1e1051a39Sopenharmony_ci/* 2e1051a39Sopenharmony_ci * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. 3e1051a39Sopenharmony_ci * 4e1051a39Sopenharmony_ci * Licensed under the Apache License 2.0 (the "License"). You may not use 5e1051a39Sopenharmony_ci * this file except in compliance with the License. You can obtain a copy 6e1051a39Sopenharmony_ci * in the file LICENSE in the source distribution or at 7e1051a39Sopenharmony_ci * https://www.openssl.org/source/license.html 8e1051a39Sopenharmony_ci */ 9e1051a39Sopenharmony_ci 10e1051a39Sopenharmony_ci/* 11e1051a39Sopenharmony_ci * NB: these functions have been "upgraded", the deprecated versions (which 12e1051a39Sopenharmony_ci * are compatibility wrappers using these functions) are in rsa_depr.c. - 13e1051a39Sopenharmony_ci * Geoff 14e1051a39Sopenharmony_ci */ 15e1051a39Sopenharmony_ci 16e1051a39Sopenharmony_ci/* 17e1051a39Sopenharmony_ci * RSA low level APIs are deprecated for public use, but still ok for 18e1051a39Sopenharmony_ci * internal use. 19e1051a39Sopenharmony_ci */ 20e1051a39Sopenharmony_ci#include "internal/deprecated.h" 21e1051a39Sopenharmony_ci 22e1051a39Sopenharmony_ci#include <stdio.h> 23e1051a39Sopenharmony_ci#include <time.h> 24e1051a39Sopenharmony_ci#include "internal/cryptlib.h" 25e1051a39Sopenharmony_ci#include <openssl/bn.h> 26e1051a39Sopenharmony_ci#include <openssl/self_test.h> 27e1051a39Sopenharmony_ci#include "prov/providercommon.h" 28e1051a39Sopenharmony_ci#include "rsa_local.h" 29e1051a39Sopenharmony_ci 30e1051a39Sopenharmony_cistatic int rsa_keygen_pairwise_test(RSA *rsa, OSSL_CALLBACK *cb, void *cbarg); 31e1051a39Sopenharmony_cistatic int rsa_keygen(OSSL_LIB_CTX *libctx, RSA *rsa, int bits, int primes, 32e1051a39Sopenharmony_ci BIGNUM *e_value, BN_GENCB *cb, int pairwise_test); 33e1051a39Sopenharmony_ci 34e1051a39Sopenharmony_ci/* 35e1051a39Sopenharmony_ci * NB: this wrapper would normally be placed in rsa_lib.c and the static 36e1051a39Sopenharmony_ci * implementation would probably be in rsa_eay.c. Nonetheless, is kept here 37e1051a39Sopenharmony_ci * so that we don't introduce a new linker dependency. Eg. any application 38e1051a39Sopenharmony_ci * that wasn't previously linking object code related to key-generation won't 39e1051a39Sopenharmony_ci * have to now just because key-generation is part of RSA_METHOD. 40e1051a39Sopenharmony_ci */ 41e1051a39Sopenharmony_ciint RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb) 42e1051a39Sopenharmony_ci{ 43e1051a39Sopenharmony_ci if (rsa->meth->rsa_keygen != NULL) 44e1051a39Sopenharmony_ci return rsa->meth->rsa_keygen(rsa, bits, e_value, cb); 45e1051a39Sopenharmony_ci 46e1051a39Sopenharmony_ci return RSA_generate_multi_prime_key(rsa, bits, RSA_DEFAULT_PRIME_NUM, 47e1051a39Sopenharmony_ci e_value, cb); 48e1051a39Sopenharmony_ci} 49e1051a39Sopenharmony_ci 50e1051a39Sopenharmony_ciint RSA_generate_multi_prime_key(RSA *rsa, int bits, int primes, 51e1051a39Sopenharmony_ci BIGNUM *e_value, BN_GENCB *cb) 52e1051a39Sopenharmony_ci{ 53e1051a39Sopenharmony_ci#ifndef FIPS_MODULE 54e1051a39Sopenharmony_ci /* multi-prime is only supported with the builtin key generation */ 55e1051a39Sopenharmony_ci if (rsa->meth->rsa_multi_prime_keygen != NULL) { 56e1051a39Sopenharmony_ci return rsa->meth->rsa_multi_prime_keygen(rsa, bits, primes, 57e1051a39Sopenharmony_ci e_value, cb); 58e1051a39Sopenharmony_ci } else if (rsa->meth->rsa_keygen != NULL) { 59e1051a39Sopenharmony_ci /* 60e1051a39Sopenharmony_ci * However, if rsa->meth implements only rsa_keygen, then we 61e1051a39Sopenharmony_ci * have to honour it in 2-prime case and assume that it wouldn't 62e1051a39Sopenharmony_ci * know what to do with multi-prime key generated by builtin 63e1051a39Sopenharmony_ci * subroutine... 