zzy/openssl
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Augment RSA provider to generate CRT coefficients on EVP_PKEY_fromdata()

Browse Source 
It would be helpful to be able to generate RSA's dmp1/dmq1/iqmp values
when not provided in the param list to EVP_PKEY_fromdata.  Augment the
provider in ossl_rsa_fromdata to preform this generation iff:
a) At least p q n e and e are provided
b) the new parameter OSSL_PARAM_RSA_DERIVE_PQ is set to 1

Fixes #21826

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21875)
This commit is contained in:
Neil Horman 2023-08-28 08:48:34 -04:00 committed by Tomas Mraz
parent 0a22436ea5
commit f3be536686
11 changed files with 943 additions and 123 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
CHANGES.md
View File

@ -80,6 +80,12 @@ OpenSSL 3.2
### Changes between 3.1 and 3.2 [xx XXX xxxx]
* The EVP_PKEY_fromdata function has been augmented to allow for the derivation
of CRT (Chinese Remainder Theorem) parameters when requested. See the
OSSL_PKEY_PARAM_DERIVE_FROM_PQ param in the EVP_PKEY-RSA documentation.
*Neil Horman*
* The BLAKE2b hash algorithm supports a configurable output length
by setting the "size" parameter.

156
crypto/rsa/rsa_backend.c
View File

@ -64,22 +64,56 @@ static int collect_numbers(STACK_OF(BIGNUM) *numbers,
int ossl_rsa_fromdata(RSA *rsa, const OSSL_PARAM params[], int include_private)
{
const OSSL_PARAM *param_n, *param_e, *param_d = NULL;
BIGNUM *n = NULL, *e = NULL, *d = NULL;
const OSSL_PARAM *param_p, *param_q = NULL;
const OSSL_PARAM *param_derive = NULL;
BIGNUM *p = NULL, *q = NULL, *n = NULL, *e = NULL, *d = NULL;
STACK_OF(BIGNUM) *factors = NULL, *exps = NULL, *coeffs = NULL;
int is_private = 0;
int derive_from_pq = 0;
BN_CTX *ctx = NULL;
if (rsa == NULL)
return 0;
param_n = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_RSA_N);
param_e = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_RSA_E);
if (include_private)
param_d = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_RSA_D);
if ((param_n != NULL && !OSSL_PARAM_get_BN(param_n, &n))
|| (param_e != NULL && !OSSL_PARAM_get_BN(param_e, &e))
|| (param_d != NULL && !OSSL_PARAM_get_BN(param_d, &d)))
if ((param_n == NULL || !OSSL_PARAM_get_BN(param_n, &n))
|| (param_e == NULL || !OSSL_PARAM_get_BN(param_e, &e))) {
ERR_raise(ERR_LIB_RSA, ERR_R_PASSED_NULL_PARAMETER);
goto err;
}
if (include_private) {
param_derive = OSSL_PARAM_locate_const(params,
OSSL_PKEY_PARAM_RSA_DERIVE_FROM_PQ);
if ((param_derive != NULL)
&& !OSSL_PARAM_get_int(param_derive, &derive_from_pq))
goto err;
param_d = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_RSA_D);
if (param_d != NULL && !OSSL_PARAM_get_BN(param_d, &d)) {
ERR_raise(ERR_LIB_RSA, ERR_R_PASSED_NULL_PARAMETER);
goto err;
}
if (derive_from_pq) {
ctx = BN_CTX_new_ex(rsa->libctx);
if (ctx == NULL)
goto err;
/* we need at minimum p, q */
param_p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_RSA_FACTOR1);
param_q = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_RSA_FACTOR2);
if ((param_p == NULL || !OSSL_PARAM_get_BN(param_p, &p))
|| (param_q == NULL || !OSSL_PARAM_get_BN(param_q, &q))) {
ERR_raise(ERR_LIB_RSA, ERR_R_PASSED_NULL_PARAMETER);
goto err;
}
}
}
is_private = (d != NULL);
@ -96,25 +130,121 @@ int ossl_rsa_fromdata(RSA *rsa, const OSSL_PARAM params[], int include_private)
ossl_rsa_mp_coeff_names))
goto err;
/* It's ok if this private key just has n, e and d */
if (derive_from_pq && sk_BIGNUM_num(exps) == 0
&& sk_BIGNUM_num(coeffs) == 0) {
/*
* If we want to use crt to derive our exponents/coefficients, we
* need to have at least 2 factors
*/
if (sk_BIGNUM_num(factors) < 2) {
ERR_raise(ERR_LIB_RSA, ERR_R_PASSED_NULL_PARAMETER);
goto err;
}
/*
* if we have more than two factors, n and d must also have
* been provided
*/
if (sk_BIGNUM_num(factors) > 2
&& (param_n == NULL || param_d == NULL)) {
ERR_raise(ERR_LIB_RSA, ERR_R_PASSED_NULL_PARAMETER);
goto err;
}
/* build our exponents and coefficients here */
if (sk_BIGNUM_num(factors) == 2) {
/* for 2 factors we can use the sp800 functions to do this */
if (!RSA_set0_factors(rsa, sk_BIGNUM_value(factors, 0),
sk_BIGNUM_value(factors, 1))) {
ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
goto err;
}
/*
* once consumed by RSA_set0_factors, pop those off the stack
* so we don't free them below
*/
sk_BIGNUM_pop(factors);
sk_BIGNUM_pop(factors);
/*
* Note: Because we only have 2 factors here, there will be no
* additional pinfo fields to hold additional factors, and
* since we set our key and 2 factors above we can skip
* the call to ossl_rsa_set0_all_params
*/
if (!ossl_rsa_sp800_56b_derive_params_from_pq(rsa,
RSA_bits(rsa),
NULL, ctx)) {
ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
goto err;
}
} else {
#ifndef FIPS_MODULE
/*
* in the multiprime case we have to generate exps/coeffs here
* for each additional prime
*/
if (!ossl_rsa_multiprime_derive(rsa, RSA_bits(rsa),
sk_BIGNUM_num(factors),
rsa->e, factors, exps,
coeffs)) {
ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
goto err;
}
/*
* Now we should have all our factors, exponents and
* coefficients
*/
if (!ossl_rsa_set0_all_params(rsa, factors, exps, coeffs)) {
ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
goto err;
}
#else
/* multiprime case is disallowed in FIPS mode, raise an error */
ERR_raise(ERR_LIB_RSA, ERR_R_UNSUPPORTED);
goto err;
#endif
}
} else {
/*
* It's ok if this private key just has n, e and d
* but only if we're not using derive_from_pq
*/
if (sk_BIGNUM_num(factors) != 0
&& !ossl_rsa_set0_all_params(rsa, factors, exps, coeffs))
goto err;
}
/* sanity check to ensure we used everything in our stacks */
if (sk_BIGNUM_num(factors) != 0
&& !ossl_rsa_set0_all_params(rsa, factors, exps, coeffs))
|| sk_BIGNUM_num(exps) != 0
|| sk_BIGNUM_num(coeffs) != 0) {
ERR_raise_data(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR,
"There are %d, %d, %d elements left on our factors, exps, coeffs stacks\n",
sk_BIGNUM_num(factors), sk_BIGNUM_num(exps),
sk_BIGNUM_num(coeffs));
goto err;
}
}
BN_clear_free(p);
BN_clear_free(q);
sk_BIGNUM_free(factors);
sk_BIGNUM_free(exps);
sk_BIGNUM_free(coeffs);
BN_CTX_free(ctx);
return 1;
err:
BN_free(n);
BN_free(e);
BN_free(d);
sk_BIGNUM_pop_free(factors, BN_free);
sk_BIGNUM_pop_free(exps, BN_free);
sk_BIGNUM_pop_free(coeffs, BN_free);
sk_BIGNUM_pop_free(factors, BN_clear_free);
sk_BIGNUM_pop_free(exps, BN_clear_free);
sk_BIGNUM_pop_free(coeffs, BN_clear_free);
BN_CTX_free(ctx);
return 0;
}
@ -152,7 +282,7 @@ int ossl_rsa_todata(RSA *rsa, OSSL_PARAM_BLD *bld, OSSL_PARAM params[],
|| !ossl_param_build_set_multi_key_bn(bld, params,
ossl_rsa_mp_coeff_names,
coeffs))
goto err;
goto err;
}
#if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS)

