From 686a05e90cb59dda0658db1dc3f20b4734e6b063 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Fri, 2 Mar 2018 17:11:39 -0500 Subject: [PATCH] Documentation fix Added more elaborate descriptions, fixed minor issues. --- include/mbedtls/oid.h | 2 +- include/mbedtls/pkcs11_client.h | 16 ++++++++++------ include/mbedtls/rsa.h | 2 +- library/pkcs11_client.c | 8 +++++--- library/rsa.c | 8 ++++---- tests/suites/test_suite_pkcs11_client.data | 4 ++-- tests/suites/test_suite_pkcs11_client.function | 15 ++++----------- 7 files changed, 27 insertions(+), 28 deletions(-) diff --git a/include/mbedtls/oid.h b/include/mbedtls/oid.h index 826ee6492..782764d82 100644 --- a/include/mbedtls/oid.h +++ b/include/mbedtls/oid.h @@ -227,7 +227,7 @@ #define MBEDTLS_OID_HMAC_SHA1 MBEDTLS_OID_RSA_COMPANY "\x02\x07" /**< id-hmacWithSHA1 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 7 } */ -#define MBEDTLS_MD_OID_MAX_SIZE 10 /**< Maximum length of an OID of a supported digest algorithm*/ +#define MBEDTLS_MD_OID_MAX_SIZE 10 /**< Maximum length of an OID of a supported digest algorithm */ /* * Encryption algorithms diff --git a/include/mbedtls/pkcs11_client.h b/include/mbedtls/pkcs11_client.h index 83aed5157..6d314a9a7 100644 --- a/include/mbedtls/pkcs11_client.h +++ b/include/mbedtls/pkcs11_client.h @@ -56,7 +56,9 @@ extern "C" { #include "pk.h" /** - * \brief Set up a PK context for a key pair in a PKCS#11 token + * \brief Set up a PK context from a key pair in a PKCS#11 token. + * This allows to access the token's cryptographic + * functionality through the PK interface. * * \param ctx PK context to fill, which must have been initialized * with mbedtls_pk_init(). @@ -84,7 +86,7 @@ int mbedtls_pk_setup_pkcs11( mbedtls_pk_context *ctx, * * This function imports a PK object containing a * public key or a private-public key pair into a - * PKCS#11 token. + * PKCS#11 token. * * \param ctx PK context, which must contain a transparent pk * object (type \c MBEDTLS_PK_RSA, @@ -113,10 +115,12 @@ int mbedtls_pk_setup_pkcs11( mbedtls_pk_context *ctx, * will be authorized for encryption. * * \param hSession Cryptoki session. - * \param hPublicKey If non-null, on output, Cryptoki handle of the public - * key. If null, the public key is not imported. - * \param hPrivateKey If non-null, on output, Cryptoki handle of the private - * key. If null, the private key is not imported. + * \param hPublicKey If not NULL, receives the Cryptoki handle of the public + * key on success. If NULL, the public key is not + * imported. + * \param hPrivateKey If not NULL, receives the Cryptoki handle of the + * private key on success. If NULL, the private key is + * not imported. * * \return 0 on success, * or MBEDTLS_ERR_PK_XXX error code. diff --git a/include/mbedtls/rsa.h b/include/mbedtls/rsa.h index 046bfc501..90a59073b 100644 --- a/include/mbedtls/rsa.h +++ b/include/mbedtls/rsa.h @@ -738,7 +738,7 @@ int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx, /** * \brief Encode a hash into a DigestInfo structure as specified - * by PKCS#1(RFC 8017, EMSA-PKCS1-v1_5-ENCODE step 2). + * by PKCS#1 (RFC 8017, EMSA-PKCS1-v1_5-ENCODE step 2). * Note: function works backwards in data buffer. * * \param