64e1051a39Sopenharmony_ci */ 65e1051a39Sopenharmony_ci if (primes == 2) 66e1051a39Sopenharmony_ci return rsa->meth->rsa_keygen(rsa, bits, e_value, cb); 67e1051a39Sopenharmony_ci else 68e1051a39Sopenharmony_ci return 0; 69e1051a39Sopenharmony_ci } 70e1051a39Sopenharmony_ci#endif /* FIPS_MODULE */ 71e1051a39Sopenharmony_ci return rsa_keygen(rsa->libctx, rsa, bits, primes, e_value, cb, 0); 72e1051a39Sopenharmony_ci} 73e1051a39Sopenharmony_ci 74e1051a39Sopenharmony_ci#ifndef FIPS_MODULE 75e1051a39Sopenharmony_cistatic int rsa_multiprime_keygen(RSA *rsa, int bits, int primes, 76e1051a39Sopenharmony_ci BIGNUM *e_value, BN_GENCB *cb) 77e1051a39Sopenharmony_ci{ 78e1051a39Sopenharmony_ci BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL, *tmp, *prime; 79e1051a39Sopenharmony_ci int n = 0, bitsr[RSA_MAX_PRIME_NUM], bitse = 0; 80e1051a39Sopenharmony_ci int i = 0, quo = 0, rmd = 0, adj = 0, retries = 0; 81e1051a39Sopenharmony_ci RSA_PRIME_INFO *pinfo = NULL; 82e1051a39Sopenharmony_ci STACK_OF(RSA_PRIME_INFO) *prime_infos = NULL; 83e1051a39Sopenharmony_ci BN_CTX *ctx = NULL; 84e1051a39Sopenharmony_ci BN_ULONG bitst = 0; 85e1051a39Sopenharmony_ci unsigned long error = 0; 86e1051a39Sopenharmony_ci int ok = -1; 87e1051a39Sopenharmony_ci 88e1051a39Sopenharmony_ci if (bits < RSA_MIN_MODULUS_BITS) { 89e1051a39Sopenharmony_ci ok = 0; /* we set our own err */ 90e1051a39Sopenharmony_ci ERR_raise(ERR_LIB_RSA, RSA_R_KEY_SIZE_TOO_SMALL); 91e1051a39Sopenharmony_ci goto err; 92e1051a39Sopenharmony_ci } 93e1051a39Sopenharmony_ci 94e1051a39Sopenharmony_ci /* A bad value for e can cause infinite loops */ 95e1051a39Sopenharmony_ci if (e_value != NULL && !ossl_rsa_check_public_exponent(e_value)) { 96e1051a39Sopenharmony_ci ERR_raise(ERR_LIB_RSA, RSA_R_PUB_EXPONENT_OUT_OF_RANGE); 97e1051a39Sopenharmony_ci return 0; 98e1051a39Sopenharmony_ci } 99e1051a39Sopenharmony_ci 100e1051a39Sopenharmony_ci if (primes < RSA_DEFAULT_PRIME_NUM || primes > ossl_rsa_multip_cap(bits)) { 101e1051a39Sopenharmony_ci ok = 0; /* we set our own err */ 102e1051a39Sopenharmony_ci ERR_raise(ERR_LIB_RSA, RSA_R_KEY_PRIME_NUM_INVALID); 103e1051a39Sopenharmony_ci goto err; 104e1051a39Sopenharmony_ci } 105e1051a39Sopenharmony_ci 106e1051a39Sopenharmony_ci ctx = BN_CTX_new_ex(rsa->libctx); 107e1051a39Sopenharmony_ci if (ctx == NULL) 108e1051a39Sopenharmony_ci goto err; 109e1051a39Sopenharmony_ci BN_CTX_start(ctx); 110e1051a39Sopenharmony_ci r0 = BN_CTX_get(ctx); 111e1051a39Sopenharmony_ci r1 = BN_CTX_get(ctx); 112e1051a39Sopenharmony_ci r2 = BN_CTX_get(ctx); 113e1051a39Sopenharmony_ci if (r2 == NULL) 114e1051a39Sopenharmony_ci goto err; 115e1051a39Sopenharmony_ci 116e1051a39Sopenharmony_ci /* divide bits into 'primes' pieces evenly */ 117e1051a39Sopenharmony_ci quo = bits / primes; 118e1051a39Sopenharmony_ci rmd = bits % primes; 119e1051a39Sopenharmony_ci 120e1051a39Sopenharmony_ci for (i = 0; i < primes; i++) 121e1051a39Sopenharmony_ci bitsr[i] = (i < rmd) ? quo + 1 : quo; 122e1051a39Sopenharmony_ci 123e1051a39Sopenharmony_ci rsa->dirty_cnt++; 