static int x25519_keygen(EC_KEY *eckey)
{
unsigned char *key;
if (x25519_init_private(eckey, NULL) == 0)
return 0;
key = eckey->custom_data;
if (RAND_bytes(key, EC_X25519_KEYLEN) <= 0)
return 0;
key[0] &= 248;
key[31] &= 127;
key[31] |= 64;
/*
* Although the private key is kept as an array in eckey->custom_data
* Set eckey->priv_key too so existing code which uses
* EC_KEY_get0_private_key() still works.
*/
if (eckey->priv_key == NULL)
eckey->priv_key = BN_secure_new();
if (eckey->priv_key == NULL)
return 0;
if (BN_lebin2bn(eckey->custom_data, EC_X25519_KEYLEN, eckey->priv_key) ==
NULL)
return 0;
if (eckey->pub_key == NULL)
eckey->pub_key = EC_POINT_new(eckey->group);
if (eckey->pub_key == NULL)
return 0;
return x25519_keygenpub(eckey);
}
static int bn_secure_new(ASN1_VALUE **pval, const ASN1_ITEM *it)
{
*pval = (ASN1_VALUE *)BN_secure_new();
if (*pval)
return 1;
else
return 0;
}
static int dsa_builtin_keygen(DSA *dsa)
{
int ok = 0;
BN_CTX *ctx = NULL;
BIGNUM *pub_key = NULL, *priv_key = NULL;
if ((ctx = BN_CTX_new()) == NULL)
goto err;
if (dsa->priv_key == NULL) {
if ((priv_key = BN_secure_new()) == NULL)
goto err;
} else
priv_key = dsa->priv_key;
do
if (!BN_rand_range(priv_key, dsa->q))
goto err;
while (BN_is_zero(priv_key)) ;
if (dsa->pub_key == NULL) {
if ((pub_key = BN_new()) == NULL)
goto err;
} else
pub_key = dsa->pub_key;
{
BIGNUM *local_prk = NULL;
BIGNUM *prk;
if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) {
local_prk = prk = BN_new();
if (!local_prk)
goto err;
BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
} else
prk = priv_key;
if (!BN_mod_exp(pub_key, dsa->g, prk, dsa->p, ctx)) {
BN_free(local_prk);
goto err;
}
BN_free(local_prk);
}
dsa->priv_key = priv_key;
dsa->pub_key = pub_key;
ok = 1;
err:
if (pub_key != dsa->pub_key)
BN_free(pub_key);
if (priv_key != dsa->priv_key)
BN_free(priv_key);
BN_CTX_free(ctx);
return (ok);
}
static int dh_priv_decode(EVP_PKEY *pkey, PKCS8_PRIV_KEY_INFO *p8)
{
const unsigned char *p, *pm;
int pklen, pmlen;
int ptype;
void *pval;
ASN1_STRING *pstr;
X509_ALGOR *palg;
ASN1_INTEGER *privkey = NULL;
DH *dh = NULL;
if (!PKCS8_pkey_get0(NULL, &p, &pklen, &palg, p8))
return 0;
X509_ALGOR_get0(NULL, &ptype, &pval, palg);
if (ptype != V_ASN1_SEQUENCE)
goto decerr;
if ((privkey = d2i_ASN1_INTEGER(NULL, &p, pklen)) == NULL)
goto decerr;
pstr = pval;
pm = pstr->data;
pmlen = pstr->length;
if ((dh = d2i_dhp(pkey, &pm, pmlen)) == NULL)
goto decerr;
/* We have parameters now set private key */
if ((dh->priv_key = BN_secure_new()) == NULL
|| !ASN1_INTEGER_to_BN(privkey, dh->priv_key)) {
DHerr(DH_F_DH_PRIV_DECODE, DH_R_BN_ERROR);
goto dherr;
}
/* Calculate public key */
if (!DH_generate_key(dh))
goto dherr;
EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, dh);
ASN1_STRING_clear_free(privkey);
return 1;
decerr:
DHerr(DH_F_DH_PRIV_DECODE, EVP_R_DECODE_ERROR);
dherr:
DH_free(dh);
ASN1_STRING_clear_free(privkey);
return 0;
}
int ec_key_simple_oct2priv(EC_KEY *eckey, const unsigned char *buf, size_t len)
{
if (eckey->priv_key == NULL)
eckey->priv_key = BN_secure_new();
if (eckey->priv_key == NULL) {
ECerr(EC_F_EC_KEY_SIMPLE_OCT2PRIV, ERR_R_MALLOC_FAILURE);
return 0;
}
eckey->priv_key = BN_bin2bn(buf, len, eckey->priv_key);
if (eckey->priv_key == NULL) {
ECerr(EC_F_EC_KEY_SIMPLE_OCT2PRIV, ERR_R_BN_LIB);
return 0;
}
return 1;
}
int EC_KEY_oct2priv(EC_KEY *eckey, unsigned char *buf, size_t len)
{
if (eckey->group == NULL || eckey->group->meth == NULL)
return 0;
if (eckey->priv_key == NULL)
eckey->priv_key = BN_secure_new();
if (eckey->priv_key == NULL) {
ECerr(EC_F_EC_KEY_OCT2PRIV, ERR_R_MALLOC_FAILURE);
return 0;
}
eckey->priv_key = BN_bin2bn(buf, len, eckey->priv_key);
if (eckey->priv_key == NULL) {
ECerr(EC_F_EC_KEY_OCT2PRIV, ERR_R_BN_LIB);
return 0;
}
return 1;
}
static int x25519_oct2priv(EC_KEY *eckey, unsigned char *buf, size_t len)
{
if (len != EC_X25519_KEYLEN)
return 0;
if (x25519_init_private(eckey, buf) == 0)
return 0;
/*
* Although the private key is kept as an array in eckey->custom_data
* Set eckey->priv_key too so existing code which uses
* EC_KEY_get0_private_key() still works.
*/
if (eckey->priv_key == NULL)
eckey->priv_key = BN_secure_new();
if (eckey->priv_key == NULL)
return 0;
if (BN_lebin2bn(buf, EC_X25519_KEYLEN, eckey->priv_key) == NULL)
return 0;
return 1;
}
static int dsa_priv_decode(EVP_PKEY *pkey, const PKCS8_PRIV_KEY_INFO *p8)
{
const unsigned char *p, *pm;
int pklen, pmlen;
int ptype;
const void *pval;
const ASN1_STRING *pstr;
const X509_ALGOR *palg;
ASN1_INTEGER *privkey = NULL;
BN_CTX *ctx = NULL;
DSA *dsa = NULL;
int ret = 0;
if (!PKCS8_pkey_get0(NULL, &p, &pklen, &palg, p8))
return 0;
X509_ALGOR_get0(NULL, &ptype, &pval, palg);
if ((privkey = d2i_ASN1_INTEGER(NULL, &p, pklen)) == NULL)
goto decerr;
if (privkey->type == V_ASN1_NEG_INTEGER || ptype != V_ASN1_SEQUENCE)
goto decerr;
pstr = pval;
pm = pstr->data;
pmlen = pstr->length;
if ((dsa = d2i_DSAparams(NULL, &pm, pmlen)) == NULL)
goto decerr;
/* We have parameters now set private key */
if ((dsa->priv_key = BN_secure_new()) == NULL
|| !ASN1_INTEGER_to_BN(privkey, dsa->priv_key)) {
DSAerr(DSA_F_DSA_PRIV_DECODE, DSA_R_BN_ERROR);
goto dsaerr;
}
/* Calculate public key */
if ((dsa->pub_key = BN_new()) == NULL) {
DSAerr(DSA_F_DSA_PRIV_DECODE, ERR_R_MALLOC_FAILURE);
goto dsaerr;
}
if ((ctx = BN_CTX_new()) == NULL) {
DSAerr(DSA_F_DSA_PRIV_DECODE, ERR_R_MALLOC_FAILURE);
goto dsaerr;
}
BN_set_flags(dsa->priv_key, BN_FLG_CONSTTIME);
