[thirdparty/openssl.git] / crypto / rsa / rsa_gen.c

/*
 * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

/*
 * NB: these functions have been "upgraded", the deprecated versions (which
 * are compatibility wrappers using these functions) are in rsa_depr.c. -
 * Geoff
 */

/*
 * RSA low level APIs are deprecated for public use, but still ok for
 * internal use.
 */
#include "internal/deprecated.h"

#include <stdio.h>
#include <time.h>
#include "internal/cryptlib.h"
#include <openssl/bn.h>
#include <openssl/self_test.h>
#include "rsa_local.h"

static int rsa_keygen_pairwise_test(RSA *rsa, OSSL_CALLBACK *cb, void *cbarg);
static int rsa_keygen(OPENSSL_CTX *libctx, RSA *rsa, int bits, int primes,
                      BIGNUM *e_value, BN_GENCB *cb, int pairwise_test);

/*
 * NB: this wrapper would normally be placed in rsa_lib.c and the static
 * implementation would probably be in rsa_eay.c. Nonetheless, is kept here
 * so that we don't introduce a new linker dependency. Eg. any application
 * that wasn't previously linking object code related to key-generation won't
 * have to now just because key-generation is part of RSA_METHOD.
 */
int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
{
    if (rsa->meth->rsa_keygen != NULL)
        return rsa->meth->rsa_keygen(rsa, bits, e_value, cb);

    return RSA_generate_multi_prime_key(rsa, bits, RSA_DEFAULT_PRIME_NUM,
                                        e_value, cb);
}

int RSA_generate_multi_prime_key(RSA *rsa, int bits, int primes,
                                 BIGNUM *e_value, BN_GENCB *cb)
{
#ifndef FIPS_MODULE
    /* multi-prime is only supported with the builtin key generation */
    if (rsa->meth->rsa_multi_prime_keygen != NULL) {
        return rsa->meth->rsa_multi_prime_keygen(rsa, bits, primes,
                                                 e_value, cb);
    } else if (rsa->meth->rsa_keygen != NULL) {
        /*
         * However, if rsa->meth implements only rsa_keygen, then we
         * have to honour it in 2-prime case and assume that it wouldn't
         * know what to do with multi-prime key generated by builtin
         * subroutine...
         */
        if (primes == 2)
            return rsa->meth->rsa_keygen(rsa, bits, e_value, cb);
        else
            return 0;
    }
#endif /* FIPS_MODULE */
    return rsa_keygen(NULL, rsa, bits, primes, e_value, cb, 0);
}

static int rsa_keygen(OPENSSL_CTX *libctx, RSA *rsa, int bits, int primes,
                      BIGNUM *e_value, BN_GENCB *cb, int pairwise_test)
{
    int ok = -1;
#ifdef FIPS_MODULE
    if (primes != 2)
        return 0;
    ok = rsa_sp800_56b_generate_key(rsa, bits, e_value, cb);
    pairwise_test = 1; /* FIPS MODE needs to always run the pairwise test */
#else
    BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL, *tmp, *prime;
    int n = 0, bitsr[RSA_MAX_PRIME_NUM], bitse = 0;
    int i = 0, quo = 0, rmd = 0, adj = 0, retries = 0;
    RSA_PRIME_INFO *pinfo = NULL;
    STACK_OF(RSA_PRIME_INFO) *prime_infos = NULL;
    BN_CTX *ctx = NULL;
    BN_ULONG bitst = 0;
    unsigned long error = 0;

    if (bits < RSA_MIN_MODULUS_BITS) {
        ok = 0;             /* we set our own err */
        RSAerr(0, RSA_R_KEY_SIZE_TOO_SMALL);
        goto err;
    }

    if (primes < RSA_DEFAULT_PRIME_NUM || primes > rsa_multip_cap(bits)) {
        ok = 0;             /* we set our own err */
        RSAerr(0, RSA_R_KEY_PRIME_NUM_INVALID);
        goto err;
    }

    ctx = BN_CTX_new();
    if (ctx == NULL)
        goto err;
    BN_CTX_start(ctx);
    r0 = BN_CTX_get(ctx);
    r1 = BN_CTX_get(ctx);
    r2 = BN_CTX_get(ctx);
    if (r2 == NULL)
        goto err;

    /* divide bits into 'primes' pieces evenly */
    quo = bits / primes;
    rmd = bits % primes;

    for (i = 0; i < primes; i++)
        bitsr[i] = (i < rmd) ? quo + 1 : quo;

    rsa->dirty_cnt++;

