From: Tobias Brunner
Date: Tue, 26 Sep 2017 14:44:44 +0000 (+0200)
Subject: gcrypt: Add support for static salts when signing with RSA-PSS
X-Git-Tag: 5.6.1rc1~6^2~23
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=37efb9787b6e0c08fee9aad5a1d152105d5a4049;p=thirdparty%2Fstrongswan.git
gcrypt: Add support for static salts when signing with RSA-PSS
---
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c
index 5dc0bfd30f..c06f433485 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c
@@ -177,14 +177,25 @@ static bool sign_pkcs1(private_gcrypt_rsa_private_key_t *this,
 if (pss)
 {
- u_int slen = hasher_hash_size(hash_algorithm);
- if (pss->salt_len > RSA_PSS_SALT_LEN_DEFAULT)
+ if (pss->salt.len)
 {
- slen = pss->salt_len;
+ err = gcry_sexp_build(&in, NULL,
+ "(data(flags pss)(salt-length %u)"
+ "(random-override %b)(hash %s %b))",
+ pss->salt.len, pss->salt.len, pss->salt.ptr,
+ hash_name, hash.len, hash.ptr);
+ }
+ else
+ {
+ u_int slen = hasher_hash_size(hash_algorithm);
+ if (pss->salt_len > RSA_PSS_SALT_LEN_DEFAULT)
+ {
+ slen = pss->salt_len;
+ }
+ err = gcry_sexp_build(&in, NULL,
+ "(data(flags pss)(salt-length %u)(hash %s %b))",
+ slen, hash_name, hash.len, hash.ptr);
 }
- err = gcry_sexp_build(&in, NULL,
- "(data(flags pss)(salt-length %u)(hash %s %b))",
- slen, hash_name, hash.len, hash.ptr);
 }
 else
 {
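Review bot: In the new `if (pss->salt.len)` branch the caller's bytes are handed to libgcrypt as `random-override`, so every signature made with these parameters reuses one salt and is deterministic, and `pss->salt_len` is ignored without any check that it agrees with `salt.len`; nothing in the code states either fact. A comment above the branch would make that reviewable, for example `/* caller-supplied static salt: replaces the random salt (signature becomes deterministic) and takes precedence over salt_len */`. The same call passes `pss->salt.len` for `%u` and for the length of `%b`, which libgcrypt reads as `unsigned int` and `int`; if `salt.len` is a `size_t` (its type is not visible here), casting keeps the variadic call well-defined: `(u_int)pss->salt.len, (int)pss->salt.len, pss->salt.ptr,`. sign_pkcs1 begins and ends outside the hunk, so how `err` is handled afterwards cannot be checked from here.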