1 // This file was extracted from the TCG Published
2 // Trusted Platform Module Library
3 // Part 4: Supporting Routines
4 // Family "2.0"
5 // Level 00 Revision 01.16
6 // October 30, 2014
7
8 #include <string.h>
9
10 #include "OsslCryptoEngine.h"
11 #ifdef TPM_ALG_RSA
12 //
13 //
14 // Local Functions
15 //
16 // RsaPrivateExponent()
17 //
18 // This function computes the private exponent de = 1 mod (p-1)*(q-1) The inputs are the public modulus
19 // and one of the primes.
20 // The results are returned in the key->private structure. The size of that structure is expanded to hold the
21 // private exponent. If the computed value is smaller than the public modulus, the private exponent is de-
22 // normalized.
23 //
24 // Return Value Meaning
25 //
26 // CRYPT_SUCCESS private exponent computed
27 // CRYPT_PARAMETER prime is not half the size of the modulus, or the modulus is not evenly
28 // divisible by the prime, or no private exponent could be computed
29 // from the input parameters
30 //
31 CRYPT_RESULT
RsaPrivateExponent(RSA_KEY * key)32 RsaPrivateExponent(
33 RSA_KEY *key // IN: the key to augment with the private
34 // exponent
35 )
36 {
37 BN_CTX *context;
38 BIGNUM *bnD;
39 BIGNUM *bnN;
40 BIGNUM *bnP;
41 BIGNUM *bnE;
42 BIGNUM *bnPhi;
43 BIGNUM *bnQ;
44 BIGNUM *bnQr;
45 UINT32 fill;
46 CRYPT_RESULT retVal = CRYPT_SUCCESS; // Assume success
47 pAssert(key != NULL && key->privateKey != NULL && key->publicKey != NULL);
48 context = BN_CTX_new();
49 if(context == NULL)
50 FAIL(FATAL_ERROR_ALLOCATION);
51 BN_CTX_start(context);
52 bnE = BN_CTX_get(context);
53 bnD = BN_CTX_get(context);
54 bnN = BN_CTX_get(context);
55 bnP = BN_CTX_get(context);
56 bnPhi = BN_CTX_get(context);
57 bnQ = BN_CTX_get(context);
58 bnQr = BN_CTX_get(context);
59 if(bnQr == NULL)
60 FAIL(FATAL_ERROR_ALLOCATION);
61 // Assume the size of the public key value is within range
62 pAssert(key->publicKey->size <= MAX_RSA_KEY_BYTES);
63 if( BN_bin2bn(key->publicKey->buffer, key->publicKey->size, bnN) == NULL
64 || BN_bin2bn(key->privateKey->buffer, key->privateKey->size, bnP) == NULL)
65 FAIL(FATAL_ERROR_INTERNAL);
66 // If P size is not 1/2 of n size, then this is not a valid value for this
67 // implementation. This will also catch the case were P is input as zero.
68 // This generates a return rather than an assert because the key being loaded
69 // might be SW generated and wrong.
70 if(BN_num_bits(bnP) < BN_num_bits(bnN)/2)
71 {
72 retVal = CRYPT_PARAMETER;
73 goto Cleanup;
74 }
75 // Get q = n/p;
76 if (BN_div(bnQ, bnQr, bnN, bnP, context) != 1)
77 FAIL(FATAL_ERROR_INTERNAL);
78 // If there is a remainder, then this is not a valid n
79 if(BN_num_bytes(bnQr) != 0 || BN_num_bits(bnQ) != BN_num_bits(bnP))
80 {
81 retVal = CRYPT_PARAMETER; // problem may be recoverable
82 goto Cleanup;
83 }
84 // Get compute Phi = (p - 1)(q - 1) = pq - p - q + 1 = n - p - q + 1
85 if( BN_copy(bnPhi, bnN) == NULL
86 || !BN_sub(bnPhi, bnPhi, bnP)
87 || !BN_sub(bnPhi, bnPhi, bnQ)
88 || !BN_add_word(bnPhi, 1))
89 FAIL(FATAL_ERROR_INTERNAL);
90 // Compute the multiplicative inverse
91 BN_set_word(bnE, key->exponent);
92 if(BN_mod_inverse(bnD, bnE, bnPhi, context) == NULL)
93 {
94 // Going to assume that the error is caused by a bad
95 // set of parameters. Specifically, an exponent that is
96 // not compatible with the primes. In an implementation that
97 // has better visibility to the error codes, this might be
98 // refined so that failures in the library would return
99 // a more informative value. Should not assume here that
100 // the error codes will remain unchanged.
101 retVal = CRYPT_PARAMETER;
102 goto Cleanup;
103 }
104 fill = key->publicKey->size - BN_num_bytes(bnD);
105 BN_bn2bin(bnD, &key->privateKey->buffer[fill]);
106 memset(key->privateKey->buffer, 0, fill);
107 // Change the size of the private key so that it is known to contain
108 // a private exponent rather than a prime.
109 key->privateKey->size = key->publicKey->size;
110 Cleanup:
111 BN_CTX_end(context);
112 BN_CTX_free(context);
113 return retVal;
114 }
115 //
116 //
117 // _cpri__TestKeyRSA()
118 //
119 // This function computes the private exponent de = 1 mod (p-1)*(q-1) The inputs are the public modulus
120 // and one of the primes or two primes.
121 // If both primes are provided, the public modulus is computed. If only one prime is provided, the second
122 // prime is computed. In either case, a private exponent is produced and placed in d.
123 // If no modular inverse exists, then CRYPT_PARAMETER is returned.
124 //
125 // Return Value Meaning
126 //
127 // CRYPT_SUCCESS private exponent (d) was generated
128 // CRYPT_PARAMETER one or more parameters are invalid
129 //
130 LIB_EXPORT CRYPT_RESULT
_cpri__TestKeyRSA(TPM2B * d,UINT32 exponent,TPM2B * publicKey,TPM2B * prime1,TPM2B * prime2)131 _cpri__TestKeyRSA(
132 TPM2B *d, // OUT: the address to receive the private
133 // exponent
134 UINT32 exponent, // IN: the public modulu
135 TPM2B *publicKey, // IN/OUT: an input if only one prime is
136 // provided. an output if both primes are
137 // provided
138 TPM2B *prime1, // IN: a first prime
139 TPM2B *prime2 // IN: an optional second prime
140 )
141 {
142 BN_CTX *context;
143 BIGNUM *bnD;
144 BIGNUM *bnN;
145 BIGNUM *bnP;
146 BIGNUM *bnE;
147 BIGNUM *bnPhi;
148 BIGNUM *bnQ;
149 BIGNUM *bnQr;
150 UINT32 fill;
151 CRYPT_RESULT retVal = CRYPT_SUCCESS; // Assume success
152 pAssert(publicKey != NULL && prime1 != NULL);
153 // Make sure that the sizes are within range
154 pAssert( prime1->size <= MAX_RSA_KEY_BYTES/2
155 && publicKey->size <= MAX_RSA_KEY_BYTES);
156 pAssert( prime2 == NULL || prime2->size < MAX_RSA_KEY_BYTES/2);
157 if(publicKey->size/2 != prime1->size)
158 return CRYPT_PARAMETER;
159 context = BN_CTX_new();
160 if(context == NULL)
161 FAIL(FATAL_ERROR_ALLOCATION);
162 BN_CTX_start(context);
163 bnE = BN_CTX_get(context); // public exponent (e)
164 bnD = BN_CTX_get(context); // private exponent (d)
165 bnN = BN_CTX_get(context); // public modulus (n)
166 bnP = BN_CTX_get(context); // prime1 (p)
167 bnPhi = BN_CTX_get(context); // (p-1)(q-1)
168 bnQ = BN_CTX_get(context); // prime2 (q)
169 bnQr = BN_CTX_get(context); // n mod p
170 if(bnQr == NULL)
171 FAIL(FATAL_ERROR_ALLOCATION);
172 if(BN_bin2bn(prime1->buffer, prime1->size, bnP) == NULL)
173 FAIL(FATAL_ERROR_INTERNAL);
174 // If prime2 is provided, then compute n
175 if(prime2 != NULL)
176 {
177 // Two primes provided so use them to compute n
178 if(BN_bin2bn(prime2->buffer, prime2->size, bnQ) == NULL)
179 FAIL(FATAL_ERROR_INTERNAL);
180 // Make sure that the sizes of the primes are compatible
181 if(BN_num_bits(bnQ) != BN_num_bits(bnP))
182 {
183 retVal = CRYPT_PARAMETER;
184 goto Cleanup;
185 }
186 // Multiply the primes to get the public modulus
187 if(BN_mul(bnN, bnP, bnQ, context) != 1)
188 FAIL(FATAL_ERROR_INTERNAL);
189 // if the space provided for the public modulus is large enough,
190 // save the created value
191 if(BN_num_bits(bnN) != (publicKey->size * 8))
192 {
193 retVal = CRYPT_PARAMETER;
194 goto Cleanup;
195 }
196 BN_bn2bin(bnN, publicKey->buffer);
197 }
198 else
199 {
200 // One prime provided so find the second prime by division
201 BN_bin2bn(publicKey->buffer, publicKey->size, bnN);
202 // Get q = n/p;
203 if(BN_div(bnQ, bnQr, bnN, bnP, context) != 1)
204 FAIL(FATAL_ERROR_INTERNAL);
205 // If there is a remainder, then this is not a valid n
206 if(BN_num_bytes(bnQr) != 0 || BN_num_bits(bnQ) != BN_num_bits(bnP))
207 {
208 retVal = CRYPT_PARAMETER; // problem may be recoverable
209 goto Cleanup;
210 }
211 }
212 // Get compute Phi = (p - 1)(q - 1) = pq - p - q + 1 = n - p - q + 1
213 BN_copy(bnPhi, bnN);
214 BN_sub(bnPhi, bnPhi, bnP);
215 BN_sub(bnPhi, bnPhi, bnQ);
216 BN_add_word(bnPhi, 1);
217 // Compute the multiplicative inverse
218 BN_set_word(bnE, exponent);
219 if(BN_mod_inverse(bnD, bnE, bnPhi, context) == NULL)
220 {
221 // Going to assume that the error is caused by a bad set of parameters.
