• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
2  * project 2000.
3  */
4 /* ====================================================================
5  * Copyright (c) 2000-2005 The OpenSSL Project.  All rights reserved.
6  *
7  * Redistribution and use in source and binary forms, with or without
8  * modification, are permitted provided that the following conditions
9  * are met:
10  *
11  * 1. Redistributions of source code must retain the above copyright
12  *    notice, this list of conditions and the following disclaimer.
13  *
14  * 2. Redistributions in binary form must reproduce the above copyright
15  *    notice, this list of conditions and the following disclaimer in
16  *    the documentation and/or other materials provided with the
17  *    distribution.
18  *
19  * 3. All advertising materials mentioning features or use of this
20  *    software must display the following acknowledgment:
21  *    "This product includes software developed by the OpenSSL Project
22  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
23  *
24  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
25  *    endorse or promote products derived from this software without
26  *    prior written permission. For written permission, please contact
27  *    licensing@OpenSSL.org.
28  *
29  * 5. Products derived from this software may not be called "OpenSSL"
30  *    nor may "OpenSSL" appear in their names without prior written
31  *    permission of the OpenSSL Project.
32  *
33  * 6. Redistributions of any form whatsoever must retain the following
34  *    acknowledgment:
35  *    "This product includes software developed by the OpenSSL Project
36  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
37  *
38  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
39  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
40  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
41  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
42  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
43  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
44  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
45  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
46  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
47  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
48  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
49  * OF THE POSSIBILITY OF SUCH DAMAGE.
50  * ====================================================================
51  *
52  * This product includes cryptographic software written by Eric Young
53  * (eay@cryptsoft.com).  This product includes software written by Tim
54  * Hudson (tjh@cryptsoft.com). */
55 
56 #include <openssl/rsa.h>
57 
58 #include <assert.h>
59 #include <limits.h>
60 #include <string.h>
61 
62 #include <openssl/bn.h>
63 #include <openssl/bytestring.h>
64 #include <openssl/err.h>
65 #include <openssl/mem.h>
66 
67 #include "../fipsmodule/rsa/internal.h"
68 #include "../bytestring/internal.h"
69 #include "../internal.h"
70 
71 
parse_integer_buggy(CBS * cbs,BIGNUM ** out,int buggy)72 static int parse_integer_buggy(CBS *cbs, BIGNUM **out, int buggy) {
73   assert(*out == NULL);
74   *out = BN_new();
75   if (*out == NULL) {
76     return 0;
77   }
78   if (buggy) {
79     return BN_parse_asn1_unsigned_buggy(cbs, *out);
80   }
81   return BN_parse_asn1_unsigned(cbs, *out);
82 }
83 
parse_integer(CBS * cbs,BIGNUM ** out)84 static int parse_integer(CBS *cbs, BIGNUM **out) {
85   return parse_integer_buggy(cbs, out, 0 /* not buggy */);
86 }
87 
marshal_integer(CBB * cbb,BIGNUM * bn)88 static int marshal_integer(CBB *cbb, BIGNUM *bn) {
89   if (bn == NULL) {
90     /* An RSA object may be missing some components. */
91     OPENSSL_PUT_ERROR(RSA, RSA_R_VALUE_MISSING);
92     return 0;
93   }
94   return BN_marshal_asn1(cbb, bn);
95 }
96 
parse_public_key(CBS * cbs,int buggy)97 static RSA *parse_public_key(CBS *cbs, int buggy) {
98   RSA *ret = RSA_new();
99   if (ret == NULL) {
100     return NULL;
101   }
102   CBS child;
103   if (!CBS_get_asn1(cbs, &child, CBS_ASN1_SEQUENCE) ||
104       !parse_integer_buggy(&child, &ret->n, buggy) ||
105       !parse_integer(&child, &ret->e) ||
106       CBS_len(&child) != 0) {
107     OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING);
108     RSA_free(ret);
109     return NULL;
110   }
111 
112   if (!BN_is_odd(ret->e) ||
113       BN_num_bits(ret->e) < 2) {
114     OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_RSA_PARAMETERS);
115     RSA_free(ret);
116     return NULL;
117   }
118 
119   return ret;
120 }
121 
RSA_parse_public_key(CBS * cbs)122 RSA *RSA_parse_public_key(CBS *cbs) {
123   return parse_public_key(cbs, 0 /* not buggy */);
124 }
125 
RSA_parse_public_key_buggy(CBS * cbs)126 RSA *RSA_parse_public_key_buggy(CBS *cbs) {
127   /* Estonian IDs issued between September 2014 to September 2015 are
128    * broken. See https://crbug.com/532048 and https://crbug.com/534766.
