Merge remote-tracking branch 'origin/development' into development_new

Signed-off-by: Dave Rodgman <dave.rodgman@arm.com> Conflicts: include/mbedtls/check_config.h: nearby edits library/entropy.c: nearby edits programs/random/gen_random_havege.c: modification vs. removal programs/ssl/ssl_test_lib.h: nearby edits programs/test/cpp_dummy_build.cpp: nearby edits visualc/VS2010/mbedTLS.vcxproj: automatically generated file, regenerated with scripts/generate_visualc_files.pl
2025-08-08 17:42:09 +03:00 · 2021-04-07 16:31:09 +01:00
parent 38ff9adacb 6741fc9148
commit 73e3e2cb1a
217 changed files with 23474 additions and 8202 deletions
--- a/library/rsa.c
+++ b/library/rsa.c
@@ -490,6 +490,9 @@ void mbedtls_rsa_init( mbedtls_rsa_context *ctx,
    mbedtls_rsa_set_padding( ctx, padding, hash_id );

 #if defined(MBEDTLS_THREADING_C)
+    /* Set ctx->ver to nonzero to indicate that the mutex has been
+     * initialized and will need to be freed. */
+    ctx->ver = 1;
    mbedtls_mutex_init( &ctx->mutex );
 #endif
 }
@@ -537,9 +540,6 @@ int mbedtls_rsa_gen_key( mbedtls_rsa_context *ctx,
    RSA_VALIDATE_RET( ctx != NULL );
    RSA_VALIDATE_RET( f_rng != NULL );

-    if( nbits < 128 || exponent < 3 || nbits % 2 != 0 )
-        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
-
    /*
     * If the modulus is 1024 bit long or shorter, then the security strength of
     * the RSA algorithm is less than or equal to 80 bits and therefore an error
@@ -552,6 +552,12 @@ int mbedtls_rsa_gen_key( mbedtls_rsa_context *ctx,
    mbedtls_mpi_init( &G );
    mbedtls_mpi_init( &L );

+    if( nbits < 128 || exponent < 3 || nbits % 2 != 0 )
+    {
+        ret = MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+        goto cleanup;
+    }
+
    /*
     * find primes P and Q with Q < P so that:
     * 1.  |P-Q| > 2^( nbits / 2 - 100 )
@@ -629,7 +635,9 @@ cleanup:
    if( ret != 0 )
    {
        mbedtls_rsa_free( ctx );
-        return( MBEDTLS_ERR_RSA_KEY_GEN_FAILED + ret );
+        if( ( -ret & ~0x7f ) == 0 )
+            ret = MBEDTLS_ERR_RSA_KEY_GEN_FAILED + ret;
+        return( ret );
    }

    return( 0 );
@@ -1787,21 +1795,19 @@ int mbedtls_rsa_pkcs1_decrypt( mbedtls_rsa_context *ctx,
 }

 #if defined(MBEDTLS_PKCS1_V21)
-/*
- * Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function
- */
-int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx,
+static int rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx,
                         int (*f_rng)(void *, unsigned char *, size_t),
                         void *p_rng,
                         int mode,
                         mbedtls_md_type_t md_alg,
                         unsigned int hashlen,
                         const unsigned char *hash,
+                         int saltlen,
                         unsigned char *sig )
 {
    size_t olen;
    unsigned char *p = sig;
-    unsigned char salt[MBEDTLS_MD_MAX_SIZE];
+    unsigned char *salt = NULL;
    size_t slen, min_slen, hlen, offset = 0;
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
    size_t msb;
@@ -1839,31 +1845,44 @@ int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx,

    hlen = mbedtls_md_get_size( md_info );

