xref: /netbsd-src/crypto/external/bsd/heimdal/dist/lib/hcrypto/rsa.c (revision d3273b5b76f5afaafe308cead5511dbb8df8c5e9) 
1*d3273b5bSchristos /*	$NetBSD: rsa.c,v 1.2 2017/01/28 21:31:47 christos Exp $	*/
2ca1c9b0cSelric 
3ca1c9b0cSelric /*
4ca1c9b0cSelric  * Copyright (c) 2006 - 2008 Kungliga Tekniska Högskolan
5ca1c9b0cSelric  * (Royal Institute of Technology, Stockholm, Sweden).
6ca1c9b0cSelric  * All rights reserved.
7ca1c9b0cSelric  *
8ca1c9b0cSelric  * Redistribution and use in source and binary forms, with or without
9ca1c9b0cSelric  * modification, are permitted provided that the following conditions
10ca1c9b0cSelric  * are met:
11ca1c9b0cSelric  *
12ca1c9b0cSelric  * 1. Redistributions of source code must retain the above copyright
13ca1c9b0cSelric  *    notice, this list of conditions and the following disclaimer.
14ca1c9b0cSelric  *
15ca1c9b0cSelric  * 2. Redistributions in binary form must reproduce the above copyright
16ca1c9b0cSelric  *    notice, this list of conditions and the following disclaimer in the
17ca1c9b0cSelric  *    documentation and/or other materials provided with the distribution.
18ca1c9b0cSelric  *
19ca1c9b0cSelric  * 3. Neither the name of the Institute nor the names of its contributors
20ca1c9b0cSelric  *    may be used to endorse or promote products derived from this software
21ca1c9b0cSelric  *    without specific prior written permission.
22ca1c9b0cSelric  *
23ca1c9b0cSelric  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24ca1c9b0cSelric  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25ca1c9b0cSelric  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26ca1c9b0cSelric  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27ca1c9b0cSelric  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28ca1c9b0cSelric  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29ca1c9b0cSelric  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30ca1c9b0cSelric  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31ca1c9b0cSelric  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32ca1c9b0cSelric  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33ca1c9b0cSelric  * SUCH DAMAGE.
34ca1c9b0cSelric  */
35ca1c9b0cSelric 
36ca1c9b0cSelric #include <config.h>
37b9d004c6Schristos #include <krb5/roken.h>
38ca1c9b0cSelric #include <krb5/krb5-types.h>
39ca1c9b0cSelric #include <krb5/rfc2459_asn1.h>
40ca1c9b0cSelric 
41ca1c9b0cSelric #include <krb5/der.h>
42ca1c9b0cSelric 
43ca1c9b0cSelric #include <rsa.h>
44ca1c9b0cSelric 
45ca1c9b0cSelric #include "common.h"
46ca1c9b0cSelric 
47ca1c9b0cSelric /**
48ca1c9b0cSelric  * @page page_rsa RSA - public-key cryptography
49ca1c9b0cSelric  *
50ca1c9b0cSelric  * RSA is named by its inventors (Ron Rivest, Adi Shamir, and Leonard
51ca1c9b0cSelric  * Adleman) (published in 1977), patented expired in 21 September 2000.
52ca1c9b0cSelric  *
53ca1c9b0cSelric  *
54ca1c9b0cSelric  * Speed for RSA in seconds
55ca1c9b0cSelric  *   no key blinding
56ca1c9b0cSelric  *   1000 iteration,
57ca1c9b0cSelric  *   same rsa keys (1024 and 2048)
58ca1c9b0cSelric  *   operation performed each eteration sign, verify, encrypt, decrypt on a random bit pattern
59ca1c9b0cSelric  *
60ca1c9b0cSelric  * name		1024	2048	4098
61ca1c9b0cSelric  * =================================
62ca1c9b0cSelric  * gmp: 	 0.73	  6.60	 44.80
63ca1c9b0cSelric  * tfm: 	 2.45	    --	    --
64ca1c9b0cSelric  * ltm:		 3.79	 20.74	105.41	(default in hcrypto)
65ca1c9b0cSelric  * openssl:	 4.04	 11.90	 82.59
66ca1c9b0cSelric  * cdsa:	15.89	102.89	721.40
67ca1c9b0cSelric  * imath: 	40.62	    --	    --
68ca1c9b0cSelric  *
69ca1c9b0cSelric  * See the library functions here: @ref hcrypto_rsa
70ca1c9b0cSelric  */
71ca1c9b0cSelric 
72ca1c9b0cSelric /**
73ca1c9b0cSelric  * Same as RSA_new_method() using NULL as engine.
74ca1c9b0cSelric  *
75ca1c9b0cSelric  * @return a newly allocated RSA object. Free with RSA_free().
76ca1c9b0cSelric  *
77ca1c9b0cSelric  * @ingroup hcrypto_rsa
78ca1c9b0cSelric  */
79ca1c9b0cSelric 
80ca1c9b0cSelric RSA *
RSA_new(void)81ca1c9b0cSelric RSA_new(void)
82ca1c9b0cSelric {
83ca1c9b0cSelric     return RSA_new_method(NULL);
84ca1c9b0cSelric }
85ca1c9b0cSelric 
86ca1c9b0cSelric /**
87ca1c9b0cSelric  * Allocate a new RSA object using the engine, if NULL is specified as
88ca1c9b0cSelric  * the engine, use the default RSA engine as returned by
89ca1c9b0cSelric  * ENGINE_get_default_RSA().
