]> git.ipfire.org Git - thirdparty/openssl.git/blame - providers/implementations/signature/rsa_sig.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Fix size_t/int mismatch in cms_ec.c and rsa_sig.c
[thirdparty/openssl.git] / providers / implementations / signature / rsa_sig.c
CommitLineData
6f4b7663 1/*
fecb3aae 2 * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
6f4b7663
RL		 3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10/*
11 * RSA low level APIs are deprecated for public use, but still ok for
12 * internal use.
13 */
14#include "internal/deprecated.h"
15
16#include <string.h>
17#include <openssl/crypto.h>
23c48d94 18#include <openssl/core_dispatch.h>
6f4b7663
RL		 19#include <openssl/core_names.h>
20#include <openssl/err.h>
21#include <openssl/rsa.h>
22#include <openssl/params.h>
23#include <openssl/evp.h>
2741128e 24#include <openssl/proverr.h>
6f4b7663
RL		 25#include "internal/cryptlib.h"
26#include "internal/nelem.h"
27#include "internal/sizes.h"
28#include "crypto/rsa.h"
f590a5ea 29#include "prov/providercommon.h"
6f4b7663
RL		 30#include "prov/implementations.h"
31#include "prov/provider_ctx.h"
6f5837dc 32#include "prov/der_rsa.h"
7a810fac 33#include "prov/securitycheck.h"
3f699197
SL		 34
35#define RSA_DEFAULT_DIGEST_NAME OSSL_DIGEST_NAME_SHA1
6f4b7663 36
363b1e5d
DMSP		 37static OSSL_FUNC_signature_newctx_fn rsa_newctx;
38static OSSL_FUNC_signature_sign_init_fn rsa_sign_init;
39static OSSL_FUNC_signature_verify_init_fn rsa_verify_init;
40static OSSL_FUNC_signature_verify_recover_init_fn rsa_verify_recover_init;
41static OSSL_FUNC_signature_sign_fn rsa_sign;
42static OSSL_FUNC_signature_verify_fn rsa_verify;
43static OSSL_FUNC_signature_verify_recover_fn rsa_verify_recover;
44static OSSL_FUNC_signature_digest_sign_init_fn rsa_digest_sign_init;
45static OSSL_FUNC_signature_digest_sign_update_fn rsa_digest_signverify_update;
46static OSSL_FUNC_signature_digest_sign_final_fn rsa_digest_sign_final;
47static OSSL_FUNC_signature_digest_verify_init_fn rsa_digest_verify_init;
48static OSSL_FUNC_signature_digest_verify_update_fn rsa_digest_signverify_update;
49static OSSL_FUNC_signature_digest_verify_final_fn rsa_digest_verify_final;
50static OSSL_FUNC_signature_freectx_fn rsa_freectx;
51static OSSL_FUNC_signature_dupctx_fn rsa_dupctx;
52static OSSL_FUNC_signature_get_ctx_params_fn rsa_get_ctx_params;
53static OSSL_FUNC_signature_gettable_ctx_params_fn rsa_gettable_ctx_params;
54static OSSL_FUNC_signature_set_ctx_params_fn rsa_set_ctx_params;
55static OSSL_FUNC_signature_settable_ctx_params_fn rsa_settable_ctx_params;
56static OSSL_FUNC_signature_get_ctx_md_params_fn rsa_get_ctx_md_params;
57static OSSL_FUNC_signature_gettable_ctx_md_params_fn rsa_gettable_ctx_md_params;
58static OSSL_FUNC_signature_set_ctx_md_params_fn rsa_set_ctx_md_params;
59static OSSL_FUNC_signature_settable_ctx_md_params_fn rsa_settable_ctx_md_params;
6f4b7663
RL		 60
61static OSSL_ITEM padding_item[] = {
b8086652 62 { RSA_PKCS1_PADDING, OSSL_PKEY_RSA_PAD_MODE_PKCSV15 },
b8086652
SL		 63 { RSA_NO_PADDING, OSSL_PKEY_RSA_PAD_MODE_NONE },
64 { RSA_X931_PADDING, OSSL_PKEY_RSA_PAD_MODE_X931 },
65 { RSA_PKCS1_PSS_PADDING, OSSL_PKEY_RSA_PAD_MODE_PSS },
6f4b7663
RL		 66 { 0, NULL }
67};
68
69/*
70 * What's passed as an actual key is defined by the KEYMGMT interface.
71 * We happen to know that our KEYMGMT simply passes RSA structures, so
72 * we use that here too.
73 */
74
75typedef struct {
b4250010 76 OSSL_LIB_CTX *libctx;
2c6094ba 77 char *propq;
6f4b7663 78 RSA *rsa;
0ec36bf1 79 int operation;
6f4b7663
RL		 80
81 /*
82 * Flag to determine if the hash function can be changed (1) or not (0)
83 * Because it's dangerous to change during a DigestSign or DigestVerify
84 * operation, this flag is cleared by their Init function, and set again
85 * by their Final function.
86 */
87 unsigned int flag_allow_md : 1;
bbde8566 88 unsigned int mgf1_md_set : 1;
6f4b7663
RL		 89
90 /* main digest */
91 EVP_MD *md;
92 EVP_MD_CTX *mdctx;
93 int mdnid;
94 char mdname[OSSL_MAX_NAME_SIZE]; /* Purely informational */
95
96 /* RSA padding mode */
97 int pad_mode;
98 /* message digest for MGF1 */
99 EVP_MD *mgf1_md;
bbde8566 100 int mgf1_mdnid;
6f4b7663
RL		 101 char mgf1_mdname[OSSL_MAX_NAME_SIZE]; /* Purely informational */
102 /* PSS salt length */
103 int saltlen;
104 /* Minimum salt length or -1 if no PSS parameter restriction */
105 int min_saltlen;
106
107 /* Temp buffer */
108 unsigned char *tbuf;
109
110} PROV_RSA_CTX;
111
bbde8566
TM		 112/* True if PSS parameters are restricted */
113#define rsa_pss_restricted(prsactx) (prsactx->min_saltlen != -1)
114
6f4b7663
RL		 115static size_t rsa_get_md_size(const PROV_RSA_CTX *prsactx)
116{
117 if (prsactx->md != NULL)
ed576acd 118 return EVP_MD_get_size(prsactx->md);
6f4b7663
RL		 119 return 0;
120}
121
bbde8566
TM		 122static int rsa_check_padding(const PROV_RSA_CTX *prsactx,
123 const char *mdname, const char *mgf1_mdname,
124 int mdnid)
6f4b7663 125{
1287dabd 126 switch (prsactx->pad_mode) {
bbde8566 127 case RSA_NO_PADDING:
07d189ce
TM		 128 if (mdname != NULL || mdnid != NID_undef) {
129 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE);
130 return 0;
131 }
132 break;
bbde8566
TM		 133 case RSA_X931_PADDING:
134 if (RSA_X931_hash_id(mdnid) == -1) {
135 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_X931_DIGEST);
136 return 0;
137 }
138 break;
139 case RSA_PKCS1_PSS_PADDING:
140 if (rsa_pss_restricted(prsactx))
141 if ((mdname != NULL && !EVP_MD_is_a(prsactx->md, mdname))
142 || (mgf1_mdname != NULL
143 && !EVP_MD_is_a(prsactx->mgf1_md, mgf1_mdname))) {
144 ERR_raise(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED);
145 return 0;
146 }
147 break;
148 default:
149 break;
6f4b7663
RL		 150 }
151
152 return 1;
153}
154
bbde8566 155static int rsa_check_parameters(PROV_RSA_CTX *prsactx, int min_saltlen)
2d553660
RL		 156{
157 if (prsactx->pad_mode == RSA_PKCS1_PSS_PADDING) {
158 int max_saltlen;
159
160 /* See if minimum salt length exceeds maximum possible */
ed576acd 161 max_saltlen = RSA_size(prsactx->rsa) - EVP_MD_get_size(prsactx->md);
2d553660
RL		 162 if ((RSA_bits(prsactx->rsa) & 0x7) == 1)
163 max_saltlen--;
bbde8566 164 if (min_saltlen < 0 || min_saltlen > max_saltlen) {
2d553660
RL		 165 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH);
166 return 0;
167 }
bbde8566 168 prsactx->min_saltlen = min_saltlen;
2d553660
RL		 169 }
170 return 1;
171}
172
2c6094ba 173static void *rsa_newctx(void *provctx, const char *propq)
6f4b7663 174{
2d553660
RL		 175 PROV_RSA_CTX *prsactx = NULL;
176 char *propq_copy = NULL;
6f4b7663 177
f590a5ea
P		 178 if (!ossl_prov_is_running())
179 return NULL;
180
2d553660
RL		 181 if ((prsactx = OPENSSL_zalloc(sizeof(PROV_RSA_CTX))) == NULL
182 || (propq != NULL
183 && (propq_copy = OPENSSL_strdup(propq)) == NULL)) {
184 OPENSSL_free(prsactx);
6f4b7663 185 return NULL;
2d553660 186 }
6f4b7663 187
a829b735 188 prsactx->libctx = PROV_LIBCTX_OF(provctx);
6f4b7663 189 prsactx->flag_allow_md = 1;
2d553660 190 prsactx->propq = propq_copy;
6c73ca4a
CL		 191 /* Maximum up to digest length for sign, auto for verify */
192 prsactx->saltlen = RSA_PSS_SALTLEN_AUTO_DIGEST_MAX;
eaae5d69 193 prsactx->min_saltlen = -1;
6f4b7663
RL		 194 return prsactx;
195}
196
bbde8566
TM		 197static int rsa_pss_compute_saltlen(PROV_RSA_CTX *ctx)
198{
199 int saltlen = ctx->saltlen;
6c73ca4a
CL		 200 int saltlenMax = -1;
201
202 /* FIPS 186-4 section 5 "The RSA Digital Signature Algorithm", subsection
203 * 5.5 "PKCS #1" says: "For RSASSA-PSS […] the length (in bytes) of the
204 * salt (sLen) shall satisfy 0 <= sLen <= hLen, where hLen is the length of
205 * the hash function output block (in bytes)."
