AuroraMiddleware/mbedtls
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Change RSA to use new MD API and check return code

Browse Source
This commit is contained in:
Andres Amaya Garcia 2017-06-28 11:46:46 +01:00
parent 8d8204fc6f
commit 698089e07e
1 changed files with 91 additions and 58 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

149
library/rsa.c
View File

@ -566,7 +566,7 @@ cleanup:
* \param slen length of the source buffer
* \param md_ctx message digest context to use
*/
static void mgf_mask( unsigned char *dst, size_t dlen, unsigned char *src,
static int mgf_mask( unsigned char *dst, size_t dlen, unsigned char *src,
size_t slen, mbedtls_md_context_t *md_ctx )
{
unsigned char mask[MBEDTLS_MD_MAX_SIZE];
@ -574,6 +574,7 @@ static void mgf_mask( unsigned char *dst, size_t dlen, unsigned char *src,
unsigned char *p;
unsigned int hlen;
size_t i, use_len;
int ret;
memset( mask, 0, MBEDTLS_MD_MAX_SIZE );
memset( counter, 0, 4 );
@ -589,10 +590,14 @@ static void mgf_mask( unsigned char *dst, size_t dlen, unsigned char *src,
if( dlen < hlen )
use_len = dlen;
mbedtls_md_starts( md_ctx );
mbedtls_md_update( md_ctx, src, slen );
mbedtls_md_update( md_ctx, counter, 4 );
mbedtls_md_finish( md_ctx, mask );
if( ( ret = mbedtls_md_starts( md_ctx ) ) != 0 )
goto exit;
if( ( ret = mbedtls_md_update( md_ctx, src, slen ) ) != 0 )
goto exit;
if( ( ret = mbedtls_md_update( md_ctx, counter, 4 ) ) != 0 )
goto exit;
if( ( ret = mbedtls_md_finish( md_ctx, mask ) ) != 0 )
goto exit;
for( i = 0; i < use_len; ++i )
*p++ ^= mask[i];
@ -602,7 +607,10 @@ static void mgf_mask( unsigned char *dst, size_t dlen, unsigned char *src,
dlen -= use_len;
}
exit:
mbedtls_zeroize( mask, sizeof( mask ) );
return( ret );
}
#endif /* MBEDTLS_PKCS1_V21 */
@ -654,7 +662,8 @@ int mbedtls_rsa_rsaes_oaep_encrypt( mbedtls_rsa_context *ctx,
p += hlen;
/* Construct DB */
mbedtls_md( md_info, label, label_len, p );
if( ( ret = mbedtls_md( md_info, label, label_len, p ) ) != 0 )
return( ret );
p += hlen;
p += olen - 2 * hlen - 2 - ilen;
*p++ = 1;
@ -662,21 +671,24 @@ int mbedtls_rsa_rsaes_oaep_encrypt( mbedtls_rsa_context *ctx,
mbedtls_md_init( &md_ctx );
if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
{
mbedtls_md_free( &md_ctx );
return( ret );
}
goto exit;
/* maskedDB: Apply dbMask to DB */
mgf_mask( output + hlen + 1, olen - hlen - 1, output + 1, hlen,
&md_ctx );
if( ( ret = mgf_mask( output + hlen + 1, olen - hlen - 1, output + 1, hlen,
&md_ctx ) ) != 0 )
goto exit;
/* maskedSeed: Apply seedMask to seed */
mgf_mask( output + 1, hlen, output + hlen + 1, olen - hlen - 1,
&md_ctx );
if( ( ret = mgf_mask( output + 1, hlen, output + hlen + 1, olen - hlen - 1,
&md_ctx ) ) != 0 )
goto exit;
exit:
mbedtls_md_free( &md_ctx );
if( ret != 0 )
return( ret );
return( ( mode == MBEDTLS_RSA_PUBLIC )
? mbedtls_rsa_public( ctx, output, output )
: mbedtls_rsa_private( ctx, f_rng, p_rng, output, output ) );
@ -843,20 +855,23 @@ int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx,
goto cleanup;
}
/* Generate lHash */
mbedtls_md( md_info, label, label_len, lhash );
/* seed: Apply seedMask to maskedSeed */
mgf_mask( buf + 1, hlen, buf + hlen + 1, ilen - hlen - 1,
&md_ctx );
if( ( ret = mgf_mask( buf + 1, hlen, buf + hlen + 1, ilen - hlen - 1,
&md_ctx ) ) != 0 ||
/* DB: Apply dbMask to maskedDB */
mgf_mask( buf + hlen + 1, ilen - hlen - 1, buf + 1, hlen,
&md_ctx );
( ret = mgf_mask( buf + hlen + 1, ilen - hlen - 1, buf + 1, hlen,
&md_ctx ) ) != 0 )
{
mbedtls_md_free( &md_ctx );
goto cleanup;
}
mbedtls_md_free( &md_ctx );
/* Generate lHash */
if( ( ret = mbedtls_md( md_info, label, label_len, lhash ) ) != 0 )
goto cleanup;
/*
* Check contents, in "constant-time"
*/
@ -1107,28 +1122,28 @@ int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx,
mbedtls_md_init( &md_ctx );
