Strona główna Odkrywaj Pomoc
Zarejestruj się Zaloguj się
Apq
/
winscp
kopia lustrzana https://github.com/winscp/winscp.git
1
0
Forkuj 0
Pliki Problemy 0 Wiki
Gałąź: thirdparty_dev
Gałęzie Tagi
winscp
/
libs
/
openssl
/
providers
/
implementations
/
signature
/
rsa_sig.c

rsa_sig.c 76 KB
Bezpośredni odnośnik Historia Czysty

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463146414651466146714681469147014711472147314741475147614771478147914801481148214831484148514861487148814891490149114921493149414951496149714981499150015011502150315041505150615071508150915101511151215131514151515161517151815191520152115221523152415251526152715281529153015311532153315341535153615371538153915401541154215431544154515461547154815491550155115521553155415551556155715581559156015611562156315641565156615671568156915701571157215731574157515761577157815791580158115821583158415851586158715881589159015911592159315941595159615971598159916001601160216031604160516061607160816091610161116121613161416151616161716181619162016211622162316241625162616271628162916301631163216331634163516361637163816391640164116421643164416451646164716481649165016511652165316541655165616571658165916601661166216631664166516661667166816691670167116721673167416751676167716781679168016811682168316841685168616871688168916901691169216931694169516961697169816991700170117021703170417051706170717081709171017111712171317141715171617171718171917201721172217231724172517261727172817291730173117321733173417351736173717381739174017411742174317441745174617471748174917501751175217531754175517561757175817591760176117621763176417651766176717681769177017711772177317741775177617771778177917801781178217831784178517861787178817891790179117921793179417951796179717981799180018011802180318041805180618071808180918101811181218131814181518161817181818191820182118221823182418251826182718281829183018311832183318341835183618371838183918401841184218431844184518461847184818491850185118521853185418551856185718581859186018611862186318641865186618671868186918701871187218731874187518761877187818791880188118821883188418851886188718881889189018911892189318941895189618971898189919001901190219031904190519061907190819091910191119121913191419151916191719181919192019211922192319241925192619271928192919301931193219331934193519361937193819391940194119421943194419451946194719481949195019511952195319541955195619571958195919601961196219631964196519661967196819691970197119721973197419751976197719781979198019811982198319841985198619871988198919901991199219931994199519961997199819992000200120022003200420052006200720082009201020112012201320142015201620172018201920202021202220232024202520262027202820292030203120322033203420352036203720382039204020412042204320442045204620472048204920502051205220532054205520562057205820592060206120622063206420652066206720682069207020712072207320742075207620772078207920802081208220832084208520862087208820892090209120922093209420952096209720982099210021012102210321042105210621072108210921102111211221132114211521162117211821192120212121222123212421252126212721282129213021312132213321342135213621372138213921402141214221432144 
  1. /*
    2. 

  2.  * Copyright 2019-2025 The OpenSSL Project Authors. All Rights Reserved.
    3. 

  3.  *
    4. 

  4.  * Licensed under the Apache License 2.0 (the "License").  You may not use
    5. 

  5.  * this file except in compliance with the License.  You can obtain a copy
    6. 

  6.  * in the file LICENSE in the source distribution or at
    7. 

  7.  * https://www.openssl.org/source/license.html
    8. 

  8.  */
    9. 

  9. 

  10. /*
    11. 

  11.  * RSA low level APIs are deprecated for public use, but still ok for
    12. 

  12.  * internal use.
    13. 

  13.  */
    14. 

  14. #include "internal/deprecated.h"
    15. 

  15. 

  16. #include <string.h>
    17. 

  17. #include <openssl/crypto.h>
    18. 

  18. #include <openssl/core_dispatch.h>
    19. 

  19. #include <openssl/core_names.h>
    20. 

  20. #include <openssl/err.h>
    21. 

  21. #include <openssl/obj_mac.h>
    22. 

  22. #include <openssl/rsa.h>
    23. 

  23. #include <openssl/params.h>
    24. 

  24. #include <openssl/evp.h>
    25. 

  25. #include <openssl/proverr.h>
    26. 

  26. #include "internal/cryptlib.h"
    27. 

  27. #include "internal/nelem.h"
    28. 

  28. #include "internal/sizes.h"
    29. 

  29. #include "crypto/rsa.h"
    30. 

  30. #include "prov/providercommon.h"
    31. 

  31. #include "prov/implementations.h"
    32. 

  32. #include "prov/provider_ctx.h"
    33. 

  33. #include "prov/der_rsa.h"
    34. 

  34. #include "prov/securitycheck.h"
    35. 

  35. 

  36. #define RSA_DEFAULT_DIGEST_NAME OSSL_DIGEST_NAME_SHA1
    37. 

  37. 

  38. static OSSL_FUNC_signature_newctx_fn rsa_newctx;
    39. 

  39. static OSSL_FUNC_signature_sign_init_fn rsa_sign_init;
    40. 

  40. static OSSL_FUNC_signature_verify_init_fn rsa_verify_init;
    41. 

  41. static OSSL_FUNC_signature_verify_recover_init_fn rsa_verify_recover_init;
    42. 

  42. static OSSL_FUNC_signature_sign_fn rsa_sign;
    43. 

  43. static OSSL_FUNC_signature_sign_message_update_fn rsa_signverify_message_update;
    44. 

  44. static OSSL_FUNC_signature_sign_message_final_fn rsa_sign_message_final;
    45. 

  45. static OSSL_FUNC_signature_verify_fn rsa_verify;
    46. 

  46. static OSSL_FUNC_signature_verify_recover_fn rsa_verify_recover;
    47. 

  47. static OSSL_FUNC_signature_verify_message_update_fn rsa_signverify_message_update;
    48. 

  48. static OSSL_FUNC_signature_verify_message_final_fn rsa_verify_message_final;
    49. 

  49. static OSSL_FUNC_signature_digest_sign_init_fn rsa_digest_sign_init;
    50. 

  50. static OSSL_FUNC_signature_digest_sign_update_fn rsa_digest_sign_update;
    51. 

  51. static OSSL_FUNC_signature_digest_sign_final_fn rsa_digest_sign_final;
    52. 

  52. static OSSL_FUNC_signature_digest_verify_init_fn rsa_digest_verify_init;
    53. 

  53. static OSSL_FUNC_signature_digest_verify_update_fn rsa_digest_verify_update;
    54. 

  54. static OSSL_FUNC_signature_digest_verify_final_fn rsa_digest_verify_final;
    55. 

  55. static OSSL_FUNC_signature_freectx_fn rsa_freectx;
    56. 

  56. static OSSL_FUNC_signature_dupctx_fn rsa_dupctx;
    57. 

  57. static OSSL_FUNC_signature_query_key_types_fn rsa_sigalg_query_key_types;
    58. 

  58. static OSSL_FUNC_signature_get_ctx_params_fn rsa_get_ctx_params;
    59. 

  59. static OSSL_FUNC_signature_gettable_ctx_params_fn rsa_gettable_ctx_params;
    60. 

  60. static OSSL_FUNC_signature_set_ctx_params_fn rsa_set_ctx_params;
    61. 

  61. static OSSL_FUNC_signature_settable_ctx_params_fn rsa_settable_ctx_params;
    62. 

  62. static OSSL_FUNC_signature_get_ctx_md_params_fn rsa_get_ctx_md_params;
    63. 

  63. static OSSL_FUNC_signature_gettable_ctx_md_params_fn rsa_gettable_ctx_md_params;
    64. 

  64. static OSSL_FUNC_signature_set_ctx_md_params_fn rsa_set_ctx_md_params;
    65. 

  65. static OSSL_FUNC_signature_settable_ctx_md_params_fn rsa_settable_ctx_md_params;
    66. 

  66. static OSSL_FUNC_signature_set_ctx_params_fn rsa_sigalg_set_ctx_params;
    67. 

  67. static OSSL_FUNC_signature_settable_ctx_params_fn rsa_sigalg_settable_ctx_params;
    68. 

  68. 

  69. static OSSL_ITEM padding_item[] = {
    70. 

  70.     { RSA_PKCS1_PADDING,        OSSL_PKEY_RSA_PAD_MODE_PKCSV15 },
    71. 

  71.     { RSA_NO_PADDING,           OSSL_PKEY_RSA_PAD_MODE_NONE },
    72. 

  72.     { RSA_X931_PADDING,         OSSL_PKEY_RSA_PAD_MODE_X931 },
    73. 

  73.     { RSA_PKCS1_PSS_PADDING,    OSSL_PKEY_RSA_PAD_MODE_PSS },
    74. 

  74.     { 0,                        NULL     }
    75. 

  75. };
    76. 

  76. 

  77. /*
    78. 

  78.  * What's passed as an actual key is defined by the KEYMGMT interface.
    79. 

  79.  * We happen to know that our KEYMGMT simply passes RSA structures, so
    80. 

  80.  * we use that here too.
    81. 

  81.  */
    82. 

  82. 

  83. typedef struct {
    84. 

  84.     OSSL_LIB_CTX *libctx;
    85. 

  85.     char *propq;
    86. 

  86.     RSA *rsa;
    87. 

  87.     int operation;
    88. 

  88. 

  89.     /*
    90. 

  90.      * Flag to determine if a full sigalg is run (1) or if a composable
    91. 

  91.      * signature algorithm is run (0).
    92. 

  92.      *
    93. 

  93.      * When a full sigalg is run (1), this currently affects the following
    94. 

  94.      * other flags, which are to remain untouched after their initialization:
    95. 

  95.      *
    96. 

  96.      * - flag_allow_md (initialized to 0)
    97. 

  97.      */
    98. 

  98.     unsigned int flag_sigalg : 1;
    99. 

  99.     /*
    100. 

  100.      * Flag to determine if the hash function can be changed (1) or not (0)
    101. 

  101.      * Because it's dangerous to change during a DigestSign or DigestVerify
    102. 

  102.      * operation, this flag is cleared by their Init function, and set again
    103. 

  103.      * by their Final function.
    104. 

  104.      * Implementations of full sigalgs (such as RSA-SHA256) hard-code this
    105. 

  105.      * flag to not allow changes (0).
    106. 

  106.      */
    107. 

  107.     unsigned int flag_allow_md : 1;
    108. 

  108.     unsigned int mgf1_md_set : 1;
    109. 

  109.     /*
    110. 

  110.      * Flags to say what are the possible next external calls in what
    111. 

  111.      * consitutes the life cycle of an algorithm.  The relevant calls are:
    112. 

  112.      * - init
    113. 

  113.      * - update
    114. 

  114.      * - final
    115. 

  115.      * - oneshot
    116. 

  116.      * All other external calls are regarded as utilitarian and are allowed
    117. 

  117.      * at any time (they may be affected by other flags, like flag_allow_md,
    118. 

  118.      * though).
    119. 

  119.      */
    120. 

  120.     unsigned int flag_allow_update : 1;
    121. 

  121.     unsigned int flag_allow_final : 1;
    122. 

  122.     unsigned int flag_allow_oneshot : 1;
    123. 

  123. 

  124.     /* main digest */
    125. 

  125.     EVP_MD *md;
    126. 

  126.     EVP_MD_CTX *mdctx;
    127. 

  127.     int mdnid;
    128. 

  128.     char mdname[OSSL_MAX_NAME_SIZE]; /* Purely informational */
    129. 

  129. 

  130.     /* RSA padding mode */
    131. 

  131.     int pad_mode;
    132. 

  132.     /* message digest for MGF1 */
    133. 

  133.     EVP_MD *mgf1_md;
    134. 

  134.     int mgf1_mdnid;
    135. 

  135.     char mgf1_mdname[OSSL_MAX_NAME_SIZE]; /* Purely informational */
    136. 

  136.     /* PSS salt length */
    137. 

  137.     int saltlen;
    138. 

  138.     /* Minimum salt length or -1 if no PSS parameter restriction */
    139. 

  139.     int min_saltlen;
    140. 

  140. 

  141.     /* Signature, for verification */
    142. 

  142.     unsigned char *sig;
    143. 

  143.     size_t siglen;
    144. 

  144. 

  145. #ifdef FIPS_MODULE
    146. 

  146.     /*
    147. 

  147.      * FIPS 140-3 IG 2.4.B mandates that verification based on a digest of a
    148. 

  148.      * message is not permitted.  However, signing based on a digest is still
    149. 

  149.      * permitted.
    150. 

  150.      */
    151. 

  151.     int verify_message;
    152. 

  152. #endif
    153. 

  153. 

  154.     /* Temp buffer */
    155. 

  155.     unsigned char *tbuf;
    156. 

  156. 

  157.     OSSL_FIPS_IND_DECLARE
    158. 

  158. } PROV_RSA_CTX;
    159. 

  159. 

  160. /* True if PSS parameters are restricted */
    161. 

  161. #define rsa_pss_restricted(prsactx) (prsactx->min_saltlen != -1)
    162. 

  162. 

  163. static size_t rsa_get_md_size(const PROV_RSA_CTX *prsactx)
    164. 

  164. {
    165. 

  165.     int md_size;
    166. 

  166. 

  167.     if (prsactx->md != NULL) {
    168. 

  168.         md_size = EVP_MD_get_size(prsactx->md);
    169. 

  169.         if (md_size <= 0)
    170. 

  170.             return 0;
    171. 

  171.         return md_size;
    172. 

  172.     }
    173. 

  173.     return 0;
    174. 

  174. }
    175. 

  175. 

  176. static int rsa_check_padding(const PROV_RSA_CTX *prsactx,
    177. 

  177.                              const char *mdname, const char *mgf1_mdname,
    178. 

  178.                              int mdnid)
    179. 

  179. {
    180. 

  180.     switch (prsactx->pad_mode) {
    181. 

  181.     case RSA_NO_PADDING:
    182. 

  182.         if (mdname != NULL || mdnid != NID_undef) {
    183. 

  183.             ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE);
    184. 

  184.             return 0;
    185. 

  185.         }
    186. 

  186.         break;
    187. 

  187.     case RSA_X931_PADDING:
    188. 

  188.         if (RSA_X931_hash_id(mdnid) == -1) {
    189. 

  189.             ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_X931_DIGEST);
    190. 

  190.             return 0;
    191. 

  191.         }
    192. 

  192.         break;
    193. 

  193.     case RSA_PKCS1_PSS_PADDING:
    194. 

  194.         if (rsa_pss_restricted(prsactx))
    195. 

  195.             if ((mdname != NULL && !EVP_MD_is_a(prsactx->md, mdname))
    196. 

  196.                 || (mgf1_mdname != NULL
    197. 

  197.                     && !EVP_MD_is_a(prsactx->mgf1_md, mgf1_mdname))) {
    198. 

  198.                 ERR_raise(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED);
    199. 

  199.                 return 0;
    200. 

  200.             }
    201. 

  201.         break;
    202. 

  202.     default:
    203. 

  203.         break;
    204. 

  204.     }
    205. 

  205. 

  206.     return 1;
    207. 

  207. }
    208. 

  208. 

  209. static int rsa_check_parameters(PROV_RSA_CTX *prsactx, int min_saltlen)
    210. 

  210. {
    211. 

  211.     if (prsactx->pad_mode == RSA_PKCS1_PSS_PADDING) {
    212. 

  212.         int max_saltlen;
    213. 

  213. 

  214.         /* See if minimum salt length exceeds maximum possible */
    215. 

  215.         max_saltlen = RSA_size(prsactx->rsa) - EVP_MD_get_size(prsactx->md);
    216. 

  216.         if ((RSA_bits(prsactx->rsa) & 0x7) == 1)
    217. 

