tomcrypt/src/pk/rsa/rsa_exptmod.c

/* LibTomCrypt, modular cryptographic library -- Tom St Denis
 *
 * LibTomCrypt is a library that provides various cryptographic
 * algorithms in a highly modular and flexible manner.
 *
 * The library is free for all purposes without any express
 * guarantee it works.
 *
 * Tom St Denis, tomstdenis@gmail.com, http://libtom.org
 *
 * Added RSA blinding --nmav
 */
#include "tomcrypt.h"

/**
  @file rsa_exptmod.c
  RSA PKCS exptmod, Tom St Denis
*/

#ifdef LTC_MRSA

/**
   Compute an RSA modular exponentiation
   @param in         The input data to send into RSA
   @param inlen      The length of the input (octets)
   @param out        [out] The destination
   @param outlen     [in/out] The max size and resulting size of the output
   @param which      Which exponent to use, e.g. PK_PRIVATE or PK_PUBLIC
   @param key        The RSA key to use
   @return CRYPT_OK if successful
*/
int rsa_exptmod(const unsigned char *in,   unsigned long inlen,
                      unsigned char *out,  unsigned long *outlen, int which,
                      rsa_key *key)
{
   void        *tmp, *tmpa, *tmpb;
   #ifdef LTC_RSA_BLINDING
   void        *rnd, *rndi /* inverse of rnd */;
   #endif
   unsigned long x;
   int           err, no_crt;

   LTC_ARGCHK(in     != NULL);
   LTC_ARGCHK(out    != NULL);
   LTC_ARGCHK(outlen != NULL);
   LTC_ARGCHK(key    != NULL);

   /* is the key of the right type for the operation? */
   if (which == PK_PRIVATE && (key->type != PK_PRIVATE)) {
      return CRYPT_PK_NOT_PRIVATE;
   }

   /* must be a private or public operation */
   if (which != PK_PRIVATE && which != PK_PUBLIC) {
      return CRYPT_PK_INVALID_TYPE;
   }

   /* init and copy into tmp */
   if ((err = mp_init_multi(&tmp, &tmpa, &tmpb,
#ifdef LTC_RSA_BLINDING
                                               &rnd, &rndi,
#endif /* LTC_RSA_BLINDING */
                                                           NULL)) != CRYPT_OK)
        { return err; }
   if ((err = mp_read_unsigned_bin(tmp, (unsigned char *)in, (int)inlen)) != CRYPT_OK)
        { goto error; }


   /* sanity check on the input */
   if (mp_cmp(key->N, tmp) == LTC_MP_LT) {
      err = CRYPT_PK_INVALID_SIZE;
      goto error;
   }

   /* are we using the private exponent and is the key optimized? */
   if (which == PK_PRIVATE) {
      #ifdef LTC_RSA_BLINDING
      /* do blinding */
      err = mp_rand(rnd, mp_get_digit_count(key->N));
      if (err != CRYPT_OK) {
             goto error;
      }

      /* rndi = 1/rnd mod N */
      err = mp_invmod(rnd, key->N, rndi);
      if (err != CRYPT_OK) {
             goto error;
      }

      /* rnd = rnd^e */
      err = mp_exptmod( rnd, key->e, key->N, rnd);
      if (err != CRYPT_OK) {
             goto error;
      }

      /* tmp = tmp*rnd mod N */
      err = mp_mulmod( tmp, rnd, key->N, tmp);
      if (err != CRYPT_OK) {
             goto error;
      }
      #endif /* LTC_RSA_BLINDING */

      no_crt = (key->dP == NULL) || (mp_get_digit_count(key->dP) == 0);

      if (no_crt) {
         /*
          * In case CRT optimization parameters are not provided,
          * the private key is directly used to exptmod it
          */
         if ((err = mp_exptmod(tmp, key->d, key->N, tmp)) != CRYPT_OK)                              { goto error; }
      } else {
         /* tmpa = tmp^dP mod p */
         if ((err = mp_exptmod(tmp, key->dP, key->p, tmpa)) != CRYPT_OK)                            { goto error; }

         /* tmpb = tmp^dQ mod q */
         if ((err = mp_exptmod(tmp, key->dQ, key->q, tmpb)) != CRYPT_OK)                            { goto error; }