p Reference to the current position pointer diff --git a/library/pkcs11_client.c b/library/pkcs11_client.c index 2e97d0e27..82cc0e19a 100644 --- a/library/pkcs11_client.c +++ b/library/pkcs11_client.c @@ -111,7 +111,7 @@ static size_t pkcs11_pk_get_bitlen( const void *ctx_arg ) static int pkcs11_pk_can_do( const void *ctx_arg, mbedtls_pk_type_t type ) { const mbedtls_pk_pkcs11_context_t *ctx = ctx_arg; - return ctx->key_type == mbedtls_pk_representation_type( type ); + return( ctx->key_type == mbedtls_pk_representation_type( type ) ); } static void *pkcs11_pk_alloc( ) @@ -138,6 +138,7 @@ static size_t pkcs11_pk_signature_size( const void *ctx_arg ) } } +#if defined(MBEDTLS_RSA_C) static int pkcs11_sign_core( mbedtls_pk_pkcs11_context_t *ctx, CK_MECHANISM_TYPE mechanism_type, const unsigned char *payload, size_t payload_len, @@ -145,7 +146,7 @@ static int pkcs11_sign_core( mbedtls_pk_pkcs11_context_t *ctx, size_t sig_size ) { CK_ULONG ck_sig_len = sig_size; - CK_MECHANISM mechanism = {mechanism_type, NULL_PTR, 0}; + CK_MECHANISM mechanism = { mechanism_type, NULL_PTR, 0 }; CK_RV rv; rv = C_SignInit( ctx->hSession, &mechanism, ctx->hPrivateKey ); if( rv != CKR_OK ) @@ -158,6 +159,7 @@ static int pkcs11_sign_core( mbedtls_pk_pkcs11_context_t *ctx, exit: return( pkcs11_err_to_mbedtls_pk_err( rv ) ); } +#endif /* MBEDTLS_RSA_C */ #if defined(MBEDTLS_RSA_C) static int pkcs11_sign_rsa( mbedtls_pk_pkcs11_context_t *ctx, @@ -234,7 +236,7 @@ static int pkcs11_verify_core( mbedtls_pk_pkcs11_context_t *ctx, const unsigned char *payload, size_t payload_len, const unsigned char *sig, size_t sig_len ) { - CK_MECHANISM mechanism = {mechanism_type, NULL_PTR, 0}; + CK_MECHANISM mechanism = { mechanism_type, NULL_PTR, 0 }; CK_RV rv; rv = C_VerifyInit( ctx->hSession, &mechanism, ctx->hPublicKey ); diff --git a/library/rsa.c b/library/rsa.c index 7f1a7451d..5268013b2 100644 --- a/library/rsa.c +++ b/library/rsa.c @@ -1538,7 +1538,7 @@ int mbedtls_rsa_emsa_pkcs1_v15_encode_digestinfo( unsigned char **p, if( md_alg == MBEDTLS_MD_NONE ) { - if( *p < start + hashlen ) + if( *p - start < (ptrdiff_t) hashlen ) return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); *p -= hashlen; memcpy( *p, hash, hashlen ); @@ -1550,7 +1550,7 @@ int mbedtls_rsa_emsa_pkcs1_v15_encode_digestinfo( unsigned char **p, return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); if( hashlen == 0 ) hashlen = mbedtls_md_get_size( md_info ); - else if ( hashlen != mbedtls_md_get_size( md_info ) ) + else if( hashlen != mbedtls_md_get_size( md_info ) ) return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); if( mbedtls_oid_get_oid_by_md( md_alg, &oid, &oid_size ) != 0 ) return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); @@ -1570,7 +1570,7 @@ int mbedtls_rsa_emsa_pkcs1_v15_encode_digestinfo( unsigned char **p, * - Need hashlen bytes for hash * - Need oid_size bytes for hash alg OID. */ - if( *p < start + 10 + oid_size + hashlen ) + if( *p - start < (ptrdiff_t) ( 10 + oid_size + hashlen) ) return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); *p -= 10 + oid_size + hashlen; start = *p; @@ -1657,7 +1657,7 @@ static int rsa_rsassa_pkcs1_v15_encode( mbedtls_md_type_t