Restrict salt length for RSA-PSS in the FIPS provider
authorpohsingwu <pohsingwu@synology.com>
Wed, 7 Aug 2024 02:24:36 +0000 (10:24 +0800)
committerPauli <ppzgs1@gmail.com>
Mon, 12 Aug 2024 23:55:36 +0000 (09:55 +1000)
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25115)

16 files changed:
apps/fipsinstall.c
crypto/rsa/rsa_pss.c
doc/man1/openssl-fipsinstall.pod.in
doc/man7/EVP_SIGNATURE-RSA.pod
doc/man7/provider-signature.pod
include/crypto/rsa.h
include/openssl/fips_names.h
providers/common/include/prov/fipscommon.h
providers/fips/fipsprov.c
providers/implementations/signature/rsa_sig.c
test/acvp_test.inc
test/evp_test.c
test/recipes/30-test_evp_data/evppkey_rsa_common.txt
test/recipes/80-test_cms.t
util/mk-fipsmodule-cnf.pl
util/perl/OpenSSL/paramnames.pm

index 2061d0be9ee580bfdd27596ead8123b83bba83c5..09c08f3da1e76331b66bf439294c05897600d332 100644 (file)
@@ -39,7 +39,8 @@ typedef enum OPTION_choice {
     OPT_NO_CONDITIONAL_ERRORS,
     OPT_NO_SECURITY_CHECKS,
     OPT_TLS_PRF_EMS_CHECK, OPT_EDDSA_NO_VERIFY_DIGESTED, OPT_NO_SHORT_MAC,
-    OPT_DISALLOW_PKCS15_PADDING, OPT_DISALLOW_SIGNATURE_X931_PADDING,
+    OPT_DISALLOW_PKCS15_PADDING, OPT_RSA_PSS_SALTLEN_CHECK,
+    OPT_DISALLOW_SIGNATURE_X931_PADDING,
     OPT_DISALLOW_DRGB_TRUNC_DIGEST,
     OPT_SIGNATURE_DIGEST_CHECK,
     OPT_HKDF_DIGEST_CHECK,
@@ -107,6 +108,8 @@ const OPTIONS fipsinstall_options[] = {
      "Disallow Triple-DES encryption"},
     {"rsa_pkcs15_padding_disabled", OPT_DISALLOW_PKCS15_PADDING, '-',
      "Disallow PKCS#1 version 1.5 padding for RSA encryption"},
+    {"rsa_pss_saltlen_check", OPT_RSA_PSS_SALTLEN_CHECK, '-',
+     "Enable salt length check for RSA-PSS signature operations"},
     {"rsa_sign_x931_disabled", OPT_DISALLOW_SIGNATURE_X931_PADDING, '-',
      "Disallow X931 Padding for RSA signing"},
     {"hkdf_key_check", OPT_HKDF_KEY_CHECK, '-',
@@ -159,6 +162,7 @@ typedef struct {
     unsigned int dsa_sign_disabled : 1;
     unsigned int tdes_encrypt_disabled : 1;
     unsigned int rsa_pkcs15_padding_disabled : 1;
+    unsigned int rsa_pss_saltlen_check : 1;
     unsigned int sign_x931_padding_disabled : 1;
     unsigned int hkdf_key_check : 1;
     unsigned int kbkdf_key_check : 1;
@@ -189,6 +193,7 @@ static const FIPS_OPTS pedantic_opts = {
     1,      /* dsa_sign_disabled */
     1,      /* tdes_encrypt_disabled */
     1,      /* rsa_pkcs15_padding_disabled */
+    1,      /* rsa_pss_saltlen_check */
     1,      /* sign_x931_padding_disabled */
     1,      /* hkdf_key_check */
     1,      /* kbkdf_key_check */
@@ -219,6 +224,7 @@ static FIPS_OPTS fips_opts = {
     0,      /* dsa_sign_disabled */
     0,      /* tdes_encrypt_disabled */
     0,      /* rsa_pkcs15_padding_disabled */
+    0,      /* rsa_pss_saltlen_check */
     0,      /* sign_x931_padding_disabled */
     0,      /* hkdf_key_check */
     0,      /* kbkdf_key_check */
@@ -380,6 +386,9 @@ static int write_config_fips_section(BIO *out, const char *section,
         || BIO_printf(out, "%s = %s\n",
                       OSSL_PROV_FIPS_PARAM_RSA_PKCS15_PADDING_DISABLED,
                       opts->rsa_pkcs15_padding_disabled ? "1" : "0") <= 0
+        || BIO_printf(out, "%s = %s\n",
+                      OSSL_PROV_FIPS_PARAM_RSA_PSS_SALTLEN_CHECK,
+                      opts->rsa_pss_saltlen_check ? "1" : "0") <= 0
         || BIO_printf(out, "%s = %s\n",
                       OSSL_PROV_FIPS_PARAM_RSA_SIGN_X931_PAD_DISABLED,
                       opts->sign_x931_padding_disabled ? "1" : "0") <= 0
@@ -620,6 +629,9 @@ int fipsinstall_main(int argc, char **argv)
         case OPT_DISALLOW_TDES_ENCRYPT:
             fips_opts.tdes_encrypt_disabled = 1;
             break;
+        case OPT_RSA_PSS_SALTLEN_CHECK:
+            fips_opts.rsa_pss_saltlen_check = 1;
+            break;
         case OPT_DISALLOW_SIGNATURE_X931_PADDING:
             fips_opts.sign_x931_padding_disabled = 1;
             break;
index 089730bbaef35114b75816d2730773152b9729f8..a8572523a2c194fa07f7684ffd7d0b900338c261 100644 (file)
@@ -38,9 +38,17 @@ int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash,
 int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
                               const EVP_MD *Hash, const EVP_MD *mgf1Hash,
                               const unsigned char *EM, int sLen)
+{
+    return ossl_rsa_verify_PKCS1_PSS_mgf1(rsa, mHash, Hash, mgf1Hash, EM, &sLen);
+}
+
+int ossl_rsa_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
+                                   const EVP_MD *Hash, const EVP_MD *mgf1Hash,
+                                   const unsigned char *EM, int *sLenOut)
 {
     int i;
     int ret = 0;
+    int sLen = *sLenOut;
     int hLen, maskedDBLen, MSBits, emLen;
     const unsigned char *H;
     unsigned char *DB = NULL;
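Review bot: `sLenOut` is read on entry (`int sLen = *sLenOut;`) as well as written, but neither its name nor any comment says so, and the pointer is dereferenced without a NULL check. A short header comment would cover it, e.g. `/* *sLenOut: in = requested salt length or an RSA_PSS_SALTLEN_* sentinel; out = salt length actually found */`. In the later hunk the write-back `*sLenOut = sLen;` sits just before `err:`, so every `goto err` path leaves the caller's value untouched; the comment should say the value is only meaningful after a successful return. The same applies to `ossl_rsa_padding_add_PKCS1_PSS_mgf1` and to both prototypes added in include/crypto/rsa.h. The function body continues outside this hunk.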
@@ -118,13 +126,15 @@ int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
                        "expected: %d retrieved: %d", sLen,
                        maskedDBLen - i);
         goto err;
+    } else {
+        sLen = maskedDBLen - i;
     }
     if (!EVP_DigestInit_ex(ctx, Hash, NULL)
         || !EVP_DigestUpdate(ctx, zeroes, sizeof(zeroes))
         || !EVP_DigestUpdate(ctx, mHash, hLen))
         goto err;
-    if (maskedDBLen - i) {
-        if (!EVP_DigestUpdate(ctx, DB + i, maskedDBLen - i))
+    if (sLen != 0) {
+        if (!EVP_DigestUpdate(ctx, DB + i, sLen))
             goto err;
     }
     if (!EVP_DigestFinal_ex(ctx, H_, NULL))
@@ -136,6 +146,7 @@ int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
         ret = 1;
     }
 
+    *sLenOut = sLen;
  err:
     OPENSSL_free(DB);
     EVP_MD_CTX_free(ctx);
@@ -155,9 +166,18 @@ int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
                                    const unsigned char *mHash,
                                    const EVP_MD *Hash, const EVP_MD *mgf1Hash,
                                    int sLen)
+{
+    return ossl_rsa_padding_add_PKCS1_PSS_mgf1(rsa, EM, mHash, Hash, mgf1Hash, &sLen);
+}
+
+int ossl_rsa_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
+                                        const unsigned char *mHash,
+                                        const EVP_MD *Hash, const EVP_MD *mgf1Hash,
+                                        int *sLenOut)
 {
     int i;
     int ret = 0;
+    int sLen = *sLenOut;
     int hLen, maskedDBLen, MSBits, emLen;
     unsigned char *H, *salt = NULL, *p;
     EVP_MD_CTX *ctx = NULL;
@@ -187,7 +207,7 @@ int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
     if (sLen == RSA_PSS_SALTLEN_DIGEST) {
         sLen = hLen;
     } else if (sLen == RSA_PSS_SALTLEN_MAX_SIGN
-            || sLen == RSA_PSS_SALTLEN_AUTO) {
+               || sLen == RSA_PSS_SALTLEN_AUTO) {
         sLen = RSA_PSS_SALTLEN_MAX;
     } else if (sLen == RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) {
         sLen = RSA_PSS_SALTLEN_MAX;
@@ -261,6 +281,7 @@ int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
 
     ret = 1;
 
+    *sLenOut = sLen;
  err:
     EVP_MD_CTX_free(ctx);
     OPENSSL_clear_free(salt, (size_t)sLen); /* salt != NULL implies sLen > 0 */
index 4b1564e89811ed1daf3fc529db6c941244da3ffd..eae0314471dcfa76865fa72a7eebdd7ed6299727 100644 (file)
@@ -37,6 +37,7 @@ B<openssl fipsinstall>
 [B<-no_short_mac>]
 [B<-tdes_encrypt_disabled>]
 [B<-rsa_pkcs15_padding_disabled>]
+[B<-rsa_pss_saltlen_check>]
 [B<-rsa_sign_x931_disabled>]
 [B<-hkdf_key_check>]
 [B<-kbkdf_key_check>]
@@ -280,6 +281,12 @@ Configure the module to not allow PKCS#1 version 1.5 padding to be used with
 RSA for key transport and key agreement.  See NIST's SP 800-131A Revision 2
 for details.
 
+=item B<-rsa_pss_saltlen_check>
+
+Configure the module to enable a run-time salt length check when generating or
+verifying a RSA-PSS signature.
+See FIPS 186-5 5.4 (g) for details.
+
 =item B<-rsa_sign_x931_disabled>
 
 Configure the module to not allow X9.31 padding to be used when signing with
index bc8fcaabe974b3316db69635b8ee48da955862f1..95ecb3d79dda621a40afab83f0a07c7016415ce8 100644 (file)
@@ -86,6 +86,16 @@ digest size when signing to comply with FIPS 186-4 section 5.5.
 
 =back
 
+=item "rsa-pss-saltlen-check" (B<OSSL_SIGNATURE_PARAM_FIPS_RSA_PSS_SALTLEN_CHECK>) <integer>
+
+The default value of 1 causes an error during signature generation or
+verification if salt length (B<OSSL_SIGNATURE_PARAM_PSS_SALTLEN>) is not between
+zero and the output block size of the digest function (inclusive).
+Setting this to zero will ignore the error and set the approved "fips-indicator"
+to 0.
+This option is used by the OpenSSL FIPS provider, and breaks FIPS compliance if
+set to 0.
+
 =back
 
 The following signature parameters can be retrieved using
index 6d977d9cb1f04ce507f2c27d7d50e5c85ab61725..e09f5f31d44e4f067d94e9b1b6c6f238386aa4e7 100644 (file)
@@ -414,14 +414,14 @@ the error and set the approved "fips-indicator" to 0.
 This option is used by the OpenSSL FIPS provider, and breaks FIPS compliance if
 set to 0.
 
-=item "sign-check" (B<OSSL_SIGNATURE_PARAM_FIPS_SIGN_CHECK>) <int>
+=item "sign-check" (B<OSSL_SIGNATURE_PARAM_FIPS_SIGN_CHECK>) <integer>
 
 If required this parameter should be set early via an init function.
 The default value of 1 causes an error when a signing algorithm is used. (This
 is triggered by deprecated signing algorithms).
 Setting this to 0 will ignore the error and set the approved "fips-indicator" to 0.
 
-=item "sign-x931-pad-check" (B<SIGNATURE_PARAM_FIPS_SIGN_X931_PAD_CHECK>) <int>
+=item "sign-x931-pad-check" (B<SIGNATURE_PARAM_FIPS_SIGN_X931_PAD_CHECK>) <integer>
 
 If required this parameter should be set before the padding mode is set
 The default value of 1 causes an error if the padding mode is set to X9.31 padding
index 592efdb7fc879739639844b7fdaf2d2fc210517c..f9fd39e97bcfd3d473d1e71d1d1a13e4e96300fe 100644 (file)
@@ -46,6 +46,14 @@ int ossl_rsa_pss_params_30_maskgenhashalg(const RSA_PSS_PARAMS_30 *rsa_pss_param
 int ossl_rsa_pss_params_30_saltlen(const RSA_PSS_PARAMS_30 *rsa_pss_params);
 int ossl_rsa_pss_params_30_trailerfield(const RSA_PSS_PARAMS_30 *rsa_pss_params);
 
+int ossl_rsa_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
+                                   const EVP_MD *Hash, const EVP_MD *mgf1Hash,
+                                   const unsigned char *EM, int *sLenOut);
+int ossl_rsa_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
+                                        const unsigned char *mHash,
+                                        const EVP_MD *Hash, const EVP_MD *mgf1Hash,
+                                        int *sLenOut);
+
 const char *ossl_rsa_mgf_nid2name(int mgf);
 int ossl_rsa_oaeppss_md2nid(const EVP_MD *md);
 const char *ossl_rsa_oaeppss_nid2name(int md);
index f490ff5de1316f1fe8187079ecdd2d66414dd1d4..7e914e9dd573f68a2501e55710bf4a8572dd0a73 100644 (file)
@@ -165,6 +165,15 @@ extern "C" {
  */
 # define OSSL_PROV_FIPS_PARAM_RSA_PKCS15_PADDING_DISABLED \
             "rsa-pkcs15-padding-disabled"
+
+/*
+ * A boolean that determines if the runtime salt length check for RSA-PSS is
+ * performed.
+ * This is disabled by default.
+ * Type: OSSL_PARAM_UTF8_STRING
+ */
+# define OSSL_PROV_FIPS_PARAM_RSA_PSS_SALTLEN_CHECK "rsa-pss-saltlen-check"
+
 /*
  * A boolean that determines if X9.31 padding can be used for RSA signing.
  * X9.31 RSA has been removed from FIPS 186-5, and is no longer approved for
index cb1cfb2e435be6357c27b134010f9e1fb57cc9c1..077ec1f37d6b6162e75e6c2986cb211e04c65502 100644 (file)
@@ -25,6 +25,7 @@ int FIPS_x963kdf_digest_check(OSSL_LIB_CTX *libctx);
 int FIPS_dsa_sign_check(OSSL_LIB_CTX *libctx);
 int FIPS_tdes_encrypt_check(OSSL_LIB_CTX *libctx);
 int FIPS_rsa_pkcs15_padding_disabled(OSSL_LIB_CTX *libctx);
+int FIPS_rsa_pss_saltlen_check(OSSL_LIB_CTX *libctx);
 int FIPS_rsa_sign_x931_disallowed(OSSL_LIB_CTX *libctx);
 int FIPS_hkdf_key_check(OSSL_LIB_CTX *libctx);
 int FIPS_kbkdf_key_check(OSSL_LIB_CTX *libctx);
index fa6c38f4188e7609ad7a69c70e5b2f66ef542008..f64082e89539fdbf5e75d51c91950f59a196c706 100644 (file)
@@ -106,6 +106,7 @@ typedef struct fips_global_st {
     FIPS_OPTION fips_dsa_sign_disallowed;
     FIPS_OPTION fips_tdes_encrypt_disallowed;
     FIPS_OPTION fips_rsa_pkcs15_padding_disabled;
+    FIPS_OPTION fips_rsa_pss_saltlen_check;
     FIPS_OPTION fips_rsa_sign_x931_disallowed;
     FIPS_OPTION fips_hkdf_key_check;
     FIPS_OPTION fips_kbkdf_key_check;
@@ -144,6 +145,7 @@ void *ossl_fips_prov_ossl_ctx_new(OSSL_LIB_CTX *libctx)
     init_fips_option(&fgbl->fips_dsa_sign_disallowed, 0);
     init_fips_option(&fgbl->fips_tdes_encrypt_disallowed, 0);
     init_fips_option(&fgbl->fips_rsa_pkcs15_padding_disabled, 0);
+    init_fips_option(&fgbl->fips_rsa_pss_saltlen_check, 0);
     init_fips_option(&fgbl->fips_rsa_sign_x931_disallowed, 0);
     init_fips_option(&fgbl->fips_hkdf_key_check, 0);
     init_fips_option(&fgbl->fips_kbkdf_key_check, 0);
@@ -216,7 +218,7 @@ static int fips_get_params_from_core(FIPS_GLOBAL *fgbl)
     * OSSL_PROV_FIPS_PARAM_SECURITY_CHECKS and
     * OSSL_PROV_FIPS_PARAM_TLS1_PRF_EMS_CHECK are not self test parameters.
     */
-    OSSL_PARAM core_params[31], *p = core_params;
+    OSSL_PARAM core_params[32], *p = core_params;
 
     *p++ = OSSL_PARAM_construct_utf8_ptr(
             OSSL_PROV_PARAM_CORE_MODULE_FILENAME,
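Review bot: The bound of `core_params` is bumped by hand from 31 to 32, and nothing visible in this hunk ties it to the number of entries appended through `p`. If each `FIPS_FEATURE_OPTION` line further down advances `p` (presumably; the macro is not shown here), a forgotten bump for the next option would write past a stack array during provider initialisation. A guard before the list is terminated, e.g. `if (!ossl_assert(p < core_params + OSSL_NELEM(core_params))) return 0;`, or a size derived from a named count, would make that mistake fail loudly. fips_get_params_from_core starts and ends outside the hunk.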
@@ -279,6 +281,8 @@ static int fips_get_params_from_core(FIPS_GLOBAL *fgbl)
                         fips_tdes_encrypt_disallowed);
     FIPS_FEATURE_OPTION(fgbl, OSSL_PROV_FIPS_PARAM_RSA_PKCS15_PADDING_DISABLED,
                         fips_rsa_pkcs15_padding_disabled);
+    FIPS_FEATURE_OPTION(fgbl, OSSL_PROV_FIPS_PARAM_RSA_PSS_SALTLEN_CHECK,
+                        fips_rsa_pss_saltlen_check);
     FIPS_FEATURE_OPTION(fgbl, OSSL_PROV_FIPS_PARAM_RSA_SIGN_X931_PAD_DISABLED,
                         fips_rsa_sign_x931_disallowed);
     FIPS_FEATURE_OPTION(fgbl, OSSL_PROV_FIPS_PARAM_HKDF_KEY_CHECK,
@@ -368,6 +372,8 @@ static int fips_get_params(void *provctx, OSSL_PARAM params[])
                      fips_tdes_encrypt_disallowed);
     FIPS_FEATURE_GET(fgbl, OSSL_PROV_FIPS_PARAM_RSA_PKCS15_PADDING_DISABLED,
                      fips_rsa_pkcs15_padding_disabled);
+    FIPS_FEATURE_GET(fgbl, OSSL_PROV_PARAM_RSA_PSS_SALTLEN_CHECK,
+                     fips_rsa_pss_saltlen_check);
     FIPS_FEATURE_GET(fgbl, OSSL_PROV_PARAM_RSA_SIGN_X931_PAD_DISABLED,
                      fips_rsa_sign_x931_disallowed);
     FIPS_FEATURE_GET(fgbl, OSSL_PROV_PARAM_HKDF_KEY_CHECK,
@@ -932,6 +938,7 @@ int OSSL_provider_init_int(const OSSL_CORE_HANDLE *handle,
     FIPS_SET_OPTION(fgbl, fips_dsa_sign_disallowed);
     FIPS_SET_OPTION(fgbl, fips_tdes_encrypt_disallowed);
     FIPS_SET_OPTION(fgbl, fips_rsa_pkcs15_padding_disabled);
+    FIPS_SET_OPTION(fgbl, fips_rsa_pss_saltlen_check);
     FIPS_SET_OPTION(fgbl, fips_rsa_sign_x931_disallowed);
     FIPS_SET_OPTION(fgbl, fips_hkdf_key_check);
     FIPS_SET_OPTION(fgbl, fips_kbkdf_key_check);
@@ -1155,6 +1162,7 @@ FIPS_FEATURE_CHECK(FIPS_dsa_sign_check, fips_dsa_sign_disallowed)
 FIPS_FEATURE_CHECK(FIPS_tdes_encrypt_check, fips_tdes_encrypt_disallowed)
 FIPS_FEATURE_CHECK(FIPS_rsa_pkcs15_padding_disabled,
                    fips_rsa_pkcs15_padding_disabled)
+FIPS_FEATURE_CHECK(FIPS_rsa_pss_saltlen_check, fips_rsa_pss_saltlen_check)
 FIPS_FEATURE_CHECK(FIPS_rsa_sign_x931_disallowed,
                    fips_rsa_sign_x931_disallowed)
 FIPS_FEATURE_CHECK(FIPS_hkdf_key_check, fips_hkdf_key_check)
index 7eded5b058340229cdfb79fc9fef3ad77085c697..184267d16d5fd31b1e1144d8a19d1634026d1eed 100644 (file)
@@ -574,6 +574,32 @@ static void free_tbuf(PROV_RSA_CTX *ctx)
     ctx->tbuf = NULL;
 }
 
+#ifdef FIPS_MODULE
+static int rsa_pss_saltlen_check_passed(PROV_RSA_CTX *ctx, const char *algoname, int saltlen)
+{
+    int mdsize = rsa_get_md_size(ctx);
+    /*
+     * Perform the check if the salt length is compliant to FIPS 186-5.
+     *
+     * According to FIPS 186-5 5.4 (g), the salt length shall be between zero
+     * and the output block length of the digest function (inclusive).
+     */
+    int approved = (saltlen >= 0 && saltlen <= mdsize);
+
+    if (!approved) {
+        if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE3,
+                                         ctx->libctx,
+                                         algoname, "PSS Salt Length",
+                                         FIPS_rsa_pss_saltlen_check)) {
+            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH);
+            return 0;
+        }
+    }
+
+    return 1;
+}
+#endif
+
 static int rsa_sign_init(void *vprsactx, void *vrsa, const OSSL_PARAM params[])
 {
     if (!ossl_prov_is_running())
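Review bot: `rsa_pss_saltlen_check_passed()` returns 1 not only when the salt length lies within 0..digest size but also when it is out of range and `OSSL_FIPS_IND_ON_UNAPPROVED` lets the operation continue, so the name over-promises and the function needs a header comment. Something like `/* Returns 1 to continue (approved, or unapproved but permitted by the indicator); 0 with PROV_R_INVALID_SALT_LENGTH raised otherwise */` would do. `rsa_get_md_size(ctx)` is stored in an `int` and used unchecked; its definition is not visible here, but if it can yield 0 when no digest is set, only a zero-length salt would count as approved, which deserves a comment or an explicit guard. The trailing context (`rsa_sign_init`) continues outside the hunk.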
@@ -663,46 +689,55 @@ static int rsa_sign(void *vprsactx, unsigned char *sig, size_t *siglen,
             break;
 
         case RSA_PKCS1_PSS_PADDING:
-            /* Check PSS restrictions */
-            if (rsa_pss_restricted(prsactx)) {
-                switch (prsactx->saltlen) {
-                case RSA_PSS_SALTLEN_DIGEST:
-                    if (prsactx->min_saltlen > EVP_MD_get_size(prsactx->md)) {
-                        ERR_raise_data(ERR_LIB_PROV,
-                                       PROV_R_PSS_SALTLEN_TOO_SMALL,
-                                       "minimum salt length set to %d, "
-                                       "but the digest only gives %d",
-                                       prsactx->min_saltlen,
-                                       EVP_MD_get_size(prsactx->md));
-                        return 0;
-                    }
-                    /* FALLTHRU */
-                default:
-                    if (prsactx->saltlen >= 0
-                        && prsactx->saltlen < prsactx->min_saltlen) {
-                        ERR_raise_data(ERR_LIB_PROV,
-                                       PROV_R_PSS_SALTLEN_TOO_SMALL,
-                                       "minimum salt length set to %d, but the"
-                                       "actual salt length is only set to %d",
-                                       prsactx->min_saltlen,
-                                       prsactx->saltlen);
-                        return 0;
+            {
+                int saltlen;
+
+                /* Check PSS restrictions */
+                if (rsa_pss_restricted(prsactx)) {
+                    switch (prsactx->saltlen) {
+                    case RSA_PSS_SALTLEN_DIGEST:
+                        if (prsactx->min_saltlen > EVP_MD_get_size(prsactx->md)) {
+                            ERR_raise_data(ERR_LIB_PROV,
+                                           PROV_R_PSS_SALTLEN_TOO_SMALL,
+                                           "minimum salt length set to %d, "
+                                           "but the digest only gives %d",
+                                           prsactx->min_saltlen,
+                                           EVP_MD_get_size(prsactx->md));
+                            return 0;
+                        }
+                        /* FALLTHRU */
+                    default:
+                        if (prsactx->saltlen >= 0
+                            && prsactx->saltlen < prsactx->min_saltlen) {
+                            ERR_raise_data(ERR_LIB_PROV,
+                                           PROV_R_PSS_SALTLEN_TOO_SMALL,
+                                           "minimum salt length set to %d, but the"
+                                           "actual salt length is only set to %d",
+                                           prsactx->min_saltlen,
+                                           prsactx->saltlen);
+                            return 0;
+                        }
+                        break;
                     }
-                    break;
                 }
+                if (!setup_tbuf(prsactx))
+                    return 0;
+                saltlen = prsactx->saltlen;
+                if (!ossl_rsa_padding_add_PKCS1_PSS_mgf1(prsactx->rsa,
+                                                         prsactx->tbuf, tbs,
+                                                         prsactx->md, prsactx->mgf1_md,
+                                                         &saltlen)) {
+                    ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);
+                    return 0;
+                }
+#ifdef FIPS_MODULE
+                if (!rsa_pss_saltlen_check_passed(prsactx, "RSA Sign", saltlen))
+                    return 0;
+#endif
+                ret = RSA_private_encrypt(RSA_size(prsactx->rsa), prsactx->tbuf,
+                                          sig, prsactx->rsa, RSA_NO_PADDING);
+                clean_tbuf(prsactx);
             }
-            if (!setup_tbuf(prsactx))
-                return 0;
-            if (!RSA_padding_add_PKCS1_PSS_mgf1(prsactx->rsa,
-                                                prsactx->tbuf, tbs,
-                                                prsactx->md, prsactx->mgf1_md,
-                                                prsactx->saltlen)) {
-                ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);
-                return 0;
-            }
-            ret = RSA_private_encrypt(RSA_size(prsactx->rsa), prsactx->tbuf,
-                                      sig, prsactx->rsa, RSA_NO_PADDING);
-            clean_tbuf(prsactx);
             break;
 
         default:
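Review bot: When `rsa_pss_saltlen_check_passed()` fails in the PSS branch, the function returns with the freshly encoded message still in `prsactx->tbuf`, whereas the success path calls `clean_tbuf(prsactx)` after `RSA_private_encrypt`. Adding `clean_tbuf(prsactx);` before that `return 0;` would keep a rejected, non-approved encoding from lingering in the context. The `return 0` after a failed `ossl_rsa_padding_add_PKCS1_PSS_mgf1` has the same shape and could be treated likewise. A one-line comment is also worth adding to say that the check has to follow the padding call, because the sentinel values of `prsactx->saltlen` are only resolved to a real length inside it (see the rsa_pss.c hunk). rsa_sign starts and ends outside this hunk.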
@@ -856,6 +891,7 @@ static int rsa_verify(void *vprsactx, const unsigned char *sig, size_t siglen,
         case RSA_PKCS1_PSS_PADDING:
             {
                 int ret;
+                int saltlen;
                 size_t mdsize;
 
                 /*
@@ -878,14 +914,19 @@ static int rsa_verify(void *vprsactx, const unsigned char *sig, size_t siglen,
                     ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);
                     return 0;
                 }
-                ret = RSA_verify_PKCS1_PSS_mgf1(prsactx->rsa, tbs,
-                                                prsactx->md, prsactx->mgf1_md,
-                                                prsactx->tbuf,
-                                                prsactx->saltlen);
+                saltlen = prsactx->saltlen;
+                ret = ossl_rsa_verify_PKCS1_PSS_mgf1(prsactx->rsa, tbs,
+                                                     prsactx->md, prsactx->mgf1_md,
+                                                     prsactx->tbuf,
+                                                     &saltlen);
                 if (ret <= 0) {
                     ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);
                     return 0;
                 }
+#ifdef FIPS_MODULE
+                if (!rsa_pss_saltlen_check_passed(prsactx, "RSA Verify", saltlen))
+                    return 0;
+#endif
                 return 1;
             }
         default:
@@ -1259,15 +1300,19 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
 
     if (!OSSL_FIPS_IND_SET_CTX_PARAM(prsactx, OSSL_FIPS_IND_SETTABLE0, params,
                                      OSSL_SIGNATURE_PARAM_FIPS_KEY_CHECK))
-        return  0;
+        return 0;
 
     if (!OSSL_FIPS_IND_SET_CTX_PARAM(prsactx, OSSL_FIPS_IND_SETTABLE1, params,
                                      OSSL_SIGNATURE_PARAM_FIPS_DIGEST_CHECK))
-        return  0;
+        return 0;
 
     if (!OSSL_FIPS_IND_SET_CTX_PARAM(prsactx, OSSL_FIPS_IND_SETTABLE2, params,
                                      OSSL_SIGNATURE_PARAM_FIPS_SIGN_X931_PAD_CHECK))
-        return  0;
+        return 0;
+
+    if (!OSSL_FIPS_IND_SET_CTX_PARAM(prsactx, OSSL_FIPS_IND_SETTABLE3, params,
+                                     OSSL_SIGNATURE_PARAM_FIPS_RSA_PSS_SALTLEN_CHECK))
+        return 0;
 
     pad_mode = prsactx->pad_mode;
     saltlen = prsactx->saltlen;
@@ -1497,6 +1542,7 @@ static const OSSL_PARAM settable_ctx_params[] = {
     OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL, 0),
     OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_SIGNATURE_PARAM_FIPS_KEY_CHECK)
     OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_SIGNATURE_PARAM_FIPS_DIGEST_CHECK)
+    OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_SIGNATURE_PARAM_FIPS_RSA_PSS_SALTLEN_CHECK)
     OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_SIGNATURE_PARAM_FIPS_SIGN_X931_PAD_CHECK)
     OSSL_PARAM_END
 };
@@ -1508,6 +1554,7 @@ static const OSSL_PARAM settable_ctx_params_no_digest[] = {
     OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL, 0),
     OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_SIGNATURE_PARAM_FIPS_KEY_CHECK)
     OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_SIGNATURE_PARAM_FIPS_DIGEST_CHECK)
+    OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_SIGNATURE_PARAM_FIPS_RSA_PSS_SALTLEN_CHECK)
     OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_SIGNATURE_PARAM_FIPS_SIGN_X931_PAD_CHECK)
     OSSL_PARAM_END
 };
index ad11d3ae1eb50825433c0e3eebcbca5f8fc3cbf3..8670cfa0ab90c7b83963639bc0049d781a3d1139 100644 (file)
@@ -1225,7 +1225,7 @@ static const struct rsa_siggen_st rsa_siggen_data[] = {
         2048,
         "SHA384",
         ITM(rsa_siggen0_msg),
-        62
+        48
     },
 };
 
@@ -1391,70 +1391,70 @@ static const unsigned char rsa_sigver15_1_sig[] = {
 };
 
 static const unsigned char rsa_sigverpss_0_n[] = {
-    0xb2, 0xee, 0xdd, 0xdf, 0xa0, 0x35, 0x92, 0x21,
-    0xf4, 0x8e, 0xc3, 0x24, 0x39, 0xed, 0xe2, 0x38,
-    0xc0, 0xaa, 0xff, 0x35, 0x75, 0x27, 0x05, 0xd4,
-    0x84, 0x78, 0x23, 0x50, 0xa5, 0x64, 0x1e, 0x11,
-    0x45, 0x2a, 0xb1, 0xeb, 0x97, 0x07, 0x0b, 0xff,
-    0xb3, 0x1f, 0xc4, 0xa4, 0x80, 0xae, 0x1c, 0x8c,
-    0x66, 0x71, 0x95, 0x80, 0x60, 0xea, 0x4d, 0xde,
-    0x90, 0x98, 0xe8, 0xe2, 0x96, 0xa7, 0x0e, 0x5f,
-    0x00, 0x74, 0xed, 0x79, 0xc3, 0xe2, 0xc2, 0x4e,
-    0xbe, 0x07, 0xbd, 0xb1, 0xb2, 0xeb, 0x6c, 0x29,
-    0x9a, 0x59, 0x29, 0x81, 0xa3, 0x83, 0xa3, 0x00,
-    0x24, 0xa8, 0xfd, 0x45, 0xbb, 0xca, 0x1e, 0x44,
-    0x47, 0xbb, 0x82, 0x4a, 0x5b, 0x71, 0x46, 0xc0,
-    0xb4, 0xcc, 0x1b, 0x5e, 0x88, 0x9c, 0x89, 0x69,
-    0xb4, 0xb0, 0x7c, 0x8e, 0xea, 0x24, 0xc0, 0x2f,
-    0xc8, 0x3f, 0x9d, 0x9f, 0x43, 0xd3, 0xf0, 0x25,
-    0x67, 0xf1, 0xf0, 0x9b, 0xd4, 0xff, 0x17, 0x9f,
-    0xc3, 0x41, 0x2f, 0x53, 0x33, 0xdd, 0x73, 0x8a,
-    0x5c, 0x74, 0x04, 0x3b, 0x60, 0xcc, 0x9f, 0xca,
-    0x01, 0xb0, 0x0d, 0xe0, 0xcf, 0xb2, 0xf0, 0x08,
-    0x73, 0xb6, 0x67, 0x6c, 0x54, 0x9e, 0x1c, 0x01,
-    0xb5, 0x34, 0xab, 0xcf, 0x77, 0xfe, 0x04, 0x01,
-    0xc1, 0xd2, 0x4d, 0x47, 0x60, 0x5c, 0x68, 0x47,
-    0x8a, 0x47, 0x3c, 0x3a, 0xa3, 0xb2, 0x75, 0x87,
-    0x6e, 0x01, 0x7b, 0xdb, 0xe9, 0x6e, 0x63, 0xb2,
-    0x65, 0xab, 0xc6, 0xed, 0x0d, 0xa6, 0x84, 0xff,
-    0xf3, 0xcf, 0xd3, 0x9a, 0x96, 0x9b, 0x5c, 0x22,
-    0xf8, 0x07, 0x7d, 0x63, 0x75, 0x50, 0x91, 0x5b,
-    0xc4, 0x1f, 0x29, 0x1f, 0x5d, 0xb0, 0x6e, 0xfa,
-    0x9b, 0x16, 0xf0, 0xe4, 0xda, 0x2c, 0x94, 0x20,
-    0x9b, 0x44, 0x51, 0x38, 0xd0, 0xe4, 0x86, 0xc9,
-    0x76, 0x12, 0x04, 0x1a, 0x25, 0x14, 0xb7, 0x14,
-    0xdb, 0x6e, 0xd2, 0xc3, 0x57, 0x2c, 0x4c, 0xec,
-    0xfe, 0x25, 0xed, 0x3e, 0xe3, 0x26, 0xa8, 0xd4,
-    0xd0, 0x21, 0xbc, 0x09, 0x7e, 0xb0, 0x02, 0x3c,
-    0xa3, 0x43, 0xa4, 0x1f, 0x73, 0x54, 0x5f, 0xa3,
-    0xe2, 0x49, 0x4e, 0x25, 0xe8, 0xfc, 0xfb, 0xa9,
-    0x29, 0xc0, 0x7d, 0xd0, 0x06, 0xd5, 0x5c, 0x52,
-    0x68, 0x3c, 0xf8, 0xc5, 0xdb, 0x92, 0x27, 0x7c,
-    0xd8, 0x56, 0x1a, 0x7d, 0xe3, 0x32, 0xe5, 0x08,
-    0xc9, 0x36, 0x9d, 0x7e, 0xd2, 0x2d, 0xc2, 0x53,
-    0xf2, 0x7e, 0xce, 0x8a, 0x10, 0x5c, 0xf7, 0xe9,
-    0x99, 0xa6, 0xa8, 0xf5, 0x8d, 0x6c, 0xed, 0xf3,
-    0xa1, 0xc8, 0x2a, 0x75, 0x77, 0x99, 0x18, 0xe1,
-    0x32, 0xdb, 0x35, 0x4a, 0x8b, 0x4a, 0xec, 0xc2,
-    0x15, 0xe9, 0x4b, 0x89, 0x13, 0x81, 0xfb, 0x0c,
-    0xf9, 0xb4, 0xd8, 0xee, 0xb5, 0xba, 0x45, 0xa1,
-    0xea, 0x01, 0xf9, 0xbb, 0xd5, 0xa1, 0x73, 0xa1,
-    0x5b, 0xef, 0x98, 0xa8, 0xcf, 0x74, 0xf4, 0xd5,
-    0x1a, 0xe2, 0xa7, 0xb9, 0x37, 0x43, 0xb1, 0x29,
-    0x94, 0xc3, 0x71, 0x74, 0x34, 0x7d, 0x6f, 0xac,
-    0x97, 0xb3, 0x5b, 0x3a, 0x0a, 0x3c, 0xe2, 0x94,
-    0x6c, 0x39, 0xb8, 0xe9, 0x2c, 0xf9, 0xc3, 0x8b,
-    0xd1, 0x80, 0x4d, 0x22, 0x64, 0x63, 0x20, 0x1b,
-    0xeb, 0xf9, 0x09, 0x14, 0x86, 0x6e, 0xf4, 0x6d,
-    0xfc, 0xe5, 0x1b, 0xf7, 0xf2, 0xe0, 0x4d, 0xc8,
-    0xeb, 0x24, 0x35, 0x16, 0x0a, 0x81, 0x9f, 0x9e,
-    0x47, 0xd8, 0xea, 0x85, 0xda, 0x77, 0x6c, 0x3d,
-    0xd4, 0xa9, 0x15, 0xbd, 0xda, 0x5d, 0xf0, 0x72,
-    0x8d, 0xb5, 0x12, 0x72, 0xb1, 0x62, 0xa0, 0xad,
-    0xc8, 0x0e, 0x5b, 0x47, 0x4c, 0x69, 0xf7, 0x07,
-    0xe8, 0xd9, 0x9b, 0xc7, 0x2f, 0xd5, 0x68, 0x1e,
-    0x1c, 0xe0, 0x8f, 0x40, 0x45, 0x5f, 0x08, 0xc8,
-    0x95, 0x57, 0xb7, 0x35, 0x92, 0x97, 0xf9, 0x7d,
+    0xb2, 0x76, 0x6c, 0x31, 0x01, 0x15, 0xd8, 0xe7,
+    0x88, 0xd3, 0x4a, 0xb2, 0x75, 0xc8, 0xeb, 0x1f,
+    0xd4, 0xe3, 0xf7, 0xbc, 0x83, 0xb6, 0xe7, 0x88,
+    0x1f, 0x77, 0x36, 0xe1, 0x61, 0x2b, 0xa1, 0x83,
+    0xe5, 0x0b, 0x59, 0x8c, 0xd9, 0x7c, 0x88, 0x3e,
+    0x68, 0xef, 0x71, 0x1b, 0x72, 0x5d, 0x5e, 0xfe,
+    0xa8, 0x1f, 0xe9, 0x8c, 0x41, 0x18, 0xd3, 0x90,
+    0x2f, 0x6d, 0xc3, 0x46, 0x74, 0x69, 0x9b, 0xe1,
+    0x46, 0x9c, 0x9d, 0xaf, 0x5c, 0x36, 0xb8, 0x54,
+    0xf0, 0x67, 0xcb, 0x2c, 0xf4, 0x81, 0x7a, 0x4d,
+    0xaf, 0x1b, 0x53, 0xc9, 0x3d, 0xbf, 0x2e, 0xee,
+    0xe2, 0xe5, 0x00, 0x34, 0x58, 0xfd, 0x9f, 0xd0,
+    0xa5, 0xdf, 0x20, 0x04, 0x41, 0x5f, 0x1b, 0x53,
+    0xd5, 0x25, 0x9a, 0x06, 0x9d, 0xb6, 0x57, 0xa0,
+    0x3e, 0xea, 0x21, 0x32, 0x85, 0xed, 0x34, 0xcb,
+    0x4e, 0x96, 0xcc, 0xe6, 0xe0, 0x86, 0x9a, 0x38,
+    0xeb, 0x1c, 0xb0, 0x9c, 0x90, 0xf1, 0xca, 0xe0,
+    0x56, 0x1e, 0xf3, 0x90, 0xe0, 0xa8, 0x1f, 0x18,
+    0xcf, 0xac, 0x22, 0xec, 0x72, 0x59, 0xfd, 0x08,
+    0x41, 0x68, 0xc0, 0x7a, 0x19, 0xfe, 0x85, 0x6b,
+    0x7a, 0xf8, 0x20, 0x80, 0x66, 0xf2, 0xfc, 0x27,
+    0xc7, 0xa9, 0x39, 0xa7, 0x39, 0x01, 0xed, 0x78,
+    0xa7, 0x5f, 0xa5, 0x48, 0x99, 0x55, 0xb5, 0x0f,
+    0xb3, 0x08, 0x14, 0x00, 0xfc, 0xc1, 0x5a, 0xb8,
+    0xa1, 0xd4, 0xfd, 0x9b, 0xb8, 0xbc, 0x3b, 0x7f,
+    0x0b, 0x2e, 0x52, 0x22, 0x01, 0xc0, 0x24, 0x2b,
+    0xda, 0xfd, 0x61, 0xfc, 0x72, 0xe7, 0x72, 0x84,
+    0x7d, 0x57, 0xae, 0x52, 0xda, 0x47, 0x29, 0xac,
+    0x4b, 0x52, 0xb5, 0x0c, 0xa8, 0xe7, 0x70, 0x5d,
+    0x06, 0x67, 0x29, 0xb2, 0x68, 0xae, 0xb5, 0x27,
+    0x84, 0xab, 0x8f, 0x26, 0x8b, 0x6e, 0x8a, 0x61,
+    0x25, 0x11, 0x92, 0xc6, 0x07, 0x7e, 0x05, 0x19,
+    0xc2, 0xf3, 0xbc, 0xb1, 0xf9, 0x2d, 0x6e, 0x52,
+    0x85, 0x1c, 0x72, 0xd8, 0x71, 0x58, 0x70, 0x8a,
+    0x85, 0x7e, 0x2e, 0x89, 0xb1, 0x0c, 0xe2, 0x46,
+    0xf6, 0x09, 0x79, 0x36, 0x02, 0xae, 0xb9, 0x87,
+    0x29, 0x02, 0x98, 0x1c, 0x83, 0x89, 0x3b, 0xa1,
+    0xd2, 0xfa, 0x92, 0x92, 0x3e, 0x40, 0x05, 0xf5,
+    0xd6, 0x57, 0xda, 0xea, 0x77, 0x6f, 0xb2, 0x8e,
+    0xdc, 0xfd, 0xdb, 0xb9, 0x78, 0xe1, 0xb0, 0xb8,
+    0x57, 0x93, 0x60, 0x6a, 0xb7, 0x70, 0x48, 0x9e,
+    0x52, 0xd8, 0x82, 0xd2, 0x3b, 0xa3, 0x7e, 0x92,
+    0x5e, 0x5d, 0x5a, 0x88, 0xa0, 0x1f, 0x3c, 0x40,
+    0xd3, 0xc5, 0xdf, 0xa1, 0x18, 0x38, 0xe5, 0xe8,
+    0xdc, 0x59, 0x82, 0x55, 0x3a, 0x3a, 0x61, 0x4a,
+    0xed, 0x63, 0xf0, 0xa3, 0x61, 0x1e, 0x2e, 0x16,
+    0x35, 0xad, 0x99, 0x36, 0x3f, 0x1d, 0xc5, 0x36,
+    0xc6, 0xcd, 0x5c, 0x80, 0x3d, 0x48, 0x29, 0xf3,
+    0x37, 0xcd, 0xe1, 0xf7, 0x98, 0x27, 0x3c, 0x1e,
+    0x2d, 0x7a, 0xbe, 0xf3, 0x81, 0x66, 0xc7, 0xf3,
+    0x70, 0xb2, 0xe4, 0xb0, 0x86, 0x9b, 0xba, 0x00,
+    0x2a, 0xeb, 0x08, 0xd1, 0xa2, 0x3f, 0x4c, 0x2e,
+    0x7b, 0x87, 0xe1, 0x3b, 0xb9, 0xba, 0x3e, 0x78,
+    0xaf, 0x46, 0x89, 0x14, 0x01, 0x5d, 0x3b, 0x7c,
+    0x3e, 0x35, 0x58, 0xea, 0x76, 0x4a, 0xb2, 0xf8,
+    0x9b, 0x94, 0x2c, 0xa6, 0xf3, 0x19, 0x85, 0xc0,
+    0x91, 0x52, 0xc7, 0x57, 0x65, 0x99, 0x7a, 0x65,
+    0xaf, 0xd9, 0x01, 0xed, 0xea, 0x64, 0x8a, 0x0a,
+    0x62, 0x77, 0x14, 0xb0, 0xf6, 0xe2, 0x03, 0xdd,
+    0x3a, 0x81, 0x62, 0x30, 0x40, 0x66, 0xfe, 0xbc,
+    0xbd, 0x2a, 0xae, 0x6f, 0xd8, 0x94, 0xfd, 0xf1,
+    0xd6, 0x9b, 0xb7, 0xe4, 0x0f, 0xae, 0xfe, 0x10,
+    0x63, 0x72, 0x36, 0xc8, 0x75, 0x7c, 0x8e, 0xff,
+    0x3f, 0xd6, 0xb4, 0x5e, 0xdc, 0xda, 0x5d, 0x4d
 };
 static const unsigned char rsa_sigverpss_0_e[] = {
     0x01, 0x00, 0x01,
@@ -1478,70 +1478,70 @@ static const unsigned char rsa_sigverpss_0_msg[] = {
     0x10, 0xe1, 0x92, 0xc3, 0x58, 0x51, 0xab, 0x7c,
 };
 static const unsigned char rsa_sigverpss_0_sig[] = {
-    0x43, 0xb2, 0x4a, 0x50, 0xa7, 0xe2, 0x6c, 0x5d,
-    0x50, 0xc5, 0x39, 0xc1, 0xc1, 0x35, 0xbd, 0x66,
-    0xbd, 0x86, 0x54, 0xc5, 0x2e, 0x65, 0xfc, 0x19,
-    0x19, 0x6a, 0x22, 0x43, 0x22, 0x11, 0x26, 0xae,
-    0x51, 0x78, 0xfa, 0xfa, 0xc1, 0xf0, 0x77, 0x1b,
-    0xd6, 0x5b, 0x93, 0xbd, 0x84, 0xe4, 0x35, 0xbd,
-    0x8d, 0x91, 0xb2, 0x7c, 0xb2, 0xb1, 0xda, 0xd7,
-    0x72, 0x62, 0x88, 0x3e, 0xe9, 0x40, 0x27, 0x4e,
-    0xa5, 0x17, 0x94, 0xf1, 0xe9, 0xdd, 0x8c, 0x6c,
-    0x5b, 0xc0, 0x0b, 0xe3, 0x7c, 0x8b, 0xc8, 0x10,
-    0x57, 0x35, 0x69, 0xb7, 0x56, 0xe0, 0x2f, 0x61,
-    0x2e, 0x13, 0x11, 0x79, 0xfa, 0x60, 0x8f, 0x2a,
-    0x65, 0x73, 0xf5, 0x17, 0x34, 0x74, 0x72, 0x22,
-    0xff, 0x22, 0x5b, 0x97, 0x59, 0x44, 0xf4, 0xfb,
-    0x4a, 0x2b, 0x7e, 0x28, 0xe3, 0x79, 0x84, 0x24,
-    0x63, 0xeb, 0xde, 0x63, 0x88, 0xe0, 0xbd, 0x28,
-    0xef, 0x49, 0x6d, 0xd4, 0x2a, 0x87, 0x53, 0xba,
-    0x5f, 0xde, 0xe3, 0xd4, 0xb2, 0xc2, 0x6f, 0x49,
-    0x10, 0xae, 0x5e, 0x15, 0xdd, 0x0f, 0x91, 0xe2,
-    0xeb, 0x1e, 0xc5, 0x36, 0x8e, 0xdf, 0xa6, 0x17,
-    0x25, 0x21, 0x16, 0x06, 0x72, 0x37, 0x77, 0x19,
-    0xe5, 0x88, 0x1b, 0x0b, 0x5b, 0x80, 0x44, 0x8f,
-    0x13, 0xef, 0xbb, 0xfa, 0xf6, 0x4a, 0x11, 0x6a,
-    0x6a, 0x0c, 0xe0, 0x42, 0x6b, 0x7d, 0xfd, 0xad,
-    0xb0, 0x4b, 0xff, 0x3f, 0x20, 0xca, 0x5f, 0x64,
-    0xcc, 0xc9, 0x5b, 0x89, 0xc2, 0x05, 0x33, 0xf9,
-    0xa5, 0x31, 0x55, 0xfb, 0xdc, 0xeb, 0xd1, 0x24,
-    0xbf, 0x17, 0x0f, 0xc8, 0xfd, 0xe9, 0x6a, 0xc1,
-    0xa7, 0x94, 0x36, 0x72, 0x22, 0x29, 0x2c, 0x1c,
-    0xd1, 0x8b, 0x7b, 0x37, 0x42, 0x25, 0x8d, 0xe3,
-    0xcc, 0x06, 0x5f, 0x3c, 0x15, 0xfa, 0x74, 0x8a,
-    0x83, 0xf0, 0xcc, 0xf5, 0x30, 0xd1, 0xa8, 0x88,
-    0x9f, 0x4e, 0x1d, 0xd8, 0xe3, 0x1b, 0xb5, 0xe3,
-    0xdb, 0xce, 0xbc, 0x03, 0xfe, 0xe6, 0xa2, 0xb4,
-    0x94, 0x76, 0xd1, 0xb7, 0xce, 0xae, 0x6a, 0x7c,
-    0xbd, 0x4f, 0xd6, 0xfe, 0x60, 0xd0, 0x78, 0xd4,
-    0x04, 0x3f, 0xe0, 0x17, 0x2a, 0x41, 0x26, 0x5a,
-    0x81, 0x80, 0xcd, 0x40, 0x7c, 0x4f, 0xd6, 0xd6,
-    0x1d, 0x1f, 0x58, 0x59, 0xaf, 0xa8, 0x00, 0x91,
-    0x69, 0xb1, 0xf8, 0x3b, 0xef, 0x59, 0x7e, 0x83,
-    0x4e, 0xca, 0x1d, 0x33, 0x35, 0xb6, 0xa5, 0x9a,
-    0x0e, 0xc5, 0xe5, 0x11, 0xdd, 0x5d, 0xb7, 0x32,
-    0x66, 0x23, 0x63, 0x08, 0xbc, 0x2e, 0x9c, 0x10,
-    0x30, 0xa4, 0x13, 0x38, 0xee, 0xc7, 0x10, 0xf6,
-    0xed, 0xe9, 0xe1, 0xd1, 0x89, 0x8b, 0x94, 0x21,
-    0xde, 0x76, 0x72, 0x90, 0xc4, 0xbc, 0x59, 0x31,
-    0x1b, 0x1b, 0xd7, 0xa0, 0xd0, 0x3d, 0xaa, 0x43,
-    0x66, 0xfa, 0x43, 0x8d, 0xcc, 0x37, 0xdc, 0x60,
-    0x59, 0xaf, 0x02, 0x98, 0xe5, 0xe0, 0x17, 0xd6,
-    0xc3, 0x84, 0xf2, 0xaa, 0x5d, 0x88, 0xa8, 0x78,
-    0xbf, 0xbd, 0x18, 0x34, 0x9f, 0x5c, 0x6d, 0x22,
-    0x0c, 0x77, 0x4f, 0x16, 0xf2, 0x85, 0x88, 0x2e,
-    0x9a, 0x2b, 0x30, 0x1e, 0x17, 0xc8, 0xc7, 0xd4,
-    0x20, 0x93, 0x47, 0x0d, 0x32, 0x7d, 0xcb, 0x77,
-    0x85, 0x82, 0xc3, 0x80, 0x75, 0x10, 0x83, 0x33,
-    0xd5, 0xde, 0x47, 0xd4, 0x22, 0x55, 0x4d, 0xca,
-    0x4f, 0x90, 0xd2, 0x9f, 0x80, 0x58, 0x22, 0x4c,
-    0x5a, 0xaa, 0x53, 0x9e, 0xeb, 0xde, 0x62, 0x8a,
-    0xfb, 0xd7, 0x4b, 0x28, 0xd5, 0xe1, 0x02, 0xf9,
-    0x61, 0x74, 0x42, 0x12, 0x32, 0x5d, 0x1b, 0x10,
-    0x8f, 0x51, 0x8d, 0x7c, 0x59, 0xc5, 0xb7, 0x5a,
-    0x68, 0xe7, 0xdd, 0xb0, 0xc0, 0x22, 0xbc, 0xf1,
-    0x37, 0xcc, 0x63, 0xa2, 0x85, 0xb9, 0x11, 0x91,
-    0x43, 0xb9, 0x7b, 0xfb, 0x4a, 0x21, 0xc9, 0xd5,
+    0xad, 0x38, 0x4f, 0x00, 0xdd, 0x95, 0xd7, 0x72,
+    0x90, 0x50, 0x48, 0x4e, 0xfd, 0x87, 0x3b, 0xab,
+    0x36, 0x75, 0xe5, 0xa7, 0x32, 0xcf, 0xf5, 0x3a,
+    0x9e, 0xe9, 0x59, 0x54, 0xcf, 0x95, 0x59, 0x63,
+    0x14, 0x43, 0xf8, 0x49, 0x55, 0x86, 0x13, 0x91,
+    0x4f, 0x0b, 0x67, 0x70, 0xc1, 0xd6, 0x97, 0x19,
+    0xc5, 0xd2, 0xba, 0x48, 0x1b, 0x16, 0x65, 0xd3,
+    0xcf, 0xee, 0x35, 0x19, 0xc8, 0xa6, 0x0f, 0x72,
+    0xc6, 0x13, 0x9f, 0xa4, 0x9f, 0x53, 0x62, 0x49,
+    0x1e, 0x1f, 0x18, 0x89, 0x2a, 0x7f, 0xf3, 0x17,
+    0x78, 0x9d, 0x8a, 0xc1, 0x8e, 0xdd, 0x91, 0xf1,
+    0x1f, 0xdd, 0x98, 0xff, 0x9a, 0x6d, 0xb8, 0x14,
+    0x87, 0xaa, 0x08, 0xad, 0xe8, 0x6d, 0x95, 0x6b,
+    0xc3, 0xad, 0x6a, 0x56, 0xa2, 0x78, 0x2d, 0x8c,
+    0xa3, 0x80, 0x4f, 0x97, 0x91, 0x2e, 0x14, 0x7b,
+    0x7a, 0x70, 0x9b, 0x48, 0x4d, 0xa4, 0x64, 0xe6,
+    0x3f, 0x6f, 0x26, 0x83, 0x73, 0xb0, 0x41, 0xd6,
+    0x29, 0x57, 0x31, 0x2e, 0x87, 0x3b, 0xea, 0x69,
+    0x97, 0xc5, 0xe7, 0x75, 0xc6, 0x05, 0xf7, 0x05,
+    0xf2, 0x74, 0xb5, 0x96, 0x71, 0x48, 0xcf, 0x1e,
+    0xa1, 0x67, 0x0a, 0x72, 0x28, 0xfb, 0x87, 0xde,
+    0xca, 0x91, 0x97, 0x63, 0x1e, 0x70, 0x22, 0x5c,
+    0xa2, 0xbe, 0x2a, 0x50, 0xf3, 0xac, 0x2f, 0x04,
+    0x1d, 0x09, 0x14, 0xdf, 0x9d, 0xe5, 0x03, 0x8e,
+    0xe1, 0xa1, 0x4e, 0x78, 0x71, 0xc5, 0xed, 0x04,
+    0x3e, 0x34, 0xf7, 0xce, 0xae, 0xe9, 0xc7, 0xe8,
+    0x25, 0xc2, 0xf8, 0x23, 0xfd, 0x8b, 0xec, 0x5a,
+    0xe1, 0x16, 0x0c, 0x6f, 0x04, 0x8b, 0x10, 0xe7,
+    0xc8, 0x9d, 0x6d, 0x8f, 0x21, 0x1d, 0x9d, 0xe6,
+    0xfa, 0x5f, 0x4f, 0xc7, 0x98, 0x2f, 0x78, 0x1f,
+    0x14, 0xcd, 0xc3, 0x6e, 0xfa, 0x36, 0xcf, 0x6e,
+    0xda, 0xf7, 0x31, 0xa8, 0x7f, 0x70, 0x8a, 0xc0,
+    0x24, 0xef, 0x5b, 0x0f, 0xab, 0x49, 0x89, 0xe2,
+    0x61, 0xc5, 0x9c, 0xae, 0x04, 0xf2, 0x54, 0x9f,
+    0x7a, 0xce, 0x2b, 0x62, 0x07, 0xdb, 0x86, 0x10,
+    0xe9, 0x3a, 0xc1, 0xdd, 0xd1, 0xe5, 0x17, 0xcf,
+    0x72, 0xe8, 0x03, 0x72, 0x23, 0xd8, 0xb3, 0x6e,
+    0x2d, 0xfc, 0xa7, 0xd4, 0x7d, 0x85, 0x9b, 0x73,
+    0x7e, 0xa6, 0xe1, 0x71, 0xd5, 0xf3, 0xf0, 0xe8,
+    0x23, 0x80, 0x7e, 0x3c, 0x4e, 0xc9, 0x7c, 0x3a,
+    0x9a, 0xc3, 0x65, 0xb8, 0xea, 0x49, 0x02, 0x92,
+    0xda, 0x39, 0xb4, 0xb2, 0xde, 0xf3, 0x1d, 0xb2,
+    0x81, 0xed, 0x21, 0x58, 0xdb, 0xb8, 0xe5, 0x96,
+    0xe9, 0xd5, 0xd3, 0x76, 0xde, 0x45, 0xa1, 0x1a,
+    0xfe, 0xcd, 0x41, 0x63, 0x86, 0xd5, 0x72, 0xf1,
+    0xae, 0x41, 0xf0, 0x10, 0x47, 0xcb, 0xd0, 0x86,
+    0x60, 0xb6, 0x38, 0x28, 0x6b, 0x96, 0xa5, 0xd0,
+    0x8e, 0x7e, 0x8e, 0x4f, 0xbf, 0x26, 0xbc, 0x10,
+    0x23, 0x7c, 0xd8, 0xba, 0x63, 0x0a, 0x61, 0x25,
+    0x0d, 0x3c, 0xba, 0x37, 0xef, 0x58, 0xaf, 0x57,
+    0x67, 0x10, 0xdc, 0xe6, 0x73, 0x6d, 0xf6, 0x0b,
+    0x38, 0x75, 0x00, 0x9d, 0x50, 0x71, 0xf0, 0x79,
+    0x33, 0xb0, 0xe4, 0xb9, 0x2a, 0x66, 0x48, 0xae,
+    0x74, 0xb4, 0xcb, 0x88, 0x57, 0x35, 0x28, 0xfd,
+    0xa1, 0x7b, 0x50, 0x8e, 0x7a, 0x09, 0x94, 0x01,
+    0xed, 0x3b, 0x1d, 0x42, 0xc3, 0x34, 0x5e, 0x2c,
+    0x1e, 0x94, 0x90, 0x45, 0x24, 0x0e, 0x2e, 0xaa,
+    0x50, 0x90, 0x2b, 0x32, 0x16, 0xf7, 0xeb, 0xbd,
+    0x49, 0x32, 0x10, 0xa1, 0xd6, 0xd6, 0x17, 0x88,
+    0xbb, 0x6d, 0x5f, 0xfc, 0xc3, 0xf4, 0x78, 0x38,
+    0x4c, 0xc8, 0xe0, 0x61, 0xd5, 0x5b, 0x30, 0xb1,
+    0x18, 0xa8, 0x90, 0xaf, 0x2b, 0xe9, 0x36, 0xad,
+    0xd0, 0x8b, 0x46, 0xe4, 0x38, 0xc0, 0x6f, 0xfc,
+    0x86, 0xae, 0x64, 0x00, 0xd1, 0x39, 0x3f, 0xee
 };
 
 #define rsa_sigverpss_1_n rsa_sigverpss_0_n
@@ -1565,70 +1565,70 @@ static const unsigned char rsa_sigverpss_1_msg[] = {
     0xfa, 0x38, 0x6b, 0x41, 0xe4, 0x39, 0x6e, 0x66,
 };
 static const unsigned char rsa_sigverpss_1_sig[] = {
-    0x48, 0x7f, 0x71, 0x82, 0x63, 0x1d, 0xf2, 0xee,
-    0xe8, 0x79, 0xeb, 0x3a, 0xaf, 0x41, 0x8a, 0x7c,
-    0xab, 0x0b, 0xd4, 0x57, 0xb6, 0x62, 0x9f, 0x6f,
-    0xec, 0xc1, 0xd4, 0xef, 0x55, 0x51, 0xd1, 0x0a,
-    0x0e, 0x1d, 0x8a, 0x64, 0x69, 0x08, 0x57, 0xf5,
-    0x04, 0xa8, 0x6c, 0xde, 0x76, 0x4d, 0x81, 0xf4,
-    0x95, 0x7e, 0x95, 0x6d, 0x41, 0x31, 0x2f, 0x9d,
-    0xe7, 0x47, 0x45, 0x45, 0x9f, 0xa8, 0xf8, 0xe3,
-    0x30, 0xa6, 0x41, 0x0f, 0x12, 0x05, 0x6d, 0x2b,
-    0x1a, 0xae, 0xef, 0xd4, 0x6b, 0xc6, 0xf4, 0x61,
-    0xa5, 0x07, 0xfe, 0xe8, 0xd0, 0xfd, 0xa3, 0x93,
-    0x58, 0xb4, 0x22, 0x37, 0x1b, 0x84, 0xcb, 0xef,
-    0xae, 0x24, 0xec, 0x62, 0xe2, 0x7d, 0xf4, 0x09,
-    0x5a, 0xc3, 0x0f, 0x4b, 0x49, 0xb7, 0xe7, 0xb2,
-    0x9b, 0x01, 0x2c, 0x8a, 0x39, 0xdd, 0x10, 0xec,
-    0x30, 0xb9, 0x7e, 0x39, 0x98, 0x94, 0x2a, 0xa4,
-    0xb3, 0x97, 0x7f, 0x85, 0x6e, 0x19, 0x75, 0x9e,
-    0x91, 0x94, 0xaa, 0xb5, 0xb0, 0x1f, 0x72, 0x50,
-    0xb5, 0x6d, 0x7a, 0xff, 0x90, 0xcc, 0x24, 0x80,
-    0x20, 0x23, 0x1c, 0xf3, 0xbd, 0x01, 0xc7, 0x82,
-    0x63, 0x04, 0xcc, 0xbd, 0xfb, 0x41, 0x9a, 0xb8,
-    0xeb, 0x6d, 0x78, 0x02, 0xee, 0x4a, 0x6d, 0xbb,
-    0xf7, 0xb7, 0xcf, 0x91, 0xca, 0x11, 0xf2, 0x62,
-    0xec, 0x18, 0x14, 0xcd, 0x10, 0xd8, 0x60, 0xe5,
-    0x20, 0x86, 0x74, 0x84, 0xd5, 0x35, 0x34, 0x69,
-    0x65, 0x93, 0x31, 0x99, 0xb6, 0x2d, 0x43, 0x23,
-    0x1d, 0x73, 0x55, 0xfa, 0x03, 0x76, 0x22, 0xcc,
-    0x66, 0xbc, 0x20, 0x2f, 0x7f, 0x4f, 0x78, 0xdd,
-    0xd1, 0x1f, 0xb6, 0x79, 0x6b, 0x58, 0x58, 0x57,
-    0x56, 0x87, 0xbc, 0x72, 0x6c, 0x81, 0x0a, 0xe2,
-    0xae, 0xb2, 0x4b, 0x66, 0x5b, 0x65, 0x35, 0x2b,
-    0x89, 0x0b, 0xa8, 0x5c, 0x34, 0xb3, 0x5f, 0xb0,
-    0x21, 0x5d, 0x4c, 0x60, 0x57, 0x73, 0xb6, 0x16,
-    0x94, 0xa7, 0x55, 0x52, 0x2a, 0x87, 0x10, 0xc9,
-    0x7c, 0x86, 0xb9, 0xdd, 0xf5, 0xb9, 0x30, 0xc0,
-    0xe6, 0x2a, 0xc9, 0x08, 0x3a, 0x88, 0xdc, 0x27,
-    0xea, 0x2f, 0xd9, 0x37, 0x06, 0x36, 0xd8, 0xe5,
-    0x66, 0x11, 0x54, 0x72, 0x4c, 0xc8, 0xa2, 0xc1,
-    0xed, 0xf5, 0x17, 0x3b, 0x06, 0x2b, 0x4c, 0xc9,
-    0x49, 0x2b, 0x98, 0x6f, 0xb8, 0x77, 0x96, 0x0c,
-    0x6b, 0x47, 0x81, 0x6c, 0xf3, 0x94, 0x3d, 0x3b,
-    0x24, 0x2d, 0x26, 0x9c, 0x40, 0xc1, 0x1f, 0xa7,
-    0xb2, 0xb4, 0x29, 0xb6, 0x05, 0xe5, 0x6e, 0x3c,
-    0xab, 0xd4, 0xaa, 0x3d, 0x78, 0x63, 0x3e, 0xf2,
-    0x75, 0x0d, 0xc3, 0x46, 0x0e, 0x68, 0xd7, 0x3d,
-    0xb9, 0xcb, 0x9a, 0x0a, 0xce, 0xec, 0x6f, 0x21,
-    0x8c, 0x86, 0xaa, 0xeb, 0x7b, 0x56, 0x41, 0xa6,
-    0x7a, 0xd3, 0x03, 0x02, 0x5c, 0x76, 0x01, 0xf7,
-    0x5d, 0x5e, 0x8e, 0x7d, 0xac, 0x35, 0x84, 0x11,
-    0xc6, 0xbc, 0x9a, 0x53, 0xcc, 0x3b, 0x4f, 0x5b,
-    0x23, 0x79, 0x30, 0x52, 0xc3, 0x73, 0x5d, 0xc8,
-    0xf1, 0xec, 0x2e, 0x0d, 0xda, 0x64, 0x90, 0x50,
-    0x62, 0xcf, 0x18, 0xc5, 0x52, 0x45, 0xe7, 0x38,
-    0x1a, 0xec, 0x01, 0x18, 0xbb, 0x85, 0x97, 0x7f,
-    0x68, 0x2b, 0x6f, 0xfc, 0xcd, 0x08, 0xc8, 0xe2,
-    0xca, 0x7e, 0xa6, 0x4f, 0xca, 0x5d, 0xdd, 0xf8,
-    0xfa, 0x52, 0x1c, 0x91, 0x82, 0x56, 0x07, 0xb2,
-    0x03, 0x3e, 0xa2, 0x8d, 0x60, 0xff, 0x78, 0x05,
-    0x1a, 0xfc, 0x6e, 0x27, 0x80, 0xbd, 0x90, 0x98,
-    0x83, 0x46, 0xba, 0xec, 0xee, 0x89, 0xe3, 0x1b,
-    0xc0, 0xcd, 0x2f, 0x05, 0x37, 0x18, 0xb5, 0xfa,
-    0xc3, 0x91, 0x85, 0x0f, 0xb7, 0x74, 0x1c, 0x64,
-    0xf0, 0xf8, 0x56, 0x35, 0xb8, 0x1d, 0xc3, 0x39,
-    0x5c, 0xea, 0x8a, 0x92, 0x31, 0xd2, 0x11, 0x4b,
+    0x2a, 0x7a, 0xc1, 0x6d, 0x2a, 0x7d, 0xc0, 0x0c,
+    0x70, 0x8b, 0xab, 0xac, 0x8b, 0x93, 0xcd, 0x8c,
+    0x9a, 0xdf, 0x93, 0x53, 0xda, 0x2d, 0x97, 0xf4,
+    0xc5, 0x3d, 0xee, 0x5a, 0x5a, 0x51, 0x2a, 0xef,
+    0xa2, 0xf0, 0x2e, 0x19, 0x83, 0x94, 0x43, 0x95,
+    0x10, 0xde, 0x6a, 0xcc, 0xaf, 0xe0, 0xfb, 0xed,
+    0xd0, 0xf9, 0x6a, 0x37, 0x66, 0x29, 0xee, 0xbb,
+    0xce, 0xcc, 0x02, 0x27, 0xe4, 0xb9, 0x43, 0x3c,
+    0xfd, 0x24, 0x93, 0x4e, 0x67, 0x1c, 0x8e, 0xfc,
+    0xf0, 0xaa, 0x5f, 0x56, 0x68, 0x18, 0x5f, 0xd5,
+    0x8e, 0xdc, 0x58, 0x7e, 0x2d, 0xc7, 0xd6, 0x16,
+    0xfe, 0x3b, 0xb5, 0xcb, 0x9e, 0x50, 0xd1, 0x2f,
+    0xce, 0x5e, 0x63, 0x81, 0xda, 0x46, 0xc1, 0x5b,
+    0xaa, 0x6a, 0x3c, 0xcd, 0xa6, 0x4c, 0x1a, 0xff,
+    0xda, 0xd0, 0x53, 0xeb, 0xbf, 0x83, 0x7f, 0x2b,
+    0xb7, 0xee, 0x89, 0xbc, 0x70, 0x2c, 0xec, 0x29,
+    0xce, 0xf9, 0xb6, 0x95, 0xde, 0xcc, 0x7b, 0x79,
+    0xb5, 0x77, 0x6f, 0x0a, 0xf7, 0xe0, 0xc9, 0x90,
+    0x58, 0xf1, 0x0b, 0xb1, 0xda, 0xdc, 0x11, 0xe9,
+    0x6c, 0x46, 0x2e, 0x06, 0x84, 0x78, 0x57, 0xaa,
+    0x54, 0xa2, 0x35, 0xec, 0xa0, 0x48, 0xec, 0xa6,
+    0x15, 0x9d, 0x49, 0xbb, 0x43, 0x19, 0xa8, 0x6f,
+    0x7d, 0xd3, 0x03, 0xbf, 0x9b, 0x42, 0x7e, 0x8d,
+    0xee, 0x9a, 0x80, 0x3c, 0xe1, 0xe3, 0x1f, 0x61,
+    0x6e, 0x21, 0x70, 0xf4, 0x37, 0x55, 0x83, 0x9a,
+    0xe1, 0xe9, 0xb0, 0xe6, 0xf0, 0x94, 0x2d, 0xd6,
+    0x8d, 0x1e, 0x3d, 0x12, 0xb9, 0xd4, 0xb0, 0x9b,
+    0x40, 0x36, 0xb0, 0x39, 0x55, 0xdc, 0x04, 0x32,
+    0x3c, 0xd1, 0xb9, 0x08, 0x43, 0x35, 0x57, 0x47,
+    0x46, 0xea, 0x98, 0x26, 0x46, 0xef, 0xc3, 0x4d,
+    0xc4, 0xa6, 0x3d, 0x1c, 0x35, 0x45, 0x78, 0x73,
+    0xab, 0xe1, 0x33, 0x53, 0xad, 0xe9, 0xab, 0x32,
+    0x18, 0xd8, 0x71, 0x69, 0xf5, 0x15, 0xb7, 0x30,
+    0x00, 0xde, 0x0c, 0x01, 0x78, 0x82, 0xaf, 0xf0,
+    0x10, 0x34, 0xab, 0xd9, 0x3a, 0xa7, 0x23, 0x13,
+    0x31, 0x09, 0x90, 0x8a, 0xda, 0x2e, 0xc5, 0x38,
+    0x59, 0x67, 0x24, 0xd9, 0x9e, 0x6f, 0xd8, 0x12,
+    0x59, 0x16, 0x26, 0xd8, 0x31, 0x0e, 0x76, 0x82,
+    0x7c, 0x8d, 0xd4, 0x80, 0xa8, 0x55, 0xeb, 0x97,
+    0x76, 0xc9, 0x82, 0x4a, 0x73, 0x84, 0x0f, 0x9d,
+    0x7f, 0x2e, 0x7b, 0x16, 0xa9, 0x89, 0xdc, 0x95,
+    0x59, 0x11, 0xa2, 0xfd, 0xa3, 0x17, 0xc0, 0xe8,
+    0xfd, 0xed, 0xd0, 0x2f, 0xca, 0x70, 0x6e, 0xa6,
+    0x8b, 0x79, 0x39, 0xae, 0x77, 0xb2, 0x3d, 0x8f,
+    0x8b, 0xf8, 0xaf, 0x05, 0x20, 0x80, 0xde, 0xb4,
+    0x19, 0x77, 0x0b, 0x45, 0x87, 0xe0, 0xcb, 0x35,
+    0x24, 0x46, 0x9d, 0xa5, 0xee, 0x30, 0xba, 0x9a,
+    0xe9, 0x3c, 0x6a, 0x7e, 0xd4, 0xdc, 0x47, 0x26,
+    0x83, 0xf5, 0x05, 0x8e, 0x70, 0xb5, 0x0c, 0x4f,
+    0x83, 0xe2, 0x60, 0x99, 0x7b, 0xc5, 0xf4, 0x8a,
+    0x8d, 0x87, 0xe1, 0x5c, 0x90, 0x5d, 0x21, 0x26,
+    0xe1, 0x43, 0x0e, 0x4c, 0xed, 0xb4, 0xd9, 0x92,
+    0xd6, 0x4c, 0x4e, 0xd4, 0x81, 0x12, 0x01, 0x88,
+    0x3e, 0xf6, 0xab, 0x64, 0xed, 0x8f, 0x7d, 0x22,
+    0xbb, 0x21, 0x4c, 0xc0, 0xe2, 0x72, 0x5a, 0x15,
+    0x47, 0xdd, 0x1f, 0xf1, 0xb8, 0x32, 0x97, 0x08,
+    0xc0, 0x8b, 0xe8, 0x65, 0x1a, 0x6b, 0x86, 0x22,
+    0xee, 0x8d, 0xa5, 0xa2, 0x86, 0xf1, 0xcc, 0xb4,
+    0x93, 0xc1, 0x8a, 0x99, 0x2d, 0x13, 0xad, 0xe5,
+    0x28, 0x7e, 0xff, 0xfb, 0xfc, 0x43, 0x0e, 0xfa,
+    0x9d, 0x08, 0x51, 0x40, 0x1f, 0x50, 0xa9, 0xb7,
+    0xfa, 0xc3, 0x33, 0x24, 0x73, 0xb3, 0x30, 0x69,
+    0xf8, 0x3d, 0xc3, 0x62, 0xac, 0x5e, 0x2b, 0x13,
+    0xe9, 0x97, 0x20, 0x35, 0xf8, 0xf1, 0x78, 0xe1
 };
 
 static const unsigned char rsa_sigverx931_0_n[] = {
@@ -1880,7 +1880,7 @@ static const struct rsa_sigver_st rsa_sigver_data[] = {
         ITM(rsa_sigverpss_0_n),
         ITM(rsa_sigverpss_0_e),
         ITM(rsa_sigverpss_0_sig),
-        62,
+        48,
         PASS
     },
     {
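Review bot: The changed `48` is an unlabelled literal in a positional initializer, and the regenerated `rsa_sigverpss_0_sig` and `rsa_sigverpss_1_sig` arrays earlier in this file carry no note on how they were produced. Presumably this field is the PSS salt length and 48 was chosen to stay within the digest length the FIPS provider now enforces. A trailing comment such as `48, /* PSS salt length */` here and on the matching line in the next hunk would make that checkable. The struct definition and the digest used by these entries are outside the hunk, so confirm the value is at or below the digest size for both entries.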
@@ -1891,7 +1891,7 @@ static const struct rsa_sigver_st rsa_sigver_data[] = {
         ITM(rsa_sigverpss_1_n),
         ITM(rsa_sigverpss_1_e),
         ITM(rsa_sigverpss_1_sig),
-        62,
+        48,
         FAIL
     },
 };
index c3d28cdf711e1ee51f1c4d8159dede4d466cba78..38a401ba2319fe8ab7cfd0f8cd892ac4eda59f3d 100644 (file)
@@ -224,6 +224,7 @@ static const OSSL_PARAM settable_ctx_params[] = {
     OSSL_PARAM_int("ems_check", NULL),
     OSSL_PARAM_int("sign-check", NULL),
     OSSL_PARAM_int("encrypt-check", NULL),
+    OSSL_PARAM_int("rsa-pss-saltlen-check", NULL),
     OSSL_PARAM_int("sign-x931-pad-check", NULL),
     OSSL_PARAM_END
 };
@@ -2598,15 +2599,20 @@ static int verify_test_init(EVP_TEST *t, const char *name)
 
 static int verify_test_run(EVP_TEST *t)
 {
+    int ret = 1;
     PKEY_DATA *kdata = t->data;
 
     if (!pkey_test_run_init(t))
         goto err;
     if (EVP_PKEY_verify(kdata->ctx, kdata->output, kdata->output_len,
-                        kdata->input, kdata->input_len) <= 0)
+                        kdata->input, kdata->input_len) <= 0) {
         t->err = "VERIFY_ERROR";
+        goto err;
+    }
+    if (!pkey_check_fips_approved(kdata->ctx, t))
+        ret = 0;
 err:
-    return 1;
+    return ret;
 }
 
 static const EVP_TEST_METHOD pverify_test_method = {
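Review bot: In verify_test_run the two failure paths now behave differently with no comment saying why: a failed EVP_PKEY_verify() sets `t->err` and still returns 1, while a failed pkey_check_fips_approved() returns 0. The indicator check is also skipped whenever verification fails, so the stanzas that expect `Result = VERIFY_ERROR` never exercise it. If both are intended, a comment above the new check would record it, for example `/* Indicator is only checked after a successful verify; 0 here is a harness failure, not a recorded t->err. */`. pkey_check_fips_approved is defined outside this hunk, so how it reports its own errors, and how the caller treats a 0 return, are assumptions to confirm.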
index 513b04b78d5f12537413f12325278ad3db03f4d0..a28d1196066ba2512c975fbe707edbb6c929d6ff 100644 (file)
@@ -919,6 +919,7 @@ Input="0123456789ABCDEF0123456789ABCDEF"
 Output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
 
 # Verify using salt length auto detect
+FIPSversion = <3.4.0
 Verify = RSA-2048-PUBLIC
 Ctrl = rsa_padding_mode:pss
 Ctrl = rsa_pss_saltlen:auto
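Review bot: The added `FIPSversion = <3.4.0` line gates this stanza without saying why, and the same is done for the `rsa_pss_saltlen:30` and `rsa_pss_saltlen:max` stanzas in the next hunk. Extending the existing comment above each stanza would keep the reason next to the gate, for example `# Verify using salt length auto detect (not accepted by the FIPS provider from 3.4.0, which checks the PSS salt length)`. The reason is inferred from the commit title and the new stanzas at the end of the file, so word the comment to match the actual rule.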
@@ -969,12 +970,14 @@ Input="0123456789ABCDEF0123"
 Output = 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
 
 # Verify using salt length larger than minimum
+FIPSversion = <3.4.0
 Verify = RSA-PSS-DEFAULT
 Ctrl = rsa_pss_saltlen:30
 Input="0123456789ABCDEF0123"
 Output = 6BF7EDC63A0BA184EEEC7F3020FEC8F5EBF38C2B76481881F48BCCE5796E7AB294548BA9AE810457C7723CABD1BDE94CF59CF7C0FC7461B22760C8ED703DD98E97BFDD61FA8D1181C411F6DEE5FF159F4850746D78EDEE385A363DC28E2CB373D5CAD7953F3BD5E639BE345732C03A1BDEA268814DA036EB1891C82D4012F3B903D86636055F87B96FC98806AD1B217685A4D754046A5DE0B0D7870664BE07902153EC85BA457BE7D7F89D7FE0F626D02A9CBBB2BB479DDA1A5CAE75247FB7BF6BFB15C1D3FD9E6B1573CCDBC72011C3B97716058BB11C7EA2E4E56ADAFE1F5DE6A7FD405AC5890100F9C3408EFFB5C73BF73F48177FF743B4B819D0699D507B
 
 # Verify using maximum salt length
+FIPSversion = <3.4.0
 Verify = RSA-PSS-DEFAULT
 Ctrl = rsa_pss_saltlen:max
 Input="0123456789ABCDEF0123"
@@ -2031,3 +2034,135 @@ Ctrl = digest:SHA256
 Ctrl = rsa_padding_mode:x931
 Input = "0123456789ABCDEF123456789ABCDEFG"
 Output = 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
+
+# RSA signing with PSS salt length >= digest length is unapproved
+FIPSversion = >= 3.4.0
+Sign = RSA-PSS
+Ctrl = digest:SHA384
+Ctrl = rsa_padding_mode:pss
+Ctrl = rsa_pss_saltlen:64
+Input = "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
+Result = KEYOP_ERROR
+Reason = invalid salt length
+
+# RSA verifying with PSS salt length >= digest length is unapproved
+FIPSversion = >= 3.4.0
+Verify = RSA-PSS
+Ctrl = digest:SHA384
+Ctrl = rsa_padding_mode:pss
+Ctrl = rsa_pss_saltlen:64
+Input = "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
+Output = 49BA0CA65076271C0FEB69EB5D03E6989238B8F116FEC934F5A1299762E6FE0B6AA8C2B433CA3B11E36D2844265C6B52CD7393FC62A7C6706747BD9454ADE78DE35417D6F6FCE32F1C1D8F40CEF5715BC981AE4B1C94BF8C11E30BC3F19C71BE0FBDED06ECA5FCAC372688A9E821785B9ABA9705D76A1F74A092ACFEF30B018387771031554C43D3C49317C289EC570C603A6356E2FC1FB824F0505029750BC9028B342C27CD8F01C811C0172EFA807218C4657ACA5AA81A2BB1B0C4D63BE32C08BEF11C6E19C565D03246EE021B9293AB3FE33A8946F8EAAAE353E66FA3BB170FDADB7431FFAD4C92623148395FC6F6601495D6FF83E67B20BDDAD082C149E8
+Result = VERIFY_ERROR
+Reason = invalid salt length
+
+FIPSversion = >= 3.4.0
+Verify = RSA-PSS
+Unapproved = 1
+CtrlInit = rsa-pss-saltlen-check:0
+Ctrl = digest:SHA384
+Ctrl = rsa_padding_mode:pss
+Ctrl = rsa_pss_saltlen:64
+Input = "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
+Output = 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
+
+# RSA verifying with PSS salt length "digest" is approved
+FIPSversion = >= 3.4.0
+Verify = RSA-PSS
+Ctrl = digest:SHA384
+Ctrl = rsa_padding_mode:pss
+Ctrl = rsa_pss_saltlen:digest
+Input = "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
+Output = 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
+
+# RSA signing with PSS salt length "max" is unapproved
+FIPSversion = >= 3.4.0
+Sign = RSA-PSS
+Ctrl = digest:SHA384
+Ctrl = rsa_padding_mode:pss
+Ctrl = rsa_pss_saltlen:max
+Input = "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
+Result = KEYOP_ERROR
+Reason = invalid salt length
+
+# RSA verifying with PSS salt length "max" is unapproved
+FIPSversion = >= 3.4.0
+Verify = RSA-PSS
+Ctrl = digest:SHA384
+Ctrl = rsa_padding_mode:pss
+Ctrl = rsa_pss_saltlen:max
+Input = "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
+Output = 8424963AB8323443EC617FCB698B583A831303EB97C24C35EFAD6800D32BF74E2E1ACDA367FAD902EE852B1408602A8903E6D90C08F841215C130421E634BCDC798DD12A3E444B4237DE9497D2DD43794D7D04727B4E11C48E6F6BDA03A0117893ABBF3B00EC954AED35904AECA4B6E6020F860C8AE40B17FBBA7E2AB7BFC62E04AC9FBD8CABB03EEA68A12EDB417F13F24084AA5440C206886B86EDA4ADD29CE5DA07701FCC53CE5D77F03E711C8B1DD38763414022A88887813F7F31BA733CCAB124CFA03455C4850514231C9294BC68AD04E917E0F7675B53457A30EC1793D3D117A94D3B9DD60346EEB7027F79BF93AE62A297C261F36969CE2F797BB9B9
+Result = VERIFY_ERROR
+Reason = invalid salt length
+
+FIPSversion = >= 3.4.0
+Verify = RSA-PSS
+Unapproved = 1
+CtrlInit = rsa-pss-saltlen-check:0
+Ctrl = digest:SHA384
+Ctrl = rsa_padding_mode:pss
+Ctrl = rsa_pss_saltlen:max
+Input = "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
+Output = 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
+
+# RSA signing with PSS salt length "auto" is unapproved
+FIPSversion = >= 3.4.0
+Sign = RSA-PSS
+Ctrl = digest:SHA384
+Ctrl = rsa_padding_mode:pss
+Ctrl = rsa_pss_saltlen:auto
+Input = "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
+Result = KEYOP_ERROR
+Reason = invalid salt length
+
+# RSA verifying with PSS salt length "auto" is unapproved
+FIPSversion = >= 3.4.0
+Verify = RSA-PSS
+Ctrl = digest:SHA384
+Ctrl = rsa_padding_mode:pss
+Ctrl = rsa_pss_saltlen:auto
+Input = "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
+Output = 4B3602F5E515B82573F0A19E244E8D2B6ED6A7E3066891B65E13D1EDAE535ECD0E59830B190322D357D6199E29C94DB6FFF2EEDB3B8BA57E81062AF963C9C392DC17343873EE7D572C059BAD5B6E4AD09EE50FC69C6FFE22353B95EA80B420E5C85BA86423ECF610F61887D2F02839B28B271B3FA98420D8630EF94E36015A1383C45EB4CA2CA7FCDCDBCF7722DB84AA303F333DF38ED1C92466CB139F8C7D5D7D7B393574951F2DB071579F7170A72934F29AD3EFB403A57AC8A6449742E240DB32C3505293942CAAF1785F886B561075DACB546BBA76FC4C1D8DD8241BC452A3A8B2510D136A2563B242FBF15D7ED3BA08A2C3F45CDE795C94B891F98A8E4F
+Result = VERIFY_ERROR
+Reason = invalid salt length
+
+FIPSversion = >= 3.4.0
+Verify = RSA-PSS
+Unapproved = 1
+CtrlInit = rsa-pss-saltlen-check:0
+Ctrl = digest:SHA384
+Ctrl = rsa_padding_mode:pss
+Ctrl = rsa_pss_saltlen:auto
+Input = "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
+Output = 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
+
+# RSA verifying with PSS salt length "auto-digestmax" and a signature whose salt length is compliant to FIPS standard is approved
+FIPSversion = >= 3.4.0
+Verify = RSA-PSS
+Ctrl = digest:SHA384
+Ctrl = rsa_padding_mode:pss
+Ctrl = rsa_pss_saltlen:auto-digestmax
+Input = "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
+Output = 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
+
+# RSA verifying with PSS salt length "auto-digestmax" and a signature whose salt length is not compliant to FIPS standard is unapproved
+FIPSversion = >= 3.4.0
+Verify = RSA-PSS
+Ctrl = digest:SHA384
+Ctrl = rsa_padding_mode:pss
+Ctrl = rsa_pss_saltlen:auto-digestmax
+Input = "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
+Output = 49BA0CA65076271C0FEB69EB5D03E6989238B8F116FEC934F5A1299762E6FE0B6AA8C2B433CA3B11E36D2844265C6B52CD7393FC62A7C6706747BD9454ADE78DE35417D6F6FCE32F1C1D8F40CEF5715BC981AE4B1C94BF8C11E30BC3F19C71BE0FBDED06ECA5FCAC372688A9E821785B9ABA9705D76A1F74A092ACFEF30B018387771031554C43D3C49317C289EC570C603A6356E2FC1FB824F0505029750BC9028B342C27CD8F01C811C0172EFA807218C4657ACA5AA81A2BB1B0C4D63BE32C08BEF11C6E19C565D03246EE021B9293AB3FE33A8946F8EAAAE353E66FA3BB170FDADB7431FFAD4C92623148395FC6F6601495D6FF83E67B20BDDAD082C149E8
+Result = VERIFY_ERROR
+Reason = invalid salt length
+
+FIPSversion = >= 3.4.0
+Verify = RSA-PSS
+Unapproved = 1
+CtrlInit = rsa-pss-saltlen-check:0
+Ctrl = digest:SHA384
+Ctrl = rsa_padding_mode:pss
+Ctrl = rsa_pss_saltlen:auto-digestmax
+Input = "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
+Output = 49BA0CA65076271C0FEB69EB5D03E6989238B8F116FEC934F5A1299762E6FE0B6AA8C2B433CA3B11E36D2844265C6B52CD7393FC62A7C6706747BD9454ADE78DE35417D6F6FCE32F1C1D8F40CEF5715BC981AE4B1C94BF8C11E30BC3F19C71BE0FBDED06ECA5FCAC372688A9E821785B9ABA9705D76A1F74A092ACFEF30B018387771031554C43D3C49317C289EC570C603A6356E2FC1FB824F0505029750BC9028B342C27CD8F01C811C0172EFA807218C4657ACA5AA81A2BB1B0C4D63BE32C08BEF11C6E19C565D03246EE021B9293AB3FE33A8946F8EAAAE353E66FA3BB170FDADB7431FFAD4C92623148395FC6F6601495D6FF83E67B20BDDAD082C149E8
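Review bot: The comments on the first two stanzas say a salt length `>= digest length` is unapproved, but the later `rsa_pss_saltlen:digest` stanza, where the salt equals the SHA384 digest length, is expected to verify as approved. The wording should be `> digest length`, for example `# RSA signing with PSS salt length > digest length is unapproved`. The four stanzas that set `Unapproved = 1` with `CtrlInit = rsa-pss-saltlen-check:0` have no comment at all; each could carry a line such as `# With the salt length check disabled, verification succeeds but is reported as unapproved`. There is also no Sign stanza for the approved `digest` case or for the check-disabled path, so signing is only covered for rejection.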
index dc30fe53c3bbdb0896929370a8e361490b830f45..a50b976533c4d212acab187053964fdeef295dad 100644 (file)
@@ -516,12 +516,12 @@ my @smime_cms_param_tests = (
     ],
 
     [ "signed content test streaming PEM format, RSA keys, PSS signature, saltlen=max",
-      [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
+      [ "{cmd1}", @defaultprov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
         "-signer", $smrsa1,
         "-keyopt", "rsa_padding_mode:pss", "-keyopt", "rsa_pss_saltlen:max",
         "-out", "{output}.cms" ],
       sub { my %opts = @_; rsapssSaltlen("$opts{output}.cms") == 222; },
-      [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "PEM",
+      [ "{cmd2}", @defaultprov, "-verify", "-in", "{output}.cms", "-inform", "PEM",
         "-CAfile", $smroot, "-out", "{output}.txt" ],
       \&final_compare
     ],
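Review bot: Switching both commands of the `saltlen=max` case from `@prov` to `@defaultprov` means this case no longer runs against the FIPS provider at all, and nothing in the entry says why. A comment above the entry, such as `# saltlen=max is rejected by the FIPS provider's PSS salt length check, so this case is pinned to the default provider`, would stop a later cleanup from reverting it. A companion case that runs the same `-sign` with `@prov` and expects failure would cover the rejection on the CMS path. Whether this table supports expected-failure entries is not visible from the hunk, and the enclosing `@smime_cms_param_tests` list starts and ends outside it.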
index 270cc8f8e801ae88f07e05530161609383ece131..dea366b7a117424f9e53207652c71016872db611 100644 (file)
@@ -19,6 +19,7 @@ my $digest_check = 1;
 my $dsa_sign_disabled = 1;
 my $tdes_encrypt_disabled = 1;
 my $pkcs15_pad_disable = 1;
+my $rsa_pss_saltlen_check = 1;
 my $rsa_sign_x931_pad_disabled = 1;
 my $kdf_key_check = 1;
 my $pbkdf2_lower_bound_check = 1;
@@ -69,6 +70,7 @@ sskdf-digest-check = $digest_check
 x963kdf-digest-check = $digest_check
 tdes-encrypt-disabled = $tdes_encrypt_disabled
 rsa-pkcs15-padding-disabled = $pkcs15_pad_disable
+rsa-pss-saltlen-check = $rsa_pss_saltlen_check
 rsa-sign-x931-pad-disabled = $rsa_sign_x931_pad_disabled
 hkdf-key-check = $kdf_key_check
 kbkdf-key-check = $kdf_key_check
index 74bbe02763a5fe9702a0bb99fecf6a47b3c56728..a41d0f57ef170ac59b37a9460fed1b86f7881edc 100644 (file)
@@ -42,6 +42,7 @@ my %params = (
     'PROV_PARAM_X963KDF_DIGEST_CHECK' =>   "x963kdf-digest-check",   # uint
     'PROV_PARAM_DSA_SIGN_DISABLED' =>      "dsa-sign-disabled",      # uint
     'PROV_PARAM_TDES_ENCRYPT_DISABLED' =>  "tdes-encrypt-disabled",  # uint
+    'PROV_PARAM_RSA_PSS_SALTLEN_CHECK' =>  "rsa-pss-saltlen-check",  # uint
     'PROV_PARAM_RSA_SIGN_X931_PAD_DISABLED' =>  "rsa-sign-x931-pad-disabled",   # uint
     'PROV_PARAM_HKDF_KEY_CHECK' =>         "hkdf-key-check",         # uint
     'PROV_PARAM_KBKDF_KEY_CHECK' =>        "kbkdf-key-check",        # uint
@@ -427,6 +428,7 @@ my %params = (
     'SIGNATURE_PARAM_FIPS_DIGEST_CHECK' =>  '*PKEY_PARAM_FIPS_DIGEST_CHECK',
     'SIGNATURE_PARAM_FIPS_KEY_CHECK' =>     '*PKEY_PARAM_FIPS_KEY_CHECK',
     'SIGNATURE_PARAM_FIPS_SIGN_CHECK' =>    '*PKEY_PARAM_FIPS_SIGN_CHECK',
+    'SIGNATURE_PARAM_FIPS_RSA_PSS_SALTLEN_CHECK' => "rsa-pss-saltlen-check",
     'SIGNATURE_PARAM_FIPS_SIGN_X931_PAD_CHECK' => "sign-x931-pad-check",
     'SIGNATURE_PARAM_FIPS_APPROVED_INDICATOR' => '*ALG_PARAM_FIPS_APPROVED_INDICATOR',
     'SIGNATURE_PARAM_EDDSA_VERIFY_DIGESTED' => 'verify-digested',