]>
Commit | Line | Data |
---|---|---|
2039c421 | 1 | /* |
12603de6 | 2 | * Copyright 1999-2020 The OpenSSL Project Authors. All Rights Reserved. |
6519b2cb | 3 | * |
2a7b6f39 | 4 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
2039c421 RS |
5 | * this file except in compliance with the License. You can obtain a copy |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
6519b2cb BM |
8 | */ |
9 | ||
c5f87134 P |
10 | /* |
11 | * RSA low level APIs are deprecated for public use, but still ok for | |
12 | * internal use. | |
13 | */ | |
14 | #include "internal/deprecated.h" | |
15 | ||
6519b2cb BM |
16 | #include <openssl/bn.h> |
17 | #include <openssl/err.h> | |
12603de6 | 18 | #include "crypto/rsa.h" |
706457b7 | 19 | #include "rsa_local.h" |
6519b2cb | 20 | |
12603de6 SL |
21 | #ifndef FIPS_MODE |
22 | static int rsa_validate_keypair_multiprime(const RSA *key, BN_GENCB *cb) | |
0f113f3e | 23 | { |
0f113f3e MC |
24 | BIGNUM *i, *j, *k, *l, *m; |
25 | BN_CTX *ctx; | |
665d899f PY |
26 | int ret = 1, ex_primes = 0, idx; |
27 | RSA_PRIME_INFO *pinfo; | |
0f113f3e | 28 | |
464d59a5 RS |
29 | if (key->p == NULL || key->q == NULL || key->n == NULL |
30 | || key->e == NULL || key->d == NULL) { | |
12603de6 | 31 | RSAerr(0, RSA_R_VALUE_MISSING); |
0f113f3e MC |
32 | return 0; |
33 | } | |
34 | ||
665d899f | 35 | /* multi-prime? */ |
3bded9cd AP |
36 | if (key->version == RSA_ASN1_VERSION_MULTI) { |
37 | ex_primes = sk_RSA_PRIME_INFO_num(key->prime_infos); | |
38 | if (ex_primes <= 0 | |
39 | || (ex_primes + 2) > rsa_multip_cap(BN_num_bits(key->n))) { | |
12603de6 | 40 | RSAerr(0, RSA_R_INVALID_MULTI_PRIME_KEY); |
3bded9cd AP |
41 | return 0; |
42 | } | |
665d899f PY |
43 | } |
44 | ||
0f113f3e MC |
45 | i = BN_new(); |
46 | j = BN_new(); | |
47 | k = BN_new(); | |
48 | l = BN_new(); | |
49 | m = BN_new(); | |
50 | ctx = BN_CTX_new(); | |
464d59a5 RS |
51 | if (i == NULL || j == NULL || k == NULL || l == NULL |
52 | || m == NULL || ctx == NULL) { | |
0f113f3e | 53 | ret = -1; |
12603de6 | 54 | RSAerr(0, ERR_R_MALLOC_FAILURE); |
0f113f3e MC |
55 | goto err; |
56 | } | |
57 | ||
464d59a5 RS |
58 | if (BN_is_one(key->e)) { |
59 | ret = 0; | |
12603de6 | 60 | RSAerr(0, RSA_R_BAD_E_VALUE); |
464d59a5 RS |
61 | } |
62 | if (!BN_is_odd(key->e)) { | |
63 | ret = 0; | |
12603de6 | 64 | RSAerr(0, RSA_R_BAD_E_VALUE); |
464d59a5 RS |
65 | } |
66 | ||
0f113f3e | 67 | /* p prime? */ |
42619397 | 68 | if (BN_check_prime(key->p, NULL, cb) != 1) { |
464d59a5 | 69 | ret = 0; |
12603de6 | 70 | RSAerr(0, RSA_R_P_NOT_PRIME); |
0f113f3e MC |
71 | } |
72 | ||
73 | /* q prime? */ | |
42619397 | 74 | if (BN_check_prime(key->q, NULL, cb) != 1) { |
464d59a5 | 75 | ret = 0; |
12603de6 | 76 | RSAerr(0, RSA_R_Q_NOT_PRIME); |
0f113f3e MC |
77 | } |
78 | ||
665d899f PY |
79 | /* r_i prime? */ |
80 | for (idx = 0; idx < ex_primes; idx++) { | |
81 | pinfo = sk_RSA_PRIME_INFO_value(key->prime_infos, idx); | |
