2 * Copyright (c) 2006 - 2007, 2010 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
36 #include <krb5-types.h>
41 #ifdef USE_HCRYPTO_TFM
46 BN2mpz(fp_int *s, const BIGNUM *bn)
53 len = BN_num_bytes(bn);
56 fp_read_unsigned_bin(s, p, len);
61 tfm_rsa_private_calculate(fp_int * in, fp_int * p, fp_int * q,
62 fp_int * dmp1, fp_int * dmq1, fp_int * iqmp,
67 fp_init_multi(&vp, &vq, &u, NULL);
69 /* vq = c ^ (d mod (q - 1)) mod q */
70 /* vp = c ^ (d mod (p - 1)) mod p */
72 fp_exptmod(&u, dmp1, p, &vp);
74 fp_exptmod(&u, dmq1, q, &vq);
76 /* C2 = 1/q mod p (iqmp) */
77 /* u = (vp - vq)C2 mod p. */
84 /* c ^ d mod n = vq + u q */
88 fp_zero_multi(&vp, &vq, &u, NULL);
98 tfm_rsa_public_encrypt(int flen, const unsigned char* from,
99 unsigned char* to, RSA* rsa, int padding)
101 unsigned char *p, *p0;
104 fp_int enc, dec, n, e;
106 if (padding != RSA_PKCS1_PADDING)
109 size = RSA_size(rsa);
111 if (size < RSA_PKCS1_PADDING_SIZE || size - RSA_PKCS1_PADDING_SIZE < flen)
117 p = p0 = malloc(size - 1);
119 fp_zero_multi(&e, &n, NULL);
123 padlen = size - flen - 3;
126 if (RAND_bytes(p, padlen) != 1) {
127 fp_zero_multi(&e, &n, NULL);
138 memcpy(p, from, flen);
140 assert((p - p0) == size - 1);
142 fp_init_multi(&enc, &dec, NULL);
143 fp_read_unsigned_bin(&dec, p0, size - 1);
146 res = fp_exptmod(&dec, &e, &n, &enc);
148 fp_zero_multi(&dec, &e, &n, NULL);
155 ssize = fp_unsigned_bin_size(&enc);
156 assert(size >= ssize);
157 fp_to_unsigned_bin(&enc, to);
166 tfm_rsa_public_decrypt(int flen, const unsigned char* from,
167 unsigned char* to, RSA* rsa, int padding)
174 if (padding != RSA_PKCS1_PADDING)
177 if (flen > RSA_size(rsa))
184 /* Check that the exponent is larger then 3 */
185 if (mp_int_compare_value(&e, 3) <= 0) {
186 fp_zero_multi(&e, &n, NULL);
191 fp_init_multi(&s, &us, NULL);
192 fp_read_unsigned_bin(&s, rk_UNCONST(from), flen);
194 if (fp_cmp(&s, &n) >= 0) {
195 fp_zero_multi(&e, &n, NULL);
199 res = fp_exptmod(&s, &e, &n, &us);
201 fp_zero_multi(&s, &e, &n, NULL);
208 size = fp_unsigned_bin_size(&us);
209 assert(size <= RSA_size(rsa));
210 fp_to_unsigned_bin(&us, p);
214 /* head zero was skipped by fp_to_unsigned_bin */
220 while (size && *p == 0xff) {
223 if (size == 0 || *p != 0)
227 memmove(to, p, size);
233 tfm_rsa_private_encrypt(int flen, const unsigned char* from,
234 unsigned char* to, RSA* rsa, int padding)
236 unsigned char *p, *p0;
239 fp_int in, out, n, e;
241 if (padding != RSA_PKCS1_PADDING)
244 size = RSA_size(rsa);
246 if (size < RSA_PKCS1_PADDING_SIZE || size - RSA_PKCS1_PADDING_SIZE < flen)
249 p0 = p = malloc(size);
252 memset(p, 0xff, size - flen - 3);
253 p += size - flen - 3;
255 memcpy(p, from, flen);
257 assert((p - p0) == size);
262 fp_init_multi(&in, &out, NULL);
263 fp_read_unsigned_bin(&in, p0, size);
