Head

GCC Code Coverage Report

Directory:	./		Exec	Total	Coverage
File:	lib/libcrypto/rsa/rsa_chk.c	Lines:	50	75	66.7 %
Date:	2017-11-07	Branches:	30	64	46.9 %


/* $OpenBSD: rsa_chk.c,v 1.13 2017/01/29 17:49:23 beck Exp $ */
/* ====================================================================
 * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
 *
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission. For written permission, please contact
 *    openssl-core@OpenSSL.org.
 *
 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
 *    permission of the OpenSSL Project.
 *
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
 *
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 */

#include <openssl/bn.h>
#include <openssl/err.h>
#include <openssl/rsa.h>

#include "bn_lcl.h"

int
RSA_check_key(const RSA *key)
{
	BIGNUM *i, *j, *k, *l, *m;
	BN_CTX *ctx;
	int r;
	int ret = 1;

	if (!key->p || !key->q || !key->n || !key->e || !key->d) {
		RSAerror(RSA_R_VALUE_MISSING);
		return 0;
	}

	i = BN_new();
	j = BN_new();
	k = BN_new();
	l = BN_new();
	m = BN_new();
	ctx = BN_CTX_new();
	if (i == NULL || j == NULL || k == NULL || l == NULL || m == NULL ||
	    ctx == NULL) {
		ret = -1;
		RSAerror(ERR_R_MALLOC_FAILURE);
		goto err;
	}

	/* p prime? */
	r = BN_is_prime_ex(key->p, BN_prime_checks, NULL, NULL);
	if (r != 1) {
		ret = r;
		if (r != 0)
			goto err;
		RSAerror(RSA_R_P_NOT_PRIME);
	}

	/* q prime? */
	r = BN_is_prime_ex(key->q, BN_prime_checks, NULL, NULL);
	if (r != 1) {
		ret = r;
		if (r != 0)
			goto err;
		RSAerror(RSA_R_Q_NOT_PRIME);
	}

	/* n = p*q? */
	r = BN_mul(i, key->p, key->q, ctx);
	if (!r) {
		ret = -1;
		goto err;
	}

	if (BN_cmp(i, key->n) != 0) {
		ret = 0;
		RSAerror(RSA_R_N_DOES_NOT_EQUAL_P_Q);
	}

	/* d*e = 1  mod lcm(p-1,q-1)? */

	r = BN_sub(i, key->p, BN_value_one());
	if (!r) {
		ret = -1;
		goto err;
	}
	r = BN_sub(j, key->q, BN_value_one());
	if (!r) {
		ret = -1;
		goto err;
	}

	/* now compute k = lcm(i,j) */
	r = BN_mul(l, i, j, ctx);
	if (!r) {
		ret = -1;
		goto err;
	}
	r = BN_gcd_ct(m, i, j, ctx);
	if (!r) {
		ret = -1;
		goto err;
	}
	r = BN_div_ct(k, NULL, l, m, ctx); /* remainder is 0 */
	if (!r) {
		ret = -1;
		goto err;
	}

	r = BN_mod_mul(i, key->d, key->e, k, ctx);
	if (!r) {
		ret = -1;
		goto err;
	}

	if (!BN_is_one(i)) {
		ret = 0;
		RSAerror(RSA_R_D_E_NOT_CONGRUENT_TO_1);
	}

	if (key->dmp1 != NULL && key->dmq1 != NULL && key->iqmp != NULL) {
		/* dmp1 = d mod (p-1)? */
		r = BN_sub(i, key->p, BN_value_one());
		if (!r) {
			ret = -1;
			goto err;
		}

		r = BN_mod_ct(j, key->d, i, ctx);
		if (!r) {
			ret = -1;
			goto err;
		}

		if (BN_cmp(j, key->dmp1) != 0) {
			ret = 0;
			RSAerror(RSA_R_DMP1_NOT_CONGRUENT_TO_D);
		}