329
crypto/rsa/rsa_gen.c
View File

@ -71,15 +71,201 @@ int RSA_generate_multi_prime_key(RSA *rsa, int bits, int primes,
return rsa_keygen(rsa->libctx, rsa, bits, primes, e_value, cb, 0);
}
DEFINE_STACK_OF(BIGNUM)
/*
* Given input values, q, p, n, d and e, derive the exponents
* and coefficients for each prime in this key, placing the result
* on their respective exps and coeffs stacks
*/
#ifndef FIPS_MODULE
int ossl_rsa_multiprime_derive(RSA *rsa, int bits, int primes,
BIGNUM *e_value,
STACK_OF(BIGNUM) *factors,
STACK_OF(BIGNUM) *exps,
STACK_OF(BIGNUM) *coeffs)
{
STACK_OF(BIGNUM) *pplist = NULL, *pdlist = NULL;
BIGNUM *factor = NULL, *newpp = NULL, *newpd = NULL;
BIGNUM *dval = NULL, *newexp = NULL, *newcoeff = NULL;
BIGNUM *p = NULL, *q = NULL;
BIGNUM *dmp1 = NULL, *dmq1 = NULL, *iqmp = NULL;
BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL;
BN_CTX *ctx = NULL;
BIGNUM *tmp = NULL;
int i;
int ret = 0;
ctx = BN_CTX_new_ex(rsa->libctx);
if (ctx == NULL)
goto err;
BN_CTX_start(ctx);
pplist = sk_BIGNUM_new_null();
if (pplist == NULL)
goto err;
pdlist = sk_BIGNUM_new_null();
if (pdlist == NULL)
goto err;
r0 = BN_CTX_get(ctx);
r1 = BN_CTX_get(ctx);
r2 = BN_CTX_get(ctx);
if (r2 == NULL)
goto err;
BN_set_flags(r0, BN_FLG_CONSTTIME);
BN_set_flags(r1, BN_FLG_CONSTTIME);
BN_set_flags(r2, BN_FLG_CONSTTIME);
if (BN_copy(r1, rsa->n) == NULL)
goto err;
p = sk_BIGNUM_value(factors, 0);
q = sk_BIGNUM_value(factors, 1);
/* Build list of partial products of primes */
for (i = 0; i < sk_BIGNUM_num(factors); i++) {
switch (i) {
case 0:
/* our first prime, p */
if (!BN_sub(r2, p, BN_value_one()))
goto err;
BN_set_flags(r2, BN_FLG_CONSTTIME);
if (BN_mod_inverse(r1, r2, rsa->e, ctx) == NULL)
goto err;
break;
case 1:
/* second prime q */
if (!BN_mul(r1, p, q, ctx))
goto err;
tmp = BN_dup(r1);
if (tmp == NULL)
goto err;
if (!sk_BIGNUM_insert(pplist, tmp, sk_BIGNUM_num(pplist)))
goto err;
break;
default:
factor = sk_BIGNUM_value(factors, i);
/* all other primes */
if (!BN_mul(r1, r1, factor, ctx))
goto err;
tmp = BN_dup(r1);
if (tmp == NULL)
goto err;
if (!sk_BIGNUM_insert(pplist, tmp, sk_BIGNUM_num(pplist)))
goto err;
break;
}
}
/* build list of relative d values */
/* p -1 */
if (!BN_sub(r1, p, BN_value_one()))
goto err;
if (!BN_sub(r2, q, BN_value_one()))
goto err;
if (!BN_mul(r0, r1, r2, ctx))
goto err;
for (i = 2; i < sk_BIGNUM_num(factors); i++) {
factor = sk_BIGNUM_value(factors, i);
dval = BN_new();
if (dval == NULL)
goto err;
BN_set_flags(dval, BN_FLG_CONSTTIME);
if (!BN_sub(dval, factor, BN_value_one()))
goto err;
if (!BN_mul(r0, r0, dval, ctx))
goto err;
if (!sk_BIGNUM_insert(pdlist, dval, sk_BIGNUM_num(pdlist)))
goto err;
}
/* Calculate dmp1, dmq1 and additional exponents */
dmp1 = BN_secure_new();
if (dmp1 == NULL)
goto err;
dmq1 = BN_secure_new();
if (dmq1 == NULL)
goto err;
if (!BN_mod(dmp1, rsa->d, r1, ctx))
goto err;
if (!sk_BIGNUM_insert(exps, dmp1, sk_BIGNUM_num(exps)))
goto err;
dmp1 = NULL;
if (!BN_mod(dmq1, rsa->d, r2, ctx))
goto err;
if (!sk_BIGNUM_insert(exps, dmq1, sk_BIGNUM_num(exps)))
goto err;
dmq1 = NULL;
for (i = 2; i < sk_BIGNUM_num(factors); i++) {
newpd = sk_BIGNUM_value(pdlist, i - 2);
newexp = BN_new();
if (newexp == NULL)
goto err;
if (!BN_mod(newexp, rsa->d, newpd, ctx)) {
BN_free(newexp);
goto err;
}
if (!sk_BIGNUM_insert(exps, newexp, sk_BIGNUM_num(exps)))
goto err;
}
/* Calculate iqmp and additional coefficients */
iqmp = BN_new();
if (iqmp == NULL)
goto err;
if (BN_mod_inverse(iqmp, sk_BIGNUM_value(factors, 1),
sk_BIGNUM_value(factors, 0), ctx) == NULL)
goto err;
if (!sk_BIGNUM_insert(coeffs, iqmp, sk_BIGNUM_num(coeffs)))
goto err;
iqmp = NULL;
for (i = 2; i < sk_BIGNUM_num(factors); i++) {
newpp = sk_BIGNUM_value(pplist, i - 2);
newcoeff = BN_new();
if (newcoeff == NULL)
goto err;
if (BN_mod_inverse(newcoeff, newpp, sk_BIGNUM_value(factors, i),
ctx) == NULL) {
BN_free(newcoeff);
goto err;
}
if (!sk_BIGNUM_insert(coeffs, newcoeff, sk_BIGNUM_num(coeffs)))
goto err;
}
ret = 1;
err:
sk_BIGNUM_pop_free(pplist, BN_free);
sk_BIGNUM_pop_free(pdlist, BN_free);
BN_CTX_end(ctx);
BN_CTX_free(ctx);
BN_clear_free(dmp1);
BN_clear_free(dmq1);
BN_clear_free(iqmp);
return ret;
}
static int rsa_multiprime_keygen(RSA *rsa, int bits, int primes,
BIGNUM *e_value, BN_GENCB *cb)
{
BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL, *tmp, *prime;
BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL, *tmp, *tmp2, *prime;
int n = 0, bitsr[RSA_MAX_PRIME_NUM], bitse = 0;
int i = 0, quo = 0, rmd = 0, adj = 0, retries = 0;
RSA_PRIME_INFO *pinfo = NULL;
STACK_OF(RSA_PRIME_INFO) *prime_infos = NULL;
STACK_OF(BIGNUM) *factors = NULL;
STACK_OF(BIGNUM) *exps = NULL;
STACK_OF(BIGNUM) *coeffs = NULL;
BN_CTX *ctx = NULL;
BN_ULONG bitst = 0;
unsigned long error = 0;
@ -104,6 +290,18 @@ static int rsa_multiprime_keygen(RSA *rsa, int bits, int primes,
return 0;
}
factors = sk_BIGNUM_new_null();
if (factors == NULL)
return 0;
exps = sk_BIGNUM_new_null();
if (exps == NULL)
goto err;
coeffs = sk_BIGNUM_new_null();
if (coeffs == NULL)
goto err;
ctx = BN_CTX_new_ex(rsa->libctx);
if (ctx == NULL)
goto err;
@ -137,15 +335,6 @@ static int rsa_multiprime_keygen(RSA *rsa, int bits, int primes,
if (!rsa->q && ((rsa->q = BN_secure_new()) == NULL))
goto err;
BN_set_flags(rsa->q, BN_FLG_CONSTTIME);
if (!rsa->dmp1 && ((rsa->dmp1 = BN_secure_new()) == NULL))
goto err;
BN_set_flags(rsa->dmp1, BN_FLG_CONSTTIME);
if (!rsa->dmq1 && ((rsa->dmq1 = BN_secure_new()) == NULL))
goto err;
BN_set_flags(rsa->dmq1, BN_FLG_CONSTTIME);
if (!rsa->iqmp && ((rsa->iqmp = BN_secure_new()) == NULL))
goto err;
BN_set_flags(rsa->iqmp, BN_FLG_CONSTTIME);
/* initialize multi-prime components */
if (primes > RSA_DEFAULT_PRIME_NUM) {
@ -220,7 +409,7 @@ static int rsa_multiprime_keygen(RSA *rsa, int bits, int primes,
ERR_set_mark();
BN_set_flags(r2, BN_FLG_CONSTTIME);
if (BN_mod_inverse(r1, r2, rsa->e, ctx) != NULL) {
/* GCD == 1 since inverse exists */
/* GCD == 1 since inverse exists */
break;
}
error = ERR_peek_last_error();
@ -250,8 +439,14 @@ static int rsa_multiprime_keygen(RSA *rsa, int bits, int primes,
/* i == 0, do nothing */
if (!BN_GENCB_call(cb, 3, i))
goto err;
tmp = BN_dup(prime);
if (tmp == NULL)
goto err;
if (!sk_BIGNUM_insert(factors, tmp, sk_BIGNUM_num(factors)))
goto err;
continue;
}
/*
* if |r1|, product of factors so far, is not as long as expected
* (by checking the first 4 bits are less than 0x9 or greater than
@ -298,6 +493,10 @@ static int rsa_multiprime_keygen(RSA *rsa, int bits, int primes,
*/
i = -1;
bitse = 0;
sk_BIGNUM_pop_free(factors, BN_clear_free);
factors = sk_BIGNUM_new_null();
if (factors == NULL)
goto err;
continue;
}
retries++;
@ -310,12 +509,20 @@ static int rsa_multiprime_keygen(RSA *rsa, int bits, int primes,
goto err;
if (!BN_GENCB_call(cb, 3, i))
goto err;
tmp = BN_dup(prime);
if (tmp == NULL)
goto err;
if (!sk_BIGNUM_insert(factors, tmp, sk_BIGNUM_num(factors)))
goto err;
}
if (BN_cmp(rsa->p, rsa->q) < 0) {
tmp = rsa->p;
rsa->p = rsa->q;
rsa->q = tmp;
/* mirror this in our factor stack */
if (!sk_BIGNUM_insert(factors, sk_BIGNUM_delete(factors, 0), 1))
goto err;
}
/* calculate d */
@ -339,79 +546,51 @@ static int rsa_multiprime_keygen(RSA *rsa, int bits, int primes,
goto err;
}
{
BIGNUM *pr0 = BN_new();
if (pr0 == NULL)
goto err;
BN_with_flags(pr0, r0, BN_FLG_CONSTTIME);
if (!BN_mod_inverse(rsa->d, rsa->e, pr0, ctx)) {
BN_free(pr0);
goto err; /* d */
}
/* We MUST free pr0 before any further use of r0 */
BN_free(pr0);
BN_set_flags(r0, BN_FLG_CONSTTIME);
if (BN_mod_inverse(rsa->d, rsa->e, r0, ctx) == NULL) {
goto err; /* d */
}
{
BIGNUM *d = BN_new();
/* derive any missing exponents and coefficients */
if (!ossl_rsa_multiprime_derive(rsa, bits, primes, e_value,
factors, exps, coeffs))
goto err;
if (d == NULL)
/*
* first 2 factors/exps are already tracked in p/q/dmq1/dmp1
* and the first coeff is in iqmp, so pop those off the stack
* Note, the first 2 factors/exponents are already tracked by p and q
* assign dmp1/dmq1 and iqmp
* the remaining pinfo values are separately allocated, so copy and delete
* those
*/
BN_clear_free(sk_BIGNUM_delete(factors, 0));
BN_clear_free(sk_BIGNUM_delete(factors, 0));
rsa->dmp1 = sk_BIGNUM_delete(exps, 0);
rsa->dmq1 = sk_BIGNUM_delete(exps, 0);
rsa->iqmp = sk_BIGNUM_delete(coeffs, 0);
for (i = 2; i < primes; i++) {
pinfo = sk_RSA_PRIME_INFO_value(prime_infos, i - 2);
tmp = sk_BIGNUM_delete(factors, 0);
BN_copy(pinfo->r, tmp);
BN_clear_free(tmp);
tmp = sk_BIGNUM_delete(exps, 0);
tmp2 = BN_copy(pinfo->d, tmp);
BN_clear_free(tmp);
if (tmp2 == NULL)
goto err;
BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
/* calculate d mod (p-1) and d mod (q - 1) */
if (!BN_mod(rsa->dmp1, d, r1, ctx)
|| !BN_mod(rsa->dmq1, d, r2, ctx)) {
BN_free(d);
tmp = sk_BIGNUM_delete(coeffs, 0);
tmp2 = BN_copy(pinfo->t, tmp);
BN_clear_free(tmp);
if (tmp2 == NULL)
goto err;
}
/* calculate CRT exponents */
for (i = 2; i < primes; i++) {
pinfo = sk_RSA_PRIME_INFO_value(prime_infos, i - 2);
/* pinfo->d == r_i - 1 */
if (!BN_mod(pinfo->d, d, pinfo->d, ctx)) {
BN_free(d);
goto err;
}
}
/* We MUST free d before any further use of rsa->d */
BN_free(d);
}
{
BIGNUM *p = BN_new();
if (p == NULL)
goto err;
BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
/* calculate inverse of q mod p */
if (!BN_mod_inverse(rsa->iqmp, rsa->q, p, ctx)) {
BN_free(p);
goto err;
}
/* calculate CRT coefficient for other primes */
for (i = 2; i < primes; i++) {
pinfo = sk_RSA_PRIME_INFO_value(prime_infos, i - 2);
BN_with_flags(p, pinfo->r, BN_FLG_CONSTTIME);
if (!BN_mod_inverse(pinfo->t, pinfo->pp, p, ctx)) {
BN_free(p);
goto err;
}
}
/* We MUST free p before any further use of rsa->p */
BN_free(p);
}
ok = 1;
err:
sk_BIGNUM_free(factors);
sk_BIGNUM_free(exps);
sk_BIGNUM_free(coeffs);
if (ok == -1) {
ERR_raise(ERR_LIB_RSA, ERR_R_BN_LIB);
ok = 0;

