From 7db1b78fff89027210565463dbef56d45a0824b0 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Wed, 9 Feb 2022 14:13:44 -0500 Subject: [PATCH 1/8] Make RSA-PSS verification use PSA with MBEDTLS_USE_PSA_CRYPTO Duplicate a test case but with a different expected error due to error translation to and from PSA. Signed-off-by: Andrzej Kurek --- library/pk.c | 83 ++++++++++++++++++++++------- tests/suites/test_suite_pk.data | 6 ++- tests/suites/test_suite_pk.function | 7 +++ 3 files changed, 77 insertions(+), 19 deletions(-) diff --git a/library/pk.c b/library/pk.c index e364520930b3..4eff8e52cb2f 100644 --- a/library/pk.c +++ b/library/pk.c @@ -347,22 +347,76 @@ int mbedtls_pk_verify_ext( mbedtls_pk_type_t type, const void *options, if( ! mbedtls_pk_can_do( ctx, type ) ) return( MBEDTLS_ERR_PK_TYPE_MISMATCH ); - if( type == MBEDTLS_PK_RSASSA_PSS ) + if( type != MBEDTLS_PK_RSASSA_PSS ) { + /* General case: no options */ + if( options != NULL ) + return( MBEDTLS_ERR_PK_BAD_INPUT_DATA ); + + return( mbedtls_pk_verify( ctx, md_alg, hash, hash_len, sig, sig_len ) ); + } + #if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_PKCS1_V21) - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - const mbedtls_pk_rsassa_pss_options *pss_opts; + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + const mbedtls_pk_rsassa_pss_options *pss_opts; #if SIZE_MAX > UINT_MAX - if( md_alg == MBEDTLS_MD_NONE && UINT_MAX < hash_len ) - return( MBEDTLS_ERR_PK_BAD_INPUT_DATA ); + if( md_alg == MBEDTLS_MD_NONE && UINT_MAX < hash_len ) + return( MBEDTLS_ERR_PK_BAD_INPUT_DATA ); #endif /* SIZE_MAX > UINT_MAX */ - if( options == NULL ) - return( MBEDTLS_ERR_PK_BAD_INPUT_DATA ); + if( options == NULL ) + return( MBEDTLS_ERR_PK_BAD_INPUT_DATA ); - pss_opts = (const mbedtls_pk_rsassa_pss_options *) options; + pss_opts = (const mbedtls_pk_rsassa_pss_options *) options; +#if defined(MBEDTLS_USE_PSA_CRYPTO) + psa_status_t status; + if( pss_opts->mgf1_hash_id == md_alg && + ( (size_t) pss_opts->expected_salt_len == hash_len || + pss_opts->expected_salt_len == MBEDTLS_RSA_SALT_LEN_ANY ) ) + { + /* see RSA_PUB_DER_MAX_BYTES in pkwrite.c */ + unsigned char buf[ 38 + 2 * MBEDTLS_MPI_MAX_SIZE ]; + unsigned char *p; + int key_len; + psa_algorithm_t psa_md_alg = mbedtls_psa_translate_md( md_alg ); + mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT; + psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + psa_algorithm_t psa_sig_md = + ( pss_opts->expected_salt_len == MBEDTLS_RSA_SALT_LEN_ANY ? + PSA_ALG_RSA_PSS_ANY_SALT(psa_md_alg) : + PSA_ALG_RSA_PSS(psa_md_alg) ); + p = buf + sizeof( buf ); + key_len = mbedtls_pk_write_pubkey( &p, buf, ctx ); + + if( key_len < 0 ) + return( key_len ); + + psa_set_key_type( &attributes, PSA_KEY_TYPE_RSA_PUBLIC_KEY ); + psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_VERIFY_HASH ); + psa_set_key_algorithm( &attributes, psa_sig_md ); + + status = psa_import_key( &attributes, + buf + sizeof( buf ) - key_len, key_len, + &key_id ); + if( status != PSA_SUCCESS ) + { + psa_destroy_key( key_id ); + return( mbedtls_psa_err_translate_pk( status ) ); + } + + status = psa_verify_hash( key_id, psa_sig_md, hash, + hash_len, sig, sig_len ); + psa_destroy_key( key_id ); + + return( status == PSA_ERROR_INVALID_SIGNATURE? + MBEDTLS_ERR_RSA_VERIFY_FAILED : + mbedtls_psa_err_translate_pk( status ) ); + } + else +#endif + { if( sig_len < mbedtls_pk_get_len( ctx ) ) return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); @@ -376,18 +430,11 @@ int mbedtls_pk_verify_ext( mbedtls_pk_type_t type, const void *options, if( sig_len > mbedtls_pk_get_len( ctx ) ) return( MBEDTLS_ERR_PK_SIG_LEN_MISMATCH ); - - return( 0 ); + } + return( 0 ); #else - return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE ); + return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE ); #endif /* MBEDTLS_RSA_C && MBEDTLS_PKCS1_V21 */ - } - - /* General case: no options */ - if( options != NULL ) - return( MBEDTLS_ERR_PK_BAD_INPUT_DATA ); - - return( mbedtls_pk_verify( ctx, md_alg, hash, hash_len, sig, sig_len ) ); } /* diff --git a/tests/suites/test_suite_pk.data b/tests/suites/test_suite_pk.data index 5eb145ddac73..9fff6713b5a0 100644 --- a/tests/suites/test_suite_pk.data +++ b/tests/suites/test_suite_pk.data @@ -180,8 +180,12 @@ Verify ext RSA #4 (PKCS1 v2.1, salt_len = max, OK) depends_on:MBEDTLS_PKCS1_V21:MBEDTLS_SHA256_C pk_rsa_verify_ext_test_vec:"54657374206d657373616765":MBEDTLS_MD_SHA256:1024:16:"00dd118a9f99bab068ca2aea3b6a6d5997ed4ec954e40deecea07da01eaae80ec2bb1340db8a128e891324a5c5f5fad8f590d7c8cacbc5fe931dafda1223735279461abaa0572b761631b3a8afe7389b088b63993a0a25ee45d21858bab9931aedd4589a631b37fcf714089f856549f359326dd1e0e86dde52ed66b4a90bda4095":16:"010001":"0d2bdb0456a3d651d5bd48a4204493898f72cf1aaddd71387cc058bc3f4c235ea6be4010fd61b28e1fbb275462b53775c04be9022d38b6a2e0387dddba86a3f8554d2858044a59fddbd594753fc056fe33c8daddb85dc70d164690b1182209ff84824e0be10e35c379f2f378bf176a9f7cb94d95e44d90276a298c8810f741c9":MBEDTLS_PK_RSASSA_PSS:MBEDTLS_MD_SHA256:94:0 +Verify ext RSA #5 using PSA (PKCS1 v2.1, wrong salt_len) +depends_on:MBEDTLS_PKCS1_V21:MBEDTLS_SHA256_C:MBEDTLS_USE_PSA_CRYPTO +pk_rsa_verify_ext_test_vec:"54657374206d657373616765":MBEDTLS_MD_SHA256:1024:16:"00dd118a9f99bab068ca2aea3b6a6d5997ed4ec954e40deecea07da01eaae80ec2bb1340db8a128e891324a5c5f5fad8f590d7c8cacbc5fe931dafda1223735279461abaa0572b761631b3a8afe7389b088b63993a0a25ee45d21858bab9931aedd4589a631b37fcf714089f856549f359326dd1e0e86dde52ed66b4a90bda4095":16:"010001":"0d2bdb0456a3d651d5bd48a4204493898f72cf1aaddd71387cc058bc3f4c235ea6be4010fd61b28e1fbb275462b53775c04be9022d38b6a2e0387dddba86a3f8554d2858044a59fddbd594753fc056fe33c8daddb85dc70d164690b1182209ff84824e0be10e35c379f2f378bf176a9f7cb94d95e44d90276a298c8810f741c9":MBEDTLS_PK_RSASSA_PSS:MBEDTLS_MD_SHA256:32:MBEDTLS_ERR_RSA_VERIFY_FAILED + Verify ext RSA #5 (PKCS1 v2.1, wrong salt_len) -depends_on:MBEDTLS_PKCS1_V21:MBEDTLS_SHA256_C +depends_on:MBEDTLS_PKCS1_V21:MBEDTLS_SHA256_C:!MBEDTLS_USE_PSA_CRYPTO pk_rsa_verify_ext_test_vec:"54657374206d657373616765":MBEDTLS_MD_SHA256:1024:16:"00dd118a9f99bab068ca2aea3b6a6d5997ed4ec954e40deecea07da01eaae80ec2bb1340db8a128e891324a5c5f5fad8f590d7c8cacbc5fe931dafda1223735279461abaa0572b761631b3a8afe7389b088b63993a0a25ee45d21858bab9931aedd4589a631b37fcf714089f856549f359326dd1e0e86dde52ed66b4a90bda4095":16:"010001":"0d2bdb0456a3d651d5bd48a4204493898f72cf1aaddd71387cc058bc3f4c235ea6be4010fd61b28e1fbb275462b53775c04be9022d38b6a2e0387dddba86a3f8554d2858044a59fddbd594753fc056fe33c8daddb85dc70d164690b1182209ff84824e0be10e35c379f2f378bf176a9f7cb94d95e44d90276a298c8810f741c9":MBEDTLS_PK_RSASSA_PSS:MBEDTLS_MD_SHA256:32:MBEDTLS_ERR_RSA_INVALID_PADDING Verify ext RSA #6 (PKCS1 v2.1, MGF1 alg != MSG hash alg) diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function index 56cc45b625c6..edd5e667f7a1 100644 --- a/tests/suites/test_suite_pk.function +++ b/tests/suites/test_suite_pk.function @@ -438,6 +438,9 @@ void pk_rsa_verify_ext_test_vec( data_t * message_str, int digest, void *options; size_t hash_len; +#if defined(MBEDTLS_USE_PSA_CRYPTO) + psa_crypto_init(); +#endif mbedtls_pk_init( &pk ); memset( hash_result, 0x00, sizeof( hash_result ) ); @@ -481,6 +484,10 @@ void pk_rsa_verify_ext_test_vec( data_t * message_str, int digest, exit: mbedtls_pk_free( &pk ); +#if defined(MBEDTLS_USE_PSA_CRYPTO) + mbedtls_test_psa_purge_key_storage(); + mbedtls_psa_crypto_free(); +#endif } /* END_CASE */ From 853ad7bfcf8b5413b0ab454ba8f5a2660e9b91de Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Tue, 15 Feb 2022 07:13:03 -0500 Subject: [PATCH 2/8] Use macros in tests for PSA init/deinit routines Signed-off-by: Andrzej Kurek --- tests/suites/test_suite_pk.function | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function index edd5e667f7a1..d5c7d0867a39 100644 --- a/tests/suites/test_suite_pk.function +++ b/tests/suites/test_suite_pk.function @@ -438,9 +438,7 @@ void pk_rsa_verify_ext_test_vec( data_t * message_str, int digest, void *options; size_t hash_len; -#if defined(MBEDTLS_USE_PSA_CRYPTO) - psa_crypto_init(); -#endif + USE_PSA_INIT( ); mbedtls_pk_init( &pk ); memset( hash_result, 0x00, sizeof( hash_result ) ); @@ -484,10 +482,7 @@ void pk_rsa_verify_ext_test_vec( data_t * message_str, int digest, exit: mbedtls_pk_free( &pk ); -#if defined(MBEDTLS_USE_PSA_CRYPTO) - mbedtls_test_psa_purge_key_storage(); - mbedtls_psa_crypto_free(); -#endif + USE_PSA_DONE( ); } /* END_CASE */ From 90ba2cbd0aa3fcff2c95861a5d697747f23df7b5 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Tue, 15 Feb 2022 08:18:44 -0500 Subject: [PATCH 3/8] Cosmetic changes to return placement and variable naming Signed-off-by: Andrzej Kurek --- library/pk.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/library/pk.c b/library/pk.c index 4eff8e52cb2f..de0f7afb1fd2 100644 --- a/library/pk.c +++ b/library/pk.c @@ -383,7 +383,7 @@ int mbedtls_pk_verify_ext( mbedtls_pk_type_t type, const void *options, psa_algorithm_t psa_md_alg = mbedtls_psa_translate_md( md_alg ); mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; - psa_algorithm_t psa_sig_md = + psa_algorithm_t psa_sig_alg = ( pss_opts->expected_salt_len == MBEDTLS_RSA_SALT_LEN_ANY ? PSA_ALG_RSA_PSS_ANY_SALT(psa_md_alg) : PSA_ALG_RSA_PSS(psa_md_alg) ); @@ -395,7 +395,7 @@ int mbedtls_pk_verify_ext( mbedtls_pk_type_t type, const void *options, psa_set_key_type( &attributes, PSA_KEY_TYPE_RSA_PUBLIC_KEY ); psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_VERIFY_HASH ); - psa_set_key_algorithm( &attributes, psa_sig_md ); + psa_set_key_algorithm( &attributes, psa_sig_alg ); status = psa_import_key( &attributes, buf + sizeof( buf ) - key_len, key_len, @@ -406,7 +406,7 @@ int mbedtls_pk_verify_ext( mbedtls_pk_type_t type, const void *options, return( mbedtls_psa_err_translate_pk( status ) ); } - status = psa_verify_hash( key_id, psa_sig_md, hash, + status = psa_verify_hash( key_id, psa_sig_alg, hash, hash_len, sig, sig_len ); psa_destroy_key( key_id ); @@ -430,8 +430,9 @@ int mbedtls_pk_verify_ext( mbedtls_pk_type_t type, const void *options, if( sig_len > mbedtls_pk_get_len( ctx ) ) return( MBEDTLS_ERR_PK_SIG_LEN_MISMATCH ); + + return( 0 ); } - return( 0 ); #else return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE ); #endif /* MBEDTLS_RSA_C && MBEDTLS_PKCS1_V21 */ From 8666df6f189c6f46bd17e17d8648aaacc3380d16 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Tue, 15 Feb 2022 08:23:02 -0500 Subject: [PATCH 4/8] Add signature length mismatch handling when using PSA in pk_verify_ext Introduce a regression test for that too. Signed-off-by: Andrzej Kurek --- library/pk.c | 3 +++ tests/suites/test_suite_pk.data | 30 ++++++++++++++++------------- tests/suites/test_suite_pk.function | 5 +++-- 3 files changed, 23 insertions(+), 15 deletions(-) diff --git a/library/pk.c b/library/pk.c index de0f7afb1fd2..855b6e15c266 100644 --- a/library/pk.c +++ b/library/pk.c @@ -410,6 +410,9 @@ int mbedtls_pk_verify_ext( mbedtls_pk_type_t type, const void *options, hash_len, sig, sig_len ); psa_destroy_key( key_id ); + if( status == PSA_SUCCESS && sig_len > mbedtls_pk_get_len( ctx ) ) + return( MBEDTLS_ERR_PK_SIG_LEN_MISMATCH ); + return( status == PSA_ERROR_INVALID_SIGNATURE? MBEDTLS_ERR_RSA_VERIFY_FAILED : mbedtls_psa_err_translate_pk( status ) ); diff --git a/tests/suites/test_suite_pk.data b/tests/suites/test_suite_pk.data index 9fff6713b5a0..6b1cbcb364b1 100644 --- a/tests/suites/test_suite_pk.data +++ b/tests/suites/test_suite_pk.data @@ -166,55 +166,59 @@ pk_rsa_alt: Verify ext RSA #1 (PKCS1 v2.1, salt_len = ANY, OK) depends_on:MBEDTLS_PKCS1_V21:MBEDTLS_SHA256_C -pk_rsa_verify_ext_test_vec:"54657374206d657373616765":MBEDTLS_MD_SHA256:1024:16:"00dd118a9f99bab068ca2aea3b6a6d5997ed4ec954e40deecea07da01eaae80ec2bb1340db8a128e891324a5c5f5fad8f590d7c8cacbc5fe931dafda1223735279461abaa0572b761631b3a8afe7389b088b63993a0a25ee45d21858bab9931aedd4589a631b37fcf714089f856549f359326dd1e0e86dde52ed66b4a90bda4095":16:"010001":"0d2bdb0456a3d651d5bd48a4204493898f72cf1aaddd71387cc058bc3f4c235ea6be4010fd61b28e1fbb275462b53775c04be9022d38b6a2e0387dddba86a3f8554d2858044a59fddbd594753fc056fe33c8daddb85dc70d164690b1182209ff84824e0be10e35c379f2f378bf176a9f7cb94d95e44d90276a298c8810f741c9":MBEDTLS_PK_RSASSA_PSS:MBEDTLS_MD_SHA256:MBEDTLS_RSA_SALT_LEN_ANY:0 +pk_rsa_verify_ext_test_vec:"54657374206d657373616765":MBEDTLS_MD_SHA256:1024:16:"00dd118a9f99bab068ca2aea3b6a6d5997ed4ec954e40deecea07da01eaae80ec2bb1340db8a128e891324a5c5f5fad8f590d7c8cacbc5fe931dafda1223735279461abaa0572b761631b3a8afe7389b088b63993a0a25ee45d21858bab9931aedd4589a631b37fcf714089f856549f359326dd1e0e86dde52ed66b4a90bda4095":16:"010001":"0d2bdb0456a3d651d5bd48a4204493898f72cf1aaddd71387cc058bc3f4c235ea6be4010fd61b28e1fbb275462b53775c04be9022d38b6a2e0387dddba86a3f8554d2858044a59fddbd594753fc056fe33c8daddb85dc70d164690b1182209ff84824e0be10e35c379f2f378bf176a9f7cb94d95e44d90276a298c8810f741c9":MBEDTLS_PK_RSASSA_PSS:MBEDTLS_MD_SHA256:MBEDTLS_RSA_SALT_LEN_ANY:128:0 Verify ext RSA #2 (PKCS1 v2.1, salt_len = ANY, wrong message) depends_on:MBEDTLS_PKCS1_V21:MBEDTLS_SHA256_C -pk_rsa_verify_ext_test_vec:"54657374206d657373616766":MBEDTLS_MD_SHA256:1024:16:"00dd118a9f99bab068ca2aea3b6a6d5997ed4ec954e40deecea07da01eaae80ec2bb1340db8a128e891324a5c5f5fad8f590d7c8cacbc5fe931dafda1223735279461abaa0572b761631b3a8afe7389b088b63993a0a25ee45d21858bab9931aedd4589a631b37fcf714089f856549f359326dd1e0e86dde52ed66b4a90bda4095":16:"010001":"0d2bdb0456a3d651d5bd48a4204493898f72cf1aaddd71387cc058bc3f4c235ea6be4010fd61b28e1fbb275462b53775c04be9022d38b6a2e0387dddba86a3f8554d2858044a59fddbd594753fc056fe33c8daddb85dc70d164690b1182209ff84824e0be10e35c379f2f378bf176a9f7cb94d95e44d90276a298c8810f741c9":MBEDTLS_PK_RSASSA_PSS:MBEDTLS_MD_SHA256:MBEDTLS_RSA_SALT_LEN_ANY:MBEDTLS_ERR_RSA_VERIFY_FAILED +pk_rsa_verify_ext_test_vec:"54657374206d657373616766":MBEDTLS_MD_SHA256:1024:16:"00dd118a9f99bab068ca2aea3b6a6d5997ed4ec954e40deecea07da01eaae80ec2bb1340db8a128e891324a5c5f5fad8f590d7c8cacbc5fe931dafda1223735279461abaa0572b761631b3a8afe7389b088b63993a0a25ee45d21858bab9931aedd4589a631b37fcf714089f856549f359326dd1e0e86dde52ed66b4a90bda4095":16:"010001":"0d2bdb0456a3d651d5bd48a4204493898f72cf1aaddd71387cc058bc3f4c235ea6be4010fd61b28e1fbb275462b53775c04be9022d38b6a2e0387dddba86a3f8554d2858044a59fddbd594753fc056fe33c8daddb85dc70d164690b1182209ff84824e0be10e35c379f2f378bf176a9f7cb94d95e44d90276a298c8810f741c9":MBEDTLS_PK_RSASSA_PSS:MBEDTLS_MD_SHA256:MBEDTLS_RSA_SALT_LEN_ANY:128:MBEDTLS_ERR_RSA_VERIFY_FAILED Verify ext RSA #3 (PKCS1 v2.1, salt_len = 0, OK) depends_on:MBEDTLS_PKCS1_V21:MBEDTLS_SHA256_C -pk_rsa_verify_ext_test_vec:"54657374206d657373616765":MBEDTLS_MD_SHA256:1024:16:"00dd118a9f99bab068ca2aea3b6a6d5997ed4ec954e40deecea07da01eaae80ec2bb1340db8a128e891324a5c5f5fad8f590d7c8cacbc5fe931dafda1223735279461abaa0572b761631b3a8afe7389b088b63993a0a25ee45d21858bab9931aedd4589a631b37fcf714089f856549f359326dd1e0e86dde52ed66b4a90bda4095":16:"010001":"7fc506d26ca3b22922a1ce39faaedd273161b82d9443c56f1a034f131ae4a18cae1474271cb4b66a17d9707ca58b0bdbd3c406b7e65bbcc9bbbce94dc45de807b4989b23b3e4db74ca29298137837eb90cc83d3219249bc7d480fceaf075203a86e54c4ecfa4e312e39f8f69d76534089a36ed9049ca9cfd5ab1db1fa75fe5c8":MBEDTLS_PK_RSASSA_PSS:MBEDTLS_MD_SHA256:0:0 +pk_rsa_verify_ext_test_vec:"54657374206d657373616765":MBEDTLS_MD_SHA256:1024:16:"00dd118a9f99bab068ca2aea3b6a6d5997ed4ec954e40deecea07da01eaae80ec2bb1340db8a128e891324a5c5f5fad8f590d7c8cacbc5fe931dafda1223735279461abaa0572b761631b3a8afe7389b088b63993a0a25ee45d21858bab9931aedd4589a631b37fcf714089f856549f359326dd1e0e86dde52ed66b4a90bda4095":16:"010001":"7fc506d26ca3b22922a1ce39faaedd273161b82d9443c56f1a034f131ae4a18cae1474271cb4b66a17d9707ca58b0bdbd3c406b7e65bbcc9bbbce94dc45de807b4989b23b3e4db74ca29298137837eb90cc83d3219249bc7d480fceaf075203a86e54c4ecfa4e312e39f8f69d76534089a36ed9049ca9cfd5ab1db1fa75fe5c8":MBEDTLS_PK_RSASSA_PSS:MBEDTLS_MD_SHA256:0:128:0 Verify ext RSA #4 (PKCS1 v2.1, salt_len = max, OK) depends_on:MBEDTLS_PKCS1_V21:MBEDTLS_SHA256_C -pk_rsa_verify_ext_test_vec:"54657374206d657373616765":MBEDTLS_MD_SHA256:1024:16:"00dd118a9f99bab068ca2aea3b6a6d5997ed4ec954e40deecea07da01eaae80ec2bb1340db8a128e891324a5c5f5fad8f590d7c8cacbc5fe931dafda1223735279461abaa0572b761631b3a8afe7389b088b63993a0a25ee45d21858bab9931aedd4589a631b37fcf714089f856549f359326dd1e0e86dde52ed66b4a90bda4095":16:"010001":"0d2bdb0456a3d651d5bd48a4204493898f72cf1aaddd71387cc058bc3f4c235ea6be4010fd61b28e1fbb275462b53775c04be9022d38b6a2e0387dddba86a3f8554d2858044a59fddbd594753fc056fe33c8daddb85dc70d164690b1182209ff84824e0be10e35c379f2f378bf176a9f7cb94d95e44d90276a298c8810f741c9":MBEDTLS_PK_RSASSA_PSS:MBEDTLS_MD_SHA256:94:0 +pk_rsa_verify_ext_test_vec:"54657374206d657373616765":MBEDTLS_MD_SHA256:1024:16:"00dd118a9f99bab068ca2aea3b6a6d5997ed4ec954e40deecea07da01eaae80ec2bb1340db8a128e891324a5c5f5fad8f590d7c8cacbc5fe931dafda1223735279461abaa0572b761631b3a8afe7389b088b63993a0a25ee45d21858bab9931aedd4589a631b37fcf714089f856549f359326dd1e0e86dde52ed66b4a90bda4095":16:"010001":"0d2bdb0456a3d651d5bd48a4204493898f72cf1aaddd71387cc058bc3f4c235ea6be4010fd61b28e1fbb275462b53775c04be9022d38b6a2e0387dddba86a3f8554d2858044a59fddbd594753fc056fe33c8daddb85dc70d164690b1182209ff84824e0be10e35c379f2f378bf176a9f7cb94d95e44d90276a298c8810f741c9":MBEDTLS_PK_RSASSA_PSS:MBEDTLS_MD_SHA256:94:128:0 Verify ext RSA #5 using PSA (PKCS1 v2.1, wrong salt_len) depends_on:MBEDTLS_PKCS1_V21:MBEDTLS_SHA256_C:MBEDTLS_USE_PSA_CRYPTO -pk_rsa_verify_ext_test_vec:"54657374206d657373616765":MBEDTLS_MD_SHA256:1024:16:"00dd118a9f99bab068ca2aea3b6a6d5997ed4ec954e40deecea07da01eaae80ec2bb1340db8a128e891324a5c5f5fad8f590d7c8cacbc5fe931dafda1223735279461abaa0572b761631b3a8afe7389b088b63993a0a25ee45d21858bab9931aedd4589a631b37fcf714089f856549f359326dd1e0e86dde52ed66b4a90bda4095":16:"010001":"0d2bdb0456a3d651d5bd48a4204493898f72cf1aaddd71387cc058bc3f4c235ea6be4010fd61b28e1fbb275462b53775c04be9022d38b6a2e0387dddba86a3f8554d2858044a59fddbd594753fc056fe33c8daddb85dc70d164690b1182209ff84824e0be10e35c379f2f378bf176a9f7cb94d95e44d90276a298c8810f741c9":MBEDTLS_PK_RSASSA_PSS:MBEDTLS_MD_SHA256:32:MBEDTLS_ERR_RSA_VERIFY_FAILED +pk_rsa_verify_ext_test_vec:"54657374206d657373616765":MBEDTLS_MD_SHA256:1024:16:"00dd118a9f99bab068ca2aea3b6a6d5997ed4ec954e40deecea07da01eaae80ec2bb1340db8a128e891324a5c5f5fad8f590d7c8cacbc5fe931dafda1223735279461abaa0572b761631b3a8afe7389b088b63993a0a25ee45d21858bab9931aedd4589a631b37fcf714089f856549f359326dd1e0e86dde52ed66b4a90bda4095":16:"010001":"0d2bdb0456a3d651d5bd48a4204493898f72cf1aaddd71387cc058bc3f4c235ea6be4010fd61b28e1fbb275462b53775c04be9022d38b6a2e0387dddba86a3f8554d2858044a59fddbd594753fc056fe33c8daddb85dc70d164690b1182209ff84824e0be10e35c379f2f378bf176a9f7cb94d95e44d90276a298c8810f741c9":MBEDTLS_PK_RSASSA_PSS:MBEDTLS_MD_SHA256:32:128:MBEDTLS_ERR_RSA_VERIFY_FAILED Verify ext RSA #5 (PKCS1 v2.1, wrong salt_len) depends_on:MBEDTLS_PKCS1_V21:MBEDTLS_SHA256_C:!MBEDTLS_USE_PSA_CRYPTO -pk_rsa_verify_ext_test_vec:"54657374206d657373616765":MBEDTLS_MD_SHA256:1024:16:"00dd118a9f99bab068ca2aea3b6a6d5997ed4ec954e40deecea07da01eaae80ec2bb1340db8a128e891324a5c5f5fad8f590d7c8cacbc5fe931dafda1223735279461abaa0572b761631b3a8afe7389b088b63993a0a25ee45d21858bab9931aedd4589a631b37fcf714089f856549f359326dd1e0e86dde52ed66b4a90bda4095":16:"010001":"0d2bdb0456a3d651d5bd48a4204493898f72cf1aaddd71387cc058bc3f4c235ea6be4010fd61b28e1fbb275462b53775c04be9022d38b6a2e0387dddba86a3f8554d2858044a59fddbd594753fc056fe33c8daddb85dc70d164690b1182209ff84824e0be10e35c379f2f378bf176a9f7cb94d95e44d90276a298c8810f741c9":MBEDTLS_PK_RSASSA_PSS:MBEDTLS_MD_SHA256:32:MBEDTLS_ERR_RSA_INVALID_PADDING +pk_rsa_verify_ext_test_vec:"54657374206d657373616765":MBEDTLS_MD_SHA256:1024:16:"00dd118a9f99bab068ca2aea3b6a6d5997ed4ec954e40deecea07da01eaae80ec2bb1340db8a128e891324a5c5f5fad8f590d7c8cacbc5fe931dafda1223735279461abaa0572b761631b3a8afe7389b088b63993a0a25ee45d21858bab9931aedd4589a631b37fcf714089f856549f359326dd1e0e86dde52ed66b4a90bda4095":16:"010001":"0d2bdb0456a3d651d5bd48a4204493898f72cf1aaddd71387cc058bc3f4c235ea6be4010fd61b28e1fbb275462b53775c04be9022d38b6a2e0387dddba86a3f8554d2858044a59fddbd594753fc056fe33c8daddb85dc70d164690b1182209ff84824e0be10e35c379f2f378bf176a9f7cb94d95e44d90276a298c8810f741c9":MBEDTLS_PK_RSASSA_PSS:MBEDTLS_MD_SHA256:32:128:MBEDTLS_ERR_RSA_INVALID_PADDING Verify ext RSA #6 (PKCS1 v2.1, MGF1 alg != MSG hash alg) depends_on:MBEDTLS_PKCS1_V21:MBEDTLS_SHA256_C -pk_rsa_verify_ext_test_vec:"c0719e9a8d5d838d861dc6f675c899d2b309a3a65bb9fe6b11e5afcbf9a2c0b1":MBEDTLS_MD_NONE:1024:16:"00dd118a9f99bab068ca2aea3b6a6d5997ed4ec954e40deecea07da01eaae80ec2bb1340db8a128e891324a5c5f5fad8f590d7c8cacbc5fe931dafda1223735279461abaa0572b761631b3a8afe7389b088b63993a0a25ee45d21858bab9931aedd4589a631b37fcf714089f856549f359326dd1e0e86dde52ed66b4a90bda4095":16:"010001":"0d2bdb0456a3d651d5bd48a4204493898f72cf1aaddd71387cc058bc3f4c235ea6be4010fd61b28e1fbb275462b53775c04be9022d38b6a2e0387dddba86a3f8554d2858044a59fddbd594753fc056fe33c8daddb85dc70d164690b1182209ff84824e0be10e35c379f2f378bf176a9f7cb94d95e44d90276a298c8810f741c9":MBEDTLS_PK_RSASSA_PSS:MBEDTLS_MD_SHA256:MBEDTLS_RSA_SALT_LEN_ANY:0 +pk_rsa_verify_ext_test_vec:"c0719e9a8d5d838d861dc6f675c899d2b309a3a65bb9fe6b11e5afcbf9a2c0b1":MBEDTLS_MD_NONE:1024:16:"00dd118a9f99bab068ca2aea3b6a6d5997ed4ec954e40deecea07da01eaae80ec2bb1340db8a128e891324a5c5f5fad8f590d7c8cacbc5fe931dafda1223735279461abaa0572b761631b3a8afe7389b088b63993a0a25ee45d21858bab9931aedd4589a631b37fcf714089f856549f359326dd1e0e86dde52ed66b4a90bda4095":16:"010001":"0d2bdb0456a3d651d5bd48a4204493898f72cf1aaddd71387cc058bc3f4c235ea6be4010fd61b28e1fbb275462b53775c04be9022d38b6a2e0387dddba86a3f8554d2858044a59fddbd594753fc056fe33c8daddb85dc70d164690b1182209ff84824e0be10e35c379f2f378bf176a9f7cb94d95e44d90276a298c8810f741c9":MBEDTLS_PK_RSASSA_PSS:MBEDTLS_MD_SHA256:MBEDTLS_RSA_SALT_LEN_ANY:128:0 Verify ext RSA #7 (PKCS1 v2.1, wrong MGF1 alg != MSG hash alg) depends_on:MBEDTLS_PKCS1_V21:MBEDTLS_SHA256_C:MBEDTLS_SHA1_C -pk_rsa_verify_ext_test_vec:"c0719e9a8d5d838d861dc6f675c899d2b309a3a65bb9fe6b11e5afcbf9a2c0b1":MBEDTLS_MD_NONE:1024:16:"00dd118a9f99bab068ca2aea3b6a6d5997ed4ec954e40deecea07da01eaae80ec2bb1340db8a128e891324a5c5f5fad8f590d7c8cacbc5fe931dafda1223735279461abaa0572b761631b3a8afe7389b088b63993a0a25ee45d21858bab9931aedd4589a631b37fcf714089f856549f359326dd1e0e86dde52ed66b4a90bda4095":16:"010001":"0d2bdb0456a3d651d5bd48a4204493898f72cf1aaddd71387cc058bc3f4c235ea6be4010fd61b28e1fbb275462b53775c04be9022d38b6a2e0387dddba86a3f8554d2858044a59fddbd594753fc056fe33c8daddb85dc70d164690b1182209ff84824e0be10e35c379f2f378bf176a9f7cb94d95e44d90276a298c8810f741c9":MBEDTLS_PK_RSASSA_PSS:MBEDTLS_MD_SHA1:MBEDTLS_RSA_SALT_LEN_ANY:MBEDTLS_ERR_RSA_INVALID_PADDING +pk_rsa_verify_ext_test_vec:"c0719e9a8d5d838d861dc6f675c899d2b309a3a65bb9fe6b11e5afcbf9a2c0b1":MBEDTLS_MD_NONE:1024:16:"00dd118a9f99bab068ca2aea3b6a6d5997ed4ec954e40deecea07da01eaae80ec2bb1340db8a128e891324a5c5f5fad8f590d7c8cacbc5fe931dafda1223735279461abaa0572b761631b3a8afe7389b088b63993a0a25ee45d21858bab9931aedd4589a631b37fcf714089f856549f359326dd1e0e86dde52ed66b4a90bda4095":16:"010001":"0d2bdb0456a3d651d5bd48a4204493898f72cf1aaddd71387cc058bc3f4c235ea6be4010fd61b28e1fbb275462b53775c04be9022d38b6a2e0387dddba86a3f8554d2858044a59fddbd594753fc056fe33c8daddb85dc70d164690b1182209ff84824e0be10e35c379f2f378bf176a9f7cb94d95e44d90276a298c8810f741c9":MBEDTLS_PK_RSASSA_PSS:MBEDTLS_MD_SHA1:MBEDTLS_RSA_SALT_LEN_ANY:128:MBEDTLS_ERR_RSA_INVALID_PADDING Verify ext RSA #8 (PKCS1 v2.1, RSASSA-PSS without options) depends_on:MBEDTLS_PKCS1_V21:MBEDTLS_SHA256_C -pk_rsa_verify_ext_test_vec:"54657374206d657373616765":MBEDTLS_MD_SHA256:1024:16:"00dd118a9f99bab068ca2aea3b6a6d5997ed4ec954e40deecea07da01eaae80ec2bb1340db8a128e891324a5c5f5fad8f590d7c8cacbc5fe931dafda1223735279461abaa0572b761631b3a8afe7389b088b63993a0a25ee45d21858bab9931aedd4589a631b37fcf714089f856549f359326dd1e0e86dde52ed66b4a90bda4095":16:"010001":"0d2bdb0456a3d651d5bd48a4204493898f72cf1aaddd71387cc058bc3f4c235ea6be4010fd61b28e1fbb275462b53775c04be9022d38b6a2e0387dddba86a3f8554d2858044a59fddbd594753fc056fe33c8daddb85dc70d164690b1182209ff84824e0be10e35c379f2f378bf176a9f7cb94d95e44d90276a298c8810f741c9":MBEDTLS_PK_RSASSA_PSS:-1:MBEDTLS_RSA_SALT_LEN_ANY:MBEDTLS_ERR_PK_BAD_INPUT_DATA +pk_rsa_verify_ext_test_vec:"54657374206d657373616765":MBEDTLS_MD_SHA256:1024:16:"00dd118a9f99bab068ca2aea3b6a6d5997ed4ec954e40deecea07da01eaae80ec2bb1340db8a128e891324a5c5f5fad8f590d7c8cacbc5fe931dafda1223735279461abaa0572b761631b3a8afe7389b088b63993a0a25ee45d21858bab9931aedd4589a631b37fcf714089f856549f359326dd1e0e86dde52ed66b4a90bda4095":16:"010001":"0d2bdb0456a3d651d5bd48a4204493898f72cf1aaddd71387cc058bc3f4c235ea6be4010fd61b28e1fbb275462b53775c04be9022d38b6a2e0387dddba86a3f8554d2858044a59fddbd594753fc056fe33c8daddb85dc70d164690b1182209ff84824e0be10e35c379f2f378bf176a9f7cb94d95e44d90276a298c8810f741c9":MBEDTLS_PK_RSASSA_PSS:-1:MBEDTLS_RSA_SALT_LEN_ANY:128:MBEDTLS_ERR_PK_BAD_INPUT_DATA Verify ext RSA #9 (PKCS1 v1.5, RSA with options) depends_on:MBEDTLS_PKCS1_V15:MBEDTLS_SHA256_C -pk_rsa_verify_ext_test_vec:"54657374206d657373616765":MBEDTLS_MD_SHA256:1024:16:"00dd118a9f99bab068ca2aea3b6a6d5997ed4ec954e40deecea07da01eaae80ec2bb1340db8a128e891324a5c5f5fad8f590d7c8cacbc5fe931dafda1223735279461abaa0572b761631b3a8afe7389b088b63993a0a25ee45d21858bab9931aedd4589a631b37fcf714089f856549f359326dd1e0e86dde52ed66b4a90bda4095":16:"010001":"0d2bdb0456a3d651d5bd48a4204493898f72cf1aaddd71387cc058bc3f4c235ea6be4010fd61b28e1fbb275462b53775c04be9022d38b6a2e0387dddba86a3f8554d2858044a59fddbd594753fc056fe33c8daddb85dc70d164690b1182209ff84824e0be10e35c379f2f378bf176a9f7cb94d95e44d90276a298c8810f741c9":MBEDTLS_PK_RSA:MBEDTLS_MD_SHA256:MBEDTLS_RSA_SALT_LEN_ANY:MBEDTLS_ERR_PK_BAD_INPUT_DATA +pk_rsa_verify_ext_test_vec:"54657374206d657373616765":MBEDTLS_MD_SHA256:1024:16:"00dd118a9f99bab068ca2aea3b6a6d5997ed4ec954e40deecea07da01eaae80ec2bb1340db8a128e891324a5c5f5fad8f590d7c8cacbc5fe931dafda1223735279461abaa0572b761631b3a8afe7389b088b63993a0a25ee45d21858bab9931aedd4589a631b37fcf714089f856549f359326dd1e0e86dde52ed66b4a90bda4095":16:"010001":"0d2bdb0456a3d651d5bd48a4204493898f72cf1aaddd71387cc058bc3f4c235ea6be4010fd61b28e1fbb275462b53775c04be9022d38b6a2e0387dddba86a3f8554d2858044a59fddbd594753fc056fe33c8daddb85dc70d164690b1182209ff84824e0be10e35c379f2f378bf176a9f7cb94d95e44d90276a298c8810f741c9":MBEDTLS_PK_RSA:MBEDTLS_MD_SHA256:MBEDTLS_RSA_SALT_LEN_ANY:128:MBEDTLS_ERR_PK_BAD_INPUT_DATA Verify ext RSA #10 (PKCS1 v1.5, RSA without options) depends_on:MBEDTLS_PKCS1_V15:MBEDTLS_SHA256_C -pk_rsa_verify_ext_test_vec:"54657374206d657373616765":MBEDTLS_MD_SHA256:1024:16:"00dd118a9f99bab068ca2aea3b6a6d5997ed4ec954e40deecea07da01eaae80ec2bb1340db8a128e891324a5c5f5fad8f590d7c8cacbc5fe931dafda1223735279461abaa0572b761631b3a8afe7389b088b63993a0a25ee45d21858bab9931aedd4589a631b37fcf714089f856549f359326dd1e0e86dde52ed66b4a90bda4095":16:"010001":"0d2bdb0456a3d651d5bd48a4204493898f72cf1aaddd71387cc058bc3f4c235ea6be4010fd61b28e1fbb275462b53775c04be9022d38b6a2e0387dddba86a3f8554d2858044a59fddbd594753fc056fe33c8daddb85dc70d164690b1182209ff84824e0be10e35c379f2f378bf176a9f7cb94d95e44d90276a298c8810f741c9":MBEDTLS_PK_RSA:-1:MBEDTLS_RSA_SALT_LEN_ANY:MBEDTLS_ERR_RSA_VERIFY_FAILED +pk_rsa_verify_ext_test_vec:"54657374206d657373616765":MBEDTLS_MD_SHA256:1024:16:"00dd118a9f99bab068ca2aea3b6a6d5997ed4ec954e40deecea07da01eaae80ec2bb1340db8a128e891324a5c5f5fad8f590d7c8cacbc5fe931dafda1223735279461abaa0572b761631b3a8afe7389b088b63993a0a25ee45d21858bab9931aedd4589a631b37fcf714089f856549f359326dd1e0e86dde52ed66b4a90bda4095":16:"010001":"0d2bdb0456a3d651d5bd48a4204493898f72cf1aaddd71387cc058bc3f4c235ea6be4010fd61b28e1fbb275462b53775c04be9022d38b6a2e0387dddba86a3f8554d2858044a59fddbd594753fc056fe33c8daddb85dc70d164690b1182209ff84824e0be10e35c379f2f378bf176a9f7cb94d95e44d90276a298c8810f741c9":MBEDTLS_PK_RSA:-1:MBEDTLS_RSA_SALT_LEN_ANY:128:MBEDTLS_ERR_RSA_VERIFY_FAILED