commit 9dbbc297a393bb129cf2653c2e36501f91d425e2
author Gilles Peskine <Gilles.Peskine@arm.com> Tue Jun 22 18:28:13 2021 +0200
committer Gilles Peskine <Gilles.Peskine@arm.com> Tue Jun 22 18:39:41 2021 +0200
tree 5ea1a8ddfe4f745b5206e3caa58712da03229670
parent e7885e54416a42690f153e0cf476ed83a477aa86

PK signature function: require exact hash length

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>

docs/3.0-migration-guide.d/require-matching-hashlen-rsa.md

diff --git a/docs/3.0-migration-guide.d/require-matching-hashlen-rsa.md b/docs/3.0-migration-guide.d/require-matching-hashlen-rsa.md
index 75fadd8..d59a8d3 100644
--- a/docs/3.0-migration-guide.d/require-matching-hashlen-rsa.md
+++ b/docs/3.0-migration-guide.d/require-matching-hashlen-rsa.md
@@ -1,13 +1,24 @@
-RSA signature functions now require `hashlen` to match the expected value
--------------------------------------------------------------------------
+Signature functions now require the hash length to match the expected value
+---------------------------------------------------------------------------
 
-This only affects users of the low-level RSA API; users of the high-level PK
-API or of the PSA Crypto API are not affected.
+This affects users of the PK API as well as users of the low-level API in the RSA module. Users of the PSA API or of the ECDSA module are unaffected.
 
 All the functions in the RSA module that accept a `hashlen` parameter used to
 ignore it unless the `md_alg` parameter was `MBEDTLS_MD_NONE`, indicating raw
-data was signed. They now require this parameter's value to be equal to the
-output size of the hash algorithm used when signing a hash. (The requirements
-when signing raw data are unchanged.)
+data was signed. The `hashlen` parameter is now always the size that is read
+from the `hash` input buffer. This length must be equal to the output size of
+the hash algorithm used when signing a hash. (The requirements when signing
+raw data are unchanged.) This affects the following functions:
+
+* `mbedtls_rsa_pkcs1_sign`, `mbedtls_rsa_pkcs1_verify`
+* `mbedtls_rsa_rsassa_pkcs1_v15_sign`, `mbedtls_rsa_rsassa_pkcs1_v15_verify`
+* `mbedtls_rsa_rsassa_pss_sign`, `mbedtls_rsa_rsassa_pss_verify`
+* `mbedtls_rsa_rsassa_pss_sign_ext`, `mbedtls_rsa_rsassa_pss_verify_ext`
+
+The signature functions in the PK module no longer accept 0 as the `hash_len` parameter. The `hash_len` parameter is now always the size that is read from the `hash` input buffer. This affects the following functions:
+
+* `mbedtls_pk_sign`, `mbedtls_pk_verify`
+* `mbedtls_pk_sign_restartable`, `mbedtls_pk_verify_restartable`
+* `mbedtls_pk_verify_ext`
 
 The migration path is to pass the correct value to those functions.