[development] Restrict MBEDTLS_X509_RSASSA_PSS_SUPPORT

include/mbedtls/x509_crl.h

@@ -83,7 +83,6 @@ typedef struct mbedtls_x509_crl {
     mbedtls_x509_buf MBEDTLS_PRIVATE(sig);
     mbedtls_md_type_t MBEDTLS_PRIVATE(sig_md);           /**< Internal representation of the MD algorithm of the signature algorithm, e.g. MBEDTLS_MD_SHA256 */
     mbedtls_pk_type_t MBEDTLS_PRIVATE(sig_pk);           /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. MBEDTLS_PK_RSA */
-    void *MBEDTLS_PRIVATE(sig_opts);             /**< Signature options to be passed to mbedtls_pk_verify_ext(), e.g. for RSASSA-PSS */
 
     /** Next element in the linked list of CRL.
      * \p NULL indicates the end of the list.

include/mbedtls/x509_crt.h

@@ -82,7 +82,6 @@ typedef struct mbedtls_x509_crt {
     mbedtls_x509_buf MBEDTLS_PRIVATE(sig);               /**< Signature: hash of the tbs part signed with the private key. */
     mbedtls_md_type_t MBEDTLS_PRIVATE(sig_md);           /**< Internal representation of the MD algorithm of the signature algorithm, e.g. MBEDTLS_MD_SHA256 */
     mbedtls_pk_type_t MBEDTLS_PRIVATE(sig_pk);           /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. MBEDTLS_PK_RSA */
-    void *MBEDTLS_PRIVATE(sig_opts);             /**< Signature options to be passed to mbedtls_pk_verify_ext(), e.g. for RSASSA-PSS */
 
     /** Next certificate in the linked list that constitutes the CA chain.
      * \p NULL indicates the end of the list.

include/mbedtls/x509_csr.h

@@ -56,7 +56,6 @@ typedef struct mbedtls_x509_csr {
     mbedtls_x509_buf MBEDTLS_PRIVATE(sig);
     mbedtls_md_type_t MBEDTLS_PRIVATE(sig_md);       /**< Internal representation of the MD algorithm of the signature algorithm, e.g. MBEDTLS_MD_SHA256 */
     mbedtls_pk_type_t MBEDTLS_PRIVATE(sig_pk);       /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. MBEDTLS_PK_RSA */
-    void *MBEDTLS_PRIVATE(sig_opts);         /**< Signature options to be passed to mbedtls_pk_verify_ext(), e.g. for RSASSA-PSS */
 }
 mbedtls_x509_csr;
 

library/ssl_tls12_client.c

@@ -2100,15 +2100,7 @@ static int ssl_parse_server_key_exchange(mbedtls_ssl_context *ssl)
 
 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
         if (pk_alg == MBEDTLS_PK_RSASSA_PSS) {
-            mbedtls_pk_rsassa_pss_options rsassa_pss_options;
-            rsassa_pss_options.mgf1_hash_id = md_alg;
-            rsassa_pss_options.expected_salt_len =
-                mbedtls_md_get_size_from_type(md_alg);
-            if (rsassa_pss_options.expected_salt_len == 0) {
-                return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
-            }
-
-            ret = mbedtls_pk_verify_ext(pk_alg, &rsassa_pss_options,
+            ret = mbedtls_pk_verify_ext(pk_alg, NULL,
                                         peer_pk,
                                         md_alg, hash, hashlen,
                                         p, sig_len);

library/ssl_tls13_generic.c

@@ -227,11 +227,6 @@ static int ssl_tls13_parse_certificate_verify(mbedtls_ssl_context *ssl,
     unsigned char verify_hash[PSA_HASH_MAX_SIZE];
     size_t verify_hash_len;
 
-    void const *options = NULL;
-#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
-    mbedtls_pk_rsassa_pss_options rsassa_pss_options;
-#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
-
     /*
      * struct {
      *     SignatureScheme algorithm;
@@ -304,16 +299,8 @@ static int ssl_tls13_parse_certificate_verify(mbedtls_ssl_context *ssl,
     }
 