    /* We need the RSA components non-NULL */
    if (!rsa->n && ((rsa->n = BN_new()) == NULL))
        goto err;
    if (!rsa->d && ((rsa->d = BN_secure_new()) == NULL))
        goto err;
    if (!rsa->e && ((rsa->e = BN_new()) == NULL))
        goto err;
    if (!rsa->p && ((rsa->p = BN_secure_new()) == NULL))
        goto err;
    if (!rsa->q && ((rsa->q = BN_secure_new()) == NULL))
        goto err;
    if (!rsa->dmp1 && ((rsa->dmp1 = BN_secure_new()) == NULL))
        goto err;
    if (!rsa->dmq1 && ((rsa->dmq1 = BN_secure_new()) == NULL))
        goto err;
    if (!rsa->iqmp && ((rsa->iqmp = BN_secure_new()) == NULL))
        goto err;

    /* initialize multi-prime components */
    if (primes > RSA_DEFAULT_PRIME_NUM) {
        rsa->version = RSA_ASN1_VERSION_MULTI;
        prime_infos = sk_RSA_PRIME_INFO_new_reserve(NULL, primes - 2);
        if (prime_infos == NULL)
            goto err;
        if (rsa->prime_infos != NULL) {
            /* could this happen? */
            sk_RSA_PRIME_INFO_pop_free(rsa->prime_infos, rsa_multip_info_free);
        }
        rsa->prime_infos = prime_infos;

        /* prime_info from 2 to |primes| -1 */
        for (i = 2; i < primes; i++) {
            pinfo = rsa_multip_info_new();
            if (pinfo == NULL)
                goto err;
            (void)sk_RSA_PRIME_INFO_push(prime_infos, pinfo);
        }
    }

    if (BN_copy(rsa->e, e_value) == NULL)
        goto err;

    /* generate p, q and other primes (if any) */
    for (i = 0; i < primes; i++) {
        adj = 0;
        retries = 0;

        if (i == 0) {
            prime = rsa->p;
        } else if (i == 1) {
            prime = rsa->q;
        } else {
            pinfo = sk_RSA_PRIME_INFO_value(prime_infos, i - 2);
            prime = pinfo->r;
        }
        BN_set_flags(prime, BN_FLG_CONSTTIME);

        for (;;) {
 redo:
            if (!BN_generate_prime_ex(prime, bitsr[i] + adj, 0, NULL, NULL, cb))
                goto err;
            /*
             * prime should not be equal to p, q, r_3...
             * (those primes prior to this one)
             */
            {
                int j;

                for (j = 0; j < i; j++) {
                    BIGNUM *prev_prime;

                    if (j == 0)
                        prev_prime = rsa->p;
                    else if (j == 1)
                        prev_prime = rsa->q;
                    else
                        prev_prime = sk_RSA_PRIME_INFO_value(prime_infos,
                                                             j - 2)->r;

                    if (!BN_cmp(prime, prev_prime)) {
                        goto redo;
                    }
                }
            }
            if (!BN_sub(r2, prime, BN_value_one()))
                goto err;
            ERR_set_mark();
            BN_set_flags(r2, BN_FLG_CONSTTIME);
            if (BN_mod_inverse(r1, r2, rsa->e, ctx) != NULL) {
               /* GCD == 1 since inverse exists */
                break;
            }
            error = ERR_peek_last_error();
            if (ERR_GET_LIB(error) == ERR_LIB_BN
                && ERR_GET_REASON(error) == BN_R_NO_INVERSE) {
                /* GCD != 1 */
                ERR_pop_to_mark();
            } else {
                goto err;
            }
            if (!BN_GENCB_call(cb, 2, n++))
                goto err;
        }

        bitse += bitsr[i];

        /* calculate n immediately to see if it's sufficient */
        if (i == 1) {
            /* we get at least 2 primes */
            if (!BN_mul(r1, rsa->p, rsa->q, ctx))
                goto err;
        } else if (i != 0) {
            /* modulus n = p * q * r_3 * r_4 ... */
            if (!BN_mul(r1, rsa->n, prime, ctx))
                goto err;
        } else {
            /* i == 0, do nothing */
            if (!BN_GENCB_call(cb, 3, i))
                goto err;
            continue;
        }
        /*
         * if |r1|, product of factors so far, is not as long as expected
         * (by checking the first 4 bits are less than 0x9 or greater than
         * 0xF). If so, re-generate the last prime.
         *
         * NOTE: This actually can't happen in two-prime case, because of
         * the way factors are generated.
         *
         * Besides, another consideration is, for multi-prime case, even the
         * length modulus is as long as expected, the modulus could start at
         * 0x8, which could be utilized to distinguish a multi-prime private
         * key by using the modulus in a certificate. This is also covered
         * by checking the length should not be less than 0x9.
         */
        if (!BN_rshift(r2, r1, bitse - 4))
            goto err;
        bitst = BN_get_word(r2);

