yuzu/mbedtls
1
0
Fork 0
mirror of https://github.com/yuzu-emu/mbedtls.git synced 2025-08-08 06:41:17 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'mbedtls-1.3-restricted' into mbedtls-1.3

Browse source
This commit is contained in:
Jaeden Amero 2018-01-09 15:57:25 +00:00
parent 465c8b7827 ecd9f79edf
commit 1a6a2f7f0a
28 changed files with 337 additions and 155 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

33
ChangeLog
View file

@ -2,10 +2,41 @@ mbed TLS ChangeLog (Sorted per branch, date)
= mbed TLS 1.3.22 branch released 2017-xx-xx
Security
* Fix heap corruption in implementation of truncated HMAC extension.
When the truncated HMAC extension is enabled and CBC is used,
sending a malicious application packet can be used to selectively
corrupt 6 bytes on the peer's heap, potentially leading to crash or
remote code execution. This can be triggered remotely from either
side.
* Fix buffer overflow in RSA-PSS verification when the hash is too
large for the key size. Found by Seth Terashima, Qualcomm Product
Security Initiative, Qualcomm Technologies Inc.
* Fix buffer overflow in RSA-PSS verification when the unmasked
data is all zeros.
* Fix unsafe bounds check in ssl_parse_client_psk_identity() when adding
64kB to the address of the SSL buffer wraps around.
* Tighten should-be-constant-time memcmp against compiler optimizations.
* Ensure that buffers are cleared after use if they contain sensitive data.
Changes were introduced in multiple places in the library.
* Set PEM buffer to zero before freeing it, to avoid decoded private keys
being leaked to memory after release.
* Fix dhm_check_range() failing to detect trivial subgroups and potentially
leaking 1 bit of the private key. Reported by prashantkspatil.
* Make mpi_read_binary constant-time with respect to
the input data. Previously, trailing zero bytes were detected
and omitted for the sake of saving memory, but potentially
leading to slight timing differences.
Reported by Marco Macchetti, Kudelski Group.
* Wipe stack buffer temporarily holding EC private exponent
after keypair generation.
Features
* Allow comments in test data files.
Bugfix
* Fix typo in ssl.h leading to a too small value of SSL_MAC_ADD
in case CBC is disabled but ARC4 is enabled.
* Fix memory leak in ssl_set_hostname() when called multiple times.
Found by projectgus and jethrogb, #836.
* Fix usage help in ssl_server2 example. Found and fixed by Bei Lin.
@ -17,6 +48,8 @@ Bugfix
* Fix leap year calculation in x509_date_is_valid() to ensure that invalid
dates on leap years with 100 and 400 intervals are handled correctly. Found
by Nicholas Wilson. #694
* Fix some invalid RSA-PSS signatures with keys of size 8N+1 that were
accepted. Generating these signatures required the private key.
* Fix out-of-memory problem when parsing 4096-bit PKCS8-encrypted RSA keys.
Found independently by Florian in the mbed TLS forum and by Mishamax.
#878, #1019.

8
include/polarssl/ssl.h
View file

@ -303,7 +303,7 @@
#define SSL_COMPRESSION_ADD 0
#endif
#if defined(POLARSSL_RC4_C) || defined(POLARSSL_CIPHER_MODE_CBC)
#if defined(POLARSSL_ARC4_C) || defined(POLARSSL_CIPHER_MODE_CBC)
/* Ciphersuites using HMAC */
#if defined(POLARSSL_SHA512_C)
#define SSL_MAC_ADD 48 /* SHA-384 used for HMAC */
@ -2061,9 +2061,9 @@ int ssl_check_cert_usage( const x509_crt *cert,
static inline int safer_memcmp( const void *a, const void *b, size_t n )
{
size_t i;
const unsigned char *A = (const unsigned char *) a;
const unsigned char *B = (const unsigned char *) b;
unsigned char diff = 0;
volatile const unsigned char *A = (volatile const unsigned char *) a;
volatile const unsigned char *B = (volatile const unsigned char *) b;
volatile unsigned char diff = 0;
for( i = 0; i < n; i++ )
diff |= A[i] ^ B[i];

17
library/bignum.c
View file

@ -678,16 +678,20 @@ cleanup:
int mpi_read_binary( mpi *X, const unsigned char *buf, size_t buflen )
{
int ret;
size_t i, j, n;
size_t i, j;
size_t const limbs = CHARS_TO_LIMBS( buflen );
for( n = 0; n < buflen; n++ )
if( buf[n] != 0 )
break;
/* Ensure that target MPI has exactly the necessary number of limbs */
if( X->n != limbs )
{
mpi_free( X );
mpi_init( X );
MPI_CHK( mpi_grow( X, limbs ) );
}
MPI_CHK( mpi_grow( X, CHARS_TO_LIMBS( buflen - n ) ) );
MPI_CHK( mpi_lset( X, 0 ) );
for( i = buflen, j = 0; i > n; i--, j++ )
for( i = buflen, j = 0; i > 0; i--, j++ )
X->p[j / ciL] |= ((t_uint) buf[i - 1]) << ((j % ciL) << 3);
cleanup:
@ -1880,6 +1884,7 @@ int mpi_fill_random( mpi *X, size_t size,
MPI_CHK( mpi_read_binary( X, buf, size ) );
cleanup:
polarssl_zeroize( buf, sizeof( buf ) );
return( ret );
}

24
library/ctr_drbg.c
View file

@ -402,20 +402,20 @@ int ctr_drbg_write_seed_file( ctr_drbg_context *ctx, const char *path )
goto exit;
if( fwrite( buf, 1, CTR_DRBG_MAX_INPUT, f ) != CTR_DRBG_MAX_INPUT )
{
ret = POLARSSL_ERR_CTR_DRBG_FILE_IO_ERROR;
goto exit;
}
else
ret = 0;
exit:
polarssl_zeroize( buf, sizeof( buf ) );
fclose( f );
return( ret );
}
int ctr_drbg_update_seed_file( ctr_drbg_context *ctx, const char *path )
{
int ret = 0;
FILE *f;
size_t n;
unsigned char buf[ CTR_DRBG_MAX_INPUT ];
@ -434,15 +434,17 @@ int ctr_drbg_update_seed_file( ctr_drbg_context *ctx, const char *path )
}
if( fread( buf, 1, n, f ) != n )
{
fclose( f );
return( POLARSSL_ERR_CTR_DRBG_FILE_IO_ERROR );
}
fclose( f );
ret = POLARSSL_ERR_CTR_DRBG_FILE_IO_ERROR;
else
ctr_drbg_update( ctx, buf, n );
fclose( f );
polarssl_zeroize( buf, sizeof( buf ) );
if( ret != 0 )
return( ret );
return( ctr_drbg_write_seed_file( ctx, path ) );
}
#endif /* POLARSSL_FS_IO */

