mirrors/v
1
0
Fork 0
mirror of https://github.com/vlang/v.git synced 2025-09-14 15:02:33 +03:00
Code Issues Projects Releases Packages Wiki Activity Actions 12

thirdparty,net.mbedtls: update mbedtls to latest compatible version v3.3.0 (#21118)

Browse source
This commit is contained in:
Turiiya 2024-03-28 07:46:21 +01:00 committed by GitHub
parent cb402a3340
commit 64a336932c
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
156 changed files with 16293 additions and 4396 deletions
Download patch file Download diff file Expand all files Collapse all files

464
thirdparty/mbedtls/library/rsa.c vendored
View file

@ -46,6 +46,7 @@
#include "mbedtls/error.h"
#include "constant_time_internal.h"
#include "mbedtls/constant_time.h"
#include "hash_info.h"
#include <string.h>
@ -53,30 +54,25 @@
#include <stdlib.h>
#endif
#if defined(MBEDTLS_PLATFORM_C)
/* We use MD first if it's available (for compatibility reasons)
* and "fall back" to PSA otherwise (which needs psa_crypto_init()). */
#if defined(MBEDTLS_PKCS1_V21)
#if !defined(MBEDTLS_MD_C)
#include "psa/crypto.h"
#include "mbedtls/psa_util.h"
#endif /* MBEDTLS_MD_C */
#endif /* MBEDTLS_PKCS1_V21 */
#include "mbedtls/platform.h"
#else
#include <stdio.h>
#define mbedtls_printf printf
#define mbedtls_calloc calloc
#define mbedtls_free free
#endif
#if !defined(MBEDTLS_RSA_ALT)
/* Parameter validation macros */
#define RSA_VALIDATE_RET( cond ) \
MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_RSA_BAD_INPUT_DATA )
#define RSA_VALIDATE( cond ) \
MBEDTLS_INTERNAL_VALIDATE( cond )
int mbedtls_rsa_import( mbedtls_rsa_context *ctx,
const mbedtls_mpi *N,
const mbedtls_mpi *P, const mbedtls_mpi *Q,
const mbedtls_mpi *D, const mbedtls_mpi *E )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
RSA_VALIDATE_RET( ctx != NULL );
if( ( N != NULL && ( ret = mbedtls_mpi_copy( &ctx->N, N ) ) != 0 ) ||
( P != NULL && ( ret = mbedtls_mpi_copy( &ctx->P, P ) ) != 0 ) ||
@ -101,7 +97,6 @@ int mbedtls_rsa_import_raw( mbedtls_rsa_context *ctx,
unsigned char const *E, size_t E_len )
{
int ret = 0;
RSA_VALIDATE_RET( ctx != NULL );
if( N != NULL )
{
@ -231,8 +226,6 @@ int mbedtls_rsa_complete( mbedtls_rsa_context *ctx )
#endif
int n_missing, pq_missing, d_missing, is_pub, is_priv;
RSA_VALIDATE_RET( ctx != NULL );
have_N = ( mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 );
have_P = ( mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 );
have_Q = ( mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 );
@ -335,7 +328,6 @@ int mbedtls_rsa_export_raw( const mbedtls_rsa_context *ctx,
{
int ret = 0;
int is_priv;
RSA_VALIDATE_RET( ctx != NULL );
/* Check if key is private or public */
is_priv =
@ -380,7 +372,6 @@ int mbedtls_rsa_export( const mbedtls_rsa_context *ctx,
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
int is_priv;
RSA_VALIDATE_RET( ctx != NULL );
/* Check if key is private or public */
