summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/engine/eng_rsax.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/libcrypto/engine/eng_rsax.c')
-rw-r--r--src/lib/libcrypto/engine/eng_rsax.c613
1 files changed, 326 insertions, 287 deletions
diff --git a/src/lib/libcrypto/engine/eng_rsax.c b/src/lib/libcrypto/engine/eng_rsax.c
index f7b38b1156..ee18439070 100644
--- a/src/lib/libcrypto/engine/eng_rsax.c
+++ b/src/lib/libcrypto/engine/eng_rsax.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: eng_rsax.c,v 1.6 2014/06/12 15:49:29 deraadt Exp $ */ 1/* $OpenBSD: eng_rsax.c,v 1.7 2014/06/22 12:05:09 jsing Exp $ */
2/* Copyright (c) 2010-2010 Intel Corp. 2/* Copyright (c) 2010-2010 Intel Corp.
3 * Author: Vinodh.Gopal@intel.com 3 * Author: Vinodh.Gopal@intel.com
4 * Jim Guilford 4 * Jim Guilford
@@ -85,16 +85,17 @@ static ENGINE *ENGINE_rsax (void);
85#endif 85#endif
86 86
87void ENGINE_load_rsax (void) 87void ENGINE_load_rsax (void)
88 { 88{
89/* On non-x86 CPUs it just returns. */ 89/* On non-x86 CPUs it just returns. */
90#ifdef COMPILE_RSAX 90#ifdef COMPILE_RSAX
91 ENGINE *toadd = ENGINE_rsax(); 91 ENGINE *toadd = ENGINE_rsax();
92 if(!toadd) return; 92 if (!toadd)
93 return;
93 ENGINE_add(toadd); 94 ENGINE_add(toadd);
94 ENGINE_free(toadd); 95 ENGINE_free(toadd);
95 ERR_clear_error(); 96 ERR_clear_error();
96#endif 97#endif
97 } 98}
98 99
99#ifdef COMPILE_RSAX 100#ifdef COMPILE_RSAX
100#define E_RSAX_LIB_NAME "rsax engine" 101#define E_RSAX_LIB_NAME "rsax engine"
@@ -106,13 +107,14 @@ static int e_rsax_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void));
106 107
107#ifndef OPENSSL_NO_RSA 108#ifndef OPENSSL_NO_RSA
108/* RSA stuff */ 109/* RSA stuff */
109static int e_rsax_rsa_mod_exp(BIGNUM *r, const BIGNUM *I, RSA *rsa, BN_CTX *ctx); 110static int e_rsax_rsa_mod_exp(BIGNUM *r, const BIGNUM *I, RSA *rsa,
111 BN_CTX *ctx);
110static int e_rsax_rsa_finish(RSA *r); 112static int e_rsax_rsa_finish(RSA *r);
111#endif 113#endif
112 114
113static const ENGINE_CMD_DEFN e_rsax_cmd_defns[] = { 115static const ENGINE_CMD_DEFN e_rsax_cmd_defns[] = {
114 {0, NULL, NULL, 0} 116 {0, NULL, NULL, 0}
115 }; 117};
116 118
117#ifndef OPENSSL_NO_RSA 119#ifndef OPENSSL_NO_RSA
118/* Our internal RSA_METHOD that we provide pointers to */ 120/* Our internal RSA_METHOD that we provide pointers to */
@@ -129,21 +131,22 @@ static const char *engine_e_rsax_id = "rsax";
129static const char *engine_e_rsax_name = "RSAX engine support"; 131static const char *engine_e_rsax_name = "RSAX engine support";
130 132
131/* This internal function is used by ENGINE_rsax() */ 133/* This internal function is used by ENGINE_rsax() */
132static int bind_helper(ENGINE *e) 134static int
133 { 135bind_helper(ENGINE *e)
136{
134#ifndef OPENSSL_NO_RSA 137#ifndef OPENSSL_NO_RSA
135 const RSA_METHOD *meth1; 138 const RSA_METHOD *meth1;
136#endif 139#endif
137 if(!ENGINE_set_id(e, engine_e_rsax_id) || 140 if (!ENGINE_set_id(e, engine_e_rsax_id) ||
138 !ENGINE_set_name(e, engine_e_rsax_name) || 141 !ENGINE_set_name(e, engine_e_rsax_name) ||
139#ifndef OPENSSL_NO_RSA 142#ifndef OPENSSL_NO_RSA
140 !ENGINE_set_RSA(e, &e_rsax_rsa) || 143 !ENGINE_set_RSA(e, &e_rsax_rsa) ||
141#endif 144#endif
142 !ENGINE_set_destroy_function(e, e_rsax_destroy) || 145 !ENGINE_set_destroy_function(e, e_rsax_destroy) ||
143 !ENGINE_set_init_function(e, e_rsax_init) || 146 !ENGINE_set_init_function(e, e_rsax_init) ||
