[PATCH] crypto: Add RSAPSS providers
2 views
Skip to first unread message
Bastian Germann
Dec 18, 2025, 5:59:21 AM (3 days ago) Dec 18
to swup...@googlegroups.com, Bastian Germann
When enabling both RAWRSA and RSAPSS the RSA digest providers' behavior
is to calculate RSAPSS because they are not able to distinguish at
runtime which algorithm to select.
In order to achieve this, add a second provider with a different name,
which can then be used to select the PSS flavor.
Signed-off-by: Bastian Germann <ba...@debian.org>
---
crypto/swupdate_rsa_verify_mbedtls.c | 22 ++++++++++++++--------
crypto/swupdate_rsa_verify_openssl.c | 28 +++++++++++++++++-----------
2 files changed, 31 insertions(+), 19 deletions(-)
diff --git a/crypto/swupdate_rsa_verify_mbedtls.c b/crypto/swupdate_rsa_verify_mbedtls.c
index bf8a2c39..6b2f055d 100644
--- a/crypto/swupdate_rsa_verify_mbedtls.c
+++ b/crypto/swupdate_rsa_verify_mbedtls.c
@@ -19,6 +19,7 @@
#include "swupdate_mbedtls.h"
#define MODNAME "mbedtlsRSA"
+#define MODNAME_PSS "mbedtlsRSAPSS"
static swupdate_dgst_lib libs;
@@ -58,14 +59,14 @@ static int mbedtls_rsa_verify_file(void *ctx, const char *sigfile,
mbedtls_pk_type_t pk_type = MBEDTLS_PK_RSA;
uint8_t signature[256];
void *pss_options = NULL;
-#if defined(CONFIG_SIGALG_RSAPSS)
- pk_type = MBEDTLS_PK_RSASSA_PSS;
- mbedtls_pk_rsassa_pss_options options = {
- .mgf1_hash_id = MBEDTLS_MD_SHA256,
- .expected_salt_len = MBEDTLS_RSA_SALT_LEN_ANY
- };
- pss_options = &options;
-#endif
+ if (get_dgstlib() == MODNAME_PSS) {
+ pk_type = MBEDTLS_PK_RSASSA_PSS;
+ mbedtls_pk_rsassa_pss_options options = {
+ .mgf1_hash_id = MBEDTLS_MD_SHA256,
+ .expected_salt_len = MBEDTLS_RSA_SALT_LEN_ANY
+ };
+ pss_options = &options;
+ }
(void)signer_name;
@@ -125,5 +126,10 @@ static void mbedtls_rsa_dgst(void)
{
libs.dgst_init = mbedtls_rsa_dgst_init;
libs.verify_file = mbedtls_rsa_verify_file;
+#if defined(CONFIG_SIGALG_RAWRSA)
(void)register_dgstlib(MODNAME, &libs);
+#endif
+#if defined(CONFIG_SIGALG_RSAPSS)
+ (void)register_dgstlib(MODNAME_PSS, &libs);
+#endif
}
diff --git a/crypto/swupdate_rsa_verify_openssl.c b/crypto/swupdate_rsa_verify_openssl.c
index d8ad7804..8ac52d0d 100644
--- a/crypto/swupdate_rsa_verify_openssl.c
+++ b/crypto/swupdate_rsa_verify_openssl.c
@@ -19,6 +19,7 @@
#define BUFSIZE (1024 * 8)
#define MODNAME "opensslRSA"
+#define MODNAME_PSS "opensslRSAPSS"
static swupdate_dgst_lib libs;
@@ -63,18 +64,18 @@ static int dgst_verify_init(struct openssl_digest *dgst)
return -EFAULT; /* failed */
}
-#if defined(CONFIG_SIGALG_RSAPSS)
- rc = EVP_PKEY_CTX_set_rsa_padding(dgst->ckey, RSA_PKCS1_PSS_PADDING);
- if (rc <= 0) {
- ERROR("EVP_PKEY_CTX_set_rsa_padding failed, error 0x%lx", ERR_get_error());
- return -EFAULT; /* failed */
- }
- rc = EVP_PKEY_CTX_set_rsa_pss_saltlen(dgst->ckey, -2);
- if (rc <= 0) {
- ERROR("EVP_PKEY_CTX_set_rsa_pss_saltlen failed, error 0x%lx", ERR_get_error());
- return -EFAULT; /* failed */
+ if (get_dgstlib() == MODNAME_PSS) {
+ rc = EVP_PKEY_CTX_set_rsa_padding(dgst->ckey, RSA_PKCS1_PSS_PADDING);
+ if (rc <= 0) {
+ ERROR("EVP_PKEY_CTX_set_rsa_padding failed, error 0x%lx", ERR_get_error());
+ return -EFAULT; /* failed */
+ }
+ rc = EVP_PKEY_CTX_set_rsa_pss_saltlen(dgst->ckey, -2);
+ if (rc <= 0) {
+ ERROR("EVP_PKEY_CTX_set_rsa_pss_saltlen failed, error 0x%lx", ERR_get_error());
+ return -EFAULT; /* failed */
+ }
}
-#endif
return 0;
}
@@ -262,5 +263,10 @@ static void openssl_dgst(void)
{
libs.dgst_init = openssl_rsa_dgst_init;
libs.verify_file = openssl_rsa_verify_file;
+#if defined(CONFIG_SIGALG_RAWRSA)
(void)register_dgstlib(MODNAME, &libs);
+#endif
+#if defined(CONFIG_SIGALG_RSAPSS)
+ (void)register_dgstlib(MODNAME_PSS, &libs);
+#endif
}
is to calculate RSAPSS because they are not able to distinguish at
runtime which algorithm to select.
