RSA *RSA_generate_key(int bits, unsigned long e_value,
void (*callback)(int,int,void *), void *cb_arg)
{
RSA *rsa=NULL;
BIGNUM *r0=NULL,*r1=NULL,*r2=NULL,*r3=NULL,*tmp;
int bitsp,bitsq,ok= -1,n=0,i;
BN_CTX *ctx=NULL,*ctx2=NULL;
ctx=BN_CTX_new();
if (ctx == NULL) goto err;
ctx2=BN_CTX_new();
if (ctx2 == NULL) goto err;
BN_CTX_start(ctx);
r0 = BN_CTX_get(ctx);
r1 = BN_CTX_get(ctx);
r2 = BN_CTX_get(ctx);
r3 = BN_CTX_get(ctx);
if (r3 == NULL) goto err;
bitsp=(bits+1)/2;
bitsq=bits-bitsp;
rsa=RSA_new();
if (rsa == NULL) goto err;
/* set e */
rsa->e=BN_new();
if (rsa->e == NULL) goto err;
/* The problem is when building with 8, 16, or 32 BN_ULONG,
* unsigned long can be larger */
for (i=0; i<sizeof(unsigned long)*8; i++)
{
if (e_value & (1UL<<i))
BN_set_bit(rsa->e,i);
}
/* generate p and q */
for (;;)
{
rsa->p=BN_generate_prime(NULL,bitsp,0,NULL,NULL,callback,cb_arg);
if (rsa->p == NULL) goto err;
if (!BN_sub(r2,rsa->p,BN_value_one())) goto err;
if (!BN_gcd(r1,r2,rsa->e,ctx)) goto err;
if (BN_is_one(r1)) break;
if (callback != NULL) callback(2,n++,cb_arg);
BN_free(rsa->p);
}
if (callback != NULL) callback(3,0,cb_arg);
for (;;)
{
rsa->q=BN_generate_prime(NULL,bitsq,0,NULL,NULL,callback,cb_arg);
if (rsa->q == NULL) goto err;
if (!BN_sub(r2,rsa->q,BN_value_one())) goto err;
if (!BN_gcd(r1,r2,rsa->e,ctx)) goto err;
if (BN_is_one(r1) && (BN_cmp(rsa->p,rsa->q) != 0))
break;
if (callback != NULL) callback(2,n++,cb_arg);
BN_free(rsa->q);
}
if (callback != NULL) callback(3,1,cb_arg);
if (BN_cmp(rsa->p,rsa->q) < 0)
{
tmp=rsa->p;
rsa->p=rsa->q;
rsa->q=tmp;
}
/* calculate n */
rsa->n=BN_new();
if (rsa->n == NULL) goto err;
if (!BN_mul(rsa->n,rsa->p,rsa->q,ctx)) goto err;
/* calculate d */
if (!BN_sub(r1,rsa->p,BN_value_one())) goto err; /* p-1 */
if (!BN_sub(r2,rsa->q,BN_value_one())) goto err; /* q-1 */
if (!BN_mul(r0,r1,r2,ctx)) goto err; /* (p-1)(q-1) */
/* should not be needed, since gcd(p-1,e) == 1 and gcd(q-1,e) == 1 */
/* for (;;)
{
if (!BN_gcd(r3,r0,rsa->e,ctx)) goto err;
if (BN_is_one(r3)) break;
if (1)
{
if (!BN_add_word(rsa->e,2L)) goto err;
continue;
}
RSAerr(RSA_F_RSA_GENERATE_KEY,RSA_R_BAD_E_VALUE);
goto err;
}
*/
rsa->d=BN_mod_inverse(NULL,rsa->e,r0,ctx2); /* d */
if (rsa->d == NULL) goto err;
/* calculate d mod (p-1) */
rsa->dmp1=BN_new();
if (rsa->dmp1 == NULL) goto err;
if (!BN_mod(rsa->dmp1,rsa->d,r1,ctx)) goto err;
/* calculate d mod (q-1) */
rsa->dmq1=BN_new();
if (rsa->dmq1 == NULL) goto err;
if (!BN_mod(rsa->dmq1,rsa->d,r2,ctx)) goto err;
/* calculate inverse of q mod p */
rsa->iqmp=BN_mod_inverse(NULL,rsa->q,rsa->p,ctx2);
if (rsa->iqmp == NULL) goto err;
ok=1;
err:
if (ok == -1)
ok=0;
BN_CTX_end(ctx);
BN_CTX_free(ctx);
BN_CTX_free(ctx2);
if (!ok)
{
if (rsa != NULL) RSA_free(rsa);
return(NULL);
}
else
return(rsa);
}
void test_lehmer_thm(void)
{
BIGNUM
*v = BN_new(),
*v2 = BN_new(),
*h = BN_new(),
*n = BN_new(),
*p = BN_new(),
*q = BN_new(),
*g = BN_new();
BN_CTX *ctx = BN_CTX_new();
BN_dec2bn(&v, "2");
BN_dec2bn(&p,
"181857351165158586099319592412492032999818333818932850952491024"
"131283899677766672100915923041329384157985577418702469610834914"
"6296393743554494871840505599");
BN_dec2bn(&q,
"220481921324130321200060036818685031159071785249502660004347524"
"831733577485433929892260897846567483448177204481081755191897197"
"38283711758138566145322943999");
BN_mul(n, p, q, ctx);
/* p + 1 */
BN_dec2bn(&h,
"181857351165158586099319592412492032999818333818932850952491024"
"131283899677766672100915923041329384157985577418702469610834914"
"6296393743554494871840505600");
lucas(v, h, n, ctx);
BN_sub(v2, v, BN_value_two());
BN_gcd(g, v2, n, ctx);
assert(!BN_is_one(g));
/* another test */
BN_dec2bn(&v, "3");
BN_dec2bn(&p,
"181857351165158586099319592412492032999818333818932850952491024"
"131283899677766672100915923041329384157985577418702469610834914"
"62963937435544948718405055999");
BN_generate_prime(q, 512, 1, NULL, NULL, NULL, NULL);
BN_mul(n, p, q, ctx);
BN_sub(h, p, BN_value_one());
BN_mul(h, h, BN_value_two(), ctx);
lucas(v, h, n, ctx);
BN_mod_sub(v2, v, BN_value_two(), n, ctx);
BN_gcd(g, v2, n, ctx);
assert(!BN_is_one(g));
assert(BN_cmp(g, n));
BN_free(q);
BN_free(p);
BN_free(v);
BN_free(v2);
BN_free(h);
BN_CTX_free(ctx);
}
// LCM for BIGNUMs
static int BN_lcm(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
{
int ret = 0;
BN_CTX_start(ctx);
BIGNUM *tmp = BN_CTX_get(ctx);
BIGNUM *gcd = BN_CTX_get(ctx);
if (!BN_gcd(gcd, a, b, ctx))
goto end;
if (!BN_div(tmp, NULL, a, gcd, ctx))
goto end;
if (!BN_mul(r, b, tmp, ctx))
goto end;
ret = 1;
end:
if (ret != 1)
{
ERR_load_crypto_strings();
fprintf(stderr, "Error calculating lcm: %s", ERR_error_string(ERR_get_error(), NULL));
}
BN_CTX_end(ctx);
return ret;
}
/**
* \brief Test for a pair of moduluses having a prime factor in common.
*
*/
int test(BIGNUM *n, BIGNUM *m)
{
BIGNUM *g;
BN_CTX *ctx;
int ret = 0;
if (!BN_cmp(n, m)) return 1;
g = BN_new();
ctx = BN_CTX_new();
BN_gcd(g, n, m, ctx);
if (!BN_is_one(g)) {
fprintf(stdout, "%-8s: ", PRIME);
BN_print_fp(stdout, n);
fprintf(stdout, " ");
BN_print_fp(stdout, m);
fprintf(stdout, "\n");
ret = 1;
}
BN_CTX_free(ctx);
BN_free(g);
return ret;
}
int main(int argc, char ** argv) {
/* Generate 2 big random numbers (512 bits) */
primitive_p = initialize("1011011");
initialize_rand(SEED);
BIGNUM *p = get_long_prime_number(RSA_KEY_LENGTH);
printf("p=%s\n", BN_bn2hex(p));
BIGNUM *q = get_long_prime_number(RSA_KEY_LENGTH);
printf("q=%s\n", BN_bn2hex(q));
/* Compute phi = (p-1)*(q-1) and n = p*q */
BIGNUM *phi, *n;
BN_CTX *tmp;
tmp = BN_CTX_new();
n = BN_new();
phi = BN_new();
BN_copy(n, p);
BN_mul(n, n, q, tmp);
printf("n=%s\n", BN_bn2dec(n));
BN_sub_word(p, 1);
printf("p-1=%s\n", BN_bn2dec(p));
BN_sub_word(q, 1);
printf("q-1=%s\n", BN_bn2dec(q));
phi = BN_new();
BN_init(tmp);
BN_mul(phi, p, q, tmp);
printf("(p-1)(q-1)=%s\n", BN_bn2dec(phi));
/* Find the smallest integer coprime with phi */
BIGNUM * e = BN_new();
BIGNUM *gcd = BN_new();
BN_add_word(e, 3);
for ( ; ; BN_add_word(e, 2)) {
tmp = BN_CTX_new();
BN_gcd(gcd, e, phi, tmp);
if (BN_is_one(gcd))
break;
}
printf("e=%s\n", BN_bn2dec(e));
/* Find d, the inverse of e in Z_phi */
BIGNUM * d = BN_new();
BIGNUM * i = BN_new();
BIGNUM * rem = BN_new();
BIGNUM * prod = BN_new();
BN_add_word(i, 1);
for ( ; ; BN_add_word(i, 1)) {
BN_copy(prod, phi);
tmp = BN_CTX_new();
BN_mul(prod, prod, i, tmp);
BN_add_word(prod, 1);
BN_div(d, rem, prod, e, tmp);
if (BN_is_zero(rem)) {
break;
}
}
printf("d=%s\n", BN_bn2dec(d));
return 0;
}
uint8_t sane_key(RSA *rsa) { // checks sanity of a RSA key (PKCS#1 v2.1)
uint8_t sane = 1;
BN_CTX *ctx = BN_CTX_new();
BN_CTX_start(ctx);
BIGNUM *p1 = BN_CTX_get(ctx), // p - 1
*q1 = BN_CTX_get(ctx), // q - 1
*chk = BN_CTX_get(ctx), // storage to run checks with
*gcd = BN_CTX_get(ctx), // GCD(p - 1, q - 1)
*lambda = BN_CTX_get(ctx); // LCM(p - 1, q - 1)
BN_sub(p1, rsa->p, BN_value_one()); // p - 1
BN_sub(q1, rsa->q, BN_value_one()); // q - 1
BN_gcd(gcd, p1, q1, ctx); // gcd(p - 1, q - 1)
BN_lcm(lambda, p1, q1, gcd, ctx); // lambda(n)
BN_gcd(chk, lambda, rsa->e, ctx); // check if e is coprime to lambda(n)
if(!BN_is_one(chk))
sane = 0;
// check if public exponent e is less than n - 1
BN_sub(chk, rsa->e, rsa->n); // subtract n from e to avoid checking BN_is_zero
if(!chk->neg)
sane = 0;
BN_mod_inverse(rsa->d, rsa->e, lambda, ctx); // d
BN_mod(rsa->dmp1, rsa->d, p1, ctx); // d mod (p - 1)
BN_mod(rsa->dmq1, rsa->d, q1, ctx); // d mod (q - 1)
BN_mod_inverse(rsa->iqmp, rsa->q, rsa->p, ctx); // q ^ -1 mod p
BN_CTX_end(ctx);
BN_CTX_free(ctx);
// this is excessive but you're better off safe than (very) sorry
// in theory this should never be true unless I made a mistake ;)
if((RSA_check_key(rsa) != 1) && sane) {
fprintf(stderr, "WARNING: Key looked okay, but OpenSSL says otherwise!\n");
sane = 0;
}
return sane;
}
/* pollard p-1, algorithm from Jim Gillogly, May 2000 */
static void
pollard_pminus1(BIGNUM *val)
{
BIGNUM *base, *rbase, *num, *i, *x;
base = BN_new();
rbase = BN_new();
num = BN_new();
i = BN_new();
x = BN_new();
BN_set_word(rbase, 1);
newbase:
if (!BN_add_word(rbase, 1))
errx(1, "error in BN_add_word()");
BN_set_word(i, 2);
BN_copy(base, rbase);
for (;;) {
BN_mod_exp(base, base, i, val, ctx);
if (BN_is_one(base))
goto newbase;
BN_copy(x, base);
BN_sub_word(x, 1);
if (!BN_gcd(x, x, val, ctx))
errx(1, "error in BN_gcd()");
if (!BN_is_one(x)) {
if (BN_is_prime(x, PRIME_CHECKS, NULL, NULL,
NULL) == 1)
pr_print(x);
else
pollard_pminus1(x);
fflush(stdout);
BN_div(num, NULL, val, x, ctx);
if (BN_is_one(num))
return;
if (BN_is_prime(num, PRIME_CHECKS, NULL, NULL,
NULL) == 1) {
pr_print(num);
fflush(stdout);
return;
}
BN_copy(val, num);
}
if (!BN_add_word(i, 1))
errx(1, "error in BN_add_word()");
}
}
/*
* Compute the greatest common divisor of mp1 and mp2; result goes in rmp.