144 !ENGINE_set_finish_function(e, e_rsax_finish) || 147 !ENGINE_set_finish_function(e, e_rsax_finish) ||
145 !ENGINE_set_ctrl_function(e, e_rsax_ctrl) || 148 !ENGINE_set_ctrl_function(e, e_rsax_ctrl) ||
146 !ENGINE_set_cmd_defns(e, e_rsax_cmd_defns)) 149 !ENGINE_set_cmd_defns(e, e_rsax_cmd_defns))
147 return 0; 150 return 0;
148 151
149#ifndef OPENSSL_NO_RSA 152#ifndef OPENSSL_NO_RSA
@@ -155,64 +158,67 @@ static int bind_helper(ENGINE *e)
155 e_rsax_rsa.bn_mod_exp = meth1->bn_mod_exp; 158 e_rsax_rsa.bn_mod_exp = meth1->bn_mod_exp;
156#endif 159#endif
157 return 1; 160 return 1;
158 } 161}
159 162
160static ENGINE *ENGINE_rsax(void) 163static ENGINE *
161 { 164ENGINE_rsax(void)
165{
162 ENGINE *ret = ENGINE_new(); 166 ENGINE *ret = ENGINE_new();
163 if(!ret) 167
168 if (!ret)
164 return NULL; 169 return NULL;
165 if(!bind_helper(ret)) 170 if (!bind_helper(ret)) {
166 {
167 ENGINE_free(ret); 171 ENGINE_free(ret);
168 return NULL; 172 return NULL;
169 }
170 return ret;
171 } 173 }
174 return ret;
175}
172 176
173#ifndef OPENSSL_NO_RSA 177#ifndef OPENSSL_NO_RSA
174/* Used to attach our own key-data to an RSA structure */ 178/* Used to attach our own key-data to an RSA structure */
175static int rsax_ex_data_idx = -1; 179static int rsax_ex_data_idx = -1;
176#endif 180#endif
177 181
178static int e_rsax_destroy(ENGINE *e) 182static int
179 { 183e_rsax_destroy(ENGINE *e)
184{
180 return 1; 185 return 1;
181 } 186}
182 187
183/* (de)initialisation functions. */ 188/* (de)initialisation functions. */
184static int e_rsax_init(ENGINE *e) 189static int
185 { 190e_rsax_init(ENGINE *e)
191{
186#ifndef OPENSSL_NO_RSA 192#ifndef OPENSSL_NO_RSA
187 if (rsax_ex_data_idx == -1) 193 if (rsax_ex_data_idx == -1)
188 rsax_ex_data_idx = RSA_get_ex_new_index(0, 194 rsax_ex_data_idx = RSA_get_ex_new_index(0, NULL, NULL,
189 NULL, 195 NULL, NULL);
190 NULL, NULL, NULL);
191#endif 196#endif
192 if (rsax_ex_data_idx == -1) 197 if (rsax_ex_data_idx == -1)
193 return 0; 198 return 0;
194 return 1; 199 return 1;
195 } 200}
196 201
197static int e_rsax_finish(ENGINE *e) 202static int
198 { 203e_rsax_finish(ENGINE *e)
204{
199 return 1; 205 return 1;
200 } 206}
201 207
202static int e_rsax_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void)) 208static int
203 { 209e_rsax_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void))
210{
204 int to_return = 1; 211 int to_return = 1;
205 212
206 switch(cmd) 213 switch (cmd) {
207 { 214 /* The command isn't understood by this engine */
208 /* The command isn't understood by this engine */
209 default: 215 default:
210 to_return = 0; 216 to_return = 0;
211 break; 217 break;
212 } 218 }
213 219
214 return to_return; 220 return to_return;
215 } 221}
216 222
217 223
218#ifndef OPENSSL_NO_RSA 224#ifndef OPENSSL_NO_RSA
@@ -233,69 +239,71 @@ static int interleaved_array_to_bn_512(BIGNUM* b, UINT64 *array);
233/* Extract array elements from BIGNUM b 239/* Extract array elements from BIGNUM b
234 * To set the whole array from b, call with n=8 240 * To set the whole array from b, call with n=8
235 */ 241 */
236static int bn_extract_to_array_512(const BIGNUM* b, unsigned int n, UINT64 *array); 242static int bn_extract_to_array_512(const BIGNUM* b, unsigned int n,
243 UINT64 *array);
237 244
238struct mod_ctx_512 { 245struct mod_ctx_512 {
239 UINT64 t[8][8]; 246 UINT64 t[8][8];
