Path: blob/main/crypto/openssl/providers/implementations/signature/rsa_sig.c
48383 views
/*1* Copyright 2019-2025 The OpenSSL Project Authors. All Rights Reserved.2*3* Licensed under the Apache License 2.0 (the "License"). You may not use4* this file except in compliance with the License. You can obtain a copy5* in the file LICENSE in the source distribution or at6* https://www.openssl.org/source/license.html7*/89/*10* RSA low level APIs are deprecated for public use, but still ok for11* internal use.12*/13#include "internal/deprecated.h"1415#include <string.h>16#include <openssl/crypto.h>17#include <openssl/core_dispatch.h>18#include <openssl/core_names.h>19#include <openssl/err.h>20#include <openssl/obj_mac.h>21#include <openssl/rsa.h>22#include <openssl/params.h>23#include <openssl/evp.h>24#include <openssl/proverr.h>25#include "internal/cryptlib.h"26#include "internal/nelem.h"27#include "internal/sizes.h"28#include "crypto/rsa.h"29#include "prov/providercommon.h"30#include "prov/implementations.h"31#include "prov/provider_ctx.h"32#include "prov/der_rsa.h"33#include "prov/securitycheck.h"3435#define RSA_DEFAULT_DIGEST_NAME OSSL_DIGEST_NAME_SHA13637static OSSL_FUNC_signature_newctx_fn rsa_newctx;38static OSSL_FUNC_signature_sign_init_fn rsa_sign_init;39static OSSL_FUNC_signature_verify_init_fn rsa_verify_init;40static OSSL_FUNC_signature_verify_recover_init_fn rsa_verify_recover_init;41static OSSL_FUNC_signature_sign_fn rsa_sign;42static OSSL_FUNC_signature_sign_message_update_fn rsa_signverify_message_update;43static OSSL_FUNC_signature_sign_message_final_fn rsa_sign_message_final;44static OSSL_FUNC_signature_verify_fn rsa_verify;45static OSSL_FUNC_signature_verify_recover_fn rsa_verify_recover;46static OSSL_FUNC_signature_verify_message_update_fn rsa_signverify_message_update;47static OSSL_FUNC_signature_verify_message_final_fn rsa_verify_message_final;48static OSSL_FUNC_signature_digest_sign_init_fn rsa_digest_sign_init;49static OSSL_FUNC_signature_digest_sign_update_fn rsa_digest_sign_update;50static OSSL_FUNC_signature_digest_sign_final_fn rsa_digest_sign_final;51static OSSL_FUNC_signature_digest_verify_init_fn rsa_digest_verify_init;52static OSSL_FUNC_signature_digest_verify_update_fn rsa_digest_verify_update;53static OSSL_FUNC_signature_digest_verify_final_fn rsa_digest_verify_final;54static OSSL_FUNC_signature_freectx_fn rsa_freectx;55static OSSL_FUNC_signature_dupctx_fn rsa_dupctx;56static OSSL_FUNC_signature_query_key_types_fn rsa_sigalg_query_key_types;57static OSSL_FUNC_signature_get_ctx_params_fn rsa_get_ctx_params;58static OSSL_FUNC_signature_gettable_ctx_params_fn rsa_gettable_ctx_params;59static OSSL_FUNC_signature_set_ctx_params_fn rsa_set_ctx_params;60static OSSL_FUNC_signature_settable_ctx_params_fn rsa_settable_ctx_params;61static OSSL_FUNC_signature_get_ctx_md_params_fn rsa_get_ctx_md_params;62static OSSL_FUNC_signature_gettable_ctx_md_params_fn rsa_gettable_ctx_md_params;63static OSSL_FUNC_signature_set_ctx_md_params_fn rsa_set_ctx_md_params;64static OSSL_FUNC_signature_settable_ctx_md_params_fn rsa_settable_ctx_md_params;65static OSSL_FUNC_signature_set_ctx_params_fn rsa_sigalg_set_ctx_params;66static OSSL_FUNC_signature_settable_ctx_params_fn rsa_sigalg_settable_ctx_params;6768static OSSL_ITEM padding_item[] = {69{ RSA_PKCS1_PADDING, OSSL_PKEY_RSA_PAD_MODE_PKCSV15 },70{ RSA_NO_PADDING, OSSL_PKEY_RSA_PAD_MODE_NONE },71{ RSA_X931_PADDING, OSSL_PKEY_RSA_PAD_MODE_X931 },72{ RSA_PKCS1_PSS_PADDING, OSSL_PKEY_RSA_PAD_MODE_PSS },73{ 0, NULL }74};7576/*77* What's passed as an actual key is defined by the KEYMGMT interface.78* We happen to know that our KEYMGMT simply passes RSA structures, so79* we use that here too.80*/8182typedef struct {83OSSL_LIB_CTX *libctx;84char *propq;85RSA *rsa;86int operation;8788/*89* Flag to determine if a full sigalg is run (1) or if a composable90* signature algorithm is run (0).91*92* When a full sigalg is run (1), this currently affects the following93* other flags, which are to remain untouched after their initialization:94*95* - flag_allow_md (initialized to 0)96*/97unsigned int flag_sigalg : 1;98/*99* Flag to determine if the hash function can be changed (1) or not (0)100* Because it's dangerous to change during a DigestSign or DigestVerify101* operation, this flag is cleared by their Init function, and set again102* by their Final function.103* Implementations of full sigalgs (such as RSA-SHA256) hard-code this104* flag to not allow changes (0).105*/106unsigned int flag_allow_md : 1;107unsigned int mgf1_md_set : 1;108/*109* Flags to say what are the possible next external calls in what110* consitutes the life cycle of an algorithm. The relevant calls are:111* - init112* - update113* - final114* - oneshot115* All other external calls are regarded as utilitarian and are allowed116* at any time (they may be affected by other flags, like flag_allow_md,117* though).118*/119unsigned int flag_allow_update : 1;120unsigned int flag_allow_final : 1;121unsigned int flag_allow_oneshot : 1;122123/* main digest */124EVP_MD *md;125EVP_MD_CTX *mdctx;126int mdnid;127char mdname[OSSL_MAX_NAME_SIZE]; /* Purely informational */128129/* RSA padding mode */130int pad_mode;131/* message digest for MGF1 */132EVP_MD *mgf1_md;133int mgf1_mdnid;134char mgf1_mdname[OSSL_MAX_NAME_SIZE]; /* Purely informational */135/* PSS salt length */136int saltlen;137/* Minimum salt length or -1 if no PSS parameter restriction */138int min_saltlen;139140/* Signature, for verification */141unsigned char *sig;142size_t siglen;143144#ifdef FIPS_MODULE145/*146* FIPS 140-3 IG 2.4.B mandates that verification based on a digest of a147* message is not permitted. However, signing based on a digest is still148* permitted.149*/150int verify_message;151#endif152153/* Temp buffer */154unsigned char *tbuf;155156OSSL_FIPS_IND_DECLARE157} PROV_RSA_CTX;158159/* True if PSS parameters are restricted */160#define rsa_pss_restricted(prsactx) (prsactx->min_saltlen != -1)161162static size_t rsa_get_md_size(const PROV_RSA_CTX *prsactx)163{164int md_size;165166if (prsactx->md != NULL) {167md_size = EVP_MD_get_size(prsactx->md);168if (md_size <= 0)169return 0;170return md_size;171}172return 0;173}174175static int rsa_check_padding(const PROV_RSA_CTX *prsactx,176const char *mdname, const char *mgf1_mdname,177int mdnid)178{179switch (prsactx->pad_mode) {180case RSA_NO_PADDING:181if (mdname != NULL || mdnid != NID_undef) {182ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE);183return 0;184}185break;186case RSA_X931_PADDING:187if (RSA_X931_hash_id(mdnid) == -1) {188ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_X931_DIGEST);189return 0;190}191break;192case RSA_PKCS1_PSS_PADDING:193if (rsa_pss_restricted(prsactx))194if ((mdname != NULL && !EVP_MD_is_a(prsactx->md, mdname))195|| (mgf1_mdname != NULL196&& !EVP_MD_is_a(prsactx->mgf1_md, mgf1_mdname))) {197ERR_raise(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED);198return 0;199}200break;201default:202break;203}204205return 1;206}207208static int rsa_check_parameters(PROV_RSA_CTX *prsactx, int min_saltlen)209{210if (prsactx->pad_mode == RSA_PKCS1_PSS_PADDING) {211int max_saltlen;212213/* See if minimum salt length exceeds maximum possible */214max_saltlen = RSA_size(prsactx->rsa) - EVP_MD_get_size(prsactx->md);215if ((RSA_bits(prsactx->rsa) & 0x7) == 1)216max_saltlen--;217if (min_saltlen < 0 || min_saltlen > max_saltlen) {218ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH);219return 0;220}221prsactx->min_saltlen = min_saltlen;222}223return 1;224}225226static void *rsa_newctx(void *provctx, const char *propq)227{228PROV_RSA_CTX *prsactx = NULL;229char *propq_copy = NULL;230231if (!ossl_prov_is_running())232return NULL;233234if ((prsactx = OPENSSL_zalloc(sizeof(PROV_RSA_CTX))) == NULL235|| (propq != NULL236&& (propq_copy = OPENSSL_strdup(propq)) == NULL)) {237OPENSSL_free(prsactx);238return NULL;239}240241OSSL_FIPS_IND_INIT(prsactx)242prsactx->libctx = PROV_LIBCTX_OF(provctx);243prsactx->flag_allow_md = 1;244#ifdef FIPS_MODULE245prsactx->verify_message = 1;246#endif247prsactx->propq = propq_copy;248/* Maximum up to digest length for sign, auto for verify */249prsactx->saltlen = RSA_PSS_SALTLEN_AUTO_DIGEST_MAX;250prsactx->min_saltlen = -1;251return prsactx;252}253254static int rsa_pss_compute_saltlen(PROV_RSA_CTX *ctx)255{256int saltlen = ctx->saltlen;257int saltlenMax = -1;258259/* FIPS 186-4 section 5 "The RSA Digital Signature Algorithm", subsection260* 5.5 "PKCS #1" says: "For RSASSA-PSS […] the length (in bytes) of the261* salt (sLen) shall satisfy 0 <= sLen <= hLen, where hLen is the length of262* the hash function output block (in bytes)."263*264* Provide a way to use at most the digest length, so that the default does265* not violate FIPS 186-4. */266if (saltlen == RSA_PSS_SALTLEN_DIGEST) {267if ((saltlen = EVP_MD_get_size(ctx->md)) <= 0) {268ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST);269return -1;270}271} else if (saltlen == RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) {272saltlen = RSA_PSS_SALTLEN_MAX;273if ((saltlenMax = EVP_MD_get_size(ctx->md)) <= 0) {274ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST);275return -1;276}277}278if (saltlen == RSA_PSS_SALTLEN_MAX || saltlen == RSA_PSS_SALTLEN_AUTO) {279int mdsize, rsasize;280281if ((mdsize = EVP_MD_get_size(ctx->md)) <= 0) {282ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST);283return -1;284}285if ((rsasize = RSA_size(ctx->rsa)) <= 2 || rsasize - 2 < mdsize) {286ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY);287return -1;288}289saltlen = rsasize - mdsize - 2;290if ((RSA_bits(ctx->rsa) & 0x7) == 1)291saltlen--;292if (saltlenMax >= 0 && saltlen > saltlenMax)293saltlen = saltlenMax;294}295if (saltlen < 0) {296ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);297return -1;298} else if (saltlen < ctx->min_saltlen) {299ERR_raise_data(ERR_LIB_PROV, PROV_R_PSS_SALTLEN_TOO_SMALL,300"minimum salt length: %d, actual salt length: %d",301ctx->min_saltlen, saltlen);302return -1;303}304return saltlen;305}306307static unsigned char *rsa_generate_signature_aid(PROV_RSA_CTX *ctx,308unsigned char *aid_buf,309size_t buf_len,310size_t *aid_len)311{312WPACKET pkt;313unsigned char *aid = NULL;314int saltlen;315RSA_PSS_PARAMS_30 pss_params;316int ret;317318if (!WPACKET_init_der(&pkt, aid_buf, buf_len)) {319ERR_raise(ERR_LIB_PROV, ERR_R_CRYPTO_LIB);320return NULL;321}322323switch (ctx->pad_mode) {324case RSA_PKCS1_PADDING:325ret = ossl_DER_w_algorithmIdentifier_MDWithRSAEncryption(&pkt, -1,326ctx->mdnid);327328if (ret > 0) {329break;330} else if (ret == 0) {331ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);332goto cleanup;333}334ERR_raise_data(ERR_LIB_PROV, ERR_R_UNSUPPORTED,335"Algorithm ID generation - md NID: %d",336ctx->mdnid);337goto cleanup;338case RSA_PKCS1_PSS_PADDING:339saltlen = rsa_pss_compute_saltlen(ctx);340if (saltlen < 0)341goto cleanup;342if (!ossl_rsa_pss_params_30_set_defaults(&pss_params)343|| !ossl_rsa_pss_params_30_set_hashalg(&pss_params, ctx->mdnid)344|| !ossl_rsa_pss_params_30_set_maskgenhashalg(&pss_params,345ctx->mgf1_mdnid)346|| !ossl_rsa_pss_params_30_set_saltlen(&pss_params, saltlen)347|| !ossl_DER_w_algorithmIdentifier_RSA_PSS(&pkt, -1,348RSA_FLAG_TYPE_RSASSAPSS,349&pss_params)) {350ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);351goto cleanup;352}353break;354default:355ERR_raise_data(ERR_LIB_PROV, ERR_R_UNSUPPORTED,356"Algorithm ID generation - pad mode: %d",357ctx->pad_mode);358goto cleanup;359}360if (WPACKET_finish(&pkt)) {361WPACKET_get_total_written(&pkt, aid_len);362aid = WPACKET_get_curr(&pkt);363}364cleanup:365WPACKET_cleanup(&pkt);366return aid;367}368369static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname,370const char *mdprops, const char *desc)371{372EVP_MD *md = NULL;373374if (mdprops == NULL)375mdprops = ctx->propq;376377if (mdname != NULL) {378int md_nid;379size_t mdname_len = strlen(mdname);380381md = EVP_MD_fetch(ctx->libctx, mdname, mdprops);382383if (md == NULL) {384ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,385"%s could not be fetched", mdname);386goto err;387}388md_nid = ossl_digest_rsa_sign_get_md_nid(md);389if (md_nid == NID_undef) {390ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED,391"digest=%s", mdname);392goto err;393}394/*395* XOF digests are not allowed except for RSA PSS.396* We don't support XOF digests with RSA PSS (yet), so just fail.397* When we do support them, uncomment the second clause.398*/399if (EVP_MD_xof(md)400/* && ctx->pad_mode != RSA_PKCS1_PSS_PADDING */) {401ERR_raise(ERR_LIB_PROV, PROV_R_XOF_DIGESTS_NOT_ALLOWED);402goto err;403}404#ifdef FIPS_MODULE405{406int sha1_allowed407= ((ctx->operation408& (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_SIGNMSG)) == 0);409410if (!ossl_fips_ind_digest_sign_check(OSSL_FIPS_IND_GET(ctx),411OSSL_FIPS_IND_SETTABLE1,412ctx->libctx,413md_nid, sha1_allowed, 1, desc,414ossl_fips_config_signature_digest_check))415goto err;416}417#endif418419if (!rsa_check_padding(ctx, mdname, NULL, md_nid))420goto err;421if (mdname_len >= sizeof(ctx->mdname)) {422ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,423"%s exceeds name buffer length", mdname);424goto err;425}426427if (!ctx->flag_allow_md) {428if (ctx->mdname[0] != '\0' && !EVP_MD_is_a(md, ctx->mdname)) {429ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED,430"digest %s != %s", mdname, ctx->mdname);431goto err;432}433EVP_MD_free(md);434return 1;435}436437if (!ctx->mgf1_md_set) {438if (!EVP_MD_up_ref(md)) {439goto err;440}441EVP_MD_free(ctx->mgf1_md);442ctx->mgf1_md = md;443ctx->mgf1_mdnid = md_nid;444OPENSSL_strlcpy(ctx->mgf1_mdname, mdname, sizeof(ctx->mgf1_mdname));445}446447EVP_MD_CTX_free(ctx->mdctx);448EVP_MD_free(ctx->md);449450ctx->mdctx = NULL;451ctx->md = md;452ctx->mdnid = md_nid;453OPENSSL_strlcpy(ctx->mdname, mdname, sizeof(ctx->mdname));454}455456return 1;457err:458EVP_MD_free(md);459return 0;460}461462static int rsa_setup_mgf1_md(PROV_RSA_CTX *ctx, const char *mdname,463const char *mdprops)464{465size_t len;466EVP_MD *md = NULL;467int mdnid;468469if (mdprops == NULL)470mdprops = ctx->propq;471472if ((md = EVP_MD_fetch(ctx->libctx, mdname, mdprops)) == NULL) {473ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,474"%s could not be fetched", mdname);475return 0;476}477/* The default for mgf1 is SHA1 - so allow SHA1 */478if ((mdnid = ossl_digest_rsa_sign_get_md_nid(md)) <= 0479|| !rsa_check_padding(ctx, NULL, mdname, mdnid)) {480if (mdnid <= 0)481ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED,482"digest=%s", mdname);483EVP_MD_free(md);484return 0;485}486len = OPENSSL_strlcpy(ctx->mgf1_mdname, mdname, sizeof(ctx->mgf1_mdname));487if (len >= sizeof(ctx->mgf1_mdname)) {488ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,489"%s exceeds name buffer length", mdname);490EVP_MD_free(md);491return 0;492}493494EVP_MD_free(ctx->mgf1_md);495ctx->mgf1_md = md;496ctx->mgf1_mdnid = mdnid;497ctx->mgf1_md_set = 1;498return 1;499}500501static int502rsa_signverify_init(PROV_RSA_CTX *prsactx, void *vrsa,503OSSL_FUNC_signature_set_ctx_params_fn *set_ctx_params,504const OSSL_PARAM params[], int operation,505const char *desc)506{507int protect;508509if (!ossl_prov_is_running() || prsactx == NULL)510return 0;511512if (vrsa == NULL && prsactx->rsa == NULL) {513ERR_raise(ERR_LIB_PROV, PROV_R_NO_KEY_SET);514return 0;515}516517if (vrsa != NULL) {518if (!RSA_up_ref(vrsa))519return 0;520RSA_free(prsactx->rsa);521prsactx->rsa = vrsa;522}523if (!ossl_rsa_key_op_get_protect(prsactx->rsa, operation, &protect))524return 0;525526prsactx->operation = operation;527prsactx->flag_allow_update = 1;528prsactx->flag_allow_final = 1;529prsactx->flag_allow_oneshot = 1;530531/* Maximize up to digest length for sign, auto for verify */532prsactx->saltlen = RSA_PSS_SALTLEN_AUTO_DIGEST_MAX;533prsactx->min_saltlen = -1;534535switch (RSA_test_flags(prsactx->rsa, RSA_FLAG_TYPE_MASK)) {536case RSA_FLAG_TYPE_RSA:537prsactx->pad_mode = RSA_PKCS1_PADDING;538break;539case RSA_FLAG_TYPE_RSASSAPSS:540prsactx->pad_mode = RSA_PKCS1_PSS_PADDING;541542{543const RSA_PSS_PARAMS_30 *pss =544ossl_rsa_get0_pss_params_30(prsactx->rsa);545546if (!ossl_rsa_pss_params_30_is_unrestricted(pss)) {547int md_nid = ossl_rsa_pss_params_30_hashalg(pss);548int mgf1md_nid = ossl_rsa_pss_params_30_maskgenhashalg(pss);549int min_saltlen = ossl_rsa_pss_params_30_saltlen(pss);550const char *mdname, *mgf1mdname;551size_t len;552553mdname = ossl_rsa_oaeppss_nid2name(md_nid);554mgf1mdname = ossl_rsa_oaeppss_nid2name(mgf1md_nid);555556if (mdname == NULL) {557ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,558"PSS restrictions lack hash algorithm");559return 0;560}561if (mgf1mdname == NULL) {562ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,563"PSS restrictions lack MGF1 hash algorithm");564return 0;565}566567len = OPENSSL_strlcpy(prsactx->mdname, mdname,568sizeof(prsactx->mdname));569if (len >= sizeof(prsactx->mdname)) {570ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,571"hash algorithm name too long");572return 0;573}574len = OPENSSL_strlcpy(prsactx->mgf1_mdname, mgf1mdname,575sizeof(prsactx->mgf1_mdname));576if (len >= sizeof(prsactx->mgf1_mdname)) {577ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,578"MGF1 hash algorithm name too long");579return 0;580}581prsactx->saltlen = min_saltlen;582583/* call rsa_setup_mgf1_md before rsa_setup_md to avoid duplication */584if (!rsa_setup_mgf1_md(prsactx, mgf1mdname, prsactx->propq)585|| !rsa_setup_md(prsactx, mdname, prsactx->propq, desc)586|| !rsa_check_parameters(prsactx, min_saltlen))587return 0;588}589}590591break;592default:593ERR_raise(ERR_LIB_RSA, PROV_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);594return 0;595}596597OSSL_FIPS_IND_SET_APPROVED(prsactx)598if (!set_ctx_params(prsactx, params))599return 0;600#ifdef FIPS_MODULE601if (!ossl_fips_ind_rsa_key_check(OSSL_FIPS_IND_GET(prsactx),602OSSL_FIPS_IND_SETTABLE0, prsactx->libctx,603prsactx->rsa, desc, protect))604return 0;605#endif606return 1;607}608609static int setup_tbuf(PROV_RSA_CTX *ctx)610{611if (ctx->tbuf != NULL)612return 1;613if ((ctx->tbuf = OPENSSL_malloc(RSA_size(ctx->rsa))) == NULL)614return 0;615return 1;616}617618static void clean_tbuf(PROV_RSA_CTX *ctx)619{620if (ctx->tbuf != NULL)621OPENSSL_cleanse(ctx->tbuf, RSA_size(ctx->rsa));622}623624static void free_tbuf(PROV_RSA_CTX *ctx)625{626clean_tbuf(ctx);627OPENSSL_free(ctx->tbuf);628ctx->tbuf = NULL;629}630631#ifdef FIPS_MODULE632static int rsa_pss_saltlen_check_passed(PROV_RSA_CTX *ctx, const char *algoname, int saltlen)633{634int mdsize = rsa_get_md_size(ctx);635/*636* Perform the check if the salt length is compliant to FIPS 186-5.637*638* According to FIPS 186-5 5.4 (g), the salt length shall be between zero639* and the output block length of the digest function (inclusive).640*/641int approved = (saltlen >= 0 && saltlen <= mdsize);642643if (!approved) {644if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE3,645ctx->libctx,646algoname, "PSS Salt Length",647ossl_fips_config_rsa_pss_saltlen_check)) {648ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH);649return 0;650}651}652653return 1;654}655#endif656657static int rsa_sign_init(void *vprsactx, void *vrsa, const OSSL_PARAM params[])658{659PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;660661#ifdef FIPS_MODULE662if (prsactx != NULL)663prsactx->verify_message = 1;664#endif665666return rsa_signverify_init(prsactx, vrsa, rsa_set_ctx_params, params,667EVP_PKEY_OP_SIGN, "RSA Sign Init");668}669670/*671* Sign tbs without digesting it first. This is suitable for "primitive"672* signing and signing the digest of a message, i.e. should be used with673* implementations of the keytype related algorithms.674*/675static int rsa_sign_directly(PROV_RSA_CTX *prsactx,676unsigned char *sig, size_t *siglen, size_t sigsize,677const unsigned char *tbs, size_t tbslen)678{679int ret;680size_t rsasize = RSA_size(prsactx->rsa);681size_t mdsize = rsa_get_md_size(prsactx);682683if (!ossl_prov_is_running())684return 0;685686if (sig == NULL) {687*siglen = rsasize;688return 1;689}690691if (sigsize < rsasize) {692ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_SIGNATURE_SIZE,693"is %zu, should be at least %zu", sigsize, rsasize);694return 0;695}696697if (mdsize != 0) {698if (tbslen != mdsize) {699ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST_LENGTH);700return 0;701}702703#ifndef FIPS_MODULE704if (EVP_MD_is_a(prsactx->md, OSSL_DIGEST_NAME_MDC2)) {705unsigned int sltmp;706707if (prsactx->pad_mode != RSA_PKCS1_PADDING) {708ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE,709"only PKCS#1 padding supported with MDC2");710return 0;711}712ret = RSA_sign_ASN1_OCTET_STRING(0, tbs, tbslen, sig, &sltmp,713prsactx->rsa);714715if (ret <= 0) {716ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);717return 0;718}719ret = sltmp;720goto end;721}722#endif723switch (prsactx->pad_mode) {724case RSA_X931_PADDING:725if ((size_t)RSA_size(prsactx->rsa) < tbslen + 1) {726ERR_raise_data(ERR_LIB_PROV, PROV_R_KEY_SIZE_TOO_SMALL,727"RSA key size = %d, expected minimum = %d",728RSA_size(prsactx->rsa), tbslen + 1);729return 0;730}731if (!setup_tbuf(prsactx)) {732ERR_raise(ERR_LIB_PROV, ERR_R_PROV_LIB);733return 0;734}735memcpy(prsactx->tbuf, tbs, tbslen);736prsactx->tbuf[tbslen] = RSA_X931_hash_id(prsactx->mdnid);737ret = RSA_private_encrypt(tbslen + 1, prsactx->tbuf,738sig, prsactx->rsa, RSA_X931_PADDING);739clean_tbuf(prsactx);740break;741case RSA_PKCS1_PADDING:742{743unsigned int sltmp;744745ret = RSA_sign(prsactx->mdnid, tbs, tbslen, sig, &sltmp,746prsactx->rsa);747if (ret <= 0) {748ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);749return 0;750}751ret = sltmp;752}753break;754755case RSA_PKCS1_PSS_PADDING:756{757int saltlen;758759/* Check PSS restrictions */760if (rsa_pss_restricted(prsactx)) {761switch (prsactx->saltlen) {762case RSA_PSS_SALTLEN_DIGEST:763if (prsactx->min_saltlen > EVP_MD_get_size(prsactx->md)) {764ERR_raise_data(ERR_LIB_PROV,765PROV_R_PSS_SALTLEN_TOO_SMALL,766"minimum salt length set to %d, "767"but the digest only gives %d",768prsactx->min_saltlen,769EVP_MD_get_size(prsactx->md));770return 0;771}772/* FALLTHRU */773default:774if (prsactx->saltlen >= 0775&& prsactx->saltlen < prsactx->min_saltlen) {776ERR_raise_data(ERR_LIB_PROV,777PROV_R_PSS_SALTLEN_TOO_SMALL,778"minimum salt length set to %d, but the"779"actual salt length is only set to %d",780prsactx->min_saltlen,781prsactx->saltlen);782return 0;783}784break;785}786}787if (!setup_tbuf(prsactx))788return 0;789saltlen = prsactx->saltlen;790if (!ossl_rsa_padding_add_PKCS1_PSS_mgf1(prsactx->rsa,791prsactx->tbuf, tbs,792prsactx->md, prsactx->mgf1_md,793&saltlen)) {794ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);795return 0;796}797#ifdef FIPS_MODULE798if (!rsa_pss_saltlen_check_passed(prsactx, "RSA Sign", saltlen))799return 0;800#endif801ret = RSA_private_encrypt(RSA_size(prsactx->rsa), prsactx->tbuf,802sig, prsactx->rsa, RSA_NO_PADDING);803clean_tbuf(prsactx);804}805break;806807default:808ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE,809"Only X.931, PKCS#1 v1.5 or PSS padding allowed");810return 0;811}812} else {813ret = RSA_private_encrypt(tbslen, tbs, sig, prsactx->rsa,814prsactx->pad_mode);815}816817#ifndef