mirrors
/
wolfssl
mirror of https://github.com/wolfSSL/wolfssl
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1572 from dgarske/cryptodev 

Added crypto device framework
This commit is contained in:
toddouska 2018-05-31 10:28:58 -07:00 committed by GitHub
parent bca29395a3 33d416a060
commit c43a84547a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
15 changed files with 669 additions and 62 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
configure.ac
View File

@ -3885,6 +3885,20 @@ else
fi
# Support for crypto device hardware
AC_ARG_ENABLE([cryptodev],
[AS_HELP_STRING([--enable-cryptodev],[Enable crypto hardware support (default: disabled)])],
[ ENABLED_CRYPTODEV=$enableval ],
[ ENABLED_CRYPTODEV=no ]
)
if test "$ENABLED_CRYPTODEV" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLF_CRYPTO_DEV"
fi
AM_CONDITIONAL([BUILD_CRYPTODEV], [test "x$ENABLED_CRYPTODEV" = "xyes"])
# Session Export
AC_ARG_ENABLE([sessionexport],
[AS_HELP_STRING([--enable-sessionexport],[Enable export and import of sessions (default: disabled)])],

3
tests/api.c
View File

@ -14732,6 +14732,9 @@ static void test_wc_PKCS7_EncodeDecodeEnvelopedData (void)
}; /* END pkcs7EnvelopedVector */
printf(testingFmt, "wc_PKCS7_EncodeEnvelopedData()");
AssertIntEQ(wc_PKCS7_Init(&pkcs7, HEAP_HINT, devId), 0);
testSz = (int)sizeof(testVectors)/(int)sizeof(pkcs7EnvelopedVector);
for (i = 0; i < testSz; i++) {
AssertIntEQ(wc_PKCS7_InitWithCert(&pkcs7, (testVectors + i)->cert,

207
wolfcrypt/src/cryptodev.c Normal file
View File

@ -0,0 +1,207 @@
/* cryptodev.c
*
* Copyright (C) 2006-2018 wolfSSL Inc.
*
* This file is part of wolfSSL.
*
* wolfSSL is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* wolfSSL is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
/* This framework provides a central place for crypto hardware integration
using the devId scheme. If not supported return `NOT_COMPILED_IN`. */
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
#include <wolfssl/wolfcrypt/settings.h>
#ifdef WOLF_CRYPTO_DEV
#include <wolfssl/wolfcrypt/cryptodev.h>
#include <wolfssl/wolfcrypt/error-crypt.h>
#include <wolfssl/wolfcrypt/logging.h>
/* TODO: Consider linked list with mutex */
#ifndef MAX_CRYPTO_DEVICES
#define MAX_CRYPTO_DEVICES 8
#endif
typedef struct CryptoDev {
int devId;
CryptoDevCallbackFunc cb;
void* ctx;
} CryptoDev;
static CryptoDev gCryptoDev[MAX_CRYPTO_DEVICES];
static CryptoDev* wc_CryptoDev_FindDevice(int devId)
{
int i;
for (i=0; i<MAX_CRYPTO_DEVICES; i++) {
if (gCryptoDev[i].devId == devId)
return &gCryptoDev[i];
}
return NULL;
}
void wc_CryptoDev_Init(void)
{
int i;
for (i=0; i<MAX_CRYPTO_DEVICES; i++)
gCryptoDev[i].devId = INVALID_DEVID;
}
int wc_CryptoDev_RegisterDevice(int devId, CryptoDevCallbackFunc cb, void* ctx)
{
/* find existing or new */
CryptoDev* dev = wc_CryptoDev_FindDevice(devId);
if (dev == NULL)
dev = wc_CryptoDev_FindDevice(INVALID_DEVID);
if (dev == NULL)
return BUFFER_E; /* out of devices */
dev->devId = devId;
dev->cb = cb;
dev->ctx = ctx;
return 0;
}
void wc_CryptoDev_UnRegisterDevice(int devId)
{
CryptoDev* dev = wc_CryptoDev_FindDevice(devId);
if (dev) {
XMEMSET(dev, 0, sizeof(*dev));
dev->devId = INVALID_DEVID;
}
}
#ifndef NO_RSA
int wc_CryptoDev_Rsa(const byte* in, word32 inLen, byte* out,
word32* outLen, int type, RsaKey* key, WC_RNG* rng)
{
int ret = NOT_COMPILED_IN;
CryptoDev* dev;
/* locate registered callback */
dev = wc_CryptoDev_FindDevice(key->devId);
if (dev) {
if (dev->cb) {
wc_CryptoInfo cryptoInfo;
XMEMSET(&cryptoInfo, 0, sizeof(cryptoInfo));
cryptoInfo.algo_type = WC_ALGO_TYPE_PK;
cryptoInfo.pk.type = WC_PK_TYPE_RSA;
cryptoInfo.pk.rsa.in = in;
cryptoInfo.pk.rsa.inLen = inLen;
cryptoInfo.pk.rsa.out = out;
cryptoInfo.pk.rsa.outLen = outLen;
cryptoInfo.pk.rsa.type = type;
cryptoInfo.pk.rsa.key = key;
cryptoInfo.pk.rsa.rng = rng;
ret = dev->cb(key->devId, &cryptoInfo, dev->ctx);
}
}
return ret;
}
#endif /* !NO_RSA */
#ifdef HAVE_ECC
int wc_CryptoDev_Ecdh(ecc_key* private_key, ecc_key* public_key,
byte* out, word32* outlen)
{
int ret = NOT_COMPILED_IN;
CryptoDev* dev;
/* locate registered callback */
dev = wc_CryptoDev_FindDevice(private_key->devId);
if (dev) {
if (dev->cb) {
wc_CryptoInfo cryptoInfo;
XMEMSET(&cryptoInfo, 0, sizeof(cryptoInfo));
cryptoInfo.algo_type = WC_ALGO_TYPE_PK;
cryptoInfo.pk.type = WC_PK_TYPE_ECDH;
cryptoInfo.pk.ecdh.private_key = private_key;
cryptoInfo.pk.ecdh.public_key = public_key;
cryptoInfo.pk.ecdh.out = out;
cryptoInfo.pk.ecdh.outlen = outlen;
ret = dev->cb(private_key->devId, &cryptoInfo, dev->ctx);
}
}
return ret;
}
int wc_CryptoDev_EccSign(const byte* in, word32 inlen, byte* out,
word32 *outlen, WC_RNG* rng, ecc_key* key)
{
int ret = NOT_COMPILED_IN;
CryptoDev* dev;
/* locate registered callback */
dev = wc_CryptoDev_FindDevice(key->devId);
if (dev) {
if (dev->cb) {
wc_CryptoInfo cryptoInfo;
XMEMSET(&cryptoInfo, 0, sizeof(cryptoInfo));
cryptoInfo.algo_type = WC_ALGO_TYPE_PK;
cryptoInfo.pk.type = WC_PK_TYPE_ECDSA_SIGN;
cryptoInfo.pk.eccsign.in = in;
cryptoInfo.pk.eccsign.inlen = inlen;
cryptoInfo.pk.eccsign.out = out;
cryptoInfo.pk.eccsign.outlen = outlen;
cryptoInfo.pk.eccsign.rng = rng;
cryptoInfo.pk.eccsign.key = key;
ret = dev->cb(key->devId, &cryptoInfo, dev->ctx);
}
}
return ret;
}
int wc_CryptoDev_EccVerify(const byte* sig, word32 siglen,
const byte* hash, word32 hashlen, int* res, ecc_key* key)
{
int ret = NOT_COMPILED_IN;
CryptoDev* dev;
/* locate registered callback */
dev = wc_CryptoDev_FindDevice(key->devId);
if (dev) {
if (dev->cb) {
wc_CryptoInfo cryptoInfo;
XMEMSET(&cryptoInfo, 0, sizeof(cryptoInfo));
cryptoInfo.algo_type = WC_ALGO_TYPE_PK;
cryptoInfo.pk.type = WC_PK_TYPE_ECDSA_VERIFY;
cryptoInfo.pk.eccverify.sig = sig;
cryptoInfo.pk.eccverify.siglen = siglen;
cryptoInfo.pk.eccverify.hash = hash;
cryptoInfo.pk.eccverify.hashlen = hashlen;
cryptoInfo.pk.eccverify.res = res;
cryptoInfo.pk.eccverify.key = key;
ret = dev->cb(key->devId, &cryptoInfo, dev->ctx);
}
}
return ret;
}
#endif /* HAVE_ECC */
#endif /* WOLF_CRYPTO_DEV */

