forked from wolfSSL/wolfssl
PKCS#7: fixes for building with AES disabled, smallstack
This commit is contained in:
Chris Conlon
@ -401,6 +401,9 @@ const char* wc_GetErrorString(int error)
|
|||||||
case ASN_PATHLEN_INV_E:
|
case ASN_PATHLEN_INV_E:
|
||||||
return "ASN CA path length larger than signer error";
|
return "ASN CA path length larger than signer error";
|
||||||
|
|
||||||
|
case BAD_KEYWRAP_ALG_E:
|
||||||
|
return "Unsupported key wrap algorithm error";
|
||||||
|
|
||||||
case BAD_KEYWRAP_IV_E:
|
case BAD_KEYWRAP_IV_E:
|
||||||
return "Decrypted AES key wrap IV does not match expected";
|
return "Decrypted AES key wrap IV does not match expected";
|
||||||
|
|
||||||
|
|||||||
@ -1079,6 +1079,7 @@ static int wc_PKCS7_KariKeyWrap(byte* cek, word32 cekSz, byte* kek,
|
|||||||
return BAD_FUNC_ARG;
|
return BAD_FUNC_ARG;
|
||||||
|
|
||||||
switch (keyWrapAlgo) {
|
switch (keyWrapAlgo) {
|
||||||
|
#ifndef NO_AES
|
||||||
case AES128_WRAP:
|
case AES128_WRAP:
|
||||||
case AES192_WRAP:
|
case AES192_WRAP:
|
||||||
case AES256_WRAP:
|
case AES256_WRAP:
|
||||||
@ -1101,12 +1102,17 @@ static int wc_PKCS7_KariKeyWrap(byte* cek, word32 cekSz, byte* kek,
|
|||||||
return ret;
|
return ret;
|
||||||
|
|
||||||
break;
|
break;
|
||||||
|
#endif /* NO_AES */
|
||||||
|
|
||||||
default:
|
default:
|
||||||
WOLFSSL_MSG("Unsupported key wrap algorithm");
|
WOLFSSL_MSG("Unsupported key wrap algorithm");
|
||||||
return BAD_FUNC_ARG;
|
return BAD_KEYWRAP_ALG_E;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
(void)cekSz;
|
||||||
|
(void)kekSz;
|
||||||
|
(void)outSz;
|
||||||
|
(void)direction;
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1515,7 +1521,7 @@ static int wc_CreateKeyAgreeRecipientInfo(PKCS7* pkcs7, const byte* cert,
|
|||||||
int* keyEncSz, byte* out, word32 outSz)
|
int* keyEncSz, byte* out, word32 outSz)
|
||||||
{
|
{
|
||||||
int ret = 0, idx = 0;
|
int ret = 0, idx = 0;
|
||||||
int keySz;
|
int keySz, direction = 0;
|
||||||
|
|
||||||
/* ASN.1 layout */
|
/* ASN.1 layout */
|
||||||
int totalSz = 0;
|
int totalSz = 0;
|
||||||
@ -1561,6 +1567,20 @@ static int wc_CreateKeyAgreeRecipientInfo(PKCS7* pkcs7, const byte* cert,
|
|||||||
if (keyAgreeAlgo != ECDSAk)
|
if (keyAgreeAlgo != ECDSAk)
|
||||||
return BAD_FUNC_ARG;
|
return BAD_FUNC_ARG;
|
||||||
|
|
||||||
|
/* set direction based on keyWrapAlgo */
|
||||||
|
switch (keyWrapAlgo) {
|
||||||
|
#ifndef NO_AES
|
||||||
|
case AES128_WRAP:
|
||||||
|
case AES192_WRAP:
|
||||||
|
case AES256_WRAP:
|
||||||
|
direction = AES_ENCRYPTION;
|
||||||
|
break;
|
||||||
|
#endif
|
||||||
|
default:
