Add signature scheme rsa pss
Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index 12ef4d5..6b7a6f8 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -320,6 +320,11 @@
unsigned char verify_hash[MBEDTLS_MD_MAX_SIZE];
size_t verify_hash_len;
+ void const *opts_ptr = NULL;
+#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
+ mbedtls_pk_rsassa_pss_options opts;
+#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
+
/*
* struct {
* SignatureScheme algorithm;
@@ -368,6 +373,13 @@
md_alg = MBEDTLS_MD_SHA512;
sig_alg = MBEDTLS_PK_ECDSA;
break;
+#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
+ case MBEDTLS_TLS13_SIG_RSA_PSS_RSAE_SHA256:
+ MBEDTLS_SSL_DEBUG_MSG( 4, ( "Certificate Verify: using RSA" ) );
+ md_alg = MBEDTLS_MD_SHA256;
+ sig_alg = MBEDTLS_PK_RSASSA_PSS;
+ break;
+#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
default:
MBEDTLS_SSL_DEBUG_MSG( 1, ( "Certificate Verify: Unknown signature algorithm." ) );
goto error;
@@ -426,8 +438,21 @@
}
MBEDTLS_SSL_DEBUG_BUF( 3, "verify hash", verify_hash, verify_hash_len );
+#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
+ if( sig_alg == MBEDTLS_PK_RSASSA_PSS )
+ {
+ const mbedtls_md_info_t* md_info;
+ opts.mgf1_hash_id = md_alg;
+ if( ( md_info = mbedtls_md_info_from_type( md_alg ) ) == NULL )
+ {
+ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+ }
+ opts.expected_salt_len = mbedtls_md_get_size( md_info );
+ opts_ptr = (const void*) &opts;
+ }
+#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
- if( ( ret = mbedtls_pk_verify_ext( sig_alg, NULL,
+ if( ( ret = mbedtls_pk_verify_ext( sig_alg, opts_ptr,
&ssl->session_negotiate->peer_cert->pk,
md_alg, verify_hash, verify_hash_len,
p, signature_len ) ) == 0 )