static int bn_blinding_update(BN_BLINDING *b, const RSA *rsa, BN_CTX *ctx) {
if (++b->counter == BN_BLINDING_COUNTER) {
/* re-create blinding parameters */
if (!bn_blinding_create_param(b, rsa, ctx)) {
goto err;
}
b->counter = 0;
} else {
if (!BN_mod_mul_montgomery(b->A, b->A, b->A, rsa->mont_n, ctx) ||
!BN_mod_mul_montgomery(b->Ai, b->Ai, b->Ai, rsa->mont_n, ctx)) {
goto err;
}
}
return 1;
err:
/* |A| and |Ai| may be in an inconsistent state so they both need to be
* replaced the next time this blinding is used. Note that this is only
* sufficient because support for |BN_BLINDING_NO_UPDATE| and
* |BN_BLINDING_NO_RECREATE| was previously dropped. */
b->counter = BN_BLINDING_COUNTER - 1;
return 0;
}
int BN_BLINDING_invert(BIGNUM *n, const BN_BLINDING *b, BN_MONT_CTX *mont,
BN_CTX *ctx) {
if (!BN_mod_mul_montgomery(n, n, b->Ai, mont, ctx)) {
return 0;
}
return 1;
}
int BN_BLINDING_convert(BIGNUM *n, BN_BLINDING *b, const RSA *rsa, BN_CTX *ctx) {
if (!bn_blinding_update(b, rsa, ctx) ||
!BN_mod_mul_montgomery(n, n, b->A, rsa->mont_n, ctx)) {
return 0;
}
return 1;
}
int ec_GFp_mont_field_sqr(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
BN_CTX *ctx) {
if (group->field_data1 == NULL) {
OPENSSL_PUT_ERROR(EC, ec_GFp_mont_field_sqr, EC_R_NOT_INITIALIZED);
return 0;
}
return BN_mod_mul_montgomery(r, a, a, group->field_data1, ctx);
}
int ec_GFp_mont_field_mul(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
const BIGNUM *b, BN_CTX *ctx) {
if (group->mont == NULL) {
OPENSSL_PUT_ERROR(EC, EC_R_NOT_INITIALIZED);
return 0;
}
return BN_mod_mul_montgomery(r, a, b, group->mont, ctx);
}
int
ec_GFp_mont_field_mul(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
const BIGNUM *b, BN_CTX *ctx)
{
if (group->field_data1 == NULL) {
ECerror(EC_R_NOT_INITIALIZED);
return 0;
}
return BN_mod_mul_montgomery(r, a, b, group->field_data1, ctx);
}
int ec_GFp_mont_field_sqr(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, BN_CTX *ctx)
{
if (group->field_data1 == NULL)
{
ECerr(EC_F_EC_GFP_MONT_FIELD_SQR, EC_R_NOT_INITIALIZED);
return 0;
}
return BN_mod_mul_montgomery(r, a, a, group->field_data1, ctx);
}
int BN_to_montgomery(BIGNUM *ret, const BIGNUM *a, const BN_MONT_CTX *mont,
BN_CTX *ctx) {
return BN_mod_mul_montgomery(ret, a, &mont->RR, mont, ctx);
}
static int mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) {
assert(ctx != NULL);
assert(rsa->n != NULL);
assert(rsa->e != NULL);
assert(rsa->d != NULL);
assert(rsa->p != NULL);
assert(rsa->q != NULL);
assert(rsa->dmp1 != NULL);
assert(rsa->dmq1 != NULL);
assert(rsa->iqmp != NULL);
BIGNUM *r1, *m1;
int ret = 0;
BN_CTX_start(ctx);
r1 = BN_CTX_get(ctx);
m1 = BN_CTX_get(ctx);
if (r1 == NULL ||
m1 == NULL) {
goto err;
}
if (!freeze_private_key(rsa, ctx)) {
goto err;
}
// Implementing RSA with CRT in constant-time is sensitive to which prime is
// larger. Canonicalize fields so that |p| is the larger prime.
