RSA: Update RSA keygen.

The documentation now reference(s) FIPS 186-5 instead of FIPS 186-4,
and clarifies the keygen method used.

This PR also adds the new FIPS 186-5 2 optional parameters that allow
the generated probable primes to be congruent to a value mod 8.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28349)

diff --git a/crypto/bn/bn_rsa_fips186_4.c b/crypto/bn/bn_rsa_fips186_5.c
similarity index 82%
rename from crypto/bn/bn_rsa_fips186_4.c
rename to crypto/bn/bn_rsa_fips186_5.c
index e42de63a352b51864a6304a81c54b51bbc524041..3a03ed9704dd1d6d424b5a9777011415d161dbb5 100644 (file)
--- a/crypto/bn/bn_rsa_fips186_4.c
+++ b/crypto/bn/bn_rsa_fips186_5.c
@@ -102,24 +102,29 @@ static int bn_rsa_fips186_5_aux_prime_min_size(int nbits)
  * (FIPS 186-5 has an entry for >= 4096 bits).
  * Params:
  *     nbits The key size in bits.
+ *     c If this is non zero then the probable prime is congruent to c mod 8
+ *       and is 3 bits smaller
  * Returns:
  *     The maximum length or 0 if nbits is invalid.
  */
-static int bn_rsa_fips186_5_aux_prime_max_sum_size_for_prob_primes(int nbits)
+static int bn_rsa_fips186_5_aux_prime_max_sum_size_for_prob_primes(int nbits,
+                                                                   uint32_t c)
 {
+    int reduce_bits = (c == 0) ? 0 : 3;
+
     if (nbits >= 4096)
-        return 2030;
+        return 2030 - reduce_bits;
     if (nbits >= 3072)
-        return 1518;
+        return 1518 - reduce_bits;
     if (nbits >= 2048)
-        return 1007;
+        return 1007 - reduce_bits;
     return 0;
 }
 
 /*
  * Find the first odd integer that is a probable prime.
  *
- * See section FIPS 186-4 B.3.6 (Steps 4.2/5.2).
+ * See section FIPS 186-5 A.1.6 (Steps 4.2/5.2).
  *
  * Params:
  *     Xp1 The passed in starting point to find a probably prime.
@@ -129,7 +134,7 @@ static int bn_rsa_fips186_5_aux_prime_max_sum_size_for_prob_primes(int nbits)
  *     cb An optional BIGNUM callback.
  * Returns: 1 on success otherwise it returns 0.
  */
-static int bn_rsa_fips186_4_find_aux_prob_prime(const BIGNUM *Xp1,
+static int bn_rsa_fips186_5_find_aux_prob_prime(const BIGNUM *Xp1,
                                                 BIGNUM *p1, BN_CTX *ctx,
                                                 int rounds,
                                                 BN_GENCB *cb)
@@ -165,7 +170,7 @@ err:
 /*
  * Generate a probable prime (p or q).
  *
- * See FIPS 186-4 B.3.6 (Steps 4 & 5)
+ * See FIPS 186-5 A.1.6 (Steps 4 & 5)
  *
  * Params:
  *     p The returned probable prime.
@@ -179,14 +184,17 @@ err:
  *     e The public exponent.
  *     ctx A BN_CTX object.
  *     cb An optional BIGNUM callback.
+ *     c An optional number with a value of 0, 1, 3, 5 or 7 that may be used
+ *       to add the requirement p is congruent to c mod 8. The value is ignored
+ *       if it is zero.
  * Returns: 1 on success otherwise it returns 0.
  */
-int ossl_bn_rsa_fips186_4_gen_prob_primes(BIGNUM *p, BIGNUM *Xpout,
+int ossl_bn_rsa_fips186_5_gen_prob_primes(BIGNUM *p, BIGNUM *Xpout,
                                           BIGNUM *p1, BIGNUM *p2,
                                           const BIGNUM *Xp, const BIGNUM *Xp1,
                                           const BIGNUM *Xp2, int nlen,
                                           const BIGNUM *e, BN_CTX *ctx,
-                                          BN_GENCB *cb)
+                                          BN_GENCB *cb, uint32_t c)
 {
     int ret = 0;
     BIGNUM *p1i = NULL, *p2i = NULL, *Xp1i = NULL, *Xp2i = NULL;
@@ -225,16 +233,16 @@ int ossl_bn_rsa_fips186_4_gen_prob_primes(BIGNUM *p, BIGNUM *Xpout,
     }
 
     /* (Steps 4.2/5.2) - find first auxiliary probable primes */
-    if (!bn_rsa_fips186_4_find_aux_prob_prime(Xp1i, p1i, ctx, rounds, cb)
-            || !bn_rsa_fips186_4_find_aux_prob_prime(Xp2i, p2i, ctx, rounds, cb))
+    if (!bn_rsa_fips186_5_find_aux_prob_prime(Xp1i, p1i, ctx, rounds, cb)
+            || !bn_rsa_fips186_5_find_aux_prob_prime(Xp2i, p2i, ctx, rounds, cb))
         goto err;
     /* (FIPS 186-5 Table A.1) auxiliary prime Max length check */
-    if ((BN_num_bits(p1i) + BN_num_bits(p2i)) >
-            bn_rsa_fips186_5_aux_prime_max_sum_size_for_prob_primes(nlen))
+    if ((BN_num_bits(p1i) + BN_num_bits(p2i)) >=
+            bn_rsa_fips186_5_aux_prime_max_sum_size_for_prob_primes(nlen, c))
         goto err;
     /* (Steps 4.3/5.3) - generate prime */
-    if (!ossl_bn_rsa_fips186_4_derive_prime(p, Xpout, Xp, p1i, p2i, nlen, e,
-                                            ctx, cb))
+    if (!ossl_bn_rsa_fips186_5_derive_prime(p, Xpout, Xp, p1i, p2i, nlen, e,
+                                            ctx, cb, c))
         goto err;
     ret = 1;
 err:
@@ -251,12 +259,29 @@ err:
     return ret;
 }
 
+static ossl_inline
+int get_multiple_of_y_congruent_to_cmod8(BIGNUM *y, const BIGNUM *r1r2x2, int c)
+{
+    int i = 0;
+
+    for (i = 0; i < 3; ++i) {
+        /* Check for Y = c mod 8 */
+        if ((int)(*bn_get_words(y) & 7) == c)
+            return 1;
+        /* Y = Y + 2r1r2 */
+        if (!BN_add(y, y, r1r2x2))
+            return 0;
+    }
+    /* Fall through for y = y + 6 * r1r2 */
+    return 1;
+}
+
 /*
  * Constructs a probable prime (a candidate for p or q) using 2 auxiliary
  * prime numbers and the Chinese Remainder Theorem.
  *
- * See FIPS 186-4 C.9 "Compute a Probable Prime Factor Based on Auxiliary
- * Primes". Used by FIPS 186-4 B.3.6 Section (4.3) for p and Section (5.3) for q.
+ * See FIPS 186-5 B.9 "Compute a Probable Prime Factor Based on Auxiliary
+ * Primes". Used by FIPS 186-5 A.1.6 Section (4.3) for p and Section (5.3) for q.
  *
  * Params:
  *     Y The returned prime factor (private_prime_factor) of the modulus n.
@@ -268,20 +293,24 @@ err:
  *     e The public exponent.
  *     ctx A BN_CTX object.
  *     cb An optional BIGNUM callback object.
+ *     c An optional parameter from the set {0, 1, 3, 5, 7} that
+ *       may be used to add the further requirement that the computed
+ *       prime is congruent to c mod 8. A value of 0 indicates that the option
+ *       is ignored.
  * Returns: 1 on success otherwise it returns 0.
  * Assumptions:
  *     Y, X, r1, r2, e are not NULL.
  */
-int ossl_bn_rsa_fips186_4_derive_prime(BIGNUM *Y, BIGNUM *X, const BIGNUM *Xin,
+int ossl_bn_rsa_fips186_5_derive_prime(BIGNUM *Y, BIGNUM *X, const BIGNUM *Xin,
                                        const BIGNUM *r1, const BIGNUM *r2,
                                        int nlen, const BIGNUM *e,
-                                       BN_CTX *ctx, BN_GENCB *cb)
+                                       BN_CTX *ctx, BN_GENCB *cb, uint32_t c)
 {
     int ret = 0;
     int i, imax, rounds;
     int bits = nlen >> 1;
-    BIGNUM *tmp, *R, *r1r2x2, *y1, *r1x2;
-    BIGNUM *base, *range;
+    BIGNUM *tmp, *R, *r1r2x2, *r1r2x8, *y1, *r1x2;
+    BIGNUM *base, *range, *r1r2x2_step;
 
