Test Fixes

1. Modify RSA-PSS to be able to sign and verify SHA-384 and SHA-512 hashes with 1024-bit RSA keys.
This commit is contained in:
John Safranek 2018-03-29 17:04:59 -07:00
parent dc31dbaeaf
commit eea4d6da50
3 changed files with 41 additions and 35 deletions

View File

@ -765,7 +765,7 @@ static int RsaPad_PSS(const byte* input, word32 inputLen, byte* pkcsBlock,
} }
else if (saltLen > hLen || saltLen < -1) else if (saltLen > hLen || saltLen < -1)
return PSS_SALTLEN_E; return PSS_SALTLEN_E;
if ((int)pkcsBlockLen - hLen - 1 < saltLen + 2) if ((int)pkcsBlockLen - hLen < saltLen + 2)
return PSS_SALTLEN_E; return PSS_SALTLEN_E;
s = m = pkcsBlock; s = m = pkcsBlock;
@ -1038,7 +1038,7 @@ static int RsaUnPad_PSS(byte *pkcsBlock, unsigned int pkcsBlockLen,
} }
else if (saltLen > hLen || saltLen < -1) else if (saltLen > hLen || saltLen < -1)
return PSS_SALTLEN_E; return PSS_SALTLEN_E;
if ((int)pkcsBlockLen - hLen - 1 < saltLen + 2) if ((int)pkcsBlockLen - hLen < saltLen + 2)
return PSS_SALTLEN_E; return PSS_SALTLEN_E;
if (pkcsBlock[pkcsBlockLen - 1] != RSA_PSS_PAD_TERM) { if (pkcsBlock[pkcsBlockLen - 1] != RSA_PSS_PAD_TERM) {
@ -1074,11 +1074,8 @@ static int RsaUnPad_PSS(byte *pkcsBlock, unsigned int pkcsBlockLen,
XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER); XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER);
i = pkcsBlockLen - (RSA_PSS_PAD_SZ + saltLen + 2 * hLen + 1); *output = pkcsBlock + pkcsBlockLen - (hLen + saltLen + 1);
XMEMSET(pkcsBlock + i, 0, RSA_PSS_PAD_SZ); return saltLen + hLen;
*output = pkcsBlock + i;
return RSA_PSS_PAD_SZ + saltLen + 2 * hLen;
} }
#endif #endif
@ -2170,7 +2167,7 @@ int wc_RsaPSS_Verify_ex(byte* in, word32 inLen, byte* out, word32 outLen,
int wc_RsaPSS_CheckPadding(const byte* in, word32 inSz, byte* sig, int wc_RsaPSS_CheckPadding(const byte* in, word32 inSz, byte* sig,
word32 sigSz, enum wc_HashType hashType) word32 sigSz, enum wc_HashType hashType)
{ {
return wc_RsaPSS_CheckPadding_ex(in, inSz, sig, sigSz, hashType, inSz); return wc_RsaPSS_CheckPadding_ex(in, inSz, sig, sigSz, hashType, inSz, 0);
} }
/* Checks the PSS data to ensure that the signature matches. /* Checks the PSS data to ensure that the signature matches.
@ -2188,33 +2185,46 @@ int wc_RsaPSS_CheckPadding(const byte* in, word32 inSz, byte* sig,
*/ */
int wc_RsaPSS_CheckPadding_ex(const byte* in, word32 inSz, byte* sig, int wc_RsaPSS_CheckPadding_ex(const byte* in, word32 inSz, byte* sig,
word32 sigSz, enum wc_HashType hashType, word32 sigSz, enum wc_HashType hashType,
int saltLen) int saltLen, int bits)
{ {
int ret = 0; int ret = 0;
byte sigCheck[WC_MAX_DIGEST_SIZE*2 + RSA_PSS_PAD_SZ];
(void)bits;
if (in == NULL || sig == NULL || if (in == NULL || sig == NULL ||
inSz != (word32)wc_HashGetDigestSize(hashType)) inSz != (word32)wc_HashGetDigestSize(hashType))
ret = BAD_FUNC_ARG; ret = BAD_FUNC_ARG;
if (ret == 0) { if (ret == 0) {
if (saltLen == -1) if (saltLen == -1) {
saltLen = inSz; saltLen = inSz;
#ifdef WOLFSSL_SHA512
/* See FIPS 186-4 section 5.5 item (e). */
if (bits == 1024 && inSz == WC_SHA512_DIGEST_SIZE)
saltLen = RSA_PSS_SALT_MAX_SZ;
#endif
}
else if (saltLen < -1 || (word32)saltLen > inSz) else if (saltLen < -1 || (word32)saltLen > inSz)
ret = PSS_SALTLEN_E; ret = PSS_SALTLEN_E;
} }
/* Sig = 8 * 0x00 | Space for Message Hash | Salt | Exp Hash */
/* Sig = Salt | Exp Hash */
if (ret == 0) { if (ret == 0) {
if (sigSz != RSA_PSS_PAD_SZ + inSz + (word32)saltLen + inSz) if (sigSz != inSz + saltLen)
