Path: blob/main/contrib/bearssl/src/rsa/rsa_i31_privexp.c
39483 views
/*1* Copyright (c) 2018 Thomas Pornin <[email protected]>2*3* Permission is hereby granted, free of charge, to any person obtaining4* a copy of this software and associated documentation files (the5* "Software"), to deal in the Software without restriction, including6* without limitation the rights to use, copy, modify, merge, publish,7* distribute, sublicense, and/or sell copies of the Software, and to8* permit persons to whom the Software is furnished to do so, subject to9* the following conditions:10*11* The above copyright notice and this permission notice shall be12* included in all copies or substantial portions of the Software.13*14* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,15* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF16* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND17* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS18* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN19* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN20* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE21* SOFTWARE.22*/2324#include "inner.h"2526/* see bearssl_rsa.h */27size_t28br_rsa_i31_compute_privexp(void *d,29const br_rsa_private_key *sk, uint32_t e)30{31/*32* We want to invert e modulo phi = (p-1)(q-1). This first33* requires computing phi, which is easy since we have the factors34* p and q in the private key structure.35*36* Since p = 3 mod 4 and q = 3 mod 4, phi/4 is an odd integer.37* We could invert e modulo phi/4 then patch the result to38* modulo phi, but this would involve assembling three modulus-wide39* values (phi/4, 1 and e) and calling moddiv, that requires40* three more temporaries, for a total of six big integers, or41* slightly more than 3 kB of stack space for RSA-4096. This42* exceeds our stack requirements.43*44* Instead, we first use one step of the extended GCD:45*46* - We compute phi = k*e + r (Euclidean division of phi by e).47* If public exponent e is correct, then r != 0 (e must be48* invertible modulo phi). We also have k != 0 since we49* enforce non-ridiculously-small factors.50*51* - We find small u, v such that u*e - v*r = 1 (using a52* binary GCD; we can arrange for u < r and v < e, i.e. all53* values fit on 32 bits).54*55* - Solution is: d = u + v*k56* This last computation is exact: since u < r and v < e,57* the above implies d < r + e*((phi-r)/e) = phi58*/5960uint32_t tmp[4 * ((BR_MAX_RSA_FACTOR + 30) / 31) + 12];61uint32_t *p, *q, *k, *m, *z, *phi;62const unsigned char *pbuf, *qbuf;63size_t plen, qlen, u, len, dlen;64uint32_t r, a, b, u0, v0, u1, v1, he, hr;65int i;6667/*68* Check that e is correct.69*/70if (e < 3 || (e & 1) == 0) {71return 0;72}7374/*75* Check lengths of p and q, and that they are both odd.76*/77pbuf = sk->p;78plen = sk->plen;79while (plen > 0 && *pbuf == 0) {80pbuf ++;81plen --;82}83if (plen < 5 || plen > (BR_MAX_RSA_FACTOR / 8)84|| (pbuf[plen - 1] & 1) != 1)85{86return 0;87}88qbuf = sk->q;89qlen = sk->qlen;90while (qlen > 0 && *qbuf == 0) {91qbuf ++;92qlen --;93}94if (qlen < 5 || qlen > (BR_MAX_RSA_FACTOR / 8)95|| (qbuf[qlen - 1] & 1) != 1)96{97return 0;98}99100/*101* Output length is that of the modulus.102*/103dlen = (sk->n_bitlen + 7) >> 3;104if (d == NULL) {105return dlen;106}107108p = tmp;109br_i31_decode(p, pbuf, plen);110plen = (p[0] + 31) >> 5;111q = p + 1 + plen;112br_i31_decode(q, qbuf, qlen);113qlen = (q[0] + 31) >> 5;114115/*116* Compute phi = (p-1)*(q-1), then move it over p-1 and q-1 (that117* we do not need anymore). The mulacc function sets the announced118* bit length of t to be the sum of the announced bit lengths of119* p-1 and q-1, which is usually exact but may overshoot by one 1120* bit in some cases; we readjust it to its true length.121*/122p[1] --;123q[1] --;124phi = q + 1 + qlen;125br_i31_zero(phi, p[0]);126br_i31_mulacc(phi, p, q);127len = (phi[0] + 31) >> 5;128memmove(tmp, phi, (1 + len) * sizeof *phi);129phi = tmp;130phi[0] = br_i31_bit_length(phi + 1, len);131len = (phi[0] + 31) >> 5;132133/*134* Divide phi by public exponent e. The final remainder r must be135* non-zero (otherwise, the key is invalid). The quotient is k,136* which we write over phi, since we don't need phi after that.137*/138r = 0;139for (u = len; u >= 1; u --) {140/*141* Upon entry, r < e, and phi[u] < 2^31; hence,142* hi:lo < e*2^31. Thus, the produced word k[u]143* must be lower than 2^31, and the new remainder r144* is lower than e.145*/146uint32_t hi, lo;147148hi = r >> 1;149lo = (r << 31) + phi[u];150phi[u] = br_divrem(hi, lo, e, &r);151}152if (r == 0) {153return 0;154}155k = phi;156157/*158* Compute u and v such that u*e - v*r = GCD(e,r). We use159* a binary GCD algorithm, with 6 extra integers a, b,160* u0, u1, v0 and v1. Initial values are:161* a = e u0 = 1 v0 = 0162* b = r u1 = r v1 = e-1163* The