1 /*
2 * Copyright (c) 2001-2022, Arm Limited and Contributors. All rights reserved.
3 *
4 * SPDX-License-Identifier: BSD-3-Clause
5 */
6
7 /************* Include Files ****************/
8 #ifdef CC_IOT
9 #include "mbedtls/build_info.h"
10 #endif
11
12 #if !defined(CC_IOT) || ( defined(CC_IOT) && defined(MBEDTLS_RSA_C))
13
14 #include "cc_pal_mem.h"
15 #include "cc_pal_types.h"
16 #include "cc_rsa_error.h"
17 #include "cc_hash_defs.h"
18 #include "cc_rsa_local.h"
19 #include "cc_rsa_prim.h"
20 #include "cc_fips_defs.h"
21
22 /************************ Defines ****************************/
23
24 /************************ Enums ******************************/
25
26 /************************ Typedefs ***************************/
27
28 /************************ Global Data *************************/
29
30 #ifdef DEBUG_OAEP_SEED
31 #include "CRYS_RSA_PSS21_defines.h"
32 extern uint8_t SaltDB[NUM_OF_SETS_TEST_VECTORS][NUM_OF_TEST_VECTOR_IN_SET][CC_RSA_PSS_SALT_LENGTH];
33 extern uint16_t Global_Set_Index;
34 extern uint16_t Global_vector_Index;
35 #endif
36
37 /************* Private function prototype ****************/
38
39 #if !defined(_INTERNAL_CC_NO_RSA_ENCRYPT_SUPPORT) && !defined(_INTERNAL_CC_NO_RSA_VERIFY_SUPPORT)
40
41 /**********************************************************************************************************/
42
43 /**
44 @brief
45 RSA_SCHEMES_Encrypt implements the RSAES-OAEP algorithm as defined
46 in PKCS#1 v2.1 8.1 and in PKCS#1 v1.5 8.1
47
48 This function combines the RSA encryption primitive and the
49 EME-OAEP encoding method, to provide an RSA-based encryption
50 method that is semantically secure against adaptive
51 chosen-ciphertext attacks. For more details, please refere to
52 the PKCS#1 standard.
53
54 The actual macro that will be used by the user is:
55 CC_RsaOaepEncrypt - for v2.1
56 CC_RsaPkcs1V15Encrypt - for v1.5
57
58 @param[in/out] rndContext_ptr - Pointer to the RND context buffer.
59 @param[in] UserPubKey_ptr - A pointer to the public key data structure of the User.
60 @param[in] PrimeData_ptr - A pointer to a CCRsaPrimeData_t
61 that is used for the Encryption operation
62 @param[in] hashFunc - The hash function to be used.
63 The hash functions supported: SHA1, SHA-256/284/512,
64 MD5 (MD5 - allowed only for PKCS#1 v1.5).
65 @param[in] L - The label input pointer. Relevant for PKCS#1 Ver2.1 only, may be NULL also.
66 For PKCS#1 Ver1.5 it is an empty string (NULL).
67 @param[in] Llen - The label length. Relevant for PKCS#1 Ver2.1 only (see notes above).
68 @param[in] MGF - the mask generation function. PKCS#1 v2.1
69 defines MGF1, so the currently allowed value is CC_PKCS1_MGF1.
70 @param[in] Data_ptr - Pointer to the data to encrypt.
71 @param[in] DataSize - The size, in bytes, of the data to encrypt.
72 \Note: The data size must be:
73 1. for PKCS #1 v.2.1 DataSize <= PrivKey_ptr->N.len - 2*HashLen - 2.
74 2. for PKCS #1 v.1.5 DataSize <= PrivKey_ptr->N.len - 11.
75 @param[out] Output_ptr - Pointer to the encrypted data. The size of the data is always
76 equal to the RSA key (modulus) size, in bytes. Therefore the size
77 of allocated buffer must be at least of this size.
