[{"id":3668500,"web_url":"http://patchwork.ozlabs.org/comment/3668500/","msgid":"<73592cd6-7ebd-4679-a091-a76280e84ce1@swupdate.org>","list_archive_url":null,"date":"2026-03-24T14:47:57","subject":"Re: [swupdate] [PATCH] crypto: openssl: fix verification of\n parameterized RSA-PSS keys","submitter":{"id":86869,"url":"http://patchwork.ozlabs.org/api/people/86869/","name":"Stefano Babic","email":"stefano.babic@swupdate.org"},"content":"On 3/24/26 14:33, 'Oliver Kaestner' via swupdate wrote:\n> Do not set RSA_PSS_SALTLEN_AUTO during verification.\n> \n> This fails for parameterized RSASSA-PSS keys, where the public key\n> encodes any restrictions, e.g. for the digest algorithm, or salt length.\n> \n> Setting RSA_PSS_SALTLEN_AUTO explicitly is unnecessary for verification\n> as the length will be auto-detected by default [1]:\n> \n>> EVP_PKEY_CTX_set_rsa_pss_saltlen() sets the RSA PSS salt length to\n>> saltlen. As its name implies it is only supported for PSS padding.\n>> If this function is not called then the salt length is maximized up\n>> to the digest length when signing and auto detection when verifying.\n> \n> But setting this value also causes the verification to fail for\n> parameterized keys as the OpenSSL docs note [2]:\n> \n>> The EVP_PKEY_CTX_set_rsa_pss_saltlen() macro is used to set the salt\n>> length. If the key has usage restrictions then an error is returned\n>> if an attempt is made to set the salt length below the minimum value.\n>> It is otherwise similar to the RSA operation except detection of the\n>> salt length (using RSA_PSS_SALTLEN_AUTO) is not supported for\n>> verification if the key has usage restrictions.\n> \n> So remove that call and let OpenSSL do the right thing automatically.\n> \n> [1] https://docs.openssl.org/3.5/man3/EVP_PKEY_CTX_ctrl/#rsa-parameters\n> [2] https://docs.openssl.org/3.5/man3/EVP_PKEY_CTX_set_rsa_pss_keygen_md\n> \n> Link: https://groups.google.com/g/swupdate/c/FMRY6rtuKW8\n> Signed-off-by: Oliver Kästner <okaestner@rosen-nxt.com>\n> ---\n>   crypto/swupdate_rsa_verify_openssl.c | 5 -----\n>   1 file changed, 5 deletions(-)\n> \n> diff --git a/crypto/swupdate_rsa_verify_openssl.c b/crypto/swupdate_rsa_verify_openssl.c\n> index fac102ce..195a0f44 100644\n> --- a/crypto/swupdate_rsa_verify_openssl.c\n> +++ b/crypto/swupdate_rsa_verify_openssl.c\n> @@ -71,11 +71,6 @@ static int dgst_verify_init(struct openssl_digest *dgst)\n>   \t\t\tERROR(\"EVP_PKEY_CTX_set_rsa_padding failed, error 0x%lx\", ERR_get_error());\n>   \t\t\treturn -EFAULT; /* failed */\n>   \t\t}\n> -\t\trc = EVP_PKEY_CTX_set_rsa_pss_saltlen(dgst->ckey, -2);\n> -\t\tif (rc <= 0) {\n> -\t\t\tERROR(\"EVP_PKEY_CTX_set_rsa_pss_saltlen failed, error 0x%lx\", ERR_get_error());\n> -\t\t\treturn -EFAULT; /* failed */\n> -\t\t}\n>   \t}\n>   \n>   \treturn 0;\n\nApplied to -master, thanks !\n\nBest regards,\nStefano Babic","headers":{"Return-Path":"<swupdate+bncBD2ZDGN6SEKRBIGIRLHAMGQELAOGTVA@googlegroups.com>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=googlegroups.com header.i=@googlegroups.com\n header.a=rsa-sha256 header.s=20251104 header.b=TGET2I/l;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=googlegroups.com\n (client-ip=2a00:1450:4864:20::53e; helo=mail-ed1-x53e.google.com;\n envelope-from=swupdate+bncbd2zdgn6sekrbigirlhamgqelaogtva@googlegroups.com;\n receiver=patchwork.ozlabs.org)"],"Received":["from mail-ed1-x53e.google.com (mail-ed1-x53e.google.com\n [IPv6:2a00:1450:4864:20::53e])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fgCZf43qbz1xy1\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 25 Mar 2026 01:48:10 +1100 (AEDT)","by mail-ed1-x53e.google.com with SMTP id\n 4fb4d7f45d1cf-6697c7ffb86sf3035955a12.1\n        for <incoming@patchwork.ozlabs.org>;\n Tue, 24 Mar 2026 07:48:10 -0700 (PDT)","by 2002:aa7:c3d4:0:b0:66a:5de4:adb1 with SMTP id\n 4fb4d7f45d1cf-66a5de4af63ls611563a12.1.-pod-prod-06-eu;\n Tue, 24 Mar 2026 07:47:58 -0700 (PDT)","from mout.kundenserver.de (mout.kundenserver.de. [212.227.126.134])\n        by gmr-mx.google.com with ESMTPS id\n 4fb4d7f45d1cf-66a19bd6417si59725a12.2.2026.03.24.07.47.58\n        for <swupdate@googlegroups.com>\n        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n        Tue, 24 Mar 2026 07:47:58 -0700 (PDT)","from client.hidden.invalid by mrelayeu.kundenserver.de (mreue011\n [212.227.17.165]) with ESMTPSA (Nemesis) id 1MTRAS-1vzaUL3Ss0-00QsMj; Tue, 24\n Mar 2026 15:47:57 +0100"],"ARC-Seal":["i=2; a=rsa-sha256; t=1774363682; cv=pass;\n        d=google.com; s=arc-20240605;\n        b=AabDJzjQvNrdQ6aKAdfjvfcU2mXRSdl4sQAQ/snB61Nu2canOosqdedzkjsooR1lQ0\n         ssHUMMvVJkm80VRsBcIO+wpoE/V2w8OiMukD7222Ue0wwQKA8J7rIV4vtc3jKBZJkGnU\n         NKjw71gd6G8MGdraPZo2wHacFHFxnFBxez3QG9XuezS0CC5R0GMsW0JFhIIX0eaew3OQ\n         oSm4bTkChAJKeknK9NkdcFYkfMEXe35LwrMqSVhBQbWAexBMj9kRAG/dZzH00HFsFNft\n         CsFZ5/5Snmx/jfMrWmoN7VuQF0Nvfe3HZjF1+7r8PfjCs3wNtluszNzw8AyGwUXyANpP\n         iszg==","i=1; a=rsa-sha256; t=1774363678; cv=none;\n        d=google.com; s=arc-20240605;\n        b=F3x6m+Ynu4EH/dW4EAtcdumJr0TcuUCz1K3wdBpzTdKrADUy/IK3wQFJidEso5BSdJ\n         gokp7QvruMUrVccX42Ten03qvKZLd6ty4ZlgZVZ7RGXX4AGX6gPDLTEhQHetwy39hMUU\n         