is_priv =
@ -424,7 +415,6 @@ int mbedtls_rsa_export_crt( const mbedtls_rsa_context *ctx,
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
int is_priv;
RSA_VALIDATE_RET( ctx != NULL );
/* Check if key is private or public */
is_priv =
@ -461,8 +451,6 @@ int mbedtls_rsa_export_crt( const mbedtls_rsa_context *ctx,
*/
void mbedtls_rsa_init( mbedtls_rsa_context *ctx )
{
RSA_VALIDATE( ctx != NULL );
memset( ctx, 0, sizeof( mbedtls_rsa_context ) );
ctx->padding = MBEDTLS_RSA_PKCS_V15;
@ -497,15 +485,15 @@ int mbedtls_rsa_set_padding( mbedtls_rsa_context *ctx, int padding,
return( MBEDTLS_ERR_RSA_INVALID_PADDING );
}
#if defined(MBEDTLS_PKCS1_V21)
if( ( padding == MBEDTLS_RSA_PKCS_V21 ) &&
( hash_id != MBEDTLS_MD_NONE ) )
{
const mbedtls_md_info_t *md_info;
md_info = mbedtls_md_info_from_type( hash_id );
if( md_info == NULL )
/* Just make sure this hash is supported in this build. */
if( mbedtls_hash_info_psa_from_md( hash_id ) == PSA_ALG_NONE )
return( MBEDTLS_ERR_RSA_INVALID_PADDING );
}
#endif /* MBEDTLS_PKCS1_V21 */
ctx->padding = padding;
ctx->hash_id = hash_id;
@ -539,8 +527,6 @@ int mbedtls_rsa_gen_key( mbedtls_rsa_context *ctx,
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
mbedtls_mpi H, G, L;
int prime_quality = 0;
RSA_VALIDATE_RET( ctx != NULL );
RSA_VALIDATE_RET( f_rng != NULL );
/*
* If the modulus is 1024 bit long or shorter, then the security strength of
@ -653,8 +639,6 @@ cleanup:
*/
int mbedtls_rsa_check_pubkey( const mbedtls_rsa_context *ctx )
{
RSA_VALIDATE_RET( ctx != NULL );
if( rsa_check_context( ctx, 0 /* public */, 0 /* no blinding */ ) != 0 )
return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
@ -678,8 +662,6 @@ int mbedtls_rsa_check_pubkey( const mbedtls_rsa_context *ctx )
*/
int mbedtls_rsa_check_privkey( const mbedtls_rsa_context *ctx )
{
RSA_VALIDATE_RET( ctx != NULL );
if( mbedtls_rsa_check_pubkey( ctx ) != 0 ||
rsa_check_context( ctx, 1 /* private */, 1 /* blinding */ ) != 0 )
{
@ -709,9 +691,6 @@ int mbedtls_rsa_check_privkey( const mbedtls_rsa_context *ctx )
int mbedtls_rsa_check_pub_priv( const mbedtls_rsa_context *pub,
const mbedtls_rsa_context *prv )
{
RSA_VALIDATE_RET( pub != NULL );
RSA_VALIDATE_RET( prv != NULL );
if( mbedtls_rsa_check_pubkey( pub ) != 0 ||
mbedtls_rsa_check_privkey( prv ) != 0 )
{
@ -737,9 +716,6 @@ int mbedtls_rsa_public( mbedtls_rsa_context *ctx,
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t olen;
mbedtls_mpi T;
RSA_VALIDATE_RET( ctx != NULL );
RSA_VALIDATE_RET( input != NULL );
RSA_VALIDATE_RET( output != NULL );
if( rsa_check_context( ctx, 0 /* public */, 0 /* no blinding */ ) )
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
@ -907,10 +883,6 @@ int mbedtls_rsa_private( mbedtls_rsa_context *ctx,
* checked result; should be the same in the end. */
mbedtls_mpi I, C;
RSA_VALIDATE_RET( ctx != NULL );
RSA_VALIDATE_RET( input != NULL );
