1 /*
2 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
3 *
4 * SPDX-License-Identifier: MPL-2.0
5 *
6 * This Source Code Form is subject to the terms of the Mozilla Public
7 * License, v. 2.0. If a copy of the MPL was not distributed with this
8 * file, you can obtain one at https://mozilla.org/MPL/2.0/.
9 *
10 * See the COPYRIGHT file distributed with this work for additional
11 * information regarding copyright ownership.
12 */
13
14 #if !USE_PKCS11
15
16 #include <inttypes.h>
17 #include <stdbool.h>
18
19 #include <openssl/bn.h>
20 #include <openssl/err.h>
21 #include <openssl/objects.h>
22 #include <openssl/rsa.h>
23
24 #include <isc/mem.h>
25 #include <isc/safe.h>
26 #include <isc/string.h>
27 #include <isc/util.h>
28
29 #include <pk11/site.h>
30
31 #include <dst/result.h>
32
33 #include "dst_internal.h"
34 #include "dst_openssl.h"
35 #include "dst_parse.h"
36 #if !defined(OPENSSL_NO_ENGINE)
37 #include <openssl/engine.h>
38 #endif /* if !defined(OPENSSL_NO_ENGINE) */
39
40 /*
41 * Limit the size of public exponents.
42 */
43 #ifndef RSA_MAX_PUBEXP_BITS
44 #define RSA_MAX_PUBEXP_BITS 35
45 #endif /* ifndef RSA_MAX_PUBEXP_BITS */
46
47 /*
48 * We don't use configure for windows so enforce the OpenSSL version
49 * here. Unlike with configure we don't support overriding this test.
50 */
51 #if defined(WIN32) && (OPENSSL_VERSION_NUMBER < 0x10000000L)
52 #error Please upgrade OpenSSL to 1.0.0 or greater.
53 #endif /* if defined(WIN32) && (OPENSSL_VERSION_NUMBER < 0x10000000L) */
54
55 #define DST_RET(a) \
56 { \
57 ret = a; \
58 goto err; \
59 }
60
61 #if !HAVE_RSA_SET0_KEY
62 /* From OpenSSL 1.1.0 */
63 static int
RSA_set0_key(RSA * r,BIGNUM * n,BIGNUM * e,BIGNUM * d)64 RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d) {
65 /*
66 * If the fields n and e in r are NULL, the corresponding input
67 * parameters MUST be non-NULL for n and e. d may be
68 * left NULL (in case only the public key is used).
69 */
70 if ((r->n == NULL && n == NULL) || (r->e == NULL && e == NULL)) {
71 return (0);
72 }
73
74 if (n != NULL) {
75 BN_free(r->n);
76 r->n = n;
77 }
78 if (e != NULL) {
79 BN_free(r->e);
80 r->e = e;
81 }
82 if (d != NULL) {
83 BN_free(r->d);
84 r->d = d;
85 }
86
87 return (1);
88 }
89
90 static int
RSA_set0_factors(RSA * r,BIGNUM * p,BIGNUM * q)91 RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q) {
92 /*
93 * If the fields p and q in r are NULL, the corresponding input
94 * parameters MUST be non-NULL.
95 */
96 if ((r->p == NULL && p == NULL) || (r->q == NULL && q == NULL)) {
97 return (0);
98 }
99
100 if (p != NULL) {
101 BN_free(r->p);
102 r->p = p;
103 }
104 if (q != NULL) {
105 BN_free(r->q);
106 r->q = q;
107 }
108
109 return (1);
110 }
111
112 static int
RSA_set0_crt_params(RSA * r,BIGNUM * dmp1,BIGNUM * dmq1,BIGNUM * iqmp)113 RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp) {
114 /*
115 * If the fields dmp1, dmq1 and iqmp in r are NULL, the
116 * corresponding input parameters MUST be non-NULL.
117 */
118 if ((r->dmp1 == NULL && dmp1 == NULL) ||
119 (r->dmq1 == NULL && dmq1 == NULL) ||
120 (r->iqmp == NULL && iqmp == NULL))
121 {
122 return (0);
123 }
124
125 if (dmp1 != NULL) {
126 BN_free(r->dmp1);
127 r->dmp1 = dmp1;
128 }
129 if (dmq1 != NULL) {
130 BN_free(r->dmq1);
131 r->dmq1 = dmq1;
132 }
133 if (iqmp != NULL) {
134 BN_free(r->iqmp);
135 r->iqmp = iqmp;
136 }
137
138 return (1);
139 }
140
141 static void
RSA_get0_key(const RSA * r,const BIGNUM ** n,const BIGNUM ** e,const BIGNUM ** d)142 RSA_get0_key(const RSA *r, const BIGNUM **n, const BIGNUM **e,
143 const BIGNUM **d) {
144 if (n != NULL) {
145 *n = r->n;
146 }
147 if (e != NULL) {
148 *e = r->e;
149 }
150 if (d != NULL) {
151 *d = r->d;
152 }
153 }
154
155 static void
RSA_get0_factors(const RSA * r,const BIGNUM ** p,const BIGNUM ** q)156 RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q) {
157 if (p != NULL) {
158 *p = r->p;
159 }
160 if (q != NULL) {
161 *q = r->q;
162 }
163 }
164
165 static void
RSA_get0_crt_params(const RSA * r,const BIGNUM ** dmp1,const BIGNUM ** dmq1,const BIGNUM ** iqmp)166 RSA_get0_crt_params(const RSA *r, const BIGNUM **dmp1, const BIGNUM **dmq1,
167 const BIGNUM **iqmp) {
168 if (dmp1 != NULL) {
169 *dmp1 = r->dmp1;
170 }
171 if (dmq1 != NULL) {
172 *dmq1 = r->dmq1;
173 }
174 if (iqmp != NULL) {
175 *iqmp = r->iqmp;
176 }
177 }
178
179 static int
RSA_test_flags(const RSA * r,int flags)180 RSA_test_flags(const RSA *r, int flags) {
181 return (r->flags & flags);
182 }
183
184 #endif /* !HAVE_RSA_SET0_KEY */
185
186 static isc_result_t
opensslrsa_createctx(dst_key_t * key,dst_context_t * dctx)187 opensslrsa_createctx(dst_key_t *key, dst_context_t *dctx) {
188 EVP_MD_CTX *evp_md_ctx;
189 const EVP_MD *type = NULL;
190
191 UNUSED(key);
192 REQUIRE(dctx->key->key_alg == DST_ALG_RSASHA1 ||
193 dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
194 dctx->key->key_alg == DST_ALG_RSASHA256 ||
195 dctx->key->key_alg == DST_ALG_RSASHA512);
196
197 /*
198 * Reject incorrect RSA key lengths.