90ca1c9b0cSelric  *
91ca1c9b0cSelric  * @param engine Specific what ENGINE RSA provider should be used.
92ca1c9b0cSelric  *
93ca1c9b0cSelric  * @return a newly allocated RSA object. Free with RSA_free().
94ca1c9b0cSelric  *
95ca1c9b0cSelric  * @ingroup hcrypto_rsa
96ca1c9b0cSelric  */
97ca1c9b0cSelric 
98ca1c9b0cSelric RSA *
RSA_new_method(ENGINE * engine)99ca1c9b0cSelric RSA_new_method(ENGINE *engine)
100ca1c9b0cSelric {
101ca1c9b0cSelric     RSA *rsa;
102ca1c9b0cSelric 
103ca1c9b0cSelric     rsa = calloc(1, sizeof(*rsa));
104ca1c9b0cSelric     if (rsa == NULL)
105ca1c9b0cSelric 	return NULL;
106ca1c9b0cSelric 
107ca1c9b0cSelric     rsa->references = 1;
108ca1c9b0cSelric 
109ca1c9b0cSelric     if (engine) {
110ca1c9b0cSelric 	ENGINE_up_ref(engine);
111ca1c9b0cSelric 	rsa->engine = engine;
112ca1c9b0cSelric     } else {
113ca1c9b0cSelric 	rsa->engine = ENGINE_get_default_RSA();
114ca1c9b0cSelric     }
115ca1c9b0cSelric 
116ca1c9b0cSelric     if (rsa->engine) {
117ca1c9b0cSelric 	rsa->meth = ENGINE_get_RSA(rsa->engine);
118ca1c9b0cSelric 	if (rsa->meth == NULL) {
119ca1c9b0cSelric 	    ENGINE_finish(engine);
120ca1c9b0cSelric 	    free(rsa);
121ca1c9b0cSelric 	    return 0;
122ca1c9b0cSelric 	}
123ca1c9b0cSelric     }
124ca1c9b0cSelric 
125ca1c9b0cSelric     if (rsa->meth == NULL)
126ca1c9b0cSelric 	rsa->meth = rk_UNCONST(RSA_get_default_method());
127ca1c9b0cSelric 
128ca1c9b0cSelric     (*rsa->meth->init)(rsa);
129ca1c9b0cSelric 
130ca1c9b0cSelric     return rsa;
131ca1c9b0cSelric }
132ca1c9b0cSelric 
133ca1c9b0cSelric /**
134ca1c9b0cSelric  * Free an allocation RSA object.
135ca1c9b0cSelric  *
136ca1c9b0cSelric  * @param rsa the RSA object to free.
137ca1c9b0cSelric  * @ingroup hcrypto_rsa
138ca1c9b0cSelric  */
139ca1c9b0cSelric 
140ca1c9b0cSelric void
RSA_free(RSA * rsa)141ca1c9b0cSelric RSA_free(RSA *rsa)
142ca1c9b0cSelric {
143ca1c9b0cSelric     if (rsa->references <= 0)
144ca1c9b0cSelric 	abort();
145ca1c9b0cSelric 
146ca1c9b0cSelric     if (--rsa->references > 0)
147ca1c9b0cSelric 	return;
148ca1c9b0cSelric 
149ca1c9b0cSelric     (*rsa->meth->finish)(rsa);
150ca1c9b0cSelric 
151ca1c9b0cSelric     if (rsa->engine)
152ca1c9b0cSelric 	ENGINE_finish(rsa->engine);
153ca1c9b0cSelric 
154ca1c9b0cSelric #define free_if(f) if (f) { BN_free(f); }
155ca1c9b0cSelric     free_if(rsa->n);
156ca1c9b0cSelric     free_if(rsa->e);
157ca1c9b0cSelric     free_if(rsa->d);
158ca1c9b0cSelric     free_if(rsa->p);
159ca1c9b0cSelric     free_if(rsa->q);
160ca1c9b0cSelric     free_if(rsa->dmp1);
161ca1c9b0cSelric     free_if(rsa->dmq1);
162ca1c9b0cSelric     free_if(rsa->iqmp);
163ca1c9b0cSelric #undef free_if
164ca1c9b0cSelric 
165ca1c9b0cSelric     memset(rsa, 0, sizeof(*rsa));
166ca1c9b0cSelric     free(rsa);
167ca1c9b0cSelric }
168ca1c9b0cSelric 
169ca1c9b0cSelric /**
170ca1c9b0cSelric  * Add an extra reference to the RSA object. The object should be free
171ca1c9b0cSelric  * with RSA_free() to drop the reference.
172ca1c9b0cSelric  *
173ca1c9b0cSelric  * @param rsa the object to add reference counting too.
174ca1c9b0cSelric  *
175ca1c9b0cSelric  * @return the current reference count, can't safely be used except
176ca1c9b0cSelric  * for debug printing.
177ca1c9b0cSelric  *
178ca1c9b0cSelric  * @ingroup hcrypto_rsa
179ca1c9b0cSelric  */
180ca1c9b0cSelric 
181ca1c9b0cSelric int
RSA_up_ref(RSA * rsa)182ca1c9b0cSelric RSA_up_ref(RSA *rsa)
183ca1c9b0cSelric {
184ca1c9b0cSelric     return ++rsa->references;
185ca1c9b0cSelric }
186ca1c9b0cSelric 
187ca1c9b0cSelric /**
188ca1c9b0cSelric  * Return the RSA_METHOD used for this RSA object.
