/src/openssl/crypto/rsa/rsa_gen.c

Source (jump to first uncovered line)
/*
 * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the OpenSSL license (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

/*
 * NB: these functions have been "upgraded", the deprecated versions (which
 * are compatibility wrappers using these functions) are in rsa_depr.c. -
 * Geoff
 */

#include <stdio.h>
#include <time.h>
#include "internal/cryptlib.h"
#include <openssl/bn.h>
#include "rsa_locl.h"

static int rsa_builtin_keygen(RSA *rsa, int bits, int primes, BIGNUM *e_value,
                              BN_GENCB *cb);

/*
 * NB: this wrapper would normally be placed in rsa_lib.c and the static
 * implementation would probably be in rsa_eay.c. Nonetheless, is kept here
 * so that we don't introduce a new linker dependency. Eg. any application
 * that wasn't previously linking object code related to key-generation won't
 * have to now just because key-generation is part of RSA_METHOD.
 */
int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
{
    if (rsa->meth->rsa_keygen != NULL)
        return rsa->meth->rsa_keygen(rsa, bits, e_value, cb);

    return RSA_generate_multi_prime_key(rsa, bits, RSA_DEFAULT_PRIME_NUM,
                                        e_value, cb);
}

int RSA_generate_multi_prime_key(RSA *rsa, int bits, int primes,
                                 BIGNUM *e_value, BN_GENCB *cb)
{
    /* multi-prime is only supported with the builtin key generation */
    if (rsa->meth->rsa_multi_prime_keygen != NULL) {
        return rsa->meth->rsa_multi_prime_keygen(rsa, bits, primes,
                                                 e_value, cb);
    } else if (rsa->meth->rsa_keygen != NULL) {
        /*
         * However, if rsa->meth implements only rsa_keygen, then we
         * have to honour it in 2-prime case and assume that it wouldn't
         * know what to do with multi-prime key generated by builtin
         * subroutine...
         */
        if (primes == 2)
            return rsa->meth->rsa_keygen(rsa, bits, e_value, cb);
        else
            return 0;
    }

    return rsa_builtin_keygen(rsa, bits, primes, e_value, cb);
}

static int rsa_builtin_keygen(RSA *rsa, int bits, int primes, BIGNUM *e_value,
                              BN_GENCB *cb)
{
    BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL, *tmp, *prime;
    int ok = -1, n = 0, bitsr[RSA_MAX_PRIME_NUM], bitse = 0;
    int i = 0, quo = 0, rmd = 0, adj = 0, retries = 0;
    RSA_PRIME_INFO *pinfo = NULL;
    STACK_OF(RSA_PRIME_INFO) *prime_infos = NULL;
    BN_CTX *ctx = NULL;
    BN_ULONG bitst = 0;
    unsigned long error = 0;

    if (bits < RSA_MIN_MODULUS_BITS) {
        ok = 0;             /* we set our own err */
        RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, RSA_R_KEY_SIZE_TOO_SMALL);
        goto err;
    }

    if (primes < RSA_DEFAULT_PRIME_NUM || primes > rsa_multip_cap(bits)) {
        ok = 0;             /* we set our own err */
        RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, RSA_R_KEY_PRIME_NUM_INVALID);
        goto err;
    }

    ctx = BN_CTX_new();
    if (ctx == NULL)
        goto err;
    BN_CTX_start(ctx);
    r0 = BN_CTX_get(ctx);
    r1 = BN_CTX_get(ctx);
    r2 = BN_CTX_get(ctx);
    if (r2 == NULL)
        goto err;

    /* divide bits into 'primes' pieces evenly */
    quo = bits / primes;
    rmd = bits % primes;

    for (i = 0; i < primes; i++)
        bitsr[i] = (i < rmd) ? quo + 1 : quo;

    /* We need the RSA components non-NULL */
    if (!rsa->n && ((rsa->n = BN_new()) == NULL))
        goto err;
    if (!rsa->d && ((rsa->d = BN_secure_new()) == NULL))
        goto err;
    if (!rsa->e && ((rsa->e = BN_new()) == NULL))
        goto err;
    if (!rsa->p && ((rsa->p = BN_secure_new()) == NULL))
        goto err;
    if (!rsa->q && ((rsa->q = BN_secure_new()) == NULL))
        goto err;
    if (!rsa->dmp1 && ((rsa->dmp1 = BN_secure_new()) == NULL))
        goto err;
    if (!rsa->dmq1 && ((rsa->dmq1 = BN_secure_new()) == NULL))
        goto err;
    if (!rsa->iqmp && ((rsa->iqmp = BN_secure_new()) == NULL))
        goto err;

