fix: skip RSA_MIN_PAD_SZ check for PSS padding in RsaPublicEncryptEx#10255
fix: skip RSA_MIN_PAD_SZ check for PSS padding in RsaPublicEncryptEx#10255MarkAtwood wants to merge 4 commits into
Conversation
There was a problem hiding this comment.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Adjusts RsaPublicEncryptEx so the RSA_MIN_PAD_SZ (PKCS#1 v1.5) input-length guard does not preempt PSS padding’s own size validation, enabling certain non-standard small key sizes to proceed to RsaPad_PSS.
Changes:
- Skips the
RSA_BUFFER_Eearly-return whenpad_type == WC_RSA_PSS_PAD(underWC_RSA_PSS). - Keeps the existing exception path for
WC_RSA_NO_PADbehavior.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
Restructured as a single compound condition — pushed f05d929. No more implicit nesting of preprocessor-guarded if-statements. Each exemption is now a |
f05d929 to
91a1b28
Compare
|
Restructured per review feedback — the implicit preprocessor nesting is replaced with a |
91a1b28 to
638b327
Compare
dgarske
left a comment
There was a problem hiding this comment.
Skoll Code Review
Scan type: reviewOverall recommendation: COMMENT
Findings: 2 total — 2 posted, 0 skipped
2 finding(s) posted as inline comments (see file-level comments below)
Posted findings
- [Medium] New brace-scoped block introduced solely to declare check_min_pad —
wolfcrypt/src/rsa.c:3700-3715 - [Medium] New PSS small-key code path has no added test coverage —
wolfcrypt/src/rsa.c:3707-3711
Review generated by Skoll
dgarske
left a comment
There was a problem hiding this comment.
CI is unhappy
wolfcrypt/test/test.c: In function ‘rsa_pss_test’:
wolfcrypt/test/test.c:27726:22: error: stack usage might be 33328 bytes [-Werror=stack-usage=]
27726 | static wc_test_ret_t rsa_pss_test(WC_RNG* rng, RsaKey* key)
| ^~~~~~~~~~~~
wolfcrypt/test/test.c:28155:1: error: the frame size of 33248 bytes is larger than 4096 bytes [-Werror=frame-larger-than=]
28155 | }
| ^
cc1: all warnings being treated as errors
The RSA_MIN_PAD_SZ guard (inLen > sz - 11) is a PKCS#1 v1.5 constraint. PSS has its own length check inside RsaPad_PSS (emLen >= hLen + sLen + 2 per RFC 8017) and does not need this guard. For keys in the range [hLen+2, hLen+10] bytes, the outer guard fires and returns RSA_BUFFER_E before RsaPad_PSS ever runs, even though PSS with saltLen=0 would be geometrically valid for those key sizes. Add a WC_RSA_PSS ifdef that skips the RSA_BUFFER_E return when pad_type == WC_RSA_PSS_PAD, mirroring the existing WC_RSA_NO_PADDING exception for raw (no-pad) mode.
Addresses review feedback: avoid fragile implicit nesting of preprocessor-guarded if-statements. Use a single compound condition with && clauses gated by #ifdef instead.
Address review feedback on the RSA PSS size-check exemption: - Hoist `int check_min_pad` to the top-of-function local declarations and drop the wrapper braces that were opened solely to host it, per the wolfSSL C89 declaration convention (dgarske review). - Add a regression test in rsa_pss_test for the [hLen+2, hLen+10] byte modulus window the fix targets. wc_MakeRsaKey cannot produce keys this small (RSA_MIN_SIZE), so the test imports OpenSSL-generated PKCS#1 keys (independent oracle). With SHA-512/saltLen=0 a 576-bit key (emLen=72) is geometrically valid and must sign, while a 512-bit key (emLen=64) must be rejected by RsaPad_PSS with PSS_SALTLEN_E rather than masked as RSA_BUFFER_E by the outer guard. The test fails on the pre-fix code.
The PSS small-key regression block put a full RsaKey on the stack, blowing the smallStackSize CI frame limit (frame 33216 > 2048, stack usage 33312 > 4096). Follow the dh_test idiom: heap-allocate the key under WOLFSSL_SMALL_STACK, free once at exit_rsa_pss. Frame drops to 368 bytes; assertions unchanged.
9ffe458 to
fb93e86
Compare
|
@dgarske Fixed — rsa_pss_test was putting a full RsaKey on the stack, which blows up to ~33 KB under --enable-smallstack --with-max-rsa-bits=16384. Moved it to the heap using the same WOLFSSL_SMALL_STACK pattern as dh_test; frame drops from 33216 to 368 bytes (-fstack-usage), assertions unchanged. Also rebased onto current master (branch was ~3 months behind). Small-stack build: testwolfcrypt passes; non-small-stack branch compiles clean. |
Summary
The
RSA_MIN_PAD_SZguard (inLen > sz - 11→RSA_BUFFER_E) is a PKCS#1 v1.5 concept. PSS has its own length check insideRsaPad_PSS(emLen >= hLen + sLen + 2per RFC 8017 §9.1.1) and the outer guard fires first, beforeRsaPad_PSSever runs.For keys in the range
[hLen+2, hLen+10]bytes, the outer guard incorrectly returnsRSA_BUFFER_Efor combinations where PSS withsaltLen=0would be geometrically valid. Keys in this range are non-standard but valid — they can be loaded from external DER.Fix: add a
WC_RSA_PSS#ifdefthat skips theRSA_BUFFER_Ereturn whenpad_type == WC_RSA_PSS_PAD, mirroring the existingWC_RSA_NO_PADDINGexception for raw mode.Test plan
/cc @wolfSSL-Fenrir-bot please review