1 /* crypto/engine/eng_rsax.c */
2 /* Copyright (c) 2010-2010 Intel Corp.
3 * Author: Vinodh.Gopal@intel.com
5 * Erdinc.Ozturk@intel.com
6 * Maxim.Perminov@intel.com
9 * More information about algorithm used can be found at:
10 * http://www.cse.buffalo.edu/srds2009/escs2009_submission_Gopal.pdf
12 /* ====================================================================
13 * Copyright (c) 1999-2001 The OpenSSL Project. All rights reserved.
15 * Redistribution and use in source and binary forms, with or without
16 * modification, are permitted provided that the following conditions
19 * 1. Redistributions of source code must retain the above copyright
20 * notice, this list of conditions and the following disclaimer.
22 * 2. Redistributions in binary form must reproduce the above copyright
23 * notice, this list of conditions and the following disclaimer in
24 * the documentation and/or other materials provided with the
27 * 3. All advertising materials mentioning features or use of this
28 * software must display the following acknowledgment:
29 * "This product includes software developed by the OpenSSL Project
30 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
32 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
33 * endorse or promote products derived from this software without
34 * prior written permission. For written permission, please contact
35 * licensing@OpenSSL.org.
37 * 5. Products derived from this software may not be called "OpenSSL"
38 * nor may "OpenSSL" appear in their names without prior written
39 * permission of the OpenSSL Project.
41 * 6. Redistributions of any form whatsoever must retain the following
43 * "This product includes software developed by the OpenSSL Project
44 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
46 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
47 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
48 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
49 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
50 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
51 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
52 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
53 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
54 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
55 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
56 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
57 * OF THE POSSIBILITY OF SUCH DAMAGE.
58 * ====================================================================
60 * This product includes cryptographic software written by Eric Young
61 * (eay@cryptsoft.com). This product includes software written by Tim
62 * Hudson (tjh@cryptsoft.com).
65 #include <openssl/opensslconf.h>
69 #include <openssl/crypto.h>
70 #include <openssl/buffer.h>
71 #include <openssl/engine.h>
72 #ifndef OPENSSL_NO_RSA
73 # include <openssl/rsa.h>
75 #include <openssl/bn.h>
76 #include <openssl/err.h>
78 /* RSAX is available **ONLY* on x86_64 CPUs */
81 #if (defined(__x86_64) || defined(__x86_64__) || \
82 defined(_M_AMD64) || defined (_M_X64)) && !defined(OPENSSL_NO_ASM)
84 static ENGINE
*ENGINE_rsax(void);
87 void ENGINE_load_rsax(void)
89 /* On non-x86 CPUs it just returns. */
91 ENGINE
*toadd
= ENGINE_rsax();
101 # define E_RSAX_LIB_NAME "rsax engine"
103 static int e_rsax_destroy(ENGINE
*e
);
104 static int e_rsax_init(ENGINE