    /* initialize multi-prime components */
    if (primes > RSA_DEFAULT_PRIME_NUM) {
        rsa->version = RSA_ASN1_VERSION_MULTI;
        prime_infos = sk_RSA_PRIME_INFO_new_reserve(NULL, primes - 2);
        if (prime_infos == NULL)
            goto err;
        if (rsa->prime_infos != NULL) {
            /* could this happen? */
            sk_RSA_PRIME_INFO_pop_free(rsa->prime_infos, rsa_multip_info_free);
        }
        rsa->prime_infos = prime_infos;

        /* prime_info from 2 to |primes| -1 */
        for (i = 2; i < primes; i++) {
            pinfo = rsa_multip_info_new();
            if (pinfo == NULL)
                goto err;
            (void)sk_RSA_PRIME_INFO_push(prime_infos, pinfo);
        }
    }

    if (BN_copy(rsa->e, e_value) == NULL)
        goto err;

    /* generate p, q and other primes (if any) */
    for (i = 0; i < primes; i++) {
        adj = 0;
        retries = 0;

        if (i == 0) {
            prime = rsa->p;
        } else if (i == 1) {
            prime = rsa->q;
        } else {
            pinfo = sk_RSA_PRIME_INFO_value(prime_infos, i - 2);
            prime = pinfo->r;
        }
        BN_set_flags(prime, BN_FLG_CONSTTIME);

        for (;;) {
 redo:
            if (!BN_generate_prime_ex(prime, bitsr[i] + adj, 0, NULL, NULL, cb))
                goto err;
            /*
             * prime should not be equal to p, q, r_3...
             * (those primes prior to this one)
             */
            {
                int j;

                for (j = 0; j < i; j++) {
                    BIGNUM *prev_prime;

                    if (j == 0)
                        prev_prime = rsa->p;
                    else if (j == 1)
                        prev_prime = rsa->q;
                    else
                        prev_prime = sk_RSA_PRIME_INFO_value(prime_infos,
                                                             j - 2)->r;

                    if (!BN_cmp(prime, prev_prime)) {
                        goto redo;
                    }
                }
            }
            if (!BN_sub(r2, prime, BN_value_one()))
                goto err;
            ERR_set_mark();
            BN_set_flags(r2, BN_FLG_CONSTTIME);
            if (BN_mod_inverse(r1, r2, rsa->e, ctx) != NULL) {
               /* GCD == 1 since inverse exists */
                break;
            }
            error = ERR_peek_last_error();
            if (ERR_GET_LIB(error) == ERR_LIB_BN
                && ERR_GET_REASON(error) == BN_R_NO_INVERSE) {
                /* GCD != 1 */
                ERR_pop_to_mark();
            } else {
                goto err;
            }
            if (!BN_GENCB_call(cb, 2, n++))
                goto err;
        }

        bitse += bitsr[i];

        /* calculate n immediately to see if it's sufficient */
        if (i == 1) {
            /* we get at least 2 primes */
            if (!BN_mul(r1, rsa->p, rsa->q, ctx))
                goto err;
        } else if (i != 0) {
            /* modulus n = p * q * r_3 * r_4 ... */
            if (!BN_mul(r1, rsa->n, prime, ctx))
                goto err;
        } else {
            /* i == 0, do nothing */
            if (!BN_GENCB_call(cb, 3, i))
                goto err;
            continue;
        }
        /*
         * if |r1|, product of factors so far, is not as long as expected
         * (by checking the first 4 bits are less than 0x9 or greater than
         * 0xF). If so, re-generate the last prime.
         *
         * NOTE: This actually can't happen in two-prime case, because of
         * the way factors are generated.
         *
         * Besides, another consideration is, for multi-prime case, even the
         * length modulus is as long as expected, the modulus could start at
         * 0x8, which could be utilized to distinguish a multi-prime private
         * key by using the modulus in a certificate. This is also covered
         * by checking the length should not be less than 0x9.
         */
        if (!BN_rshift(r2, r1, bitse - 4))
            goto err;
        bitst = BN_get_word(r2);

