Skip to content

Commit

Permalink
Merge pull request #4707 from gilles-peskine-arm/require-matching-has…
Browse files Browse the repository at this point in the history 
…hlen-rsa-implementation

Require matching hashlen in RSA functions: implementation
  • Loading branch information
@gilles-peskine-arm
gilles-peskine-arm authored Jun 24, 2021
2 parents f06b92d + 6e3187b commit fedd52c
Show file tree
Hide file tree
Showing 13 changed files with 144 additions and 116 deletions.
5 changes: 5 additions & 0 deletions ChangeLog.d/require-matching-hashlen-rsa.txt
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
API changes
* Signature functions in the RSA and PK modules now require the hash
length parameter to be the size of the hash input. For RSA signatures
other than raw PKCS#1 v1.5, this must match the output size of the
specified hash algorithm.
24 changes: 24 additions & 0 deletions docs/3.0-migration-guide.d/require-matching-hashlen-rsa.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
Signature functions now require the hash length to match the expected value
---------------------------------------------------------------------------

This affects users of the PK API as well as users of the low-level API in the RSA module. Users of the PSA API or of the ECDSA module are unaffected.

All the functions in the RSA module that accept a `hashlen` parameter used to
ignore it unless the `md_alg` parameter was `MBEDTLS_MD_NONE`, indicating raw
data was signed. The `hashlen` parameter is now always the size that is read
from the `hash` input buffer. This length must be equal to the output size of
the hash algorithm used when signing a hash. (The requirements when signing
raw data are unchanged.) This affects the following functions:

* `mbedtls_rsa_pkcs1_sign`, `mbedtls_rsa_pkcs1_verify`
* `mbedtls_rsa_rsassa_pkcs1_v15_sign`, `mbedtls_rsa_rsassa_pkcs1_v15_verify`
* `mbedtls_rsa_rsassa_pss_sign`, `mbedtls_rsa_rsassa_pss_verify`
* `mbedtls_rsa_rsassa_pss_sign_ext`, `mbedtls_rsa_rsassa_pss_verify_ext`

The signature functions in the PK module no longer accept 0 as the `hash_len` parameter. The `hash_len` parameter is now always the size that is read from the `hash` input buffer. This affects the following functions:

* `mbedtls_pk_sign`, `mbedtls_pk_verify`
* `mbedtls_pk_sign_restartable`, `mbedtls_pk_verify_restartable`
* `mbedtls_pk_verify_ext`