  217.             max_saltlen--;
    218. 

  218.         if (min_saltlen < 0 || min_saltlen > max_saltlen) {
    219. 

  219.             ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH);
    220. 

  220.             return 0;
    221. 

  221.         }
    222. 

  222.         prsactx->min_saltlen = min_saltlen;
    223. 

  223.     }
    224. 

  224.     return 1;
    225. 

  225. }
    226. 

  226. 

  227. static void *rsa_newctx(void *provctx, const char *propq)
    228. 

  228. {
    229. 

  229.     PROV_RSA_CTX *prsactx = NULL;
    230. 

  230.     char *propq_copy = NULL;
    231. 

  231. 

  232.     if (!ossl_prov_is_running())
    233. 

  233.         return NULL;
    234. 

  234. 

  235.     if ((prsactx = OPENSSL_zalloc(sizeof(PROV_RSA_CTX))) == NULL
    236. 

  236.         || (propq != NULL
    237. 

  237.             && (propq_copy = OPENSSL_strdup(propq)) == NULL)) {
    238. 

  238.         OPENSSL_free(prsactx);
    239. 

  239.         return NULL;
    240. 

  240.     }
    241. 

  241. 

  242.     OSSL_FIPS_IND_INIT(prsactx)
    243. 

  243.     prsactx->libctx = PROV_LIBCTX_OF(provctx);
    244. 

  244.     prsactx->flag_allow_md = 1;
    245. 

  245. #ifdef FIPS_MODULE
    246. 

  246.     prsactx->verify_message = 1;
    247. 

  247. #endif
    248. 

  248.     prsactx->propq = propq_copy;
    249. 

  249.     /* Maximum up to digest length for sign, auto for verify */
    250. 

  250.     prsactx->saltlen = RSA_PSS_SALTLEN_AUTO_DIGEST_MAX;
    251. 

  251.     prsactx->min_saltlen = -1;
    252. 

  252.     return prsactx;
    253. 

  253. }
    254. 

  254. 

  255. static int rsa_pss_compute_saltlen(PROV_RSA_CTX *ctx)
    256. 

  256. {
    257. 

  257.     int saltlen = ctx->saltlen;
    258. 

  258.     int saltlenMax = -1;
    259. 

  259. 

  260.     /* FIPS 186-4 section 5 "The RSA Digital Signature Algorithm", subsection
    261. 

  261.      * 5.5 "PKCS #1" says: "For RSASSA-PSS […] the length (in bytes) of the
    262. 

  262.      * salt (sLen) shall satisfy 0 <= sLen <= hLen, where hLen is the length of
    263. 

  263.      * the hash function output block (in bytes)."
    264. 

  264.      *
    265. 

  265.      * Provide a way to use at most the digest length, so that the default does
    266. 

  266.      * not violate FIPS 186-4. */
    267. 

  267.     if (saltlen == RSA_PSS_SALTLEN_DIGEST) {
    268. 

  268.         if ((saltlen = EVP_MD_get_size(ctx->md)) <= 0) {
    269. 

  269.             ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST);
    270. 

  270.             return -1;
    271. 

  271.         }
    272. 

  272.     } else if (saltlen == RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) {
    273. 

  273.         saltlen = RSA_PSS_SALTLEN_MAX;
    274. 

  274.         if ((saltlenMax = EVP_MD_get_size(ctx->md)) <= 0) {
    275. 

  275.             ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST);
    276. 

  276.             return -1;
    277. 

  277.         }
    278. 

  278.     }
    279. 

  279.     if (saltlen == RSA_PSS_SALTLEN_MAX || saltlen == RSA_PSS_SALTLEN_AUTO) {
    280. 

  280.         int mdsize, rsasize;
    281. 

  281. 

  282.         if ((mdsize = EVP_MD_get_size(ctx->md)) <= 0) {
    283. 

  283.             ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST);
    284. 

  284.             return -1;
    285. 

  285.         }
    286. 

  286.         if ((rsasize = RSA_size(ctx->rsa)) <= 2 || rsasize - 2 < mdsize) {
    287. 

  287.             ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY);
    288. 

  288.             return -1;
    289. 

  289.         }
    290. 

  290.         saltlen = rsasize - mdsize - 2;
    291. 

  291.         if ((RSA_bits(ctx->rsa) & 0x7) == 1)
    292. 

  292.             saltlen--;
    293. 

  293.         if (saltlenMax >= 0 && saltlen > saltlenMax)
    294. 

  294.             saltlen = saltlenMax;
    295. 

  295.     }
    296. 

  296.     if (saltlen < 0) {
    297. 

  297.         ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);
    298. 

  298.         return -1;
    299. 

  299.     } else if (saltlen < ctx->min_saltlen) {
    300. 

  300.         ERR_raise_data(ERR_LIB_PROV, PROV_R_PSS_SALTLEN_TOO_SMALL,
    301. 

  301.                        "minimum salt length: %d, actual salt length: %d",
    302. 

  302.                        ctx->min_saltlen, saltlen);
    303. 

  303.         return -1;
    304. 

  304.     }
    305. 

  305.     return saltlen;
    306. 

  306. }
    307. 

  307. 

  308. static unsigned char *rsa_generate_signature_aid(PROV_RSA_CTX *ctx,
    309. 

  309.                                                  unsigned char *aid_buf,
    310. 

  310.                                                  size_t buf_len,
    311. 

  311.                                                  size_t *aid_len)
    312. 

  312. {
    313. 

  313.     WPACKET pkt;
    314. 

  314.     unsigned char *aid = NULL;
    315. 

  315.     int saltlen;
    316. 

  316.     RSA_PSS_PARAMS_30 pss_params;
    317. 

  317.     int ret;
    318. 

  318. 

  319.     if (!WPACKET_init_der(&pkt, aid_buf, buf_len)) {
    320. 

  320.         ERR_raise(ERR_LIB_PROV, ERR_R_CRYPTO_LIB);
    321. 

  321.         return NULL;
    322. 

  322.     }
    323. 

  323. 

  324.     switch (ctx->pad_mode) {
    325. 

  325.     case RSA_PKCS1_PADDING:
    326. 

  326.         ret = ossl_DER_w_algorithmIdentifier_MDWithRSAEncryption(&pkt, -1,
    327. 

  327.                                                                  ctx->mdnid);
    328. 

  328. 

  329.         if (ret > 0) {
    330. 

  330.             break;
    331. 

  331.         } else if (ret == 0) {
    332. 

  332.             ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);
    333. 

  333.             goto cleanup;
    334. 

  334.         }
    335. 

  335.         ERR_raise_data(ERR_LIB_PROV, ERR_R_UNSUPPORTED,
    336. 

  336.                        "Algorithm ID generation - md NID: %d",
    337. 

  337.                        ctx->mdnid);
    338. 

  338.         goto cleanup;
    339. 

  339.     case RSA_PKCS1_PSS_PADDING:
    340. 

  340.         saltlen = rsa_pss_compute_saltlen(ctx);
    341. 

  341.         if (saltlen < 0)
    342. 

  342.             goto cleanup;
    343. 

  343.         if (!ossl_rsa_pss_params_30_set_defaults(&pss_params)
    344. 

  344.             || !ossl_rsa_pss_params_30_set_hashalg(&pss_params, ctx->mdnid)
    345. 

  345.             || !ossl_rsa_pss_params_30_set_maskgenhashalg(&pss_params,
    346. 

  346.                                                           ctx->mgf1_mdnid)
    347. 

  347.             || !ossl_rsa_pss_params_30_set_saltlen(&pss_params, saltlen)
    348. 

  348.             || !ossl_DER_w_algorithmIdentifier_RSA_PSS(&pkt, -1,
    349. 

  349.                                                        RSA_FLAG_TYPE_RSASSAPSS,
    350. 

  350.                                                        &pss_params)) {
    351. 

  351.             ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);
    352. 

  352.             goto cleanup;
    353. 

  353.         }
    354. 

  354.         break;
    355. 

  355.     default:
    356. 

  356.         ERR_raise_data(ERR_LIB_PROV, ERR_R_UNSUPPORTED,
    357. 

  357.                        "Algorithm ID generation - pad mode: %d",
    358. 

  358.                        ctx->pad_mode);
    359. 

  359.         goto cleanup;
    360. 

  360.     }
    361. 

  361.     if (WPACKET_finish(&pkt)) {
    362. 

  362.         WPACKET_get_total_written(&pkt, aid_len);
    363. 

  363.         aid = WPACKET_get_curr(&pkt);
    364. 

  364.     }
    365. 

  365.  cleanup:
    366. 

  366.     WPACKET_cleanup(&pkt);
    367. 

  367.     return aid;
    368. 

  368. }
    369. 

  369. 

  370. static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname,
    371. 

  371.                         const char *mdprops, const char *desc)
    372. 

  372. {
    373. 

  373.     EVP_MD *md = NULL;
    374. 

  374. 

  375.     if (mdprops == NULL)
    376. 

  376.         mdprops = ctx->propq;
    377. 

  377. 

  378.     if (mdname != NULL) {
    379. 

  379.         int md_nid;
    380. 

  380.         size_t mdname_len = strlen(mdname);
    381. 

  381. 

  382.         md = EVP_MD_fetch(ctx->libctx, mdname, mdprops);
    383. 

  383. 

  384.         if (md == NULL) {
    385. 

  385.             ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
    386. 

  386.                            "%s could not be fetched", mdname);
    387. 

  387.             goto err;
    388. 

  388.         }
    389. 

  389.         md_nid = ossl_digest_rsa_sign_get_md_nid(md);
    390. 

  390.         if (md_nid == NID_undef) {
    391. 

  391.             ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED,
    392. 

  392.                            "digest=%s", mdname);
    393. 

  393.             goto err;
    394. 

  394.         }
    395. 

  395.         /*
    396. 

  396.          * XOF digests are not allowed except for RSA PSS.
    397. 

  397.          * We don't support XOF digests with RSA PSS (yet), so just fail.
    398. 

  398.          * When we do support them, uncomment the second clause.
    399. 

  399.          */
    400. 

  400.         if (EVP_MD_xof(md)
    401. 

  401.                 /* && ctx->pad_mode != RSA_PKCS1_PSS_PADDING */) {
    402. 

  402.             ERR_raise(ERR_LIB_PROV, PROV_R_XOF_DIGESTS_NOT_ALLOWED);
    403. 

  403.             goto err;
    404. 

  404.         }
    405. 

  405. #ifdef FIPS_MODULE
    406. 

  406.         {
    407. 

  407.             int sha1_allowed
    408. 

  408.                 = ((ctx->operation
    409. 

  409.                     & (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_SIGNMSG)) == 0);
    410. 

  410. 

  411.             if (!ossl_fips_ind_digest_sign_check(OSSL_FIPS_IND_GET(ctx),
    412. 

  412.                                                  OSSL_FIPS_IND_SETTABLE1,
    413. 

  413.                                                  ctx->libctx,
    414. 

  414.                                                  md_nid, sha1_allowed, 1, desc,
    415. 

  415.                                                  ossl_fips_config_signature_digest_check))
    416. 

  416.                 goto err;
    417. 

  417.         }
    418. 

  418. #endif
    419. 

  419. 

  420.         if (!rsa_check_padding(ctx, mdname, NULL, md_nid))
    421. 

  421.             goto err;
    422. 

  422.         if (mdname_len >= sizeof(ctx->mdname)) {
    423. 

  423.             ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
    424. 

  424.                            "%s exceeds name buffer length", mdname);
    425. 

  425.             goto err;
    426. 

  426.         }
    427. 

  427. 

  428.         if (!ctx->flag_allow_md) {
    429. 

  429.             if (ctx->mdname[0] != '\0' && !EVP_MD_is_a(md, ctx->mdname)) {
    430. 

  430.                 ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED,
    431. 

  431.                                "digest %s != %s", mdname, ctx->mdname);
    432. 

  432.                 goto err;
    433. 

  433.             }
    434. 

  434.             EVP_MD_free(md);
    435. 

  435.             return 1;
    436. 

  436.         }
    437. 

  437. 

  438.         if (!ctx->mgf1_md_set) {
    439. 

  439.             if (!EVP_MD_up_ref(md)) {
    440. 

  440.                 goto err;
    441. 

  441.             }
    442. 

  442.             EVP_MD_free(ctx->mgf1_md);
    443. 

  443.             ctx->mgf1_md = md;
    444. 

  444.             ctx->mgf1_mdnid = md_nid;
    445. 

  445.             OPENSSL_strlcpy(ctx->mgf1_mdname, mdname, sizeof(ctx->mgf1_mdname));
    446. 

  446.         }
    447. 

  447. 

  448.         EVP_MD_CTX_free(ctx->mdctx);
    449. 

  449.         EVP_MD_free(ctx->md);
    450. 

  450. 

  451.         ctx->mdctx = NULL;
    452. 

  452.         ctx->md = md;
    453. 

  453.         ctx->mdnid = md_nid;
    454. 

  454.         OPENSSL_strlcpy(ctx->mdname, mdname, sizeof(ctx->mdname));
    455. 

  455.     }
    456. 

  456. 

  457.     return 1;
    458. 

  458. err:
    459. 

  459.     EVP_MD_free(md);
    460. 

  460.     return 0;
    461. 

  461. }
    462. 

  462. 

  463. static int rsa_setup_mgf1_md(PROV_RSA_CTX *ctx, const char *mdname,
    464. 

  464.                              const char *mdprops)
    465. 

  465. {
    466. 

  466.     size_t len;
    467. 

  467.     EVP_MD *md = NULL;
    468. 

  468.     int mdnid;
    469. 

  469. 

  470.     if (mdprops == NULL)
    471. 

  471.         mdprops = ctx->propq;
    472. 

  472. 

  473.     if ((md = EVP_MD_fetch(ctx->libctx, mdname, mdprops)) == NULL) {
    474. 

  474.         ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
    475. 

  475.                        "%s could not be fetched", mdname);
    476. 

  476.         return 0;
    477. 

  477.     }
    478. 

  478.     /* The default for mgf1 is SHA1 - so allow SHA1 */
    479. 

  479.     if ((mdnid = ossl_digest_rsa_sign_get_md_nid(md)) <= 0
    480. 

  480.         || !rsa_check_padding(ctx, NULL, mdname, mdnid)) {
    481. 

  481.         if (mdnid <= 0)
    482. 

  482.             ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED,
    483. 

  483.                            "digest=%s", mdname);
    484. 

  484.         EVP_MD_free(md);
    485. 

  485.         return 0;
    486. 

  486.     }
    487. 

  487.     len = OPENSSL_strlcpy(ctx->mgf1_mdname, mdname, sizeof(ctx->mgf1_mdname));
    488. 

  488.     if (len >= sizeof(ctx->mgf1_mdname)) {
    489. 

  489.         ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
    490. 

  490.                        "%s exceeds name buffer length", mdname);
    491. 

  491.         EVP_MD_free(md);
    492. 

  492.         return 0;
    493. 

  493.     }
    494. 

  494. 

  495.     EVP_MD_free(ctx->mgf1_md);
    496. 

  496.     ctx->mgf1_md = md;
    497. 

  497.     ctx->mgf1_mdnid = mdnid;
    498. 

  498.     ctx->mgf1_md_set = 1;
    499. 

  499.     return 1;
    500. 

  500. }
    501. 

  501. 

  502. static int
    503. 

  503. rsa_signverify_init(PROV_RSA_CTX *prsactx, void *vrsa,
    504. 

  504.                     OSSL_FUNC_signature_set_ctx_params_fn *set_ctx_params,
    505. 

  505.                     const OSSL_PARAM params[], int operation,
    506. 

