diff options
| author | djm <> | 2012-10-13 21:23:57 +0000 |
|---|---|---|
| committer | djm <> | 2012-10-13 21:23:57 +0000 |
| commit | 0f4e59be0458751f14ec603610fb285ff9737a1c (patch) | |
| tree | 51d00d308f46148b4b341133936e44706703ad8b /src/lib/libcrypto/engine/eng_rsax.c | |
| parent | 050e39dc2dfd5d05183a7283530fcaf13f832ba2 (diff) | |
| download | openbsd-0f4e59be0458751f14ec603610fb285ff9737a1c.tar.gz openbsd-0f4e59be0458751f14ec603610fb285ff9737a1c.tar.bz2 openbsd-0f4e59be0458751f14ec603610fb285ff9737a1c.zip | |
import OpenSSL-1.0.1c
Diffstat (limited to 'src/lib/libcrypto/engine/eng_rsax.c')
| -rw-r--r-- | src/lib/libcrypto/engine/eng_rsax.c | 668 |
1 files changed, 668 insertions, 0 deletions
diff --git a/src/lib/libcrypto/engine/eng_rsax.c b/src/lib/libcrypto/engine/eng_rsax.c new file mode 100644 index 0000000000..96e63477ee --- /dev/null +++ b/src/lib/libcrypto/engine/eng_rsax.c | |||
| @@ -0,0 +1,668 @@ | |||
| 1 | /* crypto/engine/eng_rsax.c */ | ||
| 2 | /* Copyright (c) 2010-2010 Intel Corp. | ||
| 3 | * Author: Vinodh.Gopal@intel.com | ||
| 4 | * Jim Guilford | ||
| 5 | * Erdinc.Ozturk@intel.com | ||
| 6 | * Maxim.Perminov@intel.com | ||
| 7 | * Ying.Huang@intel.com | ||
| 8 | * | ||
| 9 | * More information about algorithm used can be found at: | ||
| 10 | * http://www.cse.buffalo.edu/srds2009/escs2009_submission_Gopal.pdf | ||
| 11 | */ | ||
| 12 | /* ==================================================================== | ||
| 13 | * Copyright (c) 1999-2001 The OpenSSL Project. All rights reserved. | ||
| 14 | * | ||
| 15 | * Redistribution and use in source and binary forms, with or without | ||
| 16 | * modification, are permitted provided that the following conditions | ||
| 17 | * are met: | ||
| 18 | * | ||
| 19 | * 1. Redistributions of source code must retain the above copyright | ||
| 20 | * notice, this list of conditions and the following disclaimer. | ||
| 21 | * | ||
| 22 | * 2. Redistributions in binary form must reproduce the above copyright | ||
| 23 | * notice, this list of conditions and the following disclaimer in | ||
| 24 | * the documentation and/or other materials provided with the | ||
| 25 | * distribution. | ||
| 26 | * | ||
| 27 | * 3. All advertising materials mentioning features or use of this | ||
| 28 | * software must display the following acknowledgment: | ||
| 29 | * "This product includes software developed by the OpenSSL Project | ||
| 30 | * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" | ||
| 31 | * | ||
| 32 | * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to | ||
| 33 | * endorse or promote products derived from this software without | ||
| 34 | * prior written permission. For written permission, please contact | ||
| 35 | * licensing@OpenSSL.org. | ||
| 36 | * | ||
| 37 | * 5. Products derived from this software may not be called "OpenSSL" | ||
| 38 | * nor may "OpenSSL" appear in their names without prior written | ||
| 39 | * permission of the OpenSSL Project. | ||
| 40 | * | ||
| 41 | * 6. Redistributions of any form whatsoever must retain the following | ||
| 42 | * acknowledgment: | ||
| 43 | * "This product includes software developed by the OpenSSL Project | ||
| 44 | * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" | ||