        if (bitst < 0x9 || bitst > 0xF) {
            /*
             * For keys with more than 4 primes, we attempt longer factor to
             * meet length requirement.
             *
             * Otherwise, we just re-generate the prime with the same length.
             *
             * This strategy has the following goals:
             *
             * 1. 1024-bit factors are efficient when using 3072 and 4096-bit key
             * 2. stay the same logic with normal 2-prime key
             */
            bitse -= bitsr[i];
            if (!BN_GENCB_call(cb, 2, n++))
                goto err;
            if (primes > 4) {
                if (bitst < 0x9)
                    adj++;
                else
                    adj--;
            } else if (retries == 4) {
                /*
                 * re-generate all primes from scratch, mainly used
                 * in 4 prime case to avoid long loop. Max retry times
                 * is set to 4.
                 */
                i = -1;
                bitse = 0;
                continue;
            }
            retries++;
            goto redo;
        }
        /* save product of primes for further use, for multi-prime only */
        if (i > 1 && BN_copy(pinfo->pp, rsa->n) == NULL)
            goto err;
        if (BN_copy(rsa->n, r1) == NULL)
            goto err;
        if (!BN_GENCB_call(cb, 3, i))
            goto err;
    }

    if (BN_cmp(rsa->p, rsa->q) < 0) {
        tmp = rsa->p;
        rsa->p = rsa->q;
        rsa->q = tmp;
    }

    /* calculate d */

    /* p - 1 */
    if (!BN_sub(r1, rsa->p, BN_value_one()))
        goto err;
    /* q - 1 */
    if (!BN_sub(r2, rsa->q, BN_value_one()))
        goto err;
    /* (p - 1)(q - 1) */
    if (!BN_mul(r0, r1, r2, ctx))
        goto err;
    /* multi-prime */
    for (i = 2; i < primes; i++) {
        pinfo = sk_RSA_PRIME_INFO_value(prime_infos, i - 2);
        /* save r_i - 1 to pinfo->d temporarily */
        if (!BN_sub(pinfo->d, pinfo->r, BN_value_one()))
            goto err;
        if (!BN_mul(r0, r0, pinfo->d, ctx))
            goto err;
    }

    {
        BIGNUM *pr0 = BN_new();

        if (pr0 == NULL)
            goto err;

        BN_with_flags(pr0, r0, BN_FLG_CONSTTIME);
        if (!BN_mod_inverse(rsa->d, rsa->e, pr0, ctx)) {
            BN_free(pr0);
            goto err;               /* d */
        }
        /* We MUST free pr0 before any further use of r0 */
        BN_free(pr0);
    }

    {
        BIGNUM *d = BN_new();

        if (d == NULL)
            goto err;

        BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);

        /* calculate d mod (p-1) and d mod (q - 1) */
        if (!BN_mod(rsa->dmp1, d, r1, ctx)
            || !BN_mod(rsa->dmq1, d, r2, ctx)) {
            BN_free(d);
            goto err;
        }

        /* calculate CRT exponents */
        for (i = 2; i < primes; i++) {
            pinfo = sk_RSA_PRIME_INFO_value(prime_infos, i - 2);
            /* pinfo->d == r_i - 1 */
            if (!BN_mod(pinfo->d, d, pinfo->d, ctx)) {
                BN_free(d);
                goto err;
            }
        }

        /* We MUST free d before any further use of rsa->d */
        BN_free(d);
    }

    {
        BIGNUM *p = BN_new();

        if (p == NULL)
            goto err;
        BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);

        /* calculate inverse of q mod p */
        if (!BN_mod_inverse(rsa->iqmp, rsa->q, p, ctx)) {
            BN_free(p);
            goto err;
        }

        /* calculate CRT coefficient for other primes */
        for (i = 2; i < primes; i++) {
            pinfo = sk_RSA_PRIME_INFO_value(prime_infos, i - 2);
            BN_with_flags(p, pinfo->r, BN_FLG_CONSTTIME);
            if (!BN_mod_inverse(pinfo->t, pinfo->pp, p, ctx)) {
                BN_free(p);
                goto err;
            }
        }

        /* We MUST free p before any further use of rsa->p */
        BN_free(p);
    }

    ok = 1;
 err:
    if (ok == -1) {
        RSAerr(0, ERR_LIB_BN);
        ok = 0;
    }
    BN_CTX_end(ctx);
    BN_CTX_free(ctx);
#endif /* FIPS_MODULE */

    if (pairwise_test && ok > 0) {
        OSSL_CALLBACK *stcb = NULL;
        void *stcbarg = NULL;

        OSSL_SELF_TEST_get_callback(libctx, &stcb, &stcbarg);
        ok = rsa_keygen_pairwise_test(rsa, stcb, stcbarg);
        if (!ok) {
            /* Clear intermediate results */
            BN_clear_free(rsa->d);
            BN_clear_free(rsa->p);
            BN_clear_free(rsa->q);
            BN_clear_free(rsa->dmp1);
            BN_clear_free(rsa->dmq1);
            BN_clear_free(rsa->iqmp);
        }
    }
    return ok;
}