42619397 | 82 | if (BN_check_prime(pinfo->r, NULL, cb) != 1) { |
665d899f | 83 | ret = 0; |
12603de6 | 84 | RSAerr(0, RSA_R_MP_R_NOT_PRIME); |
665d899f PY |
85 | } |
86 | } | |
87 | ||
88 | /* n = p*q * r_3...r_i? */ | |
464d59a5 | 89 | if (!BN_mul(i, key->p, key->q, ctx)) { |
0f113f3e MC |
90 | ret = -1; |
91 | goto err; | |
92 | } | |
665d899f PY |
93 | for (idx = 0; idx < ex_primes; idx++) { |
94 | pinfo = sk_RSA_PRIME_INFO_value(key->prime_infos, idx); | |
95 | if (!BN_mul(i, i, pinfo->r, ctx)) { | |
96 | ret = -1; | |
97 | goto err; | |
98 | } | |
99 | } | |
0f113f3e MC |
100 | if (BN_cmp(i, key->n) != 0) { |
101 | ret = 0; | |
665d899f | 102 | if (ex_primes) |
12603de6 | 103 | RSAerr(0, RSA_R_N_DOES_NOT_EQUAL_PRODUCT_OF_PRIMES); |
665d899f | 104 | else |
12603de6 | 105 | RSAerr(0, RSA_R_N_DOES_NOT_EQUAL_P_Q); |
0f113f3e MC |
106 | } |
107 | ||
665d899f | 108 | /* d*e = 1 mod \lambda(n)? */ |
464d59a5 | 109 | if (!BN_sub(i, key->p, BN_value_one())) { |
0f113f3e MC |
110 | ret = -1; |
111 | goto err; | |
112 | } | |
464d59a5 | 113 | if (!BN_sub(j, key->q, BN_value_one())) { |
0f113f3e MC |
114 | ret = -1; |
115 | goto err; | |
116 | } | |
117 | ||
665d899f | 118 | /* now compute k = \lambda(n) = LCM(i, j, r_3 - 1...) */ |
464d59a5 | 119 | if (!BN_mul(l, i, j, ctx)) { |
0f113f3e MC |
120 | ret = -1; |
121 | goto err; | |
122 | } | |
464d59a5 | 123 | if (!BN_gcd(m, i, j, ctx)) { |
0f113f3e MC |
124 | ret = -1; |
125 | goto err; | |
126 | } | |
665d899f PY |
127 | for (idx = 0; idx < ex_primes; idx++) { |
128 | pinfo = sk_RSA_PRIME_INFO_value(key->prime_infos, idx); | |
129 | if (!BN_sub(k, pinfo->r, BN_value_one())) { | |
130 | ret = -1; | |
131 | goto err; | |
132 | } | |
133 | if (!BN_mul(l, l, k, ctx)) { | |
134 | ret = -1; | |
135 | goto err; | |
136 | } | |
137 | if (!BN_gcd(m, m, k, ctx)) { | |
138 | ret = -1; | |
139 | goto err; | |
140 | } | |
141 | } | |
464d59a5 | 142 | if (!BN_div(k, NULL, l, m, ctx)) { /* remainder is 0 */ |
0f113f3e MC |
143 | ret = -1; |
144 | goto err; | |
145 | } | |
464d59a5 | 146 | if (!BN_mod_mul(i, key->d, key->e, k, ctx)) { |
0f113f3e MC |
147 | ret = -1; |
148 | goto err; | |
149 | } | |
150 | ||
151 | if (!BN_is_one(i)) { | |
152 | ret = 0; | |
12603de6 | 153 | RSAerr(0, RSA_R_D_E_NOT_CONGRUENT_TO_1); |
0f113f3e MC |
154 | } |
155 | ||
156 | if (key->dmp1 != NULL && key->dmq1 != NULL && key->iqmp != NULL) { | |
157 | /* dmp1 = d mod (p-1)? */ | |
464d59a5 | 158 | if (!BN_sub(i, key->p, BN_value_one())) { |
0f113f3e MC |
159 | ret = -1; |
160 | goto err; | |
161 | } | |
464d59a5 | 162 | if (!BN_mod(j, key->d, i, ctx)) { |
0f113f3e MC |
163 | ret = -1; |
164 | goto err; | |
165 | } | |
0f113f3e MC |
166 | if (BN_cmp(j, key->dmp1) != 0) { |
167 | ret = 0; | |
12603de6 | 168 | RSAerr(0, RSA_R_DMP1_NOT_CONGRUENT_TO_D); |
0f113f3e MC |
169 | } |
170 | ||
171 | /* dmq1 = d mod (q-1)? */ | |