In order to achieve this, add a second provider with a different name,
which can then be used to select the PSS flavor.
Signed-off-by: Bastian Germann <ba...@debian.org>
---
crypto/swupdate_rsa_verify_mbedtls.c | 22 ++++++++++++++--------
crypto/swupdate_rsa_verify_openssl.c | 28 +++++++++++++++++-----------
2 files changed, 31 insertions(+), 19 deletions(-)
diff --git a/crypto/swupdate_rsa_verify_mbedtls.c b/crypto/swupdate_rsa_verify_mbedtls.c
index bf8a2c39..6b2f055d 100644
--- a/crypto/swupdate_rsa_verify_mbedtls.c
+++ b/crypto/swupdate_rsa_verify_mbedtls.c
@@ -19,6 +19,7 @@
#include "swupdate_mbedtls.h"
#define MODNAME "mbedtlsRSA"
+#define MODNAME_PSS "mbedtlsRSAPSS"
static swupdate_dgst_lib libs;
@@ -58,14 +59,14 @@ static int mbedtls_rsa_verify_file(void *ctx, const char *sigfile,
mbedtls_pk_type_t pk_type = MBEDTLS_PK_RSA;
uint8_t signature[256];
void *pss_options = NULL;
-#if defined(CONFIG_SIGALG_RSAPSS)
- pk_type = MBEDTLS_PK_RSASSA_PSS;
- mbedtls_pk_rsassa_pss_options options = {
- .mgf1_hash_id = MBEDTLS_MD_SHA256,
- .expected_salt_len = MBEDTLS_RSA_SALT_LEN_ANY
- };
- pss_options = &options;
-#endif
+ if (get_dgstlib() == MODNAME_PSS) {
+ pk_type = MBEDTLS_PK_RSASSA_PSS;
+ mbedtls_pk_rsassa_pss_options options = {
+ .mgf1_hash_id = MBEDTLS_MD_SHA256,
+ .expected_salt_len = MBEDTLS_RSA_SALT_LEN_ANY
+ };
+ pss_options = &options;
+ }
(void)signer_name;
@@ -125,5 +126,10 @@ static void mbedtls_rsa_dgst(void)
{
libs.dgst_init = mbedtls_rsa_dgst_init;
libs.verify_file = mbedtls_rsa_verify_file;
+#if defined(CONFIG_SIGALG_RAWRSA)
(void)register_dgstlib(MODNAME, &libs);
+#endif
+#if defined(CONFIG_SIGALG_RSAPSS)
+ (void)register_dgstlib(MODNAME_PSS, &libs);
+#endif
}
diff --git a/crypto/swupdate_rsa_verify_openssl.c b/crypto/swupdate_rsa_verify_openssl.c
index d8ad7804..8ac52d0d 100644
--- a/crypto/swupdate_rsa_verify_openssl.c
+++ b/crypto/swupdate_rsa_verify_openssl.c
@@ -19,6 +19,7 @@
#define BUFSIZE (1024 * 8)
#define MODNAME "opensslRSA"
+#define MODNAME_PSS "opensslRSAPSS"
static swupdate_dgst_lib libs;
@@ -63,18 +64,18 @@ static int dgst_verify_init(struct openssl_digest *dgst)
return -EFAULT; /* failed */
}
-#if defined(CONFIG_SIGALG_RSAPSS)
- rc = EVP_PKEY_CTX_set_rsa_padding(dgst->ckey, RSA_PKCS1_PSS_PADDING);
- if (rc <= 0) {
- ERROR("EVP_PKEY_CTX_set_rsa_padding failed, error 0x%lx", ERR_get_error());
- return -EFAULT; /* failed */
- }
- rc = EVP_PKEY_CTX_set_rsa_pss_saltlen(dgst->ckey, -2);
- if (rc <= 0) {
- ERROR("EVP_PKEY_CTX_set_rsa_pss_saltlen failed, error 0x%lx", ERR_get_error());
- return -EFAULT; /* failed */
+ if (get_dgstlib() == MODNAME_PSS) {
+ rc = EVP_PKEY_CTX_set_rsa_padding(dgst->ckey, RSA_PKCS1_PSS_PADDING);
+ if (rc <= 0) {
+ ERROR("EVP_PKEY_CTX_set_rsa_padding failed, error 0x%lx", ERR_get_error());
+ return -EFAULT; /* failed */
+ }
+ rc = EVP_PKEY_CTX_set_rsa_pss_saltlen(dgst->ckey, -2);
+ if (rc <= 0) {
+ ERROR("EVP_PKEY_CTX_set_rsa_pss_saltlen failed, error 0x%lx", ERR_get_error());
+ return -EFAULT; /* failed */
+ }
}
-#endif
return 0;
}
@@ -262,5 +263,10 @@ static void openssl_dgst(void)
{
libs.dgst_init = openssl_rsa_dgst_init;
libs.verify_file = openssl_rsa_verify_file;
+#if defined(CONFIG_SIGALG_RAWRSA)
(void)register_dgstlib(MODNAME, &libs);
+#endif
+#if defined(CONFIG_SIGALG_RSAPSS)
+ (void)register_dgstlib(MODNAME_PSS, &libs);
+#endif
}
Reply all
Reply to author
Forward
0 new messages