ae5c8664e5
Reviewed-by: Tim Hudson <tjh@openssl.org>
701 lines
20 KiB
C
701 lines
20 KiB
C
/* crypto/engine/eng_rsax.c */
|
|
/* Copyright (c) 2010-2010 Intel Corp.
|
|
* Author: Vinodh.Gopal@intel.com
|
|
* Jim Guilford
|
|
* Erdinc.Ozturk@intel.com
|
|
* Maxim.Perminov@intel.com
|
|
* Ying.Huang@intel.com
|
|
*
|
|
* More information about algorithm used can be found at:
|
|
* http://www.cse.buffalo.edu/srds2009/escs2009_submission_Gopal.pdf
|
|
*/
|
|
/* ====================================================================
|
|
* Copyright (c) 1999-2001 The OpenSSL Project. All rights reserved.
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without
|
|
* modification, are permitted provided that the following conditions
|
|
* are met:
|
|
*
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
* notice, this list of conditions and the following disclaimer.
|
|
*
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
* notice, this list of conditions and the following disclaimer in
|
|
* the documentation and/or other materials provided with the
|
|
* distribution.
|
|
*
|
|
* 3. All advertising materials mentioning features or use of this
|
|
* software must display the following acknowledgment:
|
|
* "This product includes software developed by the OpenSSL Project
|
|
* for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
|
|
*
|
|
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
|
|
* endorse or promote products derived from this software without
|
|
* prior written permission. For written permission, please contact
|
|
* licensing@OpenSSL.org.
|
|
*
|
|
* 5. Products derived from this software may not be called "OpenSSL"
|
|
* nor may "OpenSSL" appear in their names without prior written
|
|
* permission of the OpenSSL Project.
|
|
*
|
|
* 6. Redistributions of any form whatsoever must retain the following
|
|
* acknowledgment:
|
|
* "This product includes software developed by the OpenSSL Project
|
|
* for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
|
|
*
|
|
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
|
|
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
|
|
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
|
|
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
|
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
|
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
|
|
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
|
|
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
|
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
|
|
* OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
* ====================================================================