  506.                     const char *desc)
    507. 

  507. {
    508. 

  508.     int protect;
    509. 

  509. 

  510.     if (!ossl_prov_is_running() || prsactx == NULL)
    511. 

  511.         return 0;
    512. 

  512. 

  513.     if (vrsa == NULL && prsactx->rsa == NULL) {
    514. 

  514.         ERR_raise(ERR_LIB_PROV, PROV_R_NO_KEY_SET);
    515. 

  515.         return 0;
    516. 

  516.     }
    517. 

  517. 

  518.     if (vrsa != NULL) {
    519. 

  519.         if (!RSA_up_ref(vrsa))
    520. 

  520.             return 0;
    521. 

  521.         RSA_free(prsactx->rsa);
    522. 

  522.         prsactx->rsa = vrsa;
    523. 

  523.     }
    524. 

  524.     if (!ossl_rsa_key_op_get_protect(prsactx->rsa, operation, &protect))
    525. 

  525.         return 0;
    526. 

  526. 

  527.     prsactx->operation = operation;
    528. 

  528.     prsactx->flag_allow_update = 1;
    529. 

  529.     prsactx->flag_allow_final = 1;
    530. 

  530.     prsactx->flag_allow_oneshot = 1;
    531. 

  531. 

  532.     /* Maximize up to digest length for sign, auto for verify */
    533. 

  533.     prsactx->saltlen = RSA_PSS_SALTLEN_AUTO_DIGEST_MAX;
    534. 

  534.     prsactx->min_saltlen = -1;
    535. 

  535. 

  536.     switch (RSA_test_flags(prsactx->rsa, RSA_FLAG_TYPE_MASK)) {
    537. 

  537.     case RSA_FLAG_TYPE_RSA:
    538. 

  538.         prsactx->pad_mode = RSA_PKCS1_PADDING;
    539. 

  539.         break;
    540. 

  540.     case RSA_FLAG_TYPE_RSASSAPSS:
    541. 

  541.         prsactx->pad_mode = RSA_PKCS1_PSS_PADDING;
    542. 

  542. 

  543.         {
    544. 

  544.             const RSA_PSS_PARAMS_30 *pss =
    545. 

  545.                 ossl_rsa_get0_pss_params_30(prsactx->rsa);
    546. 

  546. 

  547.             if (!ossl_rsa_pss_params_30_is_unrestricted(pss)) {
    548. 

  548.                 int md_nid = ossl_rsa_pss_params_30_hashalg(pss);
    549. 

  549.                 int mgf1md_nid = ossl_rsa_pss_params_30_maskgenhashalg(pss);
    550. 

  550.                 int min_saltlen = ossl_rsa_pss_params_30_saltlen(pss);
    551. 

  551.                 const char *mdname, *mgf1mdname;
    552. 

  552.                 size_t len;
    553. 

  553. 

  554.                 mdname = ossl_rsa_oaeppss_nid2name(md_nid);
    555. 

  555.                 mgf1mdname = ossl_rsa_oaeppss_nid2name(mgf1md_nid);
    556. 

  556. 

  557.                 if (mdname == NULL) {
    558. 

  558.                     ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
    559. 

  559.                                    "PSS restrictions lack hash algorithm");
    560. 

  560.                     return 0;
    561. 

  561.                 }
    562. 

  562.                 if (mgf1mdname == NULL) {
    563. 

  563.                     ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
    564. 

  564.                                    "PSS restrictions lack MGF1 hash algorithm");
    565. 

  565.                     return 0;
    566. 

  566.                 }
    567. 

  567. 

  568.                 len = OPENSSL_strlcpy(prsactx->mdname, mdname,
    569. 

  569.                                       sizeof(prsactx->mdname));
    570. 

  570.                 if (len >= sizeof(prsactx->mdname)) {
    571. 

  571.                     ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
    572. 

  572.                                    "hash algorithm name too long");
    573. 

  573.                     return 0;
    574. 

  574.                 }
    575. 

  575.                 len = OPENSSL_strlcpy(prsactx->mgf1_mdname, mgf1mdname,
    576. 

  576.                                       sizeof(prsactx->mgf1_mdname));
    577. 

  577.                 if (len >= sizeof(prsactx->mgf1_mdname)) {
    578. 

  578.                     ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
    579. 

  579.                                    "MGF1 hash algorithm name too long");
    580. 

  580.                     return 0;
    581. 

  581.                 }
    582. 

  582.                 prsactx->saltlen = min_saltlen;
    583. 

  583. 

  584.                 /* call rsa_setup_mgf1_md before rsa_setup_md to avoid duplication */
    585. 

  585.                 if (!rsa_setup_mgf1_md(prsactx, mgf1mdname, prsactx->propq)
    586. 

  586.                     || !rsa_setup_md(prsactx, mdname, prsactx->propq, desc)
    587. 

  587.                     || !rsa_check_parameters(prsactx, min_saltlen))
    588. 

  588.                     return 0;
    589. 

  589.             }
    590. 

  590.         }
    591. 

  591. 

  592.         break;
    593. 

  593.     default:
    594. 

  594.         ERR_raise(ERR_LIB_RSA, PROV_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
    595. 

  595.         return 0;
    596. 

  596.     }
    597. 

  597. 

  598.     OSSL_FIPS_IND_SET_APPROVED(prsactx)
    599. 

  599.     if (!set_ctx_params(prsactx, params))
    600. 

  600.         return 0;
    601. 

  601. #ifdef FIPS_MODULE
    602. 

  602.     if (!ossl_fips_ind_rsa_key_check(OSSL_FIPS_IND_GET(prsactx),
    603. 

  603.                                      OSSL_FIPS_IND_SETTABLE0, prsactx->libctx,
    604. 

  604.                                      prsactx->rsa, desc, protect))
    605. 

  605.         return 0;
    606. 

  606. #endif
    607. 

  607.     return 1;
    608. 

  608. }
    609. 

  609. 

  610. static int setup_tbuf(PROV_RSA_CTX *ctx)
    611. 

  611. {
    612. 

  612.     if (ctx->tbuf != NULL)
    613. 

  613.         return 1;
    614. 

  614.     if ((ctx->tbuf = OPENSSL_malloc(RSA_size(ctx->rsa))) == NULL)
    615. 

  615.         return 0;
    616. 

  616.     return 1;
    617. 

  617. }
    618. 

  618. 

  619. static void clean_tbuf(PROV_RSA_CTX *ctx)
    620. 

  620. {
    621. 

  621.     if (ctx->tbuf != NULL)
    622. 

  622.         OPENSSL_cleanse(ctx->tbuf, RSA_size(ctx->rsa));
    623. 

  623. }
    624. 

  624. 

  625. static void free_tbuf(PROV_RSA_CTX *ctx)
    626. 

  626. {
    627. 

  627.     clean_tbuf(ctx);
    628. 

  628.     OPENSSL_free(ctx->tbuf);
    629. 

  629.     ctx->tbuf = NULL;
    630. 

  630. }
    631. 

  631. 

  632. #ifdef FIPS_MODULE
    633. 

  633. static int rsa_pss_saltlen_check_passed(PROV_RSA_CTX *ctx, const char *algoname, int saltlen)
    634. 

  634. {
    635. 

  635.     int mdsize = rsa_get_md_size(ctx);
    636. 

  636.     /*
    637. 

  637.      * Perform the check if the salt length is compliant to FIPS 186-5.
    638. 

  638.      *
    639. 

  639.      * According to FIPS 186-5 5.4 (g), the salt length shall be between zero
    640. 

  640.      * and the output block length of the digest function (inclusive).
    641. 

  641.      */
    642. 

  642.     int approved = (saltlen >= 0 && saltlen <= mdsize);
    643. 

  643. 

  644.     if (!approved) {
    645. 

  645.         if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE3,
    646. 

  646.                                          ctx->libctx,
    647. 

  647.                                          algoname, "PSS Salt Length",
    648. 

  648.                                          ossl_fips_config_rsa_pss_saltlen_check)) {
    649. 

  649.             ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH);
    650. 

  650.             return 0;
    651. 

  651.         }
    652. 

  652.     }
    653. 

  653. 

  654.     return 1;
    655. 

  655. }
    656. 

  656. #endif
    657. 

  657. 

  658. static int rsa_sign_init(void *vprsactx, void *vrsa, const OSSL_PARAM params[])
    659. 

  659. {
    660. 

  660.     PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
    661. 

  661. 

  662. #ifdef FIPS_MODULE
    663. 

  663.     if (prsactx != NULL)
    664. 

  664.         prsactx->verify_message = 1;
    665. 

  665. #endif
    666. 

  666. 

  667.     return rsa_signverify_init(prsactx, vrsa, rsa_set_ctx_params, params,
    668. 

  668.                                EVP_PKEY_OP_SIGN, "RSA Sign Init");
    669. 

  669. }
    670. 

  670. 

  671. /*
    672. 

  672.  * Sign tbs without digesting it first.  This is suitable for "primitive"
    673. 

  673.  * signing and signing the digest of a message, i.e. should be used with
    674. 

  674.  * implementations of the keytype related algorithms.
    675. 

  675.  */
    676. 

  676. static int rsa_sign_directly(PROV_RSA_CTX *prsactx,
    677. 

  677.                              unsigned char *sig, size_t *siglen, size_t sigsize,
    678. 

  678.                              const unsigned char *tbs, size_t tbslen)
    679. 

  679. {
    680. 

  680.     int ret;
    681. 

  681.     size_t rsasize = RSA_size(prsactx->rsa);
    682. 

  682.     size_t mdsize = rsa_get_md_size(prsactx);
    683. 

  683. 

  684.     if (!ossl_prov_is_running())
    685. 

  685.         return 0;
    686. 

  686. 

  687.     if (sig == NULL) {
    688. 

  688.         *siglen = rsasize;
    689. 

  689.         return 1;
    690. 

  690.     }
    691. 

  691. 

  692.     if (sigsize < rsasize) {
    693. 

  693.         ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_SIGNATURE_SIZE,
    694. 

  694.                        "is %zu, should be at least %zu", sigsize, rsasize);
    695. 

  695.         return 0;
    696. 

  696.     }
    697. 

  697. 

  698.     if (mdsize != 0) {
    699. 

  699.         if (tbslen != mdsize) {
    700. 

  700.             ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST_LENGTH);
    701. 

  701.             return 0;
    702. 

  702.         }
    703. 

  703. 

  704. #ifndef FIPS_MODULE
    705. 

  705.         if (EVP_MD_is_a(prsactx->md, OSSL_DIGEST_NAME_MDC2)) {
    706. 

  706.             unsigned int sltmp;
    707. 

  707. 

  708.             if (prsactx->pad_mode != RSA_PKCS1_PADDING) {
    709. 

  709.                 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE,
    710. 

  710.                                "only PKCS#1 padding supported with MDC2");
    711. 

  711.                 return 0;
    712. 

  712.             }
    713. 

  713.             ret = RSA_sign_ASN1_OCTET_STRING(0, tbs, tbslen, sig, &sltmp,
    714. 

  714.                                              prsactx->rsa);
    715. 

  715. 

  716.             if (ret <= 0) {
    717. 

  717.                 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);
    718. 

  718.                 return 0;
    719. 

  719.             }
    720. 

  720.             ret = sltmp;
    721. 

  721.             goto end;
    722. 

  722.         }
    723. 

  723. #endif
    724. 

  724.         switch (prsactx->pad_mode) {
    725. 

  725.         case RSA_X931_PADDING:
    726. 

  726.             if ((size_t)RSA_size(prsactx->rsa) < tbslen + 1) {
    727. 

  727.                 ERR_raise_data(ERR_LIB_PROV, PROV_R_KEY_SIZE_TOO_SMALL,
    728. 

  728.                                "RSA key size = %d, expected minimum = %d",
    729. 

  729.                                RSA_size(prsactx->rsa), tbslen + 1);
    730. 

  730.                 return 0;
    731. 

  731.             }
    732. 

  732.             if (!setup_tbuf(prsactx)) {
    733. 

  733.                 ERR_raise(ERR_LIB_PROV, ERR_R_PROV_LIB);
    734. 

  734.                 return 0;
    735. 

  735.             }
    736. 

  736.             memcpy(prsactx->tbuf, tbs, tbslen);
    737. 

  737.             prsactx->tbuf[tbslen] = RSA_X931_hash_id(prsactx->mdnid);
    738. 

  738.             ret = RSA_private_encrypt(tbslen + 1, prsactx->tbuf,
    739. 

  739.                                       sig, prsactx->rsa, RSA_X931_PADDING);
    740. 

  740.             clean_tbuf(prsactx);
    741. 

  741.             break;
    742. 

  742.         case RSA_PKCS1_PADDING:
    743. 

  743.             {
    744. 

  744.                 unsigned int sltmp;
    745. 

  745. 

  746.                 ret = RSA_sign(prsactx->mdnid, tbs, tbslen, sig, &sltmp,
    747. 

  747.                                prsactx->rsa);
    748. 

  748.                 if (ret <= 0) {
    749. 

  749.                     ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);
    750. 

  750.                     return 0;
    751. 

  751.                 }
    752. 

  752.                 ret = sltmp;
    753. 

  753.             }
    754. 

  754.             break;
    755. 

  755. 

  756.         case RSA_PKCS1_PSS_PADDING:
    757. 

  757.             {
    758. 

  758.                 int saltlen;
    759. 

  759. 

  760.                 /* Check PSS restrictions */
    761. 

  761.                 if (rsa_pss_restricted(prsactx)) {
    762. 

  762.                     switch (prsactx->saltlen) {
    763. 

  763.                     case RSA_PSS_SALTLEN_DIGEST:
    764. 

  764.                         if (prsactx->min_saltlen > EVP_MD_get_size(prsactx->md)) {
    765. 

  765.                             ERR_raise_data(ERR_LIB_PROV,
    766. 

  766.                                            PROV_R_PSS_SALTLEN_TOO_SMALL,
    767. 

  767.                                            "minimum salt length set to %d, "
    768. 

  768.                                            "but the digest only gives %d",
    769. 

  769.                                            prsactx->min_saltlen,
    770. 

  770.                                            EVP_MD_get_size(prsactx->md));
    771. 

  771.                             return 0;
    772. 

  772.                         }
    773. 

  773.                         /* FALLTHRU */
    774. 

  774.                     default:
    775. 

  775.                         if (prsactx->saltlen >= 0
    776. 

  776.                             && prsactx->saltlen < prsactx->min_saltlen) {
    777. 

  777.                             ERR_raise_data(ERR_LIB_PROV,
    778. 

  778.                                            PROV_R_PSS_SALTLEN_TOO_SMALL,
    779. 

  779.                                            "minimum salt length set to %d, but the"
    780. 

  780.                                            "actual salt length is only set to %d",
    781. 

  781.                                            prsactx->min_saltlen,
    782. 

  782.                                            prsactx->saltlen);
    783. 

  783.                             return 0;
    784. 

  784.                         }
    785. 

  785.                         break;
    786. 

  786.                     }
    787. 

  787.                 }
    788. 

  788.                 if (!setup_tbuf(prsactx))
    789. 

  789.                     return 0;
    790. 

  790.                 saltlen = prsactx->saltlen;
    791. 

  791.                 if (!ossl_rsa_padding_add_PKCS1_PSS_mgf1(prsactx->rsa,
    792. 

  792.                                                          prsactx->tbuf, tbs,
    793. 

  793.                                                          prsactx->md, prsactx->mgf1_md,
    794. 

  794.                                                          &saltlen)) {
    795. 

  795.                     ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);
    796. 

  796.                     return 0;
    797. 