34
wolfcrypt/src/ecc.c
View File

@ -122,6 +122,10 @@ ECC Curve Sizes:
#include <wolfssl/wolfcrypt/hash.h>
#endif
#ifdef WOLF_CRYPTO_DEV
#include <wolfssl/wolfcrypt/cryptodev.h>
#endif
#ifdef NO_INLINE
#include <wolfssl/wolfcrypt/misc.h>
#else
@ -2793,6 +2797,14 @@ int wc_ecc_shared_secret(ecc_key* private_key, ecc_key* public_key, byte* out,
return BAD_FUNC_ARG;
}
#ifdef WOLF_CRYPTO_DEV
if (private_key->devId != INVALID_DEVID) {
err = wc_CryptoDev_Ecdh(private_key, public_key, out, outlen);
if (err != NOT_COMPILED_IN)
return err;
}
#endif
/* type valid? */
if (private_key->type != ECC_PRIVATEKEY &&
private_key->type != ECC_PRIVATEKEY_ONLY) {
@ -3495,8 +3507,10 @@ int wc_ecc_init_ex(ecc_key* key, void* heap, int devId)
XMEMSET(key, 0, sizeof(ecc_key));
key->state = ECC_STATE_NONE;
#ifdef PLUTON_CRYPTO_ECC
#if defined(PLUTON_CRYPTO_ECC) || defined(WOLF_CRYPTO_DEV)
key->devId = devId;
#else
(void)devId;
#endif
#ifdef WOLFSSL_ATECC508A
@ -3532,8 +3546,6 @@ int wc_ecc_init_ex(ecc_key* key, void* heap, int devId)
/* handle as async */
ret = wolfAsync_DevCtxInit(&key->asyncDev, WOLFSSL_ASYNC_MARKER_ECC,
key->heap, devId);
#else
(void)devId;
#endif
return ret;
@ -3641,6 +3653,14 @@ int wc_ecc_sign_hash(const byte* in, word32 inlen, byte* out, word32 *outlen,
return ECC_BAD_ARG_E;
}
#ifdef WOLF_CRYPTO_DEV
if (key->devId != INVALID_DEVID) {
err = wc_CryptoDev_EccSign(in, inlen, out, outlen, rng, key);
if (err != NOT_COMPILED_IN)
return err;
}
#endif
#ifdef WOLFSSL_ASYNC_CRYPT
err = wc_ecc_alloc_async(key);
if (err != 0)
@ -4291,6 +4311,14 @@ int wc_ecc_verify_hash(const byte* sig, word32 siglen, const byte* hash,
return ECC_BAD_ARG_E;
}
#ifdef WOLF_CRYPTO_DEV
if (key->devId != INVALID_DEVID) {
err = wc_CryptoDev_EccVerify(sig, siglen, hash, hashlen, res, key);
if (err != NOT_COMPILED_IN)
return err;
}
#endif
#ifdef WOLFSSL_ASYNC_CRYPT
err = wc_ecc_alloc_async(key);
if (err != 0)

4
wolfcrypt/src/include.am
View File

@ -63,6 +63,10 @@ EXTRA_DIST += wolfcrypt/src/port/ti/ti-aes.c \
wolfcrypt/src/port/caam/caam_doc.pdf \
wolfcrypt/src/port/st/stm32.c
if BUILD_CRYPTODEV
src_libwolfssl_la_SOURCES += wolfcrypt/src/cryptodev.c
endif
if BUILD_CAVIUM
src_libwolfssl_la_SOURCES += wolfcrypt/src/port/cavium/cavium_nitrox.c