124e1051a39Sopenharmony_ci 125e1051a39Sopenharmony_ci /* We need the RSA components non-NULL */ 126e1051a39Sopenharmony_ci if (!rsa->n && ((rsa->n = BN_new()) == NULL)) 127e1051a39Sopenharmony_ci goto err; 128e1051a39Sopenharmony_ci if (!rsa->d && ((rsa->d = BN_secure_new()) == NULL)) 129e1051a39Sopenharmony_ci goto err; 130e1051a39Sopenharmony_ci BN_set_flags(rsa->d, BN_FLG_CONSTTIME); 131e1051a39Sopenharmony_ci if (!rsa->e && ((rsa->e = BN_new()) == NULL)) 132e1051a39Sopenharmony_ci goto err; 133e1051a39Sopenharmony_ci if (!rsa->p && ((rsa->p = BN_secure_new()) == NULL)) 134e1051a39Sopenharmony_ci goto err; 135e1051a39Sopenharmony_ci BN_set_flags(rsa->p, BN_FLG_CONSTTIME); 136e1051a39Sopenharmony_ci if (!rsa->q && ((rsa->q = BN_secure_new()) == NULL)) 137e1051a39Sopenharmony_ci goto err; 138e1051a39Sopenharmony_ci BN_set_flags(rsa->q, BN_FLG_CONSTTIME); 139e1051a39Sopenharmony_ci if (!rsa->dmp1 && ((rsa->dmp1 = BN_secure_new()) == NULL)) 140e1051a39Sopenharmony_ci goto err; 141e1051a39Sopenharmony_ci BN_set_flags(rsa->dmp1, BN_FLG_CONSTTIME); 142e1051a39Sopenharmony_ci if (!rsa->dmq1 && ((rsa->dmq1 = BN_secure_new()) == NULL)) 143e1051a39Sopenharmony_ci goto err; 144e1051a39Sopenharmony_ci BN_set_flags(rsa->dmq1, BN_FLG_CONSTTIME); 145e1051a39Sopenharmony_ci if (!rsa->iqmp && ((rsa->iqmp = BN_secure_new()) == NULL)) 146e1051a39Sopenharmony_ci goto err; 147e1051a39Sopenharmony_ci BN_set_flags(rsa->iqmp, BN_FLG_CONSTTIME); 148e1051a39Sopenharmony_ci 149e1051a39Sopenharmony_ci /* initialize multi-prime components */ 150e1051a39Sopenharmony_ci if (primes > RSA_DEFAULT_PRIME_NUM) { 151e1051a39Sopenharmony_ci rsa->version = RSA_ASN1_VERSION_MULTI; 152e1051a39Sopenharmony_ci prime_infos = sk_RSA_PRIME_INFO_new_reserve(NULL, primes - 2); 153e1051a39Sopenharmony_ci if (prime_infos == NULL) 154e1051a39Sopenharmony_ci goto err; 155e1051a39Sopenharmony_ci if (rsa->prime_infos != NULL) { 156e1051a39Sopenharmony_ci /* could this happen? */ 157e1051a39Sopenharmony_ci sk_RSA_PRIME_INFO_pop_free(rsa->prime_infos, 158e1051a39Sopenharmony_ci ossl_rsa_multip_info_free); 159e1051a39Sopenharmony_ci } 160e1051a39Sopenharmony_ci rsa->prime_infos = prime_infos; 161e1051a39Sopenharmony_ci 162e1051a39Sopenharmony_ci /* prime_info from 2 to |primes| -1 */ 163e1051a39Sopenharmony_ci for (i = 2; i < primes; i++) { 164e1051a39Sopenharmony_ci pinfo = ossl_rsa_multip_info_new(); 165e1051a39Sopenharmony_ci if (pinfo == NULL) 166e1051a39Sopenharmony_ci goto err; 167e1051a39Sopenharmony_ci (void)sk_RSA_PRIME_INFO_push(prime_infos, pinfo); 168e1051a39Sopenharmony_ci } 169e1051a39Sopenharmony_ci } 170e1051a39Sopenharmony_ci 171e1051a39Sopenharmony_ci if (BN_copy(rsa->e, e_value) == NULL) 172e1051a39Sopenharmony_ci goto err; 173e1051a39Sopenharmony_ci 174e1051a39Sopenharmony_ci /* generate p, q and other primes (if any) */ 175e1051a39Sopenharmony_ci for (i = 0; i < primes; i++) { 176e1051a39Sopenharmony_ci adj = 0; 177e1051a39Sopenharmony_ci retries = 0; 178e1051a39Sopenharmony_ci 179e1051a39Sopenharmony_ci if (i == 0) { 180e1051a39Sopenharmony_ci prime = rsa->p; 181e1051a39Sopenharmony_ci } else if (i == 1) { 182e1051a39Sopenharmony_ci prime = rsa->q; 183e1051a39Sopenharmony_ci } else { 184e1051a39Sopenharmony_ci pinfo = sk_RSA_PRIME_INFO_value(prime_infos, i - 2); 185e1051a39Sopenharmony_ci prime = pinfo->r; 186e1051a39Sopenharmony_ci } 187e1051a39Sopenharmony_ci BN_set_flags(prime, BN_FLG_CONSTTIME); 188e1051a39Sopenharmony_ci 189e1051a39Sopenharmony_ci for (;;) { 190e1051a39Sopenharmony_ci redo: 191e1051a39Sopenharmony_ci if (!BN_generate_prime_ex2(prime, bitsr[i] + adj, 0, NULL, NULL, 192e1051a39Sopenharmony_ci cb, ctx)) 193e1051a39Sopenharmony_ci goto err; 194e1051a39Sopenharmony_ci /* 195e1051a39Sopenharmony_ci * prime should not be equal to p, q, r_3... 