240 UINT64 m[8]; 247 UINT64 m[8];
241 UINT64 m1[8]; /* 2^278 % m */ 248 UINT64 m1[8]; /* 2^278 % m */
242 UINT64 m2[8]; /* 2^640 % m */ 249 UINT64 m2[8]; /* 2^640 % m */
243 UINT64 k1[2]; /* (- 1/m) % 2^128 */ 250 UINT64 k1[2]; /* (- 1/m) % 2^128 */
244}; 251};
245 252
246static int mod_exp_pre_compute_data_512(UINT64 *m, struct mod_ctx_512 *data); 253static int mod_exp_pre_compute_data_512(UINT64 *m, struct mod_ctx_512 *data);
247 254
248void mod_exp_512(UINT64 *result, /* 512 bits, 8 qwords */ 255void mod_exp_512(UINT64 *result, /* 512 bits, 8 qwords */
249 UINT64 *g, /* 512 bits, 8 qwords */ 256UINT64 *g, /* 512 bits, 8 qwords */
250 UINT64 *exp, /* 512 bits, 8 qwords */ 257UINT64 *exp, /* 512 bits, 8 qwords */
251 struct mod_ctx_512 *data); 258struct mod_ctx_512 *data);
252 259
253typedef struct st_e_rsax_mod_ctx 260typedef struct st_e_rsax_mod_ctx {
254{ 261 UINT64 type;
255 UINT64 type; 262 union {
256 union { 263 struct mod_ctx_512 b512;
257 struct mod_ctx_512 b512; 264 } ctx;
258 } ctx;
259
260} E_RSAX_MOD_CTX; 265} E_RSAX_MOD_CTX;
261 266
262static E_RSAX_MOD_CTX *e_rsax_get_ctx(RSA *rsa, int idx, BIGNUM* m) 267static E_RSAX_MOD_CTX *
268e_rsax_get_ctx(RSA *rsa, int idx, BIGNUM* m)
263{ 269{
264 E_RSAX_MOD_CTX *hptr; 270 E_RSAX_MOD_CTX *hptr;
265 271
266 if (idx < 0 || idx > 2) 272 if (idx < 0 || idx > 2)
267 return NULL; 273 return NULL;
268 274
269 hptr = RSA_get_ex_data(rsa, rsax_ex_data_idx); 275 hptr = RSA_get_ex_data(rsa, rsax_ex_data_idx);
270 if (!hptr) { 276 if (!hptr) {
271 hptr = reallocarray(NULL, 3, sizeof(E_RSAX_MOD_CTX)); 277 hptr = reallocarray(NULL, 3, sizeof(E_RSAX_MOD_CTX));
272 if (!hptr) return NULL; 278 if (!hptr)
273 hptr[2].type = hptr[1].type= hptr[0].type = 0; 279 return NULL;
274 RSA_set_ex_data(rsa, rsax_ex_data_idx, hptr); 280 hptr[2].type = hptr[1].type = hptr[0].type = 0;
275 } 281 RSA_set_ex_data(rsa, rsax_ex_data_idx, hptr);
276 282 }
277 if (hptr[idx].type == (UINT64)BN_num_bits(m)) 283
278 return hptr+idx; 284 if (hptr[idx].type == (UINT64)BN_num_bits(m))
279 285 return hptr + idx;
280 if (BN_num_bits(m) == 512) { 286
281 UINT64 _m[8]; 287 if (BN_num_bits(m) == 512) {
282 bn_extract_to_array_512(m, 8, _m); 288 UINT64 _m[8];
283 memset( &hptr[idx].ctx.b512, 0, sizeof(struct mod_ctx_512)); 289 bn_extract_to_array_512(m, 8, _m);
284 mod_exp_pre_compute_data_512(_m, &hptr[idx].ctx.b512); 290 memset( &hptr[idx].ctx.b512, 0, sizeof(struct mod_ctx_512));
291 mod_exp_pre_compute_data_512(_m, &hptr[idx].ctx.b512);
285 } 292 }
286 293
287 hptr[idx].type = BN_num_bits(m); 294 hptr[idx].type = BN_num_bits(m);
288 return hptr+idx; 295 return hptr + idx;
289} 296}
290 297
291static int e_rsax_rsa_finish(RSA *rsa) 298static int
292 { 299e_rsax_rsa_finish(RSA *rsa)
300{
293 E_RSAX_MOD_CTX *hptr = RSA_get_ex_data(rsa, rsax_ex_data_idx); 301 E_RSAX_MOD_CTX *hptr = RSA_get_ex_data(rsa, rsax_ex_data_idx);
294 if(hptr) 302
295 { 303 if (hptr) {
296 free(hptr); 304 free(hptr);
297 RSA_set_ex_data(rsa, rsax_ex_data_idx, NULL); 305 RSA_set_ex_data(rsa, rsax_ex_data_idx, NULL);
298 } 306 }
299 if (rsa->_method_mod_n) 307 if (rsa->_method_mod_n)
300 BN_MONT_CTX_free(rsa->_method_mod_n); 308 BN_MONT_CTX_free(rsa->_method_mod_n);
301 if (rsa->_method_mod_p) 309 if (rsa->_method_mod_p)
@@ -303,28 +311,28 @@ static int e_rsax_rsa_finish(RSA *rsa)
303 if (rsa->_method_mod_q) 311 if (rsa->_method_mod_q)
