Add constants for special PSS salt length values
Align with OpenSSL for the names of the constants. -1 and -2 are too
confusing.
Change-Id: Ibd82361e81fe58f4a1006fc9f4c605c59b66ab12
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/79727
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
Auto-Submit: David Benjamin <davidben@google.com>
diff --git a/crypto/evp/evp_test.cc b/crypto/evp/evp_test.cc
index f71bd9f..ee165e5 100644
--- a/crypto/evp/evp_test.cc
+++ b/crypto/evp/evp_test.cc
@@ -610,7 +610,7 @@
bool is_pss = t->HasInstruction("mgf");
const EVP_MD *mgf1_md = nullptr;
- int pss_salt_len = -1;
+ int pss_salt_len = RSA_PSS_SALTLEN_DIGEST;
if (is_pss) {
ASSERT_EQ("MGF1", t->GetInstructionOrDie("mgf"));
mgf1_md = GetWycheproofDigest(t, "mgfSha", true);
diff --git a/crypto/evp/p_rsa.cc b/crypto/evp/p_rsa.cc
index 01eae68..4b47ee3 100644
--- a/crypto/evp/p_rsa.cc
+++ b/crypto/evp/p_rsa.cc
@@ -64,7 +64,7 @@
rctx->nbits = 2048;
rctx->pad_mode = RSA_PKCS1_PADDING;
- rctx->saltlen = -2;
+ rctx->saltlen = RSA_PSS_SALTLEN_AUTO;
ctx->data = rctx;
diff --git a/crypto/fipsmodule/rsa/padding.cc.inc b/crypto/fipsmodule/rsa/padding.cc.inc
index d86627f..2b9e20d 100644
--- a/crypto/fipsmodule/rsa/padding.cc.inc
+++ b/crypto/fipsmodule/rsa/padding.cc.inc
@@ -183,11 +183,11 @@
// -2 salt length is autorecovered from signature
// -N reserved
size_t hLen = EVP_MD_size(Hash);
- if (sLen == -1) {
+ if (sLen == RSA_PSS_SALTLEN_DIGEST) {
sLen = (int)hLen;
- } else if (sLen == -2) {
- sLen = -2;
- } else if (sLen < -2) {
+ } else if (sLen == RSA_PSS_SALTLEN_AUTO) {
+ // Leave |sLen| negative.
+ } else if (sLen < 0) {
OPENSSL_PUT_ERROR(RSA, RSA_R_SLEN_CHECK_FAILED);
goto err;
}
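Review bot: The context comment directly above this branch chain still describes the special values as bare numbers (`-2 salt length is autorecovered from signature`, `-N reserved`), so the comment and the code now use different vocabulary. Suggest rewriting those lines with the new names, e.g. `//   RSA_PSS_SALTLEN_AUTO  salt length is autorecovered from signature` and `//   other negative values are rejected`, which also matches the new `sLen < 0` test. The same applies to the `-2 salt length is maximized` comment in the next hunk of this file and to `which is specified with -1 in OpenSSL's API` in pki/verify_signed_data.cc. The enclosing function starts and ends outside the hunk, so the first lines of the comment block are not visible here.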
@@ -304,9 +304,9 @@
// -2 salt length is maximized
// -N reserved
size_t sLen;
- if (sLenRequested == -1) {
+ if (sLenRequested == RSA_PSS_SALTLEN_DIGEST) {
sLen = hLen;
- } else if (sLenRequested == -2) {
+ } else if (sLenRequested == RSA_PSS_SALTLEN_AUTO) {
sLen = emLen - hLen - 2;
} else if (sLenRequested < 0) {
OPENSSL_PUT_ERROR(RSA, RSA_R_SLEN_CHECK_FAILED);
diff --git a/crypto/fipsmodule/service_indicator/service_indicator.cc.inc b/crypto/fipsmodule/service_indicator/service_indicator.cc.inc
index 8b77013..d7ace3a 100644
--- a/crypto/fipsmodule/service_indicator/service_indicator.cc.inc
+++ b/crypto/fipsmodule/service_indicator/service_indicator.cc.inc
@@ -217,7 +217,8 @@
const EVP_MD *mgf1_md;
if (!EVP_PKEY_CTX_get_rsa_pss_saltlen(pctx, &salt_len) ||
!EVP_PKEY_CTX_get_rsa_mgf1_md(pctx, &mgf1_md) ||
- (salt_len != -1 && salt_len != (int)EVP_MD_size(pctx_md)) ||
+ (salt_len != RSA_PSS_SALTLEN_DIGEST &&
+ salt_len != (int)EVP_MD_size(pctx_md)) ||
EVP_MD_type(mgf1_md) != md_type) {
// Only PSS where saltLen == hashLen is tested with ACVP. Cases with
// non-standard padding functions are also excluded.
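Review bot: The comment inside this branch does not say what happens to |RSA_PSS_SALTLEN_AUTO|, which the p_rsa.cc hunk of this commit shows is the value a new context starts with. As written, the condition accepts only |RSA_PSS_SALTLEN_DIGEST| or an explicit length equal to the digest size, so a caller that never sets the salt length takes this branch. Suggest extending the comment with `// |RSA_PSS_SALTLEN_AUTO|, the default for a new context, is not accepted here.` so the consequence of leaving the default in place is visible at the check. The rest of the branch is outside the hunk.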
diff --git a/crypto/fipsmodule/service_indicator/service_indicator_test.cc b/crypto/fipsmodule/service_indicator/service_indicator_test.cc
index c91b11b..571f806 100644
--- a/crypto/fipsmodule/service_indicator/service_indicator_test.cc
+++ b/crypto/fipsmodule/service_indicator/service_indicator_test.cc
@@ -1275,7 +1275,8 @@
approved, EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING)));
EXPECT_EQ(approved, FIPSStatus::NOT_APPROVED);
ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
- approved, EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1)));
+ approved,
+ EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, RSA_PSS_SALTLEN_DIGEST)));
EXPECT_EQ(approved, FIPSStatus::NOT_APPROVED);
}
ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
@@ -1306,7 +1307,8 @@
approved, EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING)));
EXPECT_EQ(approved, FIPSStatus::NOT_APPROVED);
ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
- approved, EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1)));
+ approved,
+ EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, RSA_PSS_SALTLEN_DIGEST)));
EXPECT_EQ(approved, FIPSStatus::NOT_APPROVED);
}
ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
@@ -1346,7 +1348,7 @@
pkey.get()));
if (test.use_pss) {
ASSERT_TRUE(EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING));
- ASSERT_TRUE(EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1));
+ ASSERT_TRUE(EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, RSA_PSS_SALTLEN_DIGEST));
}
ASSERT_TRUE(EVP_DigestSign(md_ctx.get(), nullptr, &sig_len, nullptr, 0));
signature.resize(sig_len);
@@ -1370,7 +1372,7 @@
ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
approved, EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING)));
EXPECT_EQ(approved, FIPSStatus::NOT_APPROVED);
- ASSERT_TRUE(EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1));
+ ASSERT_TRUE(EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, RSA_PSS_SALTLEN_DIGEST));
}
ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
approved,
@@ -1391,7 +1393,7 @@
ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
approved, EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING)));
EXPECT_EQ(approved, FIPSStatus::NOT_APPROVED);
- ASSERT_TRUE(EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1));
+ ASSERT_TRUE(EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, RSA_PSS_SALTLEN_DIGEST));
}
ASSERT_TRUE(CALL_SERVICE_AND_CHECK_APPROVED(
approved,
diff --git a/crypto/x509/rsa_pss.cc b/crypto/x509/rsa_pss.cc
index 5449bef..689f64d 100644
--- a/crypto/x509/rsa_pss.cc
+++ b/crypto/x509/rsa_pss.cc
@@ -167,7 +167,7 @@
return 0;
}
int md_len = (int)EVP_MD_size(sigmd);
- if (saltlen == -1) {
+ if (saltlen == RSA_PSS_SALTLEN_DIGEST) {
saltlen = md_len;
} else if (saltlen != md_len) {
OPENSSL_PUT_ERROR(X509, X509_R_INVALID_PSS_PARAMETERS);
diff --git a/crypto/x509/x509_test.cc b/crypto/x509/x509_test.cc
index 6159d40..f8e2b4c 100644
--- a/crypto/x509/x509_test.cc
+++ b/crypto/x509/x509_test.cc
@@ -2206,7 +2206,8 @@
ASSERT_TRUE(EVP_DigestSignInit(md_ctx.get(), &pkey_ctx, EVP_sha256(), NULL,
pkey.get()));
ASSERT_TRUE(EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, RSA_PKCS1_PSS_PADDING));
- ASSERT_TRUE(EVP_PKEY_CTX_set_rsa_pss_saltlen(pkey_ctx, -1));
+ ASSERT_TRUE(
+ EVP_PKEY_CTX_set_rsa_pss_saltlen(pkey_ctx, RSA_PSS_SALTLEN_DIGEST));
ASSERT_TRUE(SignatureRoundTrips(md_ctx.get(), pkey.get()));
md_ctx.Reset();
@@ -2221,7 +2222,8 @@
ASSERT_TRUE(EVP_DigestSignInit(md_ctx.get(), &pkey_ctx, EVP_sha1(), NULL,
pkey.get()));
ASSERT_TRUE(EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, RSA_PKCS1_PSS_PADDING));
- ASSERT_TRUE(EVP_PKEY_CTX_set_rsa_pss_saltlen(pkey_ctx, -1));
+ ASSERT_TRUE(
+ EVP_PKEY_CTX_set_rsa_pss_saltlen(pkey_ctx, RSA_PSS_SALTLEN_DIGEST));
bssl::UniquePtr<X509> cert = CertFromPEM(kLeafPEM);
ASSERT_TRUE(cert);
EXPECT_FALSE(X509_sign_ctx(cert.get(), md_ctx.get()));
@@ -2231,7 +2233,8 @@
ASSERT_TRUE(EVP_DigestSignInit(md_ctx.get(), &pkey_ctx, EVP_sha256(), NULL,
pkey.get()));
ASSERT_TRUE(EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, RSA_PKCS1_PSS_PADDING));
- ASSERT_TRUE(EVP_PKEY_CTX_set_rsa_pss_saltlen(pkey_ctx, -1));
+ ASSERT_TRUE(
+ EVP_PKEY_CTX_set_rsa_pss_saltlen(pkey_ctx, RSA_PSS_SALTLEN_DIGEST));
ASSERT_TRUE(EVP_PKEY_CTX_set_rsa_mgf1_md(pkey_ctx, EVP_sha512()));
cert = CertFromPEM(kLeafPEM);
ASSERT_TRUE(cert);
diff --git a/include/openssl/evp.h b/include/openssl/evp.h
index 88f0092..32d2084 100644
--- a/include/openssl/evp.h
+++ b/include/openssl/evp.h
@@ -686,16 +686,18 @@
int *out_padding);
// EVP_PKEY_CTX_set_rsa_pss_saltlen sets the length of the salt in a PSS-padded
-// signature. A value of -1 cause the salt to be the same length as the digest
-// in the signature. A value of -2 causes the salt to be the maximum length
-// that will fit when signing and recovered from the signature when verifying.
-// Otherwise the value gives the size of the salt in bytes.
+// signature. A value of |RSA_PSS_SALTLEN_DIGEST| causes the salt to be the same
+// length as the digest in the signature. A value of |RSA_PSS_SALTLEN_AUTO|
+// causes the salt to be the maximum length that will fit when signing and
+// recovered from the signature when verifying. Otherwise the value gives the
+// size of the salt in bytes.
//
-// If unsure, use -1.
+// If unsure, use |RSA_PSS_SALTLEN_DIGEST|.
//
// Returns one on success or zero on error.
//
-// TODO(davidben): The default is currently -2. Switch it to -1.
+// TODO(davidben): The default is currently |RSA_PSS_SALTLEN_AUTO|. Switch it to
+// |RSA_PSS_SALTLEN_DIGEST|.
OPENSSL_EXPORT int EVP_PKEY_CTX_set_rsa_pss_saltlen(EVP_PKEY_CTX *ctx,
int salt_len);
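Review bot: The rewritten comment names |RSA_PSS_SALTLEN_DIGEST| and |RSA_PSS_SALTLEN_AUTO|, but this commit defines both in include/openssl/rsa.h and nothing in the hunk shows evp.h including that header. A caller reading only this declaration cannot tell where the names come from; suggest adding `// Both constants are defined in <openssl/rsa.h>.` before the "If unsure" line. The TODO could also state why the default matters: per the RSA_verify_pss_mgf1 documentation in rsa.h, |RSA_PSS_SALTLEN_AUTO| means the salt length is recovered and all values are accepted when verifying.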
diff --git a/include/openssl/rsa.h b/include/openssl/rsa.h
index c6c9fc4..c80aea8 100644
--- a/include/openssl/rsa.h
+++ b/include/openssl/rsa.h
@@ -301,6 +301,13 @@
size_t digest_len, uint8_t *out, unsigned *out_len,
RSA *rsa);
+// RSA_PSS_SALTLEN_DIGEST indicates a PSS salt length that matches the digest
+// length. This is recommended.
+#define RSA_PSS_SALTLEN_DIGEST (-1)
+// RSA_PSS_SALTLEN_AUTO indicates a maximum possible PSS salt length when
+// signing, and automatically detecting the salt length when verifying.
+#define RSA_PSS_SALTLEN_AUTO (-2)
+
// RSA_sign_pss_mgf1 signs |digest_len| bytes from |digest| with the public key
// from |rsa| using RSASSA-PSS with MGF1 as the mask generation function. It
// writes, at most, |max_out| bytes of signature data to |out|. The |max_out|
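Review bot: The two new comments do not say that every other negative salt length is an error, which is what the padding.cc.inc hunks in this commit enforce (`sLen < 0` and `sLenRequested < 0` both raise RSA_R_SLEN_CHECK_FAILED). Since the stated goal is to align names with OpenSSL, code ported from there may pass other negative constants, such as its RSA_PSS_SALTLEN_MAX, and expect them to work. Suggest adding a line after the second define such as `// All other negative salt lengths are rejected.` so the supported set is explicit at the point of definition.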
@@ -311,9 +318,10 @@
// and the MGF1 hash, respectively. If |mgf1_md| is NULL, |md| is
// used.
//
-// |salt_len| specifies the expected salt length in bytes. If |salt_len| is -1,
-// then the salt length is the same as the hash length. If -2, then the salt
-// length is maximal given the size of |rsa|. If unsure, use -1.
+// |salt_len| specifies the expected salt length in bytes. If |salt_len| is
+// |RSA_PSS_SALTLEN_DIGEST|, then the salt length is the same as the hash
+// length. If |RSA_PSS_SALTLEN_AUTO|, then the salt length is maximal given the
+// size of |rsa|. If unsure, use |RSA_PSS_SALTLEN_DIGEST|.
//
// WARNING: |digest| must be the result of hashing the data to be signed with
// |md|. Passing unhashed inputs will not result in a secure signature scheme.
@@ -373,9 +381,9 @@
// and the MGF1 hash, respectively. If |mgf1_md| is NULL, |md| is
// used. |salt_len| specifies the expected salt length in bytes.
//
-// If |salt_len| is -1, then the salt length is the same as the hash length. If
-// -2, then the salt length is recovered and all values accepted. If unsure, use
-// -1.
+// If |salt_len| is |RSA_PSS_SALTLEN_DIGEST|, then the salt length is the same
+// as the hash length. If |RSA_PSS_SALTLEN_AUTO|, then the salt length is
+// recovered and all values accepted. If unsure, use |RSA_PSS_SALTLEN_DIGEST|.
//
// WARNING: |digest| must be the result of hashing the data to be verified with
// |md|. Passing unhashed input will not result in a secure signature scheme.
diff --git a/pki/verify_signed_data.cc b/pki/verify_signed_data.cc
index f53f039..668598c 100644
--- a/pki/verify_signed_data.cc
+++ b/pki/verify_signed_data.cc
@@ -273,7 +273,7 @@
// also use the digest length as the salt length, which is specified with -1
// in OpenSSL's API.
if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) ||
- !EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1)) {
+ !EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, RSA_PSS_SALTLEN_DIGEST)) {
return false;
}
}
diff --git a/ssl/ssl_privkey.cc b/ssl/ssl_privkey.cc
index 70b9f03..46906f9 100644
--- a/ssl/ssl_privkey.cc
+++ b/ssl/ssl_privkey.cc
@@ -185,7 +185,7 @@
if (alg->is_rsa_pss) {
if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) ||
- !EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1 /* salt len = hash len */)) {
+ !EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, RSA_PSS_SALTLEN_DIGEST)) {
return false;
}
}
diff --git a/ssl/test/test_config.cc b/ssl/test/test_config.cc
index a847397..0f43d86 100644
--- a/ssl/test/test_config.cc
+++ b/ssl/test/test_config.cc
@@ -1242,7 +1242,7 @@
// Configure additional signature parameters.
if (SSL_is_signature_algorithm_rsa_pss(signature_algorithm)) {
if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) ||
- !EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1 /* salt len = hash len */)) {
+ !EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, RSA_PSS_SALTLEN_DIGEST)) {
return ssl_private_key_failure;
}
}
diff --git a/util/fipstools/acvp/modulewrapper/modulewrapper.cc b/util/fipstools/acvp/modulewrapper/modulewrapper.cc
index 018aceb..80599d7 100644
--- a/util/fipstools/acvp/modulewrapper/modulewrapper.cc
+++ b/util/fipstools/acvp/modulewrapper/modulewrapper.cc
@@ -2043,7 +2043,7 @@
size_t sig_len;
if (UsePSS) {
if (!RSA_sign_pss_mgf1(key, &sig_len, sig.data(), sig.size(), digest_buf,
- digest_len, md, md, -1)) {
+ digest_len, md, md, RSA_PSS_SALTLEN_DIGEST)) {
return false;
}
} else {
@@ -2087,8 +2087,8 @@
uint8_t ok;
if (UsePSS) {
- ok = RSA_verify_pss_mgf1(key.get(), digest_buf, digest_len, md, md, -1,
- sig.data(), sig.size());
+ ok = RSA_verify_pss_mgf1(key.get(), digest_buf, digest_len, md, md,
+ RSA_PSS_SALTLEN_DIGEST, sig.data(), sig.size());
} else {
ok = RSA_verify(EVP_MD_type(md), digest_buf, digest_len, sig.data(),
sig.size(), key.get());