From e7885e54416a42690f153e0cf476ed83a477aa86 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
Date: Tue, 22 Jun 2021 12:29:27 +0200
Subject: [PATCH 1/3] RSA: Require hashlen to match md_alg when applicable
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Manuel Pégourié-Gonnard
---
 ChangeLog.d/require-matching-hashlen-rsa.txt | 4 +
 .../require-matching-hashlen-rsa.md | 13 +++
 include/mbedtls/rsa.h | 80 ++++++++-----------
 3 files changed, 49 insertions(+), 48 deletions(-)
 create mode 100644 ChangeLog.d/require-matching-hashlen-rsa.txt
 create mode 100644 docs/3.0-migration-guide.d/require-matching-hashlen-rsa.md
diff --git a/ChangeLog.d/require-matching-hashlen-rsa.txt b/ChangeLog.d/require-matching-hashlen-rsa.txt
new file mode 100644
index 000000000..d1420d1f9
--- /dev/null
+++ b/ChangeLog.d/require-matching-hashlen-rsa.txt
@@ -0,0 +1,4 @@
+API changes
+ * Functions in the RSA module that accept a hashlen parameter now require
+ it to match the output size of the hash algorithm used, except when
+ signing raw data.
diff --git a/docs/3.0-migration-guide.d/require-matching-hashlen-rsa.md b/docs/3.0-migration-guide.d/require-matching-hashlen-rsa.md
new file mode 100644
index 000000000..75fadd878
--- /dev/null
+++ b/docs/3.0-migration-guide.d/require-matching-hashlen-rsa.md
@@ -0,0 +1,13 @@
+RSA signature functions now require `hashlen` to match the expected value
+-------------------------------------------------------------------------
+
+This only affects users of the low-level RSA API; users of the high-level PK
+API or of the PSA Crypto API are not affected.
+
+All the functions in the RSA module that accept a `hashlen` parameter used to
+ignore it unless the `md_alg` parameter was `MBEDTLS_MD_NONE`, indicating raw
+data was signed. They now require this parameter's value to be equal to the
+output size of the hash algorithm used when signing a hash. (The requirements
+when signing raw data are unchanged.)
+
+The migration path is to pass the correct value to those functions.
diff --git a/include/mbedtls/rsa.h b/include/mbedtls/rsa.h
index c953a8949..9a070e703 100644
--- a/include/mbedtls/rsa.h
+++ b/include/mbedtls/rsa.h
@@ -796,13 +796,11 @@ int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx,
  * if \p f_rng doesn't need a context argument.
  * \param md_alg The message-digest algorithm used to hash the original data.
  * Use #MBEDTLS_MD_NONE for signing raw data.
- * \param hashlen The length of the message digest.
- * Ths is only used if \p md_alg is #MBEDTLS_MD_NONE.
+ * \param hashlen The length of the message digest or raw data in Bytes.
+ * If \p md_alg is not #MBEDTLS_MD_NONE, this must match the
+ * output length of the corresponding hash algorithm.
  * \param hash The buffer holding the message digest or raw data.
- * If \p md_alg is #MBEDTLS_MD_NONE, this must be a readable
- * buffer of length \p hashlen Bytes. If \p md_alg is not
- * #MBEDTLS_MD_NONE, it must be a readable buffer of length
- * the size of the hash corresponding to \p md_alg.
+ * This must be a readable buffer of at least \p hashlen Bytes.
  * \param sig The buffer to hold the signature. This must be a writable
  * buffer of length \c ctx->len Bytes. For example, \c 256 Bytes
  * for an 2048-bit RSA modulus. A buffer length of
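Review bot: The rewritten `\param hashlen` text for mbedtls_rsa_pkcs1_sign says the value must match the digest size but not what happens on a mismatch, so a reader of the header alone cannot tell whether it is rejected or silently substituted as before; the seven following rsa.h hunks in this patch carry the identical text. The rsa.c change later in this series returns MBEDTLS_ERR_RSA_BAD_INPUT_DATA in that case, so I would add ` *                 A mismatch is rejected with #MBEDTLS_ERR_RSA_BAD_INPUT_DATA.` after the "output length of the corresponding hash algorithm" line in each block. In the four verify-function hunks the untouched context line `Use #MBEDTLS_MD_NONE for signing raw data.` now sits directly above the new wording and still says "signing"; "signing or verifying" would read correctly for both.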
@@ -830,13 +828,11 @@ int mbedtls_rsa_pkcs1_sign( mbedtls_rsa_context *ctx,
  * if \p f_rng doesn't need a context argument.
  * \param md_alg The message-digest algorithm used to hash the original data.
  * Use #MBEDTLS_MD_NONE for signing raw data.
- * \param hashlen The length of the message digest.
- * Ths is only used if \p md_alg is #MBEDTLS_MD_NONE.
+ * \param hashlen The length of the message digest or raw data in Bytes.
+ * If \p md_alg is not #MBEDTLS_MD_NONE, this must match the
+ * output length of the corresponding hash algorithm.
  * \param hash The buffer holding the message digest or raw data.
- * If \p md_alg is #MBEDTLS_MD_NONE, this must be a readable
- * buffer of length \p hashlen Bytes. If \p md_alg is not
- * #MBEDTLS_MD_NONE, it must be a readable buffer of length
- * the size of the hash corresponding to \p md_alg.
+ * This must be a readable buffer of at least \p hashlen Bytes.
  * \param sig The buffer to hold the signature. This must be a writable
  * buffer of length \c ctx->len Bytes. For example, \c 256 Bytes
  * for an 2048-bit RSA modulus. A buffer length of
@@ -878,13 +874,11 @@ int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx,
  * if \p f_rng doesn't need a context argument.
  * \param md_alg The message-digest algorithm used to hash the original data.
  * Use #MBEDTLS_MD_NONE for signing raw data.
- * \param hashlen The length of the message digest.
- * Ths is only used if \p md_alg is #MBEDTLS_MD_NONE.
+ * \param hashlen The length of the message digest or raw data in Bytes.
+ * If \p md_alg is not #MBEDTLS_MD_NONE, this must match the
+ * output length of the corresponding hash algorithm.
  * \param hash The buffer holding the message digest or raw data.
- * If \p md_alg is #MBEDTLS_MD_NONE, this must be a readable
- * buffer of length \p hashlen Bytes. If \p md_alg is not
- * #MBEDTLS_MD_NONE, it must be a readable buffer of length
- * the size of the hash corresponding to \p md_alg.
+ * This must be a readable buffer of at least \p hashlen Bytes.
  * \param saltlen The length of the salt that should be used.
  * If passed #MBEDTLS_RSA_SALT_LEN_ANY, the function will use
  * the largest possible salt length up to the hash length,
@@ -935,13 +929,11 @@ int mbedtls_rsa_rsassa_pss_sign_ext( mbedtls_rsa_context *ctx,
  * if \p f_rng doesn't need a context argument.
  * \param md_alg The message-digest algorithm used to hash the original data.
  * Use #MBEDTLS_MD_NONE for signing raw data.
- * \param hashlen The length of the message digest.
- * This is only used if \p md_alg is #MBEDTLS_MD_NONE.
+ * \param hashlen The length of the message digest or raw data in Bytes.
+ * If \p md_alg is not #MBEDTLS_MD_NONE, this must match the
+ * output length of the corresponding hash algorithm.
  * \param hash The buffer holding the message digest or raw data.
- * If \p md_alg is #MBEDTLS_MD_NONE, this must be a readable
- * buffer of length \p hashlen Bytes. If \p md_alg is not
- * #MBEDTLS_MD_NONE, it must be a readable buffer of length
- * the size of the hash corresponding to \p md_alg.
+ * This must be a readable buffer of at least \p hashlen Bytes.
  * \param sig The buffer to hold the signature. This must be a writable
  * buffer of length \c ctx->len Bytes. For example, \c 256 Bytes
  * for an 2048-bit RSA modulus. A buffer length of
@@ -972,13 +964,11 @@ int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx,
  * \param ctx The initialized RSA public key context to use.
  * \param md_alg The message-digest algorithm used to hash the original data.
  * Use #MBEDTLS_MD_NONE for signing raw data.
- * \param hashlen The length of the message digest.
- * This is only used if \p md_alg is #MBEDTLS_MD_NONE.
+ * \param hashlen The length of the message digest or raw data in Bytes.
+ * If \p md_alg is not #MBEDTLS_MD_NONE, this must match the
+ * output length of the corresponding hash algorithm.
  * \param hash The buffer holding the message digest or raw data.
- * If \p md_alg is #MBEDTLS_MD_NONE, this must be a readable
- * buffer of length \p hashlen Bytes. If \p md_alg is not
- * #MBEDTLS_MD_NONE, it must be a readable buffer of length
- * the size of the hash corresponding to \p md_alg.
+ * This must be a readable buffer of at least \p hashlen Bytes.
  * \param sig The buffer holding the signature. This must be a readable
  * buffer of length \c ctx->len Bytes. For example, \c 256 Bytes
  * for an 2048-bit RSA modulus.
@@ -999,13 +989,11 @@ int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx,
  * \param ctx The initialized RSA public key context to use.
  * \param md_alg The message-digest algorithm used to hash the original data.
  * Use #MBEDTLS_MD_NONE for signing raw data.
- * \param hashlen The length of the message digest.
- * This is only used if \p md_alg is #MBEDTLS_MD_NONE.
+ * \param hashlen The length of the message digest or raw data in Bytes.
+ * If \p md_alg is not #MBEDTLS_MD_NONE, this must match the
+ * output length of the corresponding hash algorithm.
  * \param hash The buffer holding the message digest or raw data.
- * If \p md_alg is #MBEDTLS_MD_NONE, this must be a readable
- * buffer of length \p hashlen Bytes. If \p md_alg is not
- * #MBEDTLS_MD_NONE, it must be a readable buffer of length
- * the size of the hash corresponding to \p md_alg.
+ * This must be a readable buffer of at least \p hashlen Bytes.
  * \param sig The buffer holding the signature. This must be a readable
  * buffer of length \c ctx->len Bytes. For example, \c 256 Bytes
  * for an 2048-bit RSA modulus.
@@ -1036,13 +1024,11 @@ int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx,
  * \param ctx The initialized RSA public key context to use.
  * \param md_alg The message-digest algorithm used to hash the original data.
  * Use #MBEDTLS_MD_NONE for signing raw data.
- * \param hashlen The length of the message digest.
- * This is only used if \p md_alg is #MBEDTLS_MD_NONE.
+ * \param hashlen The length of the message digest or raw data in Bytes.
+ * If \p md_alg is not #MBEDTLS_MD_NONE, this must match the
+ * output length of the corresponding hash algorithm.
  * \param hash The buffer holding the message digest or raw data.
- * If \p md_alg is #MBEDTLS_MD_NONE, this must be a readable
- * buffer of length \p hashlen Bytes. If \p md_alg is not
- * #MBEDTLS_MD_NONE, it must be a readable buffer of length
- * the size of the hash corresponding to \p md_alg.
+ * This must be a readable buffer of at least \p hashlen Bytes.
  * \param sig The buffer holding the signature. This must be a readable
  * buffer of length \c ctx->len Bytes. For example, \c 256 Bytes
  * for an 2048-bit RSA modulus.
@@ -1069,13 +1055,11 @@ int mbedtls_rsa_rsassa_pss_verify( mbedtls_rsa_context *ctx,
  * \param ctx The initialized RSA public key context to use.
  * \param md_alg The message-digest algorithm used to hash the original data.
  * Use #MBEDTLS_MD_NONE for signing raw data.
- * \param hashlen The length of the message digest.
- * This is only used if \p md_alg is #MBEDTLS_MD_NONE.
+ * \param hashlen The length of the message digest or raw data in Bytes.
+ * If \p md_alg is not #MBEDTLS_MD_NONE, this must match the
+ * output length of the corresponding hash algorithm.
  * \param hash The buffer holding the message digest or raw data.
- * If \p md_alg is #MBEDTLS_MD_NONE, this must be a readable
- * buffer of length \p hashlen Bytes. If \p md_alg is not
- * #MBEDTLS_MD_NONE, it must be a readable buffer of length
- * the size of the hash corresponding to \p md_alg.
+ * This must be a readable buffer of at least \p hashlen Bytes.
  * \param mgf1_hash_id The message digest algorithm used for the
  * verification operation and the mask generation
  * function (MGF1). For more details on the encoding
From 9dbbc297a393bb129cf2653c2e36501f91d425e2 Mon Sep 17 00:00:00 2001
From: Gilles Peskine
Date: Tue, 22 Jun 2021 18:28:13 +0200
Subject: [PATCH 2/3] PK signature function: require exact hash length
Signed-off-by: Gilles Peskine
---
 ChangeLog.d/require-matching-hashlen-rsa.txt | 7 +++--
 .../require-matching-hashlen-rsa.md | 25 +++++++++++++------
 include/mbedtls/pk.h | 24 +++++++++---------
 3 files changed, 34 insertions(+), 22 deletions(-)
diff --git a/ChangeLog.d/require-matching-hashlen-rsa.txt b/ChangeLog.d/require-matching-hashlen-rsa.txt
index d1420d1f9..096b577b5 100644
--- a/ChangeLog.d/require-matching-hashlen-rsa.txt
+++ b/ChangeLog.d/require-matching-hashlen-rsa.txt
@@ -1,4 +1,5 @@
 API changes
- * Functions in the RSA module that accept a hashlen parameter now require
- it to match the output size of the hash algorithm used, except when
- signing raw data.
+ * Signature functions in the RSA and PK modules now require the hash
+ length parameter to be the size of the hash input. For RSA signatures
+ other than raw PKCS#1 v1.5, this must match the output size of the
+ specified hash algorithm.
diff --git a/docs/3.0-migration-guide.d/require-matching-hashlen-rsa.md b/docs/3.0-migration-guide.d/require-matching-hashlen-rsa.md
index 75fadd878..d59a8d397 100644
--- a/docs/3.0-migration-guide.d/require-matching-hashlen-rsa.md
+++ b/docs/3.0-migration-guide.d/require-matching-hashlen-rsa.md
@@ -1,13 +1,24 @@
-RSA signature functions now require `hashlen` to match the expected value
--------------------------------------------------------------------------
+Signature functions now require the hash length to match the expected value
+---------------------------------------------------------------------------
-This only affects users of the low-level RSA API; users of the high-level PK
-API or of the PSA Crypto API are not affected.
+This affects users of the PK API as well as users of the low-level API in the RSA module. Users of the PSA API or of the ECDSA module are unaffected.
 All the functions in the RSA module that accept a `hashlen` parameter used to
 ignore it unless the `md_alg` parameter was `MBEDTLS_MD_NONE`, indicating raw
-data was signed. They now require this parameter's value to be equal to the
-output size of the hash algorithm used when signing a hash. (The requirements
-when signing raw data are unchanged.)
+data was signed. The `hashlen` parameter is now always the size that is read
+from the `hash` input buffer. This length must be equal to the output size of
+the hash algorithm used when signing a hash. (The requirements when signing
+raw data are unchanged.) This affects the following functions:
+
+* `mbedtls_rsa_pkcs1_sign`, `mbedtls_rsa_pkcs1_verify`
+* `mbedtls_rsa_rsassa_pkcs1_v15_sign`, `mbedtls_rsa_rsassa_pkcs1_v15_verify`
+* `mbedtls_rsa_rsassa_pss_sign`, `mbedtls_rsa_rsassa_pss_verify`
+* `mbedtls_rsa_rsassa_pss_sign_ext`, `mbedtls_rsa_rsassa_pss_verify_ext`
+
+The signature functions in the PK module no longer accept 0 as the `hash_len` parameter. The `hash_len` parameter is now always the size that is read from the `hash` input buffer. This affects the following functions:
+
+* `mbedtls_pk_sign`, `mbedtls_pk_verify`
+* `mbedtls_pk_sign_restartable`, `mbedtls_pk_verify_restartable`
+* `mbedtls_pk_verify_ext`
 The migration path is to pass the correct value to those functions.
diff --git a/include/mbedtls/pk.h b/include/mbedtls/pk.h
index 85bf7c906..d29059dbe 100644
--- a/include/mbedtls/pk.h
+++ b/include/mbedtls/pk.h
@@ -399,9 +399,17 @@ int mbedtls_pk_can_do( const mbedtls_pk_context *ctx, mbedtls_pk_type_t type );
  * \brief Verify signature (including padding if relevant).
  *
  * \param ctx The PK context to use. It must have been set up.
- * \param md_alg Hash algorithm used (see notes)
+ * \param md_alg Hash algorithm used.
+ * This can be #MBEDTLS_MD_NONE if the signature algorithm
+ * does not rely on a hash algorithm (non-deterministic
+ * ECDSA, RSA PKCS#1 v1.5).
+ * For PKCS#1 v1.5, if \p md_alg is #MBEDTLS_MD_NONE, then
+ * \p hash is the DigestInfo structure used by RFC 8017
+ * §9.2 steps 3–6. If \p md_alg is a valid hash
+ * algorithm then \p hash is the digest itself, and this
+ * function calculates the DigestInfo encoding internally.
  * \param hash Hash of the message to sign
- * \param hash_len Hash length or 0 (see notes)
+ * \param hash_len Hash length
  * \param sig Signature to verify
  * \param sig_len Signature length
  *
@@ -413,11 +421,6 @@ int mbedtls_pk_can_do( const mbedtls_pk_context *ctx, mbedtls_pk_type_t type );
  * \note For RSA keys, the default padding type is PKCS#1 v1.5.
  * Use \c mbedtls_pk_verify_ext( MBEDTLS_PK_RSASSA_PSS, ... )
  * to verify RSASSA_PSS signatures.
- *
- * \note If hash_len is 0, then the length associated with md_alg
- * is used instead, or an error returned if it is invalid.
- *
- * \note md_alg may be MBEDTLS_MD_NONE, only if hash_len != 0
  */
 int mbedtls_pk_verify( mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
 const unsigned char *hash, size_t hash_len,
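Review bot: The new `\param hash_len Hash length` for mbedtls_pk_verify drops the "(see notes)" pointer but does not state the unit or that 0 is no longer accepted, even though the migration guide in this commit says the PK signature functions "no longer accept 0 as the hash_len parameter"; `\param hash_len Length of \p hash in Bytes. Must not be 0.` would keep the header self-sufficient. In the md_alg text, the parenthetical "(non-deterministic ECDSA, RSA PKCS#1 v1.5)" is confusing on a verify function, because ECDSA verification does not depend on how the signer chose the nonce; "ECDSA" alone seems accurate here, with the signing-side restriction left to the mbedtls_pk_sign note later in this patch.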
@@ -490,7 +493,7 @@ int mbedtls_pk_verify_ext( mbedtls_pk_type_t type, const void *options,
  * with a private key.
  * \param md_alg Hash algorithm used (see notes)
  * \param hash Hash of the message to sign
- * \param hash_len Hash length or 0 (see notes)
+ * \param hash_len Hash length
  * \param sig Place to write the signature.
  * It must have enough room for the signature.
  * #MBEDTLS_PK_SIGNATURE_MAX_SIZE is always enough.
@@ -507,9 +510,6 @@ int mbedtls_pk_verify_ext( mbedtls_pk_type_t type, const void *options,
  * There is no interface in the PK module to make RSASSA-PSS
  * signatures yet.
  *
- * \note If hash_len is 0, then the length associated with md_alg
- * is used instead, or an error returned if it is invalid.
- *
  * \note For RSA, md_alg may be MBEDTLS_MD_NONE if hash_len != 0.
  * For ECDSA, md_alg may never be MBEDTLS_MD_NONE.
  */
@@ -530,7 +530,7 @@ int mbedtls_pk_sign( mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
  * with a private key.
  * \param md_alg Hash algorithm used (see notes for mbedtls_pk_sign())
  * \param hash Hash of the message to sign
- * \param hash_len Hash length or 0 (see notes for mbedtls_pk_sign())
+ * \param hash_len Hash length
  * \param sig Place to write the signature.
  * It must have enough room for the signature.
  * #MBEDTLS_PK_SIGNATURE_MAX_SIZE is always enough.
From 6e3187b2122055bbd0bf43f59d01dd4d6dc89f35 Mon Sep 17 00:00:00 2001
From: Gilles Peskine
Date: Tue, 22 Jun 2021 18:39:53 +0200
Subject: [PATCH 3/3] RSA: Use hashlen as the hash input size as documented
Where hashlen was previously ignored when the hash length could be inferred from an md_alg parameter, the two must now match. Adapt the existing tests accordingly. Adapt the sample programs accordingly. This commit does not add any negative testing.
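Review bot: In the second hunk the surviving note `\note For RSA, md_alg may be MBEDTLS_MD_NONE if hash_len != 0.` conditions on a value that, per the migration guide added in this commit, mbedtls_pk_sign no longer accepts at all, so the qualifier is dead text after this change. `\note For RSA, md_alg may be MBEDTLS_MD_NONE; \p hash is then the DigestInfo structure, as for mbedtls_pk_verify().` would match the wording this patch gives the verify side. The `\param hash_len Hash length` lines in the first and third hunks would likewise benefit from "in Bytes" and the nonzero requirement.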
Signed-off-by: Gilles Peskine
---
 library/rsa.c | 20 ++++++++-----
 programs/pkey/dh_client.c | 2 +-
 programs/pkey/dh_server.c | 2 +-
 programs/pkey/rsa_sign.c | 2 +-
 programs/pkey/rsa_verify.c | 2 +-
 tests/suites/test_suite_pk.function | 22 +++++++-------
 tests/suites/test_suite_pkcs1_v15.function | 20 +++++++------
 tests/suites/test_suite_pkcs1_v21.function | 35 +++++++++++++---------
 tests/suites/test_suite_rsa.function | 22 +++++++-------
 9 files changed, 71 insertions(+), 56 deletions(-)
diff --git a/library/rsa.c b/library/rsa.c
index a788337a5..57b8a6f4b 100644
--- a/library/rsa.c
+++ b/library/rsa.c
@@ -1799,7 +1799,8 @@ static int rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx,
 if( md_info == NULL )
 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
- hashlen = mbedtls_md_get_size( md_info );
+ if( hashlen != mbedtls_md_get_size( md_info ) )
+ return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
 }
 md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id );
@@ -1934,14 +1935,13 @@ int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx,
  * Parameters:
  * - md_alg: Identifies the hash algorithm used to generate the given hash;
  * MBEDTLS_MD_NONE if raw data is signed.
- * - hashlen: Length of hash in case hashlen is MBEDTLS_MD_NONE.
+ * - hashlen: Length of hash. Must match md_alg if that's not NONE.
  * - hash: Buffer containing the hashed message or the raw data.
  * - dst_len: Length of the encoded message.
  * - dst: Buffer to hold the encoded message.
  *
  * Assumptions:
- * - hash has size hashlen if md_alg == MBEDTLS_MD_NONE.
- * - hash has size corresponding to md_alg if md_alg != MBEDTLS_MD_NONE.
+ * - hash has size hashlen.
  * - dst points to a buffer of size at least dst_len.
  *
  */
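Review bot: The new rejection `if( hashlen != mbedtls_md_get_size( md_info ) ) return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );` in rsa_rsassa_pss_sign has no test reaching it, and the commit message states that no negative testing is added; the same applies to the identical checks in rsa_rsassa_pkcs1_v15_encode and mbedtls_rsa_rsassa_pss_verify_ext in the following hunks. Since these checks are the behavioural change of the series, one test case per sign and verify entry point passing a hashlen one byte off the digest size and expecting MBEDTLS_ERR_RSA_BAD_INPUT_DATA would stop a regression to the old silently-overriding behaviour from going unnoticed. rsa_rsassa_pss_sign begins before this hunk, so how md_alg == MBEDTLS_MD_NONE is routed around the shown `if( md_info == NULL )` cannot be seen here.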
@@ -1966,7 +1966,8 @@ static int rsa_rsassa_pkcs1_v15_encode( mbedtls_md_type_t md_alg,
 if( mbedtls_oid_get_oid_by_md( md_alg, &oid, &oid_size ) != 0 )
 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
- hashlen = mbedtls_md_get_size( md_info );
+ if( hashlen != mbedtls_md_get_size( md_info ) )
+ return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
 /* Double-check that 8 + hashlen + oid_size can be used as a
 * 1-byte ASN.1 length encoding and that there's no overflow. */
@@ -2031,6 +2032,8 @@ static int rsa_rsassa_pkcs1_v15_encode( mbedtls_md_type_t md_alg,
 * TAG-NULL + LEN [ NULL ] ]
 * TAG-OCTET + LEN [ HASH ] ] */
+ if( 0x08 + oid_size + hashlen >= 0x80 )
+ return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
 *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;
 *p++ = (unsigned char)( 0x08 + oid_size + hashlen );
 *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;
@@ -2212,7 +2215,8 @@ int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx,
 if( md_info == NULL )
 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
- hashlen = mbedtls_md_get_size( md_info );
+ if( hashlen != mbedtls_md_get_size( md_info ) )
+ return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
 }
 md_info = mbedtls_md_info_from_type( mgf1_hash_id );
@@ -2683,7 +2687,7 @@ int mbedtls_rsa_self_test( int verbose )
 }
 if( mbedtls_rsa_pkcs1_sign( &rsa, myrand, NULL,
- MBEDTLS_MD_SHA1, 0,
+ MBEDTLS_MD_SHA1, 20,
 sha1sum, rsa_ciphertext ) != 0 )
 {
 if( verbose != 0 )
@@ -2696,7 +2700,7 @@ int mbedtls_rsa_self_test( int verbose )
 if( verbose != 0 )
 mbedtls_printf( "passed\n PKCS#1 sig. verify: " );
- if( mbedtls_rsa_pkcs1_verify( &rsa, MBEDTLS_MD_SHA1, 0,
+ if( mbedtls_rsa_pkcs1_verify( &rsa, MBEDTLS_MD_SHA1, 20,
 sha1sum, rsa_ciphertext ) != 0 )
 {
 if( verbose != 0 )
diff --git a/programs/pkey/dh_client.c b/programs/pkey/dh_client.c
index d68dc2477..88e817eaa 100644
--- a/programs/pkey/dh_client.c
+++ b/programs/pkey/dh_client.c
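Review bot: The added guard `if( 0x08 + oid_size + hashlen >= 0x80 ) return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );` in the second hunk sits directly before the length byte it protects, but the first hunk's context already carries a comment announcing a check that `8 + hashlen + oid_size can be used as a 1-byte ASN.1 length encoding`, whose actual condition lies outside the hunk. If that earlier check is still present the two should be consolidated, or the new one should say why it is repeated at the point of use, e.g. `/* Re-check at the point of encoding: the length byte must stay in short form. */`; if the earlier check was altered in a way not visible here, its comment should be updated to match. rsa_rsassa_pkcs1_v15_encode begins before these hunks.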
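Review bot: The self-test hunks replace `0` with the bare literal `20` for MBEDTLS_MD_SHA1, and the dh_client.c, dh_server.c, rsa_sign.c and rsa_verify.c hunks that follow do the same with `32` for MBEDTLS_MD_SHA256; the value rsa_sign.c and rsa_verify.c previously passed was `20` with SHA-256, a mismatch that used to be ignored and would now be rejected, which is exactly the coupling a loose literal hides. If `sha1sum` and `hash` are declared as fixed-size arrays (their declarations are outside these hunks), `sizeof( sha1sum )` and `sizeof( hash )` tie the length to the buffer; otherwise `mbedtls_md_get_size( mbedtls_md_info_from_type( MBEDTLS_MD_SHA256 ) )` ties it to the algorithm the call names.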
@@ -221,7 +221,7 @@ int main( void )
 }
 if( ( ret = mbedtls_rsa_pkcs1_verify( &rsa, MBEDTLS_MD_SHA256,
- 0, hash, p ) ) != 0 )
+ 32, hash, p ) ) != 0 )
 {
 mbedtls_printf( " failed\n ! mbedtls_rsa_pkcs1_verify returned %d\n\n", ret );
 goto exit;
diff --git a/programs/pkey/dh_server.c b/programs/pkey/dh_server.c
index 9d51c14a8..e469bbc02 100644
--- a/programs/pkey/dh_server.c
+++ b/programs/pkey/dh_server.c
@@ -229,7 +229,7 @@ int main( void )
 buf[n + 1] = (unsigned char)( rsa.MBEDTLS_PRIVATE(len) );
 if( ( ret = mbedtls_rsa_pkcs1_sign( &rsa, NULL, NULL, MBEDTLS_MD_SHA256,
- 0, hash, buf + n + 2 ) ) != 0 )
+ 32, hash, buf + n + 2 ) ) != 0 )
 {
 mbedtls_printf( " failed\n ! mbedtls_rsa_pkcs1_sign returned %d\n\n", ret );
 goto exit;
diff --git a/programs/pkey/rsa_sign.c b/programs/pkey/rsa_sign.c
index d9ba3bb6e..ebc88e457 100644
--- a/programs/pkey/rsa_sign.c
+++ b/programs/pkey/rsa_sign.c
@@ -147,7 +147,7 @@ int main( int argc, char *argv[] )
 }
 if( ( ret = mbedtls_rsa_pkcs1_sign( &rsa, NULL, NULL, MBEDTLS_MD_SHA256,
- 20, hash, buf ) ) != 0 )
+ 32, hash, buf ) ) != 0 )
 {
 mbedtls_printf( " failed\n ! mbedtls_rsa_pkcs1_sign returned -0x%0x\n\n", (unsigned int) -ret );
 goto exit;
diff --git a/programs/pkey/rsa_verify.c b/programs/pkey/rsa_verify.c
index fff568a3d..5a68246e5 100644
--- a/programs/pkey/rsa_verify.c
+++ b/programs/pkey/rsa_verify.c
@@ -141,7 +141,7 @@ int main( int argc, char *argv[] )
 }
 if( ( ret = mbedtls_rsa_pkcs1_verify( &rsa, MBEDTLS_MD_SHA256,
- 20, hash, buf ) ) != 0 )
+ 32, hash, buf ) ) != 0 )
 {
 mbedtls_printf( " failed\n ! mbedtls_rsa_pkcs1_verify returned -0x%0x\n\n", (unsigned int) -ret );
 goto exit;
diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function
index 573c9d430..c7c5f507b 100644
--- a/tests/suites/test_suite_pk.function
+++ b/tests/suites/test_suite_pk.function
@@ -444,9 +444,10 @@ void pk_rsa_verify_ext_test_vec( data_t * message_str, int digest,
 if( digest != MBEDTLS_MD_NONE )
 {
- TEST_ASSERT( mbedtls_md( mbedtls_md_info_from_type( digest ),
- message_str->x, message_str->len, hash_result ) == 0 );
- hash_len = 0;
+ const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( digest );
+ TEST_ASSERT( mbedtls_md( md_info, message_str->x, message_str->len,
+ hash_result ) == 0 );
+ hash_len = mbedtls_md_get_size( md_info );
 }
 else
 {
@@ -611,7 +612,8 @@ void pk_sign_verify( int type, int parameter, int sign_ret, int verify_ret )
 {
 mbedtls_pk_context pk;
 size_t sig_len;
- unsigned char hash[MBEDTLS_MD_MAX_SIZE];
+ unsigned char hash[32]; // Hard-coded for SHA256
+ size_t hash_len = sizeof( hash );
 unsigned char sig[MBEDTLS_PK_SIGNATURE_MAX_SIZE];
 void *rs_ctx = NULL;
 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
@@ -635,7 +637,7 @@ void pk_sign_verify( int type, int parameter, int sign_ret, int verify_ret )
 TEST_ASSERT( pk_genkey( &pk, parameter ) == 0 );
 TEST_ASSERT( mbedtls_pk_sign_restartable( &pk, MBEDTLS_MD_SHA256,
- hash, sizeof hash, sig, &sig_len,
+ hash, hash_len, sig, &sig_len,
 mbedtls_test_rnd_std_rand, NULL, rs_ctx ) == sign_ret );
 if( sign_ret == 0 )
 TEST_ASSERT( sig_len <= MBEDTLS_PK_SIGNATURE_MAX_SIZE );
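Review bot: In the second hunk `unsigned char hash[32]; // Hard-coded for SHA256` is declared but nothing visible initialises it before the third hunk passes it to mbedtls_pk_sign_restartable, so unless a memset or fill happens outside these hunks the signed input is indeterminate and the test is not reproducible; `memset( hash, 0x2a, sizeof( hash ) );` (any fixed pattern) before the first sign call would settle that. The comment could also be made unnecessary by deriving the length from the algorithm the calls name, `size_t hash_len = mbedtls_md_get_size( mbedtls_md_info_from_type( MBEDTLS_MD_SHA256 ) );`, while keeping `hash[MBEDTLS_MD_MAX_SIZE]`. pk_sign_verify continues beyond these hunks.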
@@ -643,22 +645,22 @@ void pk_sign_verify( int type, int parameter, int sign_ret, int verify_ret )
 sig_len = MBEDTLS_PK_SIGNATURE_MAX_SIZE;
 TEST_ASSERT( mbedtls_pk_verify( &pk, MBEDTLS_MD_SHA256,
- hash, sizeof hash, sig, sig_len ) == verify_ret );
+ hash, hash_len, sig, sig_len ) == verify_ret );
 if( verify_ret == 0 )
 {
 hash[0]++;
 TEST_ASSERT( mbedtls_pk_verify( &pk, MBEDTLS_MD_SHA256,
- hash, sizeof hash, sig, sig_len ) != 0 );
+ hash, hash_len, sig, sig_len ) != 0 );
 hash[0]--;
 sig[0]++;
 TEST_ASSERT( mbedtls_pk_verify( &pk, MBEDTLS_MD_SHA256,
- hash, sizeof hash, sig, sig_len ) != 0 );
+ hash, hash_len, sig, sig_len ) != 0 );
 sig[0]--;
 }
- TEST_ASSERT( mbedtls_pk_sign( &pk, MBEDTLS_MD_SHA256, hash, sizeof hash,
+ TEST_ASSERT( mbedtls_pk_sign( &pk, MBEDTLS_MD_SHA256, hash, hash_len,
 sig, &sig_len, mbedtls_test_rnd_std_rand, NULL ) == sign_ret );
@@ -668,7 +670,7 @@ void pk_sign_verify( int type, int parameter, int sign_ret, int verify_ret )
 sig_len = MBEDTLS_PK_SIGNATURE_MAX_SIZE;
 TEST_ASSERT( mbedtls_pk_verify_restartable( &pk, MBEDTLS_MD_SHA256,
- hash, sizeof hash, sig, sig_len, rs_ctx ) == verify_ret );
+ hash, hash_len, sig, sig_len, rs_ctx ) == verify_ret );
 if( verify_ret == 0 )
 {
diff --git a/tests/suites/test_suite_pkcs1_v15.function b/tests/suites/test_suite_pkcs1_v15.function
index d78ee8895..3d29f10bb 100644
--- a/tests/suites/test_suite_pkcs1_v15.function
+++ b/tests/suites/test_suite_pkcs1_v15.function
@@ -269,6 +269,7 @@ void pkcs1_rsassa_v15_sign( int mod, int radix_P, char * input_P, int radix_Q,
 data_t * result_str, int result )
 {
 unsigned char hash_result[MBEDTLS_MD_MAX_SIZE];
+ const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( digest );
 unsigned char output[128];
 mbedtls_rsa_context ctx;
 mbedtls_mpi N, P, Q, E;
@@ -298,13 +299,13 @@ void pkcs1_rsassa_v15_sign( int mod, int radix_P, char * input_P, int radix_Q,
 TEST_ASSERT( mbedtls_rsa_complete( &ctx ) == 0 );
 TEST_ASSERT( mbedtls_rsa_check_privkey( &ctx ) == 0 );
+ if( md_info != NULL )
+ TEST_ASSERT( mbedtls_md( md_info, message_str->x, message_str->len, hash_result ) == 0 );
- if( mbedtls_md_info_from_type( digest ) != NULL )
- TEST_ASSERT( mbedtls_md( mbedtls_md_info_from_type( digest ), message_str->x, message_str->len, hash_result ) == 0 );
-
- TEST_ASSERT( mbedtls_rsa_pkcs1_sign( &ctx, &mbedtls_test_rnd_buffer_rand,
- &info, digest, 0, hash_result,
- output ) == result );
+ TEST_ASSERT( mbedtls_rsa_pkcs1_sign(
+ &ctx, &mbedtls_test_rnd_buffer_rand, &info,
+ digest, mbedtls_md_get_size( md_info ), hash_result,
+ output ) == result );
 if( result == 0 )
 {
@@ -326,6 +327,7 @@ void pkcs1_rsassa_v15_verify( int mod, int radix_N, char * input_N,
 data_t * result_str, int result )
 {
 unsigned char hash_result[MBEDTLS_MD_MAX_SIZE];
+ const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( digest );
 mbedtls_rsa_context ctx;
 mbedtls_mpi N, E;
 ((void) salt);
@@ -343,10 +345,10 @@ void pkcs1_rsassa_v15_verify( int mod, int radix_N, char * input_N,
 TEST_ASSERT( mbedtls_rsa_check_pubkey( &ctx ) == 0 );
- if( mbedtls_md_info_from_type( digest ) != NULL )
- TEST_ASSERT( mbedtls_md( mbedtls_md_info_from_type( digest ), message_str->x, message_str->len, hash_result ) == 0 );
+ if( md_info != NULL )
+ TEST_ASSERT( mbedtls_md( md_info, message_str->x, message_str->len, hash_result ) == 0 );
- TEST_ASSERT( mbedtls_rsa_pkcs1_verify( &ctx, digest, 0, hash_result, result_str->x ) == result );
+ TEST_ASSERT( mbedtls_rsa_pkcs1_verify( &ctx, digest, mbedtls_md_get_size( md_info ), hash_result, result_str->x ) == result );
 exit:
 mbedtls_mpi_free( &N );
 mbedtls_mpi_free( &E );
diff --git a/tests/suites/test_suite_pkcs1_v21.function b/tests/suites/test_suite_pkcs1_v21.function
index ec5591f6d..27b0990d7 100644
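Review bot: The rewritten mbedtls_rsa_pkcs1_sign call in the first hunk passes `mbedtls_md_get_size( md_info )` unconditionally, while the `if( md_info != NULL )` guard just above shows md_info can be NULL (the MBEDTLS_MD_NONE case); the test then depends on mbedtls_md_get_size() returning 0 for a NULL argument, which the md layer currently does, and on 0 being the intended raw-data length for those vectors. A comment such as `/* md_info is NULL for MBEDTLS_MD_NONE; the size is then 0 (raw signing of an empty input) */` above the call would make that dependency explicit rather than incidental. The same construct appears in the verify hunk below and in the pkcs1_v21 and rsa suite hunks that follow.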
--- a/tests/suites/test_suite_pkcs1_v21.function
+++ b/tests/suites/test_suite_pkcs1_v21.function
@@ -123,6 +123,7 @@ void pkcs1_rsassa_pss_sign( int mod, data_t * input_P, data_t * input_Q,
 int result )
 {
 unsigned char hash_result[MBEDTLS_MD_MAX_SIZE];
+ const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( digest );
 unsigned char output[512];
 mbedtls_rsa_context ctx;
 mbedtls_test_rnd_buf_info info;
@@ -152,14 +153,15 @@ void pkcs1_rsassa_pss_sign( int mod, data_t * input_P, data_t * input_Q,
 TEST_ASSERT( mbedtls_rsa_complete( &ctx ) == 0 );
 TEST_ASSERT( mbedtls_rsa_check_privkey( &ctx ) == 0 );
- if( mbedtls_md_info_from_type( digest ) != NULL )
- TEST_ASSERT( mbedtls_md( mbedtls_md_info_from_type( digest ), message_str->x, message_str->len, hash_result ) == 0 );
+ if( md_info != NULL )
+ TEST_ASSERT( mbedtls_md( md_info, message_str->x, message_str->len, hash_result ) == 0 );
 if (fixed_salt_length == MBEDTLS_RSA_SALT_LEN_ANY)
 {
- TEST_ASSERT( mbedtls_rsa_pkcs1_sign( &ctx, &mbedtls_test_rnd_buffer_rand,
- &info, digest, 0,hash_result,
- output ) == result );
+ TEST_ASSERT( mbedtls_rsa_pkcs1_sign(
+ &ctx, &mbedtls_test_rnd_buffer_rand, &info,
+ digest, mbedtls_md_get_size( md_info ), hash_result,
+ output ) == result );
 if( result == 0 )
 {
 ASSERT_COMPARE( output, ctx.len, result_str->x, result_str->len );
@@ -169,9 +171,10 @@ void pkcs1_rsassa_pss_sign( int mod, data_t * input_P, data_t * input_Q,
 info.length = rnd_buf->len;
 }
- TEST_ASSERT( mbedtls_rsa_rsassa_pss_sign_ext( &ctx, &mbedtls_test_rnd_buffer_rand,
- &info, digest, 0, hash_result,
- fixed_salt_length, output ) == result );
+ TEST_ASSERT( mbedtls_rsa_rsassa_pss_sign_ext(
+ &ctx, &mbedtls_test_rnd_buffer_rand, &info,
+ digest, mbedtls_md_get_size( md_info ), hash_result,
+ fixed_salt_length, output ) == result );
 if( result == 0 )
 {
 ASSERT_COMPARE( output, ctx.len, result_str->x, result_str->len );
@@ -190,6 +193,7 @@ void pkcs1_rsassa_pss_verify( int mod, data_t * input_N, data_t * input_E,
 char * salt, data_t * result_str, int result )
 {
 unsigned char hash_result[MBEDTLS_MD_MAX_SIZE];
+ const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( digest );
 mbedtls_rsa_context ctx;
 mbedtls_mpi N, E;
 ((void) salt);
@@ -208,10 +212,10 @@ void pkcs1_rsassa_pss_verify( int mod, data_t * input_N, data_t * input_E,
 TEST_ASSERT( mbedtls_rsa_check_pubkey( &ctx ) == 0 );
- if( mbedtls_md_info_from_type( digest ) != NULL )
- TEST_ASSERT( mbedtls_md( mbedtls_md_info_from_type( digest ), message_str->x, message_str->len, hash_result ) == 0 );
+ if( md_info != NULL )
+ TEST_ASSERT( mbedtls_md( md_info, message_str->x, message_str->len, hash_result ) == 0 );
- TEST_ASSERT( mbedtls_rsa_pkcs1_verify( &ctx, digest, 0, hash_result, result_str->x ) == result );
+ TEST_ASSERT( mbedtls_rsa_pkcs1_verify( &ctx, digest, mbedtls_md_get_size( md_info ), hash_result, result_str->x ) == result );
 exit:
 mbedtls_mpi_free( &N );
 mbedtls_mpi_free( &E );
@@ -248,9 +252,12 @@ void pkcs1_rsassa_pss_verify_ext( int mod, data_t * input_N, data_t * input_E,
 if( msg_digest_id != MBEDTLS_MD_NONE )
 {
- TEST_ASSERT( mbedtls_md( mbedtls_md_info_from_type( msg_digest_id ),
- message_str->x, message_str->len, hash_result ) == 0 );
- hash_len = 0;
+ const mbedtls_md_info_t *md_info =
+ mbedtls_md_info_from_type( msg_digest_id );
+ TEST_ASSERT( mbedtls_md( md_info,
+ message_str->x, message_str->len,
+ hash_result ) == 0 );
+ hash_len = mbedtls_md_get_size( md_info );
 }
 else
 {
diff --git a/tests/suites/test_suite_rsa.function b/tests/suites/test_suite_rsa.function
index 14b4afc3a..1bffc769e 100644
--- a/tests/suites/test_suite_rsa.function
+++ b/tests/suites/test_suite_rsa.function
@@ -86,6 +86,7 @@ void mbedtls_rsa_pkcs1_sign( data_t * message_str, int padding_mode,
 data_t * result_str, int result )
 {
 unsigned char hash_result[MBEDTLS_MD_MAX_SIZE];
+ const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( digest );
 unsigned char output[256];
 mbedtls_rsa_context ctx;
 mbedtls_mpi N, P, Q, E;
@@ -111,13 +112,13 @@ void mbedtls_rsa_pkcs1_sign( data_t * message_str, int padding_mode,
 TEST_ASSERT( mbedtls_rsa_complete( &ctx ) == 0 );
 TEST_ASSERT( mbedtls_rsa_check_privkey( &ctx ) == 0 );
+ if( md_info != NULL )
+ TEST_ASSERT( mbedtls_md( md_info, message_str->x, message_str->len, hash_result ) == 0 );
- if( mbedtls_md_info_from_type( digest ) != NULL )
- TEST_ASSERT( mbedtls_md( mbedtls_md_info_from_type( digest ), message_str->x, message_str->len, hash_result ) == 0 );
-
- TEST_ASSERT( mbedtls_rsa_pkcs1_sign( &ctx, &mbedtls_test_rnd_pseudo_rand,
- &rnd_info, digest, 0, hash_result,
- output ) == result );
+ TEST_ASSERT( mbedtls_rsa_pkcs1_sign(
+ &ctx, &mbedtls_test_rnd_pseudo_rand, &rnd_info,
+ digest, mbedtls_md_get_size( md_info ), hash_result,
+ output ) == result );
 if( result == 0 )
 {
@@ -139,8 +140,8 @@ void mbedtls_rsa_pkcs1_verify( data_t * message_str, int padding_mode,
 data_t * result_str, int result )
 {
 unsigned char hash_result[MBEDTLS_MD_MAX_SIZE];
+ const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( digest );
 mbedtls_rsa_context ctx;
- mbedtls_mpi N, E;
 mbedtls_mpi_init( &N );
 mbedtls_mpi_init( &E );
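Review bot: The last hunk removes the declaration `mbedtls_mpi N, E;` from mbedtls_rsa_pkcs1_verify while the `mbedtls_mpi_init( &N ); mbedtls_mpi_init( &E );` context lines that follow, and the `mbedtls_mpi_free` calls in the next hunk, still refer to N and E; unless another declaration exists outside the hunk, this no longer compiles. The deletion looks accidental next to the intended insertion of `md_info`, so the line should be restored: `mbedtls_mpi N, E;`. The function body continues outside the hunk.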
@@ -155,11 +156,10 @@ void mbedtls_rsa_pkcs1_verify( data_t * message_str, int padding_mode,
 TEST_ASSERT( mbedtls_rsa_get_len( &ctx ) == (size_t) ( mod / 8 ) );
 TEST_ASSERT( mbedtls_rsa_check_pubkey( &ctx ) == 0 );
+ if( md_info != NULL )
+ TEST_ASSERT( mbedtls_md( md_info, message_str->x, message_str->len, hash_result ) == 0 );
- if( mbedtls_md_info_from_type( digest ) != NULL )
- TEST_ASSERT( mbedtls_md( mbedtls_md_info_from_type( digest ), message_str->x, message_str->len, hash_result ) == 0 );
-
- TEST_ASSERT( mbedtls_rsa_pkcs1_verify( &ctx, digest, 0, hash_result, result_str->x ) == result );
+ TEST_ASSERT( mbedtls_rsa_pkcs1_verify( &ctx, digest, mbedtls_md_get_size( md_info ), hash_result, result_str->x ) == result );
 exit:
 mbedtls_mpi_free( &N );
 mbedtls_mpi_free( &E );