diff options
| author | Richard Levitte <levitte@openssl.org> | 2020-08-05 08:01:59 +0200 |
|---|---|---|
| committer | Pauli <paul.dale@oracle.com> | 2020-08-07 01:59:18 +0200 |
| commit | 6ce6ad39fe85cf8b5c84ded9885329bf703ee649 (patch) | |
| tree | fe380d747814a957bfe959bb28cb8ee813af4be5 /providers/implementations/signature/rsa.c | |
| parent | mac: add some consistency to setting the XXX_final output length. (diff) | |
| download | openssl-6ce6ad39fe85cf8b5c84ded9885329bf703ee649.tar.xz openssl-6ce6ad39fe85cf8b5c84ded9885329bf703ee649.zip | |
RSA: Be less strict on PSS parameters when exporting to provider
We have a key in test/recipes/30-test_evp_data/evppkey.txt with bad
PSS parameters (RSA-PSS-BAD), which is supposed to trigger signature
computation faults. However, if this key needs to be exported to the
RSA provider implementation, the result would be an earlier error,
giving the computation that's supposed to be checked n chance to even
be reached.
Either way, the legacy to provider export is no place to validate the
values of the key.
We also ensure that the provider implementation can handle and detect
signed (negative) saltlen values.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12583)
Diffstat (limited to '')
| -rw-r--r-- | providers/implementations/signature/rsa.c | 14 |
1 files changed, 7 insertions, 7 deletions
diff --git a/providers/implementations/signature/rsa.c b/providers/implementations/signature/rsa.c index 6de10d1f53..491c72d990 100644 --- a/providers/implementations/signature/rsa.c +++ b/providers/implementations/signature/rsa.c @@ -176,16 +176,16 @@ static int rsa_check_padding(int mdnid, int padding) return 1; } -static int rsa_check_parameters(EVP_MD *md, PROV_RSA_CTX *prsactx) +static int rsa_check_parameters(PROV_RSA_CTX *prsactx) { if (prsactx->pad_mode == RSA_PKCS1_PSS_PADDING) { int max_saltlen; /* See if minimum salt length exceeds maximum possible */ - max_saltlen = RSA_size(prsactx->rsa) - EVP_MD_size(md); + max_saltlen = RSA_size(prsactx->rsa) - EVP_MD_size(prsactx->md); if ((RSA_bits(prsactx->rsa) & 0x7) == 1) max_saltlen--; - if (prsactx->min_saltlen > max_saltlen) { + if (prsactx->min_saltlen < 0 || prsactx->min_saltlen > max_saltlen) { ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH); return 0; } @@ -230,7 +230,6 @@ static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname, if (md == NULL || md_nid == NID_undef || !rsa_check_padding(md_nid, ctx->pad_mode) - || !rsa_check_parameters(md, ctx) || mdname_len >= sizeof(ctx->mdname)) { if (md == NULL) ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, @@ -365,7 +364,8 @@ static int rsa_signature_init(void *vprsactx, void *vrsa, int operation) prsactx->saltlen = min_saltlen; return rsa_setup_md(prsactx, mdname, prsactx->propq) - && rsa_setup_mgf1_md(prsactx, mgf1mdname, prsactx->propq); + && rsa_setup_mgf1_md(prsactx, mgf1mdname, prsactx->propq) + && rsa_check_parameters(prsactx); } } @@ -1151,7 +1151,7 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[]) } if (rsa_pss_restricted(prsactx)) { - switch (prsactx->saltlen) { + switch (saltlen) { case RSA_PSS_SALTLEN_AUTO: if (prsactx->operation == EVP_PKEY_OP_VERIFY) { ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_PSS_SALTLEN); @@ -1168,7 +1168,7 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[]) EVP_MD_size(prsactx->md)); return 0; } - /* FALLTHRU */ + break; default: if (saltlen >= 0 && saltlen < prsactx->min_saltlen) { ERR_raise_data(ERR_LIB_PROV, |