222 // Specifically, an exponent that is not compatible with the primes.
223 // In an implementation that has better visibility to the error codes,
224 // this might be refined so that failures in the library would return
225 // a more informative value.
226 // Do not assume that the error codes will remain unchanged.
227 retVal = CRYPT_PARAMETER;
228 goto Cleanup;
229 }
230 // Return the private exponent.
231 // Make sure it is normalized to have the correct size.
232 d->size = publicKey->size;
233 fill = d->size - BN_num_bytes(bnD);
234 BN_bn2bin(bnD, &d->buffer[fill]);
235 memset(d->buffer, 0, fill);
236 Cleanup:
237 BN_CTX_end(context);
238 BN_CTX_free(context);
239 return retVal;
240 }
241 //
242 //
243 // RSAEP()
244 //
245 // This function performs the RSAEP operation defined in PKCS#1v2.1. It is an exponentiation of a value
246 // (m) with the public exponent (e), modulo the public (n).
247 //
248 // Return Value Meaning
249 //
250 // CRYPT_SUCCESS encryption complete
251 // CRYPT_PARAMETER number to exponentiate is larger than the modulus
252 //
253 static CRYPT_RESULT
RSAEP(UINT32 dInOutSize,BYTE * dInOut,RSA_KEY * key)254 RSAEP (
255 UINT32 dInOutSize, // OUT size of the encrypted block
256 BYTE *dInOut, // OUT: the encrypted data
257 RSA_KEY *key // IN: the key to use
258 )
259 {
260 UINT32 e;
261 BYTE exponent[4];
262 CRYPT_RESULT retVal;
263 e = key->exponent;
264 if(e == 0)
265 e = RSA_DEFAULT_PUBLIC_EXPONENT;
266 UINT32_TO_BYTE_ARRAY(e, exponent);
267 //!!! Can put check for test of RSA here
268 retVal = _math__ModExp(dInOutSize, dInOut, dInOutSize, dInOut, 4, exponent,
269 key->publicKey->size, key->publicKey->buffer);
270 // Exponentiation result is stored in-place, thus no space shortage is possible.
271 pAssert(retVal != CRYPT_UNDERFLOW);
272 return retVal;
273 }
274 //
275 //
276 // RSADP()
277 //
278 // This function performs the RSADP operation defined in PKCS#1v2.1. It is an exponentiation of a value (c)
279 // with the private exponent (d), modulo the public modulus (n). The decryption is in place.
280 //
281 // This function also checks the size of the private key. If the size indicates that only a prime value is
282 // present, the key is converted to being a private exponent.
283 //
284 // Return Value Meaning
285 //
286 // CRYPT_SUCCESS decryption succeeded
287 // CRYPT_PARAMETER the value to decrypt is larger than the modulus
288 //
289 static CRYPT_RESULT
RSADP(UINT32 dInOutSize,BYTE * dInOut,RSA_KEY * key)290 RSADP (
291 UINT32 dInOutSize, // IN/OUT: size of decrypted data
292 BYTE *dInOut, // IN/OUT: the decrypted data
293 RSA_KEY *key // IN: the key
294 )
295 {
296 CRYPT_RESULT retVal;
297 //!!! Can put check for RSA tested here
298 // Make sure that the pointers are provided and that the private key is present
299 // If the private key is present it is assumed to have been created by
300 // so is presumed good _cpri__PrivateExponent
301 pAssert(key != NULL && dInOut != NULL &&
302 key->publicKey->size == key->publicKey->size);
303 // make sure that the value to be decrypted is smaller than the modulus
304 // note: this check is redundant as is also performed by _math__ModExp()
305 // which is optimized for use in RSA operations
306 if(_math__uComp(key->publicKey->size, key->publicKey->buffer,
307 dInOutSize, dInOut) <= 0)
308 return CRYPT_PARAMETER;
309 // _math__ModExp can return CRYPT_PARAMTER or CRYPT_UNDERFLOW but actual
310 // underflow is not possible because everything is in the same buffer.
311 retVal = _math__ModExp(dInOutSize, dInOut, dInOutSize, dInOut,
312 key->privateKey->size, key->privateKey->buffer,
313 key->publicKey->size, key->publicKey->buffer);
314 // Exponentiation result is stored in-place, thus no space shortage is possible.
315 pAssert(retVal != CRYPT_UNDERFLOW);
316 return retVal;
317 }
318 //
319 //
320 // OaepEncode()
321 //
322 // This function performs OAEP padding. The size of the buffer to receive the OAEP padded data must
323 // equal the size of the modulus
324 //
325 // Return Value Meaning
326 //
327 // CRYPT_SUCCESS encode successful
328 // CRYPT_PARAMETER hashAlg is not valid
329 // CRYPT_FAIL message size is too large
330 //
331 static CRYPT_RESULT
OaepEncode(UINT32 paddedSize,BYTE * padded,TPM_ALG_ID hashAlg,const char * label,UINT32 messageSize,BYTE * message,BYTE * testSeed)332 OaepEncode(
333 UINT32 paddedSize, // IN: pad value size
334 BYTE *padded, // OUT: the pad data
335 TPM_ALG_ID hashAlg, // IN: algorithm to use for padding
336 const char *label, // IN: null-terminated string (may be NULL)
337 UINT32 messageSize, // IN: the message size
338 BYTE *message // IN: the message being padded
339 #ifdef TEST_RSA //
340 , BYTE *testSeed // IN: optional seed used for testing.