  797.                 }
    798. 

  798. #ifdef FIPS_MODULE
    799. 

  799.                 if (!rsa_pss_saltlen_check_passed(prsactx, "RSA Sign", saltlen))
    800. 

  800.                     return 0;
    801. 

  801. #endif
    802. 

  802.                 ret = RSA_private_encrypt(RSA_size(prsactx->rsa), prsactx->tbuf,
    803. 

  803.                                           sig, prsactx->rsa, RSA_NO_PADDING);
    804. 

  804.                 clean_tbuf(prsactx);
    805. 

  805.             }
    806. 

  806.             break;
    807. 

  807. 

  808.         default:
    809. 

  809.             ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE,
    810. 

  810.                            "Only X.931, PKCS#1 v1.5 or PSS padding allowed");
    811. 

  811.             return 0;
    812. 

  812.         }
    813. 

  813.     } else {
    814. 

  814.         ret = RSA_private_encrypt(tbslen, tbs, sig, prsactx->rsa,
    815. 

  815.                                   prsactx->pad_mode);
    816. 

  816.     }
    817. 

  817. 

  818. #ifndef FIPS_MODULE
    819. 

  819.  end:
    820. 

  820. #endif
    821. 

  821.     if (ret <= 0) {
    822. 

  822.         ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);
    823. 

  823.         return 0;
    824. 

  824.     }
    825. 

  825. 

  826.     *siglen = ret;
    827. 

  827.     return 1;
    828. 

  828. }
    829. 

  829. 

  830. static int rsa_signverify_message_update(void *vprsactx,
    831. 

  831.                                          const unsigned char *data,
    832. 

  832.                                          size_t datalen)
    833. 

  833. {
    834. 

  834.     PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
    835. 

  835. 

  836.     if (prsactx == NULL || prsactx->mdctx == NULL)
    837. 

  837.         return 0;
    838. 

  838. 

  839.     if (!prsactx->flag_allow_update) {
    840. 

  840.         ERR_raise(ERR_LIB_PROV, PROV_R_UPDATE_CALL_OUT_OF_ORDER);
    841. 

  841.         return 0;
    842. 

  842.     }
    843. 

  843.     prsactx->flag_allow_oneshot = 0;
    844. 

  844. 

  845.     return EVP_DigestUpdate(prsactx->mdctx, data, datalen);
    846. 

  846. }
    847. 

  847. 

  848. static int rsa_sign_message_final(void *vprsactx, unsigned char *sig,
    849. 

  849.                                   size_t *siglen, size_t sigsize)
    850. 

  850. {
    851. 

  851.     PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
    852. 

  852.     unsigned char digest[EVP_MAX_MD_SIZE];
    853. 

  853.     unsigned int dlen = 0;
    854. 

  854. 

  855.     if (!ossl_prov_is_running() || prsactx == NULL)
    856. 

  856.         return 0;
    857. 

  857.     if (prsactx->mdctx == NULL)
    858. 

  858.         return 0;
    859. 

  859.     if (!prsactx->flag_allow_final) {
    860. 

  860.         ERR_raise(ERR_LIB_PROV, PROV_R_FINAL_CALL_OUT_OF_ORDER);
    861. 

  861.         return 0;
    862. 

  862.     }
    863. 

  863. 

  864.     /*
    865. 

  865.      * If sig is NULL then we're just finding out the sig size. Other fields
    866. 

  866.      * are ignored. Defer to rsa_sign.
    867. 

  867.      */
    868. 

  868.     if (sig != NULL) {
    869. 

  869.         /*
    870. 

  870.          * The digests used here are all known (see rsa_get_md_nid()), so they
    871. 

  871.          * should not exceed the internal buffer size of EVP_MAX_MD_SIZE.
    872. 

  872.          */
    873. 

  873.         if (!EVP_DigestFinal_ex(prsactx->mdctx, digest, &dlen))
    874. 

  874.             return 0;
    875. 

  875. 

  876.         prsactx->flag_allow_update = 0;
    877. 

  877.         prsactx->flag_allow_oneshot = 0;
    878. 

  878.         prsactx->flag_allow_final = 0;
    879. 

  879.     }
    880. 

  880. 

  881.     return rsa_sign_directly(prsactx, sig, siglen, sigsize, digest, dlen);
    882. 

  882. }
    883. 

  883. 

  884. /*
    885. 

  885.  * If signing a message, digest tbs and sign the result.
    886. 

  886.  * Otherwise, sign tbs directly.
    887. 

  887.  */
    888. 

  888. static int rsa_sign(void *vprsactx, unsigned char *sig, size_t *siglen,
    889. 

  889.                     size_t sigsize, const unsigned char *tbs, size_t tbslen)
    890. 

  890. {
    891. 

  891.     PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
    892. 

  892. 

  893.     if (!ossl_prov_is_running() || prsactx == NULL)
    894. 

  894.         return 0;
    895. 

  895.     if (!prsactx->flag_allow_oneshot) {
    896. 

  896.         ERR_raise(ERR_LIB_PROV, PROV_R_ONESHOT_CALL_OUT_OF_ORDER);
    897. 

  897.         return 0;
    898. 

  898.     }
    899. 

  899. 

  900.     if (prsactx->operation == EVP_PKEY_OP_SIGNMSG) {
    901. 

  901.         /*
    902. 

  902.          * If |sig| is NULL, the caller is only looking for the sig length.
    903. 

  903.          * DO NOT update the input in this case.
    904. 

  904.          */
    905. 

  905.         if (sig == NULL)
    906. 

  906.             return rsa_sign_message_final(prsactx, sig, siglen, sigsize);
    907. 

  907. 

  908.         return rsa_signverify_message_update(prsactx, tbs, tbslen)
    909. 

  909.             && rsa_sign_message_final(prsactx, sig, siglen, sigsize);
    910. 

  910.     }
    911. 

  911.     return rsa_sign_directly(prsactx, sig, siglen, sigsize, tbs, tbslen);
    912. 

  912. }
    913. 

  913. 

  914. static int rsa_verify_recover_init(void *vprsactx, void *vrsa,
    915. 

  915.                                    const OSSL_PARAM params[])
    916. 

  916. {
    917. 

  917.     PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
    918. 

  918. 

  919. #ifdef FIPS_MODULE
    920. 

  920.     if (prsactx != NULL)
    921. 

  921.         prsactx->verify_message = 0;
    922. 

  922. #endif
    923. 

  923. 

  924.     return rsa_signverify_init(prsactx, vrsa, rsa_set_ctx_params, params,
    925. 

  925.                                EVP_PKEY_OP_VERIFYRECOVER, "RSA VerifyRecover Init");
    926. 

  926. }
    927. 

  927. 

  928. /*
    929. 

  929.  * There is no message variant of verify recover, so no need for
    930. 

  930.  * 'rsa_verify_recover_directly', just use this function, er, directly.
    931. 

  931.  */
    932. 

  932. static int rsa_verify_recover(void *vprsactx,
    933. 

  933.                               unsigned char *rout, size_t *routlen,
    934. 

  934.                               size_t routsize,
    935. 

  935.                               const unsigned char *sig, size_t siglen)
    936. 

  936. {
    937. 

  937.     PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
    938. 

  938.     int ret;
    939. 

  939. 

  940.     if (!ossl_prov_is_running())
    941. 

  941.         return 0;
    942. 

  942. 

  943.     if (rout == NULL) {
    944. 

  944.         *routlen = RSA_size(prsactx->rsa);
    945. 

  945.         return 1;
    946. 

  946.     }
    947. 

  947. 

  948.     if (prsactx->md != NULL) {
    949. 

  949.         switch (prsactx->pad_mode) {
    950. 

  950.         case RSA_X931_PADDING:
    951. 

  951.             if (!setup_tbuf(prsactx))
    952. 

  952.                 return 0;
    953. 

  953.             ret = RSA_public_decrypt(siglen, sig, prsactx->tbuf, prsactx->rsa,
    954. 

  954.                                      RSA_X931_PADDING);
    955. 

  955.             if (ret <= 0) {
    956. 

  956.                 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);
    957. 

  957.                 return 0;
    958. 

  958.             }
    959. 

  959.             ret--;
    960. 

  960.             if (prsactx->tbuf[ret] != RSA_X931_hash_id(prsactx->mdnid)) {
    961. 

  961.                 ERR_raise(ERR_LIB_PROV, PROV_R_ALGORITHM_MISMATCH);
    962. 

  962.                 return 0;
    963. 

  963.             }
    964. 

  964.             if (ret != EVP_MD_get_size(prsactx->md)) {
    965. 

  965.                 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST_LENGTH,
    966. 

  966.                                "Should be %d, but got %d",
    967. 

  967.                                EVP_MD_get_size(prsactx->md), ret);
    968. 

  968.                 return 0;
    969. 

  969.             }
    970. 

  970. 

  971.             *routlen = ret;
    972. 

  972.             if (rout != prsactx->tbuf) {
    973. 

  973.                 if (routsize < (size_t)ret) {
    974. 

  974.                     ERR_raise_data(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL,
    975. 

  975.                                    "buffer size is %d, should be %d",
    976. 

  976.                                    routsize, ret);
    977. 

  977.                     return 0;
    978. 

  978.                 }
    979. 

  979.                 memcpy(rout, prsactx->tbuf, ret);
    980. 

  980.             }
    981. 

  981.             break;
    982. 

  982. 

  983.         case RSA_PKCS1_PADDING:
    984. 

  984.             {
    985. 

  985.                 size_t sltmp;
    986. 

  986. 

  987.                 ret = ossl_rsa_verify(prsactx->mdnid, NULL, 0, rout, &sltmp,
    988. 

  988.                                       sig, siglen, prsactx->rsa);
    989. 

  989.                 if (ret <= 0) {
    990. 

  990.                     ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);
    991. 

  991.                     return 0;
    992. 

  992.                 }
    993. 

  993.                 ret = sltmp;
    994. 

  994.             }
    995. 

  995.             break;
    996. 

  996. 

  997.         default:
    998. 

  998.             ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE,
    999. 

  999.                            "Only X.931 or PKCS#1 v1.5 padding allowed");
    1000. 

  1000.             return 0;
    1001. 

  1001.         }
    1002. 

  1002.     } else {
    1003. 

  1003.         ret = RSA_public_decrypt(siglen, sig, rout, prsactx->rsa,
    1004. 

  1004.                                  prsactx->pad_mode);
    1005. 

  1005.         if (ret <= 0) {
    1006. 

  1006.             ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);
    1007. 

  1007.             return 0;
    1008. 

  1008.         }
    1009. 

  1009.     }
    1010. 

  1010.     *routlen = ret;
    1011. 

  1011.     return 1;
    1012. 

  1012. }
    1013. 

  1013. 

  1014. static int rsa_verify_init(void *vprsactx, void *vrsa,
    1015. 

  1015.                            const OSSL_PARAM params[])
    1016. 

  1016. {
    1017. 

  1017.     PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
    1018. 

  1018. 

  1019. #ifdef FIPS_MODULE
    1020. 

  1020.     if (prsactx != NULL)
    1021. 

  1021.         prsactx->verify_message = 0;
    1022. 

  1022. #endif
    1023. 

  1023. 

  1024.     return rsa_signverify_init(prsactx, vrsa, rsa_set_ctx_params, params,
    1025. 

  1025.                                EVP_PKEY_OP_VERIFY, "RSA Verify Init");
    1026. 

  1026. }
    1027. 

  1027. 

  1028. static int rsa_verify_directly(PROV_RSA_CTX *prsactx,
    1029. 

  1029.                                const unsigned char *sig, size_t siglen,
    1030. 

  1030.                                const unsigned char *tbs, size_t tbslen)
    1031. 

  1031. {
    1032. 

  1032.     size_t rslen;
    1033. 

  1033. 

  1034.     if (!ossl_prov_is_running())
    1035. 

  1035.         return 0;
    1036. 

  1036.     if (prsactx->md != NULL) {
    1037. 

  1037.         switch (prsactx->pad_mode) {
    1038. 

  1038.         case RSA_PKCS1_PADDING:
    1039. 

  1039.             if (!RSA_verify(prsactx->mdnid, tbs, tbslen, sig, siglen,
    1040. 

  1040.                             prsactx->rsa)) {
    1041. 

  1041.                 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);
    1042. 

  1042.                 return 0;
    1043. 

  1043.             }
    1044. 

  1044.             return 1;
    1045. 

  1045.         case RSA_X931_PADDING:
    1046. 

  1046.             if (!setup_tbuf(prsactx))
    1047. 

  1047.                 return 0;
    1048. 

  1048.             if (rsa_verify_recover(prsactx, prsactx->tbuf, &rslen, 0,
    1049. 

  1049.                                    sig, siglen) <= 0)
    1050. 

  1050.                 return 0;
    1051. 

  1051.             break;
    1052. 

  1052.         case RSA_PKCS1_PSS_PADDING:
    1053. 

  1053.             {
    1054. 

  1054.                 int ret;
    1055. 

  1055.                 int saltlen;
    1056. 

  1056.                 size_t mdsize;
    1057. 

  1057. 

  1058.                 /*
    1059. 

  1059.                  * We need to check this for the RSA_verify_PKCS1_PSS_mgf1()
    1060. 

  1060.                  * call
    1061. 

  1061.                  */
    1062. 

  1062.                 mdsize = rsa_get_md_size(prsactx);
    1063. 

  1063.                 if (tbslen != mdsize) {
    1064. 

  1064.                     ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST_LENGTH,
    1065. 

  1065.                                    "Should be %d, but got %d",
    1066. 

  1066.                                    mdsize, tbslen);
    1067. 

  1067.                     return 0;
    1068. 

  1068.                 }
    1069. 

  1069. 

  1070.                 if (!setup_tbuf(prsactx))
    1071. 

  1071.                     return 0;
    1072. 

  1072.                 ret = RSA_public_decrypt(siglen, sig, prsactx->tbuf,
    1073. 

  1073.                                          prsactx->rsa, RSA_NO_PADDING);
    1074. 

  1074.                 if (ret <= 0) {
    1075. 

  1075.                     ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);
    1076. 

  1076.                     return 0;
    1077. 

  1077.                 }
    1078. 

  1078.                 saltlen = prsactx->saltlen;
    1079. 

  1079.                 ret = ossl_rsa_verify_PKCS1_PSS_mgf1(prsactx->rsa, tbs,
    1080. 

  1080.                                                      prsactx->md, prsactx->mgf1_md,
    1081. 

  1081.                                                      prsactx->tbuf,
    1082. 

  1082.                                                      &saltlen);
    1083. 

  1083.                 if (ret <= 0) {
    1084. 

  1084.                     ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);
    1085. 

  1085.                     return 0;
    1086. 

  1086.                 }
    1087. 

  1087. #ifdef FIPS_MODULE
    1088. 

  1088.                 if (!rsa_pss_saltlen_check_passed(prsactx, "RSA Verify", saltlen))
    1089. 

  1089.                     return 0;
    1090. 

  1090. #endif
    1091. 

  1091.                 return 1;
    1092. 

  1092.             }
    1093. 

  1093.         default:
    1094. 

  1094.             ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE,
    1095. 

  1095.                            "Only X.931, PKCS#1 v1.5 or PSS padding allowed");
    1096. 

  1096.             return 0;
    1097. 

  1097.         }
    1098. 

  1098.     } else {
    1099. 

  1099.         int ret;
    1100. 

  1100. 

  1101.         if (!setup_tbuf(prsactx))
    1102. 

  1102.             return 0;
    1103. 

  1103.         ret = RSA_public_decrypt(siglen, sig, prsactx->tbuf, prsactx->rsa,
    1104. 