		/* dmq1 = d mod (q-1)? */
		r = BN_sub(i, key->q, BN_value_one());
		if (!r) {
			ret = -1;
			goto err;
		}

		r = BN_mod_ct(j, key->d, i, ctx);
		if (!r) {
			ret = -1;
			goto err;
		}

		if (BN_cmp(j, key->dmq1) != 0) {
			ret = 0;
			RSAerror(RSA_R_DMQ1_NOT_CONGRUENT_TO_D);
		}

		/* iqmp = q^-1 mod p? */
		if (!BN_mod_inverse_ct(i, key->q, key->p, ctx)) {
			ret = -1;
			goto err;
		}

		if (BN_cmp(i, key->iqmp) != 0) {
			ret = 0;
			RSAerror(RSA_R_IQMP_NOT_INVERSE_OF_Q);
		}
	}

err:
	BN_free(i);
	BN_free(j);
	BN_free(k);
	BN_free(l);
	BN_free(m);
	BN_CTX_free(ctx);

	return (ret);
}


Generated by: GCOVR (Version 3.3)

Line	Branch	Exec	Source
1			/* $OpenBSD: rsa_chk.c,v 1.13 2017/01/29 17:49:23 beck Exp $ */
2			/* ====================================================================
3			* Copyright (c) 1999 The OpenSSL Project. All rights reserved.
4			*
5			* Redistribution and use in source and binary forms, with or without
6			* modification, are permitted provided that the following conditions
7			* are met:
8			*
9			* 1. Redistributions of source code must retain the above copyright
10			* notice, this list of conditions and the following disclaimer.
11			*
12			* 2. Redistributions in binary form must reproduce the above copyright
13			* notice, this list of conditions and the following disclaimer in
14			* the documentation and/or other materials provided with the
15			* distribution.
16			*
17			* 3. All advertising materials mentioning features or use of this
18			* software must display the following acknowledgment:
19			* "This product includes software developed by the OpenSSL Project
20			* for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
21			*
22			* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
23			* endorse or promote products derived from this software without
24			* prior written permission. For written permission, please contact
25			* openssl-core@OpenSSL.org.
26			*
27			* 5. Products derived from this software may not be called "OpenSSL"
28			* nor may "OpenSSL" appear in their names without prior written
29			* permission of the OpenSSL Project.
30			*
31			* 6. Redistributions of any form whatsoever must retain the following
32			* acknowledgment:
33			* "This product includes software developed by the OpenSSL Project
34			* for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
35			*
36			* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
37			* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
38			* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
39			* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
40			* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
41			* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
42			* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
43			* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
44			* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
45			* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
46			* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
47			* OF THE POSSIBILITY OF SUCH DAMAGE.
48			* ====================================================================
49			*/
50
51			#include <openssl/bn.h>
52			#include <openssl/err.h>
53			#include <openssl/rsa.h>
54
55			#include "bn_lcl.h"
