Stop using RSA_generate_key_ex

This switches _goboringcrypto_RSA_generate_key_fips to using
EVP_PKEY_keygen function instead of RSA_generate_key_ex.

The accessors functions around the RSA * type, such as
RSA_get0_crt_params, are still used, though they are not a
cryptographic operation so this patch leaves it as they are for now.

Signed-off-by: Daiki Ueno <[email protected]>

Author: ueno

openssl/goopenssl.h

@@ -585,9 +585,6 @@ int _goboringcrypto_EVP_RSA_verify(EVP_MD* md, const uint8_t *msg, unsigned int
 
 DEFINEFUNC(GO_RSA *, RSA_new, (void), ())
 DEFINEFUNC(void, RSA_free, (GO_RSA * arg0), (arg0))
-DEFINEFUNC(int, RSA_generate_key_ex,
-	(GO_RSA * arg0, int arg1, GO_BIGNUM *arg2, GO_BN_GENCB *arg3),
-	(arg0, arg1, arg2, arg3))
 
 DEFINEFUNCINTERNAL(int, RSA_set0_factors,
 	(GO_RSA * rsa, GO_BIGNUM *p, GO_BIGNUM *q),
@@ -735,7 +732,8 @@ _goboringcrypto_RSA_get0_key(const GO_RSA *rsa, const GO_BIGNUM **n, const GO_BI
 #endif
 }
 
-int _goboringcrypto_RSA_generate_key_fips(GO_RSA *, int, GO_BN_GENCB *);
+GO_RSA *_goboringcrypto_RSA_generate_key_fips(int bits);
+
 enum
 {
 	GO_RSA_PKCS1_PADDING = 1,
@@ -804,6 +802,7 @@ typedef EVP_PKEY GO_EVP_PKEY;
 
 DEFINEFUNC(GO_EVP_PKEY *, EVP_PKEY_new, (void), ())
 DEFINEFUNC(void, EVP_PKEY_free, (GO_EVP_PKEY * arg0), (arg0))
+DEFINEFUNC(GO_RSA *, EVP_PKEY_get1_RSA, (GO_EVP_PKEY * arg0), (arg0))
 DEFINEFUNC(int, EVP_PKEY_set1_RSA, (GO_EVP_PKEY * arg0, GO_RSA *arg1), (arg0, arg1))
 DEFINEFUNC(int, EVP_PKEY_set1_EC_KEY, (GO_EVP_PKEY * arg0, GO_EC_KEY *arg1), (arg0, arg1))
 DEFINEFUNC(int, EVP_PKEY_verify,
@@ -869,6 +868,22 @@ _goboringcrypto_EVP_PKEY_CTX_set_rsa_mgf1_md(GO_EVP_PKEY_CTX * ctx, const GO_EVP
                                 EVP_PKEY_CTRL_RSA_MGF1_MD, 0, (void *)md);
 }
 
+static inline int
+_goboringcrypto_EVP_PKEY_CTX_set_rsa_keygen_bits(GO_EVP_PKEY_CTX *ctx, int mbits) {
+	return _goboringcrypto_EVP_PKEY_CTX_ctrl(ctx, -1,
+		EVP_PKEY_OP_KEYGEN,
+		EVP_PKEY_CTRL_RSA_KEYGEN_BITS,
+		mbits, NULL);
+}
+
+static inline int
+_goboringcrypto_EVP_PKEY_CTX_set_rsa_keygen_pubexp(GO_EVP_PKEY_CTX *ctx, GO_BIGNUM *pubexp) {
+	return _goboringcrypto_EVP_PKEY_CTX_ctrl(ctx, -1,
+		EVP_PKEY_OP_KEYGEN,
+		EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP,
+		0, pubexp);
+}
+
 DEFINEFUNC(int, EVP_PKEY_decrypt,
 		   (GO_EVP_PKEY_CTX * arg0, uint8_t *arg1, size_t *arg2, const uint8_t *arg3, size_t arg4),
 		   (arg0, arg1, arg2, arg3, arg4))

openssl/openssl_port_rsa.c

@@ -8,15 +8,42 @@
 #include "goopenssl.h"
 