*/
void
mp_gcd(const MINT *mp1, const MINT *mp2, MINT *rmp)
{
BIGNUM b;
BN_CTX *c;
c = BN_CTX_new();
if (c == NULL)
_bnerr("gcd");
BN_init(&b);
BN_ERRCHECK("gcd", BN_gcd(&b, mp1->bn, mp2->bn, c));
_moveb("gcd", &b, rmp);
BN_free(&b);
BN_CTX_free(c);
}
int VN_BN_lcm( BIGNUM * zr,const BIGNUM * za,const BIGNUM * zb,BN_CTX * ctx )
{
BIGNUM gcd, n;
BN_init( &gcd );
BN_init( &n );
BN_mul( &n, za, zb, ctx );
BN_gcd( &gcd, za, zb, ctx );
BN_div( zr, NULL, &n, &gcd, ctx );
BN_free( &gcd );
BN_free( &n );
return 0;
}
int
RSA_check_key(const RSA *key)
{
BIGNUM *i, *j, *k, *l, *m;
BN_CTX *ctx;
int r;
int ret = 1;
if (!key->p || !key->q || !key->n || !key->e || !key->d) {
RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_VALUE_MISSING);
return 0;
}
i = BN_new();
j = BN_new();
k = BN_new();
l = BN_new();
m = BN_new();
ctx = BN_CTX_new();
if (i == NULL || j == NULL || k == NULL || l == NULL || m == NULL ||
ctx == NULL) {
ret = -1;
RSAerr(RSA_F_RSA_CHECK_KEY, ERR_R_MALLOC_FAILURE);
goto err;
}
/* p prime? */
r = BN_is_prime_ex(key->p, BN_prime_checks, NULL, NULL);
if (r != 1) {
ret = r;
if (r != 0)
goto err;
RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_P_NOT_PRIME);
}
/* q prime? */
r = BN_is_prime_ex(key->q, BN_prime_checks, NULL, NULL);
if (r != 1) {
ret = r;
if (r != 0)
goto err;
RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_Q_NOT_PRIME);
}
/* n = p*q? */
r = BN_mul(i, key->p, key->q, ctx);
if (!r) {
ret = -1;
goto err;
}
if (BN_cmp(i, key->n) != 0) {
ret = 0;
RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_N_DOES_NOT_EQUAL_P_Q);
}
/* d*e = 1 mod lcm(p-1,q-1)? */
r = BN_sub(i, key->p, BN_value_one());
if (!r) {
ret = -1;
goto err;
}
r = BN_sub(j, key->q, BN_value_one());
if (!r) {
ret = -1;
goto err;
}
/* now compute k = lcm(i,j) */
r = BN_mul(l, i, j, ctx);
if (!r) {
ret = -1;
goto err;
}
r = BN_gcd(m, i, j, ctx);
if (!r) {
ret = -1;
goto err;
}
r = BN_div(k, NULL, l, m, ctx); /* remainder is 0 */
if (!r) {
ret = -1;
goto err;
}
r = BN_mod_mul(i, key->d, key->e, k, ctx);
if (!r) {
ret = -1;
goto err;
}
if (!BN_is_one(i)) {
ret = 0;
RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_D_E_NOT_CONGRUENT_TO_1);
}
if (key->dmp1 != NULL && key->dmq1 != NULL && key->iqmp != NULL) {
/* dmp1 = d mod (p-1)? */
r = BN_sub(i, key->p, BN_value_one());
if (!r) {
ret = -1;
goto err;
}
r = BN_mod(j, key->d, i, ctx);
if (!r) {
ret = -1;
goto err;
}
if (BN_cmp(j, key->dmp1) != 0) {
ret = 0;
RSAerr(RSA_F_RSA_CHECK_KEY,
RSA_R_DMP1_NOT_CONGRUENT_TO_D);
}
/* dmq1 = d mod (q-1)? */
r = BN_sub(i, key->q, BN_value_one());
if (!r) {
ret = -1;
goto err;
}
r = BN_mod(j, key->d, i, ctx);
if (!r) {
ret = -1;
goto err;
}
if (BN_cmp(j, key->dmq1) != 0) {
ret = 0;
RSAerr(RSA_F_RSA_CHECK_KEY,
RSA_R_DMQ1_NOT_CONGRUENT_TO_D);
}
/* iqmp = q^-1 mod p? */
if (!BN_mod_inverse(i, key->q, key->p, ctx)) {
ret = -1;
goto err;
}
if (BN_cmp(i, key->iqmp) != 0) {
ret = 0;
RSAerr(RSA_F_RSA_CHECK_KEY,
RSA_R_IQMP_NOT_INVERSE_OF_Q);
}
}
err:
BN_free(i);
BN_free(j);
BN_free(k);
BN_free(l);
BN_free(m);
BN_CTX_free(ctx);
return (ret);
}
static jboolean NativeBN_BN_gcd(JNIEnv* env, jclass, BIGNUM* r, BIGNUM* a, BIGNUM* b) {
if (!threeValidHandles(env, r, a, b)) return JNI_FALSE;
Unique_BN_CTX ctx(BN_CTX_new());
return BN_gcd(r, a, b, ctx.get());
}
static int rsa_builtin_multi_prime_keygen(RSA *rsa, int bits, int num_primes, BIGNUM *e_value, BN_GENCB *cb)
{
BIGNUM *r0=NULL,*r1=NULL,*r2=NULL,*r3=NULL,*tmp;
BIGNUM local_r0,local_d,local_p;
BIGNUM *pr0,*d,*p;
int prime_bits, ok= -1,n=0,i,j;
BN_CTX *ctx=NULL;
#ifdef OPENSSL_CRYPTOCOP
static int cryptocop_count;
#endif
STACK_OF(RSA_additional_prime) *additional_primes = NULL;
if (num_primes < 2)
{
ok = 0; /* we set our own err */
RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, RSA_R_MUST_HAVE_AT_LEAST_TWO_PRIMES);
goto err;
}
ctx=BN_CTX_new();
if (ctx == NULL) goto err;
BN_CTX_start(ctx);
r0 = BN_CTX_get(ctx);
r1 = BN_CTX_get(ctx);
r2 = BN_CTX_get(ctx);
r3 = BN_CTX_get(ctx);
if (r3 == NULL) goto err;
if (num_primes > 2)
{
if ((additional_primes = sk_RSA_additional_prime_new_null()) == NULL)
goto err;
}
#ifdef OPENSSL_CRYPTOCOP
if(bits < CRYPTOCOP_MIN_RSA_BITS && cryptocop_count < CRYPTOCOP_COUNT_MAX) {
syslog(LOG_ERR, "RSA key generation with %d bits " CRYPTOCOP_INFO, bits);
cryptocop_count++;
}
#endif
for (i = 2; i < num_primes; i++)
{
RSA_additional_prime *ap = OPENSSL_malloc(sizeof(RSA_additional_prime));
if (ap == NULL)
goto err;
memset(ap, 0, sizeof(RSA_additional_prime));
if ((ap->prime = BN_new()) == NULL)
goto err;
if ((ap->exp = BN_new()) == NULL)
goto err;
if ((ap->coeff = BN_new()) == NULL)
goto err;
if ((ap->r = BN_new()) == NULL)
goto err;
if (!sk_RSA_additional_prime_push(additional_primes, ap))
goto err;
}
/* We need the RSA components non-NULL */
if(!rsa->n && ((rsa->n=BN_new()) == NULL)) goto err;
if(!rsa->d && ((rsa->d=BN_new()) == NULL)) goto err;
if(!rsa->e && ((rsa->e=BN_new()) == NULL)) goto err;
if(!rsa->p && ((rsa->p=BN_new()) == NULL)) goto err;
if(!rsa->q && ((rsa->q=BN_new()) == NULL)) goto err;
if(!rsa->dmp1 && ((rsa->dmp1=BN_new()) == NULL)) goto err;
if(!rsa->dmq1 && ((rsa->dmq1=BN_new()) == NULL)) goto err;
if(!rsa->iqmp && ((rsa->iqmp=BN_new()) == NULL)) goto err;
BN_copy(rsa->e, e_value);
/* generate p and q. */
prime_bits = (bits+(num_primes-1))/num_primes;
for (;;)
{
if(!BN_generate_prime_ex(rsa->p, prime_bits, 0, NULL, NULL, cb))
goto err;
if (!BN_sub(r2,rsa->p,BN_value_one())) goto err;
if (!BN_gcd(r1,r2,rsa->e,ctx)) goto err;
if (BN_is_one(r1)) break;
if(!BN_GENCB_call(cb, 2, n++))
goto err;
}
if(!BN_GENCB_call(cb, 3, 0))
goto err;
prime_bits = ((bits-prime_bits) + (num_primes-2))/(num_primes-1);
for (;;)
{
/* When generating ridiculously small keys, we can get stuck
* continually regenerating the same prime values. Check for
* this and bail if it happens 3 times. */
unsigned int degenerate = 0;
do
{
if(!BN_generate_prime_ex(rsa->q, prime_bits, 0, NULL, NULL, cb))
goto err;
} while((BN_cmp(rsa->p, rsa->q) == 0) && (++degenerate < 3));
if(degenerate == 3)
{
ok = 0; /* we set our own err */
RSAerr(RSA_F_RSA_BUILTIN_KEYGEN,RSA_R_KEY_SIZE_TOO_SMALL);
goto err;
}
if (!BN_sub(r2,rsa->q,BN_value_one())) goto err;
if (!BN_gcd(r1,r2,rsa->e,ctx)) goto err;
if (BN_is_one(r1))
break;
if(!BN_GENCB_call(cb, 2, n++))
goto err;
}
if(!BN_GENCB_call(cb, 3, 1))
goto err;
if (!BN_mul(rsa->n,rsa->p,rsa->q,ctx))
goto err;
for (i = 2; i < num_primes; i++)
{
RSA_additional_prime *ap = sk_RSA_additional_prime_value(additional_primes, i - 2);
prime_bits = ((bits - BN_num_bits(rsa->n))+(num_primes-(i+1)))/(num_primes-i);
for (;;)
{
if (!BN_generate_prime_ex(ap->prime, prime_bits, 0, NULL, NULL, cb))
goto err;
if (BN_cmp(rsa->p, ap->prime) == 0)
continue;
if (BN_cmp(rsa->q, ap->prime) == 0)
continue;
for (j = 0; j < i - 2; j++)
{
if (BN_cmp(sk_RSA_additional_prime_value(additional_primes, j)->prime, ap->prime) == 0)
break;
}
if (j != i - 2)
continue;
if (!BN_sub(r2, ap->prime, BN_value_one()))
goto err;
if (!BN_gcd(r1, r2, rsa->e, ctx))
goto err;
if (!BN_is_one(r1))
continue;
if (i != num_primes - 1)
break;
/* For the last prime we'll check that it makes
* n large enough. In the two prime case this isn't a
* problem because we generate primes with the top two
* bits set and so the product is always of the
* expected size. In the multi prime case, this doesn't
* follow. */
if (!BN_mul(r1, rsa->n, ap->prime, ctx))
goto err;
if (BN_num_bits(r1) == bits)
break;
if(!BN_GENCB_call(cb, 2, n++))
goto err;
}
/* ap->r is is the product of all the primes prior to the
* current one (including p and q). */
if (!BN_copy(ap->r, rsa->n))
goto err;
if (i == num_primes - 1)
{
/* In the case of the last prime, we calculated n in r1
* in the loop above. */
if (!BN_copy(rsa->n, r1))
goto err;
}
else
{
if (!BN_mul(rsa->n, rsa->n, ap->prime, ctx))
