1 /*
2 * Copyright 2019-2026 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 /*
11 * RSA low level APIs are deprecated for public use, but still ok for
12 * internal use.
13 */
14 #include "internal/deprecated.h"
15
16 #include <string.h>
17 #include <openssl/crypto.h>
18 #include <openssl/core_dispatch.h>
19 #include <openssl/core_names.h>
20 #include <openssl/err.h>
21 #include <openssl/obj_mac.h>
22 #include <openssl/rsa.h>
23 #include <openssl/params.h>
24 #include <openssl/evp.h>
25 #include <openssl/proverr.h>
26 #include "internal/cryptlib.h"
27 #include "internal/nelem.h"
28 #include "internal/sizes.h"
29 #include "crypto/rsa.h"
30 #include "prov/providercommon.h"
31 #include "prov/implementations.h"
32 #include "prov/provider_ctx.h"
33 #include "prov/der_rsa.h"
34 #include "prov/securitycheck.h"
35
36 #define RSA_DEFAULT_DIGEST_NAME OSSL_DIGEST_NAME_SHA1
37
38 static OSSL_FUNC_signature_newctx_fn rsa_newctx;
39 static OSSL_FUNC_signature_sign_init_fn rsa_sign_init;
40 static OSSL_FUNC_signature_verify_init_fn rsa_verify_init;
41 static OSSL_FUNC_signature_verify_recover_init_fn rsa_verify_recover_init;
42 static OSSL_FUNC_signature_sign_fn rsa_sign;
43 static OSSL_FUNC_signature_sign_message_update_fn rsa_signverify_message_update;
44 static OSSL_FUNC_signature_sign_message_final_fn rsa_sign_message_final;
45 static OSSL_FUNC_signature_verify_fn rsa_verify;
46 static OSSL_FUNC_signature_verify_recover_fn rsa_verify_recover;
47 static OSSL_FUNC_signature_verify_message_update_fn rsa_signverify_message_update;
48 static OSSL_FUNC_signature_verify_message_final_fn rsa_verify_message_final;
49 static OSSL_FUNC_signature_digest_sign_init_fn rsa_digest_sign_init;
50 static OSSL_FUNC_signature_digest_sign_update_fn rsa_digest_sign_update;
51 static OSSL_FUNC_signature_digest_sign_final_fn rsa_digest_sign_final;
52 static OSSL_FUNC_signature_digest_verify_init_fn rsa_digest_verify_init;
53 static OSSL_FUNC_signature_digest_verify_update_fn rsa_digest_verify_update;
54 static OSSL_FUNC_signature_digest_verify_final_fn rsa_digest_verify_final;
55 static OSSL_FUNC_signature_freectx_fn rsa_freectx;
56 static OSSL_FUNC_signature_dupctx_fn rsa_dupctx;
57 static OSSL_FUNC_signature_query_key_types_fn rsa_sigalg_query_key_types;
58 static OSSL_FUNC_signature_get_ctx_params_fn rsa_get_ctx_params;
59 static OSSL_FUNC_signature_gettable_ctx_params_fn rsa_gettable_ctx_params;
60 static OSSL_FUNC_signature_set_ctx_params_fn rsa_set_ctx_params;
61 static OSSL_FUNC_signature_settable_ctx_params_fn rsa_settable_ctx_params;
62 static OSSL_FUNC_signature_get_ctx_md_params_fn rsa_get_ctx_md_params;
63 static OSSL_FUNC_signature_gettable_ctx_md_params_fn rsa_gettable_ctx_md_params;
64 static OSSL_FUNC_signature_set_ctx_md_params_fn rsa_set_ctx_md_params;
65 static OSSL_FUNC_signature_settable_ctx_md_params_fn rsa_settable_ctx_md_params;
66 static OSSL_FUNC_signature_set_ctx_params_fn rsa_sigalg_set_ctx_params;
67 static OSSL_FUNC_signature_settable_ctx_params_fn rsa_sigalg_settable_ctx_params;
68
69 static OSSL_ITEM padding_item[] = {
70 { RSA_PKCS1_PADDING, OSSL_PKEY_RSA_PAD_MODE_PKCSV15 },
71 { RSA_NO_PADDING, OSSL_PKEY_RSA_PAD_MODE_NONE },
72 { RSA_X931_PADDING, OSSL_PKEY_RSA_PAD_MODE_X931 },
73 { RSA_PKCS1_PSS_PADDING, OSSL_PKEY_RSA_PAD_MODE_PSS },
74 { 0, NULL }
75 };
76
77 /*
78 * What's passed as an actual key is defined by the KEYMGMT interface.
79 * We happen to know that our KEYMGMT simply passes RSA structures, so
80 * we use that here too.
81 */
82
83 typedef struct {
84 OSSL_LIB_CTX *libctx;
85 char *propq;
86 RSA *rsa;
87 int operation;
88
89 /*
90 * Flag to determine if a full sigalg is run (1) or if a composable
91 * signature algorithm is run (0).
92 *
93 * When a full sigalg is run (1), this currently affects the following
94 * other flags, which are to remain untouched after their initialization:
95 *
96 * - flag_allow_md (initialized to 0)
97 */
98 unsigned int flag_sigalg : 1;
99 /*
100 * Flag to determine if the hash function can be changed (1) or not (0)
101 * Because it's dangerous to change during a DigestSign or DigestVerify
102 * operation, this flag is cleared by their Init function, and set again
103 * by their Final function.
104 * Implementations of full sigalgs (such as RSA-SHA256) hard-code this
105 * flag to not allow changes (0).
106 */
107 unsigned int flag_allow_md : 1;
108 unsigned int mgf1_md_set : 1;
109 /*
110 * Flags to say what are the possible next external calls in what
111 * constitutes the life cycle of an algorithm. The relevant calls are:
112 * - init
113 * - update
114 * - final
115 * - oneshot
116 * All other external calls are regarded as utilitarian and are allowed
117 * at any time (they may be affected by other flags, like flag_allow_md,
118 * though).
119 */
120 unsigned int flag_allow_update : 1;
121 unsigned int flag_allow_final : 1;
122 unsigned int flag_allow_oneshot : 1;
123
124 /* main digest */
125 EVP_MD *md;
126 EVP_MD_CTX *mdctx;
127 int mdnid;
128 char mdname[OSSL_MAX_NAME_SIZE]; /* Purely informational */
129
130 /* RSA padding mode */
131 int pad_mode;
132 /* message digest for MGF1 */
133 EVP_MD *mgf1_md;
134 int mgf1_mdnid;
135 char mgf1_mdname[OSSL_MAX_NAME_SIZE]; /* Purely informational */
136 /* PSS salt length */
137 int saltlen;
138 /* Minimum salt length or -1 if no PSS parameter restriction */
139 int min_saltlen;
140
141 /* Signature, for verification */
142 unsigned char *sig;
143 size_t siglen;
144
145 #ifdef FIPS_MODULE
146 /*
147 * FIPS 140-3 IG 2.4.B mandates that verification based on a digest of a
148 * message is not permitted. However, signing based on a digest is still
149 * permitted.
150 */
151 int verify_message;
152 #endif
153
154 /* Temp buffer */
155 unsigned char *tbuf;
156
157 OSSL_FIPS_IND_DECLARE
158 } PROV_RSA_CTX;
159
160 /* True if PSS parameters are restricted */
161 #define rsa_pss_restricted(prsactx) (prsactx->min_saltlen != -1)
162
rsa_get_md_size(const PROV_RSA_CTX * prsactx)163 static size_t rsa_get_md_size(const PROV_RSA_CTX *prsactx)
164 {
165 int md_size;
166
167 if (prsactx->md != NULL) {
168 md_size = EVP_MD_get_size(prsactx->md);
169 if (md_size <= 0)
170 return 0;
171 return md_size;
172 }
173 return 0;
174 }
175
rsa_check_padding(const PROV_RSA_CTX * prsactx,const char * mdname,const char * mgf1_mdname,int mdnid)176 static int rsa_check_padding(const PROV_RSA_CTX *prsactx,
177 const char *mdname, const char *mgf1_mdname,
178 int mdnid)
179 {
180 switch (prsactx->pad_mode) {
181 case RSA_NO_PADDING:
182 if (mdname != NULL || mdnid != NID_undef) {
183 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE);
184 return 0;
185 }
186 break;
187 case RSA_X931_PADDING:
188 if (RSA_X931_hash_id(mdnid) == -1) {
189 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_X931_DIGEST);
190 return 0;
191 }
192 break;
193 case RSA_PKCS1_PSS_PADDING:
194 if (rsa_pss_restricted(prsactx))
195 if ((mdname != NULL && !EVP_MD_is_a(prsactx->md, mdname))
196 || (mgf1_mdname != NULL
197 && !EVP_MD_is_a(prsactx->mgf1_md, mgf1_mdname))) {
198 ERR_raise(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED);
199 return 0;
200 }
201 break;
202 default:
203 break;
204 }
205
206 return 1;
207 }
208
rsa_check_parameters(PROV_RSA_CTX * prsactx,int min_saltlen)209 static int rsa_check_parameters(PROV_RSA_CTX *prsactx, int min_saltlen)
210 {
211 if (prsactx->pad_mode == RSA_PKCS1_PSS_PADDING) {
212 int max_saltlen;
213
214 /* See if minimum salt length exceeds maximum possible */
215 max_saltlen = RSA_size(prsactx->rsa) - EVP_MD_get_size(prsactx->md);
216 if ((RSA_bits(prsactx->rsa) & 0x7) == 1)
217 max_saltlen--;
218 if (min_saltlen < 0 || min_saltlen > max_saltlen) {
219 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH);
220 return 0;
221 }
222 prsactx->min_saltlen = min_saltlen;
223 }
224 return 1;
225 }
226
rsa_newctx(void * provctx,const char * propq)227 static void *rsa_newctx(void *provctx, const char *propq)
228 {
229 PROV_RSA_CTX *prsactx = NULL;
230 char *propq_copy = NULL;
231
232 if (!ossl_prov_is_running())
233 return NULL;
234
235 if ((prsactx = OPENSSL_zalloc(sizeof(PROV_RSA_CTX))) == NULL
236 || (propq != NULL
237 && (propq_copy = OPENSSL_strdup(propq)) == NULL)) {
238 OPENSSL_free(prsactx);
239 return NULL;
240 }
241
242 OSSL_FIPS_IND_INIT(prsactx)
243 prsactx->libctx = PROV_LIBCTX_OF(provctx);
244 prsactx->flag_allow_md = 1;
245 #ifdef FIPS_MODULE
246 prsactx->verify_message = 1;
247 #endif
248 prsactx->propq = propq_copy;
249 /* Maximum up to digest length for sign, auto for verify */
250 prsactx->saltlen = RSA_PSS_SALTLEN_AUTO_DIGEST_MAX;
251 prsactx->min_saltlen = -1;
252 return prsactx;
253 }
254
rsa_pss_compute_saltlen(PROV_RSA_CTX * ctx)255 static int rsa_pss_compute_saltlen(PROV_RSA_CTX *ctx)
256 {
257 int saltlen = ctx->saltlen;
258 int saltlenMax = -1;
259
260 /* FIPS 186-4 section 5 "The RSA Digital Signature Algorithm", subsection
261 * 5.5 "PKCS #1" says: "For RSASSA-PSS […] the length (in bytes) of the
262 * salt (sLen) shall satisfy 0 <= sLen <= hLen, where hLen is the length of
263 * the hash function output block (in bytes)."
