2
0

rsa_gen.c 12 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402
  1. /*
  2. * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. /*
  10. * NB: these functions have been "upgraded", the deprecated versions (which
  11. * are compatibility wrappers using these functions) are in rsa_depr.c. -
  12. * Geoff
  13. */
  14. #include <stdio.h>
  15. #include <time.h>
  16. #include "internal/cryptlib.h"
  17. #include <openssl/bn.h>
  18. #include "rsa_local.h"
  19. static int rsa_builtin_keygen(RSA *rsa, int bits, int primes, BIGNUM *e_value,
  20. BN_GENCB *cb);
  21. /*
  22. * NB: this wrapper would normally be placed in rsa_lib.c and the static
  23. * implementation would probably be in rsa_eay.c. Nonetheless, is kept here
  24. * so that we don't introduce a new linker dependency. Eg. any application
  25. * that wasn't previously linking object code related to key-generation won't
  26. * have to now just because key-generation is part of RSA_METHOD.
  27. */
  28. int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
  29. {
  30. if (rsa->meth->rsa_keygen != NULL)
  31. return rsa->meth->rsa_keygen(rsa, bits, e_value, cb);
  32. return RSA_generate_multi_prime_key(rsa, bits, RSA_DEFAULT_PRIME_NUM,
  33. e_value, cb);
  34. }
  35. int RSA_generate_multi_prime_key(RSA *rsa, int bits, int primes,
  36. BIGNUM *e_value, BN_GENCB *cb)
  37. {
  38. #ifndef FIPS_MODE
  39. /* multi-prime is only supported with the builtin key generation */
  40. if (rsa->meth->rsa_multi_prime_keygen != NULL) {
  41. return rsa->meth->rsa_multi_prime_keygen(rsa, bits, primes,
  42. e_value, cb);
  43. } else if (rsa->meth->rsa_keygen != NULL) {
  44. /*
  45. * However, if rsa->meth implements only rsa_keygen, then we
  46. * have to honour it in 2-prime case and assume that it wouldn't
  47. * know what to do with multi-prime key generated by builtin
  48. * subroutine...
  49. */
  50. if (primes == 2)
  51. return rsa->meth->rsa_keygen(rsa, bits, e_value, cb);
  52. else
  53. return 0;
  54. }
  55. #endif /* FIPS_MODE */
  56. return rsa_builtin_keygen(rsa, bits, primes, e_value, cb);
  57. }
  58. static int rsa_builtin_keygen(RSA *rsa, int bits, int primes, BIGNUM *e_value,
  59. BN_GENCB *cb)
  60. {
  61. #ifdef FIPS_MODE
  62. if (primes != 2)
  63. return 0;
  64. return rsa_sp800_56b_generate_key(rsa, bits, e_value, cb);
  65. #else
  66. BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL, *tmp, *prime;
  67. int ok = -1, n = 0, bitsr[RSA_MAX_PRIME_NUM], bitse = 0;
  68. int i = 0, quo = 0, rmd = 0, adj = 0, retries = 0;
  69. RSA_PRIME_INFO *pinfo = NULL;
  70. STACK_OF(RSA_PRIME_INFO) *prime_infos = NULL;
  71. BN_CTX *ctx = NULL;
  72. BN_ULONG bitst = 0;
  73. unsigned long error = 0;
  74. if (bits < RSA_MIN_MODULUS_BITS) {
  75. ok = 0; /* we set our own err */
  76. RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, RSA_R_KEY_SIZE_TOO_SMALL);
  77. goto err;
  78. }
  79. if (primes < RSA_DEFAULT_PRIME_NUM || primes > rsa_multip_cap(bits)) {
  80. ok = 0; /* we set our own err */
  81. RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, RSA_R_KEY_PRIME_NUM_INVALID);
  82. goto err;
  83. }
  84. ctx = BN_CTX_new();
  85. if (ctx == NULL)
  86. goto err;
  87. BN_CTX_start(ctx);
  88. r0 = BN_CTX_get(ctx);
  89. r1 = BN_CTX_get(ctx);
  90. r2 = BN_CTX_get(ctx);
  91. if (r2 == NULL)
  92. goto err;
  93. /* divide bits into 'primes' pieces evenly */
  94. quo = bits / primes;
  95. rmd = bits % primes;
  96. for (i = 0; i < primes; i++)
  97. bitsr[i] = (i < rmd) ? quo + 1 : quo;
  98. rsa->dirty_cnt++;
  99. /* We need the RSA components non-NULL */
  100. if (!rsa->n && ((rsa->n = BN_new()) == NULL))
  101. goto err;
  102. if (!rsa->d && ((rsa->d = BN_secure_new()) == NULL))
  103. goto err;
  104. if (!rsa->e && ((rsa->e = BN_new()) == NULL))
  105. goto err;
  106. if (!rsa->p && ((rsa->p = BN_secure_new()) == NULL))
  107. goto err;
  108. if (!rsa->q && ((rsa->q = BN_secure_new()) == NULL))
