Two new Curve25519 implementations (generic "i31" code, and optimised code with MUL31).
[BearSSL] / src / rsa / rsa_i15_priv.c
1 /*
2 * Copyright (c) 2017 Thomas Pornin <pornin@bolet.org>
3 *
4 * Permission is hereby granted, free of charge, to any person obtaining
5 * a copy of this software and associated documentation files (the
6 * "Software"), to deal in the Software without restriction, including
7 * without limitation the rights to use, copy, modify, merge, publish,
8 * distribute, sublicense, and/or sell copies of the Software, and to
9 * permit persons to whom the Software is furnished to do so, subject to
10 * the following conditions:
11 *
12 * The above copyright notice and this permission notice shall be
13 * included in all copies or substantial portions of the Software.
14 *
15 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
16 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
17 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
18 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
19 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
20 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
21 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
22 * SOFTWARE.
23 */
24
25 #include "inner.h"
26
27 #define U (1 + ((BR_MAX_RSA_FACTOR + 14) / 15))
28
29 /* see bearssl_rsa.h */
30 uint32_t
31 br_rsa_i15_private(unsigned char *x, const br_rsa_private_key *sk)
32 {
33 const unsigned char *p, *q;
34 size_t plen, qlen;
35 uint16_t tmp[6 * U];
36 uint16_t *mp, *mq, *s1, *s2, *t1, *t2, *t3;
37 uint16_t p0i, q0i;
38 size_t xlen;
39
40 /*
41 * All our temporary buffers are from the tmp[] array.
42 *
43 * The mp, mq, s1, s2, t1 and t2 buffers are large enough to
44 * contain a RSA factor. The t3 buffer can contain a complete
45 * RSA modulus. t3 shares its storage space with s2, s1 and t1,
46 * in that order (this is important, see below).
47 */
48 mq = tmp;
49 mp = tmp + U;
50 t2 = tmp + 2 * U;
51 s2 = tmp + 3 * U;
52 s1 = tmp + 4 * U;
53 t1 = tmp + 5 * U;
54 t3 = s2;
55
56 /*
57 * Compute the actual lengths (in bytes) of p and q, and check
58 * that they fit within our stack buffers.
59 */
60 p = sk->p;
61 plen = sk->plen;
62 while (plen > 0 && *p == 0) {
63 p ++;
64 plen --;
65 }
66 q = sk->q;
67 qlen = sk->qlen;
68 while (qlen > 0 && *q == 0) {
69 q ++;
70 qlen --;
71 }
72 if (plen > (BR_MAX_RSA_FACTOR >> 3)
73 || qlen > (BR_MAX_RSA_FACTOR >> 3))
74 {
75 return 0;
76 }
77
78 /*
79 * Decode p and q.
80 */
81 br_i15_decode(mp, p, plen);
82 br_i15_decode(mq, q, qlen);
83
84 /*
85 * Compute signature length (in bytes).
86 */
87 xlen = (sk->n_bitlen + 7) >> 3;
88
89 /*
90 * Compute s1 = x^dp mod p.
91 */
92 p0i = br_i15_ninv15(mp[1]);
93 br_i15_decode_reduce(s1, x, xlen, mp);
94 br_i15_modpow(s1, sk->dp, sk->dplen, mp, p0i, t1, t2);
95
96 /*
97 * Compute s2 = x^dq mod q.
98 */
99 q0i = br_i15_ninv15(mq[1]);
100 br_i15_decode_reduce(s2, x, xlen, mq);
101 br_i15_modpow(s2, sk->dq, sk->dqlen, mq, q0i, t1, t2);
102
103 /*
104 * Compute:
105 * h = (s1 - s2)*(1/q) mod p
106 * s1 is an integer modulo p, but s2 is modulo q. PKCS#1 is
107 * unclear about whether p may be lower than q (some existing,
108 * widely deployed implementations of RSA don't tolerate p < q),
109 * but we want to support that occurrence, so we need to use the
110 * reduction function.
111 *
112 * Since we use br_i15_decode_reduce() for iq (purportedly, the
113 * inverse of q modulo p), we also tolerate improperly large
114 * values for this parameter.
115 */
116 br_i15_reduce(t2, s2, mp);
117 br_i15_add(s1, mp, br_i15_sub(s1, t2, 1));
118 br_i15_to_monty(s1, mp);
119 br_i15_decode_reduce(t1, sk->iq, sk->iqlen, mp);
120 br_i15_montymul(t2, s1, t1, mp, p0i);
121
122 /*
123 * h is now in t2. We compute the final result:
124 * s = s2 + q*h
125 * All these operations are non-modular.
126 *
127 * We need mq, s2 and t2. We use the t3 buffer as destination.
128 * The buffers mp, s1 and t1 are no longer needed. Moreover,
129 * the first step is to copy s2 into the destination buffer t3.
130 * We thus arranged for t3 to actually share space with s2, and
131 * to be followed by the space formerly used by s1 and t1.
132 */
133 br_i15_mulacc(t3, mq, t2);
134
135 /*
136 * Encode the result. Since we already checked the value of xlen,
137 * we can just use it right away.
138 */
139 br_i15_encode(x, xlen, t3);
140
141 /*
142 * The only error conditions remaining at that point are invalid
143 * values for p and q (even integers).
144 */
145 return p0i & q0i & 1;
146 }