199 */
200 switch (dctx->key->key_alg) {
201 case DST_ALG_RSASHA1:
202 case DST_ALG_NSEC3RSASHA1:
203 /* From RFC 3110 */
204 if (dctx->key->key_size > 4096) {
205 return (ISC_R_FAILURE);
206 }
207 break;
208 case DST_ALG_RSASHA256:
209 /* From RFC 5702 */
210 if ((dctx->key->key_size < 512) || (dctx->key->key_size > 4096))
211 {
212 return (ISC_R_FAILURE);
213 }
214 break;
215 case DST_ALG_RSASHA512:
216 /* From RFC 5702 */
217 if ((dctx->key->key_size < 1024) ||
218 (dctx->key->key_size > 4096)) {
219 return (ISC_R_FAILURE);
220 }
221 break;
222 default:
223 INSIST(0);
224 ISC_UNREACHABLE();
225 }
226
227 evp_md_ctx = EVP_MD_CTX_create();
228 if (evp_md_ctx == NULL) {
229 return (ISC_R_NOMEMORY);
230 }
231
232 switch (dctx->key->key_alg) {
233 case DST_ALG_RSASHA1:
234 case DST_ALG_NSEC3RSASHA1:
235 type = EVP_sha1(); /* SHA1 + RSA */
236 break;
237 case DST_ALG_RSASHA256:
238 type = EVP_sha256(); /* SHA256 + RSA */
239 break;
240 case DST_ALG_RSASHA512:
241 type = EVP_sha512();
242 break;
243 default:
244 INSIST(0);
245 ISC_UNREACHABLE();
246 }
247
248 if (!EVP_DigestInit_ex(evp_md_ctx, type, NULL)) {
249 EVP_MD_CTX_destroy(evp_md_ctx);
250 return (dst__openssl_toresult3(
251 dctx->category, "EVP_DigestInit_ex", ISC_R_FAILURE));
252 }
253 dctx->ctxdata.evp_md_ctx = evp_md_ctx;
254
255 return (ISC_R_SUCCESS);
256 }
257
258 static void
opensslrsa_destroyctx(dst_context_t * dctx)259 opensslrsa_destroyctx(dst_context_t *dctx) {
260 EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
261
262 REQUIRE(dctx->key->key_alg == DST_ALG_RSASHA1 ||
263 dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
264 dctx->key->key_alg == DST_ALG_RSASHA256 ||
265 dctx->key->key_alg == DST_ALG_RSASHA512);
266
267 if (evp_md_ctx != NULL) {
268 EVP_MD_CTX_destroy(evp_md_ctx);
269 dctx->ctxdata.evp_md_ctx = NULL;
270 }
271 }
272
273 static isc_result_t
opensslrsa_adddata(dst_context_t * dctx,const isc_region_t * data)274 opensslrsa_adddata(dst_context_t *dctx, const isc_region_t *data) {
275 EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
276
277 REQUIRE(dctx->key->key_alg == DST_ALG_RSASHA1 ||
278 dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
279 dctx->key->key_alg == DST_ALG_RSASHA256 ||
280 dctx->key->key_alg == DST_ALG_RSASHA512);
281
282 if (!EVP_DigestUpdate(evp_md_ctx, data->base, data->length)) {
283 return (dst__openssl_toresult3(
284 dctx->category, "EVP_DigestUpdate", ISC_R_FAILURE));
285 }
286 return (ISC_R_SUCCESS);
287 }
288
289 static isc_result_t
opensslrsa_sign(dst_context_t * dctx,isc_buffer_t * sig)290 opensslrsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
291 dst_key_t *key = dctx->key;
292 isc_region_t r;
293 unsigned int siglen = 0;
294 EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
295 EVP_PKEY *pkey = key->keydata.pkey;
296
297 REQUIRE(dctx->key->key_alg == DST_ALG_RSASHA1 ||
298 dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
299 dctx->key->key_alg == DST_ALG_RSASHA256 ||
300 dctx->key->key_alg == DST_ALG_RSASHA512);
301
302 isc_buffer_availableregion(sig, &r);
303
304 if (r.length < (unsigned int)EVP_PKEY_size(pkey)) {
305 return (ISC_R_NOSPACE);
306 }
307
308 if (!EVP_SignFinal(evp_md_ctx, r.base, &siglen, pkey)) {
309 return (dst__openssl_toresult3(dctx->category, "EVP_SignFinal",
310 ISC_R_FAILURE));
311 }
312
313 isc_buffer_add(sig, siglen);
314
315 return (ISC_R_SUCCESS);
316 }
317
318 static isc_result_t
opensslrsa_verify2(dst_context_t * dctx,int maxbits,const isc_region_t * sig)319 opensslrsa_verify2(dst_context_t *dctx, int maxbits, const isc_region_t *sig) {
320 dst_key_t *key = dctx->key;
321 int status = 0;
322 const BIGNUM *e = NULL;
323 EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