     BN_CTX_start(ctx);
 
@@ -290,6 +319,7 @@ int ossl_bn_rsa_fips186_4_derive_prime(BIGNUM *Y, BIGNUM *X, const BIGNUM *Xin,
     R = BN_CTX_get(ctx);
     tmp = BN_CTX_get(ctx);
     r1r2x2 = BN_CTX_get(ctx);
+    r1r2x8 = BN_CTX_get(ctx);
     y1 = BN_CTX_get(ctx);
     r1x2 = BN_CTX_get(ctx);
     if (r1x2 == NULL)
@@ -340,6 +370,14 @@ int ossl_bn_rsa_fips186_4_derive_prime(BIGNUM *Y, BIGNUM *X, const BIGNUM *Xin,
     if (BN_is_negative(R) && !BN_add(R, R, r1r2x2))
         goto err;
 
+    if (c == 0) {
+        r1r2x2_step = r1r2x2;
+    } else {
+        if (!BN_lshift(r1r2x8, r1r2x2, 2))
+            goto err;
+        r1r2x2_step = r1r2x8;
+    }
+
     /*
      * In FIPS 186-4 imax was set to 5 * nlen/2.
      * Analysis by Allen Roginsky
@@ -362,6 +400,15 @@ int ossl_bn_rsa_fips186_4_derive_prime(BIGNUM *Y, BIGNUM *X, const BIGNUM *Xin,
         /* (Step 4) Y = X + ((R - X) mod 2r1r2) */
         if (!BN_mod_sub(Y, R, X, r1r2x2, ctx) || !BN_add(Y, Y, X))
             goto err;
+        /*
+         * (Step 4.1) If there is an optional requirement that the
+         * computed prime is equal to c mod 8, then chose the value
+         * Y, Y + 2r1r2, Y + 4r1r2 OR Y + 6r1r2 that satisfies the requirement.
+         */
+        if (c != 0) {
+            if (!get_multiple_of_y_congruent_to_cmod8(Y, r1r2x2, c))
+                goto err;
+        }
         /* (Step 5) */
         i = 0;
         for (;;) {
@@ -392,7 +439,7 @@ int ossl_bn_rsa_fips186_4_derive_prime(BIGNUM *Y, BIGNUM *X, const BIGNUM *Xin,
                 ERR_raise(ERR_LIB_BN, BN_R_NO_PRIME_CANDIDATE);
                 goto err;
             }
-            if (!BN_add(Y, Y, r1r2x2))
+            if (!BN_add(Y, Y, r1r2x2_step))
                 goto err;
         }
     }

diff --git a/crypto/bn/build.info b/crypto/bn/build.info
index cf30d057ad559bd716ca192752f8dc2474ae55c4..01e98e45443cb382dc9e97660ffc908c94f877c4 100644 (file)
--- a/crypto/bn/build.info
+++ b/crypto/bn/build.info
@@ -109,7 +109,7 @@ $COMMON=bn_add.c bn_div.c bn_exp.c bn_lib.c bn_ctx.c bn_mul.c \
         bn_mod.c bn_conv.c bn_rand.c bn_shift.c bn_word.c bn_blind.c \
         bn_kron.c bn_sqrt.c bn_gcd.c bn_prime.c bn_sqr.c \
         bn_recp.c bn_mont.c bn_mpi.c bn_exp2.c bn_gf2m.c bn_nist.c \
-        bn_intern.c bn_dh.c bn_rsa_fips186_4.c bn_const.c
+        bn_intern.c bn_dh.c bn_rsa_fips186_5.c bn_const.c
 SOURCE[../../libcrypto]=$COMMON $BNASM bn_print.c bn_err.c bn_srp.c
 DEFINE[../../libcrypto]=$BNDEF
 IF[{- !$disabled{'deprecated-0.9.8'} -}]

diff --git a/crypto/rsa/rsa_gen.c b/crypto/rsa/rsa_gen.c
index 0cbcebeced02cd844105d5384aeead3ecd1a4f5a..064e6757139fecb4d550854cd6c3581bf4a78861 100644 (file)
--- a/crypto/rsa/rsa_gen.c
+++ b/crypto/rsa/rsa_gen.c
@@ -29,7 +29,8 @@
 
 static int rsa_keygen_pairwise_test(RSA *rsa, OSSL_CALLBACK *cb, void *cbarg);
 static int rsa_keygen(OSSL_LIB_CTX *libctx, RSA *rsa, int bits, int primes,
-                      BIGNUM *e_value, BN_GENCB *cb, int pairwise_test);
+                      BIGNUM *e_value, BN_GENCB *cb, int pairwise_test,
+                      uint32_t a, uint32_t b);
 
 /*
  * NB: this wrapper would normally be placed in rsa_lib.c and the static
@@ -47,8 +48,9 @@ int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
                                         e_value, cb);
 }
 
-int RSA_generate_multi_prime_key(RSA *rsa, int bits, int primes,
-                                 BIGNUM *e_value, BN_GENCB *cb)
+int ossl_rsa_generate_multi_prime_key(RSA *rsa, int bits, int primes,
+                                      BIGNUM *e_value, BN_GENCB *cb,
+                                      uint32_t a, uint32_t b)
 {
 #ifndef FIPS_MODULE
     /* multi-prime is only supported with the builtin key generation */
@@ -68,7 +70,13 @@ int RSA_generate_multi_prime_key(RSA *rsa, int bits, int primes,
             return 0;
     }
 #endif /* FIPS_MODULE */
-    return rsa_keygen(rsa->libctx, rsa, bits, primes, e_value, cb, 0);
+    return rsa_keygen(rsa->libctx, rsa, bits, primes, e_value, cb, 0, a, b);
+}
+
+int RSA_generate_multi_prime_key(RSA *rsa, int bits, int primes,
+                                 BIGNUM *e, BN_GENCB *cb)
+{
+    return ossl_rsa_generate_multi_prime_key(rsa, bits, primes, e, cb, 0, 0);
 }
 
 DEFINE_STACK_OF(BIGNUM)
@@ -607,12 +615,13 @@ static int rsa_multiprime_keygen(RSA *rsa, int bits, int primes,
 #endif /* FIPS_MODULE */
 
 static int rsa_keygen(OSSL_LIB_CTX *libctx, RSA *rsa, int bits, int primes,
-                      BIGNUM *e_value, BN_GENCB *cb, int pairwise_test)
+                      BIGNUM *e_value, BN_GENCB *cb, int pairwise_test,
+                      uint32_t a, uint32_t b)
 {
     int ok = 0;
 
 #ifdef FIPS_MODULE
-    ok = ossl_rsa_sp800_56b_generate_key(rsa, bits, e_value, cb);
+    ok = ossl_rsa_sp800_56b_generate_key(rsa, bits, e_value, cb, a, b);
     pairwise_test = 1; /* FIPS MODE needs to always run the pairwise test */
 #else
     /*
@@ -622,7 +631,7 @@ static int rsa_keygen(OSSL_LIB_CTX *libctx, RSA *rsa, int bits, int primes,
     if (primes == 2
             && bits >= 2048
             && (e_value == NULL || BN_num_bits(e_value) > 16))
-        ok = ossl_rsa_sp800_56b_generate_key(rsa, bits, e_value, cb);
+        ok = ossl_rsa_sp800_56b_generate_key(rsa, bits, e_value, cb, a, b);
     else
         ok = rsa_multiprime_keygen(rsa, bits, primes, e_value, cb);
 #endif /* FIPS_MODULE */

