From 30e8f5539b6d98dd9544bbd3b94dfa1614571d65 Mon Sep 17 00:00:00 2001 From: Chris Conlon Date: Thu, 16 Nov 2017 10:37:47 -0700 Subject: [PATCH] PKCS7 cleanup: remove dependencies on 3DES and SHA1 --- configure.ac | 2 -- wolfcrypt/src/pkcs7.c | 6 +++--- wolfcrypt/test/test.c | 29 ++++++++++++++++++++++++++--- 3 files changed, 29 insertions(+), 8 deletions(-) diff --git a/configure.ac b/configure.ac index 5ba9dfe23..8e152784c 100644 --- a/configure.ac +++ b/configure.ac @@ -3777,8 +3777,6 @@ then ENABLED_X963KDF="yes" AM_CFLAGS="$AM_CFLAGS -DHAVE_X963_KDF" fi - AS_IF([test "x$ENABLED_DES3" = "xno"], - [ENABLED_DES3=yes]) fi if test "x$ENABLED_DES3" = "xno" diff --git a/wolfcrypt/src/pkcs7.c b/wolfcrypt/src/pkcs7.c index a81ef77d1..1c4f0c33c 100644 --- a/wolfcrypt/src/pkcs7.c +++ b/wolfcrypt/src/pkcs7.c @@ -382,7 +382,7 @@ typedef struct ESD { enum wc_HashType hashType; byte contentDigest[WC_MAX_DIGEST_SIZE + 2]; /* content only + ASN.1 heading */ byte contentAttribsDigest[WC_MAX_DIGEST_SIZE]; - byte encContentDigest[512]; + byte encContentDigest[MAX_ENCRYPTED_KEY_SZ]; byte outerSeq[MAX_SEQ_SZ]; byte outerContent[MAX_EXP_SZ]; @@ -3217,7 +3217,7 @@ static int wc_PKCS7_DecodeKtri(PKCS7* pkcs7, byte* pkiMsg, word32 pkiMsgSz, int keySz; word32 encOID; word32 keyIdx; - byte issuerHash[WC_SHA_DIGEST_SIZE]; + byte issuerHash[KEYID_SIZE]; byte* outKey = NULL; #ifdef WC_RSA_BLINDING @@ -3245,7 +3245,7 @@ static int wc_PKCS7_DecodeKtri(PKCS7* pkcs7, byte* pkiMsg, word32 pkiMsgSz, return ASN_PARSE_E; /* if we found correct recipient, issuer hashes will match */ - if (XMEMCMP(issuerHash, pkcs7->issuerHash, WC_SHA_DIGEST_SIZE) == 0) { + if (XMEMCMP(issuerHash, pkcs7->issuerHash, KEYID_SIZE) == 0) { *recipFound = 1; } diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index fa6bf0132..7d37dcd73 100644 --- a/wolfcrypt/test/test.c +++ b/wolfcrypt/test/test.c 
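Review bot: In the `ESD` struct hunk of wolfcrypt/src/pkcs7.c, `encContentDigest` is now sized by `MAX_ENCRYPTED_KEY_SZ`, a constant named for encrypted keys, and nothing at the declaration says why that bound fits this field. Judging by its name the field holds the encrypted (signed) digest, so I would add a comment such as `/* encrypted content digest; must hold the largest supported signature */`. If the macro can be overridden at build time, please also confirm that the code writing this buffer passes the `sizeof` of the field as its limit. That writer is outside the hunk, so this is a request to verify, not a confirmed overflow.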
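Review bot: In `wc_PKCS7_DecodeKtri`, the local `issuerHash` and the `XMEMCMP` length both become `KEYID_SIZE`, but the other operand, `pkcs7->issuerHash`, is declared outside this patch (the diffstat lists only configure.ac, pkcs7.c and test.c). If that field were still sized by `WC_SHA_DIGEST_SIZE` and `KEYID_SIZE` were larger in a build without SHA-1, the comparison would read past the end of the field. Please confirm the struct member is declared with `KEYID_SIZE` as well, and consider a compile-time check that the two arrays have the same size. This applies to both the declaration hunk and the comparison hunk; the function body continues outside them.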
@@ -14088,8 +14088,10 @@ static int pkcs7enveloped_run_vectors(byte* rsaCert, word32 rsaCertSz, { /* key transport key encryption technique */ #ifndef NO_RSA + #ifndef NO_DES3 {data, (word32)sizeof(data), DATA, DES3b, 0, 0, rsaCert, rsaCertSz, rsaPrivKey, rsaPrivKeySz, NULL, 0, "pkcs7envelopedDataDES3.der"}, + #endif #ifndef NO_AES {data, (word32)sizeof(data), DATA, AES128CBCb, 0, 0, rsaCert, rsaCertSz, @@ -14545,7 +14547,11 @@ static int pkcs7signed_run_vectors(byte* rsaCert, word32 rsaCertSz, static byte senderNonceOid[] = { 0x06, 0x0a, 0x60, 0x86, 0x48, 0x01, 0x86, 0xF8, 0x45, 0x01, 0x09, 0x05 }; +#ifndef NO_SHA static byte transId[(WC_SHA_DIGEST_SIZE + 1) * 2 + 1]; +#else + static byte transId[(WC_SHA256_DIGEST_SIZE + 1) * 2 + 1]; +#endif static byte messageType[] = { 0x13, 2, '1', '9' }; static byte senderNonce[PKCS7_NONCE_SZ + 2]; @@ -14689,15 +14695,21 @@ static int pkcs7signed_run_vectors(byte* rsaCert, word32 rsaCertSz, } } - /* generate trans ID */ + /* generate transactionID (used with SCEP) */ { + #ifndef NO_SHA wc_Sha sha; byte digest[WC_SHA_DIGEST_SIZE]; + #else + wc_Sha256 sha; + byte digest[WC_SHA256_DIGEST_SIZE]; + #endif int j,k; transId[0] = 0x13; - transId[1] = WC_SHA_DIGEST_SIZE * 2; + transId[1] = sizeof(digest) * 2; + #ifndef NO_SHA ret = wc_InitSha_ex(&sha, HEAP_HINT, devId); if (ret != 0) { XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); 
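Review bot: The `transId` size expression `(N + 1) * 2 + 1` in `pkcs7signed_run_vectors` now appears twice under `#ifndef NO_SHA`, with no comment saying what it reserves. The same SHA-1/SHA-256 selection is repeated for the local `sha`/`digest` declarations and for the hashing calls in the following hunks, so the buffer size and the digest size can drift apart unnoticed. A comment at the declaration would tie them together, for example `/* tag byte (0x13) + length byte + 2 hex chars per digest byte + NUL written by XSNPRINTF */`. The function starts and ends outside these hunks.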
@@ -14707,8 +14719,19 @@ static int pkcs7signed_run_vectors(byte* rsaCert, word32 rsaCertSz, wc_ShaUpdate(&sha, pkcs7.publicKey, pkcs7.publicKeySz); wc_ShaFinal(&sha, digest); wc_ShaFree(&sha); + #else + ret = wc_InitSha256_ex(&sha, HEAP_HINT, devId); + if (ret != 0) { + XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + wc_PKCS7_Free(&pkcs7); + return -7704; + } + wc_Sha256Update(&sha, pkcs7.publicKey, pkcs7.publicKeySz); + wc_Sha256Final(&sha, digest); + wc_Sha256Free(&sha); + #endif - for (j = 0, k = 2; j < WC_SHA_DIGEST_SIZE; j++, k += 2) { + for (j = 0, k = 2; j < (int)sizeof(digest); j++, k += 2) { XSNPRINTF((char*)&transId[k], 3, "%02x", digest[j]); } }
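Review bot: The added `wc_Sha256Update` and `wc_Sha256Final` calls discard their return values, so a failed hash would leave `digest` uninitialized and the loop below would still hex-encode it into `transId`. Only `wc_InitSha256_ex` is checked. I would write `ret = wc_Sha256Update(&sha, pkcs7.publicKey, pkcs7.publicKeySz);` followed by `if (ret == 0) ret = wc_Sha256Final(&sha, digest);`, then take the same cleanup-and-return path on a non-zero `ret` after `wc_Sha256Free`. The SHA-1 branch shown as context has the same pattern, and the block opens in the previous hunk.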