206 *
207 * Provide a way to use at most the digest length, so that the default does
208 * not violate FIPS 186-4. */
bbde8566 209 if (saltlen == RSA_PSS_SALTLEN_DIGEST) {
ed576acd 210 saltlen = EVP_MD_get_size(ctx->md);
6c73ca4a
CL		 211 } else if (saltlen == RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) {
212 saltlen = RSA_PSS_SALTLEN_MAX;
213 saltlenMax = EVP_MD_get_size(ctx->md);
214 }
215 if (saltlen == RSA_PSS_SALTLEN_MAX || saltlen == RSA_PSS_SALTLEN_AUTO) {
ed576acd 216 saltlen = RSA_size(ctx->rsa) - EVP_MD_get_size(ctx->md) - 2;
bbde8566
TM		 217 if ((RSA_bits(ctx->rsa) & 0x7) == 1)
218 saltlen--;
6c73ca4a
CL		 219 if (saltlenMax >= 0 && saltlen > saltlenMax)
220 saltlen = saltlenMax;
bbde8566
TM		 221 }
222 if (saltlen < 0) {
223 ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);
224 return -1;
225 } else if (saltlen < ctx->min_saltlen) {
226 ERR_raise_data(ERR_LIB_PROV, PROV_R_PSS_SALTLEN_TOO_SMALL,
227 "minimum salt length: %d, actual salt length: %d",
228 ctx->min_saltlen, saltlen);
229 return -1;
230 }
231 return saltlen;
232}
233
234static unsigned char *rsa_generate_signature_aid(PROV_RSA_CTX *ctx,
235 unsigned char *aid_buf,
236 size_t buf_len,
237 size_t *aid_len)
238{
239 WPACKET pkt;
240 unsigned char *aid = NULL;
241 int saltlen;
242 RSA_PSS_PARAMS_30 pss_params;
a56fcf20 243 int ret;
bbde8566
TM		 244
245 if (!WPACKET_init_der(&pkt, aid_buf, buf_len)) {
e077455e 246 ERR_raise(ERR_LIB_PROV, ERR_R_CRYPTO_LIB);
bbde8566
TM		 247 return NULL;
248 }
249
1287dabd 250 switch (ctx->pad_mode) {
a56fcf20
TM		 251 case RSA_PKCS1_PADDING:
252 ret = ossl_DER_w_algorithmIdentifier_MDWithRSAEncryption(&pkt, -1,
253 ctx->mdnid);
254
255 if (ret > 0) {
bbde8566 256 break;
a56fcf20
TM		 257 } else if (ret == 0) {
258 ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);
259 goto cleanup;
260 }
261 ERR_raise_data(ERR_LIB_PROV, ERR_R_UNSUPPORTED,
262 "Algorithm ID generation - md NID: %d",
263 ctx->mdnid);
264 goto cleanup;
265 case RSA_PKCS1_PSS_PADDING:
266 saltlen = rsa_pss_compute_saltlen(ctx);
267 if (saltlen < 0)
bbde8566 268 goto cleanup;
a56fcf20
TM		 269 if (!ossl_rsa_pss_params_30_set_defaults(&pss_params)
270 || !ossl_rsa_pss_params_30_set_hashalg(&pss_params, ctx->mdnid)
271 || !ossl_rsa_pss_params_30_set_maskgenhashalg(&pss_params,
272 ctx->mgf1_mdnid)
273 || !ossl_rsa_pss_params_30_set_saltlen(&pss_params, saltlen)
274 || !ossl_DER_w_algorithmIdentifier_RSA_PSS(&pkt, -1,
275 RSA_FLAG_TYPE_RSASSAPSS,
276 &pss_params)) {
277 ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);
278 goto cleanup;
279 }
280 break;
281 default:
282 ERR_raise_data(ERR_LIB_PROV, ERR_R_UNSUPPORTED,
283 "Algorithm ID generation - pad mode: %d",
284 ctx->pad_mode);
285 goto cleanup;
bbde8566
TM		 286 }
287 if (WPACKET_finish(&pkt)) {
288 WPACKET_get_total_written(&pkt, aid_len);
289 aid = WPACKET_get_curr(&pkt);
290 }
291 cleanup:
292 WPACKET_cleanup(&pkt);
293 return aid;
294}
6f4b7663 295
6f4b7663
RL		 296static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname,
297 const char *mdprops)
298{
2c6094ba
RL		 299 if (mdprops == NULL)
300 mdprops = ctx->propq;
301
6f4b7663 302 if (mdname != NULL) {
3f699197 303 EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops);
49ed5ba8 304 int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
6ce58488
MC		 305 int md_nid = ossl_digest_rsa_sign_get_md_nid(ctx->libctx, md,
306 sha1_allowed);
2de64666 307 size_t mdname_len = strlen(mdname);
6f4b7663 308
6f5837dc 309 if (md == NULL
6a2ab4a9 310 || md_nid <= 0
bbde8566 311 || !rsa_check_padding(ctx, mdname, NULL, md_nid)
2de64666 312 || mdname_len >= sizeof(ctx->mdname)) {
2d553660
RL		 313 if (md == NULL)
314 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
315 "%s could not be fetched", mdname);
6a2ab4a9 316 if (md_nid <= 0)
2d553660
RL		 317 ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED,
318 "digest=%s", mdname);
2de64666
NT		 319 if (mdname_len >= sizeof(ctx->mdname))
320 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
321 "%s exceeds name buffer length", mdname);
6f4b7663
RL		 322 EVP_MD_free(md);
323 return 0;
324 }
325
033e987c
TM		 326 if (!ctx->flag_allow_md) {
327 if (ctx->mdname[0] != '\0' && !EVP_MD_is_a(md, ctx->mdname)) {
328 ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED,
329 "digest %s != %s", mdname, ctx->mdname);
330 EVP_MD_free(md);
331 return 0;
332 }
333 EVP_MD_free(md);
334 return 1;
335 }
336
bbde8566
TM		 337 if (!ctx->mgf1_md_set) {
338 if (!EVP_MD_up_ref(md)) {
339 EVP_MD_free(md);
340 return 0;
341 }
342 EVP_MD_free(ctx->mgf1_md);
343 ctx->mgf1_md = md;
344 ctx->mgf1_mdnid = md_nid;
345 OPENSSL_strlcpy(ctx->mgf1_mdname, mdname, sizeof(ctx->mgf1_mdname));
346 }
347
6f4b7663
RL		 348 EVP_MD_CTX_free(ctx->mdctx);
349 EVP_MD_free(ctx->md);
6f4b7663 350
6f5837dc 351 ctx->mdctx = NULL;
6f4b7663
RL		 352 ctx->md = md;
353 ctx->mdnid = md_nid;
354 OPENSSL_strlcpy(ctx->mdname, mdname, sizeof(ctx->mdname));
6f4b7663
RL		 355 }
356
357 return 1;
358}
359
360static int rsa_setup_mgf1_md(PROV_RSA_CTX *ctx, const char *mdname,
2c6094ba 361 const char *mdprops)
6f4b7663 362{
2de64666 363 size_t len;
3f699197 364 EVP_MD *md = NULL;
bbde8566 365 int mdnid;
2de64666 366
2c6094ba
RL		 367 if (mdprops == NULL)
368 mdprops = ctx->propq;
369
3f699197 370 if ((md = EVP_MD_fetch(ctx->libctx, mdname, mdprops)) == NULL) {
2d553660
RL		 371 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
372 "%s could not be fetched", mdname);
6f4b7663 373 return 0;
2d553660 374 }
49ed5ba8 375 /* The default for mgf1 is SHA1 - so allow SHA1 */