123
wolfcrypt/src/pkcs7.c
View File

@ -247,8 +247,8 @@ int wc_PKCS7_Init(PKCS7* pkcs7, void* heap, int devId)
XMEMSET(pkcs7, 0, sizeof(PKCS7));
pkcs7->heap = heap;
pkcs7->devId = devId;
(void)devId; /* silence unused warning */
return 0;
}
@ -259,7 +259,7 @@ int wc_PKCS7_InitWithCert(PKCS7* pkcs7, byte* cert, word32 certSz)
{
int ret = 0;
void* heap;
int devId;
if (pkcs7 == NULL || (cert == NULL && certSz != 0)) {
return BAD_FUNC_ARG;
@ -270,9 +270,11 @@ int wc_PKCS7_InitWithCert(PKCS7* pkcs7, byte* cert, word32 certSz)
#else
heap = pkcs7->heap;
#endif
devId = pkcs7->devId;
XMEMSET(pkcs7, 0, sizeof(PKCS7));
pkcs7->heap = heap;
pkcs7->devId = devId;
if (cert != NULL && certSz > 0) {
#ifdef WOLFSSL_SMALL_STACK
@ -590,9 +592,9 @@ static int wc_PKCS7_RsaSign(PKCS7* pkcs7, byte* in, word32 inSz, ESD* esd)
RsaKey* privKey = &stack_privKey;
#endif
if (pkcs7 == NULL || pkcs7->privateKey == NULL || pkcs7->rng == NULL ||
in == NULL || esd == NULL)
if (pkcs7 == NULL || pkcs7->rng == NULL || in == NULL || esd == NULL) {
return BAD_FUNC_ARG;
}
#ifdef WOLFSSL_SMALL_STACK
privKey = (RsaKey*)XMALLOC(sizeof(RsaKey), NULL, DYNAMIC_TYPE_TMP_BUFFER);
@ -600,14 +602,17 @@ static int wc_PKCS7_RsaSign(PKCS7* pkcs7, byte* in, word32 inSz, ESD* esd)
return MEMORY_E;
#endif
ret = wc_InitRsaKey(privKey, pkcs7->heap);
ret = wc_InitRsaKey_ex(privKey, pkcs7->heap, pkcs7->devId);
if (ret == 0) {
idx = 0;
ret = wc_RsaPrivateKeyDecode(pkcs7->privateKey, &idx, privKey,
pkcs7->privateKeySz);
if (pkcs7->privateKey != NULL && pkcs7->privateKeySz > 0) {
idx = 0;
ret = wc_RsaPrivateKeyDecode(pkcs7->privateKey, &idx, privKey,
pkcs7->privateKeySz);
}
else if (pkcs7->devId == INVALID_DEVID) {
ret = BAD_FUNC_ARG;
}
}
if (ret == 0) {
ret = wc_RsaSSL_Sign(in, inSz, esd->encContentDigest,
sizeof(esd->encContentDigest),
@ -639,9 +644,9 @@ static int wc_PKCS7_EcdsaSign(PKCS7* pkcs7, byte* in, word32 inSz, ESD* esd)
ecc_key* privKey = &stack_privKey;
#endif
if (pkcs7 == NULL || pkcs7->privateKey == NULL || pkcs7->rng == NULL ||
in == NULL || esd == NULL)
if (pkcs7 == NULL || pkcs7->rng == NULL || in == NULL || esd == NULL) {
return BAD_FUNC_ARG;
}
#ifdef WOLFSSL_SMALL_STACK
privKey = (ecc_key*)XMALLOC(sizeof(ecc_key), NULL, DYNAMIC_TYPE_TMP_BUFFER);
@ -649,14 +654,17 @@ static int wc_PKCS7_EcdsaSign(PKCS7* pkcs7, byte* in, word32 inSz, ESD* esd)
return MEMORY_E;
#endif
ret = wc_ecc_init_ex(privKey, pkcs7->heap, INVALID_DEVID);
ret = wc_ecc_init_ex(privKey, pkcs7->heap, pkcs7->devId);
if (ret == 0) {
idx = 0;
ret = wc_EccPrivateKeyDecode(pkcs7->privateKey, &idx, privKey,
pkcs7->privateKeySz);
if (pkcs7->privateKey != NULL && pkcs7->privateKeySz > 0) {
idx = 0;
ret = wc_EccPrivateKeyDecode(pkcs7->privateKey, &idx, privKey,
pkcs7->privateKeySz);
}
else if (pkcs7->devId == INVALID_DEVID) {
ret = BAD_FUNC_ARG;
}
}
if (ret == 0) {
outSz = sizeof(esd->encContentDigest);
ret = wc_ecc_sign_hash(in, inSz, esd->encContentDigest,
@ -1033,9 +1041,9 @@ int wc_PKCS7_EncodeSignedData(PKCS7* pkcs7, byte* output, word32 outputSz)
if (pkcs7 == NULL || pkcs7->content == NULL || pkcs7->contentSz == 0 ||
pkcs7->encryptOID == 0 || pkcs7->hashOID == 0 || pkcs7->rng == 0 ||
pkcs7->singleCert == NULL || pkcs7->singleCertSz == 0 ||
pkcs7->privateKey == NULL || pkcs7->privateKeySz == 0 ||
output == NULL || outputSz == 0)
output == NULL || outputSz == 0) {
return BAD_FUNC_ARG;
}
#ifdef WOLFSSL_SMALL_STACK
esd = (ESD*)XMALLOC(sizeof(ESD), NULL, DYNAMIC_TYPE_TMP_BUFFER);
@ -1309,7 +1317,7 @@ static int wc_PKCS7_RsaVerify(PKCS7* pkcs7, byte* sig, int sigSz,
XMEMSET(digest, 0, MAX_PKCS7_DIGEST_SZ);
ret = wc_InitRsaKey(key, pkcs7->heap);
ret = wc_InitRsaKey_ex(key, pkcs7->heap, pkcs7->devId);
if (ret != 0) {
#ifdef WOLFSSL_SMALL_STACK
XFREE(digest, NULL, DYNAMIC_TYPE_TMP_BUFFER);
@ -1384,7 +1392,7 @@ static int wc_PKCS7_EcdsaVerify(PKCS7* pkcs7, byte* sig, int sigSz,
XMEMSET(digest, 0, MAX_PKCS7_DIGEST_SZ);
ret = wc_ecc_init_ex(key, pkcs7->heap, INVALID_DEVID);
ret = wc_ecc_init_ex(key, pkcs7->heap, pkcs7->devId);
if (ret != 0) {
#ifdef WOLFSSL_SMALL_STACK
XFREE(digest, NULL, DYNAMIC_TYPE_TMP_BUFFER);
@ -2124,6 +2132,7 @@ int wc_PKCS7_VerifySignedData(PKCS7* pkcs7, byte* pkiMsg, word32 pkiMsgSz)
typedef struct WC_PKCS7_KARI {
DecodedCert* decoded; /* decoded recip cert */
void* heap; /* user heap, points to PKCS7->heap */
int devId; /* device ID for HW based private key */
ecc_key* recipKey; /* recip key (pub | priv) */
ecc_key* senderKey; /* sender key (pub | priv) */
byte* senderKeyExport; /* sender ephemeral key DER */
@ -2136,6 +2145,9 @@ typedef struct WC_PKCS7_KARI {
word32 sharedInfoSz; /* size of ECC-CMS-SharedInfo encoded */
byte ukmOwner; /* do we own ukm buffer? 1:yes, 0:no */
byte direction; /* WC_PKCS7_ENCODE | WC_PKCS7_DECODE */
byte decodedInit : 1; /* indicates decoded was initialized */
byte recipKeyInit : 1; /* indicates recipKey was initialized */
byte senderKeyInit : 1; /* indicates senderKey was initialized */
} WC_PKCS7_KARI;
@ -2247,8 +2259,12 @@ static WC_PKCS7_KARI* wc_PKCS7_KariNew(PKCS7* pkcs7, byte direction)
kari->sharedInfo = NULL;
kari->sharedInfoSz = 0;
kari->direction = direction;
kari->decodedInit = 0;
kari->recipKeyInit = 0;
kari->senderKeyInit = 0;
kari->heap = pkcs7->heap;
kari->devId = pkcs7->devId;
return kari;
}
