Skip to content

Commit db463bd

Browse files
DmitriyMusatkinDmitriyMusatkin
authored
Clean up error handling around unsupported rsa functions (#227)
1 parent 6cde8e7 commit db463bd

File tree

2 files changed

+43
-5
lines changed

2 files changed

+43
-5
lines changed

source/unix/openssl_rsa.c

Lines changed: 12 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -71,7 +71,7 @@ static int s_rsa_encrypt(
7171

7272
EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new(key_pair_impl->key, NULL);
7373
if (ctx == NULL) {
74-
return aws_raise_error(AWS_ERROR_CAL_CRYPTO_OPERATION_FAILED);
74+
return aws_raise_error(AWS_ERROR_CAL_UNSUPPORTED_ALGORITHM);
7575
}
7676

7777
if (aws_reinterpret_lc_evp_error_as_crt(EVP_PKEY_encrypt_init(ctx), "EVP_PKEY_encrypt_init", AWS_LS_CAL_RSA)) {
@@ -129,7 +129,7 @@ static int s_rsa_decrypt(
129129

130130
EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new(key_pair_impl->key, NULL);
131131
if (ctx == NULL) {
132-
return aws_raise_error(AWS_ERROR_CAL_CRYPTO_OPERATION_FAILED);
132+
return aws_raise_error(AWS_ERROR_CAL_UNSUPPORTED_ALGORITHM);
133133
}
134134

135135
if (aws_reinterpret_lc_evp_error_as_crt(EVP_PKEY_decrypt_init(ctx), "EVP_PKEY_decrypt_init", AWS_LS_CAL_RSA)) {
@@ -191,7 +191,14 @@ static int s_set_signature_ctx_from_algo(EVP_PKEY_CTX *ctx, enum aws_rsa_signatu
191191
}
192192
if (aws_reinterpret_lc_evp_error_as_crt(
193193
EVP_PKEY_CTX_set_signature_md(ctx, EVP_sha1()), "EVP_PKEY_CTX_set_signature_md", AWS_LS_CAL_RSA)) {
194-
return AWS_OP_ERR;
194+
/*
195+
* This can fail with invalid digest on platforms that disabled sha1 for fips (ex. openssl 3.5+).
196+
* Unfortunately, error code for invalid digest is wildly inconsistent between versions, making it
197+
* impossible to write a backwards compatible error handling. In practice however the only way this should
198+
* fail is when algo is not supported, so lets just hardcode the error. Still call the helper to get
199+
* consistent logging for error.
200+
*/
201+
return aws_raise_error(AWS_ERROR_CAL_UNSUPPORTED_ALGORITHM);
195202
}
196203
} else if (algorithm == AWS_CAL_RSA_SIGNATURE_PSS_SHA256) {
197204
if (aws_reinterpret_lc_evp_error_as_crt(
@@ -232,7 +239,7 @@ static int s_rsa_sign(
232239

233240
EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new(key_pair_impl->key, NULL);
234241
if (ctx == NULL) {
235-
return aws_raise_error(AWS_ERROR_CAL_CRYPTO_OPERATION_FAILED);
242+
return aws_raise_error(AWS_ERROR_CAL_UNSUPPORTED_ALGORITHM);
236243
}
237244

238245
if (aws_reinterpret_lc_evp_error_as_crt(EVP_PKEY_sign_init(ctx), "EVP_PKEY_sign_init", AWS_LS_CAL_RSA)) {
@@ -290,7 +297,7 @@ static int s_rsa_verify(
290297

291298
EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new(key_pair_impl->key, NULL);
292299
if (ctx == NULL) {
293-
return aws_raise_error(AWS_ERROR_CAL_CRYPTO_OPERATION_FAILED);
300+
return aws_raise_error(AWS_ERROR_CAL_UNSUPPORTED_ALGORITHM);
294301
}
295302

296303
if (aws_reinterpret_lc_evp_error_as_crt(EVP_PKEY_verify_init(ctx), "EVP_PKEY_verify_init", AWS_LS_CAL_RSA)) {

tests/rsa_test.c

Lines changed: 31 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -12,6 +12,25 @@
1212

1313
#include "test_case_helper.h"
1414

15+
#if defined(AWS_OS_LINUX)
16+
# include <aws/cal/private/opensslcrypto_common.h>
17+
#endif
18+
19+
/*
20+
* Helper to figure out whether rsa signing with sha1 is supported with currently crypto lib.
21+
*/
22+
static bool s_crypto_supports_sha1_signing(void) {
23+
bool is_supported = true;
24+
#if defined(AWS_OS_LINUX)
25+
# if defined(OPENSSL_IS_OPENSSL)
26+
# if OPENSSL_VERSION_NUMBER >= 0x30500000L
27+
is_supported = false;
28+
# endif
29+
# endif
30+
#endif
31+
return is_supported;
32+
}
33+
1534
/*
1635
* TODO: Need better test vectors. NIST ones are a pain to use.
1736
* For now using manually generated vectors and relying on round tripping.
@@ -335,6 +354,10 @@ AWS_TEST_CASE(rsa_verify_signing_pkcs1_sha256, s_rsa_verify_signing_pkcs1_sha256
335354

336355
static int s_rsa_verify_signing_pkcs1_sha1(struct aws_allocator *allocator, void *ctx) {
337356
(void)ctx;
357+
if (!s_crypto_supports_sha1_signing()) {
358+
return AWS_OP_SKIP;
359+
}
360+
338361
struct aws_byte_cursor message = aws_byte_cursor_from_c_str(TEST_ENCRYPTION_STRING);
339362

340363
aws_cal_library_init(allocator);
@@ -626,6 +649,10 @@ AWS_TEST_CASE(rsa_signing_roundtrip_pkcs1_sha256_from_user, s_rsa_signing_roundt
626649
static int s_rsa_signing_roundtrip_pkcs1_sha1_from_user(struct aws_allocator *allocator, void *ctx) {
627650
(void)ctx;
628651

652+
if (!s_crypto_supports_sha1_signing()) {
653+
return AWS_OP_SKIP;
654+
}
655+
629656
aws_cal_library_init(allocator);
630657

631658
ASSERT_SUCCESS(s_rsa_signing_roundtrip_from_user(
@@ -893,6 +920,10 @@ AWS_TEST_CASE(rsa_signing_mismatch_pkcs1_sha256, s_rsa_signing_mismatch_pkcs1_sh
893920

894921
static int s_rsa_signing_mismatch_pkcs1_sha1(struct aws_allocator *allocator, void *ctx) {
895922
(void)ctx;
923+
if (!s_crypto_supports_sha1_signing()) {
924+
return AWS_OP_SKIP;
925+
}
926+
896927
struct aws_byte_cursor message = aws_byte_cursor_from_c_str(TEST_ENCRYPTION_STRING);
897928

898929
aws_cal_library_init(allocator);

0 commit comments

Comments
 (0)