|
51 | 51 | #endif |
52 | 52 | #endif |
53 | 53 |
|
| 54 | +/* Minimum hash strength accepted by the wc_SignatureVerify/Generate |
| 55 | + * convenience APIs. Default is SHA-256 to keep MD5 and SHA-1 (both with |
| 56 | + * known collision attacks) out of new code. Define WC_SIG_MIN_HASH_TYPE |
| 57 | + * to a weaker wc_HashType (e.g. WC_HASH_TYPE_SHA) to opt back into legacy |
| 58 | + * behavior. The lower-level wc_SignatureVerifyHash/wc_SignatureGenerateHash |
| 59 | + * APIs are unaffected. */ |
| 60 | +#ifndef WC_SIG_MIN_HASH_TYPE |
| 61 | + #define WC_SIG_MIN_HASH_TYPE WC_HASH_TYPE_SHA256 |
| 62 | +#endif |
| 63 | + |
| 64 | +static int wc_SignatureCheckHashStrength(enum wc_HashType hash_type) |
| 65 | +{ |
| 66 | + int min_sz, this_sz; |
| 67 | + |
| 68 | + min_sz = wc_HashGetDigestSize(WC_SIG_MIN_HASH_TYPE); |
| 69 | + if (min_sz < 0) { |
| 70 | + /* configured floor not compiled in - skip enforcement */ |
| 71 | + return 0; |
| 72 | + } |
| 73 | + this_sz = wc_HashGetDigestSize(hash_type); |
| 74 | + if (this_sz < 0) { |
| 75 | + return this_sz; |
| 76 | + } |
| 77 | + if (this_sz < min_sz) { |
| 78 | + WOLFSSL_MSG("wc_Signature*: hash weaker than WC_SIG_MIN_HASH_TYPE"); |
| 79 | + return BAD_FUNC_ARG; |
| 80 | + } |
| 81 | + return 0; |
| 82 | +} |
| 83 | + |
54 | 84 |
|
55 | 85 | #if !defined(NO_RSA) && defined(WOLFSSL_CRYPTOCELL) |
56 | 86 | extern int cc310_RsaSSL_Verify(const byte* in, word32 inLen, byte* sig, |
@@ -356,6 +386,12 @@ int wc_SignatureVerify( |
356 | 386 | } |
357 | 387 | hash_enc_len = hash_len = (word32)ret; |
358 | 388 |
|
| 389 | + /* Reject hashes weaker than WC_SIG_MIN_HASH_TYPE (default SHA-256) */ |
| 390 | + ret = wc_SignatureCheckHashStrength(hash_type); |
| 391 | + if (ret != 0) { |
| 392 | + return ret; |
| 393 | + } |
| 394 | + |
359 | 395 | #ifndef NO_RSA |
360 | 396 | if (sig_type == WC_SIGNATURE_TYPE_RSA_W_ENC) { |
361 | 397 | /* For RSA with ASN.1 encoding include room */ |
@@ -555,6 +591,12 @@ int wc_SignatureGenerate_ex( |
555 | 591 | } |
556 | 592 | hash_enc_len = hash_len = (word32)ret; |
557 | 593 |
|
| 594 | + /* Reject hashes weaker than WC_SIG_MIN_HASH_TYPE (default SHA-256) */ |
| 595 | + ret = wc_SignatureCheckHashStrength(hash_type); |
| 596 | + if (ret != 0) { |
| 597 | + return ret; |
| 598 | + } |
| 599 | + |
558 | 600 | #if !defined(NO_RSA) && !defined(WOLFSSL_RSA_PUBLIC_ONLY) |
559 | 601 | if (sig_type == WC_SIGNATURE_TYPE_RSA_W_ENC) { |
560 | 602 | /* For RSA with ASN.1 encoding include room */ |
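Review bot: wc_SignatureCheckHashStrength ranks hashes by digest length, which is not a strength ordering: WC_HASH_TYPE_MD5_SHA should report 36 bytes (assuming wc_HashGetDigestSize sums MD5 and SHA-1 for it), so it passes the default 32-byte SHA-256 floor although its collision resistance is roughly that of SHA-1. Judging that type as SHA-1 after the `this_sz < 0` check would close the gap, e.g. `if (hash_type == WC_HASH_TYPE_MD5_SHA) this_sz = wc_HashGetDigestSize(WC_HASH_TYPE_SHA);`. The `min_sz < 0` branch also fails open: a build without the configured floor hash, or with a mistyped WC_SIG_MIN_HASH_TYPE, returns 0 and silently accepts MD5 and SHA-1 at both call sites. At minimum log it there with `WOLFSSL_MSG("WC_SIG_MIN_HASH_TYPE unavailable, hash floor not enforced");` (or reject the configuration at compile time), and add the same caveat to the block comment above the macro. The helper is fully visible here, but the bodies of wc_SignatureVerify and wc_SignatureGenerate_ex continue outside their hunks.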
|