diff options
Diffstat (limited to 'src/crypto/evp')
-rw-r--r-- | src/crypto/evp/CMakeLists.txt | 1 | ||||
-rw-r--r-- | src/crypto/evp/digestsign.c | 5 | ||||
-rw-r--r-- | src/crypto/evp/evp_asn1.c | 19 | ||||
-rw-r--r-- | src/crypto/evp/evp_extra_test.cc | 85 | ||||
-rw-r--r-- | src/crypto/evp/pbkdf.c | 16 | ||||
-rw-r--r-- | src/crypto/evp/pbkdf_test.cc | 43 |
6 files changed, 161 insertions, 8 deletions
diff --git a/src/crypto/evp/CMakeLists.txt b/src/crypto/evp/CMakeLists.txt index 5d2e918..000f076 100644 --- a/src/crypto/evp/CMakeLists.txt +++ b/src/crypto/evp/CMakeLists.txt @@ -47,3 +47,4 @@ add_executable( target_link_libraries(evp_extra_test crypto) target_link_libraries(evp_test crypto) target_link_libraries(pbkdf_test crypto) +add_dependencies(all_tests evp_extra_test evp_test pbkdf_test) diff --git a/src/crypto/evp/digestsign.c b/src/crypto/evp/digestsign.c index ccb4de4..69c483a 100644 --- a/src/crypto/evp/digestsign.c +++ b/src/crypto/evp/digestsign.c @@ -55,7 +55,6 @@ #include <openssl/evp.h> -#include <openssl/digest.h> #include <openssl/err.h> #include "internal.h" @@ -79,10 +78,6 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, ctx->pctx_ops = &md_pctx_ops; if (type == NULL) { - type = EVP_sha1(); - } - - if (type == NULL) { OPENSSL_PUT_ERROR(EVP, EVP_R_NO_DEFAULT_DIGEST); return 0; } diff --git a/src/crypto/evp/evp_asn1.c b/src/crypto/evp/evp_asn1.c index 356c62b..c57f411 100644 --- a/src/crypto/evp/evp_asn1.c +++ b/src/crypto/evp/evp_asn1.c @@ -83,16 +83,22 @@ EVP_PKEY *d2i_PrivateKey(int type, EVP_PKEY **out, const uint8_t **inp, goto err; } + const uint8_t *in = *inp; if (!ret->ameth->old_priv_decode || - !ret->ameth->old_priv_decode(ret, inp, len)) { + !ret->ameth->old_priv_decode(ret, &in, len)) { if (ret->ameth->priv_decode) { - PKCS8_PRIV_KEY_INFO *p8 = d2i_PKCS8_PRIV_KEY_INFO(NULL, inp, len); + /* Reset |in| in case |old_priv_decode| advanced it on error. */ + in = *inp; + PKCS8_PRIV_KEY_INFO *p8 = d2i_PKCS8_PRIV_KEY_INFO(NULL, &in, len); if (!p8) { goto err; } EVP_PKEY_free(ret); ret = EVP_PKCS82PKEY(p8); PKCS8_PRIV_KEY_INFO_free(p8); + if (ret == NULL) { + goto err; + } } else { OPENSSL_PUT_ERROR(EVP, ERR_R_ASN1_LIB); goto err; @@ -102,6 +108,7 @@ EVP_PKEY *d2i_PrivateKey(int type, EVP_PKEY **out, const uint8_t **inp, if (out != NULL) { *out = ret; } + *inp = in; return ret; err: @@ -129,7 +136,8 @@ EVP_PKEY *d2i_AutoPrivateKey(EVP_PKEY **out, const uint8_t **inp, long len) { keytype = EVP_PKEY_EC; } else if (sk_ASN1_TYPE_num(inkey) == 3) { /* This seems to be PKCS8, not traditional format */ - PKCS8_PRIV_KEY_INFO *p8 = d2i_PKCS8_PRIV_KEY_INFO(NULL, inp, len); + p = *inp; + PKCS8_PRIV_KEY_INFO *p8 = d2i_PKCS8_PRIV_KEY_INFO(NULL, &p, len); EVP_PKEY *ret; sk_ASN1_TYPE_pop_free(inkey, ASN1_TYPE_free); @@ -139,6 +147,11 @@ EVP_PKEY *d2i_AutoPrivateKey(EVP_PKEY **out, const uint8_t **inp, long len) { } ret = EVP_PKCS82PKEY(p8); PKCS8_PRIV_KEY_INFO_free(p8); + if (ret == NULL) { + return NULL; + } + + *inp = p; if (out) { *out = ret; } diff --git a/src/crypto/evp/evp_extra_test.cc b/src/crypto/evp/evp_extra_test.cc index 9c955fa..bd70040 100644 --- a/src/crypto/evp/evp_extra_test.cc +++ b/src/crypto/evp/evp_extra_test.cc @@ -321,6 +321,27 @@ static