14
library/dhm.c
View file

@ -91,6 +91,9 @@ static int dhm_read_bignum( mpi *X,
*
* Parameter should be: 2 <= public_param <= P - 2
*
* This means that we need to return an error if
* public_param < 2 or public_param > P-2
*
* For more information on the attack, see:
* http://www.cl.cam.ac.uk/~rja14/Papers/psandqs.pdf
* http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2643
@ -98,17 +101,17 @@ static int dhm_read_bignum( mpi *X,
static int dhm_check_range( const mpi *param, const mpi *P )
{
mpi L, U;
int ret = POLARSSL_ERR_DHM_BAD_INPUT_DATA;
int ret = 0;
mpi_init( &L ); mpi_init( &U );
MPI_CHK( mpi_lset( &L, 2 ) );
MPI_CHK( mpi_sub_int( &U, P, 2 ) );
if( mpi_cmp_mpi( param, &L ) >= 0 &&
mpi_cmp_mpi( param, &U ) <= 0 )
if( mpi_cmp_mpi( param, &L ) < 0 ||
mpi_cmp_mpi( param, &U ) > 0 )
{
ret = 0;
ret = POLARSSL_ERR_DHM_BAD_INPUT_DATA;
}
cleanup:
@ -532,7 +535,10 @@ static int load_file( const char *path, unsigned char **buf, size_t *n )
if( fread( *buf, 1, *n, f ) != *n )
{
fclose( f );
polarssl_zeroize( *buf, *n + 1 );
polarssl_free( *buf );
return( POLARSSL_ERR_DHM_FILE_IO_ERROR );
}

4
library/ecp.c
View file

@ -1854,7 +1854,6 @@ int ecp_gen_keypair( ecp_group *grp, mpi *d, ecp_point *Q,
{
/* SEC1 3.2.1: Generate d such that 1 <= n < N */
int count = 0;
unsigned char rnd[POLARSSL_ECP_MAX_BYTES];
/*
* Match the procedure given in RFC 6979 (deterministic ECDSA):
@ -1865,8 +1864,7 @@ int ecp_gen_keypair( ecp_group *grp, mpi *d, ecp_point *Q,
*/
do
{
MPI_CHK( f_rng( p_rng, rnd, n_size ) );
MPI_CHK( mpi_read_binary( d, rnd, n_size ) );
MPI_CHK( mpi_fill_random( d, n_size, f_rng, p_rng ) );
MPI_CHK( mpi_shift_r( d, 8 * n_size - grp->nbits ) );
/*

32
library/entropy.c
View file

@ -169,6 +169,8 @@ static int entropy_update( entropy_context *ctx, unsigned char source_id,
sha256_update( &ctx->accumulator, p, use_len );
#endif
polarssl_zeroize( tmp, sizeof( tmp ) );
return( 0 );
}
@ -197,13 +199,11 @@ int entropy_update_manual( entropy_context *ctx,
*/
static int entropy_gather_internal( entropy_context *ctx )
{
int ret, i;
int ret = POLARSSL_ERR_ENTROPY_NO_SOURCES_DEFINED;
int i;
unsigned char buf[ENTROPY_MAX_GATHER];
size_t olen;
if( ctx->source_count == 0 )
return( POLARSSL_ERR_ENTROPY_NO_SOURCES_DEFINED );
/*
* Run through our entropy sources
*/
@ -213,7 +213,7 @@ static int entropy_gather_internal( entropy_context *ctx )
if( ( ret = ctx->source[i].f_source( ctx->source[i].p_source,
buf, ENTROPY_MAX_GATHER, &olen ) ) != 0 )
{
return( ret );
goto cleanup;
}
/*
@ -226,7 +226,10 @@ static int entropy_gather_internal( entropy_context *ctx )
}
}
return( 0 );
cleanup:
polarssl_zeroize( buf, sizeof( buf ) );
return( ret );
}
/*
@ -327,6 +330,8 @@ int entropy_func( void *data, unsigned char *output, size_t len )
ret = 0;
exit:
polarssl_zeroize( buf, sizeof( buf ) );
#if defined(POLARSSL_THREADING_C)
if( polarssl_mutex_unlock( &ctx->mutex ) != 0 )
return( POLARSSL_ERR_THREADING_MUTEX_ERROR );
@ -357,12 +362,15 @@ int entropy_write_seed_file( entropy_context *ctx, const char *path )
ret = 0;
exit:
polarssl_zeroize( buf, sizeof( buf ) );
fclose( f );
return( ret );
}
int entropy_update_seed_file( entropy_context *ctx, const char *path )
{
int ret = 0;
FILE *f;
size_t n;
unsigned char buf[ ENTROPY_MAX_SEED_SIZE ];
@ -378,14 +386,16 @@ int entropy_update_seed_file( entropy_context *ctx, const char *path )
n = ENTROPY_MAX_SEED_SIZE;
if( fread( buf, 1, n, f ) != n )
{
fclose( f );
return( POLARSSL_ERR_ENTROPY_FILE_IO_ERROR );
}
ret = POLARSSL_ERR_ENTROPY_FILE_IO_ERROR;
else
ret = entropy_update_manual( ctx, buf, n );
fclose( f );
entropy_update_manual( ctx, buf, n );
polarssl_zeroize( buf, sizeof( buf ) );
if( ret != 0 )
return( ret );
return( entropy_write_seed_file( ctx, path ) );
}

19
library/hmac_drbg.c
View file

@ -342,11 +342,14 @@ int hmac_drbg_write_seed_file( hmac_drbg_context *ctx, const char *path )
exit:
fclose( f );
polarssl_zeroize( buf, sizeof( buf ) );
return( ret );
}
int hmac_drbg_update_seed_file( hmac_drbg_context *ctx, const char *path )
{
int ret = 0;
FILE *f;
size_t n;
unsigned char buf[ POLARSSL_HMAC_DRBG_MAX_INPUT ];
@ -365,15 +368,17 @@ int hmac_drbg_update_seed_file( hmac_drbg_context *ctx, const char *path )
}
if( fread( buf, 1, n, f ) != n )
{
fclose( f );
return( POLARSSL_ERR_HMAC_DRBG_FILE_IO_ERROR );
}
fclose( f );
ret = POLARSSL_ERR_HMAC_DRBG_FILE_IO_ERROR;
else
hmac_drbg_update( ctx, buf, n );
fclose( f );
polarssl_zeroize( buf, sizeof( buf ) );
if( ret != 0 )
return( ret );
return( hmac_drbg_write_seed_file( ctx, path ) );
}
#endif /* POLARSSL_FS_IO */

16
library/md2.c
View file

@ -217,6 +217,7 @@ void md2( const unsigned char *input, size_t ilen, unsigned char output[16] )
*/
int md2_file( const char *path, unsigned char output[16] )
{
int ret = 0;
FILE *f;
size_t n;
md2_context ctx;
@ -231,17 +232,16 @@ int md2_file( const char *path, unsigned char output[16] )
while( ( n = fread( buf, 1, sizeof( buf ), f ) ) > 0 )
md2_update( &ctx, buf, n );
md2_finish( &ctx, output );
md2_free( &ctx );
if( ferror( f ) != 0 )
{
fclose( f );
return( POLARSSL_ERR_MD2_FILE_IO_ERROR );
}
ret = POLARSSL_ERR_MD2_FILE_IO_ERROR;
else
md2_finish( &ctx, output );
md2_free( &ctx );
polarssl_zeroize( buf, sizeof( buf ) );
fclose( f );
return( 0 );
return( ret );
}
#endif /* POLARSSL_FS_IO */

