GCC Code Coverage Report
Directory: ./ Exec Total Coverage
File: lib/libcrypto/rsa/rsa_chk.c Lines: 50 75 66.7 %
Date: 2017-11-13 Branches: 30 64 46.9 %

Line Branch Exec Source
1
/* $OpenBSD: rsa_chk.c,v 1.13 2017/01/29 17:49:23 beck Exp $ */
2
/* ====================================================================
3
 * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
4
 *
5
 * Redistribution and use in source and binary forms, with or without
6
 * modification, are permitted provided that the following conditions
7
 * are met:
8
 *
9
 * 1. Redistributions of source code must retain the above copyright
10
 *    notice, this list of conditions and the following disclaimer.
11
 *
12
 * 2. Redistributions in binary form must reproduce the above copyright
13
 *    notice, this list of conditions and the following disclaimer in
14
 *    the documentation and/or other materials provided with the
15
 *    distribution.
16
 *
17
 * 3. All advertising materials mentioning features or use of this
18
 *    software must display the following acknowledgment:
19
 *    "This product includes software developed by the OpenSSL Project
20
 *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
21
 *
22
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
23
 *    endorse or promote products derived from this software without
24
 *    prior written permission. For written permission, please contact
25
 *    openssl-core@OpenSSL.org.
26
 *
27
 * 5. Products derived from this software may not be called "OpenSSL"
28
 *    nor may "OpenSSL" appear in their names without prior written
29
 *    permission of the OpenSSL Project.
30
 *
31
 * 6. Redistributions of any form whatsoever must retain the following
32
 *    acknowledgment:
33
 *    "This product includes software developed by the OpenSSL Project
34
 *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
35
 *
36
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
37
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
38
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
39
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
40
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
41
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
42
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
43
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
44
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
45
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
46
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
47
 * OF THE POSSIBILITY OF SUCH DAMAGE.
48
 * ====================================================================
49
 */
50
51
#include <openssl/bn.h>
52
#include <openssl/err.h>
53
#include <openssl/rsa.h>
54
55
#include "bn_lcl.h"
56
57
int
58
RSA_check_key(const RSA *key)
59
{
60
	BIGNUM *i, *j, *k, *l, *m;
61
	BN_CTX *ctx;
62
	int r;
63
	int ret = 1;
64
65


12
	if (!key->p || !key->q || !key->n || !key->e || !key->d) {
66
		RSAerror(RSA_R_VALUE_MISSING);
67
		return 0;
68
	}
69
70
2
	i = BN_new();
71
2
	j = BN_new();
72
2
	k = BN_new();
73
2
	l = BN_new();
74
2
	m = BN_new();
75
2
	ctx = BN_CTX_new();
76
4
	if (i == NULL || j == NULL || k == NULL || l == NULL || m == NULL ||
77
2
	    ctx == NULL) {
78
		ret = -1;
79
		RSAerror(ERR_R_MALLOC_FAILURE);
80
		goto err;
81
	}
82
83
	/* p prime? */
84
2
	r = BN_is_prime_ex(key->p, BN_prime_checks, NULL, NULL);
85
2
	if (r != 1) {
86
		ret = r;
87
		if (r != 0)
88
			goto err;
89
		RSAerror(RSA_R_P_NOT_PRIME);
90
	}
91
92
	/* q prime? */
93
2
	r = BN_is_prime_ex(key->q, BN_prime_checks, NULL, NULL);
94
2
	if (r != 1) {
95
		ret = r;
96
		if (r != 0)
97
			goto err;
98
		RSAerror(RSA_R_Q_NOT_PRIME);
99
	}
100
101
	/* n = p*q? */
102
2
	r = BN_mul(i, key->p, key->q, ctx);
103
2
	if (!r) {
104
		ret = -1;
105
		goto err;
106
	}
107
108
2
	if (BN_cmp(i, key->n) != 0) {
109
		ret = 0;
110
		RSAerror(RSA_R_N_DOES_NOT_EQUAL_P_Q);
111
	}
112
113
	/* d*e = 1  mod lcm(p-1,q-1)? */
114
115
2
	r = BN_sub(i, key->p, BN_value_one());
116
2
	if (!r) {
117
		ret = -1;
118
		goto err;
119
	}
120
2
	r = BN_sub(j, key->q, BN_value_one());
121
2
	if (!r) {
122
		ret = -1;
123
		goto err;
124
	}
125
126
	/* now compute k = lcm(i,j) */
127
2
	r = BN_mul(l, i, j, ctx);
128
2
	if (!r) {
129
		ret = -1;
130
		goto err;
131
	}
132
2
	r = BN_gcd_ct(m, i, j, ctx);
133
2
	if (!r) {
134
		ret = -1;
135
		goto err;
136
	}
137
2
	r = BN_div_ct(k, NULL, l, m, ctx); /* remainder is 0 */
138
2
	if (!r) {
139
		ret = -1;
140
		goto err;
141
	}
142
143
2
	r = BN_mod_mul(i, key->d, key->e, k, ctx);
144
2
	if (!r) {
145
		ret = -1;
146
		goto err;
147
	}
148
149

6
	if (!BN_is_one(i)) {
150
		ret = 0;
151
		RSAerror(RSA_R_D_E_NOT_CONGRUENT_TO_1);
152
	}
153
154

6
	if (key->dmp1 != NULL && key->dmq1 != NULL && key->iqmp != NULL) {
155
		/* dmp1 = d mod (p-1)? */
156
2
		r = BN_sub(i, key->p, BN_value_one());
157
2
		if (!r) {
158
			ret = -1;
159
			goto err;
160
		}
161
162
2
		r = BN_mod_ct(j, key->d, i, ctx);
163
2
		if (!r) {
164
			ret = -1;
165
			goto err;
166
		}
167
168
2
		if (BN_cmp(j, key->dmp1) != 0) {
169
			ret = 0;
170
			RSAerror(RSA_R_DMP1_NOT_CONGRUENT_TO_D);
171
		}
172
173
		/* dmq1 = d mod (q-1)? */
174
2
		r = BN_sub(i, key->q, BN_value_one());
175
2
		if (!r) {
176
			ret = -1;
177
			goto err;
178
		}
179
180
2
		r = BN_mod_ct(j, key->d, i, ctx);
181
2
		if (!r) {
182
			ret = -1;
183
			goto err;
184
		}
185
186
2
		if (BN_cmp(j, key->dmq1) != 0) {
187
			ret = 0;
188
			RSAerror(RSA_R_DMQ1_NOT_CONGRUENT_TO_D);
189
		}
190
191
		/* iqmp = q^-1 mod p? */
192
2
		if (!BN_mod_inverse_ct(i, key->q, key->p, ctx)) {
193
			ret = -1;
194
			goto err;
195
		}
196
197
2
		if (BN_cmp(i, key->iqmp) != 0) {
198
			ret = 0;
199
			RSAerror(RSA_R_IQMP_NOT_INVERSE_OF_Q);
200
		}
201
	}
202
203
err:
204
2
	BN_free(i);
205
2
	BN_free(j);
206
2
	BN_free(k);
207
2
	BN_free(l);
208
2
	BN_free(m);
209
2
	BN_CTX_free(ctx);
210
211
2
	return (ret);
212
2
}