We should check the eight bytes starting at p[-9] for rollback attack
[openssl.git] / crypto / rsa / rsa_ameth.c
1 /* crypto/rsa/rsa_ameth.c */
2 /* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
3  * project 2006.
4  */
5 /* ====================================================================
6  * Copyright (c) 2006 The OpenSSL Project.  All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  *
12  * 1. Redistributions of source code must retain the above copyright
13  *    notice, this list of conditions and the following disclaimer. 
14  *
15  * 2. Redistributions in binary form must reproduce the above copyright
16  *    notice, this list of conditions and the following disclaimer in
17  *    the documentation and/or other materials provided with the
18  *    distribution.
19  *
20  * 3. All advertising materials mentioning features or use of this
21  *    software must display the following acknowledgment:
22  *    "This product includes software developed by the OpenSSL Project
23  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24  *
25  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26  *    endorse or promote products derived from this software without
27  *    prior written permission. For written permission, please contact
28  *    licensing@OpenSSL.org.
29  *
30  * 5. Products derived from this software may not be called "OpenSSL"
31  *    nor may "OpenSSL" appear in their names without prior written
32  *    permission of the OpenSSL Project.
33  *
34  * 6. Redistributions of any form whatsoever must retain the following
35  *    acknowledgment:
36  *    "This product includes software developed by the OpenSSL Project
37  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38  *
39  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
43  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50  * OF THE POSSIBILITY OF SUCH DAMAGE.
51  * ====================================================================
52  *
53  * This product includes cryptographic software written by Eric Young
54  * (eay@cryptsoft.com).  This product includes software written by Tim
55  * Hudson (tjh@cryptsoft.com).
56  *
57  */
58
59 #include <stdio.h>
60 #include "cryptlib.h"
61 #include <openssl/asn1t.h>
62 #include <openssl/x509.h>
63 #include <openssl/rsa.h>
64 #include <openssl/bn.h>
65 #ifndef OPENSSL_NO_CMS
66 #include <openssl/cms.h>
67 #endif
68 #include "asn1_locl.h"
69
70 static int rsa_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey)
71         {
72         unsigned char *penc = NULL;
73         int penclen;
74         penclen = i2d_RSAPublicKey(pkey->pkey.rsa, &penc);
75         if (penclen <= 0)
76                 return 0;
77         if (X509_PUBKEY_set0_param(pk, OBJ_nid2obj(EVP_PKEY_RSA),
78                                 V_ASN1_NULL, NULL, penc, penclen))
79                 return 1;
80
81         OPENSSL_free(penc);
82         return 0;
83         }
84
85 static int rsa_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey)
86         {
87         const unsigned char *p;
88         int pklen;
89         RSA *rsa = NULL;
90         if (!X509_PUBKEY_get0_param(NULL, &p, &pklen, NULL, pubkey))
91                 return 0;
92         if (!(rsa = d2i_RSAPublicKey(NULL, &p, pklen)))
93                 {
94                 RSAerr(RSA_F_RSA_PUB_DECODE, ERR_R_RSA_LIB);
95                 return 0;
96                 }
97         EVP_PKEY_assign_RSA (pkey, rsa);
98         return 1;
99         }
100
101 static int rsa_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b)
102         {
103         if (BN_cmp(b->pkey.rsa->n,a->pkey.rsa->n) != 0
104                 || BN_cmp(b->pkey.rsa->e,a->pkey.rsa->e) != 0)
105                         return 0;
106         return 1;
107         }
108
109 static int old_rsa_priv_decode(EVP_PKEY *pkey,
110                                         const unsigned char **pder, int derlen)