34
crypto/rsa/rsa_lib.c
View File

@ -744,9 +744,13 @@ int RSA_pkey_ctx_ctrl(EVP_PKEY_CTX *ctx, int optype, int cmd, int p1, void *p2)
DEFINE_STACK_OF(BIGNUM)
int ossl_rsa_set0_all_params(RSA *r, const STACK_OF(BIGNUM) *primes,
const STACK_OF(BIGNUM) *exps,
const STACK_OF(BIGNUM) *coeffs)
/*
* Note: This function deletes values from the parameter
* stack values as they are consumed and set in the RSA key.
*/
int ossl_rsa_set0_all_params(RSA *r, STACK_OF(BIGNUM) *primes,
STACK_OF(BIGNUM) *exps,
STACK_OF(BIGNUM) *coeffs)
{
#ifndef FIPS_MODULE
STACK_OF(RSA_PRIME_INFO) *prime_infos, *old_infos = NULL;
@ -757,6 +761,8 @@ int ossl_rsa_set0_all_params(RSA *r, const STACK_OF(BIGNUM) *primes,
return 0;
pnum = sk_BIGNUM_num(primes);
/* we need at least 2 primes */
if (pnum < 2)
return 0;
@ -764,6 +770,17 @@ int ossl_rsa_set0_all_params(RSA *r, const STACK_OF(BIGNUM) *primes,
sk_BIGNUM_value(primes, 1)))
return 0;
/*
* if we managed to set everything above, remove those elements from the
* stack
* Note, we do this after the above all to ensure that we have taken
* ownership of all the elements in the RSA key to avoid memory leaks
* we also use delete 0 here as we are grabbing items from the end of the
* stack rather than the start, otherwise we could use pop
*/
sk_BIGNUM_delete(primes, 0);
sk_BIGNUM_delete(primes, 0);
if (pnum == sk_BIGNUM_num(exps)
&& pnum == sk_BIGNUM_num(coeffs) + 1) {
@ -771,6 +788,11 @@ int ossl_rsa_set0_all_params(RSA *r, const STACK_OF(BIGNUM) *primes,
sk_BIGNUM_value(exps, 1),
sk_BIGNUM_value(coeffs, 0)))
return 0;
/* as above, once we consume the above params, delete them from the list */
sk_BIGNUM_delete(exps, 0);
sk_BIGNUM_delete(exps, 0);
sk_BIGNUM_delete(coeffs, 0);
}
#ifndef FIPS_MODULE
@ -786,9 +808,9 @@ int ossl_rsa_set0_all_params(RSA *r, const STACK_OF(BIGNUM) *primes,
return 0;
for (i = 2; i < pnum; i++) {
BIGNUM *prime = sk_BIGNUM_value(primes, i);
BIGNUM *exp = sk_BIGNUM_value(exps, i);
BIGNUM *coeff = sk_BIGNUM_value(coeffs, i - 1);
BIGNUM *prime = sk_BIGNUM_pop(primes);
BIGNUM *exp = sk_BIGNUM_pop(exps);
BIGNUM *coeff = sk_BIGNUM_pop(coeffs);
RSA_PRIME_INFO *pinfo = NULL;
if (!ossl_assert(prime != NULL && exp != NULL && coeff != NULL))