         /* tmp = (tmpa - tmpb) * qInv (mod p) */
         if ((err = mp_sub(tmpa, tmpb, tmp)) != CRYPT_OK)                                           { goto error; }
         if ((err = mp_mulmod(tmp, key->qP, key->p, tmp)) != CRYPT_OK)                              { goto error; }

         /* tmp = tmpb + q * tmp */
         if ((err = mp_mul(tmp, key->q, tmp)) != CRYPT_OK)                                          { goto error; }
         if ((err = mp_add(tmp, tmpb, tmp)) != CRYPT_OK)                                            { goto error; }
      }

      #ifdef LTC_RSA_BLINDING
      /* unblind */
      err = mp_mulmod( tmp, rndi, key->N, tmp);
      if (err != CRYPT_OK) {
             goto error;
      }
      #endif

      #ifdef LTC_RSA_CRT_HARDENING
      if (!no_crt) {
         if ((err = mp_exptmod(tmp, key->e, key->N, tmpa)) != CRYPT_OK)                              { goto error; }
         if ((err = mp_read_unsigned_bin(tmpb, (unsigned char *)in, (int)inlen)) != CRYPT_OK)        { goto error; }
         if (mp_cmp(tmpa, tmpb) != LTC_MP_EQ)                                     { err = CRYPT_ERROR; goto error; }
      }
      #endif
   } else {
      /* exptmod it */
      if ((err = mp_exptmod(tmp, key->e, key->N, tmp)) != CRYPT_OK)                                { goto error; }
   }

   /* read it back */
   x = (unsigned long)mp_unsigned_bin_size(key->N);
   if (x > *outlen) {
      *outlen = x;
      err = CRYPT_BUFFER_OVERFLOW;
      goto error;
   }

   /* this should never happen ... */
   if (mp_unsigned_bin_size(tmp) > mp_unsigned_bin_size(key->N)) {
      err = CRYPT_ERROR;
      goto error;
   }
   *outlen = x;

   /* convert it */
   zeromem(out, x);
   if ((err = mp_to_unsigned_bin(tmp, out+(x-mp_unsigned_bin_size(tmp)))) != CRYPT_OK)               { goto error; }

   /* clean up and return */
   err = CRYPT_OK;
error:
   mp_clear_multi(
#ifdef LTC_RSA_BLINDING
                  rndi, rnd,
#endif /* LTC_RSA_BLINDING */
                             tmpb, tmpa, tmp, NULL);
   return err;
}

