[thirdparty/openssl.git] / crypto / rsa / rsa_chk.c

/*
 * Copyright 1999-2020 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

/*
 * RSA low level APIs are deprecated for public use, but still ok for
 * internal use.
 */
#include "internal/deprecated.h"

#include <openssl/bn.h>
#include <openssl/err.h>
#include "crypto/rsa.h"
#include "rsa_local.h"

#ifndef FIPS_MODE
static int rsa_validate_keypair_multiprime(const RSA *key, BN_GENCB *cb)
{
    BIGNUM *i, *j, *k, *l, *m;
    BN_CTX *ctx;
    int ret = 1, ex_primes = 0, idx;
    RSA_PRIME_INFO *pinfo;

    if (key->p == NULL || key->q == NULL || key->n == NULL
            || key->e == NULL || key->d == NULL) {
        RSAerr(0, RSA_R_VALUE_MISSING);
        return 0;
    }

    /* multi-prime? */
    if (key->version == RSA_ASN1_VERSION_MULTI) {
        ex_primes = sk_RSA_PRIME_INFO_num(key->prime_infos);
        if (ex_primes <= 0
                || (ex_primes + 2) > rsa_multip_cap(BN_num_bits(key->n))) {
            RSAerr(0, RSA_R_INVALID_MULTI_PRIME_KEY);
            return 0;
        }
    }

    i = BN_new();
    j = BN_new();
    k = BN_new();
    l = BN_new();
    m = BN_new();
    ctx = BN_CTX_new();
    if (i == NULL || j == NULL || k == NULL || l == NULL
            || m == NULL || ctx == NULL) {
        ret = -1;
        RSAerr(0, ERR_R_MALLOC_FAILURE);
        goto err;
    }

    if (BN_is_one(key->e)) {
        ret = 0;
        RSAerr(0, RSA_R_BAD_E_VALUE);
    }
    if (!BN_is_odd(key->e)) {
        ret = 0;
        RSAerr(0, RSA_R_BAD_E_VALUE);
    }

    /* p prime? */
    if (BN_check_prime(key->p, NULL, cb) != 1) {
        ret = 0;
        RSAerr(0, RSA_R_P_NOT_PRIME);
    }

    /* q prime? */
    if (BN_check_prime(key->q, NULL, cb) != 1) {
        ret = 0;
        RSAerr(0, RSA_R_Q_NOT_PRIME);
    }

    /* r_i prime? */
    for (idx = 0; idx < ex_primes; idx++) {
        pinfo = sk_RSA_PRIME_INFO_value(key->prime_infos, idx);
        if (BN_check_prime(pinfo->r, NULL, cb) != 1) {
            ret = 0;
            RSAerr(0, RSA_R_MP_R_NOT_PRIME);
        }
    }

    /* n = p*q * r_3...r_i? */
    if (!BN_mul(i, key->p, key->q, ctx)) {
        ret = -1;
        goto err;
    }
    for (idx = 0; idx < ex_primes; idx++) {
        pinfo = sk_RSA_PRIME_INFO_value(key->prime_infos, idx);
        if (!BN_mul(i, i, pinfo->r, ctx)) {
            ret = -1;
            goto err;
        }
    }
    if (BN_cmp(i, key->n) != 0) {
        ret = 0;
        if (ex_primes)
            RSAerr(0, RSA_R_N_DOES_NOT_EQUAL_PRODUCT_OF_PRIMES);
        else
            RSAerr(0, RSA_R_N_DOES_NOT_EQUAL_P_Q);
    }

    /* d*e = 1  mod \lambda(n)? */
    if (!BN_sub(i, key->p, BN_value_one())) {
        ret = -1;
        goto err;
    }
    if (!BN_sub(j, key->q, BN_value_one())) {
        ret = -1;
        goto err;
    }