/*
 * For RSA key generation it is not known whether the key pair will be used
 * for key transport or signatures. FIPS 140-2 IG 9.9 states that in this case
 * either a signature verification OR an encryption operation may be used to
 * perform the pairwise consistency check. The simpler encrypt/decrypt operation
 * has been chosen for this case.
 */
static int rsa_keygen_pairwise_test(RSA *rsa, OSSL_CALLBACK *cb, void *cbarg)
{
    int ret = 0;
    unsigned int ciphertxt_len;
    unsigned char *ciphertxt = NULL;
    const unsigned char plaintxt[16] = {0};
    unsigned char decoded[256];
    unsigned int decoded_len;
    unsigned int plaintxt_len = (unsigned int)sizeof(plaintxt_len);
    int padding = RSA_PKCS1_PADDING;
    OSSL_SELF_TEST *st = NULL;

    st = OSSL_SELF_TEST_new(cb, cbarg);
    if (st == NULL)
        goto err;
    OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_PCT,
                           OSSL_SELF_TEST_DESC_PCT_RSA_PKCS1);

    ciphertxt_len = RSA_size(rsa);
    ciphertxt = OPENSSL_zalloc(ciphertxt_len);
    if (ciphertxt == NULL)
        goto err;

    ciphertxt_len = RSA_public_encrypt(plaintxt_len, plaintxt, ciphertxt, rsa,
                                       padding);
    if (ciphertxt_len <= 0)
        goto err;
    if (ciphertxt_len == plaintxt_len
        && memcmp(decoded, plaintxt, plaintxt_len) == 0)
        goto err;

    OSSL_SELF_TEST_oncorrupt_byte(st, ciphertxt);

    decoded_len = RSA_private_decrypt(ciphertxt_len, ciphertxt, decoded, rsa,
                                      padding);
    if (decoded_len != plaintxt_len
        || memcmp(decoded, plaintxt,  decoded_len) != 0)
        goto err;

    ret = 1;
err:
    OSSL_SELF_TEST_onend(st, ret);
    OSSL_SELF_TEST_free(st);
    OPENSSL_free(ciphertxt);