1Kh1+HAucNLkQYuf0FXb3zImGcZ4fh5XoVieE2wAoZ7LDvoU8WVcoDd99mTghW75q2Xn\n         FDZ7MMY8skoqPud6MHPfAcUlVLZM0WZ60iA04DOCe+0kUYyW3aMzG1nMEPmqt1XBJ705\n         trDrPaWsCcT4vRY5CWawkQpsyl0eFaXZ2CYoSm3LzYVJLLQOx469MeZLzPlSaR0FAMZi\n         wdmA=="],"ARC-Message-Signature":["i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com;\n s=arc-20240605;\n        h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post\n         :list-id:mailing-list:precedence:ui-outboundreport\n         :content-transfer-encoding:in-reply-to:from:content-language\n         :references:to:subject:user-agent:mime-version:date:message-id\n         :sender:dkim-signature;\n        bh=KTd8ilwzCMW7dCTiEtjtXdhRqgyaI/Gscpp/QpeKPTE=;\n        fh=SqmzFdLmZ/nEFP4mx6zG5GFH2Hrpr/hDy3lRqXd0mD4=;\n        b=a5SLH/1gj4GW5mFJgMxRj+FqbtsAu5A2Rwu03+GGkpGMVwrjcwj0/wCpmgunsMi4HT\n         UgLF8dOOBLIaTrLUKSm2u5NxW5DAciZ9p9gXJzrW4cO9mS0kSsZ0mxpYwqNdYYP+y1JY\n         nLI+g/XXYFmZ4pBBDyusdurSP+9LjfCY4mDyvfod3z9u/ilMSJqT+fv8kIdGqfpRbwHx\n         ds2cJAEL14WRqFRhw52UcnXRc/MVQlmJUn6BjpiuZkDr7oCLsjhZ5SMxA485GuHFdJR4\n         mGKKGr6Qu/pxbanb4SqFrzQ6q3u/zqdu7eGJ/DghIyDRojFpmQytleuIGwr6LnkdV9Sn\n         Nv1w==;\n        darn=patchwork.ozlabs.org","i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;\n s=arc-20240605;\n        h=ui-outboundreport:content-transfer-encoding:in-reply-to:from\n         :content-language:references:to:subject:user-agent:mime-version:date\n         :message-id:dkim-signature;\n        bh=qFEaSIZtm+6cW1OCawcFZ8PRHr4wrvr7+m4lBlgvRhw=;\n        fh=37yAKsYs6j2sds57fPfuftV3jHmplCZ9kQiVe3RIMQc=;\n        b=J5Y/upI4EjSg8NL9HP6X02rzZ/T99FRYiHjKLShUGIyIOsuTQXRdJml31RMhFpFwBD\n         Hco/eR8CqLHmuktNUn4nRBaWBchdLBWwIV41UA0RquDJ3MCKRiBxgb9rlhyUxwYhFtsh\n         B8FfonR/Ei7nVLEYP36mTruso0TwAUSrzQ6DQyNqlBy3HclR1xF+8pXV7zA8ocLMK06N\n         6Y/a6/LWRkwtrRjYeGrQ1AbNmqbGFXQZWD8g5QfKYeLdR35b7ln+/SGdL6nnkVZXgyla\n         4K2TU2DmmGelL+rluv3zHo5g2HBh5M6wLoq72FJ1OPM5PabPLHbtZwhM3az7eHmo0BHS\n         kvBg==;\n        dara=google.com"],"ARC-Authentication-Results":["i=2; gmr-mx.google.com;\n       dkim=pass header.i=@swupdate.org header.s=s1-ionos header.b=qUXm79nh;\n       spf=pass (google.com: domain of stefano.babic@swupdate.org designates\n 212.227.126.134 as permitted sender)\n smtp.mailfrom=stefano.babic@swupdate.org;\n       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=swupdate.org","i=1; gmr-mx.google.com;\n       dkim=pass header.i=@swupdate.org header.s=s1-ionos header.b=qUXm79nh;\n       spf=pass (google.com: domain of stefano.babic@swupdate.org designates\n 212.227.126.134 as permitted sender)\n smtp.mailfrom=stefano.babic@swupdate.org;\n       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=swupdate.org"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n        d=googlegroups.com; s=20251104; t=1774363682; x=1774968482;\n darn=patchwork.ozlabs.org;\n        h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post\n         :list-id:mailing-list:precedence:x-original-authentication-results\n         :x-original-sender:ui-outboundreport:content-transfer-encoding\n         :in-reply-to:from:content-language:references:to:subject:user-agent\n         :mime-version:date:message-id:sender:from:to:cc:subject:date\n         :message-id:reply-to;\n        bh=KTd8ilwzCMW7dCTiEtjtXdhRqgyaI/Gscpp/QpeKPTE=;\n        b=TGET2I/lGCjCaxmpHGp1Y55f3NmBm/iJh6LPoqBJzSoZHFaMecy/sTxakY9hQuHkl+\n         lpBhGNsNIk+uKHKqZYd2HVMbBTRu3dI8pJ4wQTzfSFnM1E946fU21uruE0vBGqAhxLhd\n         dswgWS4CwdUGp9ShfhN8CWfoFB0ZJZ1NKJnuFO6w12Inz3hzCXR6ViviKih820WVYcDW\n         9YTBmNAVvo1o4x3fXw7vccJ1IG+Y3AxQtdGpwLYIYPKuetQBAjTzRfZmAq+8/tQGOxze\n         /XbTvLx2f5fPIiutBNmd1oKGAiDBcRpFAmGU2ePEhtc/NNxsnk+IM5VrEtw0mhcMZiz3\n         CmeQ==","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n        d=1e100.net; s=20251104; t=1774363682; x=1774968482;\n        h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post\n         :x-spam-checked-in-group:list-id:mailing-list:precedence\n         :x-original-authentication-results:x-original-sender\n         :ui-outboundreport:content-transfer-encoding:in-reply-to:from\n         :content-language:references:to:subject:user-agent:mime-version:date\n         :message-id:x-beenthere:x-gm-message-state:sender:from:to:cc:subject\n         :date:message-id:reply-to;\n        bh=KTd8ilwzCMW7dCTiEtjtXdhRqgyaI/Gscpp/QpeKPTE=;\n        b=WltrYPDxmuT6yM4QDv/EpAFeHlJRgy6X+MD4GZtRltmW57efMfLbSgvdfgrmbL+/hI\n         ApuNP+IMGPZPVFJyfK/UbZPC0BHpGS/DI9QHDQwFfWGMCeprRidYE98avjRpZuVA3hcx\n         gM3KQNN9RdvtJCJbv84yHliiz38ay60J7+p3G8u/SISMd+nbSVlA8oeOVVhsoKbZbfNS\n         cW9pHOS9HsDDi5BWklre7mATzaXWranjTyE3Jk4WRKlnH7b65PG2bJTRKdM8kvMQJWGZ\n         xzoiqWWM8Vh/SPcqagJnMaewaH49RlzRSsd/cRCkfEone4EZHjFQd8lkqA/MCF6h6Kie\n         ThbQ==","Sender":"swupdate@googlegroups.com","X-Forwarded-Encrypted":["i=2;\n AJvYcCVwwJII2X1odocidoAW4prUORui8U7/qXVnW6tjUPSx0HAP8MZx9B9b1j61/+T3E8BfQor+6R138g==@patchwork.ozlabs.org","i=2;\n AJvYcCV6lJIGuBjTX0rpw2HK6mtylpoUGiNJW02l2M1zTorZPQBbO/26QPVUQJcUkIfHBzs4d3kfQeeqBg==@googlegroups.com"],"X-Gm-Message-State":"AOJu0YwRDnaNtiUyJE9V12AYil44X7R0eBVo5QPOXkq0jWZPYU6D33Gv\n\t/p1NaoYCwViNbm9ATsh0fe7mWZ4yvVd6e9floUIFy66j3eIIlI8lAyGd","X-Received":["by 