ret = BAD_PADDING_E; ret = BAD_PADDING_E;
} }
/* Exp Hash = HASH(8 * 0x00 | Message Hash | Salt) */ /* Exp Hash = HASH(8 * 0x00 | Message Hash | Salt) */
if (ret == 0) { if (ret == 0) {
XMEMCPY(sig + RSA_PSS_PAD_SZ, in, inSz); XMEMSET(sigCheck, 0, RSA_PSS_PAD_SZ);
ret = wc_Hash(hashType, sig, RSA_PSS_PAD_SZ + inSz + saltLen, sig, XMEMCPY(sigCheck + RSA_PSS_PAD_SZ, in, inSz);
inSz); XMEMCPY(sigCheck + RSA_PSS_PAD_SZ + inSz, sig, saltLen);
ret = wc_Hash(hashType, sigCheck, RSA_PSS_PAD_SZ + inSz + saltLen,
sigCheck, inSz);
} }
if (ret == 0) { if (ret == 0) {
if (XMEMCMP(sig, sig + RSA_PSS_PAD_SZ + inSz + saltLen, inSz) != 0) { if (XMEMCMP(sigCheck, sig + saltLen, inSz) != 0) {
WOLFSSL_MSG("RsaPSS_CheckPadding: Padding Error"); WOLFSSL_MSG("RsaPSS_CheckPadding: Padding Error");
ret = BAD_PADDING_E; ret = BAD_PADDING_E;
} }
@ -2242,7 +2252,7 @@ int wc_RsaPSS_VerifyCheckInline(byte* in, word32 inLen, byte** out,
const byte* digest, word32 digestLen, const byte* digest, word32 digestLen,
enum wc_HashType hash, int mgf, RsaKey* key) enum wc_HashType hash, int mgf, RsaKey* key)
{ {
int ret = 0, verify, saltLen, hLen; int ret = 0, verify, saltLen, hLen, bits = 0;
hLen = wc_HashGetDigestSize(hash); hLen = wc_HashGetDigestSize(hash);
if (hLen < 0) if (hLen < 0)
@ -2253,17 +2263,15 @@ int wc_RsaPSS_VerifyCheckInline(byte* in, word32 inLen, byte** out,
saltLen = hLen; saltLen = hLen;
#ifdef WOLFSSL_SHA512 #ifdef WOLFSSL_SHA512
/* See FIPS 186-4 section 5.5 item (e). */ /* See FIPS 186-4 section 5.5 item (e). */
if (mp_unsigned_bin_size(&key->n) == 1024 && bits = mp_count_bits(&key->n);
hLen == WC_SHA512_DIGEST_SIZE) { if (bits == 1024 && hLen == WC_SHA512_DIGEST_SIZE)
saltLen = RSA_PSS_SALT_MAX_SZ; saltLen = RSA_PSS_SALT_MAX_SZ;
}
#endif #endif
verify = wc_RsaPSS_VerifyInline_ex(in, inLen, out, hash, mgf, saltLen, key); verify = wc_RsaPSS_VerifyInline_ex(in, inLen, out, hash, mgf, saltLen, key);
if (verify > 0) if (verify > 0)
ret = wc_RsaPSS_CheckPadding_ex(digest, digestLen, *out, verify, ret = wc_RsaPSS_CheckPadding_ex(digest, digestLen, *out, verify,
hash, saltLen); hash, saltLen, bits);
if (ret == 0) if (ret == 0)
ret = verify; ret = verify;
@ -2290,7 +2298,7 @@ int wc_RsaPSS_VerifyCheck(byte* in, word32 inLen, byte* out, word32 outLen,
enum wc_HashType hash, int mgf, enum wc_HashType hash, int mgf,
RsaKey* key) RsaKey* key)
{ {
int ret = 0, verify, saltLen, hLen; int ret = 0, verify, saltLen, hLen, bits = 0;
hLen = wc_HashGetDigestSize(hash); hLen = wc_HashGetDigestSize(hash);
if (hLen < 0) if (hLen < 0)
@ -2301,18 +2309,16 @@ int wc_RsaPSS_VerifyCheck(byte* in, word32 inLen, byte* out, word32 outLen,
saltLen = hLen; saltLen = hLen;
#ifdef WOLFSSL_SHA512 #ifdef WOLFSSL_SHA512
/* See FIPS 186-4 section 5.5 item (e). */ /* See FIPS 186-4 section 5.5 item (e). */
if (mp_unsigned_bin_size(&key->n) == 1024 && bits = mp_count_bits(&key->n);
hLen == WC_SHA512_DIGEST_SIZE) { if (bits == 1024 && hLen == WC_SHA512_DIGEST_SIZE)
saltLen = RSA_PSS_SALT_MAX_SZ; saltLen = RSA_PSS_SALT_MAX_SZ;
}
#endif #endif
verify = wc_RsaPSS_Verify_ex(in, inLen, out, outLen, hash, verify = wc_RsaPSS_Verify_ex(in, inLen, out, outLen, hash,
mgf, saltLen, key); mgf, saltLen, key);
if (verify > 0) if (verify > 0)
ret = wc_RsaPSS_CheckPadding_ex(digest, digestLen, out, verify, ret = wc_RsaPSS_CheckPadding_ex(digest, digestLen, out, verify,
hash, saltLen); hash, saltLen, bits);
if (ret == 0) if (ret == 0)
ret = verify; ret = verify;

