diff options
author | Robert Relyea <rrelyea@redhat.com> | 2022-12-19 14:10:39 -0800 |
---|---|---|
committer | Robert Relyea <rrelyea@redhat.com> | 2022-12-19 14:10:39 -0800 |
commit | fb3863f21b59cedf454a28f615d00368a2d1a227 (patch) | |
tree | c58e83fb3ebf44a5a655ac79a0bf276145daca30 /lib/softoken/pkcs11i.h | |
parent | 00596c167335912314757fd6efc4b46c9c3c029a (diff) | |
download | nss-hg-fb3863f21b59cedf454a28f615d00368a2d1a227.tar.gz |
Bug 1806496 In FIPS mode, nss should reject RSASSA-PSS salt lengths larger than the output size of the hash function used, or provide an indicator
This patch adds a new mechanism specific check for PSS in fip_algorithms.h.
The new check uses the hash mechanism provided in the pss mechanism list to look up the hash length. A static utility function in pkcs11c.c is moved to pkcs11u.c and made global so it can be reused in this code.
We know that mechanism supplied in the parameters matches the hash because that check is enforces in pkcs11c.c for the combined hash and signed functions.
Differential Revision: https://phabricator.services.mozilla.com/D165176
Diffstat (limited to 'lib/softoken/pkcs11i.h')
-rw-r--r-- | lib/softoken/pkcs11i.h | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/lib/softoken/pkcs11i.h b/lib/softoken/pkcs11i.h index e4719a8ee..b0408dc43 100644 --- a/lib/softoken/pkcs11i.h +++ b/lib/softoken/pkcs11i.h @@ -914,6 +914,9 @@ void sftk_MACConstantTime_EndHash( void *pctx, void *out, unsigned int *outLength, unsigned int maxLength); void sftk_MACConstantTime_DestroyContext(void *pctx, PRBool); +/* Crypto Utilities */ +HASH_HashType sftk_GetHashTypeFromMechanism(CK_MECHANISM_TYPE mech); + /**************************************** * implement TLS Pseudo Random Function (PRF) */ |