196e1051a39Sopenharmony_ci * (those primes prior to this one) 197e1051a39Sopenharmony_ci */ 198e1051a39Sopenharmony_ci { 199e1051a39Sopenharmony_ci int j; 200e1051a39Sopenharmony_ci 201e1051a39Sopenharmony_ci for (j = 0; j < i; j++) { 202e1051a39Sopenharmony_ci BIGNUM *prev_prime; 203e1051a39Sopenharmony_ci 204e1051a39Sopenharmony_ci if (j == 0) 205e1051a39Sopenharmony_ci prev_prime = rsa->p; 206e1051a39Sopenharmony_ci else if (j == 1) 207e1051a39Sopenharmony_ci prev_prime = rsa->q; 208e1051a39Sopenharmony_ci else 209e1051a39Sopenharmony_ci prev_prime = sk_RSA_PRIME_INFO_value(prime_infos, 210e1051a39Sopenharmony_ci j - 2)->r; 211e1051a39Sopenharmony_ci 212e1051a39Sopenharmony_ci if (!BN_cmp(prime, prev_prime)) { 213e1051a39Sopenharmony_ci goto redo; 214e1051a39Sopenharmony_ci } 215e1051a39Sopenharmony_ci } 216e1051a39Sopenharmony_ci } 217e1051a39Sopenharmony_ci if (!BN_sub(r2, prime, BN_value_one())) 218e1051a39Sopenharmony_ci goto err; 219e1051a39Sopenharmony_ci ERR_set_mark(); 220e1051a39Sopenharmony_ci BN_set_flags(r2, BN_FLG_CONSTTIME); 221e1051a39Sopenharmony_ci if (BN_mod_inverse(r1, r2, rsa->e, ctx) != NULL) { 222e1051a39Sopenharmony_ci /* GCD == 1 since inverse exists */ 223e1051a39Sopenharmony_ci break; 224e1051a39Sopenharmony_ci } 225e1051a39Sopenharmony_ci error = ERR_peek_last_error(); 226e1051a39Sopenharmony_ci if (ERR_GET_LIB(error) == ERR_LIB_BN 227e1051a39Sopenharmony_ci && ERR_GET_REASON(error) == BN_R_NO_INVERSE) { 228e1051a39Sopenharmony_ci /* GCD != 1 */ 229e1051a39Sopenharmony_ci ERR_pop_to_mark(); 230e1051a39Sopenharmony_ci } else { 231e1051a39Sopenharmony_ci goto err; 232e1051a39Sopenharmony_ci } 233e1051a39Sopenharmony_ci if (!BN_GENCB_call(cb, 2, n++)) 234e1051a39Sopenharmony_ci goto err; 235e1051a39Sopenharmony_ci } 236e1051a39Sopenharmony_ci 237e1051a39Sopenharmony_ci bitse += bitsr[i]; 238e1051a39Sopenharmony_ci 239e1051a39Sopenharmony_ci /* calculate n immediately to see if it's sufficient */ 240e1051a39Sopenharmony_ci if (i == 1) { 241e1051a39Sopenharmony_ci /* we get at least 2 primes */ 242e1051a39Sopenharmony_ci if (!BN_mul(r1, rsa->p, rsa->q, ctx)) 243e1051a39Sopenharmony_ci goto err; 244e1051a39Sopenharmony_ci } else if (i != 0) { 245e1051a39Sopenharmony_ci /* modulus n = p * q * r_3 * r_4 ... */ 246e1051a39Sopenharmony_ci if (!BN_mul(r1, rsa->n, prime, ctx)) 247e1051a39Sopenharmony_ci goto err; 248e1051a39Sopenharmony_ci } else { 249e1051a39Sopenharmony_ci /* i == 0, do nothing */ 250e1051a39Sopenharmony_ci if (!BN_GENCB_call(cb, 3, i)) 251e1051a39Sopenharmony_ci goto err; 252e1051a39Sopenharmony_ci continue; 253e1051a39Sopenharmony_ci } 254e1051a39Sopenharmony_ci /* 255e1051a39Sopenharmony_ci * if |r1|, product of factors so far, is not as long as expected 256e1051a39Sopenharmony_ci * (by checking the first 4 bits are less than 0x9 or greater than 257e1051a39Sopenharmony_ci * 0xF). If so, re-generate the last prime. 258e1051a39Sopenharmony_ci * 259e1051a39Sopenharmony_ci * NOTE: This actually can't happen in two-prime case, because of 260e1051a39Sopenharmony_ci * the way factors are generated. 261e1051a39Sopenharmony_ci * 262e1051a39Sopenharmony_ci * Besides, another consideration is, for multi-prime case, even the 263e1051a39Sopenharmony_ci * length modulus is as long as expected, the modulus could start at 264e1051a39Sopenharmony_ci * 0x8, which could be utilized to distinguish a multi-prime private 265e1051a39Sopenharmony_ci * key by using the modulus in a certificate. This is also covered 266e1051a39Sopenharmony_ci * by checking the length should not be less than 0x9. 267e1051a39Sopenharmony_ci */ 268e1051a39Sopenharmony_ci if (!BN_rshift(r2, r1, bitse - 4)) 269e1051a39Sopenharmony_ci goto err; 270e1051a39Sopenharmony_ci bitst = BN_get_word(r2); 271e1051a39Sopenharmony_ci 272e1051a39Sopenharmony_ci if (bitst < 0x9 || bitst > 0xF) { 273e1051a39Sopenharmony_ci /* 274e1051a39Sopenharmony_ci * For keys with more than 4 primes, we attempt longer factor to 275e1051a39Sopenharmony_ci * meet length requirement. 276e1051a39Sopenharmony_ci * 277e1051a39Sopenharmony_ci * Otherwise, we just re-generate the prime with the same length. 278e1051a39Sopenharmony_ci * 279e1051a39Sopenharmony_ci * This strategy has the following goals: 280e1051a39Sopenharmony_ci * 281e1051a39Sopenharmony_ci * 1. 1024-bit factors are efficient when using 3072 and 4096-bit key 282e1051a39Sopenharmony_ci * 2. stay the same logic with normal 2-prime key 283e1051a39Sopenharmony_ci */ 284e1051a39Sopenharmony_ci bitse -= bitsr[i]; 285e1051a39Sopenharmony_ci if (!BN_GENCB_call(cb, 2, n++)) 286e1051a39Sopenharmony_ci goto err; 287e1051a39Sopenharmony_ci if (primes > 4) { 288e1051a39Sopenharmony_ci if (bitst < 0x9) 289e1051a39Sopenharmony_ci adj++; 290e1051a39Sopenharmony_ci else 291e1051a39Sopenharmony_ci adj--; 292e1051a39Sopenharmony_ci } else if (retries == 4) { 293e1051a39Sopenharmony_ci /* 294e1051a39Sopenharmony_ci * re-generate all primes from scratch, mainly used 295e1051a39Sopenharmony_ci * in 4 prime case to avoid long loop. Max retry times 296e1051a39Sopenharmony_ci * is set to 4. 297e1051a39Sopenharmony_ci */ 298e1051a39Sopenharmony_ci i = -1; 299e1051a39Sopenharmony_ci bitse = 0; 300e1051a39Sopenharmony_ci continue; 301e1051a39Sopenharmony_ci } 302e1051a39Sopenharmony_ci retries++; 303e1051a39Sopenharmony_ci goto redo; 304e1051a39Sopenharmony_ci } 305e1051a39Sopenharmony_ci /* save product of primes for further use, for multi-prime only */ 306e1051a39Sopenharmony_ci if (i > 1 && BN_copy(pinfo->pp, rsa->n) == NULL) 307e1051a39Sopenharmony_ci goto err; 308e1051a39Sopenharmony_ci if (BN_copy(rsa->n, r1) == NULL) 309e1051a39Sopenharmony_ci goto err; 310e1051a39Sopenharmony_ci if (!BN_GENCB_call(cb, 3, i)) 311e1051a39Sopenharmony_ci goto err; 312e1051a39Sopenharmony_ci } 313e1051a39Sopenharmony_ci 314e1051a39Sopenharmony_ci if (BN_cmp(rsa->p, rsa->q) < 0) { 315e1051a39Sopenharmony_ci tmp = rsa->p; 316e1051a39Sopenharmony_ci rsa->p = rsa->q; 317e1051a39Sopenharmony_ci rsa->q = tmp; 318e1051a39Sopenharmony_ci } 319e1051a39Sopenharmony_ci 320e1051a39Sopenharmony_ci /* calculate d */ 321e1051a39Sopenharmony_ci 322e1051a39Sopenharmony_ci /* p - 1 */ 323e1051a39Sopenharmony_ci if (!BN_sub(r1, rsa->p, BN_value_one())) 324e1051a39Sopenharmony_ci goto err; 325e1051a39Sopenharmony_ci /* q - 1 */ 326e1051a39Sopenharmony_ci if (!BN_sub(r2, rsa->q, BN_value_one())) 