341 #endif // TEST_RSA //
342 )
343 {
344 UINT32 padLen;
345 UINT32 dbSize;
346 UINT32 i;
347 BYTE mySeed[MAX_DIGEST_SIZE];
348 BYTE *seed = mySeed;
349 INT32 hLen = _cpri__GetDigestSize(hashAlg);
350 BYTE mask[MAX_RSA_KEY_BYTES];
351 BYTE *pp;
352 BYTE *pm;
353 UINT32 lSize = 0;
354 CRYPT_RESULT retVal = CRYPT_SUCCESS;
355 pAssert(padded != NULL && message != NULL);
356 // A value of zero is not allowed because the KDF can't produce a result
357 // if the digest size is zero.
358 if(hLen <= 0)
359 return CRYPT_PARAMETER;
360 // If a label is provided, get the length of the string, including the
361 // terminator
362 if(label != NULL)
363 lSize = (UINT32)strlen(label) + 1;
364 // Basic size check
365 // messageSize <= k 2hLen 2
366 if(messageSize > paddedSize - 2 * hLen - 2)
367 return CRYPT_FAIL;
368 // Hash L even if it is null
369 // Offset into padded leaving room for masked seed and byte of zero
370 pp = &padded[hLen + 1];
371 retVal = _cpri__HashBlock(hashAlg, lSize, (BYTE *)label, hLen, pp);
372 // concatenate PS of k mLen 2hLen 2
373 padLen = paddedSize - messageSize - (2 * hLen) - 2;
374 memset(&pp[hLen], 0, padLen);
375 pp[hLen+padLen] = 0x01;
376 padLen += 1;
377 memcpy(&pp[hLen+padLen], message, messageSize);
378 // The total size of db = hLen + pad + mSize;
379 dbSize = hLen+padLen+messageSize;
380 // If testing, then use the provided seed. Otherwise, use values
381 // from the RNG
382 #ifdef TEST_RSA
383 if(testSeed != NULL)
384 seed = testSeed;
385 else
386 #endif // TEST_RSA
387 _cpri__GenerateRandom(hLen, mySeed);
388 // mask = MGF1 (seed, nSize hLen 1)
389 if((retVal = _cpri__MGF1(dbSize, mask, hashAlg, hLen, seed)) < 0)
390 return retVal; // Don't expect an error because hash size is not zero
391 // was detected in the call to _cpri__HashBlock() above.
392 // Create the masked db
393 pm = mask;
394 for(i = dbSize; i > 0; i--)
395 *pp++ ^= *pm++;
396 pp = &padded[hLen + 1];
397 // Run the masked data through MGF1
398 if((retVal = _cpri__MGF1(hLen, &padded[1], hashAlg, dbSize, pp)) < 0)
399 return retVal; // Don't expect zero here as the only case for zero
400 // was detected in the call to _cpri__HashBlock() above.
401 // Now XOR the seed to create masked seed
402 pp = &padded[1];
403 pm = seed;
404 for(i = hLen; i > 0; i--)
405 *pp++ ^= *pm++;
406 // Set the first byte to zero
407 *padded = 0x00;
408 return CRYPT_SUCCESS;
409 }
410 //
411 //
412 // OaepDecode()
413 //
414 // This function performs OAEP padding checking. The size of the buffer to receive the recovered data. If
415 // the padding is not valid, the dSize size is set to zero and the function returns CRYPT_NO_RESULTS.
416 // The dSize parameter is used as an input to indicate the size available in the buffer. If insufficient space is
417 // available, the size is not changed and the return code is CRYPT_FAIL.
418 //
419 // Return Value Meaning
420 //
421 // CRYPT_SUCCESS decode complete
422 // CRYPT_PARAMETER the value to decode was larger than the modulus
423 // CRYPT_FAIL the padding is wrong or the buffer to receive the results is too small
424 //
425 static CRYPT_RESULT
OaepDecode(UINT32 * dataOutSize,BYTE * dataOut,TPM_ALG_ID hashAlg,const char * label,UINT32 paddedSize,BYTE * padded)426 OaepDecode(
427 UINT32 *dataOutSize, // IN/OUT: the recovered data size
428 BYTE *dataOut, // OUT: the recovered data
429 TPM_ALG_ID hashAlg, // IN: algorithm to use for padding
430 const char *label, // IN: null-terminated string (may be NULL)
431 UINT32 paddedSize, // IN: the size of the padded data
432 BYTE *padded // IN: the padded data
433 )
434 {
435 UINT32 dSizeSave;
436 UINT32 i;
437 BYTE seedMask[MAX_DIGEST_SIZE];
438 INT32 hLen = _cpri__GetDigestSize(hashAlg);
439 BYTE mask[MAX_RSA_KEY_BYTES];
440 BYTE *pp;
441 BYTE *pm;
442 UINT32 lSize = 0;
443 CRYPT_RESULT retVal = CRYPT_SUCCESS;
444 // Unknown hash
445 pAssert(hLen > 0 && dataOutSize != NULL && dataOut != NULL && padded != NULL);
446 // If there is a label, get its size including the terminating 0x00
447 if(label != NULL)
448 lSize = (UINT32)strlen(label) + 1;
449 // Set the return size to zero so that it doesn't have to be done on each
450 // failure
451 dSizeSave = *dataOutSize;
452 *dataOutSize = 0;
453 // Strange size (anything smaller can't be an OAEP padded block)
454 // Also check for no leading 0
455 if(paddedSize < (unsigned)((2 * hLen) + 2) || *padded != 0)
456 return CRYPT_FAIL;
457 // Use the hash size to determine what to put through MGF1 in order
458 // to recover the seedMask
459 if((retVal = _cpri__MGF1(hLen, seedMask, hashAlg,
460 paddedSize-hLen-1, &padded[hLen+1])) < 0)
461 return retVal;
462 // Recover the seed into seedMask
463 pp = &padded[1];
464 pm = seedMask;
465 for(i = hLen; i > 0; i--)
466 *pm++ ^= *pp++;
467 // Use the seed to generate the data mask
468 if((retVal = _cpri__MGF1(paddedSize-hLen-1, mask, hashAlg,
469 hLen, seedMask)) < 0)
470 return retVal;
471 // Use the mask generated from seed to recover the padded data
472 pp = &padded[hLen+1];
473 pm = mask;
474 for(i = paddedSize-hLen-1; i > 0; i--)
475 *pm++ ^= *pp++;
476 // Make sure that the recovered data has the hash of the label
477 // Put trial value in the seed mask
478 if((retVal=_cpri__HashBlock(hashAlg, lSize,(BYTE *)label, hLen, seedMask)) < 0)
479 return retVal;
480 if(memcmp(seedMask, mask, hLen) != 0)
481 return CRYPT_FAIL;
482 // find the start of the data
483 pm = &mask[hLen];
484 for(i = paddedSize-(2*hLen)-1; i > 0; i--)
485 {
486 if(*pm++ != 0)
487 break;
488 }
489
490 // Magic value in the end of the fill area must be 1, anything else must be
491 // rejected.
492 if (pm[-1] != 1)
493 return CRYPT_FAIL;
494
495 if(i == 0)
496 return CRYPT_PARAMETER;
497 // pm should be pointing at the first part of the data
498 // and i is one greater than the number of bytes to move
499 i--;
500 if(i > dSizeSave)
501 {
502 // Restore dSize
503 *dataOutSize = dSizeSave;
504 return CRYPT_FAIL;
505 }
506 memcpy(dataOut, pm, i);
507 *dataOutSize = i;
508 return CRYPT_SUCCESS;
509 }
510 //
511 //
512 // PKSC1v1_5Encode()
513 //
514 // This function performs the encoding for RSAES-PKCS1-V1_5-ENCRYPT as defined in PKCS#1V2.1
515 //
516 // Return Value Meaning
517 //
518 // CRYPT_SUCCESS data encoded
519 // CRYPT_PARAMETER message size is too large
520 //
521 static CRYPT_RESULT
RSAES_PKSC1v1_5Encode(UINT32 paddedSize,BYTE * padded,UINT32 messageSize,BYTE * message)522 RSAES_PKSC1v1_5Encode(
523 UINT32 paddedSize, // IN: pad value size
524 BYTE *padded, // OUT: the pad data
525 UINT32 messageSize, // IN: the message size
526 BYTE *message // IN: the message being padded
527 )
528 {
529 UINT32 ps = paddedSize - messageSize - 3;
530 if(messageSize > paddedSize - 11)
531 return CRYPT_PARAMETER;
532 // move the message to the end of the buffer
533 memcpy(&padded[paddedSize - messageSize], message, messageSize);
534 // Set the first byte to 0x00 and the second to 0x02
535 *padded = 0;
536 padded[1] = 2;
537 // Fill with random bytes
538 _cpri__GenerateRandom(ps, &padded[2]);
539 // Set the delimiter for the random field to 0
540 padded[2+ps] = 0;
541 // Now, the only messy part. Make sure that all the ps bytes are non-zero
542 // In this implementation, use the value of the current index
543 for(ps++; ps > 1; ps--)
544 {
545 if(padded[ps] == 0)
546 padded[ps] = 0x55; // In the < 0.5% of the cases that the random
547 // value is 0, just pick a value to put into
548 // the spot.