| 45 | * | ||
| 46 | * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY | ||
| 47 | * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | ||
| 48 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR | ||
| 49 | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR | ||
| 50 | * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, | ||
| 51 | * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT | ||
| 52 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; | ||
| 53 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | ||
| 54 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, | ||
| 55 | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | ||
| 56 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED | ||
| 57 | * OF THE POSSIBILITY OF SUCH DAMAGE. | ||
| 58 | * ==================================================================== | ||
| 59 | * | ||
| 60 | * This product includes cryptographic software written by Eric Young | ||
| 61 | * (eay@cryptsoft.com). This product includes software written by Tim | ||
| 62 | * Hudson (tjh@cryptsoft.com). | ||
| 63 | */ | ||
| 64 | |||
| 65 | #include <openssl/opensslconf.h> | ||
| 66 | |||
| 67 | #include <stdio.h> | ||
| 68 | #include <string.h> | ||
| 69 | #include <openssl/crypto.h> | ||
| 70 | #include <openssl/buffer.h> | ||
| 71 | #include <openssl/engine.h> | ||
| 72 | #ifndef OPENSSL_NO_RSA | ||
| 73 | #include <openssl/rsa.h> | ||
| 74 | #endif | ||
| 75 | #include <openssl/bn.h> | ||
| 76 | #include <openssl/err.h> | ||
| 77 | |||
| 78 | /* RSAX is available **ONLY* on x86_64 CPUs */ | ||
| 79 | #undef COMPILE_RSAX | ||
| 80 | |||
| 81 | #if (defined(__x86_64) || defined(__x86_64__) || \ | ||
| 82 | defined(_M_AMD64) || defined (_M_X64)) && !defined(OPENSSL_NO_ASM) | ||
| 83 | #define COMPILE_RSAX | ||
| 84 | static ENGINE *ENGINE_rsax (void); | ||
| 85 | #endif | ||
| 86 | |||
| 87 | void ENGINE_load_rsax (void) | ||
| 88 | { | ||
| 89 | /* On non-x86 CPUs it just returns. */ | ||
| 90 | #ifdef COMPILE_RSAX | ||
| 91 | ENGINE *toadd = ENGINE_rsax(); | ||
| 92 | if(!toadd) return; | ||
| 93 | ENGINE_add(toadd); | ||
| 94 | ENGINE_free(toadd); | ||
| 95 | ERR_clear_error(); | ||
| 96 | #endif | ||
| 97 | } | ||
| 98 | |||
| 99 | #ifdef COMPILE_RSAX | ||
| 100 | #define E_RSAX_LIB_NAME "rsax engine" | ||
| 101 | |||
| 102 | static int e_rsax_destroy(ENGINE *e); | ||
| 103 | static int e_rsax_init(ENGINE *e); | ||
| 104 | static int e_rsax_finish(ENGINE *e); | ||
| 105 | static int e_rsax_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void)); | ||
| 106 | |||
| 107 | #ifndef OPENSSL_NO_RSA | ||
| 108 | /* RSA stuff */ | ||
| 109 | static int e_rsax_rsa_mod_exp(BIGNUM *r, const BIGNUM *I, RSA *rsa, BN_CTX *ctx); | ||
| 110 | static int e_rsax_rsa_finish(RSA *r); | ||
| 111 | #endif | ||
| 112 | |||
| 113 | static const ENGINE_CMD_DEFN e_rsax_cmd_defns[] = { | ||
| 114 | {0, NULL, NULL, 0} | ||
| 115 | }; | ||
| 116 | |||
| 117 | #ifndef OPENSSL_NO_RSA | ||
| 118 | /* Our internal RSA_METHOD that we provide pointers to */ | ||
| 119 | static RSA_METHOD e_rsax_rsa = | ||
| 120 | { | ||
| 121 | "Intel RSA-X method", | ||
| 122 | NULL, | ||
| 123 | NULL, | ||
| 124 | NULL, | ||
| 125 | NULL, | ||