129    *
130    * TODO(davidben): Remove this code and callers in March 2016. */
131   return parse_public_key(cbs, 1 /* buggy */);
132 }
133 
RSA_public_key_from_bytes(const uint8_t * in,size_t in_len)134 RSA *RSA_public_key_from_bytes(const uint8_t *in, size_t in_len) {
135   CBS cbs;
136   CBS_init(&cbs, in, in_len);
137   RSA *ret = RSA_parse_public_key(&cbs);
138   if (ret == NULL || CBS_len(&cbs) != 0) {
139     OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING);
140     RSA_free(ret);
141     return NULL;
142   }
143   return ret;
144 }
145 
RSA_marshal_public_key(CBB * cbb,const RSA * rsa)146 int RSA_marshal_public_key(CBB *cbb, const RSA *rsa) {
147   CBB child;
148   if (!CBB_add_asn1(cbb, &child, CBS_ASN1_SEQUENCE) ||
149       !marshal_integer(&child, rsa->n) ||
150       !marshal_integer(&child, rsa->e) ||
151       !CBB_flush(cbb)) {
152     OPENSSL_PUT_ERROR(RSA, RSA_R_ENCODE_ERROR);
153     return 0;
154   }
155   return 1;
156 }
157 
RSA_public_key_to_bytes(uint8_t ** out_bytes,size_t * out_len,const RSA * rsa)158 int RSA_public_key_to_bytes(uint8_t **out_bytes, size_t *out_len,
159                             const RSA *rsa) {
160   CBB cbb;
161   CBB_zero(&cbb);
162   if (!CBB_init(&cbb, 0) ||
163       !RSA_marshal_public_key(&cbb, rsa) ||
164       !CBB_finish(&cbb, out_bytes, out_len)) {
165     OPENSSL_PUT_ERROR(RSA, RSA_R_ENCODE_ERROR);
166     CBB_cleanup(&cbb);
167     return 0;
168   }
169   return 1;
170 }
171 
172 /* kVersionTwoPrime is the value of the version field for a two-prime
173  * RSAPrivateKey structure (RFC 3447). */
174 static const uint64_t kVersionTwoPrime = 0;
175 
RSA_parse_private_key(CBS * cbs)176 RSA *RSA_parse_private_key(CBS *cbs) {
177   RSA *ret = RSA_new();
178   if (ret == NULL) {
179     return NULL;
180   }
181 
182   CBS child;
183   uint64_t version;
184   if (!CBS_get_asn1(cbs, &child, CBS_ASN1_SEQUENCE) ||
185       !CBS_get_asn1_uint64(&child, &version)) {
186     OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING);
187     goto err;
188   }
189 
190   if (version != kVersionTwoPrime) {
191     OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_VERSION);
192     goto err;
193   }
194 
195   if (!parse_integer(&child, &ret->n) ||
196       !parse_integer(&child, &ret->e) ||
197       !parse_integer(&child, &ret->d) ||
198       !parse_integer(&child, &ret->p) ||
199       !parse_integer(&child, &ret->q) ||
200       !parse_integer(&child, &ret->dmp1) ||
201       !parse_integer(&child, &ret->dmq1) ||
202       !parse_integer(&child, &ret->iqmp)) {
203     goto err;
204   }
205 
206   if (CBS_len(&child) != 0) {
207     OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING);
208     goto err;
209   }
210 
211   if (!RSA_check_key(ret)) {
212     OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_RSA_PARAMETERS);
213     goto err;
214   }
215 
216   return ret;
217 
218 err:
219   RSA_free(ret);
220   return NULL;
221 }
222 
RSA_private_key_from_bytes(const uint8_t * in,size_t in_len)223 RSA *RSA_private_key_from_bytes(const uint8_t *in, size_t in_len) {
224   CBS cbs;
225   CBS_init(&cbs, in, in_len);
226   RSA *ret = RSA_parse_private_key(&cbs);
227   if (ret == NULL || CBS_len(&cbs) != 0) {
228     OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING);
229     RSA_free(ret);
230     return NULL;
231   }
232   return ret;
233 }
234 