diff --git a/crypto/rsa/rsa_local.h b/crypto/rsa/rsa_local.h
index bc6bd63996c5ded4ee051a8d069896f8d8ed3e01..8ab2bef3fb617b1fc5d263977f5564f4d1931eda 100644 (file)
--- a/crypto/rsa/rsa_local.h
+++ b/crypto/rsa/rsa_local.h
@@ -184,13 +184,13 @@ int ossl_rsa_sp800_56b_check_private(const RSA *rsa);
 int ossl_rsa_sp800_56b_check_keypair(const RSA *rsa, const BIGNUM *efixed,
                                      int strength, int nbits);
 int ossl_rsa_sp800_56b_generate_key(RSA *rsa, int nbits, const BIGNUM *efixed,
-                                    BN_GENCB *cb);
+                                    BN_GENCB *cb, uint32_t a, uint32_t b);
 
 int ossl_rsa_sp800_56b_derive_params_from_pq(RSA *rsa, int nbits,
                                              const BIGNUM *e, BN_CTX *ctx);
-int ossl_rsa_fips186_4_gen_prob_primes(RSA *rsa, RSA_ACVP_TEST *test,
+int ossl_rsa_fips186_5_gen_prob_primes(RSA *rsa, RSA_ACVP_TEST *test,
                                        int nbits, const BIGNUM *e, BN_CTX *ctx,
-                                       BN_GENCB *cb);
+                                       BN_GENCB *cb, uint32_t a, uint32_t b);
 
 int ossl_rsa_padding_add_PKCS1_type_2_ex(OSSL_LIB_CTX *libctx, unsigned char *to,
                                          int tlen, const unsigned char *from,

diff --git a/crypto/rsa/rsa_sp800_56b_gen.c b/crypto/rsa/rsa_sp800_56b_gen.c
index c741cf3c3b0cf08a0b03898d77afb2ec24d5c605..940b8c04c02af11788908751de39921af19539c1 100644 (file)
--- a/crypto/rsa/rsa_sp800_56b_gen.c
+++ b/crypto/rsa/rsa_sp800_56b_gen.c
@@ -17,11 +17,11 @@
 #include "crypto/security_bits.h"
 #include "rsa_local.h"
 
-#define RSA_FIPS1864_MIN_KEYGEN_KEYSIZE 2048
-#define RSA_FIPS1864_MIN_KEYGEN_STRENGTH 112
+#define RSA_FIPS186_5_MIN_KEYGEN_KEYSIZE 2048
+#define RSA_FIPS186_5_MIN_KEYGEN_STRENGTH 112
 
 /*
- * Generate probable primes 'p' & 'q'. See FIPS 186-4 Section B.3.6
+ * Generate probable primes 'p' & 'q'. See FIPS 186-5 Section A.1.6
  * "Generation of Probable Primes with Conditions Based on Auxiliary Probable
  * Primes".
  *
@@ -46,15 +46,22 @@
  *     e The public exponent.
  *     ctx A BN_CTX object.
  *     cb An optional BIGNUM callback.
+ *     a An optional number with a value of 0, 1, 3, 5 or 7 that may be used
+ *       to add the requirement p is congruent to a mod 8. The value is ignored
+ *       if it is zero.
+ *     b An optional number with a value of 0, 1, 3, 5 or 7 that may be used
+ *       to add the requirement q is congruent to b mod 8. The value is ignored
+ *       if it is zero.
+ *
  * Returns: 1 if successful, or  0 otherwise.
  * Notes:
  *     p1, p2, q1, q2 are returned if they are not NULL.
  *     Xp, Xp1, Xp2, Xq, Xq1, Xq2 are optionally passed in.
  *     (Required for CAVS testing).
  */
-int ossl_rsa_fips186_4_gen_prob_primes(RSA *rsa, RSA_ACVP_TEST *test,
+int ossl_rsa_fips186_5_gen_prob_primes(RSA *rsa, RSA_ACVP_TEST *test,
                                        int nbits, const BIGNUM *e, BN_CTX *ctx,
-                                       BN_GENCB *cb)
+                                       BN_GENCB *cb, uint32_t a, uint32_t b)
 {
     int ret = 0, ok;
     /* Temp allocated BIGNUMS */
@@ -81,21 +88,24 @@ int ossl_rsa_fips186_4_gen_prob_primes(RSA *rsa, RSA_ACVP_TEST *test,
     }
 #endif
 
-    /* (Step 1) Check key length
+    /*
+     * (Step 1) Check key length
      * NOTE: SP800-131A Rev1 Disallows key lengths of < 2048 bits for RSA
      * Signature Generation and Key Agree/Transport.
      */
-    if (nbits < RSA_FIPS1864_MIN_KEYGEN_KEYSIZE) {
+    if (nbits < RSA_FIPS186_5_MIN_KEYGEN_KEYSIZE) {
         ERR_raise(ERR_LIB_RSA, RSA_R_KEY_SIZE_TOO_SMALL);
         return 0;
     }
 
+    /* (Step 2) Check exponent */
     if (!ossl_rsa_check_public_exponent(e)) {
         ERR_raise(ERR_LIB_RSA, RSA_R_PUB_EXPONENT_OUT_OF_RANGE);
         return 0;
     }
 
-    /* (Step 3) Determine strength and check rand generator strength is ok -
+    /*
+     * (Step 3) Determine strength and check rand generator strength is ok -
      * this step is redundant because the generator always returns a higher
      * strength than is required.
      */
@@ -119,13 +129,13 @@ int ossl_rsa_fips186_4_gen_prob_primes(RSA *rsa, RSA_ACVP_TEST *test,
     BN_set_flags(rsa->q, BN_FLG_CONSTTIME);
 
     /* (Step 4) Generate p, Xp */
-    if (!ossl_bn_rsa_fips186_4_gen_prob_primes(rsa->p, Xpo, p1, p2, Xp, Xp1, Xp2,
-                                               nbits, e, ctx, cb))
+    if (!ossl_bn_rsa_fips186_5_gen_prob_primes(rsa->p, Xpo, p1, p2, Xp, Xp1, Xp2,
+                                               nbits, e, ctx, cb, a))
         goto err;
     for (;;) {
         /* (Step 5) Generate q, Xq*/
-        if (!ossl_bn_rsa_fips186_4_gen_prob_primes(rsa->q, Xqo, q1, q2, Xq, Xq1,
-                                                   Xq2, nbits, e, ctx, cb))
+        if (!ossl_bn_rsa_fips186_5_gen_prob_primes(rsa->q, Xqo, q1, q2, Xq, Xq1,
+                                                   Xq2, nbits, e, ctx, cb, b))
             goto err;
 
         /* (Step 6) |Xp - Xq| > 2^(nbitlen/2 - 100) */
@@ -146,7 +156,7 @@ int ossl_rsa_fips186_4_gen_prob_primes(RSA *rsa, RSA_ACVP_TEST *test,
     rsa->dirty_cnt++;
     ret = 1;
 err:
-    /* Zeroize any internally generated values that are not returned */
+    /* (Step 7) Zeroize any internally generated values that are not returned */
     BN_clear(Xpo);
     BN_clear(Xqo);
     BN_clear(tmp);
@@ -176,7 +186,7 @@ int ossl_rsa_sp800_56b_validate_strength(int nbits, int strength)
     int s = (int)ossl_ifc_ffc_compute_security_bits(nbits);
 
 #ifdef FIPS_MODULE
-    if (s < RSA_FIPS1864_MIN_KEYGEN_STRENGTH) {
+    if (s < RSA_FIPS186_5_MIN_KEYGEN_STRENGTH) {
         ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_MODULUS);
         return 0;
     }
@@ -351,7 +361,7 @@ err:
  *    6.3.1.1 rsakpg1 - basic
  *    6.3.1.3 rsakpg1 - crt
  *
- * See also FIPS 186-4 Section B.3.6
+ * See also FIPS 186-5 Section A.1.6
  * "Generation of Probable Primes with Conditions Based on Auxiliary
  * Probable Primes."
  *
@@ -360,10 +370,16 @@ err:
  *     nbits The intended key size in bits.
  *     efixed The public exponent. If NULL a default of 65537 is used.
  *     cb An optional BIGNUM callback.
+ *     a An optional number with a value of 0, 1, 3, 5 or 7 that may be used
+ *       to add the requirement p is congruent to a mod 8. The value is ignored
+ *       if it is zero.
+ *     b An optional number with a value of 0, 1, 3, 5 or 7 that may be used
+ *       to add the requirement q is congruent to b mod 8. The value is ignored
+ *       if it is zero.
  * Returns: 1 if successfully generated otherwise it returns 0.
  */
 int ossl_rsa_sp800_56b_generate_key(RSA *rsa, int nbits, const BIGNUM *efixed,
-                                    BN_GENCB *cb)
+                                    BN_GENCB *cb, uint32_t a, uint32_t b)
 {
     int ret = 0;
     int ok;
@@ -400,7 +416,7 @@ int ossl_rsa_sp800_56b_generate_key(RSA *rsa, int nbits, const BIGNUM *efixed,
 
     for (;;) {
         /* (Step 2) Generate prime factors */
-        if (!ossl_rsa_fips186_4_gen_prob_primes(rsa, info, nbits, e, ctx, cb))
+        if (!ossl_rsa_fips186_5_gen_prob_primes(rsa, info, nbits, e, ctx, cb, a, b))
             goto err;
 
