3 files changed, 127 insertions, 65 deletions
diff --git a/src/lib/libcrypto/rsa/rsa_eay.c b/src/lib/libcrypto/rsa/rsa_eay.c
index e65319bda1..6db563f2a4 100644
--- a/src/lib/libcrypto/rsa/rsa_eay.c
+++ b/src/lib/libcrypto/rsa/rsa_eay.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_eay.c,v 1.59 2023/04/15 18:48:52 tb Exp $ */
+/* $OpenBSD: rsa_eay.c,v 1.60 2023/05/05 12:21:44 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -382,11 +382,14 @@ RSA_eay_private_encrypt(int flen, const unsigned char *from, unsigned char *to,
        case RSA_PKCS1_PADDING:
                i = RSA_padding_add_PKCS1_type_1(buf, num, from, flen);
                break;
+        case RSA_X931_PADDING:
+                i = RSA_padding_add_X931(buf, num, from, flen);
+                break;
        case RSA_NO_PADDING:
                i = RSA_padding_add_none(buf, num, from, flen);
                break;
        default:
-                RSAerror(RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
+                RSAerror(RSA_R_UNKNOWN_PADDING_TYPE);
                goto err;
        }
        if (i <= 0)
@@ -446,11 +449,14 @@ RSA_eay_private_encrypt(int flen, const unsigned char *from, unsigned char *to,
                        goto err;
        if (padding == RSA_X931_PADDING) {
-                RSAerror(RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
+                if (!BN_sub(f, rsa->n, ret))
-                goto err;
+                        goto err;
-        }
+                if (BN_cmp(ret, f) > 0)
+                        res = f;
-        res = ret;
+                else
+                        res = ret;
+        } else
+                res = ret;
        /* put in leading 0 bytes if the number is less than the
         * length of the modulus */
@@ -661,10 +667,9 @@ RSA_eay_public_decrypt(int flen, const unsigned char *from, unsigned char *to,
            rsa->_method_mod_n))
                goto err;
-        if (padding == RSA_X931_PADDING) {
+        if (padding == RSA_X931_PADDING && (ret->d[0] & 0xf) != 12)
-                RSAerror(RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
+                if (!BN_sub(ret, rsa->n, ret))
-                goto err;
+                        goto err;
-        }
        p = buf;
        i = BN_bn2bin(ret, p);
@@ -673,6 +678,9 @@ RSA_eay_public_decrypt(int flen, const unsigned char *from, unsigned char *to,
        case RSA_PKCS1_PADDING:
                r = RSA_padding_check_PKCS1_type_1(to, num, buf, i, num);
                break;
+        case RSA_X931_PADDING:
+                r = RSA_padding_check_X931(to, num, buf, i, num);
+                break;
        case RSA_NO_PADDING:
                r = RSA_padding_check_none(to, num, buf, i, num);
                break;
diff --git a/src/lib/libcrypto/rsa/rsa_local.h b/src/lib/libcrypto/rsa/rsa_local.h
index b438ab4eec..4bc2cee8cd 100644
--- a/src/lib/libcrypto/rsa/rsa_local.h
+++ b/src/lib/libcrypto/rsa/rsa_local.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_local.h,v 1.1 2022/11/26 16:08:54 tb Exp $ */
+/* $OpenBSD: rsa_local.h,v 1.2 2023/05/05 12:21:44 tb Exp $ */
 __BEGIN_HIDDEN_DECLS
@@ -91,4 +91,10 @@ extern int int_rsa_verify(int dtype, const unsigned char *m,
    unsigned int m_len, unsigned char *rm, size_t *prm_len,
    const unsigned char *sigbuf, size_t siglen, RSA *rsa);
+int RSA_padding_add_X931(unsigned char *to, int tlen,
+    const unsigned char *f, int fl);
+int RSA_padding_check_X931(unsigned char *to, int tlen,
+    const unsigned char *f, int fl, int rsa_len);
+int RSA_X931_hash_id(int nid);
 __END_HIDDEN_DECLS
diff --git a/src/lib/libcrypto/rsa/rsa_pmeth.c b/src/lib/libcrypto/rsa/rsa_pmeth.c
index 8e06365566..429524d73d 100644
--- a/src/lib/libcrypto/rsa/rsa_pmeth.c
+++ b/src/lib/libcrypto/rsa/rsa_pmeth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_pmeth.c,v 1.37 2023/04/25 15:48:48 tb Exp $ */
+/* $OpenBSD: rsa_pmeth.c,v 1.38 2023/05/05 12:21:44 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2006.