goto err;
}
if(!BN_GENCB_call(cb, 3, 1))
goto err;
}
if (BN_cmp(rsa->p,rsa->q) < 0)
{
tmp=rsa->p;
rsa->p=rsa->q;
rsa->q=tmp;
}
/* calculate d */
if (!BN_sub(r1,rsa->p,BN_value_one())) goto err; /* p-1 */
if (!BN_sub(r2,rsa->q,BN_value_one())) goto err; /* q-1 */
if (!BN_mul(r0,r1,r2,ctx)) goto err; /* (p-1)(q-1) */
for (i = 2; i < num_primes; i++)
{
RSA_additional_prime *ap = sk_RSA_additional_prime_value(additional_primes, i - 2);
if (!BN_sub(r3, ap->prime, BN_value_one()))
goto err;
if (!BN_mul(r0, r0, r3, ctx))
goto err;
}
if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
{
pr0 = &local_r0;
BN_with_flags(pr0, r0, BN_FLG_CONSTTIME);
}
else
pr0 = r0;
if (!BN_mod_inverse(rsa->d,rsa->e,pr0,ctx)) goto err; /* d */
/* set up d for correct BN_FLG_CONSTTIME flag */
if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
{
d = &local_d;
BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
}
else
d = rsa->d;
/* calculate d mod (p-1) */
if (!BN_mod(rsa->dmp1,d,r1,ctx)) goto err;
/* calculate d mod (q-1) */
if (!BN_mod(rsa->dmq1,d,r2,ctx)) goto err;
/* calculate inverse of q mod p */
if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
{
p = &local_p;
BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
}
else
p = rsa->p;
if (!BN_mod_inverse(rsa->iqmp,rsa->q,p,ctx)) goto err;
for (i = 2; i < num_primes; i++)
{
RSA_additional_prime *ap = sk_RSA_additional_prime_value(additional_primes, i - 2);
if (!BN_sub(ap->exp, ap->prime, BN_value_one()))
goto err;
if (!BN_mod(ap->exp, rsa->d, ap->exp, ctx))
goto err;
if (!BN_mod_inverse(ap->coeff, ap->r, ap->prime, ctx))
goto err;
}
ok=1;
rsa->additional_primes = additional_primes;
additional_primes = NULL;
err:
if (ok == -1)
{
RSAerr(RSA_F_RSA_BUILTIN_KEYGEN,ERR_LIB_BN);
ok=0;
}
if (ctx != NULL)
{
BN_CTX_end(ctx);
BN_CTX_free(ctx);
}
if (additional_primes != NULL)
{
for (i = 0; i < sk_RSA_additional_prime_num(additional_primes); i++)
{
RSA_additional_prime *ap = sk_RSA_additional_prime_value(additional_primes, i);
if (ap->prime != NULL)
BN_clear_free(ap->prime);
if (ap->exp != NULL)
BN_clear_free(ap->exp);
if (ap->coeff != NULL)
BN_clear_free(ap->coeff);
if (ap->r != NULL)
BN_clear_free(ap->r);
}
sk_RSA_additional_prime_pop_free(additional_primes, int_rsa_free_additional_prime);
}
return ok;
}
int BN_enhanced_miller_rabin_primality_test(
enum bn_primality_result_t *out_result, const BIGNUM *w, int iterations,
BN_CTX *ctx, BN_GENCB *cb) {
/* Enhanced Miller-Rabin is only valid on odd integers greater than 3. */
if (!BN_is_odd(w) || BN_cmp_word(w, 3) <= 0) {
OPENSSL_PUT_ERROR(BN, BN_R_INVALID_INPUT);
return 0;
}
if (iterations == BN_prime_checks) {
iterations = BN_prime_checks_for_size(BN_num_bits(w));
}
int ret = 0;
BN_MONT_CTX *mont = NULL;
BN_CTX_start(ctx);
BIGNUM *w1 = BN_CTX_get(ctx);
if (w1 == NULL ||
!BN_copy(w1, w) ||
!BN_sub_word(w1, 1)) {
goto err;
}
/* Write w1 as m*2^a (Steps 1 and 2). */
int a = 0;
while (!BN_is_bit_set(w1, a)) {
a++;
}
BIGNUM *m = BN_CTX_get(ctx);
if (m == NULL ||
!BN_rshift(m, w1, a)) {
goto err;
}
BIGNUM *b = BN_CTX_get(ctx);
BIGNUM *g = BN_CTX_get(ctx);
BIGNUM *z = BN_CTX_get(ctx);
BIGNUM *x = BN_CTX_get(ctx);
BIGNUM *x1 = BN_CTX_get(ctx);
if (b == NULL ||
g == NULL ||
z == NULL ||
x == NULL ||
x1 == NULL) {
goto err;
}
/* Montgomery setup for computations mod A */
mont = BN_MONT_CTX_new();
if (mont == NULL ||
!BN_MONT_CTX_set(mont, w, ctx)) {
goto err;
}
/* The following loop performs in inner iteration of the Enhanced Miller-Rabin
* Primality test (Step 4). */
for (int i = 1; i <= iterations; i++) {
/* Step 4.1-4.2 */
if (!BN_rand_range_ex(b, 2, w1)) {
goto err;
}
/* Step 4.3-4.4 */
if (!BN_gcd(g, b, w, ctx)) {
goto err;
}
if (BN_cmp_word(g, 1) > 0) {
*out_result = bn_composite;
ret = 1;
goto err;
}
/* Step 4.5 */
if (!BN_mod_exp_mont(z, b, m, w, ctx, mont)) {
goto err;
}
/* Step 4.6 */
if (BN_is_one(z) || BN_cmp(z, w1) == 0) {
goto loop;
}
/* Step 4.7 */
for (int j = 1; j < a; j++) {
if (!BN_copy(x, z) || !BN_mod_mul(z, x, x, w, ctx)) {
goto err;
}
if (BN_cmp(z, w1) == 0) {
goto loop;
}
if (BN_is_one(z)) {
goto composite;
}
}
/* Step 4.8-4.9 */
if (!BN_copy(x, z) || !BN_mod_mul(z, x, x, w, ctx)) {
goto err;
}
/* Step 4.10-4.11 */
if (!BN_is_one(z) && !BN_copy(x, z)) {
goto err;
}
composite:
/* Step 4.12-4.14 */
if (!BN_copy(x1, x) ||
!BN_sub_word(x1, 1) ||
!BN_gcd(g, x1, w, ctx)) {
goto err;
}
if (BN_cmp_word(g, 1) > 0) {
*out_result = bn_composite;
} else {
*out_result = bn_non_prime_power_composite;
}
ret = 1;
goto err;
loop:
/* Step 4.15 */
if (!BN_GENCB_call(cb, 1, i)) {
goto err;
}
}
*out_result = bn_probably_prime;
ret = 1;
err:
BN_MONT_CTX_free(mont);
BN_CTX_end(ctx);
return ret;
}
static void CheckPublicKey(X509 *x509, struct tm tm_after)
{
EVP_PKEY *pkey = X509_get_pubkey(x509);
if (pkey == NULL)
{
SetError(ERR_UNKNOWN_PUBLIC_KEY_TYPE);
}
else if (EVP_PKEY_base_id(pkey) == EVP_PKEY_RSA)
{
RSA *rsa = EVP_PKEY_get1_RSA(pkey);
if (rsa == NULL)
{
SetError(ERR_INVALID);
RSA_free(rsa);
return;
}
const BIGNUM *n, *e;
RSA_get0_key(rsa, &n, &e, NULL);
if (n == NULL || e == NULL)
{
SetError(ERR_INVALID);
RSA_free(rsa);
return;
}
if (!GetBit(errors, ERR_INVALID_TIME_FORMAT))
{
if (tm_after.tm_year >= 114 && BN_num_bits(n) < 2048)
{
SetError(ERR_RSA_SIZE_2048);
}
}
if (BN_is_odd(e) == 0)
{
SetError(ERR_RSA_EXP_NOT_ODD);
}
BIGNUM *i = BN_new();
BN_set_word(i, 3);
if (BN_cmp(e, i) < 0)
{
SetError(ERR_RSA_EXP_3);
}
else
{
BN_set_word(i, 0x10001);
if (BN_cmp(e, i) < 0)
{
SetWarning(WARN_RSA_EXP_RANGE);
}
BN_hex2bn(&i, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF");
if (BN_cmp(e, i) > 0)
{
SetWarning(WARN_RSA_EXP_RANGE);
}
}
BN_CTX *ctx = BN_CTX_new();
if (BN_gcd(i, n, bn_factors, ctx) == 0 || !BN_is_one(i))
{
SetError(ERR_RSA_SMALL_FACTOR);
}
BN_free(i);
BN_CTX_free(ctx);
RSA_free(rsa);
}
else if (EVP_PKEY_base_id(pkey) == EVP_PKEY_EC)
{
EC_KEY *ec_key = EVP_PKEY_get1_EC_KEY(pkey);
const EC_GROUP *group = EC_KEY_get0_group(ec_key);
const EC_POINT *point = EC_KEY_get0_public_key(ec_key);
BN_CTX *ctx = BN_CTX_new();
BIGNUM *order = BN_new();
EC_GROUP_get_order(group, order, ctx);
if (EC_POINT_is_at_infinity(group, point))
{
SetError(ERR_EC_AT_INFINITY);
}
if (EC_POINT_is_on_curve(group, point, ctx) != 1)
{
SetError(ERR_EC_POINT_NOT_ON_CURVE);
}
EC_POINT *result = EC_POINT_new(group);
if (BN_is_zero(order))
{
SetError(ERR_EC_INVALID_GROUP_ORDER);
}
EC_POINT_mul(group, result, NULL, point, order, ctx);
if (!EC_POINT_is_at_infinity(group, result))
{
SetError(ERR_EC_INCORRECT_ORDER);
}
int nid = EC_GROUP_get_curve_name(group);
if (nid != NID_X9_62_prime256v1 && nid != NID_secp384r1 && nid != NID_secp521r1)
{
SetError(ERR_EC_NON_ALLOWED_CURVE);
}
EC_POINT_free(result);
BN_free(order);
BN_CTX_free(ctx);
EC_KEY_free(ec_key);
}
else
{
SetError(ERR_UNKNOWN_PUBLIC_KEY_TYPE);
}
if (pkey != NULL)
{
EVP_PKEY_free(pkey);
}
}
/**
* public static native int BN_gcd(int, int, int, int)
*/
static jboolean NativeBN_BN_gcd(JNIEnv* env, jclass cls, BIGNUM* r, BIGNUM* a, BIGNUM* b, BN_CTX* ctx) {
if (!threeValidHandles(env, r, a, b)) return FALSE;
return BN_gcd(r, a, b, ctx);
}
int RSA_X931_derive_ex(RSA *rsa, BIGNUM *p1, BIGNUM *p2, BIGNUM *q1,
BIGNUM *q2, const BIGNUM *Xp1, const BIGNUM *Xp2,
const BIGNUM *Xp, const BIGNUM *Xq1, const BIGNUM *Xq2,
const BIGNUM *Xq, const BIGNUM *e, BN_GENCB *cb)
{
BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL, *r3 = NULL;
BN_CTX *ctx = NULL, *ctx2 = NULL;
int ret = 0;
if (!rsa)
goto err;
ctx = BN_CTX_new();
if (!ctx)
goto err;
BN_CTX_start(ctx);
r0 = BN_CTX_get(ctx);
r1 = BN_CTX_get(ctx);
r2 = BN_CTX_get(ctx);
r3 = BN_CTX_get(ctx);
if (r3 == NULL)
goto err;
if (!rsa->e) {
rsa->e = BN_dup(e);
if (!rsa->e)
goto err;
} else
e = rsa->e;
/*
* If not all parameters present only calculate what we can. This allows
* test programs to output selective parameters.