if (!BN_mod_exp(dsa->pub_key, dsa->g, dsa->priv_key, dsa->p, ctx)) {
DSAerr(DSA_F_DSA_PRIV_DECODE, DSA_R_BN_ERROR);
goto dsaerr;
}
EVP_PKEY_assign_DSA(pkey, dsa);
ret = 1;
goto done;
decerr:
DSAerr(DSA_F_DSA_PRIV_DECODE, DSA_R_DECODE_ERROR);
dsaerr:
DSA_free(dsa);
done:
BN_CTX_free(ctx);
ASN1_STRING_clear_free(privkey);
return ret;
}
static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value,
BN_GENCB *cb)
{
BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL, *r3 = NULL, *tmp;
int bitsp, bitsq, ok = -1, n = 0;
BN_CTX *ctx = NULL;
ctx = BN_CTX_new();
if (ctx == NULL)
goto err;
BN_CTX_start(ctx);
r0 = BN_CTX_get(ctx);
r1 = BN_CTX_get(ctx);
r2 = BN_CTX_get(ctx);
r3 = BN_CTX_get(ctx);
if (r3 == NULL)
goto err;
bitsp = (bits + 1) / 2;
bitsq = bits - bitsp;
/* We need the RSA components non-NULL */
if (!rsa->n && ((rsa->n = BN_new()) == NULL))
goto err;
if (!rsa->d && ((rsa->d = BN_secure_new()) == NULL))
goto err;
if (!rsa->e && ((rsa->e = BN_new()) == NULL))
goto err;
if (!rsa->p && ((rsa->p = BN_secure_new()) == NULL))
goto err;
if (!rsa->q && ((rsa->q = BN_secure_new()) == NULL))
goto err;
if (!rsa->dmp1 && ((rsa->dmp1 = BN_secure_new()) == NULL))
goto err;
if (!rsa->dmq1 && ((rsa->dmq1 = BN_secure_new()) == NULL))
goto err;
if (!rsa->iqmp && ((rsa->iqmp = BN_secure_new()) == NULL))
goto err;
BN_copy(rsa->e, e_value);
/* generate p and q */
for (;;) {
if (!BN_generate_prime_ex(rsa->p, bitsp, 0, NULL, NULL, cb))
goto err;
if (!BN_sub(r2, rsa->p, BN_value_one()))
goto err;
if (!BN_gcd(r1, r2, rsa->e, ctx))
goto err;
if (BN_is_one(r1))
break;
if (!BN_GENCB_call(cb, 2, n++))
goto err;
}
if (!BN_GENCB_call(cb, 3, 0))
goto err;
for (;;) {
/*
* When generating ridiculously small keys, we can get stuck
* continually regenerating the same prime values. Check for this and
* bail if it happens 3 times.
*/
unsigned int degenerate = 0;
do {
if (!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL, cb))
goto err;
} while ((BN_cmp(rsa->p, rsa->q) == 0) && (++degenerate < 3));
if (degenerate == 3) {
ok = 0; /* we set our own err */
RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, RSA_R_KEY_SIZE_TOO_SMALL);
goto err;
}
if (!BN_sub(r2, rsa->q, BN_value_one()))
goto err;
if (!BN_gcd(r1, r2, rsa->e, ctx))
goto err;
if (BN_is_one(r1))
break;
if (!BN_GENCB_call(cb, 2, n++))
goto err;
}
if (!BN_GENCB_call(cb, 3, 1))
goto err;
if (BN_cmp(rsa->p, rsa->q) < 0) {
tmp = rsa->p;
rsa->p = rsa->q;
rsa->q = tmp;
}
/* calculate n */
if (!BN_mul(rsa->n, rsa->p, rsa->q, ctx))
goto err;
/* calculate d */
if (!BN_sub(r1, rsa->p, BN_value_one()))
goto err; /* p-1 */
if (!BN_sub(r2, rsa->q, BN_value_one()))
goto err; /* q-1 */
if (!BN_mul(r0, r1, r2, ctx))
goto err; /* (p-1)(q-1) */
{