 */
@@ -187,7 +187,7 @@ static int
 pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,
    const unsigned char *tbs, size_t tbslen)
 {
-        int ret = -1;
+        int ret;
        RSA_PKEY_CTX *rctx = ctx->data;
        RSA *rsa = ctx->pkey->pkey.rsa;
@@ -197,11 +197,21 @@ pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,
                        return -1;
                }
-                if (rctx->pad_mode != RSA_PKCS1_PADDING &&
+                if (rctx->pad_mode == RSA_X931_PADDING) {
-                    rctx->pad_mode != RSA_PKCS1_PSS_PADDING)
+                        if ((size_t)EVP_PKEY_size(ctx->pkey) < tbslen + 1) {
-                        return -1;
+                                RSAerror(RSA_R_KEY_SIZE_TOO_SMALL);
+                                return -1;
-                if (rctx->pad_mode == RSA_PKCS1_PADDING) {
+                        }
+                        if (!setup_tbuf(rctx, ctx)) {
+                                RSAerror(ERR_R_MALLOC_FAILURE);
+                                return -1;
+                        }
+                        memcpy(rctx->tbuf, tbs, tbslen);
+                        rctx->tbuf[tbslen] =
+                            RSA_X931_hash_id(EVP_MD_type(rctx->md));
+                        ret = RSA_private_encrypt(tbslen + 1, rctx->tbuf, sig,
+                            rsa, RSA_X931_PADDING);
+                } else if (rctx->pad_mode == RSA_PKCS1_PADDING) {
                        unsigned int sltmp;
                        ret = RSA_sign(EVP_MD_type(rctx->md), tbs, tbslen, sig,
@@ -217,6 +227,8 @@ pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,
                                return -1;
                        ret = RSA_private_encrypt(RSA_size(rsa), rctx->tbuf,
                            sig, rsa, RSA_NO_PADDING);
+                } else {
+                        return -1;
                }
        } else {
                ret = RSA_private_encrypt(tbslen, tbs, sig, ctx->pkey->pkey.rsa,
@@ -236,16 +248,36 @@ pkey_rsa_verifyrecover(EVP_PKEY_CTX *ctx, unsigned char *rout, size_t *routlen,
        RSA_PKEY_CTX *rctx = ctx->data;
        if (rctx->md) {
-                size_t sltmp;
+                if (rctx->pad_mode == RSA_X931_PADDING) {
+                        if (!setup_tbuf(rctx, ctx))
+                                return -1;
+                        ret = RSA_public_decrypt(siglen, sig, rctx->tbuf,
+                            ctx->pkey->pkey.rsa, RSA_X931_PADDING);
+                        if (ret < 1)
+                                return 0;
+                        ret--;
+                        if (rctx->tbuf[ret] !=
+                            RSA_X931_hash_id(EVP_MD_type(rctx->md))) {
+                                RSAerror(RSA_R_ALGORITHM_MISMATCH);
+                                return 0;
+                        }
+                        if (ret != EVP_MD_size(rctx->md)) {
+                                RSAerror(RSA_R_INVALID_DIGEST_LENGTH);
+                                return 0;
+                        }
+                        if (rout)
+                                memcpy(rout, rctx->tbuf, ret);
+                } else if (rctx->pad_mode == RSA_PKCS1_PADDING) {
+                        size_t sltmp;
-                if (rctx->pad_mode != RSA_PKCS1_PADDING)
+                        ret = int_rsa_verify(EVP_MD_type(rctx->md), NULL, 0,
+                            rout, &sltmp, sig, siglen, ctx->pkey->pkey.rsa);
