yuzu/mbedtls
1
0
Fork 0
mirror of https://github.com/yuzu-emu/mbedtls.git synced 2025-03-24 22:25:11 +00:00
Code Issues Packages Projects Releases Wiki Activity

Relax checks on RSA mode for public key operations

Browse source
This commit is contained in:
Manuel Pégourié-Gonnard 2014-06-02 16:47:02 +02:00
parent 78117d57b0
commit e6d1d82b66
2 changed files with 42 additions and 33 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

45
include/polarssl/rsa.h
View file

@ -126,6 +126,17 @@ rsa_context;
* *
* \note The hash_id parameter is actually ignored * \note The hash_id parameter is actually ignored
* when using RSA_PKCS_V15 padding. * when using RSA_PKCS_V15 padding.
*
* \note Choice of padding mode is strictly enforced for private key
* operations, since there might be security concerns in
* mixing padding modes. For public key operations it's merely
* a default value, which can be overriden by calling specific
* rsa_rsaes_xxx or rsa_rsassa_xxx functions.
*
* \note The chosen hash is always used for OEAP encryption.
* For PSS signatures, it's always used for making signatures,
* but can be overriden (and always is, if set to
* POLARSSL_MD_NONE) for verifying them.
*/ */
void rsa_init( rsa_context *ctx, void rsa_init( rsa_context *ctx,
int padding, int padding,
@ -133,16 +144,11 @@ void rsa_init( rsa_context *ctx,
/** /**
* \brief Set padding for an already initialized RSA context * \brief Set padding for an already initialized RSA context
* * See \c rsa_init() for details.
* Note: Set padding to RSA_PKCS_V21 for the RSAES-OAEP
* encryption scheme and the RSASSA-PSS signature scheme.
* *
* \param ctx RSA context to be set * \param ctx RSA context to be set
* \param padding RSA_PKCS_V15 or RSA_PKCS_V21 * \param padding RSA_PKCS_V15 or RSA_PKCS_V21
* \param hash_id RSA_PKCS_V21 hash identifier * \param hash_id RSA_PKCS_V21 hash identifier
*
* \note The hash_id parameter is actually ignored
* when using RSA_PKCS_V15 padding.
*/ */
void rsa_set_padding( rsa_context *ctx, int padding, int hash_id); void rsa_set_padding( rsa_context *ctx, int padding, int hash_id);
@ -405,11 +411,8 @@ int rsa_rsaes_oaep_decrypt( rsa_context *ctx,
* \note The "sig" buffer must be as large as the size * \note The "sig" buffer must be as large as the size
* of ctx->N (eg. 128 bytes if RSA-1024 is used). * of ctx->N (eg. 128 bytes if RSA-1024 is used).
* *
* \note In case of PKCS#1 v2.1 encoding keep in mind that * \note In case of PKCS#1 v2.1 encoding, see comments on
* the hash_id in the RSA context is the one used for the * \note \c rsa_rsassa_pss_sign() for details on md_alg and hash_id.
* encoding. hash_id in the function call is the type of hash
* that is encoded. According to RFC 3447 it is advised to
* keep both hashes the same.
*/ */
int rsa_pkcs1_sign( rsa_context *ctx, int rsa_pkcs1_sign( rsa_context *ctx,
int (*f_rng)(void *, unsigned char *, size_t), int (*f_rng)(void *, unsigned char *, size_t),
@ -466,9 +469,8 @@ int rsa_rsassa_pkcs1_v15_sign( rsa_context *ctx,
* \note The "sig" buffer must be as large as the size * \note The "sig" buffer must be as large as the size
* of ctx->N (eg. 128 bytes if RSA-1024 is used). * of ctx->N (eg. 128 bytes if RSA-1024 is used).
* *
* \note In case of PKCS#1 v2.1 encoding keep in mind that * \note The hash_id in the RSA context is the one used for the
* the hash_id in the RSA context is the one used for the * encoding. md_alg in the function call is the type of hash
* encoding. hash_id in the function call is the type of hash
* that is encoded. According to RFC 3447 it is advised to * that is encoded. According to RFC 3447 it is advised to
* keep both hashes the same. * keep both hashes the same.
*/ */
@ -501,11 +503,8 @@ int rsa_rsassa_pss_sign( rsa_context *ctx,
* \note The "sig" buffer must be as large as the size * \note The "sig" buffer must be as large as the size
* of ctx->N (eg. 128 bytes if RSA-1024 is used). * of ctx->N (eg. 128 bytes if RSA-1024 is used).
* *
* \note In case of PKCS#1 v2.1 encoding keep in mind that * \note In case of PKCS#1 v2.1 encoding, see comments on
* the hash_id in the RSA context is the one used for the * \c rsa_rsassa_pss_verify() about md_alg and hash_id.
* verification. hash_id in the function call is the type of
* hash that is verified. According to RFC 3447 it is advised to
* keep both hashes the same.
*/ */
int rsa_pkcs1_verify( rsa_context *ctx, int rsa_pkcs1_verify( rsa_context *ctx,
int (*f_rng)(void *, unsigned char *, size_t), int (*f_rng)(void *, unsigned char *, size_t),
@ -561,11 +560,11 @@ int rsa_rsassa_pkcs1_v15_verify( rsa_context *ctx,
* \note The "sig" buffer must be as large as the size * \note The "sig" buffer must be as large as the size
* of ctx->N (eg. 128 bytes if RSA-1024 is used). * of ctx->N (eg. 128 bytes if RSA-1024 is used).
* *
* \note In case of PKCS#1 v2.1 encoding keep in mind that * \note The hash_id in the RSA context is the one used for the
* the hash_id in the RSA context is the one used for the * verification. md_alg in the function call is the type of
* verification. hash_id in the function call is the type of
* hash that is verified. According to RFC 3447 it is advised to * hash that is verified. According to RFC 3447 it is advised to
* keep both hashes the same. * keep both hashes the same. If hash_id in the RSA context is
* unset, the md_alg from the function call is used.
*/ */
int rsa_rsassa_pss_verify( rsa_context *ctx, int rsa_rsassa_pss_verify( rsa_context *ctx,
int (*f_rng)(void *, unsigned char *, size_t), int (*f_rng)(void *, unsigned char *, size_t),

