1 /*
2 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
3 *
4 * This Source Code Form is subject to the terms of the Mozilla Public
5 * License, v. 2.0. If a copy of the MPL was not distributed with this
6 * file, you can obtain one at https://mozilla.org/MPL/2.0/.
7 *
8 * See the COPYRIGHT file distributed with this work for additional
9 * information regarding copyright ownership.
10 */
11
12 /*! \file */
13
14 #include <inttypes.h>
15 #include <stdbool.h>
16
17 #include <openssl/bn.h>
18 #include <openssl/err.h>
19 #include <openssl/objects.h>
20 #include <openssl/rsa.h>
21
22 #include <isc/mem.h>
23 #include <isc/result.h>
24 #include <isc/safe.h>
25 #include <isc/string.h>
26 #include <isc/util.h>
27
28 #include "dst_internal.h"
29 #include "dst_openssl.h"
30 #include "dst_parse.h"
31 #if !defined(OPENSSL_NO_ENGINE)
32 #include <openssl/engine.h>
33 #endif /* if !defined(OPENSSL_NO_ENGINE) */
34
35 /*
36 * Limit the size of public exponents.
37 */
38 #ifndef RSA_MAX_PUBEXP_BITS
39 #define RSA_MAX_PUBEXP_BITS 35
40 #endif /* ifndef RSA_MAX_PUBEXP_BITS */
41
42 #define DST_RET(a) \
43 { \
44 ret = a; \
45 goto err; \
46 }
47
48 #if !HAVE_RSA_SET0_KEY
49 /* From OpenSSL 1.1.0 */
50 static int
RSA_set0_key(RSA * r,BIGNUM * n,BIGNUM * e,BIGNUM * d)51 RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d) {
52 /*
53 * If the fields n and e in r are NULL, the corresponding input
54 * parameters MUST be non-NULL for n and e. d may be
55 * left NULL (in case only the public key is used).
56 */
57 if ((r->n == NULL && n == NULL) || (r->e == NULL && e == NULL)) {
58 return (0);
59 }
60
61 if (n != NULL) {
62 BN_free(r->n);
63 r->n = n;
64 }
65 if (e != NULL) {
66 BN_free(r->e);
67 r->e = e;
68 }
69 if (d != NULL) {
70 BN_free(r->d);
71 r->d = d;
72 }
73
74 return (1);
75 }
76
77 static int
RSA_set0_factors(RSA * r,BIGNUM * p,BIGNUM * q)78 RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q) {
79 /*
80 * If the fields p and q in r are NULL, the corresponding input
81 * parameters MUST be non-NULL.
82 */
83 if ((r->p == NULL && p == NULL) || (r->q == NULL && q == NULL)) {
84 return (0);
85 }
86
87 if (p != NULL) {
88 BN_free(r->p);
89 r->p = p;
90 }
91 if (q != NULL) {
92 BN_free(r->q);
93 r->q = q;
94 }
95
96 return (1);
97 }
98
99 static int
RSA_set0_crt_params(RSA * r,BIGNUM * dmp1,BIGNUM * dmq1,BIGNUM * iqmp)100 RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp) {
101 /*
102 * If the fields dmp1, dmq1 and iqmp in r are NULL, the
103 * corresponding input parameters MUST be non-NULL.
104 */
105 if ((r->dmp1 == NULL && dmp1 == NULL) ||
106 (r->dmq1 == NULL && dmq1 == NULL) ||
107 (r->iqmp == NULL && iqmp == NULL))
108 {
109 return (0);
110 }
111
112 if (dmp1 != NULL) {
113 BN_free(r->dmp1);
114 r->dmp1 = dmp1;
115 }
116 if (dmq1 != NULL) {
117 BN_free(r->dmq1);
118 r->dmq1 = dmq1;
119 }
120 if (iqmp != NULL) {
121 BN_free(r->iqmp);
122 r->iqmp = iqmp;
123 }
124
125 return (1);
126 }
127
128 static void
RSA_get0_key(const RSA * r,const BIGNUM ** n,const BIGNUM ** e,const BIGNUM ** d)129 RSA_get0_key(const RSA *r, const BIGNUM **n, const BIGNUM **e,
130 const BIGNUM **d) {
131 if (n != NULL) {
132 *n = r->n;
133 }
134 if (e != NULL) {
135 *e = r->e;
136 }
137 if (d != NULL) {
138 *d = r->d;
139 }
140 }
141
142 static void
RSA_get0_factors(const RSA * r,const BIGNUM ** p,const BIGNUM ** q)143 RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q) {
144 if (p != NULL) {
145 *p = r->p;
146 }
147 if (q != NULL) {
148 *q = r->q;
149 }
150 }
151
152 static void
RSA_get0_crt_params(const RSA * r,const BIGNUM ** dmp1,const BIGNUM ** dmq1,const BIGNUM ** iqmp)153 RSA_get0_crt_params(const RSA *r, const BIGNUM **dmp1, const BIGNUM **dmq1,
154 const BIGNUM **iqmp) {
155 if (dmp1 != NULL) {
156 *dmp1 = r->dmp1;
157 }
158 if (dmq1 != NULL) {
159 *dmq1 = r->dmq1;
160 }
161 if (iqmp != NULL) {
162 *iqmp = r->iqmp;
163 }
164 }
165
166 static int
RSA_test_flags(const RSA * r,int flags)167 RSA_test_flags(const RSA *r, int flags) {
168 return (r->flags & flags);
169 }
170
171 #endif /* !HAVE_RSA_SET0_KEY */
172
173 static isc_result_t
opensslrsa_createctx(dst_key_t * key,dst_context_t * dctx)174 opensslrsa_createctx(dst_key_t *key, dst_context_t *dctx) {
175 EVP_MD_CTX *evp_md_ctx;
176 const EVP_MD *type = NULL;
177
178 UNUSED(key);
179 REQUIRE(dctx->key->key_alg == DST_ALG_RSASHA1 ||
180 dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
181 dctx->key->key_alg == DST_ALG_RSASHA256 ||
182 dctx->key->key_alg == DST_ALG_RSASHA512);
183
184 /*
185 * Reject incorrect RSA key lengths.