const uint8_t kExampleBadECKeyDER[] = { 0xF3, 0xB9, 0xCA, 0xC2, 0xFC, 0x63, 0x25, 0x51 }; +// kExampleBadECKeyDER2 is a sample EC private key encoded as an ECPrivateKey +// structure, but with the curve OID swapped out for 1.1.1.1.1.1.1.1.1. It is +// then concatenated with an ECPrivateKey wrapped in a PrivateKeyInfo, +// optional public key omitted, and with the private key chopped off. +static const uint8_t kExampleBadECKeyDER2[] = { + 0x30, 0x77, 0x02, 0x01, 0x01, 0x04, 0x20, 0x07, 0x0f, 0x08, 0x72, 0x7a, + 0xd4, 0xa0, 0x4a, 0x9c, 0xdd, 0x59, 0xc9, 0x4d, 0x89, 0x68, 0x77, 0x08, + 0xb5, 0x6f, 0xc9, 0x5d, 0x30, 0x77, 0x0e, 0xe8, 0xd1, 0xc9, 0xce, 0x0a, + 0x8b, 0xb4, 0x6a, 0xa0, 0x0a, 0x06, 0x08, 0x29, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0xa1, 0x44, 0x03, 0x42, 0x00, 0x04, 0xe6, 0x2b, 0x69, + 0xe2, 0xbf, 0x65, 0x9f, 0x97, 0xbe, 0x2f, 0x1e, 0x0d, 0x94, 0x8a, 0x4c, + 0xd5, 0x97, 0x6b, 0xb7, 0xa9, 0x1e, 0x0d, 0x46, 0xfb, 0xdd, 0xa9, 0xa9, + 0x1e, 0x9d, 0xdc, 0xba, 0x5a, 0x01, 0xe7, 0xd6, 0x97, 0xa8, 0x0a, 0x18, + 0xf9, 0xc3, 0xc4, 0xa3, 0x1e, 0x56, 0xe2, 0x7c, 0x83, 0x48, 0xdb, 0x16, + 0x1a, 0x1c, 0xf5, 0x1d, 0x7e, 0xf1, 0x94, 0x2d, 0x4b, 0xcf, 0x72, 0x22, + 0xc1, 0x30, 0x41, 0x02, 0x01, 0x00, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, + 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, + 0x03, 0x01, 0x07, 0x04, 0x27, 0x30, 0x25, 0x02, 0x01, 0x01, 0x04, 0x20, + 0x07, +}; + static ScopedEVP_PKEY LoadExampleRSAKey() { ScopedRSA rsa(RSA_private_key_from_bytes(kExampleRSAKeyDER, sizeof(kExampleRSAKeyDER))); @@ -530,6 +551,64 @@ static bool TestEVP_PKCS82PKEY(void) { fprintf(stderr, "Imported invalid EC key\n"); return false; } + ERR_clear_error(); + + return true; +} + +// Testd2i_PrivateKey tests |d2i_PrivateKey|. +static bool Testd2i_PrivateKey(void) { + const uint8_t *derp = kExampleRSAKeyDER; + ScopedEVP_PKEY pkey(d2i_PrivateKey(EVP_PKEY_RSA, nullptr, &derp, + sizeof(kExampleRSAKeyDER))); + if (!pkey || derp != kExampleRSAKeyDER + sizeof(kExampleRSAKeyDER)) { + fprintf(stderr, "Failed to import raw RSA key.\n"); + return false; + } + + derp = kExampleDSAKeyDER; + pkey.reset(d2i_PrivateKey(EVP_PKEY_DSA, nullptr, &derp, + sizeof(kExampleDSAKeyDER))); + if (!pkey || derp != kExampleDSAKeyDER + sizeof(kExampleDSAKeyDER)) { + fprintf(stderr, "Failed to import raw DSA key.\n"); + return false; + } + + derp = kExampleRSAKeyPKCS8; + pkey.reset(d2i_PrivateKey(EVP_PKEY_RSA, nullptr, &derp, + sizeof(kExampleRSAKeyPKCS8))); + if (!pkey || derp != kExampleRSAKeyPKCS8 + sizeof(kExampleRSAKeyPKCS8)) { + fprintf(stderr, "Failed to import PKCS#8 RSA key.\n"); + return false; + } + + derp = kExampleECKeyDER; + pkey.reset(d2i_PrivateKey(EVP_PKEY_EC, nullptr, &derp, + sizeof(kExampleECKeyDER))); + if (!pkey || derp != kExampleECKeyDER + sizeof(kExampleECKeyDER)) { + fprintf(stderr, "Failed to import raw EC key.\n"); + return false; + } + + derp = kExampleBadECKeyDER; + pkey.reset(d2i_PrivateKey(EVP_PKEY_EC, nullptr, &derp, + sizeof(kExampleBadECKeyDER))); + if (pkey) { + fprintf(stderr, "Imported invalid EC key.