The migration path is to pass the correct value to those functions.
24 changes: 12 additions & 12 deletions include/mbedtls/pk.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -399,9 +399,17 @@ int mbedtls_pk_can_do( const mbedtls_pk_context *ctx, mbedtls_pk_type_t type );
* \brief Verify signature (including padding if relevant).
*
* \param ctx The PK context to use. It must have been set up.
* \param md_alg Hash algorithm used (see notes)
* \param md_alg Hash algorithm used.
* This can be #MBEDTLS_MD_NONE if the signature algorithm
* does not rely on a hash algorithm (non-deterministic
* ECDSA, RSA PKCS#1 v1.5).
* For PKCS#1 v1.5, if \p md_alg is #MBEDTLS_MD_NONE, then
* \p hash is the DigestInfo structure used by RFC 8017
* §9.2 steps 3–6. If \p md_alg is a valid hash
* algorithm then \p hash is the digest itself, and this
* function calculates the DigestInfo encoding internally.
* \param hash Hash of the message to sign
* \param hash_len Hash length or 0 (see notes)
* \param hash_len Hash length
* \param sig Signature to verify
* \param sig_len Signature length
*
Expand All @@ -413,11 +421,6 @@ int mbedtls_pk_can_do( const mbedtls_pk_context *ctx, mbedtls_pk_type_t type );
* \note For RSA keys, the default padding type is PKCS#1 v1.5.
* Use \c mbedtls_pk_verify_ext( MBEDTLS_PK_RSASSA_PSS, ... )
* to verify RSASSA_PSS signatures.
*
* \note If hash_len is 0, then the length associated with md_alg
* is used instead, or an error returned if it is invalid.
*
* \note md_alg may be MBEDTLS_MD_NONE, only if hash_len != 0
*/
int mbedtls_pk_verify( mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
const unsigned char *hash, size_t hash_len,
Expand Down Expand Up @@ -490,7 +493,7 @@ int mbedtls_pk_verify_ext( mbedtls_pk_type_t type, const void *options,
* with a private key.
* \param md_alg Hash algorithm used (see notes)
* \param hash Hash of the message to sign
* \param hash_len Hash length or 0 (see notes)
* \param hash_len Hash length
* \param sig Place to write the signature.
* It must have enough room for the signature.
* #MBEDTLS_PK_SIGNATURE_MAX_SIZE is always enough.
Expand All @@ -507,9 +510,6 @@ int mbedtls_pk_verify_ext( mbedtls_pk_type_t type, const void *options,
* There is no interface in the PK module to make RSASSA-PSS
* signatures yet.
*
* \note If hash_len is 0, then the length associated with md_alg
* is used instead, or an error returned if it is invalid.
*
* \note For RSA, md_alg may be MBEDTLS_MD_NONE if hash_len != 0.
* For ECDSA, md_alg may never be MBEDTLS_MD_NONE.
*/
Expand All @@ -530,7 +530,7 @@ int mbedtls_pk_sign( mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
* with a private key.
* \param md_alg Hash algorithm used (see notes for mbedtls_pk_sign())
* \param hash Hash of the message to sign
* \param hash_len Hash length or 0 (see notes for mbedtls_pk_sign())
* \param hash_len Hash length
* \param sig Place to write the signature.
* It must have enough room for the signature.
* #MBEDTLS_PK_SIGNATURE_MAX_SIZE is always enough.
Expand Down
80 changes: 32 additions & 48 deletions include/mbedtls/rsa.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -796,13 +796,11 @@ int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx,
* if \p f_rng doesn't need a context argument.
* \param md_alg The message-digest algorithm used to hash the original data.
* Use #MBEDTLS_MD_NONE for signing raw data.
* \param hashlen The length of the message digest.
* Ths is only used if \p md_alg is #MBEDTLS_MD_NONE.
* \param hashlen The length of the message digest or raw data in Bytes.
* If \p md_alg is not #MBEDTLS_MD_NONE, this must match the
* output length of the corresponding hash algorithm.
* \param hash The buffer holding the message digest or raw data.
* If \p md_alg is #MBEDTLS_MD_NONE, this must be a readable
* buffer of length \p hashlen Bytes. If \p md_alg is not
* #MBEDTLS_MD_NONE, it must be a readable buffer of length
* the size of the hash corresponding to \p md_alg.
* This must be a readable buffer of at least \p hashlen Bytes.