6a2ab4a9 376 if ((mdnid = ossl_digest_rsa_sign_get_md_nid(ctx->libctx, md, 1)) <= 0
bbde8566 377 || !rsa_check_padding(ctx, NULL, mdname, mdnid)) {
6a2ab4a9 378 if (mdnid <= 0)
bbde8566
TM		 379 ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED,
380 "digest=%s", mdname);
3f699197
SL		 381 EVP_MD_free(md);
382 return 0;
383 }
2de64666
NT		 384 len = OPENSSL_strlcpy(ctx->mgf1_mdname, mdname, sizeof(ctx->mgf1_mdname));
385 if (len >= sizeof(ctx->mgf1_mdname)) {
386 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
387 "%s exceeds name buffer length", mdname);
bbde8566 388 EVP_MD_free(md);
2de64666
NT		 389 return 0;
390 }
6f4b7663 391
bbde8566
TM		 392 EVP_MD_free(ctx->mgf1_md);
393 ctx->mgf1_md = md;
394 ctx->mgf1_mdnid = mdnid;
395 ctx->mgf1_md_set = 1;
6f4b7663
RL		 396 return 1;
397}
398
556b8937
P		 399static int rsa_signverify_init(void *vprsactx, void *vrsa,
400 const OSSL_PARAM params[], int operation)
2d553660
RL		 401{
402 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
403
3ffd23e9 404 if (!ossl_prov_is_running() || prsactx == NULL)
f590a5ea
P		 405 return 0;
406
3ffd23e9
TM		 407 if (vrsa == NULL && prsactx->rsa == NULL) {
408 ERR_raise(ERR_LIB_PROV, PROV_R_NO_KEY_SET);
2d553660 409 return 0;
3ffd23e9 410 }
2d553660 411
3ffd23e9
TM		 412 if (vrsa != NULL) {
413 if (!ossl_rsa_check_key(prsactx->libctx, vrsa, operation))
414 return 0;
415
416 if (!RSA_up_ref(vrsa))
417 return 0;
418 RSA_free(prsactx->rsa);
419 prsactx->rsa = vrsa;
420 }
0cfbc828 421
2d553660
RL		 422 prsactx->operation = operation;
423
6c73ca4a
CL		 424 /* Maximize up to digest length for sign, auto for verify */
425 prsactx->saltlen = RSA_PSS_SALTLEN_AUTO_DIGEST_MAX;
2d553660
RL		 426 prsactx->min_saltlen = -1;
427
428 switch (RSA_test_flags(prsactx->rsa, RSA_FLAG_TYPE_MASK)) {
429 case RSA_FLAG_TYPE_RSA:
430 prsactx->pad_mode = RSA_PKCS1_PADDING;
431 break;
432 case RSA_FLAG_TYPE_RSASSAPSS:
433 prsactx->pad_mode = RSA_PKCS1_PSS_PADDING;
434
435 {
436 const RSA_PSS_PARAMS_30 *pss =
23b2fc0b 437 ossl_rsa_get0_pss_params_30(prsactx->rsa);
2d553660 438
23b2fc0b
P		 439 if (!ossl_rsa_pss_params_30_is_unrestricted(pss)) {
440 int md_nid = ossl_rsa_pss_params_30_hashalg(pss);
441 int mgf1md_nid = ossl_rsa_pss_params_30_maskgenhashalg(pss);
442 int min_saltlen = ossl_rsa_pss_params_30_saltlen(pss);
2d553660 443 const char *mdname, *mgf1mdname;
2de64666 444 size_t len;
2d553660 445
23b2fc0b
P		 446 mdname = ossl_rsa_oaeppss_nid2name(md_nid);
447 mgf1mdname = ossl_rsa_oaeppss_nid2name(mgf1md_nid);
2d553660
RL		 448
449 if (mdname == NULL) {
450 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
451 "PSS restrictions lack hash algorithm");
452 return 0;
453 }
454 if (mgf1mdname == NULL) {
455 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
456 "PSS restrictions lack MGF1 hash algorithm");
457 return 0;
458 }
459
2de64666
NT		 460 len = OPENSSL_strlcpy(prsactx->mdname, mdname,
461 sizeof(prsactx->mdname));
462 if (len >= sizeof(prsactx->mdname)) {
463 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
464 "hash algorithm name too long");
465 return 0;
466 }
467 len = OPENSSL_strlcpy(prsactx->mgf1_mdname, mgf1mdname,
468 sizeof(prsactx->mgf1_mdname));
469 if (len >= sizeof(prsactx->mgf1_mdname)) {
470 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
471 "MGF1 hash algorithm name too long");
472 return 0;
473 }
2d553660
RL		 474 prsactx->saltlen = min_saltlen;
475
bbde8566 476 /* call rsa_setup_mgf1_md before rsa_setup_md to avoid duplication */
eaae5d69
TM		 477 if (!rsa_setup_mgf1_md(prsactx, mgf1mdname, prsactx->propq)
478 || !rsa_setup_md(prsactx, mdname, prsactx->propq)
479 || !rsa_check_parameters(prsactx, min_saltlen))
480 return 0;
2d553660
RL		 481 }
482 }
483
484 break;
485 default:
486 ERR_raise(ERR_LIB_RSA, PROV_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
487 return 0;
488 }
489
eaae5d69
TM		 490 if (!rsa_set_ctx_params(prsactx, params))
491 return 0;
492
2d553660
RL		 493 return 1;
494}
495
6f4b7663
RL		 496static int setup_tbuf(PROV_RSA_CTX *ctx)
497{
498 if (ctx->tbuf != NULL)
499 return 1;
e077455e 500 if ((ctx->tbuf = OPENSSL_malloc(RSA_size(ctx->rsa))) == NULL)
6f4b7663 501 return 0;
6f4b7663
RL		 502 return 1;
503}
504
505static void clean_tbuf(PROV_RSA_CTX *ctx)
506{
507 if (ctx->tbuf != NULL)
508 OPENSSL_cleanse(ctx->tbuf, RSA_size(ctx->rsa));
509}
510
511static void free_tbuf(PROV_RSA_CTX *ctx)
512{
2d553660
RL		 513 clean_tbuf(ctx);
514 OPENSSL_free(ctx->tbuf);
6f4b7663
RL		 515 ctx->tbuf = NULL;
516}
517
556b8937 518static int rsa_sign_init(void *vprsactx, void *vrsa, const OSSL_PARAM params[])
0ec36bf1 519{
f590a5ea
P		 520 if (!ossl_prov_is_running())
521 return 0;
556b8937 522 return rsa_signverify_init(vprsactx, vrsa, params, EVP_PKEY_OP_SIGN);
0ec36bf1
RL		 523}
524
6f4b7663
RL		 525static int rsa_sign(void *vprsactx, unsigned char *sig, size_t *siglen,
526 size_t sigsize, const unsigned char *tbs, size_t tbslen)
527{
528 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
529 int ret;
530 size_t rsasize = RSA_size(prsactx->rsa);
531 size_t mdsize = rsa_get_md_size(prsactx);
532
f590a5ea
P		 533 if (!ossl_prov_is_running())
534 return 0;
535
6f4b7663
RL		 536 if (sig == NULL) {
537 *siglen = rsasize;
538 return 1;
539 }
540
2d553660
RL		 541 if (sigsize < rsasize) {
542 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_SIGNATURE_SIZE,
543 "is %zu, should be at least %zu", sigsize, rsasize);
6f4b7663 544 return 0;
2d553660 545 }
6f4b7663
RL		 546
547 if (mdsize != 0) {
548 if (tbslen != mdsize) {
549 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST_LENGTH);
550 return 0;
551 }
552
f844f9eb 553#ifndef FIPS_MODULE
