crypto/rsa: rsa.SignPSS panics when salt length is -2 or less #54803

@haydentherapper

What version of Go are you using (go version)?

$ go version

Go 1.19

Does this issue reproduce with the latest release?

Yes.

What operating system and processor architecture are you using (go env)?

go env Output
$ go env

What did you do?

When calling rsa.SignPSS, you can provide a salt length in PSSOptions. When providing a negative salt length of -2 or less, a panic occurs when constructing the array. Note that -1 does not panic since it is handled in the case statement.

Proof: https://go.dev/play/p/uSgZHLJvoJJ
Line: https://go.dev/src/crypto/rsa/pss.go#L302

What did you expect to see?

A negative salt length handled gracefully, returning an error.

What did you see instead?

panic: runtime error: makeslice: len out of range

goroutine 1 [running]:
crypto/rsa.SignPSS({0x4ddb80, 0xc000060020}, 0xc000062180, 0x0?, {0xc0002ee000, 0x20, 0x20}, 0x40bd5d?)
	/usr/local/go-faketime/src/crypto/rsa/pss.go:302 +0x165
main.main()
	/tmp/sandbox3866896442/prog.go:17 +0x105

Labels: FrozenDueToAge, NeedsFix (The path to resolution is known, but the work has not been done.)
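
A caller-side guard for the behaviour reported above, as an added example that is not part of the original issue or of the Go project's code: it validates the salt length before rsa.SignPSS is reached, so a value of -2 or less comes back as an error instead of a panic. The names CheckedSignPSS, ErrSaltLength and SignAll are hypothetical, and the key and message are constructed sample data.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

var ErrSaltLength = errors.New("pss: invalid salt length") // this example's own error, not part of crypto/rsa

// CheckedSignPSS (hypothetical helper) rejects bad salt lengths up front, so a
// caller-supplied value never reaches the allocation that panics in Go 1.19.
func CheckedSignPSS(priv *rsa.PrivateKey, h crypto.Hash, digest []byte, saltLen int) ([]byte, error) {
	// EMSA-PSS requires emLen >= hLen + sLen + 2 (RFC 8017, section 9.1.1).
	maxSalt := (priv.N.BitLen()+6)/8 - h.Size() - 2
	switch {
	case saltLen == rsa.PSSSaltLengthAuto || saltLen == rsa.PSSSaltLengthEqualsHash: // 0 and -1: handled by crypto/rsa
	case saltLen < 0:
		return nil, fmt.Errorf("%w: %d is negative", ErrSaltLength, saltLen)
	case saltLen > maxSalt:
		return nil, fmt.Errorf("%w: %d exceeds maximum %d", ErrSaltLength, saltLen, maxSalt)
	}
	return rsa.SignPSS(rand.Reader, priv, h, digest, &rsa.PSSOptions{SaltLength: saltLen, Hash: h})
}

// SignAll signs a constructed message with each salt length under a throwaway
// key and verifies every signature produced; it returns the per-length error.
func SignAll(saltLens ...int) (map[int]error, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte("constructed sample message"))
	out := make(map[int]error, len(saltLens))
	for _, n := range saltLens {
		sig, err := CheckedSignPSS(priv, crypto.SHA256, digest[:], n)
		if err == nil {
			err = rsa.VerifyPSS(&priv.PublicKey, crypto.SHA256, digest[:], sig, nil)
		}
		out[n] = err
	}
	return out, nil
}

func main() { fmt.Println(SignAll(-5, -2, -1, 0, 32)) }
```

The upper bound check is an addition beyond the issue's negative-length case; it covers salt lengths too large for the key size.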