         /* p>q check and skipping in case of acvp test */

diff --git a/doc/man7/EVP_PKEY-RSA.pod b/doc/man7/EVP_PKEY-RSA.pod
index 9c4a615b840195b3424a258123b06916cddac70e..8ba48a42d841ae4e1342e615fac84eb610cff5e2 100644 (file)
--- a/doc/man7/EVP_PKEY-RSA.pod
+++ b/doc/man7/EVP_PKEY-RSA.pod
@@ -13,6 +13,24 @@ the public exponent I<e>, the private exponent I<d>, and a collection of prime
 factors, exponents and coefficient for CRT calculations, of which the first
 few are known as I<p> and I<q>, I<dP> and I<dQ>, and I<qInv>.
 
+RSA key generation uses FIPS 186-5 Section A.1.6 "Generation of Probable
+Primes with Conditions Based on Auxiliary Probable Primes" for the OpenSSL FIPS
+provider. It is also used for the OpenSSL default provider when the generation
+parameters satisfy the following conditions:
+
+=over 4
+
+=item There are 2 "primes" (p, q)
+
+=item The exponent "e" >= 65537 and is odd
+
+=item The cryptographic length "bits" >= 2048
+
+=back
+
+Otherwise the OpenSSL default provider uses an older general multi-prime key
+generator.
+
 =head2 Common RSA parameters
 
 In addition to the common parameters that all keytypes should support (see
@@ -141,6 +159,20 @@ option requires at least OSSL_PARAM_RSA_FACTOR1, OSSL_PARAM_RSA_FACTOR2,
 and OSSL_PARAM_RSA_N to be provided.  This option is ignored if
 OSSL_KEYMGMT_SELECT_PRIVATE_KEY is not set in the selection parameter.
 
+=item "rsa-a" (B<OSSL_PKEY_PARAM_RSA_A>) <unsigned integer>
+
+Setting this value to one of 1, 3, 5 or 7 applies an additional constraint
+requiring that the computed prime p is congruent to this value mod 8. 
+If this value is zero then it is ignored. An error will occur if the value is not
+set to one of the above values.
+
+=item "rsa-b" (B<OSSL_PKEY_PARAM_RSA_B>) <unsigned integer>
+
+Setting this value to one of 1, 3, 5 or 7 applies an additional constraint
+requiring that the computed prime q is congruent to this value mod 8. 
+If this value is zero then it is ignored. An error will occur if the value is not
+set to one of the above values.
+
 =back
 
 =head2 RSA key generation parameters for FIPS module testing
@@ -215,9 +247,9 @@ OpenSSL default provider allows testing of the validity of multi-primes.
 
 =over 4
 
-=item FIPS186-4
+=item FIPS186-5
 
-Section B.3.6  Generation of Probable Primes with Conditions Based on
+Section A.1.6 Generation of Probable Primes with Conditions Based on
 Auxiliary Probable Primes
 
 =item RFC 8017, excluding RSA-PSS and RSA-OAEP
@@ -271,6 +303,10 @@ An B<RSA> key can be generated with key generation parameters:
 
 L<EVP_RSA_gen(3)>, L<EVP_KEYMGMT(3)>, L<EVP_PKEY(3)>, L<provider-keymgmt(7)>
 
+=head1 HISTORY
+
+The RSA key generation parameters "a" and "b" were added in OpenSSL 4.0.
+
 =head1 COPYRIGHT
 
 Copyright 2020-2024 The OpenSSL Project Authors. All Rights Reserved.

diff --git a/include/crypto/bn.h b/include/crypto/bn.h
index 2acdeacfe899e5d2843f4c2cb5b161dd21e8f76b..ee50cd58b0896a47a8e200148929bfd9647da9b2 100644 (file)
--- a/include/crypto/bn.h
+++ b/include/crypto/bn.h
@@ -111,17 +111,17 @@ int ossl_bn_check_generated_prime(const BIGNUM *w, int checks, BN_CTX *ctx,
 
 const BIGNUM *ossl_bn_get0_small_factors(void);
 
-int ossl_bn_rsa_fips186_4_gen_prob_primes(BIGNUM *p, BIGNUM *Xpout,
+int ossl_bn_rsa_fips186_5_gen_prob_primes(BIGNUM *p, BIGNUM *Xpout,
                                           BIGNUM *p1, BIGNUM *p2,
                                           const BIGNUM *Xp, const BIGNUM *Xp1,
                                           const BIGNUM *Xp2, int nlen,
                                           const BIGNUM *e, BN_CTX *ctx,
-                                          BN_GENCB *cb);
+                                          BN_GENCB *cb, uint32_t c);
 
-int ossl_bn_rsa_fips186_4_derive_prime(BIGNUM *Y, BIGNUM *X, const BIGNUM *Xin,
+int ossl_bn_rsa_fips186_5_derive_prime(BIGNUM *Y, BIGNUM *X, const BIGNUM *Xin,
                                        const BIGNUM *r1, const BIGNUM *r2,
                                        int nlen, const BIGNUM *e, BN_CTX *ctx,
-                                       BN_GENCB *cb);
+                                       BN_GENCB *cb, uint32_t c);
 
 OSSL_LIB_CTX *ossl_bn_get_libctx(BN_CTX *ctx);
 

diff --git a/include/crypto/rsa.h b/include/crypto/rsa.h
index 55cc814ce9136c1953e23ccbbed00fc2072c4666..b0d2174bbcd9f04f56e18b0533a780e7be4b357e 100644 (file)
--- a/include/crypto/rsa.h
+++ b/include/crypto/rsa.h
@@ -124,6 +124,10 @@ ASN1_STRING *ossl_rsa_ctx_to_pss_string(EVP_PKEY_CTX *pkctx);
 int ossl_rsa_pss_to_ctx(EVP_MD_CTX *ctx, EVP_PKEY_CTX *pkctx,
                         const X509_ALGOR *sigalg, EVP_PKEY *pkey);
 
+int ossl_rsa_generate_multi_prime_key(RSA *rsa, int bits, int primes,
+                                      BIGNUM *e_value, BN_GENCB *cb,
+                                      uint32_t a, uint32_t b);
+
 # if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS)
 int ossl_rsa_acvp_test_gen_params_new(OSSL_PARAM **dst, const OSSL_PARAM src[]);
 void ossl_rsa_acvp_test_gen_params_free(OSSL_PARAM *dst);

diff --git a/providers/implementations/keymgmt/rsa_kmgmt.c b/providers/implementations/keymgmt/rsa_kmgmt.c
index 0fafcc7872b7ac20e5fb092f4113f280be10d84d..31d65586afd87fec0c2db93ca33bcb8b15370ad3 100644 (file)
--- a/providers/implementations/keymgmt/rsa_kmgmt.c
+++ b/providers/implementations/keymgmt/rsa_kmgmt.c
@@ -439,6 +439,7 @@ struct rsa_gen_ctx {
     /* ACVP test parameters */
     OSSL_PARAM *acvp_test_params;
 #endif
+    uint32_t a, b;
 };
 