    /* now compute k = \lambda(n) = LCM(i, j, r_3 - 1...) */
    if (!BN_mul(l, i, j, ctx)) {
        ret = -1;
        goto err;
    }
    if (!BN_gcd(m, i, j, ctx)) {
        ret = -1;
        goto err;
    }
    for (idx = 0; idx < ex_primes; idx++) {
        pinfo = sk_RSA_PRIME_INFO_value(key->prime_infos, idx);
        if (!BN_sub(k, pinfo->r, BN_value_one())) {
            ret = -1;
            goto err;
        }
        if (!BN_mul(l, l, k, ctx)) {
            ret = -1;
            goto err;
        }
        if (!BN_gcd(m, m, k, ctx)) {
            ret = -1;
            goto err;
        }
    }
    if (!BN_div(k, NULL, l, m, ctx)) { /* remainder is 0 */
        ret = -1;
        goto err;
    }
    if (!BN_mod_mul(i, key->d, key->e, k, ctx)) {
        ret = -1;
        goto err;
    }

    if (!BN_is_one(i)) {
        ret = 0;
        RSAerr(0, RSA_R_D_E_NOT_CONGRUENT_TO_1);
    }

    if (key->dmp1 != NULL && key->dmq1 != NULL && key->iqmp != NULL) {
        /* dmp1 = d mod (p-1)? */
        if (!BN_sub(i, key->p, BN_value_one())) {
            ret = -1;
            goto err;
        }
        if (!BN_mod(j, key->d, i, ctx)) {
            ret = -1;
            goto err;
        }
        if (BN_cmp(j, key->dmp1) != 0) {
            ret = 0;
            RSAerr(0, RSA_R_DMP1_NOT_CONGRUENT_TO_D);
        }

        /* dmq1 = d mod (q-1)? */
        if (!BN_sub(i, key->q, BN_value_one())) {
            ret = -1;
            goto err;
        }
        if (!BN_mod(j, key->d, i, ctx)) {
            ret = -1;
            goto err;
        }
        if (BN_cmp(j, key->dmq1) != 0) {
            ret = 0;
            RSAerr(0, RSA_R_DMQ1_NOT_CONGRUENT_TO_D);
        }

        /* iqmp = q^-1 mod p? */
        if (!BN_mod_inverse(i, key->q, key->p, ctx)) {
            ret = -1;
            goto err;
        }
        if (BN_cmp(i, key->iqmp) != 0) {
            ret = 0;
            RSAerr(0, RSA_R_IQMP_NOT_INVERSE_OF_Q);
        }
    }

    for (idx = 0; idx < ex_primes; idx++) {
        pinfo = sk_RSA_PRIME_INFO_value(key->prime_infos, idx);
        /* d_i = d mod (r_i - 1)? */
        if (!BN_sub(i, pinfo->r, BN_value_one())) {
            ret = -1;
            goto err;
        }
        if (!BN_mod(j, key->d, i, ctx)) {
            ret = -1;
            goto err;
        }
        if (BN_cmp(j, pinfo->d) != 0) {
            ret = 0;
            RSAerr(0, RSA_R_MP_EXPONENT_NOT_CONGRUENT_TO_D);
        }
        /* t_i = R_i ^ -1 mod r_i ? */
        if (!BN_mod_inverse(i, pinfo->pp, pinfo->r, ctx)) {
            ret = -1;
            goto err;
        }
        if (BN_cmp(i, pinfo->t) != 0) {
            ret = 0;
            RSAerr(0, RSA_R_MP_COEFFICIENT_NOT_INVERSE_OF_R);
        }
    }

 err:
    BN_free(i);
    BN_free(j);
    BN_free(k);
    BN_free(l);
    BN_free(m);
    BN_CTX_free(ctx);
    return ret;
}
#endif /* FIPS_MODE */

int rsa_validate_public(const RSA *key)
{
    return rsa_sp800_56b_check_public(key);
}

int rsa_validate_private(const RSA *key)
{
    return rsa_sp800_56b_check_private(key);
}

int rsa_validate_pairwise(const RSA *key)
{
#ifdef FIPS_MODE
    return rsa_sp800_56b_check_keypair(key, NULL, -1, RSA_bits(key));
#else
    return rsa_validate_keypair_multiprime(key, NULL);
#endif
}

