Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

PKCS#11 RSA Padding Offload #7750

Merged
merged 1 commit into from
Jul 24, 2024
Merged

PKCS#11 RSA Padding Offload #7750

merged 1 commit into from
Jul 24, 2024

Conversation

space88man
Copy link
Contributor

@space88man space88man commented Jul 14, 2024
edited

Description

This PR# allows tokens to perform CKM_RSA_PKCS (sign/encrypt), CKM_RSA_PKCS_PSS (sign), CKM_RSA_PKCS_OAEP (encrypt). These mechanims are the post-hash versions: i.e. wolfCrypt has already created the message digest.

It is for use cases where tokens do not expose CKM_RSA_X_509, eg., LUNA in FIPS-mode

The changes to callback and pkcs#11 can be gated by -DWOLF_CRYPTO_CB_NOPAD -DNO_PKCS11_RSA_PAD.

Breaks ABI? Might do so as it changes the size of some structs.

Testing

There is a test set here: https://github.com/user-attachments/files/16215326/testing-v2.zip
It includes:

  • pure software RSA test (regression checking)
  • token RSA test (raw / PKCS / PKCS-PSS / PKCS-OAEP)

Without PR - token should only see CKM_RSA_X_509.
With PR - token should see CKM_RSA_PKCS / CKM_RSA_PKCS_PSS / CKM_RSA_PKCS_OAEP

Checklist

  • added tests
  • updated/added doxygen
  • updated appropriate READMEs
  • Updated manual and documentation

Updates

  • the other two crypto callbacks are wc_AriaCryptoCb and wc_CAAM_router:

    • Aria doesn't seem to do RSA — so is probably unaffected
    • CAAM does RSA — not clear whether it has padding capability

  • make check now passes

  • make check also passes when PKCS-offload is disabled (CFLAGS=-DWOLF_CRYPTO_CB_NOPAD …)

  • scan-build is leaving one warning

      wolfcrypt/src/rsa.c:3179:95: warning: The left operand of '!=' is a garbage value   [core.UndefinedBinaryOperatorResult]
   3179 |         if ((type == RSA_PUBLIC_ENCRYPT || type == RSA_PRIVATE_ENCRYPT) &&  (padding->pad_type != WC_RSA_NO_PAD)) {
        |                                                                             ~~~~~~~~~~~~~~~~~ ^
  1 warning generated.

  • code formatting (line length <= 80 chars)

@wolfSSL-Bot
Copy link

Can one of the admins verify this patch?

@space88man space88man force-pushed the wip-padding-refactor branch 3 times, most recently from 2aa7ee2 to 4587da7 Compare July 15, 2024 06:04
@dgarske
Copy link
Contributor

dgarske commented Jul 15, 2024

Okay to test. Contributor agreement on file.

@dgarske
Copy link
Contributor

dgarske commented Jul 15, 2024

Seeing errors like:

wolfcrypt/test/testwolfcrypt
...
RSA      test failed!
 error L=19776 code=-1792 (unknown error number)
 [fiducial line numbers: 8773 27740 43402 55860]
FAIL testsuite/testsuite.test (exit status: 255)

@space88man space88man force-pushed the wip-padding-refactor branch 2 times, most recently from f5cf473 to f193f66 Compare July 15, 2024 20:35
@space88man
Copy link
Contributor Author

space88man commented Jul 15, 2024
edited

...
RSA test failed!
error L=19776 code=-1792 (unknown error number)

@dgarske Forced push - this is passing now but I am getting an infinite loop in unit.test — I can reproduce this on master so may not be related to this PR# including unit.test.

@dgarske
Copy link
Contributor

dgarske commented Jul 15, 2024

Thanks @space88man , this is great work. I can see some issues with the asynchronous RSA cases (stack variable used). I like the new RsaPadding struct and the new function RsaFunctionPad API, but it's a pretty big change.
I will likely push a few changes to your fork before it could be accepted.

@space88man space88man force-pushed the wip-padding-refactor branch 4 times, most recently from 23ba8ac to 7f709ef Compare July 18, 2024 00:43
dgarske
dgarske requested changes Jul 18, 2024
View reviewed changes
wolfcrypt/src/rsa.c Outdated Show resolved Hide resolved
wolfcrypt/src/rsa.c Outdated Show resolved Hide resolved
wolfcrypt/src/rsa.c Outdated Show resolved Hide resolved
@space88man space88man requested a review from dgarske July 18, 2024 17:32
dgarske
dgarske requested changes Jul 18, 2024
View reviewed changes
Copy link
Contributor