549 }
550 return CRYPT_SUCCESS;
551 }
552 //
553 //
554 // RSAES_Decode()
555 //
556 // This function performs the decoding for RSAES-PKCS1-V1_5-ENCRYPT as defined in PKCS#1V2.1
557 //
558 // Return Value Meaning
559 //
560 // CRYPT_SUCCESS decode successful
561 // CRYPT_FAIL decoding error or results would no fit into provided buffer
562 //
563 static CRYPT_RESULT
RSAES_Decode(UINT32 * messageSize,BYTE * message,UINT32 codedSize,BYTE * coded)564 RSAES_Decode(
565 UINT32 *messageSize, // IN/OUT: recovered message size
566 BYTE *message, // OUT: the recovered message
567 UINT32 codedSize, // IN: the encoded message size
568 BYTE *coded // IN: the encoded message
569 )
570 {
571 BOOL fail = FALSE;
572 UINT32 ps;
573 fail = (codedSize < 11);
574 fail |= (coded[0] != 0x00) || (coded[1] != 0x02);
575 for(ps = 2; ps < codedSize; ps++)
576 {
577 if(coded[ps] == 0)
578 break;
579 }
580 ps++;
581 // Make sure that ps has not gone over the end and that there are at least 8
582 // bytes of pad data.
583 fail |= ((ps >= codedSize) || ((ps-2) < 8));
584 if((*messageSize < codedSize - ps) || fail)
585 return CRYPT_FAIL;
586 *messageSize = codedSize - ps;
587 memcpy(message, &coded[ps], codedSize - ps);
588 return CRYPT_SUCCESS;
589 }
590 //
591 //
592 // PssEncode()
593 //
594 // This function creates an encoded block of data that is the size of modulus. The function uses the
595 // maximum salt size that will fit in the encoded block.
596 //
597 // Return Value Meaning
598 //
599 // CRYPT_SUCCESS encode successful
600 // CRYPT_PARAMETER hashAlg is not a supported hash algorithm
601 //
602 static CRYPT_RESULT
PssEncode(UINT32 eOutSize,BYTE * eOut,TPM_ALG_ID hashAlg,UINT32 hashInSize,BYTE * hashIn,BYTE * saltIn)603 PssEncode (
604 UINT32 eOutSize, // IN: size of the encode data buffer
605 BYTE *eOut, // OUT: encoded data buffer
606 TPM_ALG_ID hashAlg, // IN: hash algorithm to use for the encoding
607 UINT32 hashInSize, // IN: size of digest to encode
608 BYTE *hashIn // IN: the digest
609 #ifdef TEST_RSA //
610 , BYTE *saltIn // IN: optional parameter for testing
611 #endif // TEST_RSA //
612 )
613 {
614 INT32 hLen = _cpri__GetDigestSize(hashAlg);
615 BYTE salt[MAX_RSA_KEY_BYTES - 1];
616 UINT16 saltSize;
617 BYTE *ps = salt;
618 CRYPT_RESULT retVal;
619 UINT16 mLen;
620 CPRI_HASH_STATE hashState;
621 // These are fatal errors indicating bad TPM firmware
622 pAssert(eOut != NULL && hLen > 0 && hashIn != NULL );
623 // Get the size of the mask
624 mLen = (UINT16)(eOutSize - hLen - 1);
625 // Maximum possible salt size is mask length - 1
626 saltSize = mLen - 1;
627 // Use the maximum salt size allowed by FIPS 186-4
628 if(saltSize > hLen)
629 saltSize = (UINT16)hLen;
630 //using eOut for scratch space
631 // Set the first 8 bytes to zero
632 memset(eOut, 0, 8);
633 // Get set the salt
634 #ifdef TEST_RSA
635 if(saltIn != NULL)
636 {
637 saltSize = hLen;
638 memcpy(salt, saltIn, hLen);
639 }
640 else
641 #endif // TEST_RSA
642 _cpri__GenerateRandom(saltSize, salt);
643 // Create the hash of the pad || input hash || salt
644 _cpri__StartHash(hashAlg, FALSE, &hashState);
645 _cpri__UpdateHash(&hashState, 8, eOut);
646 _cpri__UpdateHash(&hashState, hashInSize, hashIn);
647 _cpri__UpdateHash(&hashState, saltSize, salt);
648 _cpri__CompleteHash(&hashState, hLen, &eOut[eOutSize - hLen - 1]);
649 // Create a mask
650 if((retVal = _cpri__MGF1(mLen, eOut, hashAlg, hLen, &eOut[mLen])) < 0)
651 {
652 // Currently _cpri__MGF1 is not expected to return a CRYPT_RESULT error.
653 pAssert(0);
654 }
655 // Since this implementation uses key sizes that are all even multiples of
656 // 8, just need to make sure that the most significant bit is CLEAR
657 eOut[0] &= 0x7f;
658 // Before we mess up the eOut value, set the last byte to 0xbc
659 eOut[eOutSize - 1] = 0xbc;
660 // XOR a byte of 0x01 at the position just before where the salt will be XOR'ed
661 eOut = &eOut[mLen - saltSize - 1];
662 *eOut++ ^= 0x01;
663 // XOR the salt data into the buffer
664 for(; saltSize > 0; saltSize--)
665 *eOut++ ^= *ps++;
666 // and we are done
667 return CRYPT_SUCCESS;
668 }
669 //
670 //
671 // PssDecode()
672 //
673 // This function checks that the PSS encoded block was built from the provided digest. If the check is
674 // successful, CRYPT_SUCCESS is returned. Any other value indicates an error.
675 // This implementation of PSS decoding is intended for the reference TPM implementation and is not at all
676 // generalized. It is used to check signatures over hashes and assumptions are made about the sizes of
677 // values. Those assumptions are enforce by this implementation. This implementation does allow for a
678 // variable size salt value to have been used by the creator of the signature.
679 //
680 //
681 //
682 //
683 // Return Value Meaning
684 //
685 // CRYPT_SUCCESS decode successful
686 // CRYPT_SCHEME hashAlg is not a supported hash algorithm
687 // CRYPT_FAIL decode operation failed
688 //
689 static CRYPT_RESULT
PssDecode(TPM_ALG_ID hashAlg,UINT32 dInSize,BYTE * dIn,UINT32 eInSize,BYTE * eIn,UINT32 saltSize)690 PssDecode(
691 TPM_ALG_ID hashAlg, // IN: hash algorithm to use for the encoding
692 UINT32 dInSize, // IN: size of the digest to compare
693 BYTE *dIn, // In: the digest to compare
694 UINT32 eInSize, // IN: size of the encoded data
695 BYTE *eIn, // IN: the encoded data
696 UINT32 saltSize // IN: the expected size of the salt
697 )
698 {
699 INT32 hLen = _cpri__GetDigestSize(hashAlg);
700 BYTE mask[MAX_RSA_KEY_BYTES];
701 BYTE *pm = mask;
702 BYTE pad[8] = {0};
703 UINT32 i;
704 UINT32 mLen;
705 BOOL fail = FALSE;
706 CRYPT_RESULT retVal;
707 CPRI_HASH_STATE hashState;
708 // These errors are indicative of failures due to programmer error
709 pAssert(dIn != NULL && eIn != NULL);
710 // check the hash scheme
711 if(hLen == 0)
712 return CRYPT_SCHEME;
713 // most significant bit must be zero
714 fail = ((eIn[0] & 0x80) != 0);
715 // last byte must be 0xbc
716 fail |= (eIn[eInSize - 1] != 0xbc);
717 // Use the hLen bytes at the end of the buffer to generate a mask
718 // Doesn't start at the end which is a flag byte
719 mLen = eInSize - hLen - 1;
720 if((retVal = _cpri__MGF1(mLen, mask, hashAlg, hLen, &eIn[mLen])) < 0)
721 return retVal;
722 if(retVal == 0)
723 return CRYPT_FAIL;
724 // Clear the MSO of the mask to make it consistent with the encoding.
