From fd0b9b903753dc78bab8cb83ce198c9301430c05 Mon Sep 17 00:00:00 2001
From: Mark Atwood <mark@wolfssl.com>
Date: Sun, 12 Apr 2026 18:24:01 -0700
Subject: [PATCH] fix: skip RSA_MIN_PAD_SZ check for PSS padding in
 RsaPublicEncryptEx

The RSA_MIN_PAD_SZ guard (inLen > sz - 11) is a PKCS#1 v1.5 constraint.
PSS has its own length check inside RsaPad_PSS (emLen >= hLen + sLen + 2
per RFC 8017) and does not need this guard. For keys in the range
[hLen+2, hLen+10] bytes, the outer guard fires and returns RSA_BUFFER_E
before RsaPad_PSS ever runs, even though PSS with saltLen=0 would be
geometrically valid for those key sizes.

Add a WC_RSA_PSS ifdef that skips the RSA_BUFFER_E return when
pad_type == WC_RSA_PSS_PAD, mirroring the existing WC_RSA_NO_PADDING
exception for raw (no-pad) mode.
---
 wolfcrypt/src/rsa.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/wolfcrypt/src/rsa.c b/wolfcrypt/src/rsa.c
index a2dae120f99..5c24f6926bf 100644
--- a/wolfcrypt/src/rsa.c
+++ b/wolfcrypt/src/rsa.c
@@ -3455,6 +3455,11 @@ static int RsaPublicEncryptEx(const byte* in, word32 inLen, byte* out,
         /* In the case that no padding is used the input length can and should
          * be the same size as the RSA key. */
         if (pad_type != WC_RSA_NO_PAD)
+#endif
+#ifdef WC_RSA_PSS
+        /* PSS performs its own input-length check inside RsaPad_PSS; the
+         * RSA_MIN_PAD_SZ guard applies only to PKCS#1 v1.5 padding. */
+        if (pad_type != WC_RSA_PSS_PAD)
 #endif
         return RSA_BUFFER_E;
     }