56
57			int
58			RSA_check_key(const RSA *key)
59			{
60			BIGNUM i, j, k, l, *m;
61			BN_CTX *ctx;
62			int r;
63			int ret = 1;
64
65	✓✗✓✗ ✓✗✓✗ ✗✓	12	if (!key->p \|\| !key->q \|\| !key->n \|\| !key->e \|\| !key->d) {
66			RSAerror(RSA_R_VALUE_MISSING);
67			return 0;
68			}
69
70		2	i = BN_new();
71		2	j = BN_new();
72		2	k = BN_new();
73		2	l = BN_new();
74		2	m = BN_new();
75		2	ctx = BN_CTX_new();
76	✗✓	4	if (i == NULL \|\| j == NULL \|\| k == NULL \|\| l == NULL \|\| m == NULL \|\|
77		2	ctx == NULL) {
78			ret = -1;
79			RSAerror(ERR_R_MALLOC_FAILURE);
80			goto err;
81			}
82
83			/* p prime? */
84		2	r = BN_is_prime_ex(key->p, BN_prime_checks, NULL, NULL);
85	✗✓	2	if (r != 1) {
86			ret = r;
87			if (r != 0)
88			goto err;
89			RSAerror(RSA_R_P_NOT_PRIME);
90			}
91
92			/* q prime? */
93		2	r = BN_is_prime_ex(key->q, BN_prime_checks, NULL, NULL);
94	✗✓	2	if (r != 1) {
95			ret = r;
96			if (r != 0)
97			goto err;
98			RSAerror(RSA_R_Q_NOT_PRIME);
99			}
100
101			/* n = pq? /
102		2	r = BN_mul(i, key->p, key->q, ctx);
103	✗✓	2	if (!r) {
104			ret = -1;
105			goto err;
106			}
107
108	✗✓	2	if (BN_cmp(i, key->n) != 0) {
109			ret = 0;
110			RSAerror(RSA_R_N_DOES_NOT_EQUAL_P_Q);
111			}
112
113			/* de = 1 mod lcm(p-1,q-1)? /
114
115		2	r = BN_sub(i, key->p, BN_value_one());
116	✗✓	2	if (!r) {
117			ret = -1;
118			goto err;
119			}
120		2	r = BN_sub(j, key->q, BN_value_one());
121	✗✓	2	if (!r) {
122			ret = -1;
123			goto err;
124			}
125
126			/* now compute k = lcm(i,j) */
127		2	r = BN_mul(l, i, j, ctx);
128	✗✓	2	if (!r) {
129			ret = -1;
130			goto err;
131			}
132		2	r = BN_gcd_ct(m, i, j, ctx);
133	✗✓	2	if (!r) {
134			ret = -1;
135			goto err;
136			}
137		2	r = BN_div_ct(k, NULL, l, m, ctx); /* remainder is 0 */
138	✗✓	2	if (!r) {
139			ret = -1;
140			goto err;
141			}
142
143		2	r = BN_mod_mul(i, key->d, key->e, k, ctx);
144	✗✓	2	if (!r) {
145			ret = -1;
146			goto err;
147			}
148
149	✓✗✓✗ ✗✓	6	if (!BN_is_one(i)) {
150			ret = 0;
151			RSAerror(RSA_R_D_E_NOT_CONGRUENT_TO_1);
152			}
153
154	✓✗✓✗ ✓✗	6	if (key->dmp1 != NULL && key->dmq1 != NULL && key->iqmp != NULL) {
155			/* dmp1 = d mod (p-1)? */
156		2	r = BN_sub(i, key->p, BN_value_one());
157	✗✓	2	if (!r) {
158			ret = -1;
159			goto err;
160			}
161
162		2	r = BN_mod_ct(j, key->d, i, ctx);
163	✗✓	2	if (!r) {
164			ret = -1;
165			goto err;
166			}
167
168	✗✓	2	if (BN_cmp(j, key->dmp1) != 0) {
169			ret = 0;
170			RSAerror(RSA_R_DMP1_NOT_CONGRUENT_TO_D);
171			}
172
173			/* dmq1 = d mod (q-1)? */
174		2	r = BN_sub(i, key->q, BN_value_one());
175	✗✓	2	if (!r) {
176			ret = -1;
177			goto err;
178			}
179
180		2	r = BN_mod_ct(j, key->d, i, ctx);
181	✗✓	2	if (!r) {
182			ret = -1;
183			goto err;
184			}
185
186	✗✓	2	if (BN_cmp(j, key->dmq1) != 0) {
187			ret = 0;
188			RSAerror(RSA_R_DMQ1_NOT_CONGRUENT_TO_D);
189			}
190
191			/* iqmp = q^-1 mod p? */
192	✗✓	2	if (!BN_mod_inverse_ct(i, key->q, key->p, ctx)) {
193			ret = -1;
194			goto err;
195			}
196
197	✗✓	2	if (BN_cmp(i, key->iqmp) != 0) {
198			ret = 0;
199			RSAerror(RSA_R_IQMP_NOT_INVERSE_OF_Q);
200			}
201			}
202
203			err:
204		2	BN_free(i);
205		2	BN_free(j);
206		2	BN_free(k);
207		2	BN_free(l);
208		2	BN_free(m);
209		2	BN_CTX_free(ctx);
210
211		2	return (ret);
212		2	}