\n"); + return false; + } + ERR_clear_error(); + + // Copy the input into a |malloc|'d vector to flag memory errors. + std::vector<uint8_t> copy(kExampleBadECKeyDER2, kExampleBadECKeyDER2 + + sizeof(kExampleBadECKeyDER2)); + derp = bssl::vector_data(©); + pkey.reset(d2i_PrivateKey(EVP_PKEY_EC, nullptr, &derp, copy.size())); + if (pkey) { + fprintf(stderr, "Imported invalid EC key #2.\n"); + return false; + } + ERR_clear_error(); return true; } @@ -596,6 +675,12 @@ int main(void) { return 1; } + if (!Testd2i_PrivateKey()) { + fprintf(stderr, "Testd2i_PrivateKey failed\n"); + ERR_print_errors_fp(stderr); + return 1; + } + printf("PASS\n"); return 0; } diff --git a/src/crypto/evp/pbkdf.c b/src/crypto/evp/pbkdf.c index be6ed86..b06b922 100644 --- a/src/crypto/evp/pbkdf.c +++ b/src/crypto/evp/pbkdf.c @@ -123,6 +123,22 @@ int PKCS5_PBKDF2_HMAC(const char *password, size_t password_len, p += cplen; } HMAC_CTX_cleanup(&hctx_tpl); + + // RFC 2898 describes iterations (c) as being a "positive integer", so a + // value of 0 is an error. + // + // Unfortunatley not all consumers of PKCS5_PBKDF2_HMAC() check their return + // value, expecting it to succeed and unconditonally using |out_key|. + // As a precaution for such callsites in external code, the old behavior + // of iterations < 1 being treated as iterations == 1 is preserved, but + // additionally an error result is returned. + // + // TODO(eroman): Figure out how to remove this compatibility hack, or change + // the default to something more sensible like 2048. + if (iterations == 0) { + return 0; + } + return 1; } diff --git a/src/crypto/evp/pbkdf_test.cc b/src/crypto/evp/pbkdf_test.cc index ae2f405..a39189f 100644 --- a/src/crypto/evp/pbkdf_test.cc +++ b/src/crypto/evp/pbkdf_test.cc @@ -149,6 +149,44 @@ static bool TestSHA2() { return true; } +// Tests key derivation using iterations=0. +// +// RFC 2898 defines the iteration count (c) as a "positive integer". So doing a +// key derivation with iterations=0 is ill-defined and should result in a +// failure. +static bool TestZeroIterations() { + static const char kPassword[] = "password"; + const size_t password_len = strlen(kPassword); + static const uint8_t kSalt[] = {1, 2, 3, 4}; + const size_t salt_len = sizeof(kSalt); + const EVP_MD *digest = EVP_sha1(); + + uint8_t key[10] = {0}; + const size_t key_len = sizeof(key); + + // Verify that calling with iterations=1 works. + if (!PKCS5_PBKDF2_HMAC(kPassword, password_len, kSalt, salt_len, + 1 /* iterations */, digest, key_len, key)) { + fprintf(stderr, "PBKDF2 failed with iterations=1\n"); + return false; + } + + // Flip the first key byte (so can later test if it got set). + const uint8_t expected_first_byte = key[0]; + key[0] = ~key[0]; + + // However calling it with iterations=0 fails. + if (PKCS5_PBKDF2_HMAC(kPassword, password_len, kSalt, salt_len, + 0 /* iterations */, digest, key_len, key)) { + fprintf(stderr, "PBKDF2 returned zero with iterations=0\n"); + return false; + } + + // For backwards compatibility, the iterations == 0 case still fills in + // the out key. + return key[0] == expected_first_byte; +} + int main(void) { CRYPTO_library_init(); ERR_load_crypto_strings(); @@ -173,6 +211,11 @@ int main(void) { return 1; } + if (!TestZeroIterations()) { + fprintf(stderr, "TestZeroIterations failed\n"); + return 1; + } + printf("PASS\n"); ERR_free_strings(); return 0; |