189ca1c9b0cSelric  *
190ca1c9b0cSelric  * @param rsa the object to get the method from.
191ca1c9b0cSelric  *
192ca1c9b0cSelric  * @return the method used for this RSA object.
193ca1c9b0cSelric  *
194ca1c9b0cSelric  * @ingroup hcrypto_rsa
195ca1c9b0cSelric  */
196ca1c9b0cSelric 
197ca1c9b0cSelric const RSA_METHOD *
RSA_get_method(const RSA * rsa)198ca1c9b0cSelric RSA_get_method(const RSA *rsa)
199ca1c9b0cSelric {
200ca1c9b0cSelric     return rsa->meth;
201ca1c9b0cSelric }
202ca1c9b0cSelric 
203ca1c9b0cSelric /**
204ca1c9b0cSelric  * Set a new method for the RSA keypair.
205ca1c9b0cSelric  *
206ca1c9b0cSelric  * @param rsa rsa parameter.
207ca1c9b0cSelric  * @param method the new method for the RSA parameter.
208ca1c9b0cSelric  *
209ca1c9b0cSelric  * @return 1 on success.
210ca1c9b0cSelric  *
211ca1c9b0cSelric  * @ingroup hcrypto_rsa
212ca1c9b0cSelric  */
213ca1c9b0cSelric 
214ca1c9b0cSelric int
RSA_set_method(RSA * rsa,const RSA_METHOD * method)215ca1c9b0cSelric RSA_set_method(RSA *rsa, const RSA_METHOD *method)
216ca1c9b0cSelric {
217ca1c9b0cSelric     (*rsa->meth->finish)(rsa);
218ca1c9b0cSelric 
219ca1c9b0cSelric     if (rsa->engine) {
220ca1c9b0cSelric 	ENGINE_finish(rsa->engine);
221ca1c9b0cSelric 	rsa->engine = NULL;
222ca1c9b0cSelric     }
223ca1c9b0cSelric 
224ca1c9b0cSelric     rsa->meth = method;
225ca1c9b0cSelric     (*rsa->meth->init)(rsa);
226ca1c9b0cSelric     return 1;
227ca1c9b0cSelric }
228ca1c9b0cSelric 
229ca1c9b0cSelric /**
230ca1c9b0cSelric  * Set the application data for the RSA object.
231ca1c9b0cSelric  *
232ca1c9b0cSelric  * @param rsa the rsa object to set the parameter for
233ca1c9b0cSelric  * @param arg the data object to store
234ca1c9b0cSelric  *
235ca1c9b0cSelric  * @return 1 on success.
236ca1c9b0cSelric  *
237ca1c9b0cSelric  * @ingroup hcrypto_rsa
238ca1c9b0cSelric  */
239ca1c9b0cSelric 
240ca1c9b0cSelric int
RSA_set_app_data(RSA * rsa,void * arg)241ca1c9b0cSelric RSA_set_app_data(RSA *rsa, void *arg)
242ca1c9b0cSelric {
243ca1c9b0cSelric     rsa->ex_data.sk = arg;
244ca1c9b0cSelric     return 1;
245ca1c9b0cSelric }
246ca1c9b0cSelric 
247ca1c9b0cSelric /**
248ca1c9b0cSelric  * Get the application data for the RSA object.
249ca1c9b0cSelric  *
250ca1c9b0cSelric  * @param rsa the rsa object to get the parameter for
251ca1c9b0cSelric  *
252ca1c9b0cSelric  * @return the data object
253ca1c9b0cSelric  *
254ca1c9b0cSelric  * @ingroup hcrypto_rsa
255ca1c9b0cSelric  */
256ca1c9b0cSelric 
257ca1c9b0cSelric void *
RSA_get_app_data(const RSA * rsa)258ca1c9b0cSelric RSA_get_app_data(const RSA *rsa)
259ca1c9b0cSelric {
260ca1c9b0cSelric     return rsa->ex_data.sk;
261ca1c9b0cSelric }
262ca1c9b0cSelric 
263ca1c9b0cSelric int
RSA_check_key(const RSA * key)264ca1c9b0cSelric RSA_check_key(const RSA *key)
265ca1c9b0cSelric {
266ca1c9b0cSelric     static const unsigned char inbuf[] = "hello, world!";
267ca1c9b0cSelric     RSA *rsa = rk_UNCONST(key);
268ca1c9b0cSelric     void *buffer;
269ca1c9b0cSelric     int ret;
270ca1c9b0cSelric 
271ca1c9b0cSelric     /*
272ca1c9b0cSelric      * XXX I have no clue how to implement this w/o a bignum library.
273ca1c9b0cSelric      * Well, when we have a RSA key pair, we can try to encrypt/sign
274ca1c9b0cSelric      * and then decrypt/verify.