2002:a05:6402:2684:b0:66a:3390:30cd with SMTP id\n 4fb4d7f45d1cf-66a33903391mr3145573a12.26.1774363682287;\n        Tue, 24 Mar 2026 07:48:02 -0700 (PDT)","by 2002:a05:6402:2087:b0:662:fad8:4a9f with SMTP id\n 4fb4d7f45d1cf-668c9311ba7mr10032744a12.9.1774363678458;\n        Tue, 24 Mar 2026 07:47:58 -0700 (PDT)"],"X-BeenThere":"swupdate@googlegroups.com;\n h=\"AYAyTiJSP13e5dIR2+XoZxOnMAJtgMrDSElbJ0rOM6r/8jME8Q==\"","Received-SPF":"pass (google.com: domain of stefano.babic@swupdate.org\n designates 212.227.126.134 as permitted sender) client-ip=212.227.126.134;","X-UI-Sender-Class":"55c96926-9e95-11ee-ae09-1f7a4046a0f6","Message-ID":"<73592cd6-7ebd-4679-a091-a76280e84ce1@swupdate.org>","Date":"Tue, 24 Mar 2026 15:47:57 +0100","MIME-Version":"1.0","User-Agent":"Mozilla Thunderbird","Subject":"Re: [swupdate] [PATCH] crypto: openssl: fix verification of\n parameterized RSA-PSS keys","To":"Oliver Kaestner <okaestner@rosen-nxt.com>,\n \"swupdate@googlegroups.com\" <swupdate@googlegroups.com>","References":"\n <ZR5P278MB19111BB86B3D130C03BC3A04E148A@ZR5P278MB1911.CHEP278.PROD.OUTLOOK.COM>","Content-Language":"en-US","From":"Stefano Babic <stefano.babic@swupdate.org>","In-Reply-To":"\n <ZR5P278MB19111BB86B3D130C03BC3A04E148A@ZR5P278MB1911.CHEP278.PROD.OUTLOOK.COM>","Content-Type":"text/plain; charset=\"UTF-8\"; format=flowed","Content-Transfer-Encoding":"quoted-printable","X-Provags-ID":"V03:K1:GpKAc50gpk6aSwZjHtVx5dsVMZqG/wHob4iH2cXPF2uO6v83fhm\n ZPCorrnT9jU7WJS7o81T+BeaQGHXUnQ0a3GzLLFlh7z+6WzzbJN2JzEbjHp440uwg8RZIJt\n m/mtKOKi9Mt7xrw8hYgWnDXySPNXPH5zp09tv/fccW2EZsNLse3YUNaREMEXAtTK8sfcvL2\n KKKGVo6hf1CtqbKH9oA+w==","X-Spam-Flag":"NO","UI-OutboundReport":"notjunk:1;M01:P0:eAAUzVWR6r4=;AjVm09t0K6bBray2QontUnEK8PH\n yopkKCgYqKVSY7Tm3JhSkBTmo1wgatCRwNm7W+2ZBslCERAiZqlR3oBoYH7kxM+XN1J3jV6tg\n x3Eq+xZZvET6x5RqVD7xbulTfKf1oE6NkMG077xZVs1K/YAsm9DjkgikEGvZjXfxDgHUfzT3v\n BMiMmymLneQCIiLS3Q1krDsoGjsy5MrvvouDUm+z+nZvf5nO3D/35z6BvG1sceFn/+mlPldv4\n PBjoI0p51t523A1Hdw26PNmJ6MZgeJ0o+TZXGpVBP14J1qDxjMtnJJ1AET+Bz5dPPVWYcGZqD\n GcYCeYKTbQ9jq3b+6jWWSnRWXMxwSZ06dXrFVgL8cWdD4pXDoWhPA/4I6+cQAP4gmmllCLd48\n N+ZUQComEyIl6V6ktewAr0dlJhVpZPy2c8H+CfZp9JFZ+69Ox2bv01L7sZp4nZtjemj22TRrF\n GCyTA6b/s2jRuvRDor7ITX6tmnV6F9LALPOCpo9K37QYzxCVIJ8FEGb+bfbOpHvOTgiSJJxOx\n 2NGXx6KfcxA61PsMouEVOX/wTpqVRp5sW6+ZXxd0y3aQca8SU8oCRQAckUzv0UNLcUnydwisd\n t1Z0e9rWVc+4rGtKBspBfdC+Erp18oIGxNMuzzqPHpLbFFNy9F53IZz4iETbveeIKEnwcTIVc\n +vNBq5ayUf6ULIW/MDFVYy6jhyeGXZri4vl5HWSsCVu2MV1msESE60xTtLAG2ZzJCLm4c0wEu\n xsPiD7Mao0OlGg3DjWPZRSQUmcbk4SyGekHBXrIo00ZykpbEPbG4i2tnoLfwjUsLyQdy5U0+U\n jlTULZ77VQcTpODHKgxlrdkz+T1CpHUKts6dWFLCziN0pGlQvvmHRgVAt6Og1X4uYspLzPGnG\n 3UVc0acZ06stL4R89Yq2R6G7TF9HcPZSYRCNvePgLdaZBUocKy/BwvGk8QVbzIaz0++9Iow/y\n SL3v7QepB+sJcW+gLpn07w0BhYzM74bacskITmGqGk5CrwAHQzxZ64ZsGqBHuA96UOWqxyTrZ\n hE066gn8lP1MeX2k3Dsdlcc9hM0i/NAS7ZLpkv2BFDpXj97C9pDKY5ctyzahKrBpwlkvhryP1\n mWYZJwna8YlAqJaG1LzbokQoGmoOGWNddvCLMsZ0SUuAdBujg4532heE4266UgLSioXSDawDx\n qrAT47+KI24+3qoV6myjMM64NqIAByenlNYAPYiRPDL05gnrWT/tkLz1b4nWZhfhGhH0vR17m\n jns3tPb3LLPx23JUy8E+wZkQiEode6xlQuA02ZvxMAafM4g76DKIC5hPDPOc+n7RSD5AVw7m+\n 44UzKXm6E6bdhtw8LJ1x/R1jYNgR0eDPIILr458ydEDfsI1QnK/TuWfW3cyaBhqRRQvOni4TX\n faKdxzPYNUhy2HPLH37b2IfftwtX2T0GErulp2FzMqWBlUkqULMwg2qk690ORtr89GamGTfOx\n 912BcpYV5cJgQg6n3OIptAwNTeDYPG08YrIs1ZKlfZmQcqASx3Ub6pf/e1AFltrtMddSZERLJ\n 2GxKny11jlwW5LeDp0tp2fcCaajw+Pzg0Q7530FshWnKbeRbShi2/svjlohlGPDzXK20T5V9j\n jQZmNe1ihaSKyUQUgP9fSXeJmRfTdLZgIADOCYuhzB1OqHOZ8Z1ZZwmkO7dF91V9Bpj9xqeJX\n EM++cPqNt6dMQQ+hQ4Ry8FpbezcPqnDn9Sx9jU2Z/Xn6Cg/BZ2RZe7crBCiY2GPCpTzFetrTm\n FAJsPfju3kMoatUXtD08h9nhTqGVJvndFkI+v7QfbJbd8Dp73cSEfyK+3c68Ng3ZVHjE+Ey/g\n 2Cy498ZPvu9HYBRivEhZJ7Z5TaAYUuk8fjGabdGMA2JYqakHuwbXBImPI2acljUu865CEry2Z\n VMDDYPWKSdAnv+zJgQeIw/Zxafob6jkSaEbZOcvtPQBYKAjhGQiWpU1j4nVK1nakSpXL1Unig\n TXlRpfgn6HxZDCLCze3hIPVjZ4IzFo8sj2epCetTRMvgQr6Dyk","X-Original-Sender":"stefano.babic@swupdate.org","X-Original-Authentication-Results":"gmr-mx.google.com;       dkim=pass\n header.i=@swupdate.org header.s=s1-ionos header.b=qUXm79nh;       spf=pass\n (google.com: domain of stefano.babic@swupdate.org designates 212.227.126.134\n as permitted sender) smtp.mailfrom=stefano.babic@swupdate.org;\n       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=swupdate.org","Precedence":"list","Mailing-list":"list swupdate@googlegroups.com;\n contact swupdate+owners@googlegroups.com","List-ID":"<swupdate.googlegroups.com>","X-Spam-Checked-In-Group":"swupdate@googlegroups.com","X-Google-Group-Id":"605343134186","List-Post":"<https://groups.google.com/group/swupdate/post>,\n <mailto:swupdate@googlegroups.com>","List-Help":"<https://groups.google.com/support/>,\n <mailto:swupdate+help@googlegroups.com>","List-Archive":"<https://groups.google.com/group/swupdate","List-Subscribe":"<https://groups.google.com/group/swupdate/subscribe>,\n <mailto:swupdate+subscribe@googlegroups.com>","List-Unsubscribe":"\n <mailto:googlegroups-manage+605343134186+unsubscribe@googlegroups.com>,\n <https://groups.google.com/group/swupdate/subscribe>"}},{"id":3668506,"web_url":"http://patchwork.ozlabs.org/comment/3668506/","msgid":"<50155983-4ea9-4709-81de-a2fcbc7b71b7n@googlegroups.com>","list_archive_url":null,"date":"2026-03-24T14:52:42","subject":"Re: [swupdate] [PATCH] crypto: openssl: fix verification of\n parameterized RSA-PSS keys","submitter":{"id":92958,"url":"http://patchwork.ozlabs.org/api/people/92958/","name":"Oliver Kästner","email":"okaestner@rosen-nxt.com"},"content":"Great, thanks! Would it be possible to apply it on scarthgap, too? \nOtherwise I'll just patch it in my bbappend.