@dgarske dgarske left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maximum 80 characters per line:

overlong lines added:
/tests/api.c:76660         if (info->pk.type == WC_PK_TYPE_RSA || info->pk.type == WC_PK_TYPE_RSA_PSS) {
/tests/api.c:76692                                 info->pk.rsa.type, &key, info->pk.rsa.rng, info->pk.rsa.padding);
/wolfcrypt/src/cryptocb.c:422                     word32* outLen, int type, RsaKey* key, WC_RNG* rng, RsaPadding *padding)
/wolfcrypt/src/rsa.c:3135         ret = wc_CryptoCb_RsaPadding(in, inLen, out, outLen, type, key, rng, padding);
/wolfcrypt/src/rsa.c:3143             ret = wc_RsaPad_ex(in, inLen, out, in2Len, padding->pad_value, rng, padding->pad_type,
/wolfcrypt/src/rsa.c:3144                                padding->hash, padding->mgf, padding->label, padding->labelSz, padding->saltLen,
/wolfcrypt/src/rsa.c:3153         ret = wc_CryptoCb_RsaPadding(in2, in2Len, out, outLen, type, key, rng, padding);
/wolfcrypt/src/rsa.c:3179         if ((type == RSA_PUBLIC_ENCRYPT || type == RSA_PRIVATE_ENCRYPT) && (padding->pad_type != WC_RSA_NO_PAD)) {
/wolfcrypt/src/rsa.c:3181             ret = wc_RsaPad_ex(in, inLen, out, in2Len, padding->pad_value, rng, padding->pad_type,
/wolfcrypt/src/rsa.c:3182                                padding->hash, padding->mgf, padding->label, padding->labelSz, padding->saltLen,
/wolfcrypt/src/rsa.c:3253     return wc_RsaFunction_ex(in, inLen, out, outLen, type, key, rng, 1, &padding);
/wolfcrypt/src/rsa.c:3257                       word32* outLen, int type, RsaKey* key, WC_RNG* rng, RsaPadding *padding)
/wolfcrypt/src/rsa.c:3260     return wc_RsaFunction_ex(in, inLen, out, outLen, type, key, rng, 1, padding);
/wolfcrypt/src/rsa.c:3393             ret = wc_RsaPad_ex(in, inLen, out, (word32)sz, pad_value, rng, pad_type,
/wolfcrypt/src/rsa.c:3416         ret = wc_RsaFunctionPad(in, (word32)inLen, out, &key->dataLen, rsa_type, key,
/wolfcrypt/src/wc_pkcs11.c:2163     rv = session->func->C_GetMechanismInfo(session->slotId, mechanism, &mechInfo);
/wolfssl/wolfcrypt/cryptocb.h:484 WOLFSSL_LOCAL int wc_CryptoCb_RsaPadding(const byte* in, word32 inLen, byte* out,
/wolfssl/wolfcrypt/rsa.h:310                                    word32* outLen, int type, RsaKey* key, WC_RNG* rng, RsaPadding* padding);```

@space88man
Copy link
Contributor Author

Maximum 80 characters per line:

overlong lines added:
/tests/api.c:76660         if (info->pk.type == WC_PK_TYPE_RSA || info->pk.type == WC_PK_TYPE_RSA_PSS) {

Incoming push - there are some existing lines len > 80 chars but I won't touch those to minimize the diff.

@space88man space88man requested a review from dgarske July 19, 2024 00:22
@dgarske dgarske requested a review from SparkiDev July 19, 2024 01:02
dgarske
dgarske requested changes Jul 19, 2024
View reviewed changes
Copy link
Contributor

@dgarske dgarske left a comment
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more. 

[check-source-text] [2 of 7] [wolfssl]
overlong lines added:
/wolfcrypt/src/rsa.c:3188                                padding->label, padding->labelSz, padding->saltLen,
/wolfssl/wolfcrypt/cryptocb.h:484 WOLFSSL_LOCAL int wc_CryptoCb_RsaPadding(const byte* in, word32 inLen, byte* out,
/wolfssl/wolfcrypt/rsa.h:310                                    word32* outLen, int type, RsaKey* key, WC_RNG* rng, RsaPadding* padding);

[clang-tidy-defaults] [7 of 7] [wolfssl]
    configure...   real 0m11.163s  user 0m5.349s  sys 0m2.509s
    build.../tmp/workspace/PRB-multi-test-script/wolfssl/wolfcrypt/src/rsa.c:3184:43: warning: The left operand of '!=' is a garbage value [clang-analyzer-core.UndefinedBinaryOperatorResult]
(padding && padding->pad_type != WC_RSA_NO_PAD)) {
^
/tmp/workspace/PRB-multi-test-script/wolfssl/wolfcrypt/src/rsa.c:4297:12: note: Calling 'wc_RsaPSS_Sign_ex'
return wc_RsaPSS_Sign_ex(in, inLen, out, outLen, hash, mgf,
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
...
make: *** [Makefile:5159: all] Error 2
   real 0m24.244s  user 0m23.129s  sys 0m0.696s
    clang-tidy-defaults fail_analytic_build
    failed config: '--srcdir' '.' '--disable-jobserver' '--enable-option-checking=fatal' 'CPPFLAGS=-DKEEP_OUR_CERT -DKEEP_PEER_CERT -DWOLFSSL_ALT_NAMES -DNO_WOLFSSL_CIPHER_SUITE_TEST -DWOLFSSL_OLD_PRIME_CHECK -pedantic -DSP_ALLOC -DWOLFSSL_CLANG_TIDY' 'CC=/tmp/workspace/PRB-multi-test-script/testing/git-hooks/clang-tidy-builder.sh' 'CLANG=/usr/lib/llvm-14/bin/clang-14' 'CFLAGS=-Wunreachable-code-aggressive -Wthread-safety -Wloop-analysis -Wenum-compare-conditional -fcolor-diagnostics -fcomplete-member-pointers -Wheader-hygiene -Wstring-conversion -Wtautological-overlap-compare -g -fdebug-types-section -Wunreachable-code-break -Wunreachable-code-return -Wimplicit-fallthrough'
    BUILD_ENV: 'CLANG_TIDY=/usr/lib/llvm-14/bin/clang-tidy' 'CLANG=/usr/lib/llvm-14/bin/clang-14'
final tally: 6 of 7 checks succeeded, 0 skipped, 0 forced, and 1 failed, for wolfssl.
exiting with status 2