 static int rsa_gencb(int p, int n, BN_GENCB *cb)
@@ -526,6 +527,25 @@ static int rsa_gen_set_params(void *genctx, const OSSL_PARAM params[])
     if ((p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_RSA_E)) != NULL
         && !OSSL_PARAM_get_BN(p, &gctx->pub_exp))
         return 0;
+    if ((p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_RSA_A)) != NULL) {
+        if (!OSSL_PARAM_get_uint32(p, &gctx->a))
+            return 0;
+        /* a is an optional value that should be one of (0, 1, 3, 5, 7) */
+        if (gctx->a != 0 && (gctx->a > 7 || (gctx->a & 1) == 0)) {
+            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DATA);
+            return 0;
+        }
+    }
+    if ((p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_RSA_B)) != NULL) {
+        if (!OSSL_PARAM_get_uint32(p, &gctx->b))
+            return 0;
+        /* b is an optional value that should be one of (0, 1, 3, 5, 7) */
+        if (gctx->b != 0 && (gctx->b > 7 || (gctx->b & 1) == 0)) {
+            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DATA);
+            return 0;
+        }
+    }
+
     /* Only attempt to get PSS parameters when generating an RSA-PSS key */
     if (gctx->rsa_type == RSA_FLAG_TYPE_RSASSAPSS
         && !pss_params_fromdata(&gctx->pss_params, &gctx->pss_defaults_set, params,
@@ -542,8 +562,9 @@ static int rsa_gen_set_params(void *genctx, const OSSL_PARAM params[])
 #define rsa_gen_basic                                           \
     OSSL_PARAM_size_t(OSSL_PKEY_PARAM_RSA_BITS, NULL),          \
     OSSL_PARAM_size_t(OSSL_PKEY_PARAM_RSA_PRIMES, NULL),        \
-    OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_E, NULL, 0)
-
+    OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_E, NULL, 0),              \
+    OSSL_PARAM_uint32(OSSL_PKEY_PARAM_RSA_A, NULL),             \
+    OSSL_PARAM_uint32(OSSL_PKEY_PARAM_RSA_B, NULL)
 /*
  * The following must be kept in sync with ossl_rsa_pss_params_30_fromdata()
  * in crypto/rsa/rsa_backend.c
@@ -620,9 +641,10 @@ static void *rsa_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg)
     }
 #endif
 
-    if (!RSA_generate_multi_prime_key(rsa_tmp,
-                                      (int)gctx->nbits, (int)gctx->primes,
-                                      gctx->pub_exp, gencb))
+    if (!ossl_rsa_generate_multi_prime_key(rsa_tmp,
+                                           (int)gctx->nbits, (int)gctx->primes,
+                                           gctx->pub_exp, gencb,
+                                           gctx->a, gctx->b))
         goto err;
 
     if (!ossl_rsa_pss_params_30_copy(ossl_rsa_get0_pss_params_30(rsa_tmp),

diff --git a/test/acvp_test.c b/test/acvp_test.c
index 2c3be0f2e88ebd21fd13e6951ffbf2aefc39cbb0..7d46b7c1789018361ba7b11d1394e955dde5609b 100644 (file)
--- a/test/acvp_test.c
+++ b/test/acvp_test.c
@@ -1329,6 +1329,10 @@ static int rsa_keygen_test(int id)
                                              xq2_bn))
         || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_TEST_XQ,
                                              xq_bn))
+        || !TEST_true(OSSL_PARAM_BLD_push_uint32(bld, OSSL_PKEY_PARAM_RSA_A,
+                                                 tst->a))
+        || !TEST_true(OSSL_PARAM_BLD_push_uint32(bld, OSSL_PKEY_PARAM_RSA_B,
+                                                 tst->b))
         || !TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld)))
         goto err;
 
@@ -1357,14 +1361,14 @@ static int rsa_keygen_test(int id)
                                         &d, &d_len)))
         goto err;
 
-    if (!TEST_mem_eq(tst->p1, tst->p1_len, p1, p1_len)
-        || !TEST_mem_eq(tst->p2, tst->p2_len, p2, p2_len)
+    if ((tst->p1 != NULL && !TEST_mem_eq(tst->p1, tst->p1_len, p1, p1_len))
+        || (tst->p2 != NULL && !TEST_mem_eq(tst->p2, tst->p2_len, p2, p2_len))
+        || (tst->q1 != NULL && !TEST_mem_eq(tst->q1, tst->q1_len, q1, q1_len))
+        || (tst->q2 != NULL && !TEST_mem_eq(tst->q2, tst->q2_len, q2, q2_len))
         || !TEST_mem_eq(tst->p, tst->p_len, p, p_len)
-        || !TEST_mem_eq(tst->q1, tst->q1_len, q1, q1_len)
-        || !TEST_mem_eq(tst->q2, tst->q2_len, q2, q2_len)
         || !TEST_mem_eq(tst->q, tst->q_len, q, q_len)
         || !TEST_mem_eq(tst->n, tst->n_len, n, n_len)
-        || !TEST_mem_eq(tst->d, tst->d_len, d, d_len))
+        || (tst->d != NULL && !TEST_mem_eq(tst->d, tst->d_len, d, d_len)))
         goto err;
 
     test_output_memory("p1", p1, p1_len);

diff --git a/test/acvp_test.inc b/test/acvp_test.inc
index 9ca157743716d3bb4d0eb31f58a2f66f87a87f74..3384742f0afd64d3a17fd940d2a5a3bece05d943 100644 (file)
--- a/test/acvp_test.inc
+++ b/test/acvp_test.inc
@@ -10,6 +10,7 @@
 #define PASS 1
 #define FAIL 0
 #define ITM(x) x, sizeof(x)
+#define ITM_NULL NULL, 0
 
 #ifndef OPENSSL_NO_EC
 
@@ -1193,6 +1194,8 @@ struct rsa_keygen_st {
     size_t n_len;
     const unsigned char *d;
     size_t d_len;
+    uint32_t a;
+    uint32_t b;
 };
 
 static const unsigned char rsa_keygen0_e[] = {
@@ -1318,6 +1321,265 @@ static const unsigned char rsa_keygen0_d[] = {
     0x61
 };
 
