/src/openssl/crypto/rsa/rsa_gen.c

Source (jump to first uncovered line)
/* crypto/rsa/rsa_gen.c */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
 *
 * This library is free for commercial and non-commercial use as long as
 * the following conditions are aheared to.  The following conditions
 * apply to all code found in this distribution, be it the RC4, RSA,
 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
 * included with this distribution is covered by the same copyright terms
 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
 *
 * Copyright remains Eric Young's, and as such any Copyright notices in
 * the code are not to be removed.
 * If this package is used in a product, Eric Young should be given attribution
 * as the author of the parts of the library used.
 * This can be in the form of a textual message at program startup or
 * in documentation (online or textual) provided with the package.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *    "This product includes cryptographic software written by
 *     Eric Young (eay@cryptsoft.com)"
 *    The word 'cryptographic' can be left out if the rouines from the library
 *    being used are not cryptographic related :-).
 * 4. If you include any Windows specific code (or a derivative thereof) from
 *    the apps directory (application code) you must include an acknowledgement:
 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
 *
 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 * The licence and distribution terms for any publically available version or
 * derivative of this code cannot be changed.  i.e. this code cannot simply be
 * copied and put under another distribution licence
 * [including the GNU Public Licence.]
 */

/*
 * NB: these functions have been "upgraded", the deprecated versions (which
 * are compatibility wrappers using these functions) are in rsa_depr.c. -
 * Geoff
 */

#include <stdio.h>
#include <time.h>
#include "cryptlib.h"
#include <openssl/bn.h>
#include <openssl/rsa.h>
#ifdef OPENSSL_FIPS
# include <openssl/fips.h>
extern int FIPS_rsa_x931_generate_key_ex(RSA *rsa, int bits, BIGNUM *e,
                                         BN_GENCB *cb);
#endif

static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value,
                              BN_GENCB *cb);

/*
 * NB: this wrapper would normally be placed in rsa_lib.c and the static
 * implementation would probably be in rsa_eay.c. Nonetheless, is kept here
 * so that we don't introduce a new linker dependency. Eg. any application
 * that wasn't previously linking object code related to key-generation won't
 * have to now just because key-generation is part of RSA_METHOD.
 */
int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
{
#ifdef OPENSSL_FIPS
    if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
        && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) {
        RSAerr(RSA_F_RSA_GENERATE_KEY_EX, RSA_R_NON_FIPS_RSA_METHOD);
        return 0;
    }
#endif
    if (rsa->meth->rsa_keygen)
        return rsa->meth->rsa_keygen(rsa, bits, e_value, cb);
#ifdef OPENSSL_FIPS
    if (FIPS_mode())
        return FIPS_rsa_x931_generate_key_ex(rsa, bits, e_value, cb);
#endif
    return rsa_builtin_keygen(rsa, bits, e_value, cb);
}

static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value,
                              BN_GENCB *cb)
{
    BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL, *r3 = NULL, *tmp;
    BIGNUM local_r0, local_d, local_p;
    BIGNUM *pr0, *d, *p;
    int bitsp, bitsq, ok = -1, n = 0;
    BN_CTX *ctx = NULL;

    ctx = BN_CTX_new();
    if (ctx == NULL)
        goto err;
    BN_CTX_start(ctx);
    r0 = BN_CTX_get(ctx);
    r1 = BN_CTX_get(ctx);
    r2 = BN_CTX_get(ctx);
    r3 = BN_CTX_get(ctx);
    if (r3 == NULL)
        goto err;

    bitsp = (bits + 1) / 2;
    bitsq = bits - bitsp;

    /* We need the RSA components non-NULL */
    if (!rsa->n && ((rsa->n = BN_new()) == NULL))
        goto err;
    if (!rsa->d && ((rsa->d = BN_new()) == NULL))
        goto err;
    if (!rsa->e && ((rsa->e = BN_new()) == NULL))
        goto err;
    if (!rsa->p && ((rsa->p = BN_new()) == NULL))
        goto err;
    if (!rsa->q && ((rsa->q = BN_new()) == NULL))
        goto err;
    if (!rsa->dmp1 && ((rsa->dmp1 = BN_new()) == NULL))
        goto err;
    if (!rsa->dmq1 && ((rsa->dmq1 = BN_new()) == NULL))
        goto err;
    if (!rsa->iqmp && ((rsa->iqmp = BN_new()) == NULL))
        goto err;

    if (BN_copy(rsa->e, e_value) == NULL)
        goto err;

