rsa_sp800_56b_check.c 12 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442
  1. /*
  2. * Copyright 2018-2020 The OpenSSL Project Authors. All Rights Reserved.
  3. * Copyright (c) 2018-2019, Oracle and/or its affiliates. All rights reserved.
  4. *
  5. * Licensed under the Apache License 2.0 (the "License"). You may not use
  6. * this file except in compliance with the License. You can obtain a copy
  7. * in the file LICENSE in the source distribution or at
  8. * https://www.openssl.org/source/license.html
  9. */
  10. #include <openssl/err.h>
  11. #include <openssl/bn.h>
  12. #include "crypto/bn.h"
  13. #include "rsa_local.h"
  14. /*
  15. * Part of the RSA keypair test.
  16. * Check the Chinese Remainder Theorem components are valid.
  17. *
  18. * See SP800-5bBr1
  19. * 6.4.1.2.3: rsakpv1-crt Step 7
  20. * 6.4.1.3.3: rsakpv2-crt Step 7
  21. */
  22. int rsa_check_crt_components(const RSA *rsa, BN_CTX *ctx)
  23. {
  24. int ret = 0;
  25. BIGNUM *r = NULL, *p1 = NULL, *q1 = NULL;
  26. /* check if only some of the crt components are set */
  27. if (rsa->dmp1 == NULL || rsa->dmq1 == NULL || rsa->iqmp == NULL) {
  28. if (rsa->dmp1 != NULL || rsa->dmq1 != NULL || rsa->iqmp != NULL)
  29. return 0;
  30. return 1; /* return ok if all components are NULL */
  31. }
  32. BN_CTX_start(ctx);
  33. r = BN_CTX_get(ctx);
  34. p1 = BN_CTX_get(ctx);
  35. q1 = BN_CTX_get(ctx);
  36. if (q1 != NULL) {
  37. BN_set_flags(r, BN_FLG_CONSTTIME);
  38. BN_set_flags(p1, BN_FLG_CONSTTIME);
  39. BN_set_flags(q1, BN_FLG_CONSTTIME);
  40. ret = 1;
  41. } else {
  42. ret = 0;
  43. }
  44. ret = ret
  45. /* p1 = p -1 */
  46. && (BN_copy(p1, rsa->p) != NULL)
  47. && BN_sub_word(p1, 1)
  48. /* q1 = q - 1 */
  49. && (BN_copy(q1, rsa->q) != NULL)
  50. && BN_sub_word(q1, 1)
  51. /* (a) 1 < dP < (p – 1). */
  52. && (BN_cmp(rsa->dmp1, BN_value_one()) > 0)
  53. && (BN_cmp(rsa->dmp1, p1) < 0)
  54. /* (b) 1 < dQ < (q - 1). */
  55. && (BN_cmp(rsa->dmq1, BN_value_one()) > 0)
  56. && (BN_cmp(rsa->dmq1, q1) < 0)
  57. /* (c) 1 < qInv < p */
  58. && (BN_cmp(rsa->iqmp, BN_value_one()) > 0)
  59. && (BN_cmp(rsa->iqmp, rsa->p) < 0)
  60. /* (d) 1 = (dP . e) mod (p - 1)*/
  61. && BN_mod_mul(r, rsa->dmp1, rsa->e, p1, ctx)
  62. && BN_is_one(r)
  63. /* (e) 1 = (dQ . e) mod (q - 1) */
  64. && BN_mod_mul(r, rsa->dmq1, rsa->e, q1, ctx)
  65. && BN_is_one(r)
  66. /* (f) 1 = (qInv . q) mod p */
  67. && BN_mod_mul(r, rsa->iqmp, rsa->q, rsa->p, ctx)
  68. && BN_is_one(r);
  69. BN_clear(r);
  70. BN_clear(p1);
  71. BN_clear(q1);
  72. BN_CTX_end(ctx);
  73. return ret;
  74. }
  75. /*
  76. * Part of the RSA keypair test.