RSA_marshal_private_key(CBB * cbb,const RSA * rsa)235 int RSA_marshal_private_key(CBB *cbb, const RSA *rsa) {
236   CBB child;
237   if (!CBB_add_asn1(cbb, &child, CBS_ASN1_SEQUENCE) ||
238       !CBB_add_asn1_uint64(&child, kVersionTwoPrime) ||
239       !marshal_integer(&child, rsa->n) ||
240       !marshal_integer(&child, rsa->e) ||
241       !marshal_integer(&child, rsa->d) ||
242       !marshal_integer(&child, rsa->p) ||
243       !marshal_integer(&child, rsa->q) ||
244       !marshal_integer(&child, rsa->dmp1) ||
245       !marshal_integer(&child, rsa->dmq1) ||
246       !marshal_integer(&child, rsa->iqmp) ||
247       !CBB_flush(cbb)) {
248     OPENSSL_PUT_ERROR(RSA, RSA_R_ENCODE_ERROR);
249     return 0;
250   }
251   return 1;
252 }
253 
RSA_private_key_to_bytes(uint8_t ** out_bytes,size_t * out_len,const RSA * rsa)254 int RSA_private_key_to_bytes(uint8_t **out_bytes, size_t *out_len,
255                              const RSA *rsa) {
256   CBB cbb;
257   CBB_zero(&cbb);
258   if (!CBB_init(&cbb, 0) ||
259       !RSA_marshal_private_key(&cbb, rsa) ||
260       !CBB_finish(&cbb, out_bytes, out_len)) {
261     OPENSSL_PUT_ERROR(RSA, RSA_R_ENCODE_ERROR);
262     CBB_cleanup(&cbb);
263     return 0;
264   }
265   return 1;
266 }
267 
d2i_RSAPublicKey(RSA ** out,const uint8_t ** inp,long len)268 RSA *d2i_RSAPublicKey(RSA **out, const uint8_t **inp, long len) {
269   if (len < 0) {
270     return NULL;
271   }
272   CBS cbs;
273   CBS_init(&cbs, *inp, (size_t)len);
274   RSA *ret = RSA_parse_public_key(&cbs);
275   if (ret == NULL) {
276     return NULL;
277   }
278   if (out != NULL) {
279     RSA_free(*out);
280     *out = ret;
281   }
282   *inp = CBS_data(&cbs);
283   return ret;
284 }
285 
i2d_RSAPublicKey(const RSA * in,uint8_t ** outp)286 int i2d_RSAPublicKey(const RSA *in, uint8_t **outp) {
287   CBB cbb;
288   if (!CBB_init(&cbb, 0) ||
289       !RSA_marshal_public_key(&cbb, in)) {
290     CBB_cleanup(&cbb);
291     return -1;
292   }
293   return CBB_finish_i2d(&cbb, outp);
294 }
295 
d2i_RSAPrivateKey(RSA ** out,const uint8_t ** inp,long len)296 RSA *d2i_RSAPrivateKey(RSA **out, const uint8_t **inp, long len) {
297   if (len < 0) {
298     return NULL;
299   }
300   CBS cbs;
301   CBS_init(&cbs, *inp, (size_t)len);
302   RSA *ret = RSA_parse_private_key(&cbs);
303   if (ret == NULL) {
304     return NULL;
305   }
306   if (out != NULL) {
307     RSA_free(*out);
308     *out = ret;
309   }
310   *inp = CBS_data(&cbs);
311   return ret;
312 }
313 
i2d_RSAPrivateKey(const RSA * in,uint8_t ** outp)314 int i2d_RSAPrivateKey(const RSA *in, uint8_t **outp) {
315   CBB cbb;
316   if (!CBB_init(&cbb, 0) ||
317       !RSA_marshal_private_key(&cbb, in)) {
318     CBB_cleanup(&cbb);
319     return -1;
320   }
321   return CBB_finish_i2d(&cbb, outp);
322 }
323 
RSAPublicKey_dup(const RSA * rsa)324 RSA *RSAPublicKey_dup(const RSA *rsa) {
325   uint8_t *der;
326   size_t der_len;
327   if (!RSA_public_key_to_bytes(&der, &der_len, rsa)) {
328     return NULL;
329   }
330   RSA *ret = RSA_public_key_from_bytes(der, der_len);
331   OPENSSL_free(der);
332   return ret;
333 }
334 
RSAPrivateKey_dup(const RSA * rsa)335 RSA *RSAPrivateKey_dup(const RSA *rsa) {
336   uint8_t *der;
337   size_t der_len;
338   if (!RSA_private_key_to_bytes(&der, &der_len, rsa)) {
339     return NULL;
340   }
341   RSA *ret = RSA_private_key_from_bytes(der, der_len);
342   OPENSSL_free(der);
343   return ret;
344 }
345