forked from wolfSSL/wolfssl
Merge pull request #5249 from dgarske/rsa_ifc
Cleanup the RSA consistency check
This commit is contained in:
John Safranek
GitHub
15
src/pk.c
15
src/pk.c
@ -2572,18 +2572,7 @@ int wolfSSL_RSA_set_ex_data_with_cleanup(WOLFSSL_RSA *rsa, int idx, void *data,
|
||||
* RSA check key APIs
|
||||
*/
|
||||
|
||||
/* If not using old FIPS or CAVP selftest or not using fast or user RSA, able
|
||||
* to check RSA key. */
|
||||
#if (defined(HAVE_USER_RSA) || defined(HAVE_FAST_RSA) || \
|
||||
defined(WOLFSSL_RSA_PUBLIC_ONLY) || defined(HAVE_INTEL_QA) || \
|
||||
!defined(WOLFSSL_KEY_GEN) || (defined(HAVE_FIPS) && \
|
||||
FIPS_VERSION_LT(2, 0)) || defined(HAVE_SELFTEST)) && \
|
||||
!defined(WOLFSSL_NO_RSA_KEY_CHECK)
|
||||
#define WOLFSSL_NO_RSA_KEY_CHECK
|
||||
#endif
|
||||
|
||||
|
||||
#ifndef WOLFSSL_NO_RSA_KEY_CHECK
|
||||
#ifdef WOLFSSL_RSA_KEY_CHECK
|
||||
/* Check that the RSA key is valid using wolfCrypt.
|
||||
*
|
||||
* @param [in] rsa RSA key.
|
||||
@ -2612,7 +2601,7 @@ int wolfSSL_RSA_check_key(const WOLFSSL_RSA* rsa)
|
||||
|
||||
return ret;
|
||||
}
|
||||
#endif /* !WOLFSSL_NO_RSA_KEY_CHECK */
|
||||
#endif /* WOLFSSL_RSA_KEY_CHECK */
|
||||
|
||||
/*
|
||||
* RSA generate APIs
|
||||
|
||||
10
tests/api.c
10
tests/api.c
@ -51374,10 +51374,7 @@ static void test_wolfSSL_RSA(void)
|
||||
AssertIntEQ(RSA_set0_key(rsa, NULL, NULL, NULL), 0);
|
||||
AssertIntEQ(RSA_set0_crt_params(rsa, NULL, NULL, NULL), 0);
|
||||
AssertIntEQ(RSA_set0_factors(rsa, NULL, NULL), 0);
|
||||
#if !defined(WOLFSSL_RSA_PUBLIC_ONLY) && !defined(HAVE_FAST_RSA) && \
|
||||
(!defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && \
|
||||
(HAVE_FIPS_VERSION >= 2))) && !defined(HAVE_SELFTEST) && \
|
||||
!defined(HAVE_INTEL_QA) && !defined(WOLFSSL_NO_RSA_KEY_CHECK)
|
||||
#ifdef WOLFSSL_RSA_KEY_CHECK
|
||||
AssertIntEQ(RSA_check_key(rsa), 0);
|
||||
#endif
|
||||
|
||||
@ -51385,10 +51382,7 @@ static void test_wolfSSL_RSA(void)
|
||||
AssertNotNull(rsa = RSA_generate_key(2048, 3, NULL, NULL));
|
||||
AssertIntEQ(RSA_size(rsa), 256);
|
||||
|
||||
#if !defined(WOLFSSL_RSA_PUBLIC_ONLY) && !defined(HAVE_FAST_RSA) && \
|
||||
(!defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && \
|
||||
(HAVE_FIPS_VERSION >= 2))) && !defined(HAVE_SELFTEST) && \
|
||||
!defined(HAVE_INTEL_QA) && !defined(WOLFSSL_NO_RSA_KEY_CHECK)
|
||||
#ifdef WOLFSSL_RSA_KEY_CHECK
|
||||
AssertIntEQ(RSA_check_key(NULL), 0);
|
||||
AssertIntEQ(RSA_check_key(rsa), 1);
|
||||
#endif
|
||||
|
||||
