Update PKCS11 examples to set RNG for RSA operations

Author: ColtonWilley

pkcs11/pkcs11_rsa.c

@@ -187,6 +187,7 @@ static const unsigned char client_keypub_der_2048[] =
         0x03, 0x01, 0x00, 0x01
 };
 static const int sizeof_client_keypub_der_2048 = sizeof(client_keypub_der_2048);
+WC_RNG rng;
 
 static int decode_private_key(RsaKey* key, int devId)
 {
@@ -245,7 +246,7 @@ static int rsa_sign_verify(int devId)
     if (ret == 0) {
         fprintf(stderr, "Signing\n");
         sigSz = ret = wc_RsaSSL_Sign(hash, hashSz, sig, (int)sigSz, &priv,
-                                     NULL);
+                                     &rng);
         if (ret < 0)
             fprintf(stderr, "Failed to sign: %d\n", ret);
         else
@@ -282,18 +283,12 @@ static int rsa_sign_verify_pss(int devId)
     word32 hashSz, ptSz, sigSz;
     RsaKey priv;
     RsaKey pub;
-    WC_RNG rng;
 
     memset(hash, 9, sizeof(hash));
     hashSz = sizeof(hash);
     sigSz = sizeof(sig);
     ptSz = sizeof(pt);
 
-    ret = wc_InitRng(&rng);
-    if (ret != 0) {
-        fprintf(stderr, "Failed to initialize RNG: %d\n", ret);
-    }
-
     ret = decode_private_key(&priv, devId);
     if (ret == 0) {
         fprintf(stderr, "PSS Signing\n");
@@ -375,6 +370,12 @@ int main(int argc, char* argv[])
                 fprintf(stderr, "Failed to register PKCS#11 token\n");
                 ret = 2;
             }
+            if (ret == 0) {
+                ret = wc_InitRng(&rng);
+                if (ret != 0) {
+                    fprintf(stderr, "Failed to initialize RNG: %d\n", ret);
+                }
+            }
             if (ret == 0) {
             #ifndef NO_RSA
                 ret = rsa_sign_verify(devId);
@@ -394,6 +395,7 @@ int main(int argc, char* argv[])
         wc_Pkcs11_Finalize(&dev);
     }
 
+    wc_FreeRng(&rng);
     wolfCrypt_Cleanup();
 
     if (ret == 0)

pkcs11/pkcs11_test.c

@@ -429,6 +429,10 @@ int rsaenc_test(RsaKey* key)
     outSz = sizeof(out);
     decSz = sizeof(dec);
 
+#ifdef WC_RSA_BLINDING
+    ret = wc_RsaSetRNG(key, &rng);
+#endif
+
     if (ret == 0) {
         outSz = ret = wc_RsaPublicEncrypt_ex(plain, plainSz, out, (int)outSz,
             key, &rng, WC_RSA_PKCSV15_PAD, WC_HASH_TYPE_NONE, WC_MGF1NONE, NULL,
@@ -460,27 +464,39 @@ int rsaenc_test(RsaKey* key)
 int rsasig_test(RsaKey* key)
 {
     int    ret = 0;
-    byte   plain[128], out[2048/8];
-    word32 plainSz, outSz;
+    byte   plain[128], sig[2048/8], pt[2048/8];
+    word32 plainSz, sigSz, ptSz;
 
     memset(plain, 9, sizeof(plain));
     plainSz = sizeof(plain);
-    outSz = sizeof(out);
+    sigSz = sizeof(sig);
+    ptSz = sizeof(pt);
 
     if (ret == 0) {
-        outSz = ret = wc_RsaSSL_Sign(plain, plainSz, out, (int)outSz, key,
-            NULL);
+        sigSz = ret = wc_RsaSSL_Sign(plain, plainSz, sig, (int)sigSz, key,
+            &rng);
         if (ret < 0)
             fprintf(stderr, "Failed to sign: %d\n", ret);
         else
             ret = 0;
     }
     if (ret == 0) {
-        ret = wc_RsaSSL_Verify(out, outSz, plain, (int)plainSz, key);
+        ret = wc_RsaSSL_Verify(sig, sigSz, pt, (int)ptSz, key);
         if (ret < 0)
             fprintf(stderr, "Failed to verify: %d\n", ret);
-        else
-            ret = 0;
+
+        if (ret != plainSz) {
+            fprintf(stderr, "Failed to verify: %d\n", ret);
+            ret = -1;
+        }
+        if (ret > 0) {
+            if (XMEMCMP(plain, pt, ret) != 0) {
+                ret = -1;
+            }
+            else {
+                ret = 0;
+            }
+        }
     }
 
     return ret;