  109. goto err;
  110. if (!rsa->dmp1 && ((rsa->dmp1 = BN_secure_new()) == NULL))
  111. goto err;
  112. if (!rsa->dmq1 && ((rsa->dmq1 = BN_secure_new()) == NULL))
  113. goto err;
  114. if (!rsa->iqmp && ((rsa->iqmp = BN_secure_new()) == NULL))
  115. goto err;
  116. /* initialize multi-prime components */
  117. if (primes > RSA_DEFAULT_PRIME_NUM) {
  118. rsa->version = RSA_ASN1_VERSION_MULTI;
  119. prime_infos = sk_RSA_PRIME_INFO_new_reserve(NULL, primes - 2);
  120. if (prime_infos == NULL)
  121. goto err;
  122. if (rsa->prime_infos != NULL) {
  123. /* could this happen? */
  124. sk_RSA_PRIME_INFO_pop_free(rsa->prime_infos, rsa_multip_info_free);
  125. }
  126. rsa->prime_infos = prime_infos;
  127. /* prime_info from 2 to |primes| -1 */
  128. for (i = 2; i < primes; i++) {
  129. pinfo = rsa_multip_info_new();
  130. if (pinfo == NULL)
  131. goto err;
  132. (void)sk_RSA_PRIME_INFO_push(prime_infos, pinfo);
  133. }
  134. }
  135. if (BN_copy(rsa->e, e_value) == NULL)
  136. goto err;
  137. /* generate p, q and other primes (if any) */
  138. for (i = 0; i < primes; i++) {
  139. adj = 0;
  140. retries = 0;
  141. if (i == 0) {
  142. prime = rsa->p;
  143. } else if (i == 1) {
  144. prime = rsa->q;
  145. } else {
  146. pinfo = sk_RSA_PRIME_INFO_value(prime_infos, i - 2);
  147. prime = pinfo->r;
  148. }
  149. BN_set_flags(prime, BN_FLG_CONSTTIME);
  150. for (;;) {
  151. redo:
  152. if (!BN_generate_prime_ex(prime, bitsr[i] + adj, 0, NULL, NULL, cb))
  153. goto err;
  154. /*
  155. * prime should not be equal to p, q, r_3...
  156. * (those primes prior to this one)
  157. */
  158. {
  159. int j;
  160. for (j = 0; j < i; j++) {
  161. BIGNUM *prev_prime;
  162. if (j == 0)
  163. prev_prime = rsa->p;
  164. else if (j == 1)
  165. prev_prime = rsa->q;
  166. else
  167. prev_prime = sk_RSA_PRIME_INFO_value(prime_infos,
  168. j - 2)->r;
  169. if (!BN_cmp(prime, prev_prime)) {
  170. goto redo;
  171. }
  172. }
  173. }
  174. if (!BN_sub(r2, prime, BN_value_one()))
  175. goto err;
  176. ERR_set_mark();
  177. BN_set_flags(r2, BN_FLG_CONSTTIME);
  178. if (BN_mod_inverse(r1, r2, rsa->e, ctx) != NULL) {
  179. /* GCD == 1 since inverse exists */
  180. break;
  181. }
  182. error = ERR_peek_last_error();
  183. if (ERR_GET_LIB(error) == ERR_LIB_BN
  184. && ERR_GET_REASON(error) == BN_R_NO_INVERSE) {
  185. /* GCD != 1 */
  186. ERR_pop_to_mark();
  187. } else {
  188. goto err;
  189. }
  190. if (!BN_GENCB_call(cb, 2, n++))
  191. goto err;
  192. }
  193. bitse += bitsr[i];
  194. /* calculate n immediately to see if it's sufficient */
  195. if (i == 1) {
  196. /* we get at least 2 primes */
  197. if (!BN_mul(r1, rsa->p, rsa->q, ctx))
  198. goto err;
  199. } else if (i != 0) {
  200. /* modulus n = p * q * r_3 * r_4 ... */
  201. if (!BN_mul(r1, rsa->n, prime, ctx))
  202. goto err;
  203. } else {
  204. /* i == 0, do nothing */
  205. if (!BN_GENCB_call(cb, 3, i))
  206. goto err;
  207. continue;
  208. }
  209. /*
  210. * if |r1|, product of factors so far, is not as long as expected
  211. * (by checking the first 4 bits are less than 0x9 or greater than
  212. * 0xF). If so, re-generate the last prime.
  213. *
  214. * NOTE: This actually can't happen in two-prime case, because of
  215. * the way factors are generated.
  216. *
  217. * Besides, another consideration is, for multi-prime case, even the
  218. * length modulus is as long as expected, the modulus could start at
  219. * 0x8, which could be utilized to distinguish a multi-prime private
  220. * key by using the modulus in a certificate. This is also covered
  221. * by checking the length should not be less than 0x9.
  222. */
  223. if (!BN_rshift(r2, r1, bitse - 4))
  224. goto err;
  225. bitst = BN_get_word(r2);
  226. if (bitst < 0x9 || bitst > 0xF) {
  227. /*
  228. * For keys with more than 4 primes, we attempt longer factor to
  229. * meet length requirement.
