/**
* @brief Use the Chinese Remainder Theorem to quickly perform RSA decrypts.
*
* @param ctx [in] The bigint session context.
* @param bi [in] The bigint to perform the exp/mod.
* @param dP [in] CRT's dP bigint
* @param dQ [in] CRT's dQ bigint
* @param p [in] CRT's p bigint
* @param q [in] CRT's q bigint
* @param qInv [in] CRT's qInv bigint
* @return The result of the CRT operation
*/
bigint * ICACHE_FLASH_ATTR bi_crt(BI_CTX *ctx, bigint *bi,
bigint *dP, bigint *dQ,
bigint *p, bigint *q, bigint *qInv)
{
bigint *m1, *m2, *h;
/* Montgomery has a condition the 0 < x, y < m and these products violate
* that condition. So disable Montgomery when using CRT */
#if defined(CONFIG_BIGINT_MONTGOMERY)
ctx->use_classical = 1;
#endif
ctx->mod_offset = BIGINT_P_OFFSET;
m1 = bi_mod_power(ctx, bi_copy(bi), dP);
ctx->mod_offset = BIGINT_Q_OFFSET;
m2 = bi_mod_power(ctx, bi, dQ);
h = bi_subtract(ctx, bi_add(ctx, m1, p), bi_copy(m2), NULL);
h = bi_multiply(ctx, h, qInv);
ctx->mod_offset = BIGINT_P_OFFSET;
h = bi_residue(ctx, h);
#if defined(CONFIG_BIGINT_MONTGOMERY)
ctx->use_classical = 0; /* reset for any further operation */
#endif
return bi_add(ctx, m2, bi_multiply(ctx, q, h));
}
/**
* Use the Chinese Remainder Theorem to quickly perform RSA decrypts.
* This should really be in bigint.c (and was at one stage), but needs
* access to the RSA_CTX context...
*/
static bigint *bi_crt(const RSA_CTX *rsa, bigint *bi)
{
BI_CTX *ctx = rsa->bi_ctx;
bigint *m1, *m2, *h;
/* Montgomery has a condition the 0 < x, y < m and these products violate
* that condition. So disable Montgomery when using CRT */
#if defined(CONFIG_BIGINT_MONTGOMERY)
ctx->use_classical = 1;
#endif
ctx->mod_offset = BIGINT_P_OFFSET;
m1 = bi_mod_power(ctx, bi_copy(bi), rsa->dP);
ctx->mod_offset = BIGINT_Q_OFFSET;
m2 = bi_mod_power(ctx, bi, rsa->dQ);
h = bi_subtract(ctx, bi_add(ctx, m1, rsa->p), bi_copy(m2), NULL);
h = bi_multiply(ctx, h, rsa->qInv);
ctx->mod_offset = BIGINT_P_OFFSET;
h = bi_residue(ctx, h);
#if defined(CONFIG_BIGINT_MONTGOMERY)
ctx->use_classical = 0; /* reset for any further operation */
#endif
return bi_add(ctx, m2, bi_multiply(ctx, rsa->q, h));
}
void DH_generate_key(DH_CTX *dh_ctx)
{
BI_CTX *bi_ctx = bi_initialize();
int len = dh_ctx->len;
bigint *p = bi_import(bi_ctx, dh_ctx->p, len); //p modulus
bigint *g = bi_import(bi_ctx, dh_ctx->g, dh_ctx->glen); //generator
bigint *x, *gx;
bi_permanent(g);
//generate private key X
get_random_NZ(len, dh_ctx->x);
x = bi_import(bi_ctx, dh_ctx->x, len);
bi_permanent(x);
//calculate public key gx = g^x mod p
bi_set_mod(bi_ctx, p, BIGINT_M_OFFSET);
bi_ctx->mod_offset = BIGINT_M_OFFSET;
gx = bi_mod_power(bi_ctx, g, x);
bi_permanent(gx);