        if (bitst < 0x9 || bitst > 0xF) {
            /*
             * For keys with more than 4 primes, we attempt longer factor to
             * meet length requirement.
             *
             * Otherwise, we just re-generate the prime with the same length.
             *
             * This strategy has the following goals:
             *
             * 1. 1024-bit factors are effcient when using 3072 and 4096-bit key
             * 2. stay the same logic with normal 2-prime key
             */
            bitse -= bitsr[i];
            if (!BN_GENCB_call(cb, 2, n++))
                goto err;
            if (primes > 4) {
                if (bitst < 0x9)
                    adj++;
                else
                    adj--;
            } else if (retries == 4) {
                /*
                 * re-generate all primes from scratch, mainly used
                 * in 4 prime case to avoid long loop. Max retry times
                 * is set to 4.
                 */
                i = -1;
                bitse = 0;
                continue;
            }
            retries++;
            goto redo;
        }
        /* save product of primes for further use, for multi-prime only */
        if (i > 1 && BN_copy(pinfo->pp, rsa->n) == NULL)
            goto err;
        if (BN_copy(rsa->n, r1) == NULL)
            goto err;
        if (!BN_GENCB_call(cb, 3, i))
            goto err;
    }

    if (BN_cmp(rsa->p, rsa->q) < 0) {
        tmp = rsa->p;
        rsa->p = rsa->q;
        rsa->q = tmp;
    }

    /* calculate d */

    /* p - 1 */
    if (!BN_sub(r1, rsa->p, BN_value_one()))
        goto err;
    /* q - 1 */
    if (!BN_sub(r2, rsa->q, BN_value_one()))
        goto err;
    /* (p - 1)(q - 1) */
    if (!BN_mul(r0, r1, r2, ctx))
        goto err;
    /* multi-prime */
    for (i = 2; i < primes; i++) {
        pinfo = sk_RSA_PRIME_INFO_value(prime_infos, i - 2);
        /* save r_i - 1 to pinfo->d temporarily */
        if (!BN_sub(pinfo->d, pinfo->r, BN_value_one()))
            goto err;
        if (!BN_mul(r0, r0, pinfo->d, ctx))
            goto err;
    }

    {
        BIGNUM *pr0 = BN_new();

        if (pr0 == NULL)
            goto err;

        BN_with_flags(pr0, r0, BN_FLG_CONSTTIME);
        if (!BN_mod_inverse(rsa->d, rsa->e, pr0, ctx)) {
            BN_free(pr0);
            goto err;               /* d */
        }
        /* We MUST free pr0 before any further use of r0 */
        BN_free(pr0);
    }

    {
        BIGNUM *d = BN_new();

        if (d == NULL)
            goto err;

        BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);

        /* calculate d mod (p-1) and d mod (q - 1) */
        if (!BN_mod(rsa->dmp1, d, r1, ctx)
            || !BN_mod(rsa->dmq1, d, r2, ctx)) {
            BN_free(d);
            goto err;
        }

        /* calculate CRT exponents */
        for (i = 2; i < primes; i++) {
            pinfo = sk_RSA_PRIME_INFO_value(prime_infos, i - 2);
            /* pinfo->d == r_i - 1 */
            if (!BN_mod(pinfo->d, d, pinfo->d, ctx)) {
                BN_free(d);
                goto err;
            }
        }

        /* We MUST free d before any further use of rsa->d */
        BN_free(d);
    }

    {
        BIGNUM *p = BN_new();

        if (p == NULL)
            goto err;
        BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);

        /* calculate inverse of q mod p */
        if (!BN_mod_inverse(rsa->iqmp, rsa->q, p, ctx)) {
            BN_free(p);
            goto err;
        }

        /* calculate CRT coefficient for other primes */
        for (i = 2; i < primes; i++) {
            pinfo = sk_RSA_PRIME_INFO_value(prime_infos, i - 2);
            BN_with_flags(p, pinfo->r, BN_FLG_CONSTTIME);
            if (!BN_mod_inverse(pinfo->t, pinfo->pp, p, ctx)) {
                BN_free(p);
                goto err;
            }
        }