@ -1765,12 +1765,7 @@ static int wc_PKCS7_RsaSign(PKCS7* pkcs7, byte* in, word32 inSz, ESD* esd)
|
||||
/* If not using old FIPS or CAVP selftest, or not using FAST,
|
||||
* or USER RSA, able to check RSA key. */
|
||||
if (ret == 0) {
|
||||
#if !defined(WOLFSSL_RSA_PUBLIC_ONLY) && !defined(HAVE_FAST_RSA) && \
|
||||
!defined(HAVE_USER_RSA) && (!defined(HAVE_FIPS) || \
|
||||
(defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2))) && \
|
||||
!defined(HAVE_SELFTEST) && !defined(HAVE_INTEL_QA)
|
||||
|
||||
#if defined(WOLFSSL_KEY_GEN) && !defined(WOLFSSL_NO_RSA_KEY_CHECK)
|
||||
#ifdef WOLFSSL_RSA_KEY_CHECK
|
||||
/* verify imported private key is a valid key before using it */
|
||||
ret = wc_CheckRsaKey(privKey);
|
||||
if (ret != 0) {
|
||||
@ -1778,7 +1773,6 @@ static int wc_PKCS7_RsaSign(PKCS7* pkcs7, byte* in, word32 inSz, ESD* esd)
|
||||
"pkcs7->privateKey");
|
||||
}
|
||||
#endif
|
||||
#endif
|
||||
}
|
||||
#ifdef WOLF_CRYPTO_CB
|
||||
else if (ret == ASN_PARSE_E && pkcs7->devId != INVALID_DEVID) {
|
||||
|
||||
@ -508,6 +508,7 @@ int wc_InitRsaHw(RsaKey* key)
|
||||
key->type = RSA_PRIVATE;
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int cc310_RSA_GenerateKeyPair(RsaKey* key, int size, long e)
|
||||
{
|
||||
CRYSError_t ret = 0;
|
||||
@ -612,9 +613,7 @@ int wc_FreeRsaKey(RsaKey* key)
|
||||
return ret;
|
||||
}
|
||||
|
||||
#ifndef WOLFSSL_RSA_PUBLIC_ONLY
|
||||
#if defined(WOLFSSL_KEY_GEN) && !defined(WOLFSSL_NO_RSA_KEY_CHECK)
|
||||
|
||||
#ifdef WOLFSSL_RSA_KEY_CHECK
|
||||
/* Check the pair-wise consistency of the RSA key. */
|
||||
static int _ifc_pairwise_consistency_test(RsaKey* key, WC_RNG* rng)
|
||||
{
|
||||
@ -627,6 +626,8 @@ static int _ifc_pairwise_consistency_test(RsaKey* key, WC_RNG* rng)
|
||||
msgLen = (word32)XSTRLEN(msg);
|
||||
sigLen = wc_RsaEncryptSize(key);
|
||||
|
||||
WOLFSSL_MSG("Doing RSA consistency test");
|
||||
|
||||
/* Sign and verify. */
|
||||
sig = (byte*)XMALLOC(sigLen, key->heap, DYNAMIC_TYPE_RSA);
|
||||
if (sig == NULL) {
|
||||
@ -679,9 +680,6 @@ static int _ifc_pairwise_consistency_test(RsaKey* key, WC_RNG* rng)
|
||||
|
||||
int wc_CheckRsaKey(RsaKey* key)
|
||||
{
|
||||
#if defined(WOLFSSL_CRYPTOCELL)
|
||||
return 0;
|
||||
#endif
|
||||
#ifdef WOLFSSL_SMALL_STACK
|
||||
mp_int *tmp = NULL;
|
||||
WC_RNG *rng = NULL;
|
||||
@ -838,8 +836,7 @@ int wc_CheckRsaKey(RsaKey* key)
|
||||
|
||||
return ret;
|
||||
}
|
||||
#endif /* WOLFSSL_KEY_GEN && !WOLFSSL_NO_RSA_KEY_CHECK */
|
||||
#endif /* WOLFSSL_RSA_PUBLIC_ONLY */
|
||||
#endif /* WOLFSSL_RSA_KEY_CHECK */
|
||||
|
