Path: blob/main/crypto/openssl/providers/implementations/signature/rsa_sig.c
109668 views
/*1* Copyright 2019-2026 The OpenSSL Project Authors. All Rights Reserved.2*3* Licensed under the Apache License 2.0 (the "License"). You may not use4* this file except in compliance with the License. You can obtain a copy5* in the file LICENSE in the source distribution or at6* https://www.openssl.org/source/license.html7*/89/*10* RSA low level APIs are deprecated for public use, but still ok for11* internal use.12*/13#include "internal/deprecated.h"1415#include <string.h>16#include <openssl/crypto.h>17#include <openssl/core_dispatch.h>18#include <openssl/core_names.h>19#include <openssl/err.h>20#include <openssl/obj_mac.h>21#include <openssl/rsa.h>22#include <openssl/params.h>23#include <openssl/evp.h>24#include <openssl/proverr.h>25#include "internal/cryptlib.h"26#include "internal/nelem.h"27#include "internal/sizes.h"28#include "crypto/rsa.h"29#include "prov/providercommon.h"30#include "prov/implementations.h"31#include "prov/provider_ctx.h"32#include "prov/der_rsa.h"33#include "prov/securitycheck.h"3435#define RSA_DEFAULT_DIGEST_NAME OSSL_DIGEST_NAME_SHA13637static OSSL_FUNC_signature_newctx_fn rsa_newctx;38static OSSL_FUNC_signature_sign_init_fn rsa_sign_init;39static OSSL_FUNC_signature_verify_init_fn rsa_verify_init;40static OSSL_FUNC_signature_verify_recover_init_fn rsa_verify_recover_init;41static OSSL_FUNC_signature_sign_fn rsa_sign;42static OSSL_FUNC_signature_sign_message_update_fn rsa_signverify_message_update;43static OSSL_FUNC_signature_sign_message_final_fn rsa_sign_message_final;44static OSSL_FUNC_signature_verify_fn rsa_verify;45static OSSL_FUNC_signature_verify_recover_fn rsa_verify_recover;46static OSSL_FUNC_signature_verify_message_update_fn rsa_signverify_message_update;47static OSSL_FUNC_signature_verify_message_final_fn rsa_verify_message_final;48static OSSL_FUNC_signature_digest_sign_init_fn rsa_digest_sign_init;49static OSSL_FUNC_signature_digest_sign_update_fn rsa_digest_sign_update;50static OSSL_FUNC_signature_digest_sign_final_fn rsa_digest_sign_final;51static OSSL_FUNC_signature_digest_verify_init_fn rsa_digest_verify_init;52static OSSL_FUNC_signature_digest_verify_update_fn rsa_digest_verify_update;53static OSSL_FUNC_signature_digest_verify_final_fn rsa_digest_verify_final;54static OSSL_FUNC_signature_freectx_fn rsa_freectx;55static OSSL_FUNC_signature_dupctx_fn rsa_dupctx;56static OSSL_FUNC_signature_query_key_types_fn rsa_sigalg_query_key_types;57static OSSL_FUNC_signature_get_ctx_params_fn rsa_get_ctx_params;58static OSSL_FUNC_signature_gettable_ctx_params_fn rsa_gettable_ctx_params;59static OSSL_FUNC_signature_set_ctx_params_fn rsa_set_ctx_params;60static OSSL_FUNC_signature_settable_ctx_params_fn rsa_settable_ctx_params;61static OSSL_FUNC_signature_get_ctx_md_params_fn rsa_get_ctx_md_params;62static OSSL_FUNC_signature_gettable_ctx_md_params_fn rsa_gettable_ctx_md_params;63static OSSL_FUNC_signature_set_ctx_md_params_fn rsa_set_ctx_md_params;64static OSSL_FUNC_signature_settable_ctx_md_params_fn rsa_settable_ctx_md_params;65static OSSL_FUNC_signature_set_ctx_params_fn rsa_sigalg_set_ctx_params;66static OSSL_FUNC_signature_settable_ctx_params_fn rsa_sigalg_settable_ctx_params;6768static OSSL_ITEM padding_item[] = {69{ RSA_PKCS1_PADDING, OSSL_PKEY_RSA_PAD_MODE_PKCSV15 },70{ RSA_NO_PADDING, OSSL_PKEY_RSA_PAD_MODE_NONE },71{ RSA_X931_PADDING, OSSL_PKEY_RSA_PAD_MODE_X931 },72{ RSA_PKCS1_PSS_PADDING, OSSL_PKEY_RSA_PAD_MODE_PSS },73{ 0, NULL }74};7576/*77* What's passed as an actual key is defined by the KEYMGMT interface.78* We happen to know that our KEYMGMT simply passes RSA structures, so79* we use that here too.80*/8182typedef struct {83OSSL_LIB_CTX *libctx;84char *propq;85RSA *rsa;86int operation;8788/*89* Flag to determine if a full sigalg is run (1) or if a composable90* signature algorithm is run (0).91*92* When a full sigalg is run (1), this currently affects the following93* other flags, which are to remain untouched after their initialization:94*95* - flag_allow_md (initialized to 0)96*/97unsigned int flag_sigalg : 1;98/*99* Flag to determine if the hash function can be changed (1) or not (0)100* Because it's dangerous to change during a DigestSign or DigestVerify101* operation, this flag is cleared by their Init function, and set again102* by their Final function.103* Implementations of full sigalgs (such as RSA-SHA256) hard-code this104* flag to not allow changes (0).105*/106unsigned int flag_allow_md : 1;107unsigned int mgf1_md_set : 1;108/*109* Flags to say what are the possible next external calls in what110* constitutes the life cycle of an algorithm. The relevant calls are:111* - init112* - update113* - final114* - oneshot115* All other external calls are regarded as utilitarian and are allowed116* at any time (they may be affected by other flags, like flag_allow_md,117* though).118*/119unsigned int flag_allow_update : 1;120unsigned int flag_allow_final : 1;121unsigned int flag_allow_oneshot : 1;122123/* main digest */124EVP_MD *md;125EVP_MD_CTX *mdctx;126int mdnid;127char mdname[OSSL_MAX_NAME_SIZE]; /* Purely informational */128129/* RSA padding mode */130int pad_mode;131/* message digest for MGF1 */132EVP_MD *mgf1_md;133int mgf1_mdnid;134char mgf1_mdname[OSSL_MAX_NAME_SIZE]; /* Purely informational */135/* PSS salt length */136int saltlen;137/* Minimum salt length or -1 if no PSS parameter restriction */138int min_saltlen;139140/* Signature, for verification */141unsigned char *sig;142size_t siglen;143144#ifdef FIPS_MODULE145/*146* FIPS 140-3 IG 2.4.B mandates that verification based on a digest of a147* message is not permitted. However, signing based on a digest is still148* permitted.149*/150int verify_message;151#endif152153/* Temp buffer */154unsigned char *tbuf;155156OSSL_FIPS_IND_DECLARE157} PROV_RSA_CTX;158159/* True if PSS parameters are restricted */160#define rsa_pss_restricted(prsactx) (prsactx->min_saltlen != -1)161162static size_t rsa_get_md_size(const PROV_RSA_CTX *prsactx)163{164int md_size;165166if (prsactx->md != NULL) {167md_size = EVP_MD_get_size(prsactx->md);168if (md_size <= 0)169return 0;170return md_size;171}172return 0;173}174175static int rsa_check_padding(const PROV_RSA_CTX *prsactx,176const char *mdname, const char *mgf1_mdname,177int mdnid)178{179switch (prsactx->pad_mode) {180case RSA_NO_PADDING:181if (mdname != NULL || mdnid != NID_undef) {182ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE);183return 0;184}185break;186case RSA_X931_PADDING:187if (RSA_X931_hash_id(mdnid) == -1) {188ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_X931_DIGEST);189return 0;190}191break;192case RSA_PKCS1_PSS_PADDING:193if (rsa_pss_restricted(prsactx))194if ((mdname != NULL && !EVP_MD_is_a(prsactx->md, mdname))195|| (mgf1_mdname != NULL196&& !EVP_MD_is_a(prsactx->mgf1_md, mgf1_mdname))) {197ERR_raise(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED);198return 0;199}200break;201default:202break;203}204205return 1;206}207208static int rsa_check_parameters(PROV_RSA_CTX *prsactx, int min_saltlen)209{210if (prsactx->pad_mode == RSA_PKCS1_PSS_PADDING) {211int max_saltlen;212213/* See if minimum salt length exceeds maximum possible */214max_saltlen = RSA_size(prsactx->rsa) - EVP_MD_get_size(prsactx->md);215if ((RSA_bits(prsactx->rsa) & 0x7) == 1)216max_saltlen--;217if (min_saltlen < 0 || min_saltlen > max_saltlen) {218ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH);219return 0;220}221prsactx->min_saltlen = min_saltlen;222}223return 1;224}225226static void *rsa_newctx(void *provctx, const char *propq)227{228PROV_RSA_CTX *prsactx = NULL;229char *propq_copy = NULL;230231if (!ossl_prov_is_running())232return NULL;233234if ((prsactx = OPENSSL_zalloc(sizeof(PROV_RSA_CTX))) == NULL235|| (propq != NULL236&& (propq_copy = OPENSSL_strdup(propq)) == NULL)) {237OPENSSL_free(prsactx);238return NULL;239}240241OSSL_FIPS_IND_INIT(prsactx)242prsactx->libctx = PROV_LIBCTX_OF(provctx);243prsactx->flag_allow_md = 1;244#ifdef FIPS_MODULE245prsactx->verify_message = 1;246#endif247prsactx->propq = propq_copy;248/* Maximum up to digest length for sign, auto for verify */249prsactx->saltlen = RSA_PSS_SALTLEN_AUTO_DIGEST_MAX;250prsactx->min_saltlen = -1;251return prsactx;252}253254static int rsa_pss_compute_saltlen(PROV_RSA_CTX *ctx)255{256int saltlen = ctx->saltlen;257int saltlenMax = -1;258259/* FIPS 186-4 section 5 "The RSA Digital Signature Algorithm", subsection260* 5.5 "PKCS #1" says: "For RSASSA-PSS […] the length (in bytes) of the261* salt (sLen) shall satisfy 0 <= sLen <= hLen, where hLen is the length of262* the hash function output block (in bytes)."263*264* Provide a way to use at most the digest length, so that the default does265* not violate FIPS 186-4. */266if (saltlen == RSA_PSS_SALTLEN_DIGEST) {267if ((saltlen = EVP_MD_get_size(ctx->md)) <= 0) {268ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST);269return -1;270}271} else if (saltlen == RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) {272saltlen = RSA_PSS_SALTLEN_MAX;273if ((saltlenMax = EVP_MD_get_size(ctx->md)) <= 0) {274ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST);275return -1;276}277}278if (saltlen == RSA_PSS_SALTLEN_MAX || saltlen == RSA_PSS_SALTLEN_AUTO) {279int mdsize, rsasize;280281if ((mdsize = EVP_MD_get_size(ctx->md)) <= 0) {282ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST);283return -1;284}285if ((rsasize = RSA_size(ctx->rsa)) <= 2 || rsasize - 2 < mdsize) {286ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY);287return -1;288}289saltlen = rsasize - mdsize - 2;290if ((RSA_bits(ctx->rsa) & 0x7) == 1)291saltlen--;292if (saltlenMax >= 0 && saltlen > saltlenMax)293saltlen = saltlenMax;294}295if (saltlen < 0) {296ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);297return -1;298} else if (saltlen < ctx->min_saltlen) {299ERR_raise_data(ERR_LIB_PROV, PROV_R_PSS_SALTLEN_TOO_SMALL,300"minimum salt length: %d, actual salt length: %d",301ctx->min_saltlen, saltlen);302return -1;303}304return saltlen;305}306307static unsigned char *rsa_generate_signature_aid(PROV_RSA_CTX *ctx,308unsigned char *aid_buf,309size_t buf_len,310size_t *aid_len)311{312WPACKET pkt;313unsigned char *aid = NULL;314int saltlen;315RSA_PSS_PARAMS_30 pss_params;316int ret;317318if (!WPACKET_init_der(&pkt, aid_buf, buf_len)) {319ERR_raise(ERR_LIB_PROV, ERR_R_CRYPTO_LIB);320return NULL;321}322323switch (ctx->pad_mode) {324case RSA_PKCS1_PADDING:325ret = ossl_DER_w_algorithmIdentifier_MDWithRSAEncryption(&pkt, -1,326ctx->mdnid);327328if (ret > 0) {329break;330} else if (ret == 0) {331ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);332goto cleanup;333}334ERR_raise_data(ERR_LIB_PROV, ERR_R_UNSUPPORTED,335"Algorithm ID generation - md NID: %d",336ctx->mdnid);337goto cleanup;338case RSA_PKCS1_PSS_PADDING:339saltlen = rsa_pss_compute_saltlen(ctx);340if (saltlen < 0)341goto cleanup;342if (!ossl_rsa_pss_params_30_set_defaults(&pss_params)343|| !ossl_rsa_pss_params_30_set_hashalg(&pss_params, ctx->mdnid)344|| !ossl_rsa_pss_params_30_set_maskgenhashalg(&pss_params,345ctx->mgf1_mdnid)346|| !ossl_rsa_pss_params_30_set_saltlen(&pss_params, saltlen)347|| !ossl_DER_w_algorithmIdentifier_RSA_PSS(&pkt, -1,348RSA_FLAG_TYPE_RSASSAPSS,349&pss_params)) {350ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);351goto cleanup;352}353break;354default:355ERR_raise_data(ERR_LIB_PROV, ERR_R_UNSUPPORTED,356"Algorithm ID generation - pad mode: %d",357ctx->pad_mode);358goto cleanup;359}360if (WPACKET_finish(&pkt)) {361WPACKET_get_total_written(&pkt, aid_len);362aid = WPACKET_get_curr(&pkt);363}364cleanup:365WPACKET_cleanup(&pkt);366return aid;367}368369static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname,370const char *mdprops, const char *desc)371{372EVP_MD *md = NULL;373374if (mdprops == NULL)375mdprops = ctx->propq;376377if (mdname != NULL) {378int md_nid;379size_t mdname_len = strlen(mdname);380381md = EVP_MD_fetch(ctx->libctx, mdname, mdprops);382383if (md == NULL) {384ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,385"%s could not be fetched", mdname);386goto err;387}388md_nid = ossl_digest_rsa_sign_get_md_nid(md);389if (md_nid == NID_undef) {390ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED,391"digest=%s", mdname);392goto err;393}394/*395* XOF digests are not allowed except for RSA PSS.396* We don't support XOF digests with RSA PSS (yet), so just fail.397* When we do support them, uncomment the second clause.398*/399if (EVP_MD_xof(md)400/* && ctx->pad_mode != RSA_PKCS1_PSS_PADDING */) {401ERR_raise(ERR_LIB_PROV, PROV_R_XOF_DIGESTS_NOT_ALLOWED);402goto err;403}404#ifdef FIPS_MODULE405{406int sha1_allowed407= ((ctx->operation408& (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_SIGNMSG))409== 0);410411if (!ossl_fips_ind_digest_sign_check(OSSL_FIPS_IND_GET(ctx),412OSSL_FIPS_IND_SETTABLE1,413ctx->libctx,414md_nid, sha1_allowed, 1, desc,415ossl_fips_config_signature_digest_check))416goto err;417}418#endif419420if (!rsa_check_padding(ctx, mdname, NULL, md_nid))421goto err;422if (mdname_len >= sizeof(ctx->mdname)) {423ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,424"%s exceeds name buffer length", mdname);425goto err;426}427428if (!ctx->flag_allow_md) {429if (ctx->mdname[0] != '\0' && !EVP_MD_is_a(md, ctx->mdname)) {430ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED,431"digest %s != %s", mdname, ctx->mdname);432goto err;433}434EVP_MD_free(md);435return 1;436}437438if (!ctx->mgf1_md_set) {439if (!EVP_MD_up_ref(md)) {440goto err;441}442EVP_MD_free(ctx->mgf1_md);443ctx->mgf1_md = md;444ctx->mgf1_mdnid = md_nid;445OPENSSL_strlcpy(ctx->mgf1_mdname, mdname, sizeof(ctx->mgf1_mdname));446}447448EVP_MD_CTX_free(ctx->mdctx);449EVP_MD_free(ctx->md);450451ctx->mdctx = NULL;452ctx->md = md;453ctx->mdnid = md_nid;454OPENSSL_strlcpy(ctx->mdname, mdname, sizeof(ctx->mdname));455}456457return 1;458err:459EVP_MD_free(md);460return 0;461}462463static int rsa_setup_mgf1_md(PROV_RSA_CTX *ctx, const char *mdname,464const char *mdprops)465{466size_t len;467EVP_MD *md = NULL;468int mdnid;469470if (mdprops == NULL)471mdprops = ctx->propq;472473if ((md = EVP_MD_fetch(ctx->libctx, mdname, mdprops)) == NULL) {474ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,475"%s could not be fetched", mdname);476return 0;477}478/* The default for mgf1 is SHA1 - so allow SHA1 */479if ((mdnid = ossl_digest_rsa_sign_get_md_nid(md)) <= 0480|| !rsa_check_padding(ctx, NULL, mdname, mdnid)) {481if (mdnid <= 0)482ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED,483"digest=%s", mdname);484EVP_MD_free(md);485return 0;486}487len = OPENSSL_strlcpy(ctx->mgf1_mdname, mdname, sizeof(ctx->mgf1_mdname));488if (len >= sizeof(ctx->mgf1_mdname)) {489ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,490"%s exceeds name buffer length", mdname);491EVP_MD_free(md);492return 0;493}494495EVP_MD_free(ctx->mgf1_md);496ctx->mgf1_md = md;497ctx->mgf1_mdnid = mdnid;498ctx->mgf1_md_set = 1;499return 1;500}501502static int503rsa_signverify_init(PROV_RSA_CTX *prsactx, void *vrsa,504OSSL_FUNC_signature_set_ctx_params_fn *set_ctx_params,505const OSSL_PARAM params[], int operation,506const char *desc)507{508int protect;509510if (!ossl_prov_is_running() || prsactx == NULL)511return 0;512513if (vrsa == NULL && prsactx->rsa == NULL) {514ERR_raise(ERR_LIB_PROV, PROV_R_NO_KEY_SET);515return 0;516}517518if (vrsa != NULL) {519if (!RSA_up_ref(vrsa))520return 0;521RSA_free(prsactx->rsa);522prsactx->rsa = vrsa;523}524if (!ossl_rsa_key_op_get_protect(prsactx->rsa, operation, &protect))525return 