+static const unsigned char rsa_keygen1_e[] = {
+    0x6e,0x79,0x10,0x4e,0x3d,0xd3
+};
+static const unsigned char rsa_keygen1_xp1[] = {
+    0x02,0x10,0x31,0x3d,0xac,0x51,0x0e,0x45,
+    0x22,0x0c,0x35,0xa0,0xe4,0xd7,0xc7,0xf0,
+    0xba,0xe7,0xd1,0x17,0x0d,0x35,0xa3,0x84,
+    0x04,0xc2,0xf4,0xf6,0x21,0x34,0xe4,0x73,
+    0x8a,0xd9,0xec,0x50,0xe2,0x3c,0xee,0x60,
+    0x99,0x26,0x9a,0x9b,0x1d,0x68,0xaf,0xb3,
+    0x67,0xc9,0x41,0x46,0xdc,0x26,0xf2,0x6a,
+    0x60,0x14,0x79,0x9b,0xb2,0xa8,0x6c,0xbc,
+    0xa7,0x53,0x08,0x94,0x8a,0x2f,0xba,0xfb,
+    0x2d,0xad,0x3f,
+};
+static const unsigned char rsa_keygen1_xp2[] = {
+    0x48,0x3f,0xbb,0xa5,0xc1,0x8c,0x2c,0xbd,
+    0x15,0x9c,0x3b,0xf7,0x18,0x55,0x48,0xad,
+    0x85,0x68,0x7b,0xf4,0xb6,0x92,0x53,0xc7,
+    0x15,0xa3,0xe7,0xdb,0x12,0xd8,0x3d,0xea,
+    0xf4,0x15,0x88,0xf2,0x81,0x07,0x8f,0x82,
+    0x18,0x65,0xf7,0x98,0x64,0xec,0xbe,0x71,
+    0xa8,0x0c,0x61,0x69,0x9c,0x19,
+};
+static const unsigned char rsa_keygen1_xp[] = {
+    0xdf,0x44,0xca,0x63,0x57,0xd3,0xb5,0x67,
+    0x46,0xa5,0x52,0x99,0xfa,0xa7,0x9e,0x20,
+    0x1c,0x45,0xcc,0x38,0x61,0xb2,0xb4,0x92,
+    0xca,0xaa,0x6c,0x0e,0x4e,0x59,0x26,0x12,
+    0xfd,0x41,0x84,0xcb,0x81,0xfe,0xf8,0xf5,
+    0x0f,0xac,0x41,0xf4,0xca,0xbc,0xab,0x97,
+    0x86,0xd5,0x55,0x60,0xed,0x8e,0x1a,0x76,
+    0x7e,0x22,0xfd,0xea,0x64,0xb1,0x03,0x9a,
+    0x7e,0xd7,0x4c,0xdd,0xfe,0x06,0x00,0xfb,
+    0x2c,0x1a,0x0a,0xd7,0xb4,0xcf,0x97,0xd0,
+    0x11,0x96,0xfc,0x38,0x6d,0xc0,0xfa,0x5a,
+    0xe1,0xc7,0xda,0x9b,0x21,0xac,0x95,0x08,
+    0x38,0xbd,0x3f,0xf6,0x18,0xcf,0x2e,0x92,
+    0xd2,0x2e,0x9e,0xa1,0xf4,0x2e,0xb1,0x72,
+    0x3c,0x98,0xf6,0x7c,0x0e,0xbc,0x70,0x71,
+    0xf4,0x50,0x0d,0x89,0x9e,0x2a,0x7a,0x5f,
+    0xf4,0x6a,0xfd,0x44,0x11,0xa8,0xcc,0x29,
+    0x47,0x9e,0x95,0x9c,0x68,0x87,0xba,0x15,
+    0xff,0x8f,0xec,0x60,0x1a,0xe1,0xbb,0x75,
+    0x2d,0x9f,0x31,0x65,0xb3,0x18,0xb8,0xc4,
+    0x74,0xbc,0xf9,0x40,0x41,0xd8,0x85,0x88,
+    0x3f,0x54,0x84,0x30,0xee,0x66,0x31,0xc7,
+    0xed,0x52,0x55,0xcf,0xb1,0x46,0xe1,0x98,
+    0x4e,0x95,0x95,0xc9,0xfc,0x74,0xd8,0x3a,
+    0x1e,0x65,0xba,0x6f,0x69,0x6a,0x96,0x87,
+    0xd3,0x7d,0x51,0x42,0xf9,0x6b,0x0d,0x5a,
+    0x2a,0x51,0x60,0x0f,0x4e,0x8a,0x1e,0xf3,
+    0x47,0xe1,0xc9,0x0d,0xcd,0xbd,0x4a,0x55,
+    0x38,0x1b,0xd5,0xcd,0xad,0xeb,0x31,0x11,
+    0x0c,0xeb,0xe5,0xac,0x26,0xac,0xe3,0x45,
+    0x52,0xfe,0x23,0xd2,0x68,0xd3,0x89,0x9f,
+    0x41,0xae,0x5d,0x76,0x64,0x38,0xde,0x08,
+};
+static const unsigned char rsa_keygen1_xq1[] = {
+    0x00,0xc7,0xf2,0x3d,0xa5,0xa7,0x51,0xb0,
+    0xcc,0x3b,0x73,0xd1,0x9d,0x71,0x9d,0x4e,
+    0x43,0xad,0x77,0xf9,0xdc,0xcb,0x32,0x9f,
+    0x4b,0x8f,0xf5,0x36,0x99,0x54,0x09,0x1e,
+    0xe3,0xa0,0x29,0xc6,0x6d,0x55,0x21,0x9e,
+    0x96,0xec,0xdf,0xad,0x08,0x5d,0x7a,0xef,
+    0x03,0xe2,0x35,0x9f,0xd0,0x77,0xdd,0xaa,
+    0x8d,0x60,0x92,0xc7,0x46,0xe8,0x9d,0xab,
+    0xe9,0x7c,0x2f,0x18,0x60,0xa1,0x31,0x79,
+    0x4d,0x48,0x71,0xb9,0x76,0xbf,0xff,0xde,
+    0x56,0x3b,0x1f,0x36,0x00,0xf3,0x9b,0x12,
+    0xb8,0x8a,0x68,0x9f,0xce,0x6e,0xe7,0x08,
+    0xa5,0x55,0x6d,0x08,0x3b,0xd1,0x2b,0x23,
+    0x19,0x35,0x93,0x6c,0x89,0x95,0x35,0xf6,
+    0xff,0x60,0x36,0x2e,0xf0,0x42,0x01,0x57,
+    0x84,0x6a,0xe9,0x8c,0xc5,0x4a,0xae,0xe0,
+    0xb5,0xfa,0x4f,0xab,0xb5,0xff,0x3f,0x8d,
+    0x6a,0x10,0x79,0x01,0x4a,0x1f,0x7c,0xa2,
+    0x16,0x2d,0xea,0x7c,0x4f,0x9c,0x02,0xf5,
+};
+static const unsigned char rsa_keygen1_xq2[] = {
+    0x17,0x70,0xca,0x10,0xbc,0x02,0x01,0xac,
+    0xe7,0x60,0x58,0xc8,0x06,0x82,0x3a,0xc9,
+    0x9e,0xd2,0x2b,0x32,0x81,0xb4,0xa1,0xb7,
+    0xc0,0x0a,0xc0,0xb2,0x77,0xd1,0x05,0x62,
+    0x17,0xc5,0x65,0x9f,0x49,0x6a,0xac,0x0e,
+    0xe9,0x4d,0xe5,0xe8,0x88,0xcd,0xab,0x11,
+    0x02,0xb8,0x28,0x1f,0x11,0x73,0x26,0x9d,
+    0x0f,0x14,0x7b,0x69,0x11,0xeb,0xf9,0xcc,
+    0x49,0xe1,0x96,0xb1,0x94,0x3c,0x81,
+};
+static const unsigned char rsa_keygen1_xq[] = {
+    0xd7,0x4b,0x7b,0x53,0x8c,0x07,0x03,0x4a,
+    0x7c,0xa1,0x09,0x46,0xe4,0x15,0x3e,0x3a,
+    0x22,0x81,0x29,0xf8,0xea,0x35,0xd7,0xcb,
+    0x9d,0x97,0x92,0xe4,0x7b,0x65,0x86,0xac,
+    0x5a,0xf1,0xb8,0x83,0xb0,0x3c,0xfc,0xa9,
+    0x69,0x9b,0x82,0x31,0xa9,0x21,0x09,0xe1,
+    0xfa,0xdd,0x43,0x63,0x4a,0x26,0xf4,0xa3,
+    0x3e,0x03,0x2c,0x21,0x4b,0x59,0xd8,0x0f,
+    0xb7,0x6b,0x60,0x23,0xb6,0x19,0x23,0xee,
+    0x6a,0xd6,0x65,0x39,0x64,0xb1,0xaf,0xd0,
+    0x36,0xa6,0x7b,0x39,0xef,0x5b,0x27,0xca,
+    0xd7,0xb3,0xa6,0xec,0x54,0xee,0x03,0xbd,
+    0x8a,0xab,0x5e,0xec,0x7e,0x51,0x86,0x85,
+    0xdb,0x9e,0x3c,0x2b,0xfc,0xfd,0xc8,0xfe,
+    0x6d,0xf8,0x6f,0xd3,0x6b,0xe1,0xd4,0xcb,
+    0x7d,0xc7,0xd6,0x98,0xa4,0x54,0xdf,0x3b,
+    0x39,0xcd,0x2f,0x0a,0x7e,0xf1,0x2c,0xc7,
+    0xac,0x79,0xbb,0x81,0x5a,0x3f,0xa2,0xd3,
+    0xfb,0x63,0x68,0xf6,0x37,0x96,0xd3,0xf8,
+    0xe1,0x2b,0x71,0x2b,0xd1,0xd6,0x86,0xf3,
+    0xc9,0x4c,0x3a,0x31,0xd0,0xea,0xe3,0x36,
+    0x35,0xea,0x8f,0xa4,0x97,0x80,0x17,0x90,
+    0x2a,0x3b,0x22,0xa4,0x0b,0xff,0x4b,0x1f,
+    0xa2,0x57,0x6e,0x96,0xf3,0xcb,0x0b,0xab,
+    0x6e,0x33,0xb8,0x45,0xea,0x90,0x3c,0x4f,
+    0x7b,0x53,0xa0,0xc9,0x36,0xd6,0x52,0xe8,
+    0x83,0x88,0x7b,0x62,0x7d,0xa9,0x1c,0x46,
+    0xac,0xa4,0xdf,0x43,0xa8,0xc3,0xce,0x9a,
+    0x55,0x64,0xb4,0xbc,0x54,0x28,0x32,0x6a,
+    0x47,0xe7,0xd9,0x03,0x33,0x7d,0x2d,0xb0,
+    0x4b,0xb0,0xf6,0x4f,0x04,0x23,0x43,0xce,
+    0xff,0x50,0x71,0xf7,0xe3,0x1a,0xa1,0xa4,
+};
+static const unsigned char rsa_keygen1_p[] = {
+    0xdf,0x44,0xca,0x63,0x57,0xd3,0xb5,0x67,
+    0x46,0xa5,0x52,0x99,0xfa,0xa7,0x9e,0x20,
+    0x1c,0x45,0xcc,0x38,0x61,0xb2,0xb4,0x92,
+    0xca,0xaa,0x6c,0x0e,0x4e,0x59,0x26,0x12,
+    0xfd,0x41,0x84,0xcb,0x81,0xfe,0xf8,0xf5,
+    0x0f,0xac,0x41,0xf4,0xca,0xbc,0xab,0x97,
+    0x86,0xd5,0x55,0x60,0xed,0x8e,0x1a,0x76,
+    0x7e,0x22,0xfd,0xea,0x64,0xb1,0x03,0x9a,
+    0x7e,0xd7,0x4c,0xdd,0xfe,0x06,0x00,0xfb,
+    0x2c,0x1a,0x0a,0xd7,0xb4,0xcf,0x97,0xd0,
+    0x11,0x96,0xfc,0x38,0x6d,0xc0,0xfa,0x5a,
+    0xe1,0xc7,0xda,0x9b,0x21,0xac,0x95,0x08,
+    0x38,0xbd,0x3f,0xf6,0x18,0xcf,0x2e,0x92,