304 BN_MONT_CTX_free(rsa->_method_mod_q); 312 BN_MONT_CTX_free(rsa->_method_mod_q);
305 return 1; 313 return 1;
306 } 314}
307
308 315
309static int e_rsax_bn_mod_exp(BIGNUM *r, const BIGNUM *g, const BIGNUM *e, 316static int
310 const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont, E_RSAX_MOD_CTX* rsax_mod_ctx ) 317e_rsax_bn_mod_exp(BIGNUM *r, const BIGNUM *g, const BIGNUM *e, const BIGNUM *m,
318 BN_CTX *ctx, BN_MONT_CTX *in_mont, E_RSAX_MOD_CTX* rsax_mod_ctx)
311{ 319{
312 if (rsax_mod_ctx && BN_get_flags(e, BN_FLG_CONSTTIME) != 0) { 320 if (rsax_mod_ctx && BN_get_flags(e, BN_FLG_CONSTTIME) != 0) {
313 if (BN_num_bits(m) == 512) { 321 if (BN_num_bits(m) == 512) {
314 UINT64 _r[8]; 322 UINT64 _r[8];
315 UINT64 _g[8]; 323 UINT64 _g[8];
316 UINT64 _e[8]; 324 UINT64 _e[8];
317 325
318 /* Init the arrays from the BIGNUMs */ 326 /* Init the arrays from the BIGNUMs */
319 bn_extract_to_array_512(g, 8, _g); 327 bn_extract_to_array_512(g, 8, _g);
320 bn_extract_to_array_512(e, 8, _e); 328 bn_extract_to_array_512(e, 8, _e);
321 329
322 mod_exp_512(_r, _g, _e, &rsax_mod_ctx->ctx.b512); 330 mod_exp_512(_r, _g, _e, &rsax_mod_ctx->ctx.b512);
323 /* Return the result in the BIGNUM */ 331 /* Return the result in the BIGNUM */
324 interleaved_array_to_bn_512(r, _r); 332 interleaved_array_to_bn_512(r, _r);
325 return 1; 333 return 1;
326 } 334 }
327 } 335 }
328 336
329 return BN_mod_exp_mont(r, g, e, m, ctx, in_mont); 337 return BN_mod_exp_mont(r, g, e, m, ctx, in_mont);
330} 338}
@@ -339,146 +347,177 @@ static int e_rsax_bn_mod_exp(BIGNUM *r, const BIGNUM *g, const BIGNUM *e,
339 * Local method: extracts a piece from a BIGNUM, to fit it into 347 * Local method: extracts a piece from a BIGNUM, to fit it into
340 * an array. Call with n=8 to extract an entire 512-bit BIGNUM 348 * an array. Call with n=8 to extract an entire 512-bit BIGNUM
341 */ 349 */
342static int bn_extract_to_array_512(const BIGNUM* b, unsigned int n, UINT64 *array) 350static int
351bn_extract_to_array_512(const BIGNUM* b, unsigned int n, UINT64 *array)
343{ 352{
344 int i; 353 int i;
345 UINT64 tmp; 354 UINT64 tmp;
346 unsigned char bn_buff[64]; 355 unsigned char bn_buff[64];
356
347 memset(bn_buff, 0, 64); 357 memset(bn_buff, 0, 64);
348 if (BN_num_bytes(b) > 64) { 358 if (BN_num_bytes(b) > 64) {
349 printf ("Can't support this byte size\n"); 359 printf ("Can't support this byte size\n");
350 return 0; } 360 return 0;
351 if (BN_num_bytes(b)!=0) { 361 }
352 if (!BN_bn2bin(b, bn_buff+(64-BN_num_bytes(b)))) { 362 if (BN_num_bytes(b) != 0) {
363 if (!BN_bn2bin(b, bn_buff + (64 - BN_num_bytes(b)))) {
353 printf ("Error's in bn2bin\n"); 364 printf ("Error's in bn2bin\n");
354 /* We have to error, here */ 365 /* We have to error, here */
355 return 0; } } 366 return 0;
367 }
368 }
356 while (n-- > 0) { 369 while (n-- > 0) {
357 array[n] = 0; 370 array[n] = 0;
358 for (i=7; i>=0; i--) { 371 for (i = 7; i >= 0; i--) {
359 tmp = bn_buff[63-(n*8+i)]; 372 tmp = bn_buff[63 - (n*8 + i)];
360 array[n] |= tmp << (8*i); } } 373 array[n] |= tmp << (8*i);
374 }
375 }
361 return 1; 376 return 1;
362} 377}
363 378
364/* Init a 512-bit BIGNUM from the UINT64*_ (8 * 64) interleaved array */ 379/* Init a 512-bit BIGNUM from the UINT64*_ (8 * 64) interleaved array */
365static int interleaved_array_to_bn_512(BIGNUM* b, UINT64 *array) 380static int