|
||||||
|
WOLFSSL_MSG("Unsupported key wrap algorithm");
|
||||||
|
return BAD_KEYWRAP_ALG_E;
|
||||||
|
}
|
||||||
|
|
||||||
kari = wc_PKCS7_KariNew(pkcs7, WC_PKCS7_ENCODE);
|
kari = wc_PKCS7_KariNew(pkcs7, WC_PKCS7_ENCODE);
|
||||||
if (kari == NULL)
|
if (kari == NULL)
|
||||||
return MEMORY_E;
|
return MEMORY_E;
|
||||||
@ -1596,7 +1616,7 @@ static int wc_CreateKeyAgreeRecipientInfo(PKCS7* pkcs7, const byte* cert,
|
|||||||
/* encrypt CEK with KEK */
|
/* encrypt CEK with KEK */
|
||||||
keySz = wc_PKCS7_KariKeyWrap(contentKeyPlain, blockKeySz, kari->kek,
|
keySz = wc_PKCS7_KariKeyWrap(contentKeyPlain, blockKeySz, kari->kek,
|
||||||
kari->kekSz, contentKeyEnc, *keyEncSz, keyWrapAlgo,
|
kari->kekSz, contentKeyEnc, *keyEncSz, keyWrapAlgo,
|
||||||
AES_ENCRYPTION);
|
direction);
|
||||||
if (keySz <= 0) {
|
if (keySz <= 0) {
|
||||||
wc_PKCS7_KariFree(kari);
|
wc_PKCS7_KariFree(kari);
|
||||||
return ret;
|
return ret;
|
||||||
@ -2836,6 +2856,7 @@ static int wc_PKCS7_DecodeKari(PKCS7* pkcs7, byte* pkiMsg, word32 pkiMsgSz,
|
|||||||
{
|
{
|
||||||
int ret, keySz;
|
int ret, keySz;
|
||||||
int encryptedKeySz;
|
int encryptedKeySz;
|
||||||
|
int direction = 0;
|
||||||
word32 keyAgreeOID, keyWrapOID;
|
word32 keyAgreeOID, keyWrapOID;
|
||||||
|
|
||||||
#ifdef WOLFSSL_SMALL_STACK
|
#ifdef WOLFSSL_SMALL_STACK
|
||||||
@ -2908,6 +2929,24 @@ static int wc_PKCS7_DecodeKari(PKCS7* pkcs7, byte* pkiMsg, word32 pkiMsgSz,
|
|||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* set direction based on key wrap algorithm */
|
||||||
|
switch (keyWrapOID) {
|
||||||
|
#ifndef NO_AES
|
||||||
|
case AES128_WRAP:
|
||||||
|
case AES192_WRAP:
|
||||||
|
case AES256_WRAP:
|
||||||
|
direction = AES_DECRYPTION;
|
||||||
|
break;
|
||||||
|
#endif
|
||||||
|
default:
|
||||||
|
wc_PKCS7_KariFree(kari);
|
||||||
|
#ifdef WOLFSSL_SMALL_STACK
|
||||||
|
XFREE(encryptedKey, NULL, DYNAMIC_TYPE_PKCS7);
|
||||||
|
#endif
|
||||||
|
WOLFSSL_MSG("AES key wrap algorithm unsupported");
|
||||||
|
return BAD_KEYWRAP_ALG_E;
|
||||||
|
}
|
||||||
|
|
||||||
/* remove RecipientEncryptedKeys */
|
/* remove RecipientEncryptedKeys */
|
||||||
ret = wc_PKCS7_KariGetRecipientEncryptedKeys(kari, pkiMsg, pkiMsgSz,
|
ret = wc_PKCS7_KariGetRecipientEncryptedKeys(kari, pkiMsg, pkiMsgSz,
|
||||||
idx, recipFound, encryptedKey, &encryptedKeySz);
|
idx, recipFound, encryptedKey, &encryptedKeySz);
|
||||||
@ -2932,7 +2971,7 @@ static int wc_PKCS7_DecodeKari(PKCS7* pkcs7, byte* pkiMsg, word32 pkiMsgSz,
|
|||||||
/* decrypt CEK with KEK */
|
/* decrypt CEK with KEK */
|
||||||