464d59a5 | 172 | if (!BN_sub(i, key->q, BN_value_one())) { |
0f113f3e MC |
173 | ret = -1; |
174 | goto err; | |
175 | } | |
464d59a5 | 176 | if (!BN_mod(j, key->d, i, ctx)) { |
0f113f3e MC |
177 | ret = -1; |
178 | goto err; | |
179 | } | |
0f113f3e MC |
180 | if (BN_cmp(j, key->dmq1) != 0) { |
181 | ret = 0; | |
12603de6 | 182 | RSAerr(0, RSA_R_DMQ1_NOT_CONGRUENT_TO_D); |
0f113f3e MC |
183 | } |
184 | ||
185 | /* iqmp = q^-1 mod p? */ | |
186 | if (!BN_mod_inverse(i, key->q, key->p, ctx)) { | |
187 | ret = -1; | |
188 | goto err; | |
189 | } | |
0f113f3e MC |
190 | if (BN_cmp(i, key->iqmp) != 0) { |
191 | ret = 0; | |
12603de6 | 192 | RSAerr(0, RSA_R_IQMP_NOT_INVERSE_OF_Q); |
0f113f3e MC |
193 | } |
194 | } | |
4f6235f7 | 195 | |
665d899f PY |
196 | for (idx = 0; idx < ex_primes; idx++) { |
197 | pinfo = sk_RSA_PRIME_INFO_value(key->prime_infos, idx); | |
198 | /* d_i = d mod (r_i - 1)? */ | |
199 | if (!BN_sub(i, pinfo->r, BN_value_one())) { | |
200 | ret = -1; | |
201 | goto err; | |
202 | } | |
203 | if (!BN_mod(j, key->d, i, ctx)) { | |
204 | ret = -1; | |
205 | goto err; | |
206 | } | |
207 | if (BN_cmp(j, pinfo->d) != 0) { | |
208 | ret = 0; | |
12603de6 | 209 | RSAerr(0, RSA_R_MP_EXPONENT_NOT_CONGRUENT_TO_D); |
665d899f PY |
210 | } |
211 | /* t_i = R_i ^ -1 mod r_i ? */ | |
212 | if (!BN_mod_inverse(i, pinfo->pp, pinfo->r, ctx)) { | |
213 | ret = -1; | |
214 | goto err; | |
215 | } | |
216 | if (BN_cmp(i, pinfo->t) != 0) { | |
217 | ret = 0; | |
12603de6 | 218 | RSAerr(0, RSA_R_MP_COEFFICIENT_NOT_INVERSE_OF_R); |
665d899f PY |
219 | } |
220 | } | |
221 | ||
6519b2cb | 222 | err: |
23a1d5e9 RS |
223 | BN_free(i); |
224 | BN_free(j); | |
225 | BN_free(k); | |
226 | BN_free(l); | |
227 | BN_free(m); | |
228 | BN_CTX_free(ctx); | |
464d59a5 | 229 | return ret; |
12603de6 SL |
230 | } |
231 | #endif /* FIPS_MODE */ | |
232 | ||
233 | int rsa_validate_public(const RSA *key) | |
234 | { | |
235 | return rsa_sp800_56b_check_public(key); | |
236 | } | |
237 | ||
238 | int rsa_validate_private(const RSA *key) | |
239 | { | |
240 | return rsa_sp800_56b_check_private(key); | |
241 | } | |
242 | ||
243 | int rsa_validate_pairwise(const RSA *key) | |
244 | { | |
245 | #ifdef FIPS_MODE | |
246 | return rsa_sp800_56b_check_keypair(key, NULL, -1, RSA_bits(key)); | |
247 | #else | |
248 | return rsa_validate_keypair_multiprime(key, NULL); | |
249 | #endif | |
250 | } | |
251 | ||
252 | int RSA_check_key(const RSA *key) | |
253 | { | |
254 | return RSA_check_key_ex(key, NULL); | |
255 | } | |
256 | ||
257 | int RSA_check_key_ex(const RSA *key, BN_GENCB *cb) | |
258 | { | |
259 | #ifdef FIPS_MODE | |
260 | return rsa_validate_public(key) | |
261 | && rsa_validate_private(key) | |
262 | && rsa_validate_pairwise(key); | |
263 | #else | |
264 | return rsa_validate_keypair_multiprime(key, cb); | |
8240d5fa | 265 | #endif /* FIPS_MODE */ |
0f113f3e | 266 | } |