|
|
*
|
|
* This product includes cryptographic software written by Eric Young
|
|
* (eay@cryptsoft.com). This product includes software written by Tim
|
|
* Hudson (tjh@cryptsoft.com).
|
|
*/
|
|
|
|
#include <openssl/opensslconf.h>
|
|
|
|
#include <stdio.h>
|
|
#include <string.h>
|
|
#include <openssl/crypto.h>
|
|
#include <openssl/buffer.h>
|
|
#include <openssl/engine.h>
|
|
#ifndef OPENSSL_NO_RSA
|
|
# include <openssl/rsa.h>
|
|
#endif
|
|
#include <openssl/bn.h>
|
|
#include <openssl/err.h>
|
|
|
|
/* RSAX is available **ONLY* on x86_64 CPUs */
|
|
#undef COMPILE_RSAX
|
|
|
|
#if (defined(__x86_64) || defined(__x86_64__) || \
|
|
defined(_M_AMD64) || defined (_M_X64)) && !defined(OPENSSL_NO_ASM)
|
|
# define COMPILE_RSAX
|
|
static ENGINE *ENGINE_rsax(void);
|
|
#endif
|
|
|
|
void ENGINE_load_rsax(void)
|
|
{
|
|
/* On non-x86 CPUs it just returns. */
|
|
#ifdef COMPILE_RSAX
|
|
ENGINE *toadd = ENGINE_rsax();
|
|
if (!toadd)
|
|
return;
|
|
ENGINE_add(toadd);
|
|
ENGINE_free(toadd);
|
|
ERR_clear_error();
|
|
#endif
|
|
}
|
|
|
|
#ifdef COMPILE_RSAX
|
|
# define E_RSAX_LIB_NAME "rsax engine"
|
|
|
|
static int e_rsax_destroy(ENGINE *e);
|
|
static int e_rsax_init(ENGINE *e);
|
|
static int e_rsax_finish(ENGINE *e);
|
|
static int e_rsax_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f) (void));
|
|
|
|
# ifndef OPENSSL_NO_RSA
|
|
/* RSA stuff */
|
|
static int e_rsax_rsa_mod_exp(BIGNUM *r, const BIGNUM *I, RSA *rsa,
|
|
BN_CTX *ctx);
|
|
static int e_rsax_rsa_finish(RSA *r);
|
|
# endif
|
|
|
|
static const ENGINE_CMD_DEFN e_rsax_cmd_defns[] = {
|
|
{0, NULL, NULL, 0}
|
|
};
|
|
|
|
# ifndef OPENSSL_NO_RSA
|
|
/* Our internal RSA_METHOD that we provide pointers to */
|
|
static RSA_METHOD e_rsax_rsa = {
|
|
"Intel RSA-X method",
|
|
NULL,
|
|
NULL,
|
|
NULL,
|
|
NULL,
|
|
e_rsax_rsa_mod_exp,
|
|
NULL,
|
|
NULL,
|
|
e_rsax_rsa_finish,
|
|
RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE,
|
|
NULL,
|
|
NULL,
|
|
NULL
|
|
};
|
|
# endif
|
|
|
|
/* Constants used when creating the ENGINE */
|
|
static const char *engine_e_rsax_id = "rsax";
|
|
static const char *engine_e_rsax_name = "RSAX engine support";
|
|
|
|
/* This internal function is used by ENGINE_rsax() */
|
|
static int bind_helper(ENGINE *e)
|
|
{
|
|
# ifndef OPENSSL_NO_RSA
|
|
const RSA_METHOD *meth1;
|
|
# endif
|
|
if (!ENGINE_set_id(e, engine_e_rsax_id) ||
|
|
!ENGINE_set_name(e, engine_e_rsax_name) ||
|
|
# ifndef OPENSSL_NO_RSA
|
|
!ENGINE_set_RSA(e, &e_rsax_rsa) ||
|
|
# endif
|
|
!ENGINE_set_destroy_function(e, e_rsax_destroy) ||
|
|
!ENGINE_set_init_function(e, e_rsax_init) ||
