Skip to content

fix: skip RSA_MIN_PAD_SZ check for PSS padding in RsaPublicEncryptEx#10255

Open
MarkAtwood wants to merge 4 commits into
wolfSSL:masterfrom
MarkAtwood:fix/rsa-pss-pubenc-size-check
Open

fix: skip RSA_MIN_PAD_SZ check for PSS padding in RsaPublicEncryptEx#10255
MarkAtwood wants to merge 4 commits into
wolfSSL:masterfrom
MarkAtwood:fix/rsa-pss-pubenc-size-check

Conversation

@MarkAtwood

Copy link
Copy Markdown
Contributor

Summary

The RSA_MIN_PAD_SZ guard (inLen > sz - 11RSA_BUFFER_E) is a PKCS#1 v1.5 concept. PSS has its own length check inside RsaPad_PSS (emLen >= hLen + sLen + 2 per RFC 8017 §9.1.1) and the outer guard fires first, before RsaPad_PSS ever runs.

For keys in the range [hLen+2, hLen+10] bytes, the outer guard incorrectly returns RSA_BUFFER_E for combinations where PSS with saltLen=0 would be geometrically valid. Keys in this range are non-standard but valid — they can be loaded from external DER.

Fix: add a WC_RSA_PSS #ifdef that skips the RSA_BUFFER_E return when pad_type == WC_RSA_PSS_PAD, mirroring the existing WC_RSA_NO_PADDING exception for raw mode.

Test plan

  • PSS encrypt with non-standard key sizes in [hLen+2, hLen+10] bytes no longer returns RSA_BUFFER_E
  • PSS still correctly rejects combinations that exceed its own length constraint (PSS_SALTLEN_E)
  • Existing RSA PSS tests unaffected

/cc @wolfSSL-Fenrir-bot please review

@MarkAtwood MarkAtwood requested review from SparkiDev and Copilot April 17, 2026 22:09

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Adjusts RsaPublicEncryptEx so the RSA_MIN_PAD_SZ (PKCS#1 v1.5) input-length guard does not preempt PSS padding’s own size validation, enabling certain non-standard small key sizes to proceed to RsaPad_PSS.

Changes:

  • Skips the RSA_BUFFER_E early-return when pad_type == WC_RSA_PSS_PAD (under WC_RSA_PSS).
  • Keeps the existing exception path for WC_RSA_NO_PAD behavior.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread wolfcrypt/src/rsa.c Outdated
Comment thread wolfcrypt/src/rsa.c Outdated
@MarkAtwood

Copy link
Copy Markdown
Contributor Author

Restructured as a single compound condition — pushed f05d929. No more implicit nesting of preprocessor-guarded if-statements. Each exemption is now a && clause gated by its own #ifdef, so adding future exemptions is just another line.

@MarkAtwood MarkAtwood force-pushed the fix/rsa-pss-pubenc-size-check branch from f05d929 to 91a1b28 Compare June 3, 2026 21:45
@MarkAtwood

Copy link
Copy Markdown
Contributor Author

Restructured per review feedback — the implicit preprocessor nesting is replaced with a check_min_pad flag pattern (91a1b28). Each exemption is a separate #ifdef block, and there's a single guarded return RSA_BUFFER_E. Ready for re-review.

@MarkAtwood MarkAtwood requested a review from dgarske June 4, 2026 22:19
@MarkAtwood MarkAtwood force-pushed the fix/rsa-pss-pubenc-size-check branch from 91a1b28 to 638b327 Compare June 9, 2026 15:23

@dgarske dgarske left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Skoll Code Review

Scan type: reviewOverall recommendation: COMMENT
Findings: 2 total — 2 posted, 0 skipped
2 finding(s) posted as inline comments (see file-level comments below)

Posted findings

  • [Medium] New brace-scoped block introduced solely to declare check_min_padwolfcrypt/src/rsa.c:3700-3715
  • [Medium] New PSS small-key code path has no added test coveragewolfcrypt/src/rsa.c:3707-3711

Review generated by Skoll

Comment thread wolfcrypt/src/rsa.c Outdated
Comment thread wolfcrypt/src/rsa.c

@dgarske dgarske left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

CI is unhappy

wolfcrypt/test/test.c: In function ‘rsa_pss_test’:
wolfcrypt/test/test.c:27726:22: error: stack usage might be 33328 bytes [-Werror=stack-usage=]
27726 | static wc_test_ret_t rsa_pss_test(WC_RNG* rng, RsaKey* key)
      |                      ^~~~~~~~~~~~
wolfcrypt/test/test.c:28155:1: error: the frame size of 33248 bytes is larger than 4096 bytes [-Werror=frame-larger-than=]
28155 | }
      | ^
cc1: all warnings being treated as errors

The RSA_MIN_PAD_SZ guard (inLen > sz - 11) is a PKCS#1 v1.5 constraint.
PSS has its own length check inside RsaPad_PSS (emLen >= hLen + sLen + 2
per RFC 8017) and does not need this guard. For keys in the range
[hLen+2, hLen+10] bytes, the outer guard fires and returns RSA_BUFFER_E
before RsaPad_PSS ever runs, even though PSS with saltLen=0 would be
geometrically valid for those key sizes.

Add a WC_RSA_PSS ifdef that skips the RSA_BUFFER_E return when
pad_type == WC_RSA_PSS_PAD, mirroring the existing WC_RSA_NO_PADDING
exception for raw (no-pad) mode.
Addresses review feedback: avoid fragile implicit nesting of
preprocessor-guarded if-statements. Use a single compound condition
with && clauses gated by #ifdef instead.
Address review feedback on the RSA PSS size-check exemption:

- Hoist `int check_min_pad` to the top-of-function local declarations and
  drop the wrapper braces that were opened solely to host it, per the
  wolfSSL C89 declaration convention (dgarske review).

- Add a regression test in rsa_pss_test for the [hLen+2, hLen+10] byte
  modulus window the fix targets. wc_MakeRsaKey cannot produce keys this
  small (RSA_MIN_SIZE), so the test imports OpenSSL-generated PKCS#1 keys
  (independent oracle). With SHA-512/saltLen=0 a 576-bit key (emLen=72) is
  geometrically valid and must sign, while a 512-bit key (emLen=64) must be
  rejected by RsaPad_PSS with PSS_SALTLEN_E rather than masked as
  RSA_BUFFER_E by the outer guard. The test fails on the pre-fix code.
The PSS small-key regression block put a full RsaKey on the stack,
blowing the smallStackSize CI frame limit (frame 33216 > 2048,
stack usage 33312 > 4096). Follow the dh_test idiom: heap-allocate
the key under WOLFSSL_SMALL_STACK, free once at exit_rsa_pss.
Frame drops to 368 bytes; assertions unchanged.
@MarkAtwood MarkAtwood force-pushed the fix/rsa-pss-pubenc-size-check branch from 9ffe458 to fb93e86 Compare July 10, 2026 20:23
@MarkAtwood

Copy link
Copy Markdown
Contributor Author

@dgarske Fixed — rsa_pss_test was putting a full RsaKey on the stack, which blows up to ~33 KB under --enable-smallstack --with-max-rsa-bits=16384. Moved it to the heap using the same WOLFSSL_SMALL_STACK pattern as dh_test; frame drops from 33216 to 368 bytes (-fstack-usage), assertions unchanged. Also rebased onto current master (branch was ~3 months behind). Small-stack build: testwolfcrypt passes; non-small-stack branch compiles clean.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants