xref: /third_party/openssl/crypto/rsa/rsa_x931g.c (revision e1051a39) 
1/*
2 * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License").  You may not use
5 * this file except in compliance with the License.  You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10/*
11 * RSA low level APIs are deprecated for public use, but still ok for
12 * internal use.
13 */
14#define OPENSSL_SUPPRESS_DEPRECATED
15
16#include <stdio.h>
17#include <string.h>
18#include <time.h>
19#include <openssl/err.h>
20#include <openssl/bn.h>
21#include "rsa_local.h"
22
23/* X9.31 RSA key derivation and generation */
24
25int RSA_X931_derive_ex(RSA *rsa, BIGNUM *p1, BIGNUM *p2, BIGNUM *q1,
26                       BIGNUM *q2, const BIGNUM *Xp1, const BIGNUM *Xp2,
27                       const BIGNUM *Xp, const BIGNUM *Xq1, const BIGNUM *Xq2,
28                       const BIGNUM *Xq, const BIGNUM *e, BN_GENCB *cb)
29{
30    BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL, *r3 = NULL;
31    BN_CTX *ctx = NULL, *ctx2 = NULL;
32    int ret = 0;
33
34    if (!rsa)
35        goto err;
36
37    ctx = BN_CTX_new();
38    if (ctx == NULL)
39        goto err;
40    BN_CTX_start(ctx);
41
42    r0 = BN_CTX_get(ctx);
43    r1 = BN_CTX_get(ctx);
44    r2 = BN_CTX_get(ctx);
45    r3 = BN_CTX_get(ctx);
46
47    if (r3 == NULL)
48        goto err;
49    if (!rsa->e) {
50        rsa->e = BN_dup(e);
51        if (!rsa->e)
52            goto err;
53    } else {
54        e = rsa->e;
55    }
56
57    /*
58     * If not all parameters present only calculate what we can. This allows
59     * test programs to output selective parameters.
60     */
61
62    if (Xp && rsa->p == NULL) {
63        rsa->p = BN_new();
64        if (rsa->p == NULL)
65            goto err;
66
67        if (!BN_X931_derive_prime_ex(rsa->p, p1, p2,
68                                     Xp, Xp1, Xp2, e, ctx, cb))
69            goto err;
70    }
71
72    if (Xq && rsa->q == NULL) {
73        rsa->q = BN_new();
74        if (rsa->q == NULL)
75            goto err;
76        if (!BN_X931_derive_prime_ex(rsa->q, q1, q2,
77                                     Xq, Xq1, Xq2, e, ctx, cb))
78            goto err;
79    }
80
81    if (rsa->p == NULL || rsa->q == NULL) {
82        BN_CTX_end(ctx);
83        BN_CTX_free(ctx);
84        return 2;
85    }
86
87    /*
88     * Since both primes are set we can now calculate all remaining
89     * components.
90     */
91
92    /* calculate n */
93    rsa->n = BN_new();
94    if (rsa->n == NULL)
95        goto err;
96    if (!BN_mul(rsa->n, rsa->p, rsa->q, ctx))
97        goto err;
98
99    /* calculate d */
100    if (!BN_sub(r1, rsa->p, BN_value_one()))
101        goto err;               /* p-1 */
102    if (!BN_sub(r2, rsa->q, BN_value_one()))
103        goto err;               /* q-1 */
104    if (!BN_mul(r0, r1, r2, ctx))
105        goto err;               /* (p-1)(q-1) */
106
107    if (!BN_gcd(r3, r1, r2, ctx))
108        goto err;
109
110    if (!BN_div(r0, NULL, r0, r3, ctx))
111        goto err;               /* LCM((p-1)(q-1)) */
112
113    ctx2 = BN_CTX_new();
114    if (ctx2 == NULL)
115        goto err;
116
117    rsa->d = BN_mod_inverse(NULL, rsa->e, r0, ctx2); /* d */
118    if (rsa->d == NULL)
119        goto err;
120
121    /* calculate d mod (p-1) */
122    rsa->dmp1 = BN_new();
123    if (rsa->dmp1 == NULL)
124        goto err;
125    if (!BN_mod(rsa->dmp1, rsa->d, r1, ctx))
126        goto err;
127
128    /* calculate d mod (q-1) */
129    rsa->dmq1 = BN_new();
130    if (rsa->dmq1 == NULL)
131        goto err;
132    if (!BN_mod(rsa->dmq1, rsa->d, r2, ctx))
133        goto err;
134
135    /* calculate inverse of q mod p */
136    rsa->iqmp = BN_mod_inverse(NULL, rsa->q, rsa->p, ctx2);
137    if (rsa->iqmp == NULL)
138        goto err;
139
140    rsa->dirty_cnt++;
141    ret = 1;
142 err:
143    BN_CTX_end(ctx);
144    BN_CTX_free(ctx);
145    BN_CTX_free(ctx2);
146
147    return ret;
148
149}
150
151int RSA_X931_generate_key_ex(RSA *rsa, int bits, const BIGNUM *e,
152                             BN_GENCB *cb)
153{
154    int ok = 0;
155    BIGNUM *Xp = NULL, *Xq = NULL;
156    BN_CTX *ctx = NULL;
157
158    ctx = BN_CTX_new();
159    if (ctx == NULL)
160        goto error;
161
162    BN_CTX_start(ctx);
163    Xp = BN_CTX_get(ctx);
164    Xq = BN_CTX_get(ctx);
165    if (Xq == NULL)
166        goto error;
167    if (!BN_X931_generate_Xpq(Xp, Xq, bits, ctx))
168        goto error;
169
170    rsa->p = BN_new();
171    rsa->q = BN_new();
172    if (rsa->p == NULL || rsa->q == NULL)
173        goto error;
174
175    /* Generate two primes from Xp, Xq */
176
177    if (!BN_X931_generate_prime_ex(rsa->p, NULL, NULL, NULL, NULL, Xp,
178                                   e, ctx, cb))
179        goto error;
180
181    if (!BN_X931_generate_prime_ex(rsa->q, NULL, NULL, NULL, NULL, Xq,
182                                   e, ctx, cb))
183        goto error;
184
185    /*
186     * Since rsa->p and rsa->q are valid this call will just derive remaining
187     * RSA components.
188     */
189
190    if (!RSA_X931_derive_ex(rsa, NULL, NULL, NULL, NULL,
191                            NULL, NULL, NULL, NULL, NULL, NULL, e, cb))
192        goto error;
193
194    rsa->dirty_cnt++;
195    ok = 1;
196
197 error:
198    BN_CTX_end(ctx);
199    BN_CTX_free(ctx);
200
201    if (ok)
202        return 1;
203
204    return 0;
205
206}
207