diff options
| -rw-r--r-- | CHANGES.md | 6 | ||||
| -rw-r--r-- | crypto/rsa/rsa_backend.c | 156 | ||||
| -rw-r--r-- | crypto/rsa/rsa_gen.c | 329 | ||||
| -rw-r--r-- | crypto/rsa/rsa_lib.c | 34 | ||||
| -rw-r--r-- | crypto/rsa/rsa_local.h | 4 | ||||
| -rw-r--r-- | crypto/rsa/rsa_sp800_56b_gen.c | 56 | ||||
| -rw-r--r-- | doc/man7/EVP_PKEY-RSA.pod | 9 | ||||
| -rw-r--r-- | include/crypto/rsa.h | 6 | ||||
| -rw-r--r-- | test/evp_extra_test.c | 67 | ||||
| -rw-r--r-- | test/evp_pkey_provided_test.c | 398 | ||||
| -rw-r--r-- | util/perl/OpenSSL/paramnames.pm | 1 |
11 files changed, 943 insertions, 123 deletions
diff --git a/CHANGES.md b/CHANGES.md index 625eacb6d4..57507381e1 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -80,6 +80,12 @@ OpenSSL 3.2 ### Changes between 3.1 and 3.2 [xx XXX xxxx] + * The EVP_PKEY_fromdata function has been augmented to allow for the derivation + of CRT (Chinese Remainder Theorem) parameters when requested. See the + OSSL_PKEY_PARAM_DERIVE_FROM_PQ param in the EVP_PKEY-RSA documentation. + + *Neil Horman* + * The BLAKE2b hash algorithm supports a configurable output length by setting the "size" parameter. diff --git a/crypto/rsa/rsa_backend.c b/crypto/rsa/rsa_backend.c index 7b2efa8862..1a9b783a9b 100644 --- a/crypto/rsa/rsa_backend.c +++ b/crypto/rsa/rsa_backend.c @@ -64,22 +64,56 @@ static int collect_numbers(STACK_OF(BIGNUM) *numbers, int ossl_rsa_fromdata(RSA *rsa, const OSSL_PARAM params[], int include_private) { const OSSL_PARAM *param_n, *param_e, *param_d = NULL; - BIGNUM *n = NULL, *e = NULL, *d = NULL; + const OSSL_PARAM *param_p, *param_q = NULL; + const OSSL_PARAM *param_derive = NULL; + BIGNUM *p = NULL, *q = NULL, *n = NULL, *e = NULL, *d = NULL; STACK_OF(BIGNUM) *factors = NULL, *exps = NULL, *coeffs = NULL; int is_private = 0; + int derive_from_pq = 0; + BN_CTX *ctx = NULL; if (rsa == NULL) return 0; param_n = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_RSA_N); param_e = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_RSA_E); - if (include_private) - param_d = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_RSA_D); - if ((param_n != NULL && !OSSL_PARAM_get_BN(param_n, &n)) - || (param_e != NULL && !OSSL_PARAM_get_BN(param_e, &e)) - || (param_d != NULL && !OSSL_PARAM_get_BN(param_d, &d))) + if ((param_n == NULL || !OSSL_PARAM_get_BN(param_n, &n)) + || (param_e == NULL || !OSSL_PARAM_get_BN(param_e, &e))) { + ERR_raise(ERR_LIB_RSA, ERR_R_PASSED_NULL_PARAMETER); goto err; + } + + if (include_private) { + + param_derive = OSSL_PARAM_locate_const(params, + OSSL_PKEY_PARAM_RSA_DERIVE_FROM_PQ); + if ((param_derive != NULL) + && !OSSL_PARAM_get_int(param_derive, &derive_from_pq)) + goto err; + + param_d = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_RSA_D); + if (param_d != NULL && !OSSL_PARAM_get_BN(param_d, &d)) { + ERR_raise(ERR_LIB_RSA, ERR_R_PASSED_NULL_PARAMETER); + goto err; + } + + if (derive_from_pq) { + ctx = BN_CTX_new_ex(rsa->libctx); + if (ctx == NULL) + goto err; + + /* we need at minimum p, q */ + param_p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_RSA_FACTOR1); + param_q = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_RSA_FACTOR2); + if ((param_p == NULL || !OSSL_PARAM_get_BN(param_p, &p)) + || (param_q == NULL || !OSSL_PARAM_get_BN(param_q, &q))) { + ERR_raise(ERR_LIB_RSA, ERR_R_PASSED_NULL_PARAMETER); + goto err; + } + + } + } is_private = (d != NULL); @@ -96,25 +130,121 @@ int ossl_rsa_fromdata(RSA *rsa, const OSSL_PARAM params[], int include_private) ossl_rsa_mp_coeff_names)) goto err; - /* It's ok if this private key just has n, e and d */ + if (derive_from_pq && sk_BIGNUM_num(exps) == 0 + && sk_BIGNUM_num(coeffs) == 0) { + /* + * If we want to use crt to derive our exponents/coefficients, we + * need to have at least 2 factors + */ + if (sk_BIGNUM_num(factors) < 2) { + ERR_raise(ERR_LIB_RSA, ERR_R_PASSED_NULL_PARAMETER); + goto err; + } + + /* + * if we have more than two factors, n and d must also have + * been provided + */ + if (sk_BIGNUM_num(factors) > 2 + && (param_n == NULL || param_d == NULL)) { + ERR_raise(ERR_LIB_RSA, ERR_R_PASSED_NULL_PARAMETER); + goto err; + } + + /* build our exponents and coefficients here */ + if (sk_BIGNUM_num(factors) == 2) { + /* for 2 factors we can use the sp800 functions to do this */ + if (!RSA_set0_factors(rsa, sk_BIGNUM_value(factors, 0), + sk_BIGNUM_value(factors, 1))) { + ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); + goto err; + } + /* + * once consumed by RSA_set0_factors, pop those off the stack + * so we don't free them below + */ + sk_BIGNUM_pop(factors); + sk_BIGNUM_pop(factors); + + /* + * Note: Because we only have 2 factors here, there will be no + * additional pinfo fields to hold additional factors, and + * since we set our key and 2 factors above we can skip + * the call to ossl_rsa_set0_all_params + */ + if (!ossl_rsa_sp800_56b_derive_params_from_pq(rsa, + RSA_bits(rsa), + NULL, ctx)) { + ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); + goto err; + } + } else { +#ifndef FIPS_MODULE + /* + * in the multiprime case we have to generate exps/coeffs here + * for each additional prime + */ + if (!ossl_rsa_multiprime_derive(rsa, RSA_bits(rsa), + sk_BIGNUM_num(factors), + rsa->e, factors, exps, + coeffs)) { + ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); + goto err; + } + + /* + * Now we should have all our factors, exponents and + * coefficients + */ + if (!ossl_rsa_set0_all_params(rsa, factors, exps, coeffs)) { + ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); + goto err; + } + +#else + /* multiprime case is disallowed in FIPS mode, raise an error */ + ERR_raise(ERR_LIB_RSA, ERR_R_UNSUPPORTED); + goto err; +#endif + } + + } else { + /* + * It's ok if this private key just has n, e and