FIPS_MODULE818end:819#endif820if (ret <= 0) {821ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);822return 0;823}824825*siglen = ret;826return 1;827}828829static int rsa_signverify_message_update(void *vprsactx,830const unsigned char *data,831size_t datalen)832{833PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;834835if (prsactx == NULL || prsactx->mdctx == NULL)836return 0;837838if (!prsactx->flag_allow_update) {839ERR_raise(ERR_LIB_PROV, PROV_R_UPDATE_CALL_OUT_OF_ORDER);840return 0;841}842prsactx->flag_allow_oneshot = 0;843844return EVP_DigestUpdate(prsactx->mdctx, data, datalen);845}846847static int rsa_sign_message_final(void *vprsactx, unsigned char *sig,848size_t *siglen, size_t sigsize)849{850PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;851unsigned char digest[EVP_MAX_MD_SIZE];852unsigned int dlen = 0;853854if (!ossl_prov_is_running() || prsactx == NULL)855return 0;856if (prsactx->mdctx == NULL)857return 0;858if (!prsactx->flag_allow_final) {859ERR_raise(ERR_LIB_PROV, PROV_R_FINAL_CALL_OUT_OF_ORDER);860return 0;861}862863/*864* If sig is NULL then we're just finding out the sig size. Other fields865* are ignored. Defer to rsa_sign.866*/867if (sig != NULL) {868/*869* The digests used here are all known (see rsa_get_md_nid()), so they870* should not exceed the internal buffer size of EVP_MAX_MD_SIZE.871*/872if (!EVP_DigestFinal_ex(prsactx->mdctx, digest, &dlen))873return 0;874875prsactx->flag_allow_update = 0;876prsactx->flag_allow_oneshot = 0;877prsactx->flag_allow_final = 0;878}879880return rsa_sign_directly(prsactx, sig, siglen, sigsize, digest, dlen);881}882883/*884* If signing a message, digest tbs and sign the result.885* Otherwise, sign tbs directly.886*/887static int rsa_sign(void *vprsactx, unsigned char *sig, size_t *siglen,888size_t sigsize, const unsigned char *tbs, size_t tbslen)889{890PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;891892if (!ossl_prov_is_running() || prsactx == NULL)893return 0;894if (!prsactx->flag_allow_oneshot) {895ERR_raise(ERR_LIB_PROV, PROV_R_ONESHOT_CALL_OUT_OF_ORDER);896return 0;897}898899if (prsactx->operation == EVP_PKEY_OP_SIGNMSG) {900/*901* If |sig| is NULL, the caller is only looking for the sig length.902* DO NOT update the input in this case.903*/904if (sig == NULL)905return rsa_sign_message_final(prsactx, sig, siglen, sigsize);906907return rsa_signverify_message_update(prsactx, tbs, tbslen)908&& rsa_sign_message_final(prsactx, sig, siglen, sigsize);909}910return rsa_sign_directly(prsactx, sig, siglen, sigsize, tbs, tbslen);911}912913static int rsa_verify_recover_init(void *vprsactx, void *vrsa,914const OSSL_PARAM params[])915{916PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;917918#ifdef FIPS_MODULE919if (prsactx != NULL)920prsactx->verify_message = 0;921#endif922923return rsa_signverify_init(prsactx, vrsa, rsa_set_ctx_params, params,924EVP_PKEY_OP_VERIFYRECOVER, "RSA VerifyRecover Init");925}926927/*928* There is no message variant of verify recover, so no need for929* 'rsa_verify_recover_directly', just use this function, er, directly.930*/931static int rsa_verify_recover(void *vprsactx,932unsigned char *rout, size_t *routlen,933size_t routsize,934const unsigned char *sig, size_t siglen)935{936PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;937int ret;938939if (!ossl_prov_is_running())940return 0;941942if (rout == NULL) {943*routlen = RSA_size(prsactx->rsa);944return 1;945}946947if (prsactx->md != NULL) {948switch (prsactx->pad_mode) {949case RSA_X931_PADDING:950if (!setup_tbuf(prsactx))951return 0;952ret = RSA_public_decrypt(siglen, sig, prsactx->tbuf, prsactx->rsa,953RSA_X931_PADDING);954if (ret <= 0) {955ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);956return 0;957}958ret--;959if (prsactx->tbuf[ret] != RSA_X931_hash_id(prsactx->mdnid)) {960ERR_raise(ERR_LIB_PROV, PROV_R_ALGORITHM_MISMATCH);961return 0;962}963if (ret != EVP_MD_get_size(prsactx->md)) {964ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST_LENGTH,965"Should be %d, but got %d",966EVP_MD_get_size(prsactx->md), ret);967return 0;968}969970*routlen = ret;971if (rout != prsactx->tbuf) {972if (routsize < (size_t)ret) {973ERR_raise_data(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL,974"buffer size is %d, should be %d",975routsize, ret);976return 0;977}978memcpy(rout, prsactx->tbuf, ret);979}980break;981982case RSA_PKCS1_PADDING:983{984size_t sltmp;985986ret = ossl_rsa_verify(prsactx->mdnid, NULL, 0, rout, &sltmp,987sig, siglen, prsactx->rsa);988if (ret <= 0) {989ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);990return 0;991}992ret = sltmp;993}994break;995996default:997ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE,998"Only X.931 or PKCS#1 v1.5 padding allowed");999return 0;1000}1001} else {1002ret = RSA_public_decrypt(siglen, sig, rout, prsactx->rsa,1003prsactx->pad_mode);1004if (ret <= 0) {1005ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);1006return 0;1007}1008}1009*routlen = ret;1010return 1;1011}10121013static int rsa_verify_init(void *vprsactx, void *vrsa,1014const OSSL_PARAM params[])1015{1016PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;10171018#ifdef FIPS_MODULE1019if (prsactx != NULL)1020prsactx->verify_message = 0;1021#endif10221023return rsa_signverify_init(prsactx, vrsa, rsa_set_ctx_params, params,1024EVP_PKEY_OP_VERIFY, "RSA Verify Init");1025}10261027static int rsa_verify_directly(PROV_RSA_CTX *prsactx,1028const unsigned char *sig, size_t siglen,1029const unsigned char *tbs, size_t tbslen)1030{1031size_t rslen;10321033if (!ossl_prov_is_running())1034return 0;1035if (prsactx->md != NULL) {1036switch (prsactx->pad_mode) {1037case RSA_PKCS1_PADDING:1038if (!RSA_verify(prsactx->mdnid, tbs, tbslen, sig, siglen,1039prsactx->rsa)) {1040ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);1041return 0;1042}1043return 1;1044case RSA_X931_PADDING:1045if (!setup_tbuf(prsactx))1046return 0;1047if (rsa_verify_recover(prsactx, prsactx->tbuf, &rslen, 0,1048sig, siglen) <= 0)1049return 0;1050break;1051case RSA_PKCS1_PSS_PADDING:1052{1053int ret;1054int saltlen;1055size_t mdsize;10561057/*1058* We need to check this for the RSA_verify_PKCS1_PSS_mgf1()1059* call1060*/1061mdsize = rsa_get_md_size(prsactx);1062if (tbslen != mdsize) {1063ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST_LENGTH,1064"Should be %d, but got %d",1065mdsize, tbslen);1066return 0;1067}10681069if (!setup_tbuf(prsactx))1070return 0;1071ret = RSA_public_decrypt(siglen, sig, prsactx->tbuf,1072prsactx->rsa, RSA_NO_PADDING);1073if (ret <= 0) {1074ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);1075return 0;1076}1077saltlen = prsactx->saltlen;1078ret = ossl_rsa_verify_PKCS1_PSS_mgf1(prsactx->rsa, tbs,1079prsactx->md, prsactx->mgf1_md,1080prsactx->tbuf,1081&saltlen);1082if (ret <= 0) {1083ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);1084return 0;1085}1086#ifdef FIPS_MODULE1087if (!rsa_pss_saltlen_check_passed(prsactx, "RSA Verify", saltlen))1088return 0;1089#endif1090return 1;1091}1092default:1093ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE,1094"Only X.931, PKCS#1 v1.5 or PSS padding allowed");1095return 0;1096}1097} else {1098int ret;10991100if (!setup_tbuf(prsactx))1101return 0;1102ret = RSA_public_decrypt(siglen, sig, prsactx->tbuf, prsactx->rsa,1103prsactx->pad_mode);1104if (ret <= 0) {1105ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);1106return 0;1107}1108rslen = (size_t)ret;1109}11101111if ((rslen != tbslen) || memcmp(tbs, prsactx->tbuf, rslen))1112return 0;11131114return 1;1115}11161117static int rsa_verify_set_sig(void *vprsactx,1118const unsigned char *sig, size_t siglen)1119{1120PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;1121OSSL_PARAM