6f4b7663
RL		 554 if (EVP_MD_is_a(prsactx->md, OSSL_DIGEST_NAME_MDC2)) {
555 unsigned int sltmp;
556
557 if (prsactx->pad_mode != RSA_PKCS1_PADDING) {
558 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE,
559 "only PKCS#1 padding supported with MDC2");
560 return 0;
561 }
562 ret = RSA_sign_ASN1_OCTET_STRING(0, tbs, tbslen, sig, &sltmp,
563 prsactx->rsa);
564
565 if (ret <= 0) {
c5689319 566 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);
6f4b7663
RL		 567 return 0;
568 }
569 ret = sltmp;
570 goto end;
571 }
1b6ea308 572#endif
6f4b7663
RL		 573 switch (prsactx->pad_mode) {
574 case RSA_X931_PADDING:
575 if ((size_t)RSA_size(prsactx->rsa) < tbslen + 1) {
2d553660
RL		 576 ERR_raise_data(ERR_LIB_PROV, PROV_R_KEY_SIZE_TOO_SMALL,
577 "RSA key size = %d, expected minimum = %d",
578 RSA_size(prsactx->rsa), tbslen + 1);
6f4b7663
RL		 579 return 0;
580 }
581 if (!setup_tbuf(prsactx)) {
e077455e 582 ERR_raise(ERR_LIB_PROV, ERR_R_PROV_LIB);
6f4b7663
RL		 583 return 0;
584 }
585 memcpy(prsactx->tbuf, tbs, tbslen);
586 prsactx->tbuf[tbslen] = RSA_X931_hash_id(prsactx->mdnid);
587 ret = RSA_private_encrypt(tbslen + 1, prsactx->tbuf,
588 sig, prsactx->rsa, RSA_X931_PADDING);
589 clean_tbuf(prsactx);
590 break;
591
592 case RSA_PKCS1_PADDING:
593 {
594 unsigned int sltmp;
595
596 ret = RSA_sign(prsactx->mdnid, tbs, tbslen, sig, &sltmp,
597 prsactx->rsa);
598 if (ret <= 0) {
c5689319 599 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);
6f4b7663
RL		 600 return 0;
601 }
602 ret = sltmp;
603 }
604 break;
605
606 case RSA_PKCS1_PSS_PADDING:
607 /* Check PSS restrictions */
608 if (rsa_pss_restricted(prsactx)) {
609 switch (prsactx->saltlen) {
610 case RSA_PSS_SALTLEN_DIGEST:
ed576acd 611 if (prsactx->min_saltlen > EVP_MD_get_size(prsactx->md)) {
2d553660
RL		 612 ERR_raise_data(ERR_LIB_PROV,
613 PROV_R_PSS_SALTLEN_TOO_SMALL,
614 "minimum salt length set to %d, "
615 "but the digest only gives %d",
616 prsactx->min_saltlen,
ed576acd 617 EVP_MD_get_size(prsactx->md));
6f4b7663
RL		 618 return 0;
619 }
620 /* FALLTHRU */
621 default:
622 if (prsactx->saltlen >= 0
623 && prsactx->saltlen < prsactx->min_saltlen) {
2d553660
RL		 624 ERR_raise_data(ERR_LIB_PROV,
625 PROV_R_PSS_SALTLEN_TOO_SMALL,
626 "minimum salt length set to %d, but the"
627 "actual salt length is only set to %d",
628 prsactx->min_saltlen,
629 prsactx->saltlen);
6f4b7663
RL		 630 return 0;
631 }
632 break;
633 }
634 }
635 if (!setup_tbuf(prsactx))
636 return 0;
637 if (!RSA_padding_add_PKCS1_PSS_mgf1(prsactx->rsa,
638 prsactx->tbuf, tbs,
639 prsactx->md, prsactx->mgf1_md,
640 prsactx->saltlen)) {
c5689319 641 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);
6f4b7663
RL		 642 return 0;
643 }
644 ret = RSA_private_encrypt(RSA_size(prsactx->rsa), prsactx->tbuf,
645 sig, prsactx->rsa, RSA_NO_PADDING);
646 clean_tbuf(prsactx);
647 break;
648
649 default:
650 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE,
651 "Only X.931, PKCS#1 v1.5 or PSS padding allowed");
652 return 0;
653 }
654 } else {
655 ret = RSA_private_encrypt(tbslen, tbs, sig, prsactx->rsa,
656 prsactx->pad_mode);
657 }
658
f844f9eb 659#ifndef FIPS_MODULE
6f4b7663
RL		 660 end:
661#endif
662 if (ret <= 0) {
c5689319 663 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);
6f4b7663
RL		 664 return 0;
665 }
666
667 *siglen = ret;
668 return 1;
669}
670
556b8937
P		 671static int rsa_verify_recover_init(void *vprsactx, void *vrsa,
672 const OSSL_PARAM params[])
0ec36bf1 673{
f590a5ea
P		 674 if (!ossl_prov_is_running())
675 return 0;
556b8937
P		 676 return rsa_signverify_init(vprsactx, vrsa, params,
677 EVP_PKEY_OP_VERIFYRECOVER);
0ec36bf1
RL		 678}
679
6f4b7663
RL		 680static int rsa_verify_recover(void *vprsactx,
681 unsigned char *rout,
682 size_t *routlen,
683 size_t routsize,
684 const unsigned char *sig,
685 size_t siglen)
686{
687 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
688 int ret;
689
f590a5ea
P		 690 if (!ossl_prov_is_running())
691 return 0;
692
6f4b7663
RL		 693 if (rout == NULL) {
694 *routlen = RSA_size(prsactx->rsa);
695 return 1;
696 }
697
698 if (prsactx->md != NULL) {
699 switch (prsactx->pad_mode) {
700 case RSA_X931_PADDING:
701 if (!setup_tbuf(prsactx))
702 return 0;
703 ret = RSA_public_decrypt(siglen, sig, prsactx->tbuf, prsactx->rsa,
704 RSA_X931_PADDING);
705 if (ret < 1) {
c5689319 706 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);
6f4b7663
RL		 707 return 0;
708 }
709 ret--;
710 if (prsactx->tbuf[ret] != RSA_X931_hash_id(prsactx->mdnid)) {
711 ERR_raise(ERR_LIB_PROV, PROV_R_ALGORITHM_MISMATCH);
712 return 0;
713 }
ed576acd 714 if (ret != EVP_MD_get_size(prsactx->md)) {
6f4b7663
RL		 715 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST_LENGTH,
716 "Should be %d, but got %d",
ed576acd 717 EVP_MD_get_size(prsactx->md), ret);
6f4b7663
RL		 718 return 0;
719 }
720
721 *routlen = ret;
4f2271d5
SL		 722 if (rout != prsactx->tbuf) {
723 if (routsize < (size_t)ret) {
724 ERR_raise_data(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL,
725 "buffer size is %d, should be %d",
726 routsize, ret);
727 return 0;
728 }
729 memcpy(rout, prsactx->tbuf, ret);
6f4b7663 730 }
6f4b7663
RL		 731 break;
732
733 case RSA_PKCS1_PADDING:
734 {
735 size_t sltmp;
736
4158b0dc
SL		 737 ret = ossl_rsa_verify(prsactx->mdnid, NULL, 0, rout, &sltmp,
738 sig, siglen, prsactx->rsa);
6f4b7663 739 if (ret <= 0) {
c5689319 740 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);
6f4b7663
RL		 741 return 0;
742 }
743 ret = sltmp;
744 }
745 break;
746
747 default:
748 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE,
