Merge pull request #5907 from mpg/use-psa-rsa-pss
Use PSA more often in `pk_verify_ext()`
diff --git a/docs/use-psa-crypto.md b/docs/use-psa-crypto.md
index 194d96f..fc5317a 100644
--- a/docs/use-psa-crypto.md
+++ b/docs/use-psa-crypto.md
@@ -95,8 +95,6 @@
Current exceptions:
-- Verification of RSA-PSS signatures with a salt length that is different from
- the hash length.
- Restartable operations when `MBEDTLS_ECP_RESTARTABLE` is also enabled (see
the documentation of that option).
@@ -107,11 +105,11 @@
Current exceptions:
-- Verification of RSA-PSS signatures with a salt length that is different from
- the hash length, or with an MGF hash that's different from the message hash.
+- Verification of RSA-PSS signatures with an MGF hash that's different from
+ the message hash.
- Restartable operations when `MBEDTLS_ECP_RESTARTABLE` is also enabled (see
the documentation of that option).
-Other than the above exception, all crypto operations are based on PSA when
+Other than the above exceptions, all crypto operations are based on PSA when
`MBEDTLS_USE_PSA_CRYPTO` is enabled.
diff --git a/include/mbedtls/pk.h b/include/mbedtls/pk.h
index db0bfac..386ec42 100644
--- a/include/mbedtls/pk.h
+++ b/include/mbedtls/pk.h
@@ -496,7 +496,9 @@
*
* \note If type is MBEDTLS_PK_RSASSA_PSS, then options must point
* to a mbedtls_pk_rsassa_pss_options structure,
- * otherwise it must be NULL.
+ * otherwise it must be NULL. Note that if
+ * #MBEDTLS_USE_PSA_CRYPTO is defined, the salt length is not
+ * verified as PSA_ALG_RSA_PSS_ANY_SALT is used.
*/
int mbedtls_pk_verify_ext( mbedtls_pk_type_t type, const void *options,
mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
diff --git a/library/pk.c b/library/pk.c
index 8dc19ef..a73fa56 100644
--- a/library/pk.c
+++ b/library/pk.c
@@ -482,12 +482,9 @@
pss_opts = (const mbedtls_pk_rsassa_pss_options *) options;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
- if( pss_opts->mgf1_hash_id == md_alg &&
- ( (size_t) pss_opts->expected_salt_len == hash_len ||
- pss_opts->expected_salt_len == MBEDTLS_RSA_SALT_LEN_ANY ) )
+ if( pss_opts->mgf1_hash_id == md_alg )
{
- /* see RSA_PUB_DER_MAX_BYTES in pkwrite.c */
- unsigned char buf[ 38 + 2 * MBEDTLS_MPI_MAX_SIZE ];
+ unsigned char buf[MBEDTLS_PK_RSA_PUB_DER_MAX_BYTES];
unsigned char *p;
int key_len;
size_t signature_length;
@@ -497,10 +494,7 @@
psa_algorithm_t psa_md_alg = mbedtls_hash_info_psa_from_md( md_alg );
mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
- psa_algorithm_t psa_sig_alg =
- ( pss_opts->expected_salt_len == MBEDTLS_RSA_SALT_LEN_ANY ?
- PSA_ALG_RSA_PSS_ANY_SALT(psa_md_alg) :
- PSA_ALG_RSA_PSS(psa_md_alg) );
+ psa_algorithm_t psa_sig_alg = PSA_ALG_RSA_PSS_ANY_SALT( psa_md_alg );
p = buf + sizeof( buf );
key_len = mbedtls_pk_write_pubkey( &p, buf, ctx );
diff --git a/tests/suites/test_suite_pk.data b/tests/suites/test_suite_pk.data
index bd5d31e..d796f6f 100644
--- a/tests/suites/test_suite_pk.data
+++ b/tests/suites/test_suite_pk.data
@@ -456,10 +456,14 @@
depends_on:MBEDTLS_PKCS1_V21:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA
pk_rsa_verify_ext_test_vec:"c0719e9a8d5d838d861dc6f675c899d2b309a3a65bb9fe6b11e5afcbf9a2c0b1":MBEDTLS_MD_SHA256:1024:"00dd118a9f99bab068ca2aea3b6a6d5997ed4ec954e40deecea07da01eaae80ec2bb1340db8a128e891324a5c5f5fad8f590d7c8cacbc5fe931dafda1223735279461abaa0572b761631b3a8afe7389b088b63993a0a25ee45d21858bab9931aedd4589a631b37fcf714089f856549f359326dd1e0e86dde52ed66b4a90bda4095":"010001":"0d2bdb0456a3d651d5bd48a4204493898f72cf1aaddd71387cc058bc3f4c235ea6be4010fd61b28e1fbb275462b53775c04be9022d38b6a2e0387dddba86a3f8554d2858044a59fddbd594753fc056fe33c8daddb85dc70d164690b1182209ff84824e0be10e35c379f2f378bf176a9f7cb94d95e44d90276a298c8810f741c9":MBEDTLS_PK_RSASSA_PSS:MBEDTLS_MD_SHA256:94:128:0
-Verify ext RSA #5 (PKCS1 v2.1, wrong salt_len)
-depends_on:MBEDTLS_PKCS1_V21:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA
+Verify ext RSA #5a (PKCS1 v2.1, wrong salt_len) !USE_PSA
+depends_on:MBEDTLS_PKCS1_V21:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA:!MBEDTLS_USE_PSA_CRYPTO