4
crypto/rsa/rsa_local.h
View File

@ -150,6 +150,10 @@ struct rsa_meth_st {
/* Macros to test if a pkey or ctx is for a PSS key */
#define pkey_is_pss(pkey) (pkey->ameth->pkey_id == EVP_PKEY_RSA_PSS)
#define pkey_ctx_is_pss(ctx) (ctx->pmeth->pkey_id == EVP_PKEY_RSA_PSS)
int ossl_rsa_multiprime_derive(RSA *rsa, int bits, int primes,
BIGNUM *e_value,
STACK_OF(BIGNUM) *factors, STACK_OF(BIGNUM) *exps,
STACK_OF(BIGNUM) *coeffs);
RSA_PSS_PARAMS *ossl_rsa_pss_params_create(const EVP_MD *sigmd,
const EVP_MD *mgf1md, int saltlen);

56
crypto/rsa/rsa_sp800_56b_gen.c
View File

@ -228,13 +228,16 @@ static int rsa_validate_rng_strength(EVP_RAND_CTX *rng, int nbits)
* Returns: -1 = error,
* 0 = d is too small,
* 1 = success.
*
* SP800-56b key generation always passes a non NULL value for e.
* For other purposes, if e is NULL then it is assumed that e, n and d are
* already set in the RSA key and do not need to be recalculated.
*/
int ossl_rsa_sp800_56b_derive_params_from_pq(RSA *rsa, int nbits,
const BIGNUM *e, BN_CTX *ctx)
{
int ret = -1;
BIGNUM *p1, *q1, *lcm, *p1q1, *gcd;
BN_CTX_start(ctx);
p1 = BN_CTX_get(ctx);
q1 = BN_CTX_get(ctx);
@ -254,33 +257,38 @@ int ossl_rsa_sp800_56b_derive_params_from_pq(RSA *rsa, int nbits,
if (ossl_rsa_get_lcm(ctx, rsa->p, rsa->q, lcm, gcd, p1, q1, p1q1) != 1)
goto err;
/* copy e */
BN_free(rsa->e);
rsa->e = BN_dup(e);
if (rsa->e == NULL)
goto err;
/*
* if e is provided as a parameter, don't recompute e, d or n
*/
if (e != NULL) {
/* copy e */
BN_free(rsa->e);
rsa->e = BN_dup(e);
if (rsa->e == NULL)
goto err;
BN_clear_free(rsa->d);
/* (Step 3) d = (e^-1) mod (LCM(p-1, q-1)) */
rsa->d = BN_secure_new();
if (rsa->d == NULL)
goto err;
BN_set_flags(rsa->d, BN_FLG_CONSTTIME);
if (BN_mod_inverse(rsa->d, e, lcm, ctx) == NULL)
goto err;
BN_clear_free(rsa->d);
/* (Step 3) d = (e^-1) mod (LCM(p-1, q-1)) */
rsa->d = BN_secure_new();
if (rsa->d == NULL)
goto err;
BN_set_flags(rsa->d, BN_FLG_CONSTTIME);
if (BN_mod_inverse(rsa->d, e, lcm, ctx) == NULL)
goto err;
/* (Step 3) return an error if d is too small */
if (BN_num_bits(rsa->d) <= (nbits >> 1)) {
ret = 0;
goto err;
/* (Step 3) return an error if d is too small */
if (BN_num_bits(rsa->d) <= (nbits >> 1)) {
ret = 0;
goto err;
}
/* (Step 4) n = pq */
if (rsa->n == NULL)
rsa->n = BN_new();
if (rsa->n == NULL || !BN_mul(rsa->n, rsa->p, rsa->q, ctx))
goto err;
}
/* (Step 4) n = pq */
if (rsa->n == NULL)
rsa->n = BN_new();
if (rsa->n == NULL || !BN_mul(rsa->n, rsa->p, rsa->q, ctx))
goto err;
/* (Step 5a) dP = d mod (p-1) */
if (rsa->dmp1 == NULL)
rsa->dmp1 = BN_secure_new();

9
doc/man7/EVP_PKEY-RSA.pod
View File

@ -132,6 +132,15 @@ The RSA "e" value. The value may be any odd number greater than or equal to
65537. The default value is 65537.
For legacy reasons a value of 3 is currently accepted but is deprecated.
=item "rsa-derive-from-pq" (B<OSSL_PKEY_PARAM_RSA_DERIVE_FROM_PQ>) <unsigned integer>
Indicate that missing parameters not passed in the parameter list should be
derived if not provided. Setting a nonzero value will cause all
needed exponents and coefficients to be derived if not available. Setting this
option requires at least OSSL_PARAM_RSA_FACTOR1, OSSL_PARAM_RSA_FACTOR2,
and OSSL_PARAM_RSA_N to be provided. This option is ignored if
OSSL_KEYMGMT_SELECT_PRIVATE_KEY is not set in the selection parameter.
=back
=head2 RSA key generation parameters for FIPS module testing

6
include/crypto/rsa.h
View File

@ -54,9 +54,9 @@ RSA *ossl_rsa_new_with_ctx(OSSL_LIB_CTX *libctx);
OSSL_LIB_CTX *ossl_rsa_get0_libctx(RSA *r);
void ossl_rsa_set0_libctx(RSA *r, OSSL_LIB_CTX *libctx);
int ossl_rsa_set0_all_params(RSA *r, const STACK_OF(BIGNUM) *primes,
const STACK_OF(BIGNUM) *exps,
const STACK_OF(BIGNUM) *coeffs);
int ossl_rsa_set0_all_params(RSA *r, STACK_OF(BIGNUM) *primes,
STACK_OF(BIGNUM) *exps,
STACK_OF(BIGNUM) *coeffs);
int ossl_rsa_get0_all_params(RSA *r, STACK_OF(BIGNUM_const) *primes,
STACK_OF(BIGNUM_const) *exps,
STACK_OF(BIGNUM_const) *coeffs);

67
test/evp_extra_test.c
View File

@ -3080,6 +3080,70 @@ static int test_RSA_OAEP_set_null_label(void)
return ret;
}
#ifndef OPENSSL_NO_DEPRECATED_3_0
static int test_RSA_legacy(void)
{
int ret = 0;
BIGNUM *p = NULL;
BIGNUM *q = NULL;
BIGNUM *n = NULL;
BIGNUM *e = NULL;
BIGNUM *d = NULL;
const EVP_MD *md = EVP_sha256();
EVP_MD_CTX *ctx = NULL;
EVP_PKEY *pkey = NULL;
RSA *rsa = NULL;
if (nullprov != NULL)
return TEST_skip("Test does not support a non-default library context");
if (!TEST_ptr(p = BN_dup(BN_value_one()))
|| !TEST_ptr(q = BN_dup(BN_value_one()))
|| !TEST_ptr(n = BN_dup(BN_value_one()))
|| !TEST_ptr(e = BN_dup(BN_value_one()))
|| !TEST_ptr(d = BN_dup(BN_value_one())))
goto err;
if (!TEST_ptr(rsa = RSA_new())
|| !TEST_ptr(pkey = EVP_PKEY_new())
|| !TEST_ptr(ctx = EVP_MD_CTX_new()))
goto err;
if (!TEST_true(RSA_set0_factors(rsa, p, q)))
goto err;
p = NULL;
q = NULL;
if (!TEST_true(RSA_set0_key(rsa, n, e, d)))
goto err;
n = NULL;
e = NULL;
d = NULL;
if (!TEST_true(EVP_PKEY_assign_RSA(pkey, rsa)))
goto err;
rsa = NULL;
if (!TEST_true(EVP_DigestSignInit(ctx, NULL, md, NULL, pkey)))
goto err;
ret = 1;
err:
RSA_free(rsa);
EVP_MD_CTX_free(ctx);
EVP_PKEY_free(pkey);
BN_free(p);
BN_free(q);
BN_free(n);
BN_free(e);
BN_free(d);
return ret;
}
#endif
#if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
static int test_decrypt_null_chunks(void)
{
@ -5520,6 +5584,9 @@ int setup_tests(void)
ADD_TEST(test_RSA_get_set_params);
ADD_TEST(test_RSA_OAEP_set_get_params);
ADD_TEST(test_RSA_OAEP_set_null_label);
#ifndef OPENSSL_NO_DEPRECATED_3_0
ADD_TEST(test_RSA_legacy);
#endif
#if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
ADD_TEST(test_decrypt_null_chunks);
#endif