749 "Only X.931 or PKCS#1 v1.5 padding allowed");
750 return 0;
751 }
752 } else {
753 ret = RSA_public_decrypt(siglen, sig, rout, prsactx->rsa,
754 prsactx->pad_mode);
755 if (ret < 0) {
c5689319 756 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);
6f4b7663
RL		 757 return 0;
758 }
759 }
760 *routlen = ret;
761 return 1;
762}
763
556b8937
P		 764static int rsa_verify_init(void *vprsactx, void *vrsa,
765 const OSSL_PARAM params[])
0ec36bf1 766{
f590a5ea
P		 767 if (!ossl_prov_is_running())
768 return 0;
556b8937 769 return rsa_signverify_init(vprsactx, vrsa, params, EVP_PKEY_OP_VERIFY);
0ec36bf1
RL		 770}
771
6f4b7663
RL		 772static int rsa_verify(void *vprsactx, const unsigned char *sig, size_t siglen,
773 const unsigned char *tbs, size_t tbslen)
774{
775 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
776 size_t rslen;
777
f590a5ea
P		 778 if (!ossl_prov_is_running())
779 return 0;
6f4b7663
RL		 780 if (prsactx->md != NULL) {
781 switch (prsactx->pad_mode) {
782 case RSA_PKCS1_PADDING:
783 if (!RSA_verify(prsactx->mdnid, tbs, tbslen, sig, siglen,
784 prsactx->rsa)) {
c5689319 785 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);
6f4b7663
RL		 786 return 0;
787 }
788 return 1;
789 case RSA_X931_PADDING:
4f2271d5
SL		 790 if (!setup_tbuf(prsactx))
791 return 0;
792 if (rsa_verify_recover(prsactx, prsactx->tbuf, &rslen, 0,
793 sig, siglen) <= 0)
6f4b7663
RL		 794 return 0;
795 break;
796 case RSA_PKCS1_PSS_PADDING:
797 {
798 int ret;
799 size_t mdsize;
800
6f4b7663
RL		 801 /*
802 * We need to check this for the RSA_verify_PKCS1_PSS_mgf1()
803 * call
804 */
805 mdsize = rsa_get_md_size(prsactx);
806 if (tbslen != mdsize) {
807 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST_LENGTH,
808 "Should be %d, but got %d",
809 mdsize, tbslen);
810 return 0;
811 }
812
813 if (!setup_tbuf(prsactx))
814 return 0;
815 ret = RSA_public_decrypt(siglen, sig, prsactx->tbuf,
816 prsactx->rsa, RSA_NO_PADDING);
817 if (ret <= 0) {
c5689319 818 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);
6f4b7663
RL		 819 return 0;
820 }
821 ret = RSA_verify_PKCS1_PSS_mgf1(prsactx->rsa, tbs,
822 prsactx->md, prsactx->mgf1_md,
823 prsactx->tbuf,
824 prsactx->saltlen);
825 if (ret <= 0) {
c5689319 826 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);
6f4b7663
RL		 827 return 0;
828 }
829 return 1;
830 }
831 default:
832 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE,
833 "Only X.931, PKCS#1 v1.5 or PSS padding allowed");
834 return 0;
835 }
836 } else {
559e078d
TM		 837 int ret;
838
6f4b7663
RL		 839 if (!setup_tbuf(prsactx))
840 return 0;
559e078d
TM		 841 ret = RSA_public_decrypt(siglen, sig, prsactx->tbuf, prsactx->rsa,
842 prsactx->pad_mode);
843 if (ret <= 0) {
c5689319 844 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);
6f4b7663
RL		 845 return 0;
846 }
559e078d 847 rslen = (size_t)ret;
6f4b7663
RL		 848 }
849
850 if ((rslen != tbslen) || memcmp(tbs, prsactx->tbuf, rslen))
851 return 0;
852
853 return 1;
854}
855
856static int rsa_digest_signverify_init(void *vprsactx, const char *mdname,
556b8937
P		 857 void *vrsa, const OSSL_PARAM params[],
858 int operation)
6f4b7663
RL		 859{
860 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
861
f590a5ea
P		 862 if (!ossl_prov_is_running())
863 return 0;
864
556b8937 865 if (!rsa_signverify_init(vprsactx, vrsa, params, operation))
bbde8566 866 return 0;
3ffd23e9 867
bbde8566
TM		 868 if (mdname != NULL
869 /* was rsa_setup_md already called in rsa_signverify_init()? */
fba140c7 870 && (mdname[0] == '\0' || OPENSSL_strcasecmp(prsactx->mdname, mdname) != 0)
bbde8566 871 && !rsa_setup_md(prsactx, mdname, prsactx->propq))
6f4b7663
RL		 872 return 0;
873
033e987c 874 prsactx->flag_allow_md = 0;
3ffd23e9 875
2d553660 876 if (prsactx->mdctx == NULL) {
3ffd23e9
TM		 877 prsactx->mdctx = EVP_MD_CTX_new();
878 if (prsactx->mdctx == NULL)
879 goto error;
2d553660 880 }
6f4b7663 881
556b8937 882 if (!EVP_DigestInit_ex2(prsactx->mdctx, prsactx->md, params))
6f4b7663
RL		 883 goto error;
884
885 return 1;
886
887 error:
888 EVP_MD_CTX_free(prsactx->mdctx);
6f4b7663 889 prsactx->mdctx = NULL;
6f4b7663
RL		 890 return 0;
891}
892
0ec36bf1
RL		 893static int rsa_digest_signverify_update(void *vprsactx,
894 const unsigned char *data,
895 size_t datalen)
6f4b7663
RL		 896{
897 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
898
899 if (prsactx == NULL || prsactx->mdctx == NULL)
900 return 0;
901
902 return EVP_DigestUpdate(prsactx->mdctx, data, datalen);
903}
904
0ec36bf1 905static int rsa_digest_sign_init(void *vprsactx, const char *mdname,
556b8937 906 void *vrsa, const OSSL_PARAM params[])
0ec36bf1 907{
f590a5ea
P		 908 if (!ossl_prov_is_running())
909 return 0;
2d553660 910 return rsa_digest_signverify_init(vprsactx, mdname, vrsa,
556b8937 911 params, EVP_PKEY_OP_SIGN);
0ec36bf1
RL		 912}
913
914static int rsa_digest_sign_final(void *vprsactx, unsigned char *sig,
915 size_t *siglen, size_t sigsize)
6f4b7663
RL		 916{
917 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
918 unsigned char digest[EVP_MAX_MD_SIZE];
919 unsigned int dlen = 0;
920
f590a5ea 921 if (!ossl_prov_is_running() || prsactx == NULL)
51bba73e 922 return 0;
6f4b7663 923 prsactx->flag_allow_md = 1;
51bba73e 924 if (prsactx->mdctx == NULL)
6f4b7663 925 return 0;
6f4b7663
RL		 926 /*
927 * If sig is NULL then we're just finding out the sig size. Other fields
928 * are ignored. Defer to rsa_sign.
929 */
930 if (sig != NULL) {
931 /*
3f699197
SL		 932 * The digests used here are all known (see rsa_get_md_nid()), so they
933 * should not exceed the internal buffer size of EVP_MAX_MD_SIZE.