d + * but only if we're not using derive_from_pq + */ + if (sk_BIGNUM_num(factors) != 0 + && !ossl_rsa_set0_all_params(rsa, factors, exps, coeffs)) + goto err; + } + /* sanity check to ensure we used everything in our stacks */ if (sk_BIGNUM_num(factors) != 0 - && !ossl_rsa_set0_all_params(rsa, factors, exps, coeffs)) + || sk_BIGNUM_num(exps) != 0 + || sk_BIGNUM_num(coeffs) != 0) { + ERR_raise_data(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR, + "There are %d, %d, %d elements left on our factors, exps, coeffs stacks\n", + sk_BIGNUM_num(factors), sk_BIGNUM_num(exps), + sk_BIGNUM_num(coeffs)); goto err; + } } - + BN_clear_free(p); + BN_clear_free(q); sk_BIGNUM_free(factors); sk_BIGNUM_free(exps); sk_BIGNUM_free(coeffs); + BN_CTX_free(ctx); return 1; err: BN_free(n); BN_free(e); BN_free(d); - sk_BIGNUM_pop_free(factors, BN_free); - sk_BIGNUM_pop_free(exps, BN_free); - sk_BIGNUM_pop_free(coeffs, BN_free); + sk_BIGNUM_pop_free(factors, BN_clear_free); + sk_BIGNUM_pop_free(exps, BN_clear_free); + sk_BIGNUM_pop_free(coeffs, BN_clear_free); + BN_CTX_free(ctx); return 0; } @@ -152,7 +282,7 @@ int ossl_rsa_todata(RSA *rsa, OSSL_PARAM_BLD *bld, OSSL_PARAM params[], || !ossl_param_build_set_multi_key_bn(bld, params, ossl_rsa_mp_coeff_names, coeffs)) - goto err; + goto err; } #if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS) diff --git a/crypto/rsa/rsa_gen.c b/crypto/rsa/rsa_gen.c index 0cdbb3fde2..f67e1152bb 100644 --- a/crypto/rsa/rsa_gen.c +++ b/crypto/rsa/rsa_gen.c @@ -71,15 +71,201 @@ int RSA_generate_multi_prime_key(RSA *rsa, int bits, int primes, return rsa_keygen(rsa->libctx, rsa, bits, primes, e_value, cb, 0); } +DEFINE_STACK_OF(BIGNUM) + +/* + * Given input values, q, p, n, d and e, derive the exponents + * and coefficients for each prime in this key, placing the result + * on their respective exps and coeffs stacks + */ #ifndef FIPS_MODULE +int ossl_rsa_multiprime_derive(RSA *rsa, int bits, int primes, + BIGNUM *e_value, + STACK_OF(BIGNUM) *factors, + STACK_OF(BIGNUM) *exps, + STACK_OF(BIGNUM) *coeffs) +{ + STACK_OF(BIGNUM) *pplist = NULL, *pdlist = NULL; + BIGNUM *factor = NULL, *newpp = NULL, *newpd = NULL; + BIGNUM *dval = NULL, *newexp = NULL, *newcoeff = NULL; + BIGNUM *p = NULL, *q = NULL; + BIGNUM *dmp1 = NULL, *dmq1 = NULL, *iqmp = NULL; + BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL; + BN_CTX *ctx = NULL; + BIGNUM *tmp = NULL; + int i; + int ret = 0; + + ctx = BN_CTX_new_ex(rsa->libctx); + if (ctx == NULL) + goto err; + + BN_CTX_start(ctx); + + pplist = sk_BIGNUM_new_null(); + if (pplist == NULL) + goto err; + + pdlist = sk_BIGNUM_new_null(); + if (pdlist == NULL) + goto err; + + r0 = BN_CTX_get(ctx); + r1 = BN_CTX_get(ctx); + r2 = BN_CTX_get(ctx); + + if (r2 == NULL) + goto err; + + BN_set_flags(r0, BN_FLG_CONSTTIME); + BN_set_flags(r1, BN_FLG_CONSTTIME); + BN_set_flags(r2, BN_FLG_CONSTTIME); + + if (BN_copy(r1, rsa->n) == NULL) + goto err; + + p = sk_BIGNUM_value(factors, 0); + q = sk_BIGNUM_value(factors, 1); + + /* Build list of partial products of primes */ + for (i = 0; i < sk_BIGNUM_num(factors); i++) { + switch (i) { + case 0: + /* our first prime, p */ + if (!BN_sub(r2, p, BN_value_one())) + goto err; + BN_set_flags(r2, BN_FLG_CONSTTIME); + if (BN_mod_inverse(r1, r2, rsa->e, ctx) == NULL) + goto err; + break; + case 1: + /* second prime q */ + if (!BN_mul(r1, p, q, ctx)) + goto err; + tmp = BN_dup(r1); + if (tmp == NULL) + goto err; + if (!sk_BIGNUM_insert(pplist, tmp, sk_BIGNUM_num(pplist))) + goto err; + break; + default: + factor = sk_BIGNUM_value(factors, i); + /* all other primes */ + if (!BN_mul(r1, r1, factor, ctx)) + goto err; + tmp = BN_dup(r1); + if (tmp == NULL) + goto err; + if (!sk_BIGNUM_insert(pplist, tmp, sk_BIGNUM_num(pplist))) + goto err; + break; + } + } + + /* build list of relative d values */ + /* p -1 */ + if (!BN_sub(r1, p, BN_value_one())) + goto err; + if (!BN_sub(r2, q, BN_value_one())) + goto err; + if (!BN_mul(r0, r1, r2, ctx)) + goto err; + for (i = 2; i < sk_BIGNUM_num(factors); i++) { + factor = sk_BIGNUM_value(factors, i); + dval = BN_new(); + if (dval == NULL) + goto err; + BN_set_flags(dval, BN_FLG_CONSTTIME); + if (!BN_sub(dval, factor, BN_value_one())) + goto err; + if (!BN_mul(r0, r0, dval, ctx)) + goto err; + if (!sk_BIGNUM_insert(pdlist, dval, sk_BIGNUM_num(pdlist))) + goto err; + } + + /* Calculate dmp1, dmq1 and additional exponents */ + dmp1 = BN_secure_new(); + if (dmp1 == NULL) + goto err; + dmq1 = BN_secure_new(); + if (dmq1 == NULL) + goto err; + + if (!BN_mod(dmp1, rsa->d, r1, ctx)) + goto err; + if (!sk_BIGNUM_insert(exps, dmp1, sk_BIGNUM_num(exps))) + goto err; + dmp1 = NULL; + + if (!BN_mod(dmq1, rsa->d, r2, ctx)) + goto err; + if (!sk_BIGNUM_insert(exps, dmq1, sk_BIGNUM_num(exps))) + goto err; + dmq1 = NULL; + + for (i = 2; i < sk_BIGNUM_num(factors); i++) { + newpd = sk_BIGNUM_value(pdlist, i - 2); + newexp = BN_new(); + if (newexp == NULL) + goto err; + if (!BN_mod(newexp, rsa->d, newpd, ctx)) { + BN_free(newexp); + goto err; + } + if (!sk_BIGNUM_insert(exps, newexp, sk_BIGNUM_num(exps))) + goto err; + } + + /* Calculate iqmp and additional coefficients */ + iqmp = BN_new(); + if (iqmp == NULL) + goto err; + + if (BN_mod_inverse(iqmp, sk_BIGNUM_value(factors, 1), + sk_BIGNUM_value(factors, 0), ctx) == NULL) + goto err; + if (!sk_BIGNUM_insert(coeffs, iqmp, sk_BIGNUM_num(coeffs))) + goto err; + iqmp = NULL; + + for (i = 2; i < sk_BIGNUM_num(factors); i++) { + newpp = sk_BIGNUM_value(pplist, i - 2); + newcoeff = BN_new(); + if (newcoeff == NULL) + goto err; + if (BN_mod_inverse(newcoeff, newpp, sk_BIGNUM_value(factors, i), + ctx) == NULL) { + BN_free(newcoeff); + goto err; + } + if (!sk_BIGNUM_insert(coeffs, newcoeff, sk_BIGNUM_num(coeffs))) + goto err; + } + + ret = 1; + err: + sk_BIGNUM_pop_free(pplist, BN_free); + sk_BIGNUM_pop_free(pdlist, BN_free); + BN_CTX_end(ctx); + BN_CTX_free(ctx); + BN_clear_free(dmp1); + BN_clear_free(dmq1); + BN_clear_free(iqmp); + return ret; +} + static int rsa_multiprime_keygen(RSA *rsa, int bits, int primes, BIGNUM *e_value, BN_GENCB *cb) { - BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL, *tmp, *prime; + BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL, *tmp, *tmp2, *prime; int n = 0, bitsr[RSA_MAX_PRIME_NUM], bitse = 0; int i = 0, quo = 0, rmd = 0, adj = 0, retries = 0; RSA_PRIME_INFO *pinfo = NULL; STACK_OF(RSA_PRIME_INFO) *prime_infos = NULL; + STACK_OF(BIGNUM) *factors = NULL; + STACK_OF(BIGNUM) *exps = NULL; + STACK_OF(BIGNUM) *coeffs = NULL; BN_CTX *ctx = NULL; BN_ULONG bitst = 0; unsigned long error = 0; @@ -104,6 +290,18 @@ static int rsa_multiprime_keygen(RSA *rsa, int bits, int primes, return 0; } + factors = sk_BIGNUM_new_null(); + if (factors == NULL) + return 0; + + exps = sk_BIGNUM_new_null(); + if (exps == NULL) + goto err; + + coeffs = sk_BIGNUM_new_null(); + if (coeffs == NULL) + goto err; + ctx = BN_CTX_new_ex(rsa->libctx); if (ctx == NULL) goto err; @@ -137,15 +335,6 @@ static int rsa_multiprime_keygen(RSA *rsa, int bits, int primes, if (!rsa->q && ((rsa->q = BN_secure_new()) == NULL)) goto err; BN_set_flags(rsa->q, BN_FLG_CONSTTIME); - if (!rsa->dmp1 && ((rsa->dmp1 = BN_secure_new()) == NULL)) - goto err; - BN_set_flags(rsa->dmp1, BN_FLG_CONSTTIME); - if (!rsa->dmq1 && ((rsa->dmq1 = BN_secure_new()) == NULL)) - goto err; - BN_set_flags(rsa->dmq1, BN_FLG_CONSTTIME); - if (!rsa->iqmp && ((rsa->iqmp = BN_secure_new()) == NULL)) - goto err; - BN_set_flags(rsa->iqmp, BN_FLG_CONSTTIME); /* initialize multi-prime components */ if (primes > RSA_DEFAULT_PRIME_NUM) { @@ -220,7 +409,7 @@ static int rsa_multiprime_keygen(RSA *rsa, int bits, int primes, ERR_set_mark(); BN_set_flags(r2, BN_FLG_CONSTTIME); if (BN_mod_inverse(r1, r2, rsa->e, ctx) != NULL) { - /* GCD == 1 since inverse exists */ + /* GCD == 1 since inverse exists */ break; } error = ERR_peek_last_error(); @@ -250,8 +439,14 @@ static int rsa_multiprime_keygen(RSA *rsa, int bits, int primes, /* i == 0, do nothing */ if (!BN_GENCB_call(cb, 3, i)) goto err; + tmp = BN_dup(prime); + if (tmp == NULL) + goto err; + if (!sk_BIGNUM_insert(factors, tmp, sk_BIGNUM_num(factors))) + goto err; continue; } + /* * if |r1|, product of factors so far, is not as long as expected * (by checking the first 4 bits are less than 0x9 or greater than @@ -298,6 +493,10 @@ static int rsa_multiprime_keygen(RSA *rsa, int bits, int primes, */ i = -1; bitse = 0; + sk_BIGNUM_pop_free(factors, BN_clear_free); + factors = sk_BIGNUM_new_null(); + if (factors == NULL) + goto err; continue; } retries++; @@ -310,12 +509,20 @@ static int rsa_multiprime_keygen(RSA *rsa, int bits, int primes, goto err; if (!BN_GENCB_call(cb, 3, i)) goto err; + tmp = BN_dup(prime); + if (tmp == NULL) + goto err; + if (!sk_BIGNUM_insert(factors, tmp, sk_BIGNUM_num(factors))) + goto err; } if (BN_cmp(rsa->p, rsa->q) < 0) { tmp = rsa->p; rsa->p = rsa->q; rsa->q = tmp; + /* mirror this in our factor stack */ + if (!sk_BIGNUM_insert(factors, sk_BIGNUM_delete(factors, 0), 1)) + goto err; } /* calculate d */ @@ -339,79 +546,51 @@ static int rsa_multiprime_keygen(RSA *rsa, int bits, int primes, goto err; } - { - BIGNUM *pr0 = BN_new(); - if (pr0 == NULL) - goto err; - - BN_with_flags(pr0, r0, BN_FLG_CONSTTIME); - if (!BN_mod_inverse(rsa->d, rsa->e, pr0, ctx)) { - BN_free(pr0); - goto err; /* d */ - } - /* We MUST free pr0 before any further use of r0 */ - BN_free(pr0); - } - - { - BIGNUM *d = BN_new(); - - if (d == NULL) - goto err; - - BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); - - /* calculate d mod (p-1) and d mod (q - 1) */ - if (!BN_mod(rsa->dmp1, d, r1, ctx) - || !BN_mod(rsa->dmq1, d, r2, ctx)) { - BN_free(d); - goto err; - } - - /* calculate CRT exponents */ - for (i = 2; i < primes; i++) { - pinfo = sk_RSA_PRIME_INFO_value(prime_infos, i - 2); - /* pinfo->d == r_i - 1 */ - if (!BN_mod(pinfo->d, d, pinfo->d, ctx)) { - BN_free(d); - goto err; - } - } - - /* We MUST free d before any further use of rsa->d */ - BN_free(d); + BN_set_flags(r0, BN_FLG_CONSTTIME); + if (BN_mod_inverse(rsa->d, rsa->e, r0, ctx) == NULL) { + goto err; /* d */ } - { - BIGNUM *p = BN_new(); + /* derive any missing exponents and coefficients */ + if (!ossl_rsa_multiprime_derive(rsa, bits, primes, e_value, + factors, exps, coeffs)) + goto err; - if (p == NULL) + /* + * first 2 factors/exps are already tracked in p/q/dmq1/dmp1 + * and the first coeff is in iqmp, so pop those off the stack + * Note, the first 2 factors/exponents are already tracked by p and q + * assign dmp1/dmq1 and iqmp + * the remaining pinfo values are separately allocated, so copy and delete + * those + */ + BN_clear_free(sk_BIGNUM_delete(factors, 0)); + BN_clear_free(sk_BIGNUM_delete(factors, 0)); + rsa->dmp1 = sk_BIGNUM_delete(exps, 0); + rsa->dmq1 = sk_BIGNUM_delete(exps, 0); + rsa->iqmp = sk_BIGNUM_delete(coeffs, 0); + for (i = 2; i < primes; i++) { + pinfo = sk_RSA_PRIME_INFO_value(prime_infos, i - 2); + tmp = sk_BIGNUM_delete(factors, 0); + BN_copy(pinfo->r, tmp); + BN_clear_free(tmp); + tmp = sk_BIGNUM_delete(exps, 0); + tmp2 = BN_copy(pinfo->d, tmp); + BN_clear_free(tmp); + if (tmp2 == NULL) goto err; - BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME); - - /* calculate inverse of q mod p */ - if (!BN_mod_inverse(rsa->iqmp, rsa->q, p, ctx)) { - BN_free(p); + tmp = sk_BIGNUM_delete(coeffs, 0); + tmp2 = BN_copy(pinfo->t, tmp); + BN_clear_free(tmp); + if (tmp2 == NULL) goto err; - } - - /* calculate CRT coefficient for other primes */ - for (i = 2; i < primes; i++) { - pinfo = sk_RSA_PRIME_INFO_value(prime_infos, i - 