d12f2ba55e
cryptography.io wants RSA_R_BLOCK_TYPE_IS_NOT_02, only used by the ancient RSA_padding_check_SSLv23 function. Define it but never emit it. Additionally, it's rather finicky about RSA_R_TOO_LARGE* errors. We merged them in BoringSSL because having RSA_R_TOO_LARGE, RSA_R_TOO_LARGE_FOR_MODULUS, and RSA_R_TOO_LARGE_FOR_KEY_SIZE is a little silly. But since we don't expect well-behaved code to condition on error codes anyway, perhaps that wasn't worth it. Split them back up. Looking through OpenSSL, there is a vague semantic difference: RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY - Specifically emitted if a digest is too big for PKCS#1 signing with this key. RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE - You asked me to sign or encrypt a digest/plaintext, but it's too big for this key. RSA_R_DATA_TOO_LARGE_FOR_MODULUS - You gave me an RSA ciphertext or signature and it is not fully reduced modulo N. -OR- The padding functions produced something that isn't reduced, but I believe this is unreachable outside of RSA_NO_PADDING. RSA_R_DATA_TOO_LARGE - Some low-level padding function was told to copy a digest/plaintext into some buffer, but the buffer was too small. I think this is basically unreachable. -OR- You asked me to verify a PSS signature, but I didn't need to bother because the digest/salt parameters you picked were too big. Update-Note: This depends on cl/196566462. Change-Id: I2e539e075eff8bfcd52ccde365e975ebcee72567 Reviewed-on: https://boringssl-review.googlesource.com/28547 Reviewed-by: Adam Langley <agl@google.com> |
||
---|---|---|
.. | ||
blinding.c | ||
internal.h | ||
padding.c | ||
rsa_impl.c | ||
rsa.c |