6f4b7663
RL		 934 */
935 if (!EVP_DigestFinal_ex(prsactx->mdctx, digest, &dlen))
936 return 0;
937 }
938
939 return rsa_sign(vprsactx, sig, siglen, sigsize, digest, (size_t)dlen);
940}
941
0ec36bf1 942static int rsa_digest_verify_init(void *vprsactx, const char *mdname,
556b8937 943 void *vrsa, const OSSL_PARAM params[])
0ec36bf1 944{
f590a5ea
P		 945 if (!ossl_prov_is_running())
946 return 0;
2d553660 947 return rsa_digest_signverify_init(vprsactx, mdname, vrsa,
556b8937 948 params, EVP_PKEY_OP_VERIFY);
0ec36bf1 949}
6f4b7663
RL		 950
951int rsa_digest_verify_final(void *vprsactx, const unsigned char *sig,
952 size_t siglen)
953{
954 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
955 unsigned char digest[EVP_MAX_MD_SIZE];
956 unsigned int dlen = 0;
957
f590a5ea
P		 958 if (!ossl_prov_is_running())
959 return 0;
960
db1319b7
SL		 961 if (prsactx == NULL)
962 return 0;
6f4b7663 963 prsactx->flag_allow_md = 1;
db1319b7 964 if (prsactx->mdctx == NULL)
6f4b7663
RL		 965 return 0;
966
967 /*
3f699197
SL		 968 * The digests used here are all known (see rsa_get_md_nid()), so they
969 * should not exceed the internal buffer size of EVP_MAX_MD_SIZE.
6f4b7663
RL		 970 */
971 if (!EVP_DigestFinal_ex(prsactx->mdctx, digest, &dlen))
972 return 0;
973
974 return rsa_verify(vprsactx, sig, siglen, digest, (size_t)dlen);
975}
976
977static void rsa_freectx(void *vprsactx)
978{
979 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
980
981 if (prsactx == NULL)
982 return;
983
6f4b7663
RL		 984 EVP_MD_CTX_free(prsactx->mdctx);
985 EVP_MD_free(prsactx->md);
986 EVP_MD_free(prsactx->mgf1_md);
2c6094ba 987 OPENSSL_free(prsactx->propq);
6f4b7663 988 free_tbuf(prsactx);
fdf6118b 989 RSA_free(prsactx->rsa);
6f4b7663 990
26c5ea8f 991 OPENSSL_clear_free(prsactx, sizeof(*prsactx));
6f4b7663
RL		 992}
993
994static void *rsa_dupctx(void *vprsactx)
995{
996 PROV_RSA_CTX *srcctx = (PROV_RSA_CTX *)vprsactx;
997 PROV_RSA_CTX *dstctx;
998
f590a5ea
P		 999 if (!ossl_prov_is_running())
1000 return NULL;
1001
6f4b7663 1002 dstctx = OPENSSL_zalloc(sizeof(*srcctx));
e077455e 1003 if (dstctx == NULL)
6f4b7663
RL		 1004 return NULL;
1005
1006 *dstctx = *srcctx;
1007 dstctx->rsa = NULL;
1008 dstctx->md = NULL;
1009 dstctx->mdctx = NULL;
1010 dstctx->tbuf = NULL;
c2386b81 1011 dstctx->propq = NULL;
6f4b7663
RL		 1012
1013 if (srcctx->rsa != NULL && !RSA_up_ref(srcctx->rsa))
1014 goto err;
1015 dstctx->rsa = srcctx->rsa;
1016
1017 if (srcctx->md != NULL && !EVP_MD_up_ref(srcctx->md))
1018 goto err;
1019 dstctx->md = srcctx->md;
1020
1021 if (srcctx->mgf1_md != NULL && !EVP_MD_up_ref(srcctx->mgf1_md))
1022 goto err;
1023 dstctx->mgf1_md = srcctx->mgf1_md;
1024
1025 if (srcctx->mdctx != NULL) {
1026 dstctx->mdctx = EVP_MD_CTX_new();
1027 if (dstctx->mdctx == NULL
1028 || !EVP_MD_CTX_copy_ex(dstctx->mdctx, srcctx->mdctx))
1029 goto err;
1030 }
1031
c2386b81
SL		 1032 if (srcctx->propq != NULL) {
1033 dstctx->propq = OPENSSL_strdup(srcctx->propq);
1034 if (dstctx->propq == NULL)
1035 goto err;
1036 }
1037
6f4b7663
RL		 1038 return dstctx;
1039 err:
1040 rsa_freectx(dstctx);
1041 return NULL;
1042}
1043
1044static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params)
1045{
1046 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
1047 OSSL_PARAM *p;
1048
556b8937 1049 if (prsactx == NULL)
6f4b7663
RL		 1050 return 0;
1051
1052 p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_ALGORITHM_ID);
bbde8566
TM		 1053 if (p != NULL) {
1054 /* The Algorithm Identifier of the combined signature algorithm */
1055 unsigned char aid_buf[128];
1056 unsigned char *aid;
1057 size_t aid_len;
1058
1059 aid = rsa_generate_signature_aid(prsactx, aid_buf,
1060 sizeof(aid_buf), &aid_len);
1061 if (aid == NULL || !OSSL_PARAM_set_octet_string(p, aid, aid_len))
1062 return 0;
1063 }
6f4b7663
RL		 1064
1065 p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_PAD_MODE);
1066 if (p != NULL)
1067 switch (p->data_type) {
1068 case OSSL_PARAM_INTEGER:
1069 if (!OSSL_PARAM_set_int(p, prsactx->pad_mode))
1070 return 0;
1071 break;
1072 case OSSL_PARAM_UTF8_STRING:
1073 {
1074 int i;
1075 const char *word = NULL;
1076
1077 for (i = 0; padding_item[i].id != 0; i++) {
1078 if (prsactx->pad_mode == (int)padding_item[i].id) {
1079 word = padding_item[i].ptr;
1080 break;
1081 }
1082 }
1083
1084 if (word != NULL) {
1085 if (!OSSL_PARAM_set_utf8_string(p, word))
1086 return 0;
1087 } else {
1088 ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);
1089 }
1090 }
1091 break;
1092 default:
1093 return 0;
1094 }
1095
1096 p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_DIGEST);
1097 if (p != NULL && !OSSL_PARAM_set_utf8_string(p, prsactx->mdname))
1098 return 0;
1099
1100 p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_MGF1_DIGEST);
1101 if (p != NULL && !OSSL_PARAM_set_utf8_string(p, prsactx->mgf1_mdname))
1102 return 0;
1103
1104 p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_PSS_SALTLEN);
1105 if (p != NULL) {
1106 if (p->data_type == OSSL_PARAM_INTEGER) {
1107 if (!OSSL_PARAM_set_int(p, prsactx->saltlen))
1108 return 0;
1109 } else if (p->data_type == OSSL_PARAM_UTF8_STRING) {
b8086652
SL		 1110 const char *value = NULL;
1111
6f4b7663
RL		 1112 switch (prsactx->saltlen) {
1113 case RSA_PSS_SALTLEN_DIGEST:
b8086652 1114 value = OSSL_PKEY_RSA_PSS_SALT_LEN_DIGEST;
6f4b7663
RL		 1115 break;
1116 case RSA_PSS_SALTLEN_MAX:
b8086652 1117 value = OSSL_PKEY_RSA_PSS_SALT_LEN_MAX;
6f4b7663
RL		 1118 break;
1119 case RSA_PSS_SALTLEN_AUTO:
b8086652 1120 value = OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO;
6f4b7663 1121 break;
6c73ca4a
CL		 1122 case RSA_PSS_SALTLEN_AUTO_DIGEST_MAX:
1123 value = OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX;
1124 break;
6f4b7663 1125 default:
b8086652
SL		 1126 {
