implemented suggested changes and useful comments
feventura committed Mar 12, 2024
1 parent f07a821 commit 2950737
Showing 4 changed files with 132 additions and 50 deletions.
58 changes: 46 additions & 12 deletions oqsprov/oqs_encode_key2any.c
Expand Up @@ -766,7 +766,6 @@ static int oqsx_pki_priv_to_der(const void *vxkey, unsigned char **pder)
OPENSSL_free(temp);
OPENSSL_free(templen);
PKCS8_PRIV_KEY_INFO_free(p8inf_internal);
OPENSSL_free(name);
return -1;
}

Expand Down Expand Up @@ -813,17 +812,43 @@ static int oqsx_pki_priv_to_der(const void *vxkey, unsigned char **pder)
}

buf = OPENSSL_secure_malloc(buflen);
if (buf == NULL) {
for (int j = 0; j <= i; j++) {
OPENSSL_cleanse(aString[j]->data, aString[j]->length);
ASN1_OCTET_STRING_free(aString[j]);
OPENSSL_cleanse(aType[j]->value.sequence->data,
aType[j]->value.sequence->length);
if (j < i)
OPENSSL_clear_free(temp[j], templen[j]);
}

if (sk_ASN1_TYPE_num(sk) != -1)
sk_ASN1_TYPE_pop_free(sk, &ASN1_TYPE_free);
else
ASN1_TYPE_free(aType[i]);

OPENSSL_free(aType);
OPENSSL_free(aString);
OPENSSL_free(temp);
OPENSSL_free(templen);
PKCS8_PRIV_KEY_INFO_free(p8inf_internal);
OPENSSL_free(name);
ERR_raise(ERR_LIB_USER, ERR_R_MALLOC_FAILURE);
return -1;
}
if (get_oqsname_fromtls(name)
!= 0) { // include pubkey in privkey for PQC
memcpy(buf, oqsxkey->comp_privkey[i],
oqsxkey->privkeylen_cmp[i]);
memcpy(buf + oqsxkey->privkeylen_cmp[i],
oqsxkey->comp_pubkey[i], oqsxkey->pubkeylen_cmp[i]);
} else {
memcpy(buf, oqsxkey->comp_privkey[i], buflen);
memcpy(buf, oqsxkey->comp_privkey[i],
buflen); // buflen for classical (RSA) might be different
// from oqsxkey->privkeylen_cmp[
}

if (nid == EVP_PKEY_EC) {
if (nid == EVP_PKEY_EC) { // add the curve OID with the ECPubkey OID
version = V_ASN1_OBJECT;
pval = OBJ_nid2obj(
oqsxkey->oqsx_provider_ctx.oqsx_evp_ctx->evp_info->nid);
Expand All @@ -847,14 +872,22 @@ static int oqsx_pki_priv_to_der(const void *vxkey, unsigned char **pder)
OPENSSL_free(aString);
OPENSSL_free(temp);
OPENSSL_free(templen);
OPENSSL_cleanse(buf, buflen);
PKCS8_PRIV_KEY_INFO_free(p8inf_internal);
OPENSSL_cleanse(
buf,
buflen); // buf is part of p8inf_internal so we cant free
// now, we cleanse it to remove pkey from memory
PKCS8_PRIV_KEY_INFO_free(p8inf_internal); // this also free buf
return -1;
}

templen[i] = i2d_PKCS8_PRIV_KEY_INFO(p8inf_internal, &temp[i]);
ASN1_STRING_set(aString[i], temp[i], templen[i]);
ASN1_TYPE_set1(aType[i], V_ASN1_SEQUENCE, aString[i]);
templen[i] = i2d_PKCS8_PRIV_KEY_INFO(
p8inf_internal,
&temp[i]); // create the privkey info for each individual key
ASN1_STRING_set(aString[i], temp[i],
templen[i]); // add privkey info as ASN1_STRING
ASN1_TYPE_set1(aType[i], V_ASN1_SEQUENCE,
aString[i]); // add the ASN1_STRING into a ANS1_TYPE
// so it can be added into the stack

if (!sk_ASN1_TYPE_push(sk, aType[i])) {
for (int j = 0; j <= i; j++) {
Expand All @@ -871,8 +904,11 @@ static int oqsx_pki_priv_to_der(const void *vxkey, unsigned char **pder)
OPENSSL_free(aString);
OPENSSL_free(temp);
OPENSSL_free(templen);
OPENSSL_cleanse(buf, buflen);
PKCS8_PRIV_KEY_INFO_free(p8inf_internal);
OPENSSL_cleanse(
buf,
buflen); // buf is part of p8inf_internal so we cant free
// now, we cleanse it to remove pkey from memory
PKCS8_PRIV_KEY_INFO_free(p8inf_internal); // this also free buf
return -1;
}
OPENSSL_free(name);
Expand Down Expand Up @@ -1694,7 +1730,6 @@ static int oqsx_to_text(BIO *out, const void *key, int selection)
for (i = 0; i < okey->numkeys; i++) {
if ((name = get_cmpname(OBJ_sn2nid(okey->tls_name), i))
== NULL) {
OPENSSL_free(name);
ERR_raise(ERR_LIB_USER, OQSPROV_R_INVALID_KEY);
return 0;
}
Expand Down Expand Up @@ -1760,7 +1795,6 @@ static int oqsx_to_text(BIO *out, const void *key, int selection)
for (i = 0; i < okey->numkeys; i++) {
if ((name = get_cmpname(OBJ_sn2nid(okey->tls_name), i))
== NULL) {
OPENSSL_free(name);
ERR_raise(ERR_LIB_USER, OQSPROV_R_INVALID_KEY);
return 0;
}
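Review bot: The new `buf == NULL` branch after `OPENSSL_secure_malloc(buflen)` in oqsx_pki_priv_to_der runs its cleanup loop with `j <= i`, so for `j == i` it reads `aType[j]->value.sequence->data` before `ASN1_TYPE_set1`, further down in the same iteration, has given that element a value. If `aType[i]` is still a freshly allocated ASN1_TYPE at that point, as the allocation outside this hunk presumably leaves it, an out-of-memory condition becomes a NULL dereference instead of a clean `-1` return. I would restrict the cleanse to completed entries, `if (j < i) OPENSSL_cleanse(aType[j]->value.sequence->data, aType[j]->value.sequence->length);`, in line with the `if (j < i)` guard already used for `temp[j]`. The function body starts and ends outside the hunk.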
37 changes: 30 additions & 7 deletions oqsprov/oqs_sig.c
Expand Up @@ -215,7 +215,7 @@ static int oqs_sig_verify_init(void *vpoqs_sigctx, void *voqssig,
}

// this list need to be in order of the last number on the OID from the
// composite
// composite, the len of each value is COMPOSITE_OID_PREFIX_LEN
static const unsigned char *composite_OID_prefix[] = {
"060B6086480186FA6B50080101", // mldsa44_pss2048
// id-MLDSA44-RSA2048-PSS-SHA256
Expand Down Expand Up @@ -251,6 +251,7 @@ static const unsigned char *composite_OID_prefix[] = {

};

/*put the chars on in into memory on out*/
void composite_prefix_conversion(char *out, const unsigned char *in)
{
int temp;
Expand Down Expand Up @@ -389,13 +390,19 @@ static int oqs_sig_sign(void *vpoqs_sigctx, unsigned char *sig, size_t *siglen,

if (is_composite) {
unsigned char *buf;
CompositeSignature *compsig = CompositeSignature_new();
int i;
int nid = OBJ_sn2nid(oqsxkey->tls_name);
int comp_idx = get_composite_idx(get_oqsalg_idx(nid));
if (comp_idx == -1)
goto endsign;
const unsigned char *oid_prefix = composite_OID_prefix[comp_idx - 1];
char *final_tbs;
size_t final_tbslen = COMPOSITE_OID_PREFIX_LEN / 2;
CompositeSignature *compsig = CompositeSignature_new();
size_t final_tbslen
= COMPOSITE_OID_PREFIX_LEN
/ 2; // COMPOSITE_OID_PREFIX_LEN stores the size of the *char, but
// the prefix will be on memory, so each 2 chars will
// translate into one byte
int aux = 0;
unsigned char *tbs_hash;

Expand All @@ -405,7 +412,7 @@ static int oqs_sig_sign(void *vpoqs_sigctx, unsigned char *sig, size_t *siglen,
char *upcase_name;
if ((name = get_cmpname(nid, i)) == NULL) {
ERR_raise(ERR_LIB_USER, ERR_R_FATAL);
OPENSSL_free(name);
CompositeSignature_free(compsig);
goto endsign;
}
upcase_name = get_oqsname_fromtls(name);
Expand Down Expand Up @@ -433,6 +440,7 @@ static int oqs_sig_sign(void *vpoqs_sigctx, unsigned char *sig, size_t *siglen,
break;
default:
ERR_raise(ERR_LIB_USER, ERR_R_FATAL);
CompositeSignature_free(compsig);
goto endsign;
}
final_tbs = OPENSSL_malloc(final_tbslen);
Expand All @@ -446,7 +454,8 @@ static int oqs_sig_sign(void *vpoqs_sigctx, unsigned char *sig, size_t *siglen,
char *name;
if ((name = get_cmpname(nid, i)) == NULL) {
ERR_raise(ERR_LIB_USER, ERR_R_FATAL);
OPENSSL_free(name);
CompositeSignature_free(compsig);
OPENSSL_free(final_tbs);
goto endsign;
}

Expand All @@ -458,6 +467,8 @@ static int oqs_sig_sign(void *vpoqs_sigctx, unsigned char *sig, size_t *siglen,
final_tbslen, oqsxkey->comp_privkey[i])
!= OQS_SUCCESS) {
ERR_raise(ERR_LIB_USER, OQSPROV_R_SIGNING_FAILED);
CompositeSignature_free(compsig);
OPENSSL_free(final_tbs);
OPENSSL_free(name);
OPENSSL_free(buf);
goto endsign;
Expand All @@ -481,6 +492,8 @@ static int oqs_sig_sign(void *vpoqs_sigctx, unsigned char *sig, size_t *siglen,
final_tbs, final_tbslen)
<= 0)) {
ERR_raise(ERR_LIB_USER, ERR_R_FATAL);
CompositeSignature_free(compsig);
OPENSSL_free(final_tbs);
OPENSSL_free(name);
EVP_MD_CTX_free(evp_ctx);
OPENSSL_free(buf);
Expand All @@ -493,6 +506,8 @@ static int oqs_sig_sign(void *vpoqs_sigctx, unsigned char *sig, size_t *siglen,
== NULL
|| (EVP_PKEY_sign_init(classical_ctx_sign) <= 0)) {
ERR_raise(ERR_LIB_USER, ERR_R_FATAL);
CompositeSignature_free(compsig);
OPENSSL_free(final_tbs);
OPENSSL_free(name);
OPENSSL_free(buf);
goto endsign;
Expand All @@ -509,6 +524,8 @@ static int oqs_sig_sign(void *vpoqs_sigctx, unsigned char *sig, size_t *siglen,
EVP_sha256())
<= 0)) {
ERR_raise(ERR_LIB_USER, ERR_R_FATAL);
CompositeSignature_free(compsig);
OPENSSL_free(final_tbs);
OPENSSL_free(name);
OPENSSL_free(buf);
goto endsign;
Expand All @@ -520,6 +537,8 @@ static int oqs_sig_sign(void *vpoqs_sigctx, unsigned char *sig, size_t *siglen,
RSA_PKCS1_PADDING)
<= 0) {
ERR_raise(ERR_LIB_USER, ERR_R_FATAL);
CompositeSignature_free(compsig);
OPENSSL_free(final_tbs);
OPENSSL_free(name);
OPENSSL_free(buf);
goto endsign;
Expand All @@ -544,6 +563,8 @@ static int oqs_sig_sign(void *vpoqs_sigctx, unsigned char *sig, size_t *siglen,
digest, digest_len)
<= 0)) {
ERR_raise(ERR_LIB_USER, ERR_R_FATAL);
CompositeSignature_free(compsig);
OPENSSL_free(final_tbs);
OPENSSL_free(name);
OPENSSL_free(buf);
goto endsign;
Expand All @@ -553,6 +574,8 @@ static int oqs_sig_sign(void *vpoqs_sigctx, unsigned char *sig, size_t *siglen,
->evp_info->length_signature) {
/* sig is bigger than expected */
ERR_raise(ERR_LIB_USER, OQSPROV_R_BUFFER_LENGTH_WRONG);
CompositeSignature_free(compsig);
OPENSSL_free(final_tbs);
OPENSSL_free(name);
OPENSSL_free(buf);
goto endsign;
Expand Down Expand Up @@ -696,6 +719,8 @@ static int oqs_sig_verify(void *vpoqs_sigctx, const unsigned char *sig,
int i;
int nid = OBJ_sn2nid(oqsxkey->tls_name);
int comp_idx = get_composite_idx(get_oqsalg_idx(nid));
if (comp_idx == -1)
goto endverify;
unsigned char *buf;
size_t buf_len;
const unsigned char *oid_prefix = composite_OID_prefix[comp_idx - 1];
Expand All @@ -716,7 +741,6 @@ static int oqs_sig_verify(void *vpoqs_sigctx, const unsigned char *sig,
char *upcase_name;
if ((name = get_cmpname(nid, i)) == NULL) {
ERR_raise(ERR_LIB_USER, ERR_R_FATAL);
OPENSSL_free(name);
CompositeSignature_free(compsig);
goto endverify;
}
Expand Down Expand Up @@ -766,7 +790,6 @@ static int oqs_sig_verify(void *vpoqs_sigctx, const unsigned char *sig,

char *name;
if ((name = get_cmpname(nid, i)) == NULL) {
OPENSSL_free(name);
ERR_raise(ERR_LIB_USER, OQSPROV_R_VERIFY_ERROR);
CompositeSignature_free(compsig);
OPENSSL_free(final_tbs);
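Review bot: The `if (comp_idx == -1) goto endsign;` guard added in oqs_sig_sign, and the matching one before `goto endverify` in oqs_sig_verify, reject only the `-1` sentinel, yet the next statement indexes `composite_OID_prefix[comp_idx - 1]`. get_composite_idx as changed in this same commit returns `0` when its own range check fails and passes any parsed number through unchecked, so `0` or a value larger than the table would read outside the array. Checking the full range keeps the lookup inside the table: `if (comp_idx < 1 || (size_t)comp_idx > sizeof(composite_OID_prefix) / sizeof(composite_OID_prefix[0])) goto endsign;`, with `goto endverify` in the verify path. Both function bodies extend beyond the hunks shown.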
17 changes: 12 additions & 5 deletions oqsprov/oqsprov.c
Expand Up @@ -8,6 +8,7 @@
*/

#include "oqs_prov.h"
#include <errno.h>
#include <openssl/core.h>
#include <openssl/core_dispatch.h>
#include <openssl/core_names.h>
Expand Down Expand Up @@ -1172,21 +1173,27 @@ static const OSSL_ALGORITHM oqsprovider_decoder[] = {
// get the last number on the composite OID
int get_composite_idx(int idx)
{
char *token, *s;
int i, len, count = 0;
char *s;
int i, len, ret = -1, count = 0;

s = oqs_oid_alg_list[idx * 2];
if (2 * idx > OQS_OID_CNT)
return 0;
s = (char *)oqs_oid_alg_list[idx * 2];
len = strlen(s);

for (i = 0; i < len; i++) {
if (s[i] == '.') {
count += 1;
}
if (count == 8) { // 8 dots in composite OID
return atoi(s + i + 1);
errno = 0;
ret = strtol(s + i + 1, NULL, 10);
if (errno == ERANGE)
ret = -1;
break;
}
}
return 0;
return ret;
}

static const OSSL_PARAM *oqsprovider_gettable_params(void *provctx)
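Review bot: The new range check in get_composite_idx, `if (2 * idx > OQS_OID_CNT) return 0;`, still admits `2 * idx == OQS_OID_CNT` and any negative `idx`, and it reports failure as `0` although the rest of the function now uses `-1` for that. Assuming oqs_oid_alg_list holds OQS_OID_CNT entries (its declaration is outside this hunk), the first case reads one element past the array, so the test should reject `idx < 0 || 2 * idx >= OQS_OID_CNT` and return `-1`. The `strtol` call passes a NULL end pointer and stores a `long` in an `int`, so a missing number is indistinguishable from `0` and only `ERANGE` is caught. Parsing into a `long` with an end pointer and accepting only positive values that fit an `int` closes that gap (INT_MAX needs `<limits.h>`).

```c
int get_composite_idx(int idx)
{
    // … unchanged: declarations of s, i, len, ret, count …
    char *end;
    long val;

    if (idx < 0 || 2 * idx >= OQS_OID_CNT)
        return -1;
    // … unchanged: fetch s, strlen, loop counting dots …
        if (count == 8) { // 8 dots in composite OID
            errno = 0;
            val = strtol(s + i + 1, &end, 10);
            // accept only a parsed, positive number that fits an int
            if (errno == 0 && end != s + i + 1 && val >= 1
                && val <= INT_MAX)
                ret = (int)val;
            break;
        }
    // … unchanged: end of loop, return ret …
```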