RSA: no more dual semantics of pss_oaep (removed from ltc_rsa_parameters; now lives on rsa_key where it belongs)

Author: karel-m

src/headers/tomcrypt_pk.h

@@ -64,11 +64,7 @@ int rand_prime(void *N, long len, prng_state *prng, int wprng);
 #ifdef LTC_MRSA
 
 typedef struct ltc_rsa_parameters {
-   /** PSS/OAEP or PKCS #1 v1.5 style
-    *  0 -> PKCS #1 v1.5, 1 -> PSS/OAEP */
-   int pss_oaep;
-   /** saltLength is only defined for PSS
-    * If saltLength == 0 -> OAEP, else -> PSS */
+   /** saltLength for PSS */
    unsigned long saltlen;
    /** lparam hash for OAEP
     *     resp.
@@ -97,7 +93,9 @@ typedef struct Rsa_key {
     void *dP;
     /** The d mod (q - 1) CRT param */
     void *dQ;
-    /** Further parameters of the RSA key */
+    /** Key is constrained to PSS/OAEP operations */
+    int pss_oaep;
+    /** PSS/OAEP parameters of the RSA key */
     ltc_rsa_parameters params;
 } rsa_key;
 
@@ -113,8 +111,6 @@ int rsa_exptmod(const unsigned char *in,   unsigned long inlen,
 void rsa_free(rsa_key *key);
 
 typedef struct ltc_rsa_op_parameters {
-   /* The RSA API will set the `pss_oaep` field for you,
-    * depending on the value of `padding`. */
    ltc_rsa_parameters params;
    /* The padding type */
    int padding;

src/pk/rsa/rsa_import_x509.c

@@ -123,8 +123,6 @@ static int s_rsa_decode_parameters(const rsa_pss_parameters_data *d, ltc_rsa_par
       }
    }
 
-   rsa_params->pss_oaep = 1;
-
    return CRYPT_OK;
 }
 
@@ -169,7 +167,11 @@ static LTC_INLINE int s_rsa_pss_import_spki(const unsigned char *in, unsigned lo
                                             (public_key_decode_cb)s_rsa_decode, key)) != CRYPT_OK) {
       return err;
    }
-   return s_rsa_decode_parameters(&d, &key->params);
+   if ((err = s_rsa_decode_parameters(&d, &key->params)) != CRYPT_OK) {
+      return err;
+   }
+   key->pss_oaep = 1;
+   return CRYPT_OK;
 }
 
 static LTC_INLINE int s_rsa_import_spki(const unsigned char *in, unsigned long inlen, rsa_key *key)

src/pk/rsa/rsa_key.c

@@ -85,6 +85,7 @@ void rsa_shrink_key(rsa_key *key)
 int rsa_init(rsa_key *key)
 {
    LTC_ARGCHK(key != NULL);
+   key->pss_oaep = 0;
    XMEMSET(&key->params, 0, sizeof(key->params));
    return ltc_mp_init_multi(&key->e, &key->d, &key->N, &key->dQ, &key->dP, &key->qP, &key->p, &key->q, LTC_NULL);
 }
@@ -97,29 +98,27 @@ void rsa_free(rsa_key *key)
 {
    LTC_ARGCHKVD(key != NULL);
    ltc_mp_cleanup_multi(&key->q, &key->p, &key->qP, &key->dP, &key->dQ, &key->N, &key->d, &key->e, LTC_NULL);
+   key->pss_oaep = 0;
    XMEMSET(&key->params, 0, sizeof(key->params));
 }
 
 static LTC_INLINE int s_rsa_key_valid_rsa_params(ltc_rsa_op_checked *check)
 {
-   const ltc_rsa_parameters *key_params, *op_params;
+   const ltc_rsa_parameters *key_params;
    /* This is called from PKCS#1 de-/encoder code, so we can't check the key */
    if (check->key == NULL) {
       return CRYPT_OK;
    }
    key_params = &check->key->params;
-   op_params = &check->params->params;
-   /* The key is restricted to PSS, so check the op's params */
-   if (key_params->pss_oaep
-         && !rsa_params_equal(key_params, op_params)) {
-      return CRYPT_PK_TYPE_MISMATCH;
-   }
-   /* No PSS or OAEP, so we're fine. */
-   if (!key_params->pss_oaep
-         || !op_params->pss_oaep) {
+   /* Key has no PSS/OAEP constraints */
+   if (!check->key->pss_oaep) {
       return CRYPT_OK;
    }
-   /* Verify hash algs */
+   /* Key is constrained - operation must use matching PSS/OAEP params */
+   if (check->params->padding != LTC_PKCS_1_PSS
+         && check->params->padding != LTC_PKCS_1_OAEP) {
+      return CRYPT_PK_TYPE_MISMATCH;
+   }
    if (key_params->hash_alg == NULL
          || find_hash(key_params->hash_alg) != check->hash_alg) {
       return CRYPT_INVALID_HASH;
@@ -139,7 +138,7 @@ static LTC_INLINE int s_rsa_key_set_hash_algs(ltc_rsa_op_checked *check)
       return CRYPT_INVALID_HASH;
    }
    if (params->params.mgf1_hash_alg == NULL) {
-      if (!params->params.pss_oaep)
+      if (params->padding != LTC_PKCS_1_PSS && params->padding != LTC_PKCS_1_OAEP)
          return CRYPT_OK;
    } else if ((check->mgf1_hash_alg = find_hash(params->params.mgf1_hash_alg)) != -1) {
       return CRYPT_OK;
@@ -211,8 +210,6 @@ int rsa_key_valid_op(ltc_rsa_op op, ltc_rsa_op_checked *check)
       /* PKCS#1 ops don't need an RSA key */
       LTC_ARGCHK(check->key    != NULL);
    }
-   check->params->params.pss_oaep = check->params->padding == LTC_PKCS_1_OAEP
-         || check->params->padding == LTC_PKCS_1_PSS;
    if ((op & LTC_RSA_OP_SEND) == LTC_RSA_OP_SEND) {
       if ((err = s_rsa_check_prng(op, check->params)) != CRYPT_OK) {
          return err;
@@ -235,10 +232,6 @@ int rsa_key_valid_op(ltc_rsa_op op, ltc_rsa_op_checked *check)
 
 int rsa_params_equal(const ltc_rsa_parameters *a, const ltc_rsa_parameters *b)
 {
-   if (!a->pss_oaep)
-      return 0;
-   if (a->pss_oaep != b->pss_oaep)
-      return 0;
    if (a->saltlen != b->saltlen)
       return 0;
    if (!a->hash_alg || !b->hash_alg)

tests/rsa_test.c

@@ -506,6 +506,7 @@ static int s_rsa_pss_test(void)
    DO(rsa_encrypt_key_v2(tv, 4, buf0, &buf0len, &rsa_oparams, &key));
    DO(rsa_encrypt_key_v2(tv, 4, buf0, &buf0len, &rsa_oparams, &key));
    key.params = rsa_oparams.params;
+   key.pss_oaep = 1;
    DO(rsa_encrypt_key_v2(tv, 4, buf0, &buf0len, &rsa_oparams, &key));
    /* If the key is a PSS key, we must do a PSS operation */
    rsa_oparams.padding = LTC_PKCS_1_V1_5;