[gnutls-devel] GnuTLS | TLSv1.3 RSA-PSS allows truncated salt in violation of RFC8446 (#1258)
Read-only notification of GnuTLS library development activities
gnutls-devel at lists.gnutls.org
Wed Jul 28 12:43:30 CEST 2021
David Woodhouse created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1258
RFC8446 §4.2.3 says for the RSASSA-PSS algorithms:
```
The length of the Salt MUST be equal to the length of the output
of the digest algorithm.
```
However, in the case of a 1024-bit RSA key using RSA-PSS+SHA512, the maximum possible salt length is only 62 bytes.
I originally filed an OpenSSL issue for this *not* working in OpenSSL: https://github.com/openssl/openssl/issues/16167
But now after referring to RFC8446 I think the bug is that it *does* work in GnuTLS, and it shouldn't.
And I should fix my PSS padding code in OpenConnect too, to fail when there isn't enough room for `salt_len == hash_len` instead of truncating the salt.
--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1258
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20210728/ac486fd4/attachment.html>
More information about the Gnutls-devel
mailing list