[pkg-opensc-commit] [libp11] 67/86: Fixed incorrect errors reported on sig/enc/dec
Eric Dorland
eric at moszumanska.debian.org
Sun Jul 24 21:40:24 UTC 2016
This is an automated email from the git hooks/post-receive script.
eric pushed a commit to branch master
in repository libp11.
commit eea37007782453697782b0eeb01c2982b0ac1ecb
Author: Michał Trojnara <Michal.Trojnara at stunnel.org>
Date: Thu Mar 10 10:38:50 2016 +0100
Fixed incorrect errors reported on sig/enc/dec
It also adds support for RSA encryption (not only signing).
The redundant signature length verification code was removed.
There is no value added by re-implementing checks that are
already performed by the PKCS#11 module.
---
NEWS | 3 +++
src/p11_ec.c | 5 +++--
src/p11_rsa.c | 49 ++++++++++++++++++++++++++-----------------------
3 files changed, 32 insertions(+), 25 deletions(-)
diff --git a/NEWS b/NEWS
index 60e8310..170353b 100644
--- a/NEWS
+++ b/NEWS
@@ -7,6 +7,9 @@ New in 0.4.0; unreleased;
by OpenSSL for various features including OAEP (Michał Trojnara)
* Added support for the ANSI X9.31 (RSA_X931_PADDING) RSA padding
(Michał Trojnara)
+* Added support for RSA encryption (not only signing) (Michał Trojnara)
+* Fixed incorrect errors reported on signing/encryption/decryption
+ (Michał Trojnara)
* Fixed deadlocks in keys and certificates listing (Brian Hinz)
* Use PKCS11_MODULE_PATH environment variable (Doug Engert)
* Added support for building against OpenSSL 1.1.0-dev (Doug Engert)
diff --git a/src/p11_ec.c b/src/p11_ec.c
index cd5d330..d66b0e0 100644
--- a/src/p11_ec.c
+++ b/src/p11_ec.c
@@ -194,8 +194,9 @@ static int pkcs11_ecdsa_sign(const unsigned char *msg, unsigned int msg_len,
pkcs11_w_lock(PRIVSLOT(slot)->lockid);
rv = CRYPTOKI_call(ctx,
- C_SignInit(spriv->session, &mechanism, kpriv->object)) ||
- CRYPTOKI_call(ctx,
+ C_SignInit(spriv->session, &mechanism, kpriv->object));
+ if (!rv)
+ rv = CRYPTOKI_call(ctx,
C_Sign(spriv->session, (CK_BYTE *)msg, msg_len, sigret, &ck_sigsize));
pkcs11_w_unlock(PRIVSLOT(slot)->lockid);
diff --git a/src/p11_rsa.c b/src/p11_rsa.c
index 8ac8489..594030e 100644
--- a/src/p11_rsa.c
+++ b/src/p11_rsa.c
@@ -73,6 +73,8 @@ static int pkcs11_mechanism(CK_MECHANISM *mechanism, const int padding)
return 0;
}
+/* RSA private key encryption (also invoked by OpenSSL for signing) */
+/* OpenSSL assumes that the output buffer is always big enough */
int pkcs11_private_encrypt(int flen,
const unsigned char *from, unsigned char *to,
PKCS11_KEY *key, int padding)
@@ -82,41 +84,40 @@ int pkcs11_private_encrypt(int flen,
PKCS11_KEY_private *kpriv = PRIVKEY(key);
PKCS11_SLOT_private *spriv = PRIVSLOT(slot);
CK_MECHANISM mechanism;
+ CK_ULONG size;
int rv;
- int sigsize;
- CK_ULONG ck_sigsize;
- sigsize = pkcs11_get_key_size(key);
- ck_sigsize = sigsize;
-
- if (padding == RSA_PKCS1_PADDING &&
- (flen + RSA_PKCS1_PADDING_SIZE) > sigsize) {
- return -1; /* the size is wrong */
- }
+ size = pkcs11_get_key_size(key);
if (pkcs11_mechanism(&mechanism, padding) < 0)
return -1;
pkcs11_w_lock(PRIVSLOT(slot)->lockid);
- /* API is somewhat fishy here. *siglen is 0 on entry (cleared
- * by OpenSSL). The library assumes that the memory passed
- * by the caller is always big enough */
- rv = CRYPTOKI_call(ctx, C_SignInit(spriv->session, &mechanism, kpriv->object)) ||
- CRYPTOKI_call(ctx,
- C_Sign(spriv->session, (CK_BYTE *) from, flen, to, &ck_sigsize));
+ /* Try signing first, as applications are more likely to use it */
+ rv = CRYPTOKI_call(ctx,
+ C_SignInit(spriv->session, &mechanism, kpriv->object));
+ if (!rv)
+ rv = CRYPTOKI_call(ctx,
+ C_Sign(spriv->session, (CK_BYTE *)from, flen, to, &size));
+ if (rv == CKR_KEY_FUNCTION_NOT_PERMITTED) {
+ /* OpenSSL may use it for encryption rather than signing */
+ rv = CRYPTOKI_call(ctx,
+ C_EncryptInit(spriv->session, &mechanism, kpriv->object));
+ if (!rv)
+ rv = CRYPTOKI_call(ctx,
+ C_Encrypt(spriv->session, (CK_BYTE *)from, flen, to, &size));
+ }
pkcs11_w_unlock(PRIVSLOT(slot)->lockid);
if (rv) {
- PKCS11err(PKCS11_F_PKCS11_RSA_SIGN, pkcs11_map_err(rv));
+ PKCS11err(PKCS11_F_PKCS11_RSA_ENCRYPT, pkcs11_map_err(rv));
return -1;
}
- if ((unsigned)sigsize != ck_sigsize)
- return -1;
-
- return sigsize;
+ return size;
}
+/* RSA private key decryption */
int pkcs11_private_decrypt(int flen, const unsigned char *from, unsigned char *to,
PKCS11_KEY *key, int padding)
{
@@ -132,9 +133,11 @@ int pkcs11_private_decrypt(int flen, const unsigned char *from, unsigned char *t
return -1;
pkcs11_w_lock(PRIVSLOT(slot)->lockid);
- rv = CRYPTOKI_call(ctx, C_DecryptInit(spriv->session, &mechanism, kpriv->object)) ||
- CRYPTOKI_call(ctx,
- C_Decrypt(spriv->session, (CK_BYTE *) from, (CK_ULONG)flen,
+ rv = CRYPTOKI_call(ctx,
+ C_DecryptInit(spriv->session, &mechanism, kpriv->object));
+ if (!rv)
+ rv = CRYPTOKI_call(ctx,
+ C_Decrypt(spriv->session, (CK_BYTE *)from, size,
(CK_BYTE_PTR)to, &size));
pkcs11_w_unlock(PRIVSLOT(slot)->lockid);
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-opensc/libp11.git
More information about the pkg-opensc-commit
mailing list