params[2];11221123params[0] =1124OSSL_PARAM_construct_octet_string(OSSL_SIGNATURE_PARAM_SIGNATURE,1125(unsigned char *)sig, siglen);1126params[1] = OSSL_PARAM_construct_end();1127return rsa_sigalg_set_ctx_params(prsactx, params);1128}11291130static int rsa_verify_message_final(void *vprsactx)1131{1132PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;1133unsigned char digest[EVP_MAX_MD_SIZE];1134unsigned int dlen = 0;11351136if (!ossl_prov_is_running() || prsactx == NULL)1137return 0;1138if (prsactx->mdctx == NULL)1139return 0;1140if (!prsactx->flag_allow_final) {1141ERR_raise(ERR_LIB_PROV, PROV_R_FINAL_CALL_OUT_OF_ORDER);1142return 0;1143}11441145/*1146* The digests used here are all known (see rsa_get_md_nid()), so they1147* should not exceed the internal buffer size of EVP_MAX_MD_SIZE.1148*/1149if (!EVP_DigestFinal_ex(prsactx->mdctx, digest, &dlen))1150return 0;11511152prsactx->flag_allow_update = 0;1153prsactx->flag_allow_final = 0;1154prsactx->flag_allow_oneshot = 0;11551156return rsa_verify_directly(prsactx, prsactx->sig, prsactx->siglen,1157digest, dlen);1158}11591160/*1161* If verifying a message, digest tbs and verify the result.1162* Otherwise, verify tbs directly.1163*/1164static int rsa_verify(void *vprsactx,1165const unsigned char *sig, size_t siglen,1166const unsigned char *tbs, size_t tbslen)1167{1168PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;11691170if (!ossl_prov_is_running() || prsactx == NULL)1171return 0;1172if (!prsactx->flag_allow_oneshot) {1173ERR_raise(ERR_LIB_PROV, PROV_R_ONESHOT_CALL_OUT_OF_ORDER);1174return 0;1175}11761177if (prsactx->operation == EVP_PKEY_OP_VERIFYMSG)1178return rsa_verify_set_sig(prsactx, sig, siglen)1179&& rsa_signverify_message_update(prsactx, tbs, tbslen)1180&& rsa_verify_message_final(prsactx);1181return rsa_verify_directly(prsactx, sig, siglen, tbs, tbslen);1182}11831184/* DigestSign/DigestVerify wrappers */11851186static int rsa_digest_signverify_init(void *vprsactx, const char *mdname,1187void *vrsa, const OSSL_PARAM params[],1188int operation, const char *desc)1189{1190PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;11911192#ifdef FIPS_MODULE1193if (prsactx != NULL)1194prsactx->verify_message = 1;1195#endif11961197if (!rsa_signverify_init(prsactx, vrsa, rsa_set_ctx_params, params,1198operation, desc))1199return 0;12001201if (mdname != NULL1202/* was rsa_setup_md already called in rsa_signverify_init()? */1203&& (mdname[0] == '\0' || OPENSSL_strcasecmp(prsactx->mdname, mdname) != 0)1204&& !rsa_setup_md(prsactx, mdname, prsactx->propq, desc))1205return 0;12061207prsactx->flag_allow_md = 0;12081209if (prsactx->mdctx == NULL) {1210prsactx->mdctx = EVP_MD_CTX_new();1211if (prsactx->mdctx == NULL)1212goto error;1213}12141215if (!EVP_DigestInit_ex2(prsactx->mdctx, prsactx->md, params))1216goto error;12171218return 1;12191220error:1221EVP_MD_CTX_free(prsactx->mdctx);1222prsactx->mdctx = NULL;1223return 0;1224}12251226static int rsa_digest_sign_init(void *vprsactx, const char *mdname,1227void *vrsa, const OSSL_PARAM params[])1228{1229if (!ossl_prov_is_running())1230return 0;1231return rsa_digest_signverify_init(vprsactx, mdname, vrsa,1232params, EVP_PKEY_OP_SIGNMSG,1233"RSA Digest Sign Init");1234}12351236static int rsa_digest_sign_update(void *vprsactx, const unsigned char *data,1237size_t datalen)1238{1239PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;12401241if (prsactx == NULL)1242return 0;1243/* Sigalg implementations shouldn't do digest_sign */1244if (prsactx->flag_sigalg)1245return 0;12461247return rsa_signverify_message_update(prsactx, data, datalen);1248}12491250static int rsa_digest_sign_final(void *vprsactx, unsigned char *sig,1251size_t *siglen, size_t sigsize)1252{1253PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;1254int ok = 0;12551256if (prsactx == NULL)1257return 0;1258/* Sigalg implementations shouldn't do digest_sign */1259if (prsactx->flag_sigalg)1260return 0;12611262if (rsa_sign_message_final(prsactx, sig, siglen, sigsize))1263ok = 1;12641265prsactx->flag_allow_md = 1;12661267return ok;1268}12691270static int rsa_digest_verify_init(void *vprsactx, const char *mdname,1271void *vrsa, const OSSL_PARAM params[])1272{1273if (!ossl_prov_is_running())1274return 0;1275return rsa_digest_signverify_init(vprsactx, mdname, vrsa,1276params, EVP_PKEY_OP_VERIFYMSG,1277"RSA Digest Verify Init");1278}12791280static int rsa_digest_verify_update(void *vprsactx, const unsigned char *data,1281size_t datalen)1282{1283PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;12841285if (prsactx == NULL)1286return 0;1287/* Sigalg implementations shouldn't do digest_sign */1288if (prsactx->flag_sigalg)1289return 0;12901291return rsa_signverify_message_update(prsactx, data, datalen);1292}12931294int rsa_digest_verify_final(void *vprsactx, const unsigned char *sig,1295size_t siglen)1296{1297PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;1298int ok = 0;12991300if (prsactx == NULL)1301return 0;1302/* Sigalg implementations shouldn't do digest_verify */1303if (prsactx->flag_sigalg)1304return 0;13051306if (rsa_verify_set_sig(prsactx, sig, siglen)1307&& rsa_verify_message_final(vprsactx))1308ok = 1;13091310prsactx->flag_allow_md = 1;13111312return ok;1313}13141315static void rsa_freectx(void *vprsactx)1316{1317PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;13181319if (prsactx == NULL)1320return;13211322EVP_MD_CTX_free(prsactx->mdctx);1323EVP_MD_free(prsactx->md);1324EVP_MD_free(prsactx->mgf1_md);1325OPENSSL_free(prsactx->sig);1326OPENSSL_free(prsactx->propq);1327free_tbuf(prsactx);1328RSA_free(prsactx->rsa);13291330OPENSSL_clear_free(prsactx, sizeof(*prsactx));1331}13321333static void *rsa_dupctx(void *vprsactx)1334{1335PROV_RSA_CTX *srcctx = (PROV_RSA_CTX *)vprsactx;1336PROV_RSA_CTX *dstctx;13371338if (!ossl_prov_is_running())1339return NULL;13401341dstctx = OPENSSL_zalloc(sizeof(*srcctx));1342if (dstctx == NULL)1343return NULL;13441345*dstctx = *srcctx;1346dstctx->rsa = NULL;1347dstctx->md = NULL;1348dstctx->mgf1_md = NULL;1349dstctx->mdctx = NULL;1350dstctx->tbuf = NULL;1351dstctx->propq = NULL;13521353if (srcctx->rsa != NULL && !RSA_up_ref(srcctx->rsa))1354goto err;1355dstctx->rsa = srcctx->rsa;13561357if (srcctx->md != NULL && !EVP_MD_up_ref(srcctx->md))1358goto err;1359dstctx->md = srcctx->md;13601361if (srcctx->mgf1_md != NULL && !EVP_MD_up_ref(srcctx->mgf1_md))1362goto err;1363dstctx->mgf1_md = srcctx->mgf1_md;13641365if (srcctx->mdctx != NULL) {1366dstctx->mdctx = EVP_MD_CTX_new();1367if (dstctx->mdctx == NULL1368|| !EVP_MD_CTX_copy_ex(dstctx->mdctx, srcctx->mdctx))1369goto err;1370}13711372if (srcctx->propq != NULL) {1373dstctx->propq = OPENSSL_strdup(srcctx->propq);1374if (dstctx->propq == NULL)1375goto err;1376}13771378return dstctx;1379err:1380rsa_freectx(dstctx);1381return NULL;1382}13831384static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params)1385{1386PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;1387OSSL_PARAM *p;13881389if (prsactx == NULL)1390return 0;13911392p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_ALGORITHM_ID);1393if (p != NULL) {1394/* The Algorithm Identifier of the combined signature algorithm */1395unsigned char aid_buf[128];1396unsigned char *aid;1397size_t aid_len;13981399aid = rsa_generate_signature_aid(prsactx, aid_buf,1400sizeof(aid_buf), &aid_len);1401if (aid == NULL || !OSSL_PARAM_set_octet_string(p, aid, aid_len))1402return 0;1403}14041405p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_PAD_MODE);1406if (p != NULL)1407switch (p->data_type) {1408case OSSL_PARAM_INTEGER:1409if (!OSSL_PARAM_set_int(p, prsactx->pad_mode))1410return 0;1411break;1412case OSSL_PARAM_UTF8_STRING:1413{1414int i;1415const char *word = NULL;14161417for (i = 0; padding_item[i].id != 0; i++) {1418if (prsactx->pad_mode == (int)padding_item[i].id) {1419word = padding_item[i].ptr;1420break;1421}1422}14231424if (word != NULL) {1425if (!OSSL_PARAM_set_utf8_string(p, word))1426return 0;1427} else {1428ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);1429}1430}1431break;1432default:1433return 0;1434}14351436p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_DIGEST);1437if (p != NULL && !OSSL_PARAM_set_utf8_string(p, prsactx->mdname))1438return 0;14391440p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_MGF1_DIGEST);1441if (p != NULL && !OSSL_PARAM_set_utf8_string(p, prsactx->mgf1_mdname))1442return 0;14431444p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_PSS_SALTLEN);1445if (p != NULL) {1446if (p->data_type == OSSL_PARAM_INTEGER) {1447if (!OSSL_PARAM_set_int(p, prsactx->saltlen))1448return 0;1449} else if (p->data_type == OSSL_PARAM_UTF8_STRING) {1450const char *value = NULL;14511452switch (prsactx->saltlen) {1453case RSA_PSS_SALTLEN_DIGEST:1454value = OSSL_PKEY_RSA_PSS_SALT_LEN_DIGEST;1455break;1456case RSA_PSS_SALTLEN_MAX:1457value = OSSL_PKEY_RSA_PSS_SALT_LEN_MAX;1458break;1459case RSA_PSS_SALTLEN_AUTO:1460value = OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO;1461break;1462case RSA_PSS_SALTLEN_AUTO_DIGEST_MAX:1463value = OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX;1464break;1465default:1466{1467int len = BIO_snprintf(p->data, p->data_size, "%d",1468prsactx->saltlen);14691470if (len <= 0)1471return 0;1472p->return_size = len;1473break;1474}1475}1476if (value != NULL1477&& !OSSL_PARAM_set_utf8_string(p, value))1478return 0;1479}1480}14811482#ifdef FIPS_MODULE1483p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_FIPS_VERIFY_MESSAGE);1484if (p != NULL && !OSSL_PARAM_set_uint(p, prsactx->verify_message))1485return 0;1486#endif14871488if (!OSSL_FIPS_IND_GET_CTX_PARAM(prsactx, params))1489return 0;1490return 1;1491}14921493static const OSSL_PARAM known_gettable_ctx_params[] = {1494OSSL_PARAM_octet_string(OSSL_SIGNATURE_PARAM_ALGORITHM_ID, NULL, 0),1495OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PAD_MODE, NULL, 0),1496OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, NULL, 0),1497OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_DIGEST, NULL, 0),1498OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL, 0),1499#ifdef FIPS_MODULE1500OSSL_PARAM_uint(OSSL_SIGNATURE_PARAM_FIPS_VERIFY_MESSAGE, NULL),1501#endif1502OSSL_FIPS_IND_GETTABLE_CTX_PARAM()1503OSSL_PARAM_END1504};15051506static const OSSL_PARAM *rsa_gettable_ctx_params(ossl_unused void *vprsactx,1507ossl_unused void *provctx)1508{1509return known_gettable_ctx_params;1510}15111512#ifdef FIPS_MODULE1513static int rsa_x931_padding_allowed(PROV_RSA_CTX *ctx)1514{1515int approved = ((ctx->operation & EVP_PKEY_OP_SIGN) == 0);15161517if (!approved) {1518if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE2,1519ctx->libctx,1520"RSA Sign set ctx", "X931 Padding",1521ossl_fips_config_rsa_sign_x931_disallowed)) {1522ERR_raise(ERR_LIB_PROV,1523PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);1524return 0;1525}1526}1527return 1;1528}1529#endif15301531static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])1532{1533PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;1534const OSSL_PARAM *p;1535int pad_mode;1536int saltlen;1537char mdname[OSSL_MAX_NAME_SIZE] = "", *pmdname = NULL;1538char mdprops[OSSL_MAX_PROPQUERY_SIZE] = "", *pmdprops = NULL;1539char mgf1mdname[OSSL_MAX_NAME_SIZE] = "", *pmgf1mdname = NULL;1540char mgf1mdprops[OSSL_MAX_PROPQUERY_SIZE] = "", *pmgf1mdprops = NULL;15411542if (prsactx == NULL)1543return 0;1544if (ossl_param_is_empty(params))1545return 1;15461547if (!OSSL_FIPS_IND_SET_CTX_PARAM(prsactx, OSSL_FIPS_IND_SETTABLE0, params,1548OSSL_SIGNATURE_PARAM_FIPS_KEY_CHECK))1549return 0;15501551if (!OSSL_FIPS_IND_SET_CTX_PARAM(prsactx, OSSL_FIPS_IND_SETTABLE1, params,1552OSSL_SIGNATURE_PARAM_FIPS_DIGEST_CHECK))1553return 0;15541555if (!OSSL_FIPS_IND_SET_CTX_PARAM(prsactx, OSSL_FIPS_IND_SETTABLE2, params,1556OSSL_SIGNATURE_PARAM_FIPS_SIGN_X931_PAD_CHECK))1557return 0;15581559if (!OSSL_FIPS_IND_SET_CTX_PARAM(prsactx, OSSL_FIPS_IND_SETTABLE3, params,1560OSSL_SIGNATURE_PARAM_FIPS_RSA_PSS_SALTLEN_CHECK))1561return 0;15621563pad_mode = prsactx->pad_mode;1564saltlen = prsactx->saltlen;15651566p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_DIGEST);1567if (p != NULL) {1568const OSSL_PARAM *propsp =1569OSSL_PARAM_locate_const(params,1570OSSL_SIGNATURE_PARAM_PROPERTIES);15711572pmdname = mdname;1573if (!OSSL_PARAM_get_utf8_string(p, &pmdname, sizeof(mdname)))1574return 0;15751576if (propsp != NULL) {1577pmdprops = mdprops;1578if (!OSSL_PARAM_get_utf8_string(propsp,1579&pmdprops, sizeof(mdprops)))1580return 0;1581}1582}15831584p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_PAD_MODE);1585if (p != NULL) {1586const char *err_extra_text = NULL;15871588switch (p->data_type) {1589case OSSL_PARAM_INTEGER: /* Support for legacy pad mode number */1590if (!OSSL_PARAM_get_int(p, &pad_mode))1591return 0;1592break;1593case OSSL_PARAM_UTF8_STRING:1594{1595int i;15961597if (p->data == NULL)1598return 0;15991600for (i = 0; padding_item[i].id != 0; i++) {1601if (strcmp(p->data, padding_item[i].ptr) == 0) {1602pad_mode = padding_item[i].id;1603break;1604}1605}1606}1607break;1608default:1609return 0;1610}16111612switch (pad_mode) {1613case RSA_PKCS1_OAEP_PADDING:1614/*1615* OAEP padding is for asymmetric cipher only so is not compatible1616* with signature use.1617*/1618err_extra_text = "OAEP padding not allowed for signing / verifying";1619goto bad_pad;1620case RSA_PKCS1_PSS_PADDING:1621if ((prsactx->operation1622& (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_SIGNMSG1623| EVP_PKEY_OP_VERIFY | EVP_PKEY_OP_VERIFYMSG)) == 0) {1624err_extra_text =1625"PSS padding only allowed for sign and verify operations";1626goto bad_pad;1627}1628break;1629case RSA_PKCS1_PADDING:1630err_extra_text = "PKCS#1 padding not allowed with RSA-PSS";1631goto cont;1632case RSA_NO_PADDING:1633err_extra_text = "No padding not allowed with RSA-PSS";1634goto cont;1635case RSA_X931_PADDING:1636#ifdef FIPS_MODULE1637/* X9.31 only allows sizes of 1024 + 256 * s (bits) */1638if ((RSA_bits(prsactx->rsa) & 0xFF) != 0) {1639ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);1640return 0;1641}1642/* RSA Signing with X9.31 padding is not allowed in FIPS 140-3 */1643if (!rsa_x931_padding_allowed(prsactx))1644return 0;1645#endif1646err_extra_text = "X.931 padding not allowed with RSA-PSS";1647cont:1648if (RSA_test_flags(prsactx->rsa,1649RSA_FLAG_TYPE_MASK) == RSA_FLAG_TYPE_RSA)1650break;1651/* FALLTHRU */1652default:1653bad_pad:1654if (err_extra_text == NULL)1655ERR_raise(ERR_LIB_PROV,1656PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);1657else1658ERR_raise_data(ERR_LIB_PROV,1659PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE,1660err_extra_text);1661return 0;1662}1663}16641665p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_PSS_SALTLEN);1666if (p != NULL) {1667if (pad_mode != RSA_PKCS1_PSS_PADDING) {1668ERR_raise_data(ERR_LIB_PROV, PROV_R_NOT_SUPPORTED,1669"PSS saltlen can only be specified if "1670"PSS padding has been specified first");1671return 0;1672}16731674switch (p->data_type) {1675case OSSL_PARAM_INTEGER: /* Support for legacy pad mode number */1676if (!OSSL_PARAM_get_int(p, &saltlen))1677return 0;1678break;1679case OSSL_PARAM_UTF8_STRING:1680if (strcmp(p->data, OSSL_PKEY_RSA_PSS_SALT_LEN_DIGEST) == 0)1681saltlen = RSA_PSS_SALTLEN_DIGEST;1682else if (strcmp(p->data, OSSL_PKEY_RSA_PSS_SALT_LEN_MAX) == 0)1683saltlen = RSA_PSS_SALTLEN_MAX;1684else if (strcmp(p->data, OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO) == 0)1685saltlen = RSA_PSS_SALTLEN_AUTO;1686else if (strcmp(p->data, OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX) == 