78
79 @return CCError_t - CC_OK, or error
80 */
CC_RsaSchemesEncrypt(CCRndContext_t * rndContext_ptr,CCRsaUserPubKey_t * UserPubKey_ptr,CCRsaPrimeData_t * PrimeData_ptr,CCRsaHashOpMode_t hashFunc,uint8_t * L,size_t Llen,CCPkcs1Mgf_t MGF,uint8_t * DataIn_ptr,size_t DataInSize,uint8_t * Output_ptr,CCPkcs1Version_t PKCS1_ver)81 CEXPORT_C CCError_t CC_RsaSchemesEncrypt(
82 CCRndContext_t *rndContext_ptr,
83 CCRsaUserPubKey_t *UserPubKey_ptr,
84 CCRsaPrimeData_t *PrimeData_ptr,
85 CCRsaHashOpMode_t hashFunc,
86 uint8_t *L,
87 size_t Llen,
88 CCPkcs1Mgf_t MGF,
89 uint8_t *DataIn_ptr,
90 size_t DataInSize,
91 uint8_t *Output_ptr,
92 CCPkcs1Version_t PKCS1_ver)
93 {
94 /* FUNCTION DECLARATIONS */
95
96 /* The return error identifier */
97 CCError_t Error = CC_OK;
98
99 /*The modulus size in Bytes*/
100 uint16_t K;
101 uint8_t HashOutputSize;
102
103 /*In order to save stack memory place -
104 * It is required that the Output_ptr is at least the size of the modulus
105 * It is also required that the RSA computation is done in-place */
106 uint8_t *EB_buff = Output_ptr;
107
108 CCRsaPubKey_t *PubKey_ptr;
109 CCHashOperationMode_t hashOpMode;
110 uint32_t PSSize;
111
112 /* ............... checking the parameters validity ................... */
113 /* -------------------------------------------------------------------- */
114 CHECK_AND_RETURN_ERR_UPON_FIPS_ERROR();
115
116 /* if the users context pointer is NULL return an error */
117 if (UserPubKey_ptr == NULL)
118 return CC_RSA_INVALID_PUB_KEY_STRUCT_POINTER_ERROR;
119
120 /* checking the Prime Data pointer */
121 if (PrimeData_ptr == NULL)
122 return CC_RSA_PRIM_DATA_STRUCT_POINTER_INVALID;
123
124 /* check if the hash operation mode is legal */
125 if (hashFunc >= CC_RSA_HASH_NumOfModes)
126 return CC_RSA_HASH_ILLEGAL_OPERATION_MODE_ERROR;
127
128 /* check if the MGF operation mode is legal */
129 if (MGF >= CC_RSA_NumOfMGFFunctions)
130 return CC_RSA_MGF_ILLEGAL_ARG_ERROR;
131
132 /* check that the PKCS1 version argument is legal*/
133 if (PKCS1_ver >= CC_RSA_NumOf_PKCS1_versions)
134 return CC_RSA_PKCS1_VER_ARG_ERROR;
135
136 /* if the users Data In pointer is illegal return an error */
137 /* note - it is allowed to encrypt a message of size zero ; only on this case a NULL is allowed */
138 if (DataIn_ptr == NULL && DataInSize != 0)
139 return CC_RSA_DATA_POINTER_INVALID_ERROR;
140
141 /*If the output pointer is NULL return Error*/
142 if (Output_ptr == NULL)
143 return CC_RSA_INVALID_OUTPUT_POINTER_ERROR;
144
145 PubKey_ptr = (CCRsaPubKey_t *)UserPubKey_ptr->PublicKeyDbBuff;
146
147 if (UserPubKey_ptr->valid_tag != CC_RSA_PUB_KEY_VALIDATION_TAG)
148 return CC_RSA_PUB_KEY_VALIDATION_TAG_ERROR;
149
150 if (Llen == 0)
151 L = NULL;
152
153 /* .................. initializing local variables ................... */
154 /* ------------------------------------------------------------------- */
155
156 /*Initialize K with the modulus size in Bytes*/
157 K = (uint16_t)CALC_FULL_BYTES(PubKey_ptr->nSizeInBits);
158
159 #ifdef DEBUG
160 /*Initialize the Output_ptr to Zero*/
161 CC_PalMemSetZero(EB_buff, K);
162 #endif
163
164 /*-------------------------------------------------------*
165 * Perform Encoding and Encryption accordimg to PKCS1 *
166 * Versions: VER21 or VER15 *