+                        if (ret <= 0)
+                                return 0;
+                        ret = sltmp;
+                } else {
                        return -1;
+                }
-                ret = int_rsa_verify(EVP_MD_type(rctx->md), NULL, 0,
-                    rout, &sltmp, sig, siglen, ctx->pkey->pkey.rsa);
-                if (ret <= 0)
-                        return 0;
-                ret = sltmp;
        } else {
                ret = RSA_public_decrypt(siglen, sig, rout, ctx->pkey->pkey.rsa,
                    rctx->pad_mode);
@@ -263,7 +295,6 @@ pkey_rsa_verify(EVP_PKEY_CTX *ctx, const unsigned char *sig, size_t siglen,
        RSA_PKEY_CTX *rctx = ctx->data;
        RSA *rsa = ctx->pkey->pkey.rsa;
        size_t rslen;
-        int ret;
        if (rctx->md) {
                if (rctx->pad_mode == RSA_PKCS1_PADDING)
@@ -273,22 +304,30 @@ pkey_rsa_verify(EVP_PKEY_CTX *ctx, const unsigned char *sig, size_t siglen,
                        RSAerror(RSA_R_INVALID_DIGEST_LENGTH);
                        return -1;
                }
+                if (rctx->pad_mode == RSA_X931_PADDING) {
+                        if (pkey_rsa_verifyrecover(ctx, NULL, &rslen, sig,
+                            siglen) <= 0)
+                                return 0;
+                } else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING) {
+                        int ret;
-                if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING)
+                        if (!setup_tbuf(rctx, ctx))
-                        return -1;
+                                return -1;
+                        ret = RSA_public_decrypt(siglen, sig, rctx->tbuf,
-                if (!setup_tbuf(rctx, ctx))
+                            rsa, RSA_NO_PADDING);
+                        if (ret <= 0)
+                                return 0;
+                        ret = RSA_verify_PKCS1_PSS_mgf1(rsa, tbs, rctx->md,
+                            rctx->mgf1md, rctx->tbuf, rctx->saltlen);
+                        if (ret <= 0)
+                                return 0;
+                        return 1;
+                } else {
                        return -1;
-                ret = RSA_public_decrypt(siglen, sig, rctx->tbuf,
+                }
-                    rsa, RSA_NO_PADDING);
-                if (ret <= 0)
-                        return 0;
-                ret = RSA_verify_PKCS1_PSS_mgf1(rsa, tbs, rctx->md,
-                    rctx->mgf1md, rctx->tbuf, rctx->saltlen);
-                if (ret <= 0)
-                        return 0;
-                return 1;
        } else {
+                int ret;
                if (!setup_tbuf(rctx, ctx))
                        return -1;
@@ -365,34 +404,41 @@ check_padding_md(const EVP_MD *md, int padding)
        if (md == NULL)
                return 1;
-        if (padding == RSA_NO_PADDING || padding == RSA_X931_PADDING) {
+        if (padding == RSA_NO_PADDING) {
-                RSAerror(RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
+                RSAerror(RSA_R_INVALID_PADDING_MODE);
                return 0;
        }
-        /* List of all supported RSA digests. */
+        if (padding == RSA_X931_PADDING) {
-        /* RFC 8017 and NIST CSOR. */
+                if (RSA_X931_hash_id(EVP_MD_type(md)) == -1) {
-        switch(EVP_MD_type(md)) {
+                        RSAerror(RSA_R_INVALID_X931_DIGEST);