+    0xd2,0x2e,0x9e,0xa1,0xf4,0x2e,0xb1,0x72,
+    0x3c,0x98,0xf6,0x7c,0x0e,0xbc,0x70,0x71,
+    0xf4,0x50,0x0d,0x89,0x9e,0x2a,0x7c,0x93,
+    0x72,0x90,0x53,0xe0,0x35,0xd6,0x0b,0x36,
+    0x9a,0xe2,0x3b,0x09,0xf7,0x06,0xb7,0x36,
+    0x1b,0x44,0x18,0x7c,0x6d,0xdb,0xda,0x76,
+    0xb1,0x05,0x69,0xc9,0x39,0xf6,0x69,0xc5,
+    0x28,0x22,0xbc,0x6e,0xef,0x4e,0x9c,0x6c,
+    0x78,0x28,0xe9,0xfa,0x9d,0xfb,0x91,0x56,
+    0x10,0x95,0x49,0xa3,0x07,0x1d,0xb9,0xff,
+    0xe9,0x7e,0x03,0x59,0x64,0x6d,0x39,0x0b,
+    0x3d,0xdb,0xef,0xd0,0xc2,0x62,0x84,0x82,
+    0xac,0xb8,0x98,0x2a,0xb5,0xe7,0x93,0x9c,
+    0x7e,0x90,0xfd,0xea,0x88,0x4e,0xab,0x1d,
+    0xf5,0x36,0x1d,0x23,0x40,0x89,0xa2,0x47,
+    0x28,0x50,0x94,0xf1,0xff,0xa1,0xce,0xcc,
+    0x0b,0xdb,0xfa,0x88,0x9d,0xdc,0x6a,0xcb,
+    0x1d,0x4d,0xd5,0x94,0x21,0x84,0x8c,0xb7,
+    0xac,0x82,0x56,0xa5,0xde,0x1d,0x85,0x6b,
+};
+static const unsigned char rsa_keygen1_q[] = {
+    0xd7,0x4b,0x7b,0x53,0x8c,0x07,0x03,0x4a,
+    0x7c,0xa1,0x09,0x46,0xe4,0x15,0x3e,0x3a,
+    0x22,0x81,0x29,0xf8,0xea,0x35,0xd7,0xcb,
+    0x9d,0x97,0x92,0xe4,0x7b,0x65,0x86,0xac,
+    0x5d,0x89,0x0d,0xf3,0x4d,0xcc,0x69,0x74,
+    0x96,0xb2,0x07,0x71,0x2e,0xb9,0xde,0x66,
+    0x15,0x21,0x01,0xcc,0xde,0x74,0xfb,0xe6,
+    0x3e,0xd2,0x29,0x0b,0xd1,0xba,0x59,0x7e,
+    0xb0,0xb0,0x09,0x67,0xe7,0xd9,0xfc,0x80,
+    0x19,0x76,0x21,0x3d,0xc4,0x14,0xe3,0xfc,
+    0xa4,0x44,0xf0,0x8c,0xbe,0x06,0x0c,0x75,
+    0x5e,0xd0,0x77,0x08,0x90,0x93,0x5d,0x5f,
+    0x47,0x99,0x4f,0x8f,0xf8,0xba,0x5d,0xde,
+    0x32,0x4f,0xa9,0x4c,0xf4,0x29,0x84,0x6d,
+    0xed,0x60,0xfe,0x74,0xf7,0xbb,0x04,0xfc,
+    0x1f,0xa8,0x86,0x5d,0x56,0x14,0x11,0xc3,
+    0xe2,0xef,0x3b,0x30,0x6b,0x81,0xe5,0x5f,
+    0xa1,0x6b,0xd2,0x55,0x03,0xce,0xa7,0xbc,
+    0x3a,0xaf,0xe6,0xa2,0xa0,0x94,0xb5,0x3d,
+    0xf5,0x1c,0x40,0xd5,0xd4,0x18,0x4b,0xfa,
+    0xc0,0xf4,0x2f,0x8b,0xa0,0x79,0x3a,0x91,
+    0x0a,0x32,0xd4,0xa4,0xf3,0x8d,0x13,0xa7,
+    0x20,0x8e,0x06,0x43,0xc3,0xaf,0xca,0xa8,
+    0xee,0xd2,0xc5,0x2a,0xef,0x69,0xc1,0xef,
+    0x95,0x16,0xb4,0x3b,0x18,0x8e,0x19,0xba,
+    0xf8,0xc1,0x6f,0x5c,0xa0,0xdb,0xdd,0x5a,
+    0xe9,0x97,0x3b,0xf4,0x84,0x27,0x51,0xa7,
+    0x56,0x44,0xe3,0x68,0x10,0xb2,0x88,0x0b,
+    0xff,0x03,0x4a,0x91,0x7f,0x52,0x18,0x65,
+    0x78,0x1a,0x2b,0x09,0xa5,0xba,0x3d,0x60,
+    0xf4,0x5b,0x99,0x7c,0xb8,0x7b,0xfc,0xf7,
+    0x18,0x2e,0x03,0x3d,0x2c,0x98,0xc4,0x8d,
+};
+static const unsigned char rsa_keygen1_n[] = {
+    0xbb,0xc4,0x9a,0xaf,0xa4,0x88,0x9e,0x36,
+    0xb5,0x15,0x97,0x5b,0xcf,0x8e,0x5e,0x10,
+    0xee,0x03,0xff,0x06,0x2a,0xa8,0x32,0x83,
+    0xb2,0x72,0x4f,0x1d,0xe4,0x23,0x05,0xa2,
+    0x2c,0x4e,0xc9,0xb3,0xd5,0x60,0x8f,0x49,
+    0x8b,0xbf,0x8d,0x4a,0x9c,0x99,0x5b,0xbf,
+    0xce,0x2b,0xd1,0x24,0x60,0x9c,0x52,0x7c,
+    0xbc,0xd6,0x4c,0x78,0x7c,0x4a,0x26,0xe4,
+    0x17,0xf9,0x2f,0xeb,0x20,0x0a,0x8c,0x69,
+    0x0a,0xd1,0x93,0x9a,0xc3,0xf5,0x2e,0xf5,
+    0x50,0x90,0xcc,0xe4,0xec,0x87,0xb1,0x2f,
+    0x34,0x9a,0x6d,0x2b,0x4b,0x73,0x41,0x12,
+    0xe6,0x1d,0x26,0x80,0xf9,0x5e,0x71,0x70,
+    0xaa,0xa1,0x25,0x6c,0x61,0xcd,0x91,0xb2,
+    0x47,0x66,0x79,0x1f,0x90,0x4c,0x2e,0x56,
+    0x2c,0x5f,0xe0,0x50,0xe5,0x89,0x52,0xe9,
+    0xe6,0x17,0xfa,0xab,0x7e,0x67,0xa1,0x67,
+    0x16,0x1b,0xee,0x18,0xd6,0xd0,0x0a,0xec,
+    0xf6,0x9b,0x5d,0x6f,0xe1,0x2e,0xad,0x1a,
+    0x09,0x14,0xab,0xd5,0x78,0x52,0x00,0x74,
+    0xec,0x66,0xbb,0x49,0xad,0xcb,0xd0,0x77,
+    0xe2,0x3e,0x45,0x4f,0x89,0xf4,0x04,0x47,
+    0x5b,0xe2,0xc5,0xd2,0x3e,0xaf,0x65,0x8e,
+    0x0c,0xfc,0x80,0x6d,0x71,0xab,0x3d,0x81,
+    0x6f,0xfe,0xce,0x9d,0xa3,0x40,0x24,0x18,
+    0x15,0x2b,0x7f,0xd5,0xfe,0xe0,0x09,0xe3,
+    0xbb,0xb8,0xf4,0x5b,0x8a,0x5f,0x37,0xeb,
+    0x33,0xff,0x07,0x4b,0x4b,0x0d,0xcf,0x6d,
+    0x2b,0x56,0xf1,0xa3,0x25,0xd7,0x4c,0xfa,
+    0x64,0x77,0x2c,0x54,0x76,0xa2,0xdc,0x56,
+    0x81,0x0a,0xc1,0x0f,0xc7,0x6f,0xf6,0xe4,
+    0xe7,0x12,0xb0,0x24,0x33,0x77,0x26,0x6c,
+    0x84,0x2a,0xe4,0x4e,0x73,0x8b,0xe6,0xaf,
+    0x6e,0x39,0x6f,0x6e,0x4c,0xb1,0x24,0x6d,
+    0x4c,0x55,0x67,0xaf,0x37,0xf8,0x65,0x0a,
+    0x68,0x27,0x01,0xb0,0x59,0x8d,0xc9,0x30,
+    0x21,0x3b,0x5d,0x03,0x4e,0xbe,0x1d,0xae,
+    0xa5,0xd1,0x07,0x61,0xa9,0x3c,0xe9,0x79,
+    0x34,0xb1,0x6c,0x3a,0x95,0xd6,0x64,0xa0,
+    0xc7,0x58,0xe6,0x3c,0x19,0x67,0x12,0x63,
+    0x63,0x9e,0xe8,0x1d,0x80,0xba,0xc6,0x57,
+    0x4c,0x90,0x06,0xb3,0xe5,0x4f,0xfe,0xf6,
+    0x7c,0x68,0x4e,0x3e,0xd8,0x4c,0x8c,0x19,
+    0xab,0x36,0x50,0x07,0x40,0xff,0x78,0x90,
+    0x33,0xd8,0x1c,0xe4,0x29,0xcb,0x50,0x79,
+    0xa6,0xa2,0x62,0xaa,0x4b,0x7c,0x7e,0x8a,
+    0x6c,0xe3,0x9b,0xf3,0x0a,0x85,0xb7,0xe7,
+    0x5d,0xef,0x0f,0x26,0x6c,0x6e,0xb8,0xb2,
+    0xd6,0xc8,0xf0,0x78,0x55,0x15,0xf5,0xc6,
+    0x50,0x4d,0xef,0x75,0x3c,0xe8,0xb2,0x17,
+    0x08,0x70,0x6b,0xc5,0x05,0x14,0xa6,0x00,
+    0x83,0x95,0x03,0x6c,0xe2,0x49,0xfd,0x51,
+    0x6c,0xc4,0xea,0xc4,0xce,0x4e,0x33,0xbf,
+    0x37,0x3d,0xe8,0x8d,0x0c,0x3c,0x49,0xf7,
+    0x06,0xca,0x77,0x09,0x12,0x4f,0x5e,0xdb,
+    0xd0,0xad,0x40,0xf0,0x36,0x54,0xc3,0x5b,
+    0x39,0x37,0xca,0x80,0x96,0x86,0x62,0xb8,
+    0x1a,0x8b,0xc1,0x60,0xaf,0xf8,0xbe,0xc5,
+    0x04,0xcd,0x2d,0xb6,0x38,0x8c,0x95,0x15,
+    0x35,0xf0,0x74,0xae,0x89,0x9f,0x90,0x95,
+    0x28,0x04,0x25,0xbc,0xac,0x23,0x64,0x54,
+    0x38,0x5f,0x6c,0x25,0x34,0x72,0x0b,0xbc,
+    0x48,0xfa,0x05,0x0e,0x31,0x60,0x48,0xb3,
+    0x09,0x9c,0xb7,0x5e,0x8b,0xf0,0x67,0xef,
+};
+
 static const struct rsa_keygen_st rsa_keygen_data[] = {
     {
         2048,
@@ -1339,6 +1601,25 @@ static const struct rsa_keygen_st rsa_keygen_data[] = {
         ITM(rsa_keygen0_n),
         ITM(rsa_keygen0_d),
     },
+    {
+        4096,
+        ITM(rsa_keygen1_e),
+        ITM(rsa_keygen1_xp1),
+        ITM(rsa_keygen1_xp2),
+        ITM(rsa_keygen1_xp),
+        ITM(rsa_keygen1_xq1),
+        ITM(rsa_keygen1_xq2),
+        ITM(rsa_keygen1_xq),
+        ITM_NULL,
+        ITM_NULL,
+        ITM_NULL,
+        ITM_NULL,
+        ITM(rsa_keygen1_p),
+        ITM(rsa_keygen1_q),
+        ITM(rsa_keygen1_n),
+        ITM_NULL,
+        3, 5
+    }
 };
 