725 mask[0] &= 0x7F;
726 // XOR the data into the mask to recover the salt. This sequence
727 // advances eIn so that it will end up pointing to the seed data
728 // which is the hash of the signature data
729 for(i = mLen; i > 0; i--)
730 *pm++ ^= *eIn++;
731 // Find the first byte of 0x01 after a string of all 0x00
732 for(pm = mask, i = mLen; i > 0; i--)
733 {
734 if(*pm == 0x01)
735 break;
736 else
737 fail |= (*pm++ != 0);
738 }
739 fail |= (i == 0);
740 // if we have failed, will continue using the entire mask as the salt value so
741 // that the timing attacks will not disclose anything (I don't think that this
742 // is a problem for TPM applications but, usually, we don't fail so this
743 // doesn't cost anything).
744 if(fail)
745 {
746 i = mLen;
747 pm = mask;
748 }
749 else
750 {
751 pm++;
752 i--;
753 }
754 // If the salt size was provided, then the recovered size must match
755 fail |= (saltSize != 0 && i != saltSize);
756 // i contains the salt size and pm points to the salt. Going to use the input
757 // hash and the seed to recreate the hash in the lower portion of eIn.
758 _cpri__StartHash(hashAlg, FALSE, &hashState);
759 // add the pad of 8 zeros
760 _cpri__UpdateHash(&hashState, 8, pad);
761 // add the provided digest value
762 _cpri__UpdateHash(&hashState, dInSize, dIn);
763 // and the salt
764 _cpri__UpdateHash(&hashState, i, pm);
765 // get the result
766 retVal = _cpri__CompleteHash(&hashState, MAX_DIGEST_SIZE, mask);
767 // retVal will be the size of the digest or zero. If not equal to the indicated
768 // digest size, then the signature doesn't match
769 fail |= (retVal != hLen);
770 fail |= (memcmp(mask, eIn, hLen) != 0);
771 if(fail)
772 return CRYPT_FAIL;
773 else
774 return CRYPT_SUCCESS;
775 }
776 //
777 //
778 // PKSC1v1_5SignEncode()
779 //
780 // Encode a message using PKCS1v1().5 method.
781 //
782 // Return Value Meaning
783 //
784 // CRYPT_SUCCESS encode complete
785 // CRYPT_SCHEME hashAlg is not a supported hash algorithm
786 // CRYPT_PARAMETER eOutSize is not large enough or hInSize does not match the digest
787 // size of hashAlg
788 //
789 static CRYPT_RESULT
RSASSA_Encode(UINT32 eOutSize,BYTE * eOut,TPM_ALG_ID hashAlg,UINT32 hInSize,BYTE * hIn)790 RSASSA_Encode(
791 UINT32 eOutSize, // IN: the size of the resulting block
792 BYTE *eOut, // OUT: the encoded block
793 TPM_ALG_ID hashAlg, // IN: hash algorithm for PKSC1v1_5
794 UINT32 hInSize, // IN: size of hash to be signed
795 BYTE *hIn // IN: hash buffer
796 )
797 {
798 const BYTE *der;
799 INT32 derSize = _cpri__GetHashDER(hashAlg, &der);
800 INT32 fillSize;
801 pAssert(eOut != NULL && hIn != NULL);
802 // Can't use this scheme if the algorithm doesn't have a DER string defined.
803 if(derSize == 0 )
804 return CRYPT_SCHEME;
805 // If the digest size of 'hashAl' doesn't match the input digest size, then
806 // the DER will misidentify the digest so return an error
807 if((unsigned)_cpri__GetDigestSize(hashAlg) != hInSize)
808 return CRYPT_PARAMETER;
809 fillSize = eOutSize - derSize - hInSize - 3;
810 // Make sure that this combination will fit in the provided space
811 if(fillSize < 8)
812 return CRYPT_PARAMETER;
813 // Start filling
814 *eOut++ = 0; // initial byte of zero
815 *eOut++ = 1; // byte of 0x01
816 for(; fillSize > 0; fillSize--)
817 *eOut++ = 0xff; // bunch of 0xff
818 *eOut++ = 0; // another 0
819 for(; derSize > 0; derSize--)
820 *eOut++ = *der++; // copy the DER
821 for(; hInSize > 0; hInSize--)
822 *eOut++ = *hIn++; // copy the hash
823 return CRYPT_SUCCESS;
824 }
825 //
826 //
827 // RSASSA_Decode()
828 //
829 // This function performs the RSASSA decoding of a signature.
830 //
831 // Return Value Meaning
832 //
833 // CRYPT_SUCCESS decode successful
834 // CRYPT_FAIL decode unsuccessful
835 // CRYPT_SCHEME haslAlg is not supported
836 //
837 static CRYPT_RESULT
RSASSA_Decode(TPM_ALG_ID hashAlg,UINT32 hInSize,BYTE * hIn,UINT32 eInSize,BYTE * eIn)838 RSASSA_Decode(
839 TPM_ALG_ID hashAlg, // IN: hash algorithm to use for the encoding
840 UINT32 hInSize, // IN: size of the digest to compare
841 BYTE *hIn, // In: the digest to compare
842 UINT32 eInSize, // IN: size of the encoded data
843 BYTE *eIn // IN: the encoded data
844 )
845 {
846 BOOL fail = FALSE;
847 const BYTE *der;
848 INT32 derSize = _cpri__GetHashDER(hashAlg, &der);
849 INT32 hashSize = _cpri__GetDigestSize(hashAlg);
850 INT32 fillSize;
851 pAssert(hIn != NULL && eIn != NULL);
852 // Can't use this scheme if the algorithm doesn't have a DER string
853 // defined or if the provided hash isn't the right size
854 if(derSize == 0 || (unsigned)hashSize != hInSize)
855 return CRYPT_SCHEME;
856 // Make sure that this combination will fit in the provided space
857 // Since no data movement takes place, can just walk though this
858 // and accept nearly random values. This can only be called from
859 // _cpri__ValidateSignature() so eInSize is known to be in range.
860 fillSize = eInSize - derSize - hashSize - 3;
861 // Start checking
862 fail |= (*eIn++ != 0); // initial byte of zero
863 fail |= (*eIn++ != 1); // byte of 0x01
864 for(; fillSize > 0; fillSize--)
865 fail |= (*eIn++ != 0xff); // bunch of 0xff
866 fail |= (*eIn++ != 0); // another 0
867 for(; derSize > 0; derSize--)
868 fail |= (*eIn++ != *der++); // match the DER
869 for(; hInSize > 0; hInSize--)
870 fail |= (*eIn++ != *hIn++); // match the hash
871 if(fail)
872 return CRYPT_FAIL;
873 return CRYPT_SUCCESS;
874 }
875 //
876 //
877 // Externally Accessible Functions
878 //
879 // _cpri__RsaStartup()
880 //
881 // Function that is called to initialize the hash service. In this implementation, this function does nothing but
882 // it is called by the CryptUtilStartup() function and must be present.