*e
);
105 static int e_rsax_finish(ENGINE
*e
);
106 static int e_rsax_ctrl(ENGINE
*e
, int cmd
, long i
, void *p
, void (*f
) (void));
108 # ifndef OPENSSL_NO_RSA
110 static int e_rsax_rsa_mod_exp(BIGNUM
*r
, const BIGNUM
*I
, RSA
*rsa
,
112 static int e_rsax_rsa_finish(RSA
*r
);
115 static const ENGINE_CMD_DEFN e_rsax_cmd_defns
[] = {
119 # ifndef OPENSSL_NO_RSA
120 /* Our internal RSA_METHOD that we provide pointers to */
121 static RSA_METHOD e_rsax_rsa
= {
122 "Intel RSA-X method",
131 RSA_FLAG_CACHE_PUBLIC
| RSA_FLAG_CACHE_PRIVATE
,
138 /* Constants used when creating the ENGINE */
139 static const char *engine_e_rsax_id
= "rsax";
140 static const char *engine_e_rsax_name
= "RSAX engine support";
142 /* This internal function is used by ENGINE_rsax() */
143 static int bind_helper(ENGINE
*e
)
145 # ifndef OPENSSL_NO_RSA
146 const RSA_METHOD
*meth1
;
148 if (!ENGINE_set_id(e
, engine_e_rsax_id
) ||
149 !ENGINE_set_name(e
, engine_e_rsax_name
) ||
150 # ifndef OPENSSL_NO_RSA
151 !ENGINE_set_RSA(e
, &e_rsax_rsa
) ||
153 !ENGINE_set_destroy_function(e
, e_rsax_destroy
) ||
154 !ENGINE_set_init_function(e
, e_rsax_init
) ||
155 !ENGINE_set_finish_function(e
, e_rsax_finish
) ||
156 !ENGINE_set_ctrl_function(e
, e_rsax_ctrl
) ||
157 !ENGINE_set_cmd_defns(e
, e_rsax_cmd_defns
))
160 # ifndef OPENSSL_NO_RSA
161 meth1
= RSA_PKCS1_SSLeay();
162 e_rsax_rsa
.rsa_pub_enc
= meth1
->rsa_pub_enc
;
163 e_rsax_rsa
.rsa_pub_dec
= meth1
->rsa_pub_dec
;
164 e_rsax_rsa
.rsa_priv_enc
= meth1
->rsa_priv_enc
;
165 e_rsax_rsa
.rsa_priv_dec
= meth1
->rsa_priv_dec
;
166 e_rsax_rsa
.bn_mod_exp
= meth1
->bn_mod_exp
;
171 static ENGINE
*ENGINE_rsax(void)
173 ENGINE
*ret
= ENGINE_new();
176 if (!bind_helper(ret
)) {
183 # ifndef OPENSSL_NO_RSA
184 /* Used to attach our own key-data to an RSA structure */
185 static int rsax_ex_data_idx
= -1;
188 static int e_rsax_destroy(ENGINE
*e
)
193 /* (de)initialisation functions. */
194 static int e_rsax_init(ENGINE
*e
)
196 # ifndef OPENSSL_NO_RSA
197 if (rsax_ex_data_idx
== -1)
198 rsax_ex_data_idx
= RSA_get_ex_new_index(0, NULL
, NULL
, NULL
, NULL
);
200 if (rsax_ex_data_idx
== -1)
205 static int e_rsax_finish(ENGINE
*e
)
210 static int e_rsax_ctrl(ENGINE
*e
, int cmd
, long i
, void *p
, void (*f
) (void))
215 /* The command isn't understood by this engine */
224 # ifndef OPENSSL_NO_RSA
227 typedef unsigned __int64 UINT64
;
229 typedef unsigned long long UINT64
;
231 typedef unsigned short UINT16
;
234 * Table t is interleaved in the following manner: The order in memory is
235 * t[0][0], t[0][1], ..., t[0][7], t[1][0], ... A particular 512-bit value is
236 * stored in t[][index] rather than the more normal t[index][]; i.e. the
237 * qwords of a particular entry in t are not adjacent in memory
240 /* Init BIGNUM b from the interleaved UINT64 array */
241 static int interleaved_array_to_bn_512(BIGNUM
*b
, UINT64
*array
);
244 * Extract array elements from BIGNUM b To set the whole array from b, call
247 static int bn_extract_to_array_512(const BIGNUM
*b
, unsigned int n
,
253 UINT64 m1
[8]; /* 2^278 % m */
254 UINT64 m2
[8]; /* 2^640 % m */
255 UINT64 k1
[2]; /* (- 1/m) % 2^128 */
258 static int mod_exp_pre_compute_data_512(UINT64
*m
, struct mod_ctx_512
*data
);
260 void mod_exp_512(UINT64
*result
, /* 512 bits, 8 qwords */
261 UINT64
*g
, /* 512 bits, 8 qwords */
262 UINT64
*exp