264 *
265 * Provide a way to use at most the digest length, so that the default does
266 * not violate FIPS 186-4. */
267 if (saltlen == RSA_PSS_SALTLEN_DIGEST) {
268 if ((saltlen = EVP_MD_get_size(ctx->md)) <= 0) {
269 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST);
270 return -1;
271 }
272 } else if (saltlen == RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) {
273 saltlen = RSA_PSS_SALTLEN_MAX;
274 if ((saltlenMax = EVP_MD_get_size(ctx->md)) <= 0) {
275 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST);
276 return -1;
277 }
278 }
279 if (saltlen == RSA_PSS_SALTLEN_MAX || saltlen == RSA_PSS_SALTLEN_AUTO) {
280 int mdsize, rsasize;
281
282 if ((mdsize = EVP_MD_get_size(ctx->md)) <= 0) {
283 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST);
284 return -1;
285 }
286 if ((rsasize = RSA_size(ctx->rsa)) <= 2 || rsasize - 2 < mdsize) {
287 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY);
288 return -1;
289 }
290 saltlen = rsasize - mdsize - 2;
291 if ((RSA_bits(ctx->rsa) & 0x7) == 1)
292 saltlen--;
293 if (saltlenMax >= 0 && saltlen > saltlenMax)
294 saltlen = saltlenMax;
295 }
296 if (saltlen < 0) {
297 ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);
298 return -1;
299 } else if (saltlen < ctx->min_saltlen) {
300 ERR_raise_data(ERR_LIB_PROV, PROV_R_PSS_SALTLEN_TOO_SMALL,
301 "minimum salt length: %d, actual salt length: %d",
302 ctx->min_saltlen, saltlen);
303 return -1;
304 }
305 return saltlen;
306 }
307
rsa_generate_signature_aid(PROV_RSA_CTX * ctx,unsigned char * aid_buf,size_t buf_len,size_t * aid_len)308 static unsigned char *rsa_generate_signature_aid(PROV_RSA_CTX *ctx,
309 unsigned char *aid_buf,
310 size_t buf_len,
311 size_t *aid_len)
312 {
313 WPACKET pkt;
314 unsigned char *aid = NULL;
315 int saltlen;
316 RSA_PSS_PARAMS_30 pss_params;
317 int ret;
318
319 if (!WPACKET_init_der(&pkt, aid_buf, buf_len)) {
320 ERR_raise(ERR_LIB_PROV, ERR_R_CRYPTO_LIB);
321 return NULL;
322 }
323
324 switch (ctx->pad_mode) {
325 case RSA_PKCS1_PADDING:
326 ret = ossl_DER_w_algorithmIdentifier_MDWithRSAEncryption(&pkt, -1,
327 ctx->mdnid);
328
329 if (ret > 0) {
330 break;
331 } else if (ret == 0) {
332 ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);
333 goto cleanup;
334 }
335 ERR_raise_data(ERR_LIB_PROV, ERR_R_UNSUPPORTED,
336 "Algorithm ID generation - md NID: %d",
337 ctx->mdnid);
338 goto cleanup;
339 case RSA_PKCS1_PSS_PADDING:
340 saltlen = rsa_pss_compute_saltlen(ctx);
341 if (saltlen < 0)
342 goto cleanup;
343 if (!ossl_rsa_pss_params_30_set_defaults(&pss_params)
344 || !ossl_rsa_pss_params_30_set_hashalg(&pss_params, ctx->mdnid)
345 || !ossl_rsa_pss_params_30_set_maskgenhashalg(&pss_params,
346 ctx->mgf1_mdnid)
347 || !ossl_rsa_pss_params_30_set_saltlen(&pss_params, saltlen)
348 || !ossl_DER_w_algorithmIdentifier_RSA_PSS(&pkt, -1,
349 RSA_FLAG_TYPE_RSASSAPSS,
350 &pss_params)) {
351 ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);
352 goto cleanup;
353 }
354 break;
355 default:
356 ERR_raise_data(ERR_LIB_PROV, ERR_R_UNSUPPORTED,
357 "Algorithm ID generation - pad mode: %d",
358 ctx->pad_mode);
359 goto cleanup;
360 }
361 if (WPACKET_finish(&pkt)) {
362 WPACKET_get_total_written(&pkt, aid_len);
363 aid = WPACKET_get_curr(&pkt);
364 }
365 cleanup:
366 WPACKET_cleanup(&pkt);
367 return aid;
368 }
369
rsa_setup_md(PROV_RSA_CTX * ctx,const char * mdname,const char * mdprops,const char * desc)370 static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname,
371 const char *mdprops, const char *desc)
372 {
373 EVP_MD *md = NULL;
374
375 if (mdprops == NULL)
376 mdprops = ctx->propq;
377
378 if (mdname != NULL) {
379 int md_nid;
380 size_t mdname_len = strlen(mdname);
381
382 md = EVP_MD_fetch(ctx->libctx, mdname, mdprops);
383
384 if (md == NULL) {
385 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
386 "%s could not be fetched", mdname);
387 goto err;
388 }
389 md_nid = ossl_digest_rsa_sign_get_md_nid(md);
390 if (md_nid == NID_undef) {
391 ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED,
392 "digest=%s", mdname);
393 goto err;
394 }
395 /*
396 * XOF digests are not allowed except for RSA PSS.
397 * We don't support XOF digests with RSA PSS (yet), so just fail.
398 * When we do support them, uncomment the second clause.
399 */
400 if (EVP_MD_xof(md)
401 /* && ctx->pad_mode != RSA_PKCS1_PSS_PADDING */) {
402 ERR_raise(ERR_LIB_PROV, PROV_R_XOF_DIGESTS_NOT_ALLOWED);
403 goto err;
404 }
405 #ifdef FIPS_MODULE
406 {
407 int sha1_allowed
408 = ((ctx->operation
409 & (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_SIGNMSG))
410 == 0);
411
412 if (!ossl_fips_ind_digest_sign_check(OSSL_FIPS_IND_GET(ctx),
413 OSSL_FIPS_IND_SETTABLE1,
414 ctx->libctx,
415 md_nid, sha1_allowed, 1, desc,
416 ossl_fips_config_signature_digest_check))
417 goto err;
418 }
419 #endif
420
421 if (!rsa_check_padding(ctx, mdname, NULL, md_nid))
422 goto err;
423 if (mdname_len >= sizeof(ctx->mdname)) {
424 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
425 "%s exceeds name buffer length", mdname);
426 goto err;
427 }
428
429 if (!ctx->flag_allow_md) {
430 if (ctx->mdname[0] != '\0' && !EVP_MD_is_a(md, ctx->mdname)) {
431 ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED,
432 "digest %s != %s", mdname, ctx->mdname);
433 goto err;
434 }
435 EVP_MD_free(md);
436 return 1;
437 }
438
439 if (!ctx->mgf1_md_set) {
440 if (!EVP_MD_up_ref(md)) {
441 goto err;
442 }
443 EVP_MD_free(ctx->mgf1_md);
444 ctx->mgf1_md = md;
445 ctx->mgf1_mdnid = md_nid;
446 OPENSSL_strlcpy(ctx->mgf1_mdname, mdname, sizeof(ctx->mgf1_mdname));
447 }
448
449 EVP_MD_CTX_free(ctx->mdctx);
450 EVP_MD_free(ctx->md);
451
452 ctx->mdctx = NULL;
453 ctx->md = md;
454 ctx->mdnid = md_nid;
455 OPENSSL_strlcpy(ctx->mdname, mdname, sizeof(ctx->mdname));
456 }
457
458 return 1;
459 err:
460 EVP_MD_free(md);
461 return 0;
462 }
463
rsa_setup_mgf1_md(PROV_RSA_CTX * ctx,const char * mdname,const char * mdprops)464 static int rsa_setup_mgf1_md(PROV_RSA_CTX *ctx, const char *mdname,
465 const char *mdprops)
466 {
467 size_t len;
468 EVP_MD *md = NULL;
469 int mdnid;
470
471 if (mdprops == NULL)
472 mdprops = ctx->propq;
473
474 if ((md = EVP_MD_fetch(ctx->libctx, mdname, mdprops)) == NULL) {
475 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
476 "%s could not be fetched", mdname);
477 return 0;
478 }
479 /* The default for mgf1 is SHA1 - so allow SHA1 */
480 if ((mdnid = ossl_digest_rsa_sign_get_md_nid(md)) <= 0
481 || !rsa_check_padding(ctx, NULL, mdname, mdnid)) {
482 if (mdnid <= 0)
483 ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED,
484 "digest=%s", mdname);
485 EVP_MD_free(md);
486 return 0;
487 }
488 len = OPENSSL_strlcpy(ctx->mgf1_mdname, mdname, sizeof(ctx->mgf1_mdname));
489 if (len >= sizeof(ctx->mgf1_mdname)) {
490 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
491 "%s exceeds name buffer length", mdname);
492 EVP_MD_free(md);
493 return 0;
494 }
495
496 EVP_MD_free(ctx->mgf1_md);
497 ctx->mgf1_md = md;
498 ctx->mgf1_mdnid = mdnid;
499 ctx->mgf1_md_set = 1;
500 return 1;
501 }
502
503 static int
rsa_signverify_init(PROV_RSA_CTX * prsactx,void * vrsa,OSSL_FUNC_signature_set_ctx_params_fn * set_ctx_params,const OSSL_PARAM params[],int operation,const char * desc)504 rsa_signverify_init(PROV_RSA_CTX *prsactx, void *vrsa,
505 OSSL_FUNC_signature_set_ctx_params_fn *set_ctx_params,
506 const OSSL_PARAM params[], int operation,
507 const char *desc)
508 {
509 int protect;
510
511 if (!ossl_prov_is_running() || prsactx == NULL)
512 return 0;
513
514 if (vrsa == NULL && prsactx->rsa == NULL) {
515 ERR_raise(ERR_LIB_PROV, PROV_R_NO_KEY_SET);
516 return 0;
517 }
518
519 if (vrsa != NULL) {
520 if (!RSA_up_ref(vrsa))
521 return 0;
522 RSA_free(prsactx->rsa);
523 prsactx->rsa = vrsa;
524 }
525 if (!ossl_rsa_key_op_get_protect(prsactx->rsa, operation, &protect))
526 return 0;
527
528 prsactx->operation = operation;
529 prsactx->flag_allow_update = 1;
530 prsactx->flag_allow_final = 1;
531 prsactx->flag_allow_oneshot = 1;
532
533 /* Maximize up to digest length for sign, auto for verify */
534 prsactx->saltlen = RSA_PSS_SALTLEN_AUTO_DIGEST_MAX;
535 prsactx->min_saltlen = -1;
536
537 switch (RSA_test_flags(prsactx->rsa, RSA_FLAG_TYPE_MASK)) {
538 case RSA_FLAG_TYPE_RSA:
539 prsactx->pad_mode = RSA_PKCS1_PADDING;
540 break;
541 case RSA_FLAG_TYPE_RSASSAPSS:
542 prsactx->pad_mode = RSA_PKCS1_PSS_PADDING;
543
544 {
545 const RSA_PSS_PARAMS_30 *pss = ossl_rsa_get0_pss_params_30(prsactx->rsa);
546
547 if (!ossl_rsa_pss_params_30_is_unrestricted(pss)) {
548 int md_nid = ossl_rsa_pss_params_30_hashalg(pss);
549 int mgf1md_nid = ossl_rsa_pss_params_30_maskgenhashalg(pss);
550 int min_saltlen = ossl_rsa_pss_params_30_saltlen(pss);
551 const char *mdname, *mgf1mdname;
552 size_t len;
553
554 mdname = ossl_rsa_oaeppss_nid2name(md_nid);
555 mgf1mdname = ossl_rsa_oaeppss_nid2name(mgf1md_nid);
556
557 if (mdname == NULL) {
558 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