    /* generate p and q */
    for (;;) {
        if (!BN_generate_prime_ex(rsa->p, bitsp, 0, NULL, NULL, cb))
            goto err;
        if (!BN_sub(r2, rsa->p, BN_value_one()))
            goto err;
        if (!BN_gcd(r1, r2, rsa->e, ctx))
            goto err;
        if (BN_is_one(r1))
            break;
        if (!BN_GENCB_call(cb, 2, n++))
            goto err;
    }
    if (!BN_GENCB_call(cb, 3, 0))
        goto err;
    for (;;) {
        /*
         * When generating ridiculously small keys, we can get stuck
         * continually regenerating the same prime values. Check for this and
         * bail if it happens 3 times.
         */
        unsigned int degenerate = 0;
        do {
            if (!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL, cb))
                goto err;
        } while ((BN_cmp(rsa->p, rsa->q) == 0) && (++degenerate < 3));
        if (degenerate == 3) {
            ok = 0;             /* we set our own err */
            RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, RSA_R_KEY_SIZE_TOO_SMALL);
            goto err;
        }
        if (!BN_sub(r2, rsa->q, BN_value_one()))
            goto err;
        if (!BN_gcd(r1, r2, rsa->e, ctx))
            goto err;
        if (BN_is_one(r1))
            break;
        if (!BN_GENCB_call(cb, 2, n++))
            goto err;
    }
    if (!BN_GENCB_call(cb, 3, 1))
        goto err;
    if (BN_cmp(rsa->p, rsa->q) < 0) {
        tmp = rsa->p;
        rsa->p = rsa->q;
        rsa->q = tmp;
    }

    /* calculate n */
    if (!BN_mul(rsa->n, rsa->p, rsa->q, ctx))
        goto err;

    /* calculate d */
    if (!BN_sub(r1, rsa->p, BN_value_one()))
        goto err;               /* p-1 */
    if (!BN_sub(r2, rsa->q, BN_value_one()))
        goto err;               /* q-1 */
    if (!BN_mul(r0, r1, r2, ctx))
        goto err;               /* (p-1)(q-1) */
    if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
        pr0 = &local_r0;
        BN_with_flags(pr0, r0, BN_FLG_CONSTTIME);
    } else
        pr0 = r0;
    if (!BN_mod_inverse(rsa->d, rsa->e, pr0, ctx))
        goto err;               /* d */

    /* set up d for correct BN_FLG_CONSTTIME flag */
    if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
        d = &local_d;
        BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
    } else
        d = rsa->d;

    /* calculate d mod (p-1) */
    if (!BN_mod(rsa->dmp1, d, r1, ctx))
        goto err;

    /* calculate d mod (q-1) */
    if (!BN_mod(rsa->dmq1, d, r2, ctx))
        goto err;

    /* calculate inverse of q mod p */
    if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
        p = &local_p;
        BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
    } else
        p = rsa->p;
    if (!BN_mod_inverse(rsa->iqmp, rsa->q, p, ctx))
        goto err;

    ok = 1;
 err:
    if (ok == -1) {
        RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, ERR_LIB_BN);
        ok = 0;
    }
    if (ctx != NULL) {
        BN_CTX_end(ctx);
        BN_CTX_free(ctx);
    }