     MBEDTLS_SSL_DEBUG_BUF(3, "verify hash", verify_hash, verify_hash_len);
-#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
-    if (sig_alg == MBEDTLS_PK_RSASSA_PSS) {
-        rsassa_pss_options.mgf1_hash_id = md_alg;
-
-        rsassa_pss_options.expected_salt_len = PSA_HASH_LENGTH(hash_alg);
-        options = (const void *) &rsassa_pss_options;
-    }
-#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
 
-    if ((ret = mbedtls_pk_verify_ext(sig_alg, options,
+    if ((ret = mbedtls_pk_verify_ext(sig_alg, NULL,
                                      &ssl->session_negotiate->peer_cert->pk,
                                      md_alg, verify_hash, verify_hash_len,
                                      p, signature_len)) == 0) {

library/x509.c

@@ -715,38 +715,30 @@ int mbedtls_x509_get_sig(unsigned char **p, const unsigned char *end, mbedtls_x5
  * Get signature algorithm from alg OID and optional parameters
  */
 int mbedtls_x509_get_sig_alg(const mbedtls_x509_buf *sig_oid, const mbedtls_x509_buf *sig_params,
-                             mbedtls_md_type_t *md_alg, mbedtls_pk_type_t *pk_alg,
-                             void **sig_opts)
+                             mbedtls_md_type_t *md_alg, mbedtls_pk_type_t *pk_alg)
 {
     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
 
-    if (*sig_opts != NULL) {
-        return MBEDTLS_ERR_X509_BAD_INPUT_DATA;
-    }
-
     if ((ret = mbedtls_oid_get_sig_alg(sig_oid, md_alg, pk_alg)) != 0) {
         return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG, ret);
     }
 
 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
     if (*pk_alg == MBEDTLS_PK_RSASSA_PSS) {
-        mbedtls_pk_rsassa_pss_options *pss_opts;
-
-        pss_opts = mbedtls_calloc(1, sizeof(mbedtls_pk_rsassa_pss_options));
-        if (pss_opts == NULL) {
-            return MBEDTLS_ERR_X509_ALLOC_FAILED;
-        }
+        mbedtls_md_type_t mgf1_hash_id;
+        int expected_salt_len;
 
         ret = mbedtls_x509_get_rsassa_pss_params(sig_params,
                                                  md_alg,
-                                                 &pss_opts->mgf1_hash_id,
-                                                 &pss_opts->expected_salt_len);
+                                                 &mgf1_hash_id,
+                                                 &expected_salt_len);
         if (ret != 0) {
-            mbedtls_free(pss_opts);
             return ret;
         }
-
-        *sig_opts = (void *) pss_opts;
+        /* Ensure MGF1 hash alg is the same as the one used to hash the message. */
+        if (mgf1_hash_id != *md_alg) {
+            return MBEDTLS_ERR_X509_INVALID_ALG;
+        }
     } else
 #endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
     {
@@ -1045,8 +1037,7 @@ int mbedtls_x509_serial_gets(char *buf, size_t size, const mbedtls_x509_buf *ser
  * Helper for writing signature algorithms
  */
 int mbedtls_x509_sig_alg_gets(char *buf, size_t size, const mbedtls_x509_buf *sig_oid,
-                              mbedtls_pk_type_t pk_alg, mbedtls_md_type_t md_alg,
-                              const void *sig_opts)
+                              mbedtls_pk_type_t pk_alg, mbedtls_md_type_t md_alg)
 {
     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     char *p = buf;
@@ -1063,23 +1054,17 @@ int mbedtls_x509_sig_alg_gets(char *buf, size_t size, const mbedtls_x509_buf *si
 
 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
     if (pk_alg == MBEDTLS_PK_RSASSA_PSS) {
-        const mbedtls_pk_rsassa_pss_options *pss_opts;
-
-        pss_opts = (const mbedtls_pk_rsassa_pss_options *) sig_opts;
-
         const char *name = md_type_to_string(md_alg);
-        const char *mgf_name = md_type_to_string(pss_opts->mgf1_hash_id);
-
-        ret = mbedtls_snprintf(p, n, " (%s, MGF1-%s, 0x%02X)",
-                               name ? name : "???",
-                               mgf_name ? mgf_name : "???",
-                               (unsigned int) pss_opts->expected_salt_len);
+        if (name != NULL) {
+            ret = mbedtls_snprintf(p, n, " (%s)", name);
+        } else {
+            ret = mbedtls_snprintf(p, n, " (?)");
+        }
         MBEDTLS_X509_SAFE_SNPRINTF;
     }
 #else
     ((void) pk_alg);
     ((void) md_alg);
-    ((void) sig_opts);
 #endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
 
