From 7f6f4e690727f6f9c69422ff26dc4f2d283165b0 Mon Sep 17 00:00:00 2001
From: Valerio Setti
Date: Wed, 23 Apr 2025 11:29:51 +0200
Subject: [PATCH] library: pass NULL options parameter to mbedtls_pk_verify_ext()
Signed-off-by: Valerio Setti
---
 library/ssl_tls12_client.c | 10 +---------
 library/ssl_tls13_generic.c | 15 +--------------
 library/x509_crt.c | 4 ++--
 tests/suites/test_suite_x509write.function | 2 +-
 4 files changed, 5 insertions(+), 26 deletions(-)
diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c
index df7dfbfa61..114c32aea1 100644
--- a/library/ssl_tls12_client.c
+++ b/library/ssl_tls12_client.c
@@ -2100,15 +2100,7 @@ start_processing:
 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
 if (pk_alg == MBEDTLS_PK_RSASSA_PSS) {
- mbedtls_pk_rsassa_pss_options rsassa_pss_options;
- rsassa_pss_options.mgf1_hash_id = md_alg;
- rsassa_pss_options.expected_salt_len =
- mbedtls_md_get_size_from_type(md_alg);
- if (rsassa_pss_options.expected_salt_len == 0) {
- return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
- }
-
- ret = mbedtls_pk_verify_ext(pk_alg, &rsassa_pss_options,
+ ret = mbedtls_pk_verify_ext(pk_alg, NULL,
 peer_pk, md_alg, hash, hashlen, p, sig_len);
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index deba2ae1e0..70175e0d60 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -227,11 +227,6 @@ static int ssl_tls13_parse_certificate_verify(mbedtls_ssl_context *ssl,
 unsigned char verify_hash[PSA_HASH_MAX_SIZE];
 size_t verify_hash_len;
- void const *options = NULL;
-#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
- mbedtls_pk_rsassa_pss_options rsassa_pss_options;
-#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
-
 /*
 * struct {
 * SignatureScheme algorithm;
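Review bot: With `NULL` in place of `&rsassa_pss_options` in the `MBEDTLS_PK_RSASSA_PSS` branch of ssl_tls12_client.c, this call site no longer pins the MGF1 hash to `md_alg` or the expected salt length to the digest size, and the `expected_salt_len == 0` early return for an unrecognised `md_alg` is gone with it. Whether `mbedtls_pk_verify_ext()` applies the same constraints itself when options is `NULL` is not visible in this patch; if it accepts any salt length, peer signatures with non-matching PSS parameters would now verify. The second ssl_tls13_generic.c hunk (`@@ -304,16 +299,8 @@`) drops the equivalent `PSA_HASH_LENGTH(hash_alg)` binding, and RFC 8446 requires the PSS salt length to equal the digest length for TLS 1.3 signatures. I would state the contract at both calls, e.g. `/* options == NULL: callee enforces MGF1 hash == md_alg and salt length == digest size */`, and add a negative test using a PSS signature whose salt length differs from the digest size. The enclosing block in ssl_tls12_client.c starts and ends outside the hunk.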
@@ -304,16 +299,8 @@ static int ssl_tls13_parse_certificate_verify(mbedtls_ssl_context *ssl,
 }
 MBEDTLS_SSL_DEBUG_BUF(3, "verify hash", verify_hash, verify_hash_len);
-#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
- if (sig_alg == MBEDTLS_PK_RSASSA_PSS) {
- rsassa_pss_options.mgf1_hash_id = md_alg;
- rsassa_pss_options.expected_salt_len = PSA_HASH_LENGTH(hash_alg);
- options = (const void *) &rsassa_pss_options;
- }
-#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
-
- if ((ret = mbedtls_pk_verify_ext(sig_alg, options,
+ if ((ret = mbedtls_pk_verify_ext(sig_alg, NULL,
 &ssl->session_negotiate->peer_cert->pk, md_alg, verify_hash, verify_hash_len, p, signature_len)) == 0) {
diff --git a/library/x509_crt.c b/library/x509_crt.c
index b4c7d8adc4..faea404dba 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -2059,7 +2059,7 @@ static int x509_crt_verifycrl(mbedtls_x509_crt *crt, mbedtls_x509_crt *ca,
 flags |= MBEDTLS_X509_BADCERT_BAD_KEY;
 }
- if (mbedtls_pk_verify_ext(crl_list->sig_pk, crl_list->sig_opts, &ca->pk,
+ if (mbedtls_pk_verify_ext(crl_list->sig_pk, NULL, &ca->pk,
 crl_list->sig_md, hash, hash_length, crl_list->sig.p, crl_list->sig.len) != 0) {
 flags |= MBEDTLS_X509_BADCRL_NOT_TRUSTED;
@@ -2133,7 +2133,7 @@ static int x509_crt_check_signature(const mbedtls_x509_crt *child,
 (void) rs_ctx;
 #endif
- return mbedtls_pk_verify_ext(child->sig_pk, child->sig_opts, &parent->pk,
+ return mbedtls_pk_verify_ext(child->sig_pk, NULL, &parent->pk,
 child->sig_md, hash, hash_len, child->sig.p, child->sig.len);
 }
diff --git a/tests/suites/test_suite_x509write.function b/tests/suites/test_suite_x509write.function
index 107d9235a4..f3a161ca52 100644
--- a/tests/suites/test_suite_x509write.function
+++ b/tests/suites/test_suite_x509write.function
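Review bot: In `x509_crt_verifycrl`, and again in `x509_crt_check_signature` in this file's second hunk, the `sig_opts` stored with the CRL or child certificate are no longer passed to the verifier, so whatever signature parameters were parsed into that field stop constraining verification at these call sites. Whether `mbedtls_pk_verify_ext()` reconstructs equivalent RSASSA-PSS constraints from `sig_md` when options is `NULL` cannot be told from the visible lines; if it does not, a chain or CRL could be accepted under parameters other than those the object declares. A comment at each call such as `/* options == NULL: PSS parameters are taken from sig_md by the callee */` would record the assumption, and a negative chain test with PSS parameters that disagree with `sig_md` would guard it. The same substitution is made for `csr.sig_opts` in tests/suites/test_suite_x509write.function, so it is also worth saying whether the parsers still need to populate `sig_opts` at all. Both function bodies extend beyond their hunks.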
@@ -37,7 +37,7 @@ static int x509_crt_verifycsr(const unsigned char *buf, size_t buflen)
 goto cleanup;
 }
- if (mbedtls_pk_verify_ext(csr.sig_pk, csr.sig_opts, &csr.pk,
+ if (mbedtls_pk_verify_ext(csr.sig_pk, NULL, &csr.pk,
 csr.sig_md, hash, mbedtls_md_get_size_from_type(csr.sig_md), csr.sig.p, csr.sig.len) != 0) {
 ret = MBEDTLS_ERR_X509_CERT_VERIFY_FAILED;