186 */
187 switch (dctx->key->key_alg) {
188 case DST_ALG_RSASHA1:
189 case DST_ALG_NSEC3RSASHA1:
190 /* From RFC 3110 */
191 if (dctx->key->key_size > 4096) {
192 return (ISC_R_FAILURE);
193 }
194 break;
195 case DST_ALG_RSASHA256:
196 /* From RFC 5702 */
197 if ((dctx->key->key_size < 512) || (dctx->key->key_size > 4096))
198 {
199 return (ISC_R_FAILURE);
200 }
201 break;
202 case DST_ALG_RSASHA512:
203 /* From RFC 5702 */
204 if ((dctx->key->key_size < 1024) ||
205 (dctx->key->key_size > 4096)) {
206 return (ISC_R_FAILURE);
207 }
208 break;
209 default:
210 INSIST(0);
211 ISC_UNREACHABLE();
212 }
213
214 evp_md_ctx = EVP_MD_CTX_create();
215 if (evp_md_ctx == NULL) {
216 return (ISC_R_NOMEMORY);
217 }
218
219 switch (dctx->key->key_alg) {
220 case DST_ALG_RSASHA1:
221 case DST_ALG_NSEC3RSASHA1:
222 type = EVP_sha1(); /* SHA1 + RSA */
223 break;
224 case DST_ALG_RSASHA256:
225 type = EVP_sha256(); /* SHA256 + RSA */
226 break;
227 case DST_ALG_RSASHA512:
228 type = EVP_sha512();
229 break;
230 default:
231 INSIST(0);
232 ISC_UNREACHABLE();
233 }
234
235 if (!EVP_DigestInit_ex(evp_md_ctx, type, NULL)) {
236 EVP_MD_CTX_destroy(evp_md_ctx);
237 return (dst__openssl_toresult3(
238 dctx->category, "EVP_DigestInit_ex", ISC_R_FAILURE));
239 }
240 dctx->ctxdata.evp_md_ctx = evp_md_ctx;
241
242 return (ISC_R_SUCCESS);
243 }
244
245 static void
opensslrsa_destroyctx(dst_context_t * dctx)246 opensslrsa_destroyctx(dst_context_t *dctx) {
247 EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
248
249 REQUIRE(dctx->key->key_alg == DST_ALG_RSASHA1 ||
250 dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
251 dctx->key->key_alg == DST_ALG_RSASHA256 ||
252 dctx->key->key_alg == DST_ALG_RSASHA512);
253
254 if (evp_md_ctx != NULL) {
255 EVP_MD_CTX_destroy(evp_md_ctx);
256 dctx->ctxdata.evp_md_ctx = NULL;
257 }
258 }
259
260 static isc_result_t
opensslrsa_adddata(dst_context_t * dctx,const isc_region_t * data)261 opensslrsa_adddata(dst_context_t *dctx, const isc_region_t *data) {
262 EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
263
264 REQUIRE(dctx->key->key_alg == DST_ALG_RSASHA1 ||
265 dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
266 dctx->key->key_alg == DST_ALG_RSASHA256 ||
267 dctx->key->key_alg == DST_ALG_RSASHA512);
268
269 if (!EVP_DigestUpdate(evp_md_ctx, data->base, data->length)) {
270 return (dst__openssl_toresult3(
271 dctx->category, "EVP_DigestUpdate", ISC_R_FAILURE));
272 }
273 return (ISC_R_SUCCESS);
274 }
275
276 static isc_result_t
opensslrsa_sign(dst_context_t * dctx,isc_buffer_t * sig)277 opensslrsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
278 dst_key_t *key = dctx->key;
279 isc_region_t r;
280 unsigned int siglen = 0;
281 EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
282 EVP_PKEY *pkey = key->keydata.pkey;
283
284 REQUIRE(dctx->key->key_alg == DST_ALG_RSASHA1 ||
285 dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
286 dctx->key->key_alg == DST_ALG_RSASHA256 ||
287 dctx->key->key_alg == DST_ALG_RSASHA512);
288
289 isc_buffer_availableregion(sig, &r);
290
291 if (r.length < (unsigned int)EVP_PKEY_size(pkey)) {
292 return (ISC_R_NOSPACE);
293 }
294
295 if (!EVP_SignFinal(evp_md_ctx, r.base, &siglen, pkey)) {
296 return (dst__openssl_toresult3(dctx->category, "EVP_SignFinal",
297 ISC_R_FAILURE));
298 }
299
300 isc_buffer_add(sig, siglen);
301
302 return (ISC_R_SUCCESS);
303 }
304
305 static isc_result_t
opensslrsa_verify2(dst_context_t * dctx,int maxbits,const isc_region_t * sig)306 opensslrsa_verify2(dst_context_t *dctx, int maxbits, const isc_region_t *sig) {
307 dst_key_t *key = dctx->key;
308 int status = 0;
309 const BIGNUM *e = NULL;
310 EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
311 EVP_PKEY *pkey = key->keydata.pkey;
