wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-08-01 03:34:39 +02:00
Code Issues Packages Projects Releases Wiki Activity

add TLS signature fault checks indpendent of build options, plugins, callbacks, etc

Browse Source
This commit is contained in:
toddouska
2015-09-09 09:59:10 -07:00
parent 7e2906de52
commit 5bbcda3c79
3 changed files with 78 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

76
src/internal.c
View File

@@ -1557,6 +1557,54 @@ void FreeX509(WOLFSSL_X509* x509)
XFREE(x509, NULL, DYNAMIC_TYPE_X509);
}
#ifndef NO_RSA
/* Verify RSA signature, 0 on success */
int VerifyRsaSign(const byte* sig, word32 sigSz,
const byte* plain, word32 plainSz, RsaKey* key)
{
#ifdef WOLFSSL_SMALL_STACK
byte* verifySig = NULL;
#else
byte verifySig[ENCRYPT_LEN];
#endif
byte* out = NULL; /* inline result */
int ret;
WOLFSSL_ENTER("VerifyRsaSign");
if (sigSz > ENCRYPT_LEN) {
WOLFSSL_MSG("Signature buffer too big");
return BUFFER_E;
}
#ifdef WOLFSSL_SMALL_STACK
verifySig = (byte*)XMALLOC(ENCRYPT_LEN, NULL,
DYNAMIC_TYPE_SIGNATURE);
if (verifySig == NULL)
return MEMORY_ERROR;
#endif
XMEMCPY(verifySig, sig, sigSz);
ret = wc_RsaSSL_VerifyInline(verifySig, sigSz, &out, key);
if (ret != (int)plainSz || !out || XMEMCMP(plain, out, plainSz) != 0) {
WOLFSSL_MSG("RSA Signature verification failed");
ret = RSA_SIGN_FAULT;
} else {
ret = 0; /* RSA reset */
}
#ifdef WOLFSSL_SMALL_STACK
XFREE(verifySig, NULL, DYNAMIC_TYPE_SIGNATURE);
#endif
return ret;
}
#endif /* NO_RSA */
#endif /* NO_CERTS */
@@ -8443,6 +8491,9 @@ const char* wolfSSL_ERR_reason_error_string(unsigned long e)
case SNI_ABSENT_ERROR:
return "No Server Name Indication extension Error";
case RSA_SIGN_FAULT:
return "RSA Signature Fault Error";
default :
return "unknown error number";
}
@@ -11832,6 +11883,8 @@ static word32 QSH_KeyExchangeWrite(WOLFSSL* ssl, byte isServer)
}
#ifndef NO_CERTS
int SendCertificateVerify(WOLFSSL* ssl)
{
byte *output;
@@ -12104,8 +12157,11 @@ static word32 QSH_KeyExchangeWrite(WOLFSSL* ssl, byte isServer)
VERIFY_HEADER, ENCRYPT_LEN, &key, ssl->rng);
}
if (ret > 0)
ret = 0; /* RSA reset */
if (ret > 0) {
/* check for signature faults */
ret = VerifyRsaSign(verify + extraSz + VERIFY_HEADER, ret,
signBuffer, signSz, &key);
}
}
#endif
#ifdef WOLFSSL_SMALL_STACK
@@ -13147,10 +13203,16 @@ int DoSessionTicket(WOLFSSL* ssl,
ssl->RsaSignCtx);
#endif /*HAVE_PK_CALLBACKS */
}
else
else {
ret = wc_RsaSSL_Sign(signBuffer, signSz, output + idx,
sigSz, &rsaKey, ssl->rng);
}
if (ret > 0) {
/* check for signature faults */
ret = VerifyRsaSign(output + idx, ret,
signBuffer, signSz, &rsaKey);
}
wc_FreeRsaKey(&rsaKey);
wc_ecc_free(&dsaKey);
@@ -13764,6 +13826,12 @@ int DoSessionTicket(WOLFSSL* ssl,
sigSz, &rsaKey, ssl->rng);
}
if (ret > 0) {
/* check for signature faults */
ret = VerifyRsaSign(output + idx, ret,
signBuffer, signSz, &rsaKey);
}
wc_FreeRsaKey(&rsaKey);
#ifdef WOLFSSL_SMALL_STACK
@@ -15527,4 +15595,4 @@ int DoSessionTicket(WOLFSSL* ssl,
return 0;
}
#endif /* HAVE_STUNNEL */
#endif /* NO_WOLFSSL_SERVER */
#endif /* NO_WOLFSSL_SERVER */

1
wolfssl/error-ssl.h
View File

@@ -135,6 +135,7 @@ enum wolfSSL_ErrorCodes {
DH_KEY_SIZE_E = -401, /* DH Key too small */
SNI_ABSENT_ERROR = -402, /* No SNI request. */
RSA_SIGN_FAULT = -403, /* RSA Sign fault */
/* add strings to SetErrorString !!!!! */

5
wolfssl/internal.h
View File

@@ -2572,6 +2572,11 @@ WOLFSSL_LOCAL void ShrinkOutputBuffer(WOLFSSL* ssl);
WOLFSSL_LOCAL int VerifyClientSuite(WOLFSSL* ssl);
#ifndef NO_CERTS
#ifndef NO_RSA
WOLFSSL_LOCAL int VerifyRsaSign(const byte* sig, word32 sigSz,
const byte* plain, word32 plainSz,
RsaKey* key);
#endif
WOLFSSL_LOCAL Signer* GetCA(void* cm, byte* hash);
#ifndef NO_SKID
WOLFSSL_LOCAL Signer* GetCAByName(void* cm, byte* hash);