398
test/evp_pkey_provided_test.c
View File

@ -429,7 +429,8 @@ static int test_fromdata_rsa(void)
/* for better diagnostics always compare key params */
for (i = 0; fromdata_params[i].key != NULL; ++i) {
if (!TEST_true(BN_set_word(bn_from, key_numbers[i]))
|| !TEST_true(EVP_PKEY_get_bn_param(pk, fromdata_params[i].key, &bn))
|| !TEST_true(EVP_PKEY_get_bn_param(pk, fromdata_params[i].key,
&bn))
|| !TEST_BN_eq(bn, bn_from))
ret = 0;
}
@ -443,6 +444,397 @@ static int test_fromdata_rsa(void)
return ret;
}
struct check_data {
const char *pname;
BIGNUM *comparebn;
};
static int do_fromdata_rsa_derive(OSSL_PARAM *fromdata_params,
struct check_data check[],
int expected_nbits, int expected_sbits,
int expected_ksize)
{
const OSSL_PARAM *check_param = NULL;
BIGNUM *check_bn = NULL;
OSSL_PARAM *todata_params = NULL;
EVP_PKEY_CTX *ctx = NULL, *key_ctx = NULL;
EVP_PKEY *pk = NULL, *copy_pk = NULL, *dup_pk = NULL;
int i;
int ret = 0;
if (!TEST_ptr(ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL))
|| !TEST_int_eq(EVP_PKEY_fromdata_init(ctx), 1)
|| !TEST_int_eq(EVP_PKEY_fromdata(ctx, &pk, EVP_PKEY_KEYPAIR,
fromdata_params), 1))
goto err;
/*
* get the generated key parameters back and validate that the
* exponents/coeffs are correct
*/
if (!TEST_int_eq(EVP_PKEY_todata(pk, EVP_PKEY_KEYPAIR, &todata_params), 1))
goto err;
for (i = 0; check[i].pname != NULL; i++) {
if (!TEST_ptr(check_param = OSSL_PARAM_locate_const(todata_params,
check[i].pname)))
goto err;
if (!TEST_int_eq(OSSL_PARAM_get_BN(check_param, &check_bn), 1))
goto err;
if (!TEST_BN_eq(check_bn, check[i].comparebn)) {
TEST_info("Data mismatch for parameter %s", check[i].pname);
goto err;
}
BN_free(check_bn);
check_bn = NULL;
}
while (dup_pk == NULL) {
if (!TEST_int_eq(EVP_PKEY_get_bits(pk), expected_nbits)
|| !TEST_int_eq(EVP_PKEY_get_security_bits(pk), expected_sbits)
|| !TEST_int_eq(EVP_PKEY_get_size(pk), expected_ksize)
|| !TEST_false(EVP_PKEY_missing_parameters(pk)))
goto err;
EVP_PKEY_CTX_free(key_ctx);
if (!TEST_ptr(key_ctx = EVP_PKEY_CTX_new_from_pkey(NULL, pk, "")))
goto err;
if (!TEST_int_gt(EVP_PKEY_check(key_ctx), 0)
|| !TEST_int_gt(EVP_PKEY_public_check(key_ctx), 0)
|| !TEST_int_gt(EVP_PKEY_private_check(key_ctx), 0)
|| !TEST_int_gt(EVP_PKEY_pairwise_check(key_ctx), 0))
goto err;
/* EVP_PKEY_copy_parameters() should fail for RSA */
if (!TEST_ptr(copy_pk = EVP_PKEY_new())
|| !TEST_false(EVP_PKEY_copy_parameters(copy_pk, pk)))
goto err;
EVP_PKEY_free(copy_pk);
copy_pk = NULL;
if (!TEST_ptr(dup_pk = EVP_PKEY_dup(pk)))
goto err;
if (!TEST_int_eq(EVP_PKEY_eq(pk, dup_pk), 1)) {
EVP_PKEY_free(dup_pk);
goto err;
}
EVP_PKEY_free(pk);
pk = dup_pk;
}
ret = 1;
err:
BN_free(check_bn);
EVP_PKEY_free(pk);
EVP_PKEY_CTX_free(ctx);
EVP_PKEY_CTX_free(key_ctx);
OSSL_PARAM_free(fromdata_params);
OSSL_PARAM_free(todata_params);
return ret;
}
static int test_fromdata_rsa_derive_from_pq_sp800(void)
{
OSSL_PARAM_BLD *bld = NULL;
BIGNUM *n = NULL, *e = NULL, *d = NULL, *p = NULL, *q = NULL;
BIGNUM *dmp1 = NULL, *dmq1 = NULL, *iqmp = NULL;
OSSL_PARAM *fromdata_params = NULL;
struct check_data cdata[4];
int ret = 0;
/*
* 512-bit RSA key, extracted from this command,
* openssl genrsa 512 | openssl rsa -text
* Note: When generating a key with EVP_PKEY_fromdata, and using
* crt derivation, openssl requires a minimum of 512 bits of n data,
* and 2048 bits in the FIPS case
*/
static unsigned char n_data[] =
{0x00, 0xc7, 0x06, 0xd8, 0x6b, 0x3c, 0x4f, 0xb7, 0x95, 0x42, 0x44, 0x90,
0xbd, 0xef, 0xf3, 0xc4, 0xb5, 0xa8, 0x55, 0x9e, 0x33, 0xa3, 0x04, 0x3a,
0x90, 0xe5, 0x13, 0xff, 0x87, 0x69, 0x15, 0xa4, 0x8a, 0x17, 0x10, 0xcc,
0xdf, 0xf9, 0xc5, 0x0f, 0xf1, 0x12, 0xff, 0x12, 0x11, 0xe5, 0x6b, 0x5c,
0x83, 0xd9, 0x43, 0xd1, 0x8a, 0x7e, 0xa6, 0x60, 0x07, 0x2e, 0xbb, 0x03,
0x17, 0x2d, 0xec, 0x17, 0x87};
static unsigned char e_data[] = {0x01, 0x00, 0x01};
static unsigned char d_data[] =
{0x1e, 0x5e, 0x5d, 0x07, 0x7f, 0xdc, 0x6a, 0x16, 0xcc, 0x55, 0xca, 0x00,
0x31, 0x6c, 0xf0, 0xc7, 0x07, 0x38, 0x89, 0x3b, 0x37, 0xd4, 0x9d, 0x5b,
0x1e, 0x99, 0x3e, 0x94, 0x5a, 0xe4, 0x82, 0x86, 0x8a, 0x78, 0x34, 0x09,
0x37, 0xd5, 0xe7, 0xb4, 0xef, 0x5f, 0x83, 0x94, 0xff, 0xe5, 0x36, 0x79,
0x10, 0x0c, 0x38, 0xc5, 0x3a, 0x33, 0xa6, 0x7c, 0x3c, 0xcc, 0x98, 0xe0,
0xf5, 0xdb, 0xe6, 0x81};
static unsigned char p_data[] =
{0x00, 0xf6, 0x61, 0x38, 0x0e, 0x1f, 0x82, 0x7c, 0xb8, 0xba, 0x00, 0xd3,
0xac, 0xdc, 0x4e, 0x6b, 0x7e, 0xf7, 0x58, 0xf3, 0xd9, 0xd8, 0x21, 0xed,
0x54, 0xa3, 0x36, 0xd2, 0x2c, 0x5f, 0x06, 0x7d, 0xc5};
static unsigned char q_data[] =
{0x00, 0xce, 0xcc, 0x4a, 0xa5, 0x4f, 0xd6, 0x73, 0xd0, 0x20, 0xc3, 0x98,
0x64, 0x20, 0x9b, 0xc1, 0x23, 0xd8, 0x5c, 0x82, 0x4f, 0xe8, 0xa5, 0x32,