pk_rsa_verify_ext_test_vec:"c0719e9a8d5d838d861dc6f675c899d2b309a3a65bb9fe6b11e5afcbf9a2c0b1":MBEDTLS_MD_SHA256:1024:"00dd118a9f99bab068ca2aea3b6a6d5997ed4ec954e40deecea07da01eaae80ec2bb1340db8a128e891324a5c5f5fad8f590d7c8cacbc5fe931dafda1223735279461abaa0572b761631b3a8afe7389b088b63993a0a25ee45d21858bab9931aedd4589a631b37fcf714089f856549f359326dd1e0e86dde52ed66b4a90bda4095":"010001":"0d2bdb0456a3d651d5bd48a4204493898f72cf1aaddd71387cc058bc3f4c235ea6be4010fd61b28e1fbb275462b53775c04be9022d38b6a2e0387dddba86a3f8554d2858044a59fddbd594753fc056fe33c8daddb85dc70d164690b1182209ff84824e0be10e35c379f2f378bf176a9f7cb94d95e44d90276a298c8810f741c9":MBEDTLS_PK_RSASSA_PSS:MBEDTLS_MD_SHA256:32:128:MBEDTLS_ERR_RSA_INVALID_PADDING
+Verify ext RSA #5b (PKCS1 v2.1, wrong salt_len) USE_PSA
+depends_on:MBEDTLS_PKCS1_V21:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA:MBEDTLS_USE_PSA_CRYPTO
+pk_rsa_verify_ext_test_vec:"c0719e9a8d5d838d861dc6f675c899d2b309a3a65bb9fe6b11e5afcbf9a2c0b1":MBEDTLS_MD_SHA256:1024:"00dd118a9f99bab068ca2aea3b6a6d5997ed4ec954e40deecea07da01eaae80ec2bb1340db8a128e891324a5c5f5fad8f590d7c8cacbc5fe931dafda1223735279461abaa0572b761631b3a8afe7389b088b63993a0a25ee45d21858bab9931aedd4589a631b37fcf714089f856549f359326dd1e0e86dde52ed66b4a90bda4095":"010001":"0d2bdb0456a3d651d5bd48a4204493898f72cf1aaddd71387cc058bc3f4c235ea6be4010fd61b28e1fbb275462b53775c04be9022d38b6a2e0387dddba86a3f8554d2858044a59fddbd594753fc056fe33c8daddb85dc70d164690b1182209ff84824e0be10e35c379f2f378bf176a9f7cb94d95e44d90276a298c8810f741c9":MBEDTLS_PK_RSASSA_PSS:MBEDTLS_MD_SHA256:32:128:0
+
Verify ext RSA #6 (PKCS1 v2.1, MGF1 alg != MSG hash alg)
depends_on:MBEDTLS_PKCS1_V21:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA
pk_rsa_verify_ext_test_vec:"c0719e9a8d5d838d861dc6f675c899d2b309a3a65bb9fe6b11e5afcbf9a2c0b1":MBEDTLS_MD_NONE:1024:"00dd118a9f99bab068ca2aea3b6a6d5997ed4ec954e40deecea07da01eaae80ec2bb1340db8a128e891324a5c5f5fad8f590d7c8cacbc5fe931dafda1223735279461abaa0572b761631b3a8afe7389b088b63993a0a25ee45d21858bab9931aedd4589a631b37fcf714089f856549f359326dd1e0e86dde52ed66b4a90bda4095":"010001":"0d2bdb0456a3d651d5bd48a4204493898f72cf1aaddd71387cc058bc3f4c235ea6be4010fd61b28e1fbb275462b53775c04be9022d38b6a2e0387dddba86a3f8554d2858044a59fddbd594753fc056fe33c8daddb85dc70d164690b1182209ff84824e0be10e35c379f2f378bf176a9f7cb94d95e44d90276a298c8810f741c9":MBEDTLS_PK_RSASSA_PSS:MBEDTLS_MD_SHA256:MBEDTLS_RSA_SALT_LEN_ANY:128:0
diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data
index bd03016..914dffa 100644
--- a/tests/suites/test_suite_x509parse.data
+++ b/tests/suites/test_suite_x509parse.data
@@ -831,9 +831,13 @@
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA
x509_verify:"data_files/server9-defaults.crt":"data_files/test-ca.crt":"data_files/crl-rsa-pss-sha1.pem":"NULL":0:0:"compat":"NULL"
-X509 CRT verification #68 (RSASSA-PSS, wrong salt_len)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA
-x509_verify:"data_files/server9-bad-saltlen.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
+X509 CRT verification #68 (RSASSA-PSS, wrong salt_len, !USE_PSA)
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:!MBEDTLS_USE_PSA_CRYPTO
+x509_verify:"data_files/server9-bad-saltlen.crt":"data_files/test-ca.crt":"data_files/crl-rsa-pss-sha1.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
+
+X509 CRT verification #68 (RSASSA-PSS, wrong salt_len, USE_PSA)
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_USE_PSA_CRYPTO
+x509_verify:"data_files/server9-bad-saltlen.crt":"data_files/test-ca.crt":"data_files/crl-rsa-pss-sha1.pem":"NULL":0:0:"compat":"NULL"
X509 CRT verification #69 (RSASSA-PSS, wrong mgf_hash)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA
diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function
index dc36b81..388d45e 100644
--- a/tests/suites/test_suite_x509parse.function
+++ b/tests/suites/test_suite_x509parse.function
@@ -665,8 +665,8 @@
res = mbedtls_x509_crt_verify_with_profile( &crt, &ca, &crl, profile, cn_name, &flags, f_vrfy, NULL );
- TEST_ASSERT( res == ( result ) );
- TEST_ASSERT( flags == (uint32_t)( flags_result ) );
+ TEST_EQUAL( res, result );
+ TEST_EQUAL( flags, (uint32_t) flags_result );
#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
/* CRLs aren't supported with CA callbacks, so skip the CA callback