1/* crypto/rsa/rsa_chk.c */ 2/* ==================================================================== 3 * Copyright (c) 1999-2019 The OpenSSL Project. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in 14 * the documentation and/or other materials provided with the 15 * distribution. 16 * 17 * 3. All advertising materials mentioning features or use of this 18 * software must display the following acknowledgment: 19 * "This product includes software developed by the OpenSSL Project 20 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 21 * 22 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 23 * endorse or promote products derived from this software without 24 * prior written permission. For written permission, please contact 25 * openssl-core@OpenSSL.org. 26 * 27 * 5. Products derived from this software may not be called "OpenSSL" 28 * nor may "OpenSSL" appear in their names without prior written 29 * permission of the OpenSSL Project. 30 * 31 * 6. Redistributions of any form whatsoever must retain the following 32 * acknowledgment: 33 * "This product includes software developed by the OpenSSL Project 34 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 35 * 36 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 37 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 38 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 39 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 40 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 41 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 42 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 43 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 44 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 45 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 46 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 47 * OF THE POSSIBILITY OF SUCH DAMAGE. 48 * ==================================================================== 49 */ 50 51#include <openssl/bn.h> 52#include <openssl/err.h> 53#include <openssl/rsa.h> 54 55int RSA_check_key(const RSA *key) 56{ 57 BIGNUM *i, *j, *k, *l, *m; 58 BN_CTX *ctx; 59 int ret = 1; 60 61 if (!key->p || !key->q || !key->n || !key->e || !key->d) { 62 RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_VALUE_MISSING); 63 return 0; 64 } 65 66 /* Set consant-time flag on private parameters */ 67 BN_set_flags(key->p, BN_FLG_CONSTTIME); 68 BN_set_flags(key->q, BN_FLG_CONSTTIME); 69 BN_set_flags(key->d, BN_FLG_CONSTTIME); 70 i = BN_new(); 71 j = BN_new(); 72 k = BN_new(); 73 l = BN_new(); 74 m = BN_new(); 75 ctx = BN_CTX_new(); 76 if (i == NULL || j == NULL || k == NULL || l == NULL 77 || m == NULL || ctx == NULL) { 78 ret = -1; 79 RSAerr(RSA_F_RSA_CHECK_KEY, ERR_R_MALLOC_FAILURE); 80 goto err; 81 } 82 83 if (BN_is_one(key->e)) { 84 ret = 0; 85 RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_BAD_E_VALUE); 86 } 87 if (!BN_is_odd(key->e)) { 88 ret = 0; 89 RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_BAD_E_VALUE); 90 } 91 92 /* p prime? */ 93 if (BN_is_prime_ex(key->p, BN_prime_checks, NULL, NULL) != 1) { 94 ret = 0; 95 RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_P_NOT_PRIME); 96 } 97 98 /* q prime? */ 99 if (BN_is_prime_ex(key->q, BN_prime_checks, NULL, NULL) != 1) { 100 ret = 0; 101 RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_Q_NOT_PRIME); 102 } 103 104 /* n = p*q? */ 105 if (!BN_mul(i, key->p, key->q, ctx)) { 106 ret = -1; 107 goto err; 108 } 109 if (BN_cmp(i, key->n) != 0) { 110 ret = 0; 111 RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_N_DOES_NOT_EQUAL_P_Q); 112 } 113 114 /* d*e = 1 mod lcm(p-1,q-1)? */ 115 if (!BN_sub(i, key->p, BN_value_one())) { 116 ret = -1; 117 goto err; 118 } 119 if (!BN_sub(j, key->q, BN_value_one())) { 120 ret = -1; 121 goto err; 122 } 123 124 /* now compute k = lcm(i,j) */ 125 if (!BN_mul(l, i, j, ctx)) { 126 ret = -1; 127 goto err; 128 } 129 if (!BN_gcd(m, i, j, ctx)) { 130 ret = -1; 131 goto err; 132 } 133 if (!BN_div(k, NULL, l, m, ctx)) { /* remainder is 0 */ 134 ret = -1; 135 goto err; 136 } 137 if (!BN_mod_mul(i, key->d, key->e, k, ctx)) { 138 ret = -1; 139 goto err; 140 } 141 142 if (!BN_is_one(i)) { 143 ret = 0; 144 RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_D_E_NOT_CONGRUENT_TO_1); 145 } 146 147 if (key->dmp1 != NULL && key->dmq1 != NULL && key->iqmp != NULL) { 148 /* Set consant-time flag on CRT parameters */ 149 BN_set_flags(key->dmp1, BN_FLG_CONSTTIME); 150 BN_set_flags(key->dmq1, BN_FLG_CONSTTIME); 151 BN_set_flags(key->iqmp, BN_FLG_CONSTTIME); 152 /* dmp1 = d mod (p-1)? */ 153 if (!BN_sub(i, key->p, BN_value_one())) { 154 ret = -1; 155 goto err; 156 } 157 if (!BN_mod(j, key->d, i, ctx)) { 158 ret = -1; 159 goto err; 160 } 161 if (BN_cmp(j, key->dmp1) != 0) { 162 ret = 0; 163 RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_DMP1_NOT_CONGRUENT_TO_D); 164 } 165 166 /* dmq1 = d mod (q-1)? */ 167 if (!BN_sub(i, key->q, BN_value_one())) { 168 ret = -1; 169 goto err; 170 } 171 if (!BN_mod(j, key->d, i, ctx)) { 172 ret = -1; 173 goto err; 174 } 175 if (BN_cmp(j, key->dmq1) != 0) { 176 ret = 0; 177 RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_DMQ1_NOT_CONGRUENT_TO_D); 178 } 179 180 /* iqmp = q^-1 mod p? */ 181 if (!BN_mod_inverse(i, key->q, key->p, ctx)) { 182 ret = -1; 183 goto err; 184 } 185 if (BN_cmp(i, key->iqmp) != 0) { 186 ret = 0; 187 RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_IQMP_NOT_INVERSE_OF_Q); 188 } 189 } 190 191 err: 192 BN_free(i); 193 BN_free(j); 194 BN_free(k); 195 BN_free(l); 196 BN_free(m); 197 BN_CTX_free(ctx); 198 return ret; 199} 200