    return ret;
}
Commit	Line	Data
2039c421	1	/*
33388b44	2	* Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
0f113f3e	3	*
2a7b6f39	4	* Licensed under the Apache License 2.0 (the "License"). You may not use
2039c421 RS	5	* this file except in compliance with the License. You can obtain a copy
	6	* in the file LICENSE in the source distribution or at
	7	* https://www.openssl.org/source/license.html
d02b48c6 RE	8	*/
d02b48c6 RE	9
0f113f3e MC	10	/*
	11	* NB: these functions have been "upgraded", the deprecated versions (which
	12	* are compatibility wrappers using these functions) are in rsa_depr.c. -
	13	* Geoff
e9224c71 GT	14	*/
e9224c71 GT	15
c5f87134 P	16	/*
	17	* RSA low level APIs are deprecated for public use, but still ok for
	18	* internal use.
	19	*/
	20	#include "internal/deprecated.h"
	21
d02b48c6 RE	22	#include <stdio.h>
d02b48c6 RE	23	#include <time.h>
b39fc560	24	#include "internal/cryptlib.h"
ec577822	25	#include <openssl/bn.h>
47c239c6	26	#include <openssl/self_test.h>
706457b7	27	#include "rsa_local.h"
d02b48c6	28
47c239c6 SL	29	static int rsa_keygen_pairwise_test(RSA rsa, OSSL_CALLBACK cb, void *cbarg);
	30	static int rsa_keygen(OPENSSL_CTX libctx, RSA rsa, int bits, int primes,
	31	BIGNUM e_value, BN_GENCB cb, int pairwise_test);
2814c629	32
0f113f3e MC	33	/*
	34	* NB: this wrapper would normally be placed in rsa_lib.c and the static
	35	* implementation would probably be in rsa_eay.c. Nonetheless, is kept here
	36	* so that we don't introduce a new linker dependency. Eg. any application
	37	* that wasn't previously linking object code related to key-generation won't
	38	* have to now just because key-generation is part of RSA_METHOD.
	39	*/
bcfea9fb	40	int RSA_generate_key_ex(RSA rsa, int bits, BIGNUM e_value, BN_GENCB *cb)
0f113f3e	41	{
665d899f	42	if (rsa->meth->rsa_keygen != NULL)
0f113f3e	43	return rsa->meth->rsa_keygen(rsa, bits, e_value, cb);
665d899f PY	44
	45	return RSA_generate_multi_prime_key(rsa, bits, RSA_DEFAULT_PRIME_NUM,
	46	e_value, cb);
0f113f3e MC	47	}
0f113f3e MC	48
665d899f PY	49	int RSA_generate_multi_prime_key(RSA *rsa, int bits, int primes,
	50	BIGNUM e_value, BN_GENCB cb)
	51	{
f844f9eb	52	#ifndef FIPS_MODULE
665d899f	53	/* multi-prime is only supported with the builtin key generation */
e44480cc	54	if (rsa->meth->rsa_multi_prime_keygen != NULL) {
665d899f PY	55	return rsa->meth->rsa_multi_prime_keygen(rsa, bits, primes,
665d899f PY	56	e_value, cb);
e44480cc AP	57	} else if (rsa->meth->rsa_keygen != NULL) {
	58	/*
	59	* However, if rsa->meth implements only rsa_keygen, then we
	60	* have to honour it in 2-prime case and assume that it wouldn't
	61	* know what to do with multi-prime key generated by builtin
	62	* subroutine...
	63	*/
	64	if (primes == 2)
	65	return rsa->meth->rsa_keygen(rsa, bits, e_value, cb);
	66	else
	67	return 0;
	68	}
f844f9eb	69	#endif /* FIPS_MODULE */
47c239c6	70	return rsa_keygen(NULL, rsa, bits, primes, e_value, cb, 0);
665d899f PY	71	}
665d899f PY	72
47c239c6 SL	73	static int rsa_keygen(OPENSSL_CTX libctx, RSA rsa, int bits, int primes,
47c239c6 SL	74	BIGNUM e_value, BN_GENCB cb, int pairwise_test)
0f113f3e	75	{
47c239c6	76	int ok = -1;
f844f9eb	77	#ifdef FIPS_MODULE
8240d5fa SL	78	if (primes != 2)
8240d5fa SL	79	return 0;
47c239c6 SL	80	ok = rsa_sp800_56b_generate_key(rsa, bits, e_value, cb);
47c239c6 SL	81	pairwise_test = 1; /* FIPS MODE needs to always run the pairwise test */
8240d5fa	82	#else
665d899f	83	BIGNUM r0 = NULL, r1 = NULL, r2 = NULL, tmp, *prime;
47c239c6	84	int n = 0, bitsr[RSA_MAX_PRIME_NUM], bitse = 0;
665d899f PY	85	int i = 0, quo = 0, rmd = 0, adj = 0, retries = 0;
	86	RSA_PRIME_INFO *pinfo = NULL;
	87	STACK_OF(RSA_PRIME_INFO) *prime_infos = NULL;
0f113f3e	88	BN_CTX *ctx = NULL;
665d899f	89	BN_ULONG bitst = 0;
8db7946e	90	unsigned long error = 0;
665d899f	91
cac19d19	92	if (bits < RSA_MIN_MODULUS_BITS) {
69795831	93	ok = 0; /* we set our own err */