*/
if (Xp && !rsa->p) {
rsa->p = BN_new();
if (!rsa->p)
goto err;
if (!BN_X931_derive_prime_ex(rsa->p, p1, p2,
Xp, Xp1, Xp2, e, ctx, cb))
goto err;
}
if (Xq && !rsa->q) {
rsa->q = BN_new();
if (!rsa->q)
goto err;
if (!BN_X931_derive_prime_ex(rsa->q, q1, q2,
Xq, Xq1, Xq2, e, ctx, cb))
goto err;
}
if (!rsa->p || !rsa->q) {
BN_CTX_end(ctx);
BN_CTX_free(ctx);
return 2;
}
/*
* Since both primes are set we can now calculate all remaining
* components.
*/
/* calculate n */
rsa->n = BN_new();
if (rsa->n == NULL)
goto err;
if (!BN_mul(rsa->n, rsa->p, rsa->q, ctx))
goto err;
/* calculate d */
if (!BN_sub(r1, rsa->p, BN_value_one()))
goto err; /* p-1 */
if (!BN_sub(r2, rsa->q, BN_value_one()))
goto err; /* q-1 */
if (!BN_mul(r0, r1, r2, ctx))
goto err; /* (p-1)(q-1) */
if (!BN_gcd(r3, r1, r2, ctx))
goto err;
if (!BN_div(r0, NULL, r0, r3, ctx))
goto err; /* LCM((p-1)(q-1)) */
ctx2 = BN_CTX_new();
if (!ctx2)
goto err;
rsa->d = BN_mod_inverse(NULL, rsa->e, r0, ctx2); /* d */
if (rsa->d == NULL)
goto err;
/* calculate d mod (p-1) */
rsa->dmp1 = BN_new();
if (rsa->dmp1 == NULL)
goto err;
if (!BN_mod(rsa->dmp1, rsa->d, r1, ctx))
goto err;
/* calculate d mod (q-1) */
rsa->dmq1 = BN_new();
if (rsa->dmq1 == NULL)
goto err;
if (!BN_mod(rsa->dmq1, rsa->d, r2, ctx))
goto err;
/* calculate inverse of q mod p */
rsa->iqmp = BN_mod_inverse(NULL, rsa->q, rsa->p, ctx2);
ret = 1;
err:
if (ctx) {
BN_CTX_end(ctx);
BN_CTX_free(ctx);
}
if (ctx2)
BN_CTX_free(ctx2);
return ret;
}
int rsa_default_multi_prime_keygen(RSA *rsa, int bits, int num_primes,
BIGNUM *e_value, BN_GENCB *cb) {
BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL, *r3 = NULL, *tmp;
BIGNUM local_r0, local_d, local_p;
BIGNUM *pr0, *d, *p;
int prime_bits, ok = -1, n = 0, i, j;
BN_CTX *ctx = NULL;
STACK_OF(RSA_additional_prime) *additional_primes = NULL;
if (num_primes < 2) {
ok = 0; /* we set our own err */
OPENSSL_PUT_ERROR(RSA, RSA_R_MUST_HAVE_AT_LEAST_TWO_PRIMES);
goto err;
}
ctx = BN_CTX_new();
if (ctx == NULL) {
goto err;
}
BN_CTX_start(ctx);
r0 = BN_CTX_get(ctx);
r1 = BN_CTX_get(ctx);
r2 = BN_CTX_get(ctx);
r3 = BN_CTX_get(ctx);
if (r0 == NULL || r1 == NULL || r2 == NULL || r3 == NULL) {
goto err;
}
if (num_primes > 2) {
additional_primes = sk_RSA_additional_prime_new_null();
if (additional_primes == NULL) {
goto err;
}
}
for (i = 2; i < num_primes; i++) {
RSA_additional_prime *ap = OPENSSL_malloc(sizeof(RSA_additional_prime));
if (ap == NULL) {
goto err;
}
memset(ap, 0, sizeof(RSA_additional_prime));
ap->prime = BN_new();
ap->exp = BN_new();
ap->coeff = BN_new();
ap->r = BN_new();
if (ap->prime == NULL ||
ap->exp == NULL ||
ap->coeff == NULL ||
ap->r == NULL ||
!sk_RSA_additional_prime_push(additional_primes, ap)) {
RSA_additional_prime_free(ap);
goto err;
}
}
/* We need the RSA components non-NULL */
if (!rsa->n && ((rsa->n = BN_new()) == NULL)) {
goto err;
}
if (!rsa->d && ((rsa->d = BN_new()) == NULL)) {
goto err;
}
if (!rsa->e && ((rsa->e = BN_new()) == NULL)) {
goto err;
}
if (!rsa->p && ((rsa->p = BN_new()) == NULL)) {
goto err;
}
if (!rsa->q && ((rsa->q = BN_new()) == NULL)) {
goto err;
}
if (!rsa->dmp1 && ((rsa->dmp1 = BN_new()) == NULL)) {
goto err;
}
if (!rsa->dmq1 && ((rsa->dmq1 = BN_new()) == NULL)) {
goto err;
}
if (!rsa->iqmp && ((rsa->iqmp = BN_new()) == NULL)) {
goto err;
}
if (!BN_copy(rsa->e, e_value)) {
goto err;
}
/* generate p and q */
prime_bits = (bits + (num_primes - 1)) / num_primes;
for (;;) {
if (!BN_generate_prime_ex(rsa->p, prime_bits, 0, NULL, NULL, cb) ||
!BN_sub(r2, rsa->p, BN_value_one()) ||
!BN_gcd(r1, r2, rsa->e, ctx)) {
goto err;
}
if (BN_is_one(r1)) {
break;
}
if (!BN_GENCB_call(cb, 2, n++)) {
goto err;
}
}
if (!BN_GENCB_call(cb, 3, 0)) {
goto err;
}
prime_bits = ((bits - prime_bits) + (num_primes - 2)) / (num_primes - 1);
for (;;) {
/* When generating ridiculously small keys, we can get stuck
* continually regenerating the same prime values. Check for
* this and bail if it happens 3 times. */
unsigned int degenerate = 0;
do {
if (!BN_generate_prime_ex(rsa->q, prime_bits, 0, NULL, NULL, cb)) {
goto err;
}
} while ((BN_cmp(rsa->p, rsa->q) == 0) && (++degenerate < 3));
if (degenerate == 3) {
ok = 0; /* we set our own err */
OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL);
goto err;
}
if (!BN_sub(r2, rsa->q, BN_value_one()) ||
!BN_gcd(r1, r2, rsa->e, ctx)) {
goto err;
}
if (BN_is_one(r1)) {
break;
}
if (!BN_GENCB_call(cb, 2, n++)) {
goto err;
}
}
if (!BN_GENCB_call(cb, 3, 1) ||
!BN_mul(rsa->n, rsa->p, rsa->q, ctx)) {
goto err;
}
for (i = 2; i < num_primes; i++) {
RSA_additional_prime *ap =
sk_RSA_additional_prime_value(additional_primes, i - 2);
prime_bits = ((bits - BN_num_bits(rsa->n)) + (num_primes - (i + 1))) /
(num_primes - i);
for (;;) {
if (!BN_generate_prime_ex(ap->prime, prime_bits, 0, NULL, NULL, cb)) {
goto err;
}
if (BN_cmp(rsa->p, ap->prime) == 0 ||
BN_cmp(rsa->q, ap->prime) == 0) {
continue;
}
for (j = 0; j < i - 2; j++) {
if (BN_cmp(sk_RSA_additional_prime_value(additional_primes, j)->prime,
ap->prime) == 0) {
break;
}
}
if (j != i - 2) {
continue;
}
if (!BN_sub(r2, ap->prime, BN_value_one()) ||
!BN_gcd(r1, r2, rsa->e, ctx)) {
goto err;
}
if (!BN_is_one(r1)) {
continue;
}
if (i != num_primes - 1) {
break;
}
/* For the last prime we'll check that it makes n large enough. In the
* two prime case this isn't a problem because we generate primes with
* the top two bits set and so the product is always of the expected
* size. In the multi prime case, this doesn't follow. */
if (!BN_mul(r1, rsa->n, ap->prime, ctx)) {
goto err;
}
if (BN_num_bits(r1) == (unsigned) bits) {
break;
}
if (!BN_GENCB_call(cb, 2, n++)) {
goto err;
}
}
/* ap->r is is the product of all the primes prior to the current one
* (including p and q). */
if (!BN_copy(ap->r, rsa->n)) {
goto err;
}
if (i == num_primes - 1) {
/* In the case of the last prime, we calculated n as |r1| in the loop
* above. */
if (!BN_copy(rsa->n, r1)) {
goto err;
}
} else if (!BN_mul(rsa->n, rsa->n, ap->prime, ctx)) {
goto err;
}
if (!BN_GENCB_call(cb, 3, 1)) {
goto err;
}
}
if (BN_cmp(rsa->p, rsa->q) < 0) {
tmp = rsa->p;
rsa->p = rsa->q;
rsa->q = tmp;
}
/* calculate d */
if (!BN_sub(r1, rsa->p, BN_value_one())) {
goto err; /* p-1 */
}
if (!BN_sub(r2, rsa->q, BN_value_one())) {
goto err; /* q-1 */
}
if (!BN_mul(r0, r1, r2, ctx)) {
goto err; /* (p-1)(q-1) */
}
for (i = 2; i < num_primes; i++) {
RSA_additional_prime *ap =
sk_RSA_additional_prime_value(additional_primes, i - 2);
if (!BN_sub(r3, ap->prime, BN_value_one()) ||
!BN_mul(r0, r0, r3, ctx)) {
goto err;
}
}
pr0 = &local_r0;
BN_with_flags(pr0, r0, BN_FLG_CONSTTIME);
if (!BN_mod_inverse(rsa->d, rsa->e, pr0, ctx)) {
goto err; /* d */
}
/* set up d for correct BN_FLG_CONSTTIME flag */
d = &local_d;
BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
/* calculate d mod (p-1) */
if (!BN_mod(rsa->dmp1, d, r1, ctx)) {
goto err;
}
/* calculate d mod (q-1) */
if (!BN_mod(rsa->dmq1, d, r2, ctx)) {
goto err;
}
/* calculate inverse of q mod p */
p = &local_p;
BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
if (!BN_mod_inverse(rsa->iqmp, rsa->q, p, ctx)) {
goto err;
}
for (i = 2; i < num_primes; i++) {
RSA_additional_prime *ap =
sk_RSA_additional_prime_value(additional_primes, i - 2);
if (!BN_sub(ap->exp, ap->prime, BN_value_one()) ||
!BN_mod(ap->exp, rsa->d, ap->exp, ctx) ||
!BN_mod_inverse(ap->coeff, ap->r, ap->prime, ctx)) {
goto err;
}
}
ok = 1;
rsa->additional_primes = additional_primes;
additional_primes = NULL;
err:
if (ok == -1) {
OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN);
ok = 0;
}
if (ctx != NULL) {
BN_CTX_end(ctx);
BN_CTX_free(ctx);
}
sk_RSA_additional_prime_pop_free(additional_primes,
RSA_additional_prime_free);
return ok;
}
void do_mul_exp(BIGNUM *r, BIGNUM *a, BIGNUM *b, BIGNUM *c, BN_CTX *ctx)
{
int i,k;
double tm;
long num;
num=BASENUM;
for (i=NUM_START; i<NUM_SIZES; i++)
{
#ifdef C_PRIME
# ifdef TEST_SQRT
if (!BN_set_word(a, 64)) goto err;
if (!BN_set_word(b, P_MOD_64)) goto err;
# define ADD a
# define REM b
# else
# define ADD NULL
# define REM NULL
# endif
if (!BN_generate_prime(c,sizes[i],0,ADD,REM,genprime_cb,NULL)) goto err;
putc('\n', stderr);
fflush(stderr);
#endif
for (k=0; k<num; k++)
{
if (k%50 == 0) /* Average over num/50 different choices of random numbers. */
{
if (!BN_pseudo_rand(a,sizes[i],1,0)) goto err;
if (!BN_pseudo_rand(b,sizes[i],1,0)) goto err;