        /* We MUST free p before any further use of rsa->p */
        BN_free(p);
    }

    ok = 1;
 err:
    if (ok == -1) {
        RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, ERR_LIB_BN);
        ok = 0;
    }
    if (ctx != NULL)
        BN_CTX_end(ctx);
    BN_CTX_free(ctx);
    return ok;
}

Coverage Report

Created: 2018-08-29 13:53

Line	Count	Source (jump to first uncovered line)
1		/*
2		* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
3		*
4		* Licensed under the OpenSSL license (the "License"). You may not use
5		* this file except in compliance with the License. You can obtain a copy
6		* in the file LICENSE in the source distribution or at
7		* https://www.openssl.org/source/license.html
8		*/
9
10		/*
11		* NB: these functions have been "upgraded", the deprecated versions (which
12		* are compatibility wrappers using these functions) are in rsa_depr.c. -
13		* Geoff
14		*/
15
16		#include <stdio.h>
17		#include <time.h>
18		#include "internal/cryptlib.h"
19		#include <openssl/bn.h>
20		#include "rsa_locl.h"
21
22		static int rsa_builtin_keygen(RSA rsa, int bits, int primes, BIGNUM e_value,
23		BN_GENCB *cb);
24
25		/*
26		* NB: this wrapper would normally be placed in rsa_lib.c and the static
27		* implementation would probably be in rsa_eay.c. Nonetheless, is kept here
28		* so that we don't introduce a new linker dependency. Eg. any application
29		* that wasn't previously linking object code related to key-generation won't
30		* have to now just because key-generation is part of RSA_METHOD.
31		*/
32		int RSA_generate_key_ex(RSA rsa, int bits, BIGNUM e_value, BN_GENCB *cb)
33	0	{
34	0	if (rsa->meth->rsa_keygen != NULL)
35	0	return rsa->meth->rsa_keygen(rsa, bits, e_value, cb);
36	0
37	0	return RSA_generate_multi_prime_key(rsa, bits, RSA_DEFAULT_PRIME_NUM,
38	0	e_value, cb);
39	0	}
40
41		int RSA_generate_multi_prime_key(RSA *rsa, int bits, int primes,
42		BIGNUM e_value, BN_GENCB cb)
43	0	{
44	0	/* multi-prime is only supported with the builtin key generation */
45	0	if (rsa->meth->rsa_multi_prime_keygen != NULL) {
46	0	return rsa->meth->rsa_multi_prime_keygen(rsa, bits, primes,
47	0	e_value, cb);
48	0	} else if (rsa->meth->rsa_keygen != NULL) {
49	0	/*
50	0	* However, if rsa->meth implements only rsa_keygen, then we
51	0	* have to honour it in 2-prime case and assume that it wouldn't
52	0	* know what to do with multi-prime key generated by builtin
53	0	* subroutine...
54	0	*/
55	0	if (primes == 2)
56	0	return rsa->meth->rsa_keygen(rsa, bits, e_value, cb);
57	0	else
58	0	return 0;
59	0	}
60	0
61	0	return rsa_builtin_keygen(rsa, bits, primes, e_value, cb);
62	0	}
63
64		static int rsa_builtin_keygen(RSA rsa, int bits, int primes, BIGNUM e_value,
65		BN_GENCB *cb)
66	0	{
67	0	BIGNUM r0 = NULL, r1 = NULL, r2 = NULL, tmp, *prime;
68	0	int ok = -1, n = 0, bitsr[RSA_MAX_PRIME_NUM], bitse = 0;
69	0	int i = 0, quo = 0, rmd = 0, adj = 0, retries = 0;
70	0	RSA_PRIME_INFO *pinfo = NULL;