167 *-------------------------------------------------------*/
168
169 switch (PKCS1_ver) {
170
171 #ifndef _INTERNAL_CC_NO_RSA_SCHEME_15_SUPPORT
172 case CC_PKCS1_VER15:
173 /*-------------------------------------------------------*
174 * Step 1 : Check modulus and data sizes *
175 *-------------------------------------------------------*/
176 /*Check the modulus size is legal*/
177 if (K < 3 + PS_MIN_LEN)
178 return CC_RSA_INVALID_MODULUS_SIZE;
179
180 if (DataInSize + 3 + PS_MIN_LEN > K )
181 return CC_RSA_INVALID_MESSAGE_DATA_SIZE;
182 /* size of PS buffer, it is >= PS_MIN_LEN */
183 PSSize = K - 3 - DataInSize;
184
185 /*-------------------------------------------------------*
186 * Step 2 : Encode the message *
187 *-------------------------------------------------------*/
188
189 EB_buff[0]=0x00; /*set the 00 */
190 EB_buff[1]=0x02; /*Block type for EME-PKCS1-v1_5*/
191
192 /* Generate random non-zero bytes for PS */
193 Error = RsaGenRndNonZeroVect(rndContext_ptr, &EB_buff[2], PSSize);
194 if (Error != CC_OK) {
195 goto End;
196 }
197 /* 0-byte after PS */
198 EB_buff[K-DataInSize-1] = 0x00;
199 /* Copy the message data */
200 if (DataInSize > 0)
201 CC_PalMemCopy(&EB_buff[K-DataInSize], DataIn_ptr, DataInSize);
202
203 break;
204 #endif
205
206 #ifndef _INTERNAL_CC_NO_RSA_SCHEME_21_SUPPORT
207
208 /* get CC Hash parameters */
209 case CC_PKCS1_VER21:
210
211 switch (hashFunc) {
212 case CC_RSA_HASH_MD5_mode : /*MD5 is not reccomended in PKCS1 ver 2.1 standard,
213 hence it is not supported*/
214 return CC_RSA_HASH_ILLEGAL_OPERATION_MODE_ERROR;
215 case CC_RSA_HASH_SHA1_mode:
216 HashOutputSize = CC_HASH_SHA1_DIGEST_SIZE_IN_WORDS*CC_32BIT_WORD_SIZE;
217 hashOpMode = CC_HASH_SHA1_mode;/*changing the hash mode to CC definition*/
218 break;
219 case CC_RSA_HASH_SHA224_mode:
220 HashOutputSize = CC_HASH_SHA224_DIGEST_SIZE_IN_WORDS*CC_32BIT_WORD_SIZE;
221 hashOpMode = CC_HASH_SHA224_mode;/*changing the hash mode to CC definition*/
222 break;
223 case CC_RSA_HASH_SHA256_mode:
224 HashOutputSize = CC_HASH_SHA256_DIGEST_SIZE_IN_WORDS*CC_32BIT_WORD_SIZE;
225 hashOpMode = CC_HASH_SHA256_mode;/*changing the hash mode to CC definition*/
226 break;
227 case CC_RSA_HASH_SHA384_mode:
228 HashOutputSize = CC_HASH_SHA384_DIGEST_SIZE_IN_WORDS*CC_32BIT_WORD_SIZE;
229 hashOpMode = CC_HASH_SHA384_mode;/*changing the hash mode to CC definition*/
230 break;
231 case CC_RSA_HASH_SHA512_mode:
232 HashOutputSize = CC_HASH_SHA512_DIGEST_SIZE_IN_WORDS*CC_32BIT_WORD_SIZE;
233 hashOpMode = CC_HASH_SHA512_mode;/*changing the hash mode to CC definition*/
234 break;
235 default:
236 return CC_RSA_HASH_ILLEGAL_OPERATION_MODE_ERROR;
237 }
238
239 /* if mLen>k-2*hLen-2 output message too long */
240 if ((uint32_t)DataInSize + 2 * HashOutputSize + 2 > K)
241 return CC_RSA_INVALID_MESSAGE_DATA_SIZE;
242
243 /*-------------------------------------------------------*
244 * Step 2 : Apply the EME-OAEP encoding operation to *
245 * the message M and the label L to produce a *
246 * ciphertext of length k octets. *
247 *-------------------------------------------------------*/
248
249 Error=RsaPssOaepEncode(
250 rndContext_ptr, /*! random functions comtext*/
251 hashOpMode, /*! hash operation mode enum */
252 MGF, /*! MGF function mode enum */
253 DataIn_ptr, /*! input data to be encrypted */