559 "PSS restrictions lack hash algorithm");
560 return 0;
561 }
562 if (mgf1mdname == NULL) {
563 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
564 "PSS restrictions lack MGF1 hash algorithm");
565 return 0;
566 }
567
568 len = OPENSSL_strlcpy(prsactx->mdname, mdname,
569 sizeof(prsactx->mdname));
570 if (len >= sizeof(prsactx->mdname)) {
571 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
572 "hash algorithm name too long");
573 return 0;
574 }
575 len = OPENSSL_strlcpy(prsactx->mgf1_mdname, mgf1mdname,
576 sizeof(prsactx->mgf1_mdname));
577 if (len >= sizeof(prsactx->mgf1_mdname)) {
578 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
579 "MGF1 hash algorithm name too long");
580 return 0;
581 }
582 prsactx->saltlen = min_saltlen;
583
584 /* call rsa_setup_mgf1_md before rsa_setup_md to avoid duplication */
585 if (!rsa_setup_mgf1_md(prsactx, mgf1mdname, prsactx->propq)
586 || !rsa_setup_md(prsactx, mdname, prsactx->propq, desc)
587 || !rsa_check_parameters(prsactx, min_saltlen))
588 return 0;
589 }
590 }
591
592 break;
593 default:
594 ERR_raise(ERR_LIB_RSA, PROV_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
595 return 0;
596 }
597
598 OSSL_FIPS_IND_SET_APPROVED(prsactx)
599 if (!set_ctx_params(prsactx, params))
600 return 0;
601 #ifdef FIPS_MODULE
602 if (!ossl_fips_ind_rsa_key_check(OSSL_FIPS_IND_GET(prsactx),
603 OSSL_FIPS_IND_SETTABLE0, prsactx->libctx,
604 prsactx->rsa, desc, protect))
605 return 0;
606 #endif
607 return 1;
608 }
609
setup_tbuf(PROV_RSA_CTX * ctx)610 static int setup_tbuf(PROV_RSA_CTX *ctx)
611 {
612 if (ctx->tbuf != NULL)
613 return 1;
614 if ((ctx->tbuf = OPENSSL_malloc(RSA_size(ctx->rsa))) == NULL)
615 return 0;
616 return 1;
617 }
618
clean_tbuf(PROV_RSA_CTX * ctx)619 static void clean_tbuf(PROV_RSA_CTX *ctx)
620 {
621 if (ctx->tbuf != NULL)
622 OPENSSL_cleanse(ctx->tbuf, RSA_size(ctx->rsa));
623 }
624
free_tbuf(PROV_RSA_CTX * ctx)625 static void free_tbuf(PROV_RSA_CTX *ctx)
626 {
627 clean_tbuf(ctx);
628 OPENSSL_free(ctx->tbuf);
629 ctx->tbuf = NULL;
630 }
631
632 #ifdef FIPS_MODULE
rsa_pss_saltlen_check_passed(PROV_RSA_CTX * ctx,const char * algoname,int saltlen)633 static int rsa_pss_saltlen_check_passed(PROV_RSA_CTX *ctx, const char *algoname, int saltlen)
634 {
635 int mdsize = rsa_get_md_size(ctx);
636 /*
637 * Perform the check if the salt length is compliant to FIPS 186-5.
638 *
639 * According to FIPS 186-5 5.4 (g), the salt length shall be between zero
640 * and the output block length of the digest function (inclusive).
641 */
642 int approved = (saltlen >= 0 && saltlen <= mdsize);
643
644 if (!approved) {
645 if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE3,
646 ctx->libctx,
647 algoname, "PSS Salt Length",
648 ossl_fips_config_rsa_pss_saltlen_check)) {
649 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH);
650 return 0;
651 }
652 }
653
654 return 1;
655 }
656 #endif
657
rsa_sign_init(void * vprsactx,void * vrsa,const OSSL_PARAM params[])658 static int rsa_sign_init(void *vprsactx, void *vrsa, const OSSL_PARAM params[])
659 {
660 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
661
662 #ifdef FIPS_MODULE
663 if (prsactx != NULL)
664 prsactx->verify_message = 1;
665 #endif
666
667 return rsa_signverify_init(prsactx, vrsa, rsa_set_ctx_params, params,
668 EVP_PKEY_OP_SIGN, "RSA Sign Init");
669 }
670
671 /*
672 * Sign tbs without digesting it first. This is suitable for "primitive"
673 * signing and signing the digest of a message, i.e. should be used with
674 * implementations of the keytype related algorithms.
675 */
rsa_sign_directly(PROV_RSA_CTX * prsactx,unsigned char * sig,size_t * siglen,size_t sigsize,const unsigned char * tbs,size_t tbslen)676 static int rsa_sign_directly(PROV_RSA_CTX *prsactx,
677 unsigned char *sig, size_t *siglen, size_t sigsize,
678 const unsigned char *tbs, size_t tbslen)
679 {
680 int ret;
681 size_t rsasize = RSA_size(prsactx->rsa);
682 size_t mdsize = rsa_get_md_size(prsactx);
683
684 if (!ossl_prov_is_running())
685 return 0;
686
687 if (sig == NULL) {
688 *siglen = rsasize;
689 return 1;
690 }
691
692 if (sigsize < rsasize) {
693 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_SIGNATURE_SIZE,
694 "is %zu, should be at least %zu", sigsize, rsasize);
695 return 0;
696 }
697
698 if (mdsize != 0) {
699 if (tbslen != mdsize) {
700 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST_LENGTH);
701 return 0;
702 }
703
704 #ifndef FIPS_MODULE
705 if (EVP_MD_is_a(prsactx->md, OSSL_DIGEST_NAME_MDC2)) {
706 unsigned int sltmp;
707
708 if (prsactx->pad_mode != RSA_PKCS1_PADDING) {
709 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE,
710 "only PKCS#1 padding supported with MDC2");
711 return 0;
712 }
713 ret = RSA_sign_ASN1_OCTET_STRING(0, tbs, tbslen, sig, &sltmp,
714 prsactx->rsa);
715
716 if (ret <= 0) {
717 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);
718 return 0;
719 }
720 ret = sltmp;
721 goto end;
722 }
723 #endif
724 switch (prsactx->pad_mode) {
725 case RSA_X931_PADDING:
726 if ((size_t)RSA_size(prsactx->rsa) < tbslen + 1) {
727 ERR_raise_data(ERR_LIB_PROV, PROV_R_KEY_SIZE_TOO_SMALL,
728 "RSA key size = %d, expected minimum = %d",
729 RSA_size(prsactx->rsa), tbslen + 1);
730 return 0;
731 }
732 if (!setup_tbuf(prsactx)) {
733 ERR_raise(ERR_LIB_PROV, ERR_R_PROV_LIB);
734 return 0;
735 }
736 memcpy(prsactx->tbuf, tbs, tbslen);
737 prsactx->tbuf[tbslen] = RSA_X931_hash_id(prsactx->mdnid);
738 ret = RSA_private_encrypt(tbslen + 1, prsactx->tbuf,
739 sig, prsactx->rsa, RSA_X931_PADDING);
740 clean_tbuf(prsactx);
741 break;
742 case RSA_PKCS1_PADDING: {
743 unsigned int sltmp;
744
745 ret = RSA_sign(prsactx->mdnid, tbs, tbslen, sig, &sltmp,
746 prsactx->rsa);
747 if (ret <= 0) {
748 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);
749 return 0;
750 }
751 ret = sltmp;
752 } break;
753
754 case RSA_PKCS1_PSS_PADDING: {
755 int saltlen;
756
757 /* Check PSS restrictions */
758 if (rsa_pss_restricted(prsactx)) {
759 switch (prsactx->saltlen) {
760 case RSA_PSS_SALTLEN_DIGEST:
761 if (prsactx->min_saltlen > EVP_MD_get_size(prsactx->md)) {
762 ERR_raise_data(ERR_LIB_PROV,
763 PROV_R_PSS_SALTLEN_TOO_SMALL,
764 "minimum salt length set to %d, "
765 "but the digest only gives %d",
766 prsactx->min_saltlen,
767 EVP_MD_get_size(prsactx->md));
768 return 0;
769 }
770 /* FALLTHRU */
771 default:
772 if (prsactx->saltlen >= 0
773 && prsactx->saltlen < prsactx->min_saltlen) {
774 ERR_raise_data(ERR_LIB_PROV,
775 PROV_R_PSS_SALTLEN_TOO_SMALL,
776 "minimum salt length set to %d, but the"
777 "actual salt length is only set to %d",
778 prsactx->min_saltlen,
779 prsactx->saltlen);
780 return 0;
781 }
782 break;
783 }
784 }
785 if (!setup_tbuf(prsactx))
786 return 0;
787 saltlen = prsactx->saltlen;
788 if (!ossl_rsa_padding_add_PKCS1_PSS_mgf1(prsactx->rsa,
789 prsactx->tbuf, tbs,
790 prsactx->md, prsactx->mgf1_md,
791 &saltlen)) {
792 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);
793 return 0;
794 }
795 #ifdef FIPS_MODULE
796 if (!rsa_pss_saltlen_check_passed(prsactx, "RSA Sign", saltlen))
797 return 0;
798 #endif
799 ret = RSA_private_encrypt(RSA_size(prsactx->rsa), prsactx->tbuf,
800 sig, prsactx->rsa, RSA_NO_PADDING);
801 clean_tbuf(prsactx);
802 } break;
803
804 default:
805 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE,
806 "Only X.931, PKCS#1 v1.5 or PSS padding allowed");
807 return 0;
808 }
809 } else {
810 ret = RSA_private_encrypt(tbslen, tbs, sig, prsactx->rsa,
811 prsactx->pad_mode);
812 }
813
814 #ifndef FIPS_MODULE
815 end:
816 #endif
817 if (ret <= 0) {
818 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);
819 return 0;
820 }
821
822 *siglen = ret;
823 return 1;
824 }
825
rsa_signverify_message_update(void * vprsactx,const unsigned char * data,size_t datalen)826 static int rsa_signverify_message_update(void *vprsactx,
827 const unsigned char *data,
828 size_t datalen)
829 {
830 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
831
832 if (prsactx == NULL || prsactx->mdctx == NULL)
833 return 0;
834
835 if (!prsactx->flag_allow_update) {
836 ERR_raise(ERR_LIB_PROV, PROV_R_UPDATE_CALL_OUT_OF_ORDER);
837 return 0;
838 }
839 prsactx->flag_allow_oneshot = 0;
840
841 return EVP_DigestUpdate(prsactx->mdctx, data, datalen);
842 }
843
rsa_sign_message_final(void * vprsactx,unsigned char * sig,size_t * siglen,size_t sigsize)844 static int rsa_sign_message_final(void *vprsactx, unsigned char *sig,
845 size_t *siglen, size_t sigsize)
846 {
847 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
848 unsigned char digest[EVP_MAX_MD_SIZE];
849 unsigned int dlen = 0;
850
851 if (!ossl_prov_is_running() || prsactx == NULL)
852 return 0;
853 if (prsactx->mdctx == NULL)
854 return 0;
855 if (!prsactx->flag_allow_final) {
856 ERR_raise(ERR_LIB_PROV, PROV_R_FINAL_CALL_OUT_OF_ORDER);
857 return 0;
858 }
859
860 /*
861 * If sig is NULL then we're just finding out the sig size. Other fields
862 * are ignored. Defer to rsa_sign.