|
|
!ENGINE_set_finish_function(e, e_rsax_finish) ||
|
|
!ENGINE_set_ctrl_function(e, e_rsax_ctrl) ||
|
|
!ENGINE_set_cmd_defns(e, e_rsax_cmd_defns))
|
|
return 0;
|
|
|
|
# ifndef OPENSSL_NO_RSA
|
|
meth1 = RSA_PKCS1_SSLeay();
|
|
e_rsax_rsa.rsa_pub_enc = meth1->rsa_pub_enc;
|
|
e_rsax_rsa.rsa_pub_dec = meth1->rsa_pub_dec;
|
|
e_rsax_rsa.rsa_priv_enc = meth1->rsa_priv_enc;
|
|
e_rsax_rsa.rsa_priv_dec = meth1->rsa_priv_dec;
|
|
e_rsax_rsa.bn_mod_exp = meth1->bn_mod_exp;
|
|
# endif
|
|
return 1;
|
|
}
|
|
|
|
static ENGINE *ENGINE_rsax(void)
|
|
{
|
|
ENGINE *ret = ENGINE_new();
|
|
if (!ret)
|
|
return NULL;
|
|
if (!bind_helper(ret)) {
|
|
ENGINE_free(ret);
|
|
return NULL;
|
|
}
|
|
return ret;
|
|
}
|
|
|
|
# ifndef OPENSSL_NO_RSA
|
|
/* Used to attach our own key-data to an RSA structure */
|
|
static int rsax_ex_data_idx = -1;
|
|
# endif
|
|
|
|
static int e_rsax_destroy(ENGINE *e)
|
|
{
|
|
return 1;
|
|
}
|
|
|
|
/* (de)initialisation functions. */
|
|
static int e_rsax_init(ENGINE *e)
|
|
{
|
|
# ifndef OPENSSL_NO_RSA
|
|
if (rsax_ex_data_idx == -1)
|
|
rsax_ex_data_idx = RSA_get_ex_new_index(0, NULL, NULL, NULL, NULL);
|
|
# endif
|
|
if (rsax_ex_data_idx == -1)
|
|
return 0;
|
|
return 1;
|
|
}
|
|
|
|
static int e_rsax_finish(ENGINE *e)
|
|
{
|
|
return 1;
|
|
}
|
|
|
|
static int e_rsax_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f) (void))
|
|
{
|
|
int to_return = 1;
|
|
|
|
switch (cmd) {
|
|
/* The command isn't understood by this engine */
|
|
default:
|
|
to_return = 0;
|
|
break;
|
|
}
|
|
|
|
return to_return;
|
|
}
|
|
|
|
# ifndef OPENSSL_NO_RSA
|
|
|
|
# ifdef _WIN32
|
|
typedef unsigned __int64 UINT64;
|
|
# else
|
|
typedef unsigned long long UINT64;
|
|
# endif
|
|
typedef unsigned short UINT16;
|
|
|
|
/*
|
|
* Table t is interleaved in the following manner: The order in memory is
|
|
* t[0][0], t[0][1], ..., t[0][7], t[1][0], ... A particular 512-bit value is
|
|
* stored in t[][index] rather than the more normal t[index][]; i.e. the
|
|
* qwords of a particular entry in t are not adjacent in memory
|
|
*/
|
|
|
|
/* Init BIGNUM b from the interleaved UINT64 array */
|
|
static int interleaved_array_to_bn_512(BIGNUM *b, UINT64 *array);
|
|
|
|
/*
|
|
* Extract array elements from BIGNUM b To set the whole array from b, call
|
|
* with n=8
|
|
*/
|
|
static int bn_extract_to_array_512(const BIGNUM *b, unsigned int n,
|
|
UINT64 *array);
|
|
|
|
struct mod_ctx_512 {
|
|
UINT64 t[8][8];
|
|
UINT64 m[8];
|
|
UINT64 m1[8]; /* 2^278 % m */
|
|
UINT64 m2[8]; /* 2^640 % m */
|
|
UINT64 k1[2]; /* (- 1/m) % 2^128 */
|
|
};
|
|
|
|
static int mod_exp_pre_compute_data_512(UINT64 *m, struct mod_ctx_512 *data);
|
|
|
|
void mod_exp_512(UINT64 *result, /* 512 bits, 8 qwords */
|
|
UINT64 *g, /* 512 bits, 8 qwords */
|
|
UINT64 *exp, /* 512 bits, 8 qwords */
|
|
struct mod_ctx_512 *data);
|
|
|
|
typedef struct st_e_rsax_mod_ctx {
|
|
UINT64 type;
|
|
union {
|
|
struct mod_ctx_512 b512;
|
|
} ctx;
|
|
|
|
} E_RSAX_MOD_CTX;
|
|
|
|
static E_RSAX_MOD_CTX *e_rsax_get_ctx(RSA *rsa, int idx, BIGNUM *m)
|
|
{
|
|
E_RSAX_MOD_CTX *hptr;
|
|
|
|
if (idx < 0 || idx > 2)
|
|
return NULL;
|
|
|
|
hptr = RSA_get_ex_data(rsa, rsax_ex_data_idx);
|
|
if (!hptr) {
|
|
hptr = OPENSSL_malloc(3 * sizeof(E_RSAX_MOD_CTX));
|
|
if (!hptr)
|
|
return NULL;
|
|
hptr[2].type = hptr[1].type = hptr[0].type = 0;
|
|
RSA_set_ex_data(rsa, rsax_ex_data_idx, hptr);
|
|
}
|
|
|
|
if (hptr[idx].type == (UINT64)BN_num_bits(m))
|
|
return hptr + idx;
|
|
|
|
if (BN_num_bits(m) == 512) {
|
|
UINT64 _m[8];
|
|
bn_extract_to_array_512(m, 8, _m);
|
|
memset(&hptr[idx].ctx.b512, 0, sizeof(struct mod_ctx_512));
|
|
mod_exp_pre_compute_data_512(_m, &hptr[idx].ctx.b512);
|
|
}
|
|
|
|
hptr[idx].type = BN_num_bits(m);
|
|
return hptr + idx;
|
|
}
|
|
|
|
static int e_rsax_rsa_finish(RSA *rsa)
|
|
{
|
|
E_RSAX_MOD_CTX *hptr = RSA_get_ex_data(rsa, rsax_ex_data_idx);
|
|
if (hptr) {
|
|
OPENSSL_free(hptr);
|
|
RSA_set_ex_data(rsa, rsax_ex_data_idx, NULL);
|
|
}
|
|
if (rsa->_method_mod_n)
|
|
BN_MONT_CTX_free(rsa->_method_mod_n);
|
|
if (rsa->_method_mod_p)
|
|
BN_MONT_CTX_free(rsa->_method_mod_p);
|
|
if (rsa->_method_mod_q)
|
|
BN_MONT_CTX_free(rsa->_method_mod_q);
|
|
return 1;
|
|
}
|
|
|
|
static int e_rsax_bn_mod_exp(BIGNUM *r, const BIGNUM *g, const BIGNUM *e,
|
|
const BIGNUM *m, BN_CTX *ctx,
|
|
BN_MONT_CTX *in_mont,
|
|
E_RSAX_MOD_CTX *rsax_mod_ctx)
|
|
{
|
|
if (rsax_mod_ctx && BN_get_flags(e, BN_FLG_CONSTTIME) != 0) {
|
|
if (BN_num_bits(m) == 512) {
|
|
UINT64 _r[8];
|
|
UINT64 _g[8];
|
|
UINT64 _e[8];
|
|
|
|
/* Init the arrays from the BIGNUMs */
|
|
bn_extract_to_array_512(g, 8, _g);
|
|
bn_extract_to_array_512(e, 8, _e);
|
|
|
|
mod_exp_512(_r, _g, _e, &rsax_mod_ctx->ctx.b512);
|
|
/* Return the result in the BIGNUM */
|
|
interleaved_array_to_bn_512(r, _r);
|
|
return 1;
|
|
}
|
|
}
|
|
|
|
return BN_mod_exp_mont(r, g, e, m, ctx, in_mont);
|
|
}
|
|
|
|
/*
|
|
* Declares for the Intel CIAP 512-bit / CRT / 1024 bit RSA modular
|
|
* exponentiation routine precalculations and a structure to hold the
|
|
* necessary values. These files are meant to live in crypto/rsa/ in the
|
|
* target openssl.
|
|
*/
|
|
|
|
/*
|
|
* Local method: extracts a piece from a BIGNUM, to fit it into
|
|