  77. * Check that (√2)(2^(nbits/2 - 1) <= p <= 2^(nbits/2) - 1
  78. *
  79. * See SP800-5bBr1 6.4.1.2.1 Part 5 (c) & (g) - used for both p and q.
  80. *
  81. * (√2)(2^(nbits/2 - 1) = (√2/2)(2^(nbits/2))
  82. */
  83. int rsa_check_prime_factor_range(const BIGNUM *p, int nbits, BN_CTX *ctx)
  84. {
  85. int ret = 0;
  86. BIGNUM *low;
  87. int shift;
  88. nbits >>= 1;
  89. shift = nbits - BN_num_bits(&bn_inv_sqrt_2);
  90. /* Upper bound check */
  91. if (BN_num_bits(p) != nbits)
  92. return 0;
  93. BN_CTX_start(ctx);
  94. low = BN_CTX_get(ctx);
  95. if (low == NULL)
  96. goto err;
  97. /* set low = (√2)(2^(nbits/2 - 1) */
  98. if (!BN_copy(low, &bn_inv_sqrt_2))
  99. goto err;
  100. if (shift >= 0) {
  101. /*
  102. * We don't have all the bits. bn_inv_sqrt_2 contains a rounded up
  103. * value, so there is a very low probability that we'll reject a valid
  104. * value.
  105. */
  106. if (!BN_lshift(low, low, shift))
  107. goto err;
  108. } else if (!BN_rshift(low, low, -shift)) {
  109. goto err;
  110. }
  111. if (BN_cmp(p, low) <= 0)
  112. goto err;
  113. ret = 1;
  114. err:
  115. BN_CTX_end(ctx);
  116. return ret;
  117. }
  118. /*
  119. * Part of the RSA keypair test.
  120. * Check the prime factor (for either p or q)
  121. * i.e: p is prime AND GCD(p - 1, e) = 1
  122. *
  123. * See SP800-56Br1 6.4.1.2.3 Step 5 (a to d) & (e to h).
  124. */
  125. int rsa_check_prime_factor(BIGNUM *p, BIGNUM *e, int nbits, BN_CTX *ctx)
  126. {
  127. int ret = 0;
  128. BIGNUM *p1 = NULL, *gcd = NULL;
  129. /* (Steps 5 a-b) prime test */
  130. if (BN_check_prime(p, ctx, NULL) != 1
  131. /* (Step 5c) (√2)(2^(nbits/2 - 1) <= p <= 2^(nbits/2 - 1) */
  132. || rsa_check_prime_factor_range(p, nbits, ctx) != 1)
  133. return 0;
  134. BN_CTX_start(ctx);
  135. p1 = BN_CTX_get(ctx);
  136. gcd = BN_CTX_get(ctx);
  137. if (gcd != NULL) {
  138. BN_set_flags(p1, BN_FLG_CONSTTIME);
  139. BN_set_flags(gcd, BN_FLG_CONSTTIME);
  140. ret = 1;
  141. } else {
  142. ret = 0;
  143. }
  144. ret = ret
  145. /* (Step 5d) GCD(p-1, e) = 1 */
  146. && (BN_copy(p1, p) != NULL)
  147. && BN_sub_word(p1, 1)
  148. && BN_gcd(gcd, p1, e, ctx)
  149. && BN_is_one(gcd);
  150. BN_clear(p1);
  151. BN_CTX_end(ctx);
  152. return ret;
  153. }
  154. /*
  155. * See SP800-56Br1 6.4.1.2.3 Part 6(a-b) Check the private exponent d
  156. * satisfies:
  157. * (Step 6a) 2^(nBit/2) < d < LCM(p–1, q–1).