bi_export(bi_ctx, x, dh_ctx->x, len);
bi_export(bi_ctx, gx, dh_ctx->gx, len);
bi_depermanent(g);
bi_depermanent(x);
bi_depermanent(gx);
bi_free(bi_ctx, g);
bi_free(bi_ctx, x);
bi_free(bi_ctx, gx);
bi_free_mod(bi_ctx, BIGINT_M_OFFSET);
bi_terminate(bi_ctx);
}
void DH_compute_key(DH_CTX *dh_ctx)
{
BI_CTX *bi_ctx = bi_initialize();
int len = dh_ctx->len;
bigint *p = bi_import(bi_ctx, dh_ctx->p, len); //p modulus
bigint *x = bi_import(bi_ctx, dh_ctx->x, len); //private key
bigint *gy = bi_import(bi_ctx, dh_ctx->gy, len); //public key(peer)
bigint *k; //negotiated(session) key
bi_permanent(x);
bi_permanent(gy);
//calculate session key k = gy^x mod p
bi_set_mod(bi_ctx, p, BIGINT_M_OFFSET);
bi_ctx->mod_offset = BIGINT_M_OFFSET;
k = bi_mod_power(bi_ctx, gy, x);
bi_permanent(k);
bi_export(bi_ctx, k, dh_ctx->k, len);
bi_depermanent(x);
bi_depermanent(gy);
bi_depermanent(k);
bi_free(bi_ctx, x);
bi_free(bi_ctx, gy);
bi_free(bi_ctx, k);
bi_free_mod(bi_ctx, BIGINT_M_OFFSET);
bi_terminate(bi_ctx);
}
/**
* Performs m = c^d mod n
*/
bigint *RSA_private(const RSA_CTX *c, bigint *bi_msg)
{
#ifdef CONFIG_BIGINT_CRT
return bi_crt(c->bi_ctx, bi_msg, c->dP, c->dQ, c->p, c->q, c->qInv);
#else
BI_CTX *ctx = c->bi_ctx;
ctx->mod_offset = BIGINT_M_OFFSET;
return bi_mod_power(ctx, bi_msg, c->d);
#endif
}
/**
* @brief Perform a modular exponentiation using a temporary modulus.
*
* We need this function to check the signatures of certificates. The modulus
* of this function is temporary as it's just used for authentication.
* @param ctx [in] The bigint session context.
* @param bi [in] The bigint to perform the exp/mod.
* @param bim [in] The temporary modulus.
* @param biexp [in] The bigint exponent.
* @return The result of the mod exponentiation operation
* @see bi_set_mod().
*/
bigint *ICACHE_FLASH_ATTR bi_mod_power2(BI_CTX *ctx, bigint *bi, bigint *bim, bigint *biexp) {
bigint *biR, *tmp_biR;
/* Set up a temporary bigint context and transfer what we need between
* them. We need to do this since we want to keep the original modulus
* which is already in this context. This operation is only called when
* doing peer verification, and so is not expensive :-) */
BI_CTX *tmp_ctx = bi_initialize();
bi_set_mod(tmp_ctx, bi_clone(tmp_ctx, bim), BIGINT_M_OFFSET);
tmp_biR = bi_mod_power(tmp_ctx,
bi_clone(tmp_ctx, bi),
bi_clone(tmp_ctx, biexp));
biR = bi_clone(ctx, tmp_biR);
bi_free(tmp_ctx, tmp_biR);
bi_free_mod(tmp_ctx, BIGINT_M_OFFSET);
bi_terminate(tmp_ctx);
bi_free(ctx, bi);
bi_free(ctx, bim);
bi_free(ctx, biexp);
return biR;
}
/**
* Performs c = m^e mod n
*/
bigint *RSA_public(const RSA_CTX *c, bigint *bi_msg) {
c->bi_ctx->mod_offset = BIGINT_M_OFFSET;
return bi_mod_power(c->bi_ctx, bi_msg, c->e);
}
