Clarify checking of emLen in RSA_padding_add_PKCS1_PSS_mgf1.

There is a comment "Note from a test above this value is guaranteed to
be non-negative". Reorganize the code to make it more clear that that
is actually the case, especially in the case where sLen == -1.

Change-Id: I09a3dd99458e34102c42d8d3a2f22c16c684c673
Reviewed-on: https://boringssl-review.googlesource.com/9172
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>

crypto/rsa/padding.c

@@ -623,6 +623,11 @@ int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
     emLen--;
   }
 
+  if (emLen < hLen + 2) {
+    OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
+    goto err;
+  }
+
   /* Negative sLen has special meanings:
    *   -1  sLen == hLen
    *   -2  salt length is maximized
@@ -630,18 +635,17 @@ int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
   if (sLen == -1) {
     sLen = hLen;
   } else if (sLen == -2) {
-    if (emLen < hLen + 2) {
-      OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
-      goto err;
-    }
     sLen = emLen - hLen - 2;
   } else if (sLen < -2) {
     OPENSSL_PUT_ERROR(RSA, RSA_R_SLEN_CHECK_FAILED);
     goto err;
-  } else if (emLen < hLen + sLen + 2) {
+  }
+
+  if (emLen - hLen - 2 < (size_t)sLen) {
     OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
     goto err;
   }
+
   if (sLen > 0) {
     salt = OPENSSL_malloc(sLen);
     if (!salt) {