Google Git
Sign in
boringssl / boringssl / b01d7bbf7b0933f105bad2f1c9aed64ece537cbe
commitb01d7bbf7b0933f105bad2f1c9aed64ece537cbe[log] [tgz]
authorDavid Benjamin <davidben@google.com>Mon Jun 30 14:46:18 2025 -0400
committerBoringssl LUCI CQ <boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com>Mon Jun 30 14:23:31 2025 -0700
treeb6a33f73d07302b7a6d55f99cd0c61fcce519e1d
parentbe5be0a4f5ebf00da151a06860deb11a0ffb609f [diff]
Change the RSA-PSS salt length default to RSA_PSS_SALTLEN_DIGEST

Update-Note: Signing RSA-PSS with the EVP APIs will now default to a
salt length of RSA_PSS_SALTLEN_DIGEST (-1) instead of
RSA_PSS_SALTLEN_AUTO (-2). Applications that use
EVP_PKEY_CTX_set_rsa_padding(RSA_PKCS1_PSS_PADDING) without calling
EVP_PKEY_CTX_set_rsa_pss_saltlen will see slightly different behavior.
Call EVP_PKEY_CTX_set_rsa_pss_saltlen(RSA_PSS_SALTLEN_AUTO) to restore
the old behavior.

The new behavior matches that protocols do in practice (TLS, our only
supported X.509 modes), and also matches FIPS 186-5 requirements. The
RSA_PSS_SALTLEN_AUTO behavior caused signing to maximize the salt
length and caused verifying to automatically recover the salt length and
accept all values. Both behaviors are forbidden by FIPS 186-5, and the
verification procedure in RFC 8017 does not admit this auto-recovery
behavior.

Change-Id: I1d5666d3401c335840d8736207143bc673d5c789
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/79987
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
Commit-Queue: Adam Langley <agl@google.com>
Auto-Submit: David Benjamin <davidben@google.com>
4 files changed
tree: b6a33f73d07302b7a6d55f99cd0c61fcce519e1d
  1. .bcr/
  2. .github/
  3. cmake/
  4. crypto/
  5. decrepit/
  6. docs/
  7. fuzz/
  8. gen/
  9. include/
  10. infra/
  11. pki/
  12. rust/
  13. ssl/
  14. third_party/
  15. tool/
  16. util/
  17. .bazelignore
  18. .bazelrc
  19. .bazelversion
  20. .clang-format
  21. .gitignore
  22. API-CONVENTIONS.md
  23. AUTHORS
  24. BREAKING-CHANGES.md
  25. BUILD.bazel
  26. build.json
  27. BUILDING.md
  28. CMakeLists.txt
  29. codereview.settings
  30. CONTRIBUTING.md
  31. FUZZING.md
  32. go.mod
  33. go.sum
  34. INCORPORATING.md
  35. LICENSE
  36. MODULE.bazel
  37. MODULE.bazel.lock
  38. PORTING.md
  39. PrivacyInfo.xcprivacy
  40. README.md
  41. SANDBOXING.md
  42. STYLE.md
README.md

BoringSSL

BoringSSL is a fork of OpenSSL that is designed to meet Google's needs.

Although BoringSSL is an open source project, it is not intended for general use, as OpenSSL is. We don't recommend that third parties depend upon it. Doing so is likely to be frustrating because there are no guarantees of API or ABI stability.

Programs ship their own copies of BoringSSL when they use it and we update everything as needed when deciding to make API changes. This allows us to mostly avoid compromises in the name of compatibility. It works for us, but it may not work for you.

BoringSSL arose because Google used OpenSSL for many years in various ways and, over time, built up a large number of patches that were maintained while tracking upstream OpenSSL. As Google's product portfolio became more complex, more copies of OpenSSL sprung up and the effort involved in maintaining all these patches in multiple places was growing steadily.

Currently BoringSSL is the SSL library in Chrome/Chromium, Android (but it's not part of the NDK) and a number of other apps/programs.

Project links:

To file a security issue, use the Chromium process and mention in the report this is for BoringSSL. You can ignore the parts of the process that are specific to Chromium/Chrome.

There are other files in this directory which might be helpful: