1 /* 2 * Copyright (c) 2017 Thomas Pornin <pornin@bolet.org> 3 * 4 * Permission is hereby granted, free of charge, to any person obtaining 5 * a copy of this software and associated documentation files (the 6 * "Software"), to deal in the Software without restriction, including 7 * without limitation the rights to use, copy, modify, merge, publish, 8 * distribute, sublicense, and/or sell copies of the Software, and to 9 * permit persons to whom the Software is furnished to do so, subject to 10 * the following conditions: 11 * 12 * The above copyright notice and this permission notice shall be 13 * included in all copies or substantial portions of the Software. 14 * 15 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, 16 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF 17 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND 18 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS 19 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN 20 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 21 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 22 * SOFTWARE. 23 */ 24 25 #include "inner.h" 26 27 /* 28 * As a strict minimum, we need four buffers that can hold a 29 * modular integer. 30 */ 31 #define TLEN (4 * (2 + ((BR_MAX_RSA_SIZE + 14) / 15))) 32 33 /* see bearssl_rsa.h */ 34 uint32_t 35 br_rsa_i15_public(unsigned char *x, size_t xlen, 36 const br_rsa_public_key *pk) 37 { 38 const unsigned char *n; 39 size_t nlen; 40 uint16_t tmp[1 + TLEN]; 41 uint16_t *m, *a, *t; 42 size_t fwlen; 43 long z; 44 uint16_t m0i; 45 uint32_t r; 46 47 /* 48 * Get the actual length of the modulus, and see if it fits within 49 * our stack buffer. We also check that the length of x[] is valid. 50 */ 51 n = pk->n; 52 nlen = pk->nlen; 53 while (nlen > 0 && *n == 0) { 54 n ++; 55 nlen --; 56 } 57 if (nlen == 0 || nlen > (BR_MAX_RSA_SIZE >> 3) || xlen != nlen) { 58 return 0; 59 } 60 z = (long)nlen << 3; 61 fwlen = 1; 62 while (z > 0) { 63 z -= 15; 64 fwlen ++; 65 } 66 /* 67 * Round up length to an even number. 68 */ 69 fwlen += (fwlen & 1); 70 71 /* 72 * The modulus gets decoded into m[]. 73 * The value to exponentiate goes into a[]. 74 * The temporaries for modular exponentiations are in t[]. 75 * 76 * We want the first value word of each integer to be aligned 77 * on a 32-bit boundary. 78 */ 79 m = tmp; 80 if (((uintptr_t)m & 2) == 0) { 81 m ++; 82 } 83 a = m + fwlen; 84 t = m + 2 * fwlen; 85 86 /* 87 * Decode the modulus. 88 */ 89 br_i15_decode(m, n, nlen); 90 m0i = br_i15_ninv15(m[1]); 91 92 /* 93 * Note: if m[] is even, then m0i == 0. Otherwise, m0i must be 94 * an odd integer. 95 */ 96 r = m0i & 1; 97 98 /* 99 * Decode x[] into a[]; we also check that its value is proper. 100 */ 101 r &= br_i15_decode_mod(a, x, xlen, m); 102 103 /* 104 * Compute the modular exponentiation. 105 */ 106 br_i15_modpow_opt(a, pk->e, pk->elen, m, m0i, t, TLEN - 2 * fwlen); 107 108 /* 109 * Encode the result. 110 */ 111 br_i15_encode(x, xlen, a); 112 return r; 113 } 114