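/*
 * Generate an RSA key pair with a |bits|-bit modulus and public exponent
 * |e_value| (legacy interface: failures are reported only by a NULL return).
 *
 * |callback|, when non-NULL, receives the BN_generate_prime() progress codes
 * plus (2, k) for each prime rejected because gcd(prime-1, e) != 1 and
 * (3, 0) / (3, 1) once p and then q are accepted.
 *
 * Returns a newly allocated RSA with n, e, d, p, q, dmp1, dmq1 and iqmp set,
 * ordered so that p > q; the caller frees it with RSA_free(). Returns NULL on
 * allocation or BN arithmetic failure, releasing everything built so far.
 *
 * NOTE(review): the private-value arithmetic here (BN_mod_inverse, BN_mod)
 * is not flagged BN_FLG_CONSTTIME; whether that matters depends on the BN
 * implementation in use — confirm before relying on this path.
 */
RSA *RSA_generate_key(int bits, unsigned long e_value,
                      void (*callback)(int, int, void *), void *cb_arg)
{
    RSA *rsa = NULL;
    BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL, *tmp;
    int bitsp, bitsq, ok = -1, n = 0;
    unsigned int i;
    BN_CTX *ctx = NULL, *ctx2 = NULL;

    ctx = BN_CTX_new();
    if (ctx == NULL)
        goto err;
    /* Open the frame before anything else can fail so that the single
     * BN_CTX_end() in the cleanup path is always balanced. */
    BN_CTX_start(ctx);
    r0 = BN_CTX_get(ctx);
    r1 = BN_CTX_get(ctx);
    r2 = BN_CTX_get(ctx);
    if (r2 == NULL)
        goto err;
    ctx2 = BN_CTX_new();
    if (ctx2 == NULL)
        goto err;

    bitsp = (bits + 1) / 2;
    bitsq = bits - bitsp;

    rsa = RSA_new();
    if (rsa == NULL)
        goto err;

    /* set e bit by bit: with an 8, 16 or 32 bit BN_ULONG an unsigned long
     * may not fit into a single word, so BN_set_word() cannot be used. */
    rsa->e = BN_new();
    if (rsa->e == NULL)
        goto err;
    for (i = 0; i < sizeof(unsigned long) * 8; i++) {
        if (e_value & (1UL << i)) {
            if (!BN_set_bit(rsa->e, (int)i))
                goto err;
        }
    }

    /* generate p: retry until gcd(p-1, e) == 1 so that e is invertible */
    for (;;) {
        rsa->p = BN_generate_prime(NULL, bitsp, 0, NULL, NULL, callback, cb_arg);
        if (rsa->p == NULL)
            goto err;
        if (!BN_sub(r2, rsa->p, BN_value_one()))
            goto err;
        if (!BN_gcd(r1, r2, rsa->e, ctx))
            goto err;
        if (BN_is_one(r1))
            break;
        if (callback != NULL)
            callback(2, n++, cb_arg);
        BN_free(rsa->p);
        rsa->p = NULL;  /* no dangling pointer if the next call fails */
    }
    if (callback != NULL)
        callback(3, 0, cb_arg);

    /* generate q: same condition, and q must differ from p */
    for (;;) {
        rsa->q = BN_generate_prime(NULL, bitsq, 0, NULL, NULL, callback, cb_arg);
        if (rsa->q == NULL)
            goto err;
        if (!BN_sub(r2, rsa->q, BN_value_one()))
            goto err;
        if (!BN_gcd(r1, r2, rsa->e, ctx))
            goto err;
        if (BN_is_one(r1) && (BN_cmp(rsa->p, rsa->q) != 0))
            break;
        if (callback != NULL)
            callback(2, n++, cb_arg);
        BN_free(rsa->q);
        rsa->q = NULL;
    }
    if (callback != NULL)
        callback(3, 1, cb_arg);

    /* keep p > q; iqmp below is q^-1 mod p */
    if (BN_cmp(rsa->p, rsa->q) < 0) {
        tmp = rsa->p;
        rsa->p = rsa->q;
        rsa->q = tmp;
    }

    /* calculate n */
    rsa->n = BN_new();
    if (rsa->n == NULL)
        goto err;
    if (!BN_mul(rsa->n, rsa->p, rsa->q, ctx))
        goto err;

    /* calculate d = e^-1 mod (p-1)(q-1); the gcd checks above guarantee
     * that the inverse exists, so no retry over e is needed here. */
    if (!BN_sub(r1, rsa->p, BN_value_one()))
        goto err;               /* p-1 */
    if (!BN_sub(r2, rsa->q, BN_value_one()))
        goto err;               /* q-1 */
    if (!BN_mul(r0, r1, r2, ctx))
        goto err;               /* (p-1)(q-1) */
    rsa->d = BN_mod_inverse(NULL, rsa->e, r0, ctx2);
    if (rsa->d == NULL)
        goto err;

    /* CRT parameters */
    rsa->dmp1 = BN_new();
    if (rsa->dmp1 == NULL)
        goto err;
    if (!BN_mod(rsa->dmp1, rsa->d, r1, ctx))
        goto err;               /* d mod (p-1) */
    rsa->dmq1 = BN_new();
    if (rsa->dmq1 == NULL)
        goto err;
    if (!BN_mod(rsa->dmq1, rsa->d, r2, ctx))
        goto err;               /* d mod (q-1) */
    rsa->iqmp = BN_mod_inverse(NULL, rsa->q, rsa->p, ctx2);
    if (rsa->iqmp == NULL)
        goto err;               /* q^-1 mod p */

    ok = 1;
err:
    if (ok == -1)
        ok = 0;
    if (ctx != NULL) {
        BN_CTX_end(ctx);
        BN_CTX_free(ctx);
    }
    BN_CTX_free(ctx2);
    if (!ok) {
        if (rsa != NULL)
            RSA_free(rsa);
        return NULL;
    }
    return rsa;
}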
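/*
 * Self-test for the Lucas-sequence factoring step: for n = p*q, evaluating
 * the sequence at an index h that is a multiple of p+1 (first case) or of
 * p-1 (second case) and taking gcd(V - 2, n) must expose a divisor of n.
 *
 * lucas() and BN_value_two() are defined elsewhere in this program; the
 * reading above is inferred from how the test uses them, not from their
 * definitions. Aborts via assert() on any failure; every BIGNUM and the
 * BN_CTX allocated here is released before returning.
 */
void test_lehmer_thm(void)
{
	BIGNUM *v = BN_new(), *v2 = BN_new(), *h = BN_new(), *n = BN_new(),
	       *p = BN_new(), *q = BN_new(), *g = BN_new();
	BN_CTX *ctx = BN_CTX_new();
	BIGNUM *generated;

	assert(v != NULL && v2 != NULL && h != NULL && n != NULL);
	assert(p != NULL && q != NULL && g != NULL && ctx != NULL);

	/* Case 1: fixed p and q, h = p + 1. */
	BN_dec2bn(&v, "2");
	BN_dec2bn(&p,
	          "181857351165158586099319592412492032999818333818932850952491024"
	          "131283899677766672100915923041329384157985577418702469610834914"
	          "6296393743554494871840505599");
	BN_dec2bn(&q,
	          "220481921324130321200060036818685031159071785249502660004347524"
	          "831733577485433929892260897846567483448177204481081755191897197"
	          "38283711758138566145322943999");
	BN_mul(n, p, q, ctx);
	/* p + 1 */
	BN_dec2bn(&h,
	          "181857351165158586099319592412492032999818333818932850952491024"
	          "131283899677766672100915923041329384157985577418702469610834914"
	          "6296393743554494871840505600");
	lucas(v, h, n, ctx);
	BN_sub(v2, v, BN_value_two());
	BN_gcd(g, v2, n, ctx);
	assert(!BN_is_one(g));

	/* Case 2: a different p, a freshly generated 512-bit safe prime q,
	 * h = 2 * (p - 1). The gcd must be a proper factor, not n itself. */
	BN_dec2bn(&v, "3");
	BN_dec2bn(&p,
	          "181857351165158586099319592412492032999818333818932850952491024"
	          "131283899677766672100915923041329384157985577418702469610834914"
	          "62963937435544948718405055999");
	/* Kept out of the assert() so the side effect survives NDEBUG. */
	generated = BN_generate_prime(q, 512, 1, NULL, NULL, NULL, NULL);
	assert(generated != NULL);
	(void)generated;
	BN_mul(n, p, q, ctx);
	BN_sub(h, p, BN_value_one());
	BN_mul(h, h, BN_value_two(), ctx);
	lucas(v, h, n, ctx);
	BN_mod_sub(v2, v, BN_value_two(), n, ctx);
	BN_gcd(g, v2, n, ctx);
	assert(!BN_is_one(g));
	assert(BN_cmp(g, n));

	/* n and g were previously leaked. */
	BN_free(g);
	BN_free(n);
	BN_free(q);
	BN_free(p);
	BN_free(v);
	BN_free(v2);
	BN_free(h);
	BN_CTX_free(ctx);
}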
// LCM for BIGNUMs static int BN_lcm(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) { int ret = 0; BN_CTX_start(ctx); BIGNUM *tmp = BN_CTX_get(ctx); BIGNUM *gcd = BN_CTX_get(ctx); if (!BN_gcd(gcd, a, b, ctx)) goto end; if (!BN_div(tmp, NULL, a, gcd, ctx)) goto end; if (!BN_mul(r, b, tmp, ctx)) goto end; ret = 1; end: if (ret != 1) { ERR_load_crypto_strings(); fprintf(stderr, "Error calculating lcm: %s", ERR_error_string(ERR_get_error(), NULL)); } BN_CTX_end(ctx); return ret; }
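/**
 * \brief Test for a pair of moduli having a prime factor in common.
 *
 * When gcd(n, m) != 1 both moduli are printed on one line of stdout,
 * prefixed with PRIME. Identical moduli count as sharing a factor but
 * produce no output.
 *
 * \return 1 if the moduli are identical or share a factor, 0 if they are
 *         coprime. If the gcd cannot be computed (allocation or BN failure)
 *         a message goes to stderr and 0 is returned, i.e. the pair is not
 *         reported; callers needing a hard failure must treat stderr output
 *         as such.
 */
int test(BIGNUM *n, BIGNUM *m)
{
	BIGNUM *g = NULL;
	BN_CTX *ctx = NULL;
	int ret = 0;

	if (!BN_cmp(n, m))
		return 1;

	g = BN_new();
	ctx = BN_CTX_new();
	if (g == NULL || ctx == NULL) {
		fprintf(stderr, "test: out of memory\n");
		goto out;
	}
	if (!BN_gcd(g, n, m, ctx)) {
		fprintf(stderr, "test: BN_gcd failed\n");
		goto out;
	}
	if (!BN_is_one(g)) {
		fprintf(stdout, "%-8s: ", PRIME);
		BN_print_fp(stdout, n);
		fprintf(stdout, " ");
		BN_print_fp(stdout, m);
		fprintf(stdout, "\n");
		ret = 1;
	}
out:
	BN_CTX_free(ctx);
	BN_free(g);
	return ret;
}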
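/* Print "label=text" and release the string BN_bn2hex()/BN_bn2dec() allocated. */
static void print_labelled(const char *label, char *text)
{
	printf("%s=%s\n", label, text != NULL ? text : "(conversion failed)");
	OPENSSL_free(text);
}

/*
 * Toy RSA key-generation walkthrough: pick two primes, print n and
 * phi = (p-1)(q-1), the smallest odd e >= 3 coprime to phi, and d = e^-1 mod phi.
 *
 * Relies on helpers defined elsewhere in this program: initialize(),
 * initialize_rand(), get_long_prime_number(), the global primitive_p and the
 * constants SEED and RSA_KEY_LENGTH. p and q are reduced to p-1 and q-1 in place.
 * Educational only: real deployments use a fixed e such as 65537 together
 * with a padding scheme, not the smallest coprime exponent.
 *
 * Returns 0 on success, 1 if an allocation or BN operation fails.
 */
int main(int argc, char **argv)
{
	BIGNUM *p, *q;
	BIGNUM *n = NULL, *phi = NULL, *e = NULL, *gcd = NULL, *d = NULL;
	BN_CTX *ctx = NULL;
	int rc = 1;

	(void)argc;
	(void)argv;

	/* Generate 2 big random numbers (512 bits) */
	primitive_p = initialize("1011011");
	initialize_rand(SEED);
	p = get_long_prime_number(RSA_KEY_LENGTH);
	if (p == NULL)
		goto out;
	print_labelled("p", BN_bn2hex(p));
	q = get_long_prime_number(RSA_KEY_LENGTH);
	if (q == NULL)
		goto out;
	print_labelled("q", BN_bn2hex(q));

	/* One context for the whole run (previously a new one per loop iteration). */
	ctx = BN_CTX_new();
	n = BN_new();
	phi = BN_new();
	e = BN_new();
	gcd = BN_new();
	d = BN_new();
	if (ctx == NULL || n == NULL || phi == NULL || e == NULL || gcd == NULL || d == NULL)
		goto out;

	/* Compute n = p*q and phi = (p-1)*(q-1) */
	if (!BN_mul(n, p, q, ctx))
		goto out;
	print_labelled("n", BN_bn2dec(n));
	if (!BN_sub_word(p, 1))
		goto out;
	print_labelled("p-1", BN_bn2dec(p));
	if (!BN_sub_word(q, 1))
		goto out;
	print_labelled("q-1", BN_bn2dec(q));
	if (!BN_mul(phi, p, q, ctx))
		goto out;
	print_labelled("(p-1)(q-1)", BN_bn2dec(phi));

	/* Find the smallest odd integer >= 3 coprime with phi */
	if (!BN_set_word(e, 3))
		goto out;
	for (;;) {
		if (!BN_gcd(gcd, e, phi, ctx))
			goto out;
		if (BN_is_one(gcd))
			break;
		if (!BN_add_word(e, 2))
			goto out;
	}
	print_labelled("e", BN_bn2dec(e));

	/* Find d, the inverse of e in Z_phi. The previous search for the
	 * smallest i with e | (phi*i + 1) yields the same unique value in
	 * [1, phi); BN_mod_inverse computes it directly. */
	if (BN_mod_inverse(d, e, phi, ctx) == NULL)
		goto out;
	print_labelled("d", BN_bn2dec(d));
	rc = 0;

out:
	/* p and q come from get_long_prime_number(); ownership is not visible
	 * here, so they are deliberately not freed. */
	BN_free(d);
	BN_free(gcd);
	BN_free(e);
	BN_free(phi);
	BN_free(n);
	BN_CTX_free(ctx);
	return rc;
}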
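/*
 * Sanity-check an RSA key against the PKCS#1 v2.1 constraints tested here
 * and fill in its private CRT components.
 *
 * Checks: gcd(e, lambda(n)) == 1 with lambda(n) = lcm(p-1, q-1), and e < n.
 * Despite the name this also WRITES rsa->d, rsa->dmp1, rsa->dmq1 and
 * rsa->iqmp, which must already be allocated BIGNUMs (they are passed as
 * output arguments), and finally asks RSA_check_key() for a second opinion.
 * BN_lcm() is this program's own helper; its return convention is not
 * visible here, so it is not checked.
 *
 * Returns 1 if every check passed, 0 otherwise — including allocation or
 * BN arithmetic failures, which previously went unnoticed.
 */
uint8_t sane_key(RSA *rsa)
{
	uint8_t sane = 1;
	BIGNUM *p1, *q1, *chk, *gcd, *lambda;
	BN_CTX *ctx = BN_CTX_new();

	if (ctx == NULL) {
		fprintf(stderr, "sane_key: BN_CTX_new failed\n");
		return 0;
	}
	BN_CTX_start(ctx);
	p1 = BN_CTX_get(ctx);      // p - 1
	q1 = BN_CTX_get(ctx);      // q - 1
	chk = BN_CTX_get(ctx);     // storage to run checks with
	gcd = BN_CTX_get(ctx);     // GCD(p - 1, q - 1)
	lambda = BN_CTX_get(ctx);  // LCM(p - 1, q - 1)
	if (lambda == NULL) {
		sane = 0;
		goto done;
	}

	if (!BN_sub(p1, rsa->p, BN_value_one()) ||
	    !BN_sub(q1, rsa->q, BN_value_one()) ||
	    !BN_gcd(gcd, p1, q1, ctx)) {
		sane = 0;
		goto done;
	}
	BN_lcm(lambda, p1, q1, gcd, ctx);  // lambda(n)

	// e must be coprime to lambda(n), otherwise d does not exist
	if (!BN_gcd(chk, lambda, rsa->e, ctx) || !BN_is_one(chk))
		sane = 0;

	// public exponent e must be less than n (same test as e - n < 0)
	if (BN_cmp(rsa->e, rsa->n) >= 0)
		sane = 0;

	// derive the private CRT components; a NULL/0 result (e.g. no inverse
	// because the coprimality check above failed) marks the key unusable
	if (BN_mod_inverse(rsa->d, rsa->e, lambda, ctx) == NULL ||   // d
	    !BN_mod(rsa->dmp1, rsa->d, p1, ctx) ||                   // d mod (p - 1)
	    !BN_mod(rsa->dmq1, rsa->d, q1, ctx) ||                   // d mod (q - 1)
	    BN_mod_inverse(rsa->iqmp, rsa->q, rsa->p, ctx) == NULL)  // q ^ -1 mod p
		sane = 0;

done:
	BN_CTX_end(ctx);
	BN_CTX_free(ctx);

	// this is excessive but you're better off safe than (very) sorry;
	// only consulted when our own checks passed
	if (sane && RSA_check_key(rsa) != 1) {
		fprintf(stderr, "WARNING: Key looked okay, but OpenSSL says otherwise!\n");
		sane = 0;
	}
	return sane;
}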
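/* pollard p-1, algorithm from Jim Gillogly, May 2000 */
/*
 * Factor |val| with Pollard's p-1 method, printing every prime factor found
 * through pr_print(). A composite factor is factored recursively; the final
 * cofactor is printed once it is prime. Uses the file-scope |ctx| and
 * PRIME_CHECKS and exits via errx() on any BN failure (this file's
 * convention), so no cleanup is attempted on those paths.
 *
 * |val| is scratch: whenever a composite cofactor remains it is written back
 * into |val| for the next round, so the caller's value is consumed. For that
 * reason the recursive call gets a private copy of the factor — handing it
 * |x| directly let the recursion overwrite |x|, and the division of |val| by
 * the altered |x| afterwards re-exposed factors that had already been printed.
 */
static void pollard_pminus1(BIGNUM *val)
{
	BIGNUM *base, *rbase, *num, *i, *x, *copy;

	base = BN_new();
	rbase = BN_new();
	num = BN_new();
	i = BN_new();
	x = BN_new();
	if (base == NULL || rbase == NULL || num == NULL || i == NULL || x == NULL)
		errx(1, "error in BN_new()");

	BN_set_word(rbase, 1);
	for (;;) {
		/* next base: rbase = 2, 3, 4, ... */
		if (!BN_add_word(rbase, 1))
			errx(1, "error in BN_add_word()");
		if (!BN_set_word(i, 2) || BN_copy(base, rbase) == NULL)
			errx(1, "error in BN_set_word()/BN_copy()");
		for (;;) {
			/* base = base^i mod val, i.e. rbase^(i!) mod val after this step */
			if (!BN_mod_exp(base, base, i, val, ctx))
				errx(1, "error in BN_mod_exp()");
			if (BN_is_one(base))
				break;	/* this base is exhausted; try the next one */
			if (BN_copy(x, base) == NULL || !BN_sub_word(x, 1))
				errx(1, "error in BN_copy()/BN_sub_word()");
			if (!BN_gcd(x, x, val, ctx))
				errx(1, "error in BN_gcd()");
			if (!BN_is_one(x)) {
				/* x is a proper factor of val (base != 1 mod val above) */
				if (BN_is_prime(x, PRIME_CHECKS, NULL, NULL, NULL) == 1) {
					pr_print(x);
				} else {
					copy = BN_dup(x);
					if (copy == NULL)
						errx(1, "error in BN_dup()");
					pollard_pminus1(copy);
					BN_free(copy);
				}
				fflush(stdout);
				if (!BN_div(num, NULL, val, x, ctx))
					errx(1, "error in BN_div()");
				if (BN_is_one(num))
					goto done;
				if (BN_is_prime(num, PRIME_CHECKS, NULL, NULL, NULL) == 1) {
					pr_print(num);
					fflush(stdout);
					goto done;
				}
				/* composite cofactor: continue on it */
				if (BN_copy(val, num) == NULL)
					errx(1, "error in BN_copy()");
			}
			if (!BN_add_word(i, 1))
				errx(1, "error in BN_add_word()");
		}
	}

done:
	/* previously leaked on every return */
	BN_free(x);
	BN_free(i);
	BN_free(num);
	BN_free(rbase);
	BN_free(base);
}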
/*
 * Compute the greatest common divisor of mp1 and mp2; result goes in rmp.
 *
 * The gcd is computed into a stack BIGNUM and handed to rmp through
 * _moveb(). Allocation of the BN_CTX is reported through _bnerr() and a
 * failing BN_gcd() through BN_ERRCHECK(), both defined elsewhere in this
 * module; the temporary BIGNUM and the context are released before return.
 */
void mp_gcd(const MINT *mp1, const MINT *mp2, MINT *rmp)
{
	BIGNUM result;
	BN_CTX *ctx = BN_CTX_new();

	if (ctx == NULL)
		_bnerr("gcd");
	BN_init(&result);
	BN_ERRCHECK("gcd", BN_gcd(&result, mp1->bn, mp2->bn, ctx));
	_moveb("gcd", &result, rmp);
	BN_free(&result);
	BN_CTX_free(ctx);
}
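/*
 * zr = lcm(za, zb), computed as za * zb / gcd(za, zb).
 *
 * Temporaries are taken from |ctx| inside one BN_CTX_start/BN_CTX_end frame.
 * Returns 0 on success. Returns -1 if any BN operation fails — including
 * gcd(0, 0) == 0, where BN_div refuses to divide by zero — and leaves |zr|
 * unspecified. (The previous version returned 0 unconditionally and ignored
 * every BN result, so callers that ignore the return value are unaffected.)
 */
int VN_BN_lcm(BIGNUM *zr, const BIGNUM *za, const BIGNUM *zb, BN_CTX *ctx)
{
	int ret = -1;
	BIGNUM *gcd, *prod;

	BN_CTX_start(ctx);
	gcd = BN_CTX_get(ctx);
	prod = BN_CTX_get(ctx);
	if (gcd == NULL || prod == NULL)
		goto out;
	if (!BN_mul(prod, za, zb, ctx))
		goto out;
	if (!BN_gcd(gcd, za, zb, ctx))
		goto out;
	if (!BN_div(zr, NULL, prod, gcd, ctx))
		goto out;
	ret = 0;
out:
	BN_CTX_end(ctx);
	return ret;
}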
/*
 * Validate the internal consistency of an RSA private key.
 *
 * Checks, in order: p and q are (probably) prime, n == p*q,
 * d*e == 1 mod lcm(p-1, q-1), and — only when all three CRT values are
 * present — dmp1 == d mod (p-1), dmq1 == d mod (q-1) and iqmp == q^-1 mod p.
 * A failed check queues an RSAerr() reason and the function keeps going, so
 * the error queue ends up listing every problem found.
 *
 * Returns 1 if the key is consistent, 0 if at least one check failed
 * (reasons on the error queue), and -1 if the check itself could not be
 * carried out (allocation failure or a BN operation error). Note that a
 * BN failure after an earlier failed check turns a 0 into -1.
 */
int RSA_check_key(const RSA *key)
{
    BIGNUM *i, *j, *k, *l, *m;
    BN_CTX *ctx;
    int r;
    int ret = 1;

    /* Without the five core components there is nothing to verify. */
    if (!key->p || !key->q || !key->n || !key->e || !key->d) {
        RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_VALUE_MISSING);
        return 0;
    }

    i = BN_new();
    j = BN_new();
    k = BN_new();
    l = BN_new();
    m = BN_new();
    ctx = BN_CTX_new();
    if (i == NULL || j == NULL || k == NULL || l == NULL || m == NULL || ctx == NULL) {
        ret = -1;
        RSAerr(RSA_F_RSA_CHECK_KEY, ERR_R_MALLOC_FAILURE);
        goto err;
    }

    /* p prime? */
    r = BN_is_prime_ex(key->p, BN_prime_checks, NULL, NULL);
    if (r != 1) {
        ret = r;
        /* a negative r means the primality test itself failed: give up */
        if (r != 0)
            goto err;
        RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_P_NOT_PRIME);
    }

    /* q prime? */
    r = BN_is_prime_ex(key->q, BN_prime_checks, NULL, NULL);
    if (r != 1) {
        ret = r;
        if (r != 0)
            goto err;
        RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_Q_NOT_PRIME);
    }

    /* n = p*q? */
    r = BN_mul(i, key->p, key->q, ctx);
    if (!r) {
        ret = -1;
        goto err;
    }
    if (BN_cmp(i, key->n) != 0) {
        ret = 0;
        RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_N_DOES_NOT_EQUAL_P_Q);
    }

    /* d*e = 1 mod lcm(p-1,q-1)? */
    r = BN_sub(i, key->p, BN_value_one());   /* i = p-1 */
    if (!r) {
        ret = -1;
        goto err;
    }
    r = BN_sub(j, key->q, BN_value_one());   /* j = q-1 */
    if (!r) {
        ret = -1;
        goto err;
    }

    /* now compute k = lcm(i,j) as (i*j) / gcd(i,j) */
    r = BN_mul(l, i, j, ctx);
    if (!r) {
        ret = -1;
        goto err;
    }
    r = BN_gcd(m, i, j, ctx);
    if (!r) {
        ret = -1;
        goto err;
    }
    r = BN_div(k, NULL, l, m, ctx);          /* remainder is 0 */
    if (!r) {
        ret = -1;
        goto err;
    }

    /* i = d*e mod k; must be 1 for the key to work */
    r = BN_mod_mul(i, key->d, key->e, k, ctx);
    if (!r) {
        ret = -1;
        goto err;
    }
    if (!BN_is_one(i)) {
        ret = 0;
        RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_D_E_NOT_CONGRUENT_TO_1);
    }

    /* CRT components are optional; verify them only when all are present. */
    if (key->dmp1 != NULL && key->dmq1 != NULL && key->iqmp != NULL) {
        /* dmp1 = d mod (p-1)? */
        r = BN_sub(i, key->p, BN_value_one());
        if (!r) {
            ret = -1;
            goto err;
        }
        r = BN_mod(j, key->d, i, ctx);
        if (!r) {
            ret = -1;
            goto err;
        }
        if (BN_cmp(j, key->dmp1) != 0) {
            ret = 0;
            RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_DMP1_NOT_CONGRUENT_TO_D);
        }

        /* dmq1 = d mod (q-1)? */
        r = BN_sub(i, key->q, BN_value_one());
        if (!r) {
            ret = -1;
            goto err;
        }
        r = BN_mod(j, key->d, i, ctx);
        if (!r) {
            ret = -1;
            goto err;
        }
        if (BN_cmp(j, key->dmq1) != 0) {
            ret = 0;
            RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_DMQ1_NOT_CONGRUENT_TO_D);
        }

        /* iqmp = q^-1 mod p? (no inverse at all is treated as a BN error) */
        if (!BN_mod_inverse(i, key->q, key->p, ctx)) {
            ret = -1;
            goto err;
        }
        if (BN_cmp(i, key->iqmp) != 0) {
            ret = 0;
            RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_IQMP_NOT_INVERSE_OF_Q);
        }
    }

 err:
    BN_free(i);
    BN_free(j);
    BN_free(k);
    BN_free(l);
    BN_free(m);
    BN_CTX_free(ctx);
    return (ret);
}
/*
 * JNI bridge for BN_gcd(): r = gcd(a, b).
 *
 * Returns JNI_FALSE when threeValidHandles() (defined elsewhere) rejects one
 * of the handles, otherwise the BN_gcd() outcome — true on success. The
 * temporary BN_CTX lives only for this call and is released by Unique_BN_CTX.
 */
static jboolean NativeBN_BN_gcd(JNIEnv* env, jclass, BIGNUM* r, BIGNUM* a, BIGNUM* b) {
  if (!threeValidHandles(env, r, a, b)) {
    return JNI_FALSE;
  }
  Unique_BN_CTX scratch(BN_CTX_new());
  const bool succeeded = BN_gcd(r, a, b, scratch.get()) != 0;
  return succeeded;
}
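/*
 * Generate a multi-prime RSA private key with a |bits|-bit modulus made of
 * |num_primes| prime factors (2 = classic RSA) and public exponent |e_value|.
 *
 * The first two primes go into rsa->p and rsa->q (ordered so that p > q);
 * primes three onwards are stored on rsa->additional_primes, each with its
 * CRT exponent (d mod (prime-1)), coefficient (r^-1 mod prime) and r, the
 * product of all earlier primes. RSA components that are NULL on entry are
 * allocated here. d is computed modulo the product of all (prime-1) terms.
 * |cb| receives the usual BN_GENCB progress calls (2 = prime rejected,
 * 3 = prime accepted). Private-value arithmetic is done with BN_FLG_CONSTTIME
 * unless RSA_FLAG_NO_CONSTTIME is set on |rsa|.
 *
 * Returns 1 on success, 0 on failure with an RSAerr() queued. On failure no
 * additional-prime stack is attached to |rsa| and everything allocated for it
 * is released here; components already written into |rsa| are left for the
 * caller to free.
 */
static int rsa_builtin_multi_prime_keygen(RSA *rsa, int bits, int num_primes, BIGNUM *e_value, BN_GENCB *cb)
{
    BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL, *r3 = NULL, *tmp;
    BIGNUM local_r0, local_d, local_p;
    BIGNUM *pr0, *d, *p;
    int prime_bits, ok = -1, n = 0, i, j;
    BN_CTX *ctx = NULL;
#ifdef OPENSSL_CRYPTOCOP
    static int cryptocop_count;
#endif
    STACK_OF(RSA_additional_prime) *additional_primes = NULL;

    if (num_primes < 2) {
        ok = 0;                 /* we set our own err */
        RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, RSA_R_MUST_HAVE_AT_LEAST_TWO_PRIMES);
        goto err;
    }

    ctx = BN_CTX_new();
    if (ctx == NULL)
        goto err;
    BN_CTX_start(ctx);
    r0 = BN_CTX_get(ctx);
    r1 = BN_CTX_get(ctx);
    r2 = BN_CTX_get(ctx);
    r3 = BN_CTX_get(ctx);
    if (r3 == NULL)
        goto err;

    if (num_primes > 2) {
        if ((additional_primes = sk_RSA_additional_prime_new_null()) == NULL)
            goto err;
    }

#ifdef OPENSSL_CRYPTOCOP
    /* rate-limited warning about key sizes below the configured minimum */
    if (bits < CRYPTOCOP_MIN_RSA_BITS && cryptocop_count < CRYPTOCOP_COUNT_MAX) {
        syslog(LOG_ERR, "RSA key generation with %d bits " CRYPTOCOP_INFO, bits);
        cryptocop_count++;
    }
#endif

    /* one zeroed record per additional prime, owned by the stack */
    for (i = 2; i < num_primes; i++) {
        RSA_additional_prime *ap = OPENSSL_malloc(sizeof(RSA_additional_prime));
        if (ap == NULL)
            goto err;
        memset(ap, 0, sizeof(RSA_additional_prime));
        if ((ap->prime = BN_new()) == NULL)
            goto err;
        if ((ap->exp = BN_new()) == NULL)
            goto err;
        if ((ap->coeff = BN_new()) == NULL)
            goto err;
        if ((ap->r = BN_new()) == NULL)
            goto err;
        if (!sk_RSA_additional_prime_push(additional_primes, ap))
            goto err;
    }

    /* We need the RSA components non-NULL */
    if (!rsa->n && ((rsa->n = BN_new()) == NULL))
        goto err;
    if (!rsa->d && ((rsa->d = BN_new()) == NULL))
        goto err;
    if (!rsa->e && ((rsa->e = BN_new()) == NULL))
        goto err;
    if (!rsa->p && ((rsa->p = BN_new()) == NULL))
        goto err;
    if (!rsa->q && ((rsa->q = BN_new()) == NULL))
        goto err;
    if (!rsa->dmp1 && ((rsa->dmp1 = BN_new()) == NULL))
        goto err;
    if (!rsa->dmq1 && ((rsa->dmq1 = BN_new()) == NULL))
        goto err;
    if (!rsa->iqmp && ((rsa->iqmp = BN_new()) == NULL))
        goto err;

    /* previously unchecked: a failed copy left e empty and every gcd test below meaningless */
    if (!BN_copy(rsa->e, e_value))
        goto err;

    /* generate p and q: each must satisfy gcd(prime-1, e) == 1 */
    prime_bits = (bits + (num_primes - 1)) / num_primes;   /* ceil(bits / num_primes) */
    for (;;) {
        if (!BN_generate_prime_ex(rsa->p, prime_bits, 0, NULL, NULL, cb))
            goto err;
        if (!BN_sub(r2, rsa->p, BN_value_one()))
            goto err;
        if (!BN_gcd(r1, r2, rsa->e, ctx))
            goto err;
        if (BN_is_one(r1))
            break;
        if (!BN_GENCB_call(cb, 2, n++))
            goto err;
    }
    if (!BN_GENCB_call(cb, 3, 0))
        goto err;

    prime_bits = ((bits - prime_bits) + (num_primes - 2)) / (num_primes - 1);
    for (;;) {
        /*
         * When generating ridiculously small keys, we can get stuck
         * continually regenerating the same prime values. Check for
         * this and bail if it happens 3 times.
         */
        unsigned int degenerate = 0;
        do {
            if (!BN_generate_prime_ex(rsa->q, prime_bits, 0, NULL, NULL, cb))
                goto err;
        } while ((BN_cmp(rsa->p, rsa->q) == 0) && (++degenerate < 3));
        if (degenerate == 3) {
            ok = 0;             /* we set our own err */
            RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, RSA_R_KEY_SIZE_TOO_SMALL);
            goto err;
        }
        if (!BN_sub(r2, rsa->q, BN_value_one()))
            goto err;
        if (!BN_gcd(r1, r2, rsa->e, ctx))
            goto err;
        if (BN_is_one(r1))
            break;
        if (!BN_GENCB_call(cb, 2, n++))
            goto err;
    }
    if (!BN_GENCB_call(cb, 3, 1))
        goto err;

    if (!BN_mul(rsa->n, rsa->p, rsa->q, ctx))
        goto err;

    /* remaining primes: distinct from all earlier ones, coprime-1 to e, and
     * the last one sized so that n ends up with exactly |bits| bits (no
     * degenerate-retry cap here, unlike the q loop) */
    for (i = 2; i < num_primes; i++) {
        RSA_additional_prime *ap = sk_RSA_additional_prime_value(additional_primes, i - 2);
        prime_bits = ((bits - BN_num_bits(rsa->n)) + (num_primes - (i + 1))) / (num_primes - i);

        for (;;) {
            if (!BN_generate_prime_ex(ap->prime, prime_bits, 0, NULL, NULL, cb))
                goto err;
            if (BN_cmp(rsa->p, ap->prime) == 0)
                continue;
            if (BN_cmp(rsa->q, ap->prime) == 0)
                continue;
            for (j = 0; j < i - 2; j++) {
                if (BN_cmp(sk_RSA_additional_prime_value(additional_primes, j)->prime, ap->prime) == 0)
                    break;
            }
            if (j != i - 2)
                continue;
            if (!BN_sub(r2, ap->prime, BN_value_one()))
                goto err;
            if (!BN_gcd(r1, r2, rsa->e, ctx))
                goto err;
            if (!BN_is_one(r1))
                continue;
            if (i != num_primes - 1)
                break;

            /*
             * For the last prime we'll check that it makes n large enough.
             * In the two prime case this isn't a problem because we generate
             * primes with the top two bits set and so the product is always
             * of the expected size. In the multi prime case, this doesn't
             * follow.
             */
            if (!BN_mul(r1, rsa->n, ap->prime, ctx))
                goto err;
            if (BN_num_bits(r1) == bits)
                break;
            if (!BN_GENCB_call(cb, 2, n++))
                goto err;
        }

        /* ap->r is the product of all the primes prior to the current one
         * (including p and q). */
        if (!BN_copy(ap->r, rsa->n))
            goto err;
        if (i == num_primes - 1) {
            /* In the case of the last prime, we calculated n in r1 in the
             * loop above. */
            if (!BN_copy(rsa->n, r1))
                goto err;
        } else {
            if (!BN_mul(rsa->n, rsa->n, ap->prime, ctx))
                goto err;
        }
        if (!BN_GENCB_call(cb, 3, 1))
            goto err;
    }

    /* keep p > q; iqmp below is q^-1 mod p */
    if (BN_cmp(rsa->p, rsa->q) < 0) {
        tmp = rsa->p;
        rsa->p = rsa->q;
        rsa->q = tmp;
    }

    /* calculate d modulo r0 = product of (prime - 1) over all primes */
    if (!BN_sub(r1, rsa->p, BN_value_one()))
        goto err;               /* p-1 */
    if (!BN_sub(r2, rsa->q, BN_value_one()))
        goto err;               /* q-1 */
    if (!BN_mul(r0, r1, r2, ctx))
        goto err;               /* (p-1)(q-1) */
    for (i = 2; i < num_primes; i++) {
        RSA_additional_prime *ap = sk_RSA_additional_prime_value(additional_primes, i - 2);
        if (!BN_sub(r3, ap->prime, BN_value_one()))
            goto err;
        if (!BN_mul(r0, r0, r3, ctx))
            goto err;
    }
    /* BN_with_flags() aliases r0 under a local header carrying the
     * constant-time flag; the local must not be freed */
    if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
        pr0 = &local_r0;
        BN_with_flags(pr0, r0, BN_FLG_CONSTTIME);
    } else {
        pr0 = r0;
    }
    if (!BN_mod_inverse(rsa->d, rsa->e, pr0, ctx))
        goto err;               /* d */

    /* set up d for correct BN_FLG_CONSTTIME flag */
    if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
        d = &local_d;
        BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
    } else {
        d = rsa->d;
    }

    /* calculate d mod (p-1) */
    if (!BN_mod(rsa->dmp1, d, r1, ctx))
        goto err;
    /* calculate d mod (q-1) */
    if (!BN_mod(rsa->dmq1, d, r2, ctx))
        goto err;

    /* calculate inverse of q mod p */
    if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
        p = &local_p;
        BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
    } else {
        p = rsa->p;
    }
    if (!BN_mod_inverse(rsa->iqmp, rsa->q, p, ctx))
        goto err;

    /* CRT data for the additional primes: exp = d mod (prime-1), coeff = r^-1 mod prime */
    for (i = 2; i < num_primes; i++) {
        RSA_additional_prime *ap = sk_RSA_additional_prime_value(additional_primes, i - 2);
        if (!BN_sub(ap->exp, ap->prime, BN_value_one()))
            goto err;
        if (!BN_mod(ap->exp, rsa->d, ap->exp, ctx))
            goto err;
        if (!BN_mod_inverse(ap->coeff, ap->r, ap->prime, ctx))
            goto err;
    }

    ok = 1;
    rsa->additional_primes = additional_primes;
    additional_primes = NULL;   /* ownership transferred to rsa */

 err:
    if (ok == -1) {
        RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, ERR_LIB_BN);
        ok = 0;
    }
    if (ctx != NULL) {
        BN_CTX_end(ctx);
        BN_CTX_free(ctx);
    }
    if (additional_primes != NULL) {
        for (i = 0; i < sk_RSA_additional_prime_num(additional_primes); i++) {
            RSA_additional_prime *ap = sk_RSA_additional_prime_value(additional_primes, i);
            /* clear the secret values here, and NULL the pointers so that
             * the element free callback below cannot free them a second time */
            if (ap->prime != NULL) {
                BN_clear_free(ap->prime);
                ap->prime = NULL;
            }
            if (ap->exp != NULL) {
                BN_clear_free(ap->exp);
                ap->exp = NULL;
            }
            if (ap->coeff != NULL) {
                BN_clear_free(ap->coeff);
                ap->coeff = NULL;
            }
            if (ap->r != NULL) {
                BN_clear_free(ap->r);
                ap->r = NULL;
            }
        }
        sk_RSA_additional_prime_pop_free(additional_primes, int_rsa_free_additional_prime);
    }
    return ok;
}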
/*
 * Enhanced Miller-Rabin probabilistic primality test (the step numbers in the
 * comments below follow the FIPS 186-4 C.3.2 procedure the code mirrors).
 *
 * |w| must be odd and greater than 3. |iterations| rounds are run with
 * independent random bases; BN_prime_checks selects a count from the size of
 * |w|. |cb| is invoked once per completed round (BN_GENCB_call(cb, 1, i)).
 *
 * On success returns 1 and sets |*out_result| to bn_probably_prime,
 * bn_composite (a non-trivial factor was seen) or
 * bn_non_prime_power_composite. Returns 0 on invalid input, allocation or BN
 * failure, or if |cb| aborts, in which case |*out_result| is untouched.
 * Scratch values are taken from |ctx| inside one BN_CTX_start/end frame.
 */
int BN_enhanced_miller_rabin_primality_test(
    enum bn_primality_result_t *out_result, const BIGNUM *w, int iterations,
    BN_CTX *ctx, BN_GENCB *cb) {
  /* Enhanced Miller-Rabin is only valid on odd integers greater than 3. */
  if (!BN_is_odd(w) || BN_cmp_word(w, 3) <= 0) {
    OPENSSL_PUT_ERROR(BN, BN_R_INVALID_INPUT);
    return 0;
  }

  if (iterations == BN_prime_checks) {
    iterations = BN_prime_checks_for_size(BN_num_bits(w));
  }

  int ret = 0;
  BN_MONT_CTX *mont = NULL;

  BN_CTX_start(ctx);

  /* w1 = w - 1 */
  BIGNUM *w1 = BN_CTX_get(ctx);
  if (w1 == NULL ||
      !BN_copy(w1, w) ||
      !BN_sub_word(w1, 1)) {
    goto err;
  }

  /* Write w1 as m*2^a (Steps 1 and 2). w1 is even and non-zero because
   * w > 3 is odd, so the bit scan below terminates. */
  int a = 0;
  while (!BN_is_bit_set(w1, a)) {
    a++;
  }
  BIGNUM *m = BN_CTX_get(ctx);
  if (m == NULL ||
      !BN_rshift(m, w1, a)) {
    goto err;
  }

  BIGNUM *b = BN_CTX_get(ctx);   /* random base */
  BIGNUM *g = BN_CTX_get(ctx);   /* gcd scratch */
  BIGNUM *z = BN_CTX_get(ctx);   /* running power of b */
  BIGNUM *x = BN_CTX_get(ctx);   /* last value of z before it became 1 */
  BIGNUM *x1 = BN_CTX_get(ctx);  /* x - 1 */
  if (b == NULL ||
      g == NULL ||
      z == NULL ||
      x == NULL ||
      x1 == NULL) {
    goto err;
  }

  /* Montgomery setup for computations mod w. */
  mont = BN_MONT_CTX_new();
  if (mont == NULL ||
      !BN_MONT_CTX_set(mont, w, ctx)) {
    goto err;
  }

  /* The following loop performs an inner iteration of the Enhanced Miller-Rabin
   * Primality test (Step 4). Every exit from the loop body other than "loop"
   * has decided the answer; err doubles as the common exit for those. */
  for (int i = 1; i <= iterations; i++) {
    /* Step 4.1-4.2: b uniform in [2, w - 1) */
    if (!BN_rand_range_ex(b, 2, w1)) {
      goto err;
    }

    /* Step 4.3-4.4: gcd(b, w) > 1 exposes a factor outright */
    if (!BN_gcd(g, b, w, ctx)) {
      goto err;
    }
    if (BN_cmp_word(g, 1) > 0) {
      *out_result = bn_composite;
      ret = 1;
      goto err;
    }

    /* Step 4.5: z = b^m mod w */
    if (!BN_mod_exp_mont(z, b, m, w, ctx, mont)) {
      goto err;
    }

    /* Step 4.6: z == +-1 means this base is inconclusive */
    if (BN_is_one(z) || BN_cmp(z, w1) == 0) {
      goto loop;
    }

    /* Step 4.7: repeated squaring, a - 1 times at most */
    for (int j = 1; j < a; j++) {
      if (!BN_copy(x, z) || !BN_mod_mul(z, x, x, w, ctx)) {
        goto err;
      }
      if (BN_cmp(z, w1) == 0) {
        goto loop;
      }
      if (BN_is_one(z)) {
        /* x holds a non-trivial square root of 1 */
        goto composite;
      }
    }

    /* Step 4.8-4.9 */
    if (!BN_copy(x, z) || !BN_mod_mul(z, x, x, w, ctx)) {
      goto err;
    }

    /* Step 4.10-4.11: keep x as the last non-1 value for the gcd below */
    if (!BN_is_one(z) && !BN_copy(x, z)) {
      goto err;
    }

 composite:
    /* Step 4.12-4.14: gcd(x - 1, w) tells a plain composite from a
     * composite that is not a prime power */
    if (!BN_copy(x1, x) ||
        !BN_sub_word(x1, 1) ||
        !BN_gcd(g, x1, w, ctx)) {
      goto err;
    }
    if (BN_cmp_word(g, 1) > 0) {
      *out_result = bn_composite;
    } else {
      *out_result = bn_non_prime_power_composite;
    }

    ret = 1;
    goto err;

 loop:
    /* Step 4.15 */
    if (!BN_GENCB_call(cb, 1, i)) {
      goto err;
    }
  }

  /* every base was inconclusive */
  *out_result = bn_probably_prime;
  ret = 1;

err:
  BN_MONT_CTX_free(mont);
  BN_CTX_end(ctx);
  return ret;
}
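/*
 * RSA checks for CheckPublicKey(): modulus size by issue date, exponent
 * oddness and range, and absence of small prime factors (gcd of n with the
 * global bn_factors). Errors/warnings are recorded through SetError() and
 * SetWarning(); the caller owns |rsa|.
 */
static void CheckRsaPublicKey(RSA *rsa, struct tm tm_after)
{
	const BIGNUM *n, *e;
	BIGNUM *i = NULL;
	BN_CTX *ctx = NULL;

	RSA_get0_key(rsa, &n, &e, NULL);
	if (n == NULL || e == NULL) {
		SetError(ERR_INVALID);
		return;
	}

	/* tm_year is years since 1900: certificates valid past 2014 need
	 * 2048-bit moduli; skipped when the date itself did not parse. */
	if (!GetBit(errors, ERR_INVALID_TIME_FORMAT)) {
		if (tm_after.tm_year >= 114 && BN_num_bits(n) < 2048) {
			SetError(ERR_RSA_SIZE_2048);
		}
	}

	if (BN_is_odd(e) == 0) {
		SetError(ERR_RSA_EXP_NOT_ODD);
	}

	i = BN_new();
	ctx = BN_CTX_new();
	if (i == NULL || ctx == NULL) {
		goto fail;
	}

	/* e must be >= 3; values below 65537 or above 256 bits only warn */
	if (!BN_set_word(i, 3)) {
		goto fail;
	}
	if (BN_cmp(e, i) < 0) {
		SetError(ERR_RSA_EXP_3);
	} else {
		if (!BN_set_word(i, 0x10001)) {
			goto fail;
		}
		if (BN_cmp(e, i) < 0) {
			SetWarning(WARN_RSA_EXP_RANGE);
		}
		if (!BN_hex2bn(&i, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF")) {
			goto fail;
		}
		if (BN_cmp(e, i) > 0) {
			SetWarning(WARN_RSA_EXP_RANGE);
		}
	}

	/* n must share no factor with the product of small primes in bn_factors */
	if (BN_gcd(i, n, bn_factors, ctx) == 0 || !BN_is_one(i)) {
		SetError(ERR_RSA_SMALL_FACTOR);
	}
	goto out;

fail:
	/* Fail closed: a check that could not run must not pass silently
	 * (previously a NULL from BN_new()/BN_CTX_new() would have crashed). */
	SetError(ERR_INVALID);
out:
	BN_free(i);
	BN_CTX_free(ctx);
}

/*
 * EC checks for CheckPublicKey(): the public point must be finite, on the
 * curve and of the group order, and the curve must be one of P-256, P-384
 * or P-521. The caller owns |ec_key|.
 */
static void CheckEcPublicKey(EC_KEY *ec_key)
{
	const EC_GROUP *group = EC_KEY_get0_group(ec_key);
	const EC_POINT *point = EC_KEY_get0_public_key(ec_key);
	BN_CTX *ctx = NULL;
	BIGNUM *order = NULL;
	EC_POINT *result = NULL;
	int have_order;
	int nid;

	if (group == NULL || point == NULL) {
		SetError(ERR_INVALID);
		return;
	}
	ctx = BN_CTX_new();
	order = BN_new();
	result = EC_POINT_new(group);
	if (ctx == NULL || order == NULL || result == NULL) {
		/* fail closed, see CheckRsaPublicKey() */
		SetError(ERR_INVALID);
		goto out;
	}

	have_order = EC_GROUP_get_order(group, order, ctx);
	if (EC_POINT_is_at_infinity(group, point)) {
		SetError(ERR_EC_AT_INFINITY);
	}
	if (EC_POINT_is_on_curve(group, point, ctx) != 1) {
		SetError(ERR_EC_POINT_NOT_ON_CURVE);
	}
	if (!have_order || BN_is_zero(order)) {
		SetError(ERR_EC_INVALID_GROUP_ORDER);
	}
	/* order * point must be the point at infinity */
	if (!EC_POINT_mul(group, result, NULL, point, order, ctx) ||
	    !EC_POINT_is_at_infinity(group, result)) {
		SetError(ERR_EC_INCORRECT_ORDER);
	}
	nid = EC_GROUP_get_curve_name(group);
	if (nid != NID_X9_62_prime256v1 && nid != NID_secp384r1 && nid != NID_secp521r1) {
		SetError(ERR_EC_NON_ALLOWED_CURVE);
	}

out:
	EC_POINT_free(result);
	BN_free(order);
	BN_CTX_free(ctx);
}

/*
 * Check the subject public key of |x509|: RSA and EC keys are validated by
 * the helpers above, anything else is reported as an unknown key type.
 * |tm_after| is the certificate's notAfter date, used for the RSA size rule.
 *
 * The EVP_PKEY reference from X509_get_pubkey() is always released here
 * (the early returns of the previous version leaked it).
 */
static void CheckPublicKey(X509 *x509, struct tm tm_after)
{
	EVP_PKEY *pkey = X509_get_pubkey(x509);

	if (pkey == NULL) {
		SetError(ERR_UNKNOWN_PUBLIC_KEY_TYPE);
		return;
	}

	if (EVP_PKEY_base_id(pkey) == EVP_PKEY_RSA) {
		RSA *rsa = EVP_PKEY_get1_RSA(pkey);
		if (rsa == NULL) {
			SetError(ERR_INVALID);
		} else {
			CheckRsaPublicKey(rsa, tm_after);
			RSA_free(rsa);
		}
	} else if (EVP_PKEY_base_id(pkey) == EVP_PKEY_EC) {
		EC_KEY *ec_key = EVP_PKEY_get1_EC_KEY(pkey);
		if (ec_key == NULL) {
			SetError(ERR_INVALID);
		} else {
			CheckEcPublicKey(ec_key);
			EC_KEY_free(ec_key);
		}
	} else {
		SetError(ERR_UNKNOWN_PUBLIC_KEY_TYPE);
	}

	EVP_PKEY_free(pkey);
}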
/**
 * public static native int BN_gcd(int, int, int, int)
 *
 * JNI bridge for BN_gcd(): r = gcd(a, b), using the caller-supplied ctx.
 * Returns FALSE when threeValidHandles() (defined elsewhere) rejects one of
 * the three BIGNUM handles, otherwise the BN_gcd() result (non-zero on success).
 */
static jboolean NativeBN_BN_gcd(JNIEnv* env, jclass cls, BIGNUM* r, BIGNUM* a, BIGNUM* b, BN_CTX* ctx) {
    jboolean result = FALSE;
    if (threeValidHandles(env, r, a, b)) {
        result = BN_gcd(r, a, b, ctx);
    }
    return result;
}
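/*
 * Derive an ANSI X9.31 RSA key from the supplied seeds.
 *
 * If rsa->e is NULL it is set from |e|, otherwise rsa->e is used. When
 * |Xp| is given and rsa->p is NULL, p is derived from Xp/Xp1/Xp2 (p1 and p2
 * receive the auxiliary primes); likewise for q from Xq/Xq1/Xq2. If after
 * that either prime is still missing the function returns 2 without touching
 * the other components, so test drivers can derive selected values only.
 * Otherwise n, d (modulo lcm(p-1, q-1)), dmp1, dmq1 and iqmp are computed and
 * 1 is returned. Returns 0 on allocation or BN failure; components already
 * stored in |rsa| are left for the caller to free.
 *
 * NOTE(review): the two BN_mod_inverse() calls work on private values
 * without BN_FLG_CONSTTIME; whether that matters depends on the
 * BN_mod_inverse implementation in use — confirm.
 */
int RSA_X931_derive_ex(RSA *rsa, BIGNUM *p1, BIGNUM *p2, BIGNUM *q1, BIGNUM *q2,
                       const BIGNUM *Xp1, const BIGNUM *Xp2, const BIGNUM *Xp,
                       const BIGNUM *Xq1, const BIGNUM *Xq2, const BIGNUM *Xq,
                       const BIGNUM *e, BN_GENCB *cb)
{
    BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL, *r3 = NULL;
    BN_CTX *ctx = NULL, *ctx2 = NULL;
    int ret = 0;

    if (!rsa)
        goto err;

    ctx = BN_CTX_new();
    if (!ctx)
        goto err;
    BN_CTX_start(ctx);

    r0 = BN_CTX_get(ctx);
    r1 = BN_CTX_get(ctx);
    r2 = BN_CTX_get(ctx);
    r3 = BN_CTX_get(ctx);
    if (r3 == NULL)
        goto err;

    if (!rsa->e) {
        rsa->e = BN_dup(e);
        if (!rsa->e)
            goto err;
    } else {
        e = rsa->e;
    }

    /*
     * If not all parameters present only calculate what we can. This allows
     * test programs to output selective parameters.
     */
    if (Xp && !rsa->p) {
        rsa->p = BN_new();
        if (!rsa->p)
            goto err;
        if (!BN_X931_derive_prime_ex(rsa->p, p1, p2, Xp, Xp1, Xp2, e, ctx, cb))
            goto err;
    }

    if (Xq && !rsa->q) {
        rsa->q = BN_new();
        if (!rsa->q)
            goto err;
        if (!BN_X931_derive_prime_ex(rsa->q, q1, q2, Xq, Xq1, Xq2, e, ctx, cb))
            goto err;
    }

    if (!rsa->p || !rsa->q) {
        BN_CTX_end(ctx);
        BN_CTX_free(ctx);
        return 2;
    }

    /*
     * Since both primes are set we can now calculate all remaining
     * components.
     */

    /* calculate n */
    rsa->n = BN_new();
    if (rsa->n == NULL)
        goto err;
    if (!BN_mul(rsa->n, rsa->p, rsa->q, ctx))
        goto err;

    /* calculate d */
    if (!BN_sub(r1, rsa->p, BN_value_one()))
        goto err;               /* p-1 */
    if (!BN_sub(r2, rsa->q, BN_value_one()))
        goto err;               /* q-1 */
    if (!BN_mul(r0, r1, r2, ctx))
        goto err;               /* (p-1)(q-1) */
    if (!BN_gcd(r3, r1, r2, ctx))
        goto err;
    if (!BN_div(r0, NULL, r0, r3, ctx))
        goto err;               /* LCM((p-1)(q-1)) */

    ctx2 = BN_CTX_new();
    if (!ctx2)
        goto err;

    rsa->d = BN_mod_inverse(NULL, rsa->e, r0, ctx2); /* d */
    if (rsa->d == NULL)
        goto err;

    /* calculate d mod (p-1) */
    rsa->dmp1 = BN_new();
    if (rsa->dmp1 == NULL)
        goto err;
    if (!BN_mod(rsa->dmp1, rsa->d, r1, ctx))
        goto err;

    /* calculate d mod (q-1) */
    rsa->dmq1 = BN_new();
    if (rsa->dmq1 == NULL)
        goto err;
    if (!BN_mod(rsa->dmq1, rsa->d, r2, ctx))
        goto err;

    /* calculate inverse of q mod p; previously unchecked, so a failure
     * here returned success with rsa->iqmp == NULL */
    rsa->iqmp = BN_mod_inverse(NULL, rsa->q, rsa->p, ctx2);
    if (rsa->iqmp == NULL)
        goto err;

    ret = 1;
 err:
    if (ctx) {
        BN_CTX_end(ctx);
        BN_CTX_free(ctx);
    }
    if (ctx2)
        BN_CTX_free(ctx2);
    return ret;
}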
/*
 * Generate a multi-prime RSA private key with a |bits|-bit modulus made of
 * |num_primes| prime factors (2 = classic RSA) and public exponent |e_value|.
 *
 * The first two primes go into rsa->p and rsa->q (ordered so that p > q);
 * primes three onwards are stored on rsa->additional_primes, each with its
 * CRT exponent (d mod (prime-1)), coefficient (r^-1 mod prime) and r, the
 * product of all earlier primes. RSA components that are NULL on entry are
 * allocated here. d is computed modulo the product of all (prime-1) terms,
 * with BN_FLG_CONSTTIME applied to the private operands. |cb| receives the
 * usual BN_GENCB progress calls (2 = prime rejected, 3 = prime accepted).
 *
 * Returns 1 on success, 0 on failure with an error queued. On failure no
 * additional-prime stack is attached to |rsa| and it is freed here;
 * components already written into |rsa| are left for the caller to free.
 */
int rsa_default_multi_prime_keygen(RSA *rsa, int bits, int num_primes,
                                   BIGNUM *e_value, BN_GENCB *cb) {
  BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL, *r3 = NULL, *tmp;
  BIGNUM local_r0, local_d, local_p;
  BIGNUM *pr0, *d, *p;
  int prime_bits, ok = -1, n = 0, i, j;
  BN_CTX *ctx = NULL;
  STACK_OF(RSA_additional_prime) *additional_primes = NULL;

  if (num_primes < 2) {
    ok = 0; /* we set our own err */
    OPENSSL_PUT_ERROR(RSA, RSA_R_MUST_HAVE_AT_LEAST_TWO_PRIMES);
    goto err;
  }

  ctx = BN_CTX_new();
  if (ctx == NULL) {
    goto err;
  }
  BN_CTX_start(ctx);
  r0 = BN_CTX_get(ctx);
  r1 = BN_CTX_get(ctx);
  r2 = BN_CTX_get(ctx);
  r3 = BN_CTX_get(ctx);
  if (r0 == NULL || r1 == NULL || r2 == NULL || r3 == NULL) {
    goto err;
  }

  if (num_primes > 2) {
    additional_primes = sk_RSA_additional_prime_new_null();
    if (additional_primes == NULL) {
      goto err;
    }
  }

  /* One zeroed record per additional prime; a record that cannot be
   * completed is freed immediately, the rest via the stack in err. */
  for (i = 2; i < num_primes; i++) {
    RSA_additional_prime *ap = OPENSSL_malloc(sizeof(RSA_additional_prime));
    if (ap == NULL) {
      goto err;
    }
    memset(ap, 0, sizeof(RSA_additional_prime));
    ap->prime = BN_new();
    ap->exp = BN_new();
    ap->coeff = BN_new();
    ap->r = BN_new();
    if (ap->prime == NULL ||
        ap->exp == NULL ||
        ap->coeff == NULL ||
        ap->r == NULL ||
        !sk_RSA_additional_prime_push(additional_primes, ap)) {
      RSA_additional_prime_free(ap);
      goto err;
    }
  }

  /* We need the RSA components non-NULL */
  if (!rsa->n && ((rsa->n = BN_new()) == NULL)) {
    goto err;
  }
  if (!rsa->d && ((rsa->d = BN_new()) == NULL)) {
    goto err;
  }
  if (!rsa->e && ((rsa->e = BN_new()) == NULL)) {
    goto err;
  }
  if (!rsa->p && ((rsa->p = BN_new()) == NULL)) {
    goto err;
  }
  if (!rsa->q && ((rsa->q = BN_new()) == NULL)) {
    goto err;
  }
  if (!rsa->dmp1 && ((rsa->dmp1 = BN_new()) == NULL)) {
    goto err;
  }
  if (!rsa->dmq1 && ((rsa->dmq1 = BN_new()) == NULL)) {
    goto err;
  }
  if (!rsa->iqmp && ((rsa->iqmp = BN_new()) == NULL)) {
    goto err;
  }

  if (!BN_copy(rsa->e, e_value)) {
    goto err;
  }

  /* generate p and q: each must satisfy gcd(prime-1, e) == 1 */
  prime_bits = (bits + (num_primes - 1)) / num_primes; /* ceil(bits / num_primes) */
  for (;;) {
    if (!BN_generate_prime_ex(rsa->p, prime_bits, 0, NULL, NULL, cb) ||
        !BN_sub(r2, rsa->p, BN_value_one()) ||
        !BN_gcd(r1, r2, rsa->e, ctx)) {
      goto err;
    }
    if (BN_is_one(r1)) {
      break;
    }
    if (!BN_GENCB_call(cb, 2, n++)) {
      goto err;
    }
  }

  if (!BN_GENCB_call(cb, 3, 0)) {
    goto err;
  }

  /* remaining bits spread over the remaining primes, rounded up */
  prime_bits = ((bits - prime_bits) + (num_primes - 2)) / (num_primes - 1);
  for (;;) {
    /* When generating ridiculously small keys, we can get stuck
     * continually regenerating the same prime values. Check for
     * this and bail if it happens 3 times. */
    unsigned int degenerate = 0;
    do {
      if (!BN_generate_prime_ex(rsa->q, prime_bits, 0, NULL, NULL, cb)) {
        goto err;
      }
    } while ((BN_cmp(rsa->p, rsa->q) == 0) && (++degenerate < 3));
    if (degenerate == 3) {
      ok = 0; /* we set our own err */
      OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL);
      goto err;
    }
    if (!BN_sub(r2, rsa->q, BN_value_one()) ||
        !BN_gcd(r1, r2, rsa->e, ctx)) {
      goto err;
    }
    if (BN_is_one(r1)) {
      break;
    }
    if (!BN_GENCB_call(cb, 2, n++)) {
      goto err;
    }
  }

  if (!BN_GENCB_call(cb, 3, 1) ||
      !BN_mul(rsa->n, rsa->p, rsa->q, ctx)) {
    goto err;
  }

  /* Remaining primes: distinct from all earlier ones, with gcd(prime-1, e)
   * == 1, and the last one sized so that n has exactly |bits| bits. Unlike
   * the q loop there is no degenerate-retry cap here. */
  for (i = 2; i < num_primes; i++) {
    RSA_additional_prime *ap =
        sk_RSA_additional_prime_value(additional_primes, i - 2);
    prime_bits = ((bits - BN_num_bits(rsa->n)) + (num_primes - (i + 1))) /
                 (num_primes - i);

    for (;;) {
      if (!BN_generate_prime_ex(ap->prime, prime_bits, 0, NULL, NULL, cb)) {
        goto err;
      }
      if (BN_cmp(rsa->p, ap->prime) == 0 ||
          BN_cmp(rsa->q, ap->prime) == 0) {
        continue;
      }
      for (j = 0; j < i - 2; j++) {
        if (BN_cmp(sk_RSA_additional_prime_value(additional_primes, j)->prime,
                   ap->prime) == 0) {
          break;
        }
      }
      if (j != i - 2) {
        continue;
      }
      if (!BN_sub(r2, ap->prime, BN_value_one()) ||
          !BN_gcd(r1, r2, rsa->e, ctx)) {
        goto err;
      }
      if (!BN_is_one(r1)) {
        continue;
      }
      if (i != num_primes - 1) {
        break;
      }

      /* For the last prime we'll check that it makes n large enough. In the
       * two prime case this isn't a problem because we generate primes with
       * the top two bits set and so the product is always of the expected
       * size. In the multi prime case, this doesn't follow. */
      if (!BN_mul(r1, rsa->n, ap->prime, ctx)) {
        goto err;
      }
      if (BN_num_bits(r1) == (unsigned) bits) {
        break;
      }
      if (!BN_GENCB_call(cb, 2, n++)) {
        goto err;
      }
    }

    /* ap->r is the product of all the primes prior to the current one
     * (including p and q). */
    if (!BN_copy(ap->r, rsa->n)) {
      goto err;
    }
    if (i == num_primes - 1) {
      /* In the case of the last prime, we calculated n as |r1| in the loop
       * above. */
      if (!BN_copy(rsa->n, r1)) {
        goto err;
      }
    } else if (!BN_mul(rsa->n, rsa->n, ap->prime, ctx)) {
      goto err;
    }
    if (!BN_GENCB_call(cb, 3, 1)) {
      goto err;
    }
  }

  /* keep p > q; iqmp below is q^-1 mod p */
  if (BN_cmp(rsa->p, rsa->q) < 0) {
    tmp = rsa->p;
    rsa->p = rsa->q;
    rsa->q = tmp;
  }

  /* calculate d modulo r0 = product of (prime - 1) over all primes */
  if (!BN_sub(r1, rsa->p, BN_value_one())) {
    goto err; /* p-1 */
  }
  if (!BN_sub(r2, rsa->q, BN_value_one())) {
    goto err; /* q-1 */
  }
  if (!BN_mul(r0, r1, r2, ctx)) {
    goto err; /* (p-1)(q-1) */
  }
  for (i = 2; i < num_primes; i++) {
    RSA_additional_prime *ap =
        sk_RSA_additional_prime_value(additional_primes, i - 2);
    if (!BN_sub(r3, ap->prime, BN_value_one()) ||
        !BN_mul(r0, r0, r3, ctx)) {
      goto err;
    }
  }
  /* BN_with_flags() aliases r0 under a local header carrying the
   * constant-time flag; the local must not be freed. */
  pr0 = &local_r0;
  BN_with_flags(pr0, r0, BN_FLG_CONSTTIME);
  if (!BN_mod_inverse(rsa->d, rsa->e, pr0, ctx)) {
    goto err; /* d */
  }

  /* set up d for correct BN_FLG_CONSTTIME flag */
  d = &local_d;
  BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);

  /* calculate d mod (p-1) */
  if (!BN_mod(rsa->dmp1, d, r1, ctx)) {
    goto err;
  }

  /* calculate d mod (q-1) */
  if (!BN_mod(rsa->dmq1, d, r2, ctx)) {
    goto err;
  }

  /* calculate inverse of q mod p */
  p = &local_p;
  BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
  if (!BN_mod_inverse(rsa->iqmp, rsa->q, p, ctx)) {
    goto err;
  }

  /* CRT data for the additional primes: exp = d mod (prime-1),
   * coeff = r^-1 mod prime */
  for (i = 2; i < num_primes; i++) {
    RSA_additional_prime *ap =
        sk_RSA_additional_prime_value(additional_primes, i - 2);
    if (!BN_sub(ap->exp, ap->prime, BN_value_one()) ||
        !BN_mod(ap->exp, rsa->d, ap->exp, ctx) ||
        !BN_mod_inverse(ap->coeff, ap->r, ap->prime, ctx)) {
      goto err;
    }
  }

  ok = 1;
  rsa->additional_primes = additional_primes;
  additional_primes = NULL; /* ownership transferred to rsa */

err:
  if (ok == -1) {
    OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN);
    ok = 0;
  }
  if (ctx != NULL) {
    BN_CTX_end(ctx);
    BN_CTX_free(ctx);
  }
  /* NULL on success (ownership moved) or when num_primes == 2 */
  sk_RSA_additional_prime_pop_free(additional_primes, RSA_additional_prime_free);
  return ok;
}
/*
 * Benchmark driver for one BN operation, selected at compile time by exactly
 * one of TEST_EXP / TEST_MUL / TEST_SQR / TEST_GCD / TEST_KRON / TEST_INV
 * (with TEST_SQRT as the fall-through case).
 *
 * For every entry of sizes[] it times |num| operations on pseudo-random
 * operands a and b modulo c, and prints the average per-operation time to
 * stdout.  When C_PRIME is defined, c is a freshly generated prime of the
 * current size (with the TEST_SQRT constraint c == P_MOD_64 (mod 64));
 * otherwise c is pseudo-random too.  |num| starts at BASENUM and shrinks by
 * a factor of 7 per size so that larger operand sizes run fewer iterations.
 *
 * r, a, b, c are caller-provided scratch BIGNUMs that are overwritten; ctx is
 * the caller's BN_CTX.  On any BN error the OpenSSL error queue is dumped to
 * stderr and the function returns early.  The operands come from
 * BN_pseudo_rand, which is fine for timing but is not key material.
 */
void do_mul_exp(BIGNUM *r, BIGNUM *a, BIGNUM *b, BIGNUM *c, BN_CTX *ctx)
{
    int i,k;
    double tm;
    long num;

    num=BASENUM;

    for (i=NUM_START; i<NUM_SIZES; i++)
    {
#ifdef C_PRIME
# ifdef TEST_SQRT
        /* ADD/REM constrain the generated prime to c == P_MOD_64 (mod 64). */
        if (!BN_set_word(a, 64)) goto err;
        if (!BN_set_word(b, P_MOD_64)) goto err;
# define ADD a
# define REM b
# else
# define ADD NULL
# define REM NULL
# endif
        if (!BN_generate_prime(c,sizes[i],0,ADD,REM,genprime_cb,NULL)) goto err;
        putc('\n', stderr);
        fflush(stderr);
#endif

        for (k=0; k<num; k++)
        {
            if (k%50 == 0) /* Average over num/50 different choices of random numbers. */
            {
                if (!BN_pseudo_rand(a,sizes[i],1,0)) goto err;
                if (!BN_pseudo_rand(b,sizes[i],1,0)) goto err;
#ifndef C_PRIME
                /* Without C_PRIME the modulus is a random odd number. */
                if (!BN_pseudo_rand(c,sizes[i],1,1)) goto err;
#endif
#ifdef TEST_SQRT
                /* Square the operands so that a and b are quadratic residues mod c. */
                if (!BN_mod_sqr(a,a,c,ctx)) goto err;
                if (!BN_mod_sqr(b,b,c,ctx)) goto err;
#else
                if (!BN_nnmod(a,a,c,ctx)) goto err;
                if (!BN_nnmod(b,b,c,ctx)) goto err;
#endif
                /* Start the clock only once the first operands are ready. */
                if (k == 0) Time_F(START);
            }
#if defined(TEST_EXP)
            if (!BN_mod_exp(r,a,b,c,ctx)) goto err;
#elif defined(TEST_MUL)
            {
                /* Inner |i| shadows the outer size index on purpose. */
                int i = 0;
                for (i = 0; i < 50; i++)
                    if (!BN_mod_mul(r,a,b,c,ctx)) goto err;
            }
#elif defined(TEST_SQR)
            {
                int i = 0;
                for (i = 0; i < 50; i++)
                {
                    if (!BN_mod_sqr(r,a,c,ctx)) goto err;
                    if (!BN_mod_sqr(r,b,c,ctx)) goto err;
                }
            }
#elif defined(TEST_GCD)
            if (!BN_gcd(r,a,b,ctx)) goto err;
            if (!BN_gcd(r,b,c,ctx)) goto err;
            if (!BN_gcd(r,c,a,ctx)) goto err;
#elif defined(TEST_KRON)
            /* BN_kronecker reports an error as -2, not 0. */
            if (-2 == BN_kronecker(a,b,ctx)) goto err;
            if (-2 == BN_kronecker(b,c,ctx)) goto err;
            if (-2 == BN_kronecker(c,a,ctx)) goto err;
#elif defined(TEST_INV)
            if (!BN_mod_inverse(r,a,c,ctx)) goto err;
            if (!BN_mod_inverse(r,b,c,ctx)) goto err;
#else /* TEST_SQRT */
            if (!BN_mod_sqrt(r,a,c,ctx)) goto err;
            if (!BN_mod_sqrt(r,b,c,ctx)) goto err;
#endif
        }
        tm=Time_F(STOP);
        /* The format string is assembled from the per-test label plus a
         * common tail: ms per iteration, a scaled figure using mul_c[i],
         * and the iteration count. */
        printf(
#if defined(TEST_EXP)
            "modexp %4d ^ %4d %% %4d"
#elif defined(TEST_MUL)
            "50*modmul %4d %4d %4d"
#elif defined(TEST_SQR)
            "100*modsqr %4d %4d %4d"
#elif defined(TEST_GCD)
            "3*gcd %4d %4d %4d"
#elif defined(TEST_KRON)
            "3*kronecker %4d %4d %4d"
#elif defined(TEST_INV)
            "2*inv %4d %4d mod %4d"
#else /* TEST_SQRT */
            "2*sqrt [prime == %d (mod 64)] %4d %4d mod %4d"
#endif
            " -> %8.3fms %5.1f (%ld)\n",
#ifdef TEST_SQRT
            P_MOD_64,
#endif
            sizes[i],sizes[i],sizes[i],tm*1000.0/num,tm*mul_c[i]/num, num);
        /* Fewer iterations for the next, larger size; never drop to zero. */
        num/=7;
        if (num <= 0) num=1;
    }
    return;

err:
    ERR_print_errors_fp(stderr);
}
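/*
 * BN_X931_derive_prime_ex derives an X9.31-style prime |p| from the seeds
 * |Xp|, |Xp1| and |Xp2|.  |p1| and |p2| receive the auxiliary primes derived
 * from |Xp1| and |Xp2|; either may be NULL, in which case scratch space from
 * |ctx| is used and the value is discarded.  By construction the result
 * satisfies p = 1 (mod p1), p = -1 (mod p2), p >= Xp, gcd(p-1, e) = 1 and
 * passes 50 Miller-Rabin rounds.  Only odd |e| is supported.
 *
 * |cb| is invoked with (0, i) for the i-th candidate tried and (3, 0) on
 * success; a zero return from it aborts.
 *
 * Returns 1 on success and 0 on error, if |e| is even, if the primality
 * test itself fails, or if |cb| aborts.
 */
int BN_X931_derive_prime_ex(BIGNUM *p, BIGNUM *p1, BIGNUM *p2,
                            const BIGNUM *Xp, const BIGNUM *Xp1,
                            const BIGNUM *Xp2, const BIGNUM *e, BN_CTX *ctx,
                            BN_GENCB *cb)
{
    int ret = 0;
    int i = 1;                  /* candidate counter, kept across iterations */
    BIGNUM *t, *p1p2, *pm1;

    /* Only odd e supported: an even e can never be coprime to p-1. */
    if (!BN_is_odd(e))
        return 0;

    BN_CTX_start(ctx);
    if (p1 == NULL) {
        if ((p1 = BN_CTX_get(ctx)) == NULL)
            goto err;
    }
    if (p2 == NULL) {
        if ((p2 = BN_CTX_get(ctx)) == NULL)
            goto err;
    }
    if ((t = BN_CTX_get(ctx)) == NULL)
        goto err;
    if ((p1p2 = BN_CTX_get(ctx)) == NULL)
        goto err;
    if ((pm1 = BN_CTX_get(ctx)) == NULL)
        goto err;

    if (!bn_x931_derive_pi(p1, Xp1, ctx, cb))
        goto err;
    if (!bn_x931_derive_pi(p2, Xp2, ctx, cb))
        goto err;
    if (!BN_mul(p1p2, p1, p2, ctx))
        goto err;

    /*
     * Rp = (p2^-1 mod p1) * p2 - (p1^-1 mod p2) * p1, i.e. the CRT value
     * that is 1 mod p1 and -1 mod p2, normalised into [0, p1p2).
     */
    if (!BN_mod_inverse(p, p2, p1, ctx))
        goto err;
    if (!BN_mul(p, p, p2, ctx))
        goto err;
    if (!BN_mod_inverse(t, p1, p2, ctx))
        goto err;
    if (!BN_mul(t, t, p1, ctx))
        goto err;
    if (!BN_sub(p, p, t))
        goto err;
    if (BN_is_negative(p) && !BN_add(p, p, p1p2))
        goto err;
    /* p now equals Rp */

    /* Yp0 = Xp + ((Rp - Xp) mod p1p2): the smallest value >= Xp in Rp's class. */
    if (!BN_mod_sub(p, p, Xp, p1p2, ctx))
        goto err;
    if (!BN_add(p, p, Xp))
        goto err;
    /* p now equals Yp0 */

    for (;;) {
        if (!BN_GENCB_call(cb, 0, i++))
            goto err;
        if (!BN_copy(pm1, p))
            goto err;
        if (!BN_sub_word(pm1, 1))
            goto err;
        if (!BN_gcd(t, pm1, e, ctx))
            goto err;
        if (BN_is_one(t)) {
            /*
             * X9.31 specifies 8 MR and 1 Lucas test or any prime test
             * offering similar or better guarantees 50 MR is considerably
             * better.
             */
            int is_prime = BN_is_prime_fasttest_ex(p, 50, ctx, 1, cb);
            /* -1 means the test failed, not "prime": never accept p on it. */
            if (is_prime < 0)
                goto err;
            if (is_prime == 1)
                break;
        }
        /* Step to the next candidate in the same residue class. */
        if (!BN_add(p, p, p1p2))
            goto err;
    }
    if (!BN_GENCB_call(cb, 3, 0))
        goto err;
    ret = 1;
 err:
    BN_CTX_end(ctx);
    return ret;
}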
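/*
 * rsa_keypair generates an RSA key pair of |bits| bits with public exponent
 * |e_value| and returns both halves as NUL-terminated hex strings:
 * *secret_key = "<n>:<d>" and *public_key = "<n>:<e>".  Both strings are
 * malloc'd and owned by the caller (release with free(); the secret one
 * holds the private exponent, so wipe it before freeing).
 *
 * Returns 0 on success.  Returns -1 on any failure, in which case neither
 * output pointer is written and everything allocated here is released.
 */
int rsa_keypair(int bits, unsigned long e_value, char **public_key,
                char **secret_key)
{
    BIGNUM *n = NULL, *e = NULL, *d = NULL, *p = NULL, *q = NULL;
    BIGNUM *r0, *r1, *r2, *tmp;
    BN_CTX *ctx;
    char *buf1 = NULL, *buf2 = NULL, *buf3 = NULL;
    char *sec = NULL, *pub = NULL;
    size_t sec_len = 0, pub_len = 0;
    int bitsp, bitsq, ret = -1;
    unsigned int i;

    ctx = BN_CTX_new();
    if (ctx == NULL)
        return -1;
    /*
     * Scratch values come from the context's public pool (BN_CTX_start /
     * BN_CTX_get) instead of poking at ctx->bn / ctx->tos, which are
     * internals and not a stable interface.
     */
    BN_CTX_start(ctx);
    r0 = BN_CTX_get(ctx);
    r1 = BN_CTX_get(ctx);
    r2 = BN_CTX_get(ctx);
    if (r2 == NULL)
        goto err;

    bitsp = (bits + 1) / 2;
    bitsq = bits - bitsp;

    /*
     * set e, bit by bit: a BN_ULONG may be narrower than unsigned long, so
     * BN_set_word() could truncate e_value.  The shift must be done in
     * unsigned long (1UL); a plain 1<<i is undefined for i >= 32.
     */
    e = BN_new();
    if (e == NULL)
        goto err;
    for (i = 0; i < sizeof(unsigned long) * 8; i++) {
        if ((e_value & (1UL << i)) && !BN_set_bit(e, i))
            goto err;
    }

    /* generate p: a safe prime with gcd(p-1, e) == 1 */
    for (;;) {
        p = BN_generate_prime(NULL, bitsp, 1, NULL, NULL, NULL, NULL);
        if (p == NULL)
            goto err;
        if (!BN_sub(r2, p, BN_value_one()))
            goto err;
        if (!BN_gcd(r1, r2, e, ctx))
            goto err;
        if (BN_is_one(r1))
            break;
        BN_clear_free(p);
        p = NULL;
    }
    /* generate q: likewise, and distinct from p */
    for (;;) {
        q = BN_generate_prime(NULL, bitsq, 1, NULL, NULL, NULL, NULL);
        if (q == NULL)
            goto err;
        if (!BN_sub(r2, q, BN_value_one()))
            goto err;
        if (!BN_gcd(r1, r2, e, ctx))
            goto err;
        if (BN_is_one(r1) && BN_cmp(p, q) != 0)
            break;
        BN_clear_free(q);
        q = NULL;
    }
    /* keep p > q */
    if (BN_cmp(p, q) < 0) {
        tmp = p;
        p = q;
        q = tmp;
    }

    /* calculate n = p*q */
    n = BN_new();
    if (n == NULL)
        goto err;
    if (!BN_mul(n, p, q, ctx))
        goto err;

    /* calculate d = e^-1 mod (p-1)(q-1) */
    if (!BN_sub(r1, p, BN_value_one()))
        goto err;               /* p-1 */
    if (!BN_sub(r2, q, BN_value_one()))
        goto err;               /* q-1 */
    if (!BN_mul(r0, r1, r2, ctx))
        goto err;               /* (p-1)(q-1) */
    d = BN_mod_inverse(NULL, e, r0, ctx);
    if (d == NULL)
        goto err;

    /* n, d, e are ready: secret key "n:d", public key "n:e" */
    buf1 = BN_bn2hex(n);
    buf2 = BN_bn2hex(d);
    buf3 = BN_bn2hex(e);
    if (buf1 == NULL || buf2 == NULL || buf3 == NULL)
        goto err;
    sec_len = strlen(buf1) + strlen(buf2) + 2;  /* ':' and the NUL */
    pub_len = strlen(buf1) + strlen(buf3) + 2;
    sec = malloc(sec_len);
    pub = malloc(pub_len);
    if (sec == NULL || pub == NULL)
        goto err;
    snprintf(sec, sec_len, "%s:%s", buf1, buf2);
    snprintf(pub, pub_len, "%s:%s", buf1, buf3);

    *secret_key = sec;
    *public_key = pub;
    sec = pub = NULL;           /* ownership transferred to the caller */
    ret = 0;

 err:
    /* sec/pub are still set here only if we failed after allocating them. */
    if (sec != NULL)
        OPENSSL_cleanse(sec, sec_len);
    free(sec);
    free(pub);
    /* BN_bn2hex memory belongs to OpenSSL's allocator; buf2 is the private
     * exponent in hex, so scrub it before release. */
    if (buf2 != NULL)
        OPENSSL_cleanse(buf2, strlen(buf2));
    OPENSSL_free(buf1);
    OPENSSL_free(buf2);
    OPENSSL_free(buf3);
    BN_clear_free(n);
    BN_clear_free(e);
    BN_clear_free(d);
    BN_clear_free(p);
    BN_clear_free(q);
    BN_CTX_end(ctx);
    BN_CTX_free(ctx);
    return ret;
}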
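/*
 * generateRandomKeys fills |keys| with a fresh Paillier key pair.
 *
 * |key_len| selects the modulus size in bits: NULL or *key_len == 0 means
 * DEFAULT_KEY_LEN (and *key_len is updated to it when non-NULL).  Sizes
 * below 32 bits are rejected.  |ctx| is a caller-owned BN_CTX.
 *
 * On success returns 0 and keys->pub, keys->priv, keys->n and keys->n2 own
 * freshly allocated BIGNUMs.  On failure returns 1, prints the OpenSSL
 * error to stderr, frees everything allocated here and leaves |keys|
 * untouched.
 */
int generateRandomKeys(paillierKeys *keys, int *key_len, BN_CTX *ctx)
{
    int ret = 1, final_key_l = 0, ctx_started = 0;
    BIGNUM *p, *q, *tmp;
    BIGNUM *n = NULL, *n2 = NULL, *g = NULL, *lamda = NULL, *mu = NULL;
    BIGNUM *priv_n = NULL, *priv_n2 = NULL, *keys_n = NULL, *keys_n2 = NULL;

    if (key_len != NULL && *key_len == 0) {
        *key_len = DEFAULT_KEY_LEN;
        final_key_l = *key_len;
    } else if (key_len != NULL) {
        final_key_l = *key_len;
    } else {
        final_key_l = DEFAULT_KEY_LEN;
    }

    if (final_key_l < 32) {
        fprintf(stderr, "Key lenght too short. Minimum lenght 32 bits");
        goto end;
    }

    BN_CTX_start(ctx);
    ctx_started = 1;            // BN_CTX_end must only follow a BN_CTX_start

    // Temp BIGNUMs
    p = BN_CTX_get(ctx);
    q = BN_CTX_get(ctx);
    tmp = BN_CTX_get(ctx);
    if (tmp == NULL)
        goto end;

    // Part of the keys BIGNUMs
    n = BN_new();
    n2 = BN_new();
    g = BN_new();
    lamda = BN_new();
    mu = BN_new();
    if (n == NULL || n2 == NULL || g == NULL || lamda == NULL || mu == NULL)
        goto end;

    // 1. Choose two large prime numbers p != q with gcd(pq, (p-1)(q-1)) = 1.
    //    BN_generate_prime_ex draws from OpenSSL's own RNG, so seeding libc
    //    random() (as this used to do) had no effect on the primes.
    do {
        if (!BN_generate_prime_ex(p, final_key_l / 2, 0, NULL, NULL, NULL))
            goto end;
        if (!BN_generate_prime_ex(q, final_key_l / 2, 0, NULL, NULL, NULL))
            goto end;
        // 2. Compute n = pq
        if (!BN_mul(n, p, q, ctx))
            goto end;
        // From here on p and q hold p-1 and q-1; tmp = gcd((p-1)(q-1), n).
        if (!BN_sub_word(p, 1) || !BN_sub_word(q, 1))
            goto end;
        if (!BN_mul(tmp, p, q, ctx) || !BN_gcd(tmp, tmp, n, ctx))
            goto end;
        // Retry while p == q or the gcd is not 1.  BN_gcd's return value is a
        // success flag, not the gcd, so the computed value itself is tested.
    } while (BN_cmp(p, q) == 0 || !BN_is_one(tmp));

    // and lamda = lcm(p-1,q-1)
    if (!BN_lcm(lamda, p, q, ctx))
        goto end;
    if (!BN_mul(n2, n, n, ctx))
        goto end;

    // 3. Select a random non-zero g mod n2 ...
    // 4. ... such that n divides the order of g, i.e. L(g^lamda mod n2) is
    //    invertible mod n.  BN_mod_inverse returns NULL when no inverse
    //    exists, which is the retry condition (it also returns NULL on an
    //    allocation failure, which would keep retrying).
    do {
        do {
            if (!BN_rand_range(g, n2))
                goto end;
        } while (BN_is_zero(g));
        if (!BN_mod_exp(tmp, g, lamda, n2, ctx))
            goto end;
        if (L(tmp, tmp, n, ctx) != 0)
            goto end;
    } while (BN_mod_inverse(mu, tmp, n, ctx) == NULL);

    // Duplicate n and n2 before touching |keys| so that a failed allocation
    // leaves the caller's struct untouched.
    priv_n = BN_dup(n);
    priv_n2 = BN_dup(n2);
    keys_n = BN_dup(n);
    keys_n2 = BN_dup(n2);
    if (priv_n == NULL || priv_n2 == NULL || keys_n == NULL || keys_n2 == NULL)
        goto end;

    keys->pub.n = n;
    keys->pub.n2 = n2;
    keys->pub.g = g;
    keys->priv.n = priv_n;
    keys->priv.n2 = priv_n2;
    keys->priv.lamda = lamda;
    keys->priv.mu = mu;
    keys->n = keys_n;
    keys->n2 = keys_n2;
    ret = 0;

end:
    if (ret) {
        ERR_load_crypto_strings();
        fprintf(stderr, "Error generating keys: %s", ERR_error_string(ERR_get_error(), NULL));
        // Nothing was handed to |keys|; release everything built so far.
        BN_free(n);
        BN_free(n2);
        BN_free(g);
        BN_clear_free(lamda);
        BN_clear_free(mu);
        BN_free(priv_n);
        BN_free(priv_n2);
        BN_free(keys_n);
        BN_free(keys_n2);
    }
    if (ctx_started)
        BN_CTX_end(ctx);
    return ret;
}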
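// JNI entry point for NativeBN.BN_gcd: stores gcd(a, b) into the BIGNUM
// referenced by handle |r|.  Errors are reported to Java as exceptions via
// throwExceptionIfNecessary rather than through a return value.
extern "C" void Java_java_math_NativeBN_BN_1gcd(JNIEnv* env, jclass, jlong r, jlong a, jlong b) {
  if (!threeValidHandles(env, r, a, b)) return;
  Unique_BN_CTX ctx(BN_CTX_new());
  if (ctx.get() == NULL) {
    // BN_gcd dereferences the context unconditionally, so a failed
    // allocation must be reported here instead of passed through.
    throwExceptionIfNecessary(env);
    return;
  }
  BN_gcd(toBigNum(r), toBigNum(a), toBigNum(b), ctx.get());
  throwExceptionIfNecessary(env);
}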
// rsa_fips_partial_public_check performs the partial public-key validation of
// SP 800-89 5.3.3 on |key|: e has more than 16 and at most 256 bits, n and e
// are odd, n shares no factor with the small-prime product and n is a
// composite that is not a prime power. Returns one on success and zero, with
// an error pushed, otherwise.
static int rsa_fips_partial_public_check(const RSA *key) {
  BN_CTX *ctx = BN_CTX_new();
  if (ctx == NULL) {
    OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
    return 0;
  }

  BIGNUM small_gcd;
  BN_init(&small_gcd);
  enum bn_primality_result_t primality_result;

  // Evaluated left to right, so the cheap structural tests run before the
  // gcd and the primality test, and a failed test short-circuits the rest.
  int passed = BN_num_bits(key->e) > 16 && BN_num_bits(key->e) <= 256 &&
               BN_is_odd(key->n) && BN_is_odd(key->e) &&
               BN_gcd(&small_gcd, key->n, g_small_factors(), ctx) &&
               BN_is_one(&small_gcd) &&
               BN_enhanced_miller_rabin_primality_test(
                   &primality_result, key->n, BN_prime_checks, ctx, NULL) &&
               primality_result == bn_non_prime_power_composite;
  if (!passed) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_PUBLIC_KEY_VALIDATION_FAILED);
  }

  BN_free(&small_gcd);
  BN_CTX_free(ctx);
  return passed;
}

// rsa_fips_pairwise_test runs the FIPS 140-2 4.9.2 pairwise consistency test
// on |key| by signing and verifying a fixed all-zero 32-byte digest with
// SHA-256. Per FIPS 140-2 IG section 9.9 it is not known whether |key| will be
// used for signing or encryption, so either self-test is acceptable; signing
// is used here. Returns one if the signature round-trips and zero, with
// ERR_R_INTERNAL_ERROR pushed, otherwise.
static int rsa_fips_pairwise_test(RSA *key) {
  uint8_t data[32] = {0};
  unsigned sig_len = RSA_size(key);
  uint8_t *sig = OPENSSL_malloc(sig_len);
  if (sig == NULL) {
    OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
    return 0;
  }

  int passed = 0;
  if (RSA_sign(NID_sha256, data, sizeof(data), sig, &sig_len, key)) {
#if defined(BORINGSSL_FIPS_BREAK_RSA_PWCT)
    // Break-test build: corrupt the digest so the verification must fail.
    data[0] = ~data[0];
#endif
    passed = RSA_verify(NID_sha256, data, sizeof(data), sig, sig_len, key);
  }
  if (!passed) {
    OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
  }

  OPENSSL_free(sig);
  return passed;
}

// RSA_check_fips validates |key| for FIPS use: the consistency checks of
// |RSA_check_key|, the SP 800-89 5.3.3 partial public-key validation and, when
// the private half is present, a pairwise sign/verify consistency test. Opaque
// keys cannot be inspected and are rejected. Returns one if every applicable
// check passes and zero otherwise.
int RSA_check_fips(RSA *key) {
  if (RSA_is_opaque(key)) {
    // Opaque keys can't be checked.
    OPENSSL_PUT_ERROR(RSA, RSA_R_PUBLIC_KEY_VALIDATION_FAILED);
    return 0;
  }

  if (!RSA_check_key(key) || !rsa_fips_partial_public_check(key)) {
    return 0;
  }

  // With only a public key there's nothing else that can be checked.
  if (key->d == NULL || key->p == NULL) {
    return 1;
  }

  return rsa_fips_pairwise_test(key);
}
/*
 * RSA_check_key_ex validates the private components of |key| against each
 * other: e is odd and not 1; p, q and any extra primes r_i are probably
 * prime; n equals their product; d*e = 1 mod k where k is built from (p-1),
 * (q-1) and (r_i-1); and, when present, the CRT values dmp1, dmq1, iqmp (and
 * d_i, t_i for extra primes) agree with d, p, q and r_i.  |cb| is passed to
 * the primality tests.
 *
 * Returns 1 if every check passes, 0 if at least one check fails (an RSA_R_*
 * reason is pushed for each failed check and checking continues), and -1 on
 * an internal error such as an allocation or BN failure.
 */
int RSA_check_key_ex(const RSA *key, BN_GENCB *cb)
{
    BIGNUM *i, *j, *k, *l, *m;
    BN_CTX *ctx;
    int ret = 1, ex_primes = 0, idx;
    RSA_PRIME_INFO *pinfo;

    if (key->p == NULL || key->q == NULL || key->n == NULL
            || key->e == NULL || key->d == NULL) {
        RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_VALUE_MISSING);
        return 0;
    }

    /* multi-prime? */
    if (key->version == RSA_ASN1_VERSION_MULTI) {
        ex_primes = sk_RSA_PRIME_INFO_num(key->prime_infos);
        /* The number of primes is capped as a function of the modulus size. */
        if (ex_primes <= 0
                || (ex_primes + 2) > rsa_multip_cap(BN_num_bits(key->n))) {
            RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_INVALID_MULTI_PRIME_KEY);
            return 0;
        }
    }

    i = BN_new();
    j = BN_new();
    k = BN_new();
    l = BN_new();
    m = BN_new();
    ctx = BN_CTX_new();
    if (i == NULL || j == NULL || k == NULL || l == NULL
            || m == NULL || ctx == NULL) {
        ret = -1;
        RSAerr(RSA_F_RSA_CHECK_KEY_EX, ERR_R_MALLOC_FAILURE);
        goto err;
    }

    /* Checks below that fail set ret = 0 but keep going, so that every
     * problem with the key is reported, not just the first. */
    if (BN_is_one(key->e)) {
        ret = 0;
        RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_BAD_E_VALUE);
    }
    if (!BN_is_odd(key->e)) {
        ret = 0;
        RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_BAD_E_VALUE);
    }

    /* p prime? */
    if (BN_is_prime_ex(key->p, BN_prime_checks, NULL, cb) != 1) {
        ret = 0;
        RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_P_NOT_PRIME);
    }

    /* q prime? */
    if (BN_is_prime_ex(key->q, BN_prime_checks, NULL, cb) != 1) {
        ret = 0;
        RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_Q_NOT_PRIME);
    }

    /* r_i prime? */
    for (idx = 0; idx < ex_primes; idx++) {
        pinfo = sk_RSA_PRIME_INFO_value(key->prime_infos, idx);
        if (BN_is_prime_ex(pinfo->r, BN_prime_checks, NULL, cb) != 1) {
            ret = 0;
            RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_MP_R_NOT_PRIME);
        }
    }

    /* n = p*q * r_3...r_i? */
    if (!BN_mul(i, key->p, key->q, ctx)) {
        ret = -1;
        goto err;
    }
    for (idx = 0; id
x < ex_primes; idx++) {
        pinfo = sk_RSA_PRIME_INFO_value(key->prime_infos, idx);
        if (!BN_mul(i, i, pinfo->r, ctx)) {
            ret = -1;
            goto err;
        }
    }
    if (BN_cmp(i, key->n) != 0) {
        ret = 0;
        if (ex_primes)
            RSAerr(RSA_F_RSA_CHECK_KEY_EX,
                   RSA_R_N_DOES_NOT_EQUAL_PRODUCT_OF_PRIMES);
        else
            RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_N_DOES_NOT_EQUAL_P_Q);
    }

    /* d*e = 1 mod \lambda(n)? */
    if (!BN_sub(i, key->p, BN_value_one())) {
        ret = -1;
        goto err;
    }
    if (!BN_sub(j, key->q, BN_value_one())) {
        ret = -1;
        goto err;
    }

    /* now compute k = \lambda(n) = LCM(i, j, r_3 - 1...) */
    /* l accumulates the product of the (prime - 1) terms and m the gcd of
     * all of them; k = l / m.  For two factors this is exactly the LCM.
     * NOTE(review): with more than two factors, product / gcd(all) is a
     * multiple of the LCM rather than the LCM itself, so the d*e test below
     * is stricter than lambda(n) strictly requires -- confirm this is the
     * intended contract for multi-prime keys. */
    if (!BN_mul(l, i, j, ctx)) {
        ret = -1;
        goto err;
    }
    if (!BN_gcd(m, i, j, ctx)) {
        ret = -1;
        goto err;
    }
    for (idx = 0; idx < ex_primes; idx++) {
        pinfo = sk_RSA_PRIME_INFO_value(key->prime_infos, idx);
        if (!BN_sub(k, pinfo->r, BN_value_one())) {
            ret = -1;
            goto err;
        }
        if (!BN_mul(l, l, k, ctx)) {
            ret = -1;
            goto err;
        }
        if (!BN_gcd(m, m, k, ctx)) {
            ret = -1;
            goto err;
        }
    }
    if (!BN_div(k, NULL, l, m, ctx)) { /* remainder is 0 */
        ret = -1;
        goto err;
    }
    if (!BN_mod_mul(i, key->d, key->e, k, ctx)) {
        ret = -1;
        goto err;
    }

    if (!BN_is_one(i)) {
        ret = 0;
        RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_D_E_NOT_CONGRUENT_TO_1);
    }

    /* CRT values are optional; they are only checked when all three exist. */
    if (key->dmp1 != NULL && key->dmq1 != NULL && key->iqmp != NULL) {
        /* dmp1 = d mod (p-1)? */
        if (!BN_sub(i, key->p, BN_value_one())) {
            ret = -1;
            goto err;
        }
        if (!BN_mod(j, key->d, i, ctx)) {
            ret = -1;
            goto err;
        }
        if (BN_cmp(j, key->dmp1) != 0) {
            ret = 0;
            RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_DMP1_NOT_CONGRUENT_TO_D);
        }

        /* dmq1 = d mod (q-1)? */
        if (!BN_sub(i, key->q, BN_value_one())) {
            ret = -1;
            goto err;
        }
        if (!BN_mod(j, key->d, i, ctx)) {
            ret = -1;
            goto err;
        }
        if (BN_cmp(j, key->dmq1) != 0) {
            ret = 0;
            RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_DMQ1_NOT_CONGRUENT_TO_D);
        }

        /* iqmp = q^-1 mod p? */
        if (!BN_mod_inverse(i, key->q, key->p, ctx)) {
            ret = -1;
            goto err;
        }
        if (BN_cmp(i, key->iqmp) != 0) {
            ret = 0;
            RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_IQMP_NOT_INVERSE_OF_Q);
        }
    }

    for (idx = 0; idx < ex_primes; idx++) {
        pinfo = sk_RSA_PRIME_INFO_value(key->prime_infos, idx);
        /* d_i = d mod (r_i - 1)? */
        if (!BN_sub(i, pinfo->r, BN_value_one())) {
            ret = -1;
            goto err;
        }
        if (!BN_mod(j, key->d, i, ctx)) {
            ret = -1;
            goto err;
        }
        if (BN_cmp(j, pinfo->d) != 0) {
            ret = 0;
            RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_MP_EXPONENT_NOT_CONGRUENT_TO_D);
        }
        /* t_i = R_i ^ -1 mod r_i ?  (pinfo->pp is R_i, the product of the
         * primes preceding r_i) */
        if (!BN_mod_inverse(i, pinfo->pp, pinfo->r, ctx)) {
            ret = -1;
            goto err;
        }
        if (BN_cmp(i, pinfo->t) != 0) {
            ret = 0;
            RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_MP_COEFFICIENT_NOT_INVERSE_OF_R);
        }
    }

 err:
    BN_free(i);
    BN_free(j);
    BN_free(k);
    BN_free(l);
    BN_free(m);
    BN_CTX_free(ctx);
    return ret;
}
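// RSA_check_key performs basic consistency checks on |key|: n = p*q,
// d*e = 1 (mod lcm(p-1, q-1)) and, when CRT values are present, that dmp1,
// dmq1 and iqmp are derived from d, p and q. Opaque keys and public keys (no
// d, p or q) cannot be checked and are accepted. Returns one if the key is
// consistent and zero otherwise, with a reason pushed on the error queue.
//
// NOTE(review): the BN_gcd, BN_div and BN_mod calls below take the private
// factors as operands and nothing here marks them constant-time, so treat the
// running time of this function as possibly dependent on p and q.
int RSA_check_key(const RSA *key) {
  BIGNUM n, pm1, qm1, lcm, gcd, de, dmp1, dmq1, iqmp_times_q;
  BN_CTX *ctx;
  int ok = 0, has_crt_values;

  if (RSA_is_opaque(key)) {
    // Opaque keys can't be checked.
    return 1;
  }

  if ((key->p != NULL) != (key->q != NULL)) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_ONLY_ONE_OF_P_Q_GIVEN);
    return 0;
  }

  if (!key->n || !key->e) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_VALUE_MISSING);
    return 0;
  }

  if (!key->d || !key->p) {
    // For a public key, or without p and q, there's nothing that can be
    // checked.
    return 1;
  }

  ctx = BN_CTX_new();
  if (ctx == NULL) {
    OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
    return 0;
  }

  BN_init(&n);
  BN_init(&pm1);
  BN_init(&qm1);
  BN_init(&lcm);
  BN_init(&gcd);
  BN_init(&de);
  BN_init(&dmp1);
  BN_init(&dmq1);
  BN_init(&iqmp_times_q);

  // lcm = lcm(p-1, q-1) = (p-1)(q-1) / gcd(p-1, q-1). The gcd is needed
  // exactly once; computing it a second time (as this used to) only wasted
  // work on private operands.
  if (!BN_mul(&n, key->p, key->q, ctx) ||
      !BN_sub(&pm1, key->p, BN_value_one()) ||
      !BN_sub(&qm1, key->q, BN_value_one()) ||
      !BN_mul(&lcm, &pm1, &qm1, ctx) ||
      !BN_gcd(&gcd, &pm1, &qm1, ctx) ||
      !BN_div(&lcm, NULL, &lcm, &gcd, ctx) ||
      // de = d*e mod lcm(p-1, q-1).
      !BN_mod_mul(&de, key->d, key->e, &lcm, ctx)) {
    OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN);
    goto out;
  }

  if (BN_cmp(&n, key->n) != 0) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_N_NOT_EQUAL_P_Q);
    goto out;
  }

  if (!BN_is_one(&de)) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_D_E_NOT_CONGRUENT_TO_1);
    goto out;
  }

  // The three CRT values are optional, but must be all present or all absent.
  has_crt_values = key->dmp1 != NULL;
  if (has_crt_values != (key->dmq1 != NULL) ||
      has_crt_values != (key->iqmp != NULL)) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_INCONSISTENT_SET_OF_CRT_VALUES);
    goto out;
  }

  if (has_crt_values) {
    if (// dmp1 = d mod (p-1)
        !BN_mod(&dmp1, key->d, &pm1, ctx) ||
        // dmq1 = d mod (q-1)
        !BN_mod(&dmq1, key->d, &qm1, ctx) ||
        // iqmp = q^-1 mod p, verified as iqmp * q == 1 (mod p)
        !BN_mod_mul(&iqmp_times_q, key->iqmp, key->q, key->p, ctx)) {
      OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN);
      goto out;
    }

    // iqmp must also be fully reduced (iqmp < p), not just an inverse.
    if (BN_cmp(&dmp1, key->dmp1) != 0 ||
        BN_cmp(&dmq1, key->dmq1) != 0 ||
        BN_cmp(key->iqmp, key->p) >= 0 ||
        !BN_is_one(&iqmp_times_q)) {
      OPENSSL_PUT_ERROR(RSA, RSA_R_CRT_VALUES_INCORRECT);
      goto out;
    }
  }

  ok = 1;

out:
  BN_free(&n);
  BN_free(&pm1);
  BN_free(&qm1);
  BN_free(&lcm);
  BN_free(&gcd);
  BN_free(&de);
  BN_free(&dmp1);
  BN_free(&dmq1);
  BN_free(&iqmp_times_q);
  BN_CTX_free(ctx);

  return ok;
}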
/*
 * Refer to FIPS 186-4 C.3.2 Enhanced Miller-Rabin Probabilistic Primality Test.
 * OR C.3.1 Miller-Rabin Probabilistic Primality Test (if enhanced is zero).
 * The Step numbers listed in the code refer to the enhanced case.
 *
 * w must be odd and larger than 3.  iterations is the number of Miller-Rabin
 * rounds; BN_prime_checks selects a count based on the size of w.  cb, if
 * non-NULL, is invoked with (1, i) after each round that w survives and may
 * abort the test by returning 0.
 *
 * if enhanced is set, then status returns one of the following:
 *     BN_PRIMETEST_PROBABLY_PRIME
 *     BN_PRIMETEST_COMPOSITE_WITH_FACTOR
 *     BN_PRIMETEST_COMPOSITE_NOT_POWER_OF_PRIME
 * if enhanced is zero, then status returns either
 *     BN_PRIMETEST_PROBABLY_PRIME or
 *     BN_PRIMETEST_COMPOSITE
 *
 * returns 0 if there was an error, otherwise it returns 1.  *status is only
 * meaningful when 1 is returned.
 */
int bn_miller_rabin_is_prime(const BIGNUM *w, int iterations, BN_CTX *ctx,
                             BN_GENCB *cb, int enhanced, int *status)
{
    int i, j, a, ret = 0;
    BIGNUM *g, *w1, *w3, *x, *m, *z, *b;
    BN_MONT_CTX *mont = NULL;

    /* w must be odd */
    if (!BN_is_odd(w))
        return 0;

    BN_CTX_start(ctx);
    g = BN_CTX_get(ctx);
    w1 = BN_CTX_get(ctx);
    w3 = BN_CTX_get(ctx);
    x = BN_CTX_get(ctx);
    m = BN_CTX_get(ctx);
    z = BN_CTX_get(ctx);
    b = BN_CTX_get(ctx);

    /* Only the last BN_CTX_get needs checking: once one fails, all later
     * calls on the same context fail too. */
    if (!(b != NULL
            /* w1 := w - 1 */
            && BN_copy(w1, w)
            && BN_sub_word(w1, 1)
            /* w3 := w - 3 */
            && BN_copy(w3, w)
            && BN_sub_word(w3, 3)))
        goto err;

    /* check w is larger than 3, otherwise the random b will be too small */
    if (BN_is_zero(w3) || BN_is_negative(w3))
        goto err;

    /* (Step 1) Calculate largest integer 'a' such that 2^a divides w-1 */
    /* w is odd, so bit 0 of w-1 is clear and the scan can start at bit 1. */
    a = 1;
    while (!BN_is_bit_set(w1, a))
        a++;
    /* (Step 2) m = (w-1) / 2^a */
    if (!BN_rshift(m, w1, a))
        goto err;

    /* Montgomery setup for computations mod w */
    mont = BN_MONT_CTX_new();
    if (mont == NULL || !BN_MONT_CTX_set(mont, w, ctx))
        goto err;

    if (iterations == BN_prime_checks)
        iterations = BN_prime_checks_for_size(BN_num_bits(w));

    /* (Step 4) */
    for (i = 0; i < iterations; ++i) {
        /* (Step 4.1) obtain a Random string of bits b where 1 < b < w-1 */
        /* b is drawn in [0, w-3) and shifted by 2, giving 2 <= b <= w-2. */
        if (!BN_priv_rand_range(b, w3) || !BN_add_word(b, 2)) /* 1 < b < w-1 */
            goto err;
        if (enhanced) {
            /* (Step 4.3) */
            if (!BN_gcd(g, b, w, ctx))
                goto err;
            /* (Step 4.4) */
            if (!BN_is_one(g)) {
                *status = BN_PRIMETEST_COMPOSITE_WITH_FACTOR;
                ret = 1;
                goto err;
            }
        }
        /* (Step 4.5) z = b^m mod w */
        if (!BN_mod_exp_mont(z, b, m, w, ctx, mont))
            goto err;
        /* (Step 4.6) if (z = 1 or z = w-1) */
        if (BN_is_one(z) || BN_cmp(z, w1) == 0)
            goto outer_loop;
        /* (Step 4.7) for j = 1 to a-1 */
        for (j = 1; j < a ; ++j) {
            /* (Step 4.7.1 - 4.7.2) x = z. z = x^2 mod w */
            if (!BN_copy(x, z) || !BN_mod_mul(z, x, x, w, ctx))
                goto err;
            /* (Step 4.7.3) */
            if (BN_cmp(z, w1) == 0)
                goto outer_loop;
            /* (Step 4.7.4) */
            if (BN_is_one(z))
                goto composite;
        }
        /* At this point z = b^((w-1)/2) mod w */
        /* (Steps 4.8 - 4.9) x = z, z = x^2 mod w */
        if (!BN_copy(x, z) || !BN_mod_mul(z, x, x, w, ctx))
            goto err;
        /* (Step 4.10) */
        if (BN_is_one(z))
            goto composite;
        /* (Step 4.11) x = b^(w-1) mod w */
        if (!BN_copy(x, z))
            goto err;
composite:
        /* Reached with x holding the last value whose square was 1 (or
         * b^(w-1)); in enhanced mode gcd(x-1, w) classifies the composite. */
        if (enhanced) {
            /* (Step 4.1.2) g = GCD(x-1, w) */
            if (!BN_sub_word(x, 1) || !BN_gcd(g, x, w, ctx))
                goto err;
            /* (Steps 4.1.3 - 4.1.4) */
            if (BN_is_one(g))
                *status = BN_PRIMETEST_COMPOSITE_NOT_POWER_OF_PRIME;
            else
                *status = BN_PRIMETEST_COMPOSITE_WITH_FACTOR;
        } else {
            *status = BN_PRIMETEST_COMPOSITE;
        }
        /* A composite verdict is a successful test, hence ret = 1 here. */
        ret = 1;
        goto err;
outer_loop: ;
        /* (Step 4.1.5) */
        if (!BN_GENCB_call(cb, 1, i))
            goto err;
    }
    /* (Step 5) */
    *status = BN_PRIMETEST_PROBABLY_PRIME;
    ret = 1;
err:
    /* err doubles as the common exit: scrub the scratch values (they are
     * derived from a possibly secret w) before handing them back. */
    BN_clear(g);
    BN_clear(w1);
    BN_clear(w3);
    BN_clear(x);
    BN_clear(m);
    BN_clear(z);
    BN_clear(b);
    BN_CTX_end(ctx);
    BN_MONT_CTX_free(mont);
    return ret;
}
// RSA_generate_key_ex generates a fresh RSA key of |bits| bits (rounded down
// to a multiple of 128, minimum 256) into |rsa| with public exponent
// |e_value|, following the structure of FIPS 186-4 appendix B.3: p and q of
// bits/2 bits each, d = e^-1 mod lcm(p-1, q-1) with d > 2^(bits/2), n, dmp1,
// dmq1, and the CRT inverse via |freeze_private_key|. The generated key is
// re-validated with |RSA_check_key| before being reported as good. |cb| is
// passed to the prime search and also invoked with (3, 0) and (3, 1) once p
// and q are accepted. Returns one on success and zero on failure with an
// error pushed.
//
// NOTE(review): |e_value| is copied into rsa->e without any size or parity
// check in this function; the only visible constraint on e is
// |generate_prime|'s gcd(prime-1, e) == 1 test. Any stricter policy on e
// must come from the caller (e.g. |RSA_generate_key_fips|).
int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb) {
  // See FIPS 186-4 appendix B.3. This function implements a generalized version
  // of the FIPS algorithm. |RSA_generate_key_fips| performs additional checks
  // for FIPS-compliant key generation.

  // Always generate RSA keys which are a multiple of 128 bits. Round |bits|
  // down as needed.
  bits &= ~127;

  // Reject excessively small keys.
  if (bits < 256) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL);
    return 0;
  }

  int ret = 0;
  BN_CTX *ctx = BN_CTX_new();
  if (ctx == NULL) {
    goto bn_err;
  }
  BN_CTX_start(ctx);
  BIGNUM *totient = BN_CTX_get(ctx);
  BIGNUM *pm1 = BN_CTX_get(ctx);
  BIGNUM *qm1 = BN_CTX_get(ctx);
  BIGNUM *gcd = BN_CTX_get(ctx);
  BIGNUM *sqrt2 = BN_CTX_get(ctx);
  if (totient == NULL || pm1 == NULL || qm1 == NULL || gcd == NULL ||
      sqrt2 == NULL) {
    goto bn_err;
  }

  // We need the RSA components non-NULL.
  if (!ensure_bignum(&rsa->n) ||
      !ensure_bignum(&rsa->d) ||
      !ensure_bignum(&rsa->e) ||
      !ensure_bignum(&rsa->p) ||
      !ensure_bignum(&rsa->q) ||
      !ensure_bignum(&rsa->dmp1) ||
      !ensure_bignum(&rsa->dmq1)) {
    goto bn_err;
  }

  if (!BN_copy(rsa->e, e_value)) {
    goto bn_err;
  }

  int prime_bits = bits / 2;

  // Compute sqrt2 >= ⌊2^(prime_bits-1)×√2⌋.
  // kBoringSSLRSASqrtTwo holds a fixed-precision √2 which is shifted to the
  // prime size; |generate_prime| rejects candidates at or below this bound.
  if (!bn_set_words(sqrt2, kBoringSSLRSASqrtTwo, kBoringSSLRSASqrtTwoLen)) {
    goto bn_err;
  }
  int sqrt2_bits = kBoringSSLRSASqrtTwoLen * BN_BITS2;
  assert(sqrt2_bits == (int)BN_num_bits(sqrt2));
  if (sqrt2_bits > prime_bits) {
    // For key sizes up to 3072 (prime_bits = 1536), this is exactly
    // ⌊2^(prime_bits-1)×√2⌋.
    if (!BN_rshift(sqrt2, sqrt2, sqrt2_bits - prime_bits)) {
      goto bn_err;
    }
  } else if (prime_bits > sqrt2_bits) {
    // For key sizes beyond 3072, this is approximate. We err towards retrying
    // to ensure our key is the right size and round up.
    if (!BN_add_word(sqrt2, 1) ||
        !BN_lshift(sqrt2, sqrt2, prime_bits - sqrt2_bits)) {
      goto bn_err;
    }
  }
  assert(prime_bits == (int)BN_num_bits(sqrt2));

  do {
    // Generate p and q, each of size |prime_bits|, using the steps outlined in
    // appendix FIPS 186-4 appendix B.3.3.
    if (!generate_prime(rsa->p, prime_bits, rsa->e, NULL, sqrt2, ctx, cb) ||
        !BN_GENCB_call(cb, 3, 0) ||
        !generate_prime(rsa->q, prime_bits, rsa->e, rsa->p, sqrt2, ctx, cb) ||
        !BN_GENCB_call(cb, 3, 1)) {
      goto bn_err;
    }

    // Keep p > q; the pointers are swapped, not the values.
    if (BN_cmp(rsa->p, rsa->q) < 0) {
      BIGNUM *tmp = rsa->p;
      rsa->p = rsa->q;
      rsa->q = tmp;
    }

    // Calculate d = e^(-1) (mod lcm(p-1, q-1)), per FIPS 186-4. This differs
    // from typical RSA implementations which use (p-1)*(q-1).
    //
    // Note this means the size of d might reveal information about p-1 and
    // q-1. However, we do operations with Chinese Remainder Theorem, so we only
    // use d (mod p-1) and d (mod q-1) as exponents. Using a minimal totient
    // does not affect those two values.
    if (!BN_sub(pm1, rsa->p, BN_value_one()) ||
        !BN_sub(qm1, rsa->q, BN_value_one()) ||
        !BN_mul(totient, pm1, qm1, ctx) ||
        !BN_gcd(gcd, pm1, qm1, ctx) ||
        !BN_div(totient, NULL, totient, gcd, ctx) ||
        !BN_mod_inverse(rsa->d, rsa->e, totient, ctx)) {
      goto bn_err;
    }

    // Check that |rsa->d| > 2^|prime_bits| and try again if it fails. See
    // appendix B.3.1's guidance on values for d.
    // A failed check regenerates both primes, not just d.
  } while (!rsa_greater_than_pow2(rsa->d, prime_bits));

  if (// Calculate n.
      !BN_mul(rsa->n, rsa->p, rsa->q, ctx) ||
      // Calculate d mod (p-1).
      !BN_mod(rsa->dmp1, rsa->d, pm1, ctx) ||
      // Calculate d mod (q-1)
      !BN_mod(rsa->dmq1, rsa->d, qm1, ctx)) {
    goto bn_err;
  }

  // Sanity-check that |rsa->n| has the specified size. This is implied by
  // |generate_prime|'s bounds.
  if (BN_num_bits(rsa->n) != (unsigned)bits) {
    OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
    goto err;
  }

  // Call |freeze_private_key| to compute the inverse of q mod p, by way of
  // |rsa->mont_p|.
  if (!freeze_private_key(rsa, ctx)) {
    goto bn_err;
  }

  // The key generation process is complex and thus error-prone. It could be
  // disastrous to generate and then use a bad key so double-check that the key
  // makes sense.
  if (!RSA_check_key(rsa)) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_INTERNAL_ERROR);
    goto err;
  }

  ret = 1;

bn_err:
  // bn_err is for BN-level failures that have not yet pushed an RSA error;
  // the two explicit RSA errors above jump straight to err instead.
  if (!ret) {
    OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN);
  }
err:
  if (ctx != NULL) {
    BN_CTX_end(ctx);
    BN_CTX_free(ctx);
  }
  return ret;
}
// generate_prime sets |out| to a prime with length |bits| such that |out|-1 is
// relatively prime to |e|. If |p| is non-NULL, |out| will also not be close to
// |p|. |sqrt2| is the caller's precomputed lower bound ⌊2^(bits-1)×√2⌋ (or an
// over-approximation of it); candidates at or below it are rejected so the
// product of two such primes has exactly 2*|bits| bits. |bits| must be at
// least 128 and a multiple of BN_BITS2. |cb| receives (BN_GENCB_GENERATED, i)
// for each candidate drawn and (2, tries) for each candidate that fails the
// gcd or primality test; a zero return aborts. Returns one on success and
// zero on error, including when the FIPS iteration limit is exhausted.
static int generate_prime(BIGNUM *out, int bits, const BIGNUM *e,
                          const BIGNUM *p, const BIGNUM *sqrt2, BN_CTX *ctx,
                          BN_GENCB *cb) {
  if (bits < 128 || (bits % BN_BITS2) != 0) {
    OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
    return 0;
  }

  // See FIPS 186-4 appendix B.3.3, steps 4 and 5. Note |bits| here is nlen/2.

  // Use the limit from steps 4.7 and 5.8 for most values of |e|. When |e| is 3,
  // the 186-4 limit is too low, so we use a higher one. Note this case is not
  // reachable from |RSA_generate_key_fips|.
  // The INT_MAX/32 guard keeps bits * 32 below from overflowing.
  if (bits >= INT_MAX/32) {
    OPENSSL_PUT_ERROR(RSA, RSA_R_MODULUS_TOO_LARGE);
    return 0;
  }
  int limit = BN_is_word(e, 3) ? bits * 32 : bits * 5;

  int ret = 0, tries = 0, rand_tries = 0;
  BN_CTX_start(ctx);
  BIGNUM *tmp = BN_CTX_get(ctx);
  if (tmp == NULL) {
    goto err;
  }

  for (;;) {
    // Generate a random number of length |bits| where the bottom bit is set
    // (steps 4.2, 4.3, 5.2 and 5.3) and the top bit is set (implied by the
    // bound checked below in steps 4.4 and 5.5).
    if (!BN_rand(out, bits, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ODD) ||
        !BN_GENCB_call(cb, BN_GENCB_GENERATED, rand_tries++)) {
      goto err;
    }

    if (p != NULL) {
      // If |p| and |out| are too close, try again (step 5.4).
      // Note: this `continue` and the sqrt2 one below skip `tries++`, so
      // only candidates that reach the gcd/primality stage count toward
      // |limit|; |rand_tries| counts every draw.
      if (!BN_sub(tmp, out, p)) {
        goto err;
      }
      BN_set_negative(tmp, 0);
      if (!rsa_greater_than_pow2(tmp, bits - 100)) {
        continue;
      }
    }

    // If out < 2^(bits-1)×√2, try again (steps 4.4 and 5.5). This is equivalent
    // to out <= ⌊2^(bits-1)×√2⌋, or out <= sqrt2 for FIPS key sizes.
    //
    // For larger keys, the comparison is approximate, leaning towards
    // retrying. That is, we reject a negligible fraction of primes that are
    // within the FIPS bound, but we will never accept a prime outside the
    // bound, ensuring the resulting RSA key is the right size.
    if (BN_cmp(out, sqrt2) <= 0) {
      continue;
    }

    // Check gcd(out-1, e) is one (steps 4.5 and 5.6).
    if (!BN_sub(tmp, out, BN_value_one()) ||
        !BN_gcd(tmp, tmp, e, ctx)) {
      goto err;
    }
    if (BN_is_one(tmp)) {
      // Test |out| for primality (steps 4.5.1 and 5.6.1).
      int is_probable_prime;
      if (!BN_primality_test(&is_probable_prime, out, BN_prime_checks, ctx, 1,
                             cb)) {
        goto err;
      }
      if (is_probable_prime) {
        // Success exits through err as well; ret distinguishes the cases.
        ret = 1;
        goto err;
      }
    }

    // If we've tried too many times to find a prime, abort (steps 4.7 and
    // 5.8).
    tries++;
    if (tries >= limit) {
      OPENSSL_PUT_ERROR(RSA, RSA_R_TOO_MANY_ITERATIONS);
      goto err;
    }
    if (!BN_GENCB_call(cb, 2, tries)) {
      goto err;
    }
  }

err:
  BN_CTX_end(ctx);
  return ret;
}
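/*
 * rsa_builtin_keygen generates a |bits|-bit RSA key pair into |rsa| with
 * public exponent |e_value|.
 *
 * p gets (bits+1)/2 bits and q the remainder; each is regenerated until
 * gcd(prime-1, e) == 1, and q is additionally regenerated (at most three
 * times) while it equals p.  Then n = p*q, d = e^-1 mod (p-1)(q-1),
 * dmp1 = d mod (p-1), dmq1 = d mod (q-1) and iqmp = q^-1 mod p.  Any of
 * rsa->{n,d,e,p,q,dmp1,dmq1,iqmp} that is NULL on entry is allocated.
 * Unless RSA_FLAG_NO_CONSTTIME is set, the inversions and reductions on
 * private values go through BIGNUMs flagged BN_FLG_CONSTTIME.
 * |cb| is invoked with (2, n) for every rejected candidate and with
 * (3, 0) / (3, 1) once p / q are accepted; a zero return from it aborts.
 *
 * Returns 1 on success and 0 on failure with an RSA error pushed.
 */
static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
{
    BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL, *r3 = NULL, *tmp;
    BIGNUM local_r0, local_d, local_p;
    BIGNUM *pr0, *d, *p;
    int bitsp, bitsq, ok = -1, n = 0;
    BN_CTX *ctx = NULL;

    ctx = BN_CTX_new();
    if (ctx == NULL)
        goto err;
    BN_CTX_start(ctx);
    r0 = BN_CTX_get(ctx);
    r1 = BN_CTX_get(ctx);
    r2 = BN_CTX_get(ctx);
    r3 = BN_CTX_get(ctx);
    if (r3 == NULL)             /* once one BN_CTX_get fails, the rest do */
        goto err;

    bitsp = (bits + 1) / 2;
    bitsq = bits - bitsp;

    /* We need the RSA components non-NULL */
    if (!rsa->n && ((rsa->n = BN_new()) == NULL))
        goto err;
    if (!rsa->d && ((rsa->d = BN_new()) == NULL))
        goto err;
    if (!rsa->e && ((rsa->e = BN_new()) == NULL))
        goto err;
    if (!rsa->p && ((rsa->p = BN_new()) == NULL))
        goto err;
    if (!rsa->q && ((rsa->q = BN_new()) == NULL))
        goto err;
    if (!rsa->dmp1 && ((rsa->dmp1 = BN_new()) == NULL))
        goto err;
    if (!rsa->dmq1 && ((rsa->dmq1 = BN_new()) == NULL))
        goto err;
    if (!rsa->iqmp && ((rsa->iqmp = BN_new()) == NULL))
        goto err;

    /*
     * BN_copy can fail (it may need to grow rsa->e).  Left unchecked, a
     * failure would leave rsa->e empty or stale and the rest of the
     * generation would silently produce a key with the wrong public
     * exponent.
     */
    if (BN_copy(rsa->e, e_value) == NULL)
        goto err;

    /* generate p and q */
    for (;;) {
        if (!BN_generate_prime_ex(rsa->p, bitsp, 0, NULL, NULL, cb))
            goto err;
        if (!BN_sub(r2, rsa->p, BN_value_one()))
            goto err;
        if (!BN_gcd(r1, r2, rsa->e, ctx))
            goto err;
        if (BN_is_one(r1))
            break;
        if (!BN_GENCB_call(cb, 2, n++))
            goto err;
    }
    if (!BN_GENCB_call(cb, 3, 0))
        goto err;
    for (;;) {
        /*
         * When generating ridiculously small keys, we can get stuck
         * continually regenerating the same prime values. Check for
         * this and bail if it happens 3 times.
         */
        unsigned int degenerate = 0;
        do {
            if (!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL, cb))
                goto err;
        } while ((BN_cmp(rsa->p, rsa->q) == 0) && (++degenerate < 3));
        if (degenerate == 3) {
            ok = 0;             /* we set our own err */
            RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, RSA_R_KEY_SIZE_TOO_SMALL);
            goto err;
        }
        if (!BN_sub(r2, rsa->q, BN_value_one()))
            goto err;
        if (!BN_gcd(r1, r2, rsa->e, ctx))
            goto err;
        if (BN_is_one(r1))
            break;
        if (!BN_GENCB_call(cb, 2, n++))
            goto err;
    }
    if (!BN_GENCB_call(cb, 3, 1))
        goto err;
    /* keep p > q (the usual ordering for the CRT parameters); the
     * pointers are swapped, not the values */
    if (BN_cmp(rsa->p, rsa->q) < 0) {
        tmp = rsa->p;
        rsa->p = rsa->q;
        rsa->q = tmp;
    }

    /* calculate n */
    if (!BN_mul(rsa->n, rsa->p, rsa->q, ctx))
        goto err;

    /* calculate d */
    if (!BN_sub(r1, rsa->p, BN_value_one()))
        goto err;               /* p-1 */
    if (!BN_sub(r2, rsa->q, BN_value_one()))
        goto err;               /* q-1 */
    if (!BN_mul(r0, r1, r2, ctx))
        goto err;               /* (p-1)(q-1) */
    /* Wrap r0 in a const-time view so BN_mod_inverse takes its
     * constant-time path on the secret totient. */
    if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
        pr0 = &local_r0;
        BN_with_flags(pr0, r0, BN_FLG_CONSTTIME);
    } else
        pr0 = r0;
    if (!BN_mod_inverse(rsa->d, rsa->e, pr0, ctx))
        goto err;               /* d */

    /* set up d for correct BN_FLG_CONSTTIME flag */
    if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
        d = &local_d;
        BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
    } else
        d = rsa->d;

    /* calculate d mod (p-1) */
    if (!BN_mod(rsa->dmp1, d, r1, ctx))
        goto err;

    /* calculate d mod (q-1) */
    if (!BN_mod(rsa->dmq1, d, r2, ctx))
        goto err;

    /* calculate inverse of q mod p */
    if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
        p = &local_p;
        BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
    } else
        p = rsa->p;
    if (!BN_mod_inverse(rsa->iqmp, rsa->q, p, ctx))
        goto err;

    ok = 1;
 err:
    /* ok == -1 means a BN call failed without pushing an RSA error */
    if (ok == -1) {
        RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, ERR_LIB_BN);
        ok = 0;
    }
    if (ctx != NULL) {
        BN_CTX_end(ctx);
        BN_CTX_free(ctx);
    }
    return ok;
}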
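/*
 * pollard_rho factors |val| with Pollard's rho method and prints each prime
 * factor found to stdout, each preceded by a space.  |val| is modified in
 * place (divided down as factors are split off) and is not freed here; the
 * file-scope |ctx| is used for all BN arithmetic.  Composite factors are
 * handled by recursing on a private copy.
 *
 * A BN failure (e.g. out of memory) ends the search early; every BIGNUM
 * created here is released on all exit paths.
 */
static void pollard_rho(BIGNUM *val)
{
    BIGNUM *x = BN_new();
    BIGNUM *y = BN_new();
    BIGNUM *tmp = BN_new();
    BIGNUM *num = BN_new();
    BN_ULONG a = 1;             /* constant in the iteration x -> x^2 + a */
    unsigned int steps_taken, steps_limit;

    if (x == NULL || y == NULL || tmp == NULL || num == NULL)
        goto done;

restart:
    /* y is the "turtle": it is re-pinned to x every time the doubling
     * step limit is reached, so a cycle is detected as x - y == 0 mod p. */
    steps_taken = 0;
    steps_limit = 2;
    if (!BN_set_word(x, 1) || BN_copy(y, x) == NULL)
        goto done;

    for (;;) {
        /* x = x^2 + a (mod val); tmp = x - y */
        if (!BN_sqr(tmp, x, ctx) || !BN_add_word(tmp, a)
            || !BN_mod(x, tmp, val, ctx) || !BN_sub(tmp, x, y))
            goto done;
        if (BN_is_zero(tmp)) {
            /* x and y collided with no factor found: change a and retry. */
#ifdef DEBUG
            printf(" (loop)");
#endif
            a++;
            goto restart;
        }
        if (!BN_gcd(tmp, tmp, val, ctx))
            goto done;
        if (!BN_is_one(tmp)) {
            /* tmp is a non-trivial factor of val. */
            if (BN_is_prime(tmp, PRIME_CHECKS, NULL, NULL, NULL) == 1) {
                putchar(' ');
                BN_print_dec_fp(stdout, tmp);
            } else {
                BIGNUM *sub;
#ifdef DEBUG
                printf(" (recurse for ");
                BN_print_dec_fp(stdout, tmp);
                putchar(')');
#endif
                /* Recurse on a private copy and release it afterwards;
                 * the recursion consumes its argument by dividing it down. */
                sub = BN_dup(tmp);
                if (sub == NULL)
                    goto done;
                pollard_rho(sub);
                BN_free(sub);
#ifdef DEBUG
                printf(" (back)");
#endif
            }
            fflush(stdout);
            /* num = val / tmp: the cofactor still to be factored. */
            if (!BN_div(num, NULL, val, tmp, ctx))
                goto done;
            if (BN_is_one(num))
                goto done;
            if (BN_is_prime(num, PRIME_CHECKS, NULL, NULL, NULL) == 1) {
                putchar(' ');
                BN_print_dec_fp(stdout, num);
                fflush(stdout);
                goto done;
            }
            if (BN_copy(val, num) == NULL)
                goto done;
            goto restart;
        }
        steps_taken++;
        if (steps_taken == steps_limit) {
            if (BN_copy(y, x) == NULL) /* teleport the turtle */
                goto done;
            steps_taken = 0;
            steps_limit *= 2;
            if (steps_limit == 0) {
                /* the step limit wrapped around: change a and start over */
#ifdef DEBUG
                printf(" (overflow)");
#endif
                a++;
                goto restart;
            }
        }
    }

done:
    BN_free(x);
    BN_free(y);
    BN_free(tmp);
    BN_free(num);
}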