| 126 | e_rsax_rsa_mod_exp, | ||
| 127 | NULL, | ||
| 128 | NULL, | ||
| 129 | e_rsax_rsa_finish, | ||
| 130 | RSA_FLAG_CACHE_PUBLIC|RSA_FLAG_CACHE_PRIVATE, | ||
| 131 | NULL, | ||
| 132 | NULL, | ||
| 133 | NULL | ||
| 134 | }; | ||
| 135 | #endif | ||
| 136 | |||
| 137 | /* Constants used when creating the ENGINE */ | ||
| 138 | static const char *engine_e_rsax_id = "rsax"; | ||
| 139 | static const char *engine_e_rsax_name = "RSAX engine support"; | ||
| 140 | |||
| 141 | /* This internal function is used by ENGINE_rsax() */ | ||
| 142 | static int bind_helper(ENGINE *e) | ||
| 143 | { | ||
| 144 | #ifndef OPENSSL_NO_RSA | ||
| 145 | const RSA_METHOD *meth1; | ||
| 146 | #endif | ||
| 147 | if(!ENGINE_set_id(e, engine_e_rsax_id) || | ||
| 148 | !ENGINE_set_name(e, engine_e_rsax_name) || | ||
| 149 | #ifndef OPENSSL_NO_RSA | ||
| 150 | !ENGINE_set_RSA(e, &e_rsax_rsa) || | ||
| 151 | #endif | ||
| 152 | !ENGINE_set_destroy_function(e, e_rsax_destroy) || | ||
| 153 | !ENGINE_set_init_function(e, e_rsax_init) || | ||
| 154 | !ENGINE_set_finish_function(e, e_rsax_finish) || | ||
| 155 | !ENGINE_set_ctrl_function(e, e_rsax_ctrl) || | ||
| 156 | !ENGINE_set_cmd_defns(e, e_rsax_cmd_defns)) | ||
| 157 | return 0; | ||
| 158 | |||
| 159 | #ifndef OPENSSL_NO_RSA | ||
| 160 | meth1 = RSA_PKCS1_SSLeay(); | ||
| 161 | e_rsax_rsa.rsa_pub_enc = meth1->rsa_pub_enc; | ||
| 162 | e_rsax_rsa.rsa_pub_dec = meth1->rsa_pub_dec; | ||
| 163 | e_rsax_rsa.rsa_priv_enc = meth1->rsa_priv_enc; | ||
| 164 | e_rsax_rsa.rsa_priv_dec = meth1->rsa_priv_dec; | ||
| 165 | e_rsax_rsa.bn_mod_exp = meth1->bn_mod_exp; | ||
| 166 | #endif | ||
| 167 | return 1; | ||
| 168 | } | ||
| 169 | |||
| 170 | static ENGINE *ENGINE_rsax(void) | ||
| 171 | { | ||
| 172 | ENGINE *ret = ENGINE_new(); | ||
| 173 | if(!ret) | ||
| 174 | return NULL; | ||
| 175 | if(!bind_helper(ret)) | ||
| 176 | { | ||
| 177 | ENGINE_free(ret); | ||
| 178 | return NULL; | ||
| 179 | } | ||
| 180 | return ret; | ||
| 181 | } | ||
| 182 | |||
| 183 | #ifndef OPENSSL_NO_RSA | ||
| 184 | /* Used to attach our own key-data to an RSA structure */ | ||
| 185 | static int rsax_ex_data_idx = -1; | ||
| 186 | #endif | ||
| 187 | |||
| 188 | static int e_rsax_destroy(ENGINE *e) | ||
| 189 | { | ||
| 190 | return 1; | ||
| 191 | } | ||
| 192 | |||
| 193 | /* (de)initialisation functions. */ | ||
| 194 | static int e_rsax_init(ENGINE *e) | ||
| 195 | { | ||
| 196 | #ifndef OPENSSL_NO_RSA | ||
| 197 | if (rsax_ex_data_idx == -1) | ||
| 198 | rsax_ex_data_idx = RSA_get_ex_new_index(0, | ||
| 199 | NULL, | ||
| 200 | NULL, NULL, NULL); | ||
| 201 | #endif | ||
| 202 | if (rsax_ex_data_idx == -1) | ||
| 203 | return 0; | ||
| 204 | return 1; | ||
| 205 | } | ||
| 206 | |||
| 207 | static int e_rsax_finish(ENGINE *e) | ||
| 208 | { | ||
| 209 | return 1; | ||
| 210 | } | ||
| 211 | |||
| 212 | static int e_rsax_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void)) | ||
| 213 | { | ||
| 214 | int to_return = 1; | ||
| 215 | |||
| 216 | switch(cmd) | ||
| 217 | { | ||
| 218 | /* The command isn't understood by this engine */ | ||
| 219 | default: | ||
| 220 | to_return = 0; | ||
| 221 | break; | ||
| 222 | } | ||
| 223 | |||
| 224 | return to_return; | ||
| 225 | } | ||