  1104.                                  prsactx->pad_mode);
    1105. 

  1105.         if (ret <= 0) {
    1106. 

  1106.             ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);
    1107. 

  1107.             return 0;
    1108. 

  1108.         }
    1109. 

  1109.         rslen = (size_t)ret;
    1110. 

  1110.     }
    1111. 

  1111. 

  1112.     if ((rslen != tbslen) || memcmp(tbs, prsactx->tbuf, rslen))
    1113. 

  1113.         return 0;
    1114. 

  1114. 

  1115.     return 1;
    1116. 

  1116. }
    1117. 

  1117. 

  1118. static int rsa_verify_set_sig(void *vprsactx,
    1119. 

  1119.                               const unsigned char *sig, size_t siglen)
    1120. 

  1120. {
    1121. 

  1121.     PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
    1122. 

  1122.     OSSL_PARAM params[2];
    1123. 

  1123. 

  1124.     params[0] =
    1125. 

  1125.         OSSL_PARAM_construct_octet_string(OSSL_SIGNATURE_PARAM_SIGNATURE,
    1126. 

  1126.                                           (unsigned char *)sig, siglen);
    1127. 

  1127.     params[1] = OSSL_PARAM_construct_end();
    1128. 

  1128.     return rsa_sigalg_set_ctx_params(prsactx, params);
    1129. 

  1129. }
    1130. 

  1130. 

  1131. static int rsa_verify_message_final(void *vprsactx)
    1132. 

  1132. {
    1133. 

  1133.     PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
    1134. 

  1134.     unsigned char digest[EVP_MAX_MD_SIZE];
    1135. 

  1135.     unsigned int dlen = 0;
    1136. 

  1136. 

  1137.     if (!ossl_prov_is_running() || prsactx == NULL)
    1138. 

  1138.         return 0;
    1139. 

  1139.     if (prsactx->mdctx == NULL)
    1140. 

  1140.         return 0;
    1141. 

  1141.     if (!prsactx->flag_allow_final) {
    1142. 

  1142.         ERR_raise(ERR_LIB_PROV, PROV_R_FINAL_CALL_OUT_OF_ORDER);
    1143. 

  1143.         return 0;
    1144. 

  1144.     }
    1145. 

  1145. 

  1146.     /*
    1147. 

  1147.      * The digests used here are all known (see rsa_get_md_nid()), so they
    1148. 

  1148.      * should not exceed the internal buffer size of EVP_MAX_MD_SIZE.
    1149. 

  1149.      */
    1150. 

  1150.     if (!EVP_DigestFinal_ex(prsactx->mdctx, digest, &dlen))
    1151. 

  1151.         return 0;
    1152. 

  1152. 

  1153.     prsactx->flag_allow_update = 0;
    1154. 

  1154.     prsactx->flag_allow_final = 0;
    1155. 

  1155.     prsactx->flag_allow_oneshot = 0;
    1156. 

  1156. 

  1157.     return rsa_verify_directly(prsactx, prsactx->sig, prsactx->siglen,
    1158. 

  1158.                                digest, dlen);
    1159. 

  1159. }
    1160. 

  1160. 

  1161. /*
    1162. 

  1162.  * If verifying a message, digest tbs and verify the result.
    1163. 

  1163.  * Otherwise, verify tbs directly.
    1164. 

  1164.  */
    1165. 

  1165. static int rsa_verify(void *vprsactx,
    1166. 

  1166.                       const unsigned char *sig, size_t siglen,
    1167. 

  1167.                       const unsigned char *tbs, size_t tbslen)
    1168. 

  1168. {
    1169. 

  1169.     PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
    1170. 

  1170. 

  1171.     if (!ossl_prov_is_running() || prsactx == NULL)
    1172. 

  1172.         return 0;
    1173. 

  1173.     if (!prsactx->flag_allow_oneshot) {
    1174. 

  1174.         ERR_raise(ERR_LIB_PROV, PROV_R_ONESHOT_CALL_OUT_OF_ORDER);
    1175. 

  1175.         return 0;
    1176. 

  1176.     }
    1177. 

  1177. 

  1178.     if (prsactx->operation == EVP_PKEY_OP_VERIFYMSG)
    1179. 

  1179.         return rsa_verify_set_sig(prsactx, sig, siglen)
    1180. 

  1180.             && rsa_signverify_message_update(prsactx, tbs, tbslen)
    1181. 

  1181.             && rsa_verify_message_final(prsactx);
    1182. 

  1182.     return rsa_verify_directly(prsactx, sig, siglen, tbs, tbslen);
    1183. 

  1183. }
    1184. 

  1184. 

  1185. /* DigestSign/DigestVerify wrappers */
    1186. 

  1186. 

  1187. static int rsa_digest_signverify_init(void *vprsactx, const char *mdname,
    1188. 

  1188.                                       void *vrsa, const OSSL_PARAM params[],
    1189. 

  1189.                                       int operation, const char *desc)
    1190. 

  1190. {
    1191. 

  1191.     PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
    1192. 

  1192. 

  1193. #ifdef FIPS_MODULE
    1194. 

  1194.     if (prsactx != NULL)
    1195. 

  1195.         prsactx->verify_message = 1;
    1196. 

  1196. #endif
    1197. 

  1197. 

  1198.     if (!rsa_signverify_init(prsactx, vrsa, rsa_set_ctx_params, params,
    1199. 

  1199.                              operation, desc))
    1200. 

  1200.         return 0;
    1201. 

  1201. 

  1202.     if (mdname != NULL
    1203. 

  1203.         /* was rsa_setup_md already called in rsa_signverify_init()? */
    1204. 

  1204.         && (mdname[0] == '\0' || OPENSSL_strcasecmp(prsactx->mdname, mdname) != 0)
    1205. 

  1205.         && !rsa_setup_md(prsactx, mdname, prsactx->propq, desc))
    1206. 

  1206.         return 0;
    1207. 

  1207. 

  1208.     prsactx->flag_allow_md = 0;
    1209. 

  1209. 

  1210.     if (prsactx->mdctx == NULL) {
    1211. 

  1211.         prsactx->mdctx = EVP_MD_CTX_new();
    1212. 

  1212.         if (prsactx->mdctx == NULL)
    1213. 

  1213.             goto error;
    1214. 

  1214.     }
    1215. 

  1215. 

  1216.     if (!EVP_DigestInit_ex2(prsactx->mdctx, prsactx->md, params))
    1217. 

  1217.         goto error;
    1218. 

  1218. 

  1219.     return 1;
    1220. 

  1220. 

  1221.  error:
    1222. 

  1222.     EVP_MD_CTX_free(prsactx->mdctx);
    1223. 

  1223.     prsactx->mdctx = NULL;
    1224. 

  1224.     return 0;
    1225. 

  1225. }
    1226. 

  1226. 

  1227. static int rsa_digest_sign_init(void *vprsactx, const char *mdname,
    1228. 

  1228.                                 void *vrsa, const OSSL_PARAM params[])
    1229. 

  1229. {
    1230. 

  1230.     if (!ossl_prov_is_running())
    1231. 

  1231.         return 0;
    1232. 

  1232.     return rsa_digest_signverify_init(vprsactx, mdname, vrsa,
    1233. 

  1233.                                       params, EVP_PKEY_OP_SIGNMSG,
    1234. 

  1234.                                       "RSA Digest Sign Init");
    1235. 

  1235. }
    1236. 

  1236. 

  1237. static int rsa_digest_sign_update(void *vprsactx, const unsigned char *data,
    1238. 

  1238.                                   size_t datalen)
    1239. 

  1239. {
    1240. 

  1240.     PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
    1241. 

  1241. 

  1242.     if (prsactx == NULL)
    1243. 

  1243.         return 0;
    1244. 

  1244.     /* Sigalg implementations shouldn't do digest_sign */
    1245. 

  1245.     if (prsactx->flag_sigalg)
    1246. 

  1246.         return 0;
    1247. 

  1247. 

  1248.     return rsa_signverify_message_update(prsactx, data, datalen);
    1249. 

  1249. }
    1250. 

  1250. 

  1251. static int rsa_digest_sign_final(void *vprsactx, unsigned char *sig,
    1252. 

  1252.                                  size_t *siglen, size_t sigsize)
    1253. 

  1253. {
    1254. 

  1254.     PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
    1255. 

  1255.     int ok = 0;
    1256. 

  1256. 

  1257.     if (prsactx == NULL)
    1258. 

  1258.         return 0;
    1259. 

  1259.     /* Sigalg implementations shouldn't do digest_sign */
    1260. 

  1260.     if (prsactx->flag_sigalg)
    1261. 

  1261.         return 0;
    1262. 

  1262. 

  1263.     if (rsa_sign_message_final(prsactx, sig, siglen, sigsize))
    1264. 

  1264.         ok = 1;
    1265. 

  1265. 

  1266.     prsactx->flag_allow_md = 1;
    1267. 

  1267. 

  1268.     return ok;
    1269. 

  1269. }
    1270. 

  1270. 

  1271. static int rsa_digest_verify_init(void *vprsactx, const char *mdname,
    1272. 

  1272.                                   void *vrsa, const OSSL_PARAM params[])
    1273. 

  1273. {
    1274. 

  1274.     if (!ossl_prov_is_running())
    1275. 

  1275.         return 0;
    1276. 

  1276.     return rsa_digest_signverify_init(vprsactx, mdname, vrsa,
    1277. 

  1277.                                       params, EVP_PKEY_OP_VERIFYMSG,
    1278. 

  1278.                                       "RSA Digest Verify Init");
    1279. 

  1279. }
    1280. 

  1280. 

  1281. static int rsa_digest_verify_update(void *vprsactx, const unsigned char *data,
    1282. 

  1282.                                     size_t datalen)
    1283. 

  1283. {
    1284. 

  1284.     PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
    1285. 

  1285. 

  1286.     if (prsactx == NULL)
    1287. 

  1287.         return 0;
    1288. 

  1288.     /* Sigalg implementations shouldn't do digest_sign */
    1289. 

  1289.     if (prsactx->flag_sigalg)
    1290. 

  1290.         return 0;
    1291. 

  1291. 

  1292.     return rsa_signverify_message_update(prsactx, data, datalen);
    1293. 

  1293. }
    1294. 

  1294. 

  1295. int rsa_digest_verify_final(void *vprsactx, const unsigned char *sig,
    1296. 

  1296.                             size_t siglen)
    1297. 

  1297. {
    1298. 

  1298.     PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
    1299. 

  1299.     int ok = 0;
    1300. 

  1300. 

  1301.     if (prsactx == NULL)
    1302. 

  1302.         return 0;
    1303. 

  1303.     /* Sigalg implementations shouldn't do digest_verify */
    1304. 

  1304.     if (prsactx->flag_sigalg)
    1305. 

  1305.         return 0;
    1306. 

  1306. 

  1307.     if (rsa_verify_set_sig(prsactx, sig, siglen)
    1308. 

  1308.         && rsa_verify_message_final(vprsactx))
    1309. 

  1309.         ok = 1;
    1310. 

  1310. 

  1311.     prsactx->flag_allow_md = 1;
    1312. 

  1312. 

  1313.     return ok;
    1314. 

  1314. }
    1315. 

  1315. 

  1316. static void rsa_freectx(void *vprsactx)
    1317. 

  1317. {
    1318. 

  1318.     PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
    1319. 

  1319. 

  1320.     if (prsactx == NULL)
    1321. 

  1321.         return;
    1322. 

  1322. 

  1323.     EVP_MD_CTX_free(prsactx->mdctx);
    1324. 

  1324.     EVP_MD_free(prsactx->md);
    1325. 

  1325.     EVP_MD_free(prsactx->mgf1_md);
    1326. 

  1326.     OPENSSL_free(prsactx->sig);
    1327. 

  1327.     OPENSSL_free(prsactx->propq);
    1328. 

  1328.     free_tbuf(prsactx);
    1329. 

  1329.     RSA_free(prsactx->rsa);
    1330. 

  1330. 

  1331.     OPENSSL_clear_free(prsactx, sizeof(*prsactx));
    1332. 

  1332. }
    1333. 

  1333. 

  1334. static void *rsa_dupctx(void *vprsactx)
    1335. 

  1335. {
    1336. 

  1336.     PROV_RSA_CTX *srcctx = (PROV_RSA_CTX *)vprsactx;
    1337. 

  1337.     PROV_RSA_CTX *dstctx;
    1338. 

  1338. 

  1339.     if (!ossl_prov_is_running())
    1340. 

  1340.         return NULL;
    1341. 

  1341. 

  1342.     dstctx = OPENSSL_zalloc(sizeof(*srcctx));
    1343. 

  1343.     if (dstctx == NULL)
    1344. 

  1344.         return NULL;
    1345. 

  1345. 

  1346.     *dstctx = *srcctx;
    1347. 

  1347.     dstctx->rsa = NULL;
    1348. 

  1348.     dstctx->md = NULL;
    1349. 

  1349.     dstctx->mgf1_md = NULL;
    1350. 

  1350.     dstctx->mdctx = NULL;
    1351. 

  1351.     dstctx->tbuf = NULL;
    1352. 

  1352.     dstctx->propq = NULL;
    1353. 

  1353. 

  1354.     if (srcctx->rsa != NULL && !RSA_up_ref(srcctx->rsa))
    1355. 

  1355.         goto err;
    1356. 

  1356.     dstctx->rsa = srcctx->rsa;
    1357. 

  1357. 

  1358.     if (srcctx->md != NULL && !EVP_MD_up_ref(srcctx->md))
    1359. 

  1359.         goto err;
    1360. 

  1360.     dstctx->md = srcctx->md;
    1361. 

  1361. 

  1362.     if (srcctx->mgf1_md != NULL && !EVP_MD_up_ref(srcctx->mgf1_md))
    1363. 

  1363.         goto err;
    1364. 

  1364.     dstctx->mgf1_md = srcctx->mgf1_md;
    1365. 

  1365. 

  1366.     if (srcctx->mdctx != NULL) {
    1367. 

  1367.         dstctx->mdctx = EVP_MD_CTX_new();
    1368. 

  1368.         if (dstctx->mdctx == NULL
    1369. 

  1369.                 || !EVP_MD_CTX_copy_ex(dstctx->mdctx, srcctx->mdctx))
    1370. 

  1370.             goto err;
    1371. 

  1371.     }
    1372. 

  1372. 

  1373.     if (srcctx->propq != NULL) {
    1374. 

  1374.         dstctx->propq = OPENSSL_strdup(srcctx->propq);
    1375. 

  1375.         if (dstctx->propq == NULL)
    1376. 

  1376.             goto err;
    1377. 

  1377.     }
    1378. 

  1378. 

  1379.     return dstctx;
    1380. 

  1380.  err:
    1381. 

  1381.     rsa_freectx(dstctx);
    1382. 

  1382.     return NULL;
    1383. 

  1383. }
    1384. 

  1384. 

  1385. static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params)
    1386. 

  1386. {
    1387. 

  1387.     PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
    1388. 

  1388.     OSSL_PARAM *p;
    1389. 

  1389. 

  1390.     if (prsactx == NULL)
    1391. 

  1391.         return 0;
    1392. 

  1392. 

  1393.     p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_ALGORITHM_ID);
    1394. 

  1394.     if (p != NULL) {
    1395. 

  1395.         /* The Algorithm Identifier of the combined signature algorithm */
    1396. 

  1396.         unsigned char aid_buf[128];
    1397. 

  1397.         unsigned char *aid;
    1398. 

  1398.         size_t  aid_len;
    1399. 