111         {
112         RSA *rsa;
113         if (!(rsa = d2i_RSAPrivateKey (NULL, pder, derlen)))
114                 {
115                 RSAerr(RSA_F_OLD_RSA_PRIV_DECODE, ERR_R_RSA_LIB);
116                 return 0;
117                 }
118         EVP_PKEY_assign_RSA(pkey, rsa);
119         return 1;
120         }
121
122 static int old_rsa_priv_encode(const EVP_PKEY *pkey, unsigned char **pder)
123         {
124         return i2d_RSAPrivateKey(pkey->pkey.rsa, pder);
125         }
126
127 static int rsa_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey)
128         {
129         unsigned char *rk = NULL;
130         int rklen;
131         rklen = i2d_RSAPrivateKey(pkey->pkey.rsa, &rk);
132
133         if (rklen <= 0)
134                 {
135                 RSAerr(RSA_F_RSA_PRIV_ENCODE,ERR_R_MALLOC_FAILURE);
136                 return 0;
137                 }
138
139         if (!PKCS8_pkey_set0(p8, OBJ_nid2obj(NID_rsaEncryption), 0,
140                                 V_ASN1_NULL, NULL, rk, rklen))
141                 {
142                 RSAerr(RSA_F_RSA_PRIV_ENCODE,ERR_R_MALLOC_FAILURE);
143                 return 0;
144                 }
145
146         return 1;
147         }
148
149 static int rsa_priv_decode(EVP_PKEY *pkey, PKCS8_PRIV_KEY_INFO *p8)
150         {
151         const unsigned char *p;
152         int pklen;
153         if (!PKCS8_pkey_get0(NULL, &p, &pklen, NULL, p8))
154                 return 0;
155         return old_rsa_priv_decode(pkey, &p, pklen);
156         }
157
158 static int int_rsa_size(const EVP_PKEY *pkey)
159         {
160         return RSA_size(pkey->pkey.rsa);
161         }
162
163 static int rsa_bits(const EVP_PKEY *pkey)
164         {
165         return BN_num_bits(pkey->pkey.rsa->n);
166         }
167
168 static void int_rsa_free(EVP_PKEY *pkey)
169         {
170         RSA_free(pkey->pkey.rsa);
171         }
172
173
174 static void update_buflen(const BIGNUM *b, size_t *pbuflen)
175         {
176         size_t i;
177         if (!b)
178                 return;
179         if (*pbuflen < (i = (size_t)BN_num_bytes(b)))
180                         *pbuflen = i;
181         }
182
183 static int do_rsa_print(BIO *bp, const RSA *x, int off, int priv)
184         {
185         char *str;
186         const char *s;
187         unsigned char *m=NULL;
188         int ret=0, mod_len = 0;
189         size_t buf_len=0;
190
191         update_buflen(x->n, &buf_len);
192         update_buflen(x->e, &buf_len);
193
194         if (priv)
195                 {
196                 update_buflen(x->d, &buf_len);
197                 update_buflen(x->p, &buf_len);
198                 update_buflen(x->q, &buf_len);
199                 update_buflen(x->dmp1, &buf_len);
200                 update_buflen(x->dmq1, &buf_len);
201                 update_buflen(x->iqmp, &buf_len);
202                 }
203
204         m=(unsigned char *)OPENSSL_malloc(buf_len+10);
205         if (m == NULL)
206                 {
207                 RSAerr(RSA_F_DO_RSA_PRINT,ERR_R_MALLOC_FAILURE);
208                 goto err;
209                 }
210
211         if (x->n != NULL)
212                 mod_len = BN_num_bits(x->n);
213
214         if(!BIO_indent(bp,off,128))
215                 goto err;
216
217         if (priv && x->d)
218                 {
219                 if (BIO_printf(bp,"Private-Key: (%d bit)\n", mod_len)
220                         <= 0) goto err;
221                 str = "modulus:";
222                 s = "publicExponent:";
223                 }
224         else
225                 {
226                 if (BIO_printf(bp,"Public-Key: (%d bit)\n", mod_len)
227                         <= 0) goto err;
228                 str = "Modulus:";
229                 s= "Exponent:";
230                 }