863 */
864 if (sig != NULL) {
865 /*
866 * The digests used here are all known (see rsa_get_md_nid()), so they
867 * should not exceed the internal buffer size of EVP_MAX_MD_SIZE.
868 */
869 if (!EVP_DigestFinal_ex(prsactx->mdctx, digest, &dlen))
870 return 0;
871
872 prsactx->flag_allow_update = 0;
873 prsactx->flag_allow_oneshot = 0;
874 prsactx->flag_allow_final = 0;
875 }
876
877 return rsa_sign_directly(prsactx, sig, siglen, sigsize, digest, dlen);
878 }
879
880 /*
881 * If signing a message, digest tbs and sign the result.
882 * Otherwise, sign tbs directly.
883 */
rsa_sign(void * vprsactx,unsigned char * sig,size_t * siglen,size_t sigsize,const unsigned char * tbs,size_t tbslen)884 static int rsa_sign(void *vprsactx, unsigned char *sig, size_t *siglen,
885 size_t sigsize, const unsigned char *tbs, size_t tbslen)
886 {
887 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
888
889 if (!ossl_prov_is_running() || prsactx == NULL)
890 return 0;
891 if (!prsactx->flag_allow_oneshot) {
892 ERR_raise(ERR_LIB_PROV, PROV_R_ONESHOT_CALL_OUT_OF_ORDER);
893 return 0;
894 }
895
896 if (prsactx->operation == EVP_PKEY_OP_SIGNMSG) {
897 /*
898 * If |sig| is NULL, the caller is only looking for the sig length.
899 * DO NOT update the input in this case.
900 */
901 if (sig == NULL)
902 return rsa_sign_message_final(prsactx, sig, siglen, sigsize);
903
904 return rsa_signverify_message_update(prsactx, tbs, tbslen)
905 && rsa_sign_message_final(prsactx, sig, siglen, sigsize);
906 }
907 return rsa_sign_directly(prsactx, sig, siglen, sigsize, tbs, tbslen);
908 }
909
rsa_verify_recover_init(void * vprsactx,void * vrsa,const OSSL_PARAM params[])910 static int rsa_verify_recover_init(void *vprsactx, void *vrsa,
911 const OSSL_PARAM params[])
912 {
913 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
914
915 #ifdef FIPS_MODULE
916 if (prsactx != NULL)
917 prsactx->verify_message = 0;
918 #endif
919
920 return rsa_signverify_init(prsactx, vrsa, rsa_set_ctx_params, params,
921 EVP_PKEY_OP_VERIFYRECOVER, "RSA VerifyRecover Init");
922 }
923
924 /*
925 * There is no message variant of verify recover, so no need for
926 * 'rsa_verify_recover_directly', just use this function, er, directly.
927 */
rsa_verify_recover(void * vprsactx,unsigned char * rout,size_t * routlen,size_t routsize,const unsigned char * sig,size_t siglen)928 static int rsa_verify_recover(void *vprsactx,
929 unsigned char *rout, size_t *routlen,
930 size_t routsize,
931 const unsigned char *sig, size_t siglen)
932 {
933 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
934 int ret;
935
936 if (!ossl_prov_is_running())
937 return 0;
938
939 if (rout == NULL) {
940 *routlen = RSA_size(prsactx->rsa);
941 return 1;
942 }
943
944 if (prsactx->md != NULL) {
945 switch (prsactx->pad_mode) {
946 case RSA_X931_PADDING:
947 if (!setup_tbuf(prsactx))
948 return 0;
949 ret = RSA_public_decrypt(siglen, sig, prsactx->tbuf, prsactx->rsa,
950 RSA_X931_PADDING);
951 if (ret <= 0) {
952 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);
953 return 0;
954 }
955 ret--;
956 if (prsactx->tbuf[ret] != RSA_X931_hash_id(prsactx->mdnid)) {
957 ERR_raise(ERR_LIB_PROV, PROV_R_ALGORITHM_MISMATCH);
958 return 0;
959 }
960 if (ret != EVP_MD_get_size(prsactx->md)) {
961 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST_LENGTH,
962 "Should be %d, but got %d",
963 EVP_MD_get_size(prsactx->md), ret);
964 return 0;
965 }
966
967 *routlen = ret;
968 if (rout != prsactx->tbuf) {
969 if (routsize < (size_t)ret) {
970 ERR_raise_data(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL,
971 "buffer size is %d, should be %d",
972 routsize, ret);
973 return 0;
974 }
975 memcpy(rout, prsactx->tbuf, ret);
976 }
977 break;
978
979 case RSA_PKCS1_PADDING: {
980 size_t sltmp;
981
982 ret = ossl_rsa_verify(prsactx->mdnid, NULL, 0, rout, &sltmp,
983 sig, siglen, prsactx->rsa);
984 if (ret <= 0) {
985 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);
986 return 0;
987 }
988 ret = sltmp;
989 } break;
990
991 default:
992 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE,
993 "Only X.931 or PKCS#1 v1.5 padding allowed");
994 return 0;
995 }
996 } else {
997 ret = RSA_public_decrypt(siglen, sig, rout, prsactx->rsa,
998 prsactx->pad_mode);
999 if (ret <= 0) {
1000 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);
1001 return 0;
1002 }
1003 }
1004 *routlen = ret;
1005 return 1;
1006 }
1007
rsa_verify_init(void * vprsactx,void * vrsa,const OSSL_PARAM params[])1008 static int rsa_verify_init(void *vprsactx, void *vrsa,
1009 const OSSL_PARAM params[])
1010 {
1011 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
1012
1013 #ifdef FIPS_MODULE
1014 if (prsactx != NULL)
1015 prsactx->verify_message = 0;
1016 #endif
1017
1018 return rsa_signverify_init(prsactx, vrsa, rsa_set_ctx_params, params,
1019 EVP_PKEY_OP_VERIFY, "RSA Verify Init");
1020 }
1021
rsa_verify_directly(PROV_RSA_CTX * prsactx,const unsigned char * sig,size_t siglen,const unsigned char * tbs,size_t tbslen)1022 static int rsa_verify_directly(PROV_RSA_CTX *prsactx,
1023 const unsigned char *sig, size_t siglen,
1024 const unsigned char *tbs, size_t tbslen)
1025 {
1026 size_t rslen;
1027
1028 if (!ossl_prov_is_running())
1029 return 0;
1030 if (prsactx->md != NULL) {
1031 switch (prsactx->pad_mode) {
1032 case RSA_PKCS1_PADDING:
1033 if (!RSA_verify(prsactx->mdnid, tbs, tbslen, sig, siglen,
1034 prsactx->rsa)) {
1035 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);
1036 return 0;
1037 }
1038 return 1;
1039 case RSA_X931_PADDING:
1040 if (!setup_tbuf(prsactx))
1041 return 0;
1042 if (rsa_verify_recover(prsactx, prsactx->tbuf, &rslen, 0,
1043 sig, siglen)
1044 <= 0)
1045 return 0;
1046 break;
1047 case RSA_PKCS1_PSS_PADDING: {
1048 int ret;
1049 int saltlen;
1050 size_t mdsize;
1051
1052 /*
1053 * We need to check this for the RSA_verify_PKCS1_PSS_mgf1()
1054 * call
1055 */
1056 mdsize = rsa_get_md_size(prsactx);
1057 if (tbslen != mdsize) {
1058 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST_LENGTH,
1059 "Should be %d, but got %d",
1060 mdsize, tbslen);
1061 return 0;
1062 }
1063
1064 if (!setup_tbuf(prsactx))
1065 return 0;
1066 ret = RSA_public_decrypt(siglen, sig, prsactx->tbuf,
1067 prsactx->rsa, RSA_NO_PADDING);
1068 if (ret <= 0) {
1069 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);
1070 return 0;
1071 }
1072 saltlen = prsactx->saltlen;
1073 ret = ossl_rsa_verify_PKCS1_PSS_mgf1(prsactx->rsa, tbs,
1074 prsactx->md, prsactx->mgf1_md,
1075 prsactx->tbuf,
1076 &saltlen);
1077 if (ret <= 0) {
1078 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);
1079 return 0;
1080 }
1081 #ifdef FIPS_MODULE
1082 if (!rsa_pss_saltlen_check_passed(prsactx, "RSA Verify", saltlen))
1083 return 0;
1084 #endif
1085 return 1;
1086 }
1087 default:
1088 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE,
1089 "Only X.931, PKCS#1 v1.5 or PSS padding allowed");
1090 return 0;
1091 }
1092 } else {
1093 int ret;
1094
1095 if (!setup_tbuf(prsactx))
1096 return 0;
1097 ret = RSA_public_decrypt(siglen, sig, prsactx->tbuf, prsactx->rsa,
1098 prsactx->pad_mode);
1099 if (ret <= 0) {
1100 ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB);
1101 return 0;
1102 }
1103 rslen = (size_t)ret;
1104 }
1105
1106 if ((rslen != tbslen) || memcmp(tbs, prsactx->tbuf, rslen))
1107 return 0;
1108
1109 return 1;
1110 }
1111
rsa_verify_set_sig(void * vprsactx,const unsigned char * sig,size_t siglen)1112 static int rsa_verify_set_sig(void *vprsactx,
1113 const unsigned char *sig, size_t siglen)
1114 {
1115 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
1116 OSSL_PARAM params[2];
1117
1118 params[0] = OSSL_PARAM_construct_octet_string(OSSL_SIGNATURE_PARAM_SIGNATURE,
1119 (unsigned char *)sig, siglen);
1120 params[1] = OSSL_PARAM_construct_end();
1121 return rsa_sigalg_set_ctx_params(prsactx, params);
1122 }
1123
rsa_verify_message_final(void * vprsactx)1124 static int rsa_verify_message_final(void *vprsactx)
1125 {
1126 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
1127 unsigned char digest[EVP_MAX_MD_SIZE];
1128 unsigned int dlen = 0;
1129
1130 if (!ossl_prov_is_running() || prsactx == NULL)
1131 return 0;
1132 if (prsactx->mdctx == NULL)
1133 return 0;
1134 if (!prsactx->flag_allow_final) {
1135 ERR_raise(ERR_LIB_PROV, PROV_R_FINAL_CALL_OUT_OF_ORDER);
1136 return 0;
1137 }
1138
1139 /*
1140 * The digests used here are all known (see rsa_get_md_nid()), so they
1141 * should not exceed the internal buffer size of EVP_MAX_MD_SIZE.