| 226 | |||
| 227 | |||
| 228 | #ifndef OPENSSL_NO_RSA | ||
| 229 | |||
| 230 | #ifdef _WIN32 | ||
| 231 | typedef unsigned __int64 UINT64; | ||
| 232 | #else | ||
| 233 | typedef unsigned long long UINT64; | ||
| 234 | #endif | ||
| 235 | typedef unsigned short UINT16; | ||
| 236 | |||
| 237 | /* Table t is interleaved in the following manner: | ||
| 238 | * The order in memory is t[0][0], t[0][1], ..., t[0][7], t[1][0], ... | ||
| 239 | * A particular 512-bit value is stored in t[][index] rather than the more | ||
| 240 | * normal t[index][]; i.e. the qwords of a particular entry in t are not | ||
| 241 | * adjacent in memory | ||
| 242 | */ | ||
| 243 | |||
| 244 | /* Init BIGNUM b from the interleaved UINT64 array */ | ||
| 245 | static int interleaved_array_to_bn_512(BIGNUM* b, UINT64 *array); | ||
| 246 | |||
| 247 | /* Extract array elements from BIGNUM b | ||
| 248 | * To set the whole array from b, call with n=8 | ||
| 249 | */ | ||
| 250 | static int bn_extract_to_array_512(const BIGNUM* b, unsigned int n, UINT64 *array); | ||
| 251 | |||
| 252 | struct mod_ctx_512 { | ||
| 253 | UINT64 t[8][8]; | ||
| 254 | UINT64 m[8]; | ||
| 255 | UINT64 m1[8]; /* 2^278 % m */ | ||
| 256 | UINT64 m2[8]; /* 2^640 % m */ | ||
| 257 | UINT64 k1[2]; /* (- 1/m) % 2^128 */ | ||
| 258 | }; | ||
| 259 | |||
| 260 | static int mod_exp_pre_compute_data_512(UINT64 *m, struct mod_ctx_512 *data); | ||
| 261 | |||
| 262 | void mod_exp_512(UINT64 *result, /* 512 bits, 8 qwords */ | ||
| 263 | UINT64 *g, /* 512 bits, 8 qwords */ | ||
| 264 | UINT64 *exp, /* 512 bits, 8 qwords */ | ||
| 265 | struct mod_ctx_512 *data); | ||
| 266 | |||
| 267 | typedef struct st_e_rsax_mod_ctx | ||
| 268 | { | ||
| 269 | UINT64 type; | ||
| 270 | union { | ||
| 271 | struct mod_ctx_512 b512; | ||
| 272 | } ctx; | ||
| 273 | |||
| 274 | } E_RSAX_MOD_CTX; | ||
| 275 | |||
| 276 | static E_RSAX_MOD_CTX *e_rsax_get_ctx(RSA *rsa, int idx, BIGNUM* m) | ||
| 277 | { | ||
| 278 | E_RSAX_MOD_CTX *hptr; | ||
| 279 | |||
| 280 | if (idx < 0 || idx > 2) | ||
| 281 | return NULL; | ||
| 282 | |||
| 283 | hptr = RSA_get_ex_data(rsa, rsax_ex_data_idx); | ||
| 284 | if (!hptr) { | ||
| 285 | hptr = OPENSSL_malloc(3*sizeof(E_RSAX_MOD_CTX)); | ||
| 286 | if (!hptr) return NULL; | ||
| 287 | hptr[2].type = hptr[1].type= hptr[0].type = 0; | ||
| 288 | RSA_set_ex_data(rsa, rsax_ex_data_idx, hptr); | ||
| 289 | } | ||
| 290 | |||
| 291 | if (hptr[idx].type == (UINT64)BN_num_bits(m)) | ||
| 292 | return hptr+idx; | ||
| 293 | |||
| 294 | if (BN_num_bits(m) == 512) { | ||
| 295 | UINT64 _m[8]; | ||
| 296 | bn_extract_to_array_512(m, 8, _m); | ||
| 297 | memset( &hptr[idx].ctx.b512, 0, sizeof(struct mod_ctx_512)); | ||
| 298 | mod_exp_pre_compute_data_512(_m, &hptr[idx].ctx.b512); | ||
| 299 | } | ||
| 300 | |||
| 301 | hptr[idx].type = BN_num_bits(m); | ||
| 302 | return hptr+idx; | ||
| 303 | } | ||
| 304 | |||
| 305 | static int e_rsax_rsa_finish(RSA *rsa) | ||
| 306 | { | ||
| 307 | E_RSAX_MOD_CTX *hptr = RSA_get_ex_data(rsa, rsax_ex_data_idx); | ||
| 308 | if(hptr) | ||
| 309 | { | ||
| 310 | OPENSSL_free(hptr); | ||
| 311 | RSA_set_ex_data(rsa, rsax_ex_data_idx, NULL); | ||
| 312 | } | ||
| 313 | if (rsa->_method_mod_n) | ||