275ca1c9b0cSelric      */
276ca1c9b0cSelric 
277ca1c9b0cSelric     if ((rsa->d == NULL || rsa->n == NULL) &&
278ca1c9b0cSelric 	(rsa->p == NULL || rsa->q || rsa->dmp1 == NULL || rsa->dmq1 == NULL || rsa->iqmp == NULL))
279ca1c9b0cSelric 	return 0;
280ca1c9b0cSelric 
281ca1c9b0cSelric     buffer = malloc(RSA_size(rsa));
282ca1c9b0cSelric     if (buffer == NULL)
283ca1c9b0cSelric 	return 0;
284ca1c9b0cSelric 
285ca1c9b0cSelric     ret = RSA_private_encrypt(sizeof(inbuf), inbuf, buffer,
286ca1c9b0cSelric 			     rsa, RSA_PKCS1_PADDING);
287ca1c9b0cSelric     if (ret == -1) {
288ca1c9b0cSelric 	free(buffer);
289ca1c9b0cSelric 	return 0;
290ca1c9b0cSelric     }
291ca1c9b0cSelric 
292ca1c9b0cSelric     ret = RSA_public_decrypt(ret, buffer, buffer,
293ca1c9b0cSelric 			      rsa, RSA_PKCS1_PADDING);
294ca1c9b0cSelric     if (ret == -1) {
295ca1c9b0cSelric 	free(buffer);
296ca1c9b0cSelric 	return 0;
297ca1c9b0cSelric     }
298ca1c9b0cSelric 
299ca1c9b0cSelric     if (ret == sizeof(inbuf) && ct_memcmp(buffer, inbuf, sizeof(inbuf)) == 0) {
300ca1c9b0cSelric 	free(buffer);
301ca1c9b0cSelric 	return 1;
302ca1c9b0cSelric     }
303ca1c9b0cSelric     free(buffer);
304ca1c9b0cSelric     return 0;
305ca1c9b0cSelric }
306ca1c9b0cSelric 
307ca1c9b0cSelric int
RSA_size(const RSA * rsa)308ca1c9b0cSelric RSA_size(const RSA *rsa)
309ca1c9b0cSelric {
310ca1c9b0cSelric     return BN_num_bytes(rsa->n);
311ca1c9b0cSelric }
312ca1c9b0cSelric 
313ca1c9b0cSelric #define RSAFUNC(name, body) \
314ca1c9b0cSelric int \
315ca1c9b0cSelric name(int flen,const unsigned char* f, unsigned char* t, RSA* r, int p){\
316ca1c9b0cSelric     return body; \
317ca1c9b0cSelric }
318ca1c9b0cSelric 
319ca1c9b0cSelric RSAFUNC(RSA_public_encrypt, (r)->meth->rsa_pub_enc(flen, f, t, r, p))
320ca1c9b0cSelric RSAFUNC(RSA_public_decrypt, (r)->meth->rsa_pub_dec(flen, f, t, r, p))
321ca1c9b0cSelric RSAFUNC(RSA_private_encrypt, (r)->meth->rsa_priv_enc(flen, f, t, r, p))
322ca1c9b0cSelric RSAFUNC(RSA_private_decrypt, (r)->meth->rsa_priv_dec(flen, f, t, r, p))
323ca1c9b0cSelric 
324ca1c9b0cSelric static const heim_octet_string null_entry_oid = { 2, rk_UNCONST("\x05\x00") };
325ca1c9b0cSelric 
326ca1c9b0cSelric static const unsigned sha1_oid_tree[] = { 1, 3, 14, 3, 2, 26 };
327ca1c9b0cSelric static const AlgorithmIdentifier _signature_sha1_data = {
328ca1c9b0cSelric     { 6, rk_UNCONST(sha1_oid_tree) }, rk_UNCONST(&null_entry_oid)
329ca1c9b0cSelric };
330ca1c9b0cSelric static const unsigned sha256_oid_tree[] = { 2, 16, 840, 1, 101, 3, 4, 2, 1 };
331ca1c9b0cSelric static const AlgorithmIdentifier _signature_sha256_data = {
332ca1c9b0cSelric     { 9, rk_UNCONST(sha256_oid_tree) }, rk_UNCONST(&null_entry_oid)
333ca1c9b0cSelric };
334ca1c9b0cSelric static const unsigned md5_oid_tree[] = { 1, 2, 840, 113549, 2, 5 };
335ca1c9b0cSelric static const AlgorithmIdentifier _signature_md5_data = {
336ca1c9b0cSelric     { 6, rk_UNCONST(md5_oid_tree) }, rk_UNCONST(&null_entry_oid)
337ca1c9b0cSelric };
338ca1c9b0cSelric 
339ca1c9b0cSelric 
340ca1c9b0cSelric int
RSA_sign(int type,const unsigned char * from,unsigned int flen,unsigned char * to,unsigned int * tlen,RSA * rsa)341ca1c9b0cSelric RSA_sign(int type, const unsigned char *from, unsigned int flen,
342ca1c9b0cSelric 	 unsigned char *to, unsigned int *tlen, RSA *rsa)
343ca1c9b0cSelric {
344ca1c9b0cSelric     if (rsa->meth->rsa_sign)
345ca1c9b0cSelric 	return rsa->meth->rsa_sign(type, from, flen, to, tlen, rsa);
346ca1c9b0cSelric 
347ca1c9b0cSelric     if (rsa->meth->rsa_priv_enc) {
348ca1c9b0cSelric 	heim_octet_string indata;
349ca1c9b0cSelric 	DigestInfo di;
350ca1c9b0cSelric 	size_t size;
351ca1c9b0cSelric 	int ret;
352ca1c9b0cSelric 
353ca1c9b0cSelric 	memset(&di, 0, sizeof(di));
354ca1c9b0cSelric 
355ca1c9b0cSelric 	if (type == NID_sha1) {
356ca1c9b0cSelric 	    di.digestAlgorithm = _signature_sha1_data;
357ca1c9b0cSelric 	} else if (type == NID_md5) {
358ca1c9b0cSelric 	    di.digestAlgorithm = _signature_md5_data;