* \param sig The buffer to hold the signature. This must be a writable
* buffer of length \c ctx->len Bytes. For example, \c 256 Bytes
* for an 2048-bit RSA modulus. A buffer length of
Expand Down Expand Up @@ -830,13 +828,11 @@ int mbedtls_rsa_pkcs1_sign( mbedtls_rsa_context *ctx,
* if \p f_rng doesn't need a context argument.
* \param md_alg The message-digest algorithm used to hash the original data.
* Use #MBEDTLS_MD_NONE for signing raw data.
* \param hashlen The length of the message digest.
* Ths is only used if \p md_alg is #MBEDTLS_MD_NONE.
* \param hashlen The length of the message digest or raw data in Bytes.
* If \p md_alg is not #MBEDTLS_MD_NONE, this must match the
* output length of the corresponding hash algorithm.
* \param hash The buffer holding the message digest or raw data.
* If \p md_alg is #MBEDTLS_MD_NONE, this must be a readable
* buffer of length \p hashlen Bytes. If \p md_alg is not
* #MBEDTLS_MD_NONE, it must be a readable buffer of length
* the size of the hash corresponding to \p md_alg.
* This must be a readable buffer of at least \p hashlen Bytes.
* \param sig The buffer to hold the signature. This must be a writable
* buffer of length \c ctx->len Bytes. For example, \c 256 Bytes
* for an 2048-bit RSA modulus. A buffer length of
Expand Down Expand Up @@ -878,13 +874,11 @@ int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx,
* if \p f_rng doesn't need a context argument.
* \param md_alg The message-digest algorithm used to hash the original data.
* Use #MBEDTLS_MD_NONE for signing raw data.
* \param hashlen The length of the message digest.
* Ths is only used if \p md_alg is #MBEDTLS_MD_NONE.
* \param hashlen The length of the message digest or raw data in Bytes.
* If \p md_alg is not #MBEDTLS_MD_NONE, this must match the
* output length of the corresponding hash algorithm.
* \param hash The buffer holding the message digest or raw data.
* If \p md_alg is #MBEDTLS_MD_NONE, this must be a readable
* buffer of length \p hashlen Bytes. If \p md_alg is not
* #MBEDTLS_MD_NONE, it must be a readable buffer of length
* the size of the hash corresponding to \p md_alg.
* This must be a readable buffer of at least \p hashlen Bytes.
* \param saltlen The length of the salt that should be used.
* If passed #MBEDTLS_RSA_SALT_LEN_ANY, the function will use
* the largest possible salt length up to the hash length,
Expand Down Expand Up @@ -935,13 +929,11 @@ int mbedtls_rsa_rsassa_pss_sign_ext( mbedtls_rsa_context *ctx,
* if \p f_rng doesn't need a context argument.
* \param md_alg The message-digest algorithm used to hash the original data.
* Use #MBEDTLS_MD_NONE for signing raw data.
* \param hashlen The length of the message digest.
* This is only used if \p md_alg is #MBEDTLS_MD_NONE.
* \param hashlen The length of the message digest or raw data in Bytes.
* If \p md_alg is not #MBEDTLS_MD_NONE, this must match the
* output length of the corresponding hash algorithm.
* \param hash The buffer holding the message digest or raw data.
* If \p md_alg is #MBEDTLS_MD_NONE, this must be a readable
* buffer of length \p hashlen Bytes. If \p md_alg is not
* #MBEDTLS_MD_NONE, it must be a readable buffer of length
* the size of the hash corresponding to \p md_alg.
* This must be a readable buffer of at least \p hashlen Bytes.
* \param sig The buffer to hold the signature. This must be a writable
* buffer of length \c ctx->len Bytes. For example, \c 256 Bytes
* for an 2048-bit RSA modulus. A buffer length of
Expand Down Expand Up @@ -972,13 +964,11 @@ int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx,
* \param ctx The initialized RSA public key context to use.
* \param md_alg The message-digest algorithm used to hash the original data.
* Use #MBEDTLS_MD_NONE for signing raw data.
* \param hashlen The length of the message digest.
* This is only used if \p md_alg is #MBEDTLS_MD_NONE.
* \param hashlen The length of the message digest or raw data in Bytes.
* If \p md_alg is not #MBEDTLS_MD_NONE, this must match the
* output length of the corresponding hash algorithm.