231         if (!ASN1_bn_print(bp,str,x->n,m,off)) goto err;
232         if (!ASN1_bn_print(bp,s,x->e,m,off))
233                 goto err;
234         if (priv)
235                 {
236                 if (!ASN1_bn_print(bp,"privateExponent:",x->d,m,off))
237                         goto err;
238                 if (!ASN1_bn_print(bp,"prime1:",x->p,m,off))
239                         goto err;
240                 if (!ASN1_bn_print(bp,"prime2:",x->q,m,off))
241                         goto err;
242                 if (!ASN1_bn_print(bp,"exponent1:",x->dmp1,m,off))
243                         goto err;
244                 if (!ASN1_bn_print(bp,"exponent2:",x->dmq1,m,off))
245                         goto err;
246                 if (!ASN1_bn_print(bp,"coefficient:",x->iqmp,m,off))
247                         goto err;
248                 }
249         ret=1;
250 err:
251         if (m != NULL) OPENSSL_free(m);
252         return(ret);
253         }
254
255 static int rsa_pub_print(BIO *bp, const EVP_PKEY *pkey, int indent,
256                                                         ASN1_PCTX *ctx)
257         {
258         return do_rsa_print(bp, pkey->pkey.rsa, indent, 0);
259         }
260
261
262 static int rsa_priv_print(BIO *bp, const EVP_PKEY *pkey, int indent,
263                                                         ASN1_PCTX *ctx)
264         {
265         return do_rsa_print(bp, pkey->pkey.rsa, indent, 1);
266         }
267
268
269 static int rsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
270         {
271         X509_ALGOR *alg = NULL;
272         switch (op)
273                 {
274
275                 case ASN1_PKEY_CTRL_PKCS7_SIGN:
276                 if (arg1 == 0)
277                         PKCS7_SIGNER_INFO_get0_algs(arg2, NULL, NULL, &alg);
278                 break;
279
280                 case ASN1_PKEY_CTRL_PKCS7_ENCRYPT:
281                 if (arg1 == 0)
282                         PKCS7_RECIP_INFO_get0_alg(arg2, &alg);
283                 break;
284 #ifndef OPENSSL_NO_CMS
285                 case ASN1_PKEY_CTRL_CMS_SIGN:
286                 if (arg1 == 0)
287                         CMS_SignerInfo_get0_algs(arg2, NULL, NULL, NULL, &alg);
288                 break;
289
290                 case ASN1_PKEY_CTRL_CMS_ENVELOPE:
291                 if (arg1 == 0)
292                         CMS_RecipientInfo_ktri_get0_algs(arg2, NULL, NULL, &alg);
293                 break;
294 #endif
295
296                 case ASN1_PKEY_CTRL_DEFAULT_MD_NID:
297                 *(int *)arg2 = NID_sha1;
298                 return 1;
299
300                 default:
301                 return -2;
302
303                 }
304
305         if (alg)
306                 X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaEncryption),
307                                                         V_ASN1_NULL, 0);
308
309         return 1;
310
311         }
312
313
314 const EVP_PKEY_ASN1_METHOD rsa_asn1_meths[] = 
315         {
316                 {
317                 EVP_PKEY_RSA,
318                 EVP_PKEY_RSA,
319                 ASN1_PKEY_SIGPARAM_NULL,
320
321                 "RSA",
322                 "OpenSSL RSA method",
323
324                 rsa_pub_decode,
325                 rsa_pub_encode,
326                 rsa_pub_cmp,
327                 rsa_pub_print,
328
329                 rsa_priv_decode,
330                 rsa_priv_encode,
331                 rsa_priv_print,
332
333                 int_rsa_size,
334                 rsa_bits,
335
336                 0,0,0,0,0,0,
337
338                 int_rsa_free,
339                 rsa_pkey_ctrl,
340                 old_rsa_priv_decode,
341                 old_rsa_priv_encode
342                 },
343
344                 {
345                 EVP_PKEY_RSA2,
346                 EVP_PKEY_RSA,
347                 ASN1_PKEY_ALIAS
348                 }
349         };