PK signature function: require exact hash length
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
1 parent e7885e5, commit 9dbbc29
Showing 3 changed files with 34 additions and 22 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,4 +1,5 @@ | ||
API changes | ||
* Functions in the RSA module that accept a hashlen parameter now require | ||
it to match the output size of the hash algorithm used, except when | ||
signing raw data. | ||
* Signature functions in the RSA and PK modules now require the hash | ||
length parameter to be the size of the hash input. For RSA signatures | ||
other than raw PKCS#1 v1.5, this must match the output size of the | ||
specified hash algorithm. |
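Review bot: the new entry (the lines starting "Signature functions in the RSA and PK modules") does not say that the PK functions no longer accept 0 as the hash length, although the migration guide in this same commit names that as the PK-side change. Callers that passed 0 to `mbedtls_pk_sign` or `mbedtls_pk_verify` are the ones most likely to break, so I would state it explicitly here. Two wording points: "the size of the hash input" is ambiguous, and "the number of bytes read from the `hash` buffer" would match the guide; and this entry says "other than raw PKCS#1 v1.5" where the guide says "when signing raw data", so please settle on one phrasing.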
25 changes: 18 additions & 7 deletions
docs/3.0-migration-guide.d/require-matching-hashlen-rsa.md
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,13 +1,24 @@ | ||
RSA signature functions now require `hashlen` to match the expected value | ||
------------------------------------------------------------------------- | ||
Signature functions now require the hash length to match the expected value | ||
--------------------------------------------------------------------------- | ||
|
||
This only affects users of the low-level RSA API; users of the high-level PK | ||
API or of the PSA Crypto API are not affected. | ||
This affects users of the PK API as well as users of the low-level API in the RSA module. Users of the PSA API or of the ECDSA module are unaffected. | ||
|
||
All the functions in the RSA module that accept a `hashlen` parameter used to | ||
ignore it unless the `md_alg` parameter was `MBEDTLS_MD_NONE`, indicating raw | ||
data was signed. They now require this parameter's value to be equal to the | ||
output size of the hash algorithm used when signing a hash. (The requirements | ||
when signing raw data are unchanged.) | ||
data was signed. The `hashlen` parameter is now always the size that is read | ||
from the `hash` input buffer. This length must be equal to the output size of | ||
the hash algorithm used when signing a hash. (The requirements when signing | ||
raw data are unchanged.) This affects the following functions: | ||
|
||
* `mbedtls_rsa_pkcs1_sign`, `mbedtls_rsa_pkcs1_verify` | ||
* `mbedtls_rsa_rsassa_pkcs1_v15_sign`, `mbedtls_rsa_rsassa_pkcs1_v15_verify` | ||
* `mbedtls_rsa_rsassa_pss_sign`, `mbedtls_rsa_rsassa_pss_verify` | ||
* `mbedtls_rsa_rsassa_pss_sign_ext`, `mbedtls_rsa_rsassa_pss_verify_ext` | ||
|
||
The signature functions in the PK module no longer accept 0 as the `hash_len` parameter. The `hash_len` parameter is now always the size that is read from the `hash` input buffer. This affects the following functions: | ||
|
||
* `mbedtls_pk_sign`, `mbedtls_pk_verify` | ||
* `mbedtls_pk_sign_restartable`, `mbedtls_pk_verify_restartable` | ||
* `mbedtls_pk_verify_ext` | ||
|
||
The migration path is to pass the correct value to those functions. |
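Review bot: the closing sentence "The migration path is to pass the correct value to those functions" does not tell PK callers who previously passed 0 as `hash_len` what the correct value is. The RSA paragraph spells it out (the output size of the hash algorithm used when signing a hash); the PK paragraph should say the same, or say how it differs. Two smaller points: the two new paragraphs ("This affects users of the PK API ..." and "The signature functions in the PK module ...") are single unwrapped lines while the rest of the file is wrapped, and the file is still named require-matching-hashlen-rsa.md even though the heading now covers the PK module as well.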