883 //
884 LIB_EXPORT BOOL
_cpri__RsaStartup(void)885 _cpri__RsaStartup(
886 void
887 )
888 {
889 return TRUE;
890 }
891 //
892 //
893 // _cpri__EncryptRSA()
894 //
895 // This is the entry point for encryption using RSA. Encryption is use of the public exponent. The padding
896 // parameter determines what padding will be used.
897 // The cOutSize parameter must be at least as large as the size of the key.
898 // If the padding is RSA_PAD_NONE, dIn is treaded as a number. It must be lower in value than the key
899 // modulus.
900 //
901 //
902 //
903 // NOTE: If dIn has fewer bytes than cOut, then we don't add low-order zeros to dIn to make it the size of the RSA key for
904 // the call to RSAEP. This is because the high order bytes of dIn might have a numeric value that is greater than
905 // the value of the key modulus. If this had low-order zeros added, it would have a numeric value larger than the
906 // modulus even though it started out with a lower numeric value.
907 //
908 //
909 // Return Value Meaning
910 //
911 // CRYPT_SUCCESS encryption complete
912 // CRYPT_PARAMETER cOutSize is too small (must be the size of the modulus)
913 // CRYPT_SCHEME padType is not a supported scheme
914 //
915 LIB_EXPORT CRYPT_RESULT
_cpri__EncryptRSA(UINT32 * cOutSize,BYTE * cOut,RSA_KEY * key,TPM_ALG_ID padType,UINT32 dInSize,BYTE * dIn,TPM_ALG_ID hashAlg,const char * label)916 _cpri__EncryptRSA(
917 UINT32 *cOutSize, // OUT: the size of the encrypted data
918 BYTE *cOut, // OUT: the encrypted data
919 RSA_KEY *key, // IN: the key to use for encryption
920 TPM_ALG_ID padType, // IN: the type of padding
921 UINT32 dInSize, // IN: the amount of data to encrypt
922 BYTE *dIn, // IN: the data to encrypt
923 TPM_ALG_ID hashAlg, // IN: in case this is needed
924 const char *label // IN: in case it is needed
925 )
926 {
927 CRYPT_RESULT retVal = CRYPT_SUCCESS;
928 pAssert(cOutSize != NULL);
929 // All encryption schemes return the same size of data
930 if(*cOutSize < key->publicKey->size)
931 return CRYPT_PARAMETER;
932 *cOutSize = key->publicKey->size;
933 switch (padType)
934 {
935 case TPM_ALG_NULL: // 'raw' encryption
936 {
937 // dIn can have more bytes than cOut as long as the extra bytes
938 // are zero
939 for(; dInSize > *cOutSize; dInSize--)
940 {
941 if(*dIn++ != 0)
942 return CRYPT_PARAMETER;
943 }
944 // If dIn is smaller than cOut, fill cOut with zeros
945 if(dInSize < *cOutSize)
946 memset(cOut, 0, *cOutSize - dInSize);
947 // Copy the rest of the value
948 memcpy(&cOut[*cOutSize-dInSize], dIn, dInSize);
949 // If the size of dIn is the same as cOut dIn could be larger than
950 // the modulus. If it is, then RSAEP() will catch it.
951 }
952 break;
953 case TPM_ALG_RSAES:
954 retVal = RSAES_PKSC1v1_5Encode(*cOutSize, cOut, dInSize, dIn);
955 break;
956 case TPM_ALG_OAEP:
957 retVal = OaepEncode(*cOutSize, cOut, hashAlg, label, dInSize, dIn
958 #ifdef TEST_RSA
959 ,NULL
960 #endif
961 );
962 break;
963 default:
964 return CRYPT_SCHEME;
965 }
966 // All the schemes that do padding will come here for the encryption step
967 // Check that the Encoding worked
968 if(retVal != CRYPT_SUCCESS)
969 return retVal;
970 // Padding OK so do the encryption
971 return RSAEP(*cOutSize, cOut, key);
972 }
973 //
974 //
975 // _cpri__DecryptRSA()
976 //
977 // This is the entry point for decryption using RSA. Decryption is use of the private exponent. The padType
978 // parameter determines what padding was used.
979 //
980 // Return Value Meaning
981 //
982 // CRYPT_SUCCESS successful completion
983 // CRYPT_PARAMETER cInSize is not the same as the size of the public modulus of key; or
984 // numeric value of the encrypted data is greater than the modulus
985 // CRYPT_FAIL dOutSize is not large enough for the result
986 // CRYPT_SCHEME padType is not supported
987 //
988 LIB_EXPORT CRYPT_RESULT
_cpri__DecryptRSA(UINT32 * dOutSize,BYTE * dOut,RSA_KEY * key,TPM_ALG_ID padType,UINT32 cInSize,BYTE * cIn,TPM_ALG_ID hashAlg,const char * label)989 _cpri__DecryptRSA(
990 UINT32 *dOutSize, // OUT: the size of the decrypted data
991 BYTE *dOut, // OUT: the decrypted data
992 RSA_KEY *key, // IN: the key to use for decryption
993 TPM_ALG_ID padType, // IN: the type of padding
994 UINT32 cInSize, // IN: the amount of data to decrypt
995 BYTE *cIn, // IN: the data to decrypt
996 TPM_ALG_ID hashAlg, // IN: in case this is needed for the scheme
997 const char *label // IN: in case it is needed for the scheme
998 )
999 {
1000 CRYPT_RESULT retVal;
1001 // Make sure that the necessary parameters are provided
1002 pAssert(cIn != NULL && dOut != NULL && dOutSize != NULL && key != NULL);
1003 // Size is checked to make sure that the decryption works properly
1004 if(cInSize != key->publicKey->size)
1005 return CRYPT_PARAMETER;
1006 // For others that do padding, do the decryption in place and then
1007 // go handle the decoding.
1008 if((retVal = RSADP(cInSize, cIn, key)) != CRYPT_SUCCESS)
1009 return retVal; // Decryption failed
1010 // Remove padding
1011 switch (padType)
1012 {
1013 case TPM_ALG_NULL:
1014 if(*dOutSize < key->publicKey->size)
1015 return CRYPT_FAIL;
1016 *dOutSize = key->publicKey->size;
1017 memcpy(dOut, cIn, *dOutSize);
1018 return CRYPT_SUCCESS;
1019 case TPM_ALG_RSAES:
1020 return RSAES_Decode(dOutSize, dOut, cInSize, cIn);
1021 break;
1022 case TPM_ALG_OAEP:
1023 return OaepDecode(dOutSize, dOut, hashAlg, label, cInSize, cIn);
1024 break;
1025 default:
1026 return CRYPT_SCHEME;
1027 break;
1028 }
1029 }
1030 //
1031 //
1032 // _cpri__SignRSA()
1033 //
1034 // This function is used to generate an RSA signature of the type indicated in scheme.