@ -2263,15 +2279,18 @@ static int wc_PKCS7_KariFree(WC_PKCS7_KARI* kari)
heap = kari->heap;
if (kari->decoded) {
FreeDecodedCert(kari->decoded);
if (kari->decodedInit)
FreeDecodedCert(kari->decoded);
XFREE(kari->decoded, heap, DYNAMIC_TYPE_PKCS7);
}
if (kari->senderKey) {
wc_ecc_free(kari->senderKey);
if (kari->senderKeyInit)
wc_ecc_free(kari->senderKey);
XFREE(kari->senderKey, heap, DYNAMIC_TYPE_PKCS7);
}
if (kari->recipKey) {
wc_ecc_free(kari->recipKey);
if (kari->recipKeyInit)
wc_ecc_free(kari->recipKey);
XFREE(kari->recipKey, heap, DYNAMIC_TYPE_PKCS7);
}
if (kari->senderKeyExport) {
@ -2317,12 +2336,9 @@ static int wc_PKCS7_KariParseRecipCert(WC_PKCS7_KARI* kari, const byte* cert,
cert == NULL || certSz == 0)
return BAD_FUNC_ARG;
if (kari->direction == WC_PKCS7_DECODE &&
(key == NULL || keySz == 0))
return BAD_FUNC_ARG;
/* decode certificate */
InitDecodedCert(kari->decoded, (byte*)cert, certSz, kari->heap);
kari->decodedInit = 1;
ret = ParseCert(kari->decoded, CA_TYPE, NO_VERIFY, 0);
if (ret < 0)
return ret;
@ -2333,10 +2349,12 @@ static int wc_PKCS7_KariParseRecipCert(WC_PKCS7_KARI* kari, const byte* cert,
return BAD_FUNC_ARG;
}
ret = wc_ecc_init_ex(kari->recipKey, kari->heap, INVALID_DEVID);
ret = wc_ecc_init_ex(kari->recipKey, kari->heap, kari->devId);
if (ret != 0)
return ret;
kari->recipKeyInit = 1;
/* get recip public key */
if (kari->direction == WC_PKCS7_ENCODE) {
@ -2348,9 +2366,13 @@ static int wc_PKCS7_KariParseRecipCert(WC_PKCS7_KARI* kari, const byte* cert,
}
/* get recip private key */
else if (kari->direction == WC_PKCS7_DECODE) {
idx = 0;
ret = wc_EccPrivateKeyDecode(key, &idx, kari->recipKey, keySz);
if (key != NULL && keySz > 0) {
idx = 0;
ret = wc_EccPrivateKeyDecode(key, &idx, kari->recipKey, keySz);
}
else if (kari->devId == INVALID_DEVID) {
ret = BAD_FUNC_ARG;
}
if (ret != 0)
return ret;
@ -2384,10 +2406,12 @@ static int wc_PKCS7_KariGenerateEphemeralKey(WC_PKCS7_KARI* kari, WC_RNG* rng)
kari->senderKeyExportSz = kari->decoded->pubKeySize;
ret = wc_ecc_init_ex(kari->senderKey, kari->heap, INVALID_DEVID);
ret = wc_ecc_init_ex(kari->senderKey, kari->heap, kari->devId);
if (ret != 0)
return ret;
kari->senderKeyInit = 1;
ret = wc_ecc_make_key_ex(rng, kari->recipKey->dp->size,
kari->senderKey, kari->recipKey->dp->id);
if (ret != 0)
@ -2986,7 +3010,7 @@ static int wc_CreateRecipientInfo(const byte* cert, word32 certSz,
#endif
/* EncryptedKey */
ret = wc_InitRsaKey(pubKey, 0);
ret = wc_InitRsaKey_ex(pubKey, heap, INVALID_DEVID);
if (ret != 0) {
FreeDecodedCert(decoded);
#ifdef WOLFSSL_SMALL_STACK
@ -3250,7 +3274,7 @@ static int wc_PKCS7_GenerateIV(PKCS7* pkcs7, WC_RNG* rng, byte* iv, word32 ivSz)
if (rnd == NULL)
return MEMORY_E;
ret = wc_InitRng_ex(rnd, pkcs7->heap, INVALID_DEVID);
ret = wc_InitRng_ex(rnd, pkcs7->heap, pkcs7->devId);
if (ret != 0) {
XFREE(rnd, pkcs7->heap, DYNAMIC_TYPE_RNG);
return ret;
@ -3384,7 +3408,7 @@ int wc_PKCS7_EncodeEnvelopedData(PKCS7* pkcs7, byte* output, word32 outputSz)
}
/* generate random content encryption key */
ret = wc_InitRng_ex(&rng, pkcs7->heap, INVALID_DEVID);
ret = wc_InitRng_ex(&rng, pkcs7->heap, pkcs7->devId);
if (ret != 0)
return ret;
@ -3712,7 +3736,7 @@ static int wc_PKCS7_DecodeKtri(PKCS7* pkcs7, byte* pkiMsg, word32 pkiMsgSz,
}
#endif
ret = wc_InitRsaKey(privKey, 0);
ret = wc_InitRsaKey_ex(privKey, NULL, INVALID_DEVID);
if (ret != 0) {
#ifdef WOLFSSL_SMALL_STACK
XFREE(encryptedKey, NULL, DYNAMIC_TYPE_TMP_BUFFER);
@ -3721,9 +3745,14 @@ static int wc_PKCS7_DecodeKtri(PKCS7* pkcs7, byte* pkiMsg, word32 pkiMsgSz,
return ret;
}
keyIdx = 0;
ret = wc_RsaPrivateKeyDecode(pkcs7->privateKey, &keyIdx, privKey,
pkcs7->privateKeySz);
if (pkcs7->privateKey != NULL && pkcs7->privateKeySz > 0) {
keyIdx = 0;
ret = wc_RsaPrivateKeyDecode(pkcs7->privateKey, &keyIdx, privKey,
pkcs7->privateKeySz);
}
else if (pkcs7->devId == INVALID_DEVID) {
ret = BAD_FUNC_ARG;
}
if (ret != 0) {
WOLFSSL_MSG("Failed to decode RSA private key");
#ifdef WOLFSSL_SMALL_STACK
@ -3735,7 +3764,7 @@ static int wc_PKCS7_DecodeKtri(PKCS7* pkcs7, byte* pkiMsg, word32 pkiMsgSz,
/* decrypt encryptedKey */
#ifdef WC_RSA_BLINDING
ret = wc_InitRng_ex(&rng, pkcs7->heap, INVALID_DEVID);
ret = wc_InitRng_ex(&rng, pkcs7->heap, pkcs7->devId);
if (ret == 0) {
ret = wc_RsaSetRNG(privKey, &rng);
}
@ -3823,10 +3852,12 @@ static int wc_PKCS7_KariGetOriginatorIdentifierOrKey(WC_PKCS7_KARI* kari,
return ASN_EXPECT_0_E;
/* get sender ephemeral public ECDSA key */
ret = wc_ecc_init_ex(kari->senderKey, kari->heap, INVALID_DEVID);
ret = wc_ecc_init_ex(kari->senderKey, kari->heap, kari->devId);
if (ret != 0)
return ret;
kari->senderKeyInit = 1;
/* length-1 for unused bits counter */
ret = wc_ecc_import_x963(pkiMsg + (*idx), length - 1, kari->senderKey);
if (ret != 0)
@ -4155,6 +4186,9 @@ static int wc_PKCS7_DecodeKari(PKCS7* pkcs7, byte* pkiMsg, word32 pkiMsgSz,
pkcs7->privateKeySz);
if (ret != 0) {
wc_PKCS7_KariFree(kari);
#ifdef WOLFSSL_SMALL_STACK
XFREE(encryptedKey, NULL, DYNAMIC_TYPE_PKCS7);
#endif
return ret;
}
@ -4380,8 +4414,7 @@ WOLFSSL_API int wc_PKCS7_DecodeEnvelopedData(PKCS7* pkcs7, byte* pkiMsg,
int explicitOctet;
if (pkcs7 == NULL || pkcs7->singleCert == NULL ||
pkcs7->singleCertSz == 0 || pkcs7->privateKey == NULL ||
pkcs7->privateKeySz == 0)
pkcs7->singleCertSz == 0)
return BAD_FUNC_ARG;
if (pkiMsg == NULL || pkiMsgSz == 0 ||