\n\n- Oliver\n\nOn Tuesday, March 24, 2026 at 3:48:02 PM UTC+1 Stefano Babic wrote:\n\n> On 3/24/26 14:33, 'Oliver Kaestner' via swupdate wrote:\n> > Do not set RSA_PSS_SALTLEN_AUTO during verification.\n> > \n> > This fails for parameterized RSASSA-PSS keys, where the public key\n> > encodes any restrictions, e.g. for the digest algorithm, or salt length.\n> > \n> > Setting RSA_PSS_SALTLEN_AUTO explicitly is unnecessary for verification\n> > as the length will be auto-detected by default [1]:\n> > \n> >> EVP_PKEY_CTX_set_rsa_pss_saltlen() sets the RSA PSS salt length to\n> >> saltlen. As its name implies it is only supported for PSS padding.\n> >> If this function is not called then the salt length is maximized up\n> >> to the digest length when signing and auto detection when verifying.\n> > \n> > But setting this value also causes the verification to fail for\n> > parameterized keys as the OpenSSL docs note [2]:\n> > \n> >> The EVP_PKEY_CTX_set_rsa_pss_saltlen() macro is used to set the salt\n> >> length. If the key has usage restrictions then an error is returned\n> >> if an attempt is made to set the salt length below the minimum value.\n> >> It is otherwise similar to the RSA operation except detection of the\n> >> salt length (using RSA_PSS_SALTLEN_AUTO) is not supported for\n> >> verification if the key has usage restrictions.\n> > \n> > So remove that call and let OpenSSL do the right thing automatically.\n> > \n> > [1] https://docs.openssl.org/3.5/man3/EVP_PKEY_CTX_ctrl/#rsa-parameters\n> > [2] https://docs.openssl.org/3.5/man3/EVP_PKEY_CTX_set_rsa_pss_keygen_md\n> > \n> > Link: https://groups.google.com/g/swupdate/c/FMRY6rtuKW8\n> > Signed-off-by: Oliver Kästner <okae...@rosen-nxt.com>\n> > ---\n> > crypto/swupdate_rsa_verify_openssl.c | 5 -----\n> > 1 file changed, 5 deletions(-)\n> > \n> > diff --git a/crypto/swupdate_rsa_verify_openssl.c \n> b/crypto/swupdate_rsa_verify_openssl.c\n> > index fac102ce..195a0f44 100644\n> > --- a/crypto/swupdate_rsa_verify_openssl.c\n> > +++ b/crypto/swupdate_rsa_verify_openssl.c\n> > @@ -71,11 +71,6 @@ static int dgst_verify_init(struct openssl_digest \n> *dgst)\n> > ERROR(\"EVP_PKEY_CTX_set_rsa_padding failed, error 0x%lx\", \n> ERR_get_error());\n> > return -EFAULT; /* failed */\n> > }\n> > - rc = EVP_PKEY_CTX_set_rsa_pss_saltlen(dgst->ckey, -2);\n> > - if (rc <= 0) {\n> > - ERROR(\"EVP_PKEY_CTX_set_rsa_pss_saltlen failed, error 0x%lx\", \n> ERR_get_error());\n> > - return -EFAULT; /* failed */\n> > - }\n> > }\n> > \n> > return 0;\n>\n> Applied to -master, thanks !\n>\n> Best regards,\n> Stefano Babic\n>\n> -- \n> _______________________________________________________________________\n> Nabla Software Engineering GmbH\n> Hirschstr. 111A | 86156 Augsburg | Tel: +49 821 45592596 \n> <+49%20821%2045592596>\n> Geschäftsführer : Stefano Babic | HRB 40522 Augsburg\n> E-Mail: sba...@nabladev.com\n>\n>","headers":{"Return-Path":"<swupdate+bncBCCONF765YHBBPGKRLHAMGQEHQEVBOA@googlegroups.com>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=googlegroups.com header.i=@googlegroups.com\n header.a=rsa-sha256 header.s=20251104 header.b=YVjjO3gv;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=googlegroups.com\n (client-ip=2001:4860:4864:20::37; helo=mail-oa1-x37.google.com;\n envelope-from=swupdate+bncbcconf765yhbbpgkrlhamgqehqevboa@googlegroups.com;\n receiver=patchwork.ozlabs.org)"],"Received":["from mail-oa1-x37.google.com (mail-oa1-x37.google.com\n [IPv6:2001:4860:4864:20::37])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fgCh71Zl2z1y1g\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 25 Mar 2026 01:52:54 +1100 (AEDT)","by mail-oa1-x37.google.com with SMTP id\n 586e51a60fabf-41737430593sf44405430fac.1\n        for <incoming@patchwork.ozlabs.org>;\n Tue, 24 Mar 2026 07:52:53 -0700 (PDT)","by 2002:a05:6871:3143:b0:41c:64c3:46be with SMTP id\n 586e51a60fabf-41c64c3de3fls1039477fac.1.-pod-prod-07-us; Tue, 24 Mar 2026\n 07:52:43 -0700 (PDT)"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n        d=googlegroups.com; s=20251104; t=1774363967; x=1774968767;\n darn=patchwork.ozlabs.org;\n        h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post\n         :list-id:mailing-list:precedence:reply-to:x-original-sender\n         :mime-version:subject:references:in-reply-to:message-id:to:from:date\n         :from:to:cc:subject:date:message-id:reply-to;\n        bh=wzhv7LsIj+0ZHPwyQzn9ks0wwmxGvEXaEnf1n97TrYk=;\n        b=YVjjO3gvEgFzT1hJ+ryvwEa3XsR2e5/vJrKnNEw+5aYWwPx9t2A6/ANHU3ugnJalt3\n         sHT90xXmZF5Zba3gCLvbT9et5Xgul5nh7xosgWnmfTJZvlsa+w044cjA3oecsSQWPu9o\n         dQ3yKuVxG3G2LhPTxaZB/rGAmL1yR/sBmIm6VcSUO/eMCkf5vOfOqqYM+Le3PporiGIL\n         +Ocfiy3OcyuLR9YDDYd4fnkYYGCyq7+w6hJQlZ1KED/IS+aa1XzFJptgAMC0dyI1z7mV\n         iSC49dt0NcZfi2/srnjhc8S5PTI3LxxyqPQrmpPc/lUWCuDHTwWxqbMCxvD8E6JP+iqV\n         