16
library/md4.c
View file

@ -313,6 +313,7 @@ void md4( const unsigned char *input, size_t ilen, unsigned char output[16] )
*/
int md4_file( const char *path, unsigned char output[16] )
{
int ret = 0;
FILE *f;
size_t n;
md4_context ctx;
@ -327,17 +328,16 @@ int md4_file( const char *path, unsigned char output[16] )
while( ( n = fread( buf, 1, sizeof( buf ), f ) ) > 0 )
md4_update( &ctx, buf, n );
md4_finish( &ctx, output );
md4_free( &ctx );
if( ferror( f ) != 0 )
{
fclose( f );
return( POLARSSL_ERR_MD4_FILE_IO_ERROR );
}
ret = POLARSSL_ERR_MD4_FILE_IO_ERROR;
else
md4_finish( &ctx, output );
md4_free( &ctx );
polarssl_zeroize( buf, sizeof( buf ) );
fclose( f );
return( 0 );
return( ret );
}
#endif /* POLARSSL_FS_IO */

16
library/md5.c
View file

@ -330,6 +330,7 @@ void md5( const unsigned char *input, size_t ilen, unsigned char output[16] )
*/
int md5_file( const char *path, unsigned char output[16] )
{
int ret = 0;
FILE *f;
size_t n;
md5_context ctx;
@ -344,17 +345,16 @@ int md5_file( const char *path, unsigned char output[16] )
while( ( n = fread( buf, 1, sizeof( buf ), f ) ) > 0 )
md5_update( &ctx, buf, n );
md5_finish( &ctx, output );
md5_free( &ctx );
if( ferror( f ) != 0 )
{
fclose( f );
return( POLARSSL_ERR_MD5_FILE_IO_ERROR );
}
ret = POLARSSL_ERR_MD5_FILE_IO_ERROR;
else
md5_finish( &ctx, output );
md5_free( &ctx );
polarssl_zeroize( buf, sizeof( buf ) );
fclose( f );
return( 0 );
return( ret );
}
#endif /* POLARSSL_FS_IO */

6
library/pem.c
View file

@ -345,6 +345,7 @@ int pem_read_buffer( pem_context *ctx, const char *header, const char *footer,
if( ( ret = base64_decode( buf, &len, s1, s2 - s1 ) ) != 0 )
{
polarssl_zeroize( buf, len );
polarssl_free( buf );
return( POLARSSL_ERR_PEM_INVALID_DATA + ret );
}
@ -355,6 +356,7 @@ int pem_read_buffer( pem_context *ctx, const char *header, const char *footer,
( defined(POLARSSL_DES_C) || defined(POLARSSL_AES_C) )
if( pwd == NULL )
{
polarssl_zeroize( buf, len );
polarssl_free( buf );
return( POLARSSL_ERR_PEM_PASSWORD_REQUIRED );
}
@ -391,10 +393,12 @@ int pem_read_buffer( pem_context *ctx, const char *header, const char *footer,
*/
if( len <= 2 || buf[0] != 0x30 || buf[1] > 0x83 )
{
polarssl_zeroize( buf, len );
polarssl_free( buf );
return( POLARSSL_ERR_PEM_PASSWORD_MISMATCH );
}
#else
polarssl_zeroize( buf, len );
polarssl_free( buf );
return( POLARSSL_ERR_PEM_FEATURE_UNAVAILABLE );
#endif /* POLARSSL_MD5_C && POLARSSL_CIPHER_MODE_CBC &&
@ -409,6 +413,8 @@ int pem_read_buffer( pem_context *ctx, const char *header, const char *footer,
void pem_free( pem_context *ctx )
{
if ( ctx->buf != NULL )
polarssl_zeroize( ctx->buf, ctx->buflen );
polarssl_free( ctx->buf );
polarssl_free( ctx->info );

3
library/pkparse.c
View file

@ -101,7 +101,10 @@ int pk_load_file( const char *path, unsigned char **buf, size_t *n )
if( fread( *buf, 1, *n, f ) != *n )
{
fclose( f );
polarssl_zeroize( *buf, *n );
polarssl_free( *buf );
return( POLARSSL_ERR_PK_FILE_IO_ERROR );
}

16
library/ripemd160.c
View file

@ -388,6 +388,7 @@ void ripemd160( const unsigned char *input, size_t ilen,
*/
int ripemd160_file( const char *path, unsigned char output[20] )
{
int ret = 0;
FILE *f;
size_t n;
ripemd160_context ctx;
@ -402,17 +403,16 @@ int ripemd160_file( const char *path, unsigned char output[20] )
while( ( n = fread( buf, 1, sizeof( buf ), f ) ) > 0 )
ripemd160_update( &ctx, buf, n );
ripemd160_finish( &ctx, output );
ripemd160_free( &ctx );
if( ferror( f ) != 0 )
{
fclose( f );
return( POLARSSL_ERR_RIPEMD160_FILE_IO_ERROR );
}
ret = POLARSSL_ERR_RIPEMD160_FILE_IO_ERROR;
else
ripemd160_finish( &ctx, output );
ripemd160_free( &ctx );
polarssl_zeroize( buf, sizeof( buf ) );
fclose( f );
return( 0 );
return( ret );
}
#endif /* POLARSSL_FS_IO */