1142 */
1143 if (!EVP_DigestFinal_ex(prsactx->mdctx, digest, &dlen))
1144 return 0;
1145
1146 prsactx->flag_allow_update = 0;
1147 prsactx->flag_allow_final = 0;
1148 prsactx->flag_allow_oneshot = 0;
1149
1150 return rsa_verify_directly(prsactx, prsactx->sig, prsactx->siglen,
1151 digest, dlen);
1152 }
1153
1154 /*
1155 * If verifying a message, digest tbs and verify the result.
1156 * Otherwise, verify tbs directly.
1157 */
rsa_verify(void * vprsactx,const unsigned char * sig,size_t siglen,const unsigned char * tbs,size_t tbslen)1158 static int rsa_verify(void *vprsactx,
1159 const unsigned char *sig, size_t siglen,
1160 const unsigned char *tbs, size_t tbslen)
1161 {
1162 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
1163
1164 if (!ossl_prov_is_running() || prsactx == NULL)
1165 return 0;
1166 if (!prsactx->flag_allow_oneshot) {
1167 ERR_raise(ERR_LIB_PROV, PROV_R_ONESHOT_CALL_OUT_OF_ORDER);
1168 return 0;
1169 }
1170
1171 if (prsactx->operation == EVP_PKEY_OP_VERIFYMSG)
1172 return rsa_verify_set_sig(prsactx, sig, siglen)
1173 && rsa_signverify_message_update(prsactx, tbs, tbslen)
1174 && rsa_verify_message_final(prsactx);
1175 return rsa_verify_directly(prsactx, sig, siglen, tbs, tbslen);
1176 }
1177
1178 /* DigestSign/DigestVerify wrappers */
1179
rsa_digest_signverify_init(void * vprsactx,const char * mdname,void * vrsa,const OSSL_PARAM params[],int operation,const char * desc)1180 static int rsa_digest_signverify_init(void *vprsactx, const char *mdname,
1181 void *vrsa, const OSSL_PARAM params[],
1182 int operation, const char *desc)
1183 {
1184 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
1185
1186 #ifdef FIPS_MODULE
1187 if (prsactx != NULL)
1188 prsactx->verify_message = 1;
1189 #endif
1190
1191 if (!rsa_signverify_init(prsactx, vrsa, rsa_set_ctx_params, params,
1192 operation, desc))
1193 return 0;
1194
1195 if (mdname != NULL
1196 /* was rsa_setup_md already called in rsa_signverify_init()? */
1197 && (mdname[0] == '\0' || OPENSSL_strcasecmp(prsactx->mdname, mdname) != 0)
1198 && !rsa_setup_md(prsactx, mdname, prsactx->propq, desc))
1199 return 0;
1200
1201 prsactx->flag_allow_md = 0;
1202
1203 if (prsactx->mdctx == NULL) {
1204 prsactx->mdctx = EVP_MD_CTX_new();
1205 if (prsactx->mdctx == NULL)
1206 goto error;
1207 }
1208
1209 if (!EVP_DigestInit_ex2(prsactx->mdctx, prsactx->md, params))
1210 goto error;
1211
1212 return 1;
1213
1214 error:
1215 EVP_MD_CTX_free(prsactx->mdctx);
1216 prsactx->mdctx = NULL;
1217 return 0;
1218 }
1219
rsa_digest_sign_init(void * vprsactx,const char * mdname,void * vrsa,const OSSL_PARAM params[])1220 static int rsa_digest_sign_init(void *vprsactx, const char *mdname,
1221 void *vrsa, const OSSL_PARAM params[])
1222 {
1223 if (!ossl_prov_is_running())
1224 return 0;
1225 return rsa_digest_signverify_init(vprsactx, mdname, vrsa,
1226 params, EVP_PKEY_OP_SIGNMSG,
1227 "RSA Digest Sign Init");
1228 }
1229
rsa_digest_sign_update(void * vprsactx,const unsigned char * data,size_t datalen)1230 static int rsa_digest_sign_update(void *vprsactx, const unsigned char *data,
1231 size_t datalen)
1232 {
1233 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
1234
1235 if (prsactx == NULL)
1236 return 0;
1237 /* Sigalg implementations shouldn't do digest_sign */
1238 if (prsactx->flag_sigalg)
1239 return 0;
1240
1241 return rsa_signverify_message_update(prsactx, data, datalen);
1242 }
1243
rsa_digest_sign_final(void * vprsactx,unsigned char * sig,size_t * siglen,size_t sigsize)1244 static int rsa_digest_sign_final(void *vprsactx, unsigned char *sig,
1245 size_t *siglen, size_t sigsize)
1246 {
1247 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
1248 int ok = 0;
1249
1250 if (prsactx == NULL)
1251 return 0;
1252 /* Sigalg implementations shouldn't do digest_sign */
1253 if (prsactx->flag_sigalg)
1254 return 0;
1255
1256 if (rsa_sign_message_final(prsactx, sig, siglen, sigsize))
1257 ok = 1;
1258
1259 prsactx->flag_allow_md = 1;
1260
1261 return ok;
1262 }
1263
rsa_digest_verify_init(void * vprsactx,const char * mdname,void * vrsa,const OSSL_PARAM params[])1264 static int rsa_digest_verify_init(void *vprsactx, const char *mdname,
1265 void *vrsa, const OSSL_PARAM params[])
1266 {
1267 if (!ossl_prov_is_running())
1268 return 0;
1269 return rsa_digest_signverify_init(vprsactx, mdname, vrsa,
1270 params, EVP_PKEY_OP_VERIFYMSG,
1271 "RSA Digest Verify Init");
1272 }
1273
rsa_digest_verify_update(void * vprsactx,const unsigned char * data,size_t datalen)1274 static int rsa_digest_verify_update(void *vprsactx, const unsigned char *data,
1275 size_t datalen)
1276 {
1277 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
1278
1279 if (prsactx == NULL)
1280 return 0;
1281 /* Sigalg implementations shouldn't do digest_sign */
1282 if (prsactx->flag_sigalg)
1283 return 0;
1284
1285 return rsa_signverify_message_update(prsactx, data, datalen);
1286 }
1287
rsa_digest_verify_final(void * vprsactx,const unsigned char * sig,size_t siglen)1288 int rsa_digest_verify_final(void *vprsactx, const unsigned char *sig,
1289 size_t siglen)
1290 {
1291 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
1292 int ok = 0;
1293
1294 if (prsactx == NULL)
1295 return 0;
1296 /* Sigalg implementations shouldn't do digest_verify */
1297 if (prsactx->flag_sigalg)
1298 return 0;
1299
1300 if (rsa_verify_set_sig(prsactx, sig, siglen)
1301 && rsa_verify_message_final(vprsactx))
1302 ok = 1;
1303
1304 prsactx->flag_allow_md = 1;
1305
1306 return ok;
1307 }
1308
rsa_freectx(void * vprsactx)1309 static void rsa_freectx(void *vprsactx)
1310 {
1311 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
1312
1313 if (prsactx == NULL)
1314 return;
1315
1316 EVP_MD_CTX_free(prsactx->mdctx);
1317 EVP_MD_free(prsactx->md);
1318 EVP_MD_free(prsactx->mgf1_md);
1319 OPENSSL_free(prsactx->sig);
1320 OPENSSL_free(prsactx->propq);
1321 free_tbuf(prsactx);
1322 RSA_free(prsactx->rsa);
1323
1324 OPENSSL_clear_free(prsactx, sizeof(*prsactx));
1325 }
1326
rsa_dupctx(void * vprsactx)1327 static void *rsa_dupctx(void *vprsactx)
1328 {
1329 PROV_RSA_CTX *srcctx = (PROV_RSA_CTX *)vprsactx;
1330 PROV_RSA_CTX *dstctx;
1331
1332 if (!ossl_prov_is_running())
1333 return NULL;
1334
1335 dstctx = OPENSSL_zalloc(sizeof(*srcctx));
1336 if (dstctx == NULL)
1337 return NULL;
1338
1339 *dstctx = *srcctx;
1340 dstctx->rsa = NULL;
1341 dstctx->md = NULL;
1342 dstctx->mgf1_md = NULL;
1343 dstctx->mdctx = NULL;
1344 dstctx->tbuf = NULL;
1345 dstctx->propq = NULL;
1346 dstctx->sig = NULL;
1347
1348 if (srcctx->rsa != NULL && !RSA_up_ref(srcctx->rsa))
1349 goto err;
1350 dstctx->rsa = srcctx->rsa;
1351
1352 if (srcctx->md != NULL && !EVP_MD_up_ref(srcctx->md))
1353 goto err;
1354 dstctx->md = srcctx->md;
1355
1356 if (srcctx->mgf1_md != NULL && !EVP_MD_up_ref(srcctx->mgf1_md))
1357 goto err;
1358 dstctx->mgf1_md = srcctx->mgf1_md;
1359
1360 if (srcctx->mdctx != NULL) {
1361 dstctx->mdctx = EVP_MD_CTX_new();
1362 if (dstctx->mdctx == NULL
1363 || !EVP_MD_CTX_copy_ex(dstctx->mdctx, srcctx->mdctx))
1364 goto err;
1365 }
1366
1367 if (srcctx->propq != NULL) {
1368 dstctx->propq = OPENSSL_strdup(srcctx->propq);
1369 if (dstctx->propq == NULL)
1370 goto err;
1371 }
1372
1373 if (srcctx->sig != NULL) {
1374 dstctx->sig = OPENSSL_memdup(srcctx->sig, srcctx->siglen);
1375 if (dstctx->sig == NULL)
1376 goto err;
1377 }
1378
1379 return dstctx;
1380 err:
1381 rsa_freectx(dstctx);
1382 return NULL;
1383 }
1384
rsa_get_ctx_params(void * vprsactx,OSSL_PARAM * params)1385 static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params)
1386 {
1387 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
1388 OSSL_PARAM *p;
1389
1390 if (prsactx == NULL)
1391 return 0;
1392
1393 p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_ALGORITHM_ID);
1394 if (p != NULL) {
1395 /* The Algorithm Identifier of the combined signature algorithm */
1396 unsigned char aid_buf[128];
1397 unsigned char *aid;
1398 size_t aid_len;
1399
1400 aid = rsa_generate_signature_aid(prsactx, aid_buf,
1401 sizeof(aid_buf), &aid_len);
1402 if (aid == NULL || !OSSL_PARAM_set_octet_string(p, aid, aid_len))
1403 return 0;
1404 }
1405
1406 p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_PAD_MODE);
1407 if (p != NULL)
1408 switch (p->data_type) {
1409 case OSSL_PARAM_INTEGER:
1410 if (!OSSL_PARAM_set_int(p, prsactx->pad_mode))
1411 return 0;
1412 break;
1413 case OSSL_PARAM_UTF8_STRING: {
1414 int i;
1415 const char *word = NULL;
1416
1417 for (i = 0; padding_item[i].id != 0; i++) {
1418 if (prsactx->pad_mode == (int)padding_item[i].id) {
1419 word = padding_item[i].ptr;
1420 break;
1421 }
