providers/implementations/signature/rsa.c

   1 /*
   2  * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved.
   3  *
   4  * Licensed under the Apache License 2.0 (the "License").  You may not use
   5  * this file except in compliance with the License.  You can obtain a copy
   6  * in the file LICENSE in the source distribution or at
   7  * https://www.openssl.org/source/license.html
   8  */
   9
  10 /*
  11  * RSA low level APIs are deprecated for public use, but still ok for
  12  * internal use.
  13  */
  14 #include "internal/deprecated.h"
  15
  16 #include <string.h>
  17 #include <openssl/crypto.h>
  18 #include <openssl/core_dispatch.h>
  19 #include <openssl/core_names.h>
  20 #include <openssl/err.h>
  21 #include <openssl/rsa.h>
  22 #include <openssl/params.h>
  23 #include <openssl/evp.h>
  24 #include "internal/cryptlib.h"
  25 #include "internal/nelem.h"
  26 #include "internal/sizes.h"
  27 #include "crypto/rsa.h"
  28 #include "prov/providercommonerr.h"
  29 #include "prov/implementations.h"
  30 #include "prov/provider_ctx.h"
  31 #include "prov/der_rsa.h"
  32
  33 static OSSL_FUNC_signature_newctx_fn rsa_newctx;
  34 static OSSL_FUNC_signature_sign_init_fn rsa_sign_init;
  35 static OSSL_FUNC_signature_verify_init_fn rsa_verify_init;
  36 static OSSL_FUNC_signature_verify_recover_init_fn rsa_verify_recover_init;
  37 static OSSL_FUNC_signature_sign_fn rsa_sign;
  38 static OSSL_FUNC_signature_verify_fn rsa_verify;
  39 static OSSL_FUNC_signature_verify_recover_fn rsa_verify_recover;
  40 static OSSL_FUNC_signature_digest_sign_init_fn rsa_digest_sign_init;
  41 static OSSL_FUNC_signature_digest_sign_update_fn rsa_digest_signverify_update;
  42 static OSSL_FUNC_signature_digest_sign_final_fn rsa_digest_sign_final;
  43 static OSSL_FUNC_signature_digest_verify_init_fn rsa_digest_verify_init;
  44 static OSSL_FUNC_signature_digest_verify_update_fn rsa_digest_signverify_update;
  45 static OSSL_FUNC_signature_digest_verify_final_fn rsa_digest_verify_final;
  46 static OSSL_FUNC_signature_freectx_fn rsa_freectx;
  47 static OSSL_FUNC_signature_dupctx_fn rsa_dupctx;
  48 static OSSL_FUNC_signature_get_ctx_params_fn rsa_get_ctx_params;
  49 static OSSL_FUNC_signature_gettable_ctx_params_fn rsa_gettable_ctx_params;
  50 static OSSL_FUNC_signature_set_ctx_params_fn rsa_set_ctx_params;
  51 static OSSL_FUNC_signature_settable_ctx_params_fn rsa_settable_ctx_params;
  52 static OSSL_FUNC_signature_get_ctx_md_params_fn rsa_get_ctx_md_params;
  53 static OSSL_FUNC_signature_gettable_ctx_md_params_fn rsa_gettable_ctx_md_params;
  54 static OSSL_FUNC_signature_set_ctx_md_params_fn rsa_set_ctx_md_params;
  55 static OSSL_FUNC_signature_settable_ctx_md_params_fn rsa_settable_ctx_md_params;
  56
  57 static OSSL_ITEM padding_item[] = {
  58     { RSA_PKCS1_PADDING,        OSSL_PKEY_RSA_PAD_MODE_PKCSV15 },
  59     { RSA_SSLV23_PADDING,       OSSL_PKEY_RSA_PAD_MODE_SSLV23 },
  60     { RSA_NO_PADDING,           OSSL_PKEY_RSA_PAD_MODE_NONE },
  61     { RSA_X931_PADDING,         OSSL_PKEY_RSA_PAD_MODE_X931 },
  62     { RSA_PKCS1_PSS_PADDING,    OSSL_PKEY_RSA_PAD_MODE_PSS },
  63     { 0,                        NULL     }
  64 };
  65
  66 /*
  67  * What's passed as an actual key is defined by the KEYMGMT interface.
  68  * We happen to know that our KEYMGMT simply passes RSA structures, so
  69  * we use that here too.
  70  */
  71
  72 typedef struct {
  73     OPENSSL_CTX *libctx;
  74     char *propq;
  75     RSA *rsa;
  76     int operation;
  77
  78     /*
  79      * Flag to determine if the hash function can be changed (1) or not (0)
  80      * Because it's dangerous to change during a DigestSign or DigestVerify
  81      * operation, this flag is cleared by their Init function, and set again
  82      * by their Final function.
  83      */
  84     unsigned int flag_allow_md : 1;
  85
  86     /* The Algorithm Identifier of the combined signature agorithm */
  87     unsigned char aid_buf[128];
  88     unsigned char *aid;
  89     size_t  aid_len;
  90
  91     /* main digest */
  92     EVP_MD *md;
  93     EVP_MD_CTX *mdctx;
  94     int mdnid;
  95     char mdname[OSSL_MAX_NAME_SIZE]; /* Purely informational */
  96
  97     /* RSA padding mode */
  98     int pad_mode;
  99     /* message digest for MGF1 */
 100     EVP_MD *mgf1_md;
 101     char mgf1_mdname[OSSL_MAX_NAME_SIZE]; /* Purely informational */
 102     /* PSS salt length */
 103     int saltlen;
 104     /* Minimum salt length or -1 if no PSS parameter restriction */
 105     int min_saltlen;
 106
 107     /* Temp buffer */
 108     unsigned char *tbuf;
 109
 110 } PROV_RSA_CTX;
 111
 112 static size_t rsa_get_md_size(const PROV_RSA_CTX *prsactx)
 113 {
 114     if (prsactx->md != NULL)
 115         return EVP_MD_size(prsactx->md);
 116     return 0;
 117 }
 118
 119 static int rsa_get_md_nid(const EVP_MD *md)
 120 {
 121     /*
 122      * Because the RSA library deals with NIDs, we need to translate.
 123      * We do so using EVP_MD_is_a(), and therefore need a name to NID
 124      * map.