keySz = wc_PKCS7_KariKeyWrap(encryptedKey, encryptedKeySz, kari->kek,
|
keySz = wc_PKCS7_KariKeyWrap(encryptedKey, encryptedKeySz, kari->kek,
|
||||||
kari->kekSz, decryptedKey, *decryptedKeySz,
|
kari->kekSz, decryptedKey, *decryptedKeySz,
|
||||||
keyWrapOID, AES_DECRYPTION);
|
keyWrapOID, direction);
|
||||||
if (keySz <= 0) {
|
if (keySz <= 0) {
|
||||||
wc_PKCS7_KariFree(kari);
|
wc_PKCS7_KariFree(kari);
|
||||||
#ifdef WOLFSSL_SMALL_STACK
|
#ifdef WOLFSSL_SMALL_STACK
|
||||||
@ -3147,13 +3186,17 @@ WOLFSSL_API int wc_PKCS7_DecodeEnvelopedData(PKCS7* pkcs7, byte* pkiMsg,
|
|||||||
|
|
||||||
blockKeySz = wc_PKCS7_GetOIDKeySize(encOID);
|
blockKeySz = wc_PKCS7_GetOIDKeySize(encOID);
|
||||||
if (blockKeySz < 0) {
|
if (blockKeySz < 0) {
|
||||||
|
#ifdef WOLFSSL_SMALL_STACK
|
||||||
XFREE(decryptedKey, NULL, DYNAMIC_TYPE_PKCS7);
|
XFREE(decryptedKey, NULL, DYNAMIC_TYPE_PKCS7);
|
||||||
|
#endif
|
||||||
return blockKeySz;
|
return blockKeySz;
|
||||||
}
|
}
|
||||||
|
|
||||||
expBlockSz = wc_PKCS7_GetOIDBlockSize(encOID);
|
expBlockSz = wc_PKCS7_GetOIDBlockSize(encOID);
|
||||||
if (expBlockSz < 0) {
|
if (expBlockSz < 0) {
|
||||||
|
#ifdef WOLFSSL_SMALL_STACK
|
||||||
XFREE(decryptedKey, NULL, DYNAMIC_TYPE_PKCS7);
|
XFREE(decryptedKey, NULL, DYNAMIC_TYPE_PKCS7);
|
||||||
|
#endif
|
||||||
return expBlockSz;
|
return expBlockSz;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@ -9099,9 +9099,11 @@ static int pkcs7enveloped_run_vectors(byte* rsaCert, word32 rsaCertSz,
|
|||||||
0x72,0x6c,0x64
|
0x72,0x6c,0x64
|
||||||
};
|
};
|
||||||
|
|
||||||
|
#ifndef NO_AES
|
||||||
byte optionalUkm[] = {
|
byte optionalUkm[] = {
|
||||||
0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07
|
0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07
|
||||||
};
|
};
|
||||||
|
#endif /* NO_AES */
|
||||||
|
|
||||||
const pkcs7EnvelopedVector testVectors[] =
|
const pkcs7EnvelopedVector testVectors[] =
|
||||||
{
|
{
|
||||||
@ -9178,8 +9180,10 @@ static int pkcs7enveloped_run_vectors(byte* rsaCert, word32 rsaCertSz,
|
|||||||
/* encode envelopedData */
|
/* encode envelopedData */
|
||||||
envelopedSz = wc_PKCS7_EncodeEnvelopedData(&pkcs7, enveloped,
|
envelopedSz = wc_PKCS7_EncodeEnvelopedData(&pkcs7, enveloped,
|
||||||
sizeof(enveloped));
|
sizeof(enveloped));
|
||||||
if (envelopedSz <= 0)
|
if (envelopedSz <= 0) {
|
||||||
|
printf("DEBUG: i = %d, envelopedSz = %d\n", i, envelopedSz);
|
||||||
return -210;
|
return -210;
|
||||||
|
}
|
||||||
|
|
||||||
/* decode envelopedData */
|
/* decode envelopedData */
|
||||||
decodedSz = wc_PKCS7_DecodeEnvelopedData(&pkcs7, enveloped, envelopedSz,