  158. * (Step 6b) 1 = (d*e) mod LCM(p–1, q–1)
  159. */
  160. int rsa_check_private_exponent(const RSA *rsa, int nbits, BN_CTX *ctx)
  161. {
  162. int ret;
  163. BIGNUM *r, *p1, *q1, *lcm, *p1q1, *gcd;
  164. /* (Step 6a) 2^(nbits/2) < d */
  165. if (BN_num_bits(rsa->d) <= (nbits >> 1))
  166. return 0;
  167. BN_CTX_start(ctx);
  168. r = BN_CTX_get(ctx);
  169. p1 = BN_CTX_get(ctx);
  170. q1 = BN_CTX_get(ctx);
  171. lcm = BN_CTX_get(ctx);
  172. p1q1 = BN_CTX_get(ctx);
  173. gcd = BN_CTX_get(ctx);
  174. if (gcd != NULL) {
  175. BN_set_flags(r, BN_FLG_CONSTTIME);
  176. BN_set_flags(p1, BN_FLG_CONSTTIME);
  177. BN_set_flags(q1, BN_FLG_CONSTTIME);
  178. BN_set_flags(lcm, BN_FLG_CONSTTIME);
  179. BN_set_flags(p1q1, BN_FLG_CONSTTIME);
  180. BN_set_flags(gcd, BN_FLG_CONSTTIME);
  181. ret = 1;
  182. } else {
  183. ret = 0;
  184. }
  185. ret = (ret
  186. /* LCM(p - 1, q - 1) */
  187. && (rsa_get_lcm(ctx, rsa->p, rsa->q, lcm, gcd, p1, q1, p1q1) == 1)
  188. /* (Step 6a) d < LCM(p - 1, q - 1) */
  189. && (BN_cmp(rsa->d, lcm) < 0)
  190. /* (Step 6b) 1 = (e . d) mod LCM(p - 1, q - 1) */
  191. && BN_mod_mul(r, rsa->e, rsa->d, lcm, ctx)
  192. && BN_is_one(r));
  193. BN_clear(r);
  194. BN_clear(p1);
  195. BN_clear(q1);
  196. BN_clear(lcm);
  197. BN_clear(gcd);
  198. BN_CTX_end(ctx);
  199. return ret;
  200. }
  201. #ifndef FIPS_MODULE
  202. static int bn_is_three(const BIGNUM *bn)
  203. {
  204. BIGNUM *num = BN_dup(bn);
  205. int ret = (num != NULL && BN_sub_word(num, 3) && BN_is_zero(num));
  206. BN_free(num);
  207. return ret;
  208. }
  209. #endif /* FIPS_MODULE */
  210. /* Check exponent is odd, and has a bitlen ranging from [17..256] */
  211. int rsa_check_public_exponent(const BIGNUM *e)
  212. {
  213. int bitlen;
  214. /* For legacy purposes RSA_3 is allowed in non fips mode */
  215. #ifndef FIPS_MODULE
  216. if (bn_is_three(e))
  217. return 1;
  218. #endif /* FIPS_MODULE */
  219. bitlen = BN_num_bits(e);
  220. return (BN_is_odd(e) && bitlen > 16 && bitlen < 257);
  221. }
  222. /*
  223. * SP800-56Br1 6.4.1.2.1 (Step 5i): |p - q| > 2^(nbits/2 - 100)
  224. * i.e- numbits(p-q-1) > (nbits/2 -100)
  225. */
  226. int rsa_check_pminusq_diff(BIGNUM *diff, const BIGNUM *p, const BIGNUM *q,
  227. int nbits)
  228. {
  229. int bitlen = (nbits >> 1) - 100;
  230. if (!BN_sub(diff, p, q))
  231. return -1;
  232. BN_set_negative(diff, 0);
  233. if (BN_is_zero(diff))
  234. return 0;
  235. if (!BN_sub_word(diff, 1))
  236. return -1;
  237. return (BN_num_bits(diff) > bitlen);
  238. }
  239. /*
  240. * return LCM(p-1, q-1)
  241. *
  242. * Caller should ensure that lcm, gcd, p1, q1, p1q1 are flagged with
  243. * BN_FLG_CONSTTIME.