* \param hash The buffer holding the message digest or raw data.
* If \p md_alg is #MBEDTLS_MD_NONE, this must be a readable
* buffer of length \p hashlen Bytes. If \p md_alg is not
* #MBEDTLS_MD_NONE, it must be a readable buffer of length
* the size of the hash corresponding to \p md_alg.
* This must be a readable buffer of at least \p hashlen Bytes.
* \param sig The buffer holding the signature. This must be a readable
* buffer of length \c ctx->len Bytes. For example, \c 256 Bytes
* for an 2048-bit RSA modulus.
Expand All @@ -999,13 +989,11 @@ int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx,
* \param ctx The initialized RSA public key context to use.
* \param md_alg The message-digest algorithm used to hash the original data.
* Use #MBEDTLS_MD_NONE for signing raw data.
* \param hashlen The length of the message digest.
* This is only used if \p md_alg is #MBEDTLS_MD_NONE.
* \param hashlen The length of the message digest or raw data in Bytes.
* If \p md_alg is not #MBEDTLS_MD_NONE, this must match the
* output length of the corresponding hash algorithm.
* \param hash The buffer holding the message digest or raw data.
* If \p md_alg is #MBEDTLS_MD_NONE, this must be a readable
* buffer of length \p hashlen Bytes. If \p md_alg is not
* #MBEDTLS_MD_NONE, it must be a readable buffer of length
* the size of the hash corresponding to \p md_alg.
* This must be a readable buffer of at least \p hashlen Bytes.
* \param sig The buffer holding the signature. This must be a readable
* buffer of length \c ctx->len Bytes. For example, \c 256 Bytes
* for an 2048-bit RSA modulus.
Expand Down Expand Up @@ -1036,13 +1024,11 @@ int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx,
* \param ctx The initialized RSA public key context to use.
* \param md_alg The message-digest algorithm used to hash the original data.
* Use #MBEDTLS_MD_NONE for signing raw data.
* \param hashlen The length of the message digest.
* This is only used if \p md_alg is #MBEDTLS_MD_NONE.
* \param hashlen The length of the message digest or raw data in Bytes.
* If \p md_alg is not #MBEDTLS_MD_NONE, this must match the
* output length of the corresponding hash algorithm.
* \param hash The buffer holding the message digest or raw data.
* If \p md_alg is #MBEDTLS_MD_NONE, this must be a readable
* buffer of length \p hashlen Bytes. If \p md_alg is not
* #MBEDTLS_MD_NONE, it must be a readable buffer of length
* the size of the hash corresponding to \p md_alg.
* This must be a readable buffer of at least \p hashlen Bytes.
* \param sig The buffer holding the signature. This must be a readable
* buffer of length \c ctx->len Bytes. For example, \c 256 Bytes
* for an 2048-bit RSA modulus.
Expand All @@ -1069,13 +1055,11 @@ int mbedtls_rsa_rsassa_pss_verify( mbedtls_rsa_context *ctx,
* \param ctx The initialized RSA public key context to use.
* \param md_alg The message-digest algorithm used to hash the original data.
* Use #MBEDTLS_MD_NONE for signing raw data.
* \param hashlen The length of the message digest.
* This is only used if \p md_alg is #MBEDTLS_MD_NONE.
* \param hashlen The length of the message digest or raw data in Bytes.
* If \p md_alg is not #MBEDTLS_MD_NONE, this must match the
* output length of the corresponding hash algorithm.
* \param hash The buffer holding the message digest or raw data.
* If \p md_alg is #MBEDTLS_MD_NONE, this must be a readable
* buffer of length \p hashlen Bytes. If \p md_alg is not
* #MBEDTLS_MD_NONE, it must be a readable buffer of length
* the size of the hash corresponding to \p md_alg.
* This must be a readable buffer of at least \p hashlen Bytes.
* \param mgf1_hash_id The message digest algorithm used for the
* verification operation and the mask generation
* function (MGF1). For more details on the encoding
Expand Down
20 changes: 12 additions & 8 deletions library/rsa.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1790,7 +1790,8 @@ static int rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx,
if( md_info == NULL )
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

