey->size) 1005 return CRYPT_PARAMETER; 1006 // For others that do padding, do the decryption in place and then 1007 // go handle the decoding. 1008 if((retVal = RSADP(cInSize, cIn, key)) != CRYPT_SUCCESS) 1009 return retVal; // Decryption failed 1010 // Remove padding 1011 switch (padType) 1012 { 1013 case TPM_ALG_NULL: 1014 if(*dOutSize < key->publicKey->size) 1015 return CRYPT_FAIL; 1016 *dOutSize = key->publicKey->size; 1017 memcpy(dOut, cIn, *dOutSize); 1018 return CRYPT_SUCCESS; 1019 case TPM_ALG_RSAES: 1020 return RSAES_Decode(dOutSize, dOut, cInSize, cIn); 1021 break; 1022 case TPM_ALG_OAEP: 1023 return OaepDecode(dOutSize, dOut, hashAlg, label, cInSize, cIn); 1024 break; 1025 default: 1026 return CRYPT_SCHEME; 1027 break; 1028 } 1029 } 1030 // 1031 // 1032 // _cpri__SignRSA() 1033 // 1034 // This function is used to generate an RSA signature of the type indicated in scheme. 1035 // 1036 // Return Value Meaning 1037 // 1038 // CRYPT_SUCCESS sign operation completed normally 1039 // CRYPT_SCHEME scheme or hashAlg are not supported 1040 // CRYPT_PARAMETER hInSize does not match hashAlg (for RSASSA) 1041 // 1042 LIB_EXPORT CRYPT_RESULT 1043 _cpri__SignRSA( 1044 UINT32 *sigOutSize, // OUT: size of signature 1045 BYTE *sigOut, // OUT: signature 1046 RSA_KEY *key, // IN: key to use 1047 TPM_ALG_ID scheme, // IN: the scheme to use 1048 TPM_ALG_ID hashAlg, // IN: hash algorithm for PKSC1v1_5 1049 UINT32 hInSize, // IN: size of digest to be signed 1050 BYTE *hIn // IN: digest buffer 1051 ) 1052 { 1053 CRYPT_RESULT retVal; 1054 // Parameter checks 1055 pAssert(sigOutSize != NULL && sigOut != NULL && key != NULL && hIn != NULL); 1056 // For all signatures the size is the size of the key modulus 1057 *sigOutSize = key->publicKey->size; 1058 switch (scheme) 1059 { 1060 case TPM_ALG_NULL: 1061 *sigOutSize = 0; 1062 return CRYPT_SUCCESS; 1063 case TPM_ALG_RSAPSS: 1064 // PssEncode can return CRYPT_PARAMETER 1065 retVal = PssEncode(*sigOutSize, sigOut, hashAlg, hInSize, hIn 1066 #ifdef TEST_RSA 1067 , NULL 1068 #endif 1069 ); 1070 break; 1071 case TPM_ALG_RSASSA: 1072 // RSASSA_Encode can return CRYPT_PARAMETER or CRYPT_SCHEME 1073 retVal = RSASSA_Encode(*sigOutSize, sigOut, hashAlg, hInSize, hIn); 1074 break; 1075 default: 1076 return CRYPT_SCHEME; 1077 } 1078 if(retVal != CRYPT_SUCCESS) 1079 return retVal; 1080 // Do the encryption using the private key 1081 // RSADP can return CRYPT_PARAMETR 1082 return RSADP(*sigOutSize,sigOut, key); 1083 } 1084 // 1085 // 1086 // _cpri__ValidateSignatureRSA() 1087 // 1088 // This function is used to validate an RSA signature. If the signature is valid CRYPT_SUCCESS is 1089 // returned. If the signature is not valid, CRYPT_FAIL is returned. Other return codes indicate either 1090 // parameter problems or fatal errors. 1091 // 1092 // Return Value Meaning 1093 // 1094 // CRYPT_SUCCESS the signature checks 1095 // CRYPT_FAIL the signature does not check 1096 // CRYPT_SCHEME unsupported scheme or hash algorithm 1097 // 1098 LIB_EXPORT CRYPT_RESULT 1099 _cpri__ValidateSignatureRSA( 1100 RSA_KEY *key, // IN: key to use 1101 TPM_ALG_ID scheme, // IN: the scheme to use 1102 TPM_ALG_ID hashAlg, // IN: hash algorithm 1103 UINT32 hInSize, // IN: size of digest to be checked 1104 BYTE *hIn, // IN: digest buffer 1105 UINT32 sigInSize, // IN: size of signature 1106 BYTE *sigIn, // IN: signature 1107 UINT16 saltSize // IN: salt size for PSS 1108 ) 1109 { 1110 CRYPT_RESULT retVal; 1111 // Fatal programming errors 1112 pAssert(key != NULL && sigIn != NULL && hIn != NULL); 1113 // Errors that might be caused by calling parameters 1114 if(sigInSize != key->publicKey->size) 1115 return CRYPT_FAIL; 1116 // Decrypt the block 1117 if((retVal = RSAEP(sigInSize, sigIn, key)) != CRYPT_SUCCESS) 1118 return CRYPT_FAIL; 1119 switch (scheme) 1120 { 1121 case TPM_ALG_NULL: 1122 return CRYPT_SCHEME; 1123 break; 1124 case TPM_ALG_RSAPSS: 1125 return PssDecode(hashAlg, hInSize, hIn, sigInSize, sigIn, saltSize); 1126 break; 1127 case TPM_ALG_RSASSA: 1128 return RSASSA_Decode(hashAlg, hInSize, hIn, sigInSize, sigIn); 1129 break; 1130 default: 1131 break; 1132 } 1133 return CRYPT_SCHEME; 1134 } 1135 #ifndef RSA_KEY_SIEVE 1136 // 1137 // 1138 // _cpri__GenerateKeyRSA() 1139 // 1140 // Generate an RSA key from a provided seed 1141 // 1142 // 1143 // 1144 // 1145 // Return Value Meaning 1146 // 1147 // CRYPT_FAIL exponent is not prime or is less than 3; or could not find a prime using 1148 // the provided parameters 1149 // CRYPT_CANCEL operation was canceled 1150 // 1151 LIB_EXPORT CRYPT_RESULT 1152 _cpri__GenerateKeyRSA( 1153 TPM2B *n, // OUT: The public modulu 1154 TPM2B *p, // OUT: One of the prime factors of n 1155 UINT16 keySizeInBits, // IN: Size of the public modulus in bit 1156 UINT32 e, // IN: The public exponent 1157 TPM_ALG_ID hashAlg, // IN: hash algorithm to use in the key 1158 // generation proce 1159 TPM2B *seed, // IN: the seed to use 1160 const char *label, // IN: A label for the generation process. 1161 TPM2B *extra, // IN: Party 1 data for the KDF 1162 UINT32 *counter // IN/OUT: Counter value to allow KFD iteration 1163 // to be propagated across multiple routine 1164 ) 1165 { 1166 UINT32 lLen; // length of the label 1167 // (counting the terminating 0); 1168 UINT16 digestSize = _cpri__GetDigestSize(hashAlg); 1169 TPM2B_HASH_BLOCK oPadKey; 1170 UINT32 outer; 1171 UINT32 inner; 1172 BYTE swapped[4]; 1173 CRYPT_RESULT retVal; 1174 int i, fill; 1175 const static char defaultLabel[] = "RSA key"; 1176 BYTE *pb; 1177 CPRI_HASH_STATE h1; // contains the hash of the 1178 // HMAC key w/ iPad 1179 CPRI_HASH_STATE h2; // contains the hash of the 1180 // HMAC key w/ oPad 1181 CPRI_HASH_STATE h; // the working hash context 1182 BIGNUM *bnP; 1183 BIGNUM *bnQ; 1184 BIGNUM *bnT; 1185 BIGNUM *bnE; 1186 BIGNUM *bnN; 1187 BN_CTX *context; 1188 UINT32 rem; 1189 // Make sure that hashAlg is valid hash 1190 pAssert(digestSize != 0); 1191 // if present, use externally provided counter 1192 if(counter != NULL) 1193 outer = *counter; 1194 else 1195 outer = 1; 1196 // Validate exponent 1197 UINT32_TO_BYTE_ARRAY(e, swapped); 1198 // Need to check that the exponent is prime and not less than 3 1199 if( e != 0 && (e < 3 || !_math__IsPrime(e))) 1200 return CRYPT_FAIL; 1201 // Get structures for the big number representations 1202 context = BN_CTX_new(); 1203 if(context == NULL) 1204 FAIL(FATAL_ERROR_ALLOCATION); 1205 BN_CTX_start(context); 1206 bnP = BN_CTX_get(context); 1207 bnQ = BN_CTX_get(context); 1208 bnT = BN_CTX_get(context); 1209 bnE = BN_CTX_get(context); 1210 bnN = BN_CTX_get(context); 1211 if(bnN == NULL) 1212 FAIL(FATAL_ERROR_INTERNAL); 1213 // Set Q to zero. This is used as a flag. The prime is computed in P. When a 1214 // new prime is found, Q is checked to see if it is zero. If so, P is copied 1215 // to Q and a new P is found. When both P and Q are non-zero, the modulus and 1216 // private exponent are computed and a trial encryption/decryption is 1217 // performed. If the encrypt/decrypt fails, assume that at least one of the 1218 // primes is composite. Since we don't know which one, set Q to zero and start 1219 // over and find a new pair of primes. 