1127 int len = BIO_snprintf(p->data, p->data_size, "%d",
1128 prsactx->saltlen);
1129
1130 if (len <= 0)
1131 return 0;
1132 p->return_size = len;
1133 break;
1134 }
6f4b7663 1135 }
b8086652
SL		 1136 if (value != NULL
1137 && !OSSL_PARAM_set_utf8_string(p, value))
1138 return 0;
6f4b7663
RL		 1139 }
1140 }
1141
1142 return 1;
1143}
1144
1145static const OSSL_PARAM known_gettable_ctx_params[] = {
1146 OSSL_PARAM_octet_string(OSSL_SIGNATURE_PARAM_ALGORITHM_ID, NULL, 0),
1147 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PAD_MODE, NULL, 0),
1148 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, NULL, 0),
1149 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_DIGEST, NULL, 0),
1150 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL, 0),
1151 OSSL_PARAM_END
1152};
1153
fb67126e
TM		 1154static const OSSL_PARAM *rsa_gettable_ctx_params(ossl_unused void *vprsactx,
1155 ossl_unused void *provctx)
6f4b7663
RL		 1156{
1157 return known_gettable_ctx_params;
1158}
1159
1160static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
1161{
1162 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
1163 const OSSL_PARAM *p;
93e43f4c
BK		 1164 int pad_mode;
1165 int saltlen;
bbde8566
TM		 1166 char mdname[OSSL_MAX_NAME_SIZE] = "", *pmdname = NULL;
1167 char mdprops[OSSL_MAX_PROPQUERY_SIZE] = "", *pmdprops = NULL;
1168 char mgf1mdname[OSSL_MAX_NAME_SIZE] = "", *pmgf1mdname = NULL;
1169 char mgf1mdprops[OSSL_MAX_PROPQUERY_SIZE] = "", *pmgf1mdprops = NULL;
6f4b7663 1170
556b8937 1171 if (prsactx == NULL)
6f4b7663 1172 return 0;
556b8937
P		 1173 if (params == NULL)
1174 return 1;
1175
93e43f4c
BK		 1176 pad_mode = prsactx->pad_mode;
1177 saltlen = prsactx->saltlen;
6f4b7663
RL		 1178
1179 p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_DIGEST);
6f4b7663 1180 if (p != NULL) {
6f4b7663
RL		 1181 const OSSL_PARAM *propsp =
1182 OSSL_PARAM_locate_const(params,
1183 OSSL_SIGNATURE_PARAM_PROPERTIES);
1184
bbde8566 1185 pmdname = mdname;
6f4b7663
RL		 1186 if (!OSSL_PARAM_get_utf8_string(p, &pmdname, sizeof(mdname)))
1187 return 0;
2c6094ba 1188
bbde8566
TM		 1189 if (propsp != NULL) {
1190 pmdprops = mdprops;
1191 if (!OSSL_PARAM_get_utf8_string(propsp,
1192 &pmdprops, sizeof(mdprops)))
1193 return 0;
6f4b7663 1194 }
6f4b7663
RL		 1195 }
1196
1197 p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_PAD_MODE);
1198 if (p != NULL) {
0ec36bf1 1199 const char *err_extra_text = NULL;
6f4b7663
RL		 1200
1201 switch (p->data_type) {
1202 case OSSL_PARAM_INTEGER: /* Support for legacy pad mode number */
1203 if (!OSSL_PARAM_get_int(p, &pad_mode))
1204 return 0;
1205 break;
1206 case OSSL_PARAM_UTF8_STRING:
1207 {
1208 int i;
1209
1210 if (p->data == NULL)
1211 return 0;
1212
1213 for (i = 0; padding_item[i].id != 0; i++) {
1214 if (strcmp(p->data, padding_item[i].ptr) == 0) {
1215 pad_mode = padding_item[i].id;
1216 break;
1217 }
1218 }
1219 }
1220 break;
1221 default:
1222 return 0;
1223 }
1224
1225 switch (pad_mode) {
1226 case RSA_PKCS1_OAEP_PADDING:
1227 /*
1228 * OAEP padding is for asymmetric cipher only so is not compatible
1229 * with signature use.
1230 */
0ec36bf1
RL		 1231 err_extra_text = "OAEP padding not allowed for signing / verifying";
1232 goto bad_pad;
6f4b7663 1233 case RSA_PKCS1_PSS_PADDING:
0ec36bf1
RL		 1234 if ((prsactx->operation
1235 & (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY)) == 0) {
1236 err_extra_text =
1237 "PSS padding only allowed for sign and verify operations";
1238 goto bad_pad;
1239 }
0ec36bf1 1240 break;
6f4b7663 1241 case RSA_PKCS1_PADDING:
0ec36bf1
RL		 1242 err_extra_text = "PKCS#1 padding not allowed with RSA-PSS";
1243 goto cont;
6f4b7663 1244 case RSA_NO_PADDING:
0ec36bf1
RL		 1245 err_extra_text = "No padding not allowed with RSA-PSS";
1246 goto cont;
6f4b7663 1247 case RSA_X931_PADDING:
0ec36bf1 1248 err_extra_text = "X.931 padding not allowed with RSA-PSS";
6f4b7663 1249 cont:
2d553660
RL		 1250 if (RSA_test_flags(prsactx->rsa,
1251 RSA_FLAG_TYPE_MASK) == RSA_FLAG_TYPE_RSA)
0ec36bf1
RL		 1252 break;
1253 /* FALLTHRU */
6f4b7663 1254 default:
0ec36bf1
RL		 1255 bad_pad:
1256 if (err_extra_text == NULL)
1257 ERR_raise(ERR_LIB_PROV,
1258 PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
1259 else
1260 ERR_raise_data(ERR_LIB_PROV,
1261 PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE,
1262 err_extra_text);
6f4b7663
RL		 1263 return 0;
1264 }
6f4b7663
RL		 1265 }
1266
1267 p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_PSS_SALTLEN);
1268 if (p != NULL) {
bbde8566 1269 if (pad_mode != RSA_PKCS1_PSS_PADDING) {
6f4b7663
RL		 1270 ERR_raise_data(ERR_LIB_PROV, PROV_R_NOT_SUPPORTED,
1271 "PSS saltlen can only be specified if "
1272 "PSS padding has been specified first");
1273 return 0;
1274 }
1275
1276 switch (p->data_type) {
1277 case OSSL_PARAM_INTEGER: /* Support for legacy pad mode number */
1278 if (!OSSL_PARAM_get_int(p, &saltlen))
1279 return 0;
1280 break;
1281 case OSSL_PARAM_UTF8_STRING:
b8086652 1282 if (strcmp(p->data, OSSL_PKEY_RSA_PSS_SALT_LEN_DIGEST) == 0)
6f4b7663 1283 saltlen = RSA_PSS_SALTLEN_DIGEST;
b8086652 1284 else if (strcmp(p->data, OSSL_PKEY_RSA_PSS_SALT_LEN_MAX) == 0)
6f4b7663 1285 saltlen = RSA_PSS_SALTLEN_MAX;
b8086652 1286 else if (strcmp(p->data, OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO) == 0)
6f4b7663 1287 saltlen = RSA_PSS_SALTLEN_AUTO;
6c73ca4a
CL		 1288 else if (strcmp(p->data, OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX) == 0)
1289 saltlen = RSA_PSS_SALTLEN_AUTO_DIGEST_MAX;
6f4b7663
RL		 1290 else
1291 saltlen = atoi(p->data);
1292 break;
1293 default:
1294 return 0;
1295 }
1296
1297 /*
6c73ca4a
CL		 1298 * RSA_PSS_SALTLEN_AUTO_DIGEST_MAX seems curiously named in this check.
1299 * Contrary to what it's name suggests, it's the currently lowest
1300 * saltlen number possible.