39
wolfcrypt/src/rsa.c
View File

@ -190,6 +190,9 @@ int wc_RsaFlattenPublicKey(RsaKey* key, byte* a, word32* aSz, byte* b,
#include <wolfssl/wolfcrypt/random.h>
#include <wolfssl/wolfcrypt/logging.h>
#ifdef WOLF_CRYPTO_DEV
#include <wolfssl/wolfcrypt/cryptodev.h>
#endif
#ifdef NO_INLINE
#include <wolfssl/wolfcrypt/misc.h>
#else
@ -237,8 +240,6 @@ int wc_InitRsaKey_ex(RsaKey* key, void* heap, int devId)
return BAD_FUNC_ARG;
}
(void)devId;
XMEMSET(key, 0, sizeof(RsaKey));
key->type = RSA_TYPE_UNKNOWN;
@ -251,6 +252,12 @@ int wc_InitRsaKey_ex(RsaKey* key, void* heap, int devId)
key->rng = NULL;
#endif
#ifdef WOLF_CRYPTO_DEV
key->devId = devId;
#else
(void)devId;
#endif
#ifdef WOLFSSL_ASYNC_CRYPT
#ifdef WOLFSSL_CERT_GEN
XMEMSET(&key->certSignCtx, 0, sizeof(CertSignCtx));
@ -263,8 +270,6 @@ int wc_InitRsaKey_ex(RsaKey* key, void* heap, int devId)
if (ret != 0)
return ret;
#endif /* WC_ASYNC_ENABLE_RSA */
#else
(void)devId;
#endif /* WOLFSSL_ASYNC_CRYPT */
ret = mp_init_multi(&key->n, &key->e, NULL, NULL, NULL, NULL);
@ -1512,7 +1517,7 @@ static int wc_RsaFunctionAsync(const byte* in, word32 inLen, byte* out,
}
#endif /* WOLFSSL_ASYNC_CRYPT && WC_ASYNC_ENABLE_RSA */
#ifdef WC_RSA_NO_PADDING
#if defined(WC_RSA_DIRECT) || defined(WC_RSA_NO_PADDING)
/* Function that does the RSA operation directly with no padding.
*
* in buffer to do operation on
@ -1606,7 +1611,7 @@ int wc_RsaDirect(byte* in, word32 inLen, byte* out, word32* outSz,
return ret;
}
#endif /* WC_RSA_NO_PADDING */
#endif /* WC_RSA_DIRECT || WC_RSA_NO_PADDING */
int wc_RsaFunction(const byte* in, word32 inLen, byte* out,
@ -1619,6 +1624,15 @@ int wc_RsaFunction(const byte* in, word32 inLen, byte* out,
return BAD_FUNC_ARG;
}
#ifdef WOLF_CRYPTO_DEV
if (key->devId != INVALID_DEVID) {
ret = wc_CryptoDev_Rsa(in, inLen, out, outLen, type, key, rng);
if (ret != NOT_COMPILED_IN)
return ret;
ret = 0; /* reset error code and try using software */
}
#endif
#ifndef NO_RSA_BOUNDS_CHECK
if (type == RSA_PRIVATE_DECRYPT &&
key->state == RSA_STATE_DECRYPT_EXPTMOD) {
@ -2268,10 +2282,21 @@ int wc_RsaPSS_Sign_ex(const byte* in, word32 inLen, byte* out, word32 outLen,
int wc_RsaEncryptSize(RsaKey* key)
{
int ret;
if (key == NULL) {
return BAD_FUNC_ARG;
}
return mp_unsigned_bin_size(&key->n);
ret = mp_unsigned_bin_size(&key->n);
#ifdef WOLF_CRYPTO_DEV
if (ret == 0 && key->devId != INVALID_DEVID) {
ret = 2048/8; /* hardware handles, use 2048-bit as default */
}
#endif
return ret;
}

8
wolfcrypt/src/wc_port.c
View File

@ -64,6 +64,10 @@
#include <wolfssl/wolfcrypt/port/caam/wolfcaam.h>
#endif
#ifdef WOLF_CRYPTO_DEV
#include <wolfssl/wolfcrypt/cryptodev.h>
#endif
#ifdef _MSC_VER
/* 4996 warning to use MS extensions e.g., strcpy_s instead of strncpy */
#pragma warning(disable: 4996)
@ -82,6 +86,10 @@ int wolfCrypt_Init(void)
if (initRefCount == 0) {
WOLFSSL_ENTER("wolfCrypt_Init");
#ifdef WOLF_CRYPTO_DEV
wc_CryptoDev_Init();
#endif
#ifdef WOLFSSL_ASYNC_CRYPT
ret = wolfAsync_HardwareStart();
if (ret != 0) {

138
wolfcrypt/test/test.c
View File

@ -119,6 +119,9 @@
#ifdef WOLFSSL_IMX6_CAAM_BLOB
#include <wolfssl/wolfcrypt/port/caam/wolfcaam.h>
#endif
#ifdef WOLF_CRYPTO_DEV
#include <wolfssl/wolfcrypt/cryptodev.h>
#endif
#define WOLFSSL_MISC_INCLUDED
#include <wolfcrypt/src/misc.c>
@ -341,6 +344,9 @@ int blob_test(void);
#endif
int misc_test(void);
#ifdef WOLF_CRYPTO_DEV
int cryptodev_test(void);
#endif
/* General big buffer size for many tests. */
#define FOURK_BUF 4096
@ -960,6 +966,13 @@ initDefaultName();
else
printf( "misc test passed!\n");
#ifdef WOLF_CRYPTO_DEV