2); - BN_with_flags(p, pinfo->r, BN_FLG_CONSTTIME); - if (!BN_mod_inverse(pinfo->t, pinfo->pp, p, ctx)) { - BN_free(p); - goto err; - } - } - - /* We MUST free p before any further use of rsa->p */ - BN_free(p); } - ok = 1; err: + sk_BIGNUM_free(factors); + sk_BIGNUM_free(exps); + sk_BIGNUM_free(coeffs); if (ok == -1) { ERR_raise(ERR_LIB_RSA, ERR_R_BN_LIB); ok = 0; diff --git a/crypto/rsa/rsa_lib.c b/crypto/rsa/rsa_lib.c index 1c3b33c28b..1bd1a0a7bd 100644 --- a/crypto/rsa/rsa_lib.c +++ b/crypto/rsa/rsa_lib.c @@ -744,9 +744,13 @@ int RSA_pkey_ctx_ctrl(EVP_PKEY_CTX *ctx, int optype, int cmd, int p1, void *p2) DEFINE_STACK_OF(BIGNUM) -int ossl_rsa_set0_all_params(RSA *r, const STACK_OF(BIGNUM) *primes, - const STACK_OF(BIGNUM) *exps, - const STACK_OF(BIGNUM) *coeffs) +/* + * Note: This function deletes values from the parameter + * stack values as they are consumed and set in the RSA key. + */ +int ossl_rsa_set0_all_params(RSA *r, STACK_OF(BIGNUM) *primes, + STACK_OF(BIGNUM) *exps, + STACK_OF(BIGNUM) *coeffs) { #ifndef FIPS_MODULE STACK_OF(RSA_PRIME_INFO) *prime_infos, *old_infos = NULL; @@ -757,6 +761,8 @@ int ossl_rsa_set0_all_params(RSA *r, const STACK_OF(BIGNUM) *primes, return 0; pnum = sk_BIGNUM_num(primes); + + /* we need at least 2 primes */ if (pnum < 2) return 0; @@ -764,6 +770,17 @@ int ossl_rsa_set0_all_params(RSA *r, const STACK_OF(BIGNUM) *primes, sk_BIGNUM_value(primes, 1))) return 0; + /* + * if we managed to set everything above, remove those elements from the + * stack + * Note, we do this after the above all to ensure that we have taken + * ownership of all the elements in the RSA key to avoid memory leaks + * we also use delete 0 here as we are grabbing items from the end of the + * stack rather than the start, otherwise we could use pop + */ + sk_BIGNUM_delete(primes, 0); + sk_BIGNUM_delete(primes, 0); + if (pnum == sk_BIGNUM_num(exps) && pnum == sk_BIGNUM_num(coeffs) + 1) { @@ -771,6 +788,11 @@ int ossl_rsa_set0_all_params(RSA *r, const STACK_OF(BIGNUM) *primes, sk_BIGNUM_value(exps, 1), sk_BIGNUM_value(coeffs, 0))) return 0; + + /* as above, once we consume the above params, delete them from the list */ + sk_BIGNUM_delete(exps, 0); + sk_BIGNUM_delete(exps, 0); + sk_BIGNUM_delete(coeffs, 0); } #ifndef FIPS_MODULE @@ -786,9 +808,9 @@ int ossl_rsa_set0_all_params(RSA *r, const STACK_OF(BIGNUM) *primes, return 0; for (i = 2; i < pnum; i++) { - BIGNUM *prime = sk_BIGNUM_value(primes, i); - BIGNUM *exp = sk_BIGNUM_value(exps, i); - BIGNUM *coeff = sk_BIGNUM_value(coeffs, i - 1); + BIGNUM *prime = sk_BIGNUM_pop(primes); + BIGNUM *exp = sk_BIGNUM_pop(exps); + BIGNUM *coeff = sk_BIGNUM_pop(coeffs); RSA_PRIME_INFO *pinfo = NULL; if (!ossl_assert(prime != NULL && exp != NULL && coeff != NULL)) diff --git a/crypto/rsa/rsa_local.h b/crypto/rsa/rsa_local.h index ea70da05ad..f0084aeab4 100644 --- a/crypto/rsa/rsa_local.h +++ b/crypto/rsa/rsa_local.h @@ -150,6 +150,10 @@ struct rsa_meth_st { /* Macros to test if a pkey or ctx is for a PSS key */ #define pkey_is_pss(pkey) (pkey->ameth->pkey_id == EVP_PKEY_RSA_PSS) #define pkey_ctx_is_pss(ctx) (ctx->pmeth->pkey_id == EVP_PKEY_RSA_PSS) +int ossl_rsa_multiprime_derive(RSA *rsa, int bits, int primes, + BIGNUM *e_value, + STACK_OF(BIGNUM) *factors, STACK_OF(BIGNUM) *exps, + STACK_OF(BIGNUM) *coeffs); RSA_PSS_PARAMS *ossl_rsa_pss_params_create(const EVP_MD *sigmd, const EVP_MD *mgf1md, int saltlen); diff --git a/crypto/rsa/rsa_sp800_56b_gen.c b/crypto/rsa/rsa_sp800_56b_gen.c index 9fa85bfdf3..bcc0fceab0 100644 --- a/crypto/rsa/rsa_sp800_56b_gen.c +++ b/crypto/rsa/rsa_sp800_56b_gen.c @@ -228,13 +228,16 @@ static int rsa_validate_rng_strength(EVP_RAND_CTX *rng, int nbits) * Returns: -1 = error, * 0 = d is too small, * 1 = success. + * + * SP800-56b key generation always passes a non NULL value for e. + * For other purposes, if e is NULL then it is assumed that e, n and d are + * already set in the RSA key and do not need to be recalculated. */ int ossl_rsa_sp800_56b_derive_params_from_pq(RSA *rsa, int nbits, const BIGNUM *e, BN_CTX *ctx) { int ret = -1; BIGNUM *p1, *q1, *lcm, *p1q1, *gcd; - BN_CTX_start(ctx); p1 = BN_CTX_get(ctx); q1 = BN_CTX_get(ctx); @@ -254,32 +257,37 @@ int ossl_rsa_sp800_56b_derive_params_from_pq(RSA *rsa, int nbits, if (ossl_rsa_get_lcm(ctx, rsa->p, rsa->q, lcm, gcd, p1, q1, p1q1) != 1) goto err; - /* copy e */ - BN_free(rsa->e); - rsa->e = BN_dup(e); - if (rsa->e == NULL) - goto err; + /* + * if e is provided as a parameter, don't recompute e, d or n + */ + if (e != NULL) { + /* copy e */ + BN_free(rsa->e); + rsa->e = BN_dup(e); + if (rsa->e == NULL) + goto err; - BN_clear_free(rsa->d); - /* (Step 3) d = (e^-1) mod (LCM(p-1, q-1)) */ - rsa->d = BN_secure_new(); - if (rsa->d == NULL) - goto err; - BN_set_flags(rsa->d, BN_FLG_CONSTTIME); - if (BN_mod_inverse(rsa->d, e, lcm, ctx) == NULL) - goto err; + BN_clear_free(rsa->d); + /* (Step 3) d = (e^-1) mod (LCM(p-1, q-1)) */ + rsa->d = BN_secure_new(); + if (rsa->d == NULL) + goto err; + BN_set_flags(rsa->d, BN_FLG_CONSTTIME); + if (BN_mod_inverse(rsa->d, e, lcm, ctx) == NULL) + goto err; - /* (Step 3) return an error if d is too small */ - if (BN_num_bits(rsa->d) <= (nbits >> 1)) { - ret = 0; - goto err; - } + /* (Step 3) return an error if d is too small */ + if (BN_num_bits(rsa->d) <= (nbits >> 1)) { + ret = 0; + goto err; + } - /* (Step 4) n = pq */ - if (rsa->n == NULL) - rsa->n = BN_new(); - if (rsa->n == NULL || !BN_mul(rsa->n, rsa->p, rsa->q, ctx)) - goto err; + /* (Step 4) n = pq */ + if (rsa->n == NULL) + rsa->n = BN_new(); + if (rsa->n == NULL || !BN_mul(rsa->n, rsa->p, rsa->q, ctx)) + goto err; + } /* (Step 5a) dP = d mod (p-1) */ if (rsa->dmp1 == NULL) diff --git a/doc/man7/EVP_PKEY-RSA.pod b/doc/man7/EVP_PKEY-RSA.pod index dcd38fcee8..96562b6be0 100644 --- a/doc/man7/EVP_PKEY-RSA.pod +++ b/doc/man7/EVP_PKEY-RSA.pod @@ -132,6 +132,15 @@ The RSA "e" value. The value may be any odd number greater than or equal to 65537. The default value is 65537. For legacy reasons a value of 3 is currently accepted but is deprecated. +=item "rsa-derive-from-pq" (B<OSSL_PKEY_PARAM_RSA_DERIVE_FROM_PQ>) <unsigned integer> + +Indicate that missing parameters not passed in the parameter list should be +derived if not provided. Setting a nonzero value will cause all +needed exponents and coefficients to be derived if not available. Setting this +option requires at least OSSL_PARAM_RSA_FACTOR1, OSSL_PARAM_RSA_FACTOR2, +and OSSL_PARAM_RSA_N to be provided. This option is ignored if +OSSL_KEYMGMT_SELECT_PRIVATE_KEY is not set in the selection parameter. + =back =head2 RSA key generation parameters for FIPS module testing diff --git a/include/crypto/rsa.h b/include/crypto/rsa.h index 8eddc168f6..cb7f84b301 100644 --- a/include/crypto/rsa.h +++ b/include/crypto/rsa.h @@ -54,9 +54,9 @@ RSA *ossl_rsa_new_with_ctx(OSSL_LIB_CTX *libctx); OSSL_LIB_CTX *ossl_rsa_get0_libctx(RSA *r); void ossl_rsa_set0_libctx(RSA *r, OSSL_LIB_CTX *libctx); -int ossl_rsa_set0_all_params(RSA *r, const STACK_OF(BIGNUM) *primes, - const STACK_OF(BIGNUM) *exps, - const STACK_OF(BIGNUM) *coeffs); +int ossl_rsa_set0_all_params(RSA *r, STACK_OF(BIGNUM) *primes, + STACK_OF(BIGNUM) *exps, + STACK_OF(BIGNUM) *coeffs); int ossl_rsa_get0_all_params(RSA *r, STACK_OF(BIGNUM_const) *primes, STACK_OF(BIGNUM_const) *exps, STACK_OF(BIGNUM_const) *coeffs); diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c index f3680a0fb4..131879b8e2 100644 --- a/test/evp_extra_test.c +++ b/test/evp_extra_test.c @@ -3080,6 +3080,70 @@ static int test_RSA_OAEP_set_null_label(void) return ret; } +#ifndef OPENSSL_NO_DEPRECATED_3_0 +static int test_RSA_legacy(void) +{ + int ret = 0; + BIGNUM *p = NULL; + BIGNUM *q = NULL; + BIGNUM *n = NULL; + BIGNUM *e = NULL; + BIGNUM *d = NULL; + const EVP_MD *md = EVP_sha256(); + EVP_MD_CTX *ctx = NULL; + EVP_PKEY *pkey = NULL; + RSA *rsa = NULL; + + if (nullprov != NULL) + return TEST_skip("Test does not support a non-default library context"); + + if (!TEST_ptr(p = BN_dup(BN_value_one())) + || !TEST_ptr(q = BN_dup(BN_value_one())) + || !TEST_ptr(n = BN_dup(BN_value_one())) + || !TEST_ptr(e = BN_dup(BN_value_one())) + || !TEST_ptr(d = BN_dup(BN_value_one()))) + goto err; + + if (!TEST_ptr(rsa = RSA_new()) + || !TEST_ptr(pkey = EVP_PKEY_new()) + || !TEST_ptr(ctx = EVP_MD_CTX_new())) + goto err; + + if (!TEST_true(RSA_set0_factors(rsa, p, q))) + goto err; + p = NULL; + q = NULL; + + if (!TEST_true(RSA_set0_key(rsa, n, e, d))) + goto err; + n = NULL; + e = NULL; + d = NULL; + + if (!TEST_true(EVP_PKEY_assign_RSA(pkey, rsa))) + goto err; + + rsa = NULL; + + if (!TEST_true(EVP_DigestSignInit(ctx, NULL, md, NULL, pkey))) + goto err; + + ret = 1; + +err: + RSA_free(rsa); + EVP_MD_CTX_free(ctx); + EVP_PKEY_free(pkey); + BN_free(p); + BN_free(q); + BN_free(n); + BN_free(e); + BN_free(d); + + return ret; +} +#endif + #if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) static int test_decrypt_null_chunks(void) { @@ -5520,6 +5584,9 @@ int setup_tests(void) ADD_TEST(test_RSA_get_set_params); ADD_TEST(test_RSA_OAEP_set_get_params); ADD_TEST(test_RSA_OAEP_set_null_label); +#ifndef OPENSSL_NO_DEPRECATED_3_0 + ADD_TEST(test_RSA_legacy); +#endif #if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) ADD_TEST(test_decrypt_null_chunks); #endif diff --git a/test/evp_pkey_provided_test.c b/test/evp_pkey_provided_test.c index 02e7aa727c..afebd04feb 100644 --- a/test/evp_pkey_provided_test.c +++ b/test/evp_pkey_provided_test.c @@ -429,7 +429,8 @@ static int test_fromdata_rsa(void) /* for better diagnostics always compare key params */ for (i = 0; fromdata_params[i].key != NULL; ++i) { if (!TEST_true(BN_set_word(bn_from, key_numbers[i])) - || !TEST_true(EVP_PKEY_get_bn_param(pk, fromdata_params[i].key, &bn)) + || !TEST_true(EVP_PKEY_get_bn_param(pk, fromdata_params[i].key, + &bn)) || !TEST_BN_eq(bn, bn_from)) ret = 0; } @@ -443,6 +444,397 @@ static int test_fromdata_rsa(void) return ret; } +struct check_data { + const char *pname; + BIGNUM *comparebn; +}; + +static int do_fromdata_rsa_derive(OSSL_PARAM *fromdata_params, + struct check_data check[], + int expected_nbits, int expected_sbits, + int expected_ksize) +{ + const OSSL_PARAM *check_param = NULL; + BIGNUM *check_bn = NULL; + OSSL_PARAM *todata_params = NULL; + EVP_PKEY_CTX *ctx = NULL, *key_ctx = NULL; + EVP_PKEY *pk = NULL, *copy_pk = NULL, *dup_pk = NULL; + int i; + int ret = 0; + + if (!TEST_ptr(ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL)) + || !TEST_int_eq(EVP_PKEY_fromdata_init(ctx), 1) + || !TEST_int_eq(EVP_PKEY_fromdata(ctx, &pk, EVP_PKEY_KEYPAIR, + fromdata_params), 1)) + goto err; + + /* + * get the generated key parameters back and validate that the + * exponents/coeffs are correct + */ + if (!TEST_int_eq(EVP_PKEY_todata(pk, EVP_PKEY_KEYPAIR, &todata_params), 1)) + goto err; + + for (i = 0; check[i].pname != NULL; i++) { + if (!TEST_ptr(check_param = OSSL_PARAM_locate_const(todata_params, + check[i].pname))) + goto err; + if (!TEST_int_eq(OSSL_PARAM_get_BN(check_param, &check_bn), 1)) + goto err; + if (!TEST_BN_eq(check_bn, check[i].comparebn)) { + TEST_info("Data mismatch for parameter %s", check[i].pname); + goto err; + } + BN_free(check_bn); + check_bn = NULL; + } + + while (dup_pk == NULL) { + if (!TEST_int_eq(EVP_PKEY_get_bits(pk), expected_nbits) + || !TEST_int_eq(EVP_PKEY_get_security_bits(pk), expected_sbits) + || !TEST_int_eq(EVP_PKEY_get_size(pk), expected_ksize) + || !TEST_false(EVP_PKEY_missing_parameters(pk))) + goto err; + + EVP_PKEY_CTX_free(key_ctx); + if (!TEST_ptr(key_ctx = EVP_PKEY_CTX_new_from_pkey(NULL, pk, ""))) + goto err; + + if (!TEST_int_gt(EVP_PKEY_check(key_ctx), 0) + || !TEST_int_gt(EVP_PKEY_public_check(key_ctx), 0) + || !TEST_int_gt(EVP_PKEY_private_check(key_ctx), 0) + || !TEST_int_gt(EVP_PKEY_pairwise_check(key_ctx), 0)) + goto err; + + /* EVP_PKEY_copy_parameters() should fail for RSA */ + if (!TEST_ptr(copy_pk = EVP_PKEY_new()) + || !TEST_false(EVP_PKEY_copy_parameters(copy_pk, pk))) + goto err; + EVP_PKEY_free(copy_pk); + copy_pk = NULL; + + if (!TEST_ptr(dup_pk = EVP_PKEY_dup(pk))) + goto err; + if (!TEST_int_eq(EVP_PKEY_eq(pk, dup_pk), 1)) { + EVP_PKEY_free(dup_pk); + goto err; + } + EVP_PKEY_free(pk); + pk = dup_pk; + } + ret = 1; +err: + BN_free(check_bn); + EVP_PKEY_free(pk); + EVP_PKEY_CTX_free(ctx); + EVP_PKEY_CTX_free(key_ctx); + OSSL_PARAM_free(fromdata_params); + OSSL_PARAM_free(todata_params); + return ret; +} + +static int test_fromdata_rsa_derive_from_pq_sp800(void) +{ + OSSL_PARAM_BLD *bld = NULL; + BIGNUM *n = NULL, *e = NULL, *d = NULL, *p = NULL, *q = NULL; + BIGNUM *dmp1 = NULL, *dmq1 = NULL, *iqmp = NULL; + OSSL_PARAM *fromdata_params = NULL; + struct check_data cdata[4]; + int ret = 0; + /* + * 512-bit RSA key, extracted from this command, + * openssl genrsa 512 | openssl rsa -text + * Note: When generating a key with EVP_PKEY_fromdata, and using + * crt derivation, openssl requires a minimum of 512 bits of n data, + * and 2048 bits in the FIPS case + */ + static unsigned char n_data[] = + {0x00, 0xc7, 0x06, 0xd8, 0x6b, 0x3c, 0x4f, 0xb7, 0x95, 0x42, 0x44, 0x90, + 0xbd, 0xef, 0xf3, 0xc4, 0xb5, 0xa8, 0x55, 0x9e, 0x33, 0xa3, 0x04, 0x3a, + 0x90, 0xe5, 0x13, 0xff, 0x87, 0x69, 0x15, 0xa4, 0x8a, 0x17, 0x10, 0xcc, + 0xdf, 0xf9, 0xc5, 0x0f, 0xf1, 0x12, 0xff, 0x12, 0x11, 0xe5, 0x6b, 0x5c, + 0x83, 0xd9, 0x43, 0xd1, 0x8a, 0x7e, 0xa6, 0x60, 0x07, 0x2e, 0xbb, 0x03, + 0x17, 0x2d, 0xec, 0x17, 0x87}; + static unsigned char e_data[] = {0x01, 0x00, 0x01}; + static unsigned char d_data[] = + {0x1e, 0x5e, 0x5d, 0x07, 0x7f, 0xdc, 0x6a, 0x16, 0xcc, 0x55, 0xca, 0x00, + 0x31, 0x6c, 0xf0, 0xc7, 0x07, 0x38, 0x89, 0x3b, 0x37, 0xd4, 0x9d, 0x5b, + 0x1e, 0x99, 0x3e, 0x94, 0x5a, 0xe4, 0x82, 0x86, 0x8a, 0x78, 0x34, 0x09, + 0x37, 0xd5, 0xe7, 0xb4, 0xef, 0x5f, 0x83, 0x94, 0xff, 0xe5, 0x36, 0x79, + 0x10, 0x0c, 0x38, 0xc5, 0x3a, 0x33, 0xa6, 0x7c, 0x3c, 0xcc, 0x98, 0xe0, + 0xf5, 0xdb, 0xe6, 0x81}; + static unsigned char p_data[] = + {0x00, 0xf6, 0x61, 0x38, 0x0e, 0x1f, 0x82, 0x7c, 0xb8, 0xba, 0x00, 0xd3, + 0xac, 0xdc, 0x4e, 0x6b, 0x7e, 0xf7, 0x58, 0xf3, 0xd9, 0xd8, 0x21, 0xed, + 0x54, 0xa3, 0x36, 0xd2, 0x2c, 0x5f, 0x06, 0x7d, 0xc5}; + static unsigned char q_data[] = + {0x00, 0xce, 0xcc, 0x4a, 0xa5, 0x4f, 0xd6, 0x73, 0xd0, 0x20, 0xc3, 0x98, + 0x64, 0x20, 0x9b, 0xc1, 0x23, 0xd8, 0x5c, 0x82, 0x4f, 0xe8, 0xa5, 0x32, + 0xcd, 0x7e, 0x97, 0xb4, 0xde, 0xf6, 0x4c, 0x80, 0xdb}; + static unsigned char dmp1_data[] = + {0x00, 0xd1, 0x07, 0xb6, 0x79, 0x34, 0xfe, 0x8e, 0x36, 0x63, 0x88, 0xa4, + 0x0e, 0x3a, 0x73, 0x45, 0xfc, 0x58, 0x7a, 0x5d, 0x98, 0xeb, 0x28, 0x0d, + 0xa5, 0x0b, 0x3c, 0x4d, 0xa0, 0x5b, 0x96, 0xb4, 0x49}; + static unsigned char dmq1_data[] = + {0x5b, 0x47, 0x02, 0xdf, 0xaa, 0xb8, 0xae, 0x8f, 0xbc, 0x16, 0x79, 0x6a, + 0x20, 0x96, 0x7f, 0x0e, 0x92, 0x4e, 0x6a, 0xda, 0x58, 0x86, 0xaa, 0x40, + 0xd7, 0xd2, 0xa0, 0x6c, 0x15, 0x6c, 0xb9, 0x27}; + static unsigned char iqmp_data[] = + {0x00, 0xa0, 0xd6, 0xf0, 0xe8, 0x17, 0x9e, 0xe7, 0xe6, 0x99, 0x12, 0xd6, + 0xd9, 0x43, 0xcf, 0xed, 0x37, 0x29, 0xf5, 0x6c, 0x3e, 0xc1, 0x7f, 0x2e, + 0x31, 0x3f, 0x64, 0x34, 0x66, 0x68, 0x5c, 0x22, 0x08}; + + if (!TEST_ptr(bld = OSSL_PARAM_BLD_new()) + || !TEST_ptr(n = BN_bin2bn(n_data, sizeof(n_data), NULL)) + || !TEST_ptr(e = BN_bin2bn(e_data, sizeof(e_data), NULL)) + || !TEST_ptr(d = BN_bin2bn(d_data, sizeof(d_data), NULL)) + || !TEST_ptr(p = BN_bin2bn(p_data, sizeof(p_data), NULL)) + || !TEST_ptr(q = BN_bin2bn(q_data, sizeof(q_data), NULL)) + || !TEST_ptr(dmp1 = BN_bin2bn(dmp1_data, sizeof(dmp1_data), NULL)) + || !TEST_ptr(dmq1 = BN_bin2bn(dmq1_data, sizeof(dmq1_data), NULL)) + || !TEST_ptr(iqmp = BN_bin2bn(iqmp_data, sizeof(iqmp_data), NULL)) + || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_N, n)) + || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_E, e)) + || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_D, d)) + || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_FACTOR1, + p)) + || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_FACTOR2, + q)) + || !TEST_true(OSSL_PARAM_BLD_push_int(bld, + OSSL_PKEY_PARAM_RSA_DERIVE_FROM_PQ, 1)) + || !TEST_ptr(fromdata_params = OSSL_PARAM_BLD_to_param(bld))) + goto err; + + cdata[0].pname = OSSL_PKEY_PARAM_RSA_EXPONENT1; + cdata[0].comparebn = dmp1; + cdata[1].pname = OSSL_PKEY_PARAM_RSA_EXPONENT2; + cdata[1].comparebn = dmq1; + cdata[2].pname = OSSL_PKEY_PARAM_RSA_COEFFICIENT1; + cdata[2].comparebn = iqmp; + cdata[3].pname = NULL; + cdata[3].comparebn = NULL; + + ret = do_fromdata_rsa_derive(fromdata_params, cdata, 512, 56, 64); + +err: + BN_free(n); + BN_free(e); + BN_free(d); + BN_free(p); + BN_free(q); + BN_free(dmp1); + BN_free(dmq1); + BN_free(iqmp); + OSSL_PARAM_BLD_free(bld); + return ret; +} + +static int test_fromdata_rsa_derive_from_pq_multiprime(void) +{ + OSSL_PARAM_BLD *bld = NULL; + BIGNUM *n = NULL, *e = NULL, *d = NULL; + BIGNUM *p = NULL, *q = NULL, *p2 = NULL; + BIGNUM *dmp1 = NULL, *dmq1 = NULL, *iqmp = NULL; + BIGNUM *exp3 = NULL, *coeff2 = NULL; + OSSL_PARAM *fromdata_params = NULL; + struct check_data cdata[12]; + int ret = 0; + /* + * multiprime RSA key, extracted from this command, + * openssl genrsa -primes 3 | openssl rsa -text + * Note: When generating a key with EVP_PKEY_fromdata, and using + * crt derivation, openssl requires a minimum of 512 bits of n data, + * and 2048 bits in the FIPS case + */ + static unsigned char n_data[] = + {0x00, 0x95, 0x78, 0x21, 0xe0, 0xca, 0x94, 0x6c, 0x0b, 0x86, 0x2a, 0x01, + 0xde, 0xd9, 0xab, 0xee, 0x88, 0x4a, 0x27, 0x4f, 0xcc, 0x5f, 0xf1, 0x71, + 0xe1, 0x0b, 0xc3, 0xd1, 0x88, 0x76, 0xf0, 0x83, 0x03, 0x93, 0x7e, 0x39, + 0xfa, 0x47, 0x89, 0x34, 0x27, 0x18, 0x19, 0x97, 0xfc, 0xd4, 0xfe, 0xe5, + 0x8a, 0xa9, 0x11, 0x83, 0xb5, 0x15, 0x4a, 0x29, 0xa6, 0xa6, 0xd0, 0x6e, + 0x0c, 0x7f, 0x61, 0x8f, 0x7e, 0x7c, 0xfb, 0xfc, 0x04, 0x8b, 0xca, 0x44, + 0xf8, 0x59, 0x0b, 0x22, 0x6f, 0x3f, 0x92, 0x23, 0x98, 0xb5, 0xc8, 0xf7, + 0xff, 0xf7, 0xac, 0x6b, 0x36, 0xb3, 0xaf, 0x39, 0xde, 0x66, 0x38, 0x51, + 0x9f, 0xbe, 0xe2, 0xfc, 0xe4, 0x6f, 0x1a, 0x0f, 0x7a, 0xde, 0x7f, 0x0f, + 0x4e, 0xbc, 0xed, 0xa2, 0x99, 0xc5, 0xd1, 0xbf, 0x8f, 0xba, 0x92, 0x91, + 0xe4, 0x00, 0x91, 0xbb, 0x67, 0x36, 0x7d, 0x00, 0x50, 0xda, 0x28, 0x38, + 0xdc, 0x9f, 0xfe, 0x3f, 0x24, 0x5a, 0x0d, 0xe1, 0x8d, 0xe9, 0x45, 0x2c, + 0xd7, 0xf2, 0x67, 0x8c, 0x0c, 0x6e, 0xdb, 0xc8, 0x8b, 0x6b, 0x38, 0x30, + 0x21, 0x94, 0xc0, 0xe3, 0xd7, 0xe0, 0x23, 0xd3, 0xd4, 0xfa, 0xdb, 0xb9, + 0xfe, 0x1a, 0xcc, 0xc9, 0x79, 0x19, 0x35, 0x18, 0x42, 0x30, 0xc4, 0xb5, + 0x92, 0x33, 0x1e, 0xd4, 0xc4, 0xc0, 0x9d, 0x55, 0x37, 0xd4, 0xef, 0x54, + 0x71, 0x81, 0x09, 0x15, 0xdb, 0x11, 0x38, 0x6b, 0x35, 0x93, 0x11, 0xdc, + 0xb1, 0x6c, 0xd6, 0xa4, 0x37, 0x84, 0xf3, 0xb2, 0x2f, 0x1b, 0xd6, 0x05, + 0x9f, 0x0e, 0x5c, 0x98, 0x29, 0x2f, 0x95, 0xb6, 0x55, 0xbd, 0x24, 0x44, + 0xc5, 0xc8, 0xa2, 0x76, 0x1e, 0xf8, 0x82, 0x8a, 0xdf, 0x34, 0x72, 0x7e, + 0xdd, 0x65, 0x4b, 0xfc, 0x6c, 0x1c, 0x96, 0x70, 0xe2, 0x69, 0xb5, 0x12, + 0x1b, 0x59, 0x67, 0x14, 0x9d}; + static unsigned char e_data[] = {0x01, 0x00, 0x01}; + static unsigned char d_data[] = + {0x64, 0x57, 0x4d, 0x86, 0xf6, 0xf8, 0x44, 0xc0, 0x47, 0xc5, 0x13, 0x94, + 0x63, 0x54, 0x84, 0xc1, 0x81, 0xe6, 0x7a, 0x2f, 0x9d, 0x89, 0x1d, 0x06, + 0x13, 0x3b, 0xd6, 0x02, 0x62, 0xb6, 0x7b, 0x7d, 0x7f, 0x1a, 0x92, 0x19, + 0x6e, 0xc4, 0xb0, 0xfa, 0x3d, 0xb7, 0x90, 0xcc, 0xee, 0xc0, 0x5f, 0xa0, + 0x82, 0x77, 0x7b, 0x8f, 0xa9, 0x47, 0x2c, 0x46, 0xf0, 0x5d, 0xa4, 0x43, + 0x47, 0x90, 0x5b, 0x20, 0x73, 0x0f, 0x46, 0xd4, 0x56, 0x73, 0xe7, 0x71, + 0x41, 0x75, 0xb4, 0x1c, 0x32, 0xf5, 0x0c, 0x68, 0x8c, 0x40, 0xea, 0x1c, + 0x30, 0x12, 0xa2, 0x65, 0x02, 0x27, 0x98, 0x4e, 0x0a, 0xbf, 0x2b, 0x72, + 0xb2, 0x5c, 0xe3, 0xbe, 0x3e, 0xc7, 0xdb, 0x9b, 0xa2, 0x4a, 0x90, 0xc0, + 0xa7, 0xb0, 0x00, 0xf1, 0x6a, 0xff, 0xa3, 0x77, 0xf7, 0x71, 0xa2, 0x41, + 0xe9, 0x6e, 0x7c, 0x38, 0x24, 0x46, 0xd5, 0x5c, 0x49, 0x2a, 0xe6, 0xee, + 0x27, 0x4b, 0x2e, 0x6f, 0x16, 0x54, 0x2d, 0x37, 0x36, 0x01, 0x39, 0x2b, + 0x23, 0x4b, 0xb4, 0x65, 0x25, 0x4d, 0x7f, 0x72, 0x20, 0x7f, 0x5d, 0xec, + 0x50, 0xba, 0xbb, 0xaa, 0x9c, 0x3c, 0x1d, 0xa1, 0x40, 0x2c, 0x6a, 0x8b, + 0x5f, 0x2e, 0xe0, 0xa6, 0xf7, 0x9e, 0x03, 0xb5, 0x44, 0x5f, 0x74, 0xc7, + 0x9f, 0x89, 0x2b, 0x71, 0x2f, 0x66, 0x9f, 0x03, 0x6c, 0x96, 0xd0, 0x23, + 0x36, 0x4d, 0xa1, 0xf0, 0x82, 0xcc, 0x43, 0xe7, 0x08, 0x93, 0x40, 0x18, + 0xc0, 0x39, 0x73, 0x83, 0xe2, 0xec, 0x9b, 0x81, 0x9d, 0x4c, 0x86, 0xaa, + 0x59, 0xa8, 0x67, 0x1c, 0x80, 0xdc, 0x6f, 0x7f, 0x23, 0x6b, 0x7d, 0x2c, + 0x56, 0x99, 0xa0, 0x89, 0x7e, 0xdb, 0x8b, 0x7a, 0xaa, 0x03, 0x8e, 0x8e, + 0x8e, 0x3a, 0x58, 0xb4, 0x03, 0x6b, 0x65, 0xfa, 0x92, 0x0a, 0x96, 0x93, + 0xa6, 0x07, 0x60, 0x01}; + static unsigned char p_data[] = + {0x06, 0x55, 0x7f, 0xbd, 0xfd, 0xa8, 0x4c, 0x94, 0x5e, 0x10, 0x8a, 0x54, + 0x37, 0xf3, 0x64, 0x37, 0x3a, 0xca, 0x18, 0x1b, 0xdd, 0x71, 0xa5, 0x94, + 0xc9, 0x31, 0x59, 0xa5, 0x89, 0xe9, 0xc4, 0xba, 0x55, 0x90, 0x6d, 0x9c, + 0xcc, 0x52, 0x5d, 0x44, 0xa8, 0xbc, 0x2b, 0x3b, 0x8c, 0xbd, 0x96, 0xfa, + 0xcd, 0x54, 0x63, 0xe3, 0xc8, 0xfe, 0x5e, 0xc6, 0x73, 0x98, 0x14, 0x7a, + 0x54, 0x0e, 0xe7, 0x75, 0x49, 0x93, 0x20, 0x33, 0x17, 0xa9, 0x34, 0xa8, + 0xee, 0xaf, 0x3a, 0xcc, 0xf5, 0x69, 0xfc, 0x30, 0x1a, 0xdf, 0x49, 0x61, + 0xa4, 0xd1}; + static unsigned char p2_data[] = + {0x03, 0xe2, 0x41, 0x3d, 0xb1, 0xdd, 0xad, 0xd7, 0x3b, 0xf8, 0xab, 0x32, + 0x27, 0x8b, 0xac, 0x95, 0xc0, 0x1a, 0x3f, 0x80, 0x8e, 0x21, 0xa9, 0xb8, + 0xa2, 0xed, 0xcf, 0x97, 0x5c, 0x61, 0x10, 0x94, 0x1b, 0xd0, 0xbe, 0x88, + 0xc2, 0xa7, 0x20, 0xe5, 0xa5, 0xc2, 0x7a, 0x7e, 0xf0, 0xd1, 0xe4, 0x13, + 0x75, 0xb9, 0x62, 0x90, 0xf1, 0xc3, 0x5b, 0x8c, 0xe9, 0xa9, 0x5b, 0xb7, + 0x6d, 0xdc, 0xcd, 0x12, 0xea, 0x97, 0x05, 0x04, 0x25, 0x2a, 0x93, 0xd1, + 0x4e, 0x05, 0x1a, 0x50, 0xa2, 0x67, 0xb8, 0x4b, 0x09, 0x15, 0x65, 0x6c, + 0x66, 0x2d}; + static unsigned char q_data[] = + {0x06, 0x13, 0x74, 0x6e, 0xde, 0x7c, 0x33, 0xc2, 0xe7, 0x05, 0x2c, 0xeb, + 0x25, 0x7d, 0x4a, 0x07, 0x7e, 0x03, 0xcf, 0x6a, 0x23, 0x36, 0x25, 0x23, + 0xf6, 0x5d, 0xde, 0xa3, 0x0f, 0x82, 0xe6, 0x4b, 0xec, 0x39, 0xbf, 0x37, + 0x1f, 0x4f, 0x56, 0x1e, 0xd8, 0x62, 0x32, 0x5c, 0xf5, 0x37, 0x75, 0x20, + 0xe2, 0x7e, 0x56, 0x82, 0xc6, 0x35, 0xd3, 0x4d, 0xfa, 0x6c, 0xc3, 0x93, + 0xf0, 0x60, 0x53, 0x78, 0x95, 0xee, 0xf9, 0x8b, 0x2c, 0xaf, 0xb1, 0x47, + 0x5c, 0x29, 0x0d, 0x2a, 0x47, 0x7f, 0xd0, 0x7a, 0x4e, 0x26, 0x7b, 0x47, + 0xfb, 0x61}; + static unsigned char dmp1_data[] = + {0x01, 0x13, 0x3a, 0x1f, 0x91, 0x92, 0xa3, 0x8c, 0xfb, 0x7a, 0x6b, 0x40, + 0x68, 0x4e, 0xd3, 0xcf, 0xdc, 0x16, 0xb9, 0x88, 0xe1, 0x49, 0x8d, 0x05, + 0x78, 0x30, 0xfc, 0x3a, 0x70, 0xf2, 0x51, 0x06, 0x1f, 0xc7, 0xe8, 0x13, + 0x19, 0x4b, 0x51, 0xb1, 0x79, 0xc2, 0x96, 0xc4, 0x00, 0xdb, 0x9d, 0x68, + 0xec, 0xb9, 0x4a, 0x4b, 0x3b, 0xae, 0x91, 0x7f, 0xb5, 0xd7, 0x36, 0x82, + 0x9d, 0x09, 0xfa, 0x97, 0x99, 0xe9, 0x73, 0x29, 0xb8, 0xf6, 0x6b, 0x8d, + 0xd1, 0x15, 0xc5, 0x31, 0x4c, 0xe6, 0xb4, 0x7b, 0xa5, 0xd4, 0x08, 0xac, + 0x9e, 0x41}; + static unsigned char dmq1_data[] = + {0x05, 0xcd, 0x33, 0xc2, 0xdd, 0x3b, 0xb8, 0xec, 0xe4, 0x4c, 0x03, 0xcc, + 0xef, 0xba, 0x07, 0x22, 0xca, 0x47, 0x77, 0x18, 0x40, 0x50, 0xe5, 0xfb, + 0xc5, 0xb5, 0x71, 