Stop using RSA_generate_key_ex

ueno · ueno · commit f0d4c10a5c64 · 2023-04-25T12:43:23.000+09:00
This switches _goboringcrypto_RSA_generate_key_fips to using
EVP_PKEY_keygen function instead of RSA_generate_key_ex.

The accessors functions around the RSA * type, such as
RSA_get0_crt_params, are still used, though they are not a
cryptographic operation so this patch leaves it as they are for now.

Signed-off-by: Daiki Ueno &lt;dueno@redhat.com&gt;
diff --git a/openssl/goopenssl.h b/openssl/goopenssl.h
@@ -575,9 +575,6 @@ int _goboringcrypto_ECDSA_verify(EVP_MD *md, const uint8_t *arg1, size_t arg2, c
 
 #include <openssl/rsa.h>
 
-// Note: order of struct fields here is unchecked.
-typedef BN_GENCB GO_BN_GENCB;
-
 int _goboringcrypto_RSA_sign(EVP_MD* md, const uint8_t *msg, unsigned int msgLen, uint8_t *sig, size_t *slen, RSA *rsa);
 int _goboringcrypto_RSA_verify(EVP_MD* md, const uint8_t *msg, unsigned int msgLen, const uint8_t *sig, unsigned int slen, GO_RSA *rsa);
 
@@ -590,9 +587,6 @@ int _goboringcrypto_RSA_verify_raw(EVP_MD *md, const uint8_t *msg, size_t msgLen
 
 DEFINEFUNC(GO_RSA *, RSA_new, (void), ())
 DEFINEFUNC(void, RSA_free, (GO_RSA * arg0), (arg0))
-DEFINEFUNC(int, RSA_generate_key_ex,
-	(GO_RSA * arg0, int arg1, GO_BIGNUM *arg2, GO_BN_GENCB *arg3),
-	(arg0, arg1, arg2, arg3))
 
 DEFINEFUNCINTERNAL(int, RSA_set0_factors,
 	(GO_RSA * rsa, GO_BIGNUM *p, GO_BIGNUM *q),
@@ -740,7 +734,8 @@ _goboringcrypto_RSA_get0_key(const GO_RSA *rsa, const GO_BIGNUM **n, const GO_BI
 #endif
 }
 
-int _goboringcrypto_RSA_generate_key_fips(GO_RSA *, int, GO_BN_GENCB *);
+GO_RSA *_goboringcrypto_RSA_generate_key_fips(int bits);
+
 enum
 {
 	GO_RSA_PKCS1_PADDING = 1,
@@ -759,7 +754,6 @@ int _goboringcrypto_RSA_sign_pss_mgf1(GO_RSA *, unsigned int *out_len, uint8_t *
 int _goboringcrypto_RSA_verify_pss_mgf1(GO_RSA *, const uint8_t *msg, unsigned int msg_len, GO_EVP_MD *md, const GO_EVP_MD *mgf1_md, int salt_len, const uint8_t *sig, unsigned int sig_len);
 
 DEFINEFUNC(unsigned int, RSA_size, (const GO_RSA *arg0), (arg0))
-DEFINEFUNC(int, RSA_check_key, (const GO_RSA *arg0), (arg0))
 
 DEFINEFUNC(int, EVP_EncryptInit_ex,
 	(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, ENGINE *impl, const unsigned char *key, const unsigned char *iv),
@@ -814,6 +808,7 @@ typedef EVP_PKEY GO_EVP_PKEY;
 
 DEFINEFUNC(GO_EVP_PKEY *, EVP_PKEY_new, (void), ())
 DEFINEFUNC(void, EVP_PKEY_free, (GO_EVP_PKEY * arg0), (arg0))
+DEFINEFUNC(GO_RSA *, EVP_PKEY_get1_RSA, (GO_EVP_PKEY * arg0), (arg0))
 DEFINEFUNC(int, EVP_PKEY_set1_RSA, (GO_EVP_PKEY * arg0, GO_RSA *arg1), (arg0, arg1))
 DEFINEFUNC(int, EVP_PKEY_set1_EC_KEY, (GO_EVP_PKEY * arg0, GO_EC_KEY *arg1), (arg0, arg1))
 DEFINEFUNC(int, EVP_PKEY_verify,
@@ -879,6 +874,22 @@ _goboringcrypto_EVP_PKEY_CTX_set_rsa_mgf1_md(GO_EVP_PKEY_CTX * ctx, const GO_EVP
                                 EVP_PKEY_CTRL_RSA_MGF1_MD, 0, (void *)md);
 }
 