 125      */
 126     static const OSSL_ITEM name_to_nid[] = {
 127         { NID_sha1,      OSSL_DIGEST_NAME_SHA1      },
 128         { NID_sha224,    OSSL_DIGEST_NAME_SHA2_224  },
 129         { NID_sha256,    OSSL_DIGEST_NAME_SHA2_256  },
 130         { NID_sha384,    OSSL_DIGEST_NAME_SHA2_384  },
 131         { NID_sha512,    OSSL_DIGEST_NAME_SHA2_512  },
 132         { NID_sha512_224, OSSL_DIGEST_NAME_SHA2_512_224 },
 133         { NID_sha512_256, OSSL_DIGEST_NAME_SHA2_512_256 },
 134         { NID_md5,       OSSL_DIGEST_NAME_MD5       },
 135         { NID_md5_sha1,  OSSL_DIGEST_NAME_MD5_SHA1  },
 136         { NID_md2,       OSSL_DIGEST_NAME_MD2       },
 137         { NID_md4,       OSSL_DIGEST_NAME_MD4       },
 138         { NID_mdc2,      OSSL_DIGEST_NAME_MDC2      },
 139         { NID_ripemd160, OSSL_DIGEST_NAME_RIPEMD160 },
 140         { NID_sha3_224,  OSSL_DIGEST_NAME_SHA3_224  },
 141         { NID_sha3_256,  OSSL_DIGEST_NAME_SHA3_256  },
 142         { NID_sha3_384,  OSSL_DIGEST_NAME_SHA3_384  },
 143         { NID_sha3_512,  OSSL_DIGEST_NAME_SHA3_512  },
 144     };
 145     size_t i;
 146     int mdnid = NID_undef;
 147
 148     if (md == NULL)
 149         goto end;
 150
 151     for (i = 0; i < OSSL_NELEM(name_to_nid); i++) {
 152         if (EVP_MD_is_a(md, name_to_nid[i].ptr)) {
 153             mdnid = (int)name_to_nid[i].id;
 154             break;
 155         }
 156     }
 157
 158  end:
 159     return mdnid;
 160 }
 161
 162 static int rsa_check_padding(int mdnid, int padding)
 163 {
 164     if (padding == RSA_NO_PADDING) {
 165         ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE);
 166         return 0;
 167     }
 168
 169     if (padding == RSA_X931_PADDING) {
 170         if (RSA_X931_hash_id(mdnid) == -1) {
 171             ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_X931_DIGEST);
 172             return 0;
 173         }
 174     }
 175
 176     return 1;
 177 }
 178
 179 static int rsa_check_parameters(PROV_RSA_CTX *prsactx)
 180 {
 181     if (prsactx->pad_mode == RSA_PKCS1_PSS_PADDING) {
 182         int max_saltlen;
 183
 184         /* See if minimum salt length exceeds maximum possible */
 185         max_saltlen = RSA_size(prsactx->rsa) - EVP_MD_size(prsactx->md);
 186         if ((RSA_bits(prsactx->rsa) & 0x7) == 1)
 187             max_saltlen--;
 188         if (prsactx->min_saltlen < 0 || prsactx->min_saltlen > max_saltlen) {
 189             ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH);
 190             return 0;
 191         }
 192     }
 193     return 1;
 194 }
 195
 196 static void *rsa_newctx(void *provctx, const char *propq)
 197 {
 198     PROV_RSA_CTX *prsactx = NULL;
 199     char *propq_copy = NULL;
 200
 201     if ((prsactx = OPENSSL_zalloc(sizeof(PROV_RSA_CTX))) == NULL
 202         || (propq != NULL
 203             && (propq_copy = OPENSSL_strdup(propq)) == NULL)) {
 204         OPENSSL_free(prsactx);
 205         ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
 206         return NULL;
 207     }
 208
 209     prsactx->libctx = PROV_LIBRARY_CONTEXT_OF(provctx);
 210     prsactx->flag_allow_md = 1;
 211     prsactx->propq = propq_copy;
 212     return prsactx;
 213 }
 214
 215 /* True if PSS parameters are restricted */
 216 #define rsa_pss_restricted(prsactx) (prsactx->min_saltlen != -1)
 217
 218 static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname,
 219                         const char *mdprops)
 220 {
 221     if (mdprops == NULL)
 222         mdprops = ctx->propq;
 223
 224     if (mdname != NULL) {
 225         EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops);
 226         int md_nid = rsa_get_md_nid(md);
 227         WPACKET pkt;
 228         size_t mdname_len = strlen(mdname);
 229
 230         if (md == NULL
 231             || md_nid == NID_undef
 232             || !rsa_check_padding(md_nid, ctx->pad_mode)
 233             || mdname_len >= sizeof(ctx->mdname)) {
 234             if (md == NULL)
 235                 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
 236                                "%s could not be fetched", mdname);
 237             if (md_nid == NID_undef)
 238                 ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED,
 239                                "digest=%s", mdname);
 240             if (mdname_len >= sizeof(ctx->mdname))
 241                 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
 242                                "%s exceeds name buffer length", mdname);
 243             EVP_MD_free(md);
 244             return 0;
 245         }
 246
 247         EVP_MD_CTX_free(ctx->mdctx);
 248         EVP_MD_free(ctx->md);
 249
 250         /*
 251          * TODO(3.0) Should we care about DER writing errors?
 252          * All it really means is that for some reason, there's no
 253          * AlgorithmIdentifier to be had (consider RSA with MD5-SHA1),
 254          * but the operation itself is still valid, just as long as it's
 255          * not used to construct anything that needs an AlgorithmIdentifier.