-        case NID_sha1:
+                        return 0;
-        case NID_sha224:
+                }
-        case NID_sha256:
+        } else {
-        case NID_sha384:
+                /* List of all supported RSA digests. */
-        case NID_sha512:
+                /* RFC 8017 and NIST CSOR. */
-        case NID_sha512_224:
+                switch(EVP_MD_type(md)) {
-        case NID_sha512_256:
+                case NID_sha1:
-        case NID_sha3_224:
+                case NID_sha224:
-        case NID_sha3_256:
+                case NID_sha256:
-        case NID_sha3_384:
+                case NID_sha384:
-        case NID_sha3_512:
+                case NID_sha512:
-        case NID_md5:
+                case NID_sha512_224:
-        case NID_md5_sha1:
+                case NID_sha512_256:
-        case NID_md4:
+                case NID_sha3_224:
-        case NID_ripemd160:
+                case NID_sha3_256:
-                return 1;
+                case NID_sha3_384:
+                case NID_sha3_512:
+                case NID_md5:
+                case NID_md5_sha1:
+                case NID_md4:
+                case NID_ripemd160:
+                        return 1;
-        default:
+                default:
-                RSAerror(RSA_R_INVALID_DIGEST);
+                        RSAerror(RSA_R_INVALID_DIGEST);
-                return 0;
+                        return 0;
+                }
        }
        return 1;
@@ -598,6 +644,8 @@ pkey_rsa_ctrl_str(EVP_PKEY_CTX *ctx, const char *type, const char *value)
                        pm = RSA_PKCS1_OAEP_PADDING;
                else if (!strcmp(value, "oaep"))
                        pm = RSA_PKCS1_OAEP_PADDING;
+                else if (!strcmp(value, "x931"))
+                        pm = RSA_X931_PADDING;
                else if (!strcmp(value, "pss"))
                        pm = RSA_PKCS1_PSS_PADDING;
                else {

diff --git a/src/lib/libcrypto/rsa/rsa_eay.c b/src/lib/libcrypto/rsa/rsa_eay.c index e65319bda1..6db563f2a4 100644 --- a/src/lib/libcrypto/rsa/rsa_eay.c +++ b/src/lib/libcrypto/rsa/rsa_eay.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: rsa_eay.c,v 1.59 2023/04/15 18:48:52 tb Exp $ */	1	/* $OpenBSD: rsa_eay.c,v 1.60 2023/05/05 12:21:44 tb Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -382,11 +382,14 @@ RSA_eay_private_encrypt(int flen, const unsigned char from, unsigned char to,
382	case RSA_PKCS1_PADDING:	382	case RSA_PKCS1_PADDING:
383	i = RSA_padding_add_PKCS1_type_1(buf, num, from, flen);	383	i = RSA_padding_add_PKCS1_type_1(buf, num, from, flen);
384	break;	384	break;
		385	case RSA_X931_PADDING:
		386	i = RSA_padding_add_X931(buf, num, from, flen);
		387	break;
385	case RSA_NO_PADDING:	388	case RSA_NO_PADDING:
386	i = RSA_padding_add_none(buf, num, from, flen);	389	i = RSA_padding_add_none(buf, num, from, flen);
387	break;	390	break;
388	default:	391	default:
389	RSAerror(RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);	392	RSAerror(RSA_R_UNKNOWN_PADDING_TYPE);
390	goto err;	393	goto err;
391	}	394	}
392	if (i <= 0)	395	if (i <= 0)
@@ -446,11 +449,14 @@ RSA_eay_private_encrypt(int flen, const unsigned char from, unsigned char to,
446	goto err;	449	goto err;
447		450
448	if (padding == RSA_X931_PADDING) {	451	if (padding == RSA_X931_PADDING) {
449	RSAerror(RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);	452	if (!BN_sub(f, rsa->n, ret))
450	goto err;	453	goto err;