254 DataInSize, /*! input data size bytes */
255 L, /*! label */
256 Llen, /*! label length bytes */
257 K, /*! modulus size in bytes */
258 PrimeData_ptr, /*! temp buffer 1 structure for imternal use */
259 EB_buff, /*! temp buffer 2 for imternal use */
260 PKCS1_ver /*! PKCS1 version enum */);
261 if (Error != CC_OK) {
262 goto End;
263 }
264 break;
265 #endif
266 default:
267 return CC_RSA_PKCS1_VER_ARG_ERROR;
268 }
269
270 /*-------------------------------------------*/
271 /* Step 3 : RSA computation */
272 /*-------------------------------------------*/
273
274 Error = CC_RsaPrimEncrypt(UserPubKey_ptr,
275 PrimeData_ptr,
276 EB_buff,
277 K,
278 Output_ptr);
279 End:
280 if (Error != CC_OK) {
281 CC_PalMemSetZero (Output_ptr, K);
282 }
283 /* clear the temp data buffer */
284 CC_PalMemSetZero(PrimeData_ptr, sizeof(CCRsaPrimeData_t));
285
286 return Error;
287
288
289 }/* END OF CC_RsaSchemesEncrypt */
290 #endif /*!defined(_INTERNAL_CC_NO_RSA_ENCRYPT_SUPPORT) && !defined(_INTERNAL_CC_NO_RSA_VERIFY_SUPPORT)*/
291
292 #if !defined(_INTERNAL_CC_NO_RSA_DECRYPT_SUPPORT) && !defined(_INTERNAL_CC_NO_RSA_SIGN_SUPPORT)
293 /**********************************************************************************************************/
294 /**
295 @brief
296 RSA_SCHEMES_Decrypt implements the RSAES-OAEP algorithm as defined
297 in PKCS#1 v2.1 8.1 and in PKCS#1 v1.5
298
299 This function combines the RSA decryption primitive and the
300 EME-OAEP decoding method, to provide an RSA-based decryption
301 method that is semantically secure against adaptive
302 chosen-ciphertext attacks. For more details, please refer to
303 the PKCS#1 standard.
304
305 @param[in] UserPrivKey_ptr - Pointer to the private key data structure.
306 \Note: The representation (pair or quintuple)
307 and hence the algorithm (CRT or not) is determined
308 by the Private Key data structure. Using CC_BuildPrivKey
309 or CC_BuildPrivKeyCRT determines which algorithm will be used.
310
311 @param[in] PrimeData_ptr - Pointer to a CCRsaPrimeData_t which is used for the
312 Encryption operation
313
314 @param[in] hashFunc - The hash function to be used.
315 The hash functions supported: SHA1, SHA-256/284/512,
316 MD5 (MD5 - allowed only for PKCS#1 v1.5).
317
318 @param[in] L - The label input pointer. Relevant for PKCS#1 Ver2.1 only, may be NULL also.
319 For PKCS#1 Ver1.5 it is an empty string (NULL).
320 @param[in] Llen - The label length. Relevant for PKCS#1 Ver2.1 only (see notes above).
321 @param[in] MGF - The mask generation function. PKCS#1 v2.1 defines MGF1,
322 so the only value allowed here is CC_PKCS1_MGF1.
323 @param[in] Data_ptr - Pointer to the data to decrypt.
324 @param[in] DataSize - The size, in bytes, of the data to decrypt.
325 \Note: The size must be = the size of the modulus.
326
327 @param[out] Output_ptr - Pointer to the decrypted data, the size of the buffer in bytes
328 must be not less than the actual size of Encrypted message, if it is known,
329 else the output buffer size must be :
330 1. for PKCS #1 v.2.1 *OutputSize_ptr >= PrivKey_ptr->N.len - 2*HashLen - 2.
331 2. for PKCS #1 v.1.5 *OutputSize_ptr >= PrivKey_ptr->N.len - 11.
332 @param[in/out] OutputSize_ptr - The size of the user passed Output_ptr buffer in bytes [in] and
333 actual size of decrypted message [out].