#endif

/* $Source$ */
/* $Revision$ */
/* $Date$ */
added libtomcrypt-0.95 2004-05-12 20:42:16 +00:00			`/* LibTomCrypt, modular cryptographic library -- Tom St Denis`
			`*`
			`* LibTomCrypt is a library that provides various cryptographic`
			`* algorithms in a highly modular and flexible manner.`
			`*`
			`* The library is free for all purposes without any express`
			`* guarantee it works.`
			`*`
added libtomcrypt-1.17 2007-07-20 17:48:02 +00:00			`* Tom St Denis, tomstdenis@gmail.com, http://libtom.org`
Added RSA blinding (requires mp_rand()). 2011-03-21 08:26:41 +01:00			`*`
			`* Added RSA blinding --nmav`
added libtomcrypt-0.95 2004-05-12 20:42:16 +00:00			`*/`
added libtomcrypt-1.00 2004-12-30 23:55:53 +00:00			`#include "tomcrypt.h"`
added libtomcrypt-0.95 2004-05-12 20:42:16 +00:00
added libtomcrypt-1.00 2004-12-30 23:55:53 +00:00			`/**`
			`@file rsa_exptmod.c`
trim trailing spaces/clean up 2014-01-03 15:16:59 +01:00			`RSA PKCS exptmod, Tom St Denis`
Added define LTC_RSA_BLINDING to be able to disable rsa blinding 2011-03-21 22:50:49 +01:00			`*/`
added libtomcrypt-0.95 2004-05-12 20:42:16 +00:00
added libtomcrypt-1.17 2007-07-20 17:48:02 +00:00			`#ifdef LTC_MRSA`
added libtomcrypt-0.95 2004-05-12 20:42:16 +00:00
Added define LTC_RSA_BLINDING to be able to disable rsa blinding 2011-03-21 22:50:49 +01:00			`/**`
			`Compute an RSA modular exponentiation`
added libtomcrypt-1.00 2004-12-30 23:55:53 +00:00			`@param in The input data to send into RSA`
			`@param inlen The length of the input (octets)`
Added define LTC_RSA_BLINDING to be able to disable rsa blinding 2011-03-21 22:50:49 +01:00			`@param out [out] The destination`
added libtomcrypt-1.00 2004-12-30 23:55:53 +00:00			`@param outlen [in/out] The max size and resulting size of the output`
			`@param which Which exponent to use, e.g. PK_PRIVATE or PK_PUBLIC`
Added define LTC_RSA_BLINDING to be able to disable rsa blinding 2011-03-21 22:50:49 +01:00			`@param key The RSA key to use`
added libtomcrypt-1.00 2004-12-30 23:55:53 +00:00			`@return CRYPT_OK if successful`
Added define LTC_RSA_BLINDING to be able to disable rsa blinding 2011-03-21 22:50:49 +01:00			`*/`
added libtomcrypt-0.96 2004-05-31 02:36:47 +00:00			`int rsa_exptmod(const unsigned char *in, unsigned long inlen,`
			`unsigned char out, unsigned long outlen, int which,`
added libtomcrypt-0.95 2004-05-12 20:42:16 +00:00			`rsa_key *key)`
			`{`
Added define LTC_RSA_BLINDING to be able to disable rsa blinding 2011-03-21 22:50:49 +01:00			`void tmp, tmpa, *tmpb;`
			`#ifdef LTC_RSA_BLINDING`
fix possible missing free of rnd and rndi There could have been a 'goto error', which misses the free of rnd and rndi even if they were initialized. This could happen in cases where a private key operation was done and afterwards one of the operations like reading back or conversion, would have failed (which is likely not to happen) This also includes a proposed improvement from the OLPC project to free elements in the reverse order as they were allocated. 2014-06-15 11:51:38 +02:00			`void rnd, rndi /* inverse of rnd */;`
Added define LTC_RSA_BLINDING to be able to disable rsa blinding 2011-03-21 22:50:49 +01:00			`#endif`
added libtomcrypt-0.95 2004-05-12 20:42:16 +00:00			`unsigned long x;`
harden RSA CRT by implementing the proposed countermeasure ... from ch. 1.3 of [1] [1] https://people.redhat.com/~fweimer/rsa-crt-leaks.pdf 2015-09-08 02:44:17 +02:00			`int err, no_crt;`
added libtomcrypt-0.95 2004-05-12 20:42:16 +00:00
added libtomcrypt-1.00 2004-12-30 23:55:53 +00:00			`LTC_ARGCHK(in != NULL);`
			`LTC_ARGCHK(out != NULL);`
			`LTC_ARGCHK(outlen != NULL);`
			`LTC_ARGCHK(key != NULL);`
Added define LTC_RSA_BLINDING to be able to disable rsa blinding 2011-03-21 22:50:49 +01:00
added libtomcrypt-0.97 2004-06-20 02:41:49 +00:00			`/* is the key of the right type for the operation? */`
added libtomcrypt-0.99 2004-10-30 03:00:26 +00:00			`if (which == PK_PRIVATE && (key->type != PK_PRIVATE)) {`
added libtomcrypt-0.95 2004-05-12 20:42:16 +00:00			`return CRYPT_PK_NOT_PRIVATE;`
			`}`

			`/* must be a private or public operation */`
			`if (which != PK_PRIVATE && which != PK_PUBLIC) {`
			`return CRYPT_PK_INVALID_TYPE;`
			`}`