BIGNUM *local_r0 = NULL, *pr0;
if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
pr0 = local_r0 = BN_new();
if (local_r0 == NULL)
goto err;
BN_with_flags(pr0, r0, BN_FLG_CONSTTIME);
} else {
pr0 = r0;
}
if (!BN_mod_inverse(rsa->d, rsa->e, pr0, ctx)) {
BN_free(local_r0);
goto err; /* d */
}
/* We MUST free local_r0 before any further use of r0 */
BN_free(local_r0);
}
{
BIGNUM *local_d = NULL, *d;
/* set up d for correct BN_FLG_CONSTTIME flag */
if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
d = local_d = BN_new();
if (local_d == NULL)
goto err;
BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
} else {
d = rsa->d;
}
if ( /* calculate d mod (p-1) */
!BN_mod(rsa->dmp1, d, r1, ctx)
/* calculate d mod (q-1) */
|| !BN_mod(rsa->dmq1, d, r2, ctx)) {
BN_free(local_d);
goto err;
}
/* We MUST free local_d before any further use of rsa->d */
BN_free(local_d);
}
{
BIGNUM *local_p = NULL, *p;
/* calculate inverse of q mod p */
if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
p = local_p = BN_new();
if (local_p == NULL)
goto err;
BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
} else {
p = rsa->p;
}
if (!BN_mod_inverse(rsa->iqmp, rsa->q, p, ctx)) {
BN_free(local_p);
goto err;
}
/* We MUST free local_p before any further use of rsa->p */
BN_free(local_p);
}
ok = 1;
err:
if (ok == -1) {
RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, ERR_LIB_BN);
ok = 0;
}
if (ctx != NULL)
BN_CTX_end(ctx);
BN_CTX_free(ctx);
return ok;
}
static int generate_key(DH *dh)
{
int ok = 0;
int generate_new_key = 0;
unsigned l;
BN_CTX *ctx;
BN_MONT_CTX *mont = NULL;
BIGNUM *pub_key = NULL, *priv_key = NULL;
ctx = BN_CTX_new();
if (ctx == NULL)
goto err;
if (dh->priv_key == NULL) {
priv_key = BN_secure_new();
if (priv_key == NULL)
goto err;
generate_new_key = 1;
} else
priv_key = dh->priv_key;
if (dh->pub_key == NULL) {
pub_key = BN_new();
if (pub_key == NULL)
goto err;
} else
pub_key = dh->pub_key;
if (dh->flags & DH_FLAG_CACHE_MONT_P) {
mont = BN_MONT_CTX_set_locked(&dh->method_mont_p,
CRYPTO_LOCK_DH, dh->p, ctx);
if (!mont)
goto err;
}
if (generate_new_key) {
if (dh->q) {
do {
if (!BN_rand_range(priv_key, dh->q))
goto err;
}
while (BN_is_zero(priv_key) || BN_is_one(priv_key));
} else {
/* secret exponent length */
l = dh->length ? dh->length : BN_num_bits(dh->p) - 1;
if (!BN_rand(priv_key, l, 0, 0))
goto err;
}
}
{
BIGNUM *local_prk = NULL;
BIGNUM *prk;
if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0) {
local_prk = prk = BN_new();
if (local_prk == NULL)
goto err;
BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
} else {
prk = priv_key;
}
if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, prk, dh->p, ctx, mont)) {
BN_free(local_prk);
goto err;
}