RSA_VALIDATE_RET( output != NULL );
if( f_rng == NULL )
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
@ -1092,23 +1064,43 @@ cleanup:
* \param dlen length of destination buffer
* \param src source of the mask generation
* \param slen length of the source buffer
* \param md_ctx message digest context to use
* \param md_alg message digest to use
*/
static int mgf_mask( unsigned char *dst, size_t dlen, unsigned char *src,
size_t slen, mbedtls_md_context_t *md_ctx )
size_t slen, mbedtls_md_type_t md_alg )
{
unsigned char mask[MBEDTLS_MD_MAX_SIZE];
unsigned char counter[4];
unsigned char *p;
unsigned int hlen;
size_t i, use_len;
unsigned char mask[MBEDTLS_HASH_MAX_SIZE];
#if defined(MBEDTLS_MD_C)
int ret = 0;
const mbedtls_md_info_t *md_info;
mbedtls_md_context_t md_ctx;
memset( mask, 0, MBEDTLS_MD_MAX_SIZE );
mbedtls_md_init( &md_ctx );
md_info = mbedtls_md_info_from_type( md_alg );
if( md_info == NULL )
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
mbedtls_md_init( &md_ctx );
if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
goto exit;
hlen = mbedtls_md_get_size( md_info );
#else
psa_hash_operation_t op = PSA_HASH_OPERATION_INIT;
psa_algorithm_t alg = mbedtls_psa_translate_md( md_alg );
psa_status_t status = PSA_SUCCESS;
size_t out_len;
hlen = PSA_HASH_LENGTH( alg );
#endif
memset( mask, 0, sizeof( mask ) );
memset( counter, 0, 4 );
hlen = mbedtls_md_get_size( md_ctx->md_info );
/* Generate and apply dbMask */
p = dst;
@ -1118,14 +1110,26 @@ static int mgf_mask( unsigned char *dst, size_t dlen, unsigned char *src,
if( dlen < hlen )
use_len = dlen;
if( ( ret = mbedtls_md_starts( md_ctx ) ) != 0 )
#if defined(MBEDTLS_MD_C)
if( ( ret = mbedtls_md_starts( &md_ctx ) ) != 0 )
goto exit;
if( ( ret = mbedtls_md_update( md_ctx, src, slen ) ) != 0 )
if( ( ret = mbedtls_md_update( &md_ctx, src, slen ) ) != 0 )
goto exit;
if( ( ret = mbedtls_md_update( md_ctx, counter, 4 ) ) != 0 )
if( ( ret = mbedtls_md_update( &md_ctx, counter, 4 ) ) != 0 )
goto exit;
if( ( ret = mbedtls_md_finish( md_ctx, mask ) ) != 0 )
if( ( ret = mbedtls_md_finish( &md_ctx, mask ) ) != 0 )
goto exit;
#else
if( ( status = psa_hash_setup( &op, alg ) ) != PSA_SUCCESS )
goto exit;
if( ( status = psa_hash_update( &op, src, slen ) ) != PSA_SUCCESS )
goto exit;
if( ( status = psa_hash_update( &op, counter, 4 ) ) != PSA_SUCCESS )
goto exit;
status = psa_hash_finish( &op, mask, sizeof( mask ), &out_len );
if( status != PSA_SUCCESS )
goto exit;
#endif
for( i = 0; i < use_len; ++i )
*p++ ^= mask[i];
@ -1137,8 +1141,115 @@ static int mgf_mask( unsigned char *dst, size_t dlen, unsigned char *src,
exit:
mbedtls_platform_zeroize( mask, sizeof( mask ) );
#if defined(MBEDTLS_MD_C)
mbedtls_md_free( &md_ctx );
return( ret );
#else
psa_hash_abort( &op );
return( mbedtls_md_error_from_psa( status ) );
#endif
}
/**
* Generate Hash(M') as in RFC 8017 page 43 points 5 and 6.