30
library/rsa.c
View file

@ -505,7 +505,10 @@ int rsa_rsaes_oaep_encrypt( rsa_context *ctx,
const md_info_t *md_info; const md_info_t *md_info;
md_context_t md_ctx; md_context_t md_ctx;
if( ctx->padding != RSA_PKCS_V21 || f_rng == NULL ) if( mode == RSA_PRIVATE && ctx->padding != RSA_PKCS_V21 )
return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
if( f_rng == NULL )
return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
md_info = md_info_from_type( ctx->hash_id ); md_info = md_info_from_type( ctx->hash_id );
@ -515,7 +518,7 @@ int rsa_rsaes_oaep_encrypt( rsa_context *ctx,
olen = ctx->len; olen = ctx->len;
hlen = md_get_size( md_info ); hlen = md_get_size( md_info );
if( olen < ilen + 2 * hlen + 2 || f_rng == NULL ) if( olen < ilen + 2 * hlen + 2 )
return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
memset( output, 0, olen ); memset( output, 0, olen );
@ -572,7 +575,10 @@ int rsa_rsaes_pkcs1_v15_encrypt( rsa_context *ctx,
int ret; int ret;
unsigned char *p = output; unsigned char *p = output;
if( ctx->padding != RSA_PKCS_V15 || f_rng == NULL ) if( mode == RSA_PRIVATE && ctx->padding != RSA_PKCS_V15 )
return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
if( f_rng == NULL )
return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
olen = ctx->len; olen = ctx->len;
@ -675,7 +681,7 @@ int rsa_rsaes_oaep_decrypt( rsa_context *ctx,
/* /*
* Parameters sanity checks * Parameters sanity checks
*/ */
if( ctx->padding != RSA_PKCS_V21 ) if( mode == RSA_PRIVATE && ctx->padding != RSA_PKCS_V21 )
return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
ilen = ctx->len; ilen = ctx->len;
@ -780,7 +786,7 @@ int rsa_rsaes_pkcs1_v15_decrypt( rsa_context *ctx,
unsigned char *p, bad, pad_done = 0; unsigned char *p, bad, pad_done = 0;
unsigned char buf[POLARSSL_MPI_MAX_SIZE]; unsigned char buf[POLARSSL_MPI_MAX_SIZE];
if( ctx->padding != RSA_PKCS_V15 ) if( mode == RSA_PRIVATE && ctx->padding != RSA_PKCS_V15 )
return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
ilen = ctx->len; ilen = ctx->len;
@ -901,7 +907,10 @@ int rsa_rsassa_pss_sign( rsa_context *ctx,
const md_info_t *md_info; const md_info_t *md_info;
md_context_t md_ctx; md_context_t md_ctx;
if( ctx->padding != RSA_PKCS_V21 || f_rng == NULL ) if( mode == RSA_PRIVATE && ctx->padding != RSA_PKCS_V21 )
return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
if( f_rng == NULL )
return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
olen = ctx->len; olen = ctx->len;
@ -995,7 +1004,7 @@ int rsa_rsassa_pkcs1_v15_sign( rsa_context *ctx,
unsigned char *p = sig; unsigned char *p = sig;
const char *oid; const char *oid;
if( ctx->padding != RSA_PKCS_V15 ) if( mode == RSA_PRIVATE && ctx->padding != RSA_PKCS_V15 )
return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
olen = ctx->len; olen = ctx->len;
@ -1117,7 +1126,7 @@ int rsa_rsassa_pss_verify( rsa_context *ctx,
const md_info_t *md_info; const md_info_t *md_info;
md_context_t md_ctx; md_context_t md_ctx;
if( ctx->padding != RSA_PKCS_V21 ) if( mode == RSA_PRIVATE && ctx->padding != RSA_PKCS_V21 )
return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
siglen = ctx->len; siglen = ctx->len;
@ -1148,7 +1157,8 @@ int rsa_rsassa_pss_verify( rsa_context *ctx,
hashlen = md_get_size( md_info ); hashlen = md_get_size( md_info );
} }
md_info = md_info_from_type( ctx->hash_id ); md_info = md_info_from_type( ctx->hash_id != POLARSSL_MD_NONE ?
ctx->hash_id : md_alg );
if( md_info == NULL ) if( md_info == NULL )
return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
@ -1227,7 +1237,7 @@ int rsa_rsassa_pkcs1_v15_verify( rsa_context *ctx,
const md_info_t *md_info; const md_info_t *md_info;
asn1_buf oid; asn1_buf oid;
if( ctx->padding != RSA_PKCS_V15 ) if( mode == RSA_PRIVATE && ctx->padding != RSA_PKCS_V15 )
return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
siglen = ctx->len; siglen = ctx->len;