334 The minimal input size value of *OutputSize_ptr is described above.
335 This value is updated with the actual number of bytes that
336 are loaded to Output_ptr buffer byDecrypt function.
337
338 @return CCError_t - CC_OK or appropriate Error message defined in the RSA module.
339 */
CC_RsaSchemesDecrypt(CCRsaUserPrivKey_t * UserPrivKey_ptr,CCRsaPrimeData_t * PrimeData_ptr,CCRsaHashOpMode_t hashFunc,uint8_t * L,size_t Llen,CCPkcs1Mgf_t MGF,uint8_t * DataIn_ptr,size_t DataInSize,uint8_t * Output_ptr,size_t * OutputSize_ptr,CCPkcs1Version_t PKCS1_ver)340 CEXPORT_C CCError_t CC_RsaSchemesDecrypt(
341 CCRsaUserPrivKey_t *UserPrivKey_ptr,
342 CCRsaPrimeData_t *PrimeData_ptr,
343 CCRsaHashOpMode_t hashFunc,
344 uint8_t *L,
345 size_t Llen,
346 CCPkcs1Mgf_t MGF,
347 uint8_t *DataIn_ptr,
348 size_t DataInSize,
349 uint8_t *Output_ptr,
350 size_t *OutputSize_ptr,
351 CCPkcs1Version_t PKCS1_ver)
352 {
353 /* FUNCTION DECLARATIONS */
354
355 /* The return error identifier */
356 CCError_t Error = CC_OK;
357 uint16_t K; /*The modulus size in Bytes*/
358 uint8_t EB_buff[CC_RSA_MAXIMUM_MOD_BUFFER_SIZE_IN_WORDS*CC_32BIT_WORD_SIZE];
359 uint16_t HashOutputSizeBytes;
360 CCRsaPrivKey_t *PrivKey_ptr;
361 /*The Hash enum sent to the lower level functions*/
362 /*The initialization is to eliminate a warning of uninitialized variable*/
363 CCHashOperationMode_t hashOpMode = CC_HASH_NumOfModes;
364
365 int32_t PSSize, i;
366
367
368 /* FUNCTION LOGIC */
369
370 /* .................. initializing local variables ................... */
371 /* ------------------------------------------------------------------- */
372
373 CHECK_AND_RETURN_ERR_UPON_FIPS_ERROR();
374 /* initialize the HASH mode as SHA1 - default */
375 hashOpMode = CC_HASH_SHA1_mode;
376
377 /* ............... checking the parameters validity ................... */
378 /* -------------------------------------------------------------------- */
379
380 /* if the users context pointer is NULL return an error */
381 if (UserPrivKey_ptr == NULL)
382 return CC_RSA_INVALID_PRIV_KEY_STRUCT_POINTER_ERROR;
383
384 if (PrimeData_ptr == NULL)
385 return CC_RSA_PRIM_DATA_STRUCT_POINTER_INVALID;
386
387 /* check if the hash operation mode is legal */
388 if (hashFunc >= CC_RSA_HASH_NumOfModes)
389 return CC_RSA_HASH_ILLEGAL_OPERATION_MODE_ERROR;
390
391 /* check if the MGF operation mode is legal */
392 if (MGF >= CC_RSA_NumOfMGFFunctions)
393 return CC_RSA_MGF_ILLEGAL_ARG_ERROR;
394
395 /* check that the PKCS1 version argument is legal*/
396 if (PKCS1_ver >= CC_RSA_NumOf_PKCS1_versions)
397 return CC_RSA_PKCS1_VER_ARG_ERROR;
398
399 /* if the users Data In pointer is illegal return an error */
400 if (DataIn_ptr == NULL)
401 return CC_RSA_DATA_POINTER_INVALID_ERROR;
402
403 /* if the data size is zero or larger then 2^29 (to prevent an overflow on the transition to bits )
404 return error */
405 if (DataInSize == 0)
406 return CC_RSA_INVALID_MESSAGE_DATA_SIZE;
407
408 /*If the output pointer is NULL return Error*/
409 if (Output_ptr == NULL)