324 EVP_PKEY *pkey = key->keydata.pkey;
325 RSA *rsa;
326 int bits;
327
328 REQUIRE(dctx->key->key_alg == DST_ALG_RSASHA1 ||
329 dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
330 dctx->key->key_alg == DST_ALG_RSASHA256 ||
331 dctx->key->key_alg == DST_ALG_RSASHA512);
332
333 rsa = EVP_PKEY_get1_RSA(pkey);
334 if (rsa == NULL) {
335 return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
336 }
337 RSA_get0_key(rsa, NULL, &e, NULL);
338 bits = BN_num_bits(e);
339 RSA_free(rsa);
340 if (bits > maxbits && maxbits != 0) {
341 return (DST_R_VERIFYFAILURE);
342 }
343
344 status = EVP_VerifyFinal(evp_md_ctx, sig->base, sig->length, pkey);
345 switch (status) {
346 case 1:
347 return (ISC_R_SUCCESS);
348 case 0:
349 return (dst__openssl_toresult(DST_R_VERIFYFAILURE));
350 default:
351 return (dst__openssl_toresult3(dctx->category,
352 "EVP_VerifyFinal",
353 DST_R_VERIFYFAILURE));
354 }
355 }
356
357 static isc_result_t
opensslrsa_verify(dst_context_t * dctx,const isc_region_t * sig)358 opensslrsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
359 return (opensslrsa_verify2(dctx, 0, sig));
360 }
361
362 static bool
opensslrsa_compare(const dst_key_t * key1,const dst_key_t * key2)363 opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
364 int status;
365 RSA *rsa1 = NULL, *rsa2 = NULL;
366 const BIGNUM *n1 = NULL, *n2 = NULL;
367 const BIGNUM *e1 = NULL, *e2 = NULL;
368 const BIGNUM *d1 = NULL, *d2 = NULL;
369 const BIGNUM *p1 = NULL, *p2 = NULL;
370 const BIGNUM *q1 = NULL, *q2 = NULL;
371 EVP_PKEY *pkey1, *pkey2;
372
373 pkey1 = key1->keydata.pkey;
374 pkey2 = key2->keydata.pkey;
375 /*
376 * The pkey reference will keep these around after
377 * the RSA_free() call.
378 */
379 if (pkey1 != NULL) {
380 rsa1 = EVP_PKEY_get1_RSA(pkey1);
381 RSA_free(rsa1);
382 }
383 if (pkey2 != NULL) {
384 rsa2 = EVP_PKEY_get1_RSA(pkey2);
385 RSA_free(rsa2);
386 }
387
388 if (rsa1 == NULL && rsa2 == NULL) {
389 return (true);
390 } else if (rsa1 == NULL || rsa2 == NULL) {
391 return (false);
392 }
393
394 RSA_get0_key(rsa1, &n1, &e1, &d1);
395 RSA_get0_key(rsa2, &n2, &e2, &d2);
396 status = BN_cmp(n1, n2) || BN_cmp(e1, e2);
397
398 if (status != 0) {
399 return (false);
400 }
401
402 if (RSA_test_flags(rsa1, RSA_FLAG_EXT_PKEY) != 0 ||
403 RSA_test_flags(rsa2, RSA_FLAG_EXT_PKEY) != 0)
404 {
405 if (RSA_test_flags(rsa1, RSA_FLAG_EXT_PKEY) == 0 ||
406 RSA_test_flags(rsa2, RSA_FLAG_EXT_PKEY) == 0)
407 {
408 return (false);
409 }
410 /*
411 * Can't compare private parameters, BTW does it make sense?
412 */
413 return (true);
414 }
415
416 if (d1 != NULL || d2 != NULL) {
417 if (d1 == NULL || d2 == NULL) {
418 return (false);
419 }
420 RSA_get0_factors(rsa1, &p1, &q1);
421 RSA_get0_factors(rsa2, &p2, &q2);
422 status = BN_cmp(d1, d2) || BN_cmp(p1, p2) || BN_cmp(q1, q2);
423
424 if (status != 0) {
425 return (false);
426 }
427 }
428 return (true);
429 }
430
431 static int
progress_cb(int p,int n,BN_GENCB * cb)432 progress_cb(int p, int n, BN_GENCB *cb) {
433 union {
434 void *dptr;
435 void (*fptr)(int);
436 } u;
437
438 UNUSED(n);
439
440 u.dptr = BN_GENCB_get_arg(cb);
441 if (u.fptr != NULL) {
442 u.fptr(p);
443 }
444 return (1);
445 }
446
447 static isc_result_t
opensslrsa_generate(dst_key_t * key,int exp,void (* callback)(int))448 opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
449 isc_result_t ret = DST_R_OPENSSLFAILURE;
450 union {
451 void *dptr;
452 void (*fptr)(int);
453 } u;
454 RSA *rsa = RSA_new();
455 BIGNUM *e = BN_new();
456 #if !HAVE_BN_GENCB_NEW
457 BN_GENCB _cb;
458 #endif /* !HAVE_BN_GENCB_NEW */
459 BN_GENCB *cb = BN_GENCB_new();
460 EVP_PKEY *pkey = EVP_PKEY_new();
461
462 /*
463 * Reject incorrect RSA key lengths.