  244. */
  245. int rsa_get_lcm(BN_CTX *ctx, const BIGNUM *p, const BIGNUM *q,
  246. BIGNUM *lcm, BIGNUM *gcd, BIGNUM *p1, BIGNUM *q1,
  247. BIGNUM *p1q1)
  248. {
  249. return BN_sub(p1, p, BN_value_one()) /* p-1 */
  250. && BN_sub(q1, q, BN_value_one()) /* q-1 */
  251. && BN_mul(p1q1, p1, q1, ctx) /* (p-1)(q-1) */
  252. && BN_gcd(gcd, p1, q1, ctx)
  253. && BN_div(lcm, NULL, p1q1, gcd, ctx); /* LCM((p-1, q-1)) */
  254. }
  255. /*
  256. * SP800-56Br1 6.4.2.2 Partial Public Key Validation for RSA refers to
  257. * SP800-89 5.3.3 (Explicit) Partial Public Key Validation for RSA
  258. * caveat is that the modulus must be as specified in SP800-56Br1
  259. */
  260. int rsa_sp800_56b_check_public(const RSA *rsa)
  261. {
  262. int ret = 0, status;
  263. #ifdef FIPS_MODULE
  264. int nbits;
  265. #endif
  266. BN_CTX *ctx = NULL;
  267. BIGNUM *gcd = NULL;
  268. if (rsa->n == NULL || rsa->e == NULL)
  269. return 0;
  270. #ifdef FIPS_MODULE
  271. /*
  272. * (Step a): modulus must be 2048 or 3072 (caveat from SP800-56Br1)
  273. * NOTE: changed to allow keys >= 2048
  274. */
  275. nbits = BN_num_bits(rsa->n);
  276. if (!rsa_sp800_56b_validate_strength(nbits, -1)) {
  277. RSAerr(RSA_F_RSA_SP800_56B_CHECK_PUBLIC, RSA_R_INVALID_KEY_LENGTH);
  278. return 0;
  279. }
  280. #endif
  281. if (!BN_is_odd(rsa->n)) {
  282. RSAerr(RSA_F_RSA_SP800_56B_CHECK_PUBLIC, RSA_R_INVALID_MODULUS);
  283. return 0;
  284. }
  285. /* (Steps b-c): 2^16 < e < 2^256, n and e must be odd */
  286. if (!rsa_check_public_exponent(rsa->e)) {
  287. RSAerr(RSA_F_RSA_SP800_56B_CHECK_PUBLIC,
  288. RSA_R_PUB_EXPONENT_OUT_OF_RANGE);
  289. return 0;
  290. }
  291. ctx = BN_CTX_new_ex(rsa->libctx);
  292. gcd = BN_new();
  293. if (ctx == NULL || gcd == NULL)
  294. goto err;
  295. /* (Steps d-f):
  296. * The modulus is composite, but not a power of a prime.
  297. * The modulus has no factors smaller than 752.
  298. */
  299. if (!BN_gcd(gcd, rsa->n, bn_get0_small_factors(), ctx) || !BN_is_one(gcd)) {
  300. RSAerr(RSA_F_RSA_SP800_56B_CHECK_PUBLIC, RSA_R_INVALID_MODULUS);
  301. goto err;
  302. }
  303. ret = bn_miller_rabin_is_prime(rsa->n, 0, ctx, NULL, 1, &status);
  304. if (ret != 1 || status != BN_PRIMETEST_COMPOSITE_NOT_POWER_OF_PRIME) {
  305. RSAerr(RSA_F_RSA_SP800_56B_CHECK_PUBLIC, RSA_R_INVALID_MODULUS);
  306. ret = 0;
  307. goto err;
  308. }
  309. ret = 1;
  310. err:
  311. BN_free(gcd);
  312. BN_CTX_free(ctx);
  313. return ret;
  314. }
  315. /*
  316. * Perform validation of the RSA private key to check that 0 < D < N.
  317. */
  318. int rsa_sp800_56b_check_private(const RSA *rsa)
  319. {
  320. if (rsa->d == NULL || rsa->n == NULL)
  321. return 0;
  322. return BN_cmp(rsa->d, BN_value_one()) >= 0 && BN_cmp(rsa->d, rsa->n) < 0;
  323. }
  324. /*
  325. * RSA key pair validation.