410 return CC_RSA_INVALID_OUTPUT_POINTER_ERROR;
411
412 /*If the output size pointer is NULL return error*/
413 if (OutputSize_ptr ==NULL)
414 return CC_RSA_DECRYPT_OUTPUT_SIZE_POINTER_ERROR;
415
416 PrivKey_ptr = (CCRsaPrivKey_t *)UserPrivKey_ptr->PrivateKeyDbBuff;
417 if (UserPrivKey_ptr->valid_tag != CC_RSA_PRIV_KEY_VALIDATION_TAG)
418 return CC_RSA_PRIV_KEY_VALIDATION_TAG_ERROR;
419
420 if (Llen == 0)
421 L = NULL;
422
423 /* .................. initializing local variables ................... */
424 /* ------------------------------------------------------------------- */
425
426 /*Initialize K with the modulus size in Bytes*/
427 K = (uint16_t)(CALC_FULL_BYTES(PrivKey_ptr->nSizeInBits));
428
429 /*Length Checking - both for Ver 1.5 and 2.1*/
430 if (DataInSize != K)
431 return CC_RSA_INVALID_MESSAGE_DATA_SIZE;
432
433 /*-------------------------------------------------*/
434 switch (PKCS1_ver) {
435
436 #ifndef _INTERNAL_CC_NO_RSA_SCHEME_15_SUPPORT
437 case CC_PKCS1_VER15:
438 /*Check the modulus size is legal*/
439 if (K < 11)
440 return CC_RSA_INVALID_MODULUS_SIZE;
441 break;
442 #endif
443
444 #ifndef _INTERNAL_CC_NO_RSA_SCHEME_21_SUPPORT
445 case CC_PKCS1_VER21:
446
447 switch (hashFunc) {
448 case CC_RSA_HASH_MD5_mode :
449 /*MD5 is not recommended in PKCS1 ver 2.1 standard, hence it is not supported*/
450 return CC_RSA_HASH_ILLEGAL_OPERATION_MODE_ERROR;
451 case CC_RSA_HASH_SHA1_mode:
452 hashOpMode = CC_HASH_SHA1_mode;/*changing the hash mode to CC definition*/
453 HashOutputSizeBytes = CC_HASH_SHA1_DIGEST_SIZE_IN_BYTES;
454 break;
455 case CC_RSA_HASH_SHA224_mode:
456 hashOpMode = CC_HASH_SHA224_mode;
457 HashOutputSizeBytes = CC_HASH_SHA224_DIGEST_SIZE_IN_BYTES;
458 break;
459 case CC_RSA_HASH_SHA256_mode:
460 hashOpMode = CC_HASH_SHA256_mode;
461 HashOutputSizeBytes = CC_HASH_SHA256_DIGEST_SIZE_IN_BYTES;
462 break;
463 case CC_RSA_HASH_SHA384_mode:
464 hashOpMode = CC_HASH_SHA384_mode;
465 HashOutputSizeBytes = CC_HASH_SHA384_DIGEST_SIZE_IN_BYTES;
466 break;
467 case CC_RSA_HASH_SHA512_mode:
468 hashOpMode = CC_HASH_SHA512_mode;
469 HashOutputSizeBytes = CC_HASH_SHA512_DIGEST_SIZE_IN_BYTES;
470 break;
471 default:
472 return CC_RSA_HASH_ILLEGAL_OPERATION_MODE_ERROR;
473 }
474
475 /*Checking that the modulus have enough large */
476 if (K < 2*HashOutputSizeBytes + 2)
477 return CC_RSA_INVALID_MODULUS_SIZE;
478 break;
479 #endif
480 default:
481 return CC_RSA_PKCS1_VER_ARG_ERROR;
482
483 }/* end of switch(PKCS1_ver) */
484
485
486 /*-------------------------------------------*/
487 /* Step 2 <b> : RSA computation */
488 /*-------------------------------------------*/
489 Error = CC_RsaPrimDecrypt(UserPrivKey_ptr,
490 PrimeData_ptr,
491 DataIn_ptr,
492 DataInSize,
493 EB_buff);
494 if (Error != CC_OK) {
495 goto End;
496 }
497
498 /*----------------------------------------------*
499 * Step 3 : EME-OAEP Decoding *
500 *----------------------------------------------*/
501
502 /* for all modes */
503 if (EB_buff[0] != 0x00) {
504 Error = CC_RSA_ERROR_IN_DECRYPTED_BLOCK_PARSING;
505 goto End;
506 }
507