359ca1c9b0cSelric 	} else if (type == NID_sha256) {
360ca1c9b0cSelric 	    di.digestAlgorithm = _signature_sha256_data;
361ca1c9b0cSelric 	} else
362ca1c9b0cSelric 	    return -1;
363ca1c9b0cSelric 
364ca1c9b0cSelric 	di.digest.data = rk_UNCONST(from);
365ca1c9b0cSelric 	di.digest.length = flen;
366ca1c9b0cSelric 
367ca1c9b0cSelric 	ASN1_MALLOC_ENCODE(DigestInfo,
368ca1c9b0cSelric 			   indata.data,
369ca1c9b0cSelric 			   indata.length,
370ca1c9b0cSelric 			   &di,
371ca1c9b0cSelric 			   &size,
372ca1c9b0cSelric 			   ret);
373ca1c9b0cSelric 	if (ret)
374ca1c9b0cSelric 	    return ret;
375ca1c9b0cSelric 	if (indata.length != size)
376ca1c9b0cSelric 	    abort();
377ca1c9b0cSelric 
378ca1c9b0cSelric 	ret = rsa->meth->rsa_priv_enc(indata.length, indata.data, to,
379ca1c9b0cSelric 				      rsa, RSA_PKCS1_PADDING);
380ca1c9b0cSelric 	free(indata.data);
381ca1c9b0cSelric 	if (ret > 0) {
382ca1c9b0cSelric 	    *tlen = ret;
383ca1c9b0cSelric 	    ret = 1;
384ca1c9b0cSelric 	} else
385ca1c9b0cSelric 	    ret = 0;
386ca1c9b0cSelric 
387ca1c9b0cSelric 	return ret;
388ca1c9b0cSelric     }
389ca1c9b0cSelric 
390ca1c9b0cSelric     return 0;
391ca1c9b0cSelric }
392ca1c9b0cSelric 
393ca1c9b0cSelric int
RSA_verify(int type,const unsigned char * from,unsigned int flen,unsigned char * sigbuf,unsigned int siglen,RSA * rsa)394ca1c9b0cSelric RSA_verify(int type, const unsigned char *from, unsigned int flen,
395ca1c9b0cSelric 	   unsigned char *sigbuf, unsigned int siglen, RSA *rsa)
396ca1c9b0cSelric {
397ca1c9b0cSelric     if (rsa->meth->rsa_verify)
398ca1c9b0cSelric 	return rsa->meth->rsa_verify(type, from, flen, sigbuf, siglen, rsa);
399ca1c9b0cSelric 
400ca1c9b0cSelric     if (rsa->meth->rsa_pub_dec) {
401ca1c9b0cSelric 	const AlgorithmIdentifier *digest_alg;
402ca1c9b0cSelric 	void *data;
403ca1c9b0cSelric 	DigestInfo di;
404ca1c9b0cSelric 	size_t size;
405ca1c9b0cSelric 	int ret, ret2;
406ca1c9b0cSelric 
407ca1c9b0cSelric 	data = malloc(RSA_size(rsa));
408ca1c9b0cSelric 	if (data == NULL)
409ca1c9b0cSelric 	    return -1;
410ca1c9b0cSelric 
411ca1c9b0cSelric 	memset(&di, 0, sizeof(di));
412ca1c9b0cSelric 
413ca1c9b0cSelric 	ret = rsa->meth->rsa_pub_dec(siglen, sigbuf, data, rsa, RSA_PKCS1_PADDING);
414ca1c9b0cSelric 	if (ret <= 0) {
415ca1c9b0cSelric 	    free(data);
416ca1c9b0cSelric 	    return -2;
417ca1c9b0cSelric 	}
418ca1c9b0cSelric 
419ca1c9b0cSelric 	ret2 = decode_DigestInfo(data, ret, &di, &size);
420ca1c9b0cSelric 	free(data);
421ca1c9b0cSelric 	if (ret2 != 0)
422ca1c9b0cSelric 	    return -3;
423ca1c9b0cSelric 	if (ret != size) {
424ca1c9b0cSelric 	    free_DigestInfo(&di);
425ca1c9b0cSelric 	    return -4;
426ca1c9b0cSelric 	}
427ca1c9b0cSelric 
428ca1c9b0cSelric 	if (flen != di.digest.length || memcmp(di.digest.data, from, flen) != 0) {
429ca1c9b0cSelric 	    free_DigestInfo(&di);
430ca1c9b0cSelric 	    return -5;
431ca1c9b0cSelric 	}
432ca1c9b0cSelric 
433ca1c9b0cSelric 	if (type == NID_sha1) {
434ca1c9b0cSelric 	    digest_alg = &_signature_sha1_data;
435ca1c9b0cSelric 	} else if (type == NID_md5) {
436ca1c9b0cSelric 	    digest_alg = &_signature_md5_data;
437ca1c9b0cSelric 	} else if (type == NID_sha256) {
438ca1c9b0cSelric 	    digest_alg = &_signature_sha256_data;
439ca1c9b0cSelric 	} else {
440ca1c9b0cSelric 	    free_DigestInfo(&di);
441ca1c9b0cSelric 	    return -1;
442ca1c9b0cSelric 	}
443ca1c9b0cSelric 
444ca1c9b0cSelric 	ret = der_heim_oid_cmp(&digest_alg->algorithm,
445ca1c9b0cSelric 			       &di.digestAlgorithm.algorithm);
446ca1c9b0cSelric 	free_DigestInfo(&di);
447ca1c9b0cSelric 
448ca1c9b0cSelric 	if (ret != 0)
449ca1c9b0cSelric 	    return 0;
450ca1c9b0cSelric 	return 1;
451ca1c9b0cSelric     }
452ca1c9b0cSelric 
453ca1c9b0cSelric     return 0;
454ca1c9b0cSelric }
455ca1c9b0cSelric 
456ca1c9b0cSelric /*
457ca1c9b0cSelric  * A NULL RSA_METHOD that returns failure for all operations. This is
458ca1c9b0cSelric  * used as the default RSA method if we don't have any native
459ca1c9b0cSelric  * support.