312 RSA *rsa;
313 int bits;
314
315 REQUIRE(dctx->key->key_alg == DST_ALG_RSASHA1 ||
316 dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
317 dctx->key->key_alg == DST_ALG_RSASHA256 ||
318 dctx->key->key_alg == DST_ALG_RSASHA512);
319
320 rsa = EVP_PKEY_get1_RSA(pkey);
321 if (rsa == NULL) {
322 return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
323 }
324 RSA_get0_key(rsa, NULL, &e, NULL);
325 bits = BN_num_bits(e);
326 RSA_free(rsa);
327 if (bits > maxbits && maxbits != 0) {
328 return (DST_R_VERIFYFAILURE);
329 }
330
331 status = EVP_VerifyFinal(evp_md_ctx, sig->base, sig->length, pkey);
332 switch (status) {
333 case 1:
334 return (ISC_R_SUCCESS);
335 case 0:
336 return (dst__openssl_toresult(DST_R_VERIFYFAILURE));
337 default:
338 return (dst__openssl_toresult3(dctx->category,
339 "EVP_VerifyFinal",
340 DST_R_VERIFYFAILURE));
341 }
342 }
343
344 static isc_result_t
opensslrsa_verify(dst_context_t * dctx,const isc_region_t * sig)345 opensslrsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
346 return (opensslrsa_verify2(dctx, 0, sig));
347 }
348
349 static bool
opensslrsa_compare(const dst_key_t * key1,const dst_key_t * key2)350 opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
351 int status;
352 RSA *rsa1 = NULL, *rsa2 = NULL;
353 const BIGNUM *n1 = NULL, *n2 = NULL;
354 const BIGNUM *e1 = NULL, *e2 = NULL;
355 const BIGNUM *d1 = NULL, *d2 = NULL;
356 const BIGNUM *p1 = NULL, *p2 = NULL;
357 const BIGNUM *q1 = NULL, *q2 = NULL;
358 EVP_PKEY *pkey1, *pkey2;
359
360 pkey1 = key1->keydata.pkey;
361 pkey2 = key2->keydata.pkey;
362 /*
363 * The pkey reference will keep these around after
364 * the RSA_free() call.
365 */
366 if (pkey1 != NULL) {
367 rsa1 = EVP_PKEY_get1_RSA(pkey1);
368 RSA_free(rsa1);
369 }
370 if (pkey2 != NULL) {
371 rsa2 = EVP_PKEY_get1_RSA(pkey2);
372 RSA_free(rsa2);
373 }
374
375 if (rsa1 == NULL && rsa2 == NULL) {
376 return (true);
377 } else if (rsa1 == NULL || rsa2 == NULL) {
378 return (false);
379 }
380
381 RSA_get0_key(rsa1, &n1, &e1, &d1);
382 RSA_get0_key(rsa2, &n2, &e2, &d2);
383 status = BN_cmp(n1, n2) || BN_cmp(e1, e2);
384
385 if (status != 0) {
386 return (false);
387 }
388
389 if (RSA_test_flags(rsa1, RSA_FLAG_EXT_PKEY) != 0 ||
390 RSA_test_flags(rsa2, RSA_FLAG_EXT_PKEY) != 0)
391 {
392 if (RSA_test_flags(rsa1, RSA_FLAG_EXT_PKEY) == 0 ||
393 RSA_test_flags(rsa2, RSA_FLAG_EXT_PKEY) == 0)
394 {
395 return (false);
396 }
397 /*
398 * Can't compare private parameters, BTW does it make sense?
399 */
400 return (true);
401 }
402
403 if (d1 != NULL || d2 != NULL) {
404 if (d1 == NULL || d2 == NULL) {
405 return (false);
406 }
407 RSA_get0_factors(rsa1, &p1, &q1);
408 RSA_get0_factors(rsa2, &p2, &q2);
409 status = BN_cmp(d1, d2) || BN_cmp(p1, p1) || BN_cmp(q1, q2);
410
411 if (status != 0) {
412 return (false);
413 }
414 }
415 return (true);
416 }
417
418 static int
progress_cb(int p,int n,BN_GENCB * cb)419 progress_cb(int p, int n, BN_GENCB *cb) {
420 union {
421 void *dptr;
422 void (*fptr)(int);
423 } u;
424
425 UNUSED(n);
426
427 u.dptr = BN_GENCB_get_arg(cb);
428 if (u.fptr != NULL) {
429 u.fptr(p);
430 }
431 return (1);
432 }
433
434 static isc_result_t
opensslrsa_generate(dst_key_t * key,int exp,void (* callback)(int))435 opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
436 isc_result_t ret = DST_R_OPENSSLFAILURE;
437 union {
438 void *dptr;
439 void (*fptr)(int);
440 } u;
441 RSA *rsa = RSA_new();
442 BIGNUM *e = BN_new();
443 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
444 BN_GENCB _cb;
445 #endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L || \
446 * defined(LIBRESSL_VERSION_NUMBER) */
447 BN_GENCB *cb = BN_GENCB_new();
448 EVP_PKEY *pkey = EVP_PKEY_new();
449
450 /*
451 * Reject incorrect RSA key lengths.