  1399. 

  1400.         aid = rsa_generate_signature_aid(prsactx, aid_buf,
    1401. 

  1401.                                          sizeof(aid_buf), &aid_len);
    1402. 

  1402.         if (aid == NULL || !OSSL_PARAM_set_octet_string(p, aid, aid_len))
    1403. 

  1403.             return 0;
    1404. 

  1404.     }
    1405. 

  1405. 

  1406.     p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_PAD_MODE);
    1407. 

  1407.     if (p != NULL)
    1408. 

  1408.         switch (p->data_type) {
    1409. 

  1409.         case OSSL_PARAM_INTEGER:
    1410. 

  1410.             if (!OSSL_PARAM_set_int(p, prsactx->pad_mode))
    1411. 

  1411.                 return 0;
    1412. 

  1412.             break;
    1413. 

  1413.         case OSSL_PARAM_UTF8_STRING:
    1414. 

  1414.             {
    1415. 

  1415.                 int i;
    1416. 

  1416.                 const char *word = NULL;
    1417. 

  1417. 

  1418.                 for (i = 0; padding_item[i].id != 0; i++) {
    1419. 

  1419.                     if (prsactx->pad_mode == (int)padding_item[i].id) {
    1420. 

  1420.                         word = padding_item[i].ptr;
    1421. 

  1421.                         break;
    1422. 

  1422.                     }
    1423. 

  1423.                 }
    1424. 

  1424. 

  1425.                 if (word != NULL) {
    1426. 

  1426.                     if (!OSSL_PARAM_set_utf8_string(p, word))
    1427. 

  1427.                         return 0;
    1428. 

  1428.                 } else {
    1429. 

  1429.                     ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);
    1430. 

  1430.                 }
    1431. 

  1431.             }
    1432. 

  1432.             break;
    1433. 

  1433.         default:
    1434. 

  1434.             return 0;
    1435. 

  1435.         }
    1436. 

  1436. 

  1437.     p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_DIGEST);
    1438. 

  1438.     if (p != NULL && !OSSL_PARAM_set_utf8_string(p, prsactx->mdname))
    1439. 

  1439.         return 0;
    1440. 

  1440. 

  1441.     p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_MGF1_DIGEST);
    1442. 

  1442.     if (p != NULL && !OSSL_PARAM_set_utf8_string(p, prsactx->mgf1_mdname))
    1443. 

  1443.         return 0;
    1444. 

  1444. 

  1445.     p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_PSS_SALTLEN);
    1446. 

  1446.     if (p != NULL) {
    1447. 

  1447.         if (p->data_type == OSSL_PARAM_INTEGER) {
    1448. 

  1448.             if (!OSSL_PARAM_set_int(p, prsactx->saltlen))
    1449. 

  1449.                 return 0;
    1450. 

  1450.         } else if (p->data_type == OSSL_PARAM_UTF8_STRING) {
    1451. 

  1451.             const char *value = NULL;
    1452. 

  1452. 

  1453.             switch (prsactx->saltlen) {
    1454. 

  1454.             case RSA_PSS_SALTLEN_DIGEST:
    1455. 

  1455.                 value = OSSL_PKEY_RSA_PSS_SALT_LEN_DIGEST;
    1456. 

  1456.                 break;
    1457. 

  1457.             case RSA_PSS_SALTLEN_MAX:
    1458. 

  1458.                 value = OSSL_PKEY_RSA_PSS_SALT_LEN_MAX;
    1459. 

  1459.                 break;
    1460. 

  1460.             case RSA_PSS_SALTLEN_AUTO:
    1461. 

  1461.                 value = OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO;
    1462. 

  1462.                 break;
    1463. 

  1463.             case RSA_PSS_SALTLEN_AUTO_DIGEST_MAX:
    1464. 

  1464.                 value = OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX;
    1465. 

  1465.                 break;
    1466. 

  1466.             default:
    1467. 

  1467.                 {
    1468. 

  1468.                     int len = BIO_snprintf(p->data, p->data_size, "%d",
    1469. 

  1469.                                            prsactx->saltlen);
    1470. 

  1470. 

  1471.                     if (len <= 0)
    1472. 

  1472.                         return 0;
    1473. 

  1473.                     p->return_size = len;
    1474. 

  1474.                     break;
    1475. 

  1475.                 }
    1476. 

  1476.             }
    1477. 

  1477.             if (value != NULL
    1478. 

  1478.                 && !OSSL_PARAM_set_utf8_string(p, value))
    1479. 

  1479.                 return 0;
    1480. 

  1480.         }
    1481. 

  1481.     }
    1482. 

  1482. 

  1483. #ifdef FIPS_MODULE
    1484. 

  1484.     p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_FIPS_VERIFY_MESSAGE);
    1485. 

  1485.     if (p != NULL && !OSSL_PARAM_set_uint(p, prsactx->verify_message))
    1486. 

  1486.         return 0;
    1487. 

  1487. #endif
    1488. 

  1488. 

  1489.     if (!OSSL_FIPS_IND_GET_CTX_PARAM(prsactx, params))
    1490. 

  1490.         return 0;
    1491. 

  1491.     return 1;
    1492. 

  1492. }
    1493. 

  1493. 

  1494. static const OSSL_PARAM known_gettable_ctx_params[] = {
    1495. 

  1495.     OSSL_PARAM_octet_string(OSSL_SIGNATURE_PARAM_ALGORITHM_ID, NULL, 0),
    1496. 

  1496.     OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PAD_MODE, NULL, 0),
    1497. 

  1497.     OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, NULL, 0),
    1498. 

  1498.     OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_DIGEST, NULL, 0),
    1499. 

  1499.     OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL, 0),
    1500. 

  1500. #ifdef FIPS_MODULE
    1501. 

  1501.     OSSL_PARAM_uint(OSSL_SIGNATURE_PARAM_FIPS_VERIFY_MESSAGE, NULL),
    1502. 

  1502. #endif
    1503. 

  1503.     OSSL_FIPS_IND_GETTABLE_CTX_PARAM()
    1504. 

  1504.     OSSL_PARAM_END
    1505. 

  1505. };
    1506. 

  1506. 

  1507. static const OSSL_PARAM *rsa_gettable_ctx_params(ossl_unused void *vprsactx,
    1508. 

  1508.                                                  ossl_unused void *provctx)
    1509. 

  1509. {
    1510. 

  1510.     return known_gettable_ctx_params;
    1511. 

  1511. }
    1512. 

  1512. 

  1513. #ifdef FIPS_MODULE
    1514. 

  1514. static int rsa_x931_padding_allowed(PROV_RSA_CTX *ctx)
    1515. 

  1515. {
    1516. 

  1516.     int approved = ((ctx->operation & EVP_PKEY_OP_SIGN) == 0);
    1517. 

  1517. 

  1518.     if (!approved) {
    1519. 

  1519.         if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE2,
    1520. 

  1520.                                          ctx->libctx,
    1521. 

  1521.                                          "RSA Sign set ctx", "X931 Padding",
    1522. 

  1522.                                          ossl_fips_config_rsa_sign_x931_disallowed)) {
    1523. 

  1523.             ERR_raise(ERR_LIB_PROV,
    1524. 

  1524.                       PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
    1525. 

  1525.             return 0;
    1526. 

  1526.         }
    1527. 

  1527.     }
    1528. 

  1528.     return 1;
    1529. 

  1529. }
    1530. 

  1530. #endif
    1531. 

  1531. 

  1532. static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
    1533. 

  1533. {
    1534. 

  1534.     PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
    1535. 

  1535.     const OSSL_PARAM *p;
    1536. 

  1536.     int pad_mode;
    1537. 

  1537.     int saltlen;
    1538. 

  1538.     char mdname[OSSL_MAX_NAME_SIZE] = "", *pmdname = NULL;
    1539. 

  1539.     char mdprops[OSSL_MAX_PROPQUERY_SIZE] = "", *pmdprops = NULL;
    1540. 

  1540.     char mgf1mdname[OSSL_MAX_NAME_SIZE] = "", *pmgf1mdname = NULL;
    1541. 

  1541.     char mgf1mdprops[OSSL_MAX_PROPQUERY_SIZE] = "", *pmgf1mdprops = NULL;
    1542. 

  1542. 

  1543.     if (prsactx == NULL)
    1544. 

  1544.         return 0;
    1545. 

  1545.     if (ossl_param_is_empty(params))
    1546. 

  1546.         return 1;
    1547. 

  1547. 

  1548.     if (!OSSL_FIPS_IND_SET_CTX_PARAM(prsactx, OSSL_FIPS_IND_SETTABLE0, params,
    1549. 

  1549.                                      OSSL_SIGNATURE_PARAM_FIPS_KEY_CHECK))
    1550. 

  1550.         return 0;
    1551. 

  1551. 

  1552.     if (!OSSL_FIPS_IND_SET_CTX_PARAM(prsactx, OSSL_FIPS_IND_SETTABLE1, params,
    1553. 

  1553.                                      OSSL_SIGNATURE_PARAM_FIPS_DIGEST_CHECK))
    1554. 

  1554.         return 0;
    1555. 

  1555. 

  1556.     if (!OSSL_FIPS_IND_SET_CTX_PARAM(prsactx, OSSL_FIPS_IND_SETTABLE2, params,
    1557. 

  1557.                                      OSSL_SIGNATURE_PARAM_FIPS_SIGN_X931_PAD_CHECK))
    1558. 

  1558.         return 0;
    1559. 

  1559. 

  1560.     if (!OSSL_FIPS_IND_SET_CTX_PARAM(prsactx, OSSL_FIPS_IND_SETTABLE3, params,
    1561. 

  1561.                                      OSSL_SIGNATURE_PARAM_FIPS_RSA_PSS_SALTLEN_CHECK))
    1562. 

  1562.         return 0;
    1563. 

  1563. 

  1564.     pad_mode = prsactx->pad_mode;
    1565. 

  1565.     saltlen = prsactx->saltlen;
    1566. 

  1566. 

  1567.     p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_DIGEST);
    1568. 

  1568.     if (p != NULL) {
    1569. 

  1569.         const OSSL_PARAM *propsp =
    1570. 

  1570.             OSSL_PARAM_locate_const(params,
    1571. 

  1571.                                     OSSL_SIGNATURE_PARAM_PROPERTIES);
    1572. 

  1572. 

  1573.         pmdname = mdname;
    1574. 

  1574.         if (!OSSL_PARAM_get_utf8_string(p, &pmdname, sizeof(mdname)))
    1575. 

  1575.             return 0;
    1576. 

  1576. 

  1577.         if (propsp != NULL) {
    1578. 

  1578.             pmdprops = mdprops;
    1579. 

  1579.             if (!OSSL_PARAM_get_utf8_string(propsp,
    1580. 

  1580.                                             &pmdprops, sizeof(mdprops)))
    1581. 

  1581.                 return 0;
    1582. 

  1582.         }
    1583. 

  1583.     }
    1584. 

  1584. 

  1585.     p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_PAD_MODE);
    1586. 

  1586.     if (p != NULL) {
    1587. 

  1587.         const char *err_extra_text = NULL;
    1588. 

  1588. 

  1589.         switch (p->data_type) {
    1590. 

  1590.         case OSSL_PARAM_INTEGER: /* Support for legacy pad mode number */
    1591. 

  1591.             if (!OSSL_PARAM_get_int(p, &pad_mode))
    1592. 

  1592.                 return 0;
    1593. 

  1593.             break;
    1594. 

  1594.         case OSSL_PARAM_UTF8_STRING:
    1595. 

  1595.             {
    1596. 

  1596.                 int i;
    1597. 

  1597. 

  1598.                 if (p->data == NULL)
    1599. 

  1599.                     return 0;
    1600. 

  1600. 

  1601.                 for (i = 0; padding_item[i].id != 0; i++) {
    1602. 

  1602.                     if (strcmp(p->data, padding_item[i].ptr) == 0) {
    1603. 

  1603.                         pad_mode = padding_item[i].id;
    1604. 

  1604.                         break;
    1605. 

  1605.                     }
    1606. 

  1606.                 }
    1607. 

  1607.             }
    1608. 

  1608.             break;
    1609. 

  1609.         default:
    1610. 

  1610.             return 0;
    1611. 

  1611.         }
    1612. 

  1612. 

  1613.         switch (pad_mode) {
    1614. 

  1614.         case RSA_PKCS1_OAEP_PADDING:
    1615. 

  1615.             /*
    1616. 

  1616.              * OAEP padding is for asymmetric cipher only so is not compatible
    1617. 

  1617.              * with signature use.
    1618. 

  1618.              */
    1619. 

  1619.             err_extra_text = "OAEP padding not allowed for signing / verifying";
    1620. 

  1620.             goto bad_pad;
    1621. 

  1621.         case RSA_PKCS1_PSS_PADDING:
    1622. 

  1622.             if ((prsactx->operation
    1623. 

  1623.                  & (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_SIGNMSG
    1624. 

  1624.                     | EVP_PKEY_OP_VERIFY | EVP_PKEY_OP_VERIFYMSG)) == 0) {
    1625. 

  1625.                 err_extra_text =
    1626. 

  1626.                     "PSS padding only allowed for sign and verify operations";
    1627. 

  1627.                 goto bad_pad;
    1628. 

  1628.             }
    1629. 

  1629.             break;
    1630. 

  1630.         case RSA_PKCS1_PADDING:
    1631. 

  1631.             err_extra_text = "PKCS#1 padding not allowed with RSA-PSS";
    1632. 

  1632.             goto cont;
    1633. 

  1633.         case RSA_NO_PADDING:
    1634. 

  1634.             err_extra_text = "No padding not allowed with RSA-PSS";
    1635. 

  1635.             goto cont;
    1636. 

  1636.         case RSA_X931_PADDING:
    1637. 

  1637. #ifdef FIPS_MODULE
    1638. 

  1638.             /* X9.31 only allows sizes of 1024 + 256 * s (bits) */
    1639. 

  1639.             if ((RSA_bits(prsactx->rsa) & 0xFF) != 0) {
    1640. 

  1640.                 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
    1641. 

  1641.                 return 0;
    1642. 

  1642.             }
    1643. 

  1643.             /* RSA Signing with X9.31 padding is not allowed in FIPS 140-3 */
    1644. 

  1644.             if (!rsa_x931_padding_allowed(prsactx))
    1645. 

  1645.                 return 0;
    1646. 

  1646. #endif
    1647. 

  1647.             err_extra_text = "X.931 padding not allowed with RSA-PSS";
    1648. 

  1648.         cont:
    1649. 

  1649.             if (RSA_test_flags(prsactx->rsa,
    1650. 

  1650.                                RSA_FLAG_TYPE_MASK) == RSA_FLAG_TYPE_RSA)
    1651. 

  1651.                 break;
    1652. 

  1652.             /* FALLTHRU */
    1653. 

  1653.         default:
    1654. 

  1654.         bad_pad:
    1655. 

  1655.             if (err_extra_text == NULL)
    1656. 

  1656.                 ERR_raise(ERR_LIB_PROV,
    1657. 

  1657.                           PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
    1658. 

  1658.             else
    1659. 

  1659.                 ERR_raise_data(ERR_LIB_PROV,
    1660. 

  1660.                                PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE,
    1661. 

  1661.                                err_extra_text);
    1662. 

  1662.             return 0;
    1663. 

  1663.         }
    1664. 

  1664.     }
    1665. 

  1665. 

  1666.     p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_PSS_SALTLEN);
    1667. 

  1667.     if (p != NULL) {
    1668. 

  1668.         if (pad_mode != RSA_PKCS1_PSS_PADDING) {
    1669. 