* an array. Call with n=8 to extract an entire 512-bit BIGNUM
|
|
*/
|
|
static int bn_extract_to_array_512(const BIGNUM *b, unsigned int n,
|
|
UINT64 *array)
|
|
{
|
|
int i;
|
|
UINT64 tmp;
|
|
unsigned char bn_buff[64];
|
|
memset(bn_buff, 0, 64);
|
|
if (BN_num_bytes(b) > 64) {
|
|
printf("Can't support this byte size\n");
|
|
return 0;
|
|
}
|
|
if (BN_num_bytes(b) != 0) {
|
|
if (!BN_bn2bin(b, bn_buff + (64 - BN_num_bytes(b)))) {
|
|
printf("Error's in bn2bin\n");
|
|
/* We have to error, here */
|
|
return 0;
|
|
}
|
|
}
|
|
while (n-- > 0) {
|
|
array[n] = 0;
|
|
for (i = 7; i >= 0; i--) {
|
|
tmp = bn_buff[63 - (n * 8 + i)];
|
|
array[n] |= tmp << (8 * i);
|
|
}
|
|
}
|
|
return 1;
|
|
}
|
|
|
|
/* Init a 512-bit BIGNUM from the UINT64*_ (8 * 64) interleaved array */
|
|
static int interleaved_array_to_bn_512(BIGNUM *b, UINT64 *array)
|
|
{
|
|
unsigned char tmp[64];
|
|
int n = 8;
|
|
int i;
|
|
while (n-- > 0) {
|
|
for (i = 7; i >= 0; i--) {
|
|
tmp[63 - (n * 8 + i)] = (unsigned char)(array[n] >> (8 * i));
|
|
}}
|
|
BN_bin2bn(tmp, 64, b);
|
|
return 0;
|
|
}
|
|
|
|
/* The main 512bit precompute call */
|
|
static int mod_exp_pre_compute_data_512(UINT64 *m, struct mod_ctx_512 *data)
|
|
{
|
|
BIGNUM two_768, two_640, two_128, two_512, tmp, _m, tmp2;
|
|
|
|
/* We need a BN_CTX for the modulo functions */
|
|
BN_CTX *ctx;
|
|
/* Some tmps */
|
|
UINT64 _t[8];
|
|
int i, j, ret = 0;
|
|
|
|
/* Init _m with m */
|
|
BN_init(&_m);
|
|
interleaved_array_to_bn_512(&_m, m);
|
|
memset(_t, 0, 64);
|
|
|
|
/* Inits */
|
|
BN_init(&two_768);
|
|
BN_init(&two_640);
|
|
BN_init(&two_128);
|
|
BN_init(&two_512);
|
|
BN_init(&tmp);
|
|
BN_init(&tmp2);
|
|
|
|
/* Create our context */
|
|
if ((ctx = BN_CTX_new()) == NULL) {
|
|
goto err;
|
|
}
|
|
BN_CTX_start(ctx);
|
|
|
|
/*
|
|
* For production, if you care, these only need to be set once,
|
|
* and may be made constants.
|
|
*/
|
|
BN_lshift(&two_768, BN_value_one(), 768);
|
|
BN_lshift(&two_640, BN_value_one(), 640);
|
|
BN_lshift(&two_128, BN_value_one(), 128);
|
|
BN_lshift(&two_512, BN_value_one(), 512);
|
|
|
|
if (0 == (m[7] & 0x8000000000000000)) {
|
|
exit(1);
|
|
}
|
|
if (0 == (m[0] & 0x1)) { /* Odd modulus required for Mont */
|
|
exit(1);
|
|
}
|
|
|
|
/* Precompute m1 */
|
|
BN_mod(&tmp, &two_768, &_m, ctx);
|
|
if (!bn_extract_to_array_512(&tmp, 8, &data->m1[0])) {
|
|
goto err;
|
|
}
|
|
|
|
/* Precompute m2 */
|
|
BN_mod(&tmp, &two_640, &_m, ctx);
|
|
if (!bn_extract_to_array_512(&tmp, 8, &data->m2[0])) {
|
|
goto err;
|
|
}
|
|
|
|
/*
|
|
* Precompute k1, a 128b number = ((-1)* m-1 ) mod 2128; k1 should
|
|
* be non-negative.