71	0	STACK_OF(RSA_PRIME_INFO) *prime_infos = NULL;
72	0	BN_CTX *ctx = NULL;
73	0	BN_ULONG bitst = 0;
74	0	unsigned long error = 0;
75	0
76	0	if (bits < RSA_MIN_MODULUS_BITS) {
77	0	ok = 0; /* we set our own err */
78	0	RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, RSA_R_KEY_SIZE_TOO_SMALL);
79	0	goto err;
80	0	}
81	0
82	0	if (primes < RSA_DEFAULT_PRIME_NUM \|\| primes > rsa_multip_cap(bits)) {
83	0	ok = 0; /* we set our own err */
84	0	RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, RSA_R_KEY_PRIME_NUM_INVALID);
85	0	goto err;
86	0	}
87	0
88	0	ctx = BN_CTX_new();
89	0	if (ctx == NULL)
90	0	goto err;
91	0	BN_CTX_start(ctx);
92	0	r0 = BN_CTX_get(ctx);
93	0	r1 = BN_CTX_get(ctx);
94	0	r2 = BN_CTX_get(ctx);
95	0	if (r2 == NULL)
96	0	goto err;
97	0
98	0	/* divide bits into 'primes' pieces evenly */
99	0	quo = bits / primes;
100	0	rmd = bits % primes;
101	0
102	0	for (i = 0; i < primes; i++)
103	0	bitsr[i] = (i < rmd) ? quo + 1 : quo;
104	0
105	0	/* We need the RSA components non-NULL */
106	0	if (!rsa->n && ((rsa->n = BN_new()) == NULL))
107	0	goto err;
108	0	if (!rsa->d && ((rsa->d = BN_secure_new()) == NULL))
109	0	goto err;
110	0	if (!rsa->e && ((rsa->e = BN_new()) == NULL))
111	0	goto err;
112	0	if (!rsa->p && ((rsa->p = BN_secure_new()) == NULL))
113	0	goto err;
114	0	if (!rsa->q && ((rsa->q = BN_secure_new()) == NULL))
115	0	goto err;
116	0	if (!rsa->dmp1 && ((rsa->dmp1 = BN_secure_new()) == NULL))
117	0	goto err;
118	0	if (!rsa->dmq1 && ((rsa->dmq1 = BN_secure_new()) == NULL))
119	0	goto err;
120	0	if (!rsa->iqmp && ((rsa->iqmp = BN_secure_new()) == NULL))
121	0	goto err;
122	0
123	0	/* initialize multi-prime components */
124	0	if (primes > RSA_DEFAULT_PRIME_NUM) {
125	0	rsa->version = RSA_ASN1_VERSION_MULTI;
126	0	prime_infos = sk_RSA_PRIME_INFO_new_reserve(NULL, primes - 2);
127	0	if (prime_infos == NULL)
128	0	goto err;
129	0	if (rsa->prime_infos != NULL) {
130	0	/* could this happen? */
131	0	sk_RSA_PRIME_INFO_pop_free(rsa->prime_infos, rsa_multip_info_free);
132	0	}
133	0	rsa->prime_infos = prime_infos;
134	0
135	0	/* prime_info from 2 to \|primes\| -1 */
136	0	for (i = 2; i < primes; i++) {
137	0	pinfo = rsa_multip_info_new();
138	0	if (pinfo == NULL)
139	0	goto err;
140	0	(void)sk_RSA_PRIME_INFO_push(prime_infos, pinfo);
141	0	}
142	0	}
143	0
144	0	if (BN_copy(rsa->e, e_value) == NULL)
145	0	goto err;
146	0
147	0	/* generate p, q and other primes (if any) */
148	0	for (i = 0; i < primes; i++) {
149	0	adj = 0;
150	0	retries = 0;
151	0
152	0	if (i == 0) {
153	0	prime = rsa->p;
154	0	} else if (i == 1) {
155	0	prime = rsa->q;
156	0	} else {
157	0	pinfo = sk_RSA_PRIME_INFO_value(prime_infos, i - 2);
158	0	prime = pinfo->r;
159	0	}
160	0	BN_set_flags(prime, BN_FLG_CONSTTIME);
161	0
162	0	for (;;) {
163	0	redo:
164	0	if (!BN_generate_prime_ex(prime, bitsr[i] + adj, 0, NULL, NULL, cb))
165	0	goto err;
166	0	/*
167	0	* prime should not be equal to p, q, r_3...
168	0	* (those primes prior to this one)
169	0	*/
170	0	{