  230. *
  231. * Otherwise, we just re-generate the prime with the same length.
  232. *
  233. * This strategy has the following goals:
  234. *
  235. * 1. 1024-bit factors are efficient when using 3072 and 4096-bit key
  236. * 2. stay the same logic with normal 2-prime key
  237. */
  238. bitse -= bitsr[i];
  239. if (!BN_GENCB_call(cb, 2, n++))
  240. goto err;
  241. if (primes > 4) {
  242. if (bitst < 0x9)
  243. adj++;
  244. else
  245. adj--;
  246. } else if (retries == 4) {
  247. /*
  248. * re-generate all primes from scratch, mainly used
  249. * in 4 prime case to avoid long loop. Max retry times
  250. * is set to 4.
  251. */
  252. i = -1;
  253. bitse = 0;
  254. continue;
  255. }
  256. retries++;
  257. goto redo;
  258. }
  259. /* save product of primes for further use, for multi-prime only */
  260. if (i > 1 && BN_copy(pinfo->pp, rsa->n) == NULL)
  261. goto err;
  262. if (BN_copy(rsa->n, r1) == NULL)
  263. goto err;
  264. if (!BN_GENCB_call(cb, 3, i))
  265. goto err;
  266. }
  267. if (BN_cmp(rsa->p, rsa->q) < 0) {
  268. tmp = rsa->p;
  269. rsa->p = rsa->q;
  270. rsa->q = tmp;
  271. }
  272. /* calculate d */
  273. /* p - 1 */
  274. if (!BN_sub(r1, rsa->p, BN_value_one()))
  275. goto err;
  276. /* q - 1 */
  277. if (!BN_sub(r2, rsa->q, BN_value_one()))
  278. goto err;
  279. /* (p - 1)(q - 1) */
  280. if (!BN_mul(r0, r1, r2, ctx))
  281. goto err;
  282. /* multi-prime */
  283. for (i = 2; i < primes; i++) {
  284. pinfo = sk_RSA_PRIME_INFO_value(prime_infos, i - 2);
  285. /* save r_i - 1 to pinfo->d temporarily */
  286. if (!BN_sub(pinfo->d, pinfo->r, BN_value_one()))
  287. goto err;
  288. if (!BN_mul(r0, r0, pinfo->d, ctx))
  289. goto err;
  290. }
  291. {
  292. BIGNUM *pr0 = BN_new();
  293. if (pr0 == NULL)
  294. goto err;
  295. BN_with_flags(pr0, r0, BN_FLG_CONSTTIME);
  296. if (!BN_mod_inverse(rsa->d, rsa->e, pr0, ctx)) {
  297. BN_free(pr0);
  298. goto err; /* d */
  299. }
  300. /* We MUST free pr0 before any further use of r0 */
  301. BN_free(pr0);
  302. }
  303. {
  304. BIGNUM *d = BN_new();
  305. if (d == NULL)
  306. goto err;
  307. BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
  308. /* calculate d mod (p-1) and d mod (q - 1) */
  309. if (!BN_mod(rsa->dmp1, d, r1, ctx)
  310. || !BN_mod(rsa->dmq1, d, r2, ctx)) {
  311. BN_free(d);
  312. goto err;
  313. }
  314. /* calculate CRT exponents */
  315. for (i = 2; i < primes; i++) {
  316. pinfo = sk_RSA_PRIME_INFO_value(prime_infos, i - 2);
  317. /* pinfo->d == r_i - 1 */
  318. if (!BN_mod(pinfo->d, d, pinfo->d, ctx)) {
  319. BN_free(d);
  320. goto err;
  321. }
  322. }
  323. /* We MUST free d before any further use of rsa->d */
  324. BN_free(d);
  325. }
  326. {
  327. BIGNUM *p = BN_new();
  328. if (p == NULL)
  329. goto err;
  330. BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
  331. /* calculate inverse of q mod p */
  332. if (!BN_mod_inverse(rsa->iqmp, rsa->q, p, ctx)) {
  333. BN_free(p);
  334. goto err;
  335. }
  336. /* calculate CRT coefficient for other primes */
  337. for (i = 2; i < primes; i++) {
  338. pinfo = sk_RSA_PRIME_INFO_value(prime_infos, i - 2);
  339. BN_with_flags(p, pinfo->r, BN_FLG_CONSTTIME);
  340. if (!BN_mod_inverse(pinfo->t, pinfo->pp, p, ctx)) {
  341. BN_free(p);
  342. goto err;
  343. }
  344. }
  345. /* We MUST free p before any further use of rsa->p */
  346. BN_free(p);
  347. }
  348. ok = 1;
  349. err:
  350. if (ok == -1) {
  351. RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, ERR_LIB_BN);
  352. ok = 0;
  353. }
  354. BN_CTX_end(ctx);
  355. BN_CTX_free(ctx);
  356. return ok;
  357. #endif /* FIPS_MODE */
  358. }