460ca1c9b0cSelric  */
461ca1c9b0cSelric 
462ca1c9b0cSelric static RSAFUNC(null_rsa_public_encrypt, -1)
463ca1c9b0cSelric static RSAFUNC(null_rsa_public_decrypt, -1)
464ca1c9b0cSelric static RSAFUNC(null_rsa_private_encrypt, -1)
465ca1c9b0cSelric static RSAFUNC(null_rsa_private_decrypt, -1)
466ca1c9b0cSelric 
467ca1c9b0cSelric /*
468ca1c9b0cSelric  *
469ca1c9b0cSelric  */
470ca1c9b0cSelric 
471ca1c9b0cSelric int
RSA_generate_key_ex(RSA * r,int bits,BIGNUM * e,BN_GENCB * cb)472ca1c9b0cSelric RSA_generate_key_ex(RSA *r, int bits, BIGNUM *e, BN_GENCB *cb)
473ca1c9b0cSelric {
474ca1c9b0cSelric     if (r->meth->rsa_keygen)
475ca1c9b0cSelric 	return (*r->meth->rsa_keygen)(r, bits, e, cb);
476ca1c9b0cSelric     return 0;
477ca1c9b0cSelric }
478ca1c9b0cSelric 
479ca1c9b0cSelric 
480ca1c9b0cSelric /*
481ca1c9b0cSelric  *
482ca1c9b0cSelric  */
483ca1c9b0cSelric 
484ca1c9b0cSelric static int
null_rsa_init(RSA * rsa)485ca1c9b0cSelric null_rsa_init(RSA *rsa)
486ca1c9b0cSelric {
487ca1c9b0cSelric     return 1;
488ca1c9b0cSelric }
489ca1c9b0cSelric 
490ca1c9b0cSelric static int
null_rsa_finish(RSA * rsa)491ca1c9b0cSelric null_rsa_finish(RSA *rsa)
492ca1c9b0cSelric {
493ca1c9b0cSelric     return 1;
494ca1c9b0cSelric }
495ca1c9b0cSelric 
496ca1c9b0cSelric static const RSA_METHOD rsa_null_method = {
497ca1c9b0cSelric     "hcrypto null RSA",
498ca1c9b0cSelric     null_rsa_public_encrypt,
499ca1c9b0cSelric     null_rsa_public_decrypt,
500ca1c9b0cSelric     null_rsa_private_encrypt,
501ca1c9b0cSelric     null_rsa_private_decrypt,
502ca1c9b0cSelric     NULL,
503ca1c9b0cSelric     NULL,
504ca1c9b0cSelric     null_rsa_init,
505ca1c9b0cSelric     null_rsa_finish,
506ca1c9b0cSelric     0,
507ca1c9b0cSelric     NULL,
508ca1c9b0cSelric     NULL,
509b9d004c6Schristos     NULL,
510ca1c9b0cSelric     NULL
511ca1c9b0cSelric };
512ca1c9b0cSelric 
513ca1c9b0cSelric const RSA_METHOD *
RSA_null_method(void)514ca1c9b0cSelric RSA_null_method(void)
515ca1c9b0cSelric {
516ca1c9b0cSelric     return &rsa_null_method;
517ca1c9b0cSelric }
518ca1c9b0cSelric 
519ca1c9b0cSelric extern const RSA_METHOD hc_rsa_gmp_method;
520ca1c9b0cSelric extern const RSA_METHOD hc_rsa_tfm_method;
521ca1c9b0cSelric extern const RSA_METHOD hc_rsa_ltm_method;
522ca1c9b0cSelric static const RSA_METHOD *default_rsa_method = &hc_rsa_ltm_method;
523ca1c9b0cSelric 
524ca1c9b0cSelric 
525ca1c9b0cSelric const RSA_METHOD *
RSA_get_default_method(void)526ca1c9b0cSelric RSA_get_default_method(void)
527ca1c9b0cSelric {
528ca1c9b0cSelric     return default_rsa_method;
529ca1c9b0cSelric }
530ca1c9b0cSelric 
531ca1c9b0cSelric void
RSA_set_default_method(const RSA_METHOD * meth)532ca1c9b0cSelric RSA_set_default_method(const RSA_METHOD *meth)
533ca1c9b0cSelric {
534ca1c9b0cSelric     default_rsa_method = meth;
535ca1c9b0cSelric }
536ca1c9b0cSelric 
537ca1c9b0cSelric /*
538ca1c9b0cSelric  *
539ca1c9b0cSelric  */
540ca1c9b0cSelric 
541ca1c9b0cSelric RSA *
d2i_RSAPrivateKey(RSA * rsa,const unsigned char ** pp,size_t len)542ca1c9b0cSelric d2i_RSAPrivateKey(RSA *rsa, const unsigned char **pp, size_t len)
543ca1c9b0cSelric {
544ca1c9b0cSelric     RSAPrivateKey data;
545ca1c9b0cSelric     RSA *k = rsa;