| 314 | BN_MONT_CTX_free(rsa->_method_mod_n); | ||
| 315 | if (rsa->_method_mod_p) | ||
| 316 | BN_MONT_CTX_free(rsa->_method_mod_p); | ||
| 317 | if (rsa->_method_mod_q) | ||
| 318 | BN_MONT_CTX_free(rsa->_method_mod_q); | ||
| 319 | return 1; | ||
| 320 | } | ||
| 321 | |||
| 322 | |||
| 323 | static int e_rsax_bn_mod_exp(BIGNUM *r, const BIGNUM *g, const BIGNUM *e, | ||
| 324 | const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont, E_RSAX_MOD_CTX* rsax_mod_ctx ) | ||
| 325 | { | ||
| 326 | if (rsax_mod_ctx && BN_get_flags(e, BN_FLG_CONSTTIME) != 0) { | ||
| 327 | if (BN_num_bits(m) == 512) { | ||
| 328 | UINT64 _r[8]; | ||
| 329 | UINT64 _g[8]; | ||
| 330 | UINT64 _e[8]; | ||
| 331 | |||
| 332 | /* Init the arrays from the BIGNUMs */ | ||
| 333 | bn_extract_to_array_512(g, 8, _g); | ||
| 334 | bn_extract_to_array_512(e, 8, _e); | ||
| 335 | |||
| 336 | mod_exp_512(_r, _g, _e, &rsax_mod_ctx->ctx.b512); | ||
| 337 | /* Return the result in the BIGNUM */ | ||
| 338 | interleaved_array_to_bn_512(r, _r); | ||
| 339 | return 1; | ||
| 340 | } | ||
| 341 | } | ||
| 342 | |||
| 343 | return BN_mod_exp_mont(r, g, e, m, ctx, in_mont); | ||
| 344 | } | ||
| 345 | |||
| 346 | /* Declares for the Intel CIAP 512-bit / CRT / 1024 bit RSA modular | ||
| 347 | * exponentiation routine precalculations and a structure to hold the | ||
| 348 | * necessary values. These files are meant to live in crypto/rsa/ in | ||
| 349 | * the target openssl. | ||
| 350 | */ | ||
| 351 | |||
| 352 | /* | ||
| 353 | * Local method: extracts a piece from a BIGNUM, to fit it into | ||
| 354 | * an array. Call with n=8 to extract an entire 512-bit BIGNUM | ||
| 355 | */ | ||
| 356 | static int bn_extract_to_array_512(const BIGNUM* b, unsigned int n, UINT64 *array) | ||
| 357 | { | ||
| 358 | int i; | ||
| 359 | UINT64 tmp; | ||
| 360 | unsigned char bn_buff[64]; | ||
| 361 | memset(bn_buff, 0, 64); | ||
| 362 | if (BN_num_bytes(b) > 64) { | ||
| 363 | printf ("Can't support this byte size\n"); | ||
| 364 | return 0; } | ||
| 365 | if (BN_num_bytes(b)!=0) { | ||
| 366 | if (!BN_bn2bin(b, bn_buff+(64-BN_num_bytes(b)))) { | ||
| 367 | printf ("Error's in bn2bin\n"); | ||
| 368 | /* We have to error, here */ | ||
| 369 | return 0; } } | ||
| 370 | while (n-- > 0) { | ||
| 371 | array[n] = 0; | ||
| 372 | for (i=7; i>=0; i--) { | ||
| 373 | tmp = bn_buff[63-(n*8+i)]; | ||
| 374 | array[n] |= tmp << (8*i); } } | ||
| 375 | return 1; | ||
| 376 | } | ||
| 377 | |||
| 378 | /* Init a 512-bit BIGNUM from the UINT64*_ (8 * 64) interleaved array */ | ||
| 379 | static int interleaved_array_to_bn_512(BIGNUM* b, UINT64 *array) | ||
| 380 | { | ||
| 381 | unsigned char tmp[64]; | ||
| 382 | int n=8; | ||
| 383 | int i; | ||
| 384 | while (n-- > 0) { | ||
| 385 | for (i = 7; i>=0; i--) { | ||
| 386 | tmp[63-(n*8+i)] = (unsigned char)(array[n]>>(8*i)); } } | ||
| 387 | BN_bin2bn(tmp, 64, b); | ||
| 388 | return 0; | ||
| 389 | } | ||
| 390 | |||
| 391 | |||
| 392 | /* The main 512bit precompute call */ | ||
| 393 | static int mod_exp_pre_compute_data_512(UINT64 *m, struct mod_ctx_512 *data) | ||
| 394 | { | ||
| 395 | BIGNUM two_768, two_640, two_128, two_512, tmp, _m, tmp2; | ||
| 396 | |||
| 397 | /* We need a BN_CTX for the modulo functions */ | ||
