Merge pull request wolfSSL#196 from aidangarske/rsa_decode_fix

Fix RSA decode and empty Keygen OID with FIPS

Author: ColtonWilley

scripts/utils-wolfssl.sh

@@ -27,10 +27,12 @@ WOLFSSL_SOURCE_DIR=${SCRIPT_DIR}/../wolfssl-source
 WOLFSSL_INSTALL_DIR=${SCRIPT_DIR}/../wolfssl-install
 WOLFSSL_ISFIPS=${WOLFSSL_ISFIPS:-0}
 WOLFSSL_FIPS_CONFIG_OPTS=${WOLFSSL_CONFIG_OPTS:-'--enable-opensslcoexist '}
-WOLFSSL_FIPS_CONFIG_CFLAGS=${WOLFSSL_CONFIG_CFLAGS:-"-I${OPENSSL_INSTALL_DIR}/include"}
+WOLFSSL_FIPS_CONFIG_CFLAGS=${WOLFSSL_CONFIG_CFLAGS:-"-I${OPENSSL_INSTALL_DIR}/include -DWOLFSSL_OLD_OID_SUM"}
 WOLFSSL_CONFIG_OPTS=${WOLFSSL_CONFIG_OPTS:-'--enable-all-crypto --with-eccminsz=192 --with-max-ecc-bits=1024 --enable-opensslcoexist --enable-sha'}
 WOLFSSL_CONFIG_CFLAGS=${WOLFSSL_CONFIG_CFLAGS:-"-I${OPENSSL_INSTALL_DIR}/include -DWC_RSA_NO_PADDING -DWOLFSSL_PUBLIC_MP -DHAVE_PUBLIC_FFDHE -DHAVE_FFDHE_6144 -DHAVE_FFDHE_8192 -DWOLFSSL_PSS_LONG_SALT -DWOLFSSL_PSS_SALT_LEN_DISCOVER -DRSA_MIN_SIZE=1024 -DWOLFSSL_OLD_OID_SUM "}
 
+WOLFSSL_DEBUG_ASN_TEMPLATE=${DWOLFSSL_DEBUG_ASN_TEMPLATE:-0}
+WOLFPROV_DISABLE_ERR_TRACE=${WOLFPROV_DISABLE_ERR_TRACE:-0}
 WOLFPROV_DEBUG=${WOLFPROV_DEBUG:-0}
 USE_CUR_TAG=${USE_CUR_TAG:-0}
 
@@ -84,12 +86,17 @@ install_wolfssl() {
 
         if [ "$WOLFPROV_DEBUG" = "1" ]; then
             CONF_ARGS+=" --enable-debug --enable-keylog-export"
-            if [[ "$OSTYPE" != "darwin"* ]]; then
+            if [[ "$OSTYPE" != "darwin"* ]] && [ "$WOLFPROV_DISABLE_ERR_TRACE" != "1" ]; then
                 # macOS doesn't support backtrace
                 CONF_ARGS+=" --enable-debug-trace-errcodes=backtrace"
             fi
             WOLFSSL_CONFIG_CFLAGS+=" -DWOLFSSL_LOGGINGENABLED_DEFAULT=1"
         fi
+        if [ "$WOLFSSL_DEBUG_ASN_TEMPLATE" = "1" ] && ( [ "$WOLFSSL_ISFIPS" != "1" ] || [ -z "$WOLFSSL_FIPS_BUNDLE" ] ); then
+            WOLFSSL_CONFIG_CFLAGS+=" -DWOLFSSL_DEBUG_ASN_TEMPLATE"
+        elif [ "$WOLFSSL_DEBUG_ASN_TEMPLATE" = "1" ] && ( [ "$WOLFSSL_ISFIPS" = "1" ] || [ -n "$WOLFSSL_FIPS_BUNDLE" ] ); then
+            WOLFSSL_FIPS_CONFIG_CFLAGS+=" -DWOLFSSL_DEBUG_ASN_TEMPLATE"
+        fi
         if [ -n "$WOLFSSL_FIPS_BUNDLE" ]; then
             if [ ! -n "$WOLFSSL_FIPS_VERSION" ]; then
                 printf "ERROR, must specify version if using FIPS bundle (v5, v6, ready)"

src/wp_dh_kmgmt.c

@@ -2655,6 +2655,8 @@ static int wp_dh_encode(wp_DhEncDecCtx* ctx, OSSL_CORE_BIO *cBio,
         OPENSSL_free(pemData);
     }
     OPENSSL_free(cipherInfo);
+
+    BIO_free(out);
 #else
     (void)ctx;
     (void)cBio;
@@ -2665,7 +2667,6 @@ static int wp_dh_encode(wp_DhEncDecCtx* ctx, OSSL_CORE_BIO *cBio,
     (void)pwCbArg;
 #endif
 
-    BIO_free(out);
     WOLFPROV_LEAVE(WP_LOG_KE, __FILE__ ":" WOLFPROV_STRINGIZE(__LINE__), ok);
     return ok;
 }

src/wp_internal.c

@@ -573,6 +573,7 @@ int wp_cipher_from_params(const OSSL_PARAM params[], int* cipher,
 }
 
 #ifndef WOLFSSL_ENCRYPTED_KEYS
+#ifdef WP_HAVE_MD5
 /*
  * wolfProvider version of EncryptedInfo.
  */
@@ -695,6 +696,7 @@ static int wp_BufferKeyEncrypt(wp_EncryptedInfo* info, byte* der, word32 derSz,
 
     return ret;
 }
+#endif /* WP_HAVE_MD5 */
 #endif /* WOLFSSL_ENCRYPTED_KEYS */
 
 /**

src/wp_rsa_kmgmt.c

@@ -2167,7 +2167,7 @@ static int wp_rsa_decode_pki(wp_Rsa* rsa, unsigned char* data, word32 len)
     if (rc != 0) {
         ok = 0;
     }
-#if LIBWOLFSSL_VERSION_HEX < 0x05000000
+#if LIBWOLFSSL_VERSION_HEX < 0x05000000 || defined(HAVE_FIPS)
     if (!ok) {
         idx = 0;
         rc = wc_GetPkcs8TraditionalOffset(data, &idx, len);