27
library/rsa.c
View file

@ -1325,10 +1325,11 @@ int rsa_rsassa_pss_verify_ext( rsa_context *ctx,
size_t siglen;
unsigned char *p;
unsigned char buf[POLARSSL_MPI_MAX_SIZE];
unsigned char *hash_start;
unsigned char result[POLARSSL_MD_MAX_SIZE];
unsigned char zeros[8];
unsigned int hlen;
size_t slen, msb;
size_t observed_salt_len, msb;
const md_info_t *md_info;
md_context_t md_ctx;
@ -1368,7 +1369,6 @@ int rsa_rsassa_pss_verify_ext( rsa_context *ctx,
return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
hlen = md_get_size( md_info );
slen = siglen - hlen - 1; /* Currently length of salt + padding */
memset( zeros, 0, 8 );
@ -1376,6 +1376,9 @@ int rsa_rsassa_pss_verify_ext( rsa_context *ctx,
//
msb = mpi_msb( &ctx->N ) - 1;
if( buf[0] >> ( 8 - siglen * 8 + msb ) )
return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
// Compensate for boundary condition when applying mask
//
if( msb % 8 == 0 )
@ -1383,8 +1386,10 @@ int rsa_rsassa_pss_verify_ext( rsa_context *ctx,
p++;
siglen -= 1;
}
if( buf[0] >> ( 8 - siglen * 8 + msb ) )
if( siglen < hlen + 2 )
return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
hash_start = p + siglen - hlen - 1;
md_init( &md_ctx );
if( ( ret = md_init_ctx( &md_ctx, md_info ) ) != 0 )
@ -1393,25 +1398,23 @@ int rsa_rsassa_pss_verify_ext( rsa_context *ctx,
return( ret );
}
mgf_mask( p, siglen - hlen - 1, p + siglen - hlen - 1, hlen, &md_ctx );
mgf_mask( p, siglen - hlen - 1, hash_start, hlen, &md_ctx );
buf[0] &= 0xFF >> ( siglen * 8 - msb );
while( p < buf + siglen && *p == 0 )
while( p < hash_start - 1 && *p == 0 )
p++;
if( p == buf + siglen ||
*p++ != 0x01 )
if( *p++ != 0x01 )
{
md_free( &md_ctx );
return( POLARSSL_ERR_RSA_INVALID_PADDING );
}
/* Actual salt len */
slen -= p - buf;
observed_salt_len = hash_start - p;
if( expected_salt_len != RSA_SALT_LEN_ANY &&
slen != (size_t) expected_salt_len )
observed_salt_len != (size_t) expected_salt_len )
{
md_free( &md_ctx );
return( POLARSSL_ERR_RSA_INVALID_PADDING );
@ -1422,12 +1425,12 @@ int rsa_rsassa_pss_verify_ext( rsa_context *ctx,
md_starts( &md_ctx );
md_update( &md_ctx, zeros, 8 );
md_update( &md_ctx, hash, hashlen );
md_update( &md_ctx, p, slen );
md_update( &md_ctx, p, observed_salt_len );
md_finish( &md_ctx, result );
md_free( &md_ctx );
if( memcmp( p + slen, result, hlen ) == 0 )
if( memcmp( hash_start, result, hlen ) == 0 )
return( 0 );
else
return( POLARSSL_ERR_RSA_VERIFY_FAILED );

16
library/sha1.c
View file

@ -363,6 +363,7 @@ void sha1( const unsigned char *input, size_t ilen, unsigned char output[20] )
*/
int sha1_file( const char *path, unsigned char output[20] )
{
int ret = 0;
FILE *f;
size_t n;
sha1_context ctx;
@ -377,17 +378,16 @@ int sha1_file( const char *path, unsigned char output[20] )
while( ( n = fread( buf, 1, sizeof( buf ), f ) ) > 0 )
sha1_update( &ctx, buf, n );
sha1_finish( &ctx, output );
sha1_free( &ctx );
if( ferror( f ) != 0 )
{
fclose( f );
return( POLARSSL_ERR_SHA1_FILE_IO_ERROR );
}
ret = POLARSSL_ERR_SHA1_FILE_IO_ERROR;
else
sha1_finish( &ctx, output );
sha1_free( &ctx );
polarssl_zeroize( buf, sizeof( buf ) );
fclose( f );
return( 0 );
return( ret );
}
#endif /* POLARSSL_FS_IO */

16
library/sha256.c
View file

@ -366,6 +366,7 @@ void sha256( const unsigned char *input, size_t ilen,
*/
int sha256_file( const char *path, unsigned char output[32], int is224 )
{
int ret = 0;
FILE *f;
size_t n;
sha256_context ctx;
@ -380,17 +381,16 @@ int sha256_file( const char *path, unsigned char output[32], int is224 )
while( ( n = fread( buf, 1, sizeof( buf ), f ) ) > 0 )
sha256_update( &ctx, buf, n );
sha256_finish( &ctx, output );
sha256_free( &ctx );
if( ferror( f ) != 0 )
{
fclose( f );
return( POLARSSL_ERR_SHA256_FILE_IO_ERROR );
}
ret = POLARSSL_ERR_SHA256_FILE_IO_ERROR;
else
sha256_finish( &ctx, output );
sha256_free( &ctx );
polarssl_zeroize( buf, sizeof( buf ) );
fclose( f );
return( 0 );
return( ret );
}
#endif /* POLARSSL_FS_IO */

16
library/sha512.c
View file

@ -370,6 +370,7 @@ void sha512( const unsigned char *input, size_t ilen,
*/
int sha512_file( const char *path, unsigned char output[64], int is384 )
{
int ret = 0;
FILE *f;
size_t n;
sha512_context ctx;
@ -384,17 +385,16 @@ int sha512_file( const char *path, unsigned char output[64], int is384 )
while( ( n = fread( buf, 1, sizeof( buf ), f ) ) > 0 )
sha512_update( &ctx, buf, n );
sha512_finish( &ctx, output );
sha512_free( &ctx );
if( ferror( f ) != 0 )
{
fclose( f );
return( POLARSSL_ERR_SHA512_FILE_IO_ERROR );
}
ret = POLARSSL_ERR_SHA512_FILE_IO_ERROR;
else
sha512_finish( &ctx, output );
sha512_free( &ctx );
polarssl_zeroize( buf, sizeof( buf ) );
fclose( f );
return( 0 );
return( ret );
}
#endif /* POLARSSL_FS_IO */

4
library/ssl_srv.c
View file

@ -3141,7 +3141,7 @@ static int ssl_parse_client_psk_identity( ssl_context *ssl, unsigned char **p,
/*
* Receive client pre-shared key identity name
*/
if( *p + 2 > end )
if( end - *p < 2 )
{
SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
@ -3150,7 +3150,7 @@ static int ssl_parse_client_psk_identity( ssl_context *ssl, unsigned char **p,
n = ( (*p)[0] << 8 ) | (*p)[1];
*p += 2;
if( n < 1 || n > 65535 || *p + n > end )
if( n < 1 || n > 65535 || n > (size_t) ( end - *p ) )
{
SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );

70
library/ssl_tls.c
View file

@ -1050,9 +1050,12 @@ int ssl_psk_derive_premaster( ssl_context *ssl, key_exchange_type_t key_ex )
/*
* SSLv3.0 MAC functions
*/
static void ssl_mac( md_context_t *md_ctx, unsigned char *secret,
unsigned char *buf, size_t len,
unsigned char *ctr, int type )
#define SSL_MAC_MAX_BYTES 20 /* MD-5 or SHA-1 */
static void ssl_mac( md_context_t *md_ctx,
const unsigned char *secret,
const unsigned char *buf, size_t len,
const unsigned char *ctr, int type,
unsigned char out[SSL_MAC_MAX_BYTES] )
{
unsigned char header[11];
unsigned char padding[48];
@ -1077,14 +1080,14 @@ static void ssl_mac( md_context_t *md_ctx, unsigned char *secret,
md_update( md_ctx, padding, padlen );
md_update( md_ctx, header, 11 );
md_update( md_ctx, buf, len );
md_finish( md_ctx, buf + len );
md_finish( md_ctx, out );
memset( padding, 0x5C, padlen );
md_starts( md_ctx );
md_update( md_ctx, secret, md_size );
md_update( md_ctx, padding, padlen );
md_update( md_ctx, buf + len, md_size );
md_finish( md_ctx, buf + len );
md_update( md_ctx, out, md_size );
md_finish( md_ctx, out );
}
#endif /* POLARSSL_SSL_PROTO_SSL3 */
@ -1130,10 +1133,15 @@ static int ssl_encrypt_buf( ssl_context *ssl )
#if defined(POLARSSL_SSL_PROTO_SSL3)
if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
{
unsigned char mac[SSL_MAC_MAX_BYTES];
ssl_mac( &ssl->transform_out->md_ctx_enc,
ssl->transform_out->mac_enc,
ssl->out_msg, ssl->out_msglen,
ssl->out_ctr, ssl->out_msgtype );
ssl->out_ctr, ssl->out_msgtype,
mac );
memcpy( ssl->out_msg + ssl->out_msglen, mac, ssl->transform_out->maclen );
}
else
#endif
@ -1141,12 +1149,16 @@ static int ssl_encrypt_buf( ssl_context *ssl )
defined(POLARSSL_SSL_PROTO_TLS1_2)
if( ssl->minor_ver >= SSL_MINOR_VERSION_1 )
{
unsigned char mac[SSL_MAC_ADD];
md_hmac_update( &ssl->transform_out->md_ctx_enc, ssl->out_ctr, 13 );
md_hmac_update( &ssl->transform_out->md_ctx_enc,
ssl->out_msg, ssl->out_msglen );
md_hmac_finish( &ssl->transform_out->md_ctx_enc,
ssl->out_msg + ssl->out_msglen );
md_hmac_finish( &ssl->transform_out->md_ctx_enc, mac );
md_hmac_reset( &ssl->transform_out->md_ctx_enc );
memcpy( ssl->out_msg + ssl->out_msglen, mac,
ssl->transform_out->maclen );
}
else
#endif
@ -1155,7 +1167,7 @@ static int ssl_encrypt_buf( ssl_context *ssl )
return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
}
SSL_DEBUG_BUF( 4, "computed mac",
SSL_DEBUG_BUF( 4, "expected mac",
ssl->out_msg + ssl->out_msglen,
ssl->transform_out->maclen );
@ -1419,8 +1431,6 @@ static int ssl_encrypt_buf( ssl_context *ssl )
return( 0 );
}
#define POLARSSL_SSL_MAX_MAC_SIZE 48
static int ssl_decrypt_buf( ssl_context *ssl )
{
size_t i;
@ -1588,7 +1598,7 @@ static int ssl_decrypt_buf( ssl_context *ssl )
#if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC)
if( ssl->session_in->encrypt_then_mac == SSL_ETM_ENABLED )
{
unsigned char computed_mac[POLARSSL_SSL_MAX_MAC_SIZE];
unsigned char mac_expect[SSL_MAC_ADD];
unsigned char pseudo_hdr[13];
SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) );
@ -1606,15 +1616,15 @@ static int ssl_decrypt_buf( ssl_context *ssl )
md_hmac_update( &ssl->transform_in->md_ctx_dec, pseudo_hdr, 13 );
md_hmac_update( &ssl->transform_in->md_ctx_dec,
ssl->in_iv, ssl->in_msglen );
md_hmac_finish( &ssl->transform_in->md_ctx_dec, computed_mac );
md_hmac_finish( &ssl->transform_in->md_ctx_dec, mac_expect );
md_hmac_reset( &ssl->transform_in->md_ctx_dec );
SSL_DEBUG_BUF( 4, "message mac", ssl->in_iv + ssl->in_msglen,
ssl->transform_in->maclen );
SSL_DEBUG_BUF( 4, "computed mac", computed_mac,
SSL_DEBUG_BUF( 4, "expected mac", mac_expect,
ssl->transform_in->maclen );
if( safer_memcmp( ssl->in_iv + ssl->in_msglen, computed_mac,
if( safer_memcmp( ssl->in_iv + ssl->in_msglen, mac_expect,
ssl->transform_in->maclen ) != 0 )
{
SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
@ -1775,22 +1785,21 @@ static int ssl_decrypt_buf( ssl_context *ssl )
#if defined(POLARSSL_SOME_MODES_USE_MAC)
if( auth_done == 0 )
{
unsigned char tmp[POLARSSL_SSL_MAX_MAC_SIZE];
unsigned char mac_expect[SSL_MAC_ADD];
ssl->in_msglen -= ssl->transform_in->maclen;
ssl->in_hdr[3] = (unsigned char)( ssl->in_msglen >> 8 );
ssl->in_hdr[4] = (unsigned char)( ssl->in_msglen );
memcpy( tmp, ssl->in_msg + ssl->in_msglen, ssl->transform_in->maclen );
#if defined(POLARSSL_SSL_PROTO_SSL3)
if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
{
ssl_mac( &ssl->transform_in->md_ctx_dec,
ssl->transform_in->mac_dec,
ssl->in_msg, ssl->in_msglen,
ssl->in_ctr, ssl->in_msgtype );
ssl->in_ctr, ssl->in_msgtype,
mac_expect );
}
else
#endif /* POLARSSL_SSL_PROTO_SSL3 */
@ -1820,8 +1829,8 @@ static int ssl_decrypt_buf( ssl_context *ssl )
md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_ctr, 13 );
md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_msg,
ssl->in_msglen );
md_hmac_finish( &ssl->transform_in->md_ctx_dec,
ssl->in_msg + ssl->in_msglen );
md_hmac_finish( &ssl->transform_in->md_ctx_dec, mac_expect );
/* Call md_process at least once due to cache attacks */
for( j = 0; j < extra_run + 1; j++ )
md_process( &ssl->transform_in->md_ctx_dec, ssl->in_msg );
@ -1836,11 +1845,11 @@ static int ssl_decrypt_buf( ssl_context *ssl )
return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
}
SSL_DEBUG_BUF( 4, "message mac", tmp, ssl->transform_in->maclen );
SSL_DEBUG_BUF( 4, "computed mac", ssl->in_msg + ssl->in_msglen,
SSL_DEBUG_BUF( 4, "expected mac", mac_expect, ssl->transform_in->maclen );
SSL_DEBUG_BUF( 4, "message mac", ssl->in_msg + ssl->in_msglen,
ssl->transform_in->maclen );
if( safer_memcmp( tmp, ssl->in_msg + ssl->in_msglen,
if( safer_memcmp( ssl->in_msg + ssl->in_msglen, mac_expect,
ssl->transform_in->maclen ) != 0 )
{
#if defined(POLARSSL_SSL_DEBUG_ALL)
@ -4140,12 +4149,19 @@ int ssl_set_psk( ssl_context *ssl, const unsigned char *psk, size_t psk_len,
return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
}
if( ssl->psk != NULL || ssl->psk_identity != NULL )
if( ssl->psk != NULL )
{
polarssl_zeroize( ssl->psk, ssl->psk_len );
polarssl_free( ssl->psk );
polarssl_free( ssl->psk_identity );
ssl->psk = NULL;
ssl->psk_len = 0;
}
if( ssl->psk_identity != NULL )
{
polarssl_free( ssl->psk_identity );
ssl->psk_identity = NULL;
ssl->psk_identity_len = 0;
}
if( ( ssl->psk = polarssl_malloc( psk_len ) ) == NULL ||

