1/* 2 * Copyright (c) 2017 Thomas Pornin <pornin@bolet.org> 3 * 4 * Permission is hereby granted, free of charge, to any person obtaining 5 * a copy of this software and associated documentation files (the 6 * "Software"), to deal in the Software without restriction, including 7 * without limitation the rights to use, copy, modify, merge, publish, 8 * distribute, sublicense, and/or sell copies of the Software, and to 9 * permit persons to whom the Software is furnished to do so, subject to 10 * the following conditions: 11 * 12 * The above copyright notice and this permission notice shall be 13 * included in all copies or substantial portions of the Software. 14 * 15 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, 16 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF 17 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND 18 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS 19 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN 20 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 21 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 22 * SOFTWARE. 23 */ 24 25#include "inner.h" 26 27#define U (2 + ((BR_MAX_RSA_FACTOR + 14) / 15)) 28#define TLEN (8 * U) 29 30/* see bearssl_rsa.h */ 31uint32_t 32br_rsa_i15_private(unsigned char *x, const br_rsa_private_key *sk) 33{ 34 const unsigned char *p, *q; 35 size_t plen, qlen; 36 size_t fwlen; 37 uint16_t p0i, q0i; 38 size_t xlen, u; 39 uint16_t tmp[1 + TLEN]; 40 long z; 41 uint16_t *mp, *mq, *s1, *s2, *t1, *t2, *t3; 42 uint32_t r; 43 44 /* 45 * Compute the actual lengths of p and q, in bytes. 46 * These lengths are not considered secret (we cannot really hide 47 * them anyway in constant-time code). 48 */ 49 p = sk->p; 50 plen = sk->plen; 51 while (plen > 0 && *p == 0) { 52 p ++; 53 plen --; 54 } 55 q = sk->q; 56 qlen = sk->qlen; 57 while (qlen > 0 && *q == 0) { 58 q ++; 59 qlen --; 60 } 61 62 /* 63 * Compute the maximum factor length, in words. 64 */ 65 z = (long)(plen > qlen ? plen : qlen) << 3; 66 fwlen = 1; 67 while (z > 0) { 68 z -= 15; 69 fwlen ++; 70 } 71 /* 72 * Round up the word length to an even number. 73 */ 74 fwlen += (fwlen & 1); 75 76 /* 77 * We need to fit at least 6 values in the stack buffer. 78 */ 79 if (6 * fwlen > TLEN) { 80 return 0; 81 } 82 83 /* 84 * Compute signature length (in bytes). 85 */ 86 xlen = (sk->n_bitlen + 7) >> 3; 87 88 /* 89 * Ensure 32-bit alignment for value words. 90 */ 91 mq = tmp; 92 if (((uintptr_t)mq & 2) == 0) { 93 mq ++; 94 } 95 96 /* 97 * Decode q. 98 */ 99 br_i15_decode(mq, q, qlen); 100 101 /* 102 * Decode p. 103 */ 104 t1 = mq + fwlen; 105 br_i15_decode(t1, p, plen); 106 107 /* 108 * Compute the modulus (product of the two factors), to compare 109 * it with the source value. We use br_i15_mulacc(), since it's 110 * already used later on. 111 */ 112 t2 = mq + 2 * fwlen; 113 br_i15_zero(t2, mq[0]); 114 br_i15_mulacc(t2, mq, t1); 115 116 /* 117 * We encode the modulus into bytes, to perform the comparison 118 * with bytes. We know that the product length, in bytes, is 119 * exactly xlen. 120 * The comparison actually computes the carry when subtracting 121 * the modulus from the source value; that carry must be 1 for 122 * a value in the correct range. We keep it in r, which is our 123 * accumulator for the error code. 124 */ 125 t3 = mq + 4 * fwlen; 126 br_i15_encode(t3, xlen, t2); 127 u = xlen; 128 r = 0; 129 while (u > 0) { 130 uint32_t wn, wx; 131 132 u --; 133 wn = ((unsigned char *)t3)[u]; 134 wx = x[u]; 135 r = ((wx - (wn + r)) >> 8) & 1; 136 } 137 138 /* 139 * Move the decoded p to another temporary buffer. 140 */ 141 mp = mq + 2 * fwlen; 142 memmove(mp, t1, fwlen * sizeof *t1); 143 144 /* 145 * Compute s2 = x^dq mod q. 146 */ 147 q0i = br_i15_ninv15(mq[1]); 148 s2 = mq + fwlen; 149 br_i15_decode_reduce(s2, x, xlen, mq); 150 r &= br_i15_modpow_opt(s2, sk->dq, sk->dqlen, mq, q0i, 151 mq + 3 * fwlen, TLEN - 3 * fwlen); 152 153 /* 154 * Compute s1 = x^dq mod q. 155 */ 156 p0i = br_i15_ninv15(mp[1]); 157 s1 = mq + 3 * fwlen; 158 br_i15_decode_reduce(s1, x, xlen, mp); 159 r &= br_i15_modpow_opt(s1, sk->dp, sk->dplen, mp, p0i, 160 mq + 4 * fwlen, TLEN - 4 * fwlen); 161 162 /* 163 * Compute: 164 * h = (s1 - s2)*(1/q) mod p 165 * s1 is an integer modulo p, but s2 is modulo q. PKCS#1 is 166 * unclear about whether p may be lower than q (some existing, 167 * widely deployed implementations of RSA don't tolerate p < q), 168 * but we want to support that occurrence, so we need to use the 169 * reduction function. 170 * 171 * Since we use br_i15_decode_reduce() for iq (purportedly, the 172 * inverse of q modulo p), we also tolerate improperly large 173 * values for this parameter. 174 */ 175 t1 = mq + 4 * fwlen; 176 t2 = mq + 5 * fwlen; 177 br_i15_reduce(t2, s2, mp); 178 br_i15_add(s1, mp, br_i15_sub(s1, t2, 1)); 179 br_i15_to_monty(s1, mp); 180 br_i15_decode_reduce(t1, sk->iq, sk->iqlen, mp); 181 br_i15_montymul(t2, s1, t1, mp, p0i); 182 183 /* 184 * h is now in t2. We compute the final result: 185 * s = s2 + q*h 186 * All these operations are non-modular. 187 * 188 * We need mq, s2 and t2. We use the t3 buffer as destination. 189 * The buffers mp, s1 and t1 are no longer needed, so we can 190 * reuse them for t3. Moreover, the first step of the computation 191 * is to copy s2 into t3, after which s2 is not needed. Right 192 * now, mq is in slot 0, s2 is in slot 1, and t2 in slot 5. 193 * Therefore, we have ample room for t3 by simply using s2. 194 */ 195 t3 = s2; 196 br_i15_mulacc(t3, mq, t2); 197 198 /* 199 * Encode the result. Since we already checked the value of xlen, 200 * we can just use it right away. 201 */ 202 br_i15_encode(x, xlen, t3); 203 204 /* 205 * The only error conditions remaining at that point are invalid 206 * values for p and q (even integers). 207 */ 208 return p0i & q0i & r; 209} 210