0xcd, 0x7e, 0x97, 0xb4, 0xde, 0xf6, 0x4c, 0x80, 0xdb};
static unsigned char dmp1_data[] =
{0x00, 0xd1, 0x07, 0xb6, 0x79, 0x34, 0xfe, 0x8e, 0x36, 0x63, 0x88, 0xa4,
0x0e, 0x3a, 0x73, 0x45, 0xfc, 0x58, 0x7a, 0x5d, 0x98, 0xeb, 0x28, 0x0d,
0xa5, 0x0b, 0x3c, 0x4d, 0xa0, 0x5b, 0x96, 0xb4, 0x49};
static unsigned char dmq1_data[] =
{0x5b, 0x47, 0x02, 0xdf, 0xaa, 0xb8, 0xae, 0x8f, 0xbc, 0x16, 0x79, 0x6a,
0x20, 0x96, 0x7f, 0x0e, 0x92, 0x4e, 0x6a, 0xda, 0x58, 0x86, 0xaa, 0x40,
0xd7, 0xd2, 0xa0, 0x6c, 0x15, 0x6c, 0xb9, 0x27};
static unsigned char iqmp_data[] =
{0x00, 0xa0, 0xd6, 0xf0, 0xe8, 0x17, 0x9e, 0xe7, 0xe6, 0x99, 0x12, 0xd6,
0xd9, 0x43, 0xcf, 0xed, 0x37, 0x29, 0xf5, 0x6c, 0x3e, 0xc1, 0x7f, 0x2e,
0x31, 0x3f, 0x64, 0x34, 0x66, 0x68, 0x5c, 0x22, 0x08};
if (!TEST_ptr(bld = OSSL_PARAM_BLD_new())
|| !TEST_ptr(n = BN_bin2bn(n_data, sizeof(n_data), NULL))
|| !TEST_ptr(e = BN_bin2bn(e_data, sizeof(e_data), NULL))
|| !TEST_ptr(d = BN_bin2bn(d_data, sizeof(d_data), NULL))
|| !TEST_ptr(p = BN_bin2bn(p_data, sizeof(p_data), NULL))
|| !TEST_ptr(q = BN_bin2bn(q_data, sizeof(q_data), NULL))
|| !TEST_ptr(dmp1 = BN_bin2bn(dmp1_data, sizeof(dmp1_data), NULL))
|| !TEST_ptr(dmq1 = BN_bin2bn(dmq1_data, sizeof(dmq1_data), NULL))
|| !TEST_ptr(iqmp = BN_bin2bn(iqmp_data, sizeof(iqmp_data), NULL))
|| !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_N, n))
|| !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_E, e))
|| !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_D, d))
|| !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_FACTOR1,
p))
|| !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_FACTOR2,
q))
|| !TEST_true(OSSL_PARAM_BLD_push_int(bld,
OSSL_PKEY_PARAM_RSA_DERIVE_FROM_PQ, 1))
|| !TEST_ptr(fromdata_params = OSSL_PARAM_BLD_to_param(bld)))
goto err;
cdata[0].pname = OSSL_PKEY_PARAM_RSA_EXPONENT1;
cdata[0].comparebn = dmp1;
cdata[1].pname = OSSL_PKEY_PARAM_RSA_EXPONENT2;
cdata[1].comparebn = dmq1;
cdata[2].pname = OSSL_PKEY_PARAM_RSA_COEFFICIENT1;
cdata[2].comparebn = iqmp;
cdata[3].pname = NULL;
cdata[3].comparebn = NULL;
ret = do_fromdata_rsa_derive(fromdata_params, cdata, 512, 56, 64);
err:
BN_free(n);
BN_free(e);
BN_free(d);
BN_free(p);
BN_free(q);
BN_free(dmp1);
BN_free(dmq1);
BN_free(iqmp);
OSSL_PARAM_BLD_free(bld);
return ret;
}
static int test_fromdata_rsa_derive_from_pq_multiprime(void)
{
OSSL_PARAM_BLD *bld = NULL;
BIGNUM *n = NULL, *e = NULL, *d = NULL;
BIGNUM *p = NULL, *q = NULL, *p2 = NULL;
BIGNUM *dmp1 = NULL, *dmq1 = NULL, *iqmp = NULL;
BIGNUM *exp3 = NULL, *coeff2 = NULL;
OSSL_PARAM *fromdata_params = NULL;
struct check_data cdata[12];
int ret = 0;
/*
* multiprime RSA key, extracted from this command,
* openssl genrsa -primes 3 | openssl rsa -text
* Note: When generating a key with EVP_PKEY_fromdata, and using
* crt derivation, openssl requires a minimum of 512 bits of n data,
* and 2048 bits in the FIPS case
*/
static unsigned char n_data[] =
{0x00, 0x95, 0x78, 0x21, 0xe0, 0xca, 0x94, 0x6c, 0x0b, 0x86, 0x2a, 0x01,
0xde, 0xd9, 0xab, 0xee, 0x88, 0x4a, 0x27, 0x4f, 0xcc, 0x5f, 0xf1, 0x71,
0xe1, 0x0b, 0xc3, 0xd1, 0x88, 0x76, 0xf0, 0x83, 0x03, 0x93, 0x7e, 0x39,
0xfa, 0x47, 0x89, 0x34, 0x27, 0x18, 0x19, 0x97, 0xfc, 0xd4, 0xfe, 0xe5,
0x8a, 0xa9, 0x11, 0x83, 0xb5, 0x15, 0x4a, 0x29, 0xa6, 0xa6, 0xd0, 0x6e,
0x0c, 0x7f, 0x61, 0x8f, 0x7e, 0x7c, 0xfb, 0xfc, 0x04, 0x8b, 0xca, 0x44,
0xf8, 0x59, 0x0b, 0x22, 0x6f, 0x3f, 0x92, 0x23, 0x98, 0xb5, 0xc8, 0xf7,
0xff, 0xf7, 0xac, 0x6b, 0x36, 0xb3, 0xaf, 0x39, 0xde, 0x66, 0x38, 0x51,
0x9f, 0xbe, 0xe2, 0xfc, 0xe4, 0x6f, 0x1a, 0x0f, 0x7a, 0xde, 0x7f, 0x0f,
0x4e, 0xbc, 0xed, 0xa2, 0x99, 0xc5, 0xd1, 0xbf, 0x8f, 0xba, 0x92, 0x91,
0xe4, 0x00, 0x91, 0xbb, 0x67, 0x36, 0x7d, 0x00, 0x50, 0xda, 0x28, 0x38,
0xdc, 0x9f, 0xfe, 0x3f, 0x24, 0x5a, 0x0d, 0xe1, 0x8d, 0xe9, 0x45, 0x2c,
0xd7, 0xf2, 0x67, 0x8c, 0x0c, 0x6e, 0xdb, 0xc8, 0x8b, 0x6b, 0x38, 0x30,
0x21, 0x94, 0xc0, 0xe3, 0xd7, 0xe0, 0x23, 0xd3, 0xd4, 0xfa, 0xdb, 0xb9,
0xfe, 0x1a, 0xcc, 0xc9, 0x79, 0x19, 0x35, 0x18, 0x42, 0x30, 0xc4, 0xb5,
0x92, 0x33, 0x1e, 0xd4, 0xc4, 0xc0, 0x9d, 0x55, 0x37, 0xd4, 0xef, 0x54,
0x71, 0x81, 0x09, 0x15, 0xdb, 0x11, 0x38, 0x6b, 0x35, 0x93, 0x11, 0xdc,
0xb1, 0x6c, 0xd6, 0xa4, 0x37, 0x84, 0xf3, 0xb2, 0x2f, 0x1b, 0xd6, 0x05,
0x9f, 0x0e, 0x5c, 0x98, 0x29, 0x2f, 0x95, 0xb6, 0x55, 0xbd, 0x24, 0x44,
0xc5, 0xc8, 0xa2, 0x76, 0x1e, 0xf8, 0x82, 0x8a, 0xdf, 0x34, 0x72, 0x7e,
0xdd, 0x65, 0x4b, 0xfc, 0x6c, 0x1c, 0x96, 0x70, 0xe2, 0x69, 0xb5, 0x12,
0x1b, 0x59, 0x67, 0x14, 0x9d};
static unsigned char e_data[] = {0x01, 0x00, 0x01};
static unsigned char d_data[] =
{0x64, 0x57, 0x4d, 0x86, 0xf6, 0xf8, 0x44, 0xc0, 0x47, 0xc5, 0x13, 0x94,