327e1051a39Sopenharmony_ci goto err; 328e1051a39Sopenharmony_ci /* (p - 1)(q - 1) */ 329e1051a39Sopenharmony_ci if (!BN_mul(r0, r1, r2, ctx)) 330e1051a39Sopenharmony_ci goto err; 331e1051a39Sopenharmony_ci /* multi-prime */ 332e1051a39Sopenharmony_ci for (i = 2; i < primes; i++) { 333e1051a39Sopenharmony_ci pinfo = sk_RSA_PRIME_INFO_value(prime_infos, i - 2); 334e1051a39Sopenharmony_ci /* save r_i - 1 to pinfo->d temporarily */ 335e1051a39Sopenharmony_ci if (!BN_sub(pinfo->d, pinfo->r, BN_value_one())) 336e1051a39Sopenharmony_ci goto err; 337e1051a39Sopenharmony_ci if (!BN_mul(r0, r0, pinfo->d, ctx)) 338e1051a39Sopenharmony_ci goto err; 339e1051a39Sopenharmony_ci } 340e1051a39Sopenharmony_ci 341e1051a39Sopenharmony_ci { 342e1051a39Sopenharmony_ci BIGNUM *pr0 = BN_new(); 343e1051a39Sopenharmony_ci 344e1051a39Sopenharmony_ci if (pr0 == NULL) 345e1051a39Sopenharmony_ci goto err; 346e1051a39Sopenharmony_ci 347e1051a39Sopenharmony_ci BN_with_flags(pr0, r0, BN_FLG_CONSTTIME); 348e1051a39Sopenharmony_ci if (!BN_mod_inverse(rsa->d, rsa->e, pr0, ctx)) { 349e1051a39Sopenharmony_ci BN_free(pr0); 350e1051a39Sopenharmony_ci goto err; /* d */ 351e1051a39Sopenharmony_ci } 352e1051a39Sopenharmony_ci /* We MUST free pr0 before any further use of r0 */ 353e1051a39Sopenharmony_ci BN_free(pr0); 354e1051a39Sopenharmony_ci } 355e1051a39Sopenharmony_ci 356e1051a39Sopenharmony_ci { 357e1051a39Sopenharmony_ci BIGNUM *d = BN_new(); 358e1051a39Sopenharmony_ci 359e1051a39Sopenharmony_ci if (d == NULL) 360e1051a39Sopenharmony_ci goto err; 361e1051a39Sopenharmony_ci 362e1051a39Sopenharmony_ci BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); 363e1051a39Sopenharmony_ci 364e1051a39Sopenharmony_ci /* calculate d mod (p-1) and d mod (q - 1) */ 365e1051a39Sopenharmony_ci if (!BN_mod(rsa->dmp1, d, r1, ctx) 366e1051a39Sopenharmony_ci || !BN_mod(rsa->dmq1, d, r2, ctx)) { 367e1051a39Sopenharmony_ci BN_free(d); 368e1051a39Sopenharmony_ci goto err; 369e1051a39Sopenharmony_ci } 370e1051a39Sopenharmony_ci 371e1051a39Sopenharmony_ci /* calculate CRT exponents */ 372e1051a39Sopenharmony_ci for (i = 2; i < primes; i++) { 373e1051a39Sopenharmony_ci pinfo = sk_RSA_PRIME_INFO_value(prime_infos, i - 2); 374e1051a39Sopenharmony_ci /* pinfo->d == r_i - 1 */ 375e1051a39Sopenharmony_ci if (!BN_mod(pinfo->d, d, pinfo->d, ctx)) { 376e1051a39Sopenharmony_ci BN_free(d); 377e1051a39Sopenharmony_ci goto err; 378e1051a39Sopenharmony_ci } 379e1051a39Sopenharmony_ci } 380e1051a39Sopenharmony_ci 381e1051a39Sopenharmony_ci /* We MUST free d before any further use of rsa->d */ 382e1051a39Sopenharmony_ci BN_free(d); 383e1051a39Sopenharmony_ci } 384e1051a39Sopenharmony_ci 385e1051a39Sopenharmony_ci { 386e1051a39Sopenharmony_ci BIGNUM *p = BN_new(); 387e1051a39Sopenharmony_ci 388e1051a39Sopenharmony_ci if (p == NULL) 389e1051a39Sopenharmony_ci goto err; 390e1051a39Sopenharmony_ci BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME); 391e1051a39Sopenharmony_ci 392e1051a39Sopenharmony_ci /* calculate inverse of q mod p */ 393e1051a39Sopenharmony_ci if (!BN_mod_inverse(rsa->iqmp, rsa->q, p, ctx)) { 394e1051a39Sopenharmony_ci BN_free(p); 395e1051a39Sopenharmony_ci goto err; 396e1051a39Sopenharmony_ci } 397e1051a39Sopenharmony_ci 398e1051a39Sopenharmony_ci /* calculate CRT coefficient for other primes */ 399e1051a39Sopenharmony_ci for (i = 2; i < primes; i++) { 400e1051a39Sopenharmony_ci pinfo = sk_RSA_PRIME_INFO_value(prime_infos, i - 2); 401e1051a39Sopenharmony_ci BN_with_flags(p, pinfo->r, BN_FLG_CONSTTIME); 402e1051a39Sopenharmony_ci if (!BN_mod_inverse(pinfo->t, pinfo->pp, p, ctx)) { 403e1051a39Sopenharmony_ci BN_free(p); 404e1051a39Sopenharmony_ci goto err; 405e1051a39Sopenharmony_ci } 406e1051a39Sopenharmony_ci } 407e1051a39Sopenharmony_ci 408e1051a39Sopenharmony_ci /* We MUST free p before any further use of rsa->p */ 409e1051a39Sopenharmony_ci BN_free(p); 410e1051a39Sopenharmony_ci } 411e1051a39Sopenharmony_ci 412e1051a39Sopenharmony_ci ok = 1; 413e1051a39Sopenharmony_ci err: 414e1051a39Sopenharmony_ci if (ok == -1) { 415e1051a39Sopenharmony_ci ERR_raise(ERR_LIB_RSA, ERR_R_BN_LIB); 416e1051a39Sopenharmony_ci ok = 0; 417e1051a39Sopenharmony_ci } 418e1051a39Sopenharmony_ci BN_CTX_end(ctx); 419e1051a39Sopenharmony_ci BN_CTX_free(ctx); 420e1051a39Sopenharmony_ci return ok; 421e1051a39Sopenharmony_ci} 422e1051a39Sopenharmony_ci#endif /* FIPS_MODULE */ 423e1051a39Sopenharmony_ci 424e1051a39Sopenharmony_cistatic int rsa_keygen(OSSL_LIB_CTX *libctx, RSA *rsa, int bits, int primes, 425e1051a39Sopenharmony_ci BIGNUM *e_value, BN_GENCB *cb, int pairwise_test) 426e1051a39Sopenharmony_ci{ 427e1051a39Sopenharmony_ci int ok = 0; 428e1051a39Sopenharmony_ci 429e1051a39Sopenharmony_ci#ifdef FIPS_MODULE 430e1051a39Sopenharmony_ci ok = ossl_rsa_sp800_56b_generate_key(rsa, bits, e_value, cb); 431e1051a39Sopenharmony_ci pairwise_test = 1; /* FIPS MODE needs to always run the pairwise test */ 432e1051a39Sopenharmony_ci#else 433e1051a39Sopenharmony_ci /* 434e1051a39Sopenharmony_ci * Only multi-prime keys or insecure keys with a small key length or a 435e1051a39Sopenharmony_ci * public exponent <= 2^16 will use the older rsa_multiprime_keygen(). 436e1051a39Sopenharmony_ci */ 437e1051a39Sopenharmony_ci if (primes == 2 438e1051a39Sopenharmony_ci && bits >= 2048 439e1051a39Sopenharmony_ci && (e_value == NULL || BN_num_bits(e_value) > 16)) 440e1051a39Sopenharmony_ci ok = ossl_rsa_sp800_56b_generate_key(rsa, bits, e_value, cb); 441e1051a39Sopenharmony_ci else 442e1051a39Sopenharmony_ci ok = rsa_multiprime_keygen(rsa, bits, primes, e_value, cb); 443e1051a39Sopenharmony_ci#endif /* FIPS_MODULE */ 444e1051a39Sopenharmony_ci 445e1051a39Sopenharmony_ci if (pairwise_test && ok > 0) { 446e1051a39Sopenharmony_ci OSSL_CALLBACK *stcb = NULL; 447e1051a39Sopenharmony_ci void *stcbarg = NULL; 448e1051a39Sopenharmony_ci 449e1051a39Sopenharmony_ci OSSL_SELF_TEST_get_callback(libctx, &stcb, &stcbarg); 450e1051a39Sopenharmony_ci ok = rsa_keygen_pairwise_test(rsa, stcb, stcbarg); 451e1051a39Sopenharmony_ci if (!ok) { 452e1051a39Sopenharmony_ci ossl_set_error_state(OSSL_SELF_TEST_TYPE_PCT); 453e1051a39Sopenharmony_ci /* Clear intermediate results */ 454e1051a39Sopenharmony_ci BN_clear_free(rsa->d); 455e1051a39Sopenharmony_ci BN_clear_free(rsa->p); 456e1051a39Sopenharmony_ci BN_clear_free(rsa->q); 457e1051a39Sopenharmony_ci BN_clear_free(rsa->dmp1); 458e1051a39Sopenharmony_ci BN_clear_free(rsa->dmq1); 459e1051a39Sopenharmony_ci BN_clear_free(rsa->iqmp); 460e1051a39Sopenharmony_ci rsa->d = NULL; 461e1051a39Sopenharmony_ci rsa->p = NULL; 462e1051a39Sopenharmony_ci rsa->q = NULL; 463e1051a39Sopenharmony_ci rsa->dmp1 = NULL; 464e1051a39Sopenharmony_ci rsa->dmq1 = NULL; 465e1051a39Sopenharmony_ci rsa->iqmp = NULL; 466e1051a39Sopenharmony_ci } 467e1051a39Sopenharmony_ci } 