  326. *
  327. * SP800-56Br1.
  328. * 6.4.1.2 "RSAKPV1 Family: RSA Key - Pair Validation with a Fixed Exponent"
  329. * 6.4.1.3 "RSAKPV2 Family: RSA Key - Pair Validation with a Random Exponent"
  330. *
  331. * It uses:
  332. * 6.4.1.2.3 "rsakpv1 - crt"
  333. * 6.4.1.3.3 "rsakpv2 - crt"
  334. */
  335. int rsa_sp800_56b_check_keypair(const RSA *rsa, const BIGNUM *efixed,
  336. int strength, int nbits)
  337. {
  338. int ret = 0;
  339. BN_CTX *ctx = NULL;
  340. BIGNUM *r = NULL;
  341. if (rsa->p == NULL
  342. || rsa->q == NULL
  343. || rsa->e == NULL
  344. || rsa->d == NULL
  345. || rsa->n == NULL) {
  346. RSAerr(RSA_F_RSA_SP800_56B_CHECK_KEYPAIR, RSA_R_INVALID_REQUEST);
  347. return 0;
  348. }
  349. /* (Step 1): Check Ranges */
  350. if (!rsa_sp800_56b_validate_strength(nbits, strength))
  351. return 0;
  352. /* If the exponent is known */
  353. if (efixed != NULL) {
  354. /* (2): Check fixed exponent matches public exponent. */
  355. if (BN_cmp(efixed, rsa->e) != 0) {
  356. RSAerr(RSA_F_RSA_SP800_56B_CHECK_KEYPAIR, RSA_R_INVALID_REQUEST);
  357. return 0;
  358. }
  359. }
  360. /* (Step 1.c): e is odd integer 65537 <= e < 2^256 */
  361. if (!rsa_check_public_exponent(rsa->e)) {
  362. /* exponent out of range */
  363. RSAerr(RSA_F_RSA_SP800_56B_CHECK_KEYPAIR,
  364. RSA_R_PUB_EXPONENT_OUT_OF_RANGE);
  365. return 0;
  366. }
  367. /* (Step 3.b): check the modulus */
  368. if (nbits != BN_num_bits(rsa->n)) {
  369. RSAerr(RSA_F_RSA_SP800_56B_CHECK_KEYPAIR, RSA_R_INVALID_KEYPAIR);
  370. return 0;
  371. }
  372. ctx = BN_CTX_new_ex(rsa->libctx);
  373. if (ctx == NULL)
  374. return 0;
  375. BN_CTX_start(ctx);
  376. r = BN_CTX_get(ctx);
  377. if (r == NULL || !BN_mul(r, rsa->p, rsa->q, ctx))
  378. goto err;
  379. /* (Step 4.c): Check n = pq */
  380. if (BN_cmp(rsa->n, r) != 0) {
  381. RSAerr(RSA_F_RSA_SP800_56B_CHECK_KEYPAIR, RSA_R_INVALID_REQUEST);
  382. goto err;
  383. }
  384. /* (Step 5): check prime factors p & q */
  385. ret = rsa_check_prime_factor(rsa->p, rsa->e, nbits, ctx)
  386. && rsa_check_prime_factor(rsa->q, rsa->e, nbits, ctx)
  387. && (rsa_check_pminusq_diff(r, rsa->p, rsa->q, nbits) > 0)
  388. /* (Step 6): Check the private exponent d */
  389. && rsa_check_private_exponent(rsa, nbits, ctx)
  390. /* 6.4.1.2.3 (Step 7): Check the CRT components */
  391. && rsa_check_crt_components(rsa, ctx);
  392. if (ret != 1)
  393. RSAerr(RSA_F_RSA_SP800_56B_CHECK_KEYPAIR, RSA_R_INVALID_KEYPAIR);
  394. err:
  395. BN_clear(r);
  396. BN_CTX_end(ctx);
  397. BN_CTX_free(ctx);
  398. return ret;
  399. }