381interleaved_array_to_bn_512(BIGNUM* b, UINT64 *array)
366{ 382{
367 unsigned char tmp[64]; 383 unsigned char tmp[64];
368 int n=8; 384 int n = 8;
369 int i; 385 int i;
386
370 while (n-- > 0) { 387 while (n-- > 0) {
371 for (i = 7; i>=0; i--) { 388 for (i = 7; i >= 0; i--) {
372 tmp[63-(n*8+i)] = (unsigned char)(array[n]>>(8*i)); } } 389 tmp[63 - (n * 8 + i)] =
390 (unsigned char)(array[n] >> (8 * i));
391 }
392 }
373 BN_bin2bn(tmp, 64, b); 393 BN_bin2bn(tmp, 64, b);
374 return 0; 394 return 0;
375} 395}
376 396
377
378/* The main 512bit precompute call */ 397/* The main 512bit precompute call */
379static int mod_exp_pre_compute_data_512(UINT64 *m, struct mod_ctx_512 *data) 398static int
380 { 399mod_exp_pre_compute_data_512(UINT64 *m, struct mod_ctx_512 *data)
381 BIGNUM two_768, two_640, two_128, two_512, tmp, _m, tmp2; 400{
382 401 BIGNUM two_768, two_640, two_128, two_512, tmp, _m, tmp2;
383 /* We need a BN_CTX for the modulo functions */ 402
384 BN_CTX* ctx; 403 /* We need a BN_CTX for the modulo functions */
385 /* Some tmps */ 404 BN_CTX* ctx;
386 UINT64 _t[8]; 405 /* Some tmps */
387 int i, j, ret = 0; 406 UINT64 _t[8];
388 407 int i, j, ret = 0;
389 /* Init _m with m */ 408
390 BN_init(&_m); 409 /* Init _m with m */
391 interleaved_array_to_bn_512(&_m, m); 410 BN_init(&_m);
392 memset(_t, 0, 64); 411 interleaved_array_to_bn_512(&_m, m);
393 412 memset(_t, 0, 64);
394 /* Inits */ 413
395 BN_init(&two_768); 414 /* Inits */
396 BN_init(&two_640); 415 BN_init(&two_768);
397 BN_init(&two_128); 416 BN_init(&two_640);
398 BN_init(&two_512); 417 BN_init(&two_128);
399 BN_init(&tmp); 418 BN_init(&two_512);
400 BN_init(&tmp2); 419 BN_init(&tmp);
401 420 BN_init(&tmp2);
402 /* Create our context */ 421
403 if ((ctx=BN_CTX_new()) == NULL) { goto err; } 422 /* Create our context */
423 if ((ctx = BN_CTX_new()) == NULL) {
424 goto err;
425 }
404 BN_CTX_start(ctx); 426 BN_CTX_start(ctx);
405 427
406 /* 428 /*
407 * For production, if you care, these only need to be set once, 429 * For production, if you care, these only need to be set once,
408 * and may be made constants. 430 * and may be made constants.
409 */ 431 */
410 BN_lshift(&two_768, BN_value_one(), 768); 432 BN_lshift(&two_768, BN_value_one(), 768);
411 BN_lshift(&two_640, BN_value_one(), 640); 433 BN_lshift(&two_640, BN_value_one(), 640);
412 BN_lshift(&two_128, BN_value_one(), 128); 434 BN_lshift(&two_128, BN_value_one(), 128);
413 BN_lshift(&two_512, BN_value_one(), 512); 435 BN_lshift(&two_512, BN_value_one(), 512);
414 436
415 if (0 == (m[7] & 0x8000000000000000)) { 437 if (0 == (m[7] & 0x8000000000000000)) {
416 exit(1); 438 exit(1);
417 } 439 }
418 if (0 == (m[0] & 0x1)) { /* Odd modulus required for Mont */ 440 if (0 == (m[0] & 0x1)) {
419 exit(1); 441 /* Odd modulus required for Mont */
420 } 442 exit(1);
421 443 }
422 /* Precompute m1 */ 444
423 BN_mod(&tmp, &two_768, &_m, ctx); 445 /* Precompute m1 */
424 if (!bn_extract_to_array_512(&tmp, 8, &data->m1[0])) { 446 BN_mod(&tmp, &two_768, &_m, ctx);
425 goto err; } 447 if (!bn_extract_to_array_512(&tmp, 8, &data->m1[0])) {
426 448 goto err;
427 /* Precompute m2 */ 449 }
428 BN_mod(&tmp, &two_640, &_m, ctx); 450
429 if (!bn_extract_to_array_512(&tmp, 8, &data->m2[0])) { 451 /* Precompute m2 */
430 goto err; 452 BN_mod(&tmp, &two_640, &_m, ctx);
431 } 453 if (!bn_extract_to_array_512(&tmp, 8, &data->m2[0])) {
432 454 goto err;