1035 //
1036 // Return Value Meaning
1037 //
1038 // CRYPT_SUCCESS sign operation completed normally
1039 // CRYPT_SCHEME scheme or hashAlg are not supported
1040 // CRYPT_PARAMETER hInSize does not match hashAlg (for RSASSA)
1041 //
1042 LIB_EXPORT CRYPT_RESULT
_cpri__SignRSA(UINT32 * sigOutSize,BYTE * sigOut,RSA_KEY * key,TPM_ALG_ID scheme,TPM_ALG_ID hashAlg,UINT32 hInSize,BYTE * hIn)1043 _cpri__SignRSA(
1044 UINT32 *sigOutSize, // OUT: size of signature
1045 BYTE *sigOut, // OUT: signature
1046 RSA_KEY *key, // IN: key to use
1047 TPM_ALG_ID scheme, // IN: the scheme to use
1048 TPM_ALG_ID hashAlg, // IN: hash algorithm for PKSC1v1_5
1049 UINT32 hInSize, // IN: size of digest to be signed
1050 BYTE *hIn // IN: digest buffer
1051 )
1052 {
1053 CRYPT_RESULT retVal;
1054 // Parameter checks
1055 pAssert(sigOutSize != NULL && sigOut != NULL && key != NULL && hIn != NULL);
1056 // For all signatures the size is the size of the key modulus
1057 *sigOutSize = key->publicKey->size;
1058 switch (scheme)
1059 {
1060 case TPM_ALG_NULL:
1061 *sigOutSize = 0;
1062 return CRYPT_SUCCESS;
1063 case TPM_ALG_RSAPSS:
1064 // PssEncode can return CRYPT_PARAMETER
1065 retVal = PssEncode(*sigOutSize, sigOut, hashAlg, hInSize, hIn
1066 #ifdef TEST_RSA
1067 , NULL
1068 #endif
1069 );
1070 break;
1071 case TPM_ALG_RSASSA:
1072 // RSASSA_Encode can return CRYPT_PARAMETER or CRYPT_SCHEME
1073 retVal = RSASSA_Encode(*sigOutSize, sigOut, hashAlg, hInSize, hIn);
1074 break;
1075 default:
1076 return CRYPT_SCHEME;
1077 }
1078 if(retVal != CRYPT_SUCCESS)
1079 return retVal;
1080 // Do the encryption using the private key
1081 // RSADP can return CRYPT_PARAMETR
1082 return RSADP(*sigOutSize,sigOut, key);
1083 }
1084 //
1085 //
1086 // _cpri__ValidateSignatureRSA()
1087 //
1088 // This function is used to validate an RSA signature. If the signature is valid CRYPT_SUCCESS is
1089 // returned. If the signature is not valid, CRYPT_FAIL is returned. Other return codes indicate either
1090 // parameter problems or fatal errors.
1091 //
1092 // Return Value Meaning
1093 //
1094 // CRYPT_SUCCESS the signature checks
1095 // CRYPT_FAIL the signature does not check
1096 // CRYPT_SCHEME unsupported scheme or hash algorithm
1097 //
1098 LIB_EXPORT CRYPT_RESULT
_cpri__ValidateSignatureRSA(RSA_KEY * key,TPM_ALG_ID scheme,TPM_ALG_ID hashAlg,UINT32 hInSize,BYTE * hIn,UINT32 sigInSize,BYTE * sigIn,UINT16 saltSize)1099 _cpri__ValidateSignatureRSA(
1100 RSA_KEY *key, // IN: key to use
1101 TPM_ALG_ID scheme, // IN: the scheme to use
1102 TPM_ALG_ID hashAlg, // IN: hash algorithm
1103 UINT32 hInSize, // IN: size of digest to be checked
1104 BYTE *hIn, // IN: digest buffer
1105 UINT32 sigInSize, // IN: size of signature
1106 BYTE *sigIn, // IN: signature
1107 UINT16 saltSize // IN: salt size for PSS
1108 )
1109 {
1110 CRYPT_RESULT retVal;
1111 // Fatal programming errors
1112 pAssert(key != NULL && sigIn != NULL && hIn != NULL);
1113 // Errors that might be caused by calling parameters
1114 if(sigInSize != key->publicKey->size)
1115 return CRYPT_FAIL;
1116 // Decrypt the block
1117 if((retVal = RSAEP(sigInSize, sigIn, key)) != CRYPT_SUCCESS)
1118 return CRYPT_FAIL;
1119 switch (scheme)
1120 {
1121 case TPM_ALG_NULL:
1122 return CRYPT_SCHEME;
1123 break;
1124 case TPM_ALG_RSAPSS:
1125 return PssDecode(hashAlg, hInSize, hIn, sigInSize, sigIn, saltSize);
1126 break;
1127 case TPM_ALG_RSASSA:
1128 return RSASSA_Decode(hashAlg, hInSize, hIn, sigInSize, sigIn);
1129 break;
1130 default:
1131 break;
1132 }
1133 return CRYPT_SCHEME;
1134 }
1135 #ifndef RSA_KEY_SIEVE
1136 //
1137 //
1138 // _cpri__GenerateKeyRSA()
1139 //
1140 // Generate an RSA key from a provided seed
1141 //
1142 //
1143 //
1144 //
1145 // Return Value Meaning
1146 //
1147 // CRYPT_FAIL exponent is not prime or is less than 3; or could not find a prime using
1148 // the provided parameters
1149 // CRYPT_CANCEL operation was canceled
1150 //
1151 LIB_EXPORT CRYPT_RESULT
_cpri__GenerateKeyRSA(TPM2B * n,TPM2B * p,UINT16 keySizeInBits,UINT32 e,TPM_ALG_ID hashAlg,TPM2B * seed,const char * label,TPM2B * extra,UINT32 * counter)1152 _cpri__GenerateKeyRSA(
1153 TPM2B *n, // OUT: The public modulu
1154 TPM2B *p, // OUT: One of the prime factors of n
1155 UINT16 keySizeInBits, // IN: Size of the public modulus in bit
1156 UINT32 e, // IN: The public exponent
1157 TPM_ALG_ID hashAlg, // IN: hash algorithm to use in the key
1158 // generation proce
1159 TPM2B *seed, // IN: the seed to use
1160 const char *label, // IN: A label for the generation process.
1161 TPM2B *extra, // IN: Party 1 data for the KDF
1162 UINT32 *counter // IN/OUT: Counter value to allow KFD iteration
1163 // to be propagated across multiple routine
1164 )
1165 {
1166 UINT32 lLen; // length of the label
1167 // (counting the terminating 0);
1168 UINT16 digestSize = _cpri__GetDigestSize(hashAlg);
1169 TPM2B_HASH_BLOCK oPadKey;
1170 UINT32 outer;
1171 UINT32 inner;
1172 BYTE swapped[4];
1173 CRYPT_RESULT retVal;
1174 int i, fill;
1175 const static char defaultLabel[] = "RSA key";
1176 BYTE *pb;
1177 CPRI_HASH_STATE h1; // contains the hash of the
1178 // HMAC key w/ iPad
1179 CPRI_HASH_STATE h2; // contains the hash of the
1180 // HMAC key w/ oPad
1181 CPRI_HASH_STATE h; // the working hash context
1182 BIGNUM *bnP;
1183 BIGNUM *bnQ;
1184 BIGNUM *bnT;
1185 BIGNUM *bnE;
1186 BIGNUM *bnN;
1187 BN_CTX *context;
1188 UINT32 rem;
1189 // Make sure that hashAlg is valid hash
1190 pAssert(digestSize != 0);
1191 // if present, use externally provided counter
1192 if(counter != NULL)
1193 outer = *counter;
1194 else
1195 outer = 1;
1196 // Validate exponent
1197 UINT32_TO_BYTE_ARRAY(e, swapped);
1198 // Need to check that the exponent is prime and not less than 3
1199 if( e != 0 && (e < 3 || !_math__IsPrime(e)))
1200 return CRYPT_FAIL;
1201 // Get structures for the big number representations
1202 context = BN_CTX_new();
1203 if(context == NULL)
1204 FAIL(FATAL_ERROR_ALLOCATION);
1205 BN_CTX_start(context);
1206 bnP = BN_CTX_get(context);
1207 bnQ = BN_CTX_get(context);
1208 bnT = BN_CTX_get(context);
1209 bnE = BN_CTX_get(context);
1210 bnN = BN_CTX_get(context);
1211 if(bnN == NULL)
1212 FAIL(FATAL_ERROR_INTERNAL);
1213 // Set Q to zero. This is used as a flag. The prime is computed in P. When a
1214 // new prime is found, Q is checked to see if it is zero. If so, P is copied
1215 // to Q and a new P is found. When both P and Q are non-zero, the modulus and
1216 // private exponent are computed and a trial encryption/decryption is
1217 // performed. If the encrypt/decrypt fails, assume that at least one of the
1218 // primes is composite. Since we don't know which one, set Q to zero and start
1219 // over and find a new pair of primes.