Verify ext RSA #11 (PKCS1 v2.1, asking for ECDSA) depends_on:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C -pk_rsa_verify_ext_test_vec:"54657374206d657373616765":MBEDTLS_MD_SHA256:1024:16:"00dd118a9f99bab068ca2aea3b6a6d5997ed4ec954e40deecea07da01eaae80ec2bb1340db8a128e891324a5c5f5fad8f590d7c8cacbc5fe931dafda1223735279461abaa0572b761631b3a8afe7389b088b63993a0a25ee45d21858bab9931aedd4589a631b37fcf714089f856549f359326dd1e0e86dde52ed66b4a90bda4095":16:"010001":"0d2bdb0456a3d651d5bd48a4204493898f72cf1aaddd71387cc058bc3f4c235ea6be4010fd61b28e1fbb275462b53775c04be9022d38b6a2e0387dddba86a3f8554d2858044a59fddbd594753fc056fe33c8daddb85dc70d164690b1182209ff84824e0be10e35c379f2f378bf176a9f7cb94d95e44d90276a298c8810f741c9":MBEDTLS_PK_ECDSA:-1:MBEDTLS_RSA_SALT_LEN_ANY:MBEDTLS_ERR_PK_TYPE_MISMATCH +pk_rsa_verify_ext_test_vec:"54657374206d657373616765":MBEDTLS_MD_SHA256:1024:16:"00dd118a9f99bab068ca2aea3b6a6d5997ed4ec954e40deecea07da01eaae80ec2bb1340db8a128e891324a5c5f5fad8f590d7c8cacbc5fe931dafda1223735279461abaa0572b761631b3a8afe7389b088b63993a0a25ee45d21858bab9931aedd4589a631b37fcf714089f856549f359326dd1e0e86dde52ed66b4a90bda4095":16:"010001":"0d2bdb0456a3d651d5bd48a4204493898f72cf1aaddd71387cc058bc3f4c235ea6be4010fd61b28e1fbb275462b53775c04be9022d38b6a2e0387dddba86a3f8554d2858044a59fddbd594753fc056fe33c8daddb85dc70d164690b1182209ff84824e0be10e35c379f2f378bf176a9f7cb94d95e44d90276a298c8810f741c9":MBEDTLS_PK_ECDSA:-1:MBEDTLS_RSA_SALT_LEN_ANY:128:MBEDTLS_ERR_PK_TYPE_MISMATCH Verify ext RSA #12 (PKCS1 v1.5, good) depends_on:MBEDTLS_SHA1_C:MBEDTLS_PKCS1_V15 -pk_rsa_verify_ext_test_vec:"206ef4bf396c6087f8229ef196fd35f37ccb8de5efcdb238f20d556668f114257a11fbe038464a67830378e62ae9791453953dac1dbd7921837ba98e84e856eb80ed9487e656d0b20c28c8ba5e35db1abbed83ed1c7720a97701f709e3547a4bfcabca9c89c57ad15c3996577a0ae36d7c7b699035242f37954646c1cd5c08ac":MBEDTLS_MD_SHA1:1024:16:"e28a13548525e5f36dccb24ecb7cc332cc689dfd64012604c9c7816d72a16c3f5fcdc0e86e7c03280b1c69b586ce0cd8aec722cc73a5d3b730310bf7dfebdc77ce5d94bbc369dc18a2f7b07bd505ab0f82224aef09fdc1e5063234255e0b3c40a52e9e8ae60898eb88a766bdd788fe9493d8fd86bcdd2884d5c06216c65469e5":16:"3":"5abc01f5de25b70867ff0c24e222c61f53c88daf42586fddcd56f3c4588f074be3c328056c063388688b6385a8167957c6e5355a510e005b8a851d69c96b36ec6036644078210e5d7d326f96365ee0648882921492bc7b753eb9c26cdbab37555f210df2ca6fec1b25b463d38b81c0dcea202022b04af5da58aa03d77be949b7":MBEDTLS_PK_RSA:-1:MBEDTLS_RSA_SALT_LEN_ANY:0 +pk_rsa_verify_ext_test_vec:"206ef4bf396c6087f8229ef196fd35f37ccb8de5efcdb238f20d556668f114257a11fbe038464a67830378e62ae9791453953dac1dbd7921837ba98e84e856eb80ed9487e656d0b20c28c8ba5e35db1abbed83ed1c7720a97701f709e3547a4bfcabca9c89c57ad15c3996577a0ae36d7c7b699035242f37954646c1cd5c08ac":MBEDTLS_MD_SHA1:1024:16:"e28a13548525e5f36dccb24ecb7cc332cc689dfd64012604c9c7816d72a16c3f5fcdc0e86e7c03280b1c69b586ce0cd8aec722cc73a5d3b730310bf7dfebdc77ce5d94bbc369dc18a2f7b07bd505ab0f82224aef09fdc1e5063234255e0b3c40a52e9e8ae60898eb88a766bdd788fe9493d8fd86bcdd2884d5c06216c65469e5":16:"3":"5abc01f5de25b70867ff0c24e222c61f53c88daf42586fddcd56f3c4588f074be3c328056c063388688b6385a8167957c6e5355a510e005b8a851d69c96b36ec6036644078210e5d7d326f96365ee0648882921492bc7b753eb9c26cdbab37555f210df2ca6fec1b25b463d38b81c0dcea202022b04af5da58aa03d77be949b7":MBEDTLS_PK_RSA:-1:MBEDTLS_RSA_SALT_LEN_ANY:128:0 + +Verify ext RSA #13 (PKCS1 v2.1, salt_len = max, sig_len too long) +depends_on:MBEDTLS_PKCS1_V21:MBEDTLS_SHA256_C +pk_rsa_verify_ext_test_vec:"54657374206d657373616765":MBEDTLS_MD_SHA256:1024:16:"00dd118a9f99bab068ca2aea3b6a6d5997ed4ec954e40deecea07da01eaae80ec2bb1340db8a128e891324a5c5f5fad8f590d7c8cacbc5fe931dafda1223735279461abaa0572b761631b3a8afe7389b088b63993a0a25ee45d21858bab9931aedd4589a631b37fcf714089f856549f359326dd1e0e86dde52ed66b4a90bda4095":16:"010001":"0d2bdb0456a3d651d5bd48a4204493898f72cf1aaddd71387cc058bc3f4c235ea6be4010fd61b28e1fbb275462b53775c04be9022d38b6a2e0387dddba86a3f8554d2858044a59fddbd594753fc056fe33c8daddb85dc70d164690b1182209ff84824e0be10e35c379f2f378bf176a9f7cb94d95e44d90276a298c8810f741c9":MBEDTLS_PK_RSASSA_PSS:MBEDTLS_MD_SHA256:94:129:MBEDTLS_ERR_PK_SIG_LEN_MISMATCH Check pair #1 (EC, OK) depends_on:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function index d5c7d0867a39..29f862257e77 100644 --- a/tests/suites/test_suite_pk.function +++ b/tests/suites/test_suite_pk.function @@ -429,7 +429,8 @@ void pk_rsa_verify_ext_test_vec( data_t * message_str, int digest, int mod, int radix_N, char * input_N, int radix_E, char * input_E, data_t * result_str, int pk_type, - int mgf1_hash_id, int salt_len, int result ) + int mgf1_hash_id, int salt_len, int sig_len, + int result ) { unsigned char hash_result[MBEDTLS_MD_MAX_SIZE]; mbedtls_rsa_context *rsa; @@ -478,7 +479,7 @@ void pk_rsa_verify_ext_test_vec( data_t * message_str, int digest, TEST_ASSERT( mbedtls_pk_verify_ext( pk_type, options, &pk, digest, hash_result, hash_len, - result_str->x, mbedtls_pk_get_len( &pk ) ) == result ); + result_str->x, sig_len ) == result ); exit: mbedtls_pk_free( &pk ); From 4a953cdd9f383d87eb36fce72b07db98acafbc80 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Wed, 16 Feb 2022 06:13:35 -0500 Subject: [PATCH 5/8] pk: properly handle signatures in larger buffers when using PSA As stated in function documentation. Signed-off-by: Andrzej Kurek --- library/pk.