, /* 512 bits, 8 qwords */
263 struct mod_ctx_512
*data
);
265 typedef struct st_e_rsax_mod_ctx
{
268 struct mod_ctx_512 b512
;
273 static E_RSAX_MOD_CTX
*e_rsax_get_ctx(RSA
*rsa
, int idx
, BIGNUM
*m
)
275 E_RSAX_MOD_CTX
*hptr
;
277 if (idx
< 0 || idx
> 2)
280 hptr
= RSA_get_ex_data(rsa
, rsax_ex_data_idx
);
282 hptr
= OPENSSL_malloc(3 * sizeof(E_RSAX_MOD_CTX
));
285 hptr
[2].type
= hptr
[1].type
= hptr
[0].type
= 0;
286 RSA_set_ex_data(rsa
, rsax_ex_data_idx
, hptr
);
289 if (hptr
[idx
].type
== (UINT64
)BN_num_bits(m
))
292 if (BN_num_bits(m
) == 512) {
294 bn_extract_to_array_512(m
, 8, _m
);
295 memset(&hptr
[idx
].ctx
.b512
, 0, sizeof(struct mod_ctx_512
));
296 mod_exp_pre_compute_data_512(_m
, &hptr
[idx
].ctx
.b512
);
299 hptr
[idx
].type
= BN_num_bits(m
);
303 static int e_rsax_rsa_finish(RSA
*rsa
)
305 E_RSAX_MOD_CTX
*hptr
= RSA_get_ex_data(rsa
, rsax_ex_data_idx
);
308 RSA_set_ex_data(rsa
, rsax_ex_data_idx
, NULL
);
310 if (rsa
->_method_mod_n
)
311 BN_MONT_CTX_free(rsa
->_method_mod_n
);
312 if (rsa
->_method_mod_p
)
313 BN_MONT_CTX_free(rsa
->_method_mod_p
);
314 if (rsa
->_method_mod_q
)
315 BN_MONT_CTX_free(rsa
->_method_mod_q
);
319 static int e_rsax_bn_mod_exp(BIGNUM
*r
, const BIGNUM
*g
, const BIGNUM
*e
,
320 const BIGNUM
*m
, BN_CTX
*ctx
,
321 BN_MONT_CTX
*in_mont
,
322 E_RSAX_MOD_CTX
*rsax_mod_ctx
)
324 if (rsax_mod_ctx
&& BN_get_flags(e
, BN_FLG_CONSTTIME
) != 0) {
325 if (BN_num_bits(m
) == 512) {
330 /* Init the arrays from the BIGNUMs */
331 bn_extract_to_array_512(g
, 8, _g
);
332 bn_extract_to_array_512(e
, 8, _e
);
334 mod_exp_512(_r
, _g
, _e
, &rsax_mod_ctx
->ctx
.b512
);
335 /* Return the result in the BIGNUM */
336 interleaved_array_to_bn_512(r
, _r
);
341 return BN_mod_exp_mont(r
, g
, e
, m
, ctx
, in_mont
);
345 * Declares for the Intel CIAP 512-bit / CRT / 1024 bit RSA modular
346 * exponentiation routine precalculations and a structure to hold the
347 * necessary values. These files are meant to live in crypto/rsa/ in the
352 * Local method: extracts a piece from a BIGNUM, to fit it into
353 * an array. Call with n=8 to extract an entire 512-bit BIGNUM
355 static int bn_extract_to_array_512(const BIGNUM
*b
, unsigned int n
,
360 unsigned char bn_buff
[64];
361 memset(bn_buff
, 0, 64);
362 if (BN_num_bytes(b
) > 64) {
363 printf("Can't support this byte size\n");
366 if (BN_num_bytes(b
) != 0) {
367 if (!BN_bn2bin(b
, bn_buff
+ (64 - BN_num_bytes(b
)))) {
368 printf("Error's in bn2bin\n");
369 /* We have to error, here */
375 for (i
= 7; i
>= 0; i
--) {
376 tmp
= bn_buff
[63 - (n
* 8 + i
)];
377 array
[n
] |= tmp
<< (8 * i
);
383 /* Init a 512-bit BIGNUM from the UINT64*_ (8 * 64) interleaved array */
384 static int interleaved_array_to_bn_512(BIGNUM
*b
, UINT64
*array
)
386 unsigned char tmp
[64];
390 for (i
= 7; i
>= 0; i
--) {
391 tmp
[63 - (n
* 8 + i
)] = (unsigned char)(array
[n
] >> (8 * i
));
393 BN_bin2bn(tmp
, 64, b
);
397 /* The main 512bit precompute call */
398 static int mod_exp_pre_compute_data_512(UINT64
*m
, struct mod_ctx_512
*data
)
400 BIGNUM two_768
, two_640
, two_128
, two_512
, tmp
, _m
, tmp2
;
402 /* We need a BN_CTX for the modulo functions */
410 interleaved_array_to_bn_512(&_m
, m
);
421 /* Create our context */
422 if ((ctx
= BN_CTX_new()) == NULL
) {
428 * For production, if you care, these only need to be set once,
429 * and may be made constants.