int RSA_check_key(const RSA *key)
{
    return RSA_check_key_ex(key, NULL);
}

int RSA_check_key_ex(const RSA *key, BN_GENCB *cb)
{
#ifdef FIPS_MODE
    return rsa_validate_public(key)
           && rsa_validate_private(key)
           && rsa_validate_pairwise(key);
#else
    return rsa_validate_keypair_multiprime(key, cb);
#endif /* FIPS_MODE */
}
Commit	Line	Data
2039c421	1	/*
12603de6	2	* Copyright 1999-2020 The OpenSSL Project Authors. All Rights Reserved.
6519b2cb	3	*
2a7b6f39	4	* Licensed under the Apache License 2.0 (the "License"). You may not use
2039c421 RS	5	* this file except in compliance with the License. You can obtain a copy
	6	* in the file LICENSE in the source distribution or at
	7	* https://www.openssl.org/source/license.html
6519b2cb BM	8	*/
6519b2cb BM	9
c5f87134 P	10	/*
	11	* RSA low level APIs are deprecated for public use, but still ok for
	12	* internal use.
	13	*/
	14	#include "internal/deprecated.h"
	15
6519b2cb BM	16	#include <openssl/bn.h>
6519b2cb BM	17	#include <openssl/err.h>
12603de6	18	#include "crypto/rsa.h"
706457b7	19	#include "rsa_local.h"
6519b2cb	20
12603de6 SL	21	#ifndef FIPS_MODE
12603de6 SL	22	static int rsa_validate_keypair_multiprime(const RSA key, BN_GENCB cb)
0f113f3e	23	{
0f113f3e MC	24	BIGNUM i, j, k, l, *m;
0f113f3e MC	25	BN_CTX *ctx;
665d899f PY	26	int ret = 1, ex_primes = 0, idx;
665d899f PY	27	RSA_PRIME_INFO *pinfo;
0f113f3e	28
464d59a5 RS	29	if (key->p == NULL \|\| key->q == NULL \|\| key->n == NULL
464d59a5 RS	30	\|\| key->e == NULL \|\| key->d == NULL) {
12603de6	31	RSAerr(0, RSA_R_VALUE_MISSING);
0f113f3e MC	32	return 0;
	33	}
	34
665d899f	35	/* multi-prime? */
3bded9cd AP	36	if (key->version == RSA_ASN1_VERSION_MULTI) {
	37	ex_primes = sk_RSA_PRIME_INFO_num(key->prime_infos);
	38	if (ex_primes <= 0
	39	\|\| (ex_primes + 2) > rsa_multip_cap(BN_num_bits(key->n))) {
12603de6	40	RSAerr(0, RSA_R_INVALID_MULTI_PRIME_KEY);
3bded9cd AP	41	return 0;
3bded9cd AP	42	}
665d899f PY	43	}
665d899f PY	44
0f113f3e MC	45	i = BN_new();
	46	j = BN_new();
	47	k = BN_new();
	48	l = BN_new();
	49	m = BN_new();
	50	ctx = BN_CTX_new();
464d59a5 RS	51	if (i == NULL \|\| j == NULL \|\| k == NULL \|\| l == NULL
464d59a5 RS	52	\|\| m == NULL \|\| ctx == NULL) {
0f113f3e	53	ret = -1;
12603de6	54	RSAerr(0, ERR_R_MALLOC_FAILURE);
0f113f3e MC	55	goto err;
	56	}
	57
464d59a5 RS	58	if (BN_is_one(key->e)) {
464d59a5 RS	59	ret = 0;
12603de6	60	RSAerr(0, RSA_R_BAD_E_VALUE);
464d59a5 RS	61	}
	62	if (!BN_is_odd(key->e)) {
	63	ret = 0;
12603de6	64	RSAerr(0, RSA_R_BAD_E_VALUE);
464d59a5 RS	65	}
464d59a5 RS	66
0f113f3e	67	/* p prime? */
42619397	68	if (BN_check_prime(key->p, NULL, cb) != 1) {
464d59a5	69	ret = 0;
12603de6	70	RSAerr(0, RSA_R_P_NOT_PRIME);
0f113f3e MC	71	}
	72
	73	/* q prime? */
42619397	74	if (BN_check_prime(key->q, NULL, cb) != 1) {
464d59a5	75	ret = 0;
12603de6	76	RSAerr(0, RSA_R_Q_NOT_PRIME);
0f113f3e MC	77	}
0f113f3e MC	78
665d899f PY	79	/* r_i prime? */
	80	for (idx = 0; idx < ex_primes; idx++) {
	81	pinfo = sk_RSA_PRIME_INFO_value(key->prime_infos, idx);
42619397	82	if (BN_check_prime(pinfo->r, NULL, cb) != 1) {
665d899f	83	ret = 0;
12603de6	84	RSAerr(0, RSA_R_MP_R_NOT_PRIME);
665d899f PY	85	}
	86	}
	87
	88	/* n = pq r_3...r_i? */
464d59a5	89	if (!BN_mul(i, key->p, key->q, ctx)) {
0f113f3e MC	90	ret = -1;
	91	goto err;
	92	}
665d899f PY	93	for (idx = 0; idx < ex_primes; idx++) {
	94	pinfo = sk_RSA_PRIME_INFO_value(key->prime_infos, idx);
	95	if (!BN_mul(i, i, pinfo->r, ctx)) {
	96	ret = -1;
	97	goto err;
	98	}
	99	}
0f113f3e MC	100	if (BN_cmp(i, key->n) != 0) {
0f113f3e MC	101	ret = 0;
665d899f	102	if (ex_primes)
12603de6	103	RSAerr(0, RSA_R_N_DOES_NOT_EQUAL_PRODUCT_OF_PRIMES);
665d899f	104	else
12603de6	105	RSAerr(0, RSA_R_N_DOES_NOT_EQUAL_P_Q);
0f113f3e MC	106	}
0f113f3e MC	107
665d899f	108	/* de = 1 mod \lambda(n)? /
464d59a5	109	if (!BN_sub(i, key->p, BN_value_one())) {
0f113f3e MC	110	ret = -1;
	111	goto err;
	112	}
464d59a5	113	if (!BN_sub(j, key->q, BN_value_one())) {
0f113f3e MC	114	ret = -1;
	115	goto err;
	116	}
	117
665d899f	118	/* now compute k = \lambda(n) = LCM(i, j, r_3 - 1...) */
464d59a5	119	if (!BN_mul(l, i, j, ctx)) {
0f113f3e MC	120	ret = -1;
	121	goto err;
	122	}
464d59a5	123	if (!BN_gcd(m, i, j, ctx)) {
0f113f3e MC	124	ret = -1;
	125	goto err;
	126	}
665d899f PY	127	for (idx = 0; idx < ex_primes; idx++) {
	128	pinfo = sk_RSA_PRIME_INFO_value(key->prime_infos, idx);
	129	if (!BN_sub(k, pinfo->r, BN_value_one())) {
	130	ret = -1;
	131	goto err;
	132	}
	133	if (!BN_mul(l, l, k, ctx)) {
	134	ret = -1;
	135	goto err;
	136	}
	137	if (!BN_gcd(m, m, k, ctx)) {
	138	ret = -1;
	139	goto err;
	140	}
	141	}
464d59a5	142	if (!BN_div(k, NULL, l, m, ctx)) { /* remainder is 0 */
0f113f3e MC	143	ret = -1;
	144	goto err;
	145	}
464d59a5	146	if (!BN_mod_mul(i, key->d, key->e, k, ctx)) {
0f113f3e MC	147	ret = -1;
	148	goto err;
	149	}
	150
	151	if (!BN_is_one(i)) {
	152	ret = 0;
12603de6	153	RSAerr(0, RSA_R_D_E_NOT_CONGRUENT_TO_1);
0f113f3e MC	154	}
	155
	156	if (key->dmp1 != NULL && key->dmq1 != NULL && key->iqmp != NULL) {
	157	/* dmp1 = d mod (p-1)? */
464d59a5	158	if (!BN_sub(i, key->p, BN_value_one())) {
0f113f3e MC	159	ret = -1;
	160	goto err;
	161	}
464d59a5	162	if (!BN_mod(j, key->d, i, ctx)) {
0f113f3e MC	163	ret = -1;