433 /* 455 }
434 * Precompute k1, a 128b number = ((-1)* m-1 ) mod 2128; k1 should 456
435 * be non-negative. 457 /*
436 */ 458 * Precompute k1, a 128b number = ((-1)* m-1 ) mod 2128; k1 should
437 BN_mod_inverse(&tmp, &_m, &two_128, ctx); 459 * be non-negative.
438 if (!BN_is_zero(&tmp)) { BN_sub(&tmp, &two_128, &tmp); } 460 */
439 if (!bn_extract_to_array_512(&tmp, 2, &data->k1[0])) { 461 BN_mod_inverse(&tmp, &_m, &two_128, ctx);
440 goto err; } 462 if (!BN_is_zero(&tmp)) {
441 463 BN_sub(&tmp, &two_128, &tmp);
442 /* Precompute t */ 464 }
443 for (i=0; i<8; i++) { 465 if (!bn_extract_to_array_512(&tmp, 2, &data->k1[0])) {
444 BN_zero(&tmp); 466 goto err;
445 if (i & 1) { BN_add(&tmp, &two_512, &tmp); } 467 }
446 if (i & 2) { BN_add(&tmp, &two_512, &tmp); } 468
447 if (i & 4) { BN_add(&tmp, &two_640, &tmp); } 469 /* Precompute t */
448 470 for (i = 0; i < 8; i++) {
449 BN_nnmod(&tmp2, &tmp, &_m, ctx); 471 BN_zero(&tmp);
450 if (!bn_extract_to_array_512(&tmp2, 8, _t)) { 472 if (i & 1) {
451 goto err; } 473 BN_add(&tmp, &two_512, &tmp);
452 for (j=0; j<8; j++) data->t[j][i] = _t[j]; } 474 }
453 475 if (i & 2) {
454 /* Precompute m */ 476 BN_add(&tmp, &two_512, &tmp);
455 for (i=0; i<8; i++) { 477 }
456 data->m[i] = m[i]; } 478 if (i & 4) {
457 479 BN_add(&tmp, &two_640, &tmp);
458 ret = 1; 480 }
481
482 BN_nnmod(&tmp2, &tmp, &_m, ctx);
483 if (!bn_extract_to_array_512(&tmp2, 8, _t)) {
484 goto err;
485 }
486 for (j = 0; j < 8; j++)
487 data->t[j][i] = _t[j];
488 }
489
490 /* Precompute m */
491 for (i = 0; i < 8; i++) {
492 data->m[i] = m[i];
493 }
494
495 ret = 1;
459 496
460err: 497err:
461 /* Cleanup */ 498 /* Cleanup */
462 if (ctx != NULL) { 499 if (ctx != NULL) {
463 BN_CTX_end(ctx); BN_CTX_free(ctx); } 500 BN_CTX_end(ctx);
464 BN_free(&two_768); 501 BN_CTX_free(ctx);
465 BN_free(&two_640); 502 }
466 BN_free(&two_128); 503 BN_free(&two_768);
467 BN_free(&two_512); 504 BN_free(&two_640);
468 BN_free(&tmp); 505 BN_free(&two_128);
469 BN_free(&tmp2); 506 BN_free(&two_512);
470 BN_free(&_m); 507 BN_free(&tmp);
471 508 BN_free(&tmp2);
472 return ret; 509 BN_free(&_m);
473}
474 510
511 return ret;
512}
475 513
476static int e_rsax_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) 514static int
477 { 515e_rsax_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
478 BIGNUM *r1,*m1,*vrfy; 516{
479 BIGNUM local_dmp1,local_dmq1,local_c,local_r1; 517 BIGNUM *r1, *m1, *vrfy;
480 BIGNUM *dmp1,*dmq1,*c,*pr1; 518 BIGNUM local_dmp1, local_dmq1, local_c, local_r1;
481 int ret=0; 519 BIGNUM *dmp1, *dmq1, *c, *pr1;
520 int ret = 0;
482 521
483 BN_CTX_start(ctx); 522 BN_CTX_start(ctx);
484 r1 = BN_CTX_get(ctx); 523 r1 = BN_CTX_get(ctx);
@@ -494,8 +533,7 @@ static int e_rsax_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx
494 * intialization uses the BN_FLG_CONSTTIME flag 533 * intialization uses the BN_FLG_CONSTTIME flag
495 * (unless RSA_FLAG_NO_CONSTTIME is set) 534 * (unless RSA_FLAG_NO_CONSTTIME is set)
496 */ 535 */
497 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) 536 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
498 {
499 BN_init(&local_p); 537 BN_init(&local_p);
500 p = &local_p; 538 p = &local_p;
501 BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME); 539 BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
@@ -503,100 +541,97 @@ static int e_rsax_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx
503 BN_init(&local_q); 541 BN_init(&local_q);
504 q = &local_q; 542 q = &local_q;
505 BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME); 543 BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME);
506 } 544 } else {
507 else
508 {
509 p = rsa->p; 545 p = rsa->p;
510 q = rsa->q; 546 q = rsa->q;
511 } 547 }
512 548
513 if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) 549 if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) {
514 { 550 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p,
515 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p, CRYPTO_LOCK_RSA, p, ctx)) 551 CRYPTO_LOCK_RSA, p, ctx))