*
* \param hash the input hash
* \param hlen length of the input hash
* \param salt the input salt
* \param slen length of the input salt
* \param out the output buffer - must be large enough for \p md_alg
* \param md_alg message digest to use
*/
static int hash_mprime( const unsigned char *hash, size_t hlen,
const unsigned char *salt, size_t slen,
unsigned char *out, mbedtls_md_type_t md_alg )
{
const unsigned char zeros[8] = { 0, 0, 0, 0, 0, 0, 0, 0 };
#if defined(MBEDTLS_MD_C)
mbedtls_md_context_t md_ctx;
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg );
if( md_info == NULL )
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
mbedtls_md_init( &md_ctx );
if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
goto exit;
if( ( ret = mbedtls_md_starts( &md_ctx ) ) != 0 )
goto exit;
if( ( ret = mbedtls_md_update( &md_ctx, zeros, sizeof( zeros ) ) ) != 0 )
goto exit;
if( ( ret = mbedtls_md_update( &md_ctx, hash, hlen ) ) != 0 )
goto exit;
if( ( ret = mbedtls_md_update( &md_ctx, salt, slen ) ) != 0 )
goto exit;
if( ( ret = mbedtls_md_finish( &md_ctx, out ) ) != 0 )
goto exit;
exit:
mbedtls_md_free( &md_ctx );
return( ret );
#else
psa_hash_operation_t op = PSA_HASH_OPERATION_INIT;
psa_algorithm_t alg = mbedtls_psa_translate_md( md_alg );
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED ;
size_t out_size = PSA_HASH_LENGTH( alg );
size_t out_len;
if( ( status = psa_hash_setup( &op, alg ) ) != PSA_SUCCESS )
goto exit;
if( ( status = psa_hash_update( &op, zeros, sizeof( zeros ) ) ) != PSA_SUCCESS )
goto exit;
if( ( status = psa_hash_update( &op, hash, hlen ) ) != PSA_SUCCESS )
goto exit;
if( ( status = psa_hash_update( &op, salt, slen ) ) != PSA_SUCCESS )
goto exit;
status = psa_hash_finish( &op, out, out_size, &out_len );
if( status != PSA_SUCCESS )
goto exit;
exit:
psa_hash_abort( &op );
return( mbedtls_md_error_from_psa( status ) );
#endif /* !MBEDTLS_MD_C */
}
/**
* Compute a hash.
*
* \param md_alg algorithm to use
* \param input input message to hash
* \param ilen input length
* \param output the output buffer - must be large enough for \p md_alg
*/
static int compute_hash( mbedtls_md_type_t md_alg,
const unsigned char *input, size_t ilen,
unsigned char *output )
{
#if defined(MBEDTLS_MD_C)
const mbedtls_md_info_t *md_info;
md_info = mbedtls_md_info_from_type( md_alg );
if( md_info == NULL )
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
return( mbedtls_md( md_info, input, ilen, output ) );
#else
psa_algorithm_t alg = mbedtls_psa_translate_md( md_alg );
psa_status_t status;
size_t out_size = PSA_HASH_LENGTH( alg );
size_t out_len;
status = psa_hash_compute( alg, input, ilen, output, out_size, &out_len );
return( mbedtls_md_error_from_psa( status ) );
#endif /* !MBEDTLS_MD_C */
}
#endif /* MBEDTLS_PKCS1_V21 */
@ -1158,23 +1269,15 @@ int mbedtls_rsa_rsaes_oaep_encrypt( mbedtls_rsa_context *ctx,
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
unsigned char *p = output;
unsigned int hlen;
const mbedtls_md_info_t *md_info;
mbedtls_md_context_t md_ctx;
RSA_VALIDATE_RET( ctx != NULL );
RSA_VALIDATE_RET( output != NULL );
RSA_VALIDATE_RET( ilen == 0 || input != NULL );