47c239c6	94	RSAerr(0, RSA_R_KEY_SIZE_TOO_SMALL);
69795831 RS	95	goto err;
	96	}
	97
3bded9cd AP	98	if (primes < RSA_DEFAULT_PRIME_NUM \|\| primes > rsa_multip_cap(bits)) {
3bded9cd AP	99	ok = 0; /* we set our own err */
47c239c6	100	RSAerr(0, RSA_R_KEY_PRIME_NUM_INVALID);
665d899f PY	101	goto err;
	102	}
	103
0f113f3e MC	104	ctx = BN_CTX_new();
	105	if (ctx == NULL)
	106	goto err;
	107	BN_CTX_start(ctx);
	108	r0 = BN_CTX_get(ctx);
	109	r1 = BN_CTX_get(ctx);
	110	r2 = BN_CTX_get(ctx);
665d899f PY	111	if (r2 == NULL)
	112	goto err;
	113
	114	/* divide bits into 'primes' pieces evenly */
	115	quo = bits / primes;
	116	rmd = bits % primes;
	117
665d899f PY	118	for (i = 0; i < primes; i++)
665d899f PY	119	bitsr[i] = (i < rmd) ? quo + 1 : quo;
0f113f3e	120
29be6023 RL	121	rsa->dirty_cnt++;
29be6023 RL	122
0f113f3e MC	123	/* We need the RSA components non-NULL */
	124	if (!rsa->n && ((rsa->n = BN_new()) == NULL))
	125	goto err;
74924dcb	126	if (!rsa->d && ((rsa->d = BN_secure_new()) == NULL))
0f113f3e MC	127	goto err;
	128	if (!rsa->e && ((rsa->e = BN_new()) == NULL))
	129	goto err;
74924dcb	130	if (!rsa->p && ((rsa->p = BN_secure_new()) == NULL))
0f113f3e	131	goto err;
74924dcb	132	if (!rsa->q && ((rsa->q = BN_secure_new()) == NULL))
0f113f3e	133	goto err;
74924dcb	134	if (!rsa->dmp1 && ((rsa->dmp1 = BN_secure_new()) == NULL))
0f113f3e	135	goto err;
74924dcb	136	if (!rsa->dmq1 && ((rsa->dmq1 = BN_secure_new()) == NULL))
0f113f3e	137	goto err;
74924dcb	138	if (!rsa->iqmp && ((rsa->iqmp = BN_secure_new()) == NULL))
0f113f3e MC	139	goto err;
0f113f3e MC	140
665d899f PY	141	/* initialize multi-prime components */
	142	if (primes > RSA_DEFAULT_PRIME_NUM) {
	143	rsa->version = RSA_ASN1_VERSION_MULTI;
	144	prime_infos = sk_RSA_PRIME_INFO_new_reserve(NULL, primes - 2);
	145	if (prime_infos == NULL)
	146	goto err;
	147	if (rsa->prime_infos != NULL) {
	148	/* could this happen? */
	149	sk_RSA_PRIME_INFO_pop_free(rsa->prime_infos, rsa_multip_info_free);
	150	}
	151	rsa->prime_infos = prime_infos;
	152
	153	/* prime_info from 2 to \|primes\| -1 */
	154	for (i = 2; i < primes; i++) {
	155	pinfo = rsa_multip_info_new();
	156	if (pinfo == NULL)
	157	goto err;
	158	(void)sk_RSA_PRIME_INFO_push(prime_infos, pinfo);
	159	}
	160	}
	161
78e09b53 RS	162	if (BN_copy(rsa->e, e_value) == NULL)
78e09b53 RS	163	goto err;
0f113f3e	164
665d899f PY	165	/* generate p, q and other primes (if any) */
	166	for (i = 0; i < primes; i++) {
	167	adj = 0;
	168	retries = 0;
	169
	170	if (i == 0) {
	171	prime = rsa->p;
	172	} else if (i == 1) {
	173	prime = rsa->q;
	174	} else {
	175	pinfo = sk_RSA_PRIME_INFO_value(prime_infos, i - 2);
	176	prime = pinfo->r;
	177	}
54f007af	178	BN_set_flags(prime, BN_FLG_CONSTTIME);
665d899f PY	179
	180	for (;;) {
	181	redo:
	182	if (!BN_generate_prime_ex(prime, bitsr[i] + adj, 0, NULL, NULL, cb))
	183	goto err;
	184	/*
	185	* prime should not be equal to p, q, r_3...
	186	* (those primes prior to this one)
	187	*/
	188	{
	189	int j;
	190
	191	for (j = 0; j < i; j++) {
	192	BIGNUM *prev_prime;
	193
	194	if (j == 0)
	195	prev_prime = rsa->p;
	196	else if (j == 1)
	197	prev_prime = rsa->q;
	198	else
	199	prev_prime = sk_RSA_PRIME_INFO_value(prime_infos,
	200	j - 2)->r;
	201
	202	if (!BN_cmp(prime, prev_prime)) {
	203	goto redo;
	204	}
	205	}
	206	}
	207	if (!BN_sub(r2, prime, BN_value_one()))
	208	goto err;
8db7946e SW	209	ERR_set_mark();
	210	BN_set_flags(r2, BN_FLG_CONSTTIME);
	211	if (BN_mod_inverse(r1, r2, rsa->e, ctx) != NULL) {
	212	/* GCD == 1 since inverse exists */
665d899f	213	break;
8db7946e SW	214	}
	215	error = ERR_peek_last_error();
	216	if (ERR_GET_LIB(error) == ERR_LIB_BN
	217	&& ERR_GET_REASON(error) == BN_R_NO_INVERSE) {
	218	/* GCD != 1 */
	219	ERR_pop_to_mark();
	220	} else {
	221	goto err;
	222	}
665d899f PY	223	if (!BN_GENCB_call(cb, 2, n++))
	224	goto err;
	225	}
	226
	227	bitse += bitsr[i];