|
|
*/
|
|
BN_mod_inverse(&tmp, &_m, &two_128, ctx);
|
|
if (!BN_is_zero(&tmp)) {
|
|
BN_sub(&tmp, &two_128, &tmp);
|
|
}
|
|
if (!bn_extract_to_array_512(&tmp, 2, &data->k1[0])) {
|
|
goto err;
|
|
}
|
|
|
|
/* Precompute t */
|
|
for (i = 0; i < 8; i++) {
|
|
BN_zero(&tmp);
|
|
if (i & 1) {
|
|
BN_add(&tmp, &two_512, &tmp);
|
|
}
|
|
if (i & 2) {
|
|
BN_add(&tmp, &two_512, &tmp);
|
|
}
|
|
if (i & 4) {
|
|
BN_add(&tmp, &two_640, &tmp);
|
|
}
|
|
|
|
BN_nnmod(&tmp2, &tmp, &_m, ctx);
|
|
if (!bn_extract_to_array_512(&tmp2, 8, _t)) {
|
|
goto err;
|
|
}
|
|
for (j = 0; j < 8; j++)
|
|
data->t[j][i] = _t[j];
|
|
}
|
|
|
|
/* Precompute m */
|
|
for (i = 0; i < 8; i++) {
|
|
data->m[i] = m[i];
|
|
}
|
|
|
|
ret = 1;
|
|
|
|
err:
|
|
/* Cleanup */
|
|
if (ctx != NULL) {
|
|
BN_CTX_end(ctx);
|
|
BN_CTX_free(ctx);
|
|
}
|
|
BN_free(&two_768);
|
|
BN_free(&two_640);
|
|
BN_free(&two_128);
|
|
BN_free(&two_512);
|
|
BN_free(&tmp);
|
|
BN_free(&tmp2);
|
|
BN_free(&_m);
|
|
|
|
return ret;
|
|
}
|
|
|
|
static int e_rsax_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa,
|
|
BN_CTX *ctx)
|
|
{
|
|
BIGNUM *r1, *m1, *vrfy;
|
|
BIGNUM local_dmp1, local_dmq1, local_c, local_r1;
|
|
BIGNUM *dmp1, *dmq1, *c, *pr1;
|
|
int ret = 0;
|
|
|
|
BN_CTX_start(ctx);
|
|
r1 = BN_CTX_get(ctx);
|
|
m1 = BN_CTX_get(ctx);
|
|
vrfy = BN_CTX_get(ctx);
|
|
|
|
{
|
|
BIGNUM local_p, local_q;
|
|
BIGNUM *p = NULL, *q = NULL;
|
|
int error = 0;
|
|
|
|
/*
|
|
* Make sure BN_mod_inverse in Montgomery intialization uses the
|
|
* BN_FLG_CONSTTIME flag (unless RSA_FLAG_NO_CONSTTIME is set)
|
|
*/
|
|
if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
|
|
BN_init(&local_p);
|
|
p = &local_p;
|
|
BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
|
|
|
|
BN_init(&local_q);
|
|
q = &local_q;
|
|
BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME);
|
|
} else {
|
|
p = rsa->p;
|
|
q = rsa->q;
|
|
}
|
|
|
|
if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) {
|
|
if (!BN_MONT_CTX_set_locked
|
|
(&rsa->_method_mod_p, CRYPTO_LOCK_RSA, p, ctx))
|
|
error = 1;
|
|
if (!BN_MONT_CTX_set_locked
|
|
(&rsa->_method_mod_q, CRYPTO_LOCK_RSA, q, ctx))
|
|
error = 1;
|
|
}
|
|
|
|
/* clean up */
|
|
if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
|
|
BN_free(&local_p);
|
|
BN_free(&local_q);
|
|
}
|
|
if (error)
|
|
goto err;
|
|
}
|
|
|
|
if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
|
|
if (!BN_MONT_CTX_set_locked
|
|
(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
|
|
goto err;
|
|
|
|
/* compute I mod q */
|
|
if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
|
|
c = &local_c;
|
|
BN_with_flags(c, I, BN_FLG_CONSTTIME);
|
|
if (!BN_mod(r1, c, rsa->q, ctx))
|
|
goto err;
|
|
} else {
|
|
if (!BN_mod(r1, I, rsa->q, ctx))
|
|
goto err;
|
|
}
|
|
|
|
/* compute r1^dmq1 mod q */
|
|
if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
|
|
dmq1 = &local_dmq1;
|
|
BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME);
|
|
} else
|
|
dmq1 = rsa->dmq1;
|
|
|
|
if (!e_rsax_bn_mod_exp(m1, r1, dmq1, rsa->q, ctx,
|
|
rsa->_method_mod_q, e_rsax_get_ctx(rsa, 0,