516 error = 1; 552 error = 1;
517 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_q, CRYPTO_LOCK_RSA, q, ctx)) 553 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_q,
554 CRYPTO_LOCK_RSA, q, ctx))
518 error = 1; 555 error = 1;
519 } 556 }
520 557
521 /* clean up */ 558 /* clean up */
522 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) 559 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
523 {
524 BN_free(&local_p); 560 BN_free(&local_p);
525 BN_free(&local_q); 561 BN_free(&local_q);
526 } 562 }
527 if ( error ) 563 if (error )
528 goto err; 564 goto err;
529 } 565 }
530 566
531 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 567 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
532 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx)) 568 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
569 CRYPTO_LOCK_RSA, rsa->n, ctx))
533 goto err; 570 goto err;
534 571
535 /* compute I mod q */ 572 /* compute I mod q */
536 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) 573 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
537 {
538 c = &local_c; 574 c = &local_c;
539 BN_with_flags(c, I, BN_FLG_CONSTTIME); 575 BN_with_flags(c, I, BN_FLG_CONSTTIME);
540 if (!BN_mod(r1,c,rsa->q,ctx)) goto err; 576 if (!BN_mod(r1, c,rsa->q, ctx))
541 } 577 goto err;
542 else 578 } else {
543 { 579 if (!BN_mod(r1, I,rsa->q, ctx))
544 if (!BN_mod(r1,I,rsa->q,ctx)) goto err; 580 goto err;
545 } 581 }
546 582
547 /* compute r1^dmq1 mod q */ 583 /* compute r1^dmq1 mod q */
548 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) 584 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
549 {
550 dmq1 = &local_dmq1; 585 dmq1 = &local_dmq1;
551 BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME); 586 BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME);
552 } 587 } else
553 else
554 dmq1 = rsa->dmq1; 588 dmq1 = rsa->dmq1;
555 589
556 if (!e_rsax_bn_mod_exp(m1,r1,dmq1,rsa->q,ctx, 590 if (!e_rsax_bn_mod_exp(m1, r1, dmq1, rsa->q, ctx, rsa->_method_mod_q,
557 rsa->_method_mod_q, e_rsax_get_ctx(rsa, 0, rsa->q) )) goto err; 591 e_rsax_get_ctx(rsa, 0, rsa->q)))
592 goto err;
558 593
559 /* compute I mod p */ 594 /* compute I mod p */
560 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) 595 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
561 {
562 c = &local_c; 596 c = &local_c;
563 BN_with_flags(c, I, BN_FLG_CONSTTIME); 597 BN_with_flags(c, I, BN_FLG_CONSTTIME);
564 if (!BN_mod(r1,c,rsa->p,ctx)) goto err; 598 if (!BN_mod(r1, c,rsa->p, ctx))
565 } 599 goto err;
566 else 600 } else {
567 { 601 if (!BN_mod(r1, I,rsa->p, ctx))
568 if (!BN_mod(r1,I,rsa->p,ctx)) goto err; 602 goto err;
569 } 603 }
570 604
571 /* compute r1^dmp1 mod p */ 605 /* compute r1^dmp1 mod p */
572 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) 606 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
573 {
574 dmp1 = &local_dmp1; 607 dmp1 = &local_dmp1;
575 BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME); 608 BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME);
576 } 609 } else
577 else
578 dmp1 = rsa->dmp1; 610 dmp1 = rsa->dmp1;
579 611
580 if (!e_rsax_bn_mod_exp(r0,r1,dmp1,rsa->p,ctx, 612 if (!e_rsax_bn_mod_exp(r0, r1, dmp1, rsa->p, ctx, rsa->_method_mod_p,
581 rsa->_method_mod_p, e_rsax_get_ctx(rsa, 1, rsa->p) )) goto err; 613 e_rsax_get_ctx(rsa, 1, rsa->p)))
614 goto err;
582 615
583 if (!BN_sub(r0,r0,m1)) goto err; 616 if (!BN_sub(r0, r0, m1))
617 goto err;
584 /* This will help stop the size of r0 increasing, which does 618 /* This will help stop the size of r0 increasing, which does
585 * affect the multiply if it optimised for a power of 2 size */ 619 * affect the multiply if it optimised for a power of 2 size */
586 if (BN_is_negative(r0)) 620 if (BN_is_negative(r0))
587 if (!BN_add(r0,r0,rsa->p)) goto err; 621 if (!BN_add(r0, r0, rsa->p))
622 goto err;
588 623
589 if (!BN_mul(r1,r0,rsa->iqmp,ctx)) goto err; 624 if (!BN_mul(r1, r0, rsa->iqmp, ctx))