 256          */
 257         ctx->aid_len = 0;
 258         if (WPACKET_init_der(&pkt, ctx->aid_buf, sizeof(ctx->aid_buf))
 259             && DER_w_algorithmIdentifier_MDWithRSAEncryption(&pkt, -1, ctx->rsa,
 260                                                              md_nid)
 261             && WPACKET_finish(&pkt)) {
 262             WPACKET_get_total_written(&pkt, &ctx->aid_len);
 263             ctx->aid = WPACKET_get_curr(&pkt);
 264         }
 265         WPACKET_cleanup(&pkt);
 266
 267         ctx->mdctx = NULL;
 268         ctx->md = md;
 269         ctx->mdnid = md_nid;
 270         OPENSSL_strlcpy(ctx->mdname, mdname, sizeof(ctx->mdname));
 271     }
 272
 273     return 1;
 274 }
 275
 276 static int rsa_setup_mgf1_md(PROV_RSA_CTX *ctx, const char *mdname,
 277                              const char *mdprops)
 278 {
 279     size_t len;
 280
 281     if (mdprops == NULL)
 282         mdprops = ctx->propq;
 283
 284     if (ctx->mgf1_mdname[0] != '\0')
 285         EVP_MD_free(ctx->mgf1_md);
 286
 287     if ((ctx->mgf1_md = EVP_MD_fetch(ctx->libctx, mdname, mdprops)) == NULL) {
 288         ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
 289                        "%s could not be fetched", mdname);
 290         return 0;
 291     }
 292     len = OPENSSL_strlcpy(ctx->mgf1_mdname, mdname, sizeof(ctx->mgf1_mdname));
 293     if (len >= sizeof(ctx->mgf1_mdname)) {
 294         ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
 295                        "%s exceeds name buffer length", mdname);
 296         return 0;
 297     }
 298
 299     return 1;
 300 }
 301
 302 static int rsa_signature_init(void *vprsactx, void *vrsa, int operation)
 303 {
 304     PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
 305
 306     if (prsactx == NULL || vrsa == NULL || !RSA_up_ref(vrsa))
 307         return 0;
 308
 309     RSA_free(prsactx->rsa);
 310     prsactx->rsa = vrsa;
 311     prsactx->operation = operation;
 312
 313     /* Maximum for sign, auto for verify */
 314     prsactx->saltlen = RSA_PSS_SALTLEN_AUTO;
 315     prsactx->min_saltlen = -1;
 316
 317     switch (RSA_test_flags(prsactx->rsa, RSA_FLAG_TYPE_MASK)) {
 318     case RSA_FLAG_TYPE_RSA:
 319         prsactx->pad_mode = RSA_PKCS1_PADDING;
 320         break;
 321     case RSA_FLAG_TYPE_RSASSAPSS:
 322         prsactx->pad_mode = RSA_PKCS1_PSS_PADDING;
 323
 324         {
 325             const RSA_PSS_PARAMS_30 *pss =
 326                 rsa_get0_pss_params_30(prsactx->rsa);
 327
 328             if (!rsa_pss_params_30_is_unrestricted(pss)) {
 329                 int md_nid = rsa_pss_params_30_hashalg(pss);
 330                 int mgf1md_nid = rsa_pss_params_30_maskgenhashalg(pss);
 331                 int min_saltlen = rsa_pss_params_30_saltlen(pss);
 332                 const char *mdname, *mgf1mdname;
 333                 size_t len;
 334
 335                 mdname = rsa_oaeppss_nid2name(md_nid);
 336                 mgf1mdname = rsa_oaeppss_nid2name(mgf1md_nid);
 337                 prsactx->min_saltlen = min_saltlen;
 338
 339                 if (mdname == NULL) {
 340                     ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
 341                                    "PSS restrictions lack hash algorithm");
 342                     return 0;
 343                 }
 344                 if (mgf1mdname == NULL) {
 345                     ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
 346                                    "PSS restrictions lack MGF1 hash algorithm");
 347                     return 0;
 348                 }
 349
 350                 len = OPENSSL_strlcpy(prsactx->mdname, mdname,
 351                                       sizeof(prsactx->mdname));
 352                 if (len >= sizeof(prsactx->mdname)) {
 353                     ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
 354                                    "hash algorithm name too long");
 355                     return 0;
 356                 }
 357                 len = OPENSSL_strlcpy(prsactx->mgf1_mdname, mgf1mdname,
 358                                       sizeof(prsactx->mgf1_mdname));
 359                 if (len >= sizeof(prsactx->mgf1_mdname)) {
 360                     ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
 361                                    "MGF1 hash algorithm name too long");
 362                     return 0;
 363                 }
 364                 prsactx->saltlen = min_saltlen;
 365
 366                 return rsa_setup_md(prsactx, mdname, prsactx->propq)
 367                     && rsa_setup_mgf1_md(prsactx, mgf1mdname, prsactx->propq)
 368                     && rsa_check_parameters(prsactx);
 369             }
 370         }
 371
 372         break;
 373     default:
 374         ERR_raise(ERR_LIB_RSA, PROV_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
 375         return 0;
 376     }
 377
 378     return 1;
 379 }
 380
 381 static int setup_tbuf(PROV_RSA_CTX *ctx)
 382 {
 383     if (ctx->tbuf != NULL)
 384         return 1;
 385     if ((ctx->tbuf = OPENSSL_malloc(RSA_size(ctx->rsa))) == NULL) {
 386         ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
 387         return 0;
 388     }
 389     return 1;
 390 }
 391
 392 static void clean_tbuf(PROV_RSA_CTX *ctx)
 393 {
 394     if (ctx->tbuf != NULL)
 395         OPENSSL_cleanse(ctx->tbuf, RSA_size(ctx->rsa));
 396 }
 397
 398 static void free_tbuf(PROV_RSA_CTX *ctx)
 399 {
 400     clean_tbuf(ctx);
 401     OPENSSL_free(ctx->tbuf);
 402     ctx->tbuf = NULL;
 403 }
 404
 405 static int rsa_sign_init(void *vprsactx, void *vrsa)
 406 {
 407     return rsa_signature_init(vprsactx, vrsa, EVP_PKEY_OP_SIGN);
 408 }
 409
 410 static int rsa_sign(void *vprsactx, unsigned char *sig, size_t *siglen,
 411                     size_t sigsize, const unsigned char *tbs, size_t tbslen)
 412 {
 413     PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
 414     int ret;
 415     size_t rsasize = RSA_size(prsactx->rsa);
 416     size_t mdsize = rsa_get_md_size(prsactx);
 417
 418     if (sig == NULL) {
 419         *siglen = rsasize;
 420         return 1;
 421     }
 422
 423     if (sigsize < rsasize) {
 424         ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_SIGNATURE_SIZE,
 425                        "is %zu, should be at least %zu", sigsize, rsasize);
 426         return 0;
 427     }
 428
 429     if (mdsize != 0) {
 430         if (tbslen != mdsize) {
 431             ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST_LENGTH);
 432             return 0;
 433         }
 434
 435 #ifndef FIPS_MODULE
 436         if (EVP_MD_is_a(prsactx->md, OSSL_DIGEST_NAME_MDC2)) {
 437             unsigned int sltmp;
 438
 439             if (prsactx->pad_mode != RSA_PKCS1_PADDING) {
 440                 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE,
 441                                "only PKCS#1 padding supported with MDC2");
 442                 return 0;
 443             }
 444             ret = RSA_sign_ASN1_OCTET_STRING(0, tbs, tbslen, sig, &sltmp,
 445                                              prsactx->rsa);
 446
 447             if (ret <= 0) {
 448                 ERR_raise(ERR_LIB_PROV, ERR_LIB_RSA);
 449                 return 0;
 450             }
 451             ret = sltmp;