const BIGNUM *dmp1 = rsa->dmp1_fixed, *dmq1 = rsa->dmq1_fixed;
const BN_MONT_CTX *mont_p = rsa->mont_p, *mont_q = rsa->mont_q;
if (BN_cmp(rsa->p, rsa->q) < 0) {
mont_p = rsa->mont_q;
mont_q = rsa->mont_p;
dmp1 = rsa->dmq1_fixed;
dmq1 = rsa->dmp1_fixed;
}
// Use the minimal-width versions of |n|, |p|, and |q|. Either works, but if
// someone gives us non-minimal values, these will be slightly more efficient
// on the non-Montgomery operations.
const BIGNUM *n = &rsa->mont_n->N;
const BIGNUM *p = &mont_p->N;
const BIGNUM *q = &mont_q->N;
// This is a pre-condition for |mod_montgomery|. It was already checked by the
// caller.
assert(BN_ucmp(I, n) < 0);
if (// |m1| is the result modulo |q|.
!mod_montgomery(r1, I, q, mont_q, p, ctx) ||
!BN_mod_exp_mont_consttime(m1, r1, dmq1, q, ctx, mont_q) ||
// |r0| is the result modulo |p|.
!mod_montgomery(r1, I, p, mont_p, q, ctx) ||
!BN_mod_exp_mont_consttime(r0, r1, dmp1, p, ctx, mont_p) ||
// Compute r0 = r0 - m1 mod p. |p| is the larger prime, so |m1| is already
// fully reduced mod |p|.
!bn_mod_sub_consttime(r0, r0, m1, p, ctx) ||
// r0 = r0 * iqmp mod p. We use Montgomery multiplication to compute this
// in constant time. |inv_small_mod_large_mont| is in Montgomery form and
// r0 is not, so the result is taken out of Montgomery form.
!BN_mod_mul_montgomery(r0, r0, rsa->inv_small_mod_large_mont, mont_p,
ctx) ||
// r0 = r0 * q + m1 gives the final result. Reducing modulo q gives m1, so
// it is correct mod p. Reducing modulo p gives (r0-m1)*iqmp*q + m1 = r0,
// so it is correct mod q. Finally, the result is bounded by [m1, n + m1),
// and the result is at least |m1|, so this must be the unique answer in
// [0, n).
!bn_mul_consttime(r0, r0, q, ctx) ||
!bn_uadd_consttime(r0, r0, m1) ||
// The result should be bounded by |n|, but fixed-width operations may
// bound the width slightly higher, so fix it.
!bn_resize_words(r0, n->width)) {
goto err;
}
ret = 1;
err:
BN_CTX_end(ctx);
return ret;
}
static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len,
const BIGNUM *in_kinv, const BIGNUM *in_r,
EC_KEY *eckey)
{
int ok = 0, i;
BIGNUM *kinv = NULL, *s, *m = NULL, *order = NULL;
const BIGNUM *ckinv;
BN_CTX *ctx = NULL;
const EC_GROUP *group;
ECDSA_SIG *ret;
ECDSA_DATA *ecdsa;
const BIGNUM *priv_key;
BN_MONT_CTX *mont_data;
ecdsa = ecdsa_check(eckey);
group = EC_KEY_get0_group(eckey);
priv_key = EC_KEY_get0_private_key(eckey);
if (group == NULL || priv_key == NULL || ecdsa == NULL) {
ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_PASSED_NULL_PARAMETER);
return NULL;
}
ret = ECDSA_SIG_new();
if (!ret) {
ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_MALLOC_FAILURE);
return NULL;
}
s = ret->s;
if ((ctx = BN_CTX_new()) == NULL || (order = BN_new()) == NULL ||
(m = BN_new()) == NULL) {
ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_MALLOC_FAILURE);
goto err;
}
if (!EC_GROUP_get_order(group, order, ctx)) {
ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_EC_LIB);
goto err;
}
mont_data = EC_GROUP_get_mont_data(group);
i = BN_num_bits(order);
/*
* Need to truncate digest if it is too long: first truncate whole bytes.
*/
if (8 * dgst_len > i)
dgst_len = (i + 7) / 8;
if (!BN_bin2bn(dgst, dgst_len, m)) {
ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
goto err;
}
/* If still too long truncate remaining bits with a shift */
if ((8 * dgst_len > i) && !BN_rshift(m, m, 8 - (i & 0x7))) {
ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
goto err;
}
do {
if (in_kinv == NULL || in_r == NULL) {
if (!ECDSA_sign_setup(eckey, ctx, &kinv, &ret->r)) {
ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_ECDSA_LIB);
goto err;
}
ckinv = kinv;
} else {
ckinv = in_kinv;
if (BN_copy(ret->r, in_r) == NULL) {
ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_MALLOC_FAILURE);
goto err;
}
}
/*
* With only one multiplicant being in Montgomery domain
* multiplication yields real result without post-conversion.