0;526527prsactx->operation = operation;528prsactx->flag_allow_update = 1;529prsactx->flag_allow_final = 1;530prsactx->flag_allow_oneshot = 1;531532/* Maximize up to digest length for sign, auto for verify */533prsactx->saltlen = RSA_PSS_SALTLEN_AUTO_DIGEST_MAX;534prsactx->min_saltlen = -1;535536switch (RSA_test_flags(prsactx->rsa, RSA_FLAG_TYPE_MASK)) {537case RSA_FLAG_TYPE_RSA:538prsactx->pad_mode = RSA_PKCS1_PADDING;539break;540case RSA_FLAG_TYPE_RSASSAPSS:541prsactx->pad_mode = RSA_PKCS1_PSS_PADDING;542543{544const RSA_PSS_PARAMS_30 *pss = ossl_rsa_get0_pss_params_30(prsactx->rsa);545546if (!ossl_rsa_pss_params_30_is_unrestricted(pss)) {547int md_nid = ossl_rsa_pss_params_30_hashalg(pss);548int mgf1md_nid = ossl_rsa_pss_params_30_maskgenhashalg(pss);549int min_saltlen = ossl_rsa_pss_params_30_saltlen(pss);550const char *mdname, *mgf1mdname;551size_t len;552553mdname = ossl_rsa_oaeppss_nid2name(md_nid);554mgf1mdname = ossl_rsa_oaeppss_nid2name(mgf1md_nid);555556if (mdname == NULL) {557ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,558"PSS restrictions lack hash algorithm");559return 0;560}561if (mgf1mdname == NULL) {562ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,563"PSS restrictions lack MGF1 hash algorithm");564return 0;565}566567len = OPENSSL_strlcpy(prsactx->mdname, mdname,568sizeof(prsactx->mdname));569if (len >= sizeof(prsactx->mdname)) {570ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,571"hash algorithm name too long");572return 0;573}574len = OPENSSL_strlcpy(prsactx->mgf1_mdname, mgf1mdname,575sizeof(prsactx->mgf1_mdname));576if (len >= sizeof(prsactx->mgf1_mdname)) {577ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,578"MGF1 hash algorithm name too long");579return 0;580}581prsactx->saltlen = min_saltlen;582583/* call rsa_setup_mgf1_md before rsa_setup_md to avoid duplication */584if (!rsa_setup_mgf1_md(prsactx, mgf1mdname, prsactx->propq)585|| !rsa_setup_md(prsactx, mdname, prsactx->propq, desc)586|| !rsa_check_parameters(prsactx, min_saltlen))587return 0;588}589}590591break;592default:593ERR_raise(ERR_LIB_RSA, PROV_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);594return 0;595}596597OSSL_FIPS_IND_SET_APPROVED(prsactx)598if (!set_ctx_params(prsactx, params))599return 0;600#ifdef FIPS_MODULE601if (!ossl_fips_ind_rsa_key_check(OSSL_FIPS_IND_GET(prsactx),602OSSL_FIPS_IND_SETTABLE0, prsactx->libctx,603prsactx->rsa, desc, protect))604return 0;605#endif606return 1;607}608609static int setup_tbuf(PROV_RSA_CTX *ctx)610{611if (ctx->tbuf != NULL)612return 1;613if ((ctx->tbuf = OPENSSL_malloc(RSA_size(ctx->rsa))) == NULL)614return 0;615return 1;616}617618static void clean_tbuf(PROV_RSA_CTX *ctx)619{620if (ctx->tbuf != NULL)621OPENSSL_cleanse(ctx->tbuf, RSA_size(ctx->rsa));622}623624static void free_tbuf(PROV_RSA_CTX *ctx)625{626clean_tbuf(ctx);627OPENSSL_free(ctx->tbuf);628ctx->tbuf = NULL;629}630631#ifdef FIPS_MODULE632static int rsa_pss_saltlen_check_passed(PROV_RSA_CTX *ctx, const char *algoname, int saltlen)633{634int mdsize = rsa_get_md_size(ctx);635/*636* Perform the check if the salt length is compliant to FIPS 186-5.637*638* According to FIPS 186-5 5.4 (g), the salt length shall be between zero639* and the output block length of the digest function (inclusive).640*/641int approved = (saltlen >= 0 && saltlen <= mdsize);642643if (!approved) {644if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE3,645ctx->libctx,646algoname, "PSS Salt Length",647ossl_fips_config_rsa_pss_saltlen_check)) {648ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH);649return 0;650}651}652653return 1;654}655#endif656657static int rsa_sign_init(void *vprsactx, void *vrsa, const OSSL_PARAM params[])658{659PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;660661#ifdef FIPS_MODULE662if (prsactx != NULL)663prsactx->verify_message = 1;664#endif665666return rsa_signverify_init(prsactx, vrsa, rsa_set_ctx_params, params,667EVP_PKEY_OP_SIGN, "RSA Sign Init");668}669670/*671* Sign tbs without digesting it first. This is suitable for "primitive"672* signing and signing the digest of a message, i.e. should be used with673* implementations of the keytype related algorithms.674*/675static int rsa_sign_directly(PROV_RSA_CTX *prsactx,676unsigned char *sig, size_t *siglen, size_t sigsize,677const unsigned char *tbs, size_t tbslen)678{679int ret;680size_t rsasize = RSA_size(prsactx->rsa);681size_t mdsize = rsa_get_md_size(prsactx);682683if (!ossl_prov_is_running())684return 0;685686if (sig == NULL) {687*siglen = rsasize;688return 1;689}690691if (sigsize < rsasize) {692ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_SIGNATURE_SIZE,693"is %zu, should be at least %zu", sigsize, rsasize);694return 0;695}696697if (mdsize != 0) {698if (tbslen != mdsize) {699ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST_LENGTH);700return 0;701}702703#ifndef FIPS_MODULE704if (EVP_MD_is_a(prsactx->md, OSSL_DIGEST_NAME_MDC2)) {705unsigned int sltmp;706707if (prsactx->pad_mode != RSA_PKCS1_PADDING) {708ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE,709"only PKCS#1 padding supported with MDC2");710return 0;711}712ret = RSA_sign_ASN1_OCTET_STRING(0, tbs, tbslen, sig, &sltmp,713prsactx->rsa);714715if (ret <= 0) {716ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);717return 0;718}719ret = sltmp;720goto end;721}722#endif723switch (prsactx->pad_mode) {724case RSA_X931_PADDING:725if ((size_t)RSA_size(prsactx->rsa) < tbslen + 1) {726ERR_raise_data(ERR_LIB_PROV, PROV_R_KEY_SIZE_TOO_SMALL,727"RSA key size = %d, expected minimum = %d",728RSA_size(prsactx->rsa), tbslen + 1);729return 0;730}731if (!setup_tbuf(prsactx)) {732ERR_raise(ERR_LIB_PROV, ERR_R_PROV_LIB);733return 0;734}735memcpy(prsactx->tbuf, tbs, tbslen);736prsactx->tbuf[tbslen] = RSA_X931_hash_id(prsactx->mdnid);737ret = RSA_private_encrypt(tbslen + 1, prsactx->tbuf,738sig, prsactx->rsa, RSA_X931_PADDING);739clean_tbuf(prsactx);740break;741case RSA_PKCS1_PADDING: {742unsigned int sltmp;743744ret = RSA_sign(prsactx->mdnid, tbs, tbslen, sig, &sltmp,745prsactx->rsa);746if (ret <= 0) {747ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);748return 0;749}750ret = sltmp;751} break;752753case RSA_PKCS1_PSS_PADDING: {754int saltlen;755756/* Check PSS restrictions */757if (rsa_pss_restricted(prsactx)) {758switch (prsactx->saltlen) {759case RSA_PSS_SALTLEN_DIGEST:760if (prsactx->min_saltlen > EVP_MD_get_size(prsactx->md)) {761ERR_raise_data(ERR_LIB_PROV,762PROV_R_PSS_SALTLEN_TOO_SMALL,763"minimum salt length set to %d, "764"but the digest only gives %d",765prsactx->min_saltlen,766EVP_MD_get_size(prsactx->md));767return 0;768}769/* FALLTHRU */770default:771if (prsactx->saltlen >= 0772&& prsactx->saltlen < prsactx->min_saltlen) {773ERR_raise_data(ERR_LIB_PROV,774PROV_R_PSS_SALTLEN_TOO_SMALL,775"minimum salt length set to %d, but the"776"actual salt length is only set to %d",777prsactx->min_saltlen,778prsactx->saltlen);779return 0;780}781break;782}783}784if (!setup_tbuf(prsactx))785return 0;786saltlen = prsactx->saltlen;787if (!ossl_rsa_padding_add_PKCS1_PSS_mgf1(prsactx->rsa,788prsactx->tbuf, tbs,789prsactx->md, prsactx->mgf1_md,790&saltlen)) {791ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);792return 0;793}794#ifdef FIPS_MODULE795if (!rsa_pss_saltlen_check_passed(prsactx, "RSA Sign", saltlen))796return 0;797#endif798ret = RSA_private_encrypt(RSA_size(prsactx->rsa), prsactx->tbuf,799sig, prsactx->rsa, RSA_NO_PADDING);800clean_tbuf(prsactx);801} break;802803default:804ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE,805"Only X.931, PKCS#1 v1.5 or PSS padding allowed");806return 0;807}808} else {809ret = RSA_private_encrypt(tbslen, tbs, sig, prsactx->rsa,810prsactx->pad_mode);811}812813#ifndef FIPS_MODULE814end:815#endif816if (ret <= 0) {817ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);818return 