 452             goto end;
 453         }
 454 #endif
 455         switch (prsactx->pad_mode) {
 456         case RSA_X931_PADDING:
 457             if ((size_t)RSA_size(prsactx->rsa) < tbslen + 1) {
 458                 ERR_raise_data(ERR_LIB_PROV, PROV_R_KEY_SIZE_TOO_SMALL,
 459                                "RSA key size = %d, expected minimum = %d",
 460                                RSA_size(prsactx->rsa), tbslen + 1);
 461                 return 0;
 462             }
 463             if (!setup_tbuf(prsactx)) {
 464                 ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
 465                 return 0;
 466             }
 467             memcpy(prsactx->tbuf, tbs, tbslen);
 468             prsactx->tbuf[tbslen] = RSA_X931_hash_id(prsactx->mdnid);
 469             ret = RSA_private_encrypt(tbslen + 1, prsactx->tbuf,
 470                                       sig, prsactx->rsa, RSA_X931_PADDING);
 471             clean_tbuf(prsactx);
 472             break;
 473
 474         case RSA_PKCS1_PADDING:
 475             {
 476                 unsigned int sltmp;
 477
 478                 ret = RSA_sign(prsactx->mdnid, tbs, tbslen, sig, &sltmp,
 479                                prsactx->rsa);
 480                 if (ret <= 0) {
 481                     ERR_raise(ERR_LIB_PROV, ERR_LIB_RSA);
 482                     return 0;
 483                 }
 484                 ret = sltmp;
 485             }
 486             break;
 487
 488         case RSA_PKCS1_PSS_PADDING:
 489             /* Check PSS restrictions */
 490             if (rsa_pss_restricted(prsactx)) {
 491                 switch (prsactx->saltlen) {
 492                 case RSA_PSS_SALTLEN_DIGEST:
 493                     if (prsactx->min_saltlen > EVP_MD_size(prsactx->md)) {
 494                         ERR_raise_data(ERR_LIB_PROV,
 495                                        PROV_R_PSS_SALTLEN_TOO_SMALL,
 496                                        "minimum salt length set to %d, "
 497                                        "but the digest only gives %d",
 498                                        prsactx->min_saltlen,
 499                                        EVP_MD_size(prsactx->md));
 500                         return 0;
 501                     }
 502                     /* FALLTHRU */
 503                 default:
 504                     if (prsactx->saltlen >= 0
 505                         && prsactx->saltlen < prsactx->min_saltlen) {
 506                         ERR_raise_data(ERR_LIB_PROV,
 507                                        PROV_R_PSS_SALTLEN_TOO_SMALL,
 508                                        "minimum salt length set to %d, but the"
 509                                        "actual salt length is only set to %d",
 510                                        prsactx->min_saltlen,
 511                                        prsactx->saltlen);
 512                         return 0;
 513                     }
 514                     break;
 515                 }
 516             }
 517             if (!setup_tbuf(prsactx))
 518                 return 0;
 519             if (!RSA_padding_add_PKCS1_PSS_mgf1(prsactx->rsa,
 520                                                 prsactx->tbuf, tbs,
 521                                                 prsactx->md, prsactx->mgf1_md,
 522                                                 prsactx->saltlen)) {
 523                 ERR_raise(ERR_LIB_PROV, ERR_LIB_RSA);
 524                 return 0;
 525             }
 526             ret = RSA_private_encrypt(RSA_size(prsactx->rsa), prsactx->tbuf,
 527                                       sig, prsactx->rsa, RSA_NO_PADDING);
 528             clean_tbuf(prsactx);
 529             break;
 530
 531         default:
 532             ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE,
 533                            "Only X.931, PKCS#1 v1.5 or PSS padding allowed");
 534             return 0;
 535         }
 536     } else {
 537         ret = RSA_private_encrypt(tbslen, tbs, sig, prsactx->rsa,
 538                                   prsactx->pad_mode);
 539     }
 540
 541 #ifndef FIPS_MODULE
 542  end:
 543 #endif
 544     if (ret <= 0) {
 545         ERR_raise(ERR_LIB_PROV, ERR_LIB_RSA);
 546         return 0;
 547     }
 548
 549     *siglen = ret;
 550     return 1;
 551 }
 552
 553 static int rsa_verify_recover_init(void *vprsactx, void *vrsa)
 554 {
 555     return rsa_signature_init(vprsactx, vrsa, EVP_PKEY_OP_VERIFYRECOVER);
 556 }
 557
 558 static int rsa_verify_recover(void *vprsactx,
 559                               unsigned char *rout,
 560                               size_t *routlen,
 561                               size_t routsize,
 562                               const unsigned char *sig,
 563                               size_t siglen)
 564 {
 565     PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
 566     int ret;
 567
 568     if (rout == NULL) {
 569         *routlen = RSA_size(prsactx->rsa);
 570         return 1;
 571     }
 572
 573     if (prsactx->md != NULL) {
 574         switch (prsactx->pad_mode) {
 575         case RSA_X931_PADDING:
 576             if (!setup_tbuf(prsactx))
 577                 return 0;
 578             ret = RSA_public_decrypt(siglen, sig, prsactx->tbuf, prsactx->rsa,
 579                                      RSA_X931_PADDING);
 580             if (ret < 1) {
 581                 ERR_raise(ERR_LIB_PROV, ERR_LIB_RSA);
 582                 return 0;
 583             }
 584             ret--;
 585             if (prsactx->tbuf[ret] != RSA_X931_hash_id(prsactx->mdnid)) {
 586                 ERR_raise(ERR_LIB_PROV, PROV_R_ALGORITHM_MISMATCH);
 587                 return 0;
 588             }
 589             if (ret != EVP_MD_size(prsactx->md)) {
 590                 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST_LENGTH,
 591                                "Should be %d, but got %d",
 592                                EVP_MD_size(prsactx->md), ret);
 593                 return 0;
 594             }
 595
 596             *routlen = ret;
 597             if (rout != prsactx->tbuf) {
 598                 if (routsize < (size_t)ret) {
 599                     ERR_raise_data(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL,
 600                                    "buffer size is %d, should be %d",
 601                                    routsize, ret);
 602                     return 0;
 603                 }
 604                 memcpy(rout, prsactx->tbuf, ret);
 605             }
 606             break;
 607
 608         case RSA_PKCS1_PADDING:
 609             {
 610                 size_t sltmp;
 611
 612                 ret = int_rsa_verify(prsactx->mdnid, NULL, 0, rout, &sltmp,
 613                                      sig, siglen, prsactx->rsa);
 614                 if (ret <= 0) {
 615                     ERR_raise(ERR_LIB_PROV, ERR_LIB_RSA);
 616                     return 0;
 617                 }
 618                 ret = sltmp;
 619             }
 620             break;
 621
 622         default:
 623             ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE,
 624                            "Only X.931 or PKCS#1 v1.5 padding allowed");
 625             return 0;
 626         }
 627     } else {