View File

@ -8873,8 +8873,8 @@ static int rsa_pss_test(WC_RNG* rng, RsaKey* key)
ERROR_OUT(-5452, exit_rsa_pss); ERROR_OUT(-5452, exit_rsa_pss);
plainSz = ret; plainSz = ret;
ret = wc_RsaPSS_CheckPadding(digest, digestSz, plain, plainSz, ret = wc_RsaPSS_CheckPadding_ex(digest, digestSz, plain, plainSz,
hash[j]); hash[j], -1, wc_RsaEncryptSize(key)*8);
if (ret != 0) if (ret != 0)
ERROR_OUT(-5453, exit_rsa_pss); ERROR_OUT(-5453, exit_rsa_pss);
@ -8942,7 +8942,7 @@ static int rsa_pss_test(WC_RNG* rng, RsaKey* key)
#endif #endif
if (ret >= 0) { if (ret >= 0) {
ret = wc_RsaPSS_CheckPadding_ex(digest, digestSz, sig, plainSz, ret = wc_RsaPSS_CheckPadding_ex(digest, digestSz, sig, plainSz,
hash[0], 0); hash[0], 0, 0);
} }
} while (ret == WC_PENDING_E); } while (ret == WC_PENDING_E);
if (ret != 0) if (ret != 0)
@ -8965,7 +8965,7 @@ static int rsa_pss_test(WC_RNG* rng, RsaKey* key)
plainSz = ret; plainSz = ret;
ret = wc_RsaPSS_CheckPadding_ex(digest, digestSz, plain, plainSz, hash[0], ret = wc_RsaPSS_CheckPadding_ex(digest, digestSz, plain, plainSz, hash[0],
0); 0, 0);
if (ret != 0) if (ret != 0)
ERROR_OUT(-5464, exit_rsa_pss); ERROR_OUT(-5464, exit_rsa_pss);
@ -9025,11 +9025,11 @@ static int rsa_pss_test(WC_RNG* rng, RsaKey* key)
ERROR_OUT(-5473, exit_rsa_pss); ERROR_OUT(-5473, exit_rsa_pss);
ret = wc_RsaPSS_CheckPadding_ex(digest, digestSz, plain, plainSz, hash[0], ret = wc_RsaPSS_CheckPadding_ex(digest, digestSz, plain, plainSz, hash[0],
-2); -2, 0);
if (ret != PSS_SALTLEN_E) if (ret != PSS_SALTLEN_E)
ERROR_OUT(-5474, exit_rsa_pss); ERROR_OUT(-5474, exit_rsa_pss);
ret = wc_RsaPSS_CheckPadding_ex(digest, digestSz, plain, plainSz, hash[0], ret = wc_RsaPSS_CheckPadding_ex(digest, digestSz, plain, plainSz, hash[0],
digestSz + 1); digestSz + 1, 0);
if (ret != PSS_SALTLEN_E) if (ret != PSS_SALTLEN_E)
ERROR_OUT(-5475, exit_rsa_pss); ERROR_OUT(-5475, exit_rsa_pss);

View File

@ -190,7 +190,7 @@ WOLFSSL_API int wc_RsaPSS_CheckPadding(const byte* in, word32 inLen, byte* sig,
WOLFSSL_API int wc_RsaPSS_CheckPadding_ex(const byte* in, word32 inLen, WOLFSSL_API int wc_RsaPSS_CheckPadding_ex(const byte* in, word32 inLen,
byte* sig, word32 sigSz, byte* sig, word32 sigSz,
enum wc_HashType hashType, enum wc_HashType hashType,
int saltLen); int saltLen, int bits);
WOLFSSL_API int wc_RsaPSS_VerifyCheckInline(byte* in, word32 inLen, byte** out, WOLFSSL_API int wc_RsaPSS_VerifyCheckInline(byte* in, word32 inLen, byte** out,
const byte* digest, word32 digentLen, const byte* digest, word32 digentLen,
enum wc_HashType hash, int mgf, enum wc_HashType hash, int mgf,