/* We MUST free local_prk before any further use of priv_key */
BN_free(local_prk);
}
dh->pub_key = pub_key;
dh->priv_key = priv_key;
ok = 1;
err:
if (ok != 1)
DHerr(DH_F_GENERATE_KEY, ERR_R_BN_LIB);
if (pub_key != dh->pub_key)
BN_free(pub_key);
if (priv_key != dh->priv_key)
BN_free(priv_key);
BN_CTX_free(ctx);
return (ok);
}
static int dsa_priv_decode(EVP_PKEY *pkey, PKCS8_PRIV_KEY_INFO *p8)
{
const unsigned char *p, *pm;
int pklen, pmlen;
int ptype;
void *pval;
ASN1_STRING *pstr;
X509_ALGOR *palg;
ASN1_INTEGER *privkey = NULL;
BN_CTX *ctx = NULL;
STACK_OF(ASN1_TYPE) *ndsa = NULL;
DSA *dsa = NULL;
if (!PKCS8_pkey_get0(NULL, &p, &pklen, &palg, p8))
return 0;
X509_ALGOR_get0(NULL, &ptype, &pval, palg);
/* Check for broken DSA PKCS#8, UGH! */
if (*p == (V_ASN1_SEQUENCE | V_ASN1_CONSTRUCTED)) {
ASN1_TYPE *t1, *t2;
if ((ndsa = d2i_ASN1_SEQUENCE_ANY(NULL, &p, pklen)) == NULL)
goto decerr;
if (sk_ASN1_TYPE_num(ndsa) != 2)
goto decerr;
/*-
* Handle Two broken types:
* SEQUENCE {parameters, priv_key}
* SEQUENCE {pub_key, priv_key}
*/
t1 = sk_ASN1_TYPE_value(ndsa, 0);
t2 = sk_ASN1_TYPE_value(ndsa, 1);
if (t1->type == V_ASN1_SEQUENCE) {
p8->broken = PKCS8_EMBEDDED_PARAM;
pval = t1->value.ptr;
} else if (ptype == V_ASN1_SEQUENCE)
p8->broken = PKCS8_NS_DB;
else
goto decerr;
if (t2->type != V_ASN1_INTEGER)
goto decerr;
privkey = t2->value.integer;
} else {
const unsigned char *q = p;
if ((privkey = d2i_ASN1_INTEGER(NULL, &p, pklen)) == NULL)
goto decerr;
if (privkey->type == V_ASN1_NEG_INTEGER) {
p8->broken = PKCS8_NEG_PRIVKEY;
ASN1_STRING_clear_free(privkey);
if ((privkey = d2i_ASN1_UINTEGER(NULL, &q, pklen)) == NULL)
goto decerr;
}
if (ptype != V_ASN1_SEQUENCE)
goto decerr;
}
pstr = pval;
pm = pstr->data;
pmlen = pstr->length;
if ((dsa = d2i_DSAparams(NULL, &pm, pmlen)) == NULL)
goto decerr;
/* We have parameters now set private key */
if ((dsa->priv_key = BN_secure_new()) == NULL
|| !ASN1_INTEGER_to_BN(privkey, dsa->priv_key)) {
DSAerr(DSA_F_DSA_PRIV_DECODE, DSA_R_BN_ERROR);
goto dsaerr;
}
/* Calculate public key */
if ((dsa->pub_key = BN_new()) == NULL) {
DSAerr(DSA_F_DSA_PRIV_DECODE, ERR_R_MALLOC_FAILURE);
goto dsaerr;
}
if ((ctx = BN_CTX_new()) == NULL) {
DSAerr(DSA_F_DSA_PRIV_DECODE, ERR_R_MALLOC_FAILURE);
goto dsaerr;
}
if (!BN_mod_exp(dsa->pub_key, dsa->g, dsa->priv_key, dsa->p, ctx)) {
DSAerr(DSA_F_DSA_PRIV_DECODE, DSA_R_BN_ERROR);
goto dsaerr;
}
EVP_PKEY_assign_DSA(pkey, dsa);
BN_CTX_free(ctx);
if (ndsa)
sk_ASN1_TYPE_pop_free(ndsa, ASN1_TYPE_free);
else
ASN1_STRING_clear_free(privkey);
return 1;
decerr:
DSAerr(DSA_F_DSA_PRIV_DECODE, EVP_R_DECODE_ERROR);
dsaerr:
BN_CTX_free(ctx);
ASN1_STRING_clear_free(privkey);
sk_ASN1_TYPE_pop_free(ndsa, ASN1_TYPE_free);
DSA_free(dsa);
return 0;
}