452 */
453 switch (key->key_alg) {
454 case DST_ALG_RSASHA1:
455 case DST_ALG_NSEC3RSASHA1:
456 /* From RFC 3110 */
457 if (key->key_size > 4096) {
458 goto err;
459 }
460 break;
461 case DST_ALG_RSASHA256:
462 /* From RFC 5702 */
463 if ((key->key_size < 512) || (key->key_size > 4096)) {
464 goto err;
465 }
466 break;
467 case DST_ALG_RSASHA512:
468 /* From RFC 5702 */
469 if ((key->key_size < 1024) || (key->key_size > 4096)) {
470 goto err;
471 }
472 break;
473 default:
474 INSIST(0);
475 ISC_UNREACHABLE();
476 }
477
478 if (rsa == NULL || e == NULL || cb == NULL) {
479 goto err;
480 }
481 if (pkey == NULL) {
482 goto err;
483 }
484 if (!EVP_PKEY_set1_RSA(pkey, rsa)) {
485 goto err;
486 }
487
488 if (exp == 0) {
489 /* RSA_F4 0x10001 */
490 BN_set_bit(e, 0);
491 BN_set_bit(e, 16);
492 } else {
493 /* (phased-out) F5 0x100000001 */
494 BN_set_bit(e, 0);
495 BN_set_bit(e, 32);
496 }
497
498 if (callback == NULL) {
499 BN_GENCB_set_old(cb, NULL, NULL);
500 } else {
501 u.fptr = callback;
502 BN_GENCB_set(cb, progress_cb, u.dptr);
503 }
504
505 if (RSA_generate_key_ex(rsa, key->key_size, e, cb)) {
506 BN_free(e);
507 BN_GENCB_free(cb);
508 cb = NULL;
509 key->keydata.pkey = pkey;
510
511 RSA_free(rsa);
512 return (ISC_R_SUCCESS);
513 }
514 ret = dst__openssl_toresult2("RSA_generate_key_ex",
515 DST_R_OPENSSLFAILURE);
516
517 err:
518 if (pkey != NULL) {
519 EVP_PKEY_free(pkey);
520 pkey = NULL;
521 }
522 if (e != NULL) {
523 BN_free(e);
524 e = NULL;
525 }
526 if (rsa != NULL) {
527 RSA_free(rsa);
528 rsa = NULL;
529 }
530 if (cb != NULL) {
531 BN_GENCB_free(cb);
532 cb = NULL;
533 }
534 return (dst__openssl_toresult(ret));
535 }
536
537 static bool
opensslrsa_isprivate(const dst_key_t * key)538 opensslrsa_isprivate(const dst_key_t *key) {
539 const BIGNUM *d = NULL;
540 RSA *rsa = EVP_PKEY_get1_RSA(key->keydata.pkey);
541 INSIST(rsa != NULL);
542 RSA_free(rsa);
543 /* key->keydata.pkey still has a reference so rsa is still valid. */
544 if (rsa != NULL && RSA_test_flags(rsa, RSA_FLAG_EXT_PKEY) != 0) {
545 return (true);
546 }
547 RSA_get0_key(rsa, NULL, NULL, &d);
548 return (rsa != NULL && d != NULL);
549 }
550
551 static void
opensslrsa_destroy(dst_key_t * key)552 opensslrsa_destroy(dst_key_t *key) {
553 EVP_PKEY *pkey = key->keydata.pkey;
554 EVP_PKEY_free(pkey);
555 key->keydata.pkey = NULL;
556 }
557
558 static isc_result_t
opensslrsa_todns(const dst_key_t * key,isc_buffer_t * data)559 opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data) {
560 isc_region_t r;
561 unsigned int e_bytes;
562 unsigned int mod_bytes;
563 isc_result_t ret;
564 RSA *rsa;
565 EVP_PKEY *pkey;
566 const BIGNUM *e = NULL, *n = NULL;
567
568 REQUIRE(key->keydata.pkey != NULL);
569
570 pkey = key->keydata.pkey;
571 rsa = EVP_PKEY_get1_RSA(pkey);
572 if (rsa == NULL) {
573 return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
574 }
575
576 isc_buffer_availableregion(data, &r);
577
578 RSA_get0_key(rsa, &n, &e, NULL);
579 mod_bytes = BN_num_bytes(n);
580 e_bytes = BN_num_bytes(e);
581
582 if (e_bytes < 256) { /*%< key exponent is <= 2040 bits */
583 if (r.length < 1) {
584 DST_RET(ISC_R_NOSPACE);
585 }
586 isc_buffer_putuint8(data, (uint8_t)e_bytes);
587 isc_region_consume(&r, 1);
588 } else {
589 if (r.length < 3) {
590 DST_RET(ISC_R_NOSPACE);
591 }
592 isc_buffer_putuint8(data, 0);
593 isc_buffer_putuint16(data, (uint16_t)e_bytes);
594 isc_region_consume(&r, 3);
595 }
596
597 if (r.length < e_bytes + mod_bytes) {
598 DST_RET(ISC_R_NOSPACE);
599 }
600
601 RSA_get0_key(rsa, &n, &e, NULL);
602 BN_bn2bin(e, r.base);
603 isc_region_consume(&r, e_bytes);
604 BN_bn2bin(n, r.base);
605
606 isc_buffer_add(data, e_bytes + mod_bytes);
607
608 ret = ISC_R_SUCCESS;
609 err:
610 RSA_free(rsa);
611 return (ret);
612 }
613
614 static isc_result_t
