_ Git - BearSSL/blob - src/rsa/rsa_i15_priv.c

   1 /*
   2  * Copyright (c) 2017 Thomas Pornin <pornin@bolet.org>
   3  *
   4  * Permission is hereby granted, free of charge, to any person obtaining
   5  * a copy of this software and associated documentation files (the
   6  * "Software"), to deal in the Software without restriction, including
   7  * without limitation the rights to use, copy, modify, merge, publish,
   8  * distribute, sublicense, and/or sell copies of the Software, and to
   9  * permit persons to whom the Software is furnished to do so, subject to
  10  * the following conditions:
  11  *
  12  * The above copyright notice and this permission notice shall be
  13  * included in all copies or substantial portions of the Software.
  14  *
  15  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
  16  * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
  17  * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
  18  * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
  19  * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
  20  * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
  21  * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
  22  * SOFTWARE.
  23  */
  24
  25 #include "inner.h"
  26
  27 #define U      (2 + ((BR_MAX_RSA_FACTOR + 14) / 15))
  28 #define TLEN   (8 * U)
  29
  30 /* see bearssl_rsa.h */
  31 uint32_t
  32 br_rsa_i15_private(unsigned char *x, const br_rsa_private_key *sk)
  33 {
  34         const unsigned char *p, *q;
  35         size_t plen, qlen;
  36         size_t fwlen;
  37         uint16_t p0i, q0i;
  38         size_t xlen, u;
  39         uint16_t tmp[1 + TLEN];
  40         long z;
  41         uint16_t *mp, *mq, *s1, *s2, *t1, *t2, *t3;
  42         uint32_t r;
  43
  44         /*
  45          * Compute the actual lengths of p and q, in bytes.
  46          * These lengths are not considered secret (we cannot really hide
  47          * them anyway in constant-time code).
  48          */
  49         p = sk->p;
  50         plen = sk->plen;
  51         while (plen > 0 && *p == 0) {
  52                 p ++;
  53                 plen --;
  54         }
  55         q = sk->q;
  56         qlen = sk->qlen;
  57         while (qlen > 0 && *q == 0) {
  58                 q ++;
  59                 qlen --;
  60         }
  61
  62         /*
  63          * Compute the maximum factor length, in words.
  64          */
  65         z = (long)(plen > qlen ? plen : qlen) << 3;
  66         fwlen = 1;
  67         while (z > 0) {
  68                 z -= 15;
  69                 fwlen ++;
  70         }
  71         /*
  72          * Round up the word length to an even number.
  73          */
  74         fwlen += (fwlen & 1);
  75
  76         /*
  77          * We need to fit at least 6 values in the stack buffer.
  78          */
  79         if (6 * fwlen > TLEN) {
  80                 return 0;
  81         }
  82
  83         /*
  84          * Compute signature length (in bytes).
  85          */
  86         xlen = (sk->n_bitlen + 7) >> 3;
  87
  88         /*
  89          * Ensure 32-bit alignment for value words.
  90          */
  91         mq = tmp;
  92         if (((uintptr_t)mq & 2) == 0) {
  93                 mq ++;
  94         }
  95
  96         /*
  97          * Decode q.
  98          */
  99         br_i15_decode(mq, q, qlen);
 100
 101         /*
 102          * Decode p.
 103          */
 104         t1 = mq + fwlen;
 105         br_i15_decode(t1, p, plen);
 106
 107         /*
 108          * Compute the modulus (product of the two factors), to compare
 109          * it with the source value. We use br_i15_mulacc(), since it's
 110          * already used later on.
 111          */
 112         t2 = mq + 2 * fwlen;
 113         br_i15_zero(t2, mq[0]);
 114         br_i15_mulacc(t2, mq, t1);
 115
 116         /*
 117          * We encode the modulus into bytes, to perform the comparison
 118          * with bytes. We know that the product length, in bytes, is
 119          * exactly xlen.
 120          * The comparison actually computes the carry when subtracting
 121          * the modulus from the source value; that carry must be 1 for
 122          * a value in the correct range. We keep it in r, which is our
 123          * accumulator for the error code.
 124          */
 125         t3 = mq + 4 * fwlen;
 126         br_i15_encode(t3, xlen, t2);
 127         u = xlen;
 128         r = 0;
 129         while (u > 0) {
 130                 uint32_t wn, wx;
 131
 132                 u --;
 133                 wn = ((unsigned char *)t3)[u];
 134                 wx = x[u];
 135                 r = ((wx - (wn + r)) >> 8) & 1;
 136         }
 137
 138         /*
 139          * Move the decoded p to another temporary buffer.
 140          */
 141         mp = mq + 2 * fwlen;
 142         memmove(mp, t1, fwlen * sizeof *t1);
 143
 144         /*
 145          * Compute s2 = x^dq mod q.
 146          */
 147         q0i = br_i15_ninv15(mq[1]);
 148         s2 = mq + fwlen;
 149         br_i15_decode_reduce(s2, x, xlen, mq);
 150         r &= br_i15_modpow_opt(s2, sk->dq, sk->dqlen, mq, q0i,
 151                 mq + 3 * fwlen, TLEN - 3 * fwlen);
 152
 153         /*
 154          * Compute s1 = x^dq mod q.
 155          */
 156         p0i = br_i15_ninv15(mp[1]);
 157         s1 = mq + 3 * fwlen;
 158         br_i15_decode_reduce(s1, x, xlen, mp);
 159         r &= br_i15_modpow_opt(s1, sk->dp, sk->dplen, mp, p0i,
 160                 mq + 4 * fwlen, TLEN - 4 * fwlen);
 161
 162         /*
 163          * Compute:
 164          *   h = (s1 - s2)*(1/q) mod p
 165          * s1 is an integer modulo p, but s2 is modulo q. PKCS#1 is
 166          * unclear about whether p may be lower than q (some existing,
 167          * widely deployed implementations of RSA don't tolerate p < q),
 168          * but we want to support that occurrence, so we need to use the
 169          * reduction function.
 170          *
 171          * Since we use br_i15_decode_reduce() for iq (purportedly, the
 172          * inverse of q modulo p), we also tolerate improperly large
 173          * values for this parameter.
 174          */
 175         t1 = mq + 4 * fwlen;
 176         t2 = mq + 5 * fwlen;
 177         br_i15_reduce(t2, s2, mp);
 178         br_i15_add(s1, mp, br_i15_sub(s1, t2, 1));
 179         br_i15_to_monty(s1, mp);
 180         br_i15_decode_reduce(t1, sk->iq, sk->iqlen, mp);
 181         br_i15_montymul(t2, s1, t1, mp, p0i);
 182
 183         /*
 184          * h is now in t2. We compute the final result:
 185          *   s = s2 + q*h
 186          * All these operations are non-modular.
 187          *
 188          * We need mq, s2 and t2. We use the t3 buffer as destination.
 189          * The buffers mp, s1 and t1 are no longer needed, so we can
 190          * reuse them for t3. Moreover, the first step of the computation
 191          * is to copy s2 into t3, after which s2 is not needed. Right
 192          * now, mq is in slot 0, s2 is in slot 1, and t2 in slot 5.
 193          * Therefore, we have ample room for t3 by simply using s2.
 194          */
 195         t3 = s2;
 196         br_i15_mulacc(t3, mq, t2);
 197
 198         /*
 199          * Encode the result. Since we already checked the value of xlen,
 200          * we can just use it right away.
 201          */
 202         br_i15_encode(x, xlen, t3);
 203
 204         /*
 205          * The only error conditions remaining at that point are invalid
 206          * values for p and q (even integers).
 207          */
 208         return p0i & q0i & r;
 209 }