authorNIIBE Yutaka <gniibe@fsij.org>2021-07-23 10:41:59 +0900
committerNIIBE Yutaka <gniibe@fsij.org>2021-07-23 10:41:59 +0900
commit652e115e10f2bd53d1e1fbe161c2528f4ca89012 (patch)
treed4b32fa8c2452627d25027683efe21b7b1eed9c3 /cipher
parent7f401b9748c450e5e4676ea2cc611aeff41c3fb3 (diff)
downloadlibgcrypt-652e115e10f2bd53d1e1fbe161c2528f4ca89012.tar.gz
cipher: Check by caller instead, not by callee for RSA-PSS.
* cipher/pubkey-internal.h (_gcry_rsa_pss_encode): Change the API. * cipher/pubkey-util.c (_gcry_pk_util_data_to_mpi): Before the call to _gcry_rsa_pss_encode, check the condition here, raise GPG_ERR_INV_ARG if it's not good. * cipher/rsa-common.c (_gcry_rsa_pss_encode): No check inside. Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
Diffstat (limited to 'cipher')
-rw-r--r--cipher/pubkey-internal.h2
-rw-r--r--cipher/pubkey-util.c17
-rw-r--r--cipher/rsa-common.c17
3 files changed, 13 insertions, 23 deletions
diff --git a/cipher/pubkey-internal.h b/cipher/pubkey-internal.h
index d31e26f3..2b8c92b8 100644
--- a/cipher/pubkey-internal.h
+++ b/cipher/pubkey-internal.h
@@ -76,7 +76,7 @@ _gcry_rsa_oaep_decode (unsigned char **r_result, size_t *r_resultlen,
gpg_err_code_t
_gcry_rsa_pss_encode (gcry_mpi_t *r_result, unsigned int nbits, int algo,
const unsigned char *value, size_t valuelen, int saltlen,
- const void *random_override, size_t random_override_len);
+ const void *random_override);
gpg_err_code_t
_gcry_rsa_pss_verify (gcry_mpi_t value, gcry_mpi_t encoded,
unsigned int nbits, int algo, size_t saltlen);
diff --git a/cipher/pubkey-util.c b/cipher/pubkey-util.c
index 7ddef7dc..7ed8a55c 100644
--- a/cipher/pubkey-util.c
+++ b/cipher/pubkey-util.c
@@ -678,7 +678,7 @@ _gcry_pk_util_free_encoding_ctx (struct pk_encoding_ctx *ctx)
LABEL is specific to OAEP.
- SALT-LENGTH is for PSS it is limited to 16384 bytes.
+ SALT-LENGTH is for PSS, it is limited to 16384 bytes.
RANDOM-OVERRIDE is used to replace random nonces for regression
testing. */
@@ -1032,7 +1032,6 @@ _gcry_pk_util_data_to_mpi (gcry_sexp_t input, gcry_mpi_t *ret_mpi,
const void * value;
size_t valuelen;
void *random_override = NULL;
- size_t random_override_len = 0;
ctx->hash_algo = get_hash_algo (s, n);
@@ -1066,17 +1065,16 @@ _gcry_pk_util_data_to_mpi (gcry_sexp_t input, gcry_mpi_t *ret_mpi,
s = sexp_nth_data (list, 1, &n);
if (!s)
rc = GPG_ERR_NO_OBJ;
- else if (n > 0)
+ else if (n == ctx->saltlen)
{
random_override = xtrymalloc (n);
if (!random_override)
rc = gpg_err_code_from_syserror ();
else
- {
- memcpy (random_override, s, n);
- random_override_len = n;
- }
+ memcpy (random_override, s, n);
}
+ else
+ rc = GPG_ERR_INV_ARG;
sexp_release (list);
if (rc)
goto leave;
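Review bot: The new `else if (n == ctx->saltlen)` branch also accepts an empty override when the salt length is zero, so `xtrymalloc (n)` is then called with a size of 0, which the old `n > 0` guard avoided. Whether that yields NULL, and so an error from `gpg_err_code_from_syserror ()`, depends on the allocator, which is not visible here. Writing the condition as `else if (n && n == ctx->saltlen)` and deciding explicitly what an empty override means would make the outcome deterministic. This comparison is now the only length check before `_gcry_rsa_pss_encode` copies `ctx->saltlen` bytes from the buffer, so it deserves a comment such as `/* Sole length check: the encoder copies ctx->saltlen bytes unchecked, so salt-length must already be parsed. */`. The enclosing function starts and ends outside the hunk, so the order of salt-length parsing relative to this block should be confirmed there.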
@@ -1085,9 +1083,8 @@ _gcry_pk_util_data_to_mpi (gcry_sexp_t input, gcry_mpi_t *ret_mpi,
/* Encode the data. (NBITS-1 is due to 8.1.1, step 1.) */
rc = _gcry_rsa_pss_encode (ret_mpi, ctx->nbits - 1,
ctx->hash_algo,
- value, valuelen, ctx->saltlen,
- random_override, random_override_len);
-
+ value, valuelen,
+ ctx->saltlen, random_override);
xfree (random_override);
}
}
diff --git a/cipher/rsa-common.c b/cipher/rsa-common.c
index 29b7bc81..6ff53c71 100644
--- a/cipher/rsa-common.c
+++ b/cipher/rsa-common.c
@@ -742,9 +742,9 @@ _gcry_rsa_oaep_decode (unsigned char **r_result, size_t *r_resultlen,
length of salt to be used. On success the result is stored as a
new MPI at R_RESULT. On error the value at R_RESULT is undefined.
- If {RANDOM_OVERRIDE, RANDOM_OVERRIDE_LEN} is given it is used as
- the salt instead of using a random string for the salt. This
- feature is only useful for regression tests.
+ If RANDOM_OVERRIDE is given it is used as the salt instead of using
+ a random string for the salt. This feature is only useful for
+ regression tests.
Here is figure 2 from the RFC (errata 595 applied) depicting the
process:
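Review bot: The rewritten comment drops the length parameter but does not state the precondition that replaces it. RANDOM_OVERRIDE must now point to at least SALTLEN bytes, because the `memcpy (salt, random_override, saltlen)` in the last hunk of this file no longer checks anything. I would add a sentence such as `The caller must ensure that RANDOM_OVERRIDE points to SALTLEN bytes; this is not checked here.` The same sentence belongs next to the prototype in cipher/pubkey-internal.h, since any other caller of the function inherits the obligation. The comment block starts and ends outside the hunk.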
@@ -778,7 +778,7 @@ _gcry_rsa_oaep_decode (unsigned char **r_result, size_t *r_resultlen,
gpg_err_code_t
_gcry_rsa_pss_encode (gcry_mpi_t *r_result, unsigned int nbits, int algo,
const unsigned char *value, size_t valuelen, int saltlen,
- const void *random_override, size_t random_override_len)
+ const void *random_override)
{
gcry_err_code_t rc = 0;
size_t hlen; /* Length of the hash digest. */
@@ -840,14 +840,7 @@ _gcry_rsa_pss_encode (gcry_mpi_t *r_result, unsigned int nbits, int algo,
if (saltlen)
{
if (random_override)
- {
- if (random_override_len != saltlen)
- {
- rc = GPG_ERR_INV_ARG;
- goto leave;
- }
- memcpy (salt, random_override, saltlen);
- }
+ memcpy (salt, random_override, saltlen);
else
_gcry_randomize (salt, saltlen, GCRY_STRONG_RANDOM);
}