 #define NO_PSS_SALT_LEN -1

diff --git a/test/rsa_sp800_56b_test.c b/test/rsa_sp800_56b_test.c
index f009bf61724ef4d23f0ac3e054ee5982ec7b6a79..0efebb389ed5f7abf912861b73df149c4b0e3bbb 100644 (file)
--- a/test/rsa_sp800_56b_test.c
+++ b/test/rsa_sp800_56b_test.c
@@ -491,7 +491,7 @@ static int test_sp80056b_keygen(int id)
     int sz = keygen_size[id];
 
     ret = TEST_ptr(key = RSA_new())
-          && TEST_true(ossl_rsa_sp800_56b_generate_key(key, sz, NULL, NULL))
+          && TEST_true(ossl_rsa_sp800_56b_generate_key(key, sz, NULL, NULL, 0, 0))
           && TEST_true(ossl_rsa_sp800_56b_check_public(key))
           && TEST_true(ossl_rsa_sp800_56b_check_private(key))
           && TEST_true(ossl_rsa_sp800_56b_check_keypair(key, NULL, -1, sz));

diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm
index b9c53b0047fd961d438b05943ecbd1c2b2daf1cd..eed78467df3a1e532b2a88af744e1982f6f70df1 100644 (file)
--- a/util/perl/OpenSSL/paramnames.pm
+++ b/util/perl/OpenSSL/paramnames.pm
@@ -421,6 +421,8 @@ my %params = (
     'OSSL_PKEY_PARAM_RSA_MGF1_DIGEST' =>      '*OSSL_PKEY_PARAM_MGF1_DIGEST',
     'OSSL_PKEY_PARAM_RSA_PSS_SALTLEN' =>      "saltlen",
     'OSSL_PKEY_PARAM_RSA_DERIVE_FROM_PQ'    =>     "rsa-derive-from-pq",
+    'OSSL_PKEY_PARAM_RSA_A' =>                "rsa-a",
+    'OSSL_PKEY_PARAM_RSA_B' =>                "rsa-b",
 
 # EC, X25519 and X448 Key generation parameters
     'OSSL_PKEY_PARAM_DHKEM_IKM' =>        "dhkem-ikm",