546ca1c9b0cSelric     size_t size;
547ca1c9b0cSelric     int ret;
548ca1c9b0cSelric 
549ca1c9b0cSelric     ret = decode_RSAPrivateKey(*pp, len, &data, &size);
550ca1c9b0cSelric     if (ret)
551ca1c9b0cSelric 	return NULL;
552ca1c9b0cSelric 
553ca1c9b0cSelric     *pp += size;
554ca1c9b0cSelric 
555ca1c9b0cSelric     if (k == NULL) {
556ca1c9b0cSelric 	k = RSA_new();
557ca1c9b0cSelric 	if (k == NULL) {
558ca1c9b0cSelric 	    free_RSAPrivateKey(&data);
559ca1c9b0cSelric 	    return NULL;
560ca1c9b0cSelric 	}
561ca1c9b0cSelric     }
562ca1c9b0cSelric 
563ca1c9b0cSelric     k->n = _hc_integer_to_BN(&data.modulus, NULL);
564ca1c9b0cSelric     k->e = _hc_integer_to_BN(&data.publicExponent, NULL);
565ca1c9b0cSelric     k->d = _hc_integer_to_BN(&data.privateExponent, NULL);
566ca1c9b0cSelric     k->p = _hc_integer_to_BN(&data.prime1, NULL);
567ca1c9b0cSelric     k->q = _hc_integer_to_BN(&data.prime2, NULL);
568ca1c9b0cSelric     k->dmp1 = _hc_integer_to_BN(&data.exponent1, NULL);
569ca1c9b0cSelric     k->dmq1 = _hc_integer_to_BN(&data.exponent2, NULL);
570ca1c9b0cSelric     k->iqmp = _hc_integer_to_BN(&data.coefficient, NULL);
571ca1c9b0cSelric     free_RSAPrivateKey(&data);
572ca1c9b0cSelric 
573ca1c9b0cSelric     if (k->n == NULL || k->e == NULL || k->d == NULL || k->p == NULL ||
574ca1c9b0cSelric 	k->q == NULL || k->dmp1 == NULL || k->dmq1 == NULL || k->iqmp == NULL)
575ca1c9b0cSelric     {
576ca1c9b0cSelric 	RSA_free(k);
577ca1c9b0cSelric 	return NULL;
578ca1c9b0cSelric     }
579ca1c9b0cSelric 
580ca1c9b0cSelric     return k;
581ca1c9b0cSelric }
582ca1c9b0cSelric 
583ca1c9b0cSelric int
i2d_RSAPrivateKey(RSA * rsa,unsigned char ** pp)584ca1c9b0cSelric i2d_RSAPrivateKey(RSA *rsa, unsigned char **pp)
585ca1c9b0cSelric {
586ca1c9b0cSelric     RSAPrivateKey data;
587ca1c9b0cSelric     size_t size;
588ca1c9b0cSelric     int ret;
589ca1c9b0cSelric 
590ca1c9b0cSelric     if (rsa->n == NULL || rsa->e == NULL || rsa->d == NULL || rsa->p == NULL ||
591ca1c9b0cSelric 	rsa->q == NULL || rsa->dmp1 == NULL || rsa->dmq1 == NULL ||
592ca1c9b0cSelric 	rsa->iqmp == NULL)
593ca1c9b0cSelric 	return -1;
594ca1c9b0cSelric 
595ca1c9b0cSelric     memset(&data, 0, sizeof(data));
596ca1c9b0cSelric 
597ca1c9b0cSelric     ret  = _hc_BN_to_integer(rsa->n, &data.modulus);
598ca1c9b0cSelric     ret |= _hc_BN_to_integer(rsa->e, &data.publicExponent);
599ca1c9b0cSelric     ret |= _hc_BN_to_integer(rsa->d, &data.privateExponent);
600ca1c9b0cSelric     ret |= _hc_BN_to_integer(rsa->p, &data.prime1);
601ca1c9b0cSelric     ret |= _hc_BN_to_integer(rsa->q, &data.prime2);
602ca1c9b0cSelric     ret |= _hc_BN_to_integer(rsa->dmp1, &data.exponent1);
603ca1c9b0cSelric     ret |= _hc_BN_to_integer(rsa->dmq1, &data.exponent2);
604ca1c9b0cSelric     ret |= _hc_BN_to_integer(rsa->iqmp, &data.coefficient);
605ca1c9b0cSelric     if (ret) {
606ca1c9b0cSelric 	free_RSAPrivateKey(&data);
607ca1c9b0cSelric 	return -1;
608ca1c9b0cSelric     }
609ca1c9b0cSelric 
610ca1c9b0cSelric     if (pp == NULL) {
611ca1c9b0cSelric 	size = length_RSAPrivateKey(&data);
612ca1c9b0cSelric 	free_RSAPrivateKey(&data);
613ca1c9b0cSelric     } else {
614ca1c9b0cSelric 	void *p;
615ca1c9b0cSelric 	size_t len;
616ca1c9b0cSelric 