1422 }
1423
1424 if (word != NULL) {
1425 if (!OSSL_PARAM_set_utf8_string(p, word))
1426 return 0;
1427 } else {
1428 ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);
1429 }
1430 } break;
1431 default:
1432 return 0;
1433 }
1434
1435 p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_DIGEST);
1436 if (p != NULL && !OSSL_PARAM_set_utf8_string(p, prsactx->mdname))
1437 return 0;
1438
1439 p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_MGF1_DIGEST);
1440 if (p != NULL && !OSSL_PARAM_set_utf8_string(p, prsactx->mgf1_mdname))
1441 return 0;
1442
1443 p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_PSS_SALTLEN);
1444 if (p != NULL) {
1445 if (p->data_type == OSSL_PARAM_INTEGER) {
1446 if (!OSSL_PARAM_set_int(p, prsactx->saltlen))
1447 return 0;
1448 } else if (p->data_type == OSSL_PARAM_UTF8_STRING) {
1449 const char *value = NULL;
1450
1451 switch (prsactx->saltlen) {
1452 case RSA_PSS_SALTLEN_DIGEST:
1453 value = OSSL_PKEY_RSA_PSS_SALT_LEN_DIGEST;
1454 break;
1455 case RSA_PSS_SALTLEN_MAX:
1456 value = OSSL_PKEY_RSA_PSS_SALT_LEN_MAX;
1457 break;
1458 case RSA_PSS_SALTLEN_AUTO:
1459 value = OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO;
1460 break;
1461 case RSA_PSS_SALTLEN_AUTO_DIGEST_MAX:
1462 value = OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX;
1463 break;
1464 default: {
1465 int len = BIO_snprintf(p->data, p->data_size, "%d",
1466 prsactx->saltlen);
1467
1468 if (len <= 0)
1469 return 0;
1470 p->return_size = len;
1471 break;
1472 }
1473 }
1474 if (value != NULL
1475 && !OSSL_PARAM_set_utf8_string(p, value))
1476 return 0;
1477 }
1478 }
1479
1480 #ifdef FIPS_MODULE
1481 p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_FIPS_VERIFY_MESSAGE);
1482 if (p != NULL && !OSSL_PARAM_set_uint(p, prsactx->verify_message))
1483 return 0;
1484 #endif
1485
1486 if (!OSSL_FIPS_IND_GET_CTX_PARAM(prsactx, params))
1487 return 0;
1488 return 1;
1489 }
1490
1491 static const OSSL_PARAM known_gettable_ctx_params[] = {
1492 OSSL_PARAM_octet_string(OSSL_SIGNATURE_PARAM_ALGORITHM_ID, NULL, 0),
1493 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PAD_MODE, NULL, 0),
1494 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, NULL, 0),
1495 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_DIGEST, NULL, 0),
1496 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL, 0),
1497 #ifdef FIPS_MODULE
1498 OSSL_PARAM_uint(OSSL_SIGNATURE_PARAM_FIPS_VERIFY_MESSAGE, NULL),
1499 #endif
1500 OSSL_FIPS_IND_GETTABLE_CTX_PARAM()
1501 OSSL_PARAM_END
1502 };
1503
rsa_gettable_ctx_params(ossl_unused void * vprsactx,ossl_unused void * provctx)1504 static const OSSL_PARAM *rsa_gettable_ctx_params(ossl_unused void *vprsactx,
1505 ossl_unused void *provctx)
1506 {
1507 return known_gettable_ctx_params;
1508 }
1509
1510 #ifdef FIPS_MODULE
rsa_x931_padding_allowed(PROV_RSA_CTX * ctx)1511 static int rsa_x931_padding_allowed(PROV_RSA_CTX *ctx)
1512 {
1513 if ((ctx->operation
1514 & (EVP_PKEY_OP_SIGNMSG | EVP_PKEY_OP_SIGN))
1515 != 0) {
1516 if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE2,
1517 ctx->libctx,
1518 "RSA Sign set ctx", "X931 Padding",
1519 ossl_fips_config_rsa_sign_x931_disallowed)) {
1520 ERR_raise(ERR_LIB_PROV,
1521 PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
1522 return 0;
1523 }
1524 }
1525 return 1;
1526 }
1527 #endif
1528
rsa_set_ctx_params(void * vprsactx,const OSSL_PARAM params[])1529 static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
1530 {
1531 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
1532 const OSSL_PARAM *p;
1533 int pad_mode;
1534 int saltlen;
1535 char mdname[OSSL_MAX_NAME_SIZE] = "", *pmdname = NULL;
1536 char mdprops[OSSL_MAX_PROPQUERY_SIZE] = "", *pmdprops = NULL;
1537 char mgf1mdname[OSSL_MAX_NAME_SIZE] = "", *pmgf1mdname = NULL;
1538 char mgf1mdprops[OSSL_MAX_PROPQUERY_SIZE] = "", *pmgf1mdprops = NULL;
1539
1540 if (prsactx == NULL)
1541 return 0;
1542 if (ossl_param_is_empty(params))
1543 return 1;
1544
1545 if (!OSSL_FIPS_IND_SET_CTX_PARAM(prsactx, OSSL_FIPS_IND_SETTABLE0, params,
1546 OSSL_SIGNATURE_PARAM_FIPS_KEY_CHECK))
1547 return 0;
1548
1549 if (!OSSL_FIPS_IND_SET_CTX_PARAM(prsactx, OSSL_FIPS_IND_SETTABLE1, params,
1550 OSSL_SIGNATURE_PARAM_FIPS_DIGEST_CHECK))
1551 return 0;
1552
1553 if (!OSSL_FIPS_IND_SET_CTX_PARAM(prsactx, OSSL_FIPS_IND_SETTABLE2, params,
1554 OSSL_SIGNATURE_PARAM_FIPS_SIGN_X931_PAD_CHECK))
1555 return 0;
1556
1557 if (!OSSL_FIPS_IND_SET_CTX_PARAM(prsactx, OSSL_FIPS_IND_SETTABLE3, params,
1558 OSSL_SIGNATURE_PARAM_FIPS_RSA_PSS_SALTLEN_CHECK))
1559 return 0;
1560
1561 pad_mode = prsactx->pad_mode;
1562 saltlen = prsactx->saltlen;
1563
1564 p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_DIGEST);
1565 if (p != NULL) {
1566 const OSSL_PARAM *propsp = OSSL_PARAM_locate_const(params,
1567 OSSL_SIGNATURE_PARAM_PROPERTIES);
1568
1569 pmdname = mdname;
1570 if (!OSSL_PARAM_get_utf8_string(p, &pmdname, sizeof(mdname)))
1571 return 0;
1572
1573 if (propsp != NULL) {
1574 pmdprops = mdprops;
1575 if (!OSSL_PARAM_get_utf8_string(propsp,
1576 &pmdprops, sizeof(mdprops)))
1577 return 0;
1578 }
1579 }
1580
1581 p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_PAD_MODE);
1582 if (p != NULL) {
1583 const char *err_extra_text = NULL;
1584
1585 switch (p->data_type) {
1586 case OSSL_PARAM_INTEGER: /* Support for legacy pad mode number */
1587 if (!OSSL_PARAM_get_int(p, &pad_mode))
1588 return 0;
1589 break;
1590 case OSSL_PARAM_UTF8_STRING: {
1591 int i;
1592
1593 if (p->data == NULL)
1594 return 0;
1595
1596 for (i = 0; padding_item[i].id != 0; i++) {
1597 if (strcmp(p->data, padding_item[i].ptr) == 0) {
1598 pad_mode = padding_item[i].id;
1599 break;
1600 }
1601 }
1602 } break;
1603 default:
1604 return 0;
1605 }
1606
1607 switch (pad_mode) {
1608 case RSA_PKCS1_OAEP_PADDING:
1609 /*
1610 * OAEP padding is for asymmetric cipher only so is not compatible
1611 * with signature use.
1612 */
1613 err_extra_text = "OAEP padding not allowed for signing / verifying";
1614 goto bad_pad;
1615 case RSA_PKCS1_PSS_PADDING:
1616 if ((prsactx->operation
1617 & (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_SIGNMSG
1618 | EVP_PKEY_OP_VERIFY | EVP_PKEY_OP_VERIFYMSG))
1619 == 0) {
1620 err_extra_text = "PSS padding only allowed for sign and verify operations";
1621 goto bad_pad;
1622 }
1623 break;
1624 case RSA_PKCS1_PADDING:
1625 err_extra_text = "PKCS#1 padding not allowed with RSA-PSS";
1626 goto cont;
1627 case RSA_NO_PADDING:
1628 err_extra_text = "No padding not allowed with RSA-PSS";
1629 goto cont;
1630 case RSA_X931_PADDING:
1631 #ifdef FIPS_MODULE
1632 /* X9.31 only allows sizes of 1024 + 256 * s (bits) */
1633 if ((RSA_bits(prsactx->rsa) & 0xFF) != 0) {
1634 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
1635 return 0;
1636 }
1637 /* RSA Signing with X9.31 padding is not allowed in FIPS 140-3 */
1638 if (!rsa_x931_padding_allowed(prsactx))
1639 return 0;
1640 #endif
1641 err_extra_text = "X.931 padding not allowed with RSA-PSS";
1642 cont:
1643 if (RSA_test_flags(prsactx->rsa,
1644 RSA_FLAG_TYPE_MASK)
1645 == RSA_FLAG_TYPE_RSA)
1646 break;
1647 /* FALLTHRU */
1648 default:
1649 bad_pad:
1650 if (err_extra_text == NULL)
1651 ERR_raise(ERR_LIB_PROV,
1652 PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
1653 else
1654 ERR_raise_data(ERR_LIB_PROV,
1655 PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE,
1656 err_extra_text);
1657 return 0;
1658 }
1659 }
1660
1661 p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_PSS_SALTLEN);
1662 if (p != NULL) {
1663 if (pad_mode != RSA_PKCS1_PSS_PADDING) {
1664 ERR_raise_data(ERR_LIB_PROV, PROV_R_NOT_SUPPORTED,
1665 "PSS saltlen can only be specified if "
1666 "PSS padding has been specified first");
1667 return 0;
1668 }
1669
1670 switch (p->data_type) {
1671 case OSSL_PARAM_INTEGER: /* Support for legacy pad mode number */
1672 if (!OSSL_PARAM_get_int(p, &saltlen))
1673 return 0;
1674 break;
1675 case OSSL_PARAM_UTF8_STRING:
1676 if (strcmp(p->data, OSSL_PKEY_RSA_PSS_SALT_LEN_DIGEST) == 0)
1677 saltlen = RSA_PSS_SALTLEN_DIGEST;
1678 else if (strcmp(p->data, OSSL_PKEY_RSA_PSS_SALT_LEN_MAX) == 0)
1679 saltlen = RSA_PSS_SALTLEN_MAX;
1680 else if (strcmp(p->data, OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO) == 0)
1681 saltlen = RSA_PSS_SALTLEN_AUTO;
1682 else if (strcmp(p->data, OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX) == 0)
1683 saltlen = RSA_PSS_SALTLEN_AUTO_DIGEST_MAX;
1684 else
1685 saltlen = atoi(p->data);
1686 break;
1687 default:
1688 return 0;
1689 }
1690
1691 /*
1692 * RSA_PSS_SALTLEN_AUTO_DIGEST_MAX seems curiously named in this check.