 628         ret = RSA_public_decrypt(siglen, sig, rout, prsactx->rsa,
 629                                  prsactx->pad_mode);
 630         if (ret < 0) {
 631             ERR_raise(ERR_LIB_PROV, ERR_LIB_RSA);
 632             return 0;
 633         }
 634     }
 635     *routlen = ret;
 636     return 1;
 637 }
 638
 639 static int rsa_verify_init(void *vprsactx, void *vrsa)
 640 {
 641     return rsa_signature_init(vprsactx, vrsa, EVP_PKEY_OP_VERIFY);
 642 }
 643
 644 static int rsa_verify(void *vprsactx, const unsigned char *sig, size_t siglen,
 645                       const unsigned char *tbs, size_t tbslen)
 646 {
 647     PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
 648     size_t rslen;
 649
 650     if (prsactx->md != NULL) {
 651         switch (prsactx->pad_mode) {
 652         case RSA_PKCS1_PADDING:
 653             if (!RSA_verify(prsactx->mdnid, tbs, tbslen, sig, siglen,
 654                             prsactx->rsa)) {
 655                 ERR_raise(ERR_LIB_PROV, ERR_LIB_RSA);
 656                 return 0;
 657             }
 658             return 1;
 659         case RSA_X931_PADDING:
 660             if (!setup_tbuf(prsactx))
 661                 return 0;
 662             if (rsa_verify_recover(prsactx, prsactx->tbuf, &rslen, 0,
 663                                    sig, siglen) <= 0)
 664                 return 0;
 665             break;
 666         case RSA_PKCS1_PSS_PADDING:
 667             {
 668                 int ret;
 669                 size_t mdsize;
 670
 671                 /*
 672                  * We need to check this for the RSA_verify_PKCS1_PSS_mgf1()
 673                  * call
 674                  */
 675                 mdsize = rsa_get_md_size(prsactx);
 676                 if (tbslen != mdsize) {
 677                     ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST_LENGTH,
 678                                    "Should be %d, but got %d",
 679                                    mdsize, tbslen);
 680                     return 0;
 681                 }
 682
 683                 if (!setup_tbuf(prsactx))
 684                     return 0;
 685                 ret = RSA_public_decrypt(siglen, sig, prsactx->tbuf,
 686                                          prsactx->rsa, RSA_NO_PADDING);
 687                 if (ret <= 0) {
 688                     ERR_raise(ERR_LIB_PROV, ERR_LIB_RSA);
 689                     return 0;
 690                 }
 691                 ret = RSA_verify_PKCS1_PSS_mgf1(prsactx->rsa, tbs,
 692                                                 prsactx->md, prsactx->mgf1_md,
 693                                                 prsactx->tbuf,
 694                                                 prsactx->saltlen);
 695                 if (ret <= 0) {
 696                     ERR_raise(ERR_LIB_PROV, ERR_LIB_RSA);
 697                     return 0;
 698                 }
 699                 return 1;
 700             }
 701         default:
 702             ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE,
 703                            "Only X.931, PKCS#1 v1.5 or PSS padding allowed");
 704             return 0;
 705         }
 706     } else {
 707         if (!setup_tbuf(prsactx))
 708             return 0;
 709         rslen = RSA_public_decrypt(siglen, sig, prsactx->tbuf, prsactx->rsa,
 710                                    prsactx->pad_mode);
 711         if (rslen == 0) {
 712             ERR_raise(ERR_LIB_PROV, ERR_LIB_RSA);
 713             return 0;
 714         }
 715     }
 716
 717     if ((rslen != tbslen) || memcmp(tbs, prsactx->tbuf, rslen))
 718         return 0;
 719
 720     return 1;
 721 }
 722
 723 static int rsa_digest_signverify_init(void *vprsactx, const char *mdname,
 724                                       void *vrsa, int operation)
 725 {
 726     PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
 727
 728     if (prsactx != NULL)
 729         prsactx->flag_allow_md = 0;
 730     if (!rsa_signature_init(vprsactx, vrsa, operation)
 731         || !rsa_setup_md(prsactx, mdname, NULL)) /* TODO RL */
 732         return 0;
 733
 734     prsactx->mdctx = EVP_MD_CTX_new();
 735     if (prsactx->mdctx == NULL) {
 736         ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
 737         goto error;
 738     }
 739
 740     if (!EVP_DigestInit_ex(prsactx->mdctx, prsactx->md, NULL))
 741         goto error;
 742
 743     return 1;
 744
 745  error:
 746     EVP_MD_CTX_free(prsactx->mdctx);
 747     EVP_MD_free(prsactx->md);
 748     prsactx->mdctx = NULL;
 749     prsactx->md = NULL;
 750     return 0;
 751 }
 752
 753 static int rsa_digest_signverify_update(void *vprsactx,
 754                                         const unsigned char *data,
 755                                         size_t datalen)
 756 {
 757     PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
 758
 759     if (prsactx == NULL || prsactx->mdctx == NULL)
 760         return 0;
 761
 762     return EVP_DigestUpdate(prsactx->mdctx, data, datalen);
 763 }
 764
 765 static int rsa_digest_sign_init(void *vprsactx, const char *mdname,
 766                                 void *vrsa)
 767 {
 768     return rsa_digest_signverify_init(vprsactx, mdname, vrsa,
 769                                       EVP_PKEY_OP_SIGN);
 770 }
 771
 772 static int rsa_digest_sign_final(void *vprsactx, unsigned char *sig,
 773                                  size_t *siglen, size_t sigsize)
 774 {
 775     PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
 776     unsigned char digest[EVP_MAX_MD_SIZE];
 777     unsigned int dlen = 0;
 778
 779     if (prsactx == NULL)
 780         return 0;
 781     prsactx->flag_allow_md = 1;
 782     if (prsactx->mdctx == NULL)
 783         return 0;
 784     /*
 785      * If sig is NULL then we're just finding out the sig size. Other fields
 786      * are ignored. Defer to rsa_sign.
 787      */
 788     if (sig != NULL) {
 789         /*
 790          * TODO(3.0): There is the possibility that some externally provided
 791          * digests exceed EVP_MAX_MD_SIZE. We should probably handle that somehow -
 792          * but that problem is much larger than just in RSA.
 793          */
 794         if (!EVP_DigestFinal_ex(prsactx->mdctx, digest, &dlen))
 795             return 0;
 796     }
 797
 798     return rsa_sign(vprsactx, sig, siglen, sigsize, digest, (size_t)dlen);
 799 }
 800
 801 static int rsa_digest_verify_init(void *vprsactx, const char *mdname,
 802                                   void *vrsa)
 803 {
 804     return rsa_digest_signverify_init(vprsactx, mdname, vrsa,
 805                                       EVP_PKEY_OP_VERIFY);
 806 }
 807
 808 int rsa_digest_verify_final(void *vprsactx, const unsigned char *sig,
 809                             size_t siglen)
 810 {
 811     PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
 812     unsigned char digest[EVP_MAX_MD_SIZE];
 813     unsigned int dlen = 0;
 814
 815     if (prsactx == NULL)
 816         return 0;
 817     prsactx->flag_allow_md = 1;
 818     if (prsactx->mdctx == NULL)
 819         return 0;
 820
 821     /*
 822      * TODO(3.0): There is the possibility that some externally provided
 823      * digests exceed EVP_MAX_MD_SIZE. We should probably handle that somehow -
 824      * but that problem is much larger than just in RSA.