625 goto err;
590 626
591 /* Turn BN_FLG_CONSTTIME flag on before division operation */ 627 /* Turn BN_FLG_CONSTTIME flag on before division operation */
592 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) 628 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
593 {
594 pr1 = &local_r1; 629 pr1 = &local_r1;
595 BN_with_flags(pr1, r1, BN_FLG_CONSTTIME); 630 BN_with_flags(pr1, r1, BN_FLG_CONSTTIME);
596 } 631 } else
597 else
598 pr1 = r1; 632 pr1 = r1;
599 if (!BN_mod(r0,pr1,rsa->p,ctx)) goto err; 633 if (!BN_mod(r0, pr1, rsa->p, ctx))
634 goto err;
600 635
601 /* If p < q it is occasionally possible for the correction of 636 /* If p < q it is occasionally possible for the correction of
602 * adding 'p' if r0 is negative above to leave the result still 637 * adding 'p' if r0 is negative above to leave the result still
@@ -606,25 +641,30 @@ static int e_rsax_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx
606 * they ensure p > q [steve] 641 * they ensure p > q [steve]
607 */ 642 */
608 if (BN_is_negative(r0)) 643 if (BN_is_negative(r0))
609 if (!BN_add(r0,r0,rsa->p)) goto err; 644 if (!BN_add(r0, r0, rsa->p))
610 if (!BN_mul(r1,r0,rsa->q,ctx)) goto err; 645 goto err;
611 if (!BN_add(r0,r1,m1)) goto err; 646 if (!BN_mul(r1, r0, rsa->q, ctx))
612 647 goto err;
613 if (rsa->e && rsa->n) 648 if (!BN_add(r0, r1, m1))
614 { 649 goto err;
615 if (!e_rsax_bn_mod_exp(vrfy,r0,rsa->e,rsa->n,ctx,rsa->_method_mod_n, e_rsax_get_ctx(rsa, 2, rsa->n) )) 650
616 goto err; 651 if (rsa->e && rsa->n) {
652 if (!e_rsax_bn_mod_exp(vrfy, r0, rsa->e, rsa->n, ctx,
653 rsa->_method_mod_n, e_rsax_get_ctx(rsa, 2, rsa->n)))
654 goto err;
617 655
618 /* If 'I' was greater than (or equal to) rsa->n, the operation 656 /* If 'I' was greater than (or equal to) rsa->n, the operation
619 * will be equivalent to using 'I mod n'. However, the result of 657 * will be equivalent to using 'I mod n'. However, the result of
620 * the verify will *always* be less than 'n' so we don't check 658 * the verify will *always* be less than 'n' so we don't check
621 * for absolute equality, just congruency. */ 659 * for absolute equality, just congruency. */
622 if (!BN_sub(vrfy, vrfy, I)) goto err; 660 if (!BN_sub(vrfy, vrfy, I))
623 if (!BN_mod(vrfy, vrfy, rsa->n, ctx)) goto err; 661 goto err;
662 if (!BN_mod(vrfy, vrfy, rsa->n, ctx))
663 goto err;
624 if (BN_is_negative(vrfy)) 664 if (BN_is_negative(vrfy))
625 if (!BN_add(vrfy, vrfy, rsa->n)) goto err; 665 if (!BN_add(vrfy, vrfy, rsa->n))
626 if (!BN_is_zero(vrfy)) 666 goto err;
627 { 667 if (!BN_is_zero(vrfy)) {
628 /* 'I' and 'vrfy' aren't congruent mod n. Don't leak 668 /* 'I' and 'vrfy' aren't congruent mod n. Don't leak
629 * miscalculated CRT output, just do a raw (slower) 669 * miscalculated CRT output, just do a raw (slower)
630 * mod_exp and return that instead. */ 670 * mod_exp and return that instead. */
@@ -632,23 +672,22 @@ static int e_rsax_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx
632 BIGNUM local_d; 672 BIGNUM local_d;
633 BIGNUM *d = NULL; 673 BIGNUM *d = NULL;
634 674
635 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) 675 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
636 {
637 d = &local_d; 676 d = &local_d;
638 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); 677 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
639 } 678 } else
640 else
641 d = rsa->d; 679 d = rsa->d;
642 if (!e_rsax_bn_mod_exp(r0,I,d,rsa->n,ctx, 680 if (!e_rsax_bn_mod_exp(r0, I,d, rsa->n, ctx,
643 rsa->_method_mod_n, e_rsax_get_ctx(rsa, 2, rsa->n) )) goto err; 681 rsa->_method_mod_n, e_rsax_get_ctx(rsa, 2, rsa->n)))
644 } 682 goto err;
645 } 683 }
646 ret=1; 684 }
685 ret = 1;
647 686
648err: 687err:
649 BN_CTX_end(ctx); 688 BN_CTX_end(ctx);
650 689
651 return ret; 690 return ret;
652 } 691}
653#endif /* !OPENSSL_NO_RSA */ 692#endif /* !OPENSSL_NO_RSA */
654#endif /* !COMPILE_RSAX */ 693#endif /* !COMPILE_RSAX */
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-10-31 06:34:05 +0000