From 539b9a52f9553e0921b7b74ef245e44c9389ad3b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 7 Feb 2022 10:19:08 +0100 Subject: [PATCH] Fix discussion of RSA-PSS salt length MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- docs/architecture/psa-migration/psa-limitations.md | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/docs/architecture/psa-migration/psa-limitations.md b/docs/architecture/psa-migration/psa-limitations.md index 01fd188db4..53dd4a82cd 100644 --- a/docs/architecture/psa-migration/psa-limitations.md +++ b/docs/architecture/psa-migration/psa-limitations.md @@ -118,11 +118,15 @@ algorithms can differ from each other. - PSA: - algorithm specification: - hash alg used for message hashing, encoding and MGF1 - - salt length can be either "standard" (== hashlen) or "any" + - salt length can be either "standard" (<= hashlen, see note) or "any" - signature generation: - - salt length: always using the maximum legal value and random salt + - salt length: always <= hashlen (see note) and random salt - verification: - - salt length: either == hashlen, or any depending on algorithm + - salt length: either <= hashlen (see note), or any depending on algorithm + +Note: above, "<= hashlen" means that hashlen is used if possible, but if it +doesn't fit because the key is too short, then the maximum lenght that fits is +used. The RSA/PK API is in principle more flexible than the PSA Crypto API. The following sub-sections study whether and how this matters in practice. @@ -158,7 +162,7 @@ match a limitation of the PSA API. It is unclear what parameters people use in practice. It looks like by default OpenSSL picks saltlen = keylen - hashlen - 2 (tested with openssl 1.1.1f). The `certool` command provided by GnuTLS seems to be picking saltlen = hashlen -by default (tested with GnuTLS 3.6.13). FIPS 186-4 recommends saltlen >= +by default (tested with GnuTLS 3.6.13). FIPS 186-4 recommends 0 <= saltlen <= hashlen. ### Use in TLS