hashlen = mbedtls_md_get_size( md_info );
if( hashlen != mbedtls_md_get_size( md_info ) )
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
}

md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id );
Expand Down Expand Up @@ -1925,14 +1926,13 @@ int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx,
* Parameters:
* - md_alg: Identifies the hash algorithm used to generate the given hash;
* MBEDTLS_MD_NONE if raw data is signed.
* - hashlen: Length of hash in case hashlen is MBEDTLS_MD_NONE.
* - hashlen: Length of hash. Must match md_alg if that's not NONE.
* - hash: Buffer containing the hashed message or the raw data.
* - dst_len: Length of the encoded message.
* - dst: Buffer to hold the encoded message.
*
* Assumptions:
* - hash has size hashlen if md_alg == MBEDTLS_MD_NONE.
* - hash has size corresponding to md_alg if md_alg != MBEDTLS_MD_NONE.
* - hash has size hashlen.
* - dst points to a buffer of size at least dst_len.
*
*/
Expand All @@ -1957,7 +1957,8 @@ static int rsa_rsassa_pkcs1_v15_encode( mbedtls_md_type_t md_alg,
if( mbedtls_oid_get_oid_by_md( md_alg, &oid, &oid_size ) != 0 )
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

hashlen = mbedtls_md_get_size( md_info );
if( hashlen != mbedtls_md_get_size( md_info ) )
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

/* Double-check that 8 + hashlen + oid_size can be used as a
* 1-byte ASN.1 length encoding and that there's no overflow. */
Expand Down Expand Up @@ -2022,6 +2023,8 @@ static int rsa_rsassa_pkcs1_v15_encode( mbedtls_md_type_t md_alg,
* TAG-NULL + LEN [ NULL ] ]
* TAG-OCTET + LEN [ HASH ] ]
*/
if( 0x08 + oid_size + hashlen >= 0x80 )
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
*p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;
*p++ = (unsigned char)( 0x08 + oid_size + hashlen );
*p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;
Expand Down Expand Up @@ -2203,7 +2206,8 @@ int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx,
if( md_info == NULL )
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );

hashlen = mbedtls_md_get_size( md_info );
if( hashlen != mbedtls_md_get_size( md_info ) )
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
}

md_info = mbedtls_md_info_from_type( mgf1_hash_id );
Expand Down Expand Up @@ -2674,7 +2678,7 @@ int mbedtls_rsa_self_test( int verbose )
}

if( mbedtls_rsa_pkcs1_sign( &rsa, myrand, NULL,
MBEDTLS_MD_SHA1, 0,
MBEDTLS_MD_SHA1, 20,
sha1sum, rsa_ciphertext ) != 0 )
{
if( verbose != 0 )
Expand All @@ -2687,7 +2691,7 @@ int mbedtls_rsa_self_test( int verbose )
if( verbose != 0 )
mbedtls_printf( "passed\n PKCS#1 sig. verify: " );

if( mbedtls_rsa_pkcs1_verify( &rsa, MBEDTLS_MD_SHA1, 0,
if( mbedtls_rsa_pkcs1_verify( &rsa, MBEDTLS_MD_SHA1, 20,
sha1sum, rsa_ciphertext ) != 0 )
{
if( verbose != 0 )
Expand Down
2 changes: 1 addition & 1 deletion programs/pkey/dh_client.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -221,7 +221,7 @@ int main( void )
}

if( ( ret = mbedtls_rsa_pkcs1_verify( &rsa, MBEDTLS_MD_SHA256,
0, hash, p ) ) != 0 )
32, hash, p ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_rsa_pkcs1_verify returned %d\n\n", ret );
goto exit;
Expand Down
2 changes: 1 addition & 1 deletion programs/pkey/dh_server.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -229,7 +229,7 @@ int main( void )
buf[n + 1] = (unsigned char)( rsa.MBEDTLS_PRIVATE(len) );

if( ( ret = mbedtls_rsa_pkcs1_sign( &rsa, NULL, NULL, MBEDTLS_MD_SHA256,
0, hash, buf + n + 2 ) ) != 0 )
32, hash, buf + n + 2 ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_rsa_pkcs1_sign returned %d\n\n", ret );
goto exit;
Expand Down
2 changes: 1 addition & 1 deletion programs/pkey/rsa_sign.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -147,7 +147,7 @@ int main( int argc, char *argv[] )
}

if( ( ret = mbedtls_rsa_pkcs1_sign( &rsa, NULL, NULL, MBEDTLS_MD_SHA256,
20, hash, buf ) ) != 0 )
32, hash, buf ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_rsa_pkcs1_sign returned -0x%0x\n\n", (unsigned int) -ret );
goto exit;
Expand Down
Loading

0 comments on commit fedd52c

Please sign in to comment.