Daiki Ueno ueno@gnu.org writes:
nisse@lysator.liu.se (Niels Möller) writes:
Thank you for the detailed comments. Please find attached the updated patches.
I hope you're ok if we do this piecewise. Here are comments on some of the pieces.
mgf1.h \
mgf1.h is intended as a public, rather than internal, header? Maybe rename to pss-mgf1.h, unless you foresee some non-pss use for it.
RSA-OAEP could also use it, though I am not sure if it is worth being supported.
Maybe rename it pkcs1-mgf1.h, then? I feel "mgf1.h" is a bit too obscure for a short name.
diff --git a/nettle-internal.h b/nettle-internal.h index 4e3098b..47b35c2 100644 --- a/nettle-internal.h +++ b/nettle-internal.h @@ -54,6 +54,7 @@ /* Arbitrary limits which apply to systems that don't have alloca */ #define NETTLE_MAX_HASH_BLOCK_SIZE 128 #define NETTLE_MAX_HASH_DIGEST_SIZE 64 +#define NETTLE_MAX_HASH_CONTEXT_SIZE 512 #define NETTLE_MAX_SEXP_ASSOC 17 #define NETTLE_MAX_CIPHER_BLOCK_SIZE 32
It's not so nice with a literal constant, since sizes are somewhat platform dependent. I'm considering the patch at the end of this message instead. It uses sizeof(sha3_224_ctx), which turns out to be the largest one by a quite large margin (and 352 bytes, on x86_64). The drawback is that code using this constant needs to include sha3.h to get the size, but I think that's ok for implementation files.
--- /dev/null +++ b/testsuite/pss-test.c @@ -0,0 +1,101 @@ +#include "testutils.h"
+#include "pss.h"
+#if HAVE_VALGRIND_MEMCHECK_H +# include <valgrind/memcheck.h>
+static void +test_unmark_mpz(mpz_t m) +{
- VALGRIND_MAKE_MEM_DEFINED (&m->_mp_alloc, sizeof(m->_mp_alloc));
- VALGRIND_MAKE_MEM_DEFINED (&m->_mp_size, sizeof(m->_mp_size));
- VALGRIND_MAKE_MEM_DEFINED (&m->_mp_d, sizeof(mp_limb_t) * m->_mp_alloc);
^ This looks wrong.
+}
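Review bot: In test_unmark_mpz, the third VALGRIND_MAKE_MEM_DEFINED call passes &m->_mp_d, the address of the pointer member inside the mpz struct, with a length of sizeof(mp_limb_t) * m->_mp_alloc. The range therefore starts at the struct field and runs past it, and the limb array that the pointer refers to is never marked. Pass m->_mp_d itself as the start address, and consider sizing the range by the limbs in use rather than by the allocation.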
I'd suggest
  VALGRIND_MAKE_MEM_DEFINED(m, sizeof(*m));
  VALGRIND_MAKE_MEM_DEFINED(m->_mp_d, sizeof(mp_limb_t) * mpz_size(m));
The first is a bit tricky since the mpz_t is a typedef:ed array, I hope I got it right.
--- a/nettle.texinfo +++ b/nettle.texinfo @@ -3770,6 +3770,36 @@ of the digest together with an object identifier for the used hash algorithm. @end deftypefun
+While the above functions for the RSA signature operations use the +@cite{PKCS#1} padding scheme, Nettle also provides the variants based on +the PSS padding scheme, specified in @cite{RFC 3447}.
+Creating an RSA signature with the PSS padding scheme is done with one +of the following functions:
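Review bot: The first added paragraph contrasts "the @cite{PKCS#1} padding scheme" with PSS "specified in @cite{RFC 3447}", but RFC 3447 is itself PKCS #1 v2.1 and specifies both signature schemes, so the wording reads as if PSS were outside PKCS#1. Naming the existing scheme PKCS#1 v1.5 would make the distinction exact. In the same sentence, "provides the variants" reads better as "provides variants".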
It would be nice if the documentation gave some explanation of the purpose of the salt input, and some guidance on how to select the salt length and contents.
Regards, /Niels
diff --git a/nettle-internal.h b/nettle-internal.h index 4e3098b..9c4c699 100644 --- a/nettle-internal.h +++ b/nettle-internal.h @@ -54,6 +54,7 @@ /* Arbitrary limits which apply to systems that don't have alloca */ #define NETTLE_MAX_HASH_BLOCK_SIZE 128 #define NETTLE_MAX_HASH_DIGEST_SIZE 64 +#define NETTLE_MAX_HASH_CONTEXT_SIZE (sizeof(struct sha3_224_ctx)) #define NETTLE_MAX_SEXP_ASSOC 17 #define NETTLE_MAX_CIPHER_BLOCK_SIZE 32
diff --git a/testsuite/meta-hash-test.c b/testsuite/meta-hash-test.c index 0dcd1b9..f7fa536 100644 --- a/testsuite/meta-hash-test.c +++ b/testsuite/meta-hash-test.c @@ -1,6 +1,8 @@ #include "testutils.h" #include "nettle-internal.h" #include "nettle-meta.h" +/* For NETTLE_MAX_HASH_CONTEXT_SIZE */ +#include "sha3.h"
const char* hashes[] = { "md2", @@ -34,7 +36,8 @@ test_main(void) while (NULL != nettle_hashes[j]) j++; ASSERT(j == count); /* we are not missing testing any hashes */ - for (j = 0; NULL != nettle_hashes[j]; j++) + for (j = 0; NULL != nettle_hashes[j]; j++) { ASSERT(nettle_hashes[j]->digest_size <= NETTLE_MAX_HASH_DIGEST_SIZE); + ASSERT(nettle_hashes[j]->context_size <= NETTLE_MAX_HASH_CONTEXT_SIZE); + } } - diff --git a/tools/nettle-hash.c b/tools/nettle-hash.c index fc991ee..488dff3 100644 --- a/tools/nettle-hash.c +++ b/tools/nettle-hash.c @@ -53,11 +53,11 @@ list_algorithms (void) { unsigned i; const struct nettle_hash *alg; - printf ("%10s digestsize (internal block size), in units of octets\n", "name"); + printf ("%10s digestsize (internal block size, context size), in units of octets\n", "name");
for (i = 0; (alg = nettle_hashes[i]); i++) - printf ("%10s %d (%d)\n", - alg->name, alg->digest_size, alg->block_size); + printf ("%10s %d (%d, %d)\n", + alg->name, alg->digest_size, alg->block_size, alg->context_size); };
static const struct nettle_hash *
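Review bot: In the nettle-internal.h hunk, NETTLE_MAX_HASH_CONTEXT_SIZE now expands to sizeof(struct sha3_224_ctx), yet nothing visible in that header declares the struct, so a file that uses the macro without including sha3.h fails to compile at the point of use. The meta-hash-test.c hunk records the requirement only as a comment at its own include; the same note belongs next to the #define. The heading comment "Arbitrary limits" also no longer describes this entry, which depends on sha3_224_ctx being the largest hash context, and that assumption should be stated there.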
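Review bot: In the tools/nettle-hash.c hunk, list_algorithms changes each output row from "%10s %d (%d)" to "%10s %d (%d, %d)", which alters the format for anything that parses the listing. The change should be mentioned in the tool's documentation or the release notes, so that the extra context size column is not a silent change for users.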