 825      */
 826     if (!EVP_DigestFinal_ex(prsactx->mdctx, digest, &dlen))
 827         return 0;
 828
 829     return rsa_verify(vprsactx, sig, siglen, digest, (size_t)dlen);
 830 }
 831
 832 static void rsa_freectx(void *vprsactx)
 833 {
 834     PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
 835
 836     if (prsactx == NULL)
 837         return;
 838
 839     EVP_MD_CTX_free(prsactx->mdctx);
 840     EVP_MD_free(prsactx->md);
 841     EVP_MD_free(prsactx->mgf1_md);
 842     OPENSSL_free(prsactx->propq);
 843     free_tbuf(prsactx);
 844     RSA_free(prsactx->rsa);
 845
 846     OPENSSL_clear_free(prsactx, sizeof(*prsactx));
 847 }
 848
 849 static void *rsa_dupctx(void *vprsactx)
 850 {
 851     PROV_RSA_CTX *srcctx = (PROV_RSA_CTX *)vprsactx;
 852     PROV_RSA_CTX *dstctx;
 853
 854     dstctx = OPENSSL_zalloc(sizeof(*srcctx));
 855     if (dstctx == NULL) {
 856         ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
 857         return NULL;
 858     }
 859
 860     *dstctx = *srcctx;
 861     dstctx->rsa = NULL;
 862     dstctx->md = NULL;
 863     dstctx->mdctx = NULL;
 864     dstctx->tbuf = NULL;
 865
 866     if (srcctx->rsa != NULL && !RSA_up_ref(srcctx->rsa))
 867         goto err;
 868     dstctx->rsa = srcctx->rsa;
 869
 870     if (srcctx->md != NULL && !EVP_MD_up_ref(srcctx->md))
 871         goto err;
 872     dstctx->md = srcctx->md;
 873
 874     if (srcctx->mgf1_md != NULL && !EVP_MD_up_ref(srcctx->mgf1_md))
 875         goto err;
 876     dstctx->mgf1_md = srcctx->mgf1_md;
 877
 878     if (srcctx->mdctx != NULL) {
 879         dstctx->mdctx = EVP_MD_CTX_new();
 880         if (dstctx->mdctx == NULL
 881                 || !EVP_MD_CTX_copy_ex(dstctx->mdctx, srcctx->mdctx))
 882             goto err;
 883     }
 884
 885     return dstctx;
 886  err:
 887     rsa_freectx(dstctx);
 888     return NULL;
 889 }
 890
 891 static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params)
 892 {
 893     PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
 894     OSSL_PARAM *p;
 895
 896     if (prsactx == NULL || params == NULL)
 897         return 0;
 898
 899     p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_ALGORITHM_ID);
 900     if (p != NULL
 901         && !OSSL_PARAM_set_octet_string(p, prsactx->aid, prsactx->aid_len))
 902         return 0;
 903
 904     p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_PAD_MODE);
 905     if (p != NULL)
 906         switch (p->data_type) {
 907         case OSSL_PARAM_INTEGER:
 908             if (!OSSL_PARAM_set_int(p, prsactx->pad_mode))
 909                 return 0;
 910             break;
 911         case OSSL_PARAM_UTF8_STRING:
 912             {
 913                 int i;
 914                 const char *word = NULL;
 915
 916                 for (i = 0; padding_item[i].id != 0; i++) {
 917                     if (prsactx->pad_mode == (int)padding_item[i].id) {
 918                         word = padding_item[i].ptr;
 919                         break;
 920                     }
 921                 }
 922
 923                 if (word != NULL) {
 924                     if (!OSSL_PARAM_set_utf8_string(p, word))
 925                         return 0;
 926                 } else {
 927                     ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);
 928                 }
 929             }
 930             break;
 931         default:
 932             return 0;
 933         }
 934
 935     p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_DIGEST);
 936     if (p != NULL && !OSSL_PARAM_set_utf8_string(p, prsactx->mdname))
 937         return 0;
 938
 939     p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_MGF1_DIGEST);
 940     if (p != NULL && !OSSL_PARAM_set_utf8_string(p, prsactx->mgf1_mdname))
 941         return 0;
 942
 943     p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_PSS_SALTLEN);
 944     if (p != NULL) {
 945         if (p->data_type == OSSL_PARAM_INTEGER) {
 946             if (!OSSL_PARAM_set_int(p, prsactx->saltlen))
 947                 return 0;
 948         } else if (p->data_type == OSSL_PARAM_UTF8_STRING) {
 949             const char *value = NULL;
 950
 951             switch (prsactx->saltlen) {
 952             case RSA_PSS_SALTLEN_DIGEST:
 953                 value = OSSL_PKEY_RSA_PSS_SALT_LEN_DIGEST;
 954                 break;
 955             case RSA_PSS_SALTLEN_MAX:
 956                 value = OSSL_PKEY_RSA_PSS_SALT_LEN_MAX;
 957                 break;
 958             case RSA_PSS_SALTLEN_AUTO:
 959                 value = OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO;
 960                 break;
 961             default:
 962                 {
 963                     int len = BIO_snprintf(p->data, p->data_size, "%d",
 964                                            prsactx->saltlen);
 965
 966                     if (len <= 0)
 967                         return 0;
 968                     p->return_size = len;
 969                     break;
 970                 }
 971             }
 972             if (value != NULL
 973                 && !OSSL_PARAM_set_utf8_string(p, value))
 974                 return 0;
 975         }
 976     }
 977
 978     return 1;
 979 }
 980
 981 static const OSSL_PARAM known_gettable_ctx_params[] = {
 982     OSSL_PARAM_octet_string(OSSL_SIGNATURE_PARAM_ALGORITHM_ID, NULL, 0),
 983     OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PAD_MODE, NULL, 0),
 984     OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, NULL, 0),
 985     OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_DIGEST, NULL, 0),
 986     OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL, 0),
 987     OSSL_PARAM_END
 988 };
 989
 990 static const OSSL_PARAM *rsa_gettable_ctx_params(ossl_unused void *provctx)
 991 {
 992     return known_gettable_ctx_params;
 993 }
 994
 995 static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
 996 {
 997     PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
 998     const OSSL_PARAM *p;
 999
1000     if (prsactx == NULL || params == NULL)
1001         return 0;
1002
