/* GFp_rsa_public_decrypt decrypts the RSA signature |in| using the public key * with modulus |n| and exponent |e|, leaving the decrypted signature in |out|. * |out_len| and |in_len| must both be equal to the size of |n|. The public key * must have been validated prior. * * When |rsa_public_decrypt| succeeds, the caller must then check the * signature value (and padding) left in |out|. */ int GFp_rsa_public_decrypt(uint8_t *out, size_t out_len, const BN_MONT_CTX *mont_n, const BIGNUM *e, const uint8_t *in, size_t in_len) { assert(GFp_BN_is_odd(e)); assert(!GFp_BN_is_zero(e)); assert(!GFp_BN_is_one(e)); const BIGNUM *n = &mont_n->N; BIGNUM f; GFp_BN_init(&f); BIGNUM result; GFp_BN_init(&result); int ret = 0; unsigned rsa_size = GFp_BN_num_bytes(n); /* RSA_size((n, e)); */ if (out_len != rsa_size) { OPENSSL_PUT_ERROR(RSA, RSA_R_OUTPUT_BUFFER_TOO_SMALL); goto err; } if (in_len != rsa_size) { OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_LEN_NOT_EQUAL_TO_MOD_LEN); goto err; } if (GFp_BN_bin2bn(in, in_len, &f) == NULL) { OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR); goto err; } if (GFp_BN_ucmp(&f, n) >= 0) { OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_MODULUS); goto err; } if (!GFp_BN_mod_exp_mont_vartime(&result, &f, e, mont_n) || !GFp_BN_bn2bin_padded(out, out_len, &result)) { OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR); goto err; } ret = 1; err: GFp_BN_free(&f); GFp_BN_free(&result); return ret; }
/* GFp_rsa_private_transform takes a big-endian integer in |base| and raises it * to the d'th power modulo the public modulus. The caller must ensure that * |base| is less than |n|. * * It returns one on success and zero otherwise. */ int GFp_rsa_private_transform(const RSA *rsa, /*inout*/ BIGNUM *base, BN_BLINDING *blinding, RAND *rng) { assert(GFp_BN_cmp(base, &rsa->mont_n->N) < 0); assert(!GFp_BN_is_zero(rsa->e)); assert(!GFp_BN_is_zero(rsa->dmp1)); assert(!GFp_BN_is_zero(rsa->dmq1)); int ret = 0; BIGNUM r, tmp, mp, mq, vrfy; GFp_BN_init(&r); GFp_BN_init(&tmp); GFp_BN_init(&mp); GFp_BN_init(&mq); GFp_BN_init(&vrfy); if (!GFp_BN_BLINDING_convert(base, blinding, rsa, rng)) { OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR); goto err; } const BIGNUM *p = &rsa->mont_p->N; /* Extra reductions would be required if |p < q| and |p == q| is just plain * wrong. */ assert(GFp_BN_cmp(&rsa->mont_q->N, p) < 0); /* mp := base^dmp1 mod p. * * |p * q == n| and |p > q| implies |p < n < p**2|. Thus, the base is just * reduced mod |p|. */ if (!GFp_BN_reduce_mont(&tmp, base, rsa->mont_p) || !GFp_BN_mod_exp_mont_consttime(&mp, &tmp, rsa->dmp1, rsa->mont_p)) { OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR); goto err; } /* mq := base^dmq1 mod q. * * |p * q == n| and |p > q| implies |q < q**2 < n < q**3|. Thus, |base| is * first reduced mod |q**2| and then reduced mod |q|. */ if (!GFp_BN_reduce_mont(&tmp, base, rsa->mont_qq) || !GFp_BN_reduce_mont(&tmp, &tmp, rsa->mont_q) || !GFp_BN_mod_exp_mont_consttime(&mq, &tmp, rsa->dmq1, rsa->mont_q)) { OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR); goto err; } /* Combine them with Garner's algorithm. * * |0 <= mq < q < p| and |0 <= mp < p| implies |(-q) < (mp - mq) < p|, so * |GFp_BN_mod_sub_quick| can be used. * * In each multiplication, the Montgomery factor cancels out because |tmp| is * not Montgomery-encoded but the second input is. * * In the last multiplication, the reduction mod |n| isn't necessary because * |tmp < p| and |p * q == n| implies |tmp * q < n|. Montgomery * multiplication is used purely because it is implemented more efficiently. */ if (!GFp_BN_mod_sub_quick(&tmp, &mp, &mq, p) || !GFp_BN_mod_mul_mont(&tmp, &tmp, rsa->iqmp_mont, rsa->mont_p) || !GFp_BN_mod_mul_mont(&tmp, &tmp, rsa->qmn_mont, rsa->mont_n) || !GFp_BN_add(&r, &tmp, &mq)) { OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR); goto err; } /* Verify the result to protect against fault attacks as described in the * 1997 paper "On the Importance of Checking Cryptographic Protocols for * Faults" by Dan Boneh, Richard A. DeMillo, and Richard J. Lipton. Some * implementations do this only when the CRT is used, but we do it in all * cases. Section 6 of the aforementioned paper