574A==","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n        d=1e100.net; s=20251104; t=1774363967; x=1774968767;\n        h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post\n         :x-spam-checked-in-group:list-id:mailing-list:precedence:reply-to\n         :x-original-sender:mime-version:subject:references:in-reply-to\n         :message-id:to:from:date:x-beenthere:x-gm-message-state:from:to:cc\n         :subject:date:message-id:reply-to;\n        bh=wzhv7LsIj+0ZHPwyQzn9ks0wwmxGvEXaEnf1n97TrYk=;\n        b=AzrLbDPBpQpnBkWla1LToxejOj/zW/3LmoVBusgY4i2lcBBt3g8Z5qm9nPz2ZUnOZ1\n         Lt1oWXl7U0WI4pavBP+WjF7OGwFPfiVljjMahqEgZrOpNza6dT8B2oHDFOtfz8AYANJa\n         3dDlyXGQQih2MiUDIek88/fWrh4tfxEiiyz8EWw0BKH6eg6g/PznMyMPg5/85ZP2JsFU\n         N0qnfYKiov7pWGe+RZgeFKG3jHeDUgcSwBZZVpv/2NWkNUZJlBRNa3WJHshfUNTWDEdv\n         f6guGwDQ0TzTmb0xCUjdgT9VVuompldQw+eiAYU8lSbO7PdI566QoMm0CSyxsZzmEaG8\n         GSbA==","X-Forwarded-Encrypted":"i=1;\n AJvYcCXNolwNokddNurxoxRXm90W3Lf9G0M5RDNnplN2viR1B6J5/K5lT2d8Uak2dmfH5+KPvfj8GJM7og==@patchwork.ozlabs.org","X-Gm-Message-State":"AOJu0YyZ53tF/Zc//YZmCh1Gwf1g4dwxMbts5VceD0ELgz2eYhh47+eL\n\t2fgHmHLWn0vkvwOOBXKgGuEtk9bHgSKt8/gxaeScYLY8COGNQUFkNxFR","X-Received":["by 2002:a05:6870:8116:b0:409:62c9:5cc7 with SMTP id\n 586e51a60fabf-41c110015eemr10986603fac.15.1774363966513;\n        Tue, 24 Mar 2026 07:52:46 -0700 (PDT)","by 2002:a05:6808:309e:b0:467:226e:3007 with SMTP id\n 5614622812f47-467e5ed677emr8908126b6e.29.1774363963605;\n        Tue, 24 Mar 2026 07:52:43 -0700 (PDT)"],"X-BeenThere":"swupdate@googlegroups.com;\n h=\"AYAyTiIYKWRLNBcGPRYHIIYhXrYgD4awCfUS05LAtEnquuretQ==\"","Date":"Tue, 24 Mar 2026 07:52:42 -0700 (PDT)","From":"=?utf-8?q?=27Oliver_K=C3=A4stner=27_via_swupdate?=\n <swupdate@googlegroups.com>","To":"swupdate <swupdate@googlegroups.com>","Message-Id":"<50155983-4ea9-4709-81de-a2fcbc7b71b7n@googlegroups.com>","In-Reply-To":"<73592cd6-7ebd-4679-a091-a76280e84ce1@swupdate.org>","References":"\n <ZR5P278MB19111BB86B3D130C03BC3A04E148A@ZR5P278MB1911.CHEP278.PROD.OUTLOOK.COM>\n <73592cd6-7ebd-4679-a091-a76280e84ce1@swupdate.org>","Subject":"Re: [swupdate] [PATCH] crypto: openssl: fix verification of\n parameterized RSA-PSS keys","MIME-Version":"1.0","Content-Type":"multipart/mixed;\n\tboundary=\"----=_Part_613098_1990872806.1774363962865\"","X-Original-Sender":"okaestner@rosen-nxt.com","X-Original-From":"=?utf-8?q?Oliver_K=C3=A4stner?= <okaestner@rosen-nxt.com>","Reply-To":"=?utf-8?q?Oliver_K=C3=A4stner?= <okaestner@rosen-nxt.com>","Precedence":"list","Mailing-list":"list swupdate@googlegroups.com;\n contact swupdate+owners@googlegroups.com","List-ID":"<swupdate.googlegroups.com>","X-Spam-Checked-In-Group":"swupdate@googlegroups.com","X-Google-Group-Id":"605343134186","List-Post":"<https://groups.google.com/group/swupdate/post>,\n <mailto:swupdate@googlegroups.com>","List-Help":"<https://groups.google.com/support/>,\n <mailto:swupdate+help@googlegroups.com>","List-Archive":"<https://groups.google.com/group/swupdate","List-Subscribe":"<https://groups.google.com/group/swupdate/subscribe>,\n <mailto:swupdate+subscribe@googlegroups.com>","List-Unsubscribe":"\n <mailto:googlegroups-manage+605343134186+unsubscribe@googlegroups.com>,\n <https://groups.google.com/group/swupdate/subscribe>"}},{"id":3668526,"web_url":"http://patchwork.ozlabs.org/comment/3668526/","msgid":"<2f75e74d-7b0b-453c-a66d-822c3710b9c0@swupdate.org>","list_archive_url":null,"date":"2026-03-24T15:21:34","subject":"Re: [swupdate] [PATCH] crypto: openssl: fix verification of\n parameterized RSA-PSS keys","submitter":{"id":86869,"url":"http://patchwork.ozlabs.org/api/people/86869/","name":"Stefano Babic","email":"stefano.babic@swupdate.org"},"content":"On 3/24/26 15:52, 'Oliver Kästner' via swupdate wrote:\n> Great, thanks! Would it be possible to apply it on scarthgap, too? \n\nNot as fix version, so 2025.12.x.\n\nBut you can use PREFERRED_VERSION_swupdate = \"2025.12+git%\"\n\nI have update the _git recipe for all supported branches:\n\n    857cb95..d4cfdeb  master -> master\n    0792561..81f4faa  scarthgap -> scarthgap\n    0cbabdc..7e28fc4  whinlatter -> whinlatter\n    857cb95..b1fbd1d  wrynose -> wrynose\n\nBest regards,\nStefano Babic\n\n\n> Otherwise I'll just patch it in my bbappend.\n> \n> - Oliver\n> \n> On Tuesday, March 24, 2026 at 3:48:02 PM UTC+1 Stefano Babic wrote:\n> \n>     On 3/24/26 14:33, 'Oliver Kaestner' via swupdate wrote:\n>      > Do not set RSA_PSS_SALTLEN_AUTO during verification.\n>      >\n>      > This fails for parameterized RSASSA-PSS keys, where the public key\n>      > encodes any restrictions, e.g. for the digest algorithm, or salt\n>     length.\n>      >\n>      > Setting RSA_PSS_SALTLEN_AUTO explicitly is unnecessary for\n>     verification\n>      > as the length will be auto-detected by default [1]:\n>      >\n>      >> EVP_PKEY_CTX_set_rsa_pss_saltlen() sets the RSA PSS salt length to\n>      >> saltlen. As its name implies it is only supported for PSS padding.\n>      >> If this function is not called then the salt length is maximized up\n>      >> to the digest length when signing and auto detection when\n>     verifying.