commit 6e3187b2122055bbd0bf43f59d01dd4d6dc89f35
author Gilles Peskine <Gilles.Peskine@arm.com> Tue Jun 22 18:39:53 2021 +0200
committer Gilles Peskine <Gilles.Peskine@arm.com> Tue Jun 22 18:39:53 2021 +0200
tree 82eac11f3680c6cc44136f3082f7594e4460fa44
parent 9dbbc297a393bb129cf2653c2e36501f91d425e2

RSA: Use hashlen as the hash input size as documented

Where hashlen was previously ignored when the hash length could be
inferred from an md_alg parameter, the two must now match.

Adapt the existing tests accordingly. Adapt the sample programs accordingly.

This commit does not add any negative testing.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>

programs/pkey/dh_client.c

diff --git a/programs/pkey/dh_client.c b/programs/pkey/dh_client.c
index d68dc24..88e817e 100644
--- a/programs/pkey/dh_client.c
+++ b/programs/pkey/dh_client.c
@@ -221,7 +221,7 @@
     }
 
     if( ( ret = mbedtls_rsa_pkcs1_verify( &rsa, MBEDTLS_MD_SHA256,
-                                          0, hash, p ) ) != 0 )
+                                          32, hash, p ) ) != 0 )
     {
         mbedtls_printf( " failed\n  ! mbedtls_rsa_pkcs1_verify returned %d\n\n", ret );
         goto exit;

programs/pkey/dh_server.c

diff --git a/programs/pkey/dh_server.c b/programs/pkey/dh_server.c
index 9d51c14..e469bbc 100644
--- a/programs/pkey/dh_server.c
+++ b/programs/pkey/dh_server.c
@@ -229,7 +229,7 @@
     buf[n + 1] = (unsigned char)( rsa.MBEDTLS_PRIVATE(len)      );
 
     if( ( ret = mbedtls_rsa_pkcs1_sign( &rsa, NULL, NULL, MBEDTLS_MD_SHA256,
-                                0, hash, buf + n + 2 ) ) != 0 )
+                                32, hash, buf + n + 2 ) ) != 0 )
     {
         mbedtls_printf( " failed\n  ! mbedtls_rsa_pkcs1_sign returned %d\n\n", ret );
         goto exit;

programs/pkey/rsa_sign.c

diff --git a/programs/pkey/rsa_sign.c b/programs/pkey/rsa_sign.c
index d9ba3bb..ebc88e4 100644
--- a/programs/pkey/rsa_sign.c
+++ b/programs/pkey/rsa_sign.c
@@ -147,7 +147,7 @@
     }
 
     if( ( ret = mbedtls_rsa_pkcs1_sign( &rsa, NULL, NULL, MBEDTLS_MD_SHA256,
-                                20, hash, buf ) ) != 0 )
+                                32, hash, buf ) ) != 0 )
     {
         mbedtls_printf( " failed\n  ! mbedtls_rsa_pkcs1_sign returned -0x%0x\n\n", (unsigned int) -ret );
         goto exit;

programs/pkey/rsa_verify.c

diff --git a/programs/pkey/rsa_verify.c b/programs/pkey/rsa_verify.c
index fff568a..5a68246 100644
--- a/programs/pkey/rsa_verify.c
+++ b/programs/pkey/rsa_verify.c
@@ -141,7 +141,7 @@
     }
 
     if( ( ret = mbedtls_rsa_pkcs1_verify( &rsa, MBEDTLS_MD_SHA256,
-                                          20, hash, buf ) ) != 0 )
+                                          32, hash, buf ) ) != 0 )
     {
         mbedtls_printf( " failed\n  ! mbedtls_rsa_pkcs1_verify returned -0x%0x\n\n", (unsigned int) -ret );
         goto exit;