1 /*
2 * Copyright (c) 2016 Thomas Pornin <pornin@bolet.org>
3 *
4 * Permission is hereby granted, free of charge, to any person obtaining
5 * a copy of this software and associated documentation files (the
6 * "Software"), to deal in the Software without restriction, including
7 * without limitation the rights to use, copy, modify, merge, publish,
8 * distribute, sublicense, and/or sell copies of the Software, and to
9 * permit persons to whom the Software is furnished to do so, subject to
10 * the following conditions:
11 *
12 * The above copyright notice and this permission notice shall be
13 * included in all copies or substantial portions of the Software.
14 *
15 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
16 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
17 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
18 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
19 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
20 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
21 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
22 * SOFTWARE.
23 */
24
25 #include "inner.h"
26
27 #define U (2 + ((BR_MAX_RSA_FACTOR + 30) / 31))
28 #define TLEN (8 * U)
29
30 /* see bearssl_rsa.h */
31 uint32_t
br_rsa_i31_private(unsigned char * x,const br_rsa_private_key * sk)32 br_rsa_i31_private(unsigned char *x, const br_rsa_private_key *sk)
33 {
34 const unsigned char *p, *q;
35 size_t plen, qlen;
36 size_t fwlen;
37 uint32_t p0i, q0i;
38 size_t xlen, u;
39 uint32_t tmp[1 + TLEN];
40 long z;
41 uint32_t *mp, *mq, *s1, *s2, *t1, *t2, *t3;
42 uint32_t r;
43
44 /*
45 * Compute the actual lengths of p and q, in bytes.
46 * These lengths are not considered secret (we cannot really hide
47 * them anyway in constant-time code).
48 */
49 p = sk->p;
50 plen = sk->plen;
51 while (plen > 0 && *p == 0) {
52 p ++;
53 plen --;
54 }
55 q = sk->q;
56 qlen = sk->qlen;
57 while (qlen > 0 && *q == 0) {
58 q ++;
59 qlen --;
60 }
61
62 /*
63 * Compute the maximum factor length, in words.
64 */
65 z = (long)(plen > qlen ? plen : qlen) << 3;
66 fwlen = 1;
67 while (z > 0) {
68 z -= 31;
69 fwlen ++;
70 }
71
72 /*
73 * Round up the word length to an even number.
74 */
75 fwlen += (fwlen & 1);
76
77 /*
78 * We need to fit at least 6 values in the stack buffer.
79 */
80 if (6 * fwlen > TLEN) {
81 return 0;
82 }
83
84 /*
85 * Compute modulus length (in bytes).
86 */
87 xlen = (sk->n_bitlen + 7) >> 3;
88
89 /*
90 * Decode q.
91 */
92 mq = tmp;
93 br_i31_decode(mq, q, qlen);
94
95 /*
96 * Decode p.
97 */
98 t1 = mq + fwlen;
99 br_i31_decode(t1, p, plen);
100
101 /*
102 * Compute the modulus (product of the two factors), to compare
103 * it with the source value. We use br_i31_mulacc(), since it's
104 * already used later on.
105 */
106 t2 = mq + 2 * fwlen;
107 br_i31_zero(t2, mq[0]);
108 br_i31_mulacc(t2, mq, t1);
109
110 /*
111 * We encode the modulus into bytes, to perform the comparison
112 * with bytes. We know that the product length, in bytes, is
113 * exactly xlen.
114 * The comparison actually computes the carry when subtracting
115 * the modulus from the source value; that carry must be 1 for
116 * a value in the correct range. We keep it in r, which is our
117 * accumulator for the error code.
118 */
119 t3 = mq + 4 * fwlen;
120 br_i31_encode(t3, xlen, t2);
121 u = xlen;
122 r = 0;
123 while (u > 0) {
124 uint32_t wn, wx;
125
126 u --;
127 wn = ((unsigned char *)t3)[u];
128 wx = x[u];
129 r = ((wx - (wn + r)) >> 8) & 1;
130 }
131
132 /*
133 * Move the decoded p to another temporary buffer.
134 */
135 mp = mq + 2 * fwlen;
136 memmove(mp, t1, fwlen * sizeof *t1);
137
138 /*
139 * Compute s2 = x^dq mod q.
140 */
141 q0i = br_i31_ninv31(mq[1]);
142 s2 = mq + fwlen;
143 br_i31_decode_reduce(s2, x, xlen, mq);
144 r &= br_i31_modpow_opt(s2, sk->dq, sk->dqlen, mq, q0i,
145 mq + 3 * fwlen, TLEN - 3 * fwlen);
146
147 /*
148 * Compute s1 = x^dp mod p.
149 */
150 p0i = br_i31_ninv31(mp[1]);
151 s1 = mq + 3 * fwlen;
152 br_i31_decode_reduce(s1, x, xlen, mp);
153 r &= br_i31_modpow_opt(s1, sk->dp, sk->dplen, mp, p0i,
154 mq + 4 * fwlen, TLEN - 4 * fwlen);
155
156 /*
157 * Compute:
158 * h = (s1 - s2)*(1/q) mod p
159 * s1 is an integer modulo p, but s2 is modulo q. PKCS#1 is
160 * unclear about whether p may be lower than q (some existing,
161 * widely deployed implementations of RSA don't tolerate p < q),
162 * but we want to support that occurrence, so we need to use the
163 * reduction function.
164 *
165 * Since we use br_i31_decode_reduce() for iq (purportedly, the
166 * inverse of q modulo p), we also tolerate improperly large
167 * values for this parameter.
168 */
169 t1 = mq + 4 * fwlen;
170 t2 = mq + 5 * fwlen;
171 br_i31_reduce(t2, s2, mp);
172 br_i31_add(s1, mp, br_i31_sub(s1, t2, 1));
173 br_i31_to_monty(s1, mp);
174 br_i31_decode_reduce(t1, sk->iq, sk->iqlen, mp);
175 br_i31_montymul(t2, s1, t1, mp, p0i);
176
177 /*
178 * h is now in t2. We compute the final result:
179 * s = s2 + q*h
180 * All these operations are non-modular.
181 *
182 * We need mq, s2 and t2. We use the t3 buffer as destination.
183 * The buffers mp, s1 and t1 are no longer needed, so we can
184 * reuse them for t3. Moreover, the first step of the computation
185 * is to copy s2 into t3, after which s2 is not needed. Right
186 * now, mq is in slot 0, s2 is in slot 1, and t2 is in slot 5.
187 * Therefore, we have ample room for t3 by simply using s2.
188 */
189 t3 = s2;
190 br_i31_mulacc(t3, mq, t2);
191
192 /*
193 * Encode the result. Since we already checked the value of xlen,
194 * we can just use it right away.
195 */
196 br_i31_encode(x, xlen, t3);
197
198 /*
199 * The only error conditions remaining at that point are invalid
200 * values for p and q (even integers).
201 */
202 return p0i & q0i & r;
203 }
204