\n>      >\n>      > But setting this value also causes the verification to fail for\n>      > parameterized keys as the OpenSSL docs note [2]:\n>      >\n>      >> The EVP_PKEY_CTX_set_rsa_pss_saltlen() macro is used to set the\n>     salt\n>      >> length. If the key has usage restrictions then an error is returned\n>      >> if an attempt is made to set the salt length below the minimum\n>     value.\n>      >> It is otherwise similar to the RSA operation except detection of\n>     the\n>      >> salt length (using RSA_PSS_SALTLEN_AUTO) is not supported for\n>      >> verification if the key has usage restrictions.\n>      >\n>      > So remove that call and let OpenSSL do the right thing\n>     automatically.\n>      >\n>      > [1] https://docs.openssl.org/3.5/man3/EVP_PKEY_CTX_ctrl/#rsa-\n>     parameters <https://docs.openssl.org/3.5/man3/EVP_PKEY_CTX_ctrl/\n>     #rsa-parameters>\n>      > [2] https://docs.openssl.org/3.5/man3/\n>     EVP_PKEY_CTX_set_rsa_pss_keygen_md <https://docs.openssl.org/3.5/\n>     man3/EVP_PKEY_CTX_set_rsa_pss_keygen_md>\n>      >\n>      > Link: https://groups.google.com/g/swupdate/c/FMRY6rtuKW8\n>     <https://groups.google.com/g/swupdate/c/FMRY6rtuKW8>\n>      > Signed-off-by: Oliver Kästner <okae...@rosen-nxt.com>\n>      > ---\n>      > crypto/swupdate_rsa_verify_openssl.c | 5 -----\n>      > 1 file changed, 5 deletions(-)\n>      >\n>      > diff --git a/crypto/swupdate_rsa_verify_openssl.c b/crypto/\n>     swupdate_rsa_verify_openssl.c\n>      > index fac102ce..195a0f44 100644\n>      > --- a/crypto/swupdate_rsa_verify_openssl.c\n>      > +++ b/crypto/swupdate_rsa_verify_openssl.c\n>      > @@ -71,11 +71,6 @@ static int dgst_verify_init(struct\n>     openssl_digest *dgst)\n>      > ERROR(\"EVP_PKEY_CTX_set_rsa_padding failed, error 0x%lx\",\n>     ERR_get_error());\n>      > return -EFAULT; /* failed */\n>      > }\n>      > - rc = EVP_PKEY_CTX_set_rsa_pss_saltlen(dgst->ckey, -2);\n>      > - if (rc <= 0) {\n>      > - ERROR(\"EVP_PKEY_CTX_set_rsa_pss_saltlen failed, error 0x%lx\",\n>     ERR_get_error());\n>      > - return -EFAULT; /* failed */\n>      > - }\n>      > }\n>      >\n>      > return 0;\n> \n>     Applied to -master, thanks !\n> \n>     Best regards,\n>     Stefano Babic\n> \n>     -- \n>     _______________________________________________________________________\n>     Nabla Software Engineering GmbH\n>     Hirschstr. 111A | 86156 Augsburg | Tel: +49 821 45592596 <tel:\n>     +49%20821%2045592596>\n>     Geschäftsführer : Stefano Babic | HRB 40522 Augsburg\n>     E-Mail: sba...@nabladev.com\n> \n> -- \n> You received this message because you are subscribed to the Google \n> Groups \"swupdate\" group.\n> To unsubscribe from this group and stop receiving emails from it, send \n> an email to swupdate+unsubscribe@googlegroups.com \n> <mailto:swupdate+unsubscribe@googlegroups.com>.\n> To view this discussion visit https://groups.google.com/d/msgid/ \n> swupdate/50155983-4ea9-4709-81de-a2fcbc7b71b7n%40googlegroups.com \n> <https://groups.google.com/d/msgid/swupdate/50155983-4ea9-4709-81de- \n> a2fcbc7b71b7n%40googlegroups.com?utm_medium=email&utm_source=footer>.","headers":{"Return-Path":"<swupdate+bncBD2ZDGN6SEKRBAOYRLHAMGQE4PXQEVY@googlegroups.com>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=googlegroups.com header.i=@googlegroups.com\n header.a=rsa-sha256 header.s=20251104 header.b=As2BP2dA;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=googlegroups.com\n (client-ip=2a00:1450:4864:20::43a; helo=mail-wr1-x43a.google.com;\n envelope-from=swupdate+bncbd2zdgn6sekrbaoyrlhamgqe4pxqevy@googlegroups.com;\n receiver=patchwork.ozlabs.org)"],"Received":["from mail-wr1-x43a.google.com (mail-wr1-x43a.google.com\n [IPv6:2a00:1450:4864:20::43a])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fgDKN6fJMz1y1g\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 25 Mar 2026 02:21:43 +1100 (AEDT)","by mail-wr1-x43a.google.com with SMTP id\n ffacd0b85a97d-43b40c22eaesf5315507f8f.2\n        for <incoming@patchwork.ozlabs.org>;\n Tue, 24 Mar 2026 08:21:43 -0700 (PDT)","by 2002:a05:6000:1863:b0:439:8f85:db06 with SMTP id\n ffacd0b85a97d-43b86f7d803ls319354f8f.0.-pod-prod-01-eu; Tue, 24 Mar 2026\n 08:21:35 -0700 (PDT)","from mout.kundenserver.de (mout.kundenserver.de. [212.227.17.13])\n        by gmr-mx.google.com with ESMTPS id\n ffacd0b85a97d-43b64706badsi285757f8f.6.2026.03.24.08.21.35\n        for <swupdate@googlegroups.com>\n        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n        Tue, 24 Mar 2026 08:21:35 -0700 (PDT)","from client.hidden.invalid by mrelayeu.kundenserver.de (mreue106\n [212.227.15.152]) with ESMTPSA (Nemesis) id 1N1PPJ-1vOru00N6R-015MvO for\n <swupdate@googlegroups.com>; Tue, 24 Mar 2026 16:21:35 +0100"],"ARC-Seal":["i=2; a=rsa-sha256; t=1774365699; cv=pass;\n        d=google.com; s=arc-20240605;\n        b=b5QLptUM/r9hAhRSNtQ1ylBDuu3SsoG5FOrjFvI7Fi+/hcU0ti048nGvyxURcbYtIT\n         pHHPsdjqU0+E70CHRNFQoyF/JikkL7ZMko00VMqD+bjANqHWjW86zvo2ED6VNE1IIdjW\n         oOdtQGpll/4nFZUci/lN08xvlRCm6RFMTAecr8xBUeKfDVLVMaxZrDaEN/gVZKpCJ9SK\n         kNXG4/KxNpdJ2C1R688GRrRia32jXsVm0063OA+bu3cugP1dCYg9p43bVdmeuQuUtvsi\n         