if ( (ret = cryptodev_test()) != 0)
return err_sys("crypto dev test failed!\n", ret);
else
printf( "crypto dev test passed!\n");
#endif
#ifdef WOLFSSL_ASYNC_CRYPT
wolfAsync_DevClose(&devId);
#endif
@ -8690,7 +8703,7 @@ static int rsa_sig_test(RsaKey* key, word32 keyLen, int modLen, WC_RNG* rng)
* -101 = USER_CRYPTO_ERROR
*/
if (ret == 0)
#elif defined(WOLFSSL_ASYNC_CRYPT)
#elif defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLF_CRYPTO_DEV)
/* async may not require RNG */
if (ret != 0 && ret != MISSING_RNG_E)
#elif defined(HAVE_FIPS) || defined(WOLFSSL_ASYNC_CRYPT) || \
@ -19247,6 +19260,129 @@ int misc_test(void)
return 0;
}
#ifdef WOLF_CRYPTO_DEV
/* Example custom context for crypto callback */
typedef struct {
int exampleVar; /* example, not used */
} myCryptoDevCtx;
/* Example crypto dev callback function that calls software version */
static int myCryptoDevCb(int devIdArg, wc_CryptoInfo* info, void* ctx)
{
int ret = NOT_COMPILED_IN; /* return this to bypass HW and use SW */
myCryptoDevCtx* myCtx = (myCryptoDevCtx*)ctx;
if (info == NULL)
return BAD_FUNC_ARG;
if (info->algo_type == WC_ALGO_TYPE_PK) {
#ifdef DEBUG_WOLFSSL
printf("CryptoDevCb: Pk Type %d\n", info->pk.type);
#endif
#ifndef NO_RSA
if (info->pk.type == WC_PK_TYPE_RSA) {
/* set devId to invalid, so software is used */
info->pk.rsa.key->devId = INVALID_DEVID;
switch (info->pk.rsa.type) {
case RSA_PUBLIC_ENCRYPT:
case RSA_PUBLIC_DECRYPT:
/* perform software based RSA public op */
ret = wc_RsaFunction(
info->pk.rsa.in, info->pk.rsa.inLen,
info->pk.rsa.out, info->pk.rsa.outLen,
info->pk.rsa.type, info->pk.rsa.key, info->pk.rsa.rng);
break;
case RSA_PRIVATE_ENCRYPT:
case RSA_PRIVATE_DECRYPT:
/* perform software based RSA private op */
ret = wc_RsaFunction(
info->pk.rsa.in, info->pk.rsa.inLen,
info->pk.rsa.out, info->pk.rsa.outLen,
info->pk.rsa.type, info->pk.rsa.key, info->pk.rsa.rng);
break;
}
/* reset devId */
info->pk.rsa.key->devId = devIdArg;
}
#endif /* !NO_RSA */
#ifdef HAVE_ECC
if (info->pk.type == WC_PK_TYPE_ECDSA_SIGN) {
/* set devId to invalid, so software is used */
info->pk.eccsign.key->devId = INVALID_DEVID;
ret = wc_ecc_sign_hash(
info->pk.eccsign.in, info->pk.eccsign.inlen,
info->pk.eccsign.out, info->pk.eccsign.outlen,
info->pk.eccsign.rng, info->pk.eccsign.key);
/* reset devId */
info->pk.eccsign.key->devId = devIdArg;
}
else if (info->pk.type == WC_PK_TYPE_ECDSA_VERIFY) {
/* set devId to invalid, so software is used */
info->pk.eccverify.key->devId = INVALID_DEVID;
ret = wc_ecc_verify_hash(
info->pk.eccverify.sig, info->pk.eccverify.siglen,
info->pk.eccverify.hash, info->pk.eccverify.hashlen,
info->pk.eccverify.res, info->pk.eccverify.key);
/* reset devId */
info->pk.eccverify.key->devId = devIdArg;
}
else if (info->pk.type == WC_PK_TYPE_ECDH) {
/* set devId to invalid, so software is used */
info->pk.ecdh.private_key->devId = INVALID_DEVID;
ret = wc_ecc_shared_secret(
info->pk.ecdh.private_key, info->pk.ecdh.public_key,
info->pk.ecdh.out, info->pk.ecdh.outlen);
/* reset devId */
info->pk.ecdh.private_key->devId = devIdArg;
}
#endif /* HAVE_ECC */
}
(void)myCtx;
return ret;
}
int cryptodev_test(void)
{
int ret = 0;
myCryptoDevCtx myCtx;
/* example data for callback */
myCtx.exampleVar = 1;
/* set devId to something other than INVALID_DEVID */
devId = 1;
ret = wc_CryptoDev_RegisterDevice(devId, myCryptoDevCb, &myCtx);
#ifndef NO_RSA
if (ret == 0)
ret = rsa_test();
#endif
#ifdef HAVE_ECC
if (ret == 0)
ret = ecc_test();
#endif
/* reset devId */
devId = INVALID_DEVID;
return ret;
}
#endif /* WOLF_CRYPTO_DEV */
#undef ERROR_OUT
#else