171	0	int j;
172	0
173	0	for (j = 0; j < i; j++) {
174	0	BIGNUM *prev_prime;
175	0
176	0	if (j == 0)
177	0	prev_prime = rsa->p;
178	0	else if (j == 1)
179	0	prev_prime = rsa->q;
180	0	else
181	0	prev_prime = sk_RSA_PRIME_INFO_value(prime_infos,
182	0	j - 2)->r;
183	0
184	0	if (!BN_cmp(prime, prev_prime)) {
185	0	goto redo;
186	0	}
187	0	}
188	0	}
189	0	if (!BN_sub(r2, prime, BN_value_one()))
190	0	goto err;
191	0	ERR_set_mark();
192	0	BN_set_flags(r2, BN_FLG_CONSTTIME);
193	0	if (BN_mod_inverse(r1, r2, rsa->e, ctx) != NULL) {
194	0	/* GCD == 1 since inverse exists */
195	0	break;
196	0	}
197	0	error = ERR_peek_last_error();
198	0	if (ERR_GET_LIB(error) == ERR_LIB_BN
199	0	&& ERR_GET_REASON(error) == BN_R_NO_INVERSE) {
200	0	/* GCD != 1 */
201	0	ERR_pop_to_mark();
202	0	} else {
203	0	goto err;
204	0	}
205	0	if (!BN_GENCB_call(cb, 2, n++))
206	0	goto err;
207	0	}
208	0
209	0	bitse += bitsr[i];
210	0
211	0	/* calculate n immediately to see if it's sufficient */
212	0	if (i == 1) {
213	0	/* we get at least 2 primes */
214	0	if (!BN_mul(r1, rsa->p, rsa->q, ctx))
215	0	goto err;
216	0	} else if (i != 0) {
217	0	/* modulus n = p * q * r_3 * r_4 ... */
218	0	if (!BN_mul(r1, rsa->n, prime, ctx))
219	0	goto err;
220	0	} else {
221	0	/* i == 0, do nothing */
222	0	if (!BN_GENCB_call(cb, 3, i))
223	0	goto err;
224	0	continue;
225	0	}
226	0	/*
227	0	* if \|r1\|, product of factors so far, is not as long as expected
228	0	* (by checking the first 4 bits are less than 0x9 or greater than
229	0	* 0xF). If so, re-generate the last prime.
230	0	*
231	0	* NOTE: This actually can't happen in two-prime case, because of
232	0	* the way factors are generated.
233	0	*
234	0	* Besides, another consideration is, for multi-prime case, even the
235	0	* length modulus is as long as expected, the modulus could start at
236	0	* 0x8, which could be utilized to distinguish a multi-prime private
237	0	* key by using the modulus in a certificate. This is also covered
238	0	* by checking the length should not be less than 0x9.
239	0	*/
240	0	if (!BN_rshift(r2, r1, bitse - 4))
241	0	goto err;
242	0	bitst = BN_get_word(r2);
243	0
244	0	if (bitst < 0x9 \|\| bitst > 0xF) {
245	0	/*
246	0	* For keys with more than 4 primes, we attempt longer factor to
247	0	* meet length requirement.
248	0	*
249	0	* Otherwise, we just re-generate the prime with the same length.
250	0	*
251	0	* This strategy has the following goals:
252	0	*
253	0	* 1. 1024-bit factors are effcient when using 3072 and 4096-bit key
254	0	* 2. stay the same logic with normal 2-prime key
255	0	*/
256	0	bitse -= bitsr[i];
257	0	if (!BN_GENCB_call(cb, 2, n++))
258	0	goto err;
259	0	if (primes > 4) {
260	0	if (bitst < 0x9)
261	0	adj++;
262	0	else
263	0	adj--;
264	0	} else if (retries == 4) {
265	0	/*
266	0	* re-generate all primes from scratch, mainly used
267	0	* in 4 prime case to avoid long loop. Max retry times
268	0	* is set to 4.
269	0	*/
270	0	i = -1;
271	0	bitse = 0;
272	0	continue;
273	0	}