WyrI6M9dgNO4C8b3DyyKQhPySxp1plChok6rElEsm3PMgiQ8FSr14Jqasb6RMfQQM5nR\n         ZEww==","i=1; a=rsa-sha256; t=1774365695; cv=none;\n        d=google.com; s=arc-20240605;\n        b=bTmJptpx2VOaFFe7K9wOUEu0BSrNT1PN9W8oLdDD4cCuo81ksH5qEsupQIL6OQq22G\n         h458UAbIc8IicSvX7I3awV1ZYdiSKa+EzW0NAf3yWnf5yHCC2uDWN6SBou1JZddNYjUj\n         AiGdozUj/SV+8bBvt+HYu7E/toqvtXAsJ3G29CBtAkbmop9XizX+0pnG+TuIXKGd0uER\n         nXD4GzQL9SvOLqmveRwSX6Jk8cOZqB8ulWA2a05p8flqkrgHgEaENd/I4qyNf7tpQyRu\n         sm4ZmDypE31t5JmPe9TKUqhVAqzCwX8JFOZEIodYkzuVw+FGuU9KIRBrCeCUW2MPehAh\n         pguA=="],"ARC-Message-Signature":["i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com;\n s=arc-20240605;\n        h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post\n         :list-id:mailing-list:precedence:ui-outboundreport\n         :content-transfer-encoding:in-reply-to:from:content-language\n         :references:to:subject:user-agent:mime-version:date:message-id\n         :sender:dkim-signature;\n        bh=4DgD7gcj1vRMt9R4X6G6Vn1rA2MP8vl1UqNUebo4D0w=;\n        fh=GnfTEsOKdw0Db04z7tQllwPoFfHMs3Kw1otW8dObRHw=;\n        b=jtpwX82/915NzVPg29n3O36U2JcM17YJ3uGs44iWoU8SDya1ta3G7i2/XWNJbFjWq2\n         vUsM3Gr8V+TUACI8aaGj9fp1qXijzhplUrkWlYeubbcF/E+mJfM/LDCegYuNfuQ1v6oU\n         ds5jC2nTfRhbFcih5LDMzmUb2KR972Zzvvm65aUVpLj7t+VAR4kKo4rJRkA+wYTC0AgM\n         26a+xLpaqp92YB1h09YenX2u8Lc3AxotehTtPTNWykbc3rUqv6P7AX1irhB46IIHespw\n         7OiXuStjsYCY7haqiz+GACW/KUDl+XKNE+fp52RuVO64QPtC5+6rQ9vL5oCoQ2oJgeXQ\n         PLRA==;\n        darn=patchwork.ozlabs.org","i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;\n s=arc-20240605;\n        h=ui-outboundreport:content-transfer-encoding:in-reply-to:from\n         :content-language:references:to:subject:user-agent:mime-version:date\n         :message-id:dkim-signature;\n        bh=h7K/eJwZ7btlk08onYTvC06PK5V9k/5ego6vuPUY9Bg=;\n        fh=nvZsCFpxgpf+fsVXzjnWA8g1K3V/kNbRAKogjNDW4HY=;\n        b=bx36CG4BJQtGOYttAl+pcp0p+P4+3R8wEDErcl9nXa5OQXT9/AKvYZ6PMjtqejIHw9\n         fFX1Xrs7HAD2qANKlcvMVYR2eiRczimoMm4lubTE1MkhUdso6CqgmYIU39t1paoN1a/I\n         rnkU+ntG6OzKjLT3UtpLxRrjtgnjbU2s+BGCRNoo3o/skehR7IvHV6WMw6rIDYc3CNW5\n         E+erVv+YGHkbl174vgGcGPH9gpDNtyZGlklwJeWZUCaABLuvK70lTNuSGJG8ZziPoHjR\n         BRXAA9+1FsYwoXyONn9TZUgJCww/sTUGmqwbyx1xUo+TiZvqt8gEGgXRkNkw0snd2qpU\n         pbpA==;\n        dara=google.com"],"ARC-Authentication-Results":["i=2; gmr-mx.google.com;\n       dkim=pass header.i=@swupdate.org header.s=s1-ionos header.b=Wx90hIE5;\n       spf=pass (google.com: domain of stefano.babic@swupdate.org designates\n 212.227.17.13 as permitted sender) smtp.mailfrom=stefano.babic@swupdate.org;\n       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=swupdate.org","i=1; gmr-mx.google.com;\n       dkim=pass header.i=@swupdate.org header.s=s1-ionos header.b=Wx90hIE5;\n       spf=pass (google.com: domain of stefano.babic@swupdate.org designates\n 212.227.17.13 as permitted sender) smtp.mailfrom=stefano.babic@swupdate.org;\n       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=swupdate.org"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n        d=googlegroups.com; s=20251104; t=1774365699; x=1774970499;\n darn=patchwork.ozlabs.org;\n        h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post\n         :list-id:mailing-list:precedence:x-original-authentication-results\n         :x-original-sender:ui-outboundreport:content-transfer-encoding\n         :in-reply-to:from:content-language:references:to:subject:user-agent\n         :mime-version:date:message-id:sender:from:to:cc:subject:date\n         :message-id:reply-to;\n        bh=4DgD7gcj1vRMt9R4X6G6Vn1rA2MP8vl1UqNUebo4D0w=;\n        b=As2BP2dAnvnxOt76/u+nSj/Eu+0tTzC6H6lFDuJr3VCFuMNQT9Q1KBAFwujJUAaq5i\n         RwLUGH22gI8n8Oopk2smQEK76VCvMfxPu/wKlNuF0Ql2BUmB+qaEguTgk4nJP8j+9BgY\n         bccUKb+hYoMtqp+Wkl8FgZ9Ox/E7DBt9xMJWGOT1UUBL8KZkC/ve9z4UW9zcwQZgyEmj\n         +cxIpOxU3bC10HKzZ6xUwZ8DQ/wv5fqNzkLZgg3se+08r6shpzuP81JswXIuNnLJwz39\n         Nyv2LSUDZHQMdSvIVxDyt6DEHyKUjyRY0cV6uUG5k6iBOmtYkUAKi1VuNYw061QcFrc7\n         hOMg==","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n        d=1e100.net; s=20251104; t=1774365699; x=1774970499;\n        h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post\n         :x-spam-checked-in-group:list-id:mailing-list:precedence\n         :x-original-authentication-results:x-original-sender\n         :ui-outboundreport:content-transfer-encoding:in-reply-to:from\n         :content-language:references:to:subject:user-agent:mime-version:date\n         :message-id:x-beenthere:x-gm-message-state:sender:from:to:cc:subject\n         :date:message-id:reply-to;\n        bh=4DgD7gcj1vRMt9R4X6G6Vn1rA2MP8vl1UqNUebo4D0w=;\n        b=CMX42kyJWWE6hLqtEk5Th2wN6eEiVo4WpPgibUasqSoMSpSi6LvuOfWd1fyXi2OPRN\n         UR57505r96d+nVzW0SndPqvBCO3Q3JpshVyca3MVfP2z41cwog47Iqgs9qZY+58NUPm2\n         U+YDK0G+/TkOIYac//vYRRHTaNzrZlTPxafCWvcXHUxdP6w8DgaVzxHbPirG1HcE7V5D\n         jZl4GY2Z59FE4sbQj6ROC0vgarRDzQ4j2l6uKkGix5nwzCJCShIPJnhBjVLxAjyIfST7\n         PrSedXHw8Iro5Uzan34DGsrbJKmPsm5HuAJNdgZybDCfNNMAfAqNtFk1kqn6K+TOcTrO\n         1M2Q==","Sender":"swupdate@googlegroups.com","X-Forwarded-Encrypted":"i=2;\n