opensslrsa_fromdns(dst_key_t * key,isc_buffer_t * data)615 opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
616 RSA *rsa;
617 isc_region_t r;
618 unsigned int e_bytes;
619 unsigned int length;
620 EVP_PKEY *pkey;
621 BIGNUM *e = NULL, *n = NULL;
622
623 isc_buffer_remainingregion(data, &r);
624 if (r.length == 0) {
625 return (ISC_R_SUCCESS);
626 }
627 length = r.length;
628
629 rsa = RSA_new();
630 if (rsa == NULL) {
631 return (dst__openssl_toresult(ISC_R_NOMEMORY));
632 }
633
634 if (r.length < 1) {
635 RSA_free(rsa);
636 return (DST_R_INVALIDPUBLICKEY);
637 }
638 e_bytes = *r.base;
639 isc_region_consume(&r, 1);
640
641 if (e_bytes == 0) {
642 if (r.length < 2) {
643 RSA_free(rsa);
644 return (DST_R_INVALIDPUBLICKEY);
645 }
646 e_bytes = (*r.base) << 8;
647 isc_region_consume(&r, 1);
648 e_bytes += *r.base;
649 isc_region_consume(&r, 1);
650 }
651
652 if (r.length < e_bytes) {
653 RSA_free(rsa);
654 return (DST_R_INVALIDPUBLICKEY);
655 }
656 e = BN_bin2bn(r.base, e_bytes, NULL);
657 isc_region_consume(&r, e_bytes);
658 n = BN_bin2bn(r.base, r.length, NULL);
659 if (RSA_set0_key(rsa, n, e, NULL) == 0) {
660 if (n != NULL) {
661 BN_free(n);
662 }
663 if (e != NULL) {
664 BN_free(e);
665 }
666 RSA_free(rsa);
667 return (ISC_R_NOMEMORY);
668 }
669 key->key_size = BN_num_bits(n);
670
671 isc_buffer_forward(data, length);
672
673 pkey = EVP_PKEY_new();
674 if (pkey == NULL) {
675 RSA_free(rsa);
676 return (ISC_R_NOMEMORY);
677 }
678 if (!EVP_PKEY_set1_RSA(pkey, rsa)) {
679 EVP_PKEY_free(pkey);
680 RSA_free(rsa);
681 return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
682 }
683 key->keydata.pkey = pkey;
684 RSA_free(rsa);
685
686 return (ISC_R_SUCCESS);
687 }
688
689 static isc_result_t
opensslrsa_tofile(const dst_key_t * key,const char * directory)690 opensslrsa_tofile(const dst_key_t *key, const char *directory) {
691 int i;
692 RSA *rsa;
693 dst_private_t priv;
694 unsigned char *bufs[8];
695 isc_result_t result;
696 const BIGNUM *n = NULL, *e = NULL, *d = NULL;
697 const BIGNUM *p = NULL, *q = NULL;
698 const BIGNUM *dmp1 = NULL, *dmq1 = NULL, *iqmp = NULL;
699
700 if (key->external) {
701 priv.nelements = 0;
702 return (dst__privstruct_writefile(key, &priv, directory));
703 }
704
705 if (key->keydata.pkey == NULL) {
706 return (DST_R_NULLKEY);
707 }
708 rsa = EVP_PKEY_get1_RSA(key->keydata.pkey);
709 if (rsa == NULL) {
710 return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
711 }
712 memset(bufs, 0, sizeof(bufs));
713
714 RSA_get0_key(rsa, &n, &e, &d);
715 RSA_get0_factors(rsa, &p, &q);
716 RSA_get0_crt_params(rsa, &dmp1, &dmq1, &iqmp);
717
718 for (i = 0; i < 8; i++) {
719 bufs[i] = isc_mem_get(key->mctx, BN_num_bytes(n));
720 }
721
722 i = 0;
723
724 priv.elements[i].tag = TAG_RSA_MODULUS;
725 priv.elements[i].length = BN_num_bytes(n);
726 BN_bn2bin(n, bufs[i]);
727 priv.elements[i].data = bufs[i];
728 i++;
729
730 priv.elements[i].tag = TAG_RSA_PUBLICEXPONENT;
731 priv.elements[i].length = BN_num_bytes(e);
732 BN_bn2bin(e, bufs[i]);
733 priv.elements[i].data = bufs[i];
734 i++;
735
736 if (d != NULL) {
737 priv.elements[i].tag = TAG_RSA_PRIVATEEXPONENT;
738 priv.elements[i].length = BN_num_bytes(d);
739 BN_bn2bin(d, bufs[i]);
740 priv.elements[i].data = bufs[i];
741 i++;
742 }
743
744 if (p != NULL) {
745 priv.elements[i].tag = TAG_RSA_PRIME1;
746 priv.elements[i].length = BN_num_bytes(p);
747 BN_bn2bin(p, bufs[i]);
748 priv.elements[i].data = bufs[i];
749 i++;
750 }
751
752 if (q != NULL) {
753 priv.elements[i].tag = TAG_RSA_PRIME2;
754 priv.elements[i].length = BN_num_bytes(q);
755 BN_bn2bin(q, bufs[i]);
756 priv.elements[i].data = bufs[i];
757 i++;
758 }
759
760 if (dmp1 != NULL) {
761 priv.elements[i].tag = TAG_RSA_EXPONENT1;
762 priv.elements[i].length = BN_num_bytes(dmp1);
763 BN_bn2bin(dmp1, bufs[i]);
