The hash algorithms used in the MGF and to create the hash of the Label
do not necessarily have to be the same. This change allows using different
algorithms.
Unfortunately this breaks the API if you use one of:
* `rsa_decrypt_key_ex()`
* `rsa_encrypt_key_ex()`
* `pkcs_1_oaep_decode()`
* `pkcs_1_oaep_encode()`
The `rsa_decrypt_key()` and `rsa_encrypt_key()` macros are still the same.
Signed-off-by: Steffen Jaeckel <s@jaeckel.eu>
```
src/encauth/ccm/ccm_memory.c: In function ‘ccm_memory’:
src/encauth/ccm/ccm_memory.c:164:17: warning: writing 1 byte into a region of size 0 [-Wstringop-overflow=]
164 | PAD[x++] = (unsigned char)((len >> 24) & 255);
| ~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/encauth/ccm/ccm_memory.c:43:19: note: at offset 16 into destination object ‘PAD’ of size 16
43 | unsigned char PAD[16], ctr[16], CTRPAD[16], ptTag[16], b, *pt_real;
| ^~~
```
Multiple reviews and tests determined that this can't happen, but most
likely computers are better at finding out such stuff (or it was a false
positive).
Signed-off-by: Steffen Jaeckel <s@jaeckel.eu>
In order to memory-align the used buffers for keys, IVs etc. we re-order
the struct members of ciphers, modes and encauth.
There's no guarantee that this works, but it improves the chances.
Signed-off-by: Steffen Jaeckel <s@jaeckel.eu>
This is required:
1. when cross-compiling
2. to enable/disable the specific compiler warnings
Tested on `bash`, `dash`, `zsh` and FreeBSD `sh`.
Signed-off-by: Steffen Jaeckel <s@jaeckel.eu>
Aligning a `struct` member via `attribute(align(<n>))` is not guaranteed
to work.
Change the approach to use an opaque buffer and always manually align
the start pointers of the keys.
cf. https://github.com/DCIT/perl-CryptX/issues/95
Signed-off-by: Steffen Jaeckel <s@jaeckel.eu>
* use a separate `libtomcrypt` folder to install the headers to
* use `INCPATH` and `LIBPATH` when installing `libtomcrypt.pc`
* fix `libtomcrypt.pc` generation for `makefile.unix`
This fixes #625
Signed-off-by: Steffen Jaeckel <s@jaeckel.eu>
Fixes a missing mutex unlock on an out of memory error
in ltc_ecc_fp_save_state().
Originates from: 4af447d408
Fixes #571
Comment by sj:
This patch version slightly deviates from the original patch to OP-TEE
since we don't call `XFREE(NULL)` as there exist implementations of
`free()` that don't support it.
Signed-off-by: Ryan Cai <ycaibb@gmail.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Modified-by: Steffen Jaeckel <s@jaeckel.eu>
`aes_desc` and `aes_enc_desc` now do auto-detection of the best suitable
AES implementation for the platform.
Signed-off-by: Steffen Jaeckel <s@jaeckel.eu>
Clang now creates DWARFv5 debug info, which isn't supported in old Valgrind
versions. Instruct Clang to create DWARFv4 debug info, so we can run our
tests in Valgrind.
Signed-off-by: Steffen Jaeckel <s@jaeckel.eu>
If we allow the length to be 0, we should also prepare for the case where
the user doesn't want to provide a valid input-data pointer.
Signed-off-by: Steffen Jaeckel <s@jaeckel.eu>
In case of EME-PKCS1-v1_5 decoding, the encoded message
format is as follows: EM = 0x00 || 0x02 || PS || 0x00 || M.
When using an empty message, the 0x00 octet that separates
the padding string and message is located at the end. Thus,
update the condition to pass the check in case of empty message.
This fixes the following AOSP cts test:
Module: CtsKeystoreTestCases
Test: testEmptyPlaintextEncryptsAndDecrypts
Link: https://android.googlesource.com/platform/cts/+/refs/tags/android-cts-12.0_r6/tests/tests/keystore/src/android/keystore/cts/CipherTest.java
Signed-off-by: Safae Ouajih <souajih@baylibre.com>
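As an added illustration of the decoding rule described in this commit (and of the length-0 / NULL-pointer case from the "If we allow the length to be 0" commit above), here is a stand-alone C decoder for the EME-PKCS1-v1_5 layout that accepts an empty message. It is example code written for this page, not libtomcrypt's own `pkcs_1_v1_5_decode()`; the function names and the sample encoded messages are constructed.

```c
#include <stddef.h>
#include <string.h>

/* Decode an EME-PKCS1-v1_5 encoded message (RFC 8017, 7.2.2):
 *   EM = 0x00 || 0x02 || PS || 0x00 || M
 * PS is at least 8 non-zero octets. On success M is copied to out,
 * *outlen is set and 0 is returned; any format error returns -1.
 * An empty M is valid: the separator 0x00 is then the last octet of EM. */
int eme_pkcs1_v15_decode(const unsigned char *em, size_t emlen,
                         unsigned char *out, size_t outcap, size_t *outlen)
{
    size_t i;
    if (em == NULL || outlen == NULL) return -1;
    /* Minimum length: 0x00, 0x02, eight PS octets, separator = 11 octets. */
    if (emlen < 11) return -1;
    if (em[0] != 0x00 || em[1] != 0x02) return -1;
    /* Scan for the separator. The bound is emlen, not emlen - 1: with an
     * empty message the separator sits at em[emlen - 1] and must be found. */
    for (i = 2; i < emlen && em[i] != 0x00; i++) { }
    if (i == emlen) return -1;      /* no separator present */
    if (i - 2 < 8) return -1;       /* PS shorter than 8 octets */
    *outlen = emlen - i - 1;        /* 0 when the separator is the last octet */
    if (*outlen > outcap) return -1;
    /* A NULL out pointer is acceptable only when there is nothing to copy. */
    if (*outlen > 0) {
        if (out == NULL) return -1;
        memcpy(out, em + i + 1, *outlen);
    }
    return 0;
}

/* Convenience wrapper: decoded message length, or -1 on any error. */
long eme_decoded_len(const unsigned char *em, size_t emlen)
{
    unsigned char buf[64];
    size_t len;
    if (eme_pkcs1_v15_decode(em, emlen, buf, sizeof buf, &len) != 0) return -1;
    return (long)len;
}

/* Constructed sample inputs (not real RSA output): 8-octet PS, then M. */
const unsigned char EM_EMPTY[]   = {0x00,0x02,1,2,3,4,5,6,7,8,0x00};
const unsigned char EM_HI[]      = {0x00,0x02,1,2,3,4,5,6,7,8,0x00,'h','i'};
const unsigned char EM_NOSEP[]   = {0x00,0x02,1,2,3,4,5,6,7,8,9,10,11};
const unsigned char EM_SHORTPS[] = {0x00,0x02,1,2,3,0x00,'h','i','!','!','!'};
```

A decoder that bounds the scan with `emlen - 1` would reject `EM_EMPTY` even though it is well-formed, which is exactly the failure the AOSP test exposed.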