			`/* init and copy into tmp */`
fix possible missing free of rnd and rndi There could have been a 'goto error', which misses the free of rnd and rndi even if they were initialized. This could happen in cases where a private key operation was done and afterwards one of the operations like reading back or conversion, would have failed (which is likely not to happen) This also includes a proposed improvement from the OLPC project to free elements in the reverse order as they were allocated. 2014-06-15 11:51:38 +02:00			`if ((err = mp_init_multi(&tmp, &tmpa, &tmpb,`
			`#ifdef LTC_RSA_BLINDING`
			`&rnd, &rndi,`
			`#endif /* LTC_RSA_BLINDING */`
			`NULL)) != CRYPT_OK)`
Added RSA blinding (requires mp_rand()). 2011-03-21 08:26:41 +01:00			`{ return err; }`
fixed error causing segmentation fault 2011-03-21 21:17:59 +01:00			`if ((err = mp_read_unsigned_bin(tmp, (unsigned char *)in, (int)inlen)) != CRYPT_OK)`
Added RSA blinding (requires mp_rand()). 2011-03-21 08:26:41 +01:00			`{ goto error; }`

added libtomcrypt-0.95 2004-05-12 20:42:16 +00:00
			`/* sanity check on the input */`
added libtomcrypt-1.06 2005-08-01 16:36:47 +00:00			`if (mp_cmp(key->N, tmp) == LTC_MP_LT) {`
added libtomcrypt-0.95 2004-05-12 20:42:16 +00:00			`err = CRYPT_PK_INVALID_SIZE;`
added libtomcrypt-1.16 2006-12-16 18:10:04 +00:00			`goto error;`
added libtomcrypt-0.95 2004-05-12 20:42:16 +00:00			`}`

			`/* are we using the private exponent and is the key optimized? */`
added libtomcrypt-0.99 2004-10-30 03:00:26 +00:00			`if (which == PK_PRIVATE) {`
Added define LTC_RSA_BLINDING to be able to disable rsa blinding 2011-03-21 22:50:49 +01:00			`#ifdef LTC_RSA_BLINDING`
Added RSA blinding (requires mp_rand()). 2011-03-21 08:26:41 +01:00			`/* do blinding */`
mp_rand() assumes the number of digits and not the bitsize as parameter 2014-08-28 02:51:22 +02:00			`err = mp_rand(rnd, mp_get_digit_count(key->N));`
Added RSA blinding (requires mp_rand()). 2011-03-21 08:26:41 +01:00			`if (err != CRYPT_OK) {`
fix possible missing free of rnd and rndi There could have been a 'goto error', which misses the free of rnd and rndi even if they were initialized. This could happen in cases where a private key operation was done and afterwards one of the operations like reading back or conversion, would have failed (which is likely not to happen) This also includes a proposed improvement from the OLPC project to free elements in the reverse order as they were allocated. 2014-06-15 11:51:38 +02:00			`goto error;`
Added RSA blinding (requires mp_rand()). 2011-03-21 08:26:41 +01:00			`}`

			`/* rndi = 1/rnd mod N */`
			`err = mp_invmod(rnd, key->N, rndi);`
			`if (err != CRYPT_OK) {`
fix possible missing free of rnd and rndi There could have been a 'goto error', which misses the free of rnd and rndi even if they were initialized. This could happen in cases where a private key operation was done and afterwards one of the operations like reading back or conversion, would have failed (which is likely not to happen) This also includes a proposed improvement from the OLPC project to free elements in the reverse order as they were allocated. 2014-06-15 11:51:38 +02:00			`goto error;`
Added RSA blinding (requires mp_rand()). 2011-03-21 08:26:41 +01:00			`}`

			`/* rnd = rnd^e */`
			`err = mp_exptmod( rnd, key->e, key->N, rnd);`
			`if (err != CRYPT_OK) {`
fix possible missing free of rnd and rndi There could have been a 'goto error', which misses the free of rnd and rndi even if they were initialized. This could happen in cases where a private key operation was done and afterwards one of the operations like reading back or conversion, would have failed (which is likely not to happen) This also includes a proposed improvement from the OLPC project to free elements in the reverse order as they were allocated. 2014-06-15 11:51:38 +02:00			`goto error;`
Added RSA blinding (requires mp_rand()). 2011-03-21 08:26:41 +01:00			`}`