1220 BN_zero(bnQ);
1221 // Need to have some label
1222 if(label == NULL)
1223 label = (const char *)&defaultLabel;
1224 // Get the label size
1225 for(lLen = 0; label[lLen++] != 0;);
1226 // Start the hash using the seed and get the intermediate hash value
1227 _cpri__StartHMAC(hashAlg, FALSE, &h1, seed->size, seed->buffer, &oPadKey.b);
1228 _cpri__StartHash(hashAlg, FALSE, &h2);
1229 _cpri__UpdateHash(&h2, oPadKey.b.size, oPadKey.b.buffer);
1230 n->size = (keySizeInBits +7)/8;
1231 pAssert(n->size <= MAX_RSA_KEY_BYTES);
1232 p->size = n->size / 2;
1233 if(e == 0)
1234 e = RSA_DEFAULT_PUBLIC_EXPONENT;
1235 BN_set_word(bnE, e);
1236 // The first test will increment the counter from zero.
1237 for(outer += 1; outer != 0; outer++)
1238 {
1239 if(_plat__IsCanceled())
1240 {
1241 retVal = CRYPT_CANCEL;
1242 goto Cleanup;
1243 }
1244 // Need to fill in the candidate with the hash
1245 fill = digestSize;
1246 pb = p->buffer;
1247 // Reset the inner counter
1248 inner = 0;
1249 for(i = p->size; i > 0; i -= digestSize)
1250 {
1251 inner++;
1252 // Initialize the HMAC with saved state
1253 _cpri__CopyHashState(&h, &h1);
1254 // Hash the inner counter (the one that changes on each HMAC iteration)
1255 UINT32_TO_BYTE_ARRAY(inner, swapped);
1256 _cpri__UpdateHash(&h, 4, swapped);
1257 _cpri__UpdateHash(&h, lLen, (BYTE *)label);
1258 // Is there any party 1 data
1259 if(extra != NULL)
1260 _cpri__UpdateHash(&h, extra->size, extra->buffer);
1261 // Include the outer counter (the one that changes on each prime
1262 // prime candidate generation
1263 UINT32_TO_BYTE_ARRAY(outer, swapped);
1264 _cpri__UpdateHash(&h, 4, swapped);
1265 _cpri__UpdateHash(&h, 2, (BYTE *)&keySizeInBits);
1266 if(i < fill)
1267 fill = i;
1268 _cpri__CompleteHash(&h, fill, pb);
1269 // Restart the oPad hash
1270 _cpri__CopyHashState(&h, &h2);
1271 // Add the last hashed data
1272 _cpri__UpdateHash(&h, fill, pb);
1273 // gives a completed HMAC
1274 _cpri__CompleteHash(&h, fill, pb);
1275 pb += fill;
1276 }
1277 // Set the Most significant 2 bits and the low bit of the candidate
1278 p->buffer[0] |= 0xC0;
1279 p->buffer[p->size - 1] |= 1;
1280 // Convert the candidate to a BN
1281 BN_bin2bn(p->buffer, p->size, bnP);
1282 // If this is the second prime, make sure that it differs from the
1283 // first prime by at least 2^100
1284 if(!BN_is_zero(bnQ))
1285 {
1286 // bnQ is non-zero if we already found it
1287 if(BN_ucmp(bnP, bnQ) < 0)
1288 BN_sub(bnT, bnQ, bnP);
1289 else
1290 BN_sub(bnT, bnP, bnQ);
1291 if(BN_num_bits(bnT) < 100) // Difference has to be at least 100 bits
1292 continue;
1293 }
1294 // Make sure that the prime candidate (p) is not divisible by the exponent
1295 // and that (p-1) is not divisible by the exponent
1296 // Get the remainder after dividing by the modulus
1297 rem = BN_mod_word(bnP, e);
1298 if(rem == 0) // evenly divisible so add two keeping the number odd and
1299 // making sure that 1 != p mod e
1300 BN_add_word(bnP, 2);
1301 else if(rem == 1) // leaves a remainder of 1 so subtract two keeping the
1302 // number odd and making (e-1) = p mod e
1303 BN_sub_word(bnP, 2);
1304 // Have a candidate, check for primality
1305 if((retVal = (CRYPT_RESULT)BN_is_prime_ex(bnP,
1306 BN_prime_checks, NULL, NULL)) < 0)
1307 FAIL(FATAL_ERROR_INTERNAL);
1308 if(retVal != 1)
1309 continue;
1310 // Found a prime, is this the first or second.
1311 if(BN_is_zero(bnQ))
1312 {
1313 // copy p to q and compute another prime in p
1314 BN_copy(bnQ, bnP);
1315 continue;
1316 }
1317 //Form the public modulus
1318 BN_mul(bnN, bnP, bnQ, context);
1319 if(BN_num_bits(bnN) != keySizeInBits)
1320 FAIL(FATAL_ERROR_INTERNAL);
1321 // Save the public modulus
1322 BnTo2B(n, bnN, n->size); // Will pad the buffer to the correct size
1323 pAssert((n->buffer[0] & 0x80) != 0);
1324 // And one prime
1325 BnTo2B(p, bnP, p->size);
1326 pAssert((p->buffer[0] & 0x80) != 0);
1327 // Finish by making sure that we can form the modular inverse of PHI
1328 // with respect to the public exponent
1329 // Compute PHI = (p - 1)(q - 1) = n - p - q + 1
1330 // Make sure that we can form the modular inverse
1331 BN_sub(bnT, bnN, bnP);
1332 BN_sub(bnT, bnT, bnQ);
1333 BN_add_word(bnT, 1);
1334 // find d such that (Phi * d) mod e ==1
1335 // If there isn't then we are broken because we took the step
1336 // of making sure that the prime != 1 mod e so the modular inverse
1337 // must exist
1338 if(BN_mod_inverse(bnT, bnE, bnT, context) == NULL || BN_is_zero(bnT))
1339 FAIL(FATAL_ERROR_INTERNAL);
1340 // And, finally, do a trial encryption decryption
1341 {
1342 TPM2B_TYPE(RSA_KEY, MAX_RSA_KEY_BYTES);
1343 TPM2B_RSA_KEY r;
1344 r.t.size = sizeof(n->size);
1345 // If we are using a seed, then results must be reproducible on each
1346 // call. Otherwise, just get a random number
1347 if(seed == NULL)
1348 _cpri__GenerateRandom(n->size, r.t.buffer);
1349 else
1350 {
1351 // this this version does not have a deterministic RNG, XOR the
1352 // public key and private exponent to get a deterministic value
1353 // for testing.
1354 int i;
1355 // Generate a random-ish number starting with the public modulus
1356 // XORed with the MSO of the seed
1357 for(i = 0; i < n->size; i++)
1358 r.t.buffer[i] = n->buffer[i] ^ seed->buffer[0];
1359 }
1360 // Make sure that the number is smaller than the public modulus
1361 r.t.buffer[0] &= 0x7F;
1362 // Convert
1363 if( BN_bin2bn(r.t.buffer, r.t.size, bnP) == NULL
1364 // Encrypt with the public exponent
1365 || BN_mod_exp(bnQ, bnP, bnE, bnN, context) != 1
1366 // Decrypt with the private exponent
1367 || BN_mod_exp(bnQ, bnQ, bnT, bnN, context) != 1)
1368 FAIL(FATAL_ERROR_INTERNAL);
1369 // If the starting and ending values are not the same, start over )-;
1370 if(BN_ucmp(bnP, bnQ) != 0)
1371 {
1372 BN_zero(bnQ);
1373 continue;
1374 }
1375 }
1376 retVal = CRYPT_SUCCESS;
1377 goto Cleanup;
1378 }
1379 retVal = CRYPT_FAIL;
1380 Cleanup:
1381 // Close out the hash sessions
1382 _cpri__CompleteHash(&h2, 0, NULL);
1383 _cpri__CompleteHash(&h1, 0, NULL);
1384 // Free up allocated BN values
1385 BN_CTX_end(context);
1386 BN_CTX_free(context);
1387 if(counter != NULL)
1388 *counter = outer;
1389 return retVal;
1390 }
1391 #endif // RSA_KEY_SIEVE
1392 #endif // TPM_ALG_RSA
1393