764 priv.elements[i].data = bufs[i];
765 i++;
766 }
767
768 if (dmq1 != NULL) {
769 priv.elements[i].tag = TAG_RSA_EXPONENT2;
770 priv.elements[i].length = BN_num_bytes(dmq1);
771 BN_bn2bin(dmq1, bufs[i]);
772 priv.elements[i].data = bufs[i];
773 i++;
774 }
775
776 if (iqmp != NULL) {
777 priv.elements[i].tag = TAG_RSA_COEFFICIENT;
778 priv.elements[i].length = BN_num_bytes(iqmp);
779 BN_bn2bin(iqmp, bufs[i]);
780 priv.elements[i].data = bufs[i];
781 i++;
782 }
783
784 if (key->engine != NULL) {
785 priv.elements[i].tag = TAG_RSA_ENGINE;
786 priv.elements[i].length = (unsigned short)strlen(key->engine) +
787 1;
788 priv.elements[i].data = (unsigned char *)key->engine;
789 i++;
790 }
791
792 if (key->label != NULL) {
793 priv.elements[i].tag = TAG_RSA_LABEL;
794 priv.elements[i].length = (unsigned short)strlen(key->label) +
795 1;
796 priv.elements[i].data = (unsigned char *)key->label;
797 i++;
798 }
799
800 priv.nelements = i;
801 result = dst__privstruct_writefile(key, &priv, directory);
802
803 RSA_free(rsa);
804 for (i = 0; i < 8; i++) {
805 if (bufs[i] == NULL) {
806 break;
807 }
808 isc_mem_put(key->mctx, bufs[i], BN_num_bytes(n));
809 }
810 return (result);
811 }
812
813 static isc_result_t
rsa_check(RSA * rsa,RSA * pub)814 rsa_check(RSA *rsa, RSA *pub) {
815 const BIGNUM *n1 = NULL, *n2 = NULL;
816 const BIGNUM *e1 = NULL, *e2 = NULL;
817 BIGNUM *n = NULL, *e = NULL;
818
819 /*
820 * Public parameters should be the same but if they are not set
821 * copy them from the public key.
822 */
823 RSA_get0_key(rsa, &n1, &e1, NULL);
824 if (pub != NULL) {
825 RSA_get0_key(pub, &n2, &e2, NULL);
826 if (n1 != NULL) {
827 if (BN_cmp(n1, n2) != 0) {
828 return (DST_R_INVALIDPRIVATEKEY);
829 }
830 } else {
831 n = BN_dup(n2);
832 }
833 if (e1 != NULL) {
834 if (BN_cmp(e1, e2) != 0) {
835 return (DST_R_INVALIDPRIVATEKEY);
836 }
837 } else {
838 e = BN_dup(e2);
839 }
840 if (RSA_set0_key(rsa, n, e, NULL) == 0) {
841 if (n != NULL) {
842 BN_free(n);
843 }
844 if (e != NULL) {
845 BN_free(e);
846 }
847 }
848 }
849 RSA_get0_key(rsa, &n1, &e1, NULL);
850 if (n1 == NULL || e1 == NULL) {
851 return (DST_R_INVALIDPRIVATEKEY);
852 }
853 return (ISC_R_SUCCESS);
854 }
855
856 static isc_result_t
opensslrsa_parse(dst_key_t * key,isc_lex_t * lexer,dst_key_t * pub)857 opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
858 dst_private_t priv;
859 isc_result_t ret;
860 int i;
861 RSA *rsa = NULL, *pubrsa = NULL;
862 #if !defined(OPENSSL_NO_ENGINE)
863 ENGINE *ep = NULL;
864 const BIGNUM *ex = NULL;
865 #endif /* if !defined(OPENSSL_NO_ENGINE) */
866 isc_mem_t *mctx = key->mctx;
867 const char *engine = NULL, *label = NULL;
868 EVP_PKEY *pkey = NULL;
869 BIGNUM *n = NULL, *e = NULL, *d = NULL;
870 BIGNUM *p = NULL, *q = NULL;
871 BIGNUM *dmp1 = NULL, *dmq1 = NULL, *iqmp = NULL;
872
873 /* read private key file */
874 ret = dst__privstruct_parse(key, DST_ALG_RSA, lexer, mctx, &priv);
875 if (ret != ISC_R_SUCCESS) {
876 goto err;
877 }
878
879 if (key->external) {
880 if (priv.nelements != 0) {
881 DST_RET(DST_R_INVALIDPRIVATEKEY);
882 }
883 if (pub == NULL) {
884 DST_RET(DST_R_INVALIDPRIVATEKEY);
885 }
886 key->keydata.pkey = pub->keydata.pkey;
887 pub->keydata.pkey = NULL;
888 key->key_size = pub->key_size;
889 dst__privstruct_free(&priv, mctx);
890 isc_safe_memwipe(&priv, sizeof(priv));
891 return (ISC_R_SUCCESS);
892 }
893
894 if (pub != NULL && pub->keydata.pkey != NULL) {
895 pubrsa = EVP_PKEY_get1_RSA(pub->keydata.pkey);
896 }
897
898 for (i = 0; i < priv.nelements; i++) {
899 switch (priv.elements[i].tag) {
900 case TAG_RSA_ENGINE:
901 engine = (char *)priv.elements[i].data;
902 break;
903 case TAG_RSA_LABEL:
904 label = (char *)priv.elements[i].data;
905 break;
906 default:
907 break;
908 }
909 }
910
911 /*
912 * Is this key is stored in a HSM?