617ca1c9b0cSelric 	ASN1_MALLOC_ENCODE(RSAPrivateKey, p, len, &data, &size, ret);
618ca1c9b0cSelric 	free_RSAPrivateKey(&data);
619ca1c9b0cSelric 	if (ret)
620ca1c9b0cSelric 	    return -1;
621ca1c9b0cSelric 	if (len != size)
622ca1c9b0cSelric 	    abort();
623ca1c9b0cSelric 
624ca1c9b0cSelric 	memcpy(*pp, p, size);
625ca1c9b0cSelric 	free(p);
626ca1c9b0cSelric 
627ca1c9b0cSelric 	*pp += size;
628ca1c9b0cSelric 
629ca1c9b0cSelric     }
630ca1c9b0cSelric     return size;
631ca1c9b0cSelric }
632ca1c9b0cSelric 
633ca1c9b0cSelric int
i2d_RSAPublicKey(RSA * rsa,unsigned char ** pp)634ca1c9b0cSelric i2d_RSAPublicKey(RSA *rsa, unsigned char **pp)
635ca1c9b0cSelric {
636ca1c9b0cSelric     RSAPublicKey data;
637ca1c9b0cSelric     size_t size;
638ca1c9b0cSelric     int ret;
639ca1c9b0cSelric 
640ca1c9b0cSelric     memset(&data, 0, sizeof(data));
641ca1c9b0cSelric 
642ca1c9b0cSelric     if (_hc_BN_to_integer(rsa->n, &data.modulus) ||
643ca1c9b0cSelric 	_hc_BN_to_integer(rsa->e, &data.publicExponent))
644ca1c9b0cSelric     {
645ca1c9b0cSelric 	free_RSAPublicKey(&data);
646ca1c9b0cSelric 	return -1;
647ca1c9b0cSelric     }
648ca1c9b0cSelric 
649ca1c9b0cSelric     if (pp == NULL) {
650ca1c9b0cSelric 	size = length_RSAPublicKey(&data);
651ca1c9b0cSelric 	free_RSAPublicKey(&data);
652ca1c9b0cSelric     } else {
653ca1c9b0cSelric 	void *p;
654ca1c9b0cSelric 	size_t len;
655ca1c9b0cSelric 
656ca1c9b0cSelric 	ASN1_MALLOC_ENCODE(RSAPublicKey, p, len, &data, &size, ret);
657ca1c9b0cSelric 	free_RSAPublicKey(&data);
658ca1c9b0cSelric 	if (ret)
659ca1c9b0cSelric 	    return -1;
660ca1c9b0cSelric 	if (len != size)
661ca1c9b0cSelric 	    abort();
662ca1c9b0cSelric 
663ca1c9b0cSelric 	memcpy(*pp, p, size);
664ca1c9b0cSelric 	free(p);
665ca1c9b0cSelric 
666ca1c9b0cSelric 	*pp += size;
667ca1c9b0cSelric     }
668ca1c9b0cSelric 
669ca1c9b0cSelric     return size;
670ca1c9b0cSelric }
671ca1c9b0cSelric 
672ca1c9b0cSelric RSA *
d2i_RSAPublicKey(RSA * rsa,const unsigned char ** pp,size_t len)673ca1c9b0cSelric d2i_RSAPublicKey(RSA *rsa, const unsigned char **pp, size_t len)
674ca1c9b0cSelric {
675ca1c9b0cSelric     RSAPublicKey data;
676ca1c9b0cSelric     RSA *k = rsa;
677ca1c9b0cSelric     size_t size;
678ca1c9b0cSelric     int ret;
679ca1c9b0cSelric 
680ca1c9b0cSelric     ret = decode_RSAPublicKey(*pp, len, &data, &size);
681ca1c9b0cSelric     if (ret)
682ca1c9b0cSelric 	return NULL;
683ca1c9b0cSelric 
684ca1c9b0cSelric     *pp += size;
685ca1c9b0cSelric 
686ca1c9b0cSelric     if (k == NULL) {
687ca1c9b0cSelric 	k = RSA_new();
688ca1c9b0cSelric 	if (k == NULL) {
689ca1c9b0cSelric 	    free_RSAPublicKey(&data);
690ca1c9b0cSelric 	    return NULL;
691ca1c9b0cSelric 	}
692ca1c9b0cSelric     }
693ca1c9b0cSelric 
694ca1c9b0cSelric     k->n = _hc_integer_to_BN(&data.modulus, NULL);
695ca1c9b0cSelric     k->e = _hc_integer_to_BN(&data.publicExponent, NULL);
696ca1c9b0cSelric 
697ca1c9b0cSelric     free_RSAPublicKey(&data);
698ca1c9b0cSelric 
699ca1c9b0cSelric     if (k->n == NULL || k->e == NULL) {
700ca1c9b0cSelric 	RSA_free(k);
701ca1c9b0cSelric 	return NULL;
702ca1c9b0cSelric     }
703ca1c9b0cSelric 
704ca1c9b0cSelric     return k;
705ca1c9b0cSelric }
706