| 398 | BN_CTX* ctx; | ||
| 399 | /* Some tmps */ | ||
| 400 | UINT64 _t[8]; | ||
| 401 | int i, j, ret = 0; | ||
| 402 | |||
| 403 | /* Init _m with m */ | ||
| 404 | BN_init(&_m); | ||
| 405 | interleaved_array_to_bn_512(&_m, m); | ||
| 406 | memset(_t, 0, 64); | ||
| 407 | |||
| 408 | /* Inits */ | ||
| 409 | BN_init(&two_768); | ||
| 410 | BN_init(&two_640); | ||
| 411 | BN_init(&two_128); | ||
| 412 | BN_init(&two_512); | ||
| 413 | BN_init(&tmp); | ||
| 414 | BN_init(&tmp2); | ||
| 415 | |||
| 416 | /* Create our context */ | ||
| 417 | if ((ctx=BN_CTX_new()) == NULL) { goto err; } | ||
| 418 | BN_CTX_start(ctx); | ||
| 419 | |||
| 420 | /* | ||
| 421 | * For production, if you care, these only need to be set once, | ||
| 422 | * and may be made constants. | ||
| 423 | */ | ||
| 424 | BN_lshift(&two_768, BN_value_one(), 768); | ||
| 425 | BN_lshift(&two_640, BN_value_one(), 640); | ||
| 426 | BN_lshift(&two_128, BN_value_one(), 128); | ||
| 427 | BN_lshift(&two_512, BN_value_one(), 512); | ||
| 428 | |||
| 429 | if (0 == (m[7] & 0x8000000000000000)) { | ||
| 430 | exit(1); | ||
| 431 | } | ||
| 432 | if (0 == (m[0] & 0x1)) { /* Odd modulus required for Mont */ | ||
| 433 | exit(1); | ||
| 434 | } | ||
| 435 | |||
| 436 | /* Precompute m1 */ | ||
| 437 | BN_mod(&tmp, &two_768, &_m, ctx); | ||
| 438 | if (!bn_extract_to_array_512(&tmp, 8, &data->m1[0])) { | ||
| 439 | goto err; } | ||
| 440 | |||
| 441 | /* Precompute m2 */ | ||
| 442 | BN_mod(&tmp, &two_640, &_m, ctx); | ||
| 443 | if (!bn_extract_to_array_512(&tmp, 8, &data->m2[0])) { | ||
| 444 | goto err; | ||
| 445 | } | ||
| 446 | |||
| 447 | /* | ||
| 448 | * Precompute k1, a 128b number = ((-1)* m-1 ) mod 2128; k1 should | ||
| 449 | * be non-negative. | ||
| 450 | */ | ||
| 451 | BN_mod_inverse(&tmp, &_m, &two_128, ctx); | ||
| 452 | if (!BN_is_zero(&tmp)) { BN_sub(&tmp, &two_128, &tmp); } | ||
| 453 | if (!bn_extract_to_array_512(&tmp, 2, &data->k1[0])) { | ||
| 454 | goto err; } | ||
| 455 | |||
| 456 | /* Precompute t */ | ||
| 457 | for (i=0; i<8; i++) { | ||
| 458 | BN_zero(&tmp); | ||
| 459 | if (i & 1) { BN_add(&tmp, &two_512, &tmp); } | ||
| 460 | if (i & 2) { BN_add(&tmp, &two_512, &tmp); } | ||
| 461 | if (i & 4) { BN_add(&tmp, &two_640, &tmp); } | ||
| 462 | |||
| 463 | BN_nnmod(&tmp2, &tmp, &_m, ctx); | ||
| 464 | if (!bn_extract_to_array_512(&tmp2, 8, _t)) { | ||
| 465 | goto err; } | ||
| 466 | for (j=0; j<8; j++) data->t[j][i] = _t[j]; } | ||
| 467 | |||
| 468 | /* Precompute m */ | ||
| 469 | for (i=0; i<8; i++) { | ||
| 470 | data->m[i] = m[i]; } | ||
| 471 | |||
| 472 | ret = 1; | ||
| 473 | |||
| 474 | err: | ||
| 475 | /* Cleanup */ | ||
| 476 | if (ctx != NULL) { | ||
| 477 | BN_CTX_end(ctx); BN_CTX_free(ctx); } | ||
| 478 | BN_free(&two_768); | ||
| 479 | BN_free(&two_640); | ||
| 480 | BN_free(&two_128); | ||
| 481 | BN_free(&two_512); | ||
| 482 | BN_free(&tmp); | ||
| 483 | BN_free(&tmp2); | ||
| 484 | BN_free(&_m); | ||
| 485 | |||
| 486 | return ret; | ||
| 487 | } | ||
| 488 | |||
| 489 | |||
| 490 | static int e_rsax_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) | ||
| 491 | { | ||
| 492 | BIGNUM *r1,*m1,*vrfy; | ||
| 493 | BIGNUM local_dmp1,local_dmq1,local_c,local_r1; | ||
