1 // SPDX-License-Identifier: BSD-2-Clause
2 /* LibTomCrypt, modular cryptographic library -- Tom St Denis
3 *
4 * LibTomCrypt is a library that provides various cryptographic
5 * algorithms in a highly modular and flexible manner.
6 *
7 * The library is free for all purposes without any express
8 * guarantee it works.
9 */
10 #include "tomcrypt_private.h"
11
12 /**
13 @file rsa_exptmod.c
14 RSA PKCS exptmod, Tom St Denis
15 Added RSA blinding --nmav
16 */
17
18 #ifdef LTC_MRSA
19
20 /**
21 Compute an RSA modular exponentiation
22 @param in The input data to send into RSA
23 @param inlen The length of the input (octets)
24 @param out [out] The destination
25 @param outlen [in/out] The max size and resulting size of the output
26 @param which Which exponent to use, e.g. PK_PRIVATE or PK_PUBLIC
27 @param key The RSA key to use
28 @return CRYPT_OK if successful
29 */
rsa_exptmod(const unsigned char * in,unsigned long inlen,unsigned char * out,unsigned long * outlen,int which,const rsa_key * key)30 int rsa_exptmod(const unsigned char *in, unsigned long inlen,
31 unsigned char *out, unsigned long *outlen, int which,
32 const rsa_key *key)
33 {
34 void *tmp, *tmpa, *tmpb;
35 #ifdef LTC_RSA_BLINDING
36 void *rnd, *rndi /* inverse of rnd */;
37 #endif
38 unsigned long x;
39 int err, has_crt_parameters;
40
41 LTC_ARGCHK(in != NULL);
42 LTC_ARGCHK(out != NULL);
43 LTC_ARGCHK(outlen != NULL);
44 LTC_ARGCHK(key != NULL);
45
46 /* is the key of the right type for the operation? */
47 if (which == PK_PRIVATE && (key->type != PK_PRIVATE)) {
48 return CRYPT_PK_NOT_PRIVATE;
49 }
50
51 /* must be a private or public operation */
52 if (which != PK_PRIVATE && which != PK_PUBLIC) {
53 return CRYPT_PK_INVALID_TYPE;
54 }
55
56 /* init and copy into tmp */
57 if ((err = mp_init_multi(&tmp, &tmpa, &tmpb,
58 #ifdef LTC_RSA_BLINDING
59 &rnd, &rndi,
60 #endif /* LTC_RSA_BLINDING */
61 NULL)) != CRYPT_OK)
62 { return err; }
63 if ((err = mp_read_unsigned_bin(tmp, (unsigned char *)in, (int)inlen)) != CRYPT_OK)
64 { goto error; }
65
66
67 /* sanity check on the input */
68 if (mp_cmp(key->N, tmp) == LTC_MP_LT) {
69 err = CRYPT_PK_INVALID_SIZE;
70 goto error;
71 }
72
73 /* are we using the private exponent and is the key optimized? */
74 if (which == PK_PRIVATE) {
75 #ifdef LTC_RSA_BLINDING
76 /* do blinding */
77 err = mp_rand(rnd, mp_get_digit_count(key->N));
78 if (err != CRYPT_OK) {
79 goto error;
80 }
81
82 /* rndi = 1/rnd mod N */
83 err = mp_invmod(rnd, key->N, rndi);
84 if (err != CRYPT_OK) {
85 goto error;
86 }
87
88 /* rnd = rnd^e */
89 err = mp_exptmod( rnd, key->e, key->N, rnd);
90 if (err != CRYPT_OK) {
91 goto error;
92 }
93
94 /* tmp = tmp*rnd mod N */
95 err = mp_mulmod( tmp, rnd, key->N, tmp);
96 if (err != CRYPT_OK) {
97 goto error;
98 }
99 #endif /* LTC_RSA_BLINDING */
100
101 has_crt_parameters = (key->p != NULL) && (mp_get_digit_count(key->p) != 0) &&
102 (key->q != NULL) && (mp_get_digit_count(key->q) != 0) &&
103 (key->dP != NULL) && (mp_get_digit_count(key->dP) != 0) &&
104 (key->dQ != NULL) && (mp_get_digit_count(key->dQ) != 0) &&
105 (key->qP != NULL) && (mp_get_digit_count(key->qP) != 0);
106
107 if (!has_crt_parameters) {
108 /*
109 * In case CRT optimization parameters are not provided,
110 * the private key is directly used to exptmod it
111 */
112 if ((err = mp_exptmod(tmp, key->d, key->N, tmp)) != CRYPT_OK) { goto error; }
113 } else {
114 /* tmpa = tmp^dP mod p */
115 if ((err = mp_exptmod(tmp, key->dP, key->p, tmpa)) != CRYPT_OK) { goto error; }
116
117 /* tmpb = tmp^dQ mod q */
118 if ((err = mp_exptmod(tmp, key->dQ, key->q, tmpb)) != CRYPT_OK) { goto error; }
119
120 /* tmp = (tmpa - tmpb) * qInv (mod p) */
121 if ((err = mp_sub(tmpa, tmpb, tmp)) != CRYPT_OK) { goto error; }
122 if ((err = mp_mulmod(tmp, key->qP, key->p, tmp)) != CRYPT_OK) { goto error; }
123
124 /* tmp = tmpb + q * tmp */
125 if ((err = mp_mul(tmp, key->q, tmp)) != CRYPT_OK) { goto error; }
126 if ((err = mp_add(tmp, tmpb, tmp)) != CRYPT_OK) { goto error; }
127 }
128
129 #ifdef LTC_RSA_BLINDING
130 /* unblind */
131 err = mp_mulmod( tmp, rndi, key->N, tmp);
132 if (err != CRYPT_OK) {
133 goto error;
134 }
135 #endif
136
137 #ifdef LTC_RSA_CRT_HARDENING
138 if (has_crt_parameters) {
139 if ((err = mp_exptmod(tmp, key->e, key->N, tmpa)) != CRYPT_OK) { goto error; }
140 if ((err = mp_read_unsigned_bin(tmpb, (unsigned char *)in, (int)inlen)) != CRYPT_OK) { goto error; }
141 if (mp_cmp(tmpa, tmpb) != LTC_MP_EQ) { err = CRYPT_ERROR; goto error; }
142 }
143 #endif
144 } else {
145 /* exptmod it */
146 if ((err = mp_exptmod(tmp, key->e, key->N, tmp)) != CRYPT_OK) { goto error; }
147 }
148
149 /* read it back */
150 x = (unsigned long)mp_unsigned_bin_size(key->N);
151 if (x > *outlen) {
152 *outlen = x;
153 err = CRYPT_BUFFER_OVERFLOW;
154 goto error;
155 }
156
157 /* this should never happen ... */
158 if (mp_unsigned_bin_size(tmp) > mp_unsigned_bin_size(key->N)) {
159 err = CRYPT_ERROR;
160 goto error;
161 }
162 *outlen = x;
163
164 /* convert it */
165 zeromem(out, x);
166 if ((err = mp_to_unsigned_bin(tmp, out+(x-mp_unsigned_bin_size(tmp)))) != CRYPT_OK) { goto error; }
167
168 /* clean up and return */
169 err = CRYPT_OK;
170 error:
171 mp_clear_multi(
172 #ifdef LTC_RSA_BLINDING
173 rndi, rnd,
174 #endif /* LTC_RSA_BLINDING */
175 tmpb, tmpa, tmp, NULL);
176 return err;
177 }
178
179 #endif
180
181 /* ref: $Format:%D$ */
182 /* git commit: $Format:%H$ */
183 /* commit time: $Format:%ai$ */
184