1 /*
2 * Copyright (c) 2017 Thomas Pornin <pornin@bolet.org>
3 *
4 * Permission is hereby granted, free of charge, to any person obtaining
5 * a copy of this software and associated documentation files (the
6 * "Software"), to deal in the Software without restriction, including
7 * without limitation the rights to use, copy, modify, merge, publish,
8 * distribute, sublicense, and/or sell copies of the Software, and to
9 * permit persons to whom the Software is furnished to do so, subject to
10 * the following conditions:
11 *
12 * The above copyright notice and this permission notice shall be
13 * included in all copies or substantial portions of the Software.
14 *
15 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
16 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
17 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
18 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
19 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
20 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
21 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
22 * SOFTWARE.
23 */
24
25 #include "inner.h"
26
27 #define U (2 + ((BR_MAX_RSA_FACTOR + 14) / 15))
28 #define TLEN (8 * U)
29
30 /* see bearssl_rsa.h */
31 uint32_t
br_rsa_i15_private(unsigned char * x,const br_rsa_private_key * sk)32 br_rsa_i15_private(unsigned char *x, const br_rsa_private_key *sk)
33 {
34 const unsigned char *p, *q;
35 size_t plen, qlen;
36 size_t fwlen;
37 uint16_t p0i, q0i;
38 size_t xlen, u;
39 uint16_t tmp[1 + TLEN];
40 long z;
41 uint16_t *mp, *mq, *s1, *s2, *t1, *t2, *t3;
42 uint32_t r;
43
44 /*
45 * Compute the actual lengths of p and q, in bytes.
46 * These lengths are not considered secret (we cannot really hide
47 * them anyway in constant-time code).
48 */
49 p = sk->p;
50 plen = sk->plen;
51 while (plen > 0 && *p == 0) {
52 p ++;
53 plen --;
54 }
55 q = sk->q;
56 qlen = sk->qlen;
57 while (qlen > 0 && *q == 0) {
58 q ++;
59 qlen --;
60 }
61
62 /*
63 * Compute the maximum factor length, in words.
64 */
65 z = (long)(plen > qlen ? plen : qlen) << 3;
66 fwlen = 1;
67 while (z > 0) {
68 z -= 15;
69 fwlen ++;
70 }
71 /*
72 * Round up the word length to an even number.
73 */
74 fwlen += (fwlen & 1);
75
76 /*
77 * We need to fit at least 6 values in the stack buffer.
78 */
79 if (6 * fwlen > TLEN) {
80 return 0;
81 }
82
83 /*
84 * Compute signature length (in bytes).
85 */
86 xlen = (sk->n_bitlen + 7) >> 3;
87
88 /*
89 * Ensure 32-bit alignment for value words.
90 */
91 mq = tmp;
92 if (((uintptr_t)mq & 2) == 0) {
93 mq ++;
94 }
95
96 /*
97 * Decode q.
98 */
99 br_i15_decode(mq, q, qlen);
100
101 /*
102 * Decode p.
103 */
104 t1 = mq + fwlen;
105 br_i15_decode(t1, p, plen);
106
107 /*
108 * Compute the modulus (product of the two factors), to compare
109 * it with the source value. We use br_i15_mulacc(), since it's
110 * already used later on.
111 */
112 t2 = mq + 2 * fwlen;
113 br_i15_zero(t2, mq[0]);
114 br_i15_mulacc(t2, mq, t1);
115
116 /*
117 * We encode the modulus into bytes, to perform the comparison
118 * with bytes. We know that the product length, in bytes, is
119 * exactly xlen.
120 * The comparison actually computes the carry when subtracting
121 * the modulus from the source value; that carry must be 1 for
122 * a value in the correct range. We keep it in r, which is our
123 * accumulator for the error code.
124 */
125 t3 = mq + 4 * fwlen;
126 br_i15_encode(t3, xlen, t2);
127 u = xlen;
128 r = 0;
129 while (u > 0) {
130 uint32_t wn, wx;
131
132 u --;
133 wn = ((unsigned char *)t3)[u];
134 wx = x[u];
135 r = ((wx - (wn + r)) >> 8) & 1;
136 }
137
138 /*
139 * Move the decoded p to another temporary buffer.
140 */
141 mp = mq + 2 * fwlen;
142 memmove(mp, t1, fwlen * sizeof *t1);
143
144 /*
145 * Compute s2 = x^dq mod q.
146 */
147 q0i = br_i15_ninv15(mq[1]);
148 s2 = mq + fwlen;
149 br_i15_decode_reduce(s2, x, xlen, mq);
150 r &= br_i15_modpow_opt(s2, sk->dq, sk->dqlen, mq, q0i,
151 mq + 3 * fwlen, TLEN - 3 * fwlen);
152
153 /*
154 * Compute s1 = x^dq mod q.
155 */
156 p0i = br_i15_ninv15(mp[1]);
157 s1 = mq + 3 * fwlen;
158 br_i15_decode_reduce(s1, x, xlen, mp);
159 r &= br_i15_modpow_opt(s1, sk->dp, sk->dplen, mp, p0i,
160 mq + 4 * fwlen, TLEN - 4 * fwlen);
161
162 /*
163 * Compute:
164 * h = (s1 - s2)*(1/q) mod p
165 * s1 is an integer modulo p, but s2 is modulo q. PKCS#1 is
166 * unclear about whether p may be lower than q (some existing,
167 * widely deployed implementations of RSA don't tolerate p < q),
168 * but we want to support that occurrence, so we need to use the
169 * reduction function.
170 *
171 * Since we use br_i15_decode_reduce() for iq (purportedly, the
172 * inverse of q modulo p), we also tolerate improperly large
173 * values for this parameter.
174 */
175 t1 = mq + 4 * fwlen;
176 t2 = mq + 5 * fwlen;
177 br_i15_reduce(t2, s2, mp);
178 br_i15_add(s1, mp, br_i15_sub(s1, t2, 1));
179 br_i15_to_monty(s1, mp);
180 br_i15_decode_reduce(t1, sk->iq, sk->iqlen, mp);
181 br_i15_montymul(t2, s1, t1, mp, p0i);
182
183 /*
184 * h is now in t2. We compute the final result:
185 * s = s2 + q*h
186 * All these operations are non-modular.
187 *
188 * We need mq, s2 and t2. We use the t3 buffer as destination.
189 * The buffers mp, s1 and t1 are no longer needed, so we can
190 * reuse them for t3. Moreover, the first step of the computation
191 * is to copy s2 into t3, after which s2 is not needed. Right
192 * now, mq is in slot 0, s2 is in slot 1, and t2 in slot 5.
193 * Therefore, we have ample room for t3 by simply using s2.
194 */
195 t3 = s2;
196 br_i15_mulacc(t3, mq, t2);
197
198 /*
199 * Encode the result. Since we already checked the value of xlen,
200 * we can just use it right away.
201 */
202 br_i15_encode(x, xlen, t3);
203
204 /*
205 * The only error conditions remaining at that point are invalid
206 * values for p and q (even integers).
207 */
208 return p0i & q0i & r;
209 }
210