    return ok;
}

Coverage Report

Created: 2022-11-30 06:20

Line	Count	Source (jump to first uncovered line)
1		/* crypto/rsa/rsa_gen.c */
2		/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3		* All rights reserved.
4		*
5		* This package is an SSL implementation written
6		* by Eric Young (eay@cryptsoft.com).
7		* The implementation was written so as to conform with Netscapes SSL.
8		*
9		* This library is free for commercial and non-commercial use as long as
10		* the following conditions are aheared to. The following conditions
11		* apply to all code found in this distribution, be it the RC4, RSA,
12		* lhash, DES, etc., code; not just the SSL code. The SSL documentation
13		* included with this distribution is covered by the same copyright terms
14		* except that the holder is Tim Hudson (tjh@cryptsoft.com).
15		*
16		* Copyright remains Eric Young's, and as such any Copyright notices in
17		* the code are not to be removed.
18		* If this package is used in a product, Eric Young should be given attribution
19		* as the author of the parts of the library used.
20		* This can be in the form of a textual message at program startup or
21		* in documentation (online or textual) provided with the package.
22		*
23		* Redistribution and use in source and binary forms, with or without
24		* modification, are permitted provided that the following conditions
25		* are met:
26		* 1. Redistributions of source code must retain the copyright
27		* notice, this list of conditions and the following disclaimer.
28		* 2. Redistributions in binary form must reproduce the above copyright
29		* notice, this list of conditions and the following disclaimer in the
30		* documentation and/or other materials provided with the distribution.
31		* 3. All advertising materials mentioning features or use of this software
32		* must display the following acknowledgement:
33		* "This product includes cryptographic software written by
34		* Eric Young (eay@cryptsoft.com)"
35		* The word 'cryptographic' can be left out if the rouines from the library
36		* being used are not cryptographic related :-).
37		* 4. If you include any Windows specific code (or a derivative thereof) from
38		* the apps directory (application code) you must include an acknowledgement:
39		* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40		*
41		* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42		* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43		* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44		* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45		* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46		* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47		* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48		* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49		* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50		* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51		* SUCH DAMAGE.
52		*
53		* The licence and distribution terms for any publically available version or
54		* derivative of this code cannot be changed. i.e. this code cannot simply be
55		* copied and put under another distribution licence
56		* [including the GNU Public Licence.]
57		*/
58
59		/*
60		* NB: these functions have been "upgraded", the deprecated versions (which
61		* are compatibility wrappers using these functions) are in rsa_depr.c. -
62		* Geoff
63		*/
64
65		#include <stdio.h>
66		#include <time.h>
67		#include "cryptlib.h"
68		#include <openssl/bn.h>
69		#include <openssl/rsa.h>
70		#ifdef OPENSSL_FIPS
71		# include <openssl/fips.h>
72		extern int FIPS_rsa_x931_generate_key_ex(RSA rsa, int bits, BIGNUM e,
73		BN_GENCB *cb);
74		#endif
75
76		static int rsa_builtin_keygen(RSA rsa, int bits, BIGNUM e_value,
77		BN_GENCB *cb);
78
79		/*
80		* NB: this wrapper would normally be placed in rsa_lib.c and the static
81		* implementation would probably be in rsa_eay.c. Nonetheless, is kept here
82		* so that we don't introduce a new linker dependency. Eg. any application
83		* that wasn't previously linking object code related to key-generation won't
84		* have to now just because key-generation is part of RSA_METHOD.
85		*/
86		int RSA_generate_key_ex(RSA rsa, int bits, BIGNUM e_value, BN_GENCB *cb)
87	0	{
88		#ifdef OPENSSL_FIPS
89		if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
90		&& !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) {
91		RSAerr(RSA_F_RSA_GENERATE_KEY_EX, RSA_R_NON_FIPS_RSA_METHOD);
92		return 0;