	228
	229	/* calculate n immediately to see if it's sufficient */
	230	if (i == 1) {
	231	/* we get at least 2 primes */
	232	if (!BN_mul(r1, rsa->p, rsa->q, ctx))
	233	goto err;
	234	} else if (i != 0) {
	235	/* modulus n = p * q * r_3 * r_4 ... */
	236	if (!BN_mul(r1, rsa->n, prime, ctx))
	237	goto err;
	238	} else {
	239	/* i == 0, do nothing */
	240	if (!BN_GENCB_call(cb, 3, i))
	241	goto err;
	242	continue;
	243	}
	244	/*
	245	* if \|r1\|, product of factors so far, is not as long as expected
	246	* (by checking the first 4 bits are less than 0x9 or greater than
	247	* 0xF). If so, re-generate the last prime.
	248	*
	249	* NOTE: This actually can't happen in two-prime case, because of
	250	* the way factors are generated.
	251	*
	252	* Besides, another consideration is, for multi-prime case, even the
	253	* length modulus is as long as expected, the modulus could start at
	254	* 0x8, which could be utilized to distinguish a multi-prime private
	255	* key by using the modulus in a certificate. This is also covered
	256	* by checking the length should not be less than 0x9.
	257	*/
	258	if (!BN_rshift(r2, r1, bitse - 4))
0f113f3e	259	goto err;
665d899f PY	260	bitst = BN_get_word(r2);
	261
	262	if (bitst < 0x9 \|\| bitst > 0xF) {
	263	/*
	264	* For keys with more than 4 primes, we attempt longer factor to
	265	* meet length requirement.
	266	*
	267	* Otherwise, we just re-generate the prime with the same length.
	268	*
	269	* This strategy has the following goals:
	270	*
c2969ff6	271	* 1. 1024-bit factors are efficient when using 3072 and 4096-bit key
665d899f PY	272	* 2. stay the same logic with normal 2-prime key
	273	*/
	274	bitse -= bitsr[i];
	275	if (!BN_GENCB_call(cb, 2, n++))
0f113f3e	276	goto err;
665d899f PY	277	if (primes > 4) {
	278	if (bitst < 0x9)
	279	adj++;
	280	else
	281	adj--;
	282	} else if (retries == 4) {
	283	/*
	284	* re-generate all primes from scratch, mainly used
	285	* in 4 prime case to avoid long loop. Max retry times
	286	* is set to 4.
	287	*/
	288	i = -1;
	289	bitse = 0;
	290	continue;
	291	}
	292	retries++;
	293	goto redo;
	294	}
	295	/* save product of primes for further use, for multi-prime only */
	296	if (i > 1 && BN_copy(pinfo->pp, rsa->n) == NULL)
0f113f3e	297	goto err;
665d899f	298	if (BN_copy(rsa->n, r1) == NULL)
0f113f3e	299	goto err;
665d899f	300	if (!BN_GENCB_call(cb, 3, i))
0f113f3e MC	301	goto err;
0f113f3e MC	302	}
665d899f	303
0f113f3e MC	304	if (BN_cmp(rsa->p, rsa->q) < 0) {
	305	tmp = rsa->p;
	306	rsa->p = rsa->q;
	307	rsa->q = tmp;
	308	}
	309
0f113f3e	310	/* calculate d */
665d899f PY	311
665d899f PY	312	/* p - 1 */
0f113f3e	313	if (!BN_sub(r1, rsa->p, BN_value_one()))
665d899f PY	314	goto err;
665d899f PY	315	/* q - 1 */
0f113f3e	316	if (!BN_sub(r2, rsa->q, BN_value_one()))
665d899f PY	317	goto err;
665d899f PY	318	/* (p - 1)(q - 1) */
0f113f3e	319	if (!BN_mul(r0, r1, r2, ctx))
665d899f PY	320	goto err;
	321	/* multi-prime */
	322	for (i = 2; i < primes; i++) {
	323	pinfo = sk_RSA_PRIME_INFO_value(prime_infos, i - 2);
	324	/* save r_i - 1 to pinfo->d temporarily */
	325	if (!BN_sub(pinfo->d, pinfo->r, BN_value_one()))
	326	goto err;
	327	if (!BN_mul(r0, r0, pinfo->d, ctx))
	328	goto err;
	329	}
	330
fd7d2520	331	{
5584f65a MC	332	BIGNUM *pr0 = BN_new();
	333
	334	if (pr0 == NULL)
	335	goto err;
665d899f	336
5584f65a	337	BN_with_flags(pr0, r0, BN_FLG_CONSTTIME);
fd7d2520	338	if (!BN_mod_inverse(rsa->d, rsa->e, pr0, ctx)) {
5584f65a	339	BN_free(pr0);
fd7d2520 MC	340	goto err; /* d */
fd7d2520 MC	341	}
5584f65a MC	342	/* We MUST free pr0 before any further use of r0 */
5584f65a MC	343	BN_free(pr0);
fd7d2520	344	}
0f113f3e	345
fd7d2520	346	{
5584f65a MC	347	BIGNUM *d = BN_new();
	348
	349	if (d == NULL)
	350	goto err;
665d899f	351
5584f65a	352	BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
0f113f3e	353
665d899f PY	354	/* calculate d mod (p-1) and d mod (q - 1) */