0;819}820821*siglen = ret;822return 1;823}824825static int rsa_signverify_message_update(void *vprsactx,826const unsigned char *data,827size_t datalen)828{829PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;830831if (prsactx == NULL || prsactx->mdctx == NULL)832return 0;833834if (!prsactx->flag_allow_update) {835ERR_raise(ERR_LIB_PROV, PROV_R_UPDATE_CALL_OUT_OF_ORDER);836return 0;837}838prsactx->flag_allow_oneshot = 0;839840return EVP_DigestUpdate(prsactx->mdctx, data, datalen);841}842843static int rsa_sign_message_final(void *vprsactx, unsigned char *sig,844size_t *siglen, size_t sigsize)845{846PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;847unsigned char digest[EVP_MAX_MD_SIZE];848unsigned int dlen = 0;849850if (!ossl_prov_is_running() || prsactx == NULL)851return 0;852if (prsactx->mdctx == NULL)853return 0;854if (!prsactx->flag_allow_final) {855ERR_raise(ERR_LIB_PROV, PROV_R_FINAL_CALL_OUT_OF_ORDER);856return 0;857}858859/*860* If sig is NULL then we're just finding out the sig size. Other fields861* are ignored. Defer to rsa_sign.862*/863if (sig != NULL) {864/*865* The digests used here are all known (see rsa_get_md_nid()), so they866* should not exceed the internal buffer size of EVP_MAX_MD_SIZE.867*/868if (!EVP_DigestFinal_ex(prsactx->mdctx, digest, &dlen))869return 0;870871prsactx->flag_allow_update = 0;872prsactx->flag_allow_oneshot = 0;873prsactx->flag_allow_final = 0;874}875876return rsa_sign_directly(prsactx, sig, siglen, sigsize, digest, dlen);877}878879/*880* If signing a message, digest tbs and sign the result.881* Otherwise, sign tbs directly.882*/883static int rsa_sign(void *vprsactx, unsigned char *sig, size_t *siglen,884size_t sigsize, const unsigned char *tbs, size_t tbslen)885{886PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;887888if (!ossl_prov_is_running() || prsactx == NULL)889return 0;890if (!prsactx->flag_allow_oneshot) {891ERR_raise(ERR_LIB_PROV, PROV_R_ONESHOT_CALL_OUT_OF_ORDER);892return 0;893}894895if (prsactx->operation == EVP_PKEY_OP_SIGNMSG) {896/*897* If |sig| is NULL, the caller is only looking for the sig length.898* DO NOT update the input in this case.899*/900if (sig == NULL)901return rsa_sign_message_final(prsactx, sig, siglen, sigsize);902903return rsa_signverify_message_update(prsactx, tbs, tbslen)904&& rsa_sign_message_final(prsactx, sig, siglen, sigsize);905}906return rsa_sign_directly(prsactx, sig, siglen, sigsize, tbs, tbslen);907}908909static int rsa_verify_recover_init(void *vprsactx, void *vrsa,910const OSSL_PARAM params[])911{912PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;913914#ifdef FIPS_MODULE915if (prsactx != NULL)916prsactx->verify_message = 0;917#endif918919return rsa_signverify_init(prsactx, vrsa, rsa_set_ctx_params, params,920EVP_PKEY_OP_VERIFYRECOVER, "RSA VerifyRecover Init");921}922923/*924* There is no message variant of verify recover, so no need for925* 'rsa_verify_recover_directly', just use this function, er, directly.926*/927static int rsa_verify_recover(void *vprsactx,928unsigned char *rout, size_t *routlen,929size_t routsize,930const unsigned char *sig, size_t siglen)931{932PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;933int ret;934935if (!ossl_prov_is_running())936return 0;937938if (rout == NULL) {939*routlen = RSA_size(prsactx->rsa);940return 1;941}942943if (prsactx->md != NULL) {944switch (prsactx->pad_mode) {945case RSA_X931_PADDING:946if (!setup_tbuf(prsactx))947return 0;948ret = RSA_public_decrypt(siglen, sig, prsactx->tbuf, prsactx->rsa,949RSA_X931_PADDING);950if (ret <= 0) {951ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);952return 0;953}954ret--;955if (prsactx->tbuf[ret] != RSA_X931_hash_id(prsactx->mdnid)) {956ERR_raise(ERR_LIB_PROV, PROV_R_ALGORITHM_MISMATCH);957return 0;958}959if (ret != EVP_MD_get_size(prsactx->md)) {960ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST_LENGTH,961"Should be %d, but got %d",962EVP_MD_get_size(prsactx->md), ret);963return 0;964}965966*routlen = ret;967if (rout != prsactx->tbuf) {968if (routsize < (size_t)ret) {969ERR_raise_data(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL,970"buffer size is %d, should be %d",971routsize, ret);972return 0;973}974memcpy(rout, prsactx->tbuf, ret);975}976break;977978case RSA_PKCS1_PADDING: {979size_t sltmp;980981ret = ossl_rsa_verify(prsactx->mdnid, NULL, 0, rout, &sltmp,982sig, siglen, prsactx->rsa);983if (ret <= 0) {984ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);985return 0;986}987ret = sltmp;988} break;989990default:991ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE,992"Only X.931 or PKCS#1 v1.5 padding allowed");993return 0;994}995} else {996ret = RSA_public_decrypt(siglen, sig, rout, prsactx->rsa,997prsactx->pad_mode);998if (ret <= 0) {999ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);1000return 0;1001}1002}1003*routlen = ret;1004return 1;1005}10061007static int rsa_verify_init(void *vprsactx, void *vrsa,1008const OSSL_PARAM params[])1009{1010PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;10111012#ifdef FIPS_MODULE1013if (prsactx != NULL)1014prsactx->verify_message = 0;1015#endif10161017return rsa_signverify_init(prsactx, vrsa, rsa_set_ctx_params, params,1018EVP_PKEY_OP_VERIFY, "RSA Verify Init");1019}10201021static int rsa_verify_directly(PROV_RSA_CTX *prsactx,1022const unsigned char *sig, size_t siglen,1023const unsigned char *tbs, size_t tbslen)1024{1025size_t rslen;10261027if (!ossl_prov_is_running())1028return 0;1029if (prsactx->md != NULL) {1030switch (prsactx->pad_mode) {1031case RSA_PKCS1_PADDING:1032if (!RSA_verify(prsactx->mdnid, tbs, tbslen, sig, siglen,1033prsactx->rsa)) {1034ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);1035return 0;1036}1037return 1;1038case RSA_X931_PADDING:1039if (!setup_tbuf(prsactx))1040return 0;1041if (rsa_verify_recover(prsactx, prsactx->tbuf, &rslen, 0,1042sig, siglen)1043<= 0)1044return 0;1045break;1046case RSA_PKCS1_PSS_PADDING: {1047int ret;1048int saltlen;1049size_t mdsize;10501051/*1052* We need to check this for the RSA_verify_PKCS1_PSS_mgf1()1053* call1054*/1055mdsize = rsa_get_md_size(prsactx);1056if (tbslen != mdsize) {1057ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST_LENGTH,1058"Should be %d, but got %d",1059mdsize, tbslen);1060return 0;1061}10621063if (!setup_tbuf(prsactx))1064return 0;1065ret = RSA_public_decrypt(siglen, sig, prsactx->tbuf,1066prsactx->rsa, RSA_NO_PADDING);1067if (ret <= 0) {1068ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);1069return 0;1070}1071saltlen = prsactx->saltlen;1072ret = ossl_rsa_verify_PKCS1_PSS_mgf1(prsactx->rsa, tbs,1073prsactx->md, prsactx->mgf1_md,1074prsactx->tbuf,1075&saltlen);1076if (ret <= 0) {1077ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);1078return 0;1079}1080#ifdef FIPS_MODULE1081if (!rsa_pss_saltlen_check_passed(prsactx, "RSA Verify", saltlen))1082return 0;1083#endif1084return 1;1085}1086default:1087ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE,1088"Only X.931, PKCS#1 v1.5 or PSS padding allowed");1089return 0;1090}1091} else {1092int ret;10931094if (!setup_tbuf(prsactx))1095return 0;1096ret = RSA_public_decrypt(siglen, sig, prsactx->tbuf, prsactx->rsa,1097prsactx->pad_mode);1098if (ret <= 0) {1099ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);1100return 0;1101}1102rslen = (size_t)ret;1103}11041105if ((rslen != tbslen) || memcmp(tbs, prsactx->tbuf, rslen))1106return 0;11071108return 1;1109}11101111static int rsa_verify_set_sig(void *vprsactx,1112const unsigned char *sig, size_t siglen)1113{1114PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;1115OSSL_PARAM params[2];11161117params[0] = OSSL_PARAM_construct_octet_string(OSSL_SIGNATURE_PARAM_SIGNATURE,1118(unsigned char *)sig, siglen);1119params[1] = OSSL_PARAM_construct_end();1120return