Defines and strings for special salt length values, add tests

        saltlen = EVP_MD_size(sigmd);

    else if (saltlen == -2) {

        saltlen = EVP_PKEY_size(pk) - EVP_MD_size(sigmd) - 2;

        if (((EVP_PKEY_bits(pk) - 1) & 0x7) == 0)

        if ((EVP_PKEY_bits(pk) & 0x7) == 1)

            saltlen--;

    }

        rctx->pad_mode = RSA_PKCS1_PSS_PADDING;

    else

        rctx->pad_mode = RSA_PKCS1_PADDING;

    rctx->saltlen = -2;

    /* Maximum for sign, auto for verify */

    rctx->saltlen = RSA_PSS_SALTLEN_AUTO;

    rctx->min_saltlen = -1;

    ctx->data = rctx;

    ctx->keygen_info = rctx->gentmp;

        if (type == EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN) {

            *(int *)p2 = rctx->saltlen;

        } else {

            if (p1 < -2)

            if (p1 < RSA_PSS_SALTLEN_MAX)

                return -2;

            if (rsa_pss_restricted(rctx)) {

                if (p1 == -2 && ctx->operation == EVP_PKEY_OP_VERIFY) {

                if (p1 == RSA_PSS_SALTLEN_AUTO

                    && ctx->operation == EVP_PKEY_OP_VERIFY) {

                    RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PSS_SALTLEN);

                    return -2;

                }

                if ((p1 == -1 && rctx->min_saltlen > EVP_MD_size(rctx->md))

                if ((p1 == RSA_PSS_SALTLEN_DIGEST

                     && rctx->min_saltlen > EVP_MD_size(rctx->md))

                    || (p1 >= 0 && p1 < rctx->min_saltlen)) {

                    RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_PSS_SALTLEN_TOO_SMALL);

                    return 0;

    if (strcmp(type, "rsa_pss_saltlen") == 0) {

        int saltlen;

        if (!strcmp(value, "digest"))

            saltlen = RSA_PSS_SALTLEN_DIGEST;

        else if (!strcmp(value, "max"))

            saltlen = RSA_PSS_SALTLEN_MAX;

        else if (!strcmp(value, "auto"))

            saltlen = RSA_PSS_SALTLEN_AUTO;

        else

            saltlen = atoi(value);

        return EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, saltlen);

    }

    EVP_MD_CTX *ctx = EVP_MD_CTX_new();

    unsigned char H_[EVP_MAX_MD_SIZE];

    if (ctx == NULL)

        goto err;

     *      -2      salt length is autorecovered from signature

     *      -N      reserved

     */

    if (sLen == -1)

    if (sLen == RSA_PSS_SALTLEN_DIGEST)

        sLen = hLen;

    else if (sLen == -2)

        sLen = -2;

    else if (sLen < -2) {

    else if (sLen < RSA_PSS_SALTLEN_MAX) {

        RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_SLEN_CHECK_FAILED);

        goto err;

    }

        EM++;

        emLen--;

    }

    if (emLen < (hLen + sLen + 2)) { /* sLen can be small negative */

    if (sLen == RSA_PSS_SALTLEN_MAX) {

        sLen = emLen - hLen - 2;

    } else if (emLen < (hLen + sLen + 2)) { /* sLen can be small negative */

        RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_DATA_TOO_LARGE);

        goto err;

    }

        RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_SLEN_RECOVERY_FAILED);

        goto err;

    }

    if (sLen >= 0 && (maskedDBLen - i) != sLen) {

    if (sLen != RSA_PSS_SALTLEN_AUTO && (maskedDBLen - i) != sLen) {

        RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_SLEN_CHECK_FAILED);

        goto err;

    }

     *      -2      salt length is maximized

     *      -N      reserved

     */

    if (sLen == -1)

    if (sLen == RSA_PSS_SALTLEN_DIGEST)

        sLen = hLen;

    else if (sLen == -2)

        sLen = -2;

    else if (sLen < -2) {

    else if (sLen == RSA_PSS_SALTLEN_MAX_SIGN)

        sLen = RSA_PSS_SALTLEN_MAX;

    else if (sLen < RSA_PSS_SALTLEN_MAX) {

        RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1, RSA_R_SLEN_CHECK_FAILED);

        goto err;

    }

        *EM++ = 0;

        emLen--;

    }

    if (sLen == -2) {

    if (sLen == RSA_PSS_SALTLEN_MAX) {

        sLen = emLen - hLen - 2;

    } else if (emLen < (hLen + sLen + 2)) {

        RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1,

=item B<rsa_pss_saltlen:len>

For B<pss> mode only this option specifies the salt length. Two special values

are supported: -1 sets the salt length to the digest length. When signing -2

sets the salt length to the maximum permissible value. When verifying -2 causes

the salt length to be automatically determined based on the B<PSS> block

structure.

For B<pss> mode only this option specifies the salt length. Three special

values are supported: "digest" sets the salt length to the digest length,

"max" sets the salt length to the maximum permissible value. When verifying

"auto" causes the salt length to be automatically determined based on the

B<PSS> block structure.

=item B<rsa_mgf1_md:digest>

buffer is expected to be the algorithm identifier byte.

The EVP_PKEY_CTX_set_rsa_pss_saltlen() macro sets the RSA PSS salt length to

B<len> as its name implies it is only supported for PSS padding.  Two special

values are supported: -1 sets the salt length to the digest length. When

signing -2 sets the salt length to the maximum permissible value. When

verifying -2 causes the salt length to be automatically determined based on the

B<PSS> block structure. If this macro is not called a salt length value of -2

is used by default.

B<len> as its name implies it is only supported for PSS padding.  Three special

values are supported: RSA_PSS_SALTLEN_DIGEST sets the salt length to the

digest length, RSA_PSS_SALTLEN_MAX sets the salt length to the maximum

permissible value. When verifying RSA_PSS_SALTLEN_AUTO causes the salt length

to be automatically determined based on the B<PSS> block structure. If this

macro is not called maximum salt length is used when signing and auto detection

when verifying is used by default.

The EVP_PKEY_CTX_set_rsa_rsa_keygen_bits() macro sets the RSA key length for

RSA key generation to B<bits>. If not specified 1024 bits is used.