git.ipfire.org Git - thirdparty/ipxe.git/commit

author	Michael Brown <mcb30@ipxe.org>
	Wed, 6 May 2026 21:14:17 +0000 (22:14 +0100)
committer	Michael Brown <mcb30@ipxe.org>
	Wed, 6 May 2026 21:14:41 +0000 (22:14 +0100)
commit	0c617b913235cbfc82b41db2595cdad10957f1ac
tree	0c3c6d1eae55a9365fc28779af5ca7f439ca982a	tree \| snapshot
parent	c8743b8c8e14613415683d670edd6a318a4d0d7e	commit \| diff

[crypto] Add support for RSA-PSS signature scheme

Add support for the RSA-PSS signature scheme as defined in RFC 8017
and required for TLS version 1.3.

Signature verification is deliberately implemented by first deriving
the salt value and then reconstructing the entire expected signature.
This is arguably inefficient since it involves two invocations of the
mask generation function when only one is required. However, this
implementation approach keeps the code size minimal (since there is no
need to implement separate verification logic), and makes it provably
impossible to accidentally omit a verification step (such as checking
the leading zero bits or the fixed 0x01 or 0xbc bytes). Since
signature verification is not a fast-path operation, the guaranteed
correctness is more valuable than a marginally faster execution.

Signed-off-by: Michael Brown <mcb30@ipxe.org>

src/crypto/rsa.c		diff \| blob \| blame \| history
src/include/ipxe/rsa.h		diff \| blob \| blame \| history
src/tests/rsa_test.c		diff \| blob \| blame \| history