feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

wolfSSL_RSA_*_PKCS1_PSS rewrite

Browse Source
This commit is contained in:
Juliusz Sosinowicz
2020-04-06 14:51:58 +02:00
parent 89f7a51838
commit 0ded4d4ccb
2 changed files with 78 additions and 67 deletions
Download Patch File Download Diff File Expand all files Collapse all files

131
src/ssl.c
View File

@@ -39054,7 +39054,7 @@ static int hash2mgf(enum wc_HashType hType)
case WC_HASH_TYPE_BLAKE2B: case WC_HASH_TYPE_BLAKE2B:
case WC_HASH_TYPE_BLAKE2S: case WC_HASH_TYPE_BLAKE2S:
default: default:
WOLFSSL_MSG("Unrecognized hash function"); WOLFSSL_MSG("Unrecognized or unsupported hash function");
return WC_MGF1NONE; return WC_MGF1NONE;
} }
} }
@@ -39090,7 +39090,7 @@ int wolfSSL_RSA_padding_add_PKCS1_PSS(WOLFSSL_RSA *rsa, unsigned char *EM,
const unsigned char *mHash, const unsigned char *mHash,
const WOLFSSL_EVP_MD *hashAlg, int saltLen) const WOLFSSL_EVP_MD *hashAlg, int saltLen)
{ {
int hLen, emLen, mgf; int hashLen, emLen, mgf;
int ret = WOLFSSL_FAILURE; int ret = WOLFSSL_FAILURE;
int initTmpRng = 0; int initTmpRng = 0;
WC_RNG *rng = NULL; WC_RNG *rng = NULL;
@@ -39100,7 +39100,7 @@ int wolfSSL_RSA_padding_add_PKCS1_PSS(WOLFSSL_RSA *rsa, unsigned char *EM,
WC_RNG _tmpRNG[1]; WC_RNG _tmpRNG[1];
WC_RNG* tmpRNG = _tmpRNG; WC_RNG* tmpRNG = _tmpRNG;
#endif #endif
enum wc_HashType hType; enum wc_HashType hashType;
WOLFSSL_ENTER("wolfSSL_RSA_padding_add_PKCS1_PSS"); WOLFSSL_ENTER("wolfSSL_RSA_padding_add_PKCS1_PSS");
@@ -39108,46 +39108,54 @@ int wolfSSL_RSA_padding_add_PKCS1_PSS(WOLFSSL_RSA *rsa, unsigned char *EM,
return WOLFSSL_FAILURE; return WOLFSSL_FAILURE;
} }
rng = WOLFSSL_RSA_GetRNG(rsa, (WC_RNG**)&tmpRNG, &initTmpRng); if (!(rng = WOLFSSL_RSA_GetRNG(rsa, (WC_RNG**)&tmpRNG, &initTmpRng))) {
WOLFSSL_MSG("WOLFSSL_RSA_GetRNG error");
goto cleanup;
}
if (!rsa->exSet && SetRsaExternal(rsa) != WOLFSSL_SUCCESS) { if (!rsa->exSet && SetRsaExternal(rsa) != WOLFSSL_SUCCESS) {
WOLFSSL_MSG("SetRsaExternal error");
goto cleanup; goto cleanup;
} }
hType = wolfSSL_EVP_MD_type(hashAlg); hashType = wolfSSL_EVP_MD_type(hashAlg);
if (hType < WC_HASH_TYPE_NONE || hType > WC_HASH_TYPE_MAX) { if (hashType < WC_HASH_TYPE_NONE || hashType > WC_HASH_TYPE_MAX) {
WOLFSSL_MSG("wolfSSL_EVP_MD_type error");
goto cleanup; goto cleanup;
} }
mgf = hash2mgf(hType); if ((mgf = hash2mgf(hashType)) == WC_MGF1NONE) {
WOLFSSL_MSG("hash2mgf error");
goto cleanup;
}
hLen = wolfSSL_EVP_MD_size(hashAlg); if ((hashLen = wolfSSL_EVP_MD_size(hashAlg)) < 0) {
if (hLen < 0) { WOLFSSL_MSG("wolfSSL_EVP_MD_size error");
goto cleanup; goto cleanup;
} }
/*
* Negative sLen has special meanings: if ((emLen = wolfSSL_RSA_size(rsa)) <= 0) {
* -1 sLen == hLen
* -2 salt length is maximized
* -3 same as above (on signing)
* -N reserved
*/
if (saltLen == RSA_PSS_SALTLEN_DIGEST) {