0x63, 0x54, 0x84, 0xc1, 0x81, 0xe6, 0x7a, 0x2f, 0x9d, 0x89, 0x1d, 0x06,
0x13, 0x3b, 0xd6, 0x02, 0x62, 0xb6, 0x7b, 0x7d, 0x7f, 0x1a, 0x92, 0x19,
0x6e, 0xc4, 0xb0, 0xfa, 0x3d, 0xb7, 0x90, 0xcc, 0xee, 0xc0, 0x5f, 0xa0,
0x82, 0x77, 0x7b, 0x8f, 0xa9, 0x47, 0x2c, 0x46, 0xf0, 0x5d, 0xa4, 0x43,
0x47, 0x90, 0x5b, 0x20, 0x73, 0x0f, 0x46, 0xd4, 0x56, 0x73, 0xe7, 0x71,
0x41, 0x75, 0xb4, 0x1c, 0x32, 0xf5, 0x0c, 0x68, 0x8c, 0x40, 0xea, 0x1c,
0x30, 0x12, 0xa2, 0x65, 0x02, 0x27, 0x98, 0x4e, 0x0a, 0xbf, 0x2b, 0x72,
0xb2, 0x5c, 0xe3, 0xbe, 0x3e, 0xc7, 0xdb, 0x9b, 0xa2, 0x4a, 0x90, 0xc0,
0xa7, 0xb0, 0x00, 0xf1, 0x6a, 0xff, 0xa3, 0x77, 0xf7, 0x71, 0xa2, 0x41,
0xe9, 0x6e, 0x7c, 0x38, 0x24, 0x46, 0xd5, 0x5c, 0x49, 0x2a, 0xe6, 0xee,
0x27, 0x4b, 0x2e, 0x6f, 0x16, 0x54, 0x2d, 0x37, 0x36, 0x01, 0x39, 0x2b,
0x23, 0x4b, 0xb4, 0x65, 0x25, 0x4d, 0x7f, 0x72, 0x20, 0x7f, 0x5d, 0xec,
0x50, 0xba, 0xbb, 0xaa, 0x9c, 0x3c, 0x1d, 0xa1, 0x40, 0x2c, 0x6a, 0x8b,
0x5f, 0x2e, 0xe0, 0xa6, 0xf7, 0x9e, 0x03, 0xb5, 0x44, 0x5f, 0x74, 0xc7,
0x9f, 0x89, 0x2b, 0x71, 0x2f, 0x66, 0x9f, 0x03, 0x6c, 0x96, 0xd0, 0x23,
0x36, 0x4d, 0xa1, 0xf0, 0x82, 0xcc, 0x43, 0xe7, 0x08, 0x93, 0x40, 0x18,
0xc0, 0x39, 0x73, 0x83, 0xe2, 0xec, 0x9b, 0x81, 0x9d, 0x4c, 0x86, 0xaa,
0x59, 0xa8, 0x67, 0x1c, 0x80, 0xdc, 0x6f, 0x7f, 0x23, 0x6b, 0x7d, 0x2c,
0x56, 0x99, 0xa0, 0x89, 0x7e, 0xdb, 0x8b, 0x7a, 0xaa, 0x03, 0x8e, 0x8e,
0x8e, 0x3a, 0x58, 0xb4, 0x03, 0x6b, 0x65, 0xfa, 0x92, 0x0a, 0x96, 0x93,
0xa6, 0x07, 0x60, 0x01};
static unsigned char p_data[] =
{0x06, 0x55, 0x7f, 0xbd, 0xfd, 0xa8, 0x4c, 0x94, 0x5e, 0x10, 0x8a, 0x54,
0x37, 0xf3, 0x64, 0x37, 0x3a, 0xca, 0x18, 0x1b, 0xdd, 0x71, 0xa5, 0x94,
0xc9, 0x31, 0x59, 0xa5, 0x89, 0xe9, 0xc4, 0xba, 0x55, 0x90, 0x6d, 0x9c,
0xcc, 0x52, 0x5d, 0x44, 0xa8, 0xbc, 0x2b, 0x3b, 0x8c, 0xbd, 0x96, 0xfa,
0xcd, 0x54, 0x63, 0xe3, 0xc8, 0xfe, 0x5e, 0xc6, 0x73, 0x98, 0x14, 0x7a,
0x54, 0x0e, 0xe7, 0x75, 0x49, 0x93, 0x20, 0x33, 0x17, 0xa9, 0x34, 0xa8,
0xee, 0xaf, 0x3a, 0xcc, 0xf5, 0x69, 0xfc, 0x30, 0x1a, 0xdf, 0x49, 0x61,
0xa4, 0xd1};
static unsigned char p2_data[] =
{0x03, 0xe2, 0x41, 0x3d, 0xb1, 0xdd, 0xad, 0xd7, 0x3b, 0xf8, 0xab, 0x32,
0x27, 0x8b, 0xac, 0x95, 0xc0, 0x1a, 0x3f, 0x80, 0x8e, 0x21, 0xa9, 0xb8,
0xa2, 0xed, 0xcf, 0x97, 0x5c, 0x61, 0x10, 0x94, 0x1b, 0xd0, 0xbe, 0x88,
0xc2, 0xa7, 0x20, 0xe5, 0xa5, 0xc2, 0x7a, 0x7e, 0xf0, 0xd1, 0xe4, 0x13,
0x75, 0xb9, 0x62, 0x90, 0xf1, 0xc3, 0x5b, 0x8c, 0xe9, 0xa9, 0x5b, 0xb7,
0x6d, 0xdc, 0xcd, 0x12, 0xea, 0x97, 0x05, 0x04, 0x25, 0x2a, 0x93, 0xd1,
0x4e, 0x05, 0x1a, 0x50, 0xa2, 0x67, 0xb8, 0x4b, 0x09, 0x15, 0x65, 0x6c,
0x66, 0x2d};
static unsigned char q_data[] =
{0x06, 0x13, 0x74, 0x6e, 0xde, 0x7c, 0x33, 0xc2, 0xe7, 0x05, 0x2c, 0xeb,
0x25, 0x7d, 0x4a, 0x07, 0x7e, 0x03, 0xcf, 0x6a, 0x23, 0x36, 0x25, 0x23,
0xf6, 0x5d, 0xde, 0xa3, 0x0f, 0x82, 0xe6, 0x4b, 0xec, 0x39, 0xbf, 0x37,
0x1f, 0x4f, 0x56, 0x1e, 0xd8, 0x62, 0x32, 0x5c, 0xf5, 0x37, 0x75, 0x20,
0xe2, 0x7e, 0x56, 0x82, 0xc6, 0x35, 0xd3, 0x4d, 0xfa, 0x6c, 0xc3, 0x93,
0xf0, 0x60, 0x53, 0x78, 0x95, 0xee, 0xf9, 0x8b, 0x2c, 0xaf, 0xb1, 0x47,
0x5c, 0x29, 0x0d, 0x2a, 0x47, 0x7f, 0xd0, 0x7a, 0x4e, 0x26, 0x7b, 0x47,
0xfb, 0x61};
static unsigned char dmp1_data[] =
{0x01, 0x13, 0x3a, 0x1f, 0x91, 0x92, 0xa3, 0x8c, 0xfb, 0x7a, 0x6b, 0x40,
0x68, 0x4e, 0xd3, 0xcf, 0xdc, 0x16, 0xb9, 0x88, 0xe1, 0x49, 0x8d, 0x05,
0x78, 0x30, 0xfc, 0x3a, 0x70, 0xf2, 0x51, 0x06, 0x1f, 0xc7, 0xe8, 0x13,
0x19, 0x4b, 0x51, 0xb1, 0x79, 0xc2, 0x96, 0xc4, 0x00, 0xdb, 0x9d, 0x68,
0xec, 0xb9, 0x4a, 0x4b, 0x3b, 0xae, 0x91, 0x7f, 0xb5, 0xd7, 0x36, 0x82,
0x9d, 0x09, 0xfa, 0x97, 0x99, 0xe9, 0x73, 0x29, 0xb8, 0xf6, 0x6b, 0x8d,
0xd1, 0x15, 0xc5, 0x31, 0x4c, 0xe6, 0xb4, 0x7b, 0xa5, 0xd4, 0x08, 0xac,
0x9e, 0x41};
static unsigned char dmq1_data[] =
{0x05, 0xcd, 0x33, 0xc2, 0xdd, 0x3b, 0xb8, 0xec, 0xe4, 0x4c, 0x03, 0xcc,
0xef, 0xba, 0x07, 0x22, 0xca, 0x47, 0x77, 0x18, 0x40, 0x50, 0xe5, 0xfb,
0xc5, 0xb5, 0x71, 0xed, 0x3e, 0xd5, 0x5d, 0x72, 0xa7, 0x37, 0xa8, 0x86,
0x48, 0xa6, 0x27, 0x74, 0x42, 0x66, 0xd8, 0xf1, 0xfb, 0xcf, 0x1d, 0x4e,
0xee, 0x15, 0x76, 0x23, 0x5e, 0x81, 0x6c, 0xa7, 0x2b, 0x74, 0x08, 0xf7,
0x4c, 0x71, 0x9d, 0xa2, 0x29, 0x7f, 0xca, 0xd5, 0x02, 0x31, 0x2c, 0x54,
0x18, 0x02, 0xb6, 0xa8, 0x65, 0x26, 0xfc, 0xf8, 0x9b, 0x80, 0x90, 0xfc,
0x75, 0x61};
static unsigned char iqmp_data[] =
{0x05, 0x78, 0xf8, 0xdd, 0x1c, 0x6f, 0x3d, 0xaf, 0x53, 0x84, 0x32, 0xa9,
0x35, 0x52, 0xf3, 0xd0, 0x4d, 0xf8, 0x09, 0x85, 0x3d, 0x72, 0x20, 0x8b,
0x47, 0xba, 0xc8, 0xce, 0xac, 0xd9, 0x76, 0x90, 0x05, 0x88, 0x63, 0x8a,
0x10, 0x2b, 0xcd, 0xd3, 0xbe, 0x8c, 0x16, 0x60, 0x6a, 0xfd, 0xce, 0xc7,
0x9f, 0xfa, 0xbb, 0xe3, 0xa6, 0xde, 0xc2, 0x8f, 0x1d, 0x25, 0xdc, 0x41,
0xcb, 0xa4, 0xeb, 0x76, 0xc9, 0xdc, 0x8e, 0x49, 0x0e, 0xe4, 0x7c, 0xd2,