RSA_VALIDATE_RET( label_len == 0 || label != NULL );
if( f_rng == NULL )
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id );
if( md_info == NULL )
hlen = mbedtls_hash_info_get_size( (mbedtls_md_type_t) ctx->hash_id );
if( hlen == 0 )
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
olen = ctx->len;
hlen = mbedtls_md_get_size( md_info );
/* first comparison checks for overflow */
if( ilen + 2 * hlen + 2 < ilen || olen < ilen + 2 * hlen + 2 )
@ -1191,7 +1294,8 @@ int mbedtls_rsa_rsaes_oaep_encrypt( mbedtls_rsa_context *ctx,
p += hlen;
/* Construct DB */
if( ( ret = mbedtls_md( md_info, label, label_len, p ) ) != 0 )
ret = compute_hash( (mbedtls_md_type_t) ctx->hash_id, label, label_len, p );
if( ret != 0 )
return( ret );
p += hlen;
p += olen - 2 * hlen - 2 - ilen;
@ -1199,24 +1303,14 @@ int mbedtls_rsa_rsaes_oaep_encrypt( mbedtls_rsa_context *ctx,
if( ilen != 0 )
memcpy( p, input, ilen );
mbedtls_md_init( &md_ctx );
if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
goto exit;
/* maskedDB: Apply dbMask to DB */
if( ( ret = mgf_mask( output + hlen + 1, olen - hlen - 1, output + 1, hlen,
&md_ctx ) ) != 0 )
goto exit;
ctx->hash_id ) ) != 0 )
return( ret );
/* maskedSeed: Apply seedMask to seed */
if( ( ret = mgf_mask( output + 1, hlen, output + hlen + 1, olen - hlen - 1,
&md_ctx ) ) != 0 )
goto exit;
exit:
mbedtls_md_free( &md_ctx );
if( ret != 0 )
ctx->hash_id ) ) != 0 )
return( ret );
return( mbedtls_rsa_public( ctx, output, output ) );
@ -1237,10 +1331,6 @@ int mbedtls_rsa_rsaes_pkcs1_v15_encrypt( mbedtls_rsa_context *ctx,
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
unsigned char *p = output;
RSA_VALIDATE_RET( ctx != NULL );
RSA_VALIDATE_RET( output != NULL );
RSA_VALIDATE_RET( ilen == 0 || input != NULL );
olen = ctx->len;
/* first comparison checks for overflow */
@ -1289,10 +1379,6 @@ int mbedtls_rsa_pkcs1_encrypt( mbedtls_rsa_context *ctx,
const unsigned char *input,
unsigned char *output )
{
RSA_VALIDATE_RET( ctx != NULL );
RSA_VALIDATE_RET( output != NULL );
RSA_VALIDATE_RET( ilen == 0 || input != NULL );
switch( ctx->padding )
{
#if defined(MBEDTLS_PKCS1_V15)
@ -1329,16 +1415,8 @@ int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx,
size_t ilen, i, pad_len;
unsigned char *p, bad, pad_done;
unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
unsigned char lhash[MBEDTLS_MD_MAX_SIZE];
unsigned char lhash[MBEDTLS_HASH_MAX_SIZE];
unsigned int hlen;
const mbedtls_md_info_t *md_info;
mbedtls_md_context_t md_ctx;
RSA_VALIDATE_RET( ctx != NULL );
RSA_VALIDATE_RET( output_max_len == 0 || output != NULL );
RSA_VALIDATE_RET( label_len == 0 || label != NULL );
RSA_VALIDATE_RET( input != NULL );
RSA_VALIDATE_RET( olen != NULL );
/*
* Parameters sanity checks
@ -1351,12 +1429,10 @@ int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx,
if( ilen < 16 || ilen > sizeof( buf ) )
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id );
if( md_info == NULL )
hlen = mbedtls_hash_info_get_size( (mbedtls_md_type_t) ctx->hash_id );
if( hlen == 0 )
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
hlen = mbedtls_md_get_size( md_info );
// checking for integer underflow
