1 | /* |
2 | * Copyright 1999-2017 The OpenSSL Project Authors. All Rights Reserved. |
3 | * |
4 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
5 | * this file except in compliance with the License. You can obtain a copy |
6 | * in the file LICENSE in the source distribution or at |
7 | * https://www.openssl.org/source/license.html |
8 | */ |
9 | |
10 | #include <openssl/bn.h> |
11 | #include <openssl/err.h> |
12 | #include "rsa_local.h" |
13 | |
14 | int RSA_check_key(const RSA *key) |
15 | { |
16 | return RSA_check_key_ex(key, NULL); |
17 | } |
18 | |
19 | /* |
20 | * NOTE: Key validation requires separate checks to be able to be accessed |
21 | * individually. These should be visible from the PKEY API.. |
22 | * See rsa_sp800_56b_check_public, rsa_sp800_56b_check_private and |
23 | * rsa_sp800_56b_check_keypair. |
24 | */ |
25 | int RSA_check_key_ex(const RSA *key, BN_GENCB *cb) |
26 | { |
27 | #ifdef FIPS_MODE |
28 | return rsa_sp800_56b_check_public(key) |
29 | && rsa_sp800_56b_check_private(key) |
30 | && rsa_sp800_56b_check_keypair(key, NULL, -1, RSA_bits(key)); |
31 | #else |
32 | BIGNUM *i, *j, *k, *l, *m; |
33 | BN_CTX *ctx; |
34 | int ret = 1, ex_primes = 0, idx; |
35 | RSA_PRIME_INFO *pinfo; |
36 | |
37 | if (key->p == NULL || key->q == NULL || key->n == NULL |
38 | || key->e == NULL || key->d == NULL) { |
39 | RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_VALUE_MISSING); |
40 | return 0; |
41 | } |
42 | |
43 | /* multi-prime? */ |
44 | if (key->version == RSA_ASN1_VERSION_MULTI) { |
45 | ex_primes = sk_RSA_PRIME_INFO_num(key->prime_infos); |
46 | if (ex_primes <= 0 |
47 | || (ex_primes + 2) > rsa_multip_cap(BN_num_bits(key->n))) { |
48 | RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_INVALID_MULTI_PRIME_KEY); |
49 | return 0; |
50 | } |
51 | } |
52 | |
53 | i = BN_new(); |
54 | j = BN_new(); |
55 | k = BN_new(); |
56 | l = BN_new(); |
57 | m = BN_new(); |
58 | ctx = BN_CTX_new(); |
59 | if (i == NULL || j == NULL || k == NULL || l == NULL |
60 | || m == NULL || ctx == NULL) { |
61 | ret = -1; |
62 | RSAerr(RSA_F_RSA_CHECK_KEY_EX, ERR_R_MALLOC_FAILURE); |
63 | goto err; |
64 | } |
65 | |
66 | if (BN_is_one(key->e)) { |
67 | ret = 0; |
68 | RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_BAD_E_VALUE); |
69 | } |
70 | if (!BN_is_odd(key->e)) { |
71 | ret = 0; |
72 | RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_BAD_E_VALUE); |
73 | } |
74 | |
75 | /* p prime? */ |
76 | if (BN_check_prime(key->p, NULL, cb) != 1) { |
77 | ret = 0; |
78 | RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_P_NOT_PRIME); |
79 | } |
80 | |
81 | /* q prime? */ |
82 | if (BN_check_prime(key->q, NULL, cb) != 1) { |
83 | ret = 0; |
84 | RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_Q_NOT_PRIME); |
85 | } |
86 | |
87 | /* r_i prime? */ |
88 | for (idx = 0; idx < ex_primes; idx++) { |
89 | pinfo = sk_RSA_PRIME_INFO_value(key->prime_infos, idx); |
90 | if (BN_check_prime(pinfo->r, NULL, cb) != 1) { |
91 | ret = 0; |
92 | RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_MP_R_NOT_PRIME); |
93 | } |
94 | } |
95 | |
96 | /* n = p*q * r_3...r_i? */ |
97 | if (!BN_mul(i, key->p, key->q, ctx)) { |
98 | ret = -1; |
99 | goto err; |
100 | } |
101 | for (idx = 0; idx < ex_primes; idx++) { |
102 | pinfo = sk_RSA_PRIME_INFO_value(key->prime_infos, idx); |
103 | if (!BN_mul(i, i, pinfo->r, ctx)) { |
104 | ret = -1; |
105 | goto err; |
106 | } |
107 | } |
108 | if (BN_cmp(i, key->n) != 0) { |
109 | ret = 0; |
110 | if (ex_primes) |
111 | RSAerr(RSA_F_RSA_CHECK_KEY_EX, |