+static inline int
+_goboringcrypto_EVP_PKEY_CTX_set_rsa_keygen_bits(GO_EVP_PKEY_CTX *ctx, int mbits) {
+	return _goboringcrypto_EVP_PKEY_CTX_ctrl(ctx, -1,
+		EVP_PKEY_OP_KEYGEN,
+		EVP_PKEY_CTRL_RSA_KEYGEN_BITS,
+		mbits, NULL);
+}
+
+static inline int
+_goboringcrypto_EVP_PKEY_CTX_set_rsa_keygen_pubexp(GO_EVP_PKEY_CTX *ctx, GO_BIGNUM *pubexp) {
+	return _goboringcrypto_EVP_PKEY_CTX_ctrl(ctx, -1,
+		EVP_PKEY_OP_KEYGEN,
+		EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP,
+		0, pubexp);
+}
+
 DEFINEFUNC(int, EVP_PKEY_decrypt,
 		   (GO_EVP_PKEY_CTX * arg0, uint8_t *arg1, size_t *arg2, const uint8_t *arg3, size_t arg4),
 		   (arg0, arg1, arg2, arg3, arg4))
diff --git a/openssl/openssl_port_rsa.c b/openssl/openssl_port_rsa.c
@@ -8,15 +8,42 @@
 #include "goopenssl.h"
 
 // Only in BoringSSL.
-int _goboringcrypto_RSA_generate_key_fips(GO_RSA *rsa, int size,
-                                          GO_BN_GENCB *cb) {
+GO_RSA *_goboringcrypto_RSA_generate_key_fips(int bits) {
+  GO_EVP_PKEY_CTX *ctx = NULL;
+  GO_EVP_PKEY *pkey = NULL;
+  GO_BIGNUM *e = NULL;
+  GO_RSA *ret = NULL;
+
+  ctx = _goboringcrypto_EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL);
+  if (!ctx)
+    return NULL;
+
+  if (_goboringcrypto_EVP_PKEY_keygen_init(ctx) <= 0)
+    goto err;
+
+  if (_goboringcrypto_EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, bits) <= 0)
+    goto err;
+
   // BoringSSL's RSA_generate_key_fips hard-codes e to 65537.
-  BIGNUM *e = _goboringcrypto_BN_new();
-  if (e == NULL)
-    return 0;
-  int ret = _goboringcrypto_BN_set_word(e, RSA_F4) &&
-            _goboringcrypto_RSA_generate_key_ex(rsa, size, e, cb);
+  e = _goboringcrypto_BN_new();
+  if (!e)
+    goto err;
+
+  if (_goboringcrypto_BN_set_word(e, RSA_F4) <= 0)
+    goto err;
+
+  if (_goboringcrypto_EVP_PKEY_CTX_set_rsa_keygen_pubexp(ctx, e) <= 0)
+    goto err;
+
+  if (_goboringcrypto_EVP_PKEY_keygen(ctx, &pkey) <= 0)
+    goto err;
+
+  ret = _goboringcrypto_EVP_PKEY_get1_RSA(pkey);
+
+err:
   _goboringcrypto_BN_free(e);
+  _goboringcrypto_EVP_PKEY_free(pkey);
+  _goboringcrypto_EVP_PKEY_CTX_free(ctx);
   return ret;
 }
 
diff --git a/openssl/rsa.go b/openssl/rsa.go
@@ -23,15 +23,11 @@ func GenerateKeyRSA(bits int) (N, E, D, P, Q, Dp, Dq, Qinv BigInt, err error) {
 		return nil, nil, nil, nil, nil, nil, nil, nil, e
 	}
 
-	key := C._goboringcrypto_RSA_new()
+	key := C._goboringcrypto_RSA_generate_key_fips(C.int(bits))
 	if key == nil {
-		return bad(NewOpenSSLError("RSA_new failed"))
-	}
-	defer C._goboringcrypto_RSA_free(key)
-
-	if C._goboringcrypto_RSA_generate_key_fips(key, C.int(bits), nil) == 0 {
 		return bad(NewOpenSSLError("RSA_generate_key_fips failed"))
 	}
+	defer C._goboringcrypto_RSA_free(key)
 
 	var n, e, d, p, q, dp, dq, qinv *C.GO_BIGNUM
 	C._goboringcrypto_RSA_get0_key(key, &n, &e, &d)
diff --git a/openssl/rsa_test.go b/openssl/rsa_test.go
@@ -139,3 +139,31 @@ func TestPKCS1v15(t *testing.T) {
 		}
 	}
 }
+
+func TestKeyGeneration(t *testing.T) {
+	for _, size := range []int{128, 1024, 2048, 3072} {
+		n, e, _, _, _, _, _, _, err := openssl.GenerateKeyRSA(size)
+		if size < 1024 {
+			if err == nil {
+				t.Errorf("GenerateKeyRSA(%d): unexpectedly succeeded", size)
+			}
+			continue
+		} else {
+			if err != nil {
+				t.Errorf("GenerateKeyRSA(%d): %v", size, err)
+			}
+		}
+
+		if bbig.Dec(n).BitLen() != size {
+			t.Errorf("GenerateKeyRSA(%d): bit size doesn't match: %v",
+				size, bbig.Dec(n).BitLen())
+		}
+
+		// BoringSSL's RSA_generate_key_fips hard-codes e to 65537.
+		f4 := big.NewInt(65537)
+		if bbig.Dec(e).Cmp(f4) != 0 {
+			t.Errorf("GenerateKeyRSA(%d): pubexp doesn't match: %v != %v",
+				size, bbig.Dec(e), f4)
+		}
+	}
+}