|
|
rsa->q)))
|
|
goto err;
|
|
|
|
/* compute I mod p */
|
|
if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
|
|
c = &local_c;
|
|
BN_with_flags(c, I, BN_FLG_CONSTTIME);
|
|
if (!BN_mod(r1, c, rsa->p, ctx))
|
|
goto err;
|
|
} else {
|
|
if (!BN_mod(r1, I, rsa->p, ctx))
|
|
goto err;
|
|
}
|
|
|
|
/* compute r1^dmp1 mod p */
|
|
if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
|
|
dmp1 = &local_dmp1;
|
|
BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME);
|
|
} else
|
|
dmp1 = rsa->dmp1;
|
|
|
|
if (!e_rsax_bn_mod_exp(r0, r1, dmp1, rsa->p, ctx,
|
|
rsa->_method_mod_p, e_rsax_get_ctx(rsa, 1,
|
|
rsa->p)))
|
|
goto err;
|
|
|
|
if (!BN_sub(r0, r0, m1))
|
|
goto err;
|
|
/*
|
|
* This will help stop the size of r0 increasing, which does affect the
|
|
* multiply if it optimised for a power of 2 size
|
|
*/
|
|
if (BN_is_negative(r0))
|
|
if (!BN_add(r0, r0, rsa->p))
|
|
goto err;
|
|
|
|
if (!BN_mul(r1, r0, rsa->iqmp, ctx))
|
|
goto err;
|
|
|
|
/* Turn BN_FLG_CONSTTIME flag on before division operation */
|
|
if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
|
|
pr1 = &local_r1;
|
|
BN_with_flags(pr1, r1, BN_FLG_CONSTTIME);
|
|
} else
|
|
pr1 = r1;
|
|
if (!BN_mod(r0, pr1, rsa->p, ctx))
|
|
goto err;
|
|
|
|
/*
|
|
* If p < q it is occasionally possible for the correction of adding 'p'
|
|
* if r0 is negative above to leave the result still negative. This can
|
|
* break the private key operations: the following second correction
|
|
* should *always* correct this rare occurrence. This will *never* happen
|
|
* with OpenSSL generated keys because they ensure p > q [steve]
|
|
*/
|
|
if (BN_is_negative(r0))
|
|
if (!BN_add(r0, r0, rsa->p))
|
|
goto err;
|
|
if (!BN_mul(r1, r0, rsa->q, ctx))
|
|
goto err;
|
|
if (!BN_add(r0, r1, m1))
|
|
goto err;
|
|
|
|
if (rsa->e && rsa->n) {
|
|
if (!e_rsax_bn_mod_exp
|
|
(vrfy, r0, rsa->e, rsa->n, ctx, rsa->_method_mod_n,
|
|
e_rsax_get_ctx(rsa, 2, rsa->n)))
|
|
goto err;
|
|
|
|
/*
|
|
* If 'I' was greater than (or equal to) rsa->n, the operation will
|
|
* be equivalent to using 'I mod n'. However, the result of the
|
|
* verify will *always* be less than 'n' so we don't check for
|
|
* absolute equality, just congruency.
|
|
*/
|
|
if (!BN_sub(vrfy, vrfy, I))
|
|
goto err;
|
|
if (!BN_mod(vrfy, vrfy, rsa->n, ctx))
|
|
goto err;
|
|
if (BN_is_negative(vrfy))
|
|
if (!BN_add(vrfy, vrfy, rsa->n))
|
|
goto err;
|
|
if (!BN_is_zero(vrfy)) {
|
|
/*
|
|
* 'I' and 'vrfy' aren't congruent mod n. Don't leak
|
|
* miscalculated CRT output, just do a raw (slower) mod_exp and
|
|
* return that instead.
|
|
*/
|
|
|
|
BIGNUM local_d;
|
|
BIGNUM *d = NULL;
|
|
|
|
if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
|
|
d = &local_d;
|
|
BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
|
|
} else
|
|
d = rsa->d;
|
|
if (!e_rsax_bn_mod_exp(r0, I, d, rsa->n, ctx,
|
|
rsa->_method_mod_n, e_rsax_get_ctx(rsa, 2,
|
|
rsa->n)))
|
|
goto err;
|
|
}
|
|
}
|
|
ret = 1;
|
|
|
|
err:
|
|
BN_CTX_end(ctx);
|
|
|
|
return ret;
|
|
}
|
|
# endif /* !OPENSSL_NO_RSA */
|
|
#endif /* !COMPILE_RSAX */
|