Add support for using a different MGF1 hash with RSA-OAEP #6779
Conversation
|
Thanks for the pull request. I'd rather step up LTC than cherry-pick a single commit, but doing that is a bit complicated so I'll do it if @jforissier doesn't beat me to it after the upcoming OP-TEE release. For the sake of this review, we can ignore "core: ltc: Add possibility to use different hash algorithms in RSAES-AEP" and assume it will be available upstream. It would be nice with a test in xtest to see that this continues to work. |
|
Please squash the "core: pass TEE_ATTR_RSA_OAEP_MGF_HASH to RSA-OAEP implementations" fixup commits. |
Sure, sounds good to me.
I can take a look. Any preferences where this should go? |
It should be in the 4xxx range of tests, either as a new case or by extending an already present case. The latter might be the easiest. |
|
I've started updating LTC with #6786. Once that's merged I'll create another PR to update LTC to the latest. |
There was a problem hiding this comment.
For commit "core: ltc: Add possibility to use different hash algorithms in RSAES-OAEP":
I think the reference to the libtomcrypt commit should be a Link: tag than a raw commit SHA1 that is rather expected to be a ref in the current Git revision, e.g.:
Link: https://github.com/libtom/libtomcrypt/commit/63091c9e5c776ec1c5a7a5d2973395a24e82b3ba`
Signed-off-by: Steffen Jaeckel <s@jaeckel.eu>
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
Otherwise,
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com> for this commit.
Minor comments for commit "core: pass TEE_ATTR_RSA_OAEP_MGF_HASH to RSA-OAEP implementations".
core/lib/libtomcrypt/rsa.c
Outdated
| if (algo != TEE_ALG_RSAES_PKCS1_V1_5) { | ||
| res = tee_algo_to_ltc_hashindex(mgf_algo, <c_mgfindex); | ||
| if (res != TEE_SUCCESS) { | ||
| EMSG("tee_algo_to_ltc_hashindex() returned %d for mgf algo %x", (int)res, mgf_algo); |
There was a problem hiding this comment.
s/algo %x",/algo %#"PRIx32, /
lib/libmbedtls/core/rsa.c
Outdated
| if (md_algo == MBEDTLS_MD_NONE) { | ||
| /* Using a different MGF1 algorithm is not supported. */ | ||
| if (md_algo == MBEDTLS_MD_NONE || | ||
| md_algo != tee_algo_to_mbedtls_hash_algo(mgf_algo)) { |
There was a problem hiding this comment.
Maybe a debug message here could help:
if (md_algo == MBEDTLS_MD_NONE) {
res = TEE_ERROR_NOT_SUPPORTED;
goto out;
}
+ if (md_algo != tee_algo_to_mbedtls_hash_algo(mgf_algo)) {
+ DMSG("Using a different MGF1 algorithm is not supported");
+ res = TEE_ERROR_NOT_SUPPORTED;
+ goto out;
+ } There was a problem hiding this comment.
Yes, that makes sense. Done.
…OAEP The hash algorithms used in the MGF and to create the hash of the Label must not forcibly be the same. This change allows to use different algorithms. Unfortunately this breaks the API if you use one of: * `rsa_decrypt_key_ex()` * `rsa_encrypt_key_ex()` * `pkcs_1_oaep_decode()` * `pkcs_1_oaep_encode()` The `rsa_decrypt_key()` and `rsa_encrypt_key()` macros are still the same. Link: libtom/libtomcrypt@63091c9 Signed-off-by: Steffen Jaeckel <s@jaeckel.eu> Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
OP-TEE currently doesn't support using a different hash for MGF1 with RSA-OAEP. However, this is required for AOSP compatibility (e.g. in EncryptionOperationsTest.RsaOaepWithMGFDigestSuccess [1]). Pass the MGF1 attribute to crypto implementations. Note that only libtomcrypt supports this feature at the moment, so other implementations will either fail or fall back to libtomcrypt when passed a different MGF1 hash. Link: https://android.googlesource.com/platform/hardware/interfaces/+/refs/heads/main/security/keymint/aidl/vts/functional/KeyMintTest.cpp#5552 [1] Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
samitolvanen
force-pushed
the
optee-mgf1
branch
from
56edae5
to
e23655e
Compare
I updated the commit message for now, but I believe Jens plans to update LTC separately, and at that point I can just drop this commit from the PR. |
|
This pull request has been marked as a stale pull request because it has been open (more than) 30 days with no activity. Remove the stale label or add a comment, otherwise this pull request will automatically be closed in 5 days. Note, that you can always re-open a closed issue at any time. |
OP-TEE currently doesn't support using a different hash algorithm for MGF1 with RSA-OAEP. However, this is required for AOSP compatibility (e.g. in the EncryptionOperationsTest.RsaOaepWithMGFDigestSuccess KeyMint VTS test).
This PR cherry-picks the upstream libtomcrypt commit 63091c9e5c77 ("Add possibility to use different hash algorithms in RSAES-OAEP") and passes the MGF1 hash from the
TEE_ATTR_RSA_OAEP_MGF_HASHattribute to crypto implementations.