     return (int) (size - n);

library/x509_crl.c

@@ -389,8 +389,7 @@ int mbedtls_x509_crl_parse_der(mbedtls_x509_crl *chain,
     crl->version++;
 
     if ((ret = mbedtls_x509_get_sig_alg(&crl->sig_oid, &sig_params1,
-                                        &crl->sig_md, &crl->sig_pk,
-                                        &crl->sig_opts)) != 0) {
+                                        &crl->sig_md, &crl->sig_pk)) != 0) {
         mbedtls_x509_crl_free(crl);
         return MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG;
     }
@@ -646,8 +645,7 @@ int mbedtls_x509_crl_info(char *buf, size_t size, const char *prefix,
     ret = mbedtls_snprintf(p, n, "\n%ssigned using  : ", prefix);
     MBEDTLS_X509_SAFE_SNPRINTF;
 
-    ret = mbedtls_x509_sig_alg_gets(p, n, &crl->sig_oid, crl->sig_pk, crl->sig_md,
-                                    crl->sig_opts);
+    ret = mbedtls_x509_sig_alg_gets(p, n, &crl->sig_oid, crl->sig_pk, crl->sig_md);
     MBEDTLS_X509_SAFE_SNPRINTF;
 
     ret = mbedtls_snprintf(p, n, "\n");
@@ -676,10 +674,6 @@ void mbedtls_x509_crl_free(mbedtls_x509_crl *crl)
     mbedtls_x509_crl_entry *entry_prv;
 
     while (crl_cur != NULL) {
-#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
-        mbedtls_free(crl_cur->sig_opts);
-#endif
-
         mbedtls_asn1_free_named_data_list_shallow(crl_cur->issuer.next);
 
         entry_cur = crl_cur->entry.next;

library/x509_crt.c

@@ -1163,8 +1163,7 @@ static int x509_crt_parse_der_core(mbedtls_x509_crt *crt,
     crt->version++;
 
     if ((ret = mbedtls_x509_get_sig_alg(&crt->sig_oid, &sig_params1,
-                                        &crt->sig_md, &crt->sig_pk,
-                                        &crt->sig_opts)) != 0) {
+                                        &crt->sig_md, &crt->sig_pk)) != 0) {
         mbedtls_x509_crt_free(crt);
         return ret;
     }
@@ -1800,8 +1799,7 @@ int mbedtls_x509_crt_info(char *buf, size_t size, const char *prefix,
     ret = mbedtls_snprintf(p, n, "\n%ssigned using      : ", prefix);
     MBEDTLS_X509_SAFE_SNPRINTF;
 
-    ret = mbedtls_x509_sig_alg_gets(p, n, &crt->sig_oid, crt->sig_pk,
-                                    crt->sig_md, crt->sig_opts);
+    ret = mbedtls_x509_sig_alg_gets(p, n, &crt->sig_oid, crt->sig_pk, crt->sig_md);
     MBEDTLS_X509_SAFE_SNPRINTF;
 
     /* Key size */
@@ -2061,7 +2059,7 @@ static int x509_crt_verifycrl(mbedtls_x509_crt *crt, mbedtls_x509_crt *ca,
             flags |= MBEDTLS_X509_BADCERT_BAD_KEY;
         }
 
-        if (mbedtls_pk_verify_ext(crl_list->sig_pk, crl_list->sig_opts, &ca->pk,
+        if (mbedtls_pk_verify_ext(crl_list->sig_pk, NULL, &ca->pk,
                                   crl_list->sig_md, hash, hash_length,
                                   crl_list->sig.p, crl_list->sig.len) != 0) {
             flags |= MBEDTLS_X509_BADCRL_NOT_TRUSTED;
@@ -2135,7 +2133,7 @@ static int x509_crt_check_signature(const mbedtls_x509_crt *child,
     (void) rs_ctx;
 #endif
 