464 */
465 switch (key->key_alg) {
466 case DST_ALG_RSASHA1:
467 case DST_ALG_NSEC3RSASHA1:
468 /* From RFC 3110 */
469 if (key->key_size > 4096) {
470 goto err;
471 }
472 break;
473 case DST_ALG_RSASHA256:
474 /* From RFC 5702 */
475 if ((key->key_size < 512) || (key->key_size > 4096)) {
476 goto err;
477 }
478 break;
479 case DST_ALG_RSASHA512:
480 /* From RFC 5702 */
481 if ((key->key_size < 1024) || (key->key_size > 4096)) {
482 goto err;
483 }
484 break;
485 default:
486 INSIST(0);
487 ISC_UNREACHABLE();
488 }
489
490 if (rsa == NULL || e == NULL || cb == NULL) {
491 goto err;
492 }
493 if (pkey == NULL) {
494 goto err;
495 }
496 if (!EVP_PKEY_set1_RSA(pkey, rsa)) {
497 goto err;
498 }
499
500 if (exp == 0) {
501 /* RSA_F4 0x10001 */
502 BN_set_bit(e, 0);
503 BN_set_bit(e, 16);
504 } else {
505 /* (phased-out) F5 0x100000001 */
506 BN_set_bit(e, 0);
507 BN_set_bit(e, 32);
508 }
509
510 if (callback == NULL) {
511 BN_GENCB_set_old(cb, NULL, NULL);
512 } else {
513 u.fptr = callback;
514 BN_GENCB_set(cb, progress_cb, u.dptr);
515 }
516
517 if (RSA_generate_key_ex(rsa, key->key_size, e, cb)) {
518 BN_free(e);
519 BN_GENCB_free(cb);
520 cb = NULL;
521 key->keydata.pkey = pkey;
522
523 RSA_free(rsa);
524 return (ISC_R_SUCCESS);
525 }
526 ret = dst__openssl_toresult2("RSA_generate_key_ex",
527 DST_R_OPENSSLFAILURE);
528
529 err:
530 if (pkey != NULL) {
531 EVP_PKEY_free(pkey);
532 pkey = NULL;
533 }
534 if (e != NULL) {
535 BN_free(e);
536 e = NULL;
537 }
538 if (rsa != NULL) {
539 RSA_free(rsa);
540 rsa = NULL;
541 }
542 if (cb != NULL) {
543 BN_GENCB_free(cb);
544 cb = NULL;
545 }
546 return (dst__openssl_toresult(ret));
547 }
548
549 static bool
opensslrsa_isprivate(const dst_key_t * key)550 opensslrsa_isprivate(const dst_key_t *key) {
551 const BIGNUM *d = NULL;
552 RSA *rsa = EVP_PKEY_get1_RSA(key->keydata.pkey);
553 INSIST(rsa != NULL);
554 RSA_free(rsa);
555 /* key->keydata.pkey still has a reference so rsa is still valid. */
556 if (rsa != NULL && RSA_test_flags(rsa, RSA_FLAG_EXT_PKEY) != 0) {
557 return (true);
558 }
559 RSA_get0_key(rsa, NULL, NULL, &d);
560 return (rsa != NULL && d != NULL);
561 }
562
563 static void
opensslrsa_destroy(dst_key_t * key)564 opensslrsa_destroy(dst_key_t *key) {
565 EVP_PKEY *pkey = key->keydata.pkey;
566 EVP_PKEY_free(pkey);
567 key->keydata.pkey = NULL;
568 }
569
570 static isc_result_t
opensslrsa_todns(const dst_key_t * key,isc_buffer_t * data)571 opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data) {
572 isc_region_t r;
573 unsigned int e_bytes;
574 unsigned int mod_bytes;
575 isc_result_t ret;
576 RSA *rsa;
577 EVP_PKEY *pkey;
578 const BIGNUM *e = NULL, *n = NULL;
579
580 REQUIRE(key->keydata.pkey != NULL);
581
582 pkey = key->keydata.pkey;
583 rsa = EVP_PKEY_get1_RSA(pkey);
584 if (rsa == NULL) {
585 return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
586 }
587
588 isc_buffer_availableregion(data, &r);
589
590 RSA_get0_key(rsa, &n, &e, NULL);
591 mod_bytes = BN_num_bytes(n);
592 e_bytes = BN_num_bytes(e);
593
594 if (e_bytes < 256) { /*%< key exponent is <= 2040 bits */
595 if (r.length < 1) {
596 DST_RET(ISC_R_NOSPACE);
597 }
598 isc_buffer_putuint8(data, (uint8_t)e_bytes);
599 isc_region_consume(&r, 1);
600 } else {
601 if (r.length < 3) {
602 DST_RET(ISC_R_NOSPACE);
603 }
604 isc_buffer_putuint8(data, 0);
605 isc_buffer_putuint16(data, (uint16_t)e_bytes);
606 isc_region_consume(&r, 3);
607 }
608
609 if (r.length < e_bytes + mod_bytes) {
610 DST_RET(ISC_R_NOSPACE);
611 }
612
613 RSA_get0_key(rsa, &n, &e, NULL);
614 BN_bn2bin(e, r.base);
615 isc_region_consume(&r, e_bytes);
616 BN_bn2bin(n, r.base);
617
618 isc_buffer_add(data, e_bytes + mod_bytes);
619
620 ret = ISC_R_SUCCESS;
621 err:
622 RSA_free(rsa);
623 return (ret);
624 }
625
626 static isc_result_t