451	}	454	if (BN_cmp(ret, f) > 0)
452		455	res = f;
453	res = ret;	456	else
		457	res = ret;
		458	} else
		459	res = ret;
454		460
455	/* put in leading 0 bytes if the number is less than the	461	/* put in leading 0 bytes if the number is less than the
456	* length of the modulus */	462	* length of the modulus */
@@ -661,10 +667,9 @@ RSA_eay_public_decrypt(int flen, const unsigned char from, unsigned char to,
661	rsa->_method_mod_n))	667	rsa->_method_mod_n))
662	goto err;	668	goto err;
663		669
664	if (padding == RSA_X931_PADDING) {	670	if (padding == RSA_X931_PADDING && (ret->d[0] & 0xf) != 12)
665	RSAerror(RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);	671	if (!BN_sub(ret, rsa->n, ret))
666	goto err;	672	goto err;
667	}
668		673
669	p = buf;	674	p = buf;
670	i = BN_bn2bin(ret, p);	675	i = BN_bn2bin(ret, p);
@@ -673,6 +678,9 @@ RSA_eay_public_decrypt(int flen, const unsigned char from, unsigned char to,
673	case RSA_PKCS1_PADDING:	678	case RSA_PKCS1_PADDING:
674	r = RSA_padding_check_PKCS1_type_1(to, num, buf, i, num);	679	r = RSA_padding_check_PKCS1_type_1(to, num, buf, i, num);
675	break;	680	break;
		681	case RSA_X931_PADDING:
		682	r = RSA_padding_check_X931(to, num, buf, i, num);
		683	break;
676	case RSA_NO_PADDING:	684	case RSA_NO_PADDING:
677	r = RSA_padding_check_none(to, num, buf, i, num);	685	r = RSA_padding_check_none(to, num, buf, i, num);
678	break;	686	break;


diff --git a/src/lib/libcrypto/rsa/rsa_local.h b/src/lib/libcrypto/rsa/rsa_local.h index b438ab4eec..4bc2cee8cd 100644 --- a/src/lib/libcrypto/rsa/rsa_local.h +++ b/src/lib/libcrypto/rsa/rsa_local.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: rsa_local.h,v 1.1 2022/11/26 16:08:54 tb Exp $ */	1	/* $OpenBSD: rsa_local.h,v 1.2 2023/05/05 12:21:44 tb Exp $ */
2		2
3	__BEGIN_HIDDEN_DECLS	3	__BEGIN_HIDDEN_DECLS
4		4
@@ -91,4 +91,10 @@ extern int int_rsa_verify(int dtype, const unsigned char *m,
91	unsigned int m_len, unsigned char rm, size_t prm_len,	91	unsigned int m_len, unsigned char rm, size_t prm_len,
92	const unsigned char sigbuf, size_t siglen, RSA rsa);	92	const unsigned char sigbuf, size_t siglen, RSA rsa);
93		93
		94	int RSA_padding_add_X931(unsigned char *to, int tlen,
		95	const unsigned char *f, int fl);
		96	int RSA_padding_check_X931(unsigned char *to, int tlen,
		97	const unsigned char *f, int fl, int rsa_len);
		98	int RSA_X931_hash_id(int nid);
		99
94	__END_HIDDEN_DECLS	100	__END_HIDDEN_DECLS


diff --git a/src/lib/libcrypto/rsa/rsa_pmeth.c b/src/lib/libcrypto/rsa/rsa_pmeth.c index 8e06365566..429524d73d 100644 --- a/src/lib/libcrypto/rsa/rsa_pmeth.c +++ b/src/lib/libcrypto/rsa/rsa_pmeth.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: rsa_pmeth.c,v 1.37 2023/04/25 15:48:48 tb Exp $ */	1	/* $OpenBSD: rsa_pmeth.c,v 1.38 2023/05/05 12:21:44 tb Exp $ */
2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL	2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3	* project 2006.	3	* project 2006.
4	*/	4	*/
@@ -187,7 +187,7 @@ static int
187	pkey_rsa_sign(EVP_PKEY_CTX ctx, unsigned char sig, size_t *siglen,	187	pkey_rsa_sign(EVP_PKEY_CTX ctx, unsigned char sig, size_t *siglen,
188	const unsigned char *tbs, size_t tbslen)	188	const unsigned char *tbs, size_t tbslen)
189	{	189	{
190	int ret = -1;	190	int ret;
191	RSA_PKEY_CTX *rctx = ctx->data;	191	RSA_PKEY_CTX *rctx = ctx->data;
192	RSA *rsa = ctx->pkey->pkey.rsa;	192	RSA *rsa = ctx->pkey->pkey.rsa;
193		193
@@ -197,11 +197,21 @@ pkey_rsa_sign(EVP_PKEY_CTX ctx, unsigned char sig, size_t *siglen,