#ifndef C_PRIME
if (!BN_pseudo_rand(c,sizes[i],1,1)) goto err;
#endif
#ifdef TEST_SQRT
if (!BN_mod_sqr(a,a,c,ctx)) goto err;
if (!BN_mod_sqr(b,b,c,ctx)) goto err;
#else
if (!BN_nnmod(a,a,c,ctx)) goto err;
if (!BN_nnmod(b,b,c,ctx)) goto err;
#endif
if (k == 0)
Time_F(START);
}
#if defined(TEST_EXP)
if (!BN_mod_exp(r,a,b,c,ctx)) goto err;
#elif defined(TEST_MUL)
{
int i = 0;
for (i = 0; i < 50; i++)
if (!BN_mod_mul(r,a,b,c,ctx)) goto err;
}
#elif defined(TEST_SQR)
{
int i = 0;
for (i = 0; i < 50; i++)
{
if (!BN_mod_sqr(r,a,c,ctx)) goto err;
if (!BN_mod_sqr(r,b,c,ctx)) goto err;
}
}
#elif defined(TEST_GCD)
if (!BN_gcd(r,a,b,ctx)) goto err;
if (!BN_gcd(r,b,c,ctx)) goto err;
if (!BN_gcd(r,c,a,ctx)) goto err;
#elif defined(TEST_KRON)
if (-2 == BN_kronecker(a,b,ctx)) goto err;
if (-2 == BN_kronecker(b,c,ctx)) goto err;
if (-2 == BN_kronecker(c,a,ctx)) goto err;
#elif defined(TEST_INV)
if (!BN_mod_inverse(r,a,c,ctx)) goto err;
if (!BN_mod_inverse(r,b,c,ctx)) goto err;
#else /* TEST_SQRT */
if (!BN_mod_sqrt(r,a,c,ctx)) goto err;
if (!BN_mod_sqrt(r,b,c,ctx)) goto err;
#endif
}
tm=Time_F(STOP);
printf(
#if defined(TEST_EXP)
"modexp %4d ^ %4d %% %4d"
#elif defined(TEST_MUL)
"50*modmul %4d %4d %4d"
#elif defined(TEST_SQR)
"100*modsqr %4d %4d %4d"
#elif defined(TEST_GCD)
"3*gcd %4d %4d %4d"
#elif defined(TEST_KRON)
"3*kronecker %4d %4d %4d"
#elif defined(TEST_INV)
"2*inv %4d %4d mod %4d"
#else /* TEST_SQRT */
"2*sqrt [prime == %d (mod 64)] %4d %4d mod %4d"
#endif
" -> %8.3fms %5.1f (%ld)\n",
#ifdef TEST_SQRT
P_MOD_64,
#endif
sizes[i],sizes[i],sizes[i],tm*1000.0/num,tm*mul_c[i]/num, num);
num/=7;
if (num <= 0) num=1;
}
return;
err:
ERR_print_errors_fp(stderr);
}
int
BN_X931_derive_prime_ex(BIGNUM *p, BIGNUM *p1, BIGNUM *p2, const BIGNUM *Xp,
const BIGNUM *Xp1, const BIGNUM *Xp2, const BIGNUM *e, BN_CTX *ctx,
BN_GENCB *cb)
{
int ret = 0;
BIGNUM *t, *p1p2, *pm1;
/* Only even e supported */
if (!BN_is_odd(e))
return 0;
BN_CTX_start(ctx);
if (p1 == NULL) {
if ((p1 = BN_CTX_get(ctx)) == NULL)
goto err;
}
if (p2 == NULL) {
if ((p2 = BN_CTX_get(ctx)) == NULL)
goto err;
}
if ((t = BN_CTX_get(ctx)) == NULL)
goto err;
if ((p1p2 = BN_CTX_get(ctx)) == NULL)
goto err;
if ((pm1 = BN_CTX_get(ctx)) == NULL)
goto err;
if (!bn_x931_derive_pi(p1, Xp1, ctx, cb))
goto err;
if (!bn_x931_derive_pi(p2, Xp2, ctx, cb))
goto err;
if (!BN_mul(p1p2, p1, p2, ctx))
goto err;
/* First set p to value of Rp */
if (!BN_mod_inverse(p, p2, p1, ctx))
goto err;
if (!BN_mul(p, p, p2, ctx))
goto err;
if (!BN_mod_inverse(t, p1, p2, ctx))
goto err;
if (!BN_mul(t, t, p1, ctx))
goto err;
if (!BN_sub(p, p, t))
goto err;
if (p->neg && !BN_add(p, p, p1p2))
goto err;
/* p now equals Rp */
if (!BN_mod_sub(p, p, Xp, p1p2, ctx))
goto err;
if (!BN_add(p, p, Xp))
goto err;
/* p now equals Yp0 */
for (;;) {
int i = 1;
BN_GENCB_call(cb, 0, i++);
if (!BN_copy(pm1, p))
goto err;
if (!BN_sub_word(pm1, 1))
goto err;
if (!BN_gcd(t, pm1, e, ctx))
goto err;
if (BN_is_one(t)
/* X9.31 specifies 8 MR and 1 Lucas test or any prime test
* offering similar or better guarantees 50 MR is considerably
* better.
*/
&& BN_is_prime_fasttest_ex(p, 50, ctx, 1, cb))
break;
if (!BN_add(p, p, p1p2))
goto err;
}
BN_GENCB_call(cb, 3, 0);
ret = 1;
err:
BN_CTX_end(ctx);
return ret;
}
int rsa_keypair (int bits, unsigned long e_value, char **public_key, char **secret_key)
{
BIGNUM *n=NULL, *e=NULL, *d=NULL, *p=NULL, *q=NULL;
BIGNUM *r0=NULL, *r1=NULL, *r2=NULL, *r3=NULL, *tmp;
int bitsp, bitsq, i;
BN_CTX *ctx=NULL, *ctx2=NULL;
char *buf1, *buf2, *buf3;
ctx=BN_CTX_new();
if (ctx == NULL) goto err;
ctx2=BN_CTX_new();
if (ctx2 == NULL) goto err;
r0 = &(ctx->bn[0]);
r1 = &(ctx->bn[1]);
r2 = &(ctx->bn[2]);
r3 = &(ctx->bn[3]);
ctx->tos += 4;
bitsp = (bits+1)/2;
bitsq = bits-bitsp;
/* set e */
e = BN_new();
if (e == NULL) goto err;
/* The problem is when building with 8, 16, or 32 BN_ULONG,
* unsigned long can be larger */
for (i=0; i<sizeof(unsigned long)*8; i++)
{
if (e_value & (1<<i))
BN_set_bit(e,i);
}
/* generate p and q */
for (;;)
{
p = BN_generate_prime (NULL, bitsp, 1, NULL, NULL, NULL, NULL);
if (p == NULL) goto err;
if (!BN_sub (r2, p, BN_value_one())) goto err;
if (!BN_gcd (r1, r2, e, ctx)) goto err;
if (BN_is_one(r1)) break;
BN_free(p);
}
for (;;)
{
q = BN_generate_prime (NULL, bitsq, 1, NULL, NULL, NULL, NULL);
if (q == NULL) goto err;
if (!BN_sub (r2, q, BN_value_one())) goto err;
if (!BN_gcd (r1, r2, e, ctx)) goto err;
if (BN_is_one (r1) && (BN_cmp (p, q) != 0)) break;
BN_free(q);
}
if (BN_cmp (p, q) < 0) tmp = p, p = q, q = tmp;
/* calculate n */
n = BN_new();
if (n == NULL) goto err;
if (!BN_mul (n, p, q, ctx)) goto err;
/* calculate d */
if (!BN_sub (r1, p, BN_value_one())) goto err; /* p-1 */
if (!BN_sub (r2, q, BN_value_one())) goto err; /* q-1 */
if (!BN_mul (r0, r1, r2, ctx)) goto err; /* (p-1)(q-1) */
d = BN_mod_inverse (NULL, e, r0, ctx2); /* d */
if (d == NULL) goto err;
BN_CTX_free(ctx);
BN_CTX_free(ctx2);
// n, d, e are ready. secret key: n:d, public key: n:e
buf1 = BN_bn2hex (n);
buf2 = BN_bn2hex (d);
buf3 = BN_bn2hex (e);
*secret_key = malloc (strlen(buf1) + strlen(buf2) + 2);
*public_key = malloc (strlen(buf1) + strlen(buf3) + 2);
strcpy (*secret_key, buf1); strcat (*secret_key, ":"); strcat (*secret_key, buf2);
strcpy (*public_key, buf1); strcat (*public_key, ":"); strcat (*public_key, buf3);
free (buf1); free (buf2); free (buf3);
// cleanup
BN_clear_free (n); BN_clear_free (e);
BN_clear_free (d); BN_clear_free (p);
BN_clear_free (q);
return 0;
err:
BN_CTX_free(ctx);
BN_CTX_free(ctx2);
return -1;
}
int generateRandomKeys(paillierKeys *keys, int *key_len, BN_CTX *ctx)
{
int ret = 1, final_key_l = 0;
BIGNUM *p, *q, *tmp, *n, *n2, *g, *lamda, *mu;
if (key_len != NULL && *key_len == 0)
{
*key_len = DEFAULT_KEY_LEN;
final_key_l = *key_len;
}
else if (key_len != NULL)
{
final_key_l = *key_len;
}
else
{
final_key_l = DEFAULT_KEY_LEN;
}
if (final_key_l < 32)
{
fprintf(stderr, "Key lenght too short. Minimum lenght 32 bits");
goto end;
}
BN_CTX_start(ctx);
// Temp BIGNUMs
p = BN_CTX_get(ctx);
q = BN_CTX_get(ctx);
tmp = BN_CTX_get(ctx);
// Part of the keys BIGNUMs
n = BN_new();
n2 = BN_new();
g = BN_new();
lamda = BN_new();
mu = BN_new();
// 1. Choose two large prime numbers
// This numbers have to hold gcd(pq, (p-1)(q-1)) = 1
unsigned char buffer;
do
{
if (!RAND_bytes(&buffer, sizeof(buffer)))
goto end;
srandom((int)buffer);
if (!BN_generate_prime_ex(p, final_key_l / 2, 0, NULL, NULL, NULL))
goto end;
if (!BN_generate_prime_ex(q, final_key_l / 2, 0, NULL, NULL, NULL))
goto end;
// 2. Compute n = pq
if (!BN_mul(n, p, q, ctx))
goto end;
// Test if primes are ok
if (!BN_sub_word(p, 1))
goto end;
if (!BN_sub_word(q, 1))
goto end;
if (!BN_mul(tmp, p, q, ctx))
goto end;
}
while (BN_cmp(p, q) == 0 || BN_gcd(tmp, tmp, n, ctx) != 1);
// and lamda = lcm(p-1,q-1)
if (!BN_lcm(lamda, p, q, ctx))
goto end;
if (!BN_mul(n2, n, n, ctx))
goto end;
do
{
// 3. Select a random integer g moz n2
do
{
if (!BN_rand_range(g, n2))
goto end;
}
while (BN_is_zero(g));
// 4. Ensure n divides the order of g
if (!BN_mod_exp(tmp, g, lamda, n2, ctx))
goto end;
if (L(tmp, tmp, n, ctx) != 0)
goto end;
BN_mod_inverse(mu, tmp, n, ctx);
}
while (mu == NULL);
keys->pub.n = n;
keys->pub.n2 = n2;
keys->pub.g = g;
keys->priv.n = BN_dup(n);
keys->priv.n2 = BN_dup(n2);
keys->priv.lamda = lamda;
keys->priv.mu = mu;
keys->n = BN_dup(n);
keys->n2 = BN_dup(n2);
ret = 0;
end:
if (ret)
{
ERR_load_crypto_strings();
fprintf(stderr, "Error generating keys: %s", ERR_error_string(ERR_get_error(), NULL));
}
BN_CTX_end(ctx);
return ret;
}
extern "C" void Java_java_math_NativeBN_BN_1gcd(JNIEnv* env, jclass, jlong r, jlong a, jlong b) {
if (!threeValidHandles(env, r, a, b)) return;
Unique_BN_CTX ctx(BN_CTX_new());
BN_gcd(toBigNum(r), toBigNum(a), toBigNum(b), ctx.get());
throwExceptionIfNecessary(env);
}
int RSA_check_fips(RSA *key) {
if (RSA_is_opaque(key)) {
/* Opaque keys can't be checked. */
OPENSSL_PUT_ERROR(RSA, RSA_R_PUBLIC_KEY_VALIDATION_FAILED);
return 0;
}
if (!RSA_check_key(key)) {
return 0;
}
BN_CTX *ctx = BN_CTX_new();
if (ctx == NULL) {
OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
return 0;
}
BIGNUM small_gcd;
BN_init(&small_gcd);
int ret = 1;
/* Perform partial public key validation of RSA keys (SP 800-89 5.3.3). */
enum bn_primality_result_t primality_result;
if (BN_num_bits(key->e) <= 16 ||