0xed, 0x3e, 0xd5, 0x5d, 0x72, 0xa7, 0x37, 0xa8, 0x86, + 0x48, 0xa6, 0x27, 0x74, 0x42, 0x66, 0xd8, 0xf1, 0xfb, 0xcf, 0x1d, 0x4e, + 0xee, 0x15, 0x76, 0x23, 0x5e, 0x81, 0x6c, 0xa7, 0x2b, 0x74, 0x08, 0xf7, + 0x4c, 0x71, 0x9d, 0xa2, 0x29, 0x7f, 0xca, 0xd5, 0x02, 0x31, 0x2c, 0x54, + 0x18, 0x02, 0xb6, 0xa8, 0x65, 0x26, 0xfc, 0xf8, 0x9b, 0x80, 0x90, 0xfc, + 0x75, 0x61}; + static unsigned char iqmp_data[] = + {0x05, 0x78, 0xf8, 0xdd, 0x1c, 0x6f, 0x3d, 0xaf, 0x53, 0x84, 0x32, 0xa9, + 0x35, 0x52, 0xf3, 0xd0, 0x4d, 0xf8, 0x09, 0x85, 0x3d, 0x72, 0x20, 0x8b, + 0x47, 0xba, 0xc8, 0xce, 0xac, 0xd9, 0x76, 0x90, 0x05, 0x88, 0x63, 0x8a, + 0x10, 0x2b, 0xcd, 0xd3, 0xbe, 0x8c, 0x16, 0x60, 0x6a, 0xfd, 0xce, 0xc7, + 0x9f, 0xfa, 0xbb, 0xe3, 0xa6, 0xde, 0xc2, 0x8f, 0x1d, 0x25, 0xdc, 0x41, + 0xcb, 0xa4, 0xeb, 0x76, 0xc9, 0xdc, 0x8e, 0x49, 0x0e, 0xe4, 0x7c, 0xd2, + 0xd5, 0x6e, 0x26, 0x3c, 0x0b, 0xd3, 0xc5, 0x20, 0x4e, 0x4b, 0xb6, 0xf7, + 0xae, 0xef}; + static unsigned char exp3_data[] = + {0x02, 0x7d, 0x16, 0x24, 0xfc, 0x35, 0xf9, 0xd0, 0xb3, 0x02, 0xf2, 0x5f, + 0xde, 0xeb, 0x27, 0x19, 0x85, 0xd0, 0xcb, 0xe4, 0x0a, 0x2f, 0x13, 0xdb, + 0xd5, 0xba, 0xe0, 0x8c, 0x32, 0x8b, 0x97, 0xdd, 0xef, 0xbc, 0xe0, 0x7a, + 0x2d, 0x90, 0x7e, 0x09, 0xe9, 0x1f, 0x26, 0xf2, 0xf4, 0x48, 0xea, 0x06, + 0x76, 0x26, 0xe6, 0x3b, 0xce, 0x4e, 0xc9, 0xf9, 0x0f, 0x38, 0x90, 0x26, + 0x87, 0x65, 0x36, 0x9a, 0xea, 0x6a, 0xfe, 0xb1, 0xdb, 0x46, 0xdf, 0x14, + 0xfd, 0x13, 0x53, 0xfb, 0x5b, 0x35, 0x6e, 0xe7, 0xd5, 0xd8, 0x39, 0xf7, + 0x2d, 0xb9}; + static unsigned char coeff2_data[] = + {0x01, 0xba, 0x66, 0x0a, 0xa2, 0x86, 0xc0, 0x57, 0x7f, 0x4e, 0x68, 0xb1, + 0x86, 0x63, 0x23, 0x5b, 0x0e, 0xeb, 0x93, 0x42, 0xd1, 0xaa, 0x15, 0x13, + 0xcc, 0x29, 0x71, 0x8a, 0xb0, 0xe0, 0xc9, 0x67, 0xde, 0x1a, 0x7c, 0x1a, + 0xef, 0xa7, 0x08, 0x85, 0xb3, 0xae, 0x98, 0x99, 0xde, 0xaf, 0x09, 0x38, + 0xfc, 0x46, 0x29, 0x5f, 0x4f, 0x7e, 0x01, 0x6c, 0x50, 0x13, 0x95, 0x91, + 0x4c, 0x0f, 0x00, 0xba, 0xca, 0x40, 0xa3, 0xd0, 0x58, 0xb6, 0x62, 0x4c, + 0xd1, 0xb6, 0xd3, 0x29, 0x5d, 0x82, 0xb3, 0x3d, 0x61, 0xbe, 0x5d, 0xf0, + 0x4b, 0xf4}; + + if (!TEST_ptr(bld = OSSL_PARAM_BLD_new()) + || !TEST_ptr(n = BN_bin2bn(n_data, sizeof(n_data), NULL)) + || !TEST_ptr(e = BN_bin2bn(e_data, sizeof(e_data), NULL)) + || !TEST_ptr(d = BN_bin2bn(d_data, sizeof(d_data), NULL)) + || !TEST_ptr(p = BN_bin2bn(p_data, sizeof(p_data), NULL)) + || !TEST_ptr(q = BN_bin2bn(q_data, sizeof(q_data), NULL)) + || !TEST_ptr(p2 = BN_bin2bn(p2_data, sizeof(p2_data), NULL)) + || !TEST_ptr(exp3 = BN_bin2bn(exp3_data, sizeof(exp3_data), NULL)) + || !TEST_ptr(coeff2 = BN_bin2bn(coeff2_data, sizeof(coeff2_data), NULL)) + || !TEST_ptr(dmp1 = BN_bin2bn(dmp1_data, sizeof(dmp1_data), NULL)) + || !TEST_ptr(dmq1 = BN_bin2bn(dmq1_data, sizeof(dmq1_data), NULL)) + || !TEST_ptr(iqmp = BN_bin2bn(iqmp_data, sizeof(iqmp_data), NULL)) + || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_N, n)) + || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_E, e)) + || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_D, d)) + || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_FACTOR1, + p)) + || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_FACTOR2, + q)) + || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_FACTOR3, + p2)) + || !TEST_true(OSSL_PARAM_BLD_push_int(bld, + OSSL_PKEY_PARAM_RSA_DERIVE_FROM_PQ, 1)) + || !TEST_ptr(fromdata_params = OSSL_PARAM_BLD_to_param(bld))) + goto err; + + cdata[0].pname = OSSL_PKEY_PARAM_RSA_EXPONENT1; + cdata[0].comparebn = dmp1; + cdata[1].pname = OSSL_PKEY_PARAM_RSA_EXPONENT2; + cdata[1].comparebn = dmq1; + cdata[2].pname = OSSL_PKEY_PARAM_RSA_COEFFICIENT1; + cdata[2].comparebn = iqmp; + cdata[3].pname = OSSL_PKEY_PARAM_RSA_EXPONENT3; + cdata[3].comparebn = exp3; + cdata[4].pname = OSSL_PKEY_PARAM_RSA_COEFFICIENT2; + cdata[4].comparebn = coeff2; + cdata[5].pname = OSSL_PKEY_PARAM_RSA_N; + cdata[5].comparebn = n; + cdata[6].pname = OSSL_PKEY_PARAM_RSA_E; + cdata[6].comparebn = e; + cdata[7].pname = OSSL_PKEY_PARAM_RSA_D; + cdata[7].comparebn = d; + cdata[8].pname = OSSL_PKEY_PARAM_RSA_FACTOR1; + cdata[8].comparebn = p; + cdata[9].pname = OSSL_PKEY_PARAM_RSA_FACTOR2; + cdata[9].comparebn = q; + cdata[10].pname = OSSL_PKEY_PARAM_RSA_FACTOR3; + cdata[10].comparebn = p2; + cdata[11].pname = NULL; + cdata[11].comparebn = NULL; + + ret = do_fromdata_rsa_derive(fromdata_params, cdata, 2048, 112, 256); + +err: + BN_free(n); + BN_free(e); + BN_free(d); + BN_free(p); + BN_free(p2); + BN_free(q); + BN_free(dmp1); + BN_free(dmq1); + BN_free(iqmp); + BN_free(exp3); + BN_free(coeff2); + OSSL_PARAM_BLD_free(bld); + return ret; +} + static int test_evp_pkey_get_bn_param_large(void) { int ret = 0; @@ -459,7 +851,7 @@ static int test_evp_pkey_get_bn_param_large(void) static const unsigned char e_data[] = { 0x1, 0x00, 0x01 }; - static const unsigned char d_data[]= { + static const unsigned char d_data[] = { 0x99, 0x33, 0x13, 0x7b }; @@ -1765,6 +2157,8 @@ int setup_tests(void) ADD_TEST(test_evp_pkey_ctx_dup_kdf); ADD_TEST(test_evp_pkey_get_bn_param_large); ADD_TEST(test_fromdata_rsa); + ADD_TEST(test_fromdata_rsa_derive_from_pq_sp800); + ADD_TEST(test_fromdata_rsa_derive_from_pq_multiprime); #ifndef OPENSSL_NO_DH ADD_TEST(test_fromdata_dh_fips186_4); ADD_TEST(test_fromdata_dh_named_group); diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm index c37ed7815f..df93202d1d 100644 --- a/util/perl/OpenSSL/paramnames.pm +++ b/util/perl/OpenSSL/paramnames.pm @@ -348,6 +348,7 @@ my %params = ( 'PKEY_PARAM_RSA_MASKGENFUNC' => '*PKEY_PARAM_MASKGENFUNC', 'PKEY_PARAM_RSA_MGF1_DIGEST' => '*PKEY_PARAM_MGF1_DIGEST', 'PKEY_PARAM_RSA_PSS_SALTLEN' => "saltlen", + 'PKEY_PARAM_RSA_DERIVE_FROM_PQ' => "rsa-derive-from-pq", # EC, X25519 and X448 Key generation parameters 'PKEY_PARAM_DHKEM_IKM' => "dhkem-ikm", |