6f4b7663 1301 */
6c73ca4a 1302 if (saltlen < RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) {
f5f29796 1303 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH);
6f4b7663
RL		 1304 return 0;
1305 }
1306
0ec36bf1 1307 if (rsa_pss_restricted(prsactx)) {
6ce6ad39 1308 switch (saltlen) {
0ec36bf1 1309 case RSA_PSS_SALTLEN_AUTO:
6c73ca4a 1310 case RSA_PSS_SALTLEN_AUTO_DIGEST_MAX:
0ec36bf1 1311 if (prsactx->operation == EVP_PKEY_OP_VERIFY) {
f5f29796
TM		 1312 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH,
1313 "Cannot use autodetected salt length");
0ec36bf1
RL		 1314 return 0;
1315 }
1316 break;
1317 case RSA_PSS_SALTLEN_DIGEST:
ed576acd 1318 if (prsactx->min_saltlen > EVP_MD_get_size(prsactx->md)) {
0ec36bf1
RL		 1319 ERR_raise_data(ERR_LIB_PROV,
1320 PROV_R_PSS_SALTLEN_TOO_SMALL,
1321 "Should be more than %d, but would be "
1322 "set to match digest size (%d)",
1323 prsactx->min_saltlen,
ed576acd 1324 EVP_MD_get_size(prsactx->md));
0ec36bf1
RL		 1325 return 0;
1326 }
6ce6ad39 1327 break;
0ec36bf1
RL		 1328 default:
1329 if (saltlen >= 0 && saltlen < prsactx->min_saltlen) {
1330 ERR_raise_data(ERR_LIB_PROV,
1331 PROV_R_PSS_SALTLEN_TOO_SMALL,
1332 "Should be more than %d, "
1333 "but would be set to %d",
1334 prsactx->min_saltlen, saltlen);
1335 return 0;
1336 }
1337 }
1338 }
6f4b7663
RL		 1339 }
1340
1341 p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_MGF1_DIGEST);
1342 if (p != NULL) {
6f4b7663
RL		 1343 const OSSL_PARAM *propsp =
1344 OSSL_PARAM_locate_const(params,
1345 OSSL_SIGNATURE_PARAM_MGF1_PROPERTIES);
1346
bbde8566
TM		 1347 pmgf1mdname = mgf1mdname;
1348 if (!OSSL_PARAM_get_utf8_string(p, &pmgf1mdname, sizeof(mgf1mdname)))
6f4b7663 1349 return 0;
2c6094ba 1350
bbde8566
TM		 1351 if (propsp != NULL) {
1352 pmgf1mdprops = mgf1mdprops;
1353 if (!OSSL_PARAM_get_utf8_string(propsp,
1354 &pmgf1mdprops, sizeof(mgf1mdprops)))
1355 return 0;
1356 }
6f4b7663 1357
bbde8566 1358 if (pad_mode != RSA_PKCS1_PSS_PADDING) {
6f4b7663
RL		 1359 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_MGF1_MD);
1360 return 0;
1361 }
bbde8566 1362 }
6f4b7663 1363
bbde8566
TM		 1364 prsactx->saltlen = saltlen;
1365 prsactx->pad_mode = pad_mode;
1366
1367 if (prsactx->md == NULL && pmdname == NULL
1368 && pad_mode == RSA_PKCS1_PSS_PADDING)
1369 pmdname = RSA_DEFAULT_DIGEST_NAME;
6f4b7663 1370
bbde8566
TM		 1371 if (pmgf1mdname != NULL
1372 && !rsa_setup_mgf1_md(prsactx, pmgf1mdname, pmgf1mdprops))
1373 return 0;
1374
1375 if (pmdname != NULL) {
1376 if (!rsa_setup_md(prsactx, pmdname, pmdprops))
1377 return 0;
1378 } else {
1379 if (!rsa_check_padding(prsactx, NULL, NULL, prsactx->mdnid))
6f4b7663
RL		 1380 return 0;
1381 }
6f4b7663
RL		 1382 return 1;
1383}
1384
fb67126e 1385static const OSSL_PARAM settable_ctx_params[] = {
6f4b7663
RL		 1386 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, NULL, 0),
1387 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PROPERTIES, NULL, 0),
fb67126e 1388 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PAD_MODE, NULL, 0),
6f4b7663
RL		 1389 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_DIGEST, NULL, 0),
1390 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_PROPERTIES, NULL, 0),
1391 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL, 0),
1392 OSSL_PARAM_END
1393};
1394
fb67126e
TM		 1395static const OSSL_PARAM settable_ctx_params_no_digest[] = {
1396 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PAD_MODE, NULL, 0),
1397 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_DIGEST, NULL, 0),
1398 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_PROPERTIES, NULL, 0),
1399 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL, 0),
1400 OSSL_PARAM_END
1401};
1402
1403static const OSSL_PARAM *rsa_settable_ctx_params(void *vprsactx,
1404 ossl_unused void *provctx)
6f4b7663 1405{
fb67126e
TM		 1406 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
1407
1408 if (prsactx != NULL && !prsactx->flag_allow_md)
1409 return settable_ctx_params_no_digest;
1410 return settable_ctx_params;
6f4b7663
RL		 1411}
1412
1413static int rsa_get_ctx_md_params(void *vprsactx, OSSL_PARAM *params)
1414{
1415 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
1416
1417 if (prsactx->mdctx == NULL)
1418 return 0;
1419
1420 return EVP_MD_CTX_get_params(prsactx->mdctx, params);
1421}
1422
1423static const OSSL_PARAM *rsa_gettable_ctx_md_params(void *vprsactx)
1424{
1425 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
1426
1427 if (prsactx->md == NULL)
1428 return 0;
1429
1430 return EVP_MD_gettable_ctx_params(prsactx->md);
1431}
1432
1433static int rsa_set_ctx_md_params(void *vprsactx, const OSSL_PARAM params[])
1434{
1435 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
1436
1437 if (prsactx->mdctx == NULL)
1438 return 0;
1439
1440 return EVP_MD_CTX_set_params(prsactx->mdctx, params);
1441}
1442
1443static const OSSL_PARAM *rsa_settable_ctx_md_params(void *vprsactx)
1444{
1445 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
1446
1447 if (prsactx->md == NULL)
1448 return 0;
1449
1450 return EVP_MD_settable_ctx_params(prsactx->md);
1451}
1452
1be63951 1453const OSSL_DISPATCH ossl_rsa_signature_functions[] = {
6f4b7663 1454 { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))rsa_newctx },
0ec36bf1 1455 { OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))rsa_sign_init },
6f4b7663 1456 { OSSL_FUNC_SIGNATURE_SIGN, (void (*)(void))rsa_sign },
0ec36bf1 1457 { OSSL_FUNC_SIGNATURE_VERIFY_INIT, (void (*)(void))rsa_verify_init },
6f4b7663 1458 { OSSL_FUNC_SIGNATURE_VERIFY, (void (*)(void))rsa_verify },
0ec36bf1
RL		 1459 { OSSL_FUNC_SIGNATURE_VERIFY_RECOVER_INIT,
1460 (void (*)(void))rsa_verify_recover_init },
1461 { OSSL_FUNC_SIGNATURE_VERIFY_RECOVER,
1462 (void (*)(void))rsa_verify_recover },
6f4b7663 1463 { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_INIT,
0ec36bf1 1464 (void (*)(void))rsa_digest_sign_init },
6f4b7663
RL		 1465 { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_UPDATE,
1466 (void (*)(void))rsa_digest_signverify_update },
1467 { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_FINAL,
1468 (void (*)(void))rsa_digest_sign_final },
1469 { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_INIT,
0ec36bf1 1470 (void (*)(void))rsa_digest_verify_init },
6f4b7663
RL		 1471 { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_UPDATE,
1472 (void (*)(void))rsa_digest_signverify_update },
1473 { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_FINAL,
1474 (void (*)(void))rsa_digest_verify_final },
1475 { OSSL_FUNC_SIGNATURE_FREECTX, (void (*)(void))rsa_freectx },
1476 { OSSL_FUNC_SIGNATURE_DUPCTX, (void (*)(void))rsa_dupctx },
1477 { OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, (void (*)(void))rsa_get_ctx_params },
1478 { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS,
1479 (void (*)(void))rsa_gettable_ctx_params },
1480 { OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS, (void (*)(void))rsa_set_ctx_params },
1481 { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS,
1482 (void (*)(void))rsa_settable_ctx_params },
1483 { OSSL_FUNC_SIGNATURE_GET_CTX_MD_PARAMS,
1484 (void (*)(void))rsa_get_ctx_md_params },
1485 { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_MD_PARAMS,
1486 (void (*)(void))rsa_gettable_ctx_md_params },
1487 { OSSL_FUNC_SIGNATURE_SET_CTX_MD_PARAMS,
1488 (void (*)(void))rsa_set_ctx_md_params },
1489 { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_MD_PARAMS,
1490 (void (*)(void))rsa_settable_ctx_md_params },
1491 { 0, NULL }
1492};
A mirror of the official openssl repository