if( 2 * hlen + 2 > ilen )
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
@ -1372,28 +1448,20 @@ int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx,
/*
* Unmask data and generate lHash
*/
mbedtls_md_init( &md_ctx );
if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
{
mbedtls_md_free( &md_ctx );
goto cleanup;
}
/* seed: Apply seedMask to maskedSeed */
if( ( ret = mgf_mask( buf + 1, hlen, buf + hlen + 1, ilen - hlen - 1,
&md_ctx ) ) != 0 ||
ctx->hash_id ) ) != 0 ||
/* DB: Apply dbMask to maskedDB */
( ret = mgf_mask( buf + hlen + 1, ilen - hlen - 1, buf + 1, hlen,
&md_ctx ) ) != 0 )
ctx->hash_id ) ) != 0 )
{
mbedtls_md_free( &md_ctx );
goto cleanup;
}
mbedtls_md_free( &md_ctx );
/* Generate lHash */
if( ( ret = mbedtls_md( md_info, label, label_len, lhash ) ) != 0 )
ret = compute_hash( (mbedtls_md_type_t) ctx->hash_id,
label, label_len, lhash );
if( ret != 0 )
goto cleanup;
/*
@ -1470,11 +1538,6 @@ int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx,
size_t ilen;
unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
RSA_VALIDATE_RET( ctx != NULL );
RSA_VALIDATE_RET( output_max_len == 0 || output != NULL );
RSA_VALIDATE_RET( input != NULL );
RSA_VALIDATE_RET( olen != NULL );
ilen = ctx->len;
if( ctx->padding != MBEDTLS_RSA_PKCS_V15 )
@ -1509,11 +1572,6 @@ int mbedtls_rsa_pkcs1_decrypt( mbedtls_rsa_context *ctx,
unsigned char *output,
size_t output_max_len)
{
RSA_VALIDATE_RET( ctx != NULL );
RSA_VALIDATE_RET( output_max_len == 0 || output != NULL );
RSA_VALIDATE_RET( input != NULL );
RSA_VALIDATE_RET( olen != NULL );
switch( ctx->padding )
{
#if defined(MBEDTLS_PKCS1_V15)
@ -1550,13 +1608,9 @@ static int rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx,
size_t slen, min_slen, hlen, offset = 0;
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t msb;
const mbedtls_md_info_t *md_info;
mbedtls_md_context_t md_ctx;
RSA_VALIDATE_RET( ctx != NULL );
RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE &&
hashlen == 0 ) ||
hash != NULL );
RSA_VALIDATE_RET( sig != NULL );
if( ( md_alg != MBEDTLS_MD_NONE || hashlen != 0 ) && hash == NULL )
return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
if( ctx->padding != MBEDTLS_RSA_PKCS_V21 )
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
@ -1569,20 +1623,18 @@ static int rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx,
if( md_alg != MBEDTLS_MD_NONE )
{
/* Gather length of hash to sign */
md_info = mbedtls_md_info_from_type( md_alg );
if( md_info == NULL )
size_t exp_hashlen = mbedtls_hash_info_get_size( md_alg );
if( exp_hashlen == 0 )
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
if( hashlen != mbedtls_md_get_size( md_info ) )
if( hashlen != exp_hashlen )
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
}
md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id );
if( md_info == NULL )
hlen = mbedtls_hash_info_get_size( (mbedtls_md_type_t) ctx->hash_id );
if( hlen == 0 )
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
hlen = mbedtls_md_get_size( md_info );
if (saltlen == MBEDTLS_RSA_SALT_LEN_ANY)
{
/* Calculate the largest possible salt length, up to the hash size.