* Also note that all operations but last are performed with
* zero-padded vectors. Last operation, BN_mod_mul_montgomery
* below, returns user-visible value with removed zero padding.
*/
if (!bn_to_mont_fixed_top(s, ret->r, mont_data, ctx)
|| !bn_mul_mont_fixed_top(s, s, priv_key, mont_data, ctx)) {
goto err;
}
if (!bn_mod_add_fixed_top(s, s, m, order)) {
ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
goto err;
}
/*
* |s| can still be larger than modulus, because |m| can be. In
* such case we count on Montgomery reduction to tie it up.
*/
if (!bn_to_mont_fixed_top(s, s, mont_data, ctx)
|| !BN_mod_mul_montgomery(s, s, ckinv, mont_data, ctx)) {
ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
goto err;
}
if (BN_is_zero(s)) {
/*
* if kinv and r have been supplied by the caller don't to
* generate new kinv and r values
*/
if (in_kinv != NULL && in_r != NULL) {
ECDSAerr(ECDSA_F_ECDSA_DO_SIGN,
ECDSA_R_NEED_NEW_SETUP_VALUES);
goto err;
}
} else
/* s != 0 => we have a valid signature */
break;
}
while (1);
ok = 1;
err:
if (!ok) {
ECDSA_SIG_free(ret);
ret = NULL;
}
if (ctx)
BN_CTX_free(ctx);
if (m)
BN_clear_free(m);
if (order)
BN_free(order);
if (kinv)
BN_clear_free(kinv);
return ret;
}
int test_mont(BIO *bp, BN_CTX *ctx)
{
BIGNUM a,b,c,d,A,B;
BIGNUM n;
int i;
BN_MONT_CTX *mont;
BN_init(&a);
BN_init(&b);
BN_init(&c);
BN_init(&d);
BN_init(&A);
BN_init(&B);
BN_init(&n);
mont=BN_MONT_CTX_new();
BN_bntest_rand(&a,100,0,0); /**/
BN_bntest_rand(&b,100,0,0); /**/
for (i=0; i<num2; i++)
{
int bits = (200*(i+1))/num2;
if (bits == 0)
continue;
BN_bntest_rand(&n,bits,0,1);
BN_MONT_CTX_set(mont,&n,ctx);
BN_nnmod(&a,&a,&n,ctx);
BN_nnmod(&b,&b,&n,ctx);
BN_to_montgomery(&A,&a,mont,ctx);
BN_to_montgomery(&B,&b,mont,ctx);
BN_mod_mul_montgomery(&c,&A,&B,mont,ctx);/**/
BN_from_montgomery(&A,&c,mont,ctx);/**/
if (bp != NULL)
{
if (!results)
{
#ifdef undef
fprintf(stderr,"%d * %d %% %d\n",
BN_num_bits(&a),
BN_num_bits(&b),
BN_num_bits(mont->N));
#endif
BN_print(bp,&a);
BIO_puts(bp," * ");
BN_print(bp,&b);
BIO_puts(bp," % ");
BN_print(bp,&(mont->N));
BIO_puts(bp," - ");
}
BN_print(bp,&A);
BIO_puts(bp,"\n");
}
BN_mod_mul(&d,&a,&b,&n,ctx);
BN_sub(&d,&d,&A);
if(!BN_is_zero(&d))
{
fprintf(stderr,"Montgomery multiplication test failed!\n");
return 0;
}
}
BN_MONT_CTX_free(mont);
BN_free(&a);
BN_free(&b);
BN_free(&c);
BN_free(&d);
BN_free(&A);
BN_free(&B);
BN_free(&n);
return(1);
}
int ec_GFp_mont_field_sqr(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
BN_CTX *ctx) {
return BN_mod_mul_montgomery(r, a, a, &group->mont, ctx);
}
static int ec_GFp_mont_point_get_affine_coordinates(const EC_GROUP *group,
const EC_POINT *point,
BIGNUM *x, BIGNUM *y,
BN_CTX *ctx) {
if (EC_POINT_is_at_infinity(group, point)) {
OPENSSL_PUT_ERROR(EC, EC_R_POINT_AT_INFINITY);
return 0;
}