913 * See if we can fetch it.
914 */
915 if (label != NULL) {
916 #if !defined(OPENSSL_NO_ENGINE)
917 if (engine == NULL) {
918 DST_RET(DST_R_NOENGINE);
919 }
920 ep = dst__openssl_getengine(engine);
921 if (ep == NULL) {
922 DST_RET(DST_R_NOENGINE);
923 }
924 pkey = ENGINE_load_private_key(ep, label, NULL, NULL);
925 if (pkey == NULL) {
926 DST_RET(dst__openssl_toresult2("ENGINE_load_private_"
927 "key",
928 ISC_R_NOTFOUND));
929 }
930 key->engine = isc_mem_strdup(key->mctx, engine);
931 key->label = isc_mem_strdup(key->mctx, label);
932 rsa = EVP_PKEY_get1_RSA(pkey);
933 if (rsa == NULL) {
934 DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
935 }
936 if (rsa_check(rsa, pubrsa) != ISC_R_SUCCESS) {
937 DST_RET(DST_R_INVALIDPRIVATEKEY);
938 }
939 RSA_get0_key(rsa, NULL, &ex, NULL);
940 if (BN_num_bits(ex) > RSA_MAX_PUBEXP_BITS) {
941 DST_RET(ISC_R_RANGE);
942 }
943 if (pubrsa != NULL) {
944 RSA_free(pubrsa);
945 }
946 key->key_size = EVP_PKEY_bits(pkey);
947 key->keydata.pkey = pkey;
948 RSA_free(rsa);
949 dst__privstruct_free(&priv, mctx);
950 isc_safe_memwipe(&priv, sizeof(priv));
951 return (ISC_R_SUCCESS);
952 #else /* if !defined(OPENSSL_NO_ENGINE) */
953 DST_RET(DST_R_NOENGINE);
954 #endif /* if !defined(OPENSSL_NO_ENGINE) */
955 }
956
957 rsa = RSA_new();
958 if (rsa == NULL) {
959 DST_RET(ISC_R_NOMEMORY);
960 }
961
962 pkey = EVP_PKEY_new();
963 if (pkey == NULL) {
964 DST_RET(ISC_R_NOMEMORY);
965 }
966 if (!EVP_PKEY_set1_RSA(pkey, rsa)) {
967 DST_RET(ISC_R_FAILURE);
968 }
969 key->keydata.pkey = pkey;
970
971 for (i = 0; i < priv.nelements; i++) {
972 BIGNUM *bn;
973 switch (priv.elements[i].tag) {
974 case TAG_RSA_ENGINE:
975 continue;
976 case TAG_RSA_LABEL:
977 continue;
978 default:
979 bn = BN_bin2bn(priv.elements[i].data,
980 priv.elements[i].length, NULL);
981 if (bn == NULL) {
982 DST_RET(ISC_R_NOMEMORY);
983 }
984 switch (priv.elements[i].tag) {
985 case TAG_RSA_MODULUS:
986 n = bn;
987 break;
988 case TAG_RSA_PUBLICEXPONENT:
989 e = bn;
990 break;
991 case TAG_RSA_PRIVATEEXPONENT:
992 d = bn;
993 break;
994 case TAG_RSA_PRIME1:
995 p = bn;
996 break;
997 case TAG_RSA_PRIME2:
998 q = bn;
999 break;
1000 case TAG_RSA_EXPONENT1:
1001 dmp1 = bn;
1002 break;
1003 case TAG_RSA_EXPONENT2:
1004 dmq1 = bn;
1005 break;
1006 case TAG_RSA_COEFFICIENT:
1007 iqmp = bn;
1008 break;
1009 }
1010 }
1011 }
1012 dst__privstruct_free(&priv, mctx);
1013 isc_safe_memwipe(&priv, sizeof(priv));
1014
1015 if (RSA_set0_key(rsa, n, e, d) == 0) {
1016 if (n != NULL) {
1017 BN_free(n);
1018 }
1019 if (e != NULL) {
1020 BN_free(e);
1021 }
1022 if (d != NULL) {
1023 BN_free(d);
1024 }
1025 }
1026 if (RSA_set0_factors(rsa, p, q) == 0) {
1027 if (p != NULL) {
1028 BN_free(p);
1029 }
1030 if (q != NULL) {
1031 BN_free(q);
1032 }
1033 }
1034 if (RSA_set0_crt_params(rsa, dmp1, dmq1, iqmp) == 0) {
1035 if (dmp1 != NULL) {
1036 BN_free(dmp1);
1037 }
1038 if (dmq1 != NULL) {
1039 BN_free(dmq1);
1040 }
1041 if (iqmp != NULL) {
1042 BN_free(iqmp);
1043 }
1044 }
1045
1046 if (rsa_check(rsa, pubrsa) != ISC_R_SUCCESS) {
1047 DST_RET(DST_R_INVALIDPRIVATEKEY);
1048 }
1049 if (BN_num_bits(e) > RSA_MAX_PUBEXP_BITS) {
1050 DST_RET(ISC_R_RANGE);
1051 }
1052 key->key_size = BN_num_bits(n);
1053 if (pubrsa != NULL) {
1054 RSA_free(pubrsa);
1055 }
1056 RSA_free(rsa);
1057
1058 return (ISC_R_SUCCESS);