| 494 | BIGNUM *dmp1,*dmq1,*c,*pr1; | ||
| 495 | int ret=0; | ||
| 496 | |||
| 497 | BN_CTX_start(ctx); | ||
| 498 | r1 = BN_CTX_get(ctx); | ||
| 499 | m1 = BN_CTX_get(ctx); | ||
| 500 | vrfy = BN_CTX_get(ctx); | ||
| 501 | |||
| 502 | { | ||
| 503 | BIGNUM local_p, local_q; | ||
| 504 | BIGNUM *p = NULL, *q = NULL; | ||
| 505 | int error = 0; | ||
| 506 | |||
| 507 | /* Make sure BN_mod_inverse in Montgomery | ||
| 508 | * intialization uses the BN_FLG_CONSTTIME flag | ||
| 509 | * (unless RSA_FLAG_NO_CONSTTIME is set) | ||
| 510 | */ | ||
| 511 | if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) | ||
| 512 | { | ||
| 513 | BN_init(&local_p); | ||
| 514 | p = &local_p; | ||
| 515 | BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME); | ||
| 516 | |||
| 517 | BN_init(&local_q); | ||
| 518 | q = &local_q; | ||
| 519 | BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME); | ||
| 520 | } | ||
| 521 | else | ||
| 522 | { | ||
| 523 | p = rsa->p; | ||
| 524 | q = rsa->q; | ||
| 525 | } | ||
| 526 | |||
| 527 | if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) | ||
| 528 | { | ||
| 529 | if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p, CRYPTO_LOCK_RSA, p, ctx)) | ||
| 530 | error = 1; | ||
| 531 | if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_q, CRYPTO_LOCK_RSA, q, ctx)) | ||
| 532 | error = 1; | ||
| 533 | } | ||
| 534 | |||
| 535 | /* clean up */ | ||
| 536 | if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) | ||
| 537 | { | ||
| 538 | BN_free(&local_p); | ||
| 539 | BN_free(&local_q); | ||
| 540 | } | ||
| 541 | if ( error ) | ||
| 542 | goto err; | ||
| 543 | } | ||
| 544 | |||
| 545 | if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) | ||
| 546 | if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx)) | ||
| 547 | goto err; | ||
| 548 | |||
| 549 | /* compute I mod q */ | ||
| 550 | if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) | ||
| 551 | { | ||
| 552 | c = &local_c; | ||
| 553 | BN_with_flags(c, I, BN_FLG_CONSTTIME); | ||
| 554 | if (!BN_mod(r1,c,rsa->q,ctx)) goto err; | ||
| 555 | } | ||
| 556 | else | ||
| 557 | { | ||
| 558 | if (!BN_mod(r1,I,rsa->q,ctx)) goto err; | ||
| 559 | } | ||
| 560 | |||
| 561 | /* compute r1^dmq1 mod q */ | ||
| 562 | if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) | ||
| 563 | { | ||
| 564 | dmq1 = &local_dmq1; | ||
| 565 | BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME); | ||
| 566 | } | ||
| 567 | else | ||
| 568 | dmq1 = rsa->dmq1; | ||
| 569 | |||
| 570 | if (!e_rsax_bn_mod_exp(m1,r1,dmq1,rsa->q,ctx, | ||
| 571 | rsa->_method_mod_q, e_rsax_get_ctx(rsa, 0, rsa->q) )) goto err; | ||
| 572 | |||
| 573 | /* compute I mod p */ | ||
| 574 | if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) | ||
| 575 | { | ||
| 576 | c = &local_c; | ||
| 577 | BN_with_flags(c, I, BN_FLG_CONSTTIME); | ||
| 578 | if (!BN_mod(r1,c,rsa->p,ctx)) goto err; | ||
| 579 | } | ||
| 580 | else | ||
| 581 | { | ||
| 582 | if (!BN_mod(r1,I,rsa->p,ctx)) goto err; | ||
| 583 | } | ||
| 584 | |||
| 585 | /* compute r1^dmp1 mod p */ | ||
| 586 | if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) | ||
| 587 | { | ||
| 588 | dmp1 = &local_dmp1; | ||
| 589 | BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME); | ||
