[gnutls-devel] GnuTLS | TLSv1.3 RSA-PSS allows truncated salt in violation of RFC8446 (#1258)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Wed Jul 28 12:43:30 CEST 2021

David Woodhouse created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1258

RFC8446 §4.2.3 says for the RSASSA-PSS algorithms:
    The length of the Salt MUST be equal to the length of the output
    of the digest algorithm.
However, in the case of a 1024-bit RSA key using RSA-PSS+SHA512, the maximum possible salt length is only 62 bytes.

I originally filed an OpenSSL issue for this *not* working in OpenSSL: https://github.com/openssl/openssl/issues/16167

But now after referring to RFC8446 I think the bug is that it *does* work in GnuTLS, and it shouldn't.

And I should fix my PSS padding code in OpenConnect too, to fail when there isn't enough room for `salt_len == hash_len` instead of truncating the salt.

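The constraint David describes is step 3 of EMSA-PSS-ENCODE in RFC 8017 §9.1.1: the encoded message has emLen = ceil(emBits/8) octets, and the salt must satisfy emLen >= hLen + sLen + 2, so a 1024-bit modulus (emBits = 1023, emLen = 128) leaves at most 128 - 64 - 2 = 62 octets of salt with SHA-512. The following is an added example, not GnuTLS or OpenConnect code: a minimal EMSA-PSS encoder (hash names, function names and the constructed message are mine) that refuses, rather than truncates, a salt that does not fit, plus a helper that checks whether the TLS 1.3 rule sLen == hLen is satisfiable for a given key size.

```python
import hashlib

# Added example: EMSA-PSS-ENCODE (RFC 8017 9.1.1) with the "no truncation" check
# that RFC 8446 4.2.3 (sLen == hLen) makes mandatory for TLS 1.3 RSA-PSS.

def mgf1(seed: bytes, length: int, hash_name: str) -> bytes:
    """MGF1 mask generation function (RFC 8017 Appendix B.2.1)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.new(hash_name, seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def max_salt_len(mod_bits: int, hash_name: str) -> int:
    """Largest salt that fits: emLen - hLen - 2, with emLen = ceil((modBits - 1) / 8)."""
    em_len = (mod_bits - 1 + 7) // 8
    return em_len - hashlib.new(hash_name).digest_size - 2

def tls13_salt_fits(mod_bits: int, hash_name: str) -> bool:
    """Can this key size carry the salt length TLS 1.3 requires (sLen == hLen)?"""
    return max_salt_len(mod_bits, hash_name) >= hashlib.new(hash_name).digest_size

def emsa_pss_encode(message: bytes, em_bits: int, salt: bytes, hash_name: str) -> bytes:
    """RFC 8017 9.1.1; raises instead of silently shortening the salt."""
    h_len = hashlib.new(hash_name).digest_size
    em_len = (em_bits + 7) // 8
    if em_len < h_len + len(salt) + 2:                  # step 3: refuse, do not truncate
        raise ValueError("encoding error: salt of %d bytes does not fit" % len(salt))
    m_hash = hashlib.new(hash_name, message).digest()   # step 2
    h = hashlib.new(hash_name, b"\x00" * 8 + m_hash + salt).digest()  # steps 5-6
    ps = b"\x00" * (em_len - len(salt) - h_len - 2)     # step 7: may be empty
    db = ps + b"\x01" + salt                             # step 8
    db_mask = mgf1(h, em_len - h_len - 1, hash_name)     # step 9
    masked_db = bytes(a ^ b for a, b in zip(db, db_mask))  # step 10
    clear = 8 * em_len - em_bits                         # step 11: zero leading bits
    masked_db = bytes([masked_db[0] & (0xFF >> clear)]) + masked_db[1:]
    return masked_db + h + b"\xbc"                       # step 12

if __name__ == "__main__":
    print("1024-bit RSA-PSS/SHA-512 max salt:", max_salt_len(1024, "sha512"))  # 62
    print("TLS 1.3 usable:", tls13_salt_fits(1024, "sha512"))                   # False
```

With a 2048-bit key the same check passes, which is why the mismatch only surfaces on short keys paired with a wide digest.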