saltLen = hLen;
} else if (saltLen == RSA_PSS_SALTLEN_MAX_SIGN) {
saltLen = RSA_PSS_SALTLEN_MAX;
} else if (saltLen < RSA_PSS_SALTLEN_MAX) {
WOLFSSL_MSG("invalid saltLen");
goto cleanup;
}
emLen = wolfSSL_RSA_size(rsa);
if (emLen <= 0) {
WOLFSSL_MSG("wolfSSL_RSA_size error"); WOLFSSL_MSG("wolfSSL_RSA_size error");
goto cleanup; goto cleanup;
} }
if (saltLen == RSA_PSS_SALTLEN_MAX) {
saltLen = emLen - hLen - 2; switch (saltLen) {
/* Negative saltLen values are treated differently */
case RSA_PSS_SALTLEN_DIGEST:
saltLen = hashLen;
break;
case RSA_PSS_SALTLEN_MAX_SIGN:
case RSA_PSS_SALTLEN_MAX:
saltLen = emLen - hashLen - 2;
break;
default:
if (saltLen < 0) {
/* Not any currently implemented negative value */
WOLFSSL_MSG("invalid saltLen");
goto cleanup;
}
} }
if (wc_RsaPad_ex(mHash, wolfSSL_EVP_MD_size(hashAlg), EM, emLen, if (wc_RsaPad_ex(mHash, wolfSSL_EVP_MD_size(hashAlg), EM, emLen,
RSA_BLOCK_TYPE_1, rng, WC_RSA_PSS_PAD, RSA_BLOCK_TYPE_1, rng, WC_RSA_PSS_PAD,
wolfSSL_EVP_MD_type(hashAlg), mgf, NULL, 0, saltLen, wolfSSL_EVP_MD_type(hashAlg), mgf, NULL, 0, saltLen,
@@ -39176,8 +39184,8 @@ int wolfSSL_RSA_verify_PKCS1_PSS(WOLFSSL_RSA *rsa, const unsigned char *mHash,
const WOLFSSL_EVP_MD *hashAlg, const WOLFSSL_EVP_MD *hashAlg,
const unsigned char *EM, int saltLen) const unsigned char *EM, int saltLen)
{ {
int hLen, mgf, nLen, mPrimeLen; int hashLen, mgf, emLen, mPrimeLen;
enum wc_HashType hType; enum wc_HashType hashType;
byte *mPrime = NULL; byte *mPrime = NULL;
byte *buf = NULL; byte *buf = NULL;
@@ -39187,56 +39195,61 @@ int wolfSSL_RSA_verify_PKCS1_PSS(WOLFSSL_RSA *rsa, const unsigned char *mHash,
return WOLFSSL_FAILURE; return WOLFSSL_FAILURE;
} }
hLen = wolfSSL_EVP_MD_size(hashAlg); if ((hashLen = wolfSSL_EVP_MD_size(hashAlg)) < 0) {
if (hLen < 0) {
return WOLFSSL_FAILURE; return WOLFSSL_FAILURE;
} }
/*
* Negative sLen has special meanings: if ((emLen = wolfSSL_RSA_size(rsa)) <= 0) {
* -1 sLen == hLen WOLFSSL_MSG("wolfSSL_RSA_size error");
* -2 salt length is maximized
* -3 same as above (on signing)
* -N reserved
*/
if (saltLen == RSA_PSS_SALTLEN_DIGEST) {
saltLen = hLen;
} else if (saltLen == RSA_PSS_SALTLEN_MAX_SIGN) {
saltLen = RSA_PSS_SALTLEN_MAX;
} else if (saltLen < RSA_PSS_SALTLEN_MAX) {
WOLFSSL_MSG("invalid saltLen");
return WOLFSSL_FAILURE; return WOLFSSL_FAILURE;
} }
switch (saltLen) {
/* Negative saltLen values are treated differently */
case RSA_PSS_SALTLEN_DIGEST:
saltLen = hashLen;
break;
case RSA_PSS_SALTLEN_MAX_SIGN:
case RSA_PSS_SALTLEN_MAX:
saltLen = emLen - hashLen - 2;
break;
default:
if (saltLen < 0) {
/* Not any currently implemented negative value */
WOLFSSL_MSG("invalid saltLen");
return WOLFSSL_FAILURE;
}
}
if (!rsa->exSet && SetRsaExternal(rsa) != WOLFSSL_SUCCESS) { if (!rsa->exSet && SetRsaExternal(rsa) != WOLFSSL_SUCCESS) {