9
tests/data_files/rsa512.key Normal file
View file

@ -0,0 +1,9 @@
-----BEGIN RSA PRIVATE KEY-----
MIIBOwIBAAJBALB20jJQgW+aqwIwfkUrl/DK51mDabQWJOivx5caWaE4kvZLB+qm
7JKMFgstbsj50N1bY8izrAdntPZciS9WwQ8CAwEAAQJAKYfNcIoB7II6PQmsrhrU
Z5dZW3fSKNANX7X/A1DwR0DlF8uZnpWsWbYcRoXX7QjvepZqc54wryhW55Wlm6yI
AQIhAOJIaLjSpbHjzzcJQ7mylxn2WGIlbJPPzJ9OaFZCZQvxAiEAx6OEAvl6JKa6
6a+N2Wvhtcgb4qqR6UHQGJQYGJz5nP8CIAvgoR6ScAAWZRoOcm+c4DGMrLb6H+ji
T2tNQkzEz2kBAiEAmw34GStU36STpa6RGJ4+tyZN6jWakDVqf7x+HpfFE1cCIQDc
KzXIxec2taye4OeIa1v4W/MigMmYE9w93Uw/Qi3azA==
-----END RSA PRIVATE KEY-----

9
tests/data_files/rsa521.key Normal file
View file

@ -0,0 +1,9 @@
-----BEGIN RSA PRIVATE KEY-----
MIIBPQIBAAJCATG2mGDzy5v4XqNY/fK9KZDxt3qA1qT9+BekPdiWvffdJq+KwCN/
Um4NM7EFyXH9vU/6ns6Z/EafMez0Kej1YsHDAgMBAAECQCdoYjwdMSHp4kksL5Aa
0kDc58ni0chy9IgXo+FHjTVmR9DkaZANrwfVvYMJxqYCZo0im1Dw7ZJBUDJQNXnl
ZokCIRiSk66I24AWa7XGUFvatVwXWi2ACE4QEKqzWQe1mQ24/wIhDHD1TCKpqucA
XDI+1N7EHs+fN4CfTSWe8FPGiK6q3VM9AiESrKKLi/q011U4KeS8SfR2blDcL2cg
XFkuQWqxzzLoGOUCIQmgl5E0+Ypwe0zc7NYZFDarf4+ZjqxKQnXCvk0irMHcGQIh
EVPli6RQb3Gcx7vXJHltzSTno7NElzBDRMBVUlBmVxAJ
-----END RSA PRIVATE KEY-----

9
tests/data_files/rsa522.key Normal file
View file

@ -0,0 +1,9 @@
-----BEGIN RSA PRIVATE KEY-----
MIIBPgIBAAJCAtMCdT492ij0L02fkshkdCDqb7yXwQ+EmLlmqVPzV2mNZYEGDf4y
yKuY20vFzirN8MHm5ASnWhMoJVDBqjfTzci/AgMBAAECQU05ffxf7uVg74yC9tKg
qCa746NpMh3OM+HZrUxiOXv0sJMRXNEPD5HNLtgcNY6MI5NYbUvkOXktnFZpxWYP
TH7BAiEeFJGs5Z6gRd2v/IbYLMFDHgjqho04INGTOvnyI7lGVKUCIRgJM7moFuoM
UrKTmJK1uOzauWEykCKgc6BGH6TGZoEWkwIhBzQn2v82qO1ydOYGKRk2w2sa+Yd1
pH5/kkHqf+m8QjKdAiEQ9eVW+4J30wxD0JyX4b1E/S5UpN5KYNhWX0US+6D3NBsC
IRxePzdQlutZWg0Cnku3QE1tOLBCFlP7QVVl5FbKcY5H5w==
-----END RSA PRIVATE KEY-----

9
tests/data_files/rsa528.key Normal file
View file

@ -0,0 +1,9 @@
-----BEGIN RSA PRIVATE KEY-----
MIIBRQIBAAJDAOMcJG1GSFmEJh/RdMqz1DVzRGAuzXk8R9vlQlLTe7NQvGNDWbGV
FVQggORySktnIpG+V8dkj1Finq7yNOhH2ZzGXwIDAQABAkMAsWYyLglQSlwnS4NZ
L1z4zieTqW3lomWr2+BgxkHbxl2w0Rx4L+Ezp+YK6mhtIQWNkoytPvWJJMS7Jrkg
agMAHQJBAiIA+F1y5GO0Bv+igsNLXwwtbCqs8hAkavU9W8egt/oDbhzbAiIA6hds
PZp/s1X7n7dwfmebSs+3vLZFuQfifN8XZLw0CXHNAiEuEzgDQrPdMIN3er96zImI
rYoUBgabiQ9u/WPFfa4xOU0CIgDDYC089Tfjy72pPgcr2PkpZVhqro5esg/8PI5f
yxx7TXkCIgCYoE8Y5IxomtL1ub1AQzPe9UyyUGzQB1yWeiloJh6LjxA=
-----END RSA PRIVATE KEY-----

20
tests/ssl-opt.sh
View file

@ -510,40 +510,40 @@ run_test "Truncated HMAC: client default, server default" \
"$P_SRV debug_level=4" \
"$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
0 \
-s "dumping 'computed mac' (20 bytes)" \
-S "dumping 'computed mac' (10 bytes)"
-s "dumping 'expected mac' (20 bytes)" \
-S "dumping 'expected mac' (10 bytes)"
run_test "Truncated HMAC: client disabled, server default" \
"$P_SRV debug_level=4" \
"$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
trunc_hmac=0" \
0 \
-s "dumping 'computed mac' (20 bytes)" \
-S "dumping 'computed mac' (10 bytes)"
-s "dumping 'expected mac' (20 bytes)" \
-S "dumping 'expected mac' (10 bytes)"
run_test "Truncated HMAC: client enabled, server default" \
"$P_SRV debug_level=4" \
"$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
trunc_hmac=1" \
0 \
-S "dumping 'computed mac' (20 bytes)" \
-s "dumping 'computed mac' (10 bytes)"
-S "dumping 'expected mac' (20 bytes)" \
-s "dumping 'expected mac' (10 bytes)"
run_test "Truncated HMAC: client enabled, server disabled" \
"$P_SRV debug_level=4 trunc_hmac=0" \
"$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
trunc_hmac=1" \
0 \
-s "dumping 'computed mac' (20 bytes)" \
-S "dumping 'computed mac' (10 bytes)"
-s "dumping 'expected mac' (20 bytes)" \
-S "dumping 'expected mac' (10 bytes)"
run_test "Truncated HMAC: client enabled, server enabled" \
"$P_SRV debug_level=4 trunc_hmac=1" \
"$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
trunc_hmac=1" \
0 \
-S "dumping 'computed mac' (20 bytes)" \
-s "dumping 'computed mac' (10 bytes)"
-S "dumping 'expected mac' (20 bytes)" \
-s "dumping 'expected mac' (10 bytes)"
# Tests for Encrypt-then-MAC extension

