| 1 | /* |
|---|---|
| 2 | * Copyright 1999-2017 The OpenSSL Project Authors. All Rights Reserved. |
| 3 | * |
| 4 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
| 5 | * this file except in compliance with the License. You can obtain a copy |
| 6 | * in the file LICENSE in the source distribution or at |
| 7 | * https://www.openssl.org/source/license.html |
| 8 | */ |
| 9 | |
| 10 | #include <openssl/bn.h> |
| 11 | #include <openssl/err.h> |
| 12 | #include "rsa_local.h" |
| 13 | |
| 14 | int RSA_check_key(const RSA *key) |
| 15 | { |
| 16 | return RSA_check_key_ex(key, NULL); |
| 17 | } |
| 18 | |
| 19 | /* |
| 20 | * NOTE: Key validation requires separate checks to be able to be accessed |
| 21 | * individually. These should be visible from the PKEY API.. |
| 22 | * See rsa_sp800_56b_check_public, rsa_sp800_56b_check_private and |
| 23 | * rsa_sp800_56b_check_keypair. |
| 24 | */ |
| 25 | int RSA_check_key_ex(const RSA *key, BN_GENCB *cb) |
| 26 | { |
| 27 | #ifdef FIPS_MODE |
| 28 | return rsa_sp800_56b_check_public(key) |
| 29 | && rsa_sp800_56b_check_private(key) |
| 30 | && rsa_sp800_56b_check_keypair(key, NULL, -1, RSA_bits(key)); |
| 31 | #else |
| 32 | BIGNUM *i, *j, *k, *l, *m; |
| 33 | BN_CTX *ctx; |
| 34 | int ret = 1, ex_primes = 0, idx; |
| 35 | RSA_PRIME_INFO *pinfo; |
| 36 | |
| 37 | if (key->p == NULL || key->q == NULL || key->n == NULL |
| 38 | || key->e == NULL || key->d == NULL) { |
| 39 | RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_VALUE_MISSING); |
| 40 | return 0; |
| 41 | } |
| 42 | |
| 43 | /* multi-prime? */ |
| 44 | if (key->version == RSA_ASN1_VERSION_MULTI) { |
| 45 | ex_primes = sk_RSA_PRIME_INFO_num(key->prime_infos); |
| 46 | if (ex_primes <= 0 |
| 47 | || (ex_primes + 2) > rsa_multip_cap(BN_num_bits(key->n))) { |
| 48 | RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_INVALID_MULTI_PRIME_KEY); |
| 49 | return 0; |
| 50 | } |
| 51 | } |
| 52 | |
| 53 | i = BN_new(); |
| 54 | j = BN_new(); |
| 55 | k = BN_new(); |
| 56 | l = BN_new(); |
| 57 | m = BN_new(); |
| 58 | ctx = BN_CTX_new(); |
| 59 | if (i == NULL || j == NULL || k == NULL || l == NULL |
| 60 | || m == NULL || ctx == NULL) { |
| 61 | ret = -1; |
| 62 | RSAerr(RSA_F_RSA_CHECK_KEY_EX, ERR_R_MALLOC_FAILURE); |
| 63 | goto err; |
| 64 | } |
| 65 | |
| 66 | if (BN_is_one(key->e)) { |
| 67 | ret = 0; |
| 68 | RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_BAD_E_VALUE); |
| 69 | } |
| 70 | if (!BN_is_odd(key->e)) { |
| 71 | ret = 0; |
| 72 | RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_BAD_E_VALUE); |
| 73 | } |
| 74 | |
| 75 | /* p prime? */ |
| 76 | if (BN_check_prime(key->p, NULL, cb) != 1) { |
| 77 | ret = 0; |
| 78 | RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_P_NOT_PRIME); |
| 79 | } |
| 80 | |
| 81 | /* q prime? */ |
| 82 | if (BN_check_prime(key->q, NULL, cb) != 1) { |
| 83 | ret = 0; |
| 84 | RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_Q_NOT_PRIME); |
| 85 | } |
| 86 | |
| 87 | /* r_i prime? */ |
| 88 | for (idx = 0; idx < ex_primes; idx++) { |
| 89 | pinfo = sk_RSA_PRIME_INFO_value(key->prime_infos, idx); |
| 90 | if (BN_check_prime(pinfo->r, NULL, cb) != 1) { |
| 91 | ret = 0; |
| 92 | RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_MP_R_NOT_PRIME); |
| 93 | } |
| 94 | } |
| 95 | |
| 96 | /* n = p*q * r_3...r_i? */ |
| 97 | if (!BN_mul(i, key->p, key->q, ctx)) { |
| 98 | ret = -1; |
| 99 | goto err; |
| 100 | } |
| 101 | for (idx = 0; idx < ex_primes; idx++) { |
| 102 | pinfo = sk_RSA_PRIME_INFO_value(key->prime_infos, idx); |
| 103 | if (!BN_mul(i, i, pinfo->r, ctx)) { |
| 104 | ret = -1; |
| 105 | goto err; |
| 106 | } |
| 107 | } |
| 108 | if (BN_cmp(i, key->n) != 0) { |
| 109 | ret = 0; |
| 110 | if (ex_primes) |
| 111 | RSAerr(RSA_F_RSA_CHECK_KEY_EX, |
| 112 | RSA_R_N_DOES_NOT_EQUAL_PRODUCT_OF_PRIMES); |
| 113 | else |