return WOLFSSL_FAILURE; return WOLFSSL_FAILURE;
} }
hType = wolfSSL_EVP_MD_type(hashAlg); hashType = wolfSSL_EVP_MD_type(hashAlg);
if (hType < WC_HASH_TYPE_NONE || hType > WC_HASH_TYPE_MAX) { if (hashType < WC_HASH_TYPE_NONE || hashType > WC_HASH_TYPE_MAX) {
WOLFSSL_MSG("wolfSSL_EVP_MD_type error");
return WOLFSSL_FAILURE; return WOLFSSL_FAILURE;
} }
mgf = hash2mgf(hType); if ((mgf = hash2mgf(hashType)) == WC_MGF1NONE) {
WOLFSSL_MSG("hash2mgf error");
hLen = wolfSSL_EVP_MD_size(hashAlg);
if (hLen < 0) {
return WOLFSSL_FAILURE; return WOLFSSL_FAILURE;
} }
nLen = wolfSSL_BN_num_bytes(rsa->n); if ((hashLen = wolfSSL_EVP_MD_size(hashAlg)) < 0) {
if (nLen <= 0) { WOLFSSL_MSG("wolfSSL_EVP_MD_size error");
return WOLFSSL_FAILURE; return WOLFSSL_FAILURE;
} }
buf = (byte*)XMALLOC(nLen, NULL, DYNAMIC_TYPE_TMP_BUFFER); if (!(buf = (byte*)XMALLOC(emLen, NULL, DYNAMIC_TYPE_TMP_BUFFER))) {
if (!buf) { WOLFSSL_MSG("malloc error");
return WOLFSSL_FAILURE; return WOLFSSL_FAILURE;
} }
XMEMCPY(buf, EM, nLen); XMEMCPY(buf, EM, emLen);
/* Remove and verify the PSS padding */ /* Remove and verify the PSS padding */
if ((mPrimeLen = wc_RsaUnPad_ex(buf, nLen, &mPrime, if ((mPrimeLen = wc_RsaUnPad_ex(buf, emLen, &mPrime,
RSA_BLOCK_TYPE_1, WC_RSA_PSS_PAD, hType, RSA_BLOCK_TYPE_1, WC_RSA_PSS_PAD, hashType,
mgf, NULL, 0, saltLen, mgf, NULL, 0, saltLen,
wolfSSL_BN_num_bits(rsa->n), NULL)) < 0) { wolfSSL_BN_num_bits(rsa->n), NULL)) < 0) {
WOLFSSL_MSG("wc_RsaPad_ex error"); WOLFSSL_MSG("wc_RsaPad_ex error");
@@ -39245,7 +39258,7 @@ int wolfSSL_RSA_verify_PKCS1_PSS(WOLFSSL_RSA *rsa, const unsigned char *mHash,
} }
/* Verify the hash is correct */ /* Verify the hash is correct */
if (wc_RsaPSS_CheckPadding_ex(mHash, hLen, mPrime, mPrimeLen, hType, if (wc_RsaPSS_CheckPadding_ex(mHash, hashLen, mPrime, mPrimeLen, hashType,
saltLen, wolfSSL_BN_num_bits(rsa->n)) saltLen, wolfSSL_BN_num_bits(rsa->n))
!= MP_OKAY) { != MP_OKAY) {
WOLFSSL_MSG("wc_RsaPSS_CheckPadding_ex error"); WOLFSSL_MSG("wc_RsaPSS_CheckPadding_ex error");

14
wolfssl/openssl/rsa.h
View File

@@ -49,14 +49,12 @@
#define RSA_FLAG_NO_BLINDING (1 << 7) #define RSA_FLAG_NO_BLINDING (1 << 7)
#define RSA_FLAG_NO_CONSTTIME (1 << 8) #define RSA_FLAG_NO_CONSTTIME (1 << 8)
/* Salt length matches digest */ /* Salt length same as digest length */
#define RSA_PSS_SALTLEN_DIGEST -1 #define RSA_PSS_SALTLEN_DIGEST -1
/* Verify only: auto detect salt length */ /* Old max salt length */
#define RSA_PSS_SALTLEN_AUTO -2 #define RSA_PSS_SALTLEN_MAX_SIGN -2
/* Set salt length to maximum possible */ /* Max salt length */
#define RSA_PSS_SALTLEN_MAX -3 #define RSA_PSS_SALTLEN_MAX -3
/* Old compatible max salt length for sign only */
#define RSA_PSS_SALTLEN_MAX_SIGN -2
typedef struct WOLFSSL_RSA_METHOD { typedef struct WOLFSSL_RSA_METHOD {
int flags; int flags;