431 BN_lshift(&two_768
, BN_value_one(), 768);
432 BN_lshift(&two_640
, BN_value_one(), 640);
433 BN_lshift(&two_128
, BN_value_one(), 128);
434 BN_lshift(&two_512
, BN_value_one(), 512);
436 if (0 == (m
[7] & 0x8000000000000000)) {
439 if (0 == (m
[0] & 0x1)) { /* Odd modulus required for Mont */
444 BN_mod(&tmp
, &two_768
, &_m
, ctx
);
445 if (!bn_extract_to_array_512(&tmp
, 8, &data
->m1
[0])) {
450 BN_mod(&tmp
, &two_640
, &_m
, ctx
);
451 if (!bn_extract_to_array_512(&tmp
, 8, &data
->m2
[0])) {
456 * Precompute k1, a 128b number = ((-1)* m-1 ) mod 2128; k1 should
459 BN_mod_inverse(&tmp
, &_m
, &two_128
, ctx
);
460 if (!BN_is_zero(&tmp
)) {
461 BN_sub(&tmp
, &two_128
, &tmp
);
463 if (!bn_extract_to_array_512(&tmp
, 2, &data
->k1
[0])) {
468 for (i
= 0; i
< 8; i
++) {
471 BN_add(&tmp
, &two_512
, &tmp
);
474 BN_add(&tmp
, &two_512
, &tmp
);
477 BN_add(&tmp
, &two_640
, &tmp
);
480 BN_nnmod(&tmp2
, &tmp
, &_m
, ctx
);
481 if (!bn_extract_to_array_512(&tmp2
, 8, _t
)) {
484 for (j
= 0; j
< 8; j
++)
485 data
->t
[j
][i
] = _t
[j
];
489 for (i
= 0; i
< 8; i
++) {
512 static int e_rsax_rsa_mod_exp(BIGNUM
*r0
, const BIGNUM
*I
, RSA
*rsa
,
515 BIGNUM
*r1
, *m1
, *vrfy
;
516 BIGNUM local_dmp1
, local_dmq1
, local_c
, local_r1
;
517 BIGNUM
*dmp1
, *dmq1
, *c
, *pr1
;
521 r1
= BN_CTX_get(ctx
);
522 m1
= BN_CTX_get(ctx
);
523 vrfy
= BN_CTX_get(ctx
);
526 BIGNUM local_p
, local_q
;
527 BIGNUM
*p
= NULL
, *q
= NULL
;
531 * Make sure BN_mod_inverse in Montgomery intialization uses the
532 * BN_FLG_CONSTTIME flag (unless RSA_FLAG_NO_CONSTTIME is set)
534 if (!(rsa
->flags
& RSA_FLAG_NO_CONSTTIME
)) {
537 BN_with_flags(p
, rsa
->p
, BN_FLG_CONSTTIME
);
541 BN_with_flags(q
, rsa
->q
, BN_FLG_CONSTTIME
);
547 if (rsa
->flags
& RSA_FLAG_CACHE_PRIVATE
) {
548 if (!BN_MONT_CTX_set_locked
549 (&rsa
->_method_mod_p
, CRYPTO_LOCK_RSA
, p
, ctx
))
551 if (!BN_MONT_CTX_set_locked
552 (&rsa
->_method_mod_q
, CRYPTO_LOCK_RSA
, q
, ctx
))
557 if (!(rsa
->flags
& RSA_FLAG_NO_CONSTTIME
)) {
565 if (rsa
->flags
& RSA_FLAG_CACHE_PUBLIC
)
566 if (!BN_MONT_CTX_set_locked
567 (&rsa
->_method_mod_n
, CRYPTO_LOCK_RSA
, rsa
->n
, ctx
))
570 /* compute I mod q */
571 if (!(rsa
->flags
& RSA_FLAG_NO_CONSTTIME
)) {
573 BN_with_flags(c
, I
, BN_FLG_CONSTTIME
);
574 if (!BN_mod(r1
, c
, rsa
->q
, ctx
))
577 if (!BN_mod(r1
, I
, rsa
->q
, ctx
))
581 /* compute r1^dmq1 mod q */
582 if (!(rsa
->flags
& RSA_FLAG_NO_CONSTTIME
)) {
584 BN_with_flags(dmq1
, rsa
->dmq1
, BN_FLG_CONSTTIME
);
588 if (!e_rsax_bn_mod_exp(m1
, r1
, dmq1
