Skip to content

fix: skip RSA_MIN_PAD_SZ check for PSS padding in RsaPublicEncryptEx#10255

Open
MarkAtwood wants to merge 2 commits into
wolfSSL:masterfrom
MarkAtwood:fix/rsa-pss-pubenc-size-check
Open

fix: skip RSA_MIN_PAD_SZ check for PSS padding in RsaPublicEncryptEx#10255
MarkAtwood wants to merge 2 commits into
wolfSSL:masterfrom
MarkAtwood:fix/rsa-pss-pubenc-size-check

Conversation

@MarkAtwood
Copy link
Copy Markdown
Contributor

@MarkAtwood MarkAtwood commented Apr 17, 2026

Summary

The RSA_MIN_PAD_SZ guard (inLen > sz - 11RSA_BUFFER_E) is a PKCS#1 v1.5 concept. PSS has its own length check inside RsaPad_PSS (emLen >= hLen + sLen + 2 per RFC 8017 §9.1.1) and the outer guard fires first, before RsaPad_PSS ever runs.

For keys in the range [hLen+2, hLen+10] bytes, the outer guard incorrectly returns RSA_BUFFER_E for combinations where PSS with saltLen=0 would be geometrically valid. Keys in this range are non-standard but valid — they can be loaded from external DER.

Fix: add a WC_RSA_PSS #ifdef that skips the RSA_BUFFER_E return when pad_type == WC_RSA_PSS_PAD, mirroring the existing WC_RSA_NO_PADDING exception for raw mode.

Test plan

  • PSS encrypt with non-standard key sizes in [hLen+2, hLen+10] bytes no longer returns RSA_BUFFER_E
  • PSS still correctly rejects combinations that exceed its own length constraint (PSS_SALTLEN_E)
  • Existing RSA PSS tests unaffected

/cc @wolfSSL-Fenrir-bot please review

@MarkAtwood
fix: skip RSA_MIN_PAD_SZ check for PSS padding in RsaPublicEncryptEx
fd0b9b9 
The RSA_MIN_PAD_SZ guard (inLen > sz - 11) is a PKCS#1 v1.5 constraint.
PSS has its own length check inside RsaPad_PSS (emLen >= hLen + sLen + 2
per RFC 8017) and does not need this guard. For keys in the range
[hLen+2, hLen+10] bytes, the outer guard fires and returns RSA_BUFFER_E
before RsaPad_PSS ever runs, even though PSS with saltLen=0 would be
geometrically valid for those key sizes.

Add a WC_RSA_PSS ifdef that skips the RSA_BUFFER_E return when
pad_type == WC_RSA_PSS_PAD, mirroring the existing WC_RSA_NO_PADDING
exception for raw (no-pad) mode.
@MarkAtwood MarkAtwood requested review from SparkiDev and Copilot April 17, 2026 22:09
Copilot AI reviewed Apr 17, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Adjusts RsaPublicEncryptEx so the RSA_MIN_PAD_SZ (PKCS#1 v1.5) input-length guard does not preempt PSS padding’s own size validation, enabling certain non-standard small key sizes to proceed to RsaPad_PSS.

Changes:

  • Skips the RSA_BUFFER_E early-return when pad_type == WC_RSA_PSS_PAD (under WC_RSA_PSS).
  • Keeps the existing exception path for WC_RSA_NO_PAD behavior.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread wolfcrypt/src/rsa.c Outdated
@github-actions
Copy link
Copy Markdown

github-actions Bot commented Apr 18, 2026
edited
Loading

MemBrowse Memory Report

No memory changes detected for:

dgarske
dgarske requested changes May 5, 2026
View reviewed changes
Comment thread wolfcrypt/src/rsa.c Outdated
@MarkAtwood
Copy link
Copy Markdown
Contributor Author

MarkAtwood commented May 30, 2026

Restructured as a single compound condition — pushed f05d929. No more implicit nesting of preprocessor-guarded if-statements. Each exemption is now a && clause gated by its own #ifdef, so adding future exemptions is just another line.

@MarkAtwood
fix: restructure RSA_MIN_PAD_SZ guard as compound condition
91a1b28 
Addresses review feedback: avoid fragile implicit nesting of
preprocessor-guarded if-statements. Use a single compound condition
with && clauses gated by #ifdef instead.
@MarkAtwood MarkAtwood force-pushed the fix/rsa-pss-pubenc-size-check branch from f05d929 to 91a1b28 Compare June 3, 2026 21:45
@MarkAtwood
Copy link
Copy Markdown
Contributor Author

MarkAtwood commented Jun 4, 2026

Restructured per review feedback — the implicit preprocessor nesting is replaced with a check_min_pad flag pattern (91a1b28). Each exemption is a separate #ifdef block, and there's a single guarded return RSA_BUFFER_E. Ready for re-review.

@MarkAtwood MarkAtwood requested a review from dgarske June 4, 2026 22:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@SparkiDev SparkiDev Awaiting requested review from SparkiDev

@dgarske dgarske Awaiting requested review from dgarske

Requested changes must be addressed to merge this pull request.

Assignees

@wolfSSL-Bot wolfSSL-Bot

@MarkAtwood MarkAtwood

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@MarkAtwood @dgarske @wolfSSL-Bot