  1669.             ERR_raise_data(ERR_LIB_PROV, PROV_R_NOT_SUPPORTED,
    1670. 

  1670.                            "PSS saltlen can only be specified if "
    1671. 

  1671.                            "PSS padding has been specified first");
    1672. 

  1672.             return 0;
    1673. 

  1673.         }
    1674. 

  1674. 

  1675.         switch (p->data_type) {
    1676. 

  1676.         case OSSL_PARAM_INTEGER: /* Support for legacy pad mode number */
    1677. 

  1677.             if (!OSSL_PARAM_get_int(p, &saltlen))
    1678. 

  1678.                 return 0;
    1679. 

  1679.             break;
    1680. 

  1680.         case OSSL_PARAM_UTF8_STRING:
    1681. 

  1681.             if (strcmp(p->data, OSSL_PKEY_RSA_PSS_SALT_LEN_DIGEST) == 0)
    1682. 

  1682.                 saltlen = RSA_PSS_SALTLEN_DIGEST;
    1683. 

  1683.             else if (strcmp(p->data, OSSL_PKEY_RSA_PSS_SALT_LEN_MAX) == 0)
    1684. 

  1684.                 saltlen = RSA_PSS_SALTLEN_MAX;
    1685. 

  1685.             else if (strcmp(p->data, OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO) == 0)
    1686. 

  1686.                 saltlen = RSA_PSS_SALTLEN_AUTO;
    1687. 

  1687.             else if (strcmp(p->data, OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX) == 0)
    1688. 

  1688.                 saltlen = RSA_PSS_SALTLEN_AUTO_DIGEST_MAX;
    1689. 

  1689.             else
    1690. 

  1690.                 saltlen = atoi(p->data);
    1691. 

  1691.             break;
    1692. 

  1692.         default:
    1693. 

  1693.             return 0;
    1694. 

  1694.         }
    1695. 

  1695. 

  1696.         /*
    1697. 

  1697.          * RSA_PSS_SALTLEN_AUTO_DIGEST_MAX seems curiously named in this check.
    1698. 

  1698.          * Contrary to what it's name suggests, it's the currently lowest
    1699. 

  1699.          * saltlen number possible.
    1700. 

  1700.          */
    1701. 

  1701.         if (saltlen < RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) {
    1702. 

  1702.             ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH);
    1703. 

  1703.             return 0;
    1704. 

  1704.         }
    1705. 

  1705. 

  1706.         if (rsa_pss_restricted(prsactx)) {
    1707. 

  1707.             switch (saltlen) {
    1708. 

  1708.             case RSA_PSS_SALTLEN_AUTO:
    1709. 

  1709.             case RSA_PSS_SALTLEN_AUTO_DIGEST_MAX:
    1710. 

  1710.                 if ((prsactx->operation
    1711. 

  1711.                      & (EVP_PKEY_OP_VERIFY | EVP_PKEY_OP_VERIFYMSG)) == 0) {
    1712. 

  1712.                     ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH,
    1713. 

  1713.                                    "Cannot use autodetected salt length");
    1714. 

  1714.                     return 0;
    1715. 

  1715.                 }
    1716. 

  1716.                 break;
    1717. 

  1717.             case RSA_PSS_SALTLEN_DIGEST:
    1718. 

  1718.                 if (prsactx->min_saltlen > EVP_MD_get_size(prsactx->md)) {
    1719. 

  1719.                     ERR_raise_data(ERR_LIB_PROV,
    1720. 

  1720.                                    PROV_R_PSS_SALTLEN_TOO_SMALL,
    1721. 

  1721.                                    "Should be more than %d, but would be "
    1722. 

  1722.                                    "set to match digest size (%d)",
    1723. 

  1723.                                    prsactx->min_saltlen,
    1724. 

  1724.                                    EVP_MD_get_size(prsactx->md));
    1725. 

  1725.                     return 0;
    1726. 

  1726.                 }
    1727. 

  1727.                 break;
    1728. 

  1728.             default:
    1729. 

  1729.                 if (saltlen >= 0 && saltlen < prsactx->min_saltlen) {
    1730. 

  1730.                     ERR_raise_data(ERR_LIB_PROV,
    1731. 

  1731.                                    PROV_R_PSS_SALTLEN_TOO_SMALL,
    1732. 

  1732.                                    "Should be more than %d, "
    1733. 

  1733.                                    "but would be set to %d",
    1734. 

  1734.                                    prsactx->min_saltlen, saltlen);
    1735. 

  1735.                     return 0;
    1736. 

  1736.                 }
    1737. 

  1737.             }
    1738. 

  1738.         }
    1739. 

  1739.     }
    1740. 

  1740. 

  1741.     p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_MGF1_DIGEST);
    1742. 

  1742.     if (p != NULL) {
    1743. 

  1743.         const OSSL_PARAM *propsp =
    1744. 

  1744.             OSSL_PARAM_locate_const(params,
    1745. 

  1745.                                     OSSL_SIGNATURE_PARAM_MGF1_PROPERTIES);
    1746. 

  1746. 

  1747.         pmgf1mdname = mgf1mdname;
    1748. 

  1748.         if (!OSSL_PARAM_get_utf8_string(p, &pmgf1mdname, sizeof(mgf1mdname)))
    1749. 

  1749.             return 0;
    1750. 

  1750. 

  1751.         if (propsp != NULL) {
    1752. 

  1752.             pmgf1mdprops = mgf1mdprops;
    1753. 

  1753.             if (!OSSL_PARAM_get_utf8_string(propsp,
    1754. 

  1754.                                             &pmgf1mdprops, sizeof(mgf1mdprops)))
    1755. 

  1755.                 return 0;
    1756. 

  1756.         }
    1757. 

  1757. 

  1758.         if (pad_mode != RSA_PKCS1_PSS_PADDING) {
    1759. 

  1759.             ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_MGF1_MD);
    1760. 

  1760.             return  0;
    1761. 

  1761.         }
    1762. 

  1762.     }
    1763. 

  1763. 

  1764.     prsactx->saltlen = saltlen;
    1765. 

  1765.     prsactx->pad_mode = pad_mode;
    1766. 

  1766. 

  1767.     if (prsactx->md == NULL && pmdname == NULL
    1768. 

  1768.         && pad_mode == RSA_PKCS1_PSS_PADDING)
    1769. 

  1769.         pmdname = RSA_DEFAULT_DIGEST_NAME;
    1770. 

  1770. 

  1771.     if (pmgf1mdname != NULL
    1772. 

  1772.         && !rsa_setup_mgf1_md(prsactx, pmgf1mdname, pmgf1mdprops))
    1773. 

  1773.         return 0;
    1774. 

  1774. 

  1775.     if (pmdname != NULL) {
    1776. 

  1776.         if (!rsa_setup_md(prsactx, pmdname, pmdprops, "RSA Sign Set Ctx"))
    1777. 

  1777.             return 0;
    1778. 

  1778.     } else {
    1779. 

  1779.         if (!rsa_check_padding(prsactx, NULL, NULL, prsactx->mdnid))
    1780. 

  1780.             return 0;
    1781. 

  1781.     }
    1782. 

  1782.     return 1;
    1783. 

  1783. }
    1784. 

  1784. 

  1785. static const OSSL_PARAM settable_ctx_params[] = {
    1786. 

  1786.     OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, NULL, 0),
    1787. 

  1787.     OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PROPERTIES, NULL, 0),
    1788. 

  1788.     OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PAD_MODE, NULL, 0),
    1789. 

  1789.     OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_DIGEST, NULL, 0),
    1790. 

  1790.     OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_PROPERTIES, NULL, 0),
    1791. 

  1791.     OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL, 0),
    1792. 

  1792.     OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_SIGNATURE_PARAM_FIPS_KEY_CHECK)
    1793. 

  1793.     OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_SIGNATURE_PARAM_FIPS_DIGEST_CHECK)
    1794. 

  1794.     OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_SIGNATURE_PARAM_FIPS_RSA_PSS_SALTLEN_CHECK)
    1795. 

  1795.     OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_SIGNATURE_PARAM_FIPS_SIGN_X931_PAD_CHECK)
    1796. 

  1796.     OSSL_PARAM_END
    1797. 

  1797. };
    1798. 

  1798. 

  1799. static const OSSL_PARAM settable_ctx_params_no_digest[] = {
    1800. 

  1800.     OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PAD_MODE, NULL, 0),
    1801. 

  1801.     OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_DIGEST, NULL, 0),
    1802. 

  1802.     OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_PROPERTIES, NULL, 0),
    1803. 

  1803.     OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL, 0),
    1804. 

  1804.     OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_SIGNATURE_PARAM_FIPS_KEY_CHECK)
    1805. 

  1805.     OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_SIGNATURE_PARAM_FIPS_DIGEST_CHECK)
    1806. 

  1806.     OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_SIGNATURE_PARAM_FIPS_RSA_PSS_SALTLEN_CHECK)
    1807. 

  1807.     OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_SIGNATURE_PARAM_FIPS_SIGN_X931_PAD_CHECK)
    1808. 

  1808.     OSSL_PARAM_END
    1809. 

  1809. };
    1810. 

  1810. 

  1811. static const OSSL_PARAM *rsa_settable_ctx_params(void *vprsactx,
    1812. 

  1812.                                                  ossl_unused void *provctx)
    1813. 

  1813. {
    1814. 

  1814.     PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
    1815. 

  1815. 

  1816.     if (prsactx != NULL && !prsactx->flag_allow_md)
    1817. 

  1817.         return settable_ctx_params_no_digest;
    1818. 

  1818.     return settable_ctx_params;
    1819. 

  1819. }
    1820. 

  1820. 

  1821. static int rsa_get_ctx_md_params(void *vprsactx, OSSL_PARAM *params)
    1822. 

  1822. {
    1823. 

  1823.     PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
    1824. 

  1824. 

  1825.     if (prsactx->mdctx == NULL)
    1826. 

  1826.         return 0;
    1827. 

  1827. 

  1828.     return EVP_MD_CTX_get_params(prsactx->mdctx, params);
    1829. 

  1829. }
    1830. 

  1830. 

  1831. static const OSSL_PARAM *rsa_gettable_ctx_md_params(void *vprsactx)
    1832. 

  1832. {
    1833. 

  1833.     PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
    1834. 

  1834. 

  1835.     if (prsactx->md == NULL)
    1836. 

  1836.         return 0;
    1837. 

  1837. 

  1838.     return EVP_MD_gettable_ctx_params(prsactx->md);
    1839. 

  1839. }
    1840. 

  1840. 

  1841. static int rsa_set_ctx_md_params(void *vprsactx, const OSSL_PARAM params[])
    1842. 

  1842. {
    1843. 

  1843.     PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
    1844. 

  1844. 

  1845.     if (prsactx->mdctx == NULL)
    1846. 

  1846.         return 0;
    1847. 

  1847. 

  1848.     return EVP_MD_CTX_set_params(prsactx->mdctx, params);
    1849. 

  1849. }
    1850. 

  1850. 

  1851. static const OSSL_PARAM *rsa_settable_ctx_md_params(void *vprsactx)
    1852. 

  1852. {
    1853. 

  1853.     PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
    1854. 

  1854. 

  1855.     if (prsactx->md == NULL)
    1856. 

  1856.         return 0;
    1857. 

  1857. 

  1858.     return EVP_MD_settable_ctx_params(prsactx->md);
    1859. 

  1859. }
    1860. 

  1860. 

  1861. const OSSL_DISPATCH ossl_rsa_signature_functions[] = {
    1862. 

  1862.     { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))rsa_newctx },
    1863. 

  1863.     { OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))rsa_sign_init },
    1864. 

  1864.     { OSSL_FUNC_SIGNATURE_SIGN, (void (*)(void))rsa_sign },
    1865. 

  1865.     { OSSL_FUNC_SIGNATURE_VERIFY_INIT, (void (*)(void))rsa_verify_init },
    1866. 

  1866.     { OSSL_FUNC_SIGNATURE_VERIFY, (void (*)(void))rsa_verify },
    1867. 

  1867.     { OSSL_FUNC_SIGNATURE_VERIFY_RECOVER_INIT,
    1868. 

  1868.       (void (*)(void))rsa_verify_recover_init },
    1869. 

  1869.     { OSSL_FUNC_SIGNATURE_VERIFY_RECOVER,
    1870. 

  1870.       (void (*)(void))rsa_verify_recover },
    1871. 

  1871.     { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_INIT,
    1872. 

  1872.       (void (*)(void))rsa_digest_sign_init },
    1873. 

  1873.     { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_UPDATE,
    1874. 

  1874.       (void (*)(void))rsa_digest_sign_update },
    1875. 

  1875.     { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_FINAL,
    1876. 

  1876.       (void (*)(void))rsa_digest_sign_final },
    1877. 

  1877.     { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_INIT,
    1878. 

  1878.       (void (*)(void))rsa_digest_verify_init },
    1879. 

  1879.     { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_UPDATE,
    1880. 

  1880.       (void (*)(void))rsa_digest_verify_update },
    1881. 

  1881.     { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_FINAL,
    1882. 

  1882.       (void (*)(void))rsa_digest_verify_final },
    1883. 

  1883.     { OSSL_FUNC_SIGNATURE_FREECTX, (void (*)(void))rsa_freectx },
    1884. 

  1884.     { OSSL_FUNC_SIGNATURE_DUPCTX, (void (*)(void))rsa_dupctx },
    1885. 

  1885.     { OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, (void (*)(void))rsa_get_ctx_params },
    1886. 

  1886.     { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS,
    1887. 

  1887.       (void (*)(void))rsa_gettable_ctx_params },
    1888. 

  1888.     { OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS, (void (*)(void))rsa_set_ctx_params },
    1889. 

  1889.     { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS,
    1890. 

  1890.       (void (*)(void))rsa_settable_ctx_params },
    1891. 

  1891.     { OSSL_FUNC_SIGNATURE_GET_CTX_MD_PARAMS,
    1892. 

  1892.       (void (*)(void))rsa_get_ctx_md_params },
    1893. 

  1893.     { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_MD_PARAMS,
    1894. 

  1894.       (void (*)(void))rsa_gettable_ctx_md_params },
    1895. 

  1895.     { OSSL_FUNC_SIGNATURE_SET_CTX_MD_PARAMS,
    1896. 

  1896.       (void (*)(void))rsa_set_ctx_md_params },
    1897. 

  1897.     { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_MD_PARAMS,
    1898. 

  1898.       (void (*)(void))rsa_settable_ctx_md_params },
    1899. 

  1899.     OSSL_DISPATCH_END
    1900. 

  1900. };
    1901. 

  1901. 

  1902. /* ------------------------------------------------------------------ */
    1903. 

  1903. 

  1904. /*
    1905. 

  1905.  * So called sigalgs (composite RSA+hash) implemented below.  They
    1906. 

  1906.  * are pretty much hard coded, and rely on the hash implementation
    1907. 

  1907.  * being available as per what OPENSSL_NO_ macros allow.
    1908. 

  1908.  */
    1909. 

  1909. 

  1910. static OSSL_FUNC_signature_query_key_types_fn rsa_sigalg_query_key_types;
    1911. 

  1911. static OSSL_FUNC_signature_settable_ctx_params_fn rsa_sigalg_settable_ctx_params;
    1912. 

  1912. static OSSL_FUNC_signature_set_ctx_params_fn rsa_sigalg_set_ctx_params;
    1913. 

  1913. 

  1914. /*
    1915. 

  1915.  * rsa_sigalg_signverify_init() is almost like rsa_digest_signverify_init(),
    1916. 