0xd5, 0x6e, 0x26, 0x3c, 0x0b, 0xd3, 0xc5, 0x20, 0x4e, 0x4b, 0xb6, 0xf7,
0xae, 0xef};
static unsigned char exp3_data[] =
{0x02, 0x7d, 0x16, 0x24, 0xfc, 0x35, 0xf9, 0xd0, 0xb3, 0x02, 0xf2, 0x5f,
0xde, 0xeb, 0x27, 0x19, 0x85, 0xd0, 0xcb, 0xe4, 0x0a, 0x2f, 0x13, 0xdb,
0xd5, 0xba, 0xe0, 0x8c, 0x32, 0x8b, 0x97, 0xdd, 0xef, 0xbc, 0xe0, 0x7a,
0x2d, 0x90, 0x7e, 0x09, 0xe9, 0x1f, 0x26, 0xf2, 0xf4, 0x48, 0xea, 0x06,
0x76, 0x26, 0xe6, 0x3b, 0xce, 0x4e, 0xc9, 0xf9, 0x0f, 0x38, 0x90, 0x26,
0x87, 0x65, 0x36, 0x9a, 0xea, 0x6a, 0xfe, 0xb1, 0xdb, 0x46, 0xdf, 0x14,
0xfd, 0x13, 0x53, 0xfb, 0x5b, 0x35, 0x6e, 0xe7, 0xd5, 0xd8, 0x39, 0xf7,
0x2d, 0xb9};
static unsigned char coeff2_data[] =
{0x01, 0xba, 0x66, 0x0a, 0xa2, 0x86, 0xc0, 0x57, 0x7f, 0x4e, 0x68, 0xb1,
0x86, 0x63, 0x23, 0x5b, 0x0e, 0xeb, 0x93, 0x42, 0xd1, 0xaa, 0x15, 0x13,
0xcc, 0x29, 0x71, 0x8a, 0xb0, 0xe0, 0xc9, 0x67, 0xde, 0x1a, 0x7c, 0x1a,
0xef, 0xa7, 0x08, 0x85, 0xb3, 0xae, 0x98, 0x99, 0xde, 0xaf, 0x09, 0x38,
0xfc, 0x46, 0x29, 0x5f, 0x4f, 0x7e, 0x01, 0x6c, 0x50, 0x13, 0x95, 0x91,
0x4c, 0x0f, 0x00, 0xba, 0xca, 0x40, 0xa3, 0xd0, 0x58, 0xb6, 0x62, 0x4c,
0xd1, 0xb6, 0xd3, 0x29, 0x5d, 0x82, 0xb3, 0x3d, 0x61, 0xbe, 0x5d, 0xf0,
0x4b, 0xf4};
if (!TEST_ptr(bld = OSSL_PARAM_BLD_new())
|| !TEST_ptr(n = BN_bin2bn(n_data, sizeof(n_data), NULL))
|| !TEST_ptr(e = BN_bin2bn(e_data, sizeof(e_data), NULL))
|| !TEST_ptr(d = BN_bin2bn(d_data, sizeof(d_data), NULL))
|| !TEST_ptr(p = BN_bin2bn(p_data, sizeof(p_data), NULL))
|| !TEST_ptr(q = BN_bin2bn(q_data, sizeof(q_data), NULL))
|| !TEST_ptr(p2 = BN_bin2bn(p2_data, sizeof(p2_data), NULL))
|| !TEST_ptr(exp3 = BN_bin2bn(exp3_data, sizeof(exp3_data), NULL))
|| !TEST_ptr(coeff2 = BN_bin2bn(coeff2_data, sizeof(coeff2_data), NULL))
|| !TEST_ptr(dmp1 = BN_bin2bn(dmp1_data, sizeof(dmp1_data), NULL))
|| !TEST_ptr(dmq1 = BN_bin2bn(dmq1_data, sizeof(dmq1_data), NULL))
|| !TEST_ptr(iqmp = BN_bin2bn(iqmp_data, sizeof(iqmp_data), NULL))
|| !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_N, n))
|| !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_E, e))
|| !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_D, d))
|| !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_FACTOR1,
p))
|| !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_FACTOR2,
q))
|| !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_FACTOR3,
p2))
|| !TEST_true(OSSL_PARAM_BLD_push_int(bld,
OSSL_PKEY_PARAM_RSA_DERIVE_FROM_PQ, 1))
|| !TEST_ptr(fromdata_params = OSSL_PARAM_BLD_to_param(bld)))
goto err;
cdata[0].pname = OSSL_PKEY_PARAM_RSA_EXPONENT1;
cdata[0].comparebn = dmp1;
cdata[1].pname = OSSL_PKEY_PARAM_RSA_EXPONENT2;
cdata[1].comparebn = dmq1;
cdata[2].pname = OSSL_PKEY_PARAM_RSA_COEFFICIENT1;
cdata[2].comparebn = iqmp;
cdata[3].pname = OSSL_PKEY_PARAM_RSA_EXPONENT3;
cdata[3].comparebn = exp3;
cdata[4].pname = OSSL_PKEY_PARAM_RSA_COEFFICIENT2;
cdata[4].comparebn = coeff2;
cdata[5].pname = OSSL_PKEY_PARAM_RSA_N;
cdata[5].comparebn = n;
cdata[6].pname = OSSL_PKEY_PARAM_RSA_E;
cdata[6].comparebn = e;
cdata[7].pname = OSSL_PKEY_PARAM_RSA_D;
cdata[7].comparebn = d;
cdata[8].pname = OSSL_PKEY_PARAM_RSA_FACTOR1;
cdata[8].comparebn = p;
cdata[9].pname = OSSL_PKEY_PARAM_RSA_FACTOR2;
cdata[9].comparebn = q;
cdata[10].pname = OSSL_PKEY_PARAM_RSA_FACTOR3;
cdata[10].comparebn = p2;
cdata[11].pname = NULL;
cdata[11].comparebn = NULL;
ret = do_fromdata_rsa_derive(fromdata_params, cdata, 2048, 112, 256);
err:
BN_free(n);
BN_free(e);
BN_free(d);
BN_free(p);
BN_free(p2);
BN_free(q);
BN_free(dmp1);
BN_free(dmq1);
BN_free(iqmp);
BN_free(exp3);
BN_free(coeff2);
OSSL_PARAM_BLD_free(bld);
return ret;
}
static int test_evp_pkey_get_bn_param_large(void)
{
int ret = 0;
@ -459,7 +851,7 @@ static int test_evp_pkey_get_bn_param_large(void)
static const unsigned char e_data[] = {
0x1, 0x00, 0x01
};
static const unsigned char d_data[]= {
static const unsigned char d_data[] = {
0x99, 0x33, 0x13, 0x7b
};
@ -1765,6 +2157,8 @@ int setup_tests(void)
ADD_TEST(test_evp_pkey_ctx_dup_kdf);
ADD_TEST(test_evp_pkey_get_bn_param_large);
ADD_TEST(test_fromdata_rsa);
ADD_TEST(test_fromdata_rsa_derive_from_pq_sp800);
ADD_TEST(test_fromdata_rsa_derive_from_pq_multiprime);
#ifndef OPENSSL_NO_DH
ADD_TEST(test_fromdata_dh_fips186_4);
ADD_TEST(test_fromdata_dh_named_group);

1
util/perl/OpenSSL/paramnames.pm
View File

@ -348,6 +348,7 @@ my %params = (
'PKEY_PARAM_RSA_MASKGENFUNC' => '*PKEY_PARAM_MASKGENFUNC',
'PKEY_PARAM_RSA_MGF1_DIGEST' => '*PKEY_PARAM_MGF1_DIGEST',
'PKEY_PARAM_RSA_PSS_SALTLEN' => "saltlen",
'PKEY_PARAM_RSA_DERIVE_FROM_PQ' => "rsa-derive-from-pq",
# EC, X25519 and X448 Key generation parameters
'PKEY_PARAM_DHKEM_IKM' => "dhkem-ikm",