{ERR_FUNC(RSA_F_ENCODE_PKCS1), "encode_pkcs1"},
{ERR_FUNC(RSA_F_INT_RSA_VERIFY), "int_rsa_verify"},
{ERR_FUNC(RSA_F_OLD_RSA_PRIV_DECODE), "old_rsa_priv_decode"},
+ {ERR_FUNC(RSA_F_PKEY_PSS_INIT), "pkey_pss_init"},
{ERR_FUNC(RSA_F_PKEY_RSA_CTRL), "pkey_rsa_ctrl"},
{ERR_FUNC(RSA_F_PKEY_RSA_CTRL_STR), "pkey_rsa_ctrl_str"},
{ERR_FUNC(RSA_F_PKEY_RSA_SIGN), "pkey_rsa_sign"},
} else {
if (p1 < -2)
return -2;
- if (rsa_pss_restricted(rctx) && p1 < rctx->min_saltlen) {
- RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_PSS_SALTLEN_TOO_SMALL);
- return 0;
+ if (rsa_pss_restricted(rctx)) {
+ if (p1 == -2 && ctx->operation == EVP_PKEY_OP_VERIFY) {
+ RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PSS_SALTLEN);
+ return -2;
+ }
+ if ((p1 == -1 && rctx->min_saltlen > EVP_MD_size(rctx->md))
+ || (p1 >= 0 && p1 < rctx->min_saltlen)) {
+ RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_PSS_SALTLEN_TOO_SMALL);
+ return 0;
+ }
}
rctx->saltlen = p1;
}
RSA_PKEY_CTX *rctx = ctx->data;
const EVP_MD *md;
const EVP_MD *mgf1md;
- int min_saltlen;
+ int min_saltlen, max_saltlen;
/* Should never happen */
if (!pkey_ctx_is_pss(ctx))
if (!rsa_pss_get_param(rsa->pss, &md, &mgf1md, &min_saltlen))
return 0;
+ /* See if minumum salt length exceeds maximum possible */
+ max_saltlen = RSA_size(rsa) - EVP_MD_size(md);
+ if ((RSA_bits(rsa) & 0x7) == 1)
+ max_saltlen--;
+ if (min_saltlen > max_saltlen) {
+ RSAerr(RSA_F_PKEY_PSS_INIT, RSA_R_INVALID_SALT_LENGTH);
+ return 0;
+ }
+
rctx->min_saltlen = min_saltlen;
/*
than B<PSS>. It is otherwise similar to the B<RSA> version.
The EVP_PKEY_CTX_set_rsa_pss_saltlen() macro is used to set the salt length.
-If the key has usage restrictionsthen an error is returned if an attempt is
+If the key has usage restrictions then an error is returned if an attempt is
made to set the salt length below the minimum value. It is otherwise similar
-to the B<RSA> operation except special negative values are not supported.
+to the B<RSA> operation except detection of the salt length (using -2) is
+not supported for verification if the key has usage restrictions.
The EVP_PKEY_CTX_set_signature_md() and EVP_PKEY_CTX_set_rsa_mgf1_md() macros
are used to set the digest and MGF1 algorithms respectively. If the key has
# define RSA_F_ENCODE_PKCS1 146
# define RSA_F_INT_RSA_VERIFY 145
# define RSA_F_OLD_RSA_PRIV_DECODE 147
+# define RSA_F_PKEY_PSS_INIT 165
# define RSA_F_PKEY_RSA_CTRL 143
# define RSA_F_PKEY_RSA_CTRL_STR 144
# define RSA_F_PKEY_RSA_SIGN 142
projects / openssl.git / commitdiff