1693 * Contrary to what it's name suggests, it's the currently lowest
1694 * saltlen number possible.
1695 */
1696 if (saltlen < RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) {
1697 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH);
1698 return 0;
1699 }
1700
1701 if (rsa_pss_restricted(prsactx)) {
1702 switch (saltlen) {
1703 case RSA_PSS_SALTLEN_AUTO:
1704 case RSA_PSS_SALTLEN_AUTO_DIGEST_MAX:
1705 if ((prsactx->operation
1706 & (EVP_PKEY_OP_VERIFY | EVP_PKEY_OP_VERIFYMSG))
1707 == 0) {
1708 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH,
1709 "Cannot use autodetected salt length");
1710 return 0;
1711 }
1712 break;
1713 case RSA_PSS_SALTLEN_DIGEST:
1714 if (prsactx->min_saltlen > EVP_MD_get_size(prsactx->md)) {
1715 ERR_raise_data(ERR_LIB_PROV,
1716 PROV_R_PSS_SALTLEN_TOO_SMALL,
1717 "Should be more than %d, but would be "
1718 "set to match digest size (%d)",
1719 prsactx->min_saltlen,
1720 EVP_MD_get_size(prsactx->md));
1721 return 0;
1722 }
1723 break;
1724 default:
1725 if (saltlen >= 0 && saltlen < prsactx->min_saltlen) {
1726 ERR_raise_data(ERR_LIB_PROV,
1727 PROV_R_PSS_SALTLEN_TOO_SMALL,
1728 "Should be more than %d, "
1729 "but would be set to %d",
1730 prsactx->min_saltlen, saltlen);
1731 return 0;
1732 }
1733 }
1734 }
1735 }
1736
1737 p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_MGF1_DIGEST);
1738 if (p != NULL) {
1739 const OSSL_PARAM *propsp = OSSL_PARAM_locate_const(params,
1740 OSSL_SIGNATURE_PARAM_MGF1_PROPERTIES);
1741
1742 pmgf1mdname = mgf1mdname;
1743 if (!OSSL_PARAM_get_utf8_string(p, &pmgf1mdname, sizeof(mgf1mdname)))
1744 return 0;
1745
1746 if (propsp != NULL) {
1747 pmgf1mdprops = mgf1mdprops;
1748 if (!OSSL_PARAM_get_utf8_string(propsp,
1749 &pmgf1mdprops, sizeof(mgf1mdprops)))
1750 return 0;
1751 }
1752
1753 if (pad_mode != RSA_PKCS1_PSS_PADDING) {
1754 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_MGF1_MD);
1755 return 0;
1756 }
1757 }
1758
1759 prsactx->saltlen = saltlen;
1760 prsactx->pad_mode = pad_mode;
1761
1762 if (prsactx->md == NULL && pmdname == NULL
1763 && pad_mode == RSA_PKCS1_PSS_PADDING)
1764 pmdname = RSA_DEFAULT_DIGEST_NAME;
1765
1766 if (pmgf1mdname != NULL
1767 && !rsa_setup_mgf1_md(prsactx, pmgf1mdname, pmgf1mdprops))
1768 return 0;
1769
1770 if (pmdname != NULL) {
1771 if (!rsa_setup_md(prsactx, pmdname, pmdprops, "RSA Sign Set Ctx"))
1772 return 0;
1773 } else {
1774 if (!rsa_check_padding(prsactx, NULL, NULL, prsactx->mdnid))
1775 return 0;
1776 }
1777 return 1;
1778 }
1779
1780 static const OSSL_PARAM settable_ctx_params[] = {
1781 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, NULL, 0),
1782 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PROPERTIES, NULL, 0),
1783 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PAD_MODE, NULL, 0),
1784 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_DIGEST, NULL, 0),
1785 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_PROPERTIES, NULL, 0),
1786 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL, 0),
1787 OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_SIGNATURE_PARAM_FIPS_KEY_CHECK)
1788 OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_SIGNATURE_PARAM_FIPS_DIGEST_CHECK)
1789 OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_SIGNATURE_PARAM_FIPS_RSA_PSS_SALTLEN_CHECK)
1790 OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_SIGNATURE_PARAM_FIPS_SIGN_X931_PAD_CHECK)
1791 OSSL_PARAM_END
1792 };
1793
1794 static const OSSL_PARAM settable_ctx_params_no_digest[] = {
1795 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PAD_MODE, NULL, 0),
1796 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_DIGEST, NULL, 0),
1797 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_PROPERTIES, NULL, 0),
1798 OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL, 0),
1799 OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_SIGNATURE_PARAM_FIPS_KEY_CHECK)
1800 OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_SIGNATURE_PARAM_FIPS_DIGEST_CHECK)
1801 OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_SIGNATURE_PARAM_FIPS_RSA_PSS_SALTLEN_CHECK)
1802 OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_SIGNATURE_PARAM_FIPS_SIGN_X931_PAD_CHECK)
1803 OSSL_PARAM_END
1804 };
1805
rsa_settable_ctx_params(void * vprsactx,ossl_unused void * provctx)1806 static const OSSL_PARAM *rsa_settable_ctx_params(void *vprsactx,
1807 ossl_unused void *provctx)
1808 {
1809 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
1810
1811 if (prsactx != NULL && !prsactx->flag_allow_md)
1812 return settable_ctx_params_no_digest;
1813 return settable_ctx_params;
1814 }
1815
rsa_get_ctx_md_params(void * vprsactx,OSSL_PARAM * params)1816 static int rsa_get_ctx_md_params(void *vprsactx, OSSL_PARAM *params)
1817 {
1818 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
1819
1820 if (prsactx->mdctx == NULL)
1821 return 0;
1822
1823 return EVP_MD_CTX_get_params(prsactx->mdctx, params);
1824 }
1825
rsa_gettable_ctx_md_params(void * vprsactx)1826 static const OSSL_PARAM *rsa_gettable_ctx_md_params(void *vprsactx)
1827 {
1828 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
1829
1830 if (prsactx->md == NULL)
1831 return 0;
1832
1833 return EVP_MD_gettable_ctx_params(prsactx->md);
1834 }
1835
rsa_set_ctx_md_params(void * vprsactx,const OSSL_PARAM params[])1836 static int rsa_set_ctx_md_params(void *vprsactx, const OSSL_PARAM params[])
1837 {
1838 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
1839
1840 if (prsactx->mdctx == NULL)
1841 return 0;
1842
1843 return EVP_MD_CTX_set_params(prsactx->mdctx, params);
1844 }
1845
rsa_settable_ctx_md_params(void * vprsactx)1846 static const OSSL_PARAM *rsa_settable_ctx_md_params(void *vprsactx)
1847 {
1848 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
1849
1850 if (prsactx->md == NULL)
1851 return 0;
1852
1853 return EVP_MD_settable_ctx_params(prsactx->md);
1854 }
1855
1856 const OSSL_DISPATCH ossl_rsa_signature_functions[] = {
1857 { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))rsa_newctx },
1858 { OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))rsa_sign_init },
1859 { OSSL_FUNC_SIGNATURE_SIGN, (void (*)(void))rsa_sign },
1860 { OSSL_FUNC_SIGNATURE_VERIFY_INIT, (void (*)(void))rsa_verify_init },
1861 { OSSL_FUNC_SIGNATURE_VERIFY, (void (*)(void))rsa_verify },
1862 { OSSL_FUNC_SIGNATURE_VERIFY_RECOVER_INIT,
1863 (void (*)(void))rsa_verify_recover_init },
1864 { OSSL_FUNC_SIGNATURE_VERIFY_RECOVER,
1865 (void (*)(void))rsa_verify_recover },
1866 { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_INIT,
1867 (void (*)(void))rsa_digest_sign_init },
1868 { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_UPDATE,
1869 (void (*)(void))rsa_digest_sign_update },
1870 { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_FINAL,
1871 (void (*)(void))rsa_digest_sign_final },
1872 { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_INIT,
1873 (void (*)(void))rsa_digest_verify_init },
1874 { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_UPDATE,
1875 (void (*)(void))rsa_digest_verify_update },
1876 { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_FINAL,
1877 (void (*)(void))rsa_digest_verify_final },
1878 { OSSL_FUNC_SIGNATURE_FREECTX, (void (*)(void))rsa_freectx },
1879 { OSSL_FUNC_SIGNATURE_DUPCTX, (void (*)(void))rsa_dupctx },
1880 { OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, (void (*)(void))rsa_get_ctx_params },
1881 { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS,
1882 (void (*)(void))rsa_gettable_ctx_params },
1883 { OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS, (void (*)(void))rsa_set_ctx_params },
1884 { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS,
1885 (void (*)(void))rsa_settable_ctx_params },
1886 { OSSL_FUNC_SIGNATURE_GET_CTX_MD_PARAMS,
1887 (void (*)(void))rsa_get_ctx_md_params },
1888 { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_MD_PARAMS,
1889 (void (*)(void))rsa_gettable_ctx_md_params },
1890 { OSSL_FUNC_SIGNATURE_SET_CTX_MD_PARAMS,
1891 (void (*)(void))rsa_set_ctx_md_params },
1892 { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_MD_PARAMS,
1893 (void (*)(void))rsa_settable_ctx_md_params },
1894 OSSL_DISPATCH_END
1895 };
1896
1897 /* ------------------------------------------------------------------ */
1898
1899 /*
1900 * So called sigalgs (composite RSA+hash) implemented below. They
1901 * are pretty much hard coded, and rely on the hash implementation
1902 * being available as per what OPENSSL_NO_ macros allow.
1903 */
1904
1905 static OSSL_FUNC_signature_query_key_types_fn rsa_sigalg_query_key_types;
1906 static OSSL_FUNC_signature_settable_ctx_params_fn rsa_sigalg_settable_ctx_params;
1907 static OSSL_FUNC_signature_set_ctx_params_fn rsa_sigalg_set_ctx_params;
1908
1909 /*
1910 * rsa_sigalg_signverify_init() is almost like rsa_digest_signverify_init(),
1911 * just doesn't allow fetching an MD from whatever the user chooses.
