Provider behavior fixes (#102)

mamckee · web-flow · commit a8e9f21392e2 · 2025-01-03T10:25:09.000-08:00
* Check that ECDSA signature is a sequence of two integers without trailing data

* Return authenticated bytes for AEAD ciphers if out is NULL
diff --git a/ScosslCommon/src/scossl_aes_aead.c b/ScosslCommon/src/scossl_aes_aead.c
@@ -176,7 +176,7 @@ SCOSSL_STATUS scossl_aes_gcm_cipher(SCOSSL_CIPHER_GCM_CTX *ctx, INT32 encrypt,
     {
         // Auth Data Passed in
         SymCryptGcmAuthPart(&ctx->state, in, inl);
-        *outl = 0;
+        *outl = inl;
         return SCOSSL_SUCCESS;
     }
 
@@ -638,7 +638,7 @@ SCOSSL_STATUS scossl_aes_ccm_cipher(SCOSSL_CIPHER_CCM_CTX *ctx, INT32 encrypt,
         if (out == NULL)
         {
             // Auth Data Passed in
-            *outl = 0;
+            *outl = cbAuthdata;
             return SCOSSL_SUCCESS;
         }
     }
diff --git a/ScosslCommon/src/scossl_ecc.c b/ScosslCommon/src/scossl_ecc.c
@@ -362,6 +362,15 @@ static SCOSSL_STATUS scossl_ecdsa_remove_der(_In_reads_bytes_(cbDerSignature) PC
         goto cleanup;
     }
 
+    if (pbS + cbS != pbSeq + cbSeq)
+    {
+        SCOSSL_LOG_ERROR(SCOSSL_ERR_F_ECDSA_REMOVE_DER, ERR_R_PASSED_INVALID_ARGUMENT,
+                         "Unexpected value in sequence");
+        SCOSSL_LOG_BYTES_DEBUG(SCOSSL_ERR_F_ECDSA_REMOVE_DER, ERR_R_PASSED_INVALID_ARGUMENT,
+                               "pbDerSignature", pbDerSignature, cbDerSignature);
+        goto cleanup;
+    }
+
     // Check R's validity
     if (((pbR[0] & 0x80) == 0x80) ||                                  // R is negative
         ((cbR > 1) && (pbR[0] == 0x00) && ((pbR[1] & 0x80) != 0x80))) // R is non-zero, and has a redundant leading 0 byte
@@ -412,6 +421,13 @@ static SCOSSL_STATUS scossl_ecdsa_remove_der(_In_reads_bytes_(cbDerSignature) PC
     return res;
 }
 
+/*
+ECDSA-Sig-Value ::= SEQUENCE {
+    r INTEGER,
+    s INTEGER
+}
+*/
+
 // Quick hack function to generate precisely the DER encodings which we want for ECDSA signatures for the NIST prime curves
 // Takes 2 same-size big-endian integers output from SymCrypt and encodes them in the minimally sized (strict) equivalent DER encoding
 // Returns SCOSSL_SUCCESS on success, or SCOSSL_FAILURE on failure.

Original file line number	Diff line number	Diff line change
`@@ -176,7 +176,7 @@ SCOSSL_STATUS scossl_aes_gcm_cipher(SCOSSL_CIPHER_GCM_CTX *ctx, INT32 encrypt,`
`176`	`176`	`{`
`177`	`177`	`// Auth Data Passed in`
`178`	`178`	`SymCryptGcmAuthPart(&ctx->state, in, inl);`
`179`		`- *outl = 0;`
	`179`	`+ *outl = inl;`
`180`	`180`	`return SCOSSL_SUCCESS;`
`181`	`181`	`}`
`182`	`182`
`@@ -638,7 +638,7 @@ SCOSSL_STATUS scossl_aes_ccm_cipher(SCOSSL_CIPHER_CCM_CTX *ctx, INT32 encrypt,`
`638`	`638`	`if (out == NULL)`
`639`	`639`	`{`
`640`	`640`	`// Auth Data Passed in`
`641`		`- *outl = 0;`
	`641`	`+ *outl = cbAuthdata;`
`642`	`642`	`return SCOSSL_SUCCESS;`
`643`	`643`	`}`
`644`	`644`	`}`