]>
Commit | Line | Data |
---|---|---|
93a17f79 | 1 | /* crypto/rsa/rsa_chk.c */ |
6519b2cb | 2 | /* ==================================================================== |
32ef0494 | 3 | * Copyright (c) 1999-2019 The OpenSSL Project. All rights reserved. |
6519b2cb BM |
4 | * |
5 | * Redistribution and use in source and binary forms, with or without | |
6 | * modification, are permitted provided that the following conditions | |
7 | * are met: | |
8 | * | |
9 | * 1. Redistributions of source code must retain the above copyright | |
ae5c8664 | 10 | * notice, this list of conditions and the following disclaimer. |
6519b2cb BM |
11 | * |
12 | * 2. Redistributions in binary form must reproduce the above copyright | |
13 | * notice, this list of conditions and the following disclaimer in | |
14 | * the documentation and/or other materials provided with the | |
15 | * distribution. | |
16 | * | |
17 | * 3. All advertising materials mentioning features or use of this | |
18 | * software must display the following acknowledgment: | |
19 | * "This product includes software developed by the OpenSSL Project | |
20 | * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" | |
21 | * | |
22 | * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to | |
23 | * endorse or promote products derived from this software without | |
24 | * prior written permission. For written permission, please contact | |
25 | * openssl-core@OpenSSL.org. | |
26 | * | |
27 | * 5. Products derived from this software may not be called "OpenSSL" | |
28 | * nor may "OpenSSL" appear in their names without prior written | |
29 | * permission of the OpenSSL Project. | |
30 | * | |
31 | * 6. Redistributions of any form whatsoever must retain the following | |
32 | * acknowledgment: | |
33 | * "This product includes software developed by the OpenSSL Project | |
34 | * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" | |
35 | * | |
36 | * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY | |
37 | * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
38 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR | |
39 | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR | |
40 | * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, | |
41 | * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT | |
42 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; | |
43 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
44 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, | |
45 | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | |
46 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED | |
47 | * OF THE POSSIBILITY OF SUCH DAMAGE. | |
48 | * ==================================================================== | |
49 | */ | |
50 | ||
51 | #include <openssl/bn.h> | |
52 | #include <openssl/err.h> | |
53 | #include <openssl/rsa.h> | |
54 | ||
29c1f061 | 55 | int RSA_check_key(const RSA *key) |
ae5c8664 MC |
56 | { |
57 | BIGNUM *i, *j, *k, *l, *m; | |
58 | BN_CTX *ctx; | |
ae5c8664 MC |
59 | int ret = 1; |
60 | ||
61 | if (!key->p || !key->q || !key->n || !key->e || !key->d) { | |
62 | RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_VALUE_MISSING); | |
63 | return 0; | |
64 | } | |
65 | ||
adaebd81 CPG |
66 | /* Set consant-time flag on private parameters */ |
67 | BN_set_flags(key->p, BN_FLG_CONSTTIME); | |
68 | BN_set_flags(key->q, BN_FLG_CONSTTIME); | |
69 | BN_set_flags(key->d, BN_FLG_CONSTTIME); | |
ae5c8664 MC |
70 | i = BN_new(); |
71 | j = BN_new(); | |
72 | k = BN_new(); | |
73 | l = BN_new(); | |
74 | m = BN_new(); | |
75 | ctx = BN_CTX_new(); | |
561530da RS |
76 | if (i == NULL || j == NULL || k == NULL || l == NULL |
77 | || m == NULL || ctx == NULL) { | |
ae5c8664 MC |
78 | ret = -1; |
79 | RSAerr(RSA_F_RSA_CHECK_KEY, ERR_R_MALLOC_FAILURE); | |
80 | goto err; | |
81 | } | |
82 | ||
561530da RS |
83 | if (BN_is_one(key->e)) { |