197	return -1;	197	return -1;
198	}	198	}
199		199
200	if (rctx->pad_mode != RSA_PKCS1_PADDING &&	200	if (rctx->pad_mode == RSA_X931_PADDING) {
201	rctx->pad_mode != RSA_PKCS1_PSS_PADDING)	201	if ((size_t)EVP_PKEY_size(ctx->pkey) < tbslen + 1) {
202	return -1;	202	RSAerror(RSA_R_KEY_SIZE_TOO_SMALL);
203		203	return -1;
204	if (rctx->pad_mode == RSA_PKCS1_PADDING) {	204	}
		205	if (!setup_tbuf(rctx, ctx)) {
		206	RSAerror(ERR_R_MALLOC_FAILURE);
		207	return -1;
		208	}
		209	memcpy(rctx->tbuf, tbs, tbslen);
		210	rctx->tbuf[tbslen] =
		211	RSA_X931_hash_id(EVP_MD_type(rctx->md));
		212	ret = RSA_private_encrypt(tbslen + 1, rctx->tbuf, sig,
		213	rsa, RSA_X931_PADDING);
		214	} else if (rctx->pad_mode == RSA_PKCS1_PADDING) {
205	unsigned int sltmp;	215	unsigned int sltmp;
206		216
207	ret = RSA_sign(EVP_MD_type(rctx->md), tbs, tbslen, sig,	217	ret = RSA_sign(EVP_MD_type(rctx->md), tbs, tbslen, sig,
@@ -217,6 +227,8 @@ pkey_rsa_sign(EVP_PKEY_CTX ctx, unsigned char sig, size_t *siglen,
217	return -1;	227	return -1;
218	ret = RSA_private_encrypt(RSA_size(rsa), rctx->tbuf,	228	ret = RSA_private_encrypt(RSA_size(rsa), rctx->tbuf,
219	sig, rsa, RSA_NO_PADDING);	229	sig, rsa, RSA_NO_PADDING);
		230	} else {
		231	return -1;
220	}	232	}
221	} else {	233	} else {
222	ret = RSA_private_encrypt(tbslen, tbs, sig, ctx->pkey->pkey.rsa,	234	ret = RSA_private_encrypt(tbslen, tbs, sig, ctx->pkey->pkey.rsa,
@@ -236,16 +248,36 @@ pkey_rsa_verifyrecover(EVP_PKEY_CTX ctx, unsigned char rout, size_t *routlen,
236	RSA_PKEY_CTX *rctx = ctx->data;	248	RSA_PKEY_CTX *rctx = ctx->data;
237		249
238	if (rctx->md) {	250	if (rctx->md) {
239	size_t sltmp;	251	if (rctx->pad_mode == RSA_X931_PADDING) {
		252	if (!setup_tbuf(rctx, ctx))
		253	return -1;
		254	ret = RSA_public_decrypt(siglen, sig, rctx->tbuf,
		255	ctx->pkey->pkey.rsa, RSA_X931_PADDING);
		256	if (ret < 1)
		257	return 0;
		258	ret--;
		259	if (rctx->tbuf[ret] !=
		260	RSA_X931_hash_id(EVP_MD_type(rctx->md))) {
		261	RSAerror(RSA_R_ALGORITHM_MISMATCH);
		262	return 0;
		263	}
		264	if (ret != EVP_MD_size(rctx->md)) {
		265	RSAerror(RSA_R_INVALID_DIGEST_LENGTH);
		266	return 0;
		267	}
		268	if (rout)
		269	memcpy(rout, rctx->tbuf, ret);
		270	} else if (rctx->pad_mode == RSA_PKCS1_PADDING) {
		271	size_t sltmp;
240		272
241	if (rctx->pad_mode != RSA_PKCS1_PADDING)	273	ret = int_rsa_verify(EVP_MD_type(rctx->md), NULL, 0,
		274	rout, &sltmp, sig, siglen, ctx->pkey->pkey.rsa);
		275	if (ret <= 0)
		276	return 0;
		277	ret = sltmp;
		278	} else {
242	return -1;	279	return -1;
243		280	}
244	ret = int_rsa_verify(EVP_MD_type(rctx->md), NULL, 0,
245	rout, &sltmp, sig, siglen, ctx->pkey->pkey.rsa);
246	if (ret <= 0)
247	return 0;
248	ret = sltmp;
249	} else {	281	} else {
250	ret = RSA_public_decrypt(siglen, sig, rout, ctx->pkey->pkey.rsa,	282	ret = RSA_public_decrypt(siglen, sig, rout, ctx->pkey->pkey.rsa,
251	rctx->pad_mode);	283	rctx->pad_mode);
@@ -263,7 +295,6 @@ pkey_rsa_verify(EVP_PKEY_CTX ctx, const unsigned char sig, size_t siglen,
263	RSA_PKEY_CTX *rctx = ctx->data;	295	RSA_PKEY_CTX *rctx = ctx->data;
264	RSA *rsa = ctx->pkey->pkey.rsa;	296	RSA *rsa = ctx->pkey->pkey.rsa;
265	size_t rslen;	297	size_t rslen;
266	int ret;
267		298
268	if (rctx->md) {	299	if (rctx->md) {
269	if (rctx->pad_mode == RSA_PKCS1_PADDING)	300	if (rctx->pad_mode == RSA_PKCS1_PADDING)
@@ -273,22 +304,30 @@ pkey_rsa_verify(EVP_PKEY_CTX ctx, const unsigned char sig, size_t siglen,