, rsa
->q
, ctx
,
589 rsa
->_method_mod_q
, e_rsax_get_ctx(rsa
, 0,
593 /* compute I mod p */
594 if (!(rsa
->flags
& RSA_FLAG_NO_CONSTTIME
)) {
596 BN_with_flags(c
, I
, BN_FLG_CONSTTIME
);
597 if (!BN_mod(r1
, c
, rsa
->p
, ctx
))
600 if (!BN_mod(r1
, I
, rsa
->p
, ctx
))
604 /* compute r1^dmp1 mod p */
605 if (!(rsa
->flags
& RSA_FLAG_NO_CONSTTIME
)) {
607 BN_with_flags(dmp1
, rsa
->dmp1
, BN_FLG_CONSTTIME
);
611 if (!e_rsax_bn_mod_exp(r0
, r1
, dmp1
, rsa
->p
, ctx
,
612 rsa
->_method_mod_p
, e_rsax_get_ctx(rsa
, 1,
616 if (!BN_sub(r0
, r0
, m1
))
619 * This will help stop the size of r0 increasing, which does affect the
620 * multiply if it optimised for a power of 2 size
622 if (BN_is_negative(r0
))
623 if (!BN_add(r0
, r0
, rsa
->p
))
626 if (!BN_mul(r1
, r0
, rsa
->iqmp
, ctx
))
629 /* Turn BN_FLG_CONSTTIME flag on before division operation */
630 if (!(rsa
->flags
& RSA_FLAG_NO_CONSTTIME
)) {
632 BN_with_flags(pr1
, r1
, BN_FLG_CONSTTIME
);
635 if (!BN_mod(r0
, pr1
, rsa
->p
, ctx
))
639 * If p < q it is occasionally possible for the correction of adding 'p'
640 * if r0 is negative above to leave the result still negative. This can
641 * break the private key operations: the following second correction
642 * should *always* correct this rare occurrence. This will *never* happen
643 * with OpenSSL generated keys because they ensure p > q [steve]
645 if (BN_is_negative(r0
))
646 if (!BN_add(r0
, r0
, rsa
->p
))
648 if (!BN_mul(r1
, r0
, rsa
->q
, ctx
))
650 if (!BN_add(r0
, r1
, m1
))
653 if (rsa
->e
&& rsa
->n
) {
654 if (!e_rsax_bn_mod_exp
655 (vrfy
, r0
, rsa
->e
, rsa
->n
, ctx
, rsa
->_method_mod_n
,
656 e_rsax_get_ctx(rsa
, 2, rsa
->n
)))
660 * If 'I' was greater than (or equal to) rsa->n, the operation will
661 * be equivalent to using 'I mod n'. However, the result of the
662 * verify will *always* be less than 'n' so we don't check for
663 * absolute equality, just congruency.
665 if (!BN_sub(vrfy
, vrfy
, I
))
667 if (!BN_mod(vrfy
, vrfy
, rsa
->n
, ctx
))
669 if (BN_is_negative(vrfy
))
670 if (!BN_add(vrfy
, vrfy
, rsa
->n
))
672 if (!BN_is_zero(vrfy
)) {
674 * 'I' and 'vrfy' aren't congruent mod n. Don't leak
675 * miscalculated CRT output, just do a raw (slower) mod_exp and
676 * return that instead.
682 if (!(rsa
->flags
& RSA_FLAG_NO_CONSTTIME
)) {
684 BN_with_flags(d
, rsa
->d
, BN_FLG_CONSTTIME
);
687 if (!e_rsax_bn_mod_exp(r0
, I
, d
, rsa
->n
, ctx
,
688 rsa
->_method_mod_n
, e_rsax_get_ctx(rsa
, 2,
700 # endif /* !OPENSSL_NO_RSA */
701 #endif /* !COMPILE_RSAX */