fix: PSS mgf1/saltlen setup for auto-promoted OAEP padding #133
Merged
timlegge merged 2 commits into cpan-authors:main from Mar 22, 2026
Verify that signatures created with OAEP padding (auto-promoted to PSS internally) can be verified with explicit PSS padding and vice versa. This validates that the mgf1 digest and salt length parameters are consistent between auto-promoted and explicit PSS paths. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
… setup When OAEP padding auto-promotes to PSS in sign() and verify(), the mgf1_md and saltlen configuration was skipped because the conditional checked p_rsa->padding (still OAEP) instead of the local sign_pad / verify_pad variable (already promoted to PSS). This meant auto-promoted PSS used OpenSSL defaults (MGF1=SHA-1, saltlen=max) instead of the intended values (MGF1=hash_mode digest, saltlen=digest_length). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
toddr-bot added a commit to toddr-bot/Crypt-OpenSSL-RSA that referenced this pull request Mar 23, 2026
On OpenSSL 3.x, the early CHECK_OPEN_SSL() calls for pctx, params_build, and push_BN operations would croak immediately on failure, bypassing the err: cleanup label. This leaked pctx, params_build, and the input BIGNUMs (n, e, d, p, q). Convert to THROW()/goto err which routes through the existing cleanup code. Also initialize `error` to 0 at declaration (was uninitialized before the if(p||q) block). Additionally adds t/pss_auto_promote.t to MANIFEST (missing since cpan-authors#133). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
What
Fix sign() and verify() to correctly configure PSS mgf1_md and saltlen when OAEP padding auto-promotes to PSS on OpenSSL 3.x.
Why
When `use_pkcs1_oaep_padding` is set and `sign()`/`verify()` are called, the code auto-promotes OAEP to `RSA_PKCS1_PSS_PADDING` (lines 1124-1126 and 1202-1204). However, the PSS parameter setup (mgf1 digest and salt length) checked `p_rsa->padding` — which is still `RSA_PKCS1_OAEP_PADDING` — instead of the local `sign_pad`/`verify_pad` variable that holds the promoted value. This caused the `EVP_PKEY_CTX_set_rsa_mgf1_md` and `EVP_PKEY_CTX_set_rsa_pss_saltlen` calls to be silently skipped, falling back to OpenSSL defaults (MGF1=SHA-1, saltlen=max) instead of the intended values (MGF1=hash mode digest, saltlen=digest length).
How
Two-character fix: replace `p_rsa->padding` with `sign_pad` (line 1133) and `verify_pad` (line 1210) in the PSS parameter setup conditionals.
Testing
`t/pss_auto_promote.t` with 6 tests validating cross-verification between OAEP-auto-promoted and explicit PSS paths
🤖 Generated with Claude Code
Quality Report
Changes: 2 files changed, 65 insertions(+), 2 deletions(-)
Code scan: clean
Tests: passed (OK)
Branch hygiene: clean
Generated by Kōan post-mission quality pipeline
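The guard bug described in this pull request, reduced to a stand-alone C model (an added example, not code from the pull request or from Crypt-OpenSSL-RSA). The enum values, structs and function names are constructed stand-ins, no OpenSSL calls are made, and `configure_pss` stands for the two `EVP_PKEY_CTX_set_rsa_*` calls named in the description.

```c
#include <stdio.h>

/* Constructed stand-ins: not OpenSSL's constants, not the module's structs. */
enum padding { PAD_PKCS1, PAD_OAEP, PAD_PSS };
struct rsa_data { enum padding padding; int digest_len; };
/* configured == 0 means the PSS setup never ran and library defaults apply. */
struct pss_ctx { enum padding pad; int configured; int saltlen; };

/* OAEP cannot sign, so a local copy is promoted to PSS; p_rsa->padding
   itself is left unchanged, which is what the buggy guard trips over. */
static enum padding promote(const struct rsa_data *p_rsa) {
    return p_rsa->padding == PAD_OAEP ? PAD_PSS : p_rsa->padding;
}

/* Stands for the set_rsa_mgf1_md and set_rsa_pss_saltlen calls. */
static void configure_pss(struct pss_ctx *ctx, const struct rsa_data *p_rsa) {
    ctx->configured = 1;
    ctx->saltlen = p_rsa->digest_len;
}

/* Before the fix: the guard reads the stored padding, which is still OAEP. */
struct pss_ctx setup_buggy(const struct rsa_data *p_rsa) {
    struct pss_ctx ctx = { promote(p_rsa), 0, 0 };
    if (p_rsa->padding == PAD_PSS)
        configure_pss(&ctx, p_rsa);
    return ctx;
}

/* After the fix: the guard reads the promoted local value. */
struct pss_ctx setup_fixed(const struct rsa_data *p_rsa) {
    enum padding sign_pad = promote(p_rsa);
    struct pss_ctx ctx = { sign_pad, 0, 0 };
    if (sign_pad == PAD_PSS)
        configure_pss(&ctx, p_rsa);
    return ctx;
}

/* The two paths interoperate only if they end with the same parameters. */
int same_params(struct pss_ctx a, struct pss_ctx b) {
    return a.pad == b.pad && a.configured == b.configured
        && a.saltlen == b.saltlen;
}

int main(void) {
    struct rsa_data oaep = { PAD_OAEP, 32 }, pss = { PAD_PSS, 32 };
    int buggy = same_params(setup_buggy(&oaep), setup_buggy(&pss));
    int fixed = same_params(setup_fixed(&oaep), setup_fixed(&pss));
    printf("paths agree: buggy=%d fixed=%d\n", buggy, fixed);
    return 0;
}
```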