1003     p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_DIGEST);
1004     /* Not allowed during certain operations */
1005     if (p != NULL && !prsactx->flag_allow_md)
1006         return 0;
1007     if (p != NULL) {
1008         char mdname[OSSL_MAX_NAME_SIZE] = "", *pmdname = mdname;
1009         char mdprops[OSSL_MAX_PROPQUERY_SIZE] = "", *pmdprops = mdprops;
1010         const OSSL_PARAM *propsp =
1011             OSSL_PARAM_locate_const(params,
1012                                     OSSL_SIGNATURE_PARAM_PROPERTIES);
1013
1014         if (!OSSL_PARAM_get_utf8_string(p, &pmdname, sizeof(mdname)))
1015             return 0;
1016
1017         if (propsp == NULL)
1018             pmdprops = NULL;
1019         else if (!OSSL_PARAM_get_utf8_string(propsp,
1020                                              &pmdprops, sizeof(mdprops)))
1021             return 0;
1022
1023         if (rsa_pss_restricted(prsactx)) {
1024             /* TODO(3.0) figure out what to do for prsactx->md == NULL */
1025             if (prsactx->md == NULL || EVP_MD_is_a(prsactx->md, mdname))
1026                 return 1;
1027             ERR_raise(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED);
1028             return 0;
1029         }
1030
1031         /* non-PSS code follows */
1032         if (!rsa_setup_md(prsactx, mdname, pmdprops))
1033             return 0;
1034     }
1035
1036     p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_PAD_MODE);
1037     if (p != NULL) {
1038         int pad_mode = 0;
1039         const char *err_extra_text = NULL;
1040
1041         switch (p->data_type) {
1042         case OSSL_PARAM_INTEGER: /* Support for legacy pad mode number */
1043             if (!OSSL_PARAM_get_int(p, &pad_mode))
1044                 return 0;
1045             break;
1046         case OSSL_PARAM_UTF8_STRING:
1047             {
1048                 int i;
1049
1050                 if (p->data == NULL)
1051                     return 0;
1052
1053                 for (i = 0; padding_item[i].id != 0; i++) {
1054                     if (strcmp(p->data, padding_item[i].ptr) == 0) {
1055                         pad_mode = padding_item[i].id;
1056                         break;
1057                     }
1058                 }
1059             }
1060             break;
1061         default:
1062             return 0;
1063         }
1064
1065         switch (pad_mode) {
1066         case RSA_PKCS1_OAEP_PADDING:
1067             /*
1068              * OAEP padding is for asymmetric cipher only so is not compatible
1069              * with signature use.
1070              */
1071             err_extra_text = "OAEP padding not allowed for signing / verifying";
1072             goto bad_pad;
1073         case RSA_PKCS1_PSS_PADDING:
1074             if ((prsactx->operation
1075                  & (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY)) == 0) {
1076                 err_extra_text =
1077                     "PSS padding only allowed for sign and verify operations";
1078                 goto bad_pad;
1079             }
1080             if (prsactx->md == NULL
1081                 && !rsa_setup_md(prsactx, OSSL_DIGEST_NAME_SHA1, NULL)) {
1082                 return 0;
1083             }
1084             break;
1085         case RSA_PKCS1_PADDING:
1086             err_extra_text = "PKCS#1 padding not allowed with RSA-PSS";
1087             goto cont;
1088         case RSA_SSLV23_PADDING:
1089             err_extra_text = "SSLv3 padding not allowed with RSA-PSS";
1090             goto cont;
1091         case RSA_NO_PADDING:
1092             err_extra_text = "No padding not allowed with RSA-PSS";
1093             goto cont;
1094         case RSA_X931_PADDING:
1095             err_extra_text = "X.931 padding not allowed with RSA-PSS";
1096         cont:
1097             if (RSA_test_flags(prsactx->rsa,
1098                                RSA_FLAG_TYPE_MASK) == RSA_FLAG_TYPE_RSA)
1099                 break;
1100             /* FALLTHRU */
1101         default:
1102         bad_pad:
1103             if (err_extra_text == NULL)
1104                 ERR_raise(ERR_LIB_PROV,
1105                           PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
1106             else
1107                 ERR_raise_data(ERR_LIB_PROV,
1108                                PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE,
1109                                err_extra_text);
1110             return 0;
1111         }
1112         if (!rsa_check_padding(prsactx->mdnid, pad_mode))
1113             return 0;
1114         prsactx->pad_mode = pad_mode;
1115     }
1116
1117     p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_PSS_SALTLEN);
1118     if (p != NULL) {
1119         int saltlen;
1120
1121         if (prsactx->pad_mode != RSA_PKCS1_PSS_PADDING) {
1122             ERR_raise_data(ERR_LIB_PROV, PROV_R_NOT_SUPPORTED,
1123                            "PSS saltlen can only be specified if "
1124                            "PSS padding has been specified first");
1125             return 0;
1126         }
1127
1128         switch (p->data_type) {
1129         case OSSL_PARAM_INTEGER: /* Support for legacy pad mode number */
1130             if (!OSSL_PARAM_get_int(p, &saltlen))
1131                 return 0;
1132             break;
1133         case OSSL_PARAM_UTF8_STRING:
1134             if (strcmp(p->data, OSSL_PKEY_RSA_PSS_SALT_LEN_DIGEST) == 0)
1135                 saltlen = RSA_PSS_SALTLEN_DIGEST;
1136             else if (strcmp(p->data, OSSL_PKEY_RSA_PSS_SALT_LEN_MAX) == 0)
1137                 saltlen = RSA_PSS_SALTLEN_MAX;
1138             else if (strcmp(p->data, OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO) == 0)
1139                 saltlen = RSA_PSS_SALTLEN_AUTO;
1140             else
1141                 saltlen = atoi(p->data);
1142             break;
1143         default:
1144             return 0;
1145         }
1146
1147         /*
1148          * RSA_PSS_SALTLEN_MAX seems curiously named in this check.
1149          * Contrary to what it's name suggests, it's the currently
1150          * lowest saltlen number possible.