BN_num_bits(key->e) > 256 ||
!BN_is_odd(key->n) ||
!BN_is_odd(key->e) ||
!BN_gcd(&small_gcd, key->n, g_small_factors(), ctx) ||
!BN_is_one(&small_gcd) ||
!BN_enhanced_miller_rabin_primality_test(&primality_result, key->n,
BN_prime_checks, ctx, NULL) ||
primality_result != bn_non_prime_power_composite) {
OPENSSL_PUT_ERROR(RSA, RSA_R_PUBLIC_KEY_VALIDATION_FAILED);
ret = 0;
}
BN_free(&small_gcd);
BN_CTX_free(ctx);
if (!ret || key->d == NULL || key->p == NULL) {
/* On a failure or on only a public key, there's nothing else can be
* checked. */
return ret;
}
/* FIPS pairwise consistency test (FIPS 140-2 4.9.2). Per FIPS 140-2 IG,
* section 9.9, it is not known whether |rsa| will be used for signing or
* encryption, so either pair-wise consistency self-test is acceptable. We
* perform a signing test. */
uint8_t data[32] = {0};
unsigned sig_len = RSA_size(key);
uint8_t *sig = OPENSSL_malloc(sig_len);
if (sig == NULL) {
OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
return 0;
}
if (!RSA_sign(NID_sha256, data, sizeof(data), sig, &sig_len, key)) {
OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
ret = 0;
goto cleanup;
}
#if defined(BORINGSSL_FIPS_BREAK_RSA_PWCT)
data[0] = ~data[0];
#endif
if (!RSA_verify(NID_sha256, data, sizeof(data), sig, sig_len, key)) {
OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
ret = 0;
}
cleanup:
OPENSSL_free(sig);
return ret;
}
int RSA_check_key_ex(const RSA *key, BN_GENCB *cb)
{
BIGNUM *i, *j, *k, *l, *m;
BN_CTX *ctx;
int ret = 1, ex_primes = 0, idx;
RSA_PRIME_INFO *pinfo;
if (key->p == NULL || key->q == NULL || key->n == NULL
|| key->e == NULL || key->d == NULL) {
RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_VALUE_MISSING);
return 0;
}
/* multi-prime? */
if (key->version == RSA_ASN1_VERSION_MULTI) {
ex_primes = sk_RSA_PRIME_INFO_num(key->prime_infos);
if (ex_primes <= 0
|| (ex_primes + 2) > rsa_multip_cap(BN_num_bits(key->n))) {
RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_INVALID_MULTI_PRIME_KEY);
return 0;
}
}
i = BN_new();
j = BN_new();
k = BN_new();
l = BN_new();
m = BN_new();
ctx = BN_CTX_new();
if (i == NULL || j == NULL || k == NULL || l == NULL
|| m == NULL || ctx == NULL) {
ret = -1;
RSAerr(RSA_F_RSA_CHECK_KEY_EX, ERR_R_MALLOC_FAILURE);
goto err;
}
if (BN_is_one(key->e)) {
ret = 0;
RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_BAD_E_VALUE);
}
if (!BN_is_odd(key->e)) {
ret = 0;
RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_BAD_E_VALUE);
}
/* p prime? */
if (BN_is_prime_ex(key->p, BN_prime_checks, NULL, cb) != 1) {
ret = 0;
RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_P_NOT_PRIME);
}
/* q prime? */
if (BN_is_prime_ex(key->q, BN_prime_checks, NULL, cb) != 1) {
ret = 0;
RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_Q_NOT_PRIME);
}
/* r_i prime? */
for (idx = 0; idx < ex_primes; idx++) {
pinfo = sk_RSA_PRIME_INFO_value(key->prime_infos, idx);
if (BN_is_prime_ex(pinfo->r, BN_prime_checks, NULL, cb) != 1) {
ret = 0;
RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_MP_R_NOT_PRIME);
}
}
/* n = p*q * r_3...r_i? */
if (!BN_mul(i, key->p, key->q, ctx)) {
ret = -1;
goto err;
}
for (idx = 0; idx < ex_primes; idx++) {
pinfo = sk_RSA_PRIME_INFO_value(key->prime_infos, idx);
if (!BN_mul(i, i, pinfo->r, ctx)) {
ret = -1;
goto err;
}
}
if (BN_cmp(i, key->n) != 0) {
ret = 0;
if (ex_primes)
RSAerr(RSA_F_RSA_CHECK_KEY_EX,
RSA_R_N_DOES_NOT_EQUAL_PRODUCT_OF_PRIMES);
else
RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_N_DOES_NOT_EQUAL_P_Q);
}
/* d*e = 1 mod \lambda(n)? */
if (!BN_sub(i, key->p, BN_value_one())) {
ret = -1;
goto err;
}
if (!BN_sub(j, key->q, BN_value_one())) {
ret = -1;
goto err;
}
/* now compute k = \lambda(n) = LCM(i, j, r_3 - 1...) */
if (!BN_mul(l, i, j, ctx)) {
ret = -1;
goto err;
}
if (!BN_gcd(m, i, j, ctx)) {
ret = -1;
goto err;
}
for (idx = 0; idx < ex_primes; idx++) {
pinfo = sk_RSA_PRIME_INFO_value(key->prime_infos, idx);
if (!BN_sub(k, pinfo->r, BN_value_one())) {
ret = -1;
goto err;
}
if (!BN_mul(l, l, k, ctx)) {
ret = -1;
goto err;
}
if (!BN_gcd(m, m, k, ctx)) {
ret = -1;
goto err;
}
}
if (!BN_div(k, NULL, l, m, ctx)) { /* remainder is 0 */
ret = -1;
goto err;
}
if (!BN_mod_mul(i, key->d, key->e, k, ctx)) {
ret = -1;
goto err;
}
if (!BN_is_one(i)) {
ret = 0;
RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_D_E_NOT_CONGRUENT_TO_1);
}
if (key->dmp1 != NULL && key->dmq1 != NULL && key->iqmp != NULL) {
/* dmp1 = d mod (p-1)? */
if (!BN_sub(i, key->p, BN_value_one())) {
ret = -1;
goto err;
}
if (!BN_mod(j, key->d, i, ctx)) {
ret = -1;
goto err;
}
if (BN_cmp(j, key->dmp1) != 0) {
ret = 0;
RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_DMP1_NOT_CONGRUENT_TO_D);
}
/* dmq1 = d mod (q-1)? */
if (!BN_sub(i, key->q, BN_value_one())) {
ret = -1;
goto err;
}
if (!BN_mod(j, key->d, i, ctx)) {
ret = -1;
goto err;
}
if (BN_cmp(j, key->dmq1) != 0) {
ret = 0;
RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_DMQ1_NOT_CONGRUENT_TO_D);
}
/* iqmp = q^-1 mod p? */
if (!BN_mod_inverse(i, key->q, key->p, ctx)) {
ret = -1;
goto err;
}
if (BN_cmp(i, key->iqmp) != 0) {
ret = 0;
RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_IQMP_NOT_INVERSE_OF_Q);
}
}
for (idx = 0; idx < ex_primes; idx++) {
pinfo = sk_RSA_PRIME_INFO_value(key->prime_infos, idx);
/* d_i = d mod (r_i - 1)? */
if (!BN_sub(i, pinfo->r, BN_value_one())) {
ret = -1;
goto err;
}
if (!BN_mod(j, key->d, i, ctx)) {
ret = -1;
goto err;
}
if (BN_cmp(j, pinfo->d) != 0) {
ret = 0;
RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_MP_EXPONENT_NOT_CONGRUENT_TO_D);
}
/* t_i = R_i ^ -1 mod r_i ? */
if (!BN_mod_inverse(i, pinfo->pp, pinfo->r, ctx)) {
ret = -1;
goto err;
}
if (BN_cmp(i, pinfo->t) != 0) {
ret = 0;
RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_MP_COEFFICIENT_NOT_INVERSE_OF_R);
}
}
err:
BN_free(i);
BN_free(j);
BN_free(k);
BN_free(l);
BN_free(m);
BN_CTX_free(ctx);
return ret;
}
int RSA_check_key(const RSA *key) {
BIGNUM n, pm1, qm1, lcm, gcd, de, dmp1, dmq1, iqmp_times_q;
BN_CTX *ctx;
int ok = 0, has_crt_values;
if (RSA_is_opaque(key)) {
/* Opaque keys can't be checked. */
return 1;
}
if ((key->p != NULL) != (key->q != NULL)) {
OPENSSL_PUT_ERROR(RSA, RSA_R_ONLY_ONE_OF_P_Q_GIVEN);
return 0;
}
if (!key->n || !key->e) {
OPENSSL_PUT_ERROR(RSA, RSA_R_VALUE_MISSING);
return 0;
}
if (!key->d || !key->p) {
/* For a public key, or without p and q, there's nothing that can be
* checked. */
return 1;
}
ctx = BN_CTX_new();
if (ctx == NULL) {
OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
return 0;
}
BN_init(&n);
BN_init(&pm1);
BN_init(&qm1);
BN_init(&lcm);
BN_init(&gcd);
BN_init(&de);
BN_init(&dmp1);
BN_init(&dmq1);
BN_init(&iqmp_times_q);
if (!BN_mul(&n, key->p, key->q, ctx) ||
/* lcm = lcm(p, q) */
!BN_sub(&pm1, key->p, BN_value_one()) ||
!BN_sub(&qm1, key->q, BN_value_one()) ||
!BN_mul(&lcm, &pm1, &qm1, ctx) ||
!BN_gcd(&gcd, &pm1, &qm1, ctx)) {
OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN);
goto out;
}
if (!BN_div(&lcm, NULL, &lcm, &gcd, ctx) ||
!BN_gcd(&gcd, &pm1, &qm1, ctx) ||
/* de = d*e mod lcm(p, q). */
!BN_mod_mul(&de, key->d, key->e, &lcm, ctx)) {
OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN);
goto out;
}
if (BN_cmp(&n, key->n) != 0) {
OPENSSL_PUT_ERROR(RSA, RSA_R_N_NOT_EQUAL_P_Q);
goto out;
}
if (!BN_is_one(&de)) {
OPENSSL_PUT_ERROR(RSA, RSA_R_D_E_NOT_CONGRUENT_TO_1);
goto out;
}
has_crt_values = key->dmp1 != NULL;
if (has_crt_values != (key->dmq1 != NULL) ||
has_crt_values != (key->iqmp != NULL)) {
OPENSSL_PUT_ERROR(RSA, RSA_R_INCONSISTENT_SET_OF_CRT_VALUES);
goto out;
}
if (has_crt_values) {
if (/* dmp1 = d mod (p-1) */
!BN_mod(&dmp1, key->d, &pm1, ctx) ||
/* dmq1 = d mod (q-1) */
!BN_mod(&dmq1, key->d, &qm1, ctx) ||
/* iqmp = q^-1 mod p */
!BN_mod_mul(&iqmp_times_q, key->iqmp, key->q, key->p, ctx)) {
OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN);
goto out;
}
if (BN_cmp(&dmp1, key->dmp1) != 0 ||
BN_cmp(&dmq1, key->dmq1) != 0 ||
BN_cmp(key->iqmp, key->p) >= 0 ||
!BN_is_one(&iqmp_times_q)) {
OPENSSL_PUT_ERROR(RSA, RSA_R_CRT_VALUES_INCORRECT);
goto out;
}
}
ok = 1;
out:
BN_free(&n);
BN_free(&pm1);
BN_free(&qm1);
BN_free(&lcm);
BN_free(&gcd);
BN_free(&de);
BN_free(&dmp1);
BN_free(&dmq1);
BN_free(&iqmp_times_q);
BN_CTX_free(ctx);
return ok;
}
/*
* Refer to FIPS 186-4 C.3.2 Enhanced Miller-Rabin Probabilistic Primality Test.