274	0	retries++;
275	0	goto redo;
276	0	}
277	0	/* save product of primes for further use, for multi-prime only */
278	0	if (i > 1 && BN_copy(pinfo->pp, rsa->n) == NULL)
279	0	goto err;
280	0	if (BN_copy(rsa->n, r1) == NULL)
281	0	goto err;
282	0	if (!BN_GENCB_call(cb, 3, i))
283	0	goto err;
284	0	}
285	0
286	0	if (BN_cmp(rsa->p, rsa->q) < 0) {
287	0	tmp = rsa->p;
288	0	rsa->p = rsa->q;
289	0	rsa->q = tmp;
290	0	}
291	0
292	0	/* calculate d */
293	0
294	0	/* p - 1 */
295	0	if (!BN_sub(r1, rsa->p, BN_value_one()))
296	0	goto err;
297	0	/* q - 1 */
298	0	if (!BN_sub(r2, rsa->q, BN_value_one()))
299	0	goto err;
300	0	/* (p - 1)(q - 1) */
301	0	if (!BN_mul(r0, r1, r2, ctx))
302	0	goto err;
303	0	/* multi-prime */
304	0	for (i = 2; i < primes; i++) {
305	0	pinfo = sk_RSA_PRIME_INFO_value(prime_infos, i - 2);
306	0	/* save r_i - 1 to pinfo->d temporarily */
307	0	if (!BN_sub(pinfo->d, pinfo->r, BN_value_one()))
308	0	goto err;
309	0	if (!BN_mul(r0, r0, pinfo->d, ctx))
310	0	goto err;
311	0	}
312	0
313	0	{
314	0	BIGNUM *pr0 = BN_new();
315	0
316	0	if (pr0 == NULL)
317	0	goto err;
318	0
319	0	BN_with_flags(pr0, r0, BN_FLG_CONSTTIME);
320	0	if (!BN_mod_inverse(rsa->d, rsa->e, pr0, ctx)) {
321	0	BN_free(pr0);
322	0	goto err; /* d */
323	0	}
324	0	/* We MUST free pr0 before any further use of r0 */
325	0	BN_free(pr0);
326	0	}
327	0
328	0	{
329	0	BIGNUM *d = BN_new();
330	0
331	0	if (d == NULL)
332	0	goto err;
333	0
334	0	BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
335	0
336	0	/* calculate d mod (p-1) and d mod (q - 1) */
337	0	if (!BN_mod(rsa->dmp1, d, r1, ctx)
338	0	\|\| !BN_mod(rsa->dmq1, d, r2, ctx)) {
339	0	BN_free(d);
340	0	goto err;
341	0	}
342	0
343	0	/* calculate CRT exponents */
344	0	for (i = 2; i < primes; i++) {
345	0	pinfo = sk_RSA_PRIME_INFO_value(prime_infos, i - 2);
346	0	/* pinfo->d == r_i - 1 */
347	0	if (!BN_mod(pinfo->d, d, pinfo->d, ctx)) {
348	0	BN_free(d);
349	0	goto err;
350	0	}
351	0	}
352	0
353	0	/* We MUST free d before any further use of rsa->d */
354	0	BN_free(d);
355	0	}
356	0
357	0	{
358	0	BIGNUM *p = BN_new();
359	0
360	0	if (p == NULL)
361	0	goto err;
362	0	BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
363	0
364	0	/* calculate inverse of q mod p */
365	0	if (!BN_mod_inverse(rsa->iqmp, rsa->q, p, ctx)) {
366	0	BN_free(p);
367	0	goto err;
368	0	}
369	0
370	0	/* calculate CRT coefficient for other primes */
371	0	for (i = 2; i < primes; i++) {
372	0	pinfo = sk_RSA_PRIME_INFO_value(prime_infos, i - 2);
373	0	BN_with_flags(p, pinfo->r, BN_FLG_CONSTTIME);
374	0	if (!BN_mod_inverse(pinfo->t, pinfo->pp, p, ctx)) {
375	0	BN_free(p);
376	0	goto err;
377	0	}
378	0	}
379	0
380	0	/* We MUST free p before any further use of rsa->p */
381	0	BN_free(p);
382	0	}
383	0
384	0	ok = 1;
385	0	err:
386	0	if (ok == -1) {
387	0	RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, ERR_LIB_BN);
388	0	ok = 0;
389	0	}
390	0	if (ctx != NULL)
391	0	BN_CTX_end(ctx);
392	0	BN_CTX_free(ctx);
393	0	return ok;
394	0	}