|
decodedSz = wc_PKCS7_DecodeEnvelopedData(&pkcs7, enveloped, envelopedSz,
|
||||||
@ -9204,6 +9208,10 @@ static int pkcs7enveloped_run_vectors(byte* rsaCert, word32 rsaCertSz,
|
|||||||
wc_PKCS7_Free(&pkcs7);
|
wc_PKCS7_Free(&pkcs7);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
(void)eccCert;
|
||||||
|
(void)eccCertSz;
|
||||||
|
(void)eccPrivKey;
|
||||||
|
(void)eccPrivKeySz;
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -9362,6 +9370,7 @@ int pkcs7encrypted_test(void)
|
|||||||
0x72,0x6c,0x64
|
0x72,0x6c,0x64
|
||||||
};
|
};
|
||||||
|
|
||||||
|
#ifndef NO_DES3
|
||||||
byte desKey[] = {
|
byte desKey[] = {
|
||||||
0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef
|
0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef
|
||||||
};
|
};
|
||||||
@ -9370,6 +9379,9 @@ int pkcs7encrypted_test(void)
|
|||||||
0xfe,0xde,0xba,0x98,0x76,0x54,0x32,0x10,
|
0xfe,0xde,0xba,0x98,0x76,0x54,0x32,0x10,
|
||||||
0x89,0xab,0xcd,0xef,0x01,0x23,0x45,0x67
|
0x89,0xab,0xcd,0xef,0x01,0x23,0x45,0x67
|
||||||
};
|
};
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#ifndef NO_AES
|
||||||
byte aes128Key[] = {
|
byte aes128Key[] = {
|
||||||
0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,
|
0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,
|
||||||
0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08
|
0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08
|
||||||
@ -9417,6 +9429,7 @@ int pkcs7encrypted_test(void)
|
|||||||
{ genAttrOid, sizeof(genAttrOid), genAttr, sizeof(genAttr) },
|
{ genAttrOid, sizeof(genAttrOid), genAttr, sizeof(genAttr) },
|
||||||
{ genAttrOid2, sizeof(genAttrOid2), genAttr2, sizeof(genAttr2) }
|
{ genAttrOid2, sizeof(genAttrOid2), genAttr2, sizeof(genAttr2) }
|
||||||
};
|
};
|
||||||
|
#endif /* NO_AES */
|
||||||
|
|
||||||
const pkcs7EncryptedVector testVectors[] =
|
const pkcs7EncryptedVector testVectors[] =
|
||||||
{
|
{
|
||||||
|
|||||||
@ -178,7 +178,8 @@ enum {
|
|||||||
ASN_PATHLEN_SIZE_E = -237, /* ASN CA path length too large error */
|
ASN_PATHLEN_SIZE_E = -237, /* ASN CA path length too large error */
|
||||||
ASN_PATHLEN_INV_E = -238, /* ASN CA path length inversion error */
|
ASN_PATHLEN_INV_E = -238, /* ASN CA path length inversion error */
|
||||||
|
|
||||||
BAD_KEYWRAP_IV_E = -239, /* Decrypted AES key wrap IV incorrect */
|
BAD_KEYWRAP_ALG_E = -239,
|
||||||
|
BAD_KEYWRAP_IV_E = -240, /* Decrypted AES key wrap IV incorrect */
|
||||||
|
|
||||||
MIN_CODE_E = -300 /* errors -101 - -299 */
|
MIN_CODE_E = -300 /* errors -101 - -299 */
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user