diff --git a/include/mbedtls/x509_crl.h b/include/mbedtls/x509_crl.h
index e08767e925..e59d16502d 100644
--- a/include/mbedtls/x509_crl.h
+++ b/include/mbedtls/x509_crl.h
@@ -83,7 +83,6 @@ typedef struct mbedtls_x509_crl {
 mbedtls_x509_buf MBEDTLS_PRIVATE(sig);
 mbedtls_md_type_t MBEDTLS_PRIVATE(sig_md); /**< Internal representation of the MD algorithm of the signature algorithm, e.g. MBEDTLS_MD_SHA256 */
 mbedtls_pk_type_t MBEDTLS_PRIVATE(sig_pk); /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. MBEDTLS_PK_RSA */
- void *MBEDTLS_PRIVATE(sig_opts); /**< Signature options to be passed to mbedtls_pk_verify_ext(), e.g. for RSASSA-PSS */
 /** Next element in the linked list of CRL.
 * \p NULL indicates the end of the list.
diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h
index 9817d35a7d..8a220cd414 100644
--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h
@@ -82,7 +82,6 @@ typedef struct mbedtls_x509_crt {
 mbedtls_x509_buf MBEDTLS_PRIVATE(sig); /**< Signature: hash of the tbs part signed with the private key. */
 mbedtls_md_type_t MBEDTLS_PRIVATE(sig_md); /**< Internal representation of the MD algorithm of the signature algorithm, e.g. MBEDTLS_MD_SHA256 */
 mbedtls_pk_type_t MBEDTLS_PRIVATE(sig_pk); /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. MBEDTLS_PK_RSA */
- void *MBEDTLS_PRIVATE(sig_opts); /**< Signature options to be passed to mbedtls_pk_verify_ext(), e.g. for RSASSA-PSS */
 /** Next certificate in the linked list that constitutes the CA chain.
 * \p NULL indicates the end of the list.
diff --git a/include/mbedtls/x509_csr.h b/include/mbedtls/x509_csr.h
index f9eb04d333..bed1c953e5 100644
--- a/include/mbedtls/x509_csr.h
+++ b/include/mbedtls/x509_csr.h
@@ -56,7 +56,6 @@ typedef struct mbedtls_x509_csr {
 mbedtls_x509_buf MBEDTLS_PRIVATE(sig);
 mbedtls_md_type_t MBEDTLS_PRIVATE(sig_md); /**< Internal representation of the MD algorithm of the signature algorithm, e.g. MBEDTLS_MD_SHA256 */
 mbedtls_pk_type_t MBEDTLS_PRIVATE(sig_pk); /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. MBEDTLS_PK_RSA */
- void *MBEDTLS_PRIVATE(sig_opts); /**< Signature options to be passed to mbedtls_pk_verify_ext(), e.g. for RSASSA-PSS */
 } mbedtls_x509_csr;
diff --git a/library/x509.c b/library/x509.c
index 0571687daa..8ca7dde624 100644
--- a/library/x509.c
+++ b/library/x509.c
@@ -715,38 +715,30 @@ int mbedtls_x509_get_sig(unsigned char **p, const unsigned char *end, mbedtls_x5
 * Get signature algorithm from alg OID and optional parameters
 */
 int mbedtls_x509_get_sig_alg(const mbedtls_x509_buf *sig_oid, const mbedtls_x509_buf *sig_params,
- mbedtls_md_type_t *md_alg, mbedtls_pk_type_t *pk_alg,
- void **sig_opts)
+ mbedtls_md_type_t *md_alg, mbedtls_pk_type_t *pk_alg)
 {
 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- if (*sig_opts != NULL) {
- return MBEDTLS_ERR_X509_BAD_INPUT_DATA;
- }
-
 if ((ret = mbedtls_oid_get_sig_alg(sig_oid, md_alg, pk_alg)) != 0) {
 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG, ret);
 }
 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
 if (*pk_alg == MBEDTLS_PK_RSASSA_PSS) {
- mbedtls_pk_rsassa_pss_options *pss_opts;
-
- pss_opts = mbedtls_calloc(1, sizeof(mbedtls_pk_rsassa_pss_options));
- if (pss_opts == NULL) {
- return MBEDTLS_ERR_X509_ALLOC_FAILED;
- }
+ mbedtls_md_type_t mgf1_hash_id;
+ int expected_salt_len;
 ret = mbedtls_x509_get_rsassa_pss_params(sig_params, md_alg,
- &pss_opts->mgf1_hash_id,
- &pss_opts->expected_salt_len);
+ &mgf1_hash_id,
+ &expected_salt_len);
 if (ret != 0) {
- mbedtls_free(pss_opts);
 return ret;
 }
-
- *sig_opts = (void *) pss_opts;
+ /* Ensure MGF1 hash alg is the same as the one used to hash the message. */
+ if (mgf1_hash_id != *md_alg) {
+ return MBEDTLS_ERR_X509_INVALID_ALG;
+ }
 } else
 #endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
 {
diff --git a/library/x509_crl.c b/library/x509_crl.c
index bc4fdbb884..81af93b6a9 100644
--- a/library/x509_crl.c
+++ b/library/x509_crl.c
@@ -389,8 +389,7 @@ int mbedtls_x509_crl_parse_der(mbedtls_x509_crl *chain,
 crl->version++;
 if ((ret = mbedtls_x509_get_sig_alg(&crl->sig_oid, &sig_params1,
- &crl->sig_md, &crl->sig_pk,
- &crl->sig_opts)) != 0) {
+ &crl->sig_md, &crl->sig_pk)) != 0) {
 mbedtls_x509_crl_free(crl);
 return MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG;
 }
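Review bot: In the RSASSA-PSS branch of `mbedtls_x509_get_sig_alg()`, `expected_salt_len` is filled in by `mbedtls_x509_get_rsassa_pss_params()` and then dropped, so the salt length declared in the signature parameters is no longer kept for the verification step; the removed `sig_opts` field was documented as carrying these options to `mbedtls_pk_verify_ext()`. If not enforcing the declared salt length is the intended policy, record it at the declaration, e.g. `int expected_salt_len; /* parsed for validation only; the declared salt length is not kept */`. The function's header comment should also state the new rule that a PSS signature whose MGF1 hash differs from the message hash is rejected with `MBEDTLS_ERR_X509_INVALID_ALG`, since objects that previously parsed with distinct hashes will now fail here. The function body continues past the end of the hunk.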
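Review bot: In `mbedtls_x509_crl_parse_der()`, the context line `return MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG;` after this call replaces whatever `mbedtls_x509_get_sig_alg()` returned, so the `MBEDTLS_ERR_X509_INVALID_ALG` result introduced in library/x509.c is reported as an unknown algorithm for CRLs. The same mapping appears after the call in `mbedtls_x509_csr_parse_der_internal()` in library/x509_csr.c, while `x509_crt_parse_der_core()` returns `ret` unchanged. If callers should be able to tell the MGF1 mismatch apart, use `return ret;` here as the certificate path does; otherwise a comment such as `/* all signature-algorithm failures are reported as UNKNOWN_SIG_ALG */` would record that the mapping is deliberate. The enclosing function starts and ends outside the hunk.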
@@ -676,10 +675,6 @@ void mbedtls_x509_crl_free(mbedtls_x509_crl *crl)
 mbedtls_x509_crl_entry *entry_prv;
 while (crl_cur != NULL) {
-#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
- mbedtls_free(crl_cur->sig_opts);
-#endif
-
 mbedtls_asn1_free_named_data_list_shallow(crl_cur->issuer.next);
 entry_cur = crl_cur->entry.next;
diff --git a/library/x509_crt.c b/library/x509_crt.c
index 5d26ebbbc1..47907f2f89 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -1163,8 +1163,7 @@ static int x509_crt_parse_der_core(mbedtls_x509_crt *crt,
 crt->version++;
 if ((ret = mbedtls_x509_get_sig_alg(&crt->sig_oid, &sig_params1,
- &crt->sig_md, &crt->sig_pk,
- &crt->sig_opts)) != 0) {
+ &crt->sig_md, &crt->sig_pk)) != 0) {
 mbedtls_x509_crt_free(crt);
 return ret;
 }
@@ -3203,10 +3202,6 @@ void mbedtls_x509_crt_free(mbedtls_x509_crt *crt)
 while (cert_cur != NULL) {
 mbedtls_pk_free(&cert_cur->pk);
-#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
- mbedtls_free(cert_cur->sig_opts);
-#endif
-
 mbedtls_asn1_free_named_data_list_shallow(cert_cur->issuer.next);
 mbedtls_asn1_free_named_data_list_shallow(cert_cur->subject.next);
 mbedtls_asn1_sequence_free(cert_cur->ext_key_usage.next);
diff --git a/library/x509_csr.c b/library/x509_csr.c
index 8e5fdb6813..c4a12845dc 100644
--- a/library/x509_csr.c
+++ b/library/x509_csr.c
@@ -407,8 +407,7 @@ static int mbedtls_x509_csr_parse_der_internal(mbedtls_x509_csr *csr,
 }
 if ((ret = mbedtls_x509_get_sig_alg(&csr->sig_oid, &sig_params,
- &csr->sig_md, &csr->sig_pk,
- &csr->sig_opts)) != 0) {
+ &csr->sig_md, &csr->sig_pk)) != 0) {
 mbedtls_x509_csr_free(csr);
 return MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG;
 }
@@ -621,10 +620,6 @@ void mbedtls_x509_csr_free(mbedtls_x509_csr *csr)
 mbedtls_pk_free(&csr->pk);
-#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
- mbedtls_free(csr->sig_opts);
-#endif
-
 mbedtls_asn1_free_named_data_list_shallow(csr->subject.next);
 mbedtls_asn1_sequence_free(csr->subject_alt_names.next);
diff --git a/library/x509_internal.h b/library/x509_internal.h
index 36cbc6518c..dc56bf6942 100644
--- a/library/x509_internal.h
+++ b/library/x509_internal.h
@@ -35,8 +35,7 @@ int mbedtls_x509_get_rsassa_pss_params(const mbedtls_x509_buf *params,
 #endif
 int mbedtls_x509_get_sig(unsigned char **p, const unsigned char *end, mbedtls_x509_buf *sig);
 int mbedtls_x509_get_sig_alg(const mbedtls_x509_buf *sig_oid, const mbedtls_x509_buf *sig_params,
- mbedtls_md_type_t *md_alg, mbedtls_pk_type_t *pk_alg,
- void **sig_opts);
+ mbedtls_md_type_t *md_alg, mbedtls_pk_type_t *pk_alg);
 int mbedtls_x509_get_time(unsigned char **p, const unsigned char *end, mbedtls_x509_time *t);
 int mbedtls_x509_get_serial(unsigned char **p, const unsigned char *end,