508 /*------------------------------------------------*
509 * Perform decoding operation according to the *
510 * encoded message EM choosen PKCS1 version *
511 *------------------------------------------------*/
512
513 switch (PKCS1_ver) {
514
515 #ifndef _INTERNAL_CC_NO_RSA_SCHEME_15_SUPPORT
516 case CC_PKCS1_VER15:
517
518 /*------------------------------------------------*
519 * Check parameters of decrypted buffer, *
520 * EM= 0x00||0x02||PS||0x00||M *
521 * If EM[0] != 0 or EM[1] != 2 or no 0-byte *
522 * after PS or PS length < 8, then output "error" *
523 * and stop. Output the message M. *
524 *------------------------------------------------*/
525
526 if (EB_buff[1] != 0x02/*Block type for EME-PKCS1-v1_5*/) {
527 Error = CC_RSA_ERROR_IN_DECRYPTED_BLOCK_PARSING;
528 goto End;
529 }
530
531 /* find next 0-byte after PS */
532 for (i = 2; i < K; i++) {
533 if (EB_buff[i] == 0x00)
534 break;
535 }
536 /* if byte 0 not present */
537 if (i == K) {
538 Error = CC_RSA_ERROR_IN_DECRYPTED_BLOCK_PARSING;
539 goto End;
540 }
541
542 /* check PS size >= 8 */
543 PSSize = i - 2;
544 if (PSSize < PS_MIN_LEN) {
545 Error = CC_RSA_ERROR_IN_DECRYPTED_BLOCK_PARSING;
546 goto End;
547 }
548
549 if (PSSize + 3 > K) {
550 Error = CC_RSA_ERROR_IN_DECRYPTED_BLOCK_PARSING;
551 goto End;
552 }
553
554 /* check size of output buffer */
555 /* according to the previous check K - 3 > PSSize => it must be positive and therefor can be casted to unsigned */
556 if (*OutputSize_ptr < (uint32_t)(K - 3 - PSSize)) {
557 Error = CC_RSA_15_ERROR_IN_DECRYPTED_DATA_SIZE;
558 goto End;
559 } else {
560 *OutputSize_ptr = K - 3 - PSSize; /* output actual size of decrypted message*/
561 }
562
563 /* copy the message into output buffer */
564 CC_PalMemCopy(Output_ptr, &EB_buff[3 + PSSize], *OutputSize_ptr);
565
566 break;
567 #endif
568
569 #ifndef _INTERNAL_CC_NO_RSA_SCHEME_21_SUPPORT
570 case CC_PKCS1_VER21:
571
572 /*------------------------------------------------*
573 * Apply the EME-OAEP decoding operation to the *
574 * encoded message EM and the parameter *
575 * L to recover a message M: *
576 * M = EME-OAEP-DECODE (EM, L) *
577 * If the decoding operation outputs *
578 * "decoding error," then output *
579 * "decryption error" and stop. *
580 *------------------------------------------------*/
581 Error=RsaPssOaepDecode(
582 hashOpMode,
583 MGF,
584 &EB_buff[1],
585 (uint16_t)(K-1),
586 L,
587 Llen,
588 PrimeData_ptr,
589 Output_ptr,
590 OutputSize_ptr);
591 break;
592 #endif
593 default:
594 Error = CC_RSA_PKCS1_VER_ARG_ERROR;
595
596 }
597 End:
598 if (Error != CC_OK) {
599 CC_PalMemSetZero (Output_ptr ,*OutputSize_ptr);
600 *OutputSize_ptr = 0;
601 }
602 /* clear the temp data buffer */
603 CC_PalMemSetZero(PrimeData_ptr, sizeof(CCRsaPrimeData_t));
604
605 return Error;
606
607 }/* END OF CC_RsaSchemesDecrypt */
608
609
610 #endif /*!defined(_INTERNAL_CC_NO_RSA_ENCRYPT_SUPPORT) && !defined(_INTERNAL_CC_NO_RSA_VERIFY_SUPPORT)*/
611 #endif /*!defined(CC_IOT) || ( defined(CC_IOT) && defined(MBEDTLS_RSA_C)) */
612
613
614