			`/* tmp = tmprnd mod N /`
			`err = mp_mulmod( tmp, rnd, key->N, tmp);`
			`if (err != CRYPT_OK) {`
fix possible missing free of rnd and rndi There could have been a 'goto error', which misses the free of rnd and rndi even if they were initialized. This could happen in cases where a private key operation was done and afterwards one of the operations like reading back or conversion, would have failed (which is likely not to happen) This also includes a proposed improvement from the OLPC project to free elements in the reverse order as they were allocated. 2014-06-15 11:51:38 +02:00			`goto error;`
Added RSA blinding (requires mp_rand()). 2011-03-21 08:26:41 +01:00			`}`
Added define LTC_RSA_BLINDING to be able to disable rsa blinding 2011-03-21 22:50:49 +01:00			`#endif /* LTC_RSA_BLINDING */`
Added RSA blinding (requires mp_rand()). 2011-03-21 08:26:41 +01:00
harden RSA CRT by implementing the proposed countermeasure ... from ch. 1.3 of [1] [1] https://people.redhat.com/~fweimer/rsa-crt-leaks.pdf 2015-09-08 02:44:17 +02:00			`no_crt = (key->dP == NULL) \|\| (mp_get_digit_count(key->dP) == 0);`

			`if (no_crt) {`
RSA in case CRT optimization parameters are not populated rsa_exptmod(), ran on the private key, makes use of CRT optimization parameters. In some use-cases, the given key does not include the optimization parameters. This patch allows rsa_exptmod() to run without the CRT parameters, using directly mp_exptmod(). Signed-off-by: Pascal Brand <pascal.brand@st.com> 2014-09-18 02:12:59 +02:00			`/*`
RSA in CRT optimization parameters are empty 2014-09-18 20:45:42 +02:00			`* In case CRT optimization parameters are not provided,`
			`* the private key is directly used to exptmod it`
RSA in case CRT optimization parameters are not populated rsa_exptmod(), ran on the private key, makes use of CRT optimization parameters. In some use-cases, the given key does not include the optimization parameters. This patch allows rsa_exptmod() to run without the CRT parameters, using directly mp_exptmod(). Signed-off-by: Pascal Brand <pascal.brand@st.com> 2014-09-18 02:12:59 +02:00			`*/`
			`if ((err = mp_exptmod(tmp, key->d, key->N, tmp)) != CRYPT_OK) { goto error; }`
			`} else {`
			`/* tmpa = tmp^dP mod p */`
			`if ((err = mp_exptmod(tmp, key->dP, key->p, tmpa)) != CRYPT_OK) { goto error; }`

			`/* tmpb = tmp^dQ mod q */`
			`if ((err = mp_exptmod(tmp, key->dQ, key->q, tmpb)) != CRYPT_OK) { goto error; }`

			`/* tmp = (tmpa - tmpb) * qInv (mod p) */`
			`if ((err = mp_sub(tmpa, tmpb, tmp)) != CRYPT_OK) { goto error; }`
			`if ((err = mp_mulmod(tmp, key->qP, key->p, tmp)) != CRYPT_OK) { goto error; }`