| 114 | RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_N_DOES_NOT_EQUAL_P_Q); |
| 115 | } |
| 116 | |
| 117 | /* d*e = 1 mod \lambda(n)? */ |
| 118 | if (!BN_sub(i, key->p, BN_value_one())) { |
| 119 | ret = -1; |
| 120 | goto err; |
| 121 | } |
| 122 | if (!BN_sub(j, key->q, BN_value_one())) { |
| 123 | ret = -1; |
| 124 | goto err; |
| 125 | } |
| 126 | |
| 127 | /* now compute k = \lambda(n) = LCM(i, j, r_3 - 1...) */ |
| 128 | if (!BN_mul(l, i, j, ctx)) { |
| 129 | ret = -1; |
| 130 | goto err; |
| 131 | } |
| 132 | if (!BN_gcd(m, i, j, ctx)) { |
| 133 | ret = -1; |
| 134 | goto err; |
| 135 | } |
| 136 | for (idx = 0; idx < ex_primes; idx++) { |
| 137 | pinfo = sk_RSA_PRIME_INFO_value(key->prime_infos, idx); |
| 138 | if (!BN_sub(k, pinfo->r, BN_value_one())) { |
| 139 | ret = -1; |
| 140 | goto err; |
| 141 | } |
| 142 | if (!BN_mul(l, l, k, ctx)) { |
| 143 | ret = -1; |
| 144 | goto err; |
| 145 | } |
| 146 | if (!BN_gcd(m, m, k, ctx)) { |
| 147 | ret = -1; |
| 148 | goto err; |
| 149 | } |
| 150 | } |
| 151 | if (!BN_div(k, NULL, l, m, ctx)) { /* remainder is 0 */ |
| 152 | ret = -1; |
| 153 | goto err; |
| 154 | } |
| 155 | if (!BN_mod_mul(i, key->d, key->e, k, ctx)) { |
| 156 | ret = -1; |
| 157 | goto err; |
| 158 | } |
| 159 | |
| 160 | if (!BN_is_one(i)) { |
| 161 | ret = 0; |
| 162 | RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_D_E_NOT_CONGRUENT_TO_1); |
| 163 | } |
| 164 | |
| 165 | if (key->dmp1 != NULL && key->dmq1 != NULL && key->iqmp != NULL) { |
| 166 | /* dmp1 = d mod (p-1)? */ |
| 167 | if (!BN_sub(i, key->p, BN_value_one())) { |
| 168 | ret = -1; |
| 169 | goto err; |
| 170 | } |
| 171 | if (!BN_mod(j, key->d, i, ctx)) { |
| 172 | ret = -1; |
| 173 | goto err; |
| 174 | } |
| 175 | if (BN_cmp(j, key->dmp1) != 0) { |
| 176 | ret = 0; |
| 177 | RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_DMP1_NOT_CONGRUENT_TO_D); |
| 178 | } |
| 179 | |
| 180 | /* dmq1 = d mod (q-1)? */ |
| 181 | if (!BN_sub(i, key->q, BN_value_one())) { |
| 182 | ret = -1; |
| 183 | goto err; |
| 184 | } |
| 185 | if (!BN_mod(j, key->d, i, ctx)) { |
| 186 | ret = -1; |
| 187 | goto err; |
| 188 | } |
| 189 | if (BN_cmp(j, key->dmq1) != 0) { |
| 190 | ret = 0; |
| 191 | RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_DMQ1_NOT_CONGRUENT_TO_D); |
| 192 | } |
| 193 | |
| 194 | /* iqmp = q^-1 mod p? */ |
| 195 | if (!BN_mod_inverse(i, key->q, key->p, ctx)) { |
| 196 | ret = -1; |
| 197 | goto err; |
| 198 | } |
| 199 | if (BN_cmp(i, key->iqmp) != 0) { |
| 200 | ret = 0; |
| 201 | RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_IQMP_NOT_INVERSE_OF_Q); |
| 202 | } |
| 203 | } |
| 204 | |
| 205 | for (idx = 0; idx < ex_primes; idx++) { |
| 206 | pinfo = sk_RSA_PRIME_INFO_value(key->prime_infos, idx); |
| 207 | /* d_i = d mod (r_i - 1)? */ |
| 208 | if (!BN_sub(i, pinfo->r, BN_value_one())) { |
| 209 | ret = -1; |
| 210 | goto err; |
| 211 | } |
| 212 | if (!BN_mod(j, key->d, i, ctx)) { |
| 213 | ret = -1; |
| 214 | goto err; |
| 215 | } |
| 216 | if (BN_cmp(j, pinfo->d) != 0) { |
| 217 | ret = 0; |
| 218 | RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_MP_EXPONENT_NOT_CONGRUENT_TO_D); |
| 219 | } |
| 220 | /* t_i = R_i ^ -1 mod r_i ? */ |
| 221 | if (!BN_mod_inverse(i, pinfo->pp, pinfo->r, ctx)) { |
| 222 | ret = -1; |
| 223 | goto err; |
| 224 | } |
| 225 | if (BN_cmp(i, pinfo->t) != 0) { |
| 226 | ret = 0; |
| 227 | RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_MP_COEFFICIENT_NOT_INVERSE_OF_R); |
| 228 | } |
| 229 | } |
| 230 | |
| 231 | err: |
| 232 | BN_free(i); |
| 233 | BN_free(j); |
| 234 | BN_free(k); |
| 235 | BN_free(l); |
| 236 | BN_free(m); |
| 237 | BN_CTX_free(ctx); |
| 238 | return ret; |
| 239 | #endif /* FIPS_MODE */ |
| 240 | } |
| 241 |
Generated on 2020-Jan-04 from project ClickHouse revision 19.17.6
Powered by 
Code Browser 2.1
Generator usage only permitted with license.