opensslrsa_fromdns(dst_key_t * key,isc_buffer_t * data)627 opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
628 RSA *rsa;
629 isc_region_t r;
630 unsigned int e_bytes;
631 unsigned int length;
632 EVP_PKEY *pkey;
633 BIGNUM *e = NULL, *n = NULL;
634
635 isc_buffer_remainingregion(data, &r);
636 if (r.length == 0) {
637 return (ISC_R_SUCCESS);
638 }
639 length = r.length;
640
641 rsa = RSA_new();
642 if (rsa == NULL) {
643 return (dst__openssl_toresult(ISC_R_NOMEMORY));
644 }
645
646 if (r.length < 1) {
647 RSA_free(rsa);
648 return (DST_R_INVALIDPUBLICKEY);
649 }
650 e_bytes = *r.base;
651 isc_region_consume(&r, 1);
652
653 if (e_bytes == 0) {
654 if (r.length < 2) {
655 RSA_free(rsa);
656 return (DST_R_INVALIDPUBLICKEY);
657 }
658 e_bytes = (*r.base) << 8;
659 isc_region_consume(&r, 1);
660 e_bytes += *r.base;
661 isc_region_consume(&r, 1);
662 }
663
664 if (r.length < e_bytes) {
665 RSA_free(rsa);
666 return (DST_R_INVALIDPUBLICKEY);
667 }
668 e = BN_bin2bn(r.base, e_bytes, NULL);
669 isc_region_consume(&r, e_bytes);
670 n = BN_bin2bn(r.base, r.length, NULL);
671 if (RSA_set0_key(rsa, n, e, NULL) == 0) {
672 if (n != NULL) {
673 BN_free(n);
674 }
675 if (e != NULL) {
676 BN_free(e);
677 }
678 RSA_free(rsa);
679 return (ISC_R_NOMEMORY);
680 }
681 key->key_size = BN_num_bits(n);
682
683 isc_buffer_forward(data, length);
684
685 pkey = EVP_PKEY_new();
686 if (pkey == NULL) {
687 RSA_free(rsa);
688 return (ISC_R_NOMEMORY);
689 }
690 if (!EVP_PKEY_set1_RSA(pkey, rsa)) {
691 EVP_PKEY_free(pkey);
692 RSA_free(rsa);
693 return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
694 }
695 key->keydata.pkey = pkey;
696 RSA_free(rsa);
697
698 return (ISC_R_SUCCESS);
699 }
700
701 static isc_result_t
opensslrsa_tofile(const dst_key_t * key,const char * directory)702 opensslrsa_tofile(const dst_key_t *key, const char *directory) {
703 int i;
704 RSA *rsa;
705 dst_private_t priv;
706 unsigned char *bufs[8];
707 isc_result_t result;
708 const BIGNUM *n = NULL, *e = NULL, *d = NULL;
709 const BIGNUM *p = NULL, *q = NULL;
710 const BIGNUM *dmp1 = NULL, *dmq1 = NULL, *iqmp = NULL;
711
712 if (key->external) {
713 priv.nelements = 0;
714 return (dst__privstruct_writefile(key, &priv, directory));
715 }
716
717 if (key->keydata.pkey == NULL) {
718 return (DST_R_NULLKEY);
719 }
720 rsa = EVP_PKEY_get1_RSA(key->keydata.pkey);
721 if (rsa == NULL) {
722 return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
723 }
724 memset(bufs, 0, sizeof(bufs));
725
726 RSA_get0_key(rsa, &n, &e, &d);
727 RSA_get0_factors(rsa, &p, &q);
728 RSA_get0_crt_params(rsa, &dmp1, &dmq1, &iqmp);
729
730 for (i = 0; i < 8; i++) {
731 bufs[i] = isc_mem_get(key->mctx, BN_num_bytes(n));
732 }
733
734 i = 0;
735
736 priv.elements[i].tag = TAG_RSA_MODULUS;
737 priv.elements[i].length = BN_num_bytes(n);
738 BN_bn2bin(n, bufs[i]);
739 priv.elements[i].data = bufs[i];
740 i++;
741
742 priv.elements[i].tag = TAG_RSA_PUBLICEXPONENT;
743 priv.elements[i].length = BN_num_bytes(e);
744 BN_bn2bin(e, bufs[i]);
745 priv.elements[i].data = bufs[i];
746 i++;
747
748 if (d != NULL) {
749 priv.elements[i].tag = TAG_RSA_PRIVATEEXPONENT;
750 priv.elements[i].length = BN_num_bytes(d);
751 BN_bn2bin(d, bufs[i]);
752 priv.elements[i].data = bufs[i];
753 i++;
754 }
755
756 if (p != NULL) {
757 priv.elements[i].tag = TAG_RSA_PRIME1;
758 priv.elements[i].length = BN_num_bytes(p);
759 BN_bn2bin(p, bufs[i]);
760 priv.elements[i].data = bufs[i];
761 i++;
762 }
763
764 if (q != NULL) {
765 priv.elements[i].tag = TAG_RSA_PRIME2;
766 priv.elements[i].length = BN_num_bytes(q);
767 BN_bn2bin(q, bufs[i]);
768 priv.elements[i].data = bufs[i];
769 i++;
770 }
771
772 if (dmp1 != NULL) {
773 priv.elements[i].tag = TAG_RSA_EXPONENT1;
774 priv.elements[i].length = BN_num_bytes(dmp1);
775 BN_bn2bin(dmp1, bufs[i]);