rsa_sigalg_set_ctx_params(prsactx, params);1121}11221123static int rsa_verify_message_final(void *vprsactx)1124{1125PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;1126unsigned char digest[EVP_MAX_MD_SIZE];1127unsigned int dlen = 0;11281129if (!ossl_prov_is_running() || prsactx == NULL)1130return 0;1131if (prsactx->mdctx == NULL)1132return 0;1133if (!prsactx->flag_allow_final) {1134ERR_raise(ERR_LIB_PROV, PROV_R_FINAL_CALL_OUT_OF_ORDER);1135return 0;1136}11371138/*1139* The digests used here are all known (see rsa_get_md_nid()), so they1140* should not exceed the internal buffer size of EVP_MAX_MD_SIZE.1141*/1142if (!EVP_DigestFinal_ex(prsactx->mdctx, digest, &dlen))1143return 0;11441145prsactx->flag_allow_update = 0;1146prsactx->flag_allow_final = 0;1147prsactx->flag_allow_oneshot = 0;11481149return rsa_verify_directly(prsactx, prsactx->sig, prsactx->siglen,1150digest, dlen);1151}11521153/*1154* If verifying a message, digest tbs and verify the result.1155* Otherwise, verify tbs directly.1156*/1157static int rsa_verify(void *vprsactx,1158const unsigned char *sig, size_t siglen,1159const unsigned char *tbs, size_t tbslen)1160{1161PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;11621163if (!ossl_prov_is_running() || prsactx == NULL)1164return 0;1165if (!prsactx->flag_allow_oneshot) {1166ERR_raise(ERR_LIB_PROV, PROV_R_ONESHOT_CALL_OUT_OF_ORDER);1167return 0;1168}11691170if (prsactx->operation == EVP_PKEY_OP_VERIFYMSG)1171return rsa_verify_set_sig(prsactx, sig, siglen)1172&& rsa_signverify_message_update(prsactx, tbs, tbslen)1173&& rsa_verify_message_final(prsactx);1174return rsa_verify_directly(prsactx, sig, siglen, tbs, tbslen);1175}11761177/* DigestSign/DigestVerify wrappers */11781179static int rsa_digest_signverify_init(void *vprsactx, const char *mdname,1180void *vrsa, const OSSL_PARAM params[],1181int operation, const char *desc)1182{1183PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;11841185#ifdef FIPS_MODULE1186if (prsactx != NULL)1187prsactx->verify_message = 1;1188#endif11891190if (!rsa_signverify_init(prsactx, vrsa, rsa_set_ctx_params, params,1191operation, desc))1192return 0;11931194if (mdname != NULL1195/* was rsa_setup_md already called in rsa_signverify_init()? */1196&& (mdname[0] == '\0' || OPENSSL_strcasecmp(prsactx->mdname, mdname) != 0)1197&& !rsa_setup_md(prsactx, mdname, prsactx->propq, desc))1198return 0;11991200prsactx->flag_allow_md = 0;12011202if (prsactx->mdctx == NULL) {1203prsactx->mdctx = EVP_MD_CTX_new();1204if (prsactx->mdctx == NULL)1205goto error;1206}12071208if (!EVP_DigestInit_ex2(prsactx->mdctx, prsactx->md, params))1209goto error;12101211return 1;12121213error:1214EVP_MD_CTX_free(prsactx->mdctx);1215prsactx->mdctx = NULL;1216return 0;1217}12181219static int rsa_digest_sign_init(void *vprsactx, const char *mdname,1220void *vrsa, const OSSL_PARAM params[])1221{1222if (!ossl_prov_is_running())1223return 0;1224return rsa_digest_signverify_init(vprsactx, mdname, vrsa,1225params, EVP_PKEY_OP_SIGNMSG,1226"RSA Digest Sign Init");1227}12281229static int rsa_digest_sign_update(void *vprsactx, const unsigned char *data,1230size_t datalen)1231{1232PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;12331234if (prsactx == NULL)1235return 0;1236/* Sigalg implementations shouldn't do digest_sign */1237if (prsactx->flag_sigalg)1238return 0;12391240return rsa_signverify_message_update(prsactx, data, datalen);1241}12421243static int rsa_digest_sign_final(void *vprsactx, unsigned char *sig,1244size_t *siglen, size_t sigsize)1245{1246PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;1247int ok = 0;12481249if (prsactx == NULL)1250return 0;1251/* Sigalg implementations shouldn't do digest_sign */1252if (prsactx->flag_sigalg)1253return 0;12541255if (rsa_sign_message_final(prsactx, sig, siglen, sigsize))1256ok = 1;12571258prsactx->flag_allow_md = 1;12591260return ok;1261}12621263static int rsa_digest_verify_init(void *vprsactx, const char *mdname,1264void *vrsa, const OSSL_PARAM params[])1265{1266if (!ossl_prov_is_running())1267return 0;1268return rsa_digest_signverify_init(vprsactx, mdname, vrsa,1269params, EVP_PKEY_OP_VERIFYMSG,1270"RSA Digest Verify Init");1271}12721273static int rsa_digest_verify_update(void *vprsactx, const unsigned char *data,1274size_t datalen)1275{1276PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;12771278if (prsactx == NULL)1279return 0;1280/* Sigalg implementations shouldn't do digest_sign */1281if (prsactx->flag_sigalg)1282return 0;12831284return rsa_signverify_message_update(prsactx, data, datalen);1285}12861287int rsa_digest_verify_final(void *vprsactx, const unsigned char *sig,1288size_t siglen)1289{1290PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;1291int ok = 0;12921293if (prsactx == NULL)1294return 0;1295/* Sigalg implementations shouldn't do digest_verify */1296if (prsactx->flag_sigalg)1297return 0;12981299if (rsa_verify_set_sig(prsactx, sig, siglen)1300&& rsa_verify_message_final(vprsactx))1301ok = 1;13021303prsactx->flag_allow_md = 1;13041305return ok;1306}13071308static void rsa_freectx(void *vprsactx)1309{1310PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;13111312if (prsactx == NULL)1313return;13141315EVP_MD_CTX_free(prsactx->mdctx);1316EVP_MD_free(prsactx->md);1317EVP_MD_free(prsactx->mgf1_md);1318OPENSSL_free(prsactx->sig);1319OPENSSL_free(prsactx->propq);1320free_tbuf(prsactx);1321RSA_free(prsactx->rsa);13221323OPENSSL_clear_free(prsactx, sizeof(*prsactx));1324}13251326static void *rsa_dupctx(void *vprsactx)1327{1328PROV_RSA_CTX *srcctx = (PROV_RSA_CTX *)vprsactx;1329PROV_RSA_CTX *dstctx;13301331if (!ossl_prov_is_running())1332return NULL;13331334dstctx = OPENSSL_zalloc(sizeof(*srcctx));1335if (dstctx == NULL)1336return NULL;13371338*dstctx = *srcctx;1339dstctx->rsa = NULL;1340dstctx->md = NULL;1341dstctx->mgf1_md = NULL;1342dstctx->mdctx = NULL;1343dstctx->tbuf = NULL;1344dstctx->propq = NULL;1345dstctx->sig = NULL;13461347if (srcctx->rsa != NULL && !RSA_up_ref(srcctx->rsa))1348goto err;1349dstctx->rsa = srcctx->rsa;13501351if (srcctx->md != NULL && !EVP_MD_up_ref(srcctx->md))1352goto err;1353dstctx->md = srcctx->md;13541355if (srcctx->mgf1_md != NULL && !EVP_MD_up_ref(srcctx->mgf1_md))1356goto err;1357dstctx->mgf1_md = srcctx->mgf1_md;13581359if (srcctx->mdctx != NULL) {1360dstctx->mdctx = EVP_MD_CTX_new();1361if (dstctx->mdctx == NULL1362|| !EVP_MD_CTX_copy_ex(dstctx->mdctx, srcctx->mdctx))1363goto err;1364}13651366if (srcctx->propq != NULL) {1367dstctx->propq = OPENSSL_strdup(srcctx->propq);1368if (dstctx->propq == NULL)1369goto err;1370}13711372if (srcctx->sig != NULL) {1373dstctx->sig = OPENSSL_memdup(srcctx->sig, srcctx->siglen);1374if (dstctx->sig == NULL)1375goto err;1376}13771378return dstctx;1379err:1380rsa_freectx(dstctx);1381return NULL;1382}13831384static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params)1385{1386PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;1387OSSL_PARAM *p;13881389if (prsactx == NULL)1390return 0;13911392p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_ALGORITHM_ID);1393if (p != NULL) {1394/* The Algorithm Identifier of the combined signature algorithm */1395unsigned char aid_buf[128];1396unsigned char *aid;1397size_t aid_len;13981399aid = rsa_generate_signature_aid(prsactx, aid_buf,1400sizeof(aid_buf), &aid_len);1401if (aid == NULL || !OSSL_PARAM_set_octet_string(p, aid, aid_len))1402return 0;1403}14041405p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_PAD_MODE);1406if (p != NULL)1407switch (p->data_type) {1408case OSSL_PARAM_INTEGER:1409if (!OSSL_PARAM_set_int(p, prsactx->pad_mode))1410return 0;1411break;1412case OSSL_PARAM_UTF8_STRING: {1413int i;1414const char *word = NULL;14151416for (i = 0; padding_item[i].id != 0; i++) {1417if (prsactx->pad_mode == (int)padding_item[i].id) {1418word = padding_item[i].ptr;1419break;1420}1421}14221423if (word != NULL) {1424if (!OSSL_PARAM_set_utf8_string(p, word))1425return 0;1426} else {1427ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);1428}1429} break;1430default:1431return 0;1432}14331434p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_DIGEST);1435if (p != NULL && !OSSL_PARAM_set_utf8_string(p, prsactx->mdname))1436return 0;14371438p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_MGF1_DIGEST);1439if (p != NULL && !OSSL_PARAM_set_utf8_string(p, prsactx->mgf1_mdname))1440return 0;14411442p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_PSS_SALTLEN);1443if (p != NULL) {1444if (p->data_type == OSSL_PARAM_INTEGER) {1445if (!OSSL_PARAM_set_int(p, prsactx->saltlen))1446return 0;1447} else if (p->data_type == OSSL_PARAM_UTF8_STRING) {1448const char *value = NULL;14491450switch (prsactx->saltlen) {1451case RSA_PSS_SALTLEN_DIGEST:1452value = OSSL_PKEY_RSA_PSS_SALT_LEN_DIGEST;1453break;1454case RSA_PSS_SALTLEN_MAX:1455value = OSSL_PKEY_RSA_PSS_SALT_LEN_MAX;1456break;1457case RSA_PSS_SALTLEN_AUTO:1458value = OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO;1459break;1460case RSA_PSS_SALTLEN_AUTO_DIGEST_MAX:1461value = OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX;1462break;1463default: {1464int len = BIO_snprintf(p->data, p->data_size, "%d",1465prsactx->saltlen);14661467if (len <= 0)1468return 0;1469p->return_size = len;1470break;1471}1472}1473if (value != NULL1474&& !OSSL_PARAM_set_utf8_string(p, value))1475return 0;1476}1477}14781479#ifdef FIPS_MODULE1480p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_FIPS_VERIFY_MESSAGE);1481if (p != NULL && !OSSL_PARAM_set_uint(p, prsactx->verify_message))1482return 0;1483#endif14841485if (!OSSL_FIPS_IND_GET_CTX_PARAM(prsactx, params))1486return 0;1487return 1;1488}14891490static const OSSL_PARAM known_gettable_ctx_params[] = {1491OSSL_PARAM_octet_string(OSSL_SIGNATURE_PARAM_ALGORITHM_ID, NULL, 0),1492OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PAD_MODE, NULL, 0),1493OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, NULL, 0),1494OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_DIGEST, NULL, 0),1495OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL, 0),1496#ifdef FIPS_MODULE1497OSSL_PARAM_uint(OSSL_SIGNATURE_PARAM_FIPS_VERIFY_MESSAGE, NULL),1498#endif1499OSSL_FIPS_IND_GETTABLE_CTX_PARAM()1500OSSL_PARAM_END1501};15021503static const OSSL_PARAM *rsa_gettable_ctx_params(ossl_unused void *vprsactx,1504ossl_unused void *provctx)1505{1506return known_gettable_ctx_params;1507}15081509#ifdef FIPS_MODULE1510static int rsa_x931_padding_allowed(PROV_RSA_CTX *ctx)1511{1512if ((ctx->operation1513& (EVP_PKEY_OP_SIGNMSG | EVP_PKEY_OP_SIGN))1514!= 0) {1515if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE2,1516ctx->libctx,1517"RSA Sign set ctx", "X931 Padding",1518ossl_fips_config_rsa_sign_x931_disallowed)) {1519ERR_raise(ERR_LIB_PROV,1520PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);1521return 0;1522}1523}1524return 1;1525}1526#endif15271528static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])1529{1530PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;1531const OSSL_PARAM *p;1532int pad_mode;1533int saltlen;1534char mdname[OSSL_MAX_NAME_SIZE] = "", *pmdname = NULL;1535char mdprops[OSSL_MAX_PROPQUERY_SIZE] = "", *pmdprops = NULL;1536char mgf1mdname[OSSL_MAX_NAME_SIZE] = "", *pmgf1mdname = NULL;1537char mgf1mdprops[OSSL_MAX_PROPQUERY_SIZE] = "", *pmgf1mdprops = NULL;15381539if (prsactx == NULL)1540return 0;1541if (ossl_param_is_empty(params))1542return 1;15431544if (!OSSL_FIPS_IND_SET_CTX_PARAM(prsactx, OSSL_FIPS_IND_SETTABLE0, params,1545OSSL_SIGNATURE_PARAM_FIPS_KEY_CHECK))1546return 0;15471548if (!OSSL_FIPS_IND_SET_CTX_PARAM(prsactx, OSSL_FIPS_IND_SETTABLE1, params,1549OSSL_SIGNATURE_PARAM_FIPS_DIGEST_CHECK))1550return 0;15511552if (!OSSL_FIPS_IND_SET_CTX_PARAM(prsactx, OSSL_FIPS_IND_SETTABLE2, params,1553OSSL_SIGNATURE_PARAM_FIPS_SIGN_X931_PAD_CHECK))1554return 0;15551556if (!OSSL_FIPS_IND_SET_CTX_PARAM(prsactx, OSSL_FIPS_IND_SETTABLE3, params,1557OSSL_SIGNATURE_PARAM_FIPS_RSA_PSS_SALTLEN_CHECK))1558return 0;15591560pad_mode = prsactx->pad_mode;1561saltlen = prsactx->saltlen;15621563p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_DIGEST);1564if (p != NULL) {1565const OSSL_PARAM *propsp = OSSL_PARAM_locate_const(params,1566OSSL_SIGNATURE_PARAM_PROPERTIES);15671568pmdname = mdname;1569if (!OSSL_PARAM_get_utf8_string(p, &pmdname, sizeof(mdname)))1570return 0;15711572if (propsp != NULL) {1573pmdprops = mdprops;1574if (!OSSL_PARAM_get_utf8_string(propsp,1575&pmdprops, sizeof(mdprops)))1576return 0;1577}1578}15791580p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_PAD_MODE);1581if (p != NULL) {1582const char *err_extra_text = NULL;15831584switch (p->data_type) {1585case OSSL_PARAM_INTEGER: /* Support for legacy pad mode number */1586if (!OSSL_PARAM_get_int(p, &pad_mode))1587return 0;1588break;1589case OSSL_PARAM_UTF8_STRING: {1590int i;15911592if (p->data == NULL)1593return 0;15941595for (i = 0; padding_item[i].id != 0; i++) {1596if (strcmp(p->data, padding_item[i].ptr) == 0) {1597pad_mode = padding_item[i].id;1598break;1599}1600}1601} break;1602default:1603return 0;1604}16051606switch (pad_mode) {1607case RSA_PKCS1_OAEP_PADDING:1608/*1609* OAEP padding is for asymmetric cipher only so is not compatible1610* with signature use.1611*/1612err_extra_text = "OAEP padding not allowed for signing / verifying";1613goto bad_pad;1614case RSA_PKCS1_PSS_PADDING:1615if ((prsactx->operation1616& (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_SIGNMSG1617| EVP_PKEY_OP_VERIFY | EVP_PKEY_OP_VERIFYMSG))1618== 0) {1619err_extra_text = "PSS padding only allowed for sign and verify operations";1620goto bad_pad;1621}1622break;1623case RSA_PKCS1_PADDING:1624err_extra_text = "PKCS#1 padding not allowed with RSA-PSS";1625goto cont;1626case RSA_NO_PADDING:1627err_extra_text = "No padding not allowed with RSA-PSS";1628goto cont;1629case RSA_X931_PADDING:1630#ifdef FIPS_MODULE1631/* X9.31 only allows sizes of 1024 + 256 * s (bits) */1632if ((RSA_bits(prsactx->rsa) & 0xFF) != 0) {1633ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);1634return 0;1635}1636/* RSA Signing with X9.31 padding is not allowed in FIPS 140-3 */1637if (!rsa_x931_padding_allowed(prsactx))1638return 0;1639#endif1640err_extra_text = "X.931 padding not allowed with RSA-PSS";1641cont:1642if (RSA_test_flags(prsactx->rsa,1643RSA_FLAG_TYPE_MASK)1644== RSA_FLAG_TYPE_RSA)1645break;1646/* FALLTHRU */1647default:1648bad_pad:1649if (err_extra_text == NULL)1650ERR_raise(ERR_LIB_PROV,1651PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);1652else1653ERR_raise_data(ERR_LIB_PROV,1654PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE,1655err_extra_text);1656return 0;1657}1658}16591660p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_PSS_SALTLEN);1661if (p != NULL) {1662if (pad_mode != RSA_PKCS1_PSS_PADDING) {1663ERR_raise_data(ERR_LIB_PROV, PROV_R_NOT_SUPPORTED,1664"PSS saltlen can only be specified if "1665"PSS padding has been specified first");1666return 0;1667}16681669switch (p->data_type) {1670case OSSL_PARAM_INTEGER: /* Support for legacy pad mode number */1671if (!OSSL_PARAM_get_int(p, &saltlen))1672return 0;1673break;1674case OSSL_PARAM_UTF8_STRING:1675if (strcmp(p->data, OSSL_PKEY_RSA_PSS_SALT_LEN_DIGEST) == 0)1676saltlen = RSA_PSS_SALTLEN_DIGEST;1677else if (strcmp(p->data, OSSL_PKEY_RSA_PSS_SALT_LEN_MAX) == 0)1678saltlen = RSA_PSS_SALTLEN_MAX;1679else if (strcmp(p->data, OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO) == 0)1680saltlen = RSA_PSS_SALTLEN_AUTO;1681else if (strcmp(p->data, OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX) == 