BN_CTX *new_ctx = NULL;
if (ctx == NULL) {
ctx = new_ctx = BN_CTX_new();
if (ctx == NULL) {
return 0;
}
}
int ret = 0;
BN_CTX_start(ctx);
if (BN_cmp(&point->Z, &group->one) == 0) {
/* |point| is already affine. */
if (x != NULL && !BN_from_montgomery(x, &point->X, &group->mont, ctx)) {
goto err;
}
if (y != NULL && !BN_from_montgomery(y, &point->Y, &group->mont, ctx)) {
goto err;
}
} else {
/* transform (X, Y, Z) into (x, y) := (X/Z^2, Y/Z^3) */
BIGNUM *Z_1 = BN_CTX_get(ctx);
BIGNUM *Z_2 = BN_CTX_get(ctx);
BIGNUM *Z_3 = BN_CTX_get(ctx);
if (Z_1 == NULL ||
Z_2 == NULL ||
Z_3 == NULL) {
goto err;
}
/* The straightforward way to calculate the inverse of a Montgomery-encoded
* value where the result is Montgomery-encoded is:
*
* |BN_from_montgomery| + |BN_mod_inverse| + |BN_to_montgomery|.
*
* This is equivalent, but more efficient, because |BN_from_montgomery|
* is more efficient (at least in theory) than |BN_to_montgomery|, since it
* doesn't have to do the multiplication before the reduction. */
if (!BN_from_montgomery(Z_1, &point->Z, &group->mont, ctx) ||
!BN_from_montgomery(Z_1, Z_1, &group->mont, ctx) ||
!BN_mod_inverse(Z_1, Z_1, &group->field, ctx)) {
goto err;
}
if (!BN_mod_mul_montgomery(Z_2, Z_1, Z_1, &group->mont, ctx)) {
goto err;
}
/* Instead of using |BN_from_montgomery| to convert the |x| coordinate
* and then calling |BN_from_montgomery| again to convert the |y|
* coordinate below, convert the common factor |Z_2| once now, saving one
* reduction. */
if (!BN_from_montgomery(Z_2, Z_2, &group->mont, ctx)) {
goto err;
}
if (x != NULL) {
if (!BN_mod_mul_montgomery(x, &point->X, Z_2, &group->mont, ctx)) {
goto err;
}
}
if (y != NULL) {
if (!BN_mod_mul_montgomery(Z_3, Z_2, Z_1, &group->mont, ctx) ||
!BN_mod_mul_montgomery(y, &point->Y, Z_3, &group->mont, ctx)) {
goto err;
}
}
}
ret = 1;
err:
BN_CTX_end(ctx);
BN_CTX_free(new_ctx);
return ret;
}
int BN_mod_exp2_mont(BIGNUM *rr, BIGNUM *a1, BIGNUM *p1, BIGNUM *a2,
BIGNUM *p2, BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont)
{
int i,j,k,bits,bits1,bits2,ret=0,wstart,wend,window,xvalue,yvalue;
int start=1,ts=0,x,y;
BIGNUM *d,*aa1,*aa2,*r;
BIGNUM val[EXP2_TABLE_SIZE][EXP2_TABLE_SIZE];
BN_MONT_CTX *mont=NULL;
bn_check_top(a1);
bn_check_top(p1);
bn_check_top(a2);
bn_check_top(p2);
bn_check_top(m);
if (!(m->d[0] & 1))
{
BNerr(BN_F_BN_MOD_EXP_MONT,BN_R_CALLED_WITH_EVEN_MODULUS);
return(0);
}
bits1=BN_num_bits(p1);
bits2=BN_num_bits(p2);
if ((bits1 == 0) && (bits2 == 0))
{
BN_one(rr);
return(1);
}
BN_CTX_start(ctx);
d = BN_CTX_get(ctx);
r = BN_CTX_get(ctx);
if (d == NULL || r == NULL) goto err;
bits=(bits1 > bits2)?bits1:bits2;
/* If this is not done, things will break in the montgomery
* part */
if (in_mont != NULL)
mont=in_mont;
else
{
if ((mont=BN_MONT_CTX_new()) == NULL) goto err;
