Merge pull request #5010 from gilles-peskine-arm/psa-rsa-pss_any_salt
PSA: fix salt length for PSS verification
commit
4313d3ac87
8 changed files with 314 additions and 49 deletions
|
@ -453,6 +453,27 @@ exit:
|
|||
return( status );
|
||||
}
|
||||
|
||||
#if defined(BUILTIN_ALG_RSA_PSS)
|
||||
static int rsa_pss_expected_salt_len( psa_algorithm_t alg,
|
||||
const mbedtls_rsa_context *rsa,
|
||||
size_t hash_length )
|
||||
{
|
||||
if( PSA_ALG_IS_RSA_PSS_ANY_SALT( alg ) )
|
||||
return( MBEDTLS_RSA_SALT_LEN_ANY );
|
||||
/* Otherwise: standard salt length, i.e. largest possible salt length
|
||||
* up to the hash length. */
|
||||
int klen = (int) mbedtls_rsa_get_len( rsa ); // known to fit
|
||||
int hlen = (int) hash_length; // known to fit
|
||||
int room = klen - 2 - hlen;
|
||||
if( room < 0 )
|
||||
return( 0 ); // there is no valid signature in this case anyway
|
||||
else if( room > hlen )
|
||||
return( hlen );
|
||||
else
|
||||
return( room );
|
||||
}
|
||||
#endif
|
||||
|
||||
static psa_status_t rsa_verify_hash(
|
||||
const psa_key_attributes_t *attributes,
|
||||
const uint8_t *key_buffer, size_t key_buffer_size,
|
||||
|
@ -503,11 +524,14 @@ static psa_status_t rsa_verify_hash(
|
|||
ret = mbedtls_rsa_set_padding( rsa, MBEDTLS_RSA_PKCS_V21, md_alg );
|
||||
if( ret == 0 )
|
||||
{
|
||||
ret = mbedtls_rsa_rsassa_pss_verify( rsa,
|
||||
md_alg,
|
||||
(unsigned int) hash_length,
|
||||
hash,
|
||||
signature );
|
||||
int slen = rsa_pss_expected_salt_len( alg, rsa, hash_length );
|
||||
ret = mbedtls_rsa_rsassa_pss_verify_ext( rsa,
|
||||
md_alg,
|
||||
(unsigned) hash_length,
|
||||
hash,
|
||||
md_alg,
|
||||
slen,
|
||||
signature );
|
||||
}
|
||||
}
|
||||
else
|
||||
|
|
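Review bot: The new helper `rsa_pss_expected_salt_len` has no header comment, and its two `(int)` casts marked `// known to fit` rely on bounds that nothing in this hunk establishes. Its return value goes straight into `mbedtls_rsa_rsassa_pss_verify_ext` as `slen` in the second hunk, so a reader needs to know where `hash_length` was bounded to trust the salt-length check. Presumably that validation happens earlier in `rsa_verify_hash`, whose body starts and ends outside the visible lines. I would put the contract above the function, for example `/* Salt length to enforce when verifying: MBEDTLS_RSA_SALT_LEN_ANY for the any-salt variant, otherwise min(hash_length, key_bytes - hash_length - 2), or 0 if the key is too small. The caller must already have checked hash_length against the digest size of the algorithm. */`. The helper is guarded by `#if defined(BUILTIN_ALG_RSA_PSS)`, and the hunk does not show whether the call site sits under the same guard, which is worth confirming.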