18
tests/suites/test_suite_dhm.data
View file

@ -1,11 +1,23 @@
Diffie-Hellman full exchange #1
dhm_do_dhm:10:"23":10:"5"
dhm_do_dhm:10:"23":10:"5":0
Diffie-Hellman full exchange #2
dhm_do_dhm:10:"93450983094850938450983409623":10:"9345098304850938450983409622"
dhm_do_dhm:10:"93450983094850938450983409623":10:"9345098304850938450983409622":0
Diffie-Hellman full exchange #3
dhm_do_dhm:10:"93450983094850938450983409623982317398171298719873918739182739712938719287391879381271":10:"9345098309485093845098340962223981329819812792137312973297123912791271"
dhm_do_dhm:10:"93450983094850938450983409623982317398171298719873918739182739712938719287391879381271":10:"9345098309485093845098340962223981329819812792137312973297123912791271":0
Diffie-Hellman trivial subgroup #1
dhm_do_dhm:10:"23":10:"1":POLARSSL_ERR_DHM_BAD_INPUT_DATA
Diffie-Hellman trivial subgroup #2
dhm_do_dhm:10:"23":10:"-1":POLARSSL_ERR_DHM_BAD_INPUT_DATA
Diffie-Hellman small modulus
dhm_do_dhm:10:"3":10:"5":POLARSSL_ERR_DHM_MAKE_PARAMS_FAILED
Diffie-Hellman zero modulus
dhm_do_dhm:10:"0":10:"5":POLARSSL_ERR_DHM_BAD_INPUT_DATA
Diffie-Hallman load parameters from file
dhm_file:"data_files/dhparams.pem":"9e35f430443a09904f3a39a979797d070df53378e79c2438bef4e761f3c714553328589b041c809be1d6c6b5f1fc9f47d3a25443188253a992a56818b37ba9de5a40d362e56eff0be5417474c125c199272c8fe41dea733df6f662c92ae76556e755d10c64e6a50968f67fc6ea73d0dca8569be2ba204e23580d8bca2f4975b3":"02":128

7
tests/suites/test_suite_dhm.function
View file

@ -9,7 +9,7 @@
/* BEGIN_CASE */
void dhm_do_dhm( int radix_P, char *input_P,
int radix_G, char *input_G )
int radix_G, char *input_G, int result )
{
dhm_context ctx_srv;
dhm_context ctx_cli;
@ -44,7 +44,10 @@ void dhm_do_dhm( int radix_P, char *input_P,
/*
* First key exchange
*/
TEST_ASSERT( dhm_make_params( &ctx_srv, x_size, ske, &ske_len, &rnd_pseudo_rand, &rnd_info ) == 0 );
TEST_ASSERT( dhm_make_params( &ctx_srv, x_size, ske, &ske_len, &rnd_pseudo_rand, &rnd_info ) == result );
if ( result != 0 )
goto exit;
ske[ske_len++] = 0;
ske[ske_len++] = 0;
TEST_ASSERT( dhm_read_params( &ctx_cli, &p, ske + ske_len ) == 0 );