if (!BN_MONT_CTX_set(mont,m,ctx)) goto err;
}
BN_init(&(val[0][0]));
BN_init(&(val[1][1]));
BN_init(&(val[0][1]));
BN_init(&(val[1][0]));
ts=1;
if (BN_ucmp(a1,m) >= 0)
{
BN_mod(&(val[1][0]),a1,m,ctx);
aa1= &(val[1][0]);
}
else
aa1=a1;
if (BN_ucmp(a2,m) >= 0)
{
BN_mod(&(val[0][1]),a2,m,ctx);
aa2= &(val[0][1]);
}
else
aa2=a2;
if (!BN_to_montgomery(&(val[1][0]),aa1,mont,ctx)) goto err;
if (!BN_to_montgomery(&(val[0][1]),aa2,mont,ctx)) goto err;
if (!BN_mod_mul_montgomery(&(val[1][1]),
&(val[1][0]),&(val[0][1]),mont,ctx))
goto err;
#if 0
if (bits <= 20) /* This is probably 3 or 0x10001, so just do singles */
window=1;
else if (bits > 250)
window=5; /* max size of window */
else if (bits >= 120)
window=4;
else
window=3;
#else
window=EXP2_TABLE_BITS;
#endif
k=1<<window;
for (x=0; x<k; x++)
{
if (x >= 2)
{
BN_init(&(val[x][0]));
BN_init(&(val[x][1]));
if (!BN_mod_mul_montgomery(&(val[x][0]),
&(val[1][0]),&(val[x-1][0]),mont,ctx)) goto err;
if (!BN_mod_mul_montgomery(&(val[x][1]),
&(val[1][0]),&(val[x-1][1]),mont,ctx)) goto err;
}
for (y=2; y<k; y++)
{
BN_init(&(val[x][y]));
if (!BN_mod_mul_montgomery(&(val[x][y]),
&(val[x][y-1]),&(val[0][1]),mont,ctx))
goto err;
}
}
ts=k;
start=1; /* This is used to avoid multiplication etc
* when there is only the value '1' in the
* buffer. */
xvalue=0; /* The 'x value' of the window */
yvalue=0; /* The 'y value' of the window */
wstart=bits-1; /* The top bit of the window */
wend=0; /* The bottom bit of the window */
if (!BN_to_montgomery(r,BN_value_one(),mont,ctx)) goto err;
for (;;)
{
xvalue=BN_is_bit_set(p1,wstart);
yvalue=BN_is_bit_set(p2,wstart);
if (!(xvalue || yvalue))
{
if (!start)
{
if (!BN_mod_mul_montgomery(r,r,r,mont,ctx))
goto err;
}
wstart--;
if (wstart < 0) break;
continue;
}
/* We now have wstart on a 'set' bit, we now need to work out
* how bit a window to do. To do this we need to scan
* forward until the last set bit before the end of the
* window */
j=wstart;
/* xvalue=BN_is_bit_set(p1,wstart); already set */
/* yvalue=BN_is_bit_set(p1,wstart); already set */
wend=0;
for (i=1; i<window; i++)
{
if (wstart-i < 0) break;
xvalue+=xvalue;
xvalue|=BN_is_bit_set(p1,wstart-i);
yvalue+=yvalue;
yvalue|=BN_is_bit_set(p2,wstart-i);
}
/* i is the size of the current window */
/* add the 'bytes above' */
if (!start)
for (j=0; j<i; j++)
{
if (!BN_mod_mul_montgomery(r,r,r,mont,ctx))
goto err;
}
/* wvalue will be an odd number < 2^window */
if (xvalue || yvalue)
{
if (!BN_mod_mul_montgomery(r,r,&(val[xvalue][yvalue]),
mont,ctx)) goto err;
}
/* move the 'window' down further */
wstart-=i;
start=0;
if (wstart < 0) break;
}
BN_from_montgomery(rr,r,mont,ctx);
ret=1;
err:
if ((in_mont == NULL) && (mont != NULL)) BN_MONT_CTX_free(mont);
BN_CTX_end(ctx);
for (i=0; i<ts; i++)
{
for (j=0; j<ts; j++)
{
BN_clear_free(&(val[i][j]));
}
}
return(ret);
}