			`/* tmp = tmpb + q * tmp */`
			`if ((err = mp_mul(tmp, key->q, tmp)) != CRYPT_OK) { goto error; }`
			`if ((err = mp_add(tmp, tmpb, tmp)) != CRYPT_OK) { goto error; }`
			`}`
Added RSA blinding (requires mp_rand()). 2011-03-21 08:26:41 +01:00
Added define LTC_RSA_BLINDING to be able to disable rsa blinding 2011-03-21 22:50:49 +01:00			`#ifdef LTC_RSA_BLINDING`
Added RSA blinding (requires mp_rand()). 2011-03-21 08:26:41 +01:00			`/* unblind */`
			`err = mp_mulmod( tmp, rndi, key->N, tmp);`
			`if (err != CRYPT_OK) {`
fix possible missing free of rnd and rndi There could have been a 'goto error', which misses the free of rnd and rndi even if they were initialized. This could happen in cases where a private key operation was done and afterwards one of the operations like reading back or conversion, would have failed (which is likely not to happen) This also includes a proposed improvement from the OLPC project to free elements in the reverse order as they were allocated. 2014-06-15 11:51:38 +02:00			`goto error;`
Added RSA blinding (requires mp_rand()). 2011-03-21 08:26:41 +01:00			`}`
Added define LTC_RSA_BLINDING to be able to disable rsa blinding 2011-03-21 22:50:49 +01:00			`#endif`
harden RSA CRT by implementing the proposed countermeasure ... from ch. 1.3 of [1] [1] https://people.redhat.com/~fweimer/rsa-crt-leaks.pdf 2015-09-08 02:44:17 +02:00
			`#ifdef LTC_RSA_CRT_HARDENING`
			`if (!no_crt) {`
			`if ((err = mp_exptmod(tmp, key->e, key->N, tmpa)) != CRYPT_OK) { goto error; }`
			`if ((err = mp_read_unsigned_bin(tmpb, (unsigned char *)in, (int)inlen)) != CRYPT_OK) { goto error; }`
			`if (mp_cmp(tmpa, tmpb) != LTC_MP_EQ) { err = CRYPT_ERROR; goto error; }`
			`}`
			`#endif`
added libtomcrypt-0.95 2004-05-12 20:42:16 +00:00			`} else {`
			`/* exptmod it */`
added libtomcrypt-1.06 2005-08-01 16:36:47 +00:00			`if ((err = mp_exptmod(tmp, key->e, key->N, tmp)) != CRYPT_OK) { goto error; }`
added libtomcrypt-0.95 2004-05-12 20:42:16 +00:00			`}`

			`/* read it back */`
added libtomcrypt-1.06 2005-08-01 16:36:47 +00:00			`x = (unsigned long)mp_unsigned_bin_size(key->N);`
added libtomcrypt-0.95 2004-05-12 20:42:16 +00:00			`if (x > *outlen) {`
added libtomcrypt-1.13 2006-06-18 01:37:50 +00:00			`*outlen = x;`
added libtomcrypt-0.95 2004-05-12 20:42:16 +00:00			`err = CRYPT_BUFFER_OVERFLOW;`
added libtomcrypt-1.16 2006-12-16 18:10:04 +00:00			`goto error;`
added libtomcrypt-0.95 2004-05-12 20:42:16 +00:00			`}`
added libtomcrypt-1.05 2005-06-27 11:47:35 +00:00
			`/* this should never happen ... */`
added libtomcrypt-1.06 2005-08-01 16:36:47 +00:00			`if (mp_unsigned_bin_size(tmp) > mp_unsigned_bin_size(key->N)) {`
added libtomcrypt-1.05 2005-06-27 11:47:35 +00:00			`err = CRYPT_ERROR;`
added libtomcrypt-1.16 2006-12-16 18:10:04 +00:00			`goto error;`
added libtomcrypt-1.05 2005-06-27 11:47:35 +00:00			`}`
added libtomcrypt-0.95 2004-05-12 20:42:16 +00:00			`*outlen = x;`

			`/* convert it */`
added libtomcrypt-0.96 2004-05-31 02:36:47 +00:00			`zeromem(out, x);`
added libtomcrypt-1.06 2005-08-01 16:36:47 +00:00			`if ((err = mp_to_unsigned_bin(tmp, out+(x-mp_unsigned_bin_size(tmp)))) != CRYPT_OK) { goto error; }`
added libtomcrypt-0.95 2004-05-12 20:42:16 +00:00
			`/* clean up and return */`
			`err = CRYPT_OK;`
			`error:`
fix possible missing free of rnd and rndi There could have been a 'goto error', which misses the free of rnd and rndi even if they were initialized. This could happen in cases where a private key operation was done and afterwards one of the operations like reading back or conversion, would have failed (which is likely not to happen) This also includes a proposed improvement from the OLPC project to free elements in the reverse order as they were allocated. 2014-06-15 11:51:38 +02:00			`mp_clear_multi(`
			`#ifdef LTC_RSA_BLINDING`
			`rndi, rnd,`
			`#endif /* LTC_RSA_BLINDING */`
			`tmpb, tmpa, tmp, NULL);`
added libtomcrypt-0.95 2004-05-12 20:42:16 +00:00			`return err;`
			`}`

			`#endif`
added libtomcrypt-1.03 2005-06-09 00:08:13 +00:00
			`/* $Source$ */`
			`/* $Revision$ */`
			`/* $Date$ */`