0)1682saltlen = RSA_PSS_SALTLEN_AUTO_DIGEST_MAX;1683else1684saltlen = atoi(p->data);1685break;1686default:1687return 0;1688}16891690/*1691* RSA_PSS_SALTLEN_AUTO_DIGEST_MAX seems curiously named in this check.1692* Contrary to what it's name suggests, it's the currently lowest1693* saltlen number possible.1694*/1695if (saltlen < RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) {1696ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH);1697return 0;1698}16991700if (rsa_pss_restricted(prsactx)) {1701switch (saltlen) {1702case RSA_PSS_SALTLEN_AUTO:1703case RSA_PSS_SALTLEN_AUTO_DIGEST_MAX:1704if ((prsactx->operation1705& (EVP_PKEY_OP_VERIFY | EVP_PKEY_OP_VERIFYMSG))1706== 0) {1707ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH,1708"Cannot use autodetected salt length");1709return 0;1710}1711break;1712case RSA_PSS_SALTLEN_DIGEST:1713if (prsactx->min_saltlen > EVP_MD_get_size(prsactx->md)) {1714ERR_raise_data(ERR_LIB_PROV,1715PROV_R_PSS_SALTLEN_TOO_SMALL,1716"Should be more than %d, but would be "1717"set to match digest size (%d)",1718prsactx->min_saltlen,1719EVP_MD_get_size(prsactx->md));1720return 0;1721}1722break;1723default:1724if (saltlen >= 0 && saltlen < prsactx->min_saltlen) {1725ERR_raise_data(ERR_LIB_PROV,1726PROV_R_PSS_SALTLEN_TOO_SMALL,1727"Should be more than %d, "1728"but would be set to %d",1729prsactx->min_saltlen, saltlen);1730return 0;1731}1732}1733}1734}17351736p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_MGF1_DIGEST);1737if (p != NULL) {1738const OSSL_PARAM *propsp = OSSL_PARAM_locate_const(params,1739OSSL_SIGNATURE_PARAM_MGF1_PROPERTIES);17401741pmgf1mdname = mgf1mdname;1742if (!OSSL_PARAM_get_utf8_string(p, &pmgf1mdname, sizeof(mgf1mdname)))1743return 0;17441745if (propsp != NULL) {1746pmgf1mdprops = mgf1mdprops;1747if (!OSSL_PARAM_get_utf8_string(propsp,1748&pmgf1mdprops, sizeof(mgf1mdprops)))1749return 0;1750}17511752if (pad_mode != RSA_PKCS1_PSS_PADDING) {1753ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_MGF1_MD);1754return 0;1755}1756}17571758prsactx->saltlen = saltlen;1759prsactx->pad_mode = pad_mode;17601761if (prsactx->md == NULL && pmdname == NULL1762&& pad_mode == RSA_PKCS1_PSS_PADDING)1763pmdname = RSA_DEFAULT_DIGEST_NAME;17641765if (pmgf1mdname != NULL1766&& !rsa_setup_mgf1_md(prsactx, pmgf1mdname, pmgf1mdprops))1767return 0;17681769if (pmdname != NULL) {1770if (!rsa_setup_md(prsactx, pmdname, pmdprops, "RSA Sign Set Ctx"))1771return 0;1772} else {1773if (!rsa_check_padding(prsactx, NULL, NULL, prsactx->mdnid))1774return 0;1775}1776return 1;1777}17781779static const OSSL_PARAM settable_ctx_params[] = {1780OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, NULL, 0),1781OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PROPERTIES, NULL, 0),1782OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PAD_MODE, NULL, 0),1783OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_DIGEST, NULL, 0),1784OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_PROPERTIES, NULL, 0),1785OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL, 0),1786OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_SIGNATURE_PARAM_FIPS_KEY_CHECK)1787OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_SIGNATURE_PARAM_FIPS_DIGEST_CHECK)1788OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_SIGNATURE_PARAM_FIPS_RSA_PSS_SALTLEN_CHECK)1789OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_SIGNATURE_PARAM_FIPS_SIGN_X931_PAD_CHECK)1790OSSL_PARAM_END1791};17921793static const OSSL_PARAM settable_ctx_params_no_digest[] = {1794OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PAD_MODE, NULL, 0),1795OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_DIGEST, NULL, 0),1796OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_PROPERTIES, NULL, 0),1797OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL, 0),1798OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_SIGNATURE_PARAM_FIPS_KEY_CHECK)1799OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_SIGNATURE_PARAM_FIPS_DIGEST_CHECK)1800OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_SIGNATURE_PARAM_FIPS_RSA_PSS_SALTLEN_CHECK)1801OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_SIGNATURE_PARAM_FIPS_SIGN_X931_PAD_CHECK)1802OSSL_PARAM_END1803};18041805static const OSSL_PARAM *rsa_settable_ctx_params(void *vprsactx,1806ossl_unused void *provctx)1807{1808PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;18091810if (prsactx != NULL && !prsactx->flag_allow_md)1811return settable_ctx_params_no_digest;1812return settable_ctx_params;1813}18141815static int rsa_get_ctx_md_params(void *vprsactx, OSSL_PARAM *params)1816{1817PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;18181819if (prsactx->mdctx == NULL)1820return 0;18211822return EVP_MD_CTX_get_params(prsactx->mdctx, params);1823}18241825static const OSSL_PARAM *rsa_gettable_ctx_md_params(void *vprsactx)1826{1827PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;18281829if (prsactx->md == NULL)1830return 0;18311832return EVP_MD_gettable_ctx_params(prsactx->md);1833}18341835static int rsa_set_ctx_md_params(void *vprsactx, const OSSL_PARAM params[])1836{1837PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;18381839if (prsactx->mdctx == NULL)1840return 0;18411842return EVP_MD_CTX_set_params(prsactx->mdctx, params);1843}18441845static const OSSL_PARAM *rsa_settable_ctx_md_params(void *vprsactx)1846{1847PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;18481849if (prsactx->md == NULL)1850return 0;18511852return EVP_MD_settable_ctx_params(prsactx->md);1853}18541855const OSSL_DISPATCH ossl_rsa_signature_functions[] = {1856{ OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))rsa_newctx },1857{ OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))rsa_sign_init },1858{ OSSL_FUNC_SIGNATURE_SIGN, (void (*)(void))rsa_sign },1859{ OSSL_FUNC_SIGNATURE_VERIFY_INIT, (void (*)(void))rsa_verify_init },1860{ OSSL_FUNC_SIGNATURE_VERIFY, (void (*)(void))rsa_verify },1861{ OSSL_FUNC_SIGNATURE_VERIFY_RECOVER_INIT,1862(void (*)(void))rsa_verify_recover_init },1863{ OSSL_FUNC_SIGNATURE_VERIFY_RECOVER,1864(void (*)(void))rsa_verify_recover },1865{ OSSL_FUNC_SIGNATURE_DIGEST_SIGN_INIT,1866(void (*)(void))rsa_digest_sign_init },1867{ OSSL_FUNC_SIGNATURE_DIGEST_SIGN_UPDATE,1868(void (*)(void))rsa_digest_sign_update },1869{ OSSL_FUNC_SIGNATURE_DIGEST_SIGN_FINAL,1870(void (*)(void))rsa_digest_sign_final },1871{ OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_INIT,1872(void (*)(void))rsa_digest_verify_init },1873{ OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_UPDATE,1874(void (*)(void))rsa_digest_verify_update },1875{ OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_FINAL,1876(void (*)(void))rsa_digest_verify_final },1877{ OSSL_FUNC_SIGNATURE_FREECTX, (void (*)(void))rsa_freectx },1878{ OSSL_FUNC_SIGNATURE_DUPCTX, (void (*)(void))rsa_dupctx },1879{ OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, (void (*)(void))rsa_get_ctx_params },1880{ OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS,1881(void (*)(void))rsa_gettable_ctx_params },1882{ OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS, (void (*)(void))rsa_set_ctx_params },1883{ OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS,1884(void (*)(void))rsa_settable_ctx_params },1885{ OSSL_FUNC_SIGNATURE_GET_CTX_MD_PARAMS,1886(void (*)(void))rsa_get_ctx_md_params },1887{ OSSL_FUNC_SIGNATURE_GETTABLE_CTX_MD_PARAMS,1888(void (*)(void))rsa_gettable_ctx_md_params },1889{ OSSL_FUNC_SIGNATURE_SET_CTX_MD_PARAMS,1890(void (*)(void))rsa_set_ctx_md_params },1891{ OSSL_FUNC_SIGNATURE_SETTABLE_CTX_MD_PARAMS,1892(void (*)(void))rsa_settable_ctx_md_params },1893OSSL_DISPATCH_END1894};18951896/* ------------------------------------------------------------------ */18971898/*1899* So called sigalgs (composite RSA+hash) implemented below. They1900* are pretty much hard coded, and rely on the hash implementation1901* being available as per what OPENSSL_NO_ macros allow.1902*/19031904static OSSL_FUNC_signature_query_key_types_fn rsa_sigalg_query_key_types;1905static OSSL_FUNC_signature_settable_ctx_params_fn rsa_sigalg_settable_ctx_params;1906static OSSL_FUNC_signature_set_ctx_params_fn rsa_sigalg_set_ctx_params;19071908/*1909* rsa_sigalg_signverify_init() is almost like rsa_digest_signverify_init(),1910* just doesn't allow fetching an MD from whatever the user chooses.1911*/1912static int rsa_sigalg_signverify_init(void *vprsactx, void *vrsa,1913OSSL_FUNC_signature_set_ctx_params_fn *set_ctx_params,1914const OSSL_PARAM params[],1915const char *mdname,1916int operation, int pad_mode,1917const char *desc)1918{1919PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;19201921if (!ossl_prov_is_running())1922return 0;19231924if (!rsa_signverify_init(prsactx, vrsa, set_ctx_params, params, operation,1925desc))1926return 0;19271928/* PSS is currently not supported as a sigalg */1929if (prsactx->pad_mode == RSA_PKCS1_PSS_PADDING) {1930ERR_raise(ERR_LIB_RSA, PROV_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);1931return 0;1932}19331934if (!rsa_setup_md(prsactx, mdname, NULL, desc))1935return 0;19361937prsactx->pad_mode = pad_mode;1938prsactx->flag_sigalg = 1;1939prsactx->flag_allow_md = 0;19401941if (prsactx->mdctx == NULL) {1942prsactx->mdctx = EVP_MD_CTX_new();1943if (prsactx->mdctx == NULL)1944goto error;1945}19461947if (!EVP_DigestInit_ex2(prsactx->mdctx, prsactx->md, params))1948goto error;19491950return 1;19511952error:1953EVP_MD_CTX_free(prsactx->mdctx);1954prsactx->mdctx = NULL;1955return 0;1956}19571958static const char **rsa_sigalg_query_key_types(void)1959{1960static const char *keytypes[] = { "RSA", NULL };19611962return keytypes;1963}19641965static const OSSL_PARAM settable_sigalg_ctx_params[] = {1966OSSL_PARAM_octet_string(OSSL_SIGNATURE_PARAM_SIGNATURE, NULL, 0),1967OSSL_PARAM_END1968};19691970static const OSSL_PARAM *rsa_sigalg_settable_ctx_params(void *vprsactx,1971ossl_unused void *provctx)1972{1973PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;19741975if (prsactx != NULL && prsactx->operation == EVP_PKEY_OP_VERIFYMSG)1976return settable_sigalg_ctx_params;1977return NULL;1978}19791980static int rsa_sigalg_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])1981{1982PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;1983const OSSL_PARAM *p;19841985if (prsactx == NULL)1986return 0;1987if (ossl_param_is_empty(params))1988return 1;19891990if (prsactx->operation == EVP_PKEY_OP_VERIFYMSG) {1991p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_SIGNATURE);1992if (p != NULL) {1993OPENSSL_free(prsactx->sig);1994prsactx->sig = NULL;1995prsactx->siglen = 0;1996if (!OSSL_PARAM_get_octet_string(p, (void **)&prsactx->sig,19970, &prsactx->siglen))1998return 0;1999}2000}2001return 1;2002}20032004#define IMPL_RSA_SIGALG(md, MD) \2005static OSSL_FUNC_signature_sign_init_fn rsa_##md##_sign_init; \2006static OSSL_FUNC_signature_sign_message_init_fn \2007rsa_##md##_sign_message_init; \2008static OSSL_FUNC_signature_verify_init_fn rsa_##md##_verify_init; \2009static OSSL_FUNC_signature_verify_message_init_fn \2010rsa_##md##_verify_message_init; \2011\2012static int \2013rsa_##md##_sign_init(void *vprsactx, void *vrsa, \2014const OSSL_PARAM params[]) \2015{ \2016static const char desc[] = "RSA Sigalg Sign Init"; \2017\2018return rsa_sigalg_signverify_init(vprsactx, vrsa, \2019rsa_sigalg_set_ctx_params, \2020params, #MD, \2021EVP_PKEY_OP_SIGN, \2022RSA_PKCS1_PADDING, \2023desc); \2024} \2025\2026static int \2027rsa_##md##_sign_message_init(void *vprsactx, void *vrsa, \2028const OSSL_PARAM params[]) \2029{ \2030static const char desc[] = "RSA Sigalg Sign Message Init"; \2031\2032return rsa_sigalg_signverify_init(vprsactx, vrsa, \2033rsa_sigalg_set_ctx_params, \2034params, #MD, \2035EVP_PKEY_OP_SIGNMSG, \2036RSA_PKCS1_PADDING, \2037desc); \2038} \2039\2040static int \2041rsa_##md##_verify_init(void *vprsactx, void *vrsa, \2042const OSSL_PARAM params[]) \2043{ \2044static const char desc[] = "RSA Sigalg Verify Init"; \2045\2046return rsa_sigalg_signverify_init(vprsactx, vrsa, \2047rsa_sigalg_set_ctx_params, \2048params, #MD, \2049EVP_PKEY_OP_VERIFY, \2050RSA_PKCS1_PADDING, \2051desc); \2052} \2053\2054static int \2055rsa_##md##_verify_recover_init(void *vprsactx, void *vrsa, \2056const OSSL_PARAM params[]) \2057{ \2058static const char desc[] = "RSA Sigalg Verify Recover Init"; \2059\2060return rsa_sigalg_signverify_init(vprsactx, vrsa, \2061rsa_sigalg_set_ctx_params, \2062params, #MD, \2063EVP_PKEY_OP_VERIFYRECOVER, \2064RSA_PKCS1_PADDING, \2065desc); \2066} \2067\2068static int \2069rsa_##md##_verify_message_init(void *vprsactx, void *vrsa, \2070const OSSL_PARAM params[]) \2071{ \2072static const char desc[] = "RSA Sigalg Verify Message Init"; \2073\2074return rsa_sigalg_signverify_init(vprsactx, vrsa, \2075rsa_sigalg_set_ctx_params, \2076params, #MD, \2077EVP_PKEY_OP_VERIFYMSG, \2078RSA_PKCS1_PADDING, \2079desc); \2080} \2081\2082const OSSL_DISPATCH ossl_rsa_##md##_signature_functions[] = { \2083{ OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))rsa_newctx }, \2084{ OSSL_FUNC_SIGNATURE_SIGN_INIT, \2085(void (*)(void))rsa_##md##_sign_init }, \2086{ OSSL_FUNC_SIGNATURE_SIGN, (void (*)(void))rsa_sign }, \2087{ OSSL_FUNC_SIGNATURE_SIGN_MESSAGE_INIT, \2088(void (*)(void))rsa_##md##_sign_message_init }, \2089{ OSSL_FUNC_SIGNATURE_SIGN_MESSAGE_UPDATE, \2090(void (*)(void))rsa_signverify_message_update }, \2091{ OSSL_FUNC_SIGNATURE_SIGN_MESSAGE_FINAL, \2092(void (*)(void))rsa_sign_message_final }, \2093{ OSSL_FUNC_SIGNATURE_VERIFY_INIT, \2094(void (*)(void))rsa_##md##_verify_init }, \2095{ OSSL_FUNC_SIGNATURE_VERIFY, \2096(void (*)(void))rsa_verify }, \2097{ OSSL_FUNC_SIGNATURE_VERIFY_MESSAGE_INIT, \2098(void (*)(void))rsa_##md##_verify_message_init }, \2099{ OSSL_FUNC_SIGNATURE_VERIFY_MESSAGE_UPDATE, \2100(void (*)(void))rsa_signverify_message_update }, \2101{ OSSL_FUNC_SIGNATURE_VERIFY_MESSAGE_FINAL, \2102(void (*)(void))rsa_verify_message_final }, \2103{ OSSL_FUNC_SIGNATURE_VERIFY_RECOVER_INIT, \2104(void (*)(void))rsa_##md##_verify_recover_init }, \2105{ OSSL_FUNC_SIGNATURE_VERIFY_RECOVER, \2106(void (*)(void))rsa_verify_recover }, \2107{ OSSL_FUNC_SIGNATURE_FREECTX, (void (*)(void))rsa_freectx }, \2108{ OSSL_FUNC_SIGNATURE_DUPCTX, (void (*)(void))rsa_dupctx }, \2109{ OSSL_FUNC_SIGNATURE_QUERY_KEY_TYPES, \2110(void (*)(void))rsa_sigalg_query_key_types }, \2111{ OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, \2112(void (*)(void))rsa_get_ctx_params }, \2113{ OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS, \2114(void (*)(void))rsa_gettable_ctx_params }, \2115{ OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS, \2116(void (*)(void))rsa_sigalg_set_ctx_params }, \2117{ OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS, \2118(void (*)(void))rsa_sigalg_settable_ctx_params }, \2119OSSL_DISPATCH_END \2120}21212122/* clang-format off */2123#if !defined(OPENSSL_NO_RMD160) && !defined(FIPS_MODULE)2124IMPL_RSA_SIGALG(ripemd160, RIPEMD160);2125#endif2126IMPL_RSA_SIGALG(sha1, SHA1);2127IMPL_RSA_SIGALG(sha224, SHA2-224);2128IMPL_RSA_SIGALG(sha256, SHA2-256);2129IMPL_RSA_SIGALG(sha384, SHA2-384);2130IMPL_RSA_SIGALG(sha512, SHA2-512);2131IMPL_RSA_SIGALG(sha512_224, SHA2-512/224);2132IMPL_RSA_SIGALG(sha512_256, SHA2-512/256);2133IMPL_RSA_SIGALG(sha3_224, SHA3-224);2134IMPL_RSA_SIGALG(sha3_256, SHA3-256);2135IMPL_RSA_SIGALG(sha3_384, SHA3-384);2136IMPL_RSA_SIGALG(sha3_512, SHA3-512);2137#if !defined(OPENSSL_NO_SM3) && !defined(FIPS_MODULE)2138IMPL_RSA_SIGALG(sm3, SM3);2139#endif2140/* clang-format on */214121422143