following invariants are maintained:164* a = u0*e - v0*r165* b = u1*e - v1*r166* 0 < a <= e167* 0 < b <= r168* 0 <= u0 <= r169* 0 <= v0 <= e170* 0 <= u1 <= r171* 0 <= v1 <= e172*173* At each iteration, we reduce either a or b by one bit, and174* adjust u0, u1, v0 and v1 to maintain the invariants:175* - if a is even, then a <- a/2176* - otherwise, if b is even, then b <- b/2177* - otherwise, if a > b, then a <- (a-b)/2178* - otherwise, if b > a, then b <- (b-a)/2179* Algorithm stops when a = b. At that point, the common value180* is the GCD of e and r; it must be 1 (otherwise, the private181* key or public exponent is not valid). The (u0,v0) or (u1,v1)182* pairs are the solution we are looking for.183*184* Since either a or b is reduced by at least 1 bit at each185* iteration, 62 iterations are enough to reach the end186* condition.187*188* To maintain the invariants, we must compute the same operations189* on the u* and v* values that we do on a and b:190* - When a is divided by 2, u0 and v0 must be divided by 2.191* - When b is divided by 2, u1 and v1 must be divided by 2.192* - When b is subtracted from a, u1 and v1 are subtracted from193* u0 and v0, respectively.194* - When a is subtracted from b, u0 and v0 are subtracted from195* u1 and v1, respectively.196*197* However, we want to keep the u* and v* values in their proper198* ranges. The following remarks apply:199*200* - When a is divided by 2, then a is even. Therefore:201*202* * If r is odd, then u0 and v0 must have the same parity;203* if they are both odd, then adding r to u0 and e to v0204* makes them both even, and the division by 2 brings them205* back to the proper range.206*207* * If r is even, then u0 must be even; if v0 is odd, then208* adding r to u0 and e to v0 makes them both even, and the209* division by 2 brings them back to the proper range.210*211* Thus, all we need to do is to look at the parity of v0,212* and add (r,e) to (u0,v0) when v0 is odd. In order to avoid213* a 32-bit overflow, we can add ((r+1)/2,(e/2)+1) after the214* division (r+1 does not overflow since r < e; and (e/2)+1215* is equal to (e+1)/2 since e is odd).216*217* - When we subtract b from a, three cases may occur:218*219* * u1 <= u0 and v1 <= v0: just do the subtractions220*221* * u1 > u0 and v1 > v0: compute:222* (u0, v0) <- (u0 + r - u1, v0 + e - v1)223*224* * u1 <= u0 and v1 > v0: compute:225* (u0, v0) <- (u0 + r - u1, v0 + e - v1)226*227* The fourth case (u1 > u0 and v1 <= v0) is not possible228* because it would contradict "b < a" (which is the reason229* why we subtract b from a).230*231* The tricky case is the third one: from the equations, it232* seems that u0 may go out of range. However, the invariants233* and ranges of other values imply that, in that case, the234* new u0 does not actually exceed the range.235*236* We can thus handle the subtraction by adding (r,e) based237* solely on the comparison between v0 and v1.238*/239a = e;240b = r;241u0 = 1;242v0 = 0;243u1 = r;244v1 = e - 1;245hr = (r + 1) >> 1;246he = (e >> 1) + 1;247for (i = 0; i < 62; i ++) {248uint32_t oa, ob, agtb, bgta;249uint32_t sab, sba, da, db;250uint32_t ctl;251252oa = a & 1; /* 1 if a is odd */253ob = b & 1; /* 1 if b is odd */254agtb = GT(a, b); /* 1 if a > b */255bgta = GT(b, a); /* 1 if b > a */256257sab = oa & ob & agtb; /* 1 if a <- a-b */258sba = oa & ob & bgta; /* 1 if b <- b-a */259260/* a <- a-b, u0 <- u0-u1, v0 <- v0-v1 */261ctl = GT(v1, v0);262a -= b & -sab;263u0 -= (u1 - (r & -ctl)) & -sab;264v0 -= (v1 - (e & -ctl)) & -sab;265266/* b <- b-a, u1 <- u1-u0 mod r, v1 <- v1-v0 mod e */267ctl = GT(v0, v1);268b -= a & -sba;269u1 -= (u0 - (r & -ctl)) & -sba;270v1 -= (v0 - (e & -ctl)) & -sba;271272da = NOT(oa) | sab; /* 1 if a <- a/2 */273db = (oa & NOT(ob)) | sba; /* 1 if b <- b/2 */274275/* a <- a/2, u0 <- u0/2, v0 <- v0/2 */276ctl = v0 & 1;277a ^= (a ^ (a >> 1)) & -da;278u0 ^= (u0 ^ ((u0 >> 1) + (hr & -ctl))) & -da;279v0 ^= (v0 ^ ((v0 >> 1) + (he & -ctl))) & -da;280281/* b <- b/2, u1 <- u1/2 mod r, v1 <- v1/2 mod e */282ctl = v1 & 1;283b ^= (b ^ (b >> 1)) & -db;284u1 ^= (u1 ^ ((u1 >> 1) + (hr & -ctl))) & -db;285v1 ^= (v1 ^ ((v1 >> 1) + (he & -ctl))) & -db;286}287288/*289* Check that the GCD is indeed 1. If not, then the key is invalid290* (and there's no harm in leaking that piece of information).291*/292if (a != 1) {293return 0;294}295296/*297* Now we have u0*e - v0*r = 1. Let's compute the result as:298* d = u0 + v0*k299* We still have k in the tmp[] array, and its announced bit300* length is that of phi.301*/302m = k + 1 + len;303m[0] = (1 << 5) + 1; /* bit length is 32 bits, encoded */304m[1] = v0 & 0x7FFFFFFF;305m[2] = v0 >> 31;306z = m + 3;307br_i31_zero(z, k[0]);308z[1] = u0 & 0x7FFFFFFF;309z[2] = u0 >> 31;310br_i31_mulacc(z, k, m);311312/*313* Encode the result.314*/315br_i31_encode(d, dlen, z);316return dlen;317}318319320