1059
1060 err:
1061 if (pkey != NULL) {
1062 EVP_PKEY_free(pkey);
1063 }
1064 if (rsa != NULL) {
1065 RSA_free(rsa);
1066 }
1067 if (pubrsa != NULL) {
1068 RSA_free(pubrsa);
1069 }
1070 key->keydata.generic = NULL;
1071 dst__privstruct_free(&priv, mctx);
1072 isc_safe_memwipe(&priv, sizeof(priv));
1073 return (ret);
1074 }
1075
1076 static isc_result_t
opensslrsa_fromlabel(dst_key_t * key,const char * engine,const char * label,const char * pin)1077 opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
1078 const char *pin) {
1079 #if !defined(OPENSSL_NO_ENGINE)
1080 ENGINE *e = NULL;
1081 isc_result_t ret;
1082 EVP_PKEY *pkey = NULL;
1083 RSA *rsa = NULL, *pubrsa = NULL;
1084 const BIGNUM *ex = NULL;
1085
1086 UNUSED(pin);
1087
1088 if (engine == NULL) {
1089 DST_RET(DST_R_NOENGINE);
1090 }
1091 e = dst__openssl_getengine(engine);
1092 if (e == NULL) {
1093 DST_RET(DST_R_NOENGINE);
1094 }
1095 pkey = ENGINE_load_public_key(e, label, NULL, NULL);
1096 if (pkey != NULL) {
1097 pubrsa = EVP_PKEY_get1_RSA(pkey);
1098 EVP_PKEY_free(pkey);
1099 if (pubrsa == NULL) {
1100 DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
1101 }
1102 }
1103 pkey = ENGINE_load_private_key(e, label, NULL, NULL);
1104 if (pkey == NULL) {
1105 DST_RET(dst__openssl_toresult2("ENGINE_load_private_key",
1106 ISC_R_NOTFOUND));
1107 }
1108 key->engine = isc_mem_strdup(key->mctx, engine);
1109 key->label = isc_mem_strdup(key->mctx, label);
1110 rsa = EVP_PKEY_get1_RSA(pkey);
1111 if (rsa == NULL) {
1112 DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
1113 }
1114 if (rsa_check(rsa, pubrsa) != ISC_R_SUCCESS) {
1115 DST_RET(DST_R_INVALIDPRIVATEKEY);
1116 }
1117 RSA_get0_key(rsa, NULL, &ex, NULL);
1118 if (BN_num_bits(ex) > RSA_MAX_PUBEXP_BITS) {
1119 DST_RET(ISC_R_RANGE);
1120 }
1121 if (pubrsa != NULL) {
1122 RSA_free(pubrsa);
1123 }
1124 key->key_size = EVP_PKEY_bits(pkey);
1125 key->keydata.pkey = pkey;
1126 RSA_free(rsa);
1127 return (ISC_R_SUCCESS);
1128
1129 err:
1130 if (rsa != NULL) {
1131 RSA_free(rsa);
1132 }
1133 if (pubrsa != NULL) {
1134 RSA_free(pubrsa);
1135 }
1136 if (pkey != NULL) {
1137 EVP_PKEY_free(pkey);
1138 }
1139 return (ret);
1140 #else /* if !defined(OPENSSL_NO_ENGINE) */
1141 UNUSED(key);
1142 UNUSED(engine);
1143 UNUSED(label);
1144 UNUSED(pin);
1145 return (DST_R_NOENGINE);
1146 #endif /* if !defined(OPENSSL_NO_ENGINE) */
1147 }
1148
1149 static dst_func_t opensslrsa_functions = {
1150 opensslrsa_createctx,
1151 NULL, /*%< createctx2 */
1152 opensslrsa_destroyctx,
1153 opensslrsa_adddata,
1154 opensslrsa_sign,
1155 opensslrsa_verify,
1156 opensslrsa_verify2,
1157 NULL, /*%< computesecret */
1158 opensslrsa_compare,
1159 NULL, /*%< paramcompare */
1160 opensslrsa_generate,
1161 opensslrsa_isprivate,
1162 opensslrsa_destroy,
1163 opensslrsa_todns,
1164 opensslrsa_fromdns,
1165 opensslrsa_tofile,
1166 opensslrsa_parse,
1167 NULL, /*%< cleanup */
1168 opensslrsa_fromlabel,
1169 NULL, /*%< dump */
1170 NULL, /*%< restore */
1171 };
1172
1173 isc_result_t
dst__opensslrsa_init(dst_func_t ** funcp,unsigned char algorithm)1174 dst__opensslrsa_init(dst_func_t **funcp, unsigned char algorithm) {
1175 REQUIRE(funcp != NULL);
1176
1177 UNUSED(algorithm);
1178
1179 if (*funcp == NULL) {
1180 *funcp = &opensslrsa_functions;
1181 }
1182 return (ISC_R_SUCCESS);
1183 }
1184