84 | ret = 0; | |
85 | RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_BAD_E_VALUE); | |
86 | } | |
87 | if (!BN_is_odd(key->e)) { | |
88 | ret = 0; | |
89 | RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_BAD_E_VALUE); | |
90 | } | |
91 | ||
ae5c8664 | 92 | /* p prime? */ |
561530da RS |
93 | if (BN_is_prime_ex(key->p, BN_prime_checks, NULL, NULL) != 1) { |
94 | ret = 0; | |
ae5c8664 MC |
95 | RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_P_NOT_PRIME); |
96 | } | |
97 | ||
98 | /* q prime? */ | |
561530da RS |
99 | if (BN_is_prime_ex(key->q, BN_prime_checks, NULL, NULL) != 1) { |
100 | ret = 0; | |
ae5c8664 MC |
101 | RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_Q_NOT_PRIME); |
102 | } | |
103 | ||
104 | /* n = p*q? */ | |
561530da | 105 | if (!BN_mul(i, key->p, key->q, ctx)) { |
ae5c8664 MC |
106 | ret = -1; |
107 | goto err; | |
108 | } | |
ae5c8664 MC |
109 | if (BN_cmp(i, key->n) != 0) { |
110 | ret = 0; | |
111 | RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_N_DOES_NOT_EQUAL_P_Q); | |
112 | } | |
113 | ||
114 | /* d*e = 1 mod lcm(p-1,q-1)? */ | |
561530da | 115 | if (!BN_sub(i, key->p, BN_value_one())) { |
ae5c8664 MC |
116 | ret = -1; |
117 | goto err; | |
118 | } | |
561530da | 119 | if (!BN_sub(j, key->q, BN_value_one())) { |
ae5c8664 MC |
120 | ret = -1; |
121 | goto err; | |
122 | } | |
123 | ||
124 | /* now compute k = lcm(i,j) */ | |
561530da | 125 | if (!BN_mul(l, i, j, ctx)) { |
ae5c8664 MC |
126 | ret = -1; |
127 | goto err; | |
128 | } | |
561530da | 129 | if (!BN_gcd(m, i, j, ctx)) { |
ae5c8664 MC |
130 | ret = -1; |
131 | goto err; | |
132 | } | |
561530da | 133 | if (!BN_div(k, NULL, l, m, ctx)) { /* remainder is 0 */ |
ae5c8664 MC |
134 | ret = -1; |
135 | goto err; | |
136 | } | |
561530da | 137 | if (!BN_mod_mul(i, key->d, key->e, k, ctx)) { |
ae5c8664 MC |
138 | ret = -1; |
139 | goto err; | |
140 | } | |
141 | ||
142 | if (!BN_is_one(i)) { | |
143 | ret = 0; | |
144 | RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_D_E_NOT_CONGRUENT_TO_1); | |
145 | } | |
146 | ||
147 | if (key->dmp1 != NULL && key->dmq1 != NULL && key->iqmp != NULL) { | |
adaebd81 CPG |
148 | /* Set consant-time flag on CRT parameters */ |
149 | BN_set_flags(key->dmp1, BN_FLG_CONSTTIME); | |
150 | BN_set_flags(key->dmq1, BN_FLG_CONSTTIME); | |
151 | BN_set_flags(key->iqmp, BN_FLG_CONSTTIME); | |
ae5c8664 | 152 | /* dmp1 = d mod (p-1)? */ |
561530da | 153 | if (!BN_sub(i, key->p, BN_value_one())) { |
ae5c8664 MC |
154 | ret = -1; |
155 | goto err; | |
156 | } | |
561530da | 157 | if (!BN_mod(j, key->d, i, ctx)) { |
ae5c8664 MC |
158 | ret = -1; |
159 | goto err; | |
160 | } | |
ae5c8664 MC |
161 | if (BN_cmp(j, key->dmp1) != 0) { |
162 | ret = 0; | |
163 | RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_DMP1_NOT_CONGRUENT_TO_D); | |
164 | } | |
165 | ||
166 | /* dmq1 = d mod (q-1)? */ | |
561530da | 167 | if (!BN_sub(i, key->q, BN_value_one())) { |
ae5c8664 MC |
168 | ret = -1; |
169 | goto err; | |
170 | } | |
561530da | 171 | if (!BN_mod(j, key->d, i, ctx)) { |
ae5c8664 MC |
172 | ret = -1; |
173 | goto err; | |
174 | } | |
ae5c8664 MC |
175 | if (BN_cmp(j, key->dmq1) != 0) { |
176 | ret = 0; | |
177 | RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_DMQ1_NOT_CONGRUENT_TO_D); | |
178 | } | |
179 | ||
180 | /* iqmp = q^-1 mod p? */ | |
181 | if (!BN_mod_inverse(i, key->q, key->p, ctx)) { | |
182 | ret = -1; | |
183 | goto err; | |
184 | } | |
ae5c8664 MC |
185 | if (BN_cmp(i, key->iqmp) != 0) { |
186 | ret = 0; | |
187 | RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_IQMP_NOT_INVERSE_OF_Q); | |
188 | } | |
189 | } | |
4f6235f7 | 190 | |
6519b2cb | 191 | err: |
561530da RS |
192 | BN_free(i); |
193 | BN_free(j); | |
194 | BN_free(k); | |
195 | BN_free(l); | |
196 | BN_free(m); | |
197 | BN_CTX_free(ctx); | |
198 | return ret; | |
ae5c8664 | 199 | } |