-    /* Calculate the largest possible salt length. Normally this is the hash
-     * length, which is the maximum length the salt can have. If there is not
-     * enough room, use the maximum salt length that fits. The constraint is
-     * that the hash length plus the salt length plus 2 bytes must be at most
-     * the key length. This complies with FIPS 186-4 §5.5 (e) and RFC 8017
-     * (PKCS#1 v2.2) §9.1.1 step 3. */
-    min_slen = hlen - 2;
-    if( olen < hlen + min_slen + 2 )
+    if (saltlen == MBEDTLS_RSA_SALT_LEN_ANY)
+    {
+       /* Calculate the largest possible salt length, up to the hash size.
+        * Normally this is the hash length, which is the maximum salt length
+        * according to FIPS 185-4 §5.5 (e) and common practice. If there is not
+        * enough room, use the maximum salt length that fits. The constraint is
+        * that the hash length plus the salt length plus 2 bytes must be at most
+        * the key length. This complies with FIPS 186-4 §5.5 (e) and RFC 8017
+        * (PKCS#1 v2.2) §9.1.1 step 3. */
+        min_slen = hlen - 2;
+        if( olen < hlen + min_slen + 2 )
+            return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+        else if( olen >= hlen + hlen + 2 )
+            slen = hlen;
+        else
+            slen = olen - hlen - 2;
+    }
+    else if ( (saltlen < 0) || (saltlen + hlen + 2 > olen) )
+    {
        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
-    else if( olen >= hlen + hlen + 2 )
-        slen = hlen;
+    }
    else
-        slen = olen - hlen - 2;
+    {
+        slen = (size_t) saltlen;
+    }

    memset( sig, 0, olen );

-    /* Generate salt of length slen */
-    if( ( ret = f_rng( p_rng, salt, slen ) ) != 0 )
-        return( MBEDTLS_ERR_RSA_RNG_FAILED + ret );
-
    /* Note: EMSA-PSS encoding is over the length of N - 1 bits */
    msb = mbedtls_mpi_bitlen( &ctx->N ) - 1;
    p += olen - hlen - slen - 2;
    *p++ = 0x01;
-    memcpy( p, salt, slen );
+
+    /* Generate salt of length slen in place in the encoded message */
+    salt = p;
+    if( ( ret = f_rng( p_rng, salt, slen ) ) != 0 )
+        return( MBEDTLS_ERR_RSA_RNG_FAILED + ret );
+
    p += slen;

    mbedtls_md_init( &md_ctx );
@@ -1897,8 +1916,6 @@ int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx,
    p += hlen;
    *p++ = 0xBC;

-    mbedtls_platform_zeroize( salt, sizeof( salt ) );
-
 exit:
    mbedtls_md_free( &md_ctx );

@@ -1909,6 +1926,40 @@ exit:
            ? mbedtls_rsa_public(  ctx, sig, sig )
            : mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig ) );
 }
+
+/*
+ * Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function with
+ * the option to pass in the salt length.
+ */
+int mbedtls_rsa_rsassa_pss_sign_ext( mbedtls_rsa_context *ctx,
+                         int (*f_rng)(void *, unsigned char *, size_t),
+                         void *p_rng,
+                         mbedtls_md_type_t md_alg,
+                         unsigned int hashlen,
+                         const unsigned char *hash,
+                         int saltlen,
+                         unsigned char *sig )
+{
+    return rsa_rsassa_pss_sign( ctx, f_rng, p_rng, MBEDTLS_RSA_PRIVATE, md_alg,
+                                hashlen, hash, saltlen, sig );
+}
+
+
+/*
+ * Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function
+ */
+int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx,
+                         int (*f_rng)(void *, unsigned char *, size_t),
+                         void *p_rng,
+                         int mode,
+                         mbedtls_md_type_t md_alg,
+                         unsigned int hashlen,
+                         const unsigned char *hash,
+                         unsigned char *sig )
+{
+    return rsa_rsassa_pss_sign( ctx, f_rng, p_rng, mode, md_alg,
+                                hashlen, hash, MBEDTLS_RSA_SALT_LEN_ANY, sig );
+}
 #endif /* MBEDTLS_PKCS1_V21 */

 #if defined(MBEDTLS_PKCS1_V15)
@@ -2481,7 +2532,6 @@ int mbedtls_rsa_copy( mbedtls_rsa_context *dst, const mbedtls_rsa_context *src )
    RSA_VALIDATE_RET( dst != NULL );
    RSA_VALIDATE_RET( src != NULL );

-    dst->ver = src->ver;
    dst->len = src->len;

    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->N, &src->N ) );
@@ -2540,7 +2590,12 @@ void mbedtls_rsa_free( mbedtls_rsa_context *ctx )
 #endif /* MBEDTLS_RSA_NO_CRT */

 #if defined(MBEDTLS_THREADING_C)
-    mbedtls_mutex_free( &ctx->mutex );
+    /* Free the mutex, but only if it hasn't been freed already. */
+    if( ctx->ver != 0 )
+    {
+        mbedtls_mutex_free( &ctx->mutex );
+        ctx->ver = 0;
+    }
 #endif
 }