  1916.  * just doesn't allow fetching an MD from whatever the user chooses.
    1917. 

  1917.  */
    1918. 

  1918. static int rsa_sigalg_signverify_init(void *vprsactx, void *vrsa,
    1919. 

  1919.                                       OSSL_FUNC_signature_set_ctx_params_fn *set_ctx_params,
    1920. 

  1920.                                       const OSSL_PARAM params[],
    1921. 

  1921.                                       const char *mdname,
    1922. 

  1922.                                       int operation, int pad_mode,
    1923. 

  1923.                                       const char *desc)
    1924. 

  1924. {
    1925. 

  1925.     PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
    1926. 

  1926. 

  1927.     if (!ossl_prov_is_running())
    1928. 

  1928.         return 0;
    1929. 

  1929. 

  1930.     if (!rsa_signverify_init(prsactx, vrsa, set_ctx_params, params, operation,
    1931. 

  1931.                              desc))
    1932. 

  1932.         return 0;
    1933. 

  1933. 

  1934.     /* PSS is currently not supported as a sigalg */
    1935. 

  1935.     if (prsactx->pad_mode == RSA_PKCS1_PSS_PADDING) {
    1936. 

  1936.         ERR_raise(ERR_LIB_RSA, PROV_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
    1937. 

  1937.         return 0;
    1938. 

  1938.     }
    1939. 

  1939. 

  1940.     if (!rsa_setup_md(prsactx, mdname, NULL, desc))
    1941. 

  1941.         return 0;
    1942. 

  1942. 

  1943.     prsactx->pad_mode = pad_mode;
    1944. 

  1944.     prsactx->flag_sigalg = 1;
    1945. 

  1945.     prsactx->flag_allow_md = 0;
    1946. 

  1946. 

  1947.     if (prsactx->mdctx == NULL) {
    1948. 

  1948.         prsactx->mdctx = EVP_MD_CTX_new();
    1949. 

  1949.         if (prsactx->mdctx == NULL)
    1950. 

  1950.             goto error;
    1951. 

  1951.     }
    1952. 

  1952. 

  1953.     if (!EVP_DigestInit_ex2(prsactx->mdctx, prsactx->md, params))
    1954. 

  1954.         goto error;
    1955. 

  1955. 

  1956.     return 1;
    1957. 

  1957. 

  1958.  error:
    1959. 

  1959.     EVP_MD_CTX_free(prsactx->mdctx);
    1960. 

  1960.     prsactx->mdctx = NULL;
    1961. 

  1961.     return 0;
    1962. 

  1962. }
    1963. 

  1963. 

  1964. static const char **rsa_sigalg_query_key_types(void)
    1965. 

  1965. {
    1966. 

  1966.     static const char *keytypes[] = { "RSA", NULL };
    1967. 

  1967. 

  1968.     return keytypes;
    1969. 

  1969. }
    1970. 

  1970. 

  1971. static const OSSL_PARAM settable_sigalg_ctx_params[] = {
    1972. 

  1972.     OSSL_PARAM_octet_string(OSSL_SIGNATURE_PARAM_SIGNATURE, NULL, 0),
    1973. 

  1973.     OSSL_PARAM_END
    1974. 

  1974. };
    1975. 

  1975. 

  1976. static const OSSL_PARAM *rsa_sigalg_settable_ctx_params(void *vprsactx,
    1977. 

  1977.                                                         ossl_unused void *provctx)
    1978. 

  1978. {
    1979. 

  1979.     PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
    1980. 

  1980. 

  1981.     if (prsactx != NULL && prsactx->operation == EVP_PKEY_OP_VERIFYMSG)
    1982. 

  1982.         return settable_sigalg_ctx_params;
    1983. 

  1983.     return NULL;
    1984. 

  1984. }
    1985. 

  1985. 

  1986. static int rsa_sigalg_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
    1987. 

  1987. {
    1988. 

  1988.     PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
    1989. 

  1989.     const OSSL_PARAM *p;
    1990. 

  1990. 

  1991.     if (prsactx == NULL)
    1992. 

  1992.         return 0;
    1993. 

  1993.     if (ossl_param_is_empty(params))
    1994. 

  1994.         return 1;
    1995. 

  1995. 

  1996.     if (prsactx->operation == EVP_PKEY_OP_VERIFYMSG) {
    1997. 

  1997.         p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_SIGNATURE);
    1998. 

  1998.         if (p != NULL) {
    1999. 

  1999.             OPENSSL_free(prsactx->sig);
    2000. 

  2000.             prsactx->sig = NULL;
    2001. 

  2001.             prsactx->siglen = 0;
    2002. 

  2002.             if (!OSSL_PARAM_get_octet_string(p, (void **)&prsactx->sig,
    2003. 

  2003.                                              0, &prsactx->siglen))
    2004. 

  2004.                 return 0;
    2005. 

  2005.         }
    2006. 

  2006.     }
    2007. 

  2007.     return 1;
    2008. 

  2008. }
    2009. 

  2009. 

  2010. #define IMPL_RSA_SIGALG(md, MD)                                         \
    2011. 

  2011.     static OSSL_FUNC_signature_sign_init_fn rsa_##md##_sign_init;       \
    2012. 

  2012.     static OSSL_FUNC_signature_sign_message_init_fn                     \
    2013. 

  2013.         rsa_##md##_sign_message_init;                                   \
    2014. 

  2014.     static OSSL_FUNC_signature_verify_init_fn rsa_##md##_verify_init;   \
    2015. 

  2015.     static OSSL_FUNC_signature_verify_message_init_fn                   \
    2016. 

  2016.         rsa_##md##_verify_message_init;                                 \
    2017. 

  2017.                                                                         \
    2018. 

  2018.     static int                                                          \
    2019. 

  2019.     rsa_##md##_sign_init(void *vprsactx, void *vrsa,                    \
    2020. 

  2020.                          const OSSL_PARAM params[])                     \
    2021. 

  2021.     {                                                                   \
    2022. 

  2022.         static const char desc[] = "RSA Sigalg Sign Init";              \
    2023. 

  2023.                                                                         \
    2024. 

  2024.         return rsa_sigalg_signverify_init(vprsactx, vrsa,               \
    2025. 

  2025.                                           rsa_sigalg_set_ctx_params,    \
    2026. 

  2026.                                           params, #MD,                  \
    2027. 

  2027.                                           EVP_PKEY_OP_SIGN,             \
    2028. 

  2028.                                           RSA_PKCS1_PADDING,            \
    2029. 

  2029.                                           desc);                        \
    2030. 

  2030.     }                                                                   \
    2031. 

  2031.                                                                         \
    2032. 

  2032.     static int                                                          \
    2033. 

  2033.     rsa_##md##_sign_message_init(void *vprsactx, void *vrsa,            \
    2034. 

  2034.                                  const OSSL_PARAM params[])             \
    2035. 

  2035.     {                                                                   \
    2036. 

  2036.         static const char desc[] = "RSA Sigalg Sign Message Init";      \
    2037. 

  2037.                                                                         \
    2038. 

  2038.         return rsa_sigalg_signverify_init(vprsactx, vrsa,               \
    2039. 

  2039.                                           rsa_sigalg_set_ctx_params,    \
    2040. 

  2040.                                           params, #MD,                  \
    2041. 

  2041.                                           EVP_PKEY_OP_SIGNMSG,          \
    2042. 

  2042.                                           RSA_PKCS1_PADDING,            \
    2043. 

  2043.                                           desc);                        \
    2044. 

  2044.     }                                                                   \
    2045. 

  2045.                                                                         \
    2046. 

  2046.     static int                                                          \
    2047. 

  2047.     rsa_##md##_verify_init(void *vprsactx, void *vrsa,                  \
    2048. 

  2048.                            const OSSL_PARAM params[])                   \
    2049. 

  2049.     {                                                                   \
    2050. 

  2050.         static const char desc[] = "RSA Sigalg Verify Init";            \
    2051. 

  2051.                                                                         \
    2052. 

  2052.         return rsa_sigalg_signverify_init(vprsactx, vrsa,               \
    2053. 

  2053.                                           rsa_sigalg_set_ctx_params,    \
    2054. 

  2054.                                           params, #MD,                  \
    2055. 

  2055.                                           EVP_PKEY_OP_VERIFY,           \
    2056. 

  2056.                                           RSA_PKCS1_PADDING,            \
    2057. 

  2057.                                           desc);                        \
    2058. 

  2058.     }                                                                   \
    2059. 

  2059.                                                                         \
    2060. 

  2060.     static int                                                          \
    2061. 

  2061.     rsa_##md##_verify_recover_init(void *vprsactx, void *vrsa,          \
    2062. 

  2062.                                    const OSSL_PARAM params[])           \
    2063. 

  2063.     {                                                                   \
    2064. 

  2064.         static const char desc[] = "RSA Sigalg Verify Recover Init";    \
    2065. 

  2065.                                                                         \
    2066. 

  2066.         return rsa_sigalg_signverify_init(vprsactx, vrsa,               \
    2067. 

  2067.                                           rsa_sigalg_set_ctx_params,    \
    2068. 

  2068.                                           params, #MD,                  \
    2069. 

  2069.                                           EVP_PKEY_OP_VERIFYRECOVER,    \
    2070. 

  2070.                                           RSA_PKCS1_PADDING,            \
    2071. 

  2071.                                           desc);                        \
    2072. 

  2072.     }                                                                   \
    2073. 

  2073.                                                                         \
    2074. 

  2074.     static int                                                          \
    2075. 

  2075.     rsa_##md##_verify_message_init(void *vprsactx, void *vrsa,          \
    2076. 

  2076.                                    const OSSL_PARAM params[])           \
    2077. 

  2077.     {                                                                   \
    2078. 

  2078.         static const char desc[] = "RSA Sigalg Verify Message Init";    \
    2079. 

  2079.                                                                         \
    2080. 

  2080.         return rsa_sigalg_signverify_init(vprsactx, vrsa,               \
    2081. 

  2081.                                           rsa_sigalg_set_ctx_params,    \
    2082. 

  2082.                                           params, #MD,                  \
    2083. 

  2083.                                           EVP_PKEY_OP_VERIFYMSG,        \
    2084. 

  2084.                                           RSA_PKCS1_PADDING,            \
    2085. 

  2085.                                           desc);                        \
    2086. 

  2086.     }                                                                   \
    2087. 

  2087.                                                                         \
    2088. 

  2088.     const OSSL_DISPATCH ossl_rsa_##md##_signature_functions[] = {       \
    2089. 

  2089.         { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))rsa_newctx },     \
    2090. 

  2090.         { OSSL_FUNC_SIGNATURE_SIGN_INIT,                                \
    2091. 

  2091.           (void (*)(void))rsa_##md##_sign_init },                       \
    2092. 

  2092.         { OSSL_FUNC_SIGNATURE_SIGN, (void (*)(void))rsa_sign },         \
    2093. 

  2093.         { OSSL_FUNC_SIGNATURE_SIGN_MESSAGE_INIT,                        \
    2094. 

  2094.           (void (*)(void))rsa_##md##_sign_message_init },               \
    2095. 

  2095.         { OSSL_FUNC_SIGNATURE_SIGN_MESSAGE_UPDATE,                      \
    2096. 

  2096.           (void (*)(void))rsa_signverify_message_update },              \
    2097. 

  2097.         { OSSL_FUNC_SIGNATURE_SIGN_MESSAGE_FINAL,                       \
    2098. 

  2098.           (void (*)(void))rsa_sign_message_final },                     \
    2099. 

  2099.         { OSSL_FUNC_SIGNATURE_VERIFY_INIT,                              \
    2100. 

  2100.           (void (*)(void))rsa_##md##_verify_init },                     \
    2101. 

  2101.         { OSSL_FUNC_SIGNATURE_VERIFY,                                   \
    2102. 

  2102.           (void (*)(void))rsa_verify },                                 \
    2103. 

  2103.         { OSSL_FUNC_SIGNATURE_VERIFY_MESSAGE_INIT,                      \
    2104. 

  2104.           (void (*)(void))rsa_##md##_verify_message_init },             \
    2105. 

  2105.         { OSSL_FUNC_SIGNATURE_VERIFY_MESSAGE_UPDATE,                    \
    2106. 

  2106.           (void (*)(void))rsa_signverify_message_update },              \
    2107. 

  2107.         { OSSL_FUNC_SIGNATURE_VERIFY_MESSAGE_FINAL,                     \
    2108. 

  2108.           (void (*)(void))rsa_verify_message_final },                   \
    2109. 

  2109.         { OSSL_FUNC_SIGNATURE_VERIFY_RECOVER_INIT,                      \
    2110. 

  2110.           (void (*)(void))rsa_##md##_verify_recover_init },             \
    2111. 

  2111.         { OSSL_FUNC_SIGNATURE_VERIFY_RECOVER,                           \
    2112. 

  2112.           (void (*)(void))rsa_verify_recover },                         \
    2113. 

  2113.         { OSSL_FUNC_SIGNATURE_FREECTX, (void (*)(void))rsa_freectx },   \
    2114. 

  2114.         { OSSL_FUNC_SIGNATURE_DUPCTX, (void (*)(void))rsa_dupctx },     \
    2115. 

  2115.         { OSSL_FUNC_SIGNATURE_QUERY_KEY_TYPES,                          \
    2116. 

  2116.           (void (*)(void))rsa_sigalg_query_key_types },                 \
    2117. 

  2117.         { OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS,                           \
    2118. 

  2118.           (void (*)(void))rsa_get_ctx_params },                         \
    2119. 

  2119.         { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS,                      \
    2120. 

  2120.           (void (*)(void))rsa_gettable_ctx_params },                    \
    2121. 

  2121.         { OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS,                           \
    2122. 

  2122.           (void (*)(void))rsa_sigalg_set_ctx_params },                  \
    2123. 

  2123.         { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS,                      \
    2124. 

  2124.           (void (*)(void))rsa_sigalg_settable_ctx_params },             \
    2125. 

  2125.         OSSL_DISPATCH_END                                               \
    2126. 

  2126.     }
    2127. 

  2127. 

  2128. #if !defined(OPENSSL_NO_RMD160) && !defined(FIPS_MODULE)
    2129. 

  2129. IMPL_RSA_SIGALG(ripemd160, RIPEMD160);
    2130. 

  2130. #endif
    2131. 

  2131. IMPL_RSA_SIGALG(sha1, SHA1);
    2132. 

  2132. IMPL_RSA_SIGALG(sha224, SHA2-224);
    2133. 

  2133. IMPL_RSA_SIGALG(sha256, SHA2-256);
    2134. 

  2134. IMPL_RSA_SIGALG(sha384, SHA2-384);
    2135. 

  2135. IMPL_RSA_SIGALG(sha512, SHA2-512);
    2136. 

  2136. IMPL_RSA_SIGALG(sha512_224, SHA2-512/224);
    2137. 

  2137. IMPL_RSA_SIGALG(sha512_256, SHA2-512/256);
    2138. 

  2138. IMPL_RSA_SIGALG(sha3_224, SHA3-224);
    2139. 

  2139. IMPL_RSA_SIGALG(sha3_256, SHA3-256);
    2140. 

  2140. IMPL_RSA_SIGALG(sha3_384, SHA3-384);
    2141. 

  2141. IMPL_RSA_SIGALG(sha3_512, SHA3-512);
    2142. 

  2142. #if !defined(OPENSSL_NO_SM3) && !defined(FIPS_MODULE)
    2143. 

  2143. IMPL_RSA_SIGALG(sm3, SM3);
    2144. 

  2144. #endif
    2145.