776 priv.elements[i].data = bufs[i];
777 i++;
778 }
779
780 if (dmq1 != NULL) {
781 priv.elements[i].tag = TAG_RSA_EXPONENT2;
782 priv.elements[i].length = BN_num_bytes(dmq1);
783 BN_bn2bin(dmq1, bufs[i]);
784 priv.elements[i].data = bufs[i];
785 i++;
786 }
787
788 if (iqmp != NULL) {
789 priv.elements[i].tag = TAG_RSA_COEFFICIENT;
790 priv.elements[i].length = BN_num_bytes(iqmp);
791 BN_bn2bin(iqmp, bufs[i]);
792 priv.elements[i].data = bufs[i];
793 i++;
794 }
795
796 if (key->engine != NULL) {
797 priv.elements[i].tag = TAG_RSA_ENGINE;
798 priv.elements[i].length = (unsigned short)strlen(key->engine) +
799 1;
800 priv.elements[i].data = (unsigned char *)key->engine;
801 i++;
802 }
803
804 if (key->label != NULL) {
805 priv.elements[i].tag = TAG_RSA_LABEL;
806 priv.elements[i].length = (unsigned short)strlen(key->label) +
807 1;
808 priv.elements[i].data = (unsigned char *)key->label;
809 i++;
810 }
811
812 priv.nelements = i;
813 result = dst__privstruct_writefile(key, &priv, directory);
814
815 RSA_free(rsa);
816 for (i = 0; i < 8; i++) {
817 if (bufs[i] == NULL) {
818 break;
819 }
820 isc_mem_put(key->mctx, bufs[i], BN_num_bytes(n));
821 }
822 return (result);
823 }
824
825 static isc_result_t
rsa_check(RSA * rsa,RSA * pub)826 rsa_check(RSA *rsa, RSA *pub) {
827 const BIGNUM *n1 = NULL, *n2 = NULL;
828 const BIGNUM *e1 = NULL, *e2 = NULL;
829 BIGNUM *n = NULL, *e = NULL;
830
831 /*
832 * Public parameters should be the same but if they are not set
833 * copy them from the public key.
834 */
835 RSA_get0_key(rsa, &n1, &e1, NULL);
836 if (pub != NULL) {
837 RSA_get0_key(pub, &n2, &e2, NULL);
838 if (n1 != NULL) {
839 if (BN_cmp(n1, n2) != 0) {
840 return (DST_R_INVALIDPRIVATEKEY);
841 }
842 } else {
843 n = BN_dup(n2);
844 }
845 if (e1 != NULL) {
846 if (BN_cmp(e1, e2) != 0) {
847 return (DST_R_INVALIDPRIVATEKEY);
848 }
849 } else {
850 e = BN_dup(e2);
851 }
852 if (RSA_set0_key(rsa, n, e, NULL) == 0) {
853 if (n != NULL) {
854 BN_free(n);
855 }
856 if (e != NULL) {
857 BN_free(e);
858 }
859 }
860 }
861 RSA_get0_key(rsa, &n1, &e1, NULL);
862 if (n1 == NULL || e1 == NULL) {
863 return (DST_R_INVALIDPRIVATEKEY);
864 }
865 return (ISC_R_SUCCESS);
866 }
867
868 static isc_result_t
opensslrsa_parse(dst_key_t * key,isc_lex_t * lexer,dst_key_t * pub)869 opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
870 dst_private_t priv;
871 isc_result_t ret;
872 int i;
873 RSA *rsa = NULL, *pubrsa = NULL;
874 #if !defined(OPENSSL_NO_ENGINE)
875 ENGINE *ep = NULL;
876 const BIGNUM *ex = NULL;
877 #endif /* if !defined(OPENSSL_NO_ENGINE) */
878 isc_mem_t *mctx = key->mctx;
879 const char *engine = NULL, *label = NULL;
880 EVP_PKEY *pkey = NULL;
881 BIGNUM *n = NULL, *e = NULL, *d = NULL;
882 BIGNUM *p = NULL, *q = NULL;
883 BIGNUM *dmp1 = NULL, *dmq1 = NULL, *iqmp = NULL;
884
885 /* read private key file */
886 ret = dst__privstruct_parse(key, DST_ALG_RSA, lexer, mctx, &priv);
887 if (ret != ISC_R_SUCCESS) {
888 goto err;
889 }
890
891 if (key->external) {
892 if (priv.nelements != 0) {
893 DST_RET(DST_R_INVALIDPRIVATEKEY);
894 }
895 if (pub == NULL) {
896 DST_RET(DST_R_INVALIDPRIVATEKEY);
897 }
898 key->keydata.pkey = pub->keydata.pkey;
899 pub->keydata.pkey = NULL;
900 key->key_size = pub->key_size;
901 dst__privstruct_free(&priv, mctx);
902 isc_safe_memwipe(&priv, sizeof(priv));
903 return (ISC_R_SUCCESS);
904 }
905
906 if (pub != NULL && pub->keydata.pkey != NULL) {
907 pubrsa = EVP_PKEY_get1_RSA(pub->keydata.pkey);
908 }
909
910 for (i = 0; i < priv.nelements; i++) {
911 switch (priv.elements[i].tag) {
912 case TAG_RSA_ENGINE:
913 engine = (char *)priv.elements[i].data;
914 break;
915 case TAG_RSA_LABEL:
916 label = (char *)priv.elements[i].data;
917 break;
918 default:
919 break;
920 }
921 }
922
923 /*
924 * Is this key is stored in a HSM?