1220 BN_zero(bnQ); 1221 // Need to have some label 1222 if(label == NULL) 1223 label = (const char *)&defaultLabel; 1224 // Get the label size 1225 for(lLen = 0; label[lLen++] != 0;); 1226 // Start the hash using the seed and get the intermediate hash value 1227 _cpri__StartHMAC(hashAlg, FALSE, &h1, seed->size, seed->buffer, &oPadKey.b); 1228 _cpri__StartHash(hashAlg, FALSE, &h2); 1229 _cpri__UpdateHash(&h2, oPadKey.b.size, oPadKey.b.buffer); 1230 n->size = (keySizeInBits +7)/8; 1231 pAssert(n->size <= MAX_RSA_KEY_BYTES); 1232 p->size = n->size / 2; 1233 if(e == 0) 1234 e = RSA_DEFAULT_PUBLIC_EXPONENT; 1235 BN_set_word(bnE, e); 1236 // The first test will increment the counter from zero. 1237 for(outer += 1; outer != 0; outer++) 1238 { 1239 if(_plat__IsCanceled()) 1240 { 1241 retVal = CRYPT_CANCEL; 1242 goto Cleanup; 1243 } 1244 // Need to fill in the candidate with the hash 1245 fill = digestSize; 1246 pb = p->buffer; 1247 // Reset the inner counter 1248 inner = 0; 1249 for(i = p->size; i > 0; i -= digestSize) 1250 { 1251 inner++; 1252 // Initialize the HMAC with saved state 1253 _cpri__CopyHashState(&h, &h1); 1254 // Hash the inner counter (the one that changes on each HMAC iteration) 1255 UINT32_TO_BYTE_ARRAY(inner, swapped); 1256 _cpri__UpdateHash(&h, 4, swapped); 1257 _cpri__UpdateHash(&h, lLen, (BYTE *)label); 1258 // Is there any party 1 data 1259 if(extra != NULL) 1260 _cpri__UpdateHash(&h, extra->size, extra->buffer); 1261 // Include the outer counter (the one that changes on each prime 1262 // prime candidate generation 1263 UINT32_TO_BYTE_ARRAY(outer, swapped); 1264 _cpri__UpdateHash(&h, 4, swapped); 1265 _cpri__UpdateHash(&h, 2, (BYTE *)&keySizeInBits); 1266 if(i < fill) 1267 fill = i; 1268 _cpri__CompleteHash(&h, fill, pb); 1269 // Restart the oPad hash 1270 _cpri__CopyHashState(&h, &h2); 1271 // Add the last hashed data 1272 _cpri__UpdateHash(&h, fill, pb); 1273 // gives a completed HMAC 1274 _cpri__CompleteHash(&h, fill, pb); 1275 pb += fill; 1276 } 1277 // Set the Most significant 2 bits and the low bit of the candidate 1278 p->buffer[0] |= 0xC0; 1279 p->buffer[p->size - 1] |= 1; 1280 // Convert the candidate to a BN 1281 BN_bin2bn(p->buffer, p->size, bnP); 1282 // If this is the second prime, make sure that it differs from the 1283 // first prime by at least 2^100 1284 if(!BN_is_zero(bnQ)) 1285 { 1286 // bnQ is non-zero if we already found it 1287 if(BN_ucmp(bnP, bnQ) < 0) 1288 BN_sub(bnT, bnQ, bnP); 1289 else 1290 BN_sub(bnT, bnP, bnQ); 1291 if(BN_num_bits(bnT) < 100) // Difference has to be at least 100 bits 1292 continue; 1293 } 1294 // Make sure that the prime candidate (p) is not divisible by the exponent 1295 // and that (p-1) is not divisible by the exponent 1296 // Get the remainder after dividing by the modulus 1297 rem = BN_mod_word(bnP, e); 1298 if(rem == 0) // evenly divisible so add two keeping the number odd and 1299 // making sure that 1 != p mod e 1300 BN_add_word(bnP, 2); 1301 else if(rem == 1) // leaves a remainder of 1 so subtract two keeping the 1302 // number odd and making (e-1) = p mod e 1303 BN_sub_word(bnP, 2); 1304 // Have a candidate, check for primality 1305 if((retVal = (CRYPT_RESULT)BN_is_prime_ex(bnP, 1306 BN_prime_checks, NULL, NULL)) < 0) 1307 FAIL(FATAL_ERROR_INTERNAL); 1308 if(retVal != 1) 1309 continue; 1310 // Found a prime, is this the first or second. 