@space88man
Copy link
Contributor Author

space88man commented Jul 19, 2024
edited

[clang-tidy-defaults] [7 of 7] [wolfssl]
configure... real 0m11.163s user 0m5.349s sys 0m2.509s
build.../tmp/workspace/PRB-multi-test-script/wolfssl/wolfcrypt/src/rsa.c:3184:43: warning: The left operand of '!=' is a garbage value [clang-analyzer-core.UndefinedBinaryOperatorResult]
(padding && padding->pad_type != WC_RSA_NO_PAD)) {

@dgarske Probably some face-palm thing but it is really not clear to me what clang-static-analyzer is complaining about here. I found a similar issue in mbedtls: Mbed-TLS/mbedtls#1002 which was declared as a false positive.

The comparison: padding->pad_type != WC_RSA_NO_PAD looks innocent enough - maybe the static analyzer can't assume the argument padding was initialized by the caller?

@space88man space88man requested a review from dgarske July 19, 2024 16:17
@dgarske
Copy link
Contributor

dgarske commented Jul 19, 2024

[clang-tidy-defaults] [7 of 7] [wolfssl]
configure... real 0m11.163s user 0m5.349s sys 0m2.509s
build.../tmp/workspace/PRB-multi-test-script/wolfssl/wolfcrypt/src/rsa.c:3184:43: warning: The left operand of '!=' is a garbage value [clang-analyzer-core.UndefinedBinaryOperatorResult]
(padding && padding->pad_type != WC_RSA_NO_PAD)) {

@dgarske Probably some face-palm thing but it is really not clear to me what clang-static-analyzer is complaining about here. I found a similar issue in mbedtls: Mbed-TLS/mbedtls#1002 which was declared as a false positive.

The comparison: padding->pad_type != WC_RSA_NO_PAD looks innocent enough - maybe the static analyzer can't assume the argument padding was initialized by the caller?

I’ll see if I can locate the cause.

@dgarske
Copy link
Contributor

dgarske commented Jul 23, 2024

@space88man , great work on this PR. I think there is some really useful work here, but it is a bit more intrusive then we can accept as-is. I'd like to take bits of this and implement in a slightly different way. I plan to open a new PR and provide a link to it. Thanks, David Garske, wolfSSL

@space88man
Copy link
Contributor Author

@space88man , great work on this PR. I think there is some really useful work here, but it is a bit more intrusive then we can accept as-is.

Sure - totally understandable; I look forward to testing out the alternative PR. Before I close this - would you like me to PR only the pkcs11.h changes, that has no impact to the rest of the code base?

@dgarske
Copy link
Contributor

dgarske commented Jul 24, 2024

@space88man , great work on this PR. I think there is some really useful work here, but it is a bit more intrusive then we can accept as-is.

Sure - totally understandable; I look forward to testing out the alternative PR. Before I close this - would you like me to PR only the pkcs11.h changes, that has no impact to the rest of the code base?

Hi @space88man , yes go ahead and trim this down to just the pkcs11.h changes for now. I hope yo get to this in the next couple of days. Thanks, David Garske, wolfSSL

@space88man
Copy link
Contributor Author

@space88man , great work on this PR. I think there is some really useful work here, but it is a bit more intrusive then we can accept as-is.

Sure - totally understandable; I look forward to testing out the alternative PR. Before I close this - would you like me to PR only the pkcs11.h changes, that has no impact to the rest of the code base?

The original draft/WIP can be referenced here: https://github.com/space88man/wolfssl/tree/wip2-padding-refactor.

I've reduced this PR to the pkcs11.h header changes

@dgarske
Copy link
Contributor

dgarske commented Jul 24, 2024

Retest this please - saw a GitHub origin timeout

@dgarske
Copy link
Contributor

dgarske commented Jul 24, 2024

Retest this please - FIPS timeout

@dgarske
Copy link
Contributor

dgarske commented Jul 24, 2024

Retest this please. Windows test machine was down...

@dgarske dgarske assigned SparkiDev and unassigned dgarske Jul 24, 2024
@SparkiDev SparkiDev merged commit 324e714 into wolfSSL:master Jul 24, 2024
121 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dgarske dgarske dgarske approved these changes

@SparkiDev SparkiDev SparkiDev approved these changes

Assignees

@wolfSSL-Bot wolfSSL-Bot

@SparkiDev SparkiDev

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@space88man @wolfSSL-Bot @dgarske @SparkiDev