468e1051a39Sopenharmony_ci return ok; 469e1051a39Sopenharmony_ci} 470e1051a39Sopenharmony_ci 471e1051a39Sopenharmony_ci/* 472e1051a39Sopenharmony_ci * For RSA key generation it is not known whether the key pair will be used 473e1051a39Sopenharmony_ci * for key transport or signatures. FIPS 140-2 IG 9.9 states that in this case 474e1051a39Sopenharmony_ci * either a signature verification OR an encryption operation may be used to 475e1051a39Sopenharmony_ci * perform the pairwise consistency check. The simpler encrypt/decrypt operation 476e1051a39Sopenharmony_ci * has been chosen for this case. 477e1051a39Sopenharmony_ci */ 478e1051a39Sopenharmony_cistatic int rsa_keygen_pairwise_test(RSA *rsa, OSSL_CALLBACK *cb, void *cbarg) 479e1051a39Sopenharmony_ci{ 480e1051a39Sopenharmony_ci int ret = 0; 481e1051a39Sopenharmony_ci unsigned int ciphertxt_len; 482e1051a39Sopenharmony_ci unsigned char *ciphertxt = NULL; 483e1051a39Sopenharmony_ci const unsigned char plaintxt[16] = {0}; 484e1051a39Sopenharmony_ci unsigned char *decoded = NULL; 485e1051a39Sopenharmony_ci unsigned int decoded_len; 486e1051a39Sopenharmony_ci unsigned int plaintxt_len = (unsigned int)sizeof(plaintxt_len); 487e1051a39Sopenharmony_ci int padding = RSA_PKCS1_PADDING; 488e1051a39Sopenharmony_ci OSSL_SELF_TEST *st = NULL; 489e1051a39Sopenharmony_ci 490e1051a39Sopenharmony_ci st = OSSL_SELF_TEST_new(cb, cbarg); 491e1051a39Sopenharmony_ci if (st == NULL) 492e1051a39Sopenharmony_ci goto err; 493e1051a39Sopenharmony_ci OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_PCT, 494e1051a39Sopenharmony_ci OSSL_SELF_TEST_DESC_PCT_RSA_PKCS1); 495e1051a39Sopenharmony_ci 496e1051a39Sopenharmony_ci ciphertxt_len = RSA_size(rsa); 497e1051a39Sopenharmony_ci /* 498e1051a39Sopenharmony_ci * RSA_private_encrypt() and RSA_private_decrypt() requires the 'to' 499e1051a39Sopenharmony_ci * parameter to be a maximum of RSA_size() - allocate space for both. 500e1051a39Sopenharmony_ci */ 501e1051a39Sopenharmony_ci ciphertxt = OPENSSL_zalloc(ciphertxt_len * 2); 502e1051a39Sopenharmony_ci if (ciphertxt == NULL) 503e1051a39Sopenharmony_ci goto err; 504e1051a39Sopenharmony_ci decoded = ciphertxt + ciphertxt_len; 505e1051a39Sopenharmony_ci 506e1051a39Sopenharmony_ci ciphertxt_len = RSA_public_encrypt(plaintxt_len, plaintxt, ciphertxt, rsa, 507e1051a39Sopenharmony_ci padding); 508e1051a39Sopenharmony_ci if (ciphertxt_len <= 0) 509e1051a39Sopenharmony_ci goto err; 510e1051a39Sopenharmony_ci if (ciphertxt_len == plaintxt_len 511e1051a39Sopenharmony_ci && memcmp(ciphertxt, plaintxt, plaintxt_len) == 0) 512e1051a39Sopenharmony_ci goto err; 513e1051a39Sopenharmony_ci 514e1051a39Sopenharmony_ci OSSL_SELF_TEST_oncorrupt_byte(st, ciphertxt); 515e1051a39Sopenharmony_ci 516e1051a39Sopenharmony_ci decoded_len = RSA_private_decrypt(ciphertxt_len, ciphertxt, decoded, rsa, 517e1051a39Sopenharmony_ci padding); 518e1051a39Sopenharmony_ci if (decoded_len != plaintxt_len 519e1051a39Sopenharmony_ci || memcmp(decoded, plaintxt, decoded_len) != 0) 520e1051a39Sopenharmony_ci goto err; 521e1051a39Sopenharmony_ci 522e1051a39Sopenharmony_ci ret = 1; 523e1051a39Sopenharmony_cierr: 524e1051a39Sopenharmony_ci OSSL_SELF_TEST_onend(st, ret); 525e1051a39Sopenharmony_ci OSSL_SELF_TEST_free(st); 526e1051a39Sopenharmony_ci OPENSSL_free(ciphertxt); 527e1051a39Sopenharmony_ci 528e1051a39Sopenharmony_ci return ret; 529e1051a39Sopenharmony_ci} 530