273	RSAerror(RSA_R_INVALID_DIGEST_LENGTH);	304	RSAerror(RSA_R_INVALID_DIGEST_LENGTH);
274	return -1;	305	return -1;
275	}	306	}
		307	if (rctx->pad_mode == RSA_X931_PADDING) {
		308	if (pkey_rsa_verifyrecover(ctx, NULL, &rslen, sig,
		309	siglen) <= 0)
		310	return 0;
		311	} else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING) {
		312	int ret;
276		313
277	if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING)	314	if (!setup_tbuf(rctx, ctx))
278	return -1;	315	return -1;
279		316	ret = RSA_public_decrypt(siglen, sig, rctx->tbuf,
280	if (!setup_tbuf(rctx, ctx))	317	rsa, RSA_NO_PADDING);
		318	if (ret <= 0)
		319	return 0;
		320	ret = RSA_verify_PKCS1_PSS_mgf1(rsa, tbs, rctx->md,
		321	rctx->mgf1md, rctx->tbuf, rctx->saltlen);
		322	if (ret <= 0)
		323	return 0;
		324	return 1;
		325	} else {
281	return -1;	326	return -1;
282	ret = RSA_public_decrypt(siglen, sig, rctx->tbuf,	327	}
283	rsa, RSA_NO_PADDING);
284	if (ret <= 0)
285	return 0;
286	ret = RSA_verify_PKCS1_PSS_mgf1(rsa, tbs, rctx->md,
287	rctx->mgf1md, rctx->tbuf, rctx->saltlen);
288	if (ret <= 0)
289	return 0;
290	return 1;
291	} else {	328	} else {
		329	int ret;
		330
292	if (!setup_tbuf(rctx, ctx))	331	if (!setup_tbuf(rctx, ctx))
293	return -1;	332	return -1;
294		333
@@ -365,34 +404,41 @@ check_padding_md(const EVP_MD *md, int padding)
365	if (md == NULL)	404	if (md == NULL)
366	return 1;	405	return 1;
367		406
368	if (padding == RSA_NO_PADDING \|\| padding == RSA_X931_PADDING) {	407	if (padding == RSA_NO_PADDING) {
369	RSAerror(RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);	408	RSAerror(RSA_R_INVALID_PADDING_MODE);
370	return 0;	409	return 0;
371	}	410	}
372		411
373	/* List of all supported RSA digests. */	412	if (padding == RSA_X931_PADDING) {
374	/* RFC 8017 and NIST CSOR. */	413	if (RSA_X931_hash_id(EVP_MD_type(md)) == -1) {
375	switch(EVP_MD_type(md)) {	414	RSAerror(RSA_R_INVALID_X931_DIGEST);
376	case NID_sha1:	415	return 0;
377	case NID_sha224:	416	}
378	case NID_sha256:	417	} else {
379	case NID_sha384:	418	/* List of all supported RSA digests. */
380	case NID_sha512:	419	/* RFC 8017 and NIST CSOR. */
381	case NID_sha512_224:	420	switch(EVP_MD_type(md)) {
382	case NID_sha512_256:	421	case NID_sha1:
383	case NID_sha3_224:	422	case NID_sha224:
384	case NID_sha3_256:	423	case NID_sha256:
385	case NID_sha3_384:	424	case NID_sha384:
386	case NID_sha3_512:	425	case NID_sha512:
387	case NID_md5:	426	case NID_sha512_224:
388	case NID_md5_sha1:	427	case NID_sha512_256:
389	case NID_md4:	428	case NID_sha3_224:
390	case NID_ripemd160:	429	case NID_sha3_256:
391	return 1;	430	case NID_sha3_384:
		431	case NID_sha3_512:
		432	case NID_md5:
		433	case NID_md5_sha1:
		434	case NID_md4:
		435	case NID_ripemd160:
		436	return 1;
392		437
393	default:	438	default:
394	RSAerror(RSA_R_INVALID_DIGEST);	439	RSAerror(RSA_R_INVALID_DIGEST);
395	return 0;	440	return 0;
		441	}
396	}	442	}
397		443
398	return 1;	444	return 1;
@@ -598,6 +644,8 @@ pkey_rsa_ctrl_str(EVP_PKEY_CTX ctx, const char type, const char *value)
598	pm = RSA_PKCS1_OAEP_PADDING;	644	pm = RSA_PKCS1_OAEP_PADDING;
599	else if (!strcmp(value, "oaep"))	645	else if (!strcmp(value, "oaep"))
600	pm = RSA_PKCS1_OAEP_PADDING;	646	pm = RSA_PKCS1_OAEP_PADDING;
		647	else if (!strcmp(value, "x931"))
		648	pm = RSA_X931_PADDING;
601	else if (!strcmp(value, "pss"))	649	else if (!strcmp(value, "pss"))
602	pm = RSA_PKCS1_PSS_PADDING;	650	pm = RSA_PKCS1_PSS_PADDING;
603	else {	651	else {