| 590 | } | ||
| 591 | else | ||
| 592 | dmp1 = rsa->dmp1; | ||
| 593 | |||
| 594 | if (!e_rsax_bn_mod_exp(r0,r1,dmp1,rsa->p,ctx, | ||
| 595 | rsa->_method_mod_p, e_rsax_get_ctx(rsa, 1, rsa->p) )) goto err; | ||
| 596 | |||
| 597 | if (!BN_sub(r0,r0,m1)) goto err; | ||
| 598 | /* This will help stop the size of r0 increasing, which does | ||
| 599 | * affect the multiply if it optimised for a power of 2 size */ | ||
| 600 | if (BN_is_negative(r0)) | ||
| 601 | if (!BN_add(r0,r0,rsa->p)) goto err; | ||
| 602 | |||
| 603 | if (!BN_mul(r1,r0,rsa->iqmp,ctx)) goto err; | ||
| 604 | |||
| 605 | /* Turn BN_FLG_CONSTTIME flag on before division operation */ | ||
| 606 | if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) | ||
| 607 | { | ||
| 608 | pr1 = &local_r1; | ||
| 609 | BN_with_flags(pr1, r1, BN_FLG_CONSTTIME); | ||
| 610 | } | ||
| 611 | else | ||
| 612 | pr1 = r1; | ||
| 613 | if (!BN_mod(r0,pr1,rsa->p,ctx)) goto err; | ||
| 614 | |||
| 615 | /* If p < q it is occasionally possible for the correction of | ||
| 616 | * adding 'p' if r0 is negative above to leave the result still | ||
| 617 | * negative. This can break the private key operations: the following | ||
| 618 | * second correction should *always* correct this rare occurrence. | ||
| 619 | * This will *never* happen with OpenSSL generated keys because | ||
| 620 | * they ensure p > q [steve] | ||
| 621 | */ | ||
| 622 | if (BN_is_negative(r0)) | ||
| 623 | if (!BN_add(r0,r0,rsa->p)) goto err; | ||
| 624 | if (!BN_mul(r1,r0,rsa->q,ctx)) goto err; | ||
| 625 | if (!BN_add(r0,r1,m1)) goto err; | ||
| 626 | |||
| 627 | if (rsa->e && rsa->n) | ||
| 628 | { | ||
| 629 | if (!e_rsax_bn_mod_exp(vrfy,r0,rsa->e,rsa->n,ctx,rsa->_method_mod_n, e_rsax_get_ctx(rsa, 2, rsa->n) )) | ||
| 630 | goto err; | ||
| 631 | |||
| 632 | /* If 'I' was greater than (or equal to) rsa->n, the operation | ||
| 633 | * will be equivalent to using 'I mod n'. However, the result of | ||
| 634 | * the verify will *always* be less than 'n' so we don't check | ||
| 635 | * for absolute equality, just congruency. */ | ||
| 636 | if (!BN_sub(vrfy, vrfy, I)) goto err; | ||
| 637 | if (!BN_mod(vrfy, vrfy, rsa->n, ctx)) goto err; | ||
| 638 | if (BN_is_negative(vrfy)) | ||
| 639 | if (!BN_add(vrfy, vrfy, rsa->n)) goto err; | ||
| 640 | if (!BN_is_zero(vrfy)) | ||
| 641 | { | ||
| 642 | /* 'I' and 'vrfy' aren't congruent mod n. Don't leak | ||
| 643 | * miscalculated CRT output, just do a raw (slower) | ||
| 644 | * mod_exp and return that instead. */ | ||
| 645 | |||
| 646 | BIGNUM local_d; | ||
| 647 | BIGNUM *d = NULL; | ||
| 648 | |||
| 649 | if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) | ||
| 650 | { | ||
| 651 | d = &local_d; | ||
| 652 | BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); | ||
| 653 | } | ||
| 654 | else | ||
| 655 | d = rsa->d; | ||
| 656 | if (!e_rsax_bn_mod_exp(r0,I,d,rsa->n,ctx, | ||
| 657 | rsa->_method_mod_n, e_rsax_get_ctx(rsa, 2, rsa->n) )) goto err; | ||
| 658 | } | ||
| 659 | } | ||
| 660 | ret=1; | ||
| 661 | |||
| 662 | err: | ||
| 663 | BN_CTX_end(ctx); | ||
| 664 | |||
| 665 | return ret; | ||
| 666 | } | ||
| 667 | #endif /* !OPENSSL_NO_RSA */ | ||
| 668 | #endif /* !COMPILE_RSAX */ | ||