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/library/pk.c b/library/pk.c index 855b6e15c266..1c0987a7326a 100644 --- a/library/pk.c +++ b/library/pk.c @@ -379,7 +379,7 @@ int mbedtls_pk_verify_ext( mbedtls_pk_type_t type, const void *options, /* see RSA_PUB_DER_MAX_BYTES in pkwrite.c */ unsigned char buf[ 38 + 2 * MBEDTLS_MPI_MAX_SIZE ]; unsigned char *p; - int key_len; + int key_len, signature_length; psa_algorithm_t psa_md_alg = mbedtls_psa_translate_md( md_alg ); mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; @@ -406,8 +406,15 @@ int mbedtls_pk_verify_ext( mbedtls_pk_type_t type, const void *options, return( mbedtls_psa_err_translate_pk( status ) ); } + /* This function requires returning MBEDTLS_ERR_PK_SIG_LEN_MISMATCH + * on a valid signature with trailing data in a buffer, but + * mbedtls_psa_rsa_verify_hash requires the sig_len to be exact, + * so for this reason the passed sig_len is overwritten. Smaller + * signature lengths should not be accepted for verification. */ + signature_length = sig_len > mbedtls_pk_get_len( ctx ) ? + mbedtls_pk_get_len( ctx ) : sig_len; status = psa_verify_hash( key_id, psa_sig_alg, hash, - hash_len, sig, sig_len ); + hash_len, sig, signature_length ); psa_destroy_key( key_id ); if( status == PSA_SUCCESS && sig_len > mbedtls_pk_get_len( ctx ) ) From 32048a6d9295124e6ae18f6162e5941d8018a8ba Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Wed, 16 Feb 2022 06:14:17 -0500 Subject: [PATCH 6/8] pk_verify_ext: introduce more tests for signature length mismatches Signed-off-by: Andrzej Kurek --- tests/suites/test_suite_pk.data | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/tests/suites/test_suite_pk.data b/tests/suites/test_suite_pk.data index 6b1cbcb364b1..f10774ebf9fb 100644 --- a/tests/suites/test_suite_pk.data +++ b/tests/suites/test_suite_pk.data @@ -220,6 +220,34 @@ Verify ext RSA #13 (PKCS1 v2.1, salt_len = max, sig_len too long) depends_on:MBEDTLS_PKCS1_V21:MBEDTLS_SHA256_C pk_rsa_verify_ext_test_vec:"54657374206d657373616765":MBEDTLS_MD_SHA256:1024:16:"00dd118a9f99bab068ca2aea3b6a6d5997ed4ec954e40deecea07da01eaae80ec2bb1340db8a128e891324a5c5f5fad8f590d7c8cacbc5fe931dafda1223735279461abaa0572b761631b3a8afe7389b088b63993a0a25ee45d21858bab9931aedd4589a631b37fcf714089f856549f359326dd1e0e86dde52ed66b4a90bda4095":16:"010001":"0d2bdb0456a3d651d5bd48a4204493898f72cf1aaddd71387cc058bc3f4c235ea6be4010fd61b28e1fbb275462b53775c04be9022d38b6a2e0387dddba86a3f8554d2858044a59fddbd594753fc056fe33c8daddb85dc70d164690b1182209ff84824e0be10e35c379f2f378bf176a9f7cb94d95e44d90276a298c8810f741c9":MBEDTLS_PK_RSASSA_PSS:MBEDTLS_MD_SHA256:94:129:MBEDTLS_ERR_PK_SIG_LEN_MISMATCH +Verify ext RSA #14 (PKCS1 v2.1, salt_len = ANY, sig_len too long) +depends_on:MBEDTLS_PKCS1_V21:MBEDTLS_SHA256_C +pk_rsa_verify_ext_test_vec:"54657374206d657373616765":MBEDTLS_MD_SHA256:1024:16:"00dd118a9f99bab068ca2aea3b6a6d5997ed4ec954e40deecea07da01eaae80ec2bb1340db8a128e891324a5c5f5fad8f590d7c8cacbc5fe931dafda1223735279461abaa0572b761631b3a8afe7389b088b63993a0a25ee45d21858bab9931aedd4589a631b37fcf714089f856549f359326dd1e0e86dde52ed66b4a90bda4095":16:"010001":"0d2bdb0456a3d651d5bd48a4204493898f72cf1aaddd71387cc058bc3f4c235ea6be4010fd61b28e1fbb275462b53775c04be9022d38b6a2e0387dddba86a3f8554d2858044a59fddbd594753fc056fe33c8daddb85dc70d164690b1182209ff84824e0be10e35c379f2f378bf176a9f7cb94d95e44d90276a298c8810f741c9":MBEDTLS_PK_RSASSA_PSS:MBEDTLS_MD_SHA256:MBEDTLS_RSA_SALT_LEN_ANY:129:MBEDTLS_ERR_PK_SIG_LEN_MISMATCH + +Verify ext RSA #15 (PKCS1 v2.1, salt_len = ANY, sig_len too short) +depends_on:MBEDTLS_PKCS1_V21:MBEDTLS_SHA256_C +pk_rsa_verify_ext_test_vec:"54657374206d657373616765":MBEDTLS_MD_SHA256:1024:16:"00dd118a9f99bab068ca2aea3b6a6d5997ed4ec954e40deecea07da01eaae80ec2bb1340db8a128e891324a5c5f5fad8f590d7c8cacbc5fe931dafda1223735279461abaa0572b761631b3a8afe7389b088b63993a0a25ee45d21858bab9931aedd4589a631b37fcf714089f856549f359326dd1e0e86dde52ed66b4a90bda4095":16:"010001":"0d2bdb0456a3d651d5bd48a4204493898f72cf1aaddd71387cc058bc3f4c235ea6be4010fd61b28e1fbb275462b53775c04be9022d38b6a2e0387dddba86a3f8554d2858044a59fddbd594753fc056fe33c8daddb85dc70d164690b1182209ff84824e0be10e35c379f2f378bf176a9f7cb94d95e44d90276a298c8810f741c9":MBEDTLS_PK_RSASSA_PSS:MBEDTLS_MD_SHA256:MBEDTLS_RSA_SALT_LEN_ANY:127:MBEDTLS_ERR_RSA_VERIFY_FAILED + +Verify ext RSA #16 (PKCS1 v2.1, salt_len = max, sig_len too short) +depends_on:MBEDTLS_PKCS1_V21:MBEDTLS_SHA256_C +pk_rsa_verify_ext_test_vec:"54657374206d657373616765":MBEDTLS_MD_SHA256:1024:16:"00dd118a9f99bab068ca2aea3b6a6d5997ed4ec954e40deecea07da01eaae80ec2bb1340db8a128e891324a5c5f5fad8f590d7c8cacbc5fe931dafda1223735279461abaa0572b761631b3a8afe7389b088b63993a0a25ee45d21858bab9931aedd4589a631b37fcf714089f856549f359326dd1e0e86dde52ed66b4a90bda4095":16:"010001":"0d2bdb0456a3d651d5bd48a4204493898f72cf1aaddd71387cc058bc3f4c235ea6be4010fd61b28e1fbb275462b53775c04be9022d38b6a2e0387dddba86a3f8554d2858044a59fddbd594753fc056fe33c8daddb85dc70d164690b1182209ff84824e0be10e35c379f2f378bf176a9f7cb94d95e44d90276a298c8810f741c9":MBEDTLS_PK_RSASSA_PSS:MBEDTLS_MD_SHA256:94:127:MBEDTLS_ERR_RSA_VERIFY_FAILED + +Verify ext RSA #17 (PKCS1 v2.1, salt_len = ANY, wrong message, sig_len too short) +depends_on:MBEDTLS_PKCS1_V21:MBEDTLS_SHA256_C +pk_rsa_verify_ext_test_vec:"54657374206d657373616766":MBEDTLS_MD_SHA256:1024:16:"00dd118a9f99bab068ca2aea3b6a6d5997ed4ec954e40deecea07da01eaae80ec2bb1340db8a128e891324a5c5f5fad8f590d7c8cacbc5fe931dafda1223735279461abaa0572b761631b3a8afe7389b088b63993a0a25ee45d21858bab9931aedd4589a631b37fcf714089f856549f359326dd1e0e86dde52ed66b4a90bda4095":16:"010001":"0d2bdb0456a3d651d5bd48a4204493898f72cf1aaddd71387cc058bc3f4c235ea6be4010fd61b28e1fbb275462b53775c04be9022d38b6a2e0387dddba86a3f8554d2858044a59fddbd594753fc056fe33c8daddb85dc70d164690b1182209ff84824e0be10e35c379f2f378bf176a9f7cb94d95e44d90276a298c8810f741c9":MBEDTLS_PK_RSASSA_PSS:MBEDTLS_MD_SHA256:MBEDTLS_RSA_SALT_LEN_ANY:127:MBEDTLS_ERR_RSA_VERIFY_FAILED + +Verify ext RSA #18 (PKCS1 v2.1, salt_len = max, wrong message, sig_len too short) +depends_on:MBEDTLS_PKCS1_V21:MBEDTLS_SHA256_C +pk_rsa_verify_ext_test_vec:"54657374206d657373616766":MBEDTLS_MD_SHA256:1024:16:"00dd118a9f99bab068ca2aea3b6a6d5997ed4ec954e40deecea07da01eaae80ec2bb1340db8a128e891324a5c5f5fad8f590d7c8cacbc5fe931dafda1223735279461abaa0572b761631b3a8afe7389b088b63993a0a25ee45d21858bab9931aedd4589a631b37fcf714089f856549f359326dd1e0e86dde52ed66b4a90bda4095":16:"010001":"0d2bdb0456a3d651d5bd48a4204493898f72cf1aaddd71387cc058bc3f4c235ea6be4010fd61b28e1fbb275462b53775c04be9022d38b6a2e0387dddba86a3f8554d2858044a59fddbd594753fc056fe33c8daddb85dc70d164690b1182209ff84824e0be10e35c379f2f378bf176a9f7cb94d95e44d90276a298c8810f741c9":MBEDTLS_PK_RSASSA_PSS:MBEDTLS_MD_SHA256:94:127:MBEDTLS_ERR_RSA_VERIFY_FAILED + +Verify ext RSA #19 (PKCS1 v2.1, salt_len = ANY, wrong message, sig_len too long) +depends_on:MBEDTLS_PKCS1_V21:MBEDTLS_SHA256_C +pk_rsa_verify_ext_test_vec:"54657374206d657373616766":MBEDTLS_MD_SHA256:1024:16:"00dd118a9f99bab068ca2aea3b6a6d5997ed4ec954e40deecea07da01eaae80ec2bb1340db8a128e891324a5c5f5fad8f590d7c8cacbc5fe931dafda1223735279461abaa0572b761631b3a8afe7389b088b63993a0a25ee45d21858bab9931aedd4589a631b37fcf714089f856549f359326dd1e0e86dde52ed66b4a90bda4095":16:"010001":"0d2bdb0456a3d651d5bd48a4204493898f72cf1aaddd71387cc058bc3f4c235ea6be4010fd61b28e1fbb275462b53775c04be9022d38b6a2e0387dddba86a3f8554d2858044a59fddbd594753fc056fe33c8daddb85dc70d164690b1182209ff84824e0be10e35c379f2f378bf176a9f7cb94d95e44d90276a298c8810f741c9":MBEDTLS_PK_RSASSA_PSS:MBEDTLS_MD_SHA256:MBEDTLS_RSA_SALT_LEN_ANY:129:MBEDTLS_ERR_RSA_VERIFY_FAILED + +Verify ext RSA #20 (PKCS1 v2.1, salt_len = max, wrong message, sig_len too long) +depends_on:MBEDTLS_PKCS1_V21:MBEDTLS_SHA256_C +pk_rsa_verify_ext_test_vec:"54657374206d657373616766":MBEDTLS_MD_SHA256:1024:16:"00dd118a9f99bab068ca2aea3b6a6d5997ed4ec954e40deecea07da01eaae80ec2bb1340db8a128e891324a5c5f5fad8f590d7c8cacbc5fe931dafda1223735279461abaa0572b761631b3a8afe7389b088b63993a0a25ee45d21858bab9931aedd4589a631b37fcf714089f856549f359326dd1e0e86dde52ed66b4a90bda4095":16:"010001":"0d2bdb0456a3d651d5bd48a4204493898f72cf1aaddd71387cc058bc3f4c235ea6be4010fd61b28e1fbb275462b53775c04be9022d38b6a2e0387dddba86a3f8554d2858044a59fddbd594753fc056fe33c8daddb85dc70d164690b1182209ff84824e0be10e35c379f2f378bf176a9f7cb94d95e44d90276a298c8810f741c9":MBEDTLS_PK_RSASSA_PSS:MBEDTLS_MD_SHA256:94:129:MBEDTLS_ERR_RSA_VERIFY_FAILED + Check pair #1 (EC, OK) depends_on:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED mbedtls_pk_check_pair:"data_files/ec_256_pub.pem":"data_files/ec_256_prv.pem":0 From 59550537f0bc5042d3e3247591112720b4376451 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Wed, 16 Feb 2022 07:46:42 -0500 Subject: [PATCH 7/8] Change signature_length type to size_t Signed-off-by: Andrzej Kurek --- library/pk.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/library/pk.c b/library/pk.c index 1c0987a7326a..c593af95e6f6 100644 --- a/library/pk.c +++ b/library/pk.c @@ -379,7 +379,9 @@ int mbedtls_pk_verify_ext( mbedtls_pk_type_t type, const void *options, /* see RSA_PUB_DER_MAX_BYTES in pkwrite.c */ unsigned char buf[ 38 + 2 * MBEDTLS_MPI_MAX_SIZE ]; unsigned char *p; - int key_len, signature_length; + int key_len; + size_t signature_length; + psa_algorithm_t psa_md_alg = mbedtls_psa_translate_md( md_alg ); mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; From d70fa0e32763954c7f4ca7f900907f6e9ff0247b Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Thu, 17 Feb 2022 10:51:15 -0500 Subject: [PATCH 8/8] Restructure error handling in mbedtls_pk_verify_ext Signed-off-by: Andrzej Kurek --- library/pk.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/library/pk.c b/library/pk.c index c593af95e6f6..45d1a9de78fe 100644 --- a/library/pk.c +++ b/library/pk.c @@ -371,7 +371,6 @@ int mbedtls_pk_verify_ext( mbedtls_pk_type_t type, const void *options, pss_opts = (const mbedtls_pk_rsassa_pss_options *) options; #if defined(MBEDTLS_USE_PSA_CRYPTO) - psa_status_t status; if( pss_opts->mgf1_hash_id == md_alg && ( (size_t) pss_opts->expected_salt_len == hash_len || pss_opts->expected_salt_len == MBEDTLS_RSA_SALT_LEN_ANY ) ) @@ -381,6 +380,8 @@ int mbedtls_pk_verify_ext( mbedtls_pk_type_t type, const void *options, unsigned char *p; int key_len; size_t signature_length; + psa_status_t status = PSA_ERROR_DATA_CORRUPT; + psa_status_t destruction_status = PSA_ERROR_DATA_CORRUPT; psa_algorithm_t psa_md_alg = mbedtls_psa_translate_md( md_alg ); mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT; @@ -417,14 +418,18 @@ int mbedtls_pk_verify_ext( mbedtls_pk_type_t type, const void *options, mbedtls_pk_get_len( ctx ) : sig_len; status = psa_verify_hash( key_id, psa_sig_alg, hash, hash_len, sig, signature_length ); - psa_destroy_key( key_id ); + destruction_status = psa_destroy_key( key_id ); if( status == PSA_SUCCESS && sig_len > mbedtls_pk_get_len( ctx ) ) return( MBEDTLS_ERR_PK_SIG_LEN_MISMATCH ); - return( status == PSA_ERROR_INVALID_SIGNATURE? - MBEDTLS_ERR_RSA_VERIFY_FAILED : - mbedtls_psa_err_translate_pk( status ) ); + if( status == PSA_ERROR_INVALID_SIGNATURE ) + return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); + + if( status == PSA_SUCCESS ) + status = destruction_status; + + return( mbedtls_psa_err_translate_pk( status ) ); } else #endif