1
/*
2
 * Copyright (c) 2016 Thomas Pornin <[email protected]>
3
 *
4
 * Permission is hereby granted, free of charge, to any person obtaining 
5
 * a copy of this software and associated documentation files (the
6
 * "Software"), to deal in the Software without restriction, including
7
 * without limitation the rights to use, copy, modify, merge, publish,
8
 * distribute, sublicense, and/or sell copies of the Software, and to
9
 * permit persons to whom the Software is furnished to do so, subject to
10
 * the following conditions:
11
 *
12
 * The above copyright notice and this permission notice shall be 
13
 * included in all copies or substantial portions of the Software.
14
 *
15
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, 
16
 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
17
 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND 
18
 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
19
 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
20
 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
21
 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
22
 * SOFTWARE.
23
 */
24

25
#include "inner.h"
26

27
#define U      (2 + ((BR_MAX_RSA_FACTOR + 30) / 31))
28
#define TLEN   (8 * U)
29

30
/* see bearssl_rsa.h */
31
uint32_t
32
br_rsa_i31_private(unsigned char *x, const br_rsa_private_key *sk)
33
{
34
	const unsigned char *p, *q;
35
	size_t plen, qlen;
36
	size_t fwlen;
37
	uint32_t p0i, q0i;
38
	size_t xlen, u;
39
	uint32_t tmp[1 + TLEN];
40
	long z;
41
	uint32_t *mp, *mq, *s1, *s2, *t1, *t2, *t3;
42
	uint32_t r;
43

44
	/*
45
	 * Compute the actual lengths of p and q, in bytes.
46
	 * These lengths are not considered secret (we cannot really hide
47
	 * them anyway in constant-time code).
48
	 */
49
	p = sk->p;
50
	plen = sk->plen;
51
	while (plen > 0 && *p == 0) {
52
		p ++;
53
		plen --;
54
	}
55
	q = sk->q;
56
	qlen = sk->qlen;
57
	while (qlen > 0 && *q == 0) {
58
		q ++;
59
		qlen --;
60
	}
61

62
	/*
63
	 * Compute the maximum factor length, in words.
64
	 */
65
	z = (long)(plen > qlen ? plen : qlen) << 3;
66
	fwlen = 1;
67
	while (z > 0) {
68
		z -= 31;
69
		fwlen ++;
70
	}
71

72
	/*
73
	 * Round up the word length to an even number.
74
	 */
75
	fwlen += (fwlen & 1);
76

77
	/*
78
	 * We need to fit at least 6 values in the stack buffer.
79
	 */
80
	if (6 * fwlen > TLEN) {
81
		return 0;
82
	}
83

84
	/*
85
	 * Compute modulus length (in bytes).
86
	 */
87
	xlen = (sk->n_bitlen + 7) >> 3;
88

89
	/*
90
	 * Decode q.
91
	 */
92
	mq = tmp;
93
	br_i31_decode(mq, q, qlen);
94

95
	/*
96
	 * Decode p.
97
	 */
98
	t1 = mq + fwlen;
99
	br_i31_decode(t1, p, plen);
100

101
	/*
102
	 * Compute the modulus (product of the two factors), to compare
103
	 * it with the source value. We use br_i31_mulacc(), since it's
104
	 * already used later on.
105
	 */
106
	t2 = mq + 2 * fwlen;
107
	br_i31_zero(t2, mq[0]);
108
	br_i31_mulacc(t2, mq, t1);
109

110
	/*
111
	 * We encode the modulus into bytes, to perform the comparison
112
	 * with bytes. We know that the product length, in bytes, is
113
	 * exactly xlen.
114
	 * The comparison actually computes the carry when subtracting
115
	 * the modulus from the source value; that carry must be 1 for
116
	 * a value in the correct range. We keep it in r, which is our
117
	 * accumulator for the error code.
118
	 */
119
	t3 = mq + 4 * fwlen;
120
	br_i31_encode(t3, xlen, t2);
121
	u = xlen;
122
	r = 0;
123
	while (u > 0) {
124
		uint32_t wn, wx;
125

126
		u --;
127
		wn = ((unsigned char *)t3)[u];
128
		wx = x[u];
129
		r = ((wx - (wn + r)) >> 8) & 1;
130
	}
131

132
	/*
133
	 * Move the decoded p to another temporary buffer.
134
	 */
135
	mp = mq + 2 * fwlen;
136
	memmove(mp, t1, fwlen * sizeof *t1);
137

138
	/*
139
	 * Compute s2 = x^dq mod q.
140
	 */
141
	q0i = br_i31_ninv31(mq[1]);
142
	s2 = mq + fwlen;
143
	br_i31_decode_reduce(s2, x, xlen, mq);
144
	r &= br_i31_modpow_opt(s2, sk->dq, sk->dqlen, mq, q0i,
145
		mq + 3 * fwlen, TLEN - 3 * fwlen);
146

147
	/*
148
	 * Compute s1 = x^dp mod p.
149
	 */
150
	p0i = br_i31_ninv31(mp[1]);
151
	s1 = mq + 3 * fwlen;
152
	br_i31_decode_reduce(s1, x, xlen, mp);
153
	r &= br_i31_modpow_opt(s1, sk->dp, sk->dplen, mp, p0i,
154
		mq + 4 * fwlen, TLEN - 4 * fwlen);
155

156
	/*
157
	 * Compute:
158
	 *   h = (s1 - s2)*(1/q) mod p
159
	 * s1 is an integer modulo p, but s2 is modulo q. PKCS#1 is
160
	 * unclear about whether p may be lower than q (some existing,
161
	 * widely deployed implementations of RSA don't tolerate p < q),
162
	 * but we want to support that occurrence, so we need to use the
163
	 * reduction function.
164
	 *
165
	 * Since we use br_i31_decode_reduce() for iq (purportedly, the
166
	 * inverse of q modulo p), we also tolerate improperly large
167
	 * values for this parameter.
168
	 */
169
	t1 = mq + 4 * fwlen;
170
	t2 = mq + 5 * fwlen;
171
	br_i31_reduce(t2, s2, mp);
172
	br_i31_add(s1, mp, br_i31_sub(s1, t2, 1));
173
	br_i31_to_monty(s1, mp);
174
	br_i31_decode_reduce(t1, sk->iq, sk->iqlen, mp);
175
	br_i31_montymul(t2, s1, t1, mp, p0i);
176

177
	/*
178
	 * h is now in t2. We compute the final result:
179
	 *   s = s2 + q*h
180
	 * All these operations are non-modular.
181
	 *
182
	 * We need mq, s2 and t2. We use the t3 buffer as destination.
183
	 * The buffers mp, s1 and t1 are no longer needed, so we can
184
	 * reuse them for t3. Moreover, the first step of the computation
185
	 * is to copy s2 into t3, after which s2 is not needed. Right
186
	 * now, mq is in slot 0, s2 is in slot 1, and t2 is in slot 5.
187
	 * Therefore, we have ample room for t3 by simply using s2.
188
	 */
189
	t3 = s2;
190
	br_i31_mulacc(t3, mq, t2);
191

192
	/*
193
	 * Encode the result. Since we already checked the value of xlen,
194
	 * we can just use it right away.
195
	 */
196
	br_i31_encode(x, xlen, t3);
197

198
	/*
199
	 * The only error conditions remaining at that point are invalid
200
	 * values for p and q (even integers).
201
	 */
202
	return p0i & q0i & r;
203
}
204

205