0)1687saltlen = RSA_PSS_SALTLEN_AUTO_DIGEST_MAX;1688else1689saltlen = atoi(p->data);1690break;1691default:1692return 0;1693}16941695/*1696* RSA_PSS_SALTLEN_AUTO_DIGEST_MAX seems curiously named in this check.1697* Contrary to what it's name suggests, it's the currently lowest1698* saltlen number possible.1699*/1700if (saltlen < RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) {1701ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH);1702return 0;1703}17041705if (rsa_pss_restricted(prsactx)) {1706switch (saltlen) {1707case RSA_PSS_SALTLEN_AUTO:1708case RSA_PSS_SALTLEN_AUTO_DIGEST_MAX:1709if ((prsactx->operation1710& (EVP_PKEY_OP_VERIFY | EVP_PKEY_OP_VERIFYMSG)) == 0) {1711ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH,1712"Cannot use autodetected salt length");1713return 0;1714}1715break;1716case RSA_PSS_SALTLEN_DIGEST:1717if (prsactx->min_saltlen > EVP_MD_get_size(prsactx->md)) {1718ERR_raise_data(ERR_LIB_PROV,1719PROV_R_PSS_SALTLEN_TOO_SMALL,1720"Should be more than %d, but would be "1721"set to match digest size (%d)",1722prsactx->min_saltlen,1723EVP_MD_get_size(prsactx->md));1724return 0;1725}1726break;1727default:1728if (saltlen >= 0 && saltlen < prsactx->min_saltlen) {1729ERR_raise_data(ERR_LIB_PROV,1730PROV_R_PSS_SALTLEN_TOO_SMALL,1731"Should be more than %d, "1732"but would be set to %d",1733prsactx->min_saltlen, saltlen);1734return 0;1735}1736}1737}1738}17391740p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_MGF1_DIGEST);1741if (p != NULL) {1742const OSSL_PARAM *propsp =1743OSSL_PARAM_locate_const(params,1744OSSL_SIGNATURE_PARAM_MGF1_PROPERTIES);17451746pmgf1mdname = mgf1mdname;1747if (!OSSL_PARAM_get_utf8_string(p, &pmgf1mdname, sizeof(mgf1mdname)))1748return 0;17491750if (propsp != NULL) {1751pmgf1mdprops = mgf1mdprops;1752if (!OSSL_PARAM_get_utf8_string(propsp,1753&pmgf1mdprops, sizeof(mgf1mdprops)))1754return 0;1755}17561757if (pad_mode != RSA_PKCS1_PSS_PADDING) {1758ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_MGF1_MD);1759return 0;1760}1761}17621763prsactx->saltlen = saltlen;1764prsactx->pad_mode = pad_mode;17651766if (prsactx->md == NULL && pmdname == NULL1767&& pad_mode == RSA_PKCS1_PSS_PADDING)1768pmdname = RSA_DEFAULT_DIGEST_NAME;17691770if (pmgf1mdname != NULL1771&& !rsa_setup_mgf1_md(prsactx, pmgf1mdname, pmgf1mdprops))1772return 0;17731774if (pmdname != NULL) {1775if (!rsa_setup_md(prsactx, pmdname, pmdprops, "RSA Sign Set Ctx"))1776return 0;1777} else {1778if (!rsa_check_padding(prsactx, NULL, NULL, prsactx->mdnid))1779return 0;1780}1781return 1;1782}17831784static const OSSL_PARAM settable_ctx_params[] = {1785OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, NULL, 0),1786OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PROPERTIES, NULL, 0),1787OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PAD_MODE, NULL, 0),1788OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_DIGEST, NULL, 0),1789OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_PROPERTIES, NULL, 0),1790OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL, 0),1791OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_SIGNATURE_PARAM_FIPS_KEY_CHECK)1792OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_SIGNATURE_PARAM_FIPS_DIGEST_CHECK)1793OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_SIGNATURE_PARAM_FIPS_RSA_PSS_SALTLEN_CHECK)1794OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_SIGNATURE_PARAM_FIPS_SIGN_X931_PAD_CHECK)1795OSSL_PARAM_END1796};17971798static const OSSL_PARAM settable_ctx_params_no_digest[] = {1799OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PAD_MODE, NULL, 0),1800OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_DIGEST, NULL, 0),1801OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_PROPERTIES, NULL, 0),1802OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL, 0),1803OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_SIGNATURE_PARAM_FIPS_KEY_CHECK)1804OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_SIGNATURE_PARAM_FIPS_DIGEST_CHECK)1805OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_SIGNATURE_PARAM_FIPS_RSA_PSS_SALTLEN_CHECK)1806OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_SIGNATURE_PARAM_FIPS_SIGN_X931_PAD_CHECK)1807OSSL_PARAM_END1808};18091810static const OSSL_PARAM *rsa_settable_ctx_params(void *vprsactx,1811ossl_unused void *provctx)1812{1813PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;18141815if (prsactx != NULL && !prsactx->flag_allow_md)1816return settable_ctx_params_no_digest;1817return settable_ctx_params;1818}18191820static int rsa_get_ctx_md_params(void *vprsactx, OSSL_PARAM *params)1821{1822PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;18231824if (prsactx->mdctx == NULL)1825return 0;18261827return EVP_MD_CTX_get_params(prsactx->mdctx, params);1828}18291830static const OSSL_PARAM *rsa_gettable_ctx_md_params(void *vprsactx)1831{1832PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;18331834if (prsactx->md == NULL)1835return 0;18361837return EVP_MD_gettable_ctx_params(prsactx->md);1838}18391840static int rsa_set_ctx_md_params(void *vprsactx, const OSSL_PARAM params[])1841{1842PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;18431844if (prsactx->mdctx == NULL)1845return 0;18461847return EVP_MD_CTX_set_params(prsactx->mdctx, params);1848}18491850static const OSSL_PARAM *rsa_settable_ctx_md_params(void *vprsactx)1851{1852PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;18531854if (prsactx->md == NULL)1855return 0;18561857return EVP_MD_settable_ctx_params(prsactx->md);1858}18591860const OSSL_DISPATCH ossl_rsa_signature_functions[] = {1861{ OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))rsa_newctx },1862{ OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))rsa_sign_init },1863{ OSSL_FUNC_SIGNATURE_SIGN, (void (*)(void))rsa_sign },1864{ OSSL_FUNC_SIGNATURE_VERIFY_INIT, (void (*)(void))rsa_verify_init },1865{ OSSL_FUNC_SIGNATURE_VERIFY, (void (*)(void))rsa_verify },1866{ OSSL_FUNC_SIGNATURE_VERIFY_RECOVER_INIT,1867(void (*)(void))rsa_verify_recover_init },1868{ OSSL_FUNC_SIGNATURE_VERIFY_RECOVER,1869(void (*)(void))rsa_verify_recover },1870{ OSSL_FUNC_SIGNATURE_DIGEST_SIGN_INIT,1871(void (*)(void))rsa_digest_sign_init },1872{ OSSL_FUNC_SIGNATURE_DIGEST_SIGN_UPDATE,1873(void (*)(void))rsa_digest_sign_update },1874{ OSSL_FUNC_SIGNATURE_DIGEST_SIGN_FINAL,1875(void (*)(void))rsa_digest_sign_final },1876{ OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_INIT,1877(void (*)(void))rsa_digest_verify_init },1878{ OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_UPDATE,1879(void (*)(void))rsa_digest_verify_update },1880{ OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_FINAL,1881(void (*)(void))rsa_digest_verify_final },1882{ OSSL_FUNC_SIGNATURE_FREECTX, (void (*)(void))rsa_freectx },1883{ OSSL_FUNC_SIGNATURE_DUPCTX, (void (*)(void))rsa_dupctx },1884{ OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, (void (*)(void))rsa_get_ctx_params },1885{ OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS,1886(void (*)(void))rsa_gettable_ctx_params },1887{ OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS, (void (*)(void))rsa_set_ctx_params },1888{ OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS,1889(void (*)(void))rsa_settable_ctx_params },1890{ OSSL_FUNC_SIGNATURE_GET_CTX_MD_PARAMS,1891(void (*)(void))rsa_get_ctx_md_params },1892{ OSSL_FUNC_SIGNATURE_GETTABLE_CTX_MD_PARAMS,1893(void (*)(void))rsa_gettable_ctx_md_params },1894{ OSSL_FUNC_SIGNATURE_SET_CTX_MD_PARAMS,1895(void (*)(void))rsa_set_ctx_md_params },1896{ OSSL_FUNC_SIGNATURE_SETTABLE_CTX_MD_PARAMS,1897(void (*)(void))rsa_settable_ctx_md_params },1898OSSL_DISPATCH_END1899};19001901/* ------------------------------------------------------------------ */19021903/*1904* So called sigalgs (composite RSA+hash) implemented below. They1905* are pretty much hard coded, and rely on the hash implementation1906* being available as per what OPENSSL_NO_ macros allow.1907*/19081909static OSSL_FUNC_signature_query_key_types_fn rsa_sigalg_query_key_types;1910static OSSL_FUNC_signature_settable_ctx_params_fn rsa_sigalg_settable_ctx_params;1911static OSSL_FUNC_signature_set_ctx_params_fn rsa_sigalg_set_ctx_params;19121913/*1914* rsa_sigalg_signverify_init() is almost like rsa_digest_signverify_init(),1915* just doesn't allow fetching an MD from whatever the user chooses.1916*/1917static int rsa_sigalg_signverify_init(void *vprsactx, void *vrsa,1918OSSL_FUNC_signature_set_ctx_params_fn *set_ctx_params,1919const OSSL_PARAM params[],1920const char *mdname,1921int operation, int pad_mode,1922const char *desc)1923{1924PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;19251926if (!ossl_prov_is_running())1927return 0;19281929if (!rsa_signverify_init(prsactx, vrsa, set_ctx_params, params, operation,1930desc))1931return 0;19321933/* PSS is currently not supported as a sigalg */1934if (prsactx->pad_mode == RSA_PKCS1_PSS_PADDING) {1935ERR_raise(ERR_LIB_RSA, PROV_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);1936return 0;1937}19381939if (!rsa_setup_md(prsactx, mdname, NULL, desc))1940return 0;19411942prsactx->pad_mode = pad_mode;1943prsactx->flag_sigalg = 1;1944prsactx->flag_allow_md = 0;19451946if (prsactx->mdctx == NULL) {1947prsactx->mdctx = EVP_MD_CTX_new();1948if (prsactx->mdctx == NULL)1949goto error;1950}19511952if (!EVP_DigestInit_ex2(prsactx->mdctx, prsactx->md, params))1953goto error;19541955return 1;19561957error:1958EVP_MD_CTX_free(prsactx->mdctx);1959prsactx->mdctx = NULL;1960return 0;1961}19621963static const char **rsa_sigalg_query_key_types(void)1964{1965static const char *keytypes[] = { "RSA", NULL };19661967return keytypes;1968}19691970static const OSSL_PARAM settable_sigalg_ctx_params[] = {1971OSSL_PARAM_octet_string(OSSL_SIGNATURE_PARAM_SIGNATURE, NULL, 0),1972OSSL_PARAM_END1973};19741975static const OSSL_PARAM *rsa_sigalg_settable_ctx_params(void *vprsactx,1976ossl_unused void *provctx)1977{1978PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;19791980if (prsactx != NULL && prsactx->operation == EVP_PKEY_OP_VERIFYMSG)1981return settable_sigalg_ctx_params;1982return NULL;1983}19841985static int rsa_sigalg_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])1986{1987PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;1988const OSSL_PARAM *p;19891990if (prsactx == NULL)1991return 0;1992if (ossl_param_is_empty(params))1993return 1;19941995if (prsactx->operation == EVP_PKEY_OP_VERIFYMSG) {1996p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_SIGNATURE);1997if (p != NULL) {1998OPENSSL_free(prsactx->sig);1999prsactx->sig = NULL;2000prsactx->siglen = 0;2001if (!OSSL_PARAM_get_octet_string(p, (void **)&prsactx->sig,20020, &prsactx->siglen))2003return 0;2004}2005}2006return 1;2007}20082009#define IMPL_RSA_SIGALG(md, MD) \2010static OSSL_FUNC_signature_sign_init_fn rsa_##md##_sign_init; \2011static OSSL_FUNC_signature_sign_message_init_fn \2012rsa_##md##_sign_message_init; \2013static OSSL_FUNC_signature_verify_init_fn rsa_##md##_verify_init; \2014static OSSL_FUNC_signature_verify_message_init_fn \2015rsa_##md##_verify_message_init; \2016\2017static int \2018rsa_##md##_sign_init(void *vprsactx, void *vrsa, \2019const OSSL_PARAM params[]) \2020{ \2021static const char desc[] = "RSA Sigalg Sign Init"; \2022\2023return rsa_sigalg_signverify_init(vprsactx, vrsa, \2024rsa_sigalg_set_ctx_params, \2025params, #MD, \2026EVP_PKEY_OP_SIGN, \2027RSA_PKCS1_PADDING, \2028desc); \2029} \2030\2031static int \2032rsa_##md##_sign_message_init(void *vprsactx, void *vrsa, \2033const OSSL_PARAM params[]) \2034{ \2035static const char desc[] = "RSA Sigalg Sign Message Init"; \2036\2037return rsa_sigalg_signverify_init(vprsactx, vrsa, \2038rsa_sigalg_set_ctx_params, \2039params, #MD, \2040EVP_PKEY_OP_SIGNMSG, \2041RSA_PKCS1_PADDING, \2042desc); \2043} \2044\2045static int \2046rsa_##md##_verify_init(void *vprsactx, void *vrsa, \2047const OSSL_PARAM params[]) \2048{ \2049static const char desc[] = "RSA Sigalg Verify Init"; \2050\2051return rsa_sigalg_signverify_init(vprsactx, vrsa, \2052rsa_sigalg_set_ctx_params, \2053params, #MD, \2054EVP_PKEY_OP_VERIFY, \2055RSA_PKCS1_PADDING, \2056desc); \2057} \2058\2059static int \2060rsa_##md##_verify_recover_init(void *vprsactx, void *vrsa, \2061const OSSL_PARAM params[]) \2062{ \2063static const char desc[] = "RSA Sigalg Verify Recover Init"; \2064\2065return rsa_sigalg_signverify_init(vprsactx, vrsa, \2066rsa_sigalg_set_ctx_params, \2067params, #MD, \2068EVP_PKEY_OP_VERIFYRECOVER, \2069RSA_PKCS1_PADDING, \2070desc); \2071} \2072\2073static int \2074rsa_##md##_verify_message_init(void *vprsactx, void *vrsa, \2075const OSSL_PARAM params[]) \2076{ \2077static const char desc[] = "RSA Sigalg Verify Message Init"; \2078\2079return rsa_sigalg_signverify_init(vprsactx, vrsa, \2080rsa_sigalg_set_ctx_params, \2081params, #MD, \2082EVP_PKEY_OP_VERIFYMSG, \2083RSA_PKCS1_PADDING, \2084desc); \2085} \2086\2087const OSSL_DISPATCH ossl_rsa_##md##_signature_functions[] = { \2088{ OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))rsa_newctx }, \2089{ OSSL_FUNC_SIGNATURE_SIGN_INIT, \2090(void (*)(void))rsa_##md##_sign_init }, \2091{ OSSL_FUNC_SIGNATURE_SIGN, (void (*)(void))rsa_sign }, \2092{ OSSL_FUNC_SIGNATURE_SIGN_MESSAGE_INIT, \2093(void (*)(void))rsa_##md##_sign_message_init }, \2094{ OSSL_FUNC_SIGNATURE_SIGN_MESSAGE_UPDATE, \2095(void (*)(void))rsa_signverify_message_update }, \2096{ OSSL_FUNC_SIGNATURE_SIGN_MESSAGE_FINAL, \2097(void (*)(void))rsa_sign_message_final }, \2098{ OSSL_FUNC_SIGNATURE_VERIFY_INIT, \2099(void (*)(void))rsa_##md##_verify_init }, \2100{ OSSL_FUNC_SIGNATURE_VERIFY, \2101(void (*)(void))rsa_verify }, \2102{ OSSL_FUNC_SIGNATURE_VERIFY_MESSAGE_INIT, \2103(void (*)(void))rsa_##md##_verify_message_init }, \2104{ OSSL_FUNC_SIGNATURE_VERIFY_MESSAGE_UPDATE, \2105(void (*)(void))rsa_signverify_message_update }, \2106{ OSSL_FUNC_SIGNATURE_VERIFY_MESSAGE_FINAL, \2107(void (*)(void))rsa_verify_message_final }, \2108{ OSSL_FUNC_SIGNATURE_VERIFY_RECOVER_INIT, \2109(void (*)(void))rsa_##md##_verify_recover_init }, \2110{ OSSL_FUNC_SIGNATURE_VERIFY_RECOVER, \2111(void (*)(void))rsa_verify_recover }, \2112{ OSSL_FUNC_SIGNATURE_FREECTX, (void (*)(void))rsa_freectx }, \2113{ OSSL_FUNC_SIGNATURE_DUPCTX, (void (*)(void))rsa_dupctx }, \2114{ OSSL_FUNC_SIGNATURE_QUERY_KEY_TYPES, \2115(void (*)(void))rsa_sigalg_query_key_types }, \2116{ OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, \2117(void (*)(void))rsa_get_ctx_params }, \2118{ OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS, \2119(void (*)(void))rsa_gettable_ctx_params }, \2120{ OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS, \2121(void (*)(void))rsa_sigalg_set_ctx_params }, \2122{ OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS, \2123(void (*)(void))rsa_sigalg_settable_ctx_params }, \2124OSSL_DISPATCH_END \2125}21262127#if !defined(OPENSSL_NO_RMD160) && !defined(FIPS_MODULE)2128IMPL_RSA_SIGALG(ripemd160, RIPEMD160);2129#endif2130IMPL_RSA_SIGALG(sha1, SHA1);2131IMPL_RSA_SIGALG(sha224, SHA2-224);2132IMPL_RSA_SIGALG(sha256, SHA2-256);2133IMPL_RSA_SIGALG(sha384, SHA2-384);2134IMPL_RSA_SIGALG(sha512, SHA2-512);2135IMPL_RSA_SIGALG(sha512_224, SHA2-512/224);2136IMPL_RSA_SIGALG(sha512_256, SHA2-512/256);2137IMPL_RSA_SIGALG(sha3_224, SHA3-224);2138IMPL_RSA_SIGALG(sha3_256, SHA3-256);2139IMPL_RSA_SIGALG(sha3_384, SHA3-384);2140IMPL_RSA_SIGALG(sha3_512, SHA3-512);2141#if !defined(OPENSSL_NO_SM3) && !defined(FIPS_MODULE)2142IMPL_RSA_SIGALG(sm3, SM3);2143#endif214421452146