665d899f PY	355	if (!BN_mod(rsa->dmp1, d, r1, ctx)
fd7d2520	356	\|\| !BN_mod(rsa->dmq1, d, r2, ctx)) {
5584f65a	357	BN_free(d);
fd7d2520 MC	358	goto err;
fd7d2520 MC	359	}
665d899f PY	360
	361	/* calculate CRT exponents */
	362	for (i = 2; i < primes; i++) {
	363	pinfo = sk_RSA_PRIME_INFO_value(prime_infos, i - 2);
	364	/* pinfo->d == r_i - 1 */
	365	if (!BN_mod(pinfo->d, d, pinfo->d, ctx)) {
	366	BN_free(d);
	367	goto err;
	368	}
	369	}
	370
5584f65a MC	371	/* We MUST free d before any further use of rsa->d */
5584f65a MC	372	BN_free(d);
fd7d2520 MC	373	}
	374
	375	{
5584f65a MC	376	BIGNUM *p = BN_new();
	377
	378	if (p == NULL)
	379	goto err;
	380	BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
fd7d2520 MC	381
fd7d2520 MC	382	/* calculate inverse of q mod p */
fd7d2520	383	if (!BN_mod_inverse(rsa->iqmp, rsa->q, p, ctx)) {
5584f65a	384	BN_free(p);
fd7d2520 MC	385	goto err;
fd7d2520 MC	386	}
665d899f PY	387
	388	/* calculate CRT coefficient for other primes */
	389	for (i = 2; i < primes; i++) {
	390	pinfo = sk_RSA_PRIME_INFO_value(prime_infos, i - 2);
	391	BN_with_flags(p, pinfo->r, BN_FLG_CONSTTIME);
	392	if (!BN_mod_inverse(pinfo->t, pinfo->pp, p, ctx)) {
	393	BN_free(p);
	394	goto err;
	395	}
	396	}
	397
5584f65a MC	398	/* We MUST free p before any further use of rsa->p */
5584f65a MC	399	BN_free(p);
fd7d2520	400	}
0f113f3e MC	401
	402	ok = 1;
	403	err:
0f113f3e	404	if (ok == -1) {
47c239c6	405	RSAerr(0, ERR_LIB_BN);
0f113f3e MC	406	ok = 0;
0f113f3e MC	407	}
ce1415ed	408	BN_CTX_end(ctx);
23a1d5e9	409	BN_CTX_free(ctx);
f844f9eb	410	#endif /* FIPS_MODULE */
47c239c6 SL	411
	412	if (pairwise_test && ok > 0) {
	413	OSSL_CALLBACK *stcb = NULL;
	414	void *stcbarg = NULL;
	415
	416	OSSL_SELF_TEST_get_callback(libctx, &stcb, &stcbarg);
	417	ok = rsa_keygen_pairwise_test(rsa, stcb, stcbarg);
	418	if (!ok) {
	419	/* Clear intermediate results */
	420	BN_clear_free(rsa->d);
	421	BN_clear_free(rsa->p);
	422	BN_clear_free(rsa->q);
	423	BN_clear_free(rsa->dmp1);
	424	BN_clear_free(rsa->dmq1);
	425	BN_clear_free(rsa->iqmp);
	426	}
	427	}
	428	return ok;
	429	}
	430
	431	/*
	432	* For RSA key generation it is not known whether the key pair will be used
	433	* for key transport or signatures. FIPS 140-2 IG 9.9 states that in this case
	434	* either a signature verification OR an encryption operation may be used to
	435	* perform the pairwise consistency check. The simpler encrypt/decrypt operation
	436	* has been chosen for this case.
	437	*/
	438	static int rsa_keygen_pairwise_test(RSA rsa, OSSL_CALLBACK cb, void *cbarg)
	439	{
	440	int ret = 0;
	441	unsigned int ciphertxt_len;
	442	unsigned char *ciphertxt = NULL;
	443	const unsigned char plaintxt[16] = {0};
	444	unsigned char decoded[256];
	445	unsigned int decoded_len;
	446	unsigned int plaintxt_len = (unsigned int)sizeof(plaintxt_len);
	447	int padding = RSA_PKCS1_PADDING;
	448	OSSL_SELF_TEST *st = NULL;
	449
	450	st = OSSL_SELF_TEST_new(cb, cbarg);
	451	if (st == NULL)
	452	goto err;
	453	OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_PCT,
	454	OSSL_SELF_TEST_DESC_PCT_RSA_PKCS1);
	455
	456	ciphertxt_len = RSA_size(rsa);
	457	ciphertxt = OPENSSL_zalloc(ciphertxt_len);
	458	if (ciphertxt == NULL)
	459	goto err;
	460
	461	ciphertxt_len = RSA_public_encrypt(plaintxt_len, plaintxt, ciphertxt, rsa,
	462	padding);
	463	if (ciphertxt_len <= 0)
	464	goto err;
	465	if (ciphertxt_len == plaintxt_len
	466	&& memcmp(decoded, plaintxt, plaintxt_len) == 0)
	467	goto err;
	468
	469	OSSL_SELF_TEST_oncorrupt_byte(st, ciphertxt);
	470
	471	decoded_len = RSA_private_decrypt(ciphertxt_len, ciphertxt, decoded, rsa,
	472	padding);
	473	if (decoded_len != plaintxt_len
	474	\|\| memcmp(decoded, plaintxt, decoded_len) != 0)
475	goto err;
476
477	ret = 1;
478	err:
479	OSSL_SELF_TEST_onend(st, ret);
480	OSSL_SELF_TEST_free(st);
481	OPENSSL_free(ciphertxt);
482
483	return ret;
0f113f3e	484	}