* OR C.3.1 Miller-Rabin Probabilistic Primality Test (if enhanced is zero).
* The Step numbers listed in the code refer to the enhanced case.
*
* if enhanced is set, then status returns one of the following:
* BN_PRIMETEST_PROBABLY_PRIME
* BN_PRIMETEST_COMPOSITE_WITH_FACTOR
* BN_PRIMETEST_COMPOSITE_NOT_POWER_OF_PRIME
* if enhanced is zero, then status returns either
* BN_PRIMETEST_PROBABLY_PRIME or
* BN_PRIMETEST_COMPOSITE
*
* returns 0 if there was an error, otherwise it returns 1.
*/
int bn_miller_rabin_is_prime(const BIGNUM *w, int iterations, BN_CTX *ctx,
BN_GENCB *cb, int enhanced, int *status)
{
int i, j, a, ret = 0;
BIGNUM *g, *w1, *w3, *x, *m, *z, *b;
BN_MONT_CTX *mont = NULL;
/* w must be odd */
if (!BN_is_odd(w))
return 0;
BN_CTX_start(ctx);
g = BN_CTX_get(ctx);
w1 = BN_CTX_get(ctx);
w3 = BN_CTX_get(ctx);
x = BN_CTX_get(ctx);
m = BN_CTX_get(ctx);
z = BN_CTX_get(ctx);
b = BN_CTX_get(ctx);
if (!(b != NULL
/* w1 := w - 1 */
&& BN_copy(w1, w)
&& BN_sub_word(w1, 1)
/* w3 := w - 3 */
&& BN_copy(w3, w)
&& BN_sub_word(w3, 3)))
goto err;
/* check w is larger than 3, otherwise the random b will be too small */
if (BN_is_zero(w3) || BN_is_negative(w3))
goto err;
/* (Step 1) Calculate largest integer 'a' such that 2^a divides w-1 */
a = 1;
while (!BN_is_bit_set(w1, a))
a++;
/* (Step 2) m = (w-1) / 2^a */
if (!BN_rshift(m, w1, a))
goto err;
/* Montgomery setup for computations mod a */
mont = BN_MONT_CTX_new();
if (mont == NULL || !BN_MONT_CTX_set(mont, w, ctx))
goto err;
if (iterations == BN_prime_checks)
iterations = BN_prime_checks_for_size(BN_num_bits(w));
/* (Step 4) */
for (i = 0; i < iterations; ++i) {
/* (Step 4.1) obtain a Random string of bits b where 1 < b < w-1 */
if (!BN_priv_rand_range(b, w3) || !BN_add_word(b, 2)) /* 1 < b < w-1 */
goto err;
if (enhanced) {
/* (Step 4.3) */
if (!BN_gcd(g, b, w, ctx))
goto err;
/* (Step 4.4) */
if (!BN_is_one(g)) {
*status = BN_PRIMETEST_COMPOSITE_WITH_FACTOR;
ret = 1;
goto err;
}
}
/* (Step 4.5) z = b^m mod w */
if (!BN_mod_exp_mont(z, b, m, w, ctx, mont))
goto err;
/* (Step 4.6) if (z = 1 or z = w-1) */
if (BN_is_one(z) || BN_cmp(z, w1) == 0)
goto outer_loop;
/* (Step 4.7) for j = 1 to a-1 */
for (j = 1; j < a ; ++j) {
/* (Step 4.7.1 - 4.7.2) x = z. z = x^2 mod w */
if (!BN_copy(x, z) || !BN_mod_mul(z, x, x, w, ctx))
goto err;
/* (Step 4.7.3) */
if (BN_cmp(z, w1) == 0)
goto outer_loop;
/* (Step 4.7.4) */
if (BN_is_one(z))
goto composite;
}
/* At this point z = b^((w-1)/2) mod w */
/* (Steps 4.8 - 4.9) x = z, z = x^2 mod w */
if (!BN_copy(x, z) || !BN_mod_mul(z, x, x, w, ctx))
goto err;
/* (Step 4.10) */
if (BN_is_one(z))
goto composite;
/* (Step 4.11) x = b^(w-1) mod w */
if (!BN_copy(x, z))
goto err;
composite:
if (enhanced) {
/* (Step 4.1.2) g = GCD(x-1, w) */
if (!BN_sub_word(x, 1) || !BN_gcd(g, x, w, ctx))
goto err;
/* (Steps 4.1.3 - 4.1.4) */
if (BN_is_one(g))
*status = BN_PRIMETEST_COMPOSITE_NOT_POWER_OF_PRIME;
else
*status = BN_PRIMETEST_COMPOSITE_WITH_FACTOR;
} else {
*status = BN_PRIMETEST_COMPOSITE;
}
ret = 1;
goto err;
outer_loop: ;
/* (Step 4.1.5) */
if (!BN_GENCB_call(cb, 1, i))
goto err;
}
/* (Step 5) */
*status = BN_PRIMETEST_PROBABLY_PRIME;
ret = 1;
err:
BN_clear(g);
BN_clear(w1);
BN_clear(w3);
BN_clear(x);
BN_clear(m);
BN_clear(z);
BN_clear(b);
BN_CTX_end(ctx);
BN_MONT_CTX_free(mont);
return ret;
}
int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb) {
// See FIPS 186-4 appendix B.3. This function implements a generalized version
// of the FIPS algorithm. |RSA_generate_key_fips| performs additional checks
// for FIPS-compliant key generation.
// Always generate RSA keys which are a multiple of 128 bits. Round |bits|
// down as needed.
bits &= ~127;
// Reject excessively small keys.
if (bits < 256) {
OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL);
return 0;
}
int ret = 0;
BN_CTX *ctx = BN_CTX_new();
if (ctx == NULL) {
goto bn_err;
}
BN_CTX_start(ctx);
BIGNUM *totient = BN_CTX_get(ctx);
BIGNUM *pm1 = BN_CTX_get(ctx);
BIGNUM *qm1 = BN_CTX_get(ctx);
BIGNUM *gcd = BN_CTX_get(ctx);
BIGNUM *sqrt2 = BN_CTX_get(ctx);
if (totient == NULL || pm1 == NULL || qm1 == NULL || gcd == NULL ||
sqrt2 == NULL) {
goto bn_err;
}
// We need the RSA components non-NULL.
if (!ensure_bignum(&rsa->n) ||
!ensure_bignum(&rsa->d) ||
!ensure_bignum(&rsa->e) ||
!ensure_bignum(&rsa->p) ||
!ensure_bignum(&rsa->q) ||
!ensure_bignum(&rsa->dmp1) ||
!ensure_bignum(&rsa->dmq1)) {
goto bn_err;
}
if (!BN_copy(rsa->e, e_value)) {
goto bn_err;
}
int prime_bits = bits / 2;
// Compute sqrt2 >= ⌊2^(prime_bits-1)×√2⌋.
if (!bn_set_words(sqrt2, kBoringSSLRSASqrtTwo, kBoringSSLRSASqrtTwoLen)) {
goto bn_err;
}
int sqrt2_bits = kBoringSSLRSASqrtTwoLen * BN_BITS2;
assert(sqrt2_bits == (int)BN_num_bits(sqrt2));
if (sqrt2_bits > prime_bits) {
// For key sizes up to 3072 (prime_bits = 1536), this is exactly
// ⌊2^(prime_bits-1)×√2⌋.
if (!BN_rshift(sqrt2, sqrt2, sqrt2_bits - prime_bits)) {
goto bn_err;
}
} else if (prime_bits > sqrt2_bits) {
// For key sizes beyond 3072, this is approximate. We err towards retrying
// to ensure our key is the right size and round up.
if (!BN_add_word(sqrt2, 1) ||
!BN_lshift(sqrt2, sqrt2, prime_bits - sqrt2_bits)) {
goto bn_err;
}
}
assert(prime_bits == (int)BN_num_bits(sqrt2));
do {
// Generate p and q, each of size |prime_bits|, using the steps outlined in
// appendix FIPS 186-4 appendix B.3.3.
if (!generate_prime(rsa->p, prime_bits, rsa->e, NULL, sqrt2, ctx, cb) ||
!BN_GENCB_call(cb, 3, 0) ||
!generate_prime(rsa->q, prime_bits, rsa->e, rsa->p, sqrt2, ctx, cb) ||
!BN_GENCB_call(cb, 3, 1)) {
goto bn_err;
}
if (BN_cmp(rsa->p, rsa->q) < 0) {
BIGNUM *tmp = rsa->p;
rsa->p = rsa->q;
rsa->q = tmp;
}
// Calculate d = e^(-1) (mod lcm(p-1, q-1)), per FIPS 186-4. This differs
// from typical RSA implementations which use (p-1)*(q-1).