1311 if(BN_is_zero(bnQ)) 1312 { 1313 // copy p to q and compute another prime in p 1314 BN_copy(bnQ, bnP); 1315 continue; 1316 } 1317 //Form the public modulus 1318 BN_mul(bnN, bnP, bnQ, context); 1319 if(BN_num_bits(bnN) != keySizeInBits) 1320 FAIL(FATAL_ERROR_INTERNAL); 1321 // Save the public modulus 1322 BnTo2B(n, bnN, n->size); // Will pad the buffer to the correct size 1323 pAssert((n->buffer[0] & 0x80) != 0); 1324 // And one prime 1325 BnTo2B(p, bnP, p->size); 1326 pAssert((p->buffer[0] & 0x80) != 0); 1327 // Finish by making sure that we can form the modular inverse of PHI 1328 // with respect to the public exponent 1329 // Compute PHI = (p - 1)(q - 1) = n - p - q + 1 1330 // Make sure that we can form the modular inverse 1331 BN_sub(bnT, bnN, bnP); 1332 BN_sub(bnT, bnT, bnQ); 1333 BN_add_word(bnT, 1); 1334 // find d such that (Phi * d) mod e ==1 1335 // If there isn't then we are broken because we took the step 1336 // of making sure that the prime != 1 mod e so the modular inverse 1337 // must exist 1338 if(BN_mod_inverse(bnT, bnE, bnT, context) == NULL || BN_is_zero(bnT)) 1339 FAIL(FATAL_ERROR_INTERNAL); 1340 // And, finally, do a trial encryption decryption 1341 { 1342 TPM2B_TYPE(RSA_KEY, MAX_RSA_KEY_BYTES); 1343 TPM2B_RSA_KEY r; 1344 r.t.size = sizeof(n->size); 1345 // If we are using a seed, then results must be reproducible on each 1346 // call. Otherwise, just get a random number 1347 if(seed == NULL) 1348 _cpri__GenerateRandom(n->size, r.t.buffer); 1349 else 1350 { 1351 // this this version does not have a deterministic RNG, XOR the 1352 // public key and private exponent to get a deterministic value 1353 // for testing. 1354 int i; 1355 // Generate a random-ish number starting with the public modulus 1356 // XORed with the MSO of the seed 1357 for(i = 0; i < n->size; i++) 1358 r.t.buffer[i] = n->buffer[i] ^ seed->buffer[0]; 1359 } 1360 // Make sure that the number is smaller than the public modulus 1361 r.t.buffer[0] &= 0x7F; 1362 // Convert 1363 if( BN_bin2bn(r.t.buffer, r.t.size, bnP) == NULL 1364 // Encrypt with the public exponent 1365 || BN_mod_exp(bnQ, bnP, bnE, bnN, context) != 1 1366 // Decrypt with the private exponent 1367 || BN_mod_exp(bnQ, bnQ, bnT, bnN, context) != 1) 1368 FAIL(FATAL_ERROR_INTERNAL); 1369 // If the starting and ending values are not the same, start over )-; 1370 if(BN_ucmp(bnP, bnQ) != 0) 1371 { 1372 BN_zero(bnQ); 1373 continue; 1374 } 1375 } 1376 retVal = CRYPT_SUCCESS; 1377 goto Cleanup; 1378 } 1379 retVal = CRYPT_FAIL; 1380 Cleanup: 1381 // Close out the hash sessions 1382 _cpri__CompleteHash(&h2, 0, NULL); 1383 _cpri__CompleteHash(&h1, 0, NULL); 1384 // Free up allocated BN values 1385 BN_CTX_end(context); 1386 BN_CTX_free(context); 1387 if(counter != NULL) 1388 *counter = outer; 1389 return retVal; 1390 } 1391 #endif // RSA_KEY_SIEVE 1392 #endif // TPM_ALG_RSA 1393