||||
|
||||
#if !defined(WC_NO_RSA_OAEP) || defined(WC_RSA_PSS)
|
||||
@ -4534,7 +4531,7 @@ int wc_MakeRsaKey(RsaKey* key, int size, long e, WC_RNG* rng)
|
||||
err = cc310_RSA_GenerateKeyPair(key, size, e);
|
||||
goto out;
|
||||
|
||||
#endif /*WOLFSSL_CRYPTOCELL*/
|
||||
#endif /* WOLFSSL_CRYPTOCELL */
|
||||
|
||||
#ifdef WOLF_CRYPTO_CB
|
||||
if (key->devId != INVALID_DEVID) {
|
||||
@ -4797,7 +4794,7 @@ int wc_MakeRsaKey(RsaKey* key, int size, long e, WC_RNG* rng)
|
||||
mp_forcezero(p);
|
||||
mp_forcezero(q);
|
||||
|
||||
#ifndef WOLFSSL_NO_RSA_KEY_CHECK
|
||||
#ifdef WOLFSSL_RSA_KEY_CHECK
|
||||
/* Perform the pair-wise consistency test on the new key. */
|
||||
if (err == 0)
|
||||
err = _ifc_pairwise_consistency_test(key, rng);
|
||||
|
||||
@ -14661,17 +14661,12 @@ static int rsa_keygen_test(WC_RNG* rng)
|
||||
}
|
||||
TEST_SLEEP();
|
||||
|
||||
/* If not using old FIPS, or not using FAST or USER RSA... */
|
||||
#if !defined(HAVE_FAST_RSA) && !defined(HAVE_USER_RSA) && \
|
||||
(!defined(HAVE_FIPS) || \
|
||||
(defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2))) && \
|
||||
!defined(HAVE_SELFTEST) && !defined(HAVE_INTEL_QA) \
|
||||
&& !defined(WOLFSSL_NO_RSA_KEY_CHECK)
|
||||
#ifdef WOLFSSL_RSA_KEY_CHECK
|
||||
ret = wc_CheckRsaKey(genKey);
|
||||
if (ret != 0) {
|
||||
ERROR_OUT(-7872, exit_rsa);
|
||||
}
|
||||
#endif
|
||||
#endif
|
||||
der = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
|
||||
if (der == NULL) {
|
||||
ERROR_OUT(-7873, exit_rsa);
|
||||
|
||||
@ -2716,6 +2716,22 @@ extern void uITRON4_free(void *p) ;
|
||||
#error "DTLS v1.3 requires both WOLFSSL_TLS13 and WOLFSSL_DTLS"
|
||||
#endif
|
||||
|
||||
/* RSA Key Checking is disabled by default unless WOLFSSL_RSA_KEY_CHECK is
|
||||
* defined or FIPS v2 3389, FIPS v5 or later.
|
||||
* Not allowed for:
|
||||
* RSA public only, CAVP selftest, fast RSA, user RSA, QAT or CryptoCell */
|
||||
#if (defined(WOLFSSL_RSA_KEY_CHECK) || (defined(HAVE_FIPS) && FIPS_VERSION_GE(2,0))) && \
|
||||
!defined(WOLFSSL_NO_RSA_KEY_CHECK) && !defined(WOLFSSL_RSA_PUBLIC_ONLY) && \
|
||||
!defined(HAVE_USER_RSA) && !defined(HAVE_FAST_RSA) && \
|
||||
!defined(HAVE_INTEL_QA) && !defined(WOLFSSL_CRYPTOCELL) && \
|
||||
!defined(HAVE_SELFTEST)
|
||||
|
||||
#undef WOLFSSL_RSA_KEY_CHECK
|
||||
#define WOLFSSL_RSA_KEY_CHECK
|
||||
#endif
|
||||
|
||||
|
||||
|
||||
|
||||
/* ---------------------------------------------------------------------------
|
||||
* Depricated Algorithm Handling
|
||||
|
||||
Reference in New Issue
Block a user