pk: properly handle signatures in larger buffers when using PSA
As stated in function documentation.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
diff --git a/library/pk.c b/library/pk.c
index 855b6e1..1c0987a 100644
--- a/library/pk.c
+++ b/library/pk.c
@@ -379,7 +379,7 @@
/* see RSA_PUB_DER_MAX_BYTES in pkwrite.c */
unsigned char buf[ 38 + 2 * MBEDTLS_MPI_MAX_SIZE ];
unsigned char *p;
- int key_len;
+ int key_len, signature_length;
psa_algorithm_t psa_md_alg = mbedtls_psa_translate_md( md_alg );
mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
@@ -406,8 +406,15 @@
return( mbedtls_psa_err_translate_pk( status ) );
}
+ /* This function requires returning MBEDTLS_ERR_PK_SIG_LEN_MISMATCH
+ * on a valid signature with trailing data in a buffer, but
+ * mbedtls_psa_rsa_verify_hash requires the sig_len to be exact,
+ * so for this reason the passed sig_len is overwritten. Smaller
+ * signature lengths should not be accepted for verification. */
+ signature_length = sig_len > mbedtls_pk_get_len( ctx ) ?
+ mbedtls_pk_get_len( ctx ) : sig_len;
status = psa_verify_hash( key_id, psa_sig_alg, hash,
- hash_len, sig, sig_len );
+ hash_len, sig, signature_length );
psa_destroy_key( key_id );
if( status == PSA_SUCCESS && sig_len > mbedtls_pk_get_len( ctx ) )