AJvYcCW/yI0H15iaknQAx8acE1Llkfdd14gabX/cyuUItgYlCS324SdxWxf9GfopGOUcCBDXbSRBi2XyKg==@patchwork.ozlabs.org","X-Gm-Message-State":"AOJu0Yw9LLrFxgbV8TOOyLfRneH493oXutq7eyEI+1r9rgkymvG911AC\n\tn2tBBUiUa3WCX/3DwZ7cYZkNLUMh3APc94qJiutCrVo4fK0UVEsKdHFE","X-Received":["by 2002:a05:600c:1f86:b0:486:fb5c:3b20 with SMTP id\n 5b1f17b1804b1-48715fef819mr2787315e9.13.1774365699486;\n        Tue, 24 Mar 2026 08:21:39 -0700 (PDT)","by 2002:a05:6000:26c8:b0:439:bcb8:54b7 with SMTP id\n ffacd0b85a97d-43b6424b9eemr25171248f8f.15.1774365695564;\n        Tue, 24 Mar 2026 08:21:35 -0700 (PDT)"],"X-BeenThere":"swupdate@googlegroups.com;\n h=\"AYAyTiLZp3gf0X3SSa5t6BNHfg/yxrGZ8zOPJznjYAo1YCgZ/g==\"","Received-SPF":"pass (google.com: domain of stefano.babic@swupdate.org\n designates 212.227.17.13 as permitted sender) client-ip=212.227.17.13;","X-UI-Sender-Class":"55c96926-9e95-11ee-ae09-1f7a4046a0f6","Message-ID":"<2f75e74d-7b0b-453c-a66d-822c3710b9c0@swupdate.org>","Date":"Tue, 24 Mar 2026 16:21:34 +0100","MIME-Version":"1.0","User-Agent":"Mozilla Thunderbird","Subject":"Re: [swupdate] [PATCH] crypto: openssl: fix verification of\n parameterized RSA-PSS keys","To":"swupdate@googlegroups.com","References":"\n <ZR5P278MB19111BB86B3D130C03BC3A04E148A@ZR5P278MB1911.CHEP278.PROD.OUTLOOK.COM>\n <73592cd6-7ebd-4679-a091-a76280e84ce1@swupdate.org>\n <50155983-4ea9-4709-81de-a2fcbc7b71b7n@googlegroups.com>","Content-Language":"en-US","From":"Stefano Babic <stefano.babic@swupdate.org>","In-Reply-To":"<50155983-4ea9-4709-81de-a2fcbc7b71b7n@googlegroups.com>","Content-Type":"text/plain; charset=\"UTF-8\"; format=flowed","Content-Transfer-Encoding":"quoted-printable","X-Provags-ID":"V03:K1:BMctxzWVgma/d8bqtNTK2F8f9aj6AO6uYSYB5w40Zgx+9QaUqv6\n 9G+zeDLzrD11WCVDg6S4s0KzcXdUvVaEcYongmCWlhdh+IddOzILN0z5EEdcLYmCakSJfxa\n abMrHhuAk1SuR4XeFzkeiF3T4SqPOdmboXSiQaWo/oFCfO7igYZ9HZLUVfhg/FZFiFQVfX0\n ZSUkVDFKc+8ecYj/HKtuA==","X-Spam-Flag":"NO","UI-OutboundReport":"notjunk:1;M01:P0:kqxBnFVOgfw=;T7XuDDReuzxzDZjX97s0FP/vq2g\n 2kENoX17I8fcDGkzJa18DfJ7lwvWrMYn0sCBO5WLzdPZheNC2+Dgt4LDzmG2lbW2pq/brf9ZR\n Jo+42qHmcd7EaMElQIqIolpX0Rmp/o6hskCEuOnYGYnwR45uPa4AOrx3o9CcbB8JyZ4fJMfpa\n /NzeyDWMbEN3Wjp2fjwiDLgMNhY4J/ciIZcZDHqliIpqk1+cFYW+aI0gu7kZ7In+3EkcctL1U\n V3MJMeAH9mT8sAcabYRgUbvGpxYfFj3TqBK9yyWVVGirXSb4Uj3zhLHzx+Ra6T08yCctzZfbg\n ummmkW6hdJfK27MvvR/Z98CbGmp1XnhcFq60V5hGV4lGp8exXzQfObbGUemfHztC8ZF0c+Ase\n 2Xx89ieRpSpFE76JnLluA0wT6+ltI1Rtois+i9A1+voehMYyEfNIj1QGy+7B23sW1q+PyQksW\n tQgU+N9Efurw6q8Fesyw2UwjHgPhHbsf7z8niiNsUf5QEcsM9WYZCKnLpfchqsdSE2R4UAhdk\n jJ6PKyFsybVwT0lc/1MhzLBpQ6kPTBbtnQsL+cTIT9l8c8HxE5hw+G5fTXIeqYzGFRA41eXHW\n owxSwfdI3Oa1rBkp0gXXtIQw2RAU5qbCUss21LwoHPVFagDP1ywtqbEaMRQc6+oNEXVVXnXZU\n ptmnjCcwjINXfej+PbgqgaNT83p7b8JeuOCGrd5EShTuVMQx9Tfq9B7lHgyLB/rT5fJyqdvAk\n XFAxSFm4KJ/2sy2a76oVB6dD1V3Y5x1bqdJiy7IhuCt7bvSC4f08UPI4D31PMw3//mS9zhcQ7\n gex/zaBRIBqregmJzN+uTRpZyYi3+zZiEpJbld8vCeEt4uPDYA23T+fzYqnjdkFtzfj8speAU\n r24EepSICgkFmkEUQNxy45dglNQJ4IBMS4xyKXEz/iZpye1s5IM2JkQvIqzxqXjXRsOaqegk/\n NgFmd7Cd7I1SnQxyValI7k/CbfWBU39xZQj9BDpdl08Tf85YAhJMEInxgAJvSElrHYGn6GOOX\n Ld5eF+KSJ7mDCTJg/GjnG3pjDf/ygHWe0TIhoy0/U/P7yXIiSX2UjRFh1a/VIdNKhmNAPSG2h\n Sv534c1F7M1hYjQuEs/5w8hsggltvl1yXsNyeqoEL/2gwyqeWNBTN1kfQ0K3HpqADJVQL5gl1\n XySpndhLxJUu0ECiyFONTGNg8f0C1DuhobRxsvgqcCc9MD/wFk1hiXYeihw1/HEWcmTzik3E7\n s7P5j5SuuJMrp0EvKdKT2RbsGtcPE/voA6wLiSXQ+NAjPORQrF40V1DJMEGE7MceKmi/Gg8I6\n neyHGDAz5mqRI7mV5RGIWVBbetT6IBnFugaJjizpl0OFXnsR+mDaGKP3z+l04qJd2I5bUzVVl\n 8BaH6OeiCAjvJCMT1XJwezTdFBbC82pkFclE12CeL8x3QW7dNaG1iLYUY9RRZSuWUi6ZInr3m\n LT9nsNWOY0gzpnk/2oV9gfIKdz5AZmeFe8NKQjpVY0gFUqBBWXS1ChJsxm1BvifVT6rfD1jfz\n ubOhBxeTZJrOLLAPbSVtqsh1rGmROikwBscVv5UwpRS55YJ+kNqAPlcXzVFpyPrpTtAF23l3c\n TVyz7yuf9XNTlk9slObAH38h0CQefx2yh0i9Otka7U9B8AsnLRCadc8vKIhwzaKU0Gd6A0m6k\n fH+xdGYEgoYeUteDM/ggwddRALvxCU9t+HYoFG1/vN12ePStyFTNAxPWIm3zeFF0QnWzAjvdK\n IozgRFLoh7d0ZNzxQ6YlBU3yFgosPtGiCT+IZewZnqDx+WnEBzgP8NXlmSXWmtgM8qqsrV3/K\n GOVZL3kW8/NdQtdHtDJRDSGQG7GDD95O9+AwAl3UOk2XHfyYPL6GVtMsP3bXpg0lK6fHtN1kW\n Put9ps5i5iPryNzFm+voFEkDqHBaDznSBKvhqgZDzc0VVXOX2xfsRwV6zBpipf37zPmPUHzSm\n igCUHiLw==","X-Original-Sender":"stefano.babic@swupdate.org","X-Original-Authentication-Results":"gmr-mx.google.com;       dkim=pass\n header.i=@swupdate.org header.s=s1-ionos header.b=Wx90hIE5;       spf=pass\n (google.com: domain of stefano.babic@swupdate.org designates 212.227.17.13 as\n permitted sender) smtp.mailfrom=stefano.babic@swupdate.org;       dmarc=pass\n (p=NONE sp=NONE dis=NONE) header.from=swupdate.org","Precedence":"list","Mailing-list":"list swupdate@googlegroups.com;\n contact swupdate+owners@googlegroups.com","List-ID":"<swupdate.googlegroups.com>","X-Spam-Checked-In-Group":"swupdate@googlegroups.com","X-Google-Group-Id":"605343134186","List-Post":"<https://groups.google.com/group/swupdate/post>,\n <mailto:swupdate@googlegroups.com>","List-Help":"<https://groups.google.com/support/>,\n <mailto:swupdate+help@googlegroups.com>","List-Archive":"<https://groups.google.com/group/swupdate","List-Subscribe":"<https://groups.google.com/group/swupdate/subscribe>,\n <mailto:swupdate+subscribe@googlegroups.com>","List-Unsubscribe":"\n <mailto:googlegroups-manage+605343134186+unsubscribe@googlegroups.com>,\n <https://groups.google.com/group/swupdate/subscribe>"}}]