describes an attack that * works when the CRT isn't used. That attack is much less likely to succeed * than the CRT attack, but there have likely been improvements since 1997. * * This check is very cheap assuming |e| is small, which it almost always is. * Note that this is the only validation of |e| that is done other than * basic checks on its size, oddness, and minimum value, as |RSA_check_key| * doesn't validate its mathematical relations to |d| or |p| or |q|. */ if (!GFp_BN_mod_exp_mont_vartime(&vrfy, &r, rsa->e, rsa->mont_n)) { OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR); goto err; } if (vrfy.top != base->top || GFp_memcmp(vrfy.d, base->d, (size_t)vrfy.top * sizeof(vrfy.d[0])) != 0) { OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR); goto err; } if (!GFp_BN_BLINDING_invert(base, &r, blinding, rsa->mont_n)) { OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR); goto err; } ret = 1; err: GFp_BN_free(&r); GFp_BN_free(&tmp); GFp_BN_free(&mp); GFp_BN_free(&mq); GFp_BN_free(&vrfy); return ret; }
int GFp_BN_mod_inverse_odd(BIGNUM *out, int *out_no_inverse, const BIGNUM *a, const BIGNUM *n) { *out_no_inverse = 0; if (!GFp_BN_is_odd(n)) { OPENSSL_PUT_ERROR(BN, BN_R_CALLED_WITH_EVEN_MODULUS); return 0; } if (GFp_BN_is_negative(a) || GFp_BN_cmp(a, n) >= 0) { OPENSSL_PUT_ERROR(BN, BN_R_INPUT_NOT_REDUCED); return 0; } BIGNUM A; GFp_BN_init(&A); BIGNUM B; GFp_BN_init(&B); BIGNUM X; GFp_BN_init(&X); BIGNUM Y; GFp_BN_init(&Y); int ret = 0; int sign; BIGNUM *R = out; GFp_BN_zero(&Y); if (!GFp_BN_one(&X) || !GFp_BN_copy(&B, a) || !GFp_BN_copy(&A, n)) { goto err; } A.neg = 0; sign = -1; /* From B = a mod |n|, A = |n| it follows that * * 0 <= B < A, * -sign*X*a == B (mod |n|), * sign*Y*a == A (mod |n|). */ /* Binary inversion algorithm; requires odd modulus. This is faster than the * general algorithm if the modulus is sufficiently small (about 400 .. 500 * bits on 32-bit systems, but much more on 64-bit systems) */ int shift; while (!GFp_BN_is_zero(&B)) { /* 0 < B < |n|, * 0 < A <= |n|, * (1) -sign*X*a == B (mod |n|), * (2) sign*Y*a == A (mod |n|) */ /* Now divide B by the maximum possible power of two in the integers, * and divide X by the same value mod |n|. * When we're done, (1) still holds. */ shift = 0; while (!GFp_BN_is_bit_set(&B, shift)) { /* note that 0 < B */ shift++; if (GFp_BN_is_odd(&X)) { if (!GFp_BN_uadd(&X, &X, n)) { goto err; } } /* now X is even, so we can easily divide it by two */ if (!GFp_BN_rshift1(&X, &X)) { goto err; } } if (shift > 0) { if (!GFp_BN_rshift(&B, &B, shift)) { goto err; } } /* Same for A and Y. Afterwards, (2) still holds. */ shift = 0; while (!GFp_BN_is_bit_set(&A, shift)) { /* note that 0 < A */ shift++; if (GFp_BN_is_odd(&Y)) { if (!GFp_BN_uadd(&Y, &Y, n)) { goto err; } } /* now Y is even */ if (!GFp_BN_rshift1(&Y, &Y)) { goto err; } } if (shift > 0) { if (!GFp_BN_rshift(&A, &A, shift)) { goto err; } } /* We still have (1) and (2). * Both A and B are odd. * The following computations ensure that * * 0 <= B < |n|, * 0 < A < |n|, * (1) -sign*X*a == B (mod |n|), * (2) sign*Y*a == A (mod |n|), * * and that either A or B is even in the next iteration. */ if (GFp_BN_ucmp(&B, &A) >= 0) { /* -sign*(X + Y)*a == B - A (mod |n|) */ if (!GFp_BN_uadd(&X, &X, &Y)) { goto err; } /* NB: we could use GFp_BN_mod_add_quick(X, X, Y, n), but that * actually makes the algorithm slower */ if (!GFp_BN_usub(&B, &B, &A)) { goto err; } } else { /* sign*(X + Y)*a == A - B (mod |n|) */ if (!GFp_BN_uadd(&Y, &Y, &X)) { goto err; } /* as above, GFp_BN_mod_add_quick(Y, Y, X, n) would slow things down */ if (!GFp_BN_usub(&A, &A, &B)) { goto err; } } } if (!GFp_BN_is_one(&A)) { *out_no_inverse = 1; OPENSSL_PUT_ERROR(BN, BN_R_NO_INVERSE); goto err; } /* The while loop (Euclid's algorithm) ends when * A == gcd(a,n); * we have * sign*Y*a == A (mod |n|), * where Y is non-negative. */ if (sign < 0) { if (!GFp_BN_sub(&Y, n, &Y)) { goto err; } } /* Now Y*a == A (mod |n|). */ /* Y*a == 1 (mod |n|) */ if (!Y.neg && GFp_BN_ucmp(&Y, n) < 0) { if (!GFp_BN_copy(R, &Y)) { goto err; } } else { if (!GFp_BN_nnmod(R, &Y, n)) { goto err; } } ret = 1; err: GFp_BN_free(&A); GFp_BN_free(&B); GFp_BN_free(&X); GFp_BN_free(&Y); return ret; }