925 * See if we can fetch it.
926 */
927 if (label != NULL) {
928 #if !defined(OPENSSL_NO_ENGINE)
929 if (engine == NULL) {
930 DST_RET(DST_R_NOENGINE);
931 }
932 ep = dst__openssl_getengine(engine);
933 if (ep == NULL) {
934 DST_RET(DST_R_NOENGINE);
935 }
936 pkey = ENGINE_load_private_key(ep, label, NULL, NULL);
937 if (pkey == NULL) {
938 DST_RET(dst__openssl_toresult2("ENGINE_load_private_"
939 "key",
940 ISC_R_NOTFOUND));
941 }
942 key->engine = isc_mem_strdup(key->mctx, engine);
943 key->label = isc_mem_strdup(key->mctx, label);
944 rsa = EVP_PKEY_get1_RSA(pkey);
945 if (rsa == NULL) {
946 DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
947 }
948 if (rsa_check(rsa, pubrsa) != ISC_R_SUCCESS) {
949 DST_RET(DST_R_INVALIDPRIVATEKEY);
950 }
951 RSA_get0_key(rsa, NULL, &ex, NULL);
952 if (BN_num_bits(ex) > RSA_MAX_PUBEXP_BITS) {
953 DST_RET(ISC_R_RANGE);
954 }
955 if (pubrsa != NULL) {
956 RSA_free(pubrsa);
957 }
958 key->key_size = EVP_PKEY_bits(pkey);
959 key->keydata.pkey = pkey;
960 RSA_free(rsa);
961 dst__privstruct_free(&priv, mctx);
962 isc_safe_memwipe(&priv, sizeof(priv));
963 return (ISC_R_SUCCESS);
964 #else /* if !defined(OPENSSL_NO_ENGINE) */
965 DST_RET(DST_R_NOENGINE);
966 #endif /* if !defined(OPENSSL_NO_ENGINE) */
967 }
968
969 rsa = RSA_new();
970 if (rsa == NULL) {
971 DST_RET(ISC_R_NOMEMORY);
972 }
973
974 pkey = EVP_PKEY_new();
975 if (pkey == NULL) {
976 DST_RET(ISC_R_NOMEMORY);
977 }
978 if (!EVP_PKEY_set1_RSA(pkey, rsa)) {
979 DST_RET(ISC_R_FAILURE);
980 }
981 key->keydata.pkey = pkey;
982
983 for (i = 0; i < priv.nelements; i++) {
984 BIGNUM *bn;
985 switch (priv.elements[i].tag) {
986 case TAG_RSA_ENGINE:
987 continue;
988 case TAG_RSA_LABEL:
989 continue;
990 default:
991 bn = BN_bin2bn(priv.elements[i].data,
992 priv.elements[i].length, NULL);
993 if (bn == NULL) {
994 DST_RET(ISC_R_NOMEMORY);
995 }
996 switch (priv.elements[i].tag) {
997 case TAG_RSA_MODULUS:
998 n = bn;
999 break;
1000 case TAG_RSA_PUBLICEXPONENT:
1001 e = bn;
1002 break;
1003 case TAG_RSA_PRIVATEEXPONENT:
1004 d = bn;
1005 break;
1006 case TAG_RSA_PRIME1:
1007 p = bn;
1008 break;
1009 case TAG_RSA_PRIME2:
1010 q = bn;
1011 break;
1012 case TAG_RSA_EXPONENT1:
1013 dmp1 = bn;
1014 break;
1015 case TAG_RSA_EXPONENT2:
1016 dmq1 = bn;
1017 break;
1018 case TAG_RSA_COEFFICIENT:
1019 iqmp = bn;
1020 break;
1021 }
1022 }
1023 }
1024 dst__privstruct_free(&priv, mctx);
1025 isc_safe_memwipe(&priv, sizeof(priv));
1026
1027 if (RSA_set0_key(rsa, n, e, d) == 0) {
1028 if (n != NULL) {
1029 BN_free(n);
1030 }
1031 if (e != NULL) {
1032 BN_free(e);
1033 }
1034 if (d != NULL) {
1035 BN_free(d);
1036 }
1037 }
1038 if (RSA_set0_factors(rsa, p, q) == 0) {
1039 if (p != NULL) {
1040 BN_free(p);
1041 }
1042 if (q != NULL) {
1043 BN_free(q);
1044 }
1045 }
1046 if (RSA_set0_crt_params(rsa, dmp1, dmq1, iqmp) == 0) {
1047 if (dmp1 != NULL) {
1048 BN_free(dmp1);
1049 }
1050 if (dmq1 != NULL) {
1051 BN_free(dmq1);
1052 }
1053 if (iqmp != NULL) {
1054 BN_free(iqmp);
1055 }
1056 }
1057
1058 if (rsa_check(rsa, pubrsa) != ISC_R_SUCCESS) {
1059 DST_RET(DST_R_INVALIDPRIVATEKEY);
1060 }
1061 if (BN_num_bits(e) > RSA_MAX_PUBEXP_BITS) {
1062 DST_RET(ISC_R_RANGE);
1063 }
1064 key->key_size = BN_num_bits(n);
1065 if (pubrsa != NULL) {
1066 RSA_free(pubrsa);
1067 }
1068 RSA_free(rsa);
1069
1070 return (ISC_R_SUCCESS);
1071
1072 err:
