library: x509: simplify RSA-PSS management
- Do not store RSA-PSS signature options in CRL/CRT/CSR structures;
- During the parsing phase, just ensure that the MGF1 hash algorithm is the
same as the one used to hash the message.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
diff --git a/library/x509.c b/library/x509.c
index 0571687..8ca7dde 100644
--- a/library/x509.c
+++ b/library/x509.c
@@ -715,38 +715,30 @@
* Get signature algorithm from alg OID and optional parameters
*/
int mbedtls_x509_get_sig_alg(const mbedtls_x509_buf *sig_oid, const mbedtls_x509_buf *sig_params,
- mbedtls_md_type_t *md_alg, mbedtls_pk_type_t *pk_alg,
- void **sig_opts)
+ mbedtls_md_type_t *md_alg, mbedtls_pk_type_t *pk_alg)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- if (*sig_opts != NULL) {
- return MBEDTLS_ERR_X509_BAD_INPUT_DATA;
- }
-
if ((ret = mbedtls_oid_get_sig_alg(sig_oid, md_alg, pk_alg)) != 0) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG, ret);
}
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
if (*pk_alg == MBEDTLS_PK_RSASSA_PSS) {
- mbedtls_pk_rsassa_pss_options *pss_opts;
-
- pss_opts = mbedtls_calloc(1, sizeof(mbedtls_pk_rsassa_pss_options));
- if (pss_opts == NULL) {
- return MBEDTLS_ERR_X509_ALLOC_FAILED;
- }
+ mbedtls_md_type_t mgf1_hash_id;
+ int expected_salt_len;
ret = mbedtls_x509_get_rsassa_pss_params(sig_params,
md_alg,
- &pss_opts->mgf1_hash_id,
- &pss_opts->expected_salt_len);
+ &mgf1_hash_id,
+ &expected_salt_len);
if (ret != 0) {
- mbedtls_free(pss_opts);
return ret;
}
-
- *sig_opts = (void *) pss_opts;
+ /* Ensure MGF1 hash alg is the same as the one used to hash the message. */
+ if (mgf1_hash_id != *md_alg) {
+ return MBEDTLS_ERR_X509_INVALID_ALG;
+ }
} else
#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
{