if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
{
mbedtls_md_free( &md_ctx );
/* No need to zeroize salt: we didn't use it. */
return( ret );
}
goto exit;
/* Generate H = Hash( M' ) */
mbedtls_md_starts( &md_ctx );
mbedtls_md_update( &md_ctx, p, 8 );
mbedtls_md_update( &md_ctx, hash, hashlen );
mbedtls_md_update( &md_ctx, salt, slen );
mbedtls_md_finish( &md_ctx, p );
mbedtls_zeroize( salt, sizeof( salt ) );
if( ( ret = mbedtls_md_starts( &md_ctx ) ) != 0 )
goto exit;
if( ( ret = mbedtls_md_update( &md_ctx, p, 8 ) ) != 0 )
goto exit;
if( ( ret = mbedtls_md_update( &md_ctx, hash, hashlen ) ) != 0 )
goto exit;
if( ( ret = mbedtls_md_update( &md_ctx, salt, slen ) ) != 0 )
goto exit;
if( ( ret = mbedtls_md_finish( &md_ctx, p ) ) != 0 )
goto exit;
/* Compensate for boundary condition when applying mask */
if( msb % 8 == 0 )
offset = 1;
/* maskedDB: Apply dbMask to DB */
mgf_mask( sig + offset, olen - hlen - 1 - offset, p, hlen, &md_ctx );
mbedtls_md_free( &md_ctx );
if( ( ret = mgf_mask( sig + offset, olen - hlen - 1 - offset, p, hlen,
&md_ctx ) ) != 0 )
goto exit;
msb = mbedtls_mpi_bitlen( &ctx->N ) - 1;
sig[0] &= 0xFF >> ( olen * 8 - msb );
@ -1136,6 +1151,14 @@ int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx,
p += hlen;
*p++ = 0xBC;
mbedtls_zeroize( salt, sizeof( salt ) );
exit:
mbedtls_md_free( &md_ctx );
if( ret != 0 )
return( ret );
return( ( mode == MBEDTLS_RSA_PUBLIC )
? mbedtls_rsa_public( ctx, sig, sig )
: mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig ) );
@ -1382,23 +1405,21 @@ int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx,
mbedtls_md_init( &md_ctx );
if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
{
mbedtls_md_free( &md_ctx );
return( ret );
}
goto exit;
mgf_mask( p, siglen - hlen - 1, p + siglen - hlen - 1, hlen, &md_ctx );
if( ( ret = mgf_mask( p, siglen - hlen - 1, p + siglen - hlen - 1, hlen,
&md_ctx ) ) != 0 )
goto exit;
buf[0] &= 0xFF >> ( siglen * 8 - msb );
while( p < buf + siglen && *p == 0 )
p++;
if( p == buf + siglen ||
*p++ != 0x01 )
if( p == buf + siglen || *p++ != 0x01 )
{
mbedtls_md_free( &md_ctx );
return( MBEDTLS_ERR_RSA_INVALID_PADDING );
ret = MBEDTLS_ERR_RSA_INVALID_PADDING;
goto exit;
}
/* Actual salt len */
@ -1407,25 +1428,31 @@ int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx,
if( expected_salt_len != MBEDTLS_RSA_SALT_LEN_ANY &&
slen != (size_t) expected_salt_len )
{
mbedtls_md_free( &md_ctx );
return( MBEDTLS_ERR_RSA_INVALID_PADDING );
ret = MBEDTLS_ERR_RSA_INVALID_PADDING;
goto exit;
}
/*
* Generate H = Hash( M' )
*/
mbedtls_md_starts( &md_ctx );
mbedtls_md_update( &md_ctx, zeros, 8 );
mbedtls_md_update( &md_ctx, hash, hashlen );
mbedtls_md_update( &md_ctx, p, slen );
mbedtls_md_finish( &md_ctx, result );
if( ( ret = mbedtls_md_starts( &md_ctx ) ) != 0 )
goto exit;
if( ( ret = mbedtls_md_update( &md_ctx, zeros, 8 ) ) != 0 )
goto exit;
if( ( ret = mbedtls_md_update( &md_ctx, hash, hashlen ) ) != 0 )
goto exit;
if( ( ret = mbedtls_md_update( &md_ctx, p, slen ) ) != 0 )
goto exit;
if( ( ret = mbedtls_md_finish( &md_ctx, result ) ) != 0 )
goto exit;
if( ( ret = memcmp( p + slen, result, hlen ) ) != 0 )
ret = MBEDTLS_ERR_RSA_VERIFY_FAILED;
exit:
mbedtls_md_free( &md_ctx );
if( memcmp( p + slen, result, hlen ) == 0 )
return( 0 );
else
return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
return( ret );
}
/*
@ -1829,7 +1856,13 @@ int mbedtls_rsa_self_test( int verbose )
if( verbose != 0 )
mbedtls_printf( " PKCS#1 data sign : " );
mbedtls_sha1( rsa_plaintext, PT_LEN, sha1sum );
if( mbedtls_sha1_ext( rsa_plaintext, PT_LEN, sha1sum ) != 0 )
{
if( verbose != 0 )
mbedtls_printf( "failed\n" );
return( 1 );
}
if( mbedtls_rsa_pkcs1_sign( &rsa, myrand, NULL, MBEDTLS_RSA_PRIVATE, MBEDTLS_MD_SHA1, 0,
sha1sum, rsa_ciphertext ) != 0 )