-    return mbedtls_pk_verify_ext(child->sig_pk, child->sig_opts, &parent->pk,
+    return mbedtls_pk_verify_ext(child->sig_pk, NULL, &parent->pk,
                                  child->sig_md, hash, hash_len,
                                  child->sig.p, child->sig.len);
 }
@@ -3203,10 +3201,6 @@ void mbedtls_x509_crt_free(mbedtls_x509_crt *crt)
     while (cert_cur != NULL) {
         mbedtls_pk_free(&cert_cur->pk);
 
-#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
-        mbedtls_free(cert_cur->sig_opts);
-#endif
-
         mbedtls_asn1_free_named_data_list_shallow(cert_cur->issuer.next);
         mbedtls_asn1_free_named_data_list_shallow(cert_cur->subject.next);
         mbedtls_asn1_sequence_free(cert_cur->ext_key_usage.next);

library/x509_csr.c

@@ -407,8 +407,7 @@ static int mbedtls_x509_csr_parse_der_internal(mbedtls_x509_csr *csr,
     }
 
     if ((ret = mbedtls_x509_get_sig_alg(&csr->sig_oid, &sig_params,
-                                        &csr->sig_md, &csr->sig_pk,
-                                        &csr->sig_opts)) != 0) {
+                                        &csr->sig_md, &csr->sig_pk)) != 0) {
         mbedtls_x509_csr_free(csr);
         return MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG;
     }
@@ -547,8 +546,7 @@ int mbedtls_x509_csr_info(char *buf, size_t size, const char *prefix,
     ret = mbedtls_snprintf(p, n, "\n%ssigned using  : ", prefix);
     MBEDTLS_X509_SAFE_SNPRINTF;
 
-    ret = mbedtls_x509_sig_alg_gets(p, n, &csr->sig_oid, csr->sig_pk, csr->sig_md,
-                                    csr->sig_opts);
+    ret = mbedtls_x509_sig_alg_gets(p, n, &csr->sig_oid, csr->sig_pk, csr->sig_md);
     MBEDTLS_X509_SAFE_SNPRINTF;
 
     if ((ret = mbedtls_x509_key_size_helper(key_size_str, MBEDTLS_BEFORE_COLON,
@@ -621,10 +619,6 @@ void mbedtls_x509_csr_free(mbedtls_x509_csr *csr)
 
     mbedtls_pk_free(&csr->pk);
 
-#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
-    mbedtls_free(csr->sig_opts);
-#endif
-
     mbedtls_asn1_free_named_data_list_shallow(csr->subject.next);
     mbedtls_asn1_sequence_free(csr->subject_alt_names.next);
 

library/x509_internal.h

@@ -35,8 +35,7 @@ int mbedtls_x509_get_rsassa_pss_params(const mbedtls_x509_buf *params,
 #endif
 int mbedtls_x509_get_sig(unsigned char **p, const unsigned char *end, mbedtls_x509_buf *sig);
 int mbedtls_x509_get_sig_alg(const mbedtls_x509_buf *sig_oid, const mbedtls_x509_buf *sig_params,
-                             mbedtls_md_type_t *md_alg, mbedtls_pk_type_t *pk_alg,
-                             void **sig_opts);
+                             mbedtls_md_type_t *md_alg, mbedtls_pk_type_t *pk_alg);
 int mbedtls_x509_get_time(unsigned char **p, const unsigned char *end,
                           mbedtls_x509_time *t);
 int mbedtls_x509_get_serial(unsigned char **p, const unsigned char *end,
@@ -45,8 +44,7 @@ int mbedtls_x509_get_ext(unsigned char **p, const unsigned char *end,
                          mbedtls_x509_buf *ext, int tag);
 #if !defined(MBEDTLS_X509_REMOVE_INFO)
 int mbedtls_x509_sig_alg_gets(char *buf, size_t size, const mbedtls_x509_buf *sig_oid,
-                              mbedtls_pk_type_t pk_alg, mbedtls_md_type_t md_alg,
-                              const void *sig_opts);
+                              mbedtls_pk_type_t pk_alg, mbedtls_md_type_t md_alg);
 #endif
 int mbedtls_x509_key_size_helper(char *buf, size_t buf_size, const char *name);
 int mbedtls_x509_set_extension(mbedtls_asn1_named_data **head, const char *oid, size_t oid_len,