@ -1623,30 +1675,20 @@ static int rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx,
p += slen;
mbedtls_md_init( &md_ctx );
if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
goto exit;
/* Generate H = Hash( M' ) */
if( ( ret = mbedtls_md_starts( &md_ctx ) ) != 0 )
goto exit;
if( ( ret = mbedtls_md_update( &md_ctx, p, 8 ) ) != 0 )
goto exit;
if( ( ret = mbedtls_md_update( &md_ctx, hash, hashlen ) ) != 0 )
goto exit;
if( ( ret = mbedtls_md_update( &md_ctx, salt, slen ) ) != 0 )
goto exit;
if( ( ret = mbedtls_md_finish( &md_ctx, p ) ) != 0 )
goto exit;
ret = hash_mprime( hash, hashlen, salt, slen, p, ctx->hash_id );
if( ret != 0 )
return( ret );
/* Compensate for boundary condition when applying mask */
if( msb % 8 == 0 )
offset = 1;
/* maskedDB: Apply dbMask to DB */
if( ( ret = mgf_mask( sig + offset, olen - hlen - 1 - offset, p, hlen,
&md_ctx ) ) != 0 )
goto exit;
ret = mgf_mask( sig + offset, olen - hlen - 1 - offset, p, hlen,
ctx->hash_id );
if( ret != 0 )
return( ret );
msb = mbedtls_mpi_bitlen( &ctx->N ) - 1;
sig[0] &= 0xFF >> ( olen * 8 - msb );
@ -1654,12 +1696,6 @@ static int rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx,
p += hlen;
*p++ = 0xBC;
exit:
mbedtls_md_free( &md_ctx );
if( ret != 0 )
return( ret );
return mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig );
}
@ -1733,14 +1769,14 @@ static int rsa_rsassa_pkcs1_v15_encode( mbedtls_md_type_t md_alg,
/* Are we signing hashed or raw data? */
if( md_alg != MBEDTLS_MD_NONE )
{
const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg );
if( md_info == NULL )
unsigned char md_size = mbedtls_hash_info_get_size( md_alg );
if( md_size == 0 )
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
if( mbedtls_oid_get_oid_by_md( md_alg, &oid, &oid_size ) != 0 )
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
if( hashlen != mbedtls_md_get_size( md_info ) )
if( hashlen != md_size )
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
/* Double-check that 8 + hashlen + oid_size can be used as a
@ -1846,11 +1882,8 @@ int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx,
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
unsigned char *sig_try = NULL, *verif = NULL;
RSA_VALIDATE_RET( ctx != NULL );
RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE &&
hashlen == 0 ) ||
hash != NULL );
RSA_VALIDATE_RET( sig != NULL );
if( ( md_alg != MBEDTLS_MD_NONE || hashlen != 0 ) && hash == NULL )
return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
if( ctx->padding != MBEDTLS_RSA_PKCS_V15 )
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
@ -1914,11 +1947,8 @@ int mbedtls_rsa_pkcs1_sign( mbedtls_rsa_context *ctx,
const unsigned char *hash,
unsigned char *sig )
{
RSA_VALIDATE_RET( ctx != NULL );
RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE &&
hashlen == 0 ) ||
hash != NULL );
RSA_VALIDATE_RET( sig != NULL );
if( ( md_alg != MBEDTLS_MD_NONE || hashlen != 0 ) && hash == NULL )
return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
switch( ctx->padding )
{
@ -1955,19 +1985,13 @@ int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx,
size_t siglen;
unsigned char *p;
unsigned char *hash_start;
unsigned char result[MBEDTLS_MD_MAX_SIZE];
unsigned char zeros[8];
unsigned char result[MBEDTLS_HASH_MAX_SIZE];
unsigned int hlen;
size_t observed_salt_len, msb;
const mbedtls_md_info_t *md_info;
mbedtls_md_context_t md_ctx;
unsigned char buf[MBEDTLS_MPI_MAX_SIZE] = {0};
RSA_VALIDATE_RET( ctx != NULL );
RSA_VALIDATE_RET( sig != NULL );
RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE &&
hashlen == 0 ) ||
hash != NULL );
if( ( md_alg != MBEDTLS_MD_NONE || hashlen != 0 ) && hash == NULL )
return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
siglen = ctx->len;
@ -1987,22 +2011,18 @@ int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx,
if( md_alg != MBEDTLS_MD_NONE )
{
/* Gather length of hash to sign */
md_info = mbedtls_md_info_from_type( md_alg );
if( md_info == NULL )
