Add signature length mismatch handling when using PSA in pk_verify_ext

Introduce a regression test for that too. Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2025-07-29 11:41:15 +03:00 · 2022-02-15 08:23:02 -05:00
parent 90ba2cbd0a
commit 8666df6f18
3 changed files with 23 additions and 15 deletions
--- a/library/pk.c
+++ b/library/pk.c
@ -410,6 +410,9 @@ int mbedtls_pk_verify_ext( mbedtls_pk_type_t type, const void *options,
                                  hash_len, sig, sig_len );
        psa_destroy_key( key_id );

+        if( status == PSA_SUCCESS && sig_len > mbedtls_pk_get_len( ctx ) )
+            return( MBEDTLS_ERR_PK_SIG_LEN_MISMATCH );
+
        return( status == PSA_ERROR_INVALID_SIGNATURE?
                              MBEDTLS_ERR_RSA_VERIFY_FAILED :
                              mbedtls_psa_err_translate_pk( status ) );