 // Only in BoringSSL.
-int _goboringcrypto_RSA_generate_key_fips(GO_RSA *rsa, int size,
-                                          GO_BN_GENCB *cb) {
+GO_RSA *_goboringcrypto_RSA_generate_key_fips(int bits) {
+  GO_EVP_PKEY_CTX *ctx = NULL;
+  GO_EVP_PKEY *pkey = NULL;
+  GO_BIGNUM *e = NULL;
+  GO_RSA *ret = NULL;
+
+  ctx = _goboringcrypto_EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL);
+  if (!ctx)
+    return NULL;
+
+  if (_goboringcrypto_EVP_PKEY_keygen_init(ctx) <= 0)
+    goto err;
+
+  if (_goboringcrypto_EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, bits) <= 0)
+    goto err;
+
   // BoringSSL's RSA_generate_key_fips hard-codes e to 65537.
-  BIGNUM *e = _goboringcrypto_BN_new();
-  if (e == NULL)
-    return 0;
-  int ret = _goboringcrypto_BN_set_word(e, RSA_F4) &&
-            _goboringcrypto_RSA_generate_key_ex(rsa, size, e, cb);
+  e = _goboringcrypto_BN_new();
+  if (!e)
+    goto err;
+
+  if (_goboringcrypto_BN_set_word(e, RSA_F4) <= 0)
+    goto err;
+
+  if (_goboringcrypto_EVP_PKEY_CTX_set_rsa_keygen_pubexp(ctx, e) <= 0)
+    goto err;
+
+  if (_goboringcrypto_EVP_PKEY_keygen(ctx, &pkey) <= 0)
+    goto err;
+
+  ret = _goboringcrypto_EVP_PKEY_get1_RSA(pkey);
+
+err:
   _goboringcrypto_BN_free(e);
+  _goboringcrypto_EVP_PKEY_free(pkey);
+  _goboringcrypto_EVP_PKEY_CTX_free(ctx);
   return ret;
 }
 

openssl/rsa.go

@@ -23,15 +23,11 @@ func GenerateKeyRSA(bits int) (N, E, D, P, Q, Dp, Dq, Qinv BigInt, err error) {
 		return nil, nil, nil, nil, nil, nil, nil, nil, e
 	}
 
-	key := C._goboringcrypto_RSA_new()
+	key := C._goboringcrypto_RSA_generate_key_fips(C.int(bits))
 	if key == nil {
-		return bad(NewOpenSSLError("RSA_new failed"))
-	}
-	defer C._goboringcrypto_RSA_free(key)
-
-	if C._goboringcrypto_RSA_generate_key_fips(key, C.int(bits), nil) == 0 {
 		return bad(NewOpenSSLError("RSA_generate_key_fips failed"))
 	}
+	defer C._goboringcrypto_RSA_free(key)
 
 	var n, e, d, p, q, dp, dq, qinv *C.GO_BIGNUM
 	C._goboringcrypto_RSA_get0_key(key, &n, &e, &d)

openssl/rsa_test.go

@@ -139,3 +139,31 @@ func TestPKCS1v15(t *testing.T) {
 		}
 	}
 }
+
+func TestKeyGeneration(t *testing.T) {
+	for _, size := range []int{128, 1024, 2048, 3072} {
+		n, e, _, _, _, _, _, _, err := openssl.GenerateKeyRSA(size)
+		if size < 1024 {
+			if err == nil {
+				t.Errorf("GenerateKeyRSA(%d): unexpectedly succeeded", size)
+			}
+			continue
+		} else {
+			if err != nil {
+				t.Errorf("GenerateKeyRSA(%d): %v", size, err)
+			}
+		}
+
+		if bbig.Dec(n).BitLen() != size {
+			t.Errorf("GenerateKeyRSA(%d): bit size doesn't match: %v",
+				size, bbig.Dec(n).BitLen())
+		}
+
+		// BoringSSL's RSA_generate_key_fips hard-codes e to 65537.
+		f4 := big.NewInt(65537)
+		if bbig.Dec(e).Cmp(f4) != 0 {
+			t.Errorf("GenerateKeyRSA(%d): pubexp doesn't match: %v != %v",
+				size, bbig.Dec(e), f4)
+		}
+	}
+}