1151          */
1152         if (saltlen < RSA_PSS_SALTLEN_MAX) {
1153             ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_PSS_SALTLEN);
1154             return 0;
1155         }
1156
1157         if (rsa_pss_restricted(prsactx)) {
1158             switch (saltlen) {
1159             case RSA_PSS_SALTLEN_AUTO:
1160                 if (prsactx->operation == EVP_PKEY_OP_VERIFY) {
1161                     ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_PSS_SALTLEN);
1162                     return 0;
1163                 }
1164                 break;
1165             case RSA_PSS_SALTLEN_DIGEST:
1166                 if (prsactx->min_saltlen > EVP_MD_size(prsactx->md)) {
1167                     ERR_raise_data(ERR_LIB_PROV,
1168                                    PROV_R_PSS_SALTLEN_TOO_SMALL,
1169                                    "Should be more than %d, but would be "
1170                                    "set to match digest size (%d)",
1171                                    prsactx->min_saltlen,
1172                                    EVP_MD_size(prsactx->md));
1173                     return 0;
1174                 }
1175                 break;
1176             default:
1177                 if (saltlen >= 0 && saltlen < prsactx->min_saltlen) {
1178                     ERR_raise_data(ERR_LIB_PROV,
1179                                    PROV_R_PSS_SALTLEN_TOO_SMALL,
1180                                    "Should be more than %d, "
1181                                    "but would be set to %d",
1182                                    prsactx->min_saltlen, saltlen);
1183                     return 0;
1184                 }
1185             }
1186         }
1187
1188         prsactx->saltlen = saltlen;
1189     }
1190
1191     p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_MGF1_DIGEST);
1192     if (p != NULL) {
1193         char mdname[OSSL_MAX_NAME_SIZE] = "", *pmdname = mdname;
1194         char mdprops[OSSL_MAX_PROPQUERY_SIZE] = "", *pmdprops = mdprops;
1195         const OSSL_PARAM *propsp =
1196             OSSL_PARAM_locate_const(params,
1197                                     OSSL_SIGNATURE_PARAM_MGF1_PROPERTIES);
1198
1199         if (!OSSL_PARAM_get_utf8_string(p, &pmdname, sizeof(mdname)))
1200             return 0;
1201
1202         if (propsp == NULL)
1203             pmdprops = NULL;
1204         else if (!OSSL_PARAM_get_utf8_string(propsp,
1205                                              &pmdprops, sizeof(mdprops)))
1206             return 0;
1207
1208         if (prsactx->pad_mode != RSA_PKCS1_PSS_PADDING) {
1209             ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_MGF1_MD);
1210             return  0;
1211         }
1212
1213         if (rsa_pss_restricted(prsactx)) {
1214             /* TODO(3.0) figure out what to do for prsactx->mgf1_md == NULL */
1215             if (prsactx->mgf1_md == NULL
1216                 || EVP_MD_is_a(prsactx->mgf1_md, mdname))
1217                 return 1;
1218             ERR_raise(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED);
1219             return 0;
1220         }
1221
1222         /* non-PSS code follows */
1223         if (!rsa_setup_mgf1_md(prsactx, mdname, pmdprops))
1224             return 0;
1225     }
1226
1227     return 1;
1228 }
1229
1230 static const OSSL_PARAM known_settable_ctx_params[] = {
1231     OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PAD_MODE, NULL, 0),
1232     OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, NULL, 0),
1233     OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PROPERTIES, NULL, 0),
1234     OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_DIGEST, NULL, 0),
1235     OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_PROPERTIES, NULL, 0),
1236     OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL, 0),
1237     OSSL_PARAM_END
1238 };
1239
1240 static const OSSL_PARAM *rsa_settable_ctx_params(ossl_unused void *provctx)
1241 {
1242     /*
1243      * TODO(3.0): Should this function return a different set of settable ctx
1244      * params if the ctx is being used for a DigestSign/DigestVerify? In that
1245      * case it is not allowed to set the digest size/digest name because the
1246      * digest is explicitly set as part of the init.
1247      */
1248     return known_settable_ctx_params;
1249 }
1250
1251 static int rsa_get_ctx_md_params(void *vprsactx, OSSL_PARAM *params)
1252 {
1253     PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
1254
1255     if (prsactx->mdctx == NULL)
1256         return 0;
1257
1258     return EVP_MD_CTX_get_params(prsactx->mdctx, params);
1259 }
1260
1261 static const OSSL_PARAM *rsa_gettable_ctx_md_params(void *vprsactx)
1262 {
1263     PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
1264
1265     if (prsactx->md == NULL)
1266         return 0;
1267
1268     return EVP_MD_gettable_ctx_params(prsactx->md);
1269 }
1270
1271 static int rsa_set_ctx_md_params(void *vprsactx, const OSSL_PARAM params[])
1272 {
1273     PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
1274
1275     if (prsactx->mdctx == NULL)
1276         return 0;
1277
1278     return EVP_MD_CTX_set_params(prsactx->mdctx, params);
1279 }
1280
1281 static const OSSL_PARAM *rsa_settable_ctx_md_params(void *vprsactx)
1282 {
1283     PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
1284
1285     if (prsactx->md == NULL)
1286         return 0;
1287
1288     return EVP_MD_settable_ctx_params(prsactx->md);
1289 }
1290
1291 const OSSL_DISPATCH rsa_signature_functions[] = {
1292     { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))rsa_newctx },
1293     { OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))rsa_sign_init },
1294     { OSSL_FUNC_SIGNATURE_SIGN, (void (*)(void))rsa_sign },
1295     { OSSL_FUNC_SIGNATURE_VERIFY_INIT, (void (*)(void))rsa_verify_init },
1296     { OSSL_FUNC_SIGNATURE_VERIFY, (void (*)(void))rsa_verify },
1297     { OSSL_FUNC_SIGNATURE_VERIFY_RECOVER_INIT,
1298       (void (*)(void))rsa_verify_recover_init },
1299     { OSSL_FUNC_SIGNATURE_VERIFY_RECOVER,
1300       (void (*)(void))rsa_verify_recover },
1301     { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_INIT,
1302       (void (*)(void))rsa_digest_sign_init },
1303     { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_UPDATE,
1304       (void (*)(void))rsa_digest_signverify_update },
1305     { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_FINAL,
1306       (void (*)(void))rsa_digest_sign_final },
1307     { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_INIT,
1308       (void (*)(void))rsa_digest_verify_init },
1309     { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_UPDATE,
1310       (void (*)(void))rsa_digest_signverify_update },
1311     { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_FINAL,
1312       (void (*)(void))rsa_digest_verify_final },
1313     { OSSL_FUNC_SIGNATURE_FREECTX, (void (*)(void))rsa_freectx },
1314     { OSSL_FUNC_SIGNATURE_DUPCTX, (void (*)(void))rsa_dupctx },
1315     { OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, (void (*)(void))rsa_get_ctx_params },
1316     { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS,
1317       (void (*)(void))rsa_gettable_ctx_params },
1318     { OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS, (void (*)(void))rsa_set_ctx_params },
1319     { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS,
1320       (void (*)(void))rsa_settable_ctx_params },
1321     { OSSL_FUNC_SIGNATURE_GET_CTX_MD_PARAMS,
1322       (void (*)(void))rsa_get_ctx_md_params },
1323     { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_MD_PARAMS,
1324       (void (*)(void))rsa_gettable_ctx_md_params },
1325     { OSSL_FUNC_SIGNATURE_SET_CTX_MD_PARAMS,
1326       (void (*)(void))rsa_set_ctx_md_params },
1327     { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_MD_PARAMS,
1328       (void (*)(void))rsa_settable_ctx_md_params },
1329     { 0, NULL }
1330 };