114
wolfssl/wolfcrypt/cryptodev.h Normal file
View File

@ -0,0 +1,114 @@
/* cryptodev.h
*
* Copyright (C) 2006-2018 wolfSSL Inc.
*
* This file is part of wolfSSL.
*
* wolfSSL is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* wolfSSL is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#ifndef _WOLF_CRYPTO_DEV_H_
#define _WOLF_CRYPTO_DEV_H_
#include <wolfssl/wolfcrypt/types.h>
#ifdef __cplusplus
extern "C" {
#endif
#ifdef WOLF_CRYPTO_DEV
#ifndef NO_RSA
#include <wolfssl/wolfcrypt/rsa.h>
#endif
#ifdef HAVE_ECC
#include <wolfssl/wolfcrypt/ecc.h>
#endif
/* Crypto Information Structure for callbacks */
typedef struct wc_CryptoInfo {
int algo_type; /* enum wc_AlgoType */
struct {
int type; /* enum wc_PkType */
union {
#ifndef NO_RSA
struct {
const byte* in;
word32 inLen;
byte* out;
word32* outLen;
int type;
RsaKey* key;
WC_RNG* rng;
} rsa;
#endif
#ifdef HAVE_ECC
struct {
ecc_key* private_key;
ecc_key* public_key;
byte* out;
word32* outlen;
} ecdh;
struct {
const byte* in;
word32 inlen;
byte* out;
word32 *outlen;
WC_RNG* rng;
ecc_key* key;
} eccsign;
struct {
const byte* sig;
word32 siglen;
const byte* hash;
word32 hashlen;
int* res;
ecc_key* key;
} eccverify;
#endif
};
} pk;
} wc_CryptoInfo;
typedef int (*CryptoDevCallbackFunc)(int devId, wc_CryptoInfo* info, void* ctx);
WOLFSSL_LOCAL void wc_CryptoDev_Init(void);
WOLFSSL_API int wc_CryptoDev_RegisterDevice(int devId, CryptoDevCallbackFunc cb, void* ctx);
WOLFSSL_API void wc_CryptoDev_UnRegisterDevice(int devId);
#ifndef NO_RSA
WOLFSSL_LOCAL int wc_CryptoDev_Rsa(const byte* in, word32 inLen, byte* out,
word32* outLen, int type, RsaKey* key, WC_RNG* rng);
#endif /* !NO_RSA */
#ifdef HAVE_ECC
WOLFSSL_LOCAL int wc_CryptoDev_Ecdh(ecc_key* private_key, ecc_key* public_key,
byte* out, word32* outlen);
WOLFSSL_LOCAL int wc_CryptoDev_EccSign(const byte* in, word32 inlen, byte* out,
word32 *outlen, WC_RNG* rng, ecc_key* key);
WOLFSSL_LOCAL int wc_CryptoDev_EccVerify(const byte* sig, word32 siglen,
const byte* hash, word32 hashlen, int* res, ecc_key* key);
#endif /* HAVE_ECC */
#endif /* WOLF_CRYPTO_DEV */
#ifdef __cplusplus
} /* extern "C" */
#endif
#endif /* _WOLF_CRYPTO_DEV_H_ */

2
wolfssl/wolfcrypt/ecc.h
View File

@ -319,7 +319,7 @@ struct ecc_key {
int slot; /* Key Slot Number (-1 unknown) */
byte pubkey_raw[ECC_MAX_CRYPTO_HW_PUBKEY_SIZE];
#endif
#ifdef PLUTON_CRYPTO_ECC
#if defined(PLUTON_CRYPTO_ECC) || defined(WOLF_CRYPTO_DEV)
int devId;
#endif
#ifdef WOLFSSL_ASYNC_CRYPT

