diff --git a/library/rsa.c b/library/rsa.c index bdd2538c3..bd97d521b 100644 --- a/library/rsa.c +++ b/library/rsa.c @@ -566,7 +566,7 @@ cleanup: * \param slen length of the source buffer * \param md_ctx message digest context to use */ -static void mgf_mask( unsigned char *dst, size_t dlen, unsigned char *src, +static int mgf_mask( unsigned char *dst, size_t dlen, unsigned char *src, size_t slen, mbedtls_md_context_t *md_ctx ) { unsigned char mask[MBEDTLS_MD_MAX_SIZE]; @@ -574,6 +574,7 @@ static void mgf_mask( unsigned char *dst, size_t dlen, unsigned char *src, unsigned char *p; unsigned int hlen; size_t i, use_len; + int ret; memset( mask, 0, MBEDTLS_MD_MAX_SIZE ); memset( counter, 0, 4 ); @@ -589,10 +590,14 @@ static void mgf_mask( unsigned char *dst, size_t dlen, unsigned char *src, if( dlen < hlen ) use_len = dlen; - mbedtls_md_starts( md_ctx ); - mbedtls_md_update( md_ctx, src, slen ); - mbedtls_md_update( md_ctx, counter, 4 ); - mbedtls_md_finish( md_ctx, mask ); + if( ( ret = mbedtls_md_starts( md_ctx ) ) != 0 ) + goto exit; + if( ( ret = mbedtls_md_update( md_ctx, src, slen ) ) != 0 ) + goto exit; + if( ( ret = mbedtls_md_update( md_ctx, counter, 4 ) ) != 0 ) + goto exit; + if( ( ret = mbedtls_md_finish( md_ctx, mask ) ) != 0 ) + goto exit; for( i = 0; i < use_len; ++i ) *p++ ^= mask[i]; @@ -602,7 +607,10 @@ static void mgf_mask( unsigned char *dst, size_t dlen, unsigned char *src, dlen -= use_len; } +exit: mbedtls_zeroize( mask, sizeof( mask ) ); + + return( ret ); } #endif /* MBEDTLS_PKCS1_V21 */ @@ -654,7 +662,8 @@ int mbedtls_rsa_rsaes_oaep_encrypt( mbedtls_rsa_context *ctx, p += hlen; /* Construct DB */ - mbedtls_md( md_info, label, label_len, p ); + if( ( ret = mbedtls_md( md_info, label, label_len, p ) ) != 0 ) + return( ret ); p += hlen; p += olen - 2 * hlen - 2 - ilen; *p++ = 1; @@ -662,21 +671,24 @@ int mbedtls_rsa_rsaes_oaep_encrypt( mbedtls_rsa_context *ctx, mbedtls_md_init( &md_ctx ); if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 ) - { - mbedtls_md_free( &md_ctx ); - return( ret ); - } + goto exit; /* maskedDB: Apply dbMask to DB */ - mgf_mask( output + hlen + 1, olen - hlen - 1, output + 1, hlen, - &md_ctx ); + if( ( ret = mgf_mask( output + hlen + 1, olen - hlen - 1, output + 1, hlen, + &md_ctx ) ) != 0 ) + goto exit; /* maskedSeed: Apply seedMask to seed */ - mgf_mask( output + 1, hlen, output + hlen + 1, olen - hlen - 1, - &md_ctx ); + if( ( ret = mgf_mask( output + 1, hlen, output + hlen + 1, olen - hlen - 1, + &md_ctx ) ) != 0 ) + goto exit; +exit: mbedtls_md_free( &md_ctx ); + if( ret != 0 ) + return( ret ); + return( ( mode == MBEDTLS_RSA_PUBLIC ) ? mbedtls_rsa_public( ctx, output, output ) : mbedtls_rsa_private( ctx, f_rng, p_rng, output, output ) ); @@ -843,20 +855,23 @@ int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx, goto cleanup; } - - /* Generate lHash */ - mbedtls_md( md_info, label, label_len, lhash ); - /* seed: Apply seedMask to maskedSeed */ - mgf_mask( buf + 1, hlen, buf + hlen + 1, ilen - hlen - 1, - &md_ctx ); - + if( ( ret = mgf_mask( buf + 1, hlen, buf + hlen + 1, ilen - hlen - 1, + &md_ctx ) ) != 0 || /* DB: Apply dbMask to maskedDB */ - mgf_mask( buf + hlen + 1, ilen - hlen - 1, buf + 1, hlen, - &md_ctx ); + ( ret = mgf_mask( buf + hlen + 1, ilen - hlen - 1, buf + 1, hlen, + &md_ctx ) ) != 0 ) + { + mbedtls_md_free( &md_ctx ); + goto cleanup; + } mbedtls_md_free( &md_ctx ); + /* Generate lHash */ + if( ( ret = mbedtls_md( md_info, label, label_len, lhash ) ) != 0 ) + goto cleanup; + /* * Check contents, in "constant-time" */ @@ -1107,28 +1122,28 @@ int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx, mbedtls_md_init( &md_ctx ); if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 ) - { - mbedtls_md_free( &md_ctx ); - /* No need to zeroize salt: we didn't use it. */ - return( ret ); - } + goto exit; /* Generate H = Hash( M' ) */ - mbedtls_md_starts( &md_ctx ); - mbedtls_md_update( &md_ctx, p, 8 ); - mbedtls_md_update( &md_ctx, hash, hashlen ); - mbedtls_md_update( &md_ctx, salt, slen ); - mbedtls_md_finish( &md_ctx, p ); - mbedtls_zeroize( salt, sizeof( salt ) ); + if( ( ret = mbedtls_md_starts( &md_ctx ) ) != 0 ) + goto exit; + if( ( ret = mbedtls_md_update( &md_ctx, p, 8 ) ) != 0 ) + goto exit; + if( ( ret = mbedtls_md_update( &md_ctx, hash, hashlen ) ) != 0 ) + goto exit; + if( ( ret = mbedtls_md_update( &md_ctx, salt, slen ) ) != 0 ) + goto exit; + if( ( ret = mbedtls_md_finish( &md_ctx, p ) ) != 0 ) + goto exit; /* Compensate for boundary condition when applying mask */ if( msb % 8 == 0 ) offset = 1; /* maskedDB: Apply dbMask to DB */ - mgf_mask( sig + offset, olen - hlen - 1 - offset, p, hlen, &md_ctx ); - - mbedtls_md_free( &md_ctx ); + if( ( ret = mgf_mask( sig + offset, olen - hlen - 1 - offset, p, hlen, + &md_ctx ) ) != 0 ) + goto exit; msb = mbedtls_mpi_bitlen( &ctx->N ) - 1; sig[0] &= 0xFF >> ( olen * 8 - msb ); @@ -1136,6 +1151,14 @@ int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx, p += hlen; *p++ = 0xBC; + mbedtls_zeroize( salt, sizeof( salt ) ); + +exit: + mbedtls_md_free( &md_ctx ); + + if( ret != 0 ) + return( ret ); + return( ( mode == MBEDTLS_RSA_PUBLIC ) ? mbedtls_rsa_public( ctx, sig, sig ) : mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig ) ); @@ -1382,23 +1405,21 @@ int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx, mbedtls_md_init( &md_ctx ); if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 ) - { - mbedtls_md_free( &md_ctx ); - return( ret ); - } + goto exit; - mgf_mask( p, siglen - hlen - 1, p + siglen - hlen - 1, hlen, &md_ctx ); + if( ( ret = mgf_mask( p, siglen - hlen - 1, p + siglen - hlen - 1, hlen, + &md_ctx ) ) != 0 ) + goto exit; buf[0] &= 0xFF >> ( siglen * 8 - msb ); while( p < buf + siglen && *p == 0 ) p++; - if( p == buf + siglen || - *p++ != 0x01 ) + if( p == buf + siglen || *p++ != 0x01 ) { - mbedtls_md_free( &md_ctx ); - return( MBEDTLS_ERR_RSA_INVALID_PADDING ); + ret = MBEDTLS_ERR_RSA_INVALID_PADDING; + goto exit; } /* Actual salt len */ @@ -1407,25 +1428,31 @@ int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx, if( expected_salt_len != MBEDTLS_RSA_SALT_LEN_ANY && slen != (size_t) expected_salt_len ) { - mbedtls_md_free( &md_ctx ); - return( MBEDTLS_ERR_RSA_INVALID_PADDING ); + ret = MBEDTLS_ERR_RSA_INVALID_PADDING; + goto exit; } /* * Generate H = Hash( M' ) */ - mbedtls_md_starts( &md_ctx ); - mbedtls_md_update( &md_ctx, zeros, 8 ); - mbedtls_md_update( &md_ctx, hash, hashlen ); - mbedtls_md_update( &md_ctx, p, slen ); - mbedtls_md_finish( &md_ctx, result ); + if( ( ret = mbedtls_md_starts( &md_ctx ) ) != 0 ) + goto exit; + if( ( ret = mbedtls_md_update( &md_ctx, zeros, 8 ) ) != 0 ) + goto exit; + if( ( ret = mbedtls_md_update( &md_ctx, hash, hashlen ) ) != 0 ) + goto exit; + if( ( ret = mbedtls_md_update( &md_ctx, p, slen ) ) != 0 ) + goto exit; + if( ( ret = mbedtls_md_finish( &md_ctx, result ) ) != 0 ) + goto exit; + if( ( ret = memcmp( p + slen, result, hlen ) ) != 0 ) + ret = MBEDTLS_ERR_RSA_VERIFY_FAILED; + +exit: mbedtls_md_free( &md_ctx ); - if( memcmp( p + slen, result, hlen ) == 0 ) - return( 0 ); - else - return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); + return( ret ); } /* @@ -1829,7 +1856,13 @@ int mbedtls_rsa_self_test( int verbose ) if( verbose != 0 ) mbedtls_printf( " PKCS#1 data sign : " ); - mbedtls_sha1( rsa_plaintext, PT_LEN, sha1sum ); + if( mbedtls_sha1_ext( rsa_plaintext, PT_LEN, sha1sum ) != 0 ) + { + if( verbose != 0 ) + mbedtls_printf( "failed\n" ); + + return( 1 ); + } if( mbedtls_rsa_pkcs1_sign( &rsa, myrand, NULL, MBEDTLS_RSA_PRIVATE, MBEDTLS_MD_SHA1, 0, sha1sum, rsa_ciphertext ) != 0 )