1912 */
rsa_sigalg_signverify_init(void * vprsactx,void * vrsa,OSSL_FUNC_signature_set_ctx_params_fn * set_ctx_params,const OSSL_PARAM params[],const char * mdname,int operation,int pad_mode,const char * desc)1913 static int rsa_sigalg_signverify_init(void *vprsactx, void *vrsa,
1914 OSSL_FUNC_signature_set_ctx_params_fn *set_ctx_params,
1915 const OSSL_PARAM params[],
1916 const char *mdname,
1917 int operation, int pad_mode,
1918 const char *desc)
1919 {
1920 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
1921
1922 if (!ossl_prov_is_running())
1923 return 0;
1924
1925 if (!rsa_signverify_init(prsactx, vrsa, set_ctx_params, params, operation,
1926 desc))
1927 return 0;
1928
1929 /* PSS is currently not supported as a sigalg */
1930 if (prsactx->pad_mode == RSA_PKCS1_PSS_PADDING) {
1931 ERR_raise(ERR_LIB_RSA, PROV_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
1932 return 0;
1933 }
1934
1935 if (!rsa_setup_md(prsactx, mdname, NULL, desc))
1936 return 0;
1937
1938 prsactx->pad_mode = pad_mode;
1939 prsactx->flag_sigalg = 1;
1940 prsactx->flag_allow_md = 0;
1941
1942 if (prsactx->mdctx == NULL) {
1943 prsactx->mdctx = EVP_MD_CTX_new();
1944 if (prsactx->mdctx == NULL)
1945 goto error;
1946 }
1947
1948 if (!EVP_DigestInit_ex2(prsactx->mdctx, prsactx->md, params))
1949 goto error;
1950
1951 return 1;
1952
1953 error:
1954 EVP_MD_CTX_free(prsactx->mdctx);
1955 prsactx->mdctx = NULL;
1956 return 0;
1957 }
1958
rsa_sigalg_query_key_types(void)1959 static const char **rsa_sigalg_query_key_types(void)
1960 {
1961 static const char *keytypes[] = { "RSA", NULL };
1962
1963 return keytypes;
1964 }
1965
1966 static const OSSL_PARAM settable_sigalg_ctx_params[] = {
1967 OSSL_PARAM_octet_string(OSSL_SIGNATURE_PARAM_SIGNATURE, NULL, 0),
1968 OSSL_PARAM_END
1969 };
1970
rsa_sigalg_settable_ctx_params(void * vprsactx,ossl_unused void * provctx)1971 static const OSSL_PARAM *rsa_sigalg_settable_ctx_params(void *vprsactx,
1972 ossl_unused void *provctx)
1973 {
1974 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
1975
1976 if (prsactx != NULL && prsactx->operation == EVP_PKEY_OP_VERIFYMSG)
1977 return settable_sigalg_ctx_params;
1978 return NULL;
1979 }
1980
rsa_sigalg_set_ctx_params(void * vprsactx,const OSSL_PARAM params[])1981 static int rsa_sigalg_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
1982 {
1983 PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
1984 const OSSL_PARAM *p;
1985
1986 if (prsactx == NULL)
1987 return 0;
1988 if (ossl_param_is_empty(params))
1989 return 1;
1990
1991 if (prsactx->operation == EVP_PKEY_OP_VERIFYMSG) {
1992 p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_SIGNATURE);
1993 if (p != NULL) {
1994 OPENSSL_free(prsactx->sig);
1995 prsactx->sig = NULL;
1996 prsactx->siglen = 0;
1997 if (!OSSL_PARAM_get_octet_string(p, (void **)&prsactx->sig,
1998 0, &prsactx->siglen))
1999 return 0;
2000 }
2001 }
2002 return 1;
2003 }
2004
2005 #define IMPL_RSA_SIGALG(md, MD) \
2006 static OSSL_FUNC_signature_sign_init_fn rsa_##md##_sign_init; \
2007 static OSSL_FUNC_signature_sign_message_init_fn \
2008 rsa_##md##_sign_message_init; \
2009 static OSSL_FUNC_signature_verify_init_fn rsa_##md##_verify_init; \
2010 static OSSL_FUNC_signature_verify_message_init_fn \
2011 rsa_##md##_verify_message_init; \
2012 \
2013 static int \
2014 rsa_##md##_sign_init(void *vprsactx, void *vrsa, \
2015 const OSSL_PARAM params[]) \
2016 { \
2017 static const char desc[] = "RSA Sigalg Sign Init"; \
2018 \
2019 return rsa_sigalg_signverify_init(vprsactx, vrsa, \
2020 rsa_sigalg_set_ctx_params, \
2021 params, #MD, \
2022 EVP_PKEY_OP_SIGN, \
2023 RSA_PKCS1_PADDING, \
2024 desc); \
2025 } \
2026 \
2027 static int \
2028 rsa_##md##_sign_message_init(void *vprsactx, void *vrsa, \
2029 const OSSL_PARAM params[]) \
2030 { \
2031 static const char desc[] = "RSA Sigalg Sign Message Init"; \
2032 \
2033 return rsa_sigalg_signverify_init(vprsactx, vrsa, \
2034 rsa_sigalg_set_ctx_params, \
2035 params, #MD, \
2036 EVP_PKEY_OP_SIGNMSG, \
2037 RSA_PKCS1_PADDING, \
2038 desc); \
2039 } \
2040 \
2041 static int \
2042 rsa_##md##_verify_init(void *vprsactx, void *vrsa, \
2043 const OSSL_PARAM params[]) \
2044 { \
2045 static const char desc[] = "RSA Sigalg Verify Init"; \
2046 \
2047 return rsa_sigalg_signverify_init(vprsactx, vrsa, \
2048 rsa_sigalg_set_ctx_params, \
2049 params, #MD, \
2050 EVP_PKEY_OP_VERIFY, \
2051 RSA_PKCS1_PADDING, \
2052 desc); \
2053 } \
2054 \
2055 static int \
2056 rsa_##md##_verify_recover_init(void *vprsactx, void *vrsa, \
2057 const OSSL_PARAM params[]) \
2058 { \
2059 static const char desc[] = "RSA Sigalg Verify Recover Init"; \
2060 \
2061 return rsa_sigalg_signverify_init(vprsactx, vrsa, \
2062 rsa_sigalg_set_ctx_params, \
2063 params, #MD, \
2064 EVP_PKEY_OP_VERIFYRECOVER, \
2065 RSA_PKCS1_PADDING, \
2066 desc); \
2067 } \
2068 \
2069 static int \
2070 rsa_##md##_verify_message_init(void *vprsactx, void *vrsa, \
2071 const OSSL_PARAM params[]) \
2072 { \
2073 static const char desc[] = "RSA Sigalg Verify Message Init"; \
2074 \
2075 return rsa_sigalg_signverify_init(vprsactx, vrsa, \
2076 rsa_sigalg_set_ctx_params, \
2077 params, #MD, \
2078 EVP_PKEY_OP_VERIFYMSG, \
2079 RSA_PKCS1_PADDING, \
2080 desc); \
2081 } \
2082 \
2083 const OSSL_DISPATCH ossl_rsa_##md##_signature_functions[] = { \
2084 { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))rsa_newctx }, \
2085 { OSSL_FUNC_SIGNATURE_SIGN_INIT, \
2086 (void (*)(void))rsa_##md##_sign_init }, \
2087 { OSSL_FUNC_SIGNATURE_SIGN, (void (*)(void))rsa_sign }, \
2088 { OSSL_FUNC_SIGNATURE_SIGN_MESSAGE_INIT, \
2089 (void (*)(void))rsa_##md##_sign_message_init }, \
2090 { OSSL_FUNC_SIGNATURE_SIGN_MESSAGE_UPDATE, \
2091 (void (*)(void))rsa_signverify_message_update }, \
2092 { OSSL_FUNC_SIGNATURE_SIGN_MESSAGE_FINAL, \
2093 (void (*)(void))rsa_sign_message_final }, \
2094 { OSSL_FUNC_SIGNATURE_VERIFY_INIT, \
2095 (void (*)(void))rsa_##md##_verify_init }, \
2096 { OSSL_FUNC_SIGNATURE_VERIFY, \
2097 (void (*)(void))rsa_verify }, \
2098 { OSSL_FUNC_SIGNATURE_VERIFY_MESSAGE_INIT, \
2099 (void (*)(void))rsa_##md##_verify_message_init }, \
2100 { OSSL_FUNC_SIGNATURE_VERIFY_MESSAGE_UPDATE, \
2101 (void (*)(void))rsa_signverify_message_update }, \
2102 { OSSL_FUNC_SIGNATURE_VERIFY_MESSAGE_FINAL, \
2103 (void (*)(void))rsa_verify_message_final }, \
2104 { OSSL_FUNC_SIGNATURE_VERIFY_RECOVER_INIT, \
2105 (void (*)(void))rsa_##md##_verify_recover_init }, \
2106 { OSSL_FUNC_SIGNATURE_VERIFY_RECOVER, \
2107 (void (*)(void))rsa_verify_recover }, \
2108 { OSSL_FUNC_SIGNATURE_FREECTX, (void (*)(void))rsa_freectx }, \
2109 { OSSL_FUNC_SIGNATURE_DUPCTX, (void (*)(void))rsa_dupctx }, \
2110 { OSSL_FUNC_SIGNATURE_QUERY_KEY_TYPES, \
2111 (void (*)(void))rsa_sigalg_query_key_types }, \
2112 { OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, \
2113 (void (*)(void))rsa_get_ctx_params }, \
2114 { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS, \
2115 (void (*)(void))rsa_gettable_ctx_params }, \
2116 { OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS, \
2117 (void (*)(void))rsa_sigalg_set_ctx_params }, \
2118 { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS, \
2119 (void (*)(void))rsa_sigalg_settable_ctx_params }, \
2120 OSSL_DISPATCH_END \
2121 }
2122
2123 /* clang-format off */
2124 #if !defined(OPENSSL_NO_RMD160) && !defined(FIPS_MODULE)
2125 IMPL_RSA_SIGALG(ripemd160, RIPEMD160);
2126 #endif
2127 IMPL_RSA_SIGALG(sha1, SHA1);
2128 IMPL_RSA_SIGALG(sha224, SHA2-224);
2129 IMPL_RSA_SIGALG(sha256, SHA2-256);
2130 IMPL_RSA_SIGALG(sha384, SHA2-384);
2131 IMPL_RSA_SIGALG(sha512, SHA2-512);
2132 IMPL_RSA_SIGALG(sha512_224, SHA2-512/224);
2133 IMPL_RSA_SIGALG(sha512_256, SHA2-512/256);
2134 IMPL_RSA_SIGALG(sha3_224, SHA3-224);
2135 IMPL_RSA_SIGALG(sha3_256, SHA3-256);
2136 IMPL_RSA_SIGALG(sha3_384, SHA3-384);
2137 IMPL_RSA_SIGALG(sha3_512, SHA3-512);
2138 #if !defined(OPENSSL_NO_SM3) && !defined(FIPS_MODULE)
2139 IMPL_RSA_SIGALG(sm3, SM3);
2140 #endif
2141 /* clang-format on */
2142