3
wolfssl/wolfcrypt/include.am
View File

@ -61,7 +61,8 @@ nobase_include_HEADERS+= \
wolfssl/wolfcrypt/pkcs12.h \
wolfssl/wolfcrypt/wolfmath.h \
wolfssl/wolfcrypt/sha3.h \
wolfssl/wolfcrypt/cpuid.h
wolfssl/wolfcrypt/cpuid.h \
wolfssl/wolfcrypt/cryptodev.h
noinst_HEADERS+= \
wolfssl/wolfcrypt/port/pic32/pic32mz-crypt.h \

1
wolfssl/wolfcrypt/pkcs7.h
View File

@ -133,6 +133,7 @@ typedef struct PKCS7 {
int encryptOID; /* key encryption algorithm OID */
int keyWrapOID; /* key wrap algorithm OID */
int keyAgreeOID; /* key agreement algorithm OID */
int devId; /* device ID for HW based private key */
byte issuerHash[KEYID_SIZE]; /* hash of all alt Names */
byte issuerSn[MAX_SN_SZ]; /* singleCert's serial number */
byte publicKey[MAX_RSA_INT_SZ + MAX_RSA_E_SZ ];/*MAX RSA key size (m + e)*/

9
wolfssl/wolfcrypt/rsa.h
View File

@ -121,6 +121,9 @@ struct RsaKey {
#ifdef WC_RSA_BLINDING
WC_RNG* rng; /* for PrivateDecrypt blinding */
#endif
#ifdef WOLF_CRYPTO_DEV
int devId;
#endif
#ifdef WOLFSSL_ASYNC_CRYPT
WC_ASYNC_DEV asyncDev;
#ifdef WOLFSSL_CERT_GEN
@ -149,7 +152,7 @@ WOLFSSL_API int wc_FreeRsaKey(RsaKey* key);
WOLFSSL_LOCAL int wc_InitRsaHw(RsaKey* key);
#endif /* WOLFSSL_XILINX_CRYPT */
WOLFSSL_LOCAL int wc_RsaFunction(const byte* in, word32 inLen, byte* out,
WOLFSSL_API int wc_RsaFunction(const byte* in, word32 inLen, byte* out,
word32* outLen, int type, RsaKey* key, WC_RNG* rng);
WOLFSSL_API int wc_RsaPublicEncrypt(const byte* in, word32 inLen, byte* out,
@ -235,9 +238,13 @@ WOLFSSL_API int wc_RsaPrivateDecrypt_ex(const byte* in, word32 inLen,
WOLFSSL_API int wc_RsaPrivateDecryptInline_ex(byte* in, word32 inLen,
byte** out, RsaKey* key, int type, enum wc_HashType hash,
int mgf, byte* label, word32 lableSz);
#if defined(WC_RSA_DIRECT) || defined(WC_RSA_NO_PADDING)
WOLFSSL_API int wc_RsaDirect(byte* in, word32 inLen, byte* out, word32* outSz,
RsaKey* key, int type, WC_RNG* rng);
#endif
#endif /* HAVE_FIPS*/
WOLFSSL_API int wc_RsaFlattenPublicKey(RsaKey*, byte*, word32*, byte*,
word32*);
WOLFSSL_API int wc_RsaExportKey(RsaKey* key,

32
wolfssl/wolfcrypt/types.h
View File

@ -102,7 +102,7 @@
(defined(LP64) || defined(_LP64))
/* LP64 with GNU GCC compiler is reserved for when long int is 64 bits
* and int uses 32 bits. When using Solaris Studio sparc and __sparc are
* avialable for 32 bit detection but __sparc64__ could be missed. This
* available for 32 bit detection but __sparc64__ could be missed. This
* uses LP64 for checking 64 bit CPU arch. */
typedef word64 wolfssl_word;
#define WC_64BIT_CPU
@ -201,7 +201,7 @@
/* idea to add global alloc override by Moises Guimaraes */
/* default to libc stuff */
/* XREALLOC is used once in normal math lib, not in fast math lib */
/* XFREE on some embeded systems doesn't like free(0) so test */
/* XFREE on some embedded systems doesn't like free(0) so test */
#if defined(HAVE_IO_POOL)
WOLFSSL_API void* XMALLOC(size_t n, void* heap, int type);
WOLFSSL_API void* XREALLOC(void *p, size_t n, void* heap, int type);
@ -496,6 +496,17 @@
MIN_STACK_BUFFER = 8
};
/* Algorithm Types */
enum wc_AlgoType {
WC_ALGO_TYPE_NONE = 0,
WC_ALGO_TYPE_HASH = 1,
WC_ALGO_TYPE_CIPHER = 2,
WC_ALGO_TYPE_PK = 3,
WC_ALGO_TYPE_MAX = WC_ALGO_TYPE_PK
};
/* hash types */
enum wc_HashType {
WC_HASH_TYPE_NONE = 0,
@ -518,7 +529,7 @@
};
/* cipher types */
enum CipherTypes {
enum wc_CipherType {
WC_CIPHER_NONE = 0,
WC_CIPHER_AES = 1,
WC_CIPHER_AES_CBC = 2,
@ -530,10 +541,25 @@
WC_CIPHER_DES = 8,
WC_CIPHER_CHACHA = 9,
WC_CIPHER_HC128 = 10,
WC_CIPHER_IDEA = 11,
WC_CIPHER_MAX = WC_CIPHER_HC128
};
/* PK=public key (asymmetric) based algorithms */
enum wc_PkType {
WC_PK_TYPE_NONE = 0,
WC_PK_TYPE_RSA = 1,
WC_PK_TYPE_DH = 2,
WC_PK_TYPE_ECDH = 3,
WC_PK_TYPE_ECDSA_SIGN = 4,
WC_PK_TYPE_ECDSA_VERIFY = 5,
WC_PK_TYPE_ED25519 = 6,
WC_PK_TYPE_CURVE25519 = 7,
WC_PK_TYPE_MAX = WC_PK_TYPE_CURVE25519
};
/* settings detection for compile vs runtime math incompatibilities */
enum {