	164	goto err;
	165	}
0f113f3e MC	166	if (BN_cmp(j, key->dmp1) != 0) {
0f113f3e MC	167	ret = 0;
12603de6	168	RSAerr(0, RSA_R_DMP1_NOT_CONGRUENT_TO_D);
0f113f3e MC	169	}
	170
	171	/* dmq1 = d mod (q-1)? */
464d59a5	172	if (!BN_sub(i, key->q, BN_value_one())) {
0f113f3e MC	173	ret = -1;
	174	goto err;
	175	}
464d59a5	176	if (!BN_mod(j, key->d, i, ctx)) {
0f113f3e MC	177	ret = -1;
	178	goto err;
	179	}
0f113f3e MC	180	if (BN_cmp(j, key->dmq1) != 0) {
0f113f3e MC	181	ret = 0;
12603de6	182	RSAerr(0, RSA_R_DMQ1_NOT_CONGRUENT_TO_D);
0f113f3e MC	183	}
	184
	185	/* iqmp = q^-1 mod p? */
	186	if (!BN_mod_inverse(i, key->q, key->p, ctx)) {
	187	ret = -1;
	188	goto err;
	189	}
0f113f3e MC	190	if (BN_cmp(i, key->iqmp) != 0) {
0f113f3e MC	191	ret = 0;
12603de6	192	RSAerr(0, RSA_R_IQMP_NOT_INVERSE_OF_Q);
0f113f3e MC	193	}
0f113f3e MC	194	}
4f6235f7	195
665d899f PY	196	for (idx = 0; idx < ex_primes; idx++) {
	197	pinfo = sk_RSA_PRIME_INFO_value(key->prime_infos, idx);
	198	/* d_i = d mod (r_i - 1)? */
	199	if (!BN_sub(i, pinfo->r, BN_value_one())) {
	200	ret = -1;
	201	goto err;
	202	}
	203	if (!BN_mod(j, key->d, i, ctx)) {
	204	ret = -1;
	205	goto err;
	206	}
	207	if (BN_cmp(j, pinfo->d) != 0) {
	208	ret = 0;
12603de6	209	RSAerr(0, RSA_R_MP_EXPONENT_NOT_CONGRUENT_TO_D);
665d899f PY	210	}
	211	/* t_i = R_i ^ -1 mod r_i ? */
	212	if (!BN_mod_inverse(i, pinfo->pp, pinfo->r, ctx)) {
	213	ret = -1;
	214	goto err;
	215	}
	216	if (BN_cmp(i, pinfo->t) != 0) {
	217	ret = 0;
12603de6	218	RSAerr(0, RSA_R_MP_COEFFICIENT_NOT_INVERSE_OF_R);
665d899f PY	219	}
	220	}
	221
6519b2cb	222	err:
23a1d5e9 RS	223	BN_free(i);
	224	BN_free(j);
	225	BN_free(k);
	226	BN_free(l);
	227	BN_free(m);
	228	BN_CTX_free(ctx);
464d59a5	229	return ret;
12603de6 SL	230	}
	231	#endif /* FIPS_MODE */
	232
	233	int rsa_validate_public(const RSA *key)
	234	{
	235	return rsa_sp800_56b_check_public(key);
	236	}
	237
	238	int rsa_validate_private(const RSA *key)
	239	{
	240	return rsa_sp800_56b_check_private(key);
	241	}
	242
	243	int rsa_validate_pairwise(const RSA *key)
	244	{
	245	#ifdef FIPS_MODE
	246	return rsa_sp800_56b_check_keypair(key, NULL, -1, RSA_bits(key));
	247	#else
	248	return rsa_validate_keypair_multiprime(key, NULL);
	249	#endif
	250	}
	251
	252	int RSA_check_key(const RSA *key)
	253	{
	254	return RSA_check_key_ex(key, NULL);
	255	}
	256
	257	int RSA_check_key_ex(const RSA key, BN_GENCB cb)
	258	{
	259	#ifdef FIPS_MODE
	260	return rsa_validate_public(key)
	261	&& rsa_validate_private(key)
	262	&& rsa_validate_pairwise(key);
	263	#else
	264	return rsa_validate_keypair_multiprime(key, cb);
8240d5fa	265	#endif /* FIPS_MODE */
0f113f3e	266	}