112 | RSA_R_N_DOES_NOT_EQUAL_PRODUCT_OF_PRIMES); |
113 | else |
114 | RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_N_DOES_NOT_EQUAL_P_Q); |
115 | } |
116 | |
117 | /* d*e = 1 mod \lambda(n)? */ |
118 | if (!BN_sub(i, key->p, BN_value_one())) { |
119 | ret = -1; |
120 | goto err; |
121 | } |
122 | if (!BN_sub(j, key->q, BN_value_one())) { |
123 | ret = -1; |
124 | goto err; |
125 | } |
126 | |
127 | /* now compute k = \lambda(n) = LCM(i, j, r_3 - 1...) */ |
128 | if (!BN_mul(l, i, j, ctx)) { |
129 | ret = -1; |
130 | goto err; |
131 | } |
132 | if (!BN_gcd(m, i, j, ctx)) { |
133 | ret = -1; |
134 | goto err; |
135 | } |
136 | for (idx = 0; idx < ex_primes; idx++) { |
137 | pinfo = sk_RSA_PRIME_INFO_value(key->prime_infos, idx); |
138 | if (!BN_sub(k, pinfo->r, BN_value_one())) { |
139 | ret = -1; |
140 | goto err; |
141 | } |
142 | if (!BN_mul(l, l, k, ctx)) { |
143 | ret = -1; |
144 | goto err; |
145 | } |
146 | if (!BN_gcd(m, m, k, ctx)) { |
147 | ret = -1; |
148 | goto err; |
149 | } |
150 | } |
151 | if (!BN_div(k, NULL, l, m, ctx)) { /* remainder is 0 */ |
152 | ret = -1; |
153 | goto err; |
154 | } |
155 | if (!BN_mod_mul(i, key->d, key->e, k, ctx)) { |
156 | ret = -1; |
157 | goto err; |
158 | } |
159 | |
160 | if (!BN_is_one(i)) { |
161 | ret = 0; |
162 | RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_D_E_NOT_CONGRUENT_TO_1); |
163 | } |
164 | |
165 | if (key->dmp1 != NULL && key->dmq1 != NULL && key->iqmp != NULL) { |
166 | /* dmp1 = d mod (p-1)? */ |
167 | if (!BN_sub(i, key->p, BN_value_one())) { |
168 | ret = -1; |
169 | goto err; |
170 | } |
171 | if (!BN_mod(j, key->d, i, ctx)) { |
172 | ret = -1; |
173 | goto err; |
174 | } |
175 | if (BN_cmp(j, key->dmp1) != 0) { |
176 | ret = 0; |
177 | RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_DMP1_NOT_CONGRUENT_TO_D); |
178 | } |
179 | |
180 | /* dmq1 = d mod (q-1)? */ |
181 | if (!BN_sub(i, key->q, BN_value_one())) { |
182 | ret = -1; |
183 | goto err; |
184 | } |
185 | if (!BN_mod(j, key->d, i, ctx)) { |
186 | ret = -1; |
187 | goto err; |
188 | } |
189 | if (BN_cmp(j, key->dmq1) != 0) { |
190 | ret = 0; |
191 | RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_DMQ1_NOT_CONGRUENT_TO_D); |
192 | } |
193 | |
194 | /* iqmp = q^-1 mod p? */ |
195 | if (!BN_mod_inverse(i, key->q, key->p, ctx)) { |
196 | ret = -1; |
197 | goto err; |
198 | } |
199 | if (BN_cmp(i, key->iqmp) != 0) { |
200 | ret = 0; |
201 | RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_IQMP_NOT_INVERSE_OF_Q); |
202 | } |
203 | } |
204 | |
205 | for (idx = 0; idx < ex_primes; idx++) { |
206 | pinfo = sk_RSA_PRIME_INFO_value(key->prime_infos, idx); |
207 | /* d_i = d mod (r_i - 1)? */ |
208 | if (!BN_sub(i, pinfo->r, BN_value_one())) { |
209 | ret = -1; |
210 | goto err; |
211 | } |
212 | if (!BN_mod(j, key->d, i, ctx)) { |
213 | ret = -1; |
214 | goto err; |
215 | } |
216 | if (BN_cmp(j, pinfo->d) != 0) { |
217 | ret = 0; |
218 | RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_MP_EXPONENT_NOT_CONGRUENT_TO_D); |
219 | } |
220 | /* t_i = R_i ^ -1 mod r_i ? */ |
221 | if (!BN_mod_inverse(i, pinfo->pp, pinfo->r, ctx)) { |
222 | ret = -1; |
223 | goto err; |
224 | } |
225 | if (BN_cmp(i, pinfo->t) != 0) { |
226 | ret = 0; |
227 | RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_MP_COEFFICIENT_NOT_INVERSE_OF_R); |
228 | } |
229 | } |
230 | |
231 | err: |
232 | BN_free(i); |
233 | BN_free(j); |
234 | BN_free(k); |
235 | BN_free(l); |
236 | BN_free(m); |
237 | BN_CTX_free(ctx); |
238 | return ret; |
239 | #endif /* FIPS_MODE */ |
240 | } |
241 | |