size_t exp_hashlen = mbedtls_hash_info_get_size( md_alg );
if( exp_hashlen == 0 )
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
if( hashlen != mbedtls_md_get_size( md_info ) )
if( hashlen != exp_hashlen )
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
}
md_info = mbedtls_md_info_from_type( mgf1_hash_id );
if( md_info == NULL )
hlen = mbedtls_hash_info_get_size( mgf1_hash_id );
if( hlen == 0 )
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
hlen = mbedtls_md_get_size( md_info );
memset( zeros, 0, 8 );
/*
* Note: EMSA-PSS verification is over the length of N - 1 bits
*/
@ -2022,13 +2042,9 @@ int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx,
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
hash_start = p + siglen - hlen - 1;
mbedtls_md_init( &md_ctx );
if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
goto exit;
ret = mgf_mask( p, siglen - hlen - 1, hash_start, hlen, &md_ctx );
ret = mgf_mask( p, siglen - hlen - 1, hash_start, hlen, mgf1_hash_id );
if( ret != 0 )
goto exit;
return( ret );
buf[0] &= 0xFF >> ( siglen * 8 - msb );
@ -2036,49 +2052,28 @@ int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx,
p++;
if( *p++ != 0x01 )
{
ret = MBEDTLS_ERR_RSA_INVALID_PADDING;
goto exit;
}
return( MBEDTLS_ERR_RSA_INVALID_PADDING );
observed_salt_len = hash_start - p;
if( expected_salt_len != MBEDTLS_RSA_SALT_LEN_ANY &&
observed_salt_len != (size_t) expected_salt_len )
{
ret = MBEDTLS_ERR_RSA_INVALID_PADDING;
goto exit;
return( MBEDTLS_ERR_RSA_INVALID_PADDING );
}
/*
* Generate H = Hash( M' )
*/
ret = mbedtls_md_starts( &md_ctx );
if ( ret != 0 )
goto exit;
ret = mbedtls_md_update( &md_ctx, zeros, 8 );
if ( ret != 0 )
goto exit;
ret = mbedtls_md_update( &md_ctx, hash, hashlen );
if ( ret != 0 )
goto exit;
ret = mbedtls_md_update( &md_ctx, p, observed_salt_len );
if ( ret != 0 )
goto exit;
ret = mbedtls_md_finish( &md_ctx, result );
if ( ret != 0 )
goto exit;
ret = hash_mprime( hash, hashlen, p, observed_salt_len,
result, mgf1_hash_id );
if( ret != 0 )
return( ret );
if( memcmp( hash_start, result, hlen ) != 0 )
{
ret = MBEDTLS_ERR_RSA_VERIFY_FAILED;
goto exit;
}
return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
exit:
mbedtls_md_free( &md_ctx );
return( ret );
return( 0 );
}
/*
@ -2091,11 +2086,8 @@ int mbedtls_rsa_rsassa_pss_verify( mbedtls_rsa_context *ctx,
const unsigned char *sig )
{
mbedtls_md_type_t mgf1_hash_id;
RSA_VALIDATE_RET( ctx != NULL );
RSA_VALIDATE_RET( sig != NULL );
RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE &&
hashlen == 0 ) ||
hash != NULL );
if( ( md_alg != MBEDTLS_MD_NONE || hashlen != 0 ) && hash == NULL )
return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
mgf1_hash_id = ( ctx->hash_id != MBEDTLS_MD_NONE )
? (mbedtls_md_type_t) ctx->hash_id
@ -2124,11 +2116,8 @@ int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx,
size_t sig_len;
unsigned char *encoded = NULL, *encoded_expected = NULL;
RSA_VALIDATE_RET( ctx != NULL );
RSA_VALIDATE_RET( sig != NULL );
RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE &&
hashlen == 0 ) ||
hash != NULL );
if( ( md_alg != MBEDTLS_MD_NONE || hashlen != 0 ) && hash == NULL )
return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
sig_len = ctx->len;
@ -2193,11 +2182,8 @@ int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx,
const unsigned char *hash,
const unsigned char *sig )
{
RSA_VALIDATE_RET( ctx != NULL );
RSA_VALIDATE_RET( sig != NULL );
RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE &&
hashlen == 0 ) ||
hash != NULL );
if( ( md_alg != MBEDTLS_MD_NONE || hashlen != 0 ) && hash == NULL )
return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
switch( ctx->padding )
{
@ -2224,8 +2210,6 @@ int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx,
int mbedtls_rsa_copy( mbedtls_rsa_context *dst, const mbedtls_rsa_context *src )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
RSA_VALIDATE_RET( dst != NULL );
RSA_VALIDATE_RET( src != NULL );
dst->len = src->len;