93		}
94		#endif
95	0	if (rsa->meth->rsa_keygen)
96	0	return rsa->meth->rsa_keygen(rsa, bits, e_value, cb);
97		#ifdef OPENSSL_FIPS
98		if (FIPS_mode())
99		return FIPS_rsa_x931_generate_key_ex(rsa, bits, e_value, cb);
100		#endif
101	0	return rsa_builtin_keygen(rsa, bits, e_value, cb);
102	0	}
103
104		static int rsa_builtin_keygen(RSA rsa, int bits, BIGNUM e_value,
105		BN_GENCB *cb)
106	0	{
107	0	BIGNUM r0 = NULL, r1 = NULL, r2 = NULL, r3 = NULL, *tmp;
108	0	BIGNUM local_r0, local_d, local_p;
109	0	BIGNUM pr0, d, *p;
110	0	int bitsp, bitsq, ok = -1, n = 0;
111	0	BN_CTX *ctx = NULL;
112
113	0	ctx = BN_CTX_new();
114	0	if (ctx == NULL)
115	0	goto err;
116	0	BN_CTX_start(ctx);
117	0	r0 = BN_CTX_get(ctx);
118	0	r1 = BN_CTX_get(ctx);
119	0	r2 = BN_CTX_get(ctx);
120	0	r3 = BN_CTX_get(ctx);
121	0	if (r3 == NULL)
122	0	goto err;
123
124	0	bitsp = (bits + 1) / 2;
125	0	bitsq = bits - bitsp;
126
127		/* We need the RSA components non-NULL */
128	0	if (!rsa->n && ((rsa->n = BN_new()) == NULL))
129	0	goto err;
130	0	if (!rsa->d && ((rsa->d = BN_new()) == NULL))
131	0	goto err;
132	0	if (!rsa->e && ((rsa->e = BN_new()) == NULL))
133	0	goto err;
134	0	if (!rsa->p && ((rsa->p = BN_new()) == NULL))
135	0	goto err;
136	0	if (!rsa->q && ((rsa->q = BN_new()) == NULL))
137	0	goto err;
138	0	if (!rsa->dmp1 && ((rsa->dmp1 = BN_new()) == NULL))
139	0	goto err;
140	0	if (!rsa->dmq1 && ((rsa->dmq1 = BN_new()) == NULL))
141	0	goto err;
142	0	if (!rsa->iqmp && ((rsa->iqmp = BN_new()) == NULL))
143	0	goto err;
144
145	0	if (BN_copy(rsa->e, e_value) == NULL)
146	0	goto err;
147
148		/* generate p and q */
149	0	for (;;) {
150	0	if (!BN_generate_prime_ex(rsa->p, bitsp, 0, NULL, NULL, cb))
151	0	goto err;
152	0	if (!BN_sub(r2, rsa->p, BN_value_one()))
153	0	goto err;
154	0	if (!BN_gcd(r1, r2, rsa->e, ctx))
155	0	goto err;
156	0	if (BN_is_one(r1))
157	0	break;
158	0	if (!BN_GENCB_call(cb, 2, n++))
159	0	goto err;
160	0	}
161	0	if (!BN_GENCB_call(cb, 3, 0))
162	0	goto err;
163	0	for (;;) {
164		/*
165		* When generating ridiculously small keys, we can get stuck
166		* continually regenerating the same prime values. Check for this and
167		* bail if it happens 3 times.
168		*/
169	0	unsigned int degenerate = 0;
170	0	do {
171	0	if (!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL, cb))
172	0	goto err;
173	0	} while ((BN_cmp(rsa->p, rsa->q) == 0) && (++degenerate < 3));
174	0	if (degenerate == 3) {
175	0	ok = 0; /* we set our own err */
176	0	RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, RSA_R_KEY_SIZE_TOO_SMALL);
177	0	goto err;
178	0	}
179	0	if (!BN_sub(r2, rsa->q, BN_value_one()))
180	0	goto err;
181	0	if (!BN_gcd(r1, r2, rsa->e, ctx))
182	0	goto err;
183	0	if (BN_is_one(r1))
184	0	break;
185	0	if (!BN_GENCB_call(cb, 2, n++))
186	0	goto err;
187	0	}
188	0	if (!BN_GENCB_call(cb, 3, 1))
189	0	goto err;
190	0	if (BN_cmp(rsa->p, rsa->q) < 0) {
191	0	tmp = rsa->p;
192	0	rsa->p = rsa->q;
193	0	rsa->q = tmp;
194	0	}
195
196		/* calculate n */
197	0	if (!BN_mul(rsa->n, rsa->p, rsa->q, ctx))
198	0	goto err;
199
200		/* calculate d */
201	0	if (!BN_sub(r1, rsa->p, BN_value_one()))
202	0	goto err; /* p-1 */
203	0	if (!BN_sub(r2, rsa->q, BN_value_one()))
204	0	goto err; /* q-1 */
205	0	if (!BN_mul(r0, r1, r2, ctx))
206	0	goto err; /* (p-1)(q-1) */
207	0	if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
208	0	pr0 = &local_r0;
209	0	BN_with_flags(pr0, r0, BN_FLG_CONSTTIME);
210	0	} else
211	0	pr0 = r0;
212	0	if (!BN_mod_inverse(rsa->d, rsa->e, pr0, ctx))
213	0	goto err; /* d */
214
215		/* set up d for correct BN_FLG_CONSTTIME flag */
216	0	if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
217	0	d = &local_d;
218	0	BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
219	0	} else
220	0	d = rsa->d;
221
222		/* calculate d mod (p-1) */
223	0	if (!BN_mod(rsa->dmp1, d, r1, ctx))
224	0	goto err;
225
226		/* calculate d mod (q-1) */
227	0	if (!BN_mod(rsa->dmq1, d, r2, ctx))
228	0	goto err;
229
230		/* calculate inverse of q mod p */
231	0	if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
232	0	p = &local_p;
233	0	BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
234	0	} else
235	0	p = rsa->p;
236	0	if (!BN_mod_inverse(rsa->iqmp, rsa->q, p, ctx))
237	0	goto err;
238
239	0	ok = 1;
240	0	err:
241	0	if (ok == -1) {
242	0	RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, ERR_LIB_BN);
243	0	ok = 0;
244	0	}
245	0	if (ctx != NULL) {
246	0	BN_CTX_end(ctx);
247	0	BN_CTX_free(ctx);
248	0	}
249
250	0	return ok;
251	0	}