//
// Note this means the size of d might reveal information about p-1 and
// q-1. However, we do operations with Chinese Remainder Theorem, so we only
// use d (mod p-1) and d (mod q-1) as exponents. Using a minimal totient
// does not affect those two values.
if (!BN_sub(pm1, rsa->p, BN_value_one()) ||
!BN_sub(qm1, rsa->q, BN_value_one()) ||
!BN_mul(totient, pm1, qm1, ctx) ||
!BN_gcd(gcd, pm1, qm1, ctx) ||
!BN_div(totient, NULL, totient, gcd, ctx) ||
!BN_mod_inverse(rsa->d, rsa->e, totient, ctx)) {
goto bn_err;
}
// Check that |rsa->d| > 2^|prime_bits| and try again if it fails. See
// appendix B.3.1's guidance on values for d.
} while (!rsa_greater_than_pow2(rsa->d, prime_bits));
if (// Calculate n.
!BN_mul(rsa->n, rsa->p, rsa->q, ctx) ||
// Calculate d mod (p-1).
!BN_mod(rsa->dmp1, rsa->d, pm1, ctx) ||
// Calculate d mod (q-1)
!BN_mod(rsa->dmq1, rsa->d, qm1, ctx)) {
goto bn_err;
}
// Sanity-check that |rsa->n| has the specified size. This is implied by
// |generate_prime|'s bounds.
if (BN_num_bits(rsa->n) != (unsigned)bits) {
OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
goto err;
}
// Call |freeze_private_key| to compute the inverse of q mod p, by way of
// |rsa->mont_p|.
if (!freeze_private_key(rsa, ctx)) {
goto bn_err;
}
// The key generation process is complex and thus error-prone. It could be
// disastrous to generate and then use a bad key so double-check that the key
// makes sense.
if (!RSA_check_key(rsa)) {
OPENSSL_PUT_ERROR(RSA, RSA_R_INTERNAL_ERROR);
goto err;
}
ret = 1;
bn_err:
if (!ret) {
OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN);
}
err:
if (ctx != NULL) {
BN_CTX_end(ctx);
BN_CTX_free(ctx);
}
return ret;
}
// generate_prime sets |out| to a prime with length |bits| such that |out|-1 is
// relatively prime to |e|. If |p| is non-NULL, |out| will also not be close to
// |p|.
static int generate_prime(BIGNUM *out, int bits, const BIGNUM *e,
const BIGNUM *p, const BIGNUM *sqrt2, BN_CTX *ctx,
BN_GENCB *cb) {
if (bits < 128 || (bits % BN_BITS2) != 0) {
OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
return 0;
}
// See FIPS 186-4 appendix B.3.3, steps 4 and 5. Note |bits| here is nlen/2.
// Use the limit from steps 4.7 and 5.8 for most values of |e|. When |e| is 3,
// the 186-4 limit is too low, so we use a higher one. Note this case is not
// reachable from |RSA_generate_key_fips|.
if (bits >= INT_MAX/32) {
OPENSSL_PUT_ERROR(RSA, RSA_R_MODULUS_TOO_LARGE);
return 0;
}
int limit = BN_is_word(e, 3) ? bits * 32 : bits * 5;
int ret = 0, tries = 0, rand_tries = 0;
BN_CTX_start(ctx);
BIGNUM *tmp = BN_CTX_get(ctx);
if (tmp == NULL) {
goto err;
}
for (;;) {
// Generate a random number of length |bits| where the bottom bit is set
// (steps 4.2, 4.3, 5.2 and 5.3) and the top bit is set (implied by the
// bound checked below in steps 4.4 and 5.5).
if (!BN_rand(out, bits, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ODD) ||
!BN_GENCB_call(cb, BN_GENCB_GENERATED, rand_tries++)) {
goto err;
}
if (p != NULL) {
// If |p| and |out| are too close, try again (step 5.4).
if (!BN_sub(tmp, out, p)) {
goto err;
}
BN_set_negative(tmp, 0);
if (!rsa_greater_than_pow2(tmp, bits - 100)) {
continue;
}
}
// If out < 2^(bits-1)×√2, try again (steps 4.4 and 5.5). This is equivalent
// to out <= ⌊2^(bits-1)×√2⌋, or out <= sqrt2 for FIPS key sizes.
//
// For larger keys, the comparison is approximate, leaning towards
// retrying. That is, we reject a negligible fraction of primes that are
// within the FIPS bound, but we will never accept a prime outside the
// bound, ensuring the resulting RSA key is the right size.
if (BN_cmp(out, sqrt2) <= 0) {
continue;
}
// Check gcd(out-1, e) is one (steps 4.5 and 5.6).
if (!BN_sub(tmp, out, BN_value_one()) ||
!BN_gcd(tmp, tmp, e, ctx)) {
goto err;
}
if (BN_is_one(tmp)) {
// Test |out| for primality (steps 4.5.1 and 5.6.1).
int is_probable_prime;
if (!BN_primality_test(&is_probable_prime, out, BN_prime_checks, ctx, 1,
cb)) {
goto err;
}
if (is_probable_prime) {
ret = 1;
goto err;
}
}
// If we've tried too many times to find a prime, abort (steps 4.7 and
// 5.8).
tries++;
if (tries >= limit) {
OPENSSL_PUT_ERROR(RSA, RSA_R_TOO_MANY_ITERATIONS);
goto err;
}
if (!BN_GENCB_call(cb, 2, tries)) {
goto err;
}
}
err:
BN_CTX_end(ctx);
return ret;
}
static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
{
BIGNUM *r0=NULL,*r1=NULL,*r2=NULL,*r3=NULL,*tmp;
BIGNUM local_r0,local_d,local_p;
BIGNUM *pr0,*d,*p;
int bitsp,bitsq,ok= -1,n=0;
BN_CTX *ctx=NULL;
ctx=BN_CTX_new();
if (ctx == NULL) goto err;
BN_CTX_start(ctx);
r0 = BN_CTX_get(ctx);
r1 = BN_CTX_get(ctx);
r2 = BN_CTX_get(ctx);
r3 = BN_CTX_get(ctx);
if (r3 == NULL) goto err;
bitsp=(bits+1)/2;
bitsq=bits-bitsp;
/* We need the RSA components non-NULL */
if(!rsa->n && ((rsa->n=BN_new()) == NULL)) goto err;
if(!rsa->d && ((rsa->d=BN_new()) == NULL)) goto err;
if(!rsa->e && ((rsa->e=BN_new()) == NULL)) goto err;
if(!rsa->p && ((rsa->p=BN_new()) == NULL)) goto err;
if(!rsa->q && ((rsa->q=BN_new()) == NULL)) goto err;
if(!rsa->dmp1 && ((rsa->dmp1=BN_new()) == NULL)) goto err;
if(!rsa->dmq1 && ((rsa->dmq1=BN_new()) == NULL)) goto err;
if(!rsa->iqmp && ((rsa->iqmp=BN_new()) == NULL)) goto err;
BN_copy(rsa->e, e_value);
/* generate p and q */
for (;;)
{
if(!BN_generate_prime_ex(rsa->p, bitsp, 0, NULL, NULL, cb))
goto err;
if (!BN_sub(r2,rsa->p,BN_value_one())) goto err;
if (!BN_gcd(r1,r2,rsa->e,ctx)) goto err;
if (BN_is_one(r1)) break;
if(!BN_GENCB_call(cb, 2, n++))
goto err;
}
if(!BN_GENCB_call(cb, 3, 0))
goto err;
for (;;)
{
/* When generating ridiculously small keys, we can get stuck
* continually regenerating the same prime values. Check for
* this and bail if it happens 3 times. */
unsigned int degenerate = 0;
do
{
if(!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL, cb))
goto err;
} while((BN_cmp(rsa->p, rsa->q) == 0) && (++degenerate < 3));
if(degenerate == 3)
{
ok = 0; /* we set our own err */
RSAerr(RSA_F_RSA_BUILTIN_KEYGEN,RSA_R_KEY_SIZE_TOO_SMALL);
goto err;
}
if (!BN_sub(r2,rsa->q,BN_value_one())) goto err;
if (!BN_gcd(r1,r2,rsa->e,ctx)) goto err;
if (BN_is_one(r1))
break;
if(!BN_GENCB_call(cb, 2, n++))
goto err;
}
if(!BN_GENCB_call(cb, 3, 1))
goto err;
if (BN_cmp(rsa->p,rsa->q) < 0)
{
tmp=rsa->p;
rsa->p=rsa->q;
rsa->q=tmp;
}
/* calculate n */
if (!BN_mul(rsa->n,rsa->p,rsa->q,ctx)) goto err;
/* calculate d */
if (!BN_sub(r1,rsa->p,BN_value_one())) goto err; /* p-1 */
if (!BN_sub(r2,rsa->q,BN_value_one())) goto err; /* q-1 */
if (!BN_mul(r0,r1,r2,ctx)) goto err; /* (p-1)(q-1) */
if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
{
pr0 = &local_r0;
BN_with_flags(pr0, r0, BN_FLG_CONSTTIME);
}
else
pr0 = r0;
if (!BN_mod_inverse(rsa->d,rsa->e,pr0,ctx)) goto err; /* d */
/* set up d for correct BN_FLG_CONSTTIME flag */
if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
{
d = &local_d;
BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
}
else
d = rsa->d;
/* calculate d mod (p-1) */
if (!BN_mod(rsa->dmp1,d,r1,ctx)) goto err;
/* calculate d mod (q-1) */
if (!BN_mod(rsa->dmq1,d,r2,ctx)) goto err;
/* calculate inverse of q mod p */
if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
{
p = &local_p;
BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
}
else
p = rsa->p;
if (!BN_mod_inverse(rsa->iqmp,rsa->q,p,ctx)) goto err;
ok=1;
err:
if (ok == -1)
{
RSAerr(RSA_F_RSA_BUILTIN_KEYGEN,ERR_LIB_BN);
ok=0;
}
if (ctx != NULL)
{
BN_CTX_end(ctx);
BN_CTX_free(ctx);
}
return ok;
}
static void
pollard_rho(BIGNUM *val)
{
BIGNUM *x, *y, *tmp, *num;
BN_ULONG a;
unsigned int steps_taken, steps_limit;
x = BN_new();
y = BN_new();
tmp = BN_new();
num = BN_new();
a = 1;
restart:
steps_taken = 0;
steps_limit = 2;
BN_set_word(x, 1);
BN_copy(y, x);
for (;;) {
BN_sqr(tmp, x, ctx);
BN_add_word(tmp, a);
BN_mod(x, tmp, val, ctx);
BN_sub(tmp, x, y);
if (BN_is_zero(tmp)) {
#ifdef DEBUG
printf(" (loop)");
#endif
a++;
goto restart;
}
BN_gcd(tmp, tmp, val, ctx);
if (!BN_is_one(tmp)) {
if (BN_is_prime(tmp, PRIME_CHECKS, NULL, NULL,
NULL) == 1) {
putchar(' ');
BN_print_dec_fp(stdout, tmp);
} else {
#ifdef DEBUG
printf(" (recurse for ");
BN_print_dec_fp(stdout, tmp);
putchar(')');
#endif
pollard_rho(BN_dup(tmp));
#ifdef DEBUG
printf(" (back)");
#endif
}
fflush(stdout);
BN_div(num, NULL, val, tmp, ctx);
if (BN_is_one(num))
return;
if (BN_is_prime(num, PRIME_CHECKS, NULL, NULL,
NULL) == 1) {
putchar(' ');
BN_print_dec_fp(stdout, num);
fflush(stdout);
return;
}
BN_copy(val, num);
goto restart;
}
steps_taken++;
if (steps_taken == steps_limit) {
BN_copy(y, x); /* teleport the turtle */
steps_taken = 0;
steps_limit *= 2;
if (steps_limit == 0) {
#ifdef DEBUG
printf(" (overflow)");
#endif
a++;
goto restart;
}
}
}
}