1073 if (pkey != NULL) {
1074 EVP_PKEY_free(pkey);
1075 }
1076 if (rsa != NULL) {
1077 RSA_free(rsa);
1078 }
1079 if (pubrsa != NULL) {
1080 RSA_free(pubrsa);
1081 }
1082 key->keydata.generic = NULL;
1083 dst__privstruct_free(&priv, mctx);
1084 isc_safe_memwipe(&priv, sizeof(priv));
1085 return (ret);
1086 }
1087
1088 static isc_result_t
opensslrsa_fromlabel(dst_key_t * key,const char * engine,const char * label,const char * pin)1089 opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
1090 const char *pin) {
1091 #if !defined(OPENSSL_NO_ENGINE)
1092 ENGINE *e = NULL;
1093 isc_result_t ret;
1094 EVP_PKEY *pkey = NULL;
1095 RSA *rsa = NULL, *pubrsa = NULL;
1096 const BIGNUM *ex = NULL;
1097
1098 UNUSED(pin);
1099
1100 if (engine == NULL) {
1101 DST_RET(DST_R_NOENGINE);
1102 }
1103 e = dst__openssl_getengine(engine);
1104 if (e == NULL) {
1105 DST_RET(DST_R_NOENGINE);
1106 }
1107 pkey = ENGINE_load_public_key(e, label, NULL, NULL);
1108 if (pkey != NULL) {
1109 pubrsa = EVP_PKEY_get1_RSA(pkey);
1110 EVP_PKEY_free(pkey);
1111 if (pubrsa == NULL) {
1112 DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
1113 }
1114 }
1115 pkey = ENGINE_load_private_key(e, label, NULL, NULL);
1116 if (pkey == NULL) {
1117 DST_RET(dst__openssl_toresult2("ENGINE_load_private_key",
1118 ISC_R_NOTFOUND));
1119 }
1120 key->engine = isc_mem_strdup(key->mctx, engine);
1121 key->label = isc_mem_strdup(key->mctx, label);
1122 rsa = EVP_PKEY_get1_RSA(pkey);
1123 if (rsa == NULL) {
1124 DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
1125 }
1126 if (rsa_check(rsa, pubrsa) != ISC_R_SUCCESS) {
1127 DST_RET(DST_R_INVALIDPRIVATEKEY);
1128 }
1129 RSA_get0_key(rsa, NULL, &ex, NULL);
1130 if (BN_num_bits(ex) > RSA_MAX_PUBEXP_BITS) {
1131 DST_RET(ISC_R_RANGE);
1132 }
1133 if (pubrsa != NULL) {
1134 RSA_free(pubrsa);
1135 }
1136 key->key_size = EVP_PKEY_bits(pkey);
1137 key->keydata.pkey = pkey;
1138 RSA_free(rsa);
1139 return (ISC_R_SUCCESS);
1140
1141 err:
1142 if (rsa != NULL) {
1143 RSA_free(rsa);
1144 }
1145 if (pubrsa != NULL) {
1146 RSA_free(pubrsa);
1147 }
1148 if (pkey != NULL) {
1149 EVP_PKEY_free(pkey);
1150 }
1151 return (ret);
1152 #else /* if !defined(OPENSSL_NO_ENGINE) */
1153 UNUSED(key);
1154 UNUSED(engine);
1155 UNUSED(label);
1156 UNUSED(pin);
1157 return (DST_R_NOENGINE);
1158 #endif /* if !defined(OPENSSL_NO_ENGINE) */
1159 }
1160
1161 static dst_func_t opensslrsa_functions = {
1162 opensslrsa_createctx,
1163 NULL, /*%< createctx2 */
1164 opensslrsa_destroyctx,
1165 opensslrsa_adddata,
1166 opensslrsa_sign,
1167 opensslrsa_verify,
1168 opensslrsa_verify2,
1169 NULL, /*%< computesecret */
1170 opensslrsa_compare,
1171 NULL, /*%< paramcompare */
1172 opensslrsa_generate,
1173 opensslrsa_isprivate,
1174 opensslrsa_destroy,
1175 opensslrsa_todns,
1176 opensslrsa_fromdns,
1177 opensslrsa_tofile,
1178 opensslrsa_parse,
1179 NULL, /*%< cleanup */
1180 opensslrsa_fromlabel,
1181 NULL, /*%< dump */
1182 NULL, /*%< restore */
1183 };
1184
1185 isc_result_t
dst__opensslrsa_init(dst_func_t ** funcp,unsigned char algorithm)1186 dst__opensslrsa_init(dst_func_t **funcp, unsigned char algorithm) {
1187 REQUIRE(funcp != NULL);
1188
1189 UNUSED(algorithm);
1190
1191 if (*funcp == NULL) {
1192 *funcp = &opensslrsa_functions;
1193 }
1194 return (ISC_R_SUCCESS);
1195 }
1196
1197 #endif /* !USE_PKCS11 */
1198
1199 /*! \file */
1200