44
tests/suites/test_suite_pkcs1_v21.data
View file

@ -787,3 +787,47 @@ RSASSA-PSS Signature verify options #13 (MGF1 alg != MSG hash alg, arg wrong)
depends_on:POLARSSL_SHA256_C
pkcs1_rsassa_pss_verify_ext:1024:16:"00dd118a9f99bab068ca2aea3b6a6d5997ed4ec954e40deecea07da01eaae80ec2bb1340db8a128e891324a5c5f5fad8f590d7c8cacbc5fe931dafda1223735279461abaa0572b761631b3a8afe7389b088b63993a0a25ee45d21858bab9931aedd4589a631b37fcf714089f856549f359326dd1e0e86dde52ed66b4a90bda4095":16:"010001":POLARSSL_MD_NONE:POLARSSL_MD_SHA256:POLARSSL_MD_SHA1:RSA_SALT_LEN_ANY:"c0719e9a8d5d838d861dc6f675c899d2b309a3a65bb9fe6b11e5afcbf9a2c0b1":"7fc506d26ca3b22922a1ce39faaedd273161b82d9443c56f1a034f131ae4a18cae1474271cb4b66a17d9707ca58b0bdbd3c406b7e65bbcc9bbbce94dc45de807b4989b23b3e4db74ca29298137837eb90cc83d3219249bc7d480fceaf075203a86e54c4ecfa4e312e39f8f69d76534089a36ed9049ca9cfd5ab1db1fa75fe5c8":0:POLARSSL_ERR_RSA_INVALID_PADDING
RSASSA-PSS verify ext, 512-bit key, empty salt, good signature
depends_on:POLARSSL_SHA256_C
pkcs1_rsassa_pss_verify_ext:512:16:"00b076d23250816f9aab02307e452b97f0cae7598369b41624e8afc7971a59a13892f64b07eaa6ec928c160b2d6ec8f9d0dd5b63c8b3ac0767b4f65c892f56c10f":16:"010001":POLARSSL_MD_SHA256:POLARSSL_MD_SHA256:POLARSSL_MD_SHA256:0:"":"ace8b03347da1b9a7a5e94a0d76359bb39c819bb170bef38ea84995ed653446c0ae87ede434cdf9d0cb2d7bf164cf427892363e6855a1d24d0ce5dd72acaf246":0:0
RSASSA-PSS verify ext, 512-bit key, empty salt, bad signature
depends_on:POLARSSL_SHA256_C
pkcs1_rsassa_pss_verify_ext:512:16:"00b076d23250816f9aab02307e452b97f0cae7598369b41624e8afc7971a59a13892f64b07eaa6ec928c160b2d6ec8f9d0dd5b63c8b3ac0767b4f65c892f56c10f":16:"010001":POLARSSL_MD_SHA256:POLARSSL_MD_SHA256:POLARSSL_MD_SHA256:0:"":"ace8b03347da1b9a7a5e94a0d76359bb39c819bb170bef38ea84995ed653446c0ae87ede434cdf9d0cb2d7bf164cf427892363e6855a1d24d0ce5dd72acaf247":POLARSSL_ERR_RSA_INVALID_PADDING:POLARSSL_ERR_RSA_INVALID_PADDING
RSASSA-PSS verify ext, 522-bit key, SHA-512, empty salt, good signature
depends_on:POLARSSL_SHA512_C
pkcs1_rsassa_pss_verify_ext:522:16:"02d302753e3dda28f42f4d9f92c8647420ea6fbc97c10f8498b966a953f357698d6581060dfe32c8ab98db4bc5ce2acdf0c1e6e404a75a13282550c1aa37d3cdc8bf":16:"010001":POLARSSL_MD_SHA512:POLARSSL_MD_SHA512:POLARSSL_MD_SHA512:0:"":"016752ae0b5dfbade6bbd3dd37868d48c8d741f92dca41c360aeda553204c2212a117b1a3d77e0d3f48723503c46e16c8a64de00f1dee3e37e478417452630859486":0:0
RSASSA-PSS verify ext, 528-bit key, SHA-512, saltlen=64, good signature with saltlen=0
depends_on:POLARSSL_SHA512_C
pkcs1_rsassa_pss_verify_ext:528:16:"00e31c246d46485984261fd174cab3d4357344602ecd793c47dbe54252d37bb350bc634359b19515542080e4724a4b672291be57c7648f51629eaef234e847d99cc65f":16:"010001":POLARSSL_MD_SHA512:POLARSSL_MD_SHA512:POLARSSL_MD_SHA512:64:"":"a9ad7994ba3a1071124153486924448cc67a5af3a5d34e9261d53770782cc85f58e2edde5f7004652a645e3e9606530eb57de41df7298ae2be9dec69cc0d613ab629":0:POLARSSL_ERR_RSA_INVALID_PADDING
RSASSA-PSS verify ext, 528-bit key, SHA-512, empty salt, good signature
depends_on:POLARSSL_SHA512_C
pkcs1_rsassa_pss_verify_ext:528:16:"00e31c246d46485984261fd174cab3d4357344602ecd793c47dbe54252d37bb350bc634359b19515542080e4724a4b672291be57c7648f51629eaef234e847d99cc65f":16:"010001":POLARSSL_MD_SHA512:POLARSSL_MD_SHA512:POLARSSL_MD_SHA512:0:"":"a9ad7994ba3a1071124153486924448cc67a5af3a5d34e9261d53770782cc85f58e2edde5f7004652a645e3e9606530eb57de41df7298ae2be9dec69cc0d613ab629":0:0
RSASSA-PSS verify ext, 528-bit key, SHA-512, saltlen=64, good signature with saltlen=0
depends_on:POLARSSL_SHA512_C
pkcs1_rsassa_pss_verify_ext:528:16:"00e31c246d46485984261fd174cab3d4357344602ecd793c47dbe54252d37bb350bc634359b19515542080e4724a4b672291be57c7648f51629eaef234e847d99cc65f":16:"010001":POLARSSL_MD_SHA512:POLARSSL_MD_SHA512:POLARSSL_MD_SHA512:64:"":"a9ad7994ba3a1071124153486924448cc67a5af3a5d34e9261d53770782cc85f58e2edde5f7004652a645e3e9606530eb57de41df7298ae2be9dec69cc0d613ab629":0:POLARSSL_ERR_RSA_INVALID_PADDING
RSASSA-PSS verify ext, 512-bit key, SHA-512 (hash too large)
depends_on:POLARSSL_SHA512_C
pkcs1_rsassa_pss_verify_ext:512:16:"00b076d23250816f9aab02307e452b97f0cae7598369b41624e8afc7971a59a13892f64b07eaa6ec928c160b2d6ec8f9d0dd5b63c8b3ac0767b4f65c892f56c10f":16:"010001":POLARSSL_MD_SHA512:POLARSSL_MD_SHA512:POLARSSL_MD_SHA512:0:"":"ace8b03347da1b9a7a5e94a0d76359bb39c819bb170bef38ea84995ed653446c0ae87ede434cdf9d0cb2d7bf164cf427892363e6855a1d24d0ce5dd72acaf246":POLARSSL_ERR_RSA_BAD_INPUT_DATA:POLARSSL_ERR_RSA_BAD_INPUT_DATA
RSASSA-PSS verify ext, 521-bit key, SHA-512, empty salt, bad signature
depends_on:POLARSSL_SHA512_C
pkcs1_rsassa_pss_verify_ext:521:16:"0131b69860f3cb9bf85ea358fdf2bd2990f1b77a80d6a4fdf817a43dd896bdf7dd26af8ac0237f526e0d33b105c971fdbd4ffa9ece99fc469f31ecf429e8f562c1c3":16:"010001":POLARSSL_MD_SHA512:POLARSSL_MD_SHA512:POLARSSL_MD_SHA512:0:"":"00471794655837da498cbf27242807b40593a353c707eb22fd2cc5a3259e728ac4f1df676043eeec8e16c1175b3d9ac8cae72ec1d5772dd69de71c5677f19031568e":POLARSSL_ERR_RSA_BAD_INPUT_DATA:POLARSSL_ERR_RSA_BAD_INPUT_DATA
RSASSA-PSS verify ext, 521-bit key, SHA-256, empty salt, good signature
depends_on:POLARSSL_SHA256_C
pkcs1_rsassa_pss_verify_ext:521:16:"0131b69860f3cb9bf85ea358fdf2bd2990f1b77a80d6a4fdf817a43dd896bdf7dd26af8ac0237f526e0d33b105c971fdbd4ffa9ece99fc469f31ecf429e8f562c1c3":16:"010001":POLARSSL_MD_SHA256:POLARSSL_MD_SHA256:POLARSSL_MD_SHA256:0:"41":"009c4941157fa36288e467310b198ab0c615c40963d611ffeef03000549ded809235955ecc57adba44782e9497c004f480ba2b3d58db8335fe0b391075c02c843a6d":0:0
RSASSA-PSS verify ext, 521-bit key, SHA-256, empty salt, flipped-highest-bit signature
depends_on:POLARSSL_SHA256_C
pkcs1_rsassa_pss_verify_ext:521:16:"0131b69860f3cb9bf85ea358fdf2bd2990f1b77a80d6a4fdf817a43dd896bdf7dd26af8ac0237f526e0d33b105c971fdbd4ffa9ece99fc469f31ecf429e8f562c1c3":16:"010001":POLARSSL_MD_SHA256:POLARSSL_MD_SHA256:POLARSSL_MD_SHA256:0:"41":"00e11a2403df681c44a1f73f014b6c9ad17847d0b673f7c2a801cee208d10ab5792c10cd0cd495a4b331aaa521409fca7cb1b0d978b3a84cd67e28078b98753e9466":POLARSSL_ERR_RSA_BAD_INPUT_DATA:POLARSSL_ERR_RSA_BAD_INPUT_DATA
RSASSA-PSS verify ext, all-zero padding, automatic salt length
depends_on:POLARSSL_SHA256_C
pkcs1_rsassa_pss_verify_ext:512:16:"00b076d23250816f9aab02307e452b97f0cae7598369b41624e8afc7971a59a13892f64b07eaa6ec928c160b2d6ec8f9d0dd5b63c8b3ac0767b4f65c892f56c10f":16:"010001":POLARSSL_MD_NONE:POLARSSL_MD_SHA256:POLARSSL_MD_SHA256:RSA_SALT_LEN_ANY:"":"63a35294577c7e593170378175b7df27c293dae583ec2a971426eb2d66f2af483e897bfae5dc20300a9d61a3644e08c3aee61a463690a3498901563c46041056":POLARSSL_ERR_RSA_INVALID_PADDING:POLARSSL_ERR_RSA_INVALID_PADDING