md_alg, unsigned char *p = dst + dst_len; /* Ignore hashlen if a hash algorithm is specified. This is - * fragile, but documented, bhavior. */ + * fragile, but documented, behavior. */ if( md_alg != MBEDTLS_MD_NONE ) hashlen = 0; diff --git a/tests/suites/test_suite_pkcs11_client.data b/tests/suites/test_suite_pkcs11_client.data index ba47f951e..32a888294 100644 --- a/tests/suites/test_suite_pkcs11_client.data +++ b/tests/suites/test_suite_pkcs11_client.data @@ -1,5 +1,5 @@ PKCS#11 RSA import and sign -depends_on:MBEDTLS_PK_C:MBEDTLS_ECDSA_C +depends_on:MBEDTLS_PK_C:MBEDTLS_RSA_C pk_import_sign:"data_files/server1.key" PKCS#11 RSA generate and sign @@ -10,7 +10,7 @@ PKCS#11 RSA import, sign and verify with Cryptoki depends_on:MBEDTLS_PK_C:MBEDTLS_RSA_C pk_import_sign_verify:"data_files/server1.key" -PKCS#11 RSA import, sign with MbedTLS and verify with Cryptoki +PKCS#11 RSA import, sign with Mbed TLS and verify with Cryptoki depends_on:MBEDTLS_PK_C:MBEDTLS_RSA_C pk_import_verify_signed:"data_files/server1.key" diff --git a/tests/suites/test_suite_pkcs11_client.function b/tests/suites/test_suite_pkcs11_client.function index d97233644..e43a0e47d 100644 --- a/tests/suites/test_suite_pkcs11_client.function +++ b/tests/suites/test_suite_pkcs11_client.function @@ -111,8 +111,6 @@ static CK_RV pkcs11_generate_key( mbedtls_pk_type_t key_type, {CKA_SIGN, &ck_true, sizeof( ck_true )}, }; CK_ULONG ck_rsa_key_size = RSA_KEY_SIZE_BITS; - unsigned char ecParams[16]; - size_t ecParams_length; switch( key_type ) { @@ -136,10 +134,6 @@ static CK_RV pkcs11_generate_key( mbedtls_pk_type_t key_type, private_attributes, ARRAY_LENGTH( private_attributes ), phPublicKey, phPrivateKey ) ); -exit: - /* Shouldn't happen except if there's a test error (e.g. trying to - use a curve that isn't compiled in). */ - return( -1 ); } @@ -298,7 +292,7 @@ exit: /* BEGIN_CASE depends_on:MBEDTLS_PK_C:MBEDTLS_SHA256_C */ void pk_import_sign_verify( char *file ) { - /* Sign with cryptoki, convert to mbedTLS format and save, + /* Sign with cryptoki, convert to Mbed TLS format and save, verify by cryptoki with a conversion to a raw, concatenated format by the engine. */ mbedtls_pk_context pkcs11_ctx; @@ -344,14 +338,14 @@ void pk_import_sign_verify( char *file ) sig_buffer, sig_length ) == 0 ); exit: + mbedtls_pk_free( &pkcs11_ctx ); + mbedtls_pk_free( &transparent_ctx ); if( hPublicKey != CK_INVALID_HANDLE ) C_DestroyObject( hSession, hPublicKey ); if( hPrivateKey != CK_INVALID_HANDLE ) C_DestroyObject( hSession, hPrivateKey ); C_CloseSession( hSession ); C_Finalize( NULL_PTR ); - mbedtls_pk_free( &pkcs11_ctx ); - mbedtls_pk_free( &transparent_ctx ); } /* END_CASE */ @@ -380,7 +374,6 @@ void pk_import_verify_signed( char *file ) TEST_ASSERT( hSession != CK_INVALID_HANDLE ); TEST_ASSERT( mbedtls_pk_import_to_pkcs11( &transparent_ctx, - MBEDTLS_PK_FLAG_SIGN | MBEDTLS_PK_FLAG_VERIFY, hSession, &hPublicKey, @@ -413,7 +406,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_RSA_C */ +/* BEGIN_CASE depends_on:MBEDTLS_PK_C:MBEDTLS_RSA_C */ void pk_rsa_hardcoded_verify( char *message_hex_string, int digest, int mod, int radix_N, char *input_N, int radix_E, char *input_E, char *result_hex_str, int result )