1 /* LibTomCrypt, modular cryptographic library -- Tom St Denis */
2 /* SPDX-License-Identifier: Unlicense */
3 #include "tomcrypt_private.h"
4
5 /**
6 @file rsa_exptmod.c
7 RSA PKCS exptmod, Tom St Denis
8 Added RSA blinding --nmav
9 */
10
11 #ifdef LTC_MRSA
12
13 /**
14 Compute an RSA modular exponentiation
15 @param in The input data to send into RSA
16 @param inlen The length of the input (octets)
17 @param out [out] The destination
18 @param outlen [in/out] The max size and resulting size of the output
19 @param which Which exponent to use, e.g. PK_PRIVATE or PK_PUBLIC
20 @param key The RSA key to use
21 @return CRYPT_OK if successful
22 */
rsa_exptmod(const unsigned char * in,unsigned long inlen,unsigned char * out,unsigned long * outlen,int which,const rsa_key * key)23 int rsa_exptmod(const unsigned char *in, unsigned long inlen,
24 unsigned char *out, unsigned long *outlen, int which,
25 const rsa_key *key)
26 {
27 void *tmp, *tmpa, *tmpb;
28 #ifdef LTC_RSA_BLINDING
29 void *rnd, *rndi /* inverse of rnd */;
30 #endif
31 unsigned long x;
32 int err, has_crt_parameters;
33
34 LTC_ARGCHK(in != NULL);
35 LTC_ARGCHK(out != NULL);
36 LTC_ARGCHK(outlen != NULL);
37 LTC_ARGCHK(key != NULL);
38
39 /* is the key of the right type for the operation? */
40 if (which == PK_PRIVATE && (key->type != PK_PRIVATE)) {
41 return CRYPT_PK_NOT_PRIVATE;
42 }
43
44 /* must be a private or public operation */
45 if (which != PK_PRIVATE && which != PK_PUBLIC) {
46 return CRYPT_PK_INVALID_TYPE;
47 }
48
49 /* init and copy into tmp */
50 if ((err = mp_init_multi(&tmp, &tmpa, &tmpb,
51 #ifdef LTC_RSA_BLINDING
52 &rnd, &rndi,
53 #endif /* LTC_RSA_BLINDING */
54 NULL)) != CRYPT_OK)
55 { return err; }
56 if ((err = mp_read_unsigned_bin(tmp, (unsigned char *)in, (int)inlen)) != CRYPT_OK)
57 { goto error; }
58
59
60 /* sanity check on the input */
61 if (mp_cmp(key->N, tmp) == LTC_MP_LT) {
62 err = CRYPT_PK_INVALID_SIZE;
63 goto error;
64 }
65
66 /* are we using the private exponent and is the key optimized? */
67 if (which == PK_PRIVATE) {
68 #ifdef LTC_RSA_BLINDING
69 /* do blinding */
70 err = mp_rand(rnd, mp_get_digit_count(key->N));
71 if (err != CRYPT_OK) {
72 goto error;
73 }
74
75 /* rndi = 1/rnd mod N */
76 err = mp_invmod(rnd, key->N, rndi);
77 if (err != CRYPT_OK) {
78 goto error;
79 }
80
81 /* rnd = rnd^e */
82 err = mp_exptmod( rnd, key->e, key->N, rnd);
83 if (err != CRYPT_OK) {
84 goto error;
85 }
86
87 /* tmp = tmp*rnd mod N */
88 err = mp_mulmod( tmp, rnd, key->N, tmp);
89 if (err != CRYPT_OK) {
90 goto error;
91 }
92 #endif /* LTC_RSA_BLINDING */
93
94 has_crt_parameters = (key->p != NULL) && (mp_get_digit_count(key->p) != 0) &&
95 (key->q != NULL) && (mp_get_digit_count(key->q) != 0) &&
96 (key->dP != NULL) && (mp_get_digit_count(key->dP) != 0) &&
97 (key->dQ != NULL) && (mp_get_digit_count(key->dQ) != 0) &&
98 (key->qP != NULL) && (mp_get_digit_count(key->qP) != 0);
99
100 if (!has_crt_parameters) {
101 /*
102 * In case CRT optimization parameters are not provided,
103 * the private key is directly used to exptmod it
104 */
105 if ((err = mp_exptmod(tmp, key->d, key->N, tmp)) != CRYPT_OK) { goto error; }
106 } else {
107 /* tmpa = tmp^dP mod p */
108 if ((err = mp_exptmod(tmp, key->dP, key->p, tmpa)) != CRYPT_OK) { goto error; }
109
110 /* tmpb = tmp^dQ mod q */
111 if ((err = mp_exptmod(tmp, key->dQ, key->q, tmpb)) != CRYPT_OK) { goto error; }
112
113 /* tmp = (tmpa - tmpb) * qInv (mod p) */
114 if ((err = mp_sub(tmpa, tmpb, tmp)) != CRYPT_OK) { goto error; }
115 if ((err = mp_mulmod(tmp, key->qP, key->p, tmp)) != CRYPT_OK) { goto error; }
116
117 /* tmp = tmpb + q * tmp */
118 if ((err = mp_mul(tmp, key->q, tmp)) != CRYPT_OK) { goto error; }
119 if ((err = mp_add(tmp, tmpb, tmp)) != CRYPT_OK) { goto error; }
120 }
121
122 #ifdef LTC_RSA_BLINDING
123 /* unblind */
124 err = mp_mulmod( tmp, rndi, key->N, tmp);
125 if (err != CRYPT_OK) {
126 goto error;
127 }
128 #endif
129
130 #ifdef LTC_RSA_CRT_HARDENING
131 if (has_crt_parameters) {
132 if ((err = mp_exptmod(tmp, key->e, key->N, tmpa)) != CRYPT_OK) { goto error; }
133 if ((err = mp_read_unsigned_bin(tmpb, (unsigned char *)in, (int)inlen)) != CRYPT_OK) { goto error; }
134 if (mp_cmp(tmpa, tmpb) != LTC_MP_EQ) { err = CRYPT_ERROR; goto error; }
135 }
136 #endif
137 } else {
138 /* exptmod it */
139 if ((err = mp_exptmod(tmp, key->e, key->N, tmp)) != CRYPT_OK) { goto error; }
140 }
141
142 /* read it back */
143 x = (unsigned long)mp_unsigned_bin_size(key->N);
144 if (x > *outlen) {
145 *outlen = x;
146 err = CRYPT_BUFFER_OVERFLOW;
147 goto error;
148 }
149
150 /* this should never happen ... */
151 if (mp_unsigned_bin_size(tmp) > mp_unsigned_bin_size(key->N)) {
152 err = CRYPT_ERROR;
153 goto error;
154 }
155 *outlen = x;
156
157 /* convert it */
158 zeromem(out, x);
159 if ((err = mp_to_unsigned_bin(tmp, out+(x-mp_unsigned_bin_size(tmp)))) != CRYPT_OK) { goto error; }
160
161 /* clean up and return */
162 err = CRYPT_OK;
163 error:
164 mp_clear_multi(
165 #ifdef LTC_RSA_BLINDING
166 rndi, rnd,
167 #endif /* LTC_RSA_BLINDING */
168 tmpb, tmpa, tmp, NULL);
169 return err;
170 }
171
172 #endif
173