266 if(fp_isneg(&in) || fp_cmp(&in, &n) >= 0) {
271 if (rsa->p && rsa->q && rsa->dmp1 && rsa->dmq1 && rsa->iqmp) {
272 fp_int p, q, dmp1, dmq1, iqmp;
276 BN2mpz(&dmp1, rsa->dmp1);
277 BN2mpz(&dmq1, rsa->dmq1);
278 BN2mpz(&iqmp, rsa->iqmp);
280 res = tfm_rsa_private_calculate(&in, &p, &q, &dmp1, &dmq1, &iqmp, &out);
282 fp_zero_multi(&p, &q, &dmp1, &dmq1, &iqmp, NULL);
292 res = fp_exptmod(&in, &d, &n, &out);
302 ssize = fp_unsigned_bin_size(&out);
303 assert(size >= ssize);
304 fp_to_unsigned_bin(&out, to);
309 fp_zero_multi(&e, &n, &in, &out, NULL);
315 tfm_rsa_private_decrypt(int flen, const unsigned char* from,
316 unsigned char* to, RSA* rsa, int padding)
321 fp_int in, out, n, e;
323 if (padding != RSA_PKCS1_PADDING)
326 size = RSA_size(rsa);
330 fp_init_multi(&in, &out, NULL);
335 fp_read_unsigned_bin(&in, rk_UNCONST(from), flen);
337 if(fp_isneg(&in) || fp_cmp(&in, &n) >= 0) {
342 if (rsa->p && rsa->q && rsa->dmp1 && rsa->dmq1 && rsa->iqmp) {
343 fp_int p, q, dmp1, dmq1, iqmp;
347 BN2mpz(&dmp1, rsa->dmp1);
348 BN2mpz(&dmq1, rsa->dmq1);
349 BN2mpz(&iqmp, rsa->iqmp);
351 res = tfm_rsa_private_calculate(&in, &p, &q, &dmp1, &dmq1, &iqmp, &out);
353 fp_zero_multi(&p, &q, &dmp1, &dmq1, &iqmp, NULL);
363 if(fp_isneg(&in) || fp_cmp(&in, &n) >= 0)
367 res = fp_exptmod(&in, &d, &n, &out);
378 ssize = fp_unsigned_bin_size(&out);
379 assert(size >= ssize);
380 fp_to_unsigned_bin(&out, ptr);
384 /* head zero was skipped by mp_int_to_unsigned */
390 while (size && *ptr != 0) {
397 memmove(to, ptr, size);
400 fp_zero_multi(&e, &n, &in, &out, NULL);
412 size = fp_unsigned_bin_size(s);
414 if (p == NULL && size != 0)
417 fp_to_unsigned_bin(s, p);
419 bn = BN_bin2bn(p, size, NULL);
425 random_num(fp_int *num, size_t len)
433 if (RAND_bytes(p, len) != 1) {
437 fp_read_unsigned_bin(num, p, len);
442 #define CHECK(f, v) if ((f) != (v)) { goto out; }
445 tfm_rsa_generate_key(RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb)
447 fp_int el, p, q, n, d, dmp1, dmq1, iqmp, t1, t2, t3;
448 int counter, ret, bitsp;
453 bitsp = (bits + 1) / 2;
457 fp_init_multi(&el, &p, &q, &n, &n, &d, &dmp1, &dmq1, &iqmp, &t1, &t2, &t3, NULL);
461 /* generate p and q so that p != q and bits(pq) ~ bits */
464 BN_GENCB_call(cb, 2, counter++);
465 CHECK(random_num(&p, bitsp), 0);
466 CHECK(fp_find_prime(&p), FP_YES);
468 fp_sub_d(&p, 1, &t1);
469 fp_gcd(&t1, &el, &t2);
470 } while(fp_cmp_d(&t2, 1) != 0);
472 BN_GENCB_call(cb, 3, 0);
476 BN_GENCB_call(cb, 2, counter++);
477 CHECK(random_num(&q, bits - bitsp), 0);
478 CHECK(fp_find_prime(&q), FP_YES);
480 if (fp_cmp(&p, &q) == 0) /* don't let p and q be the same */
483 fp_sub_d(&q, 1, &t1);
484 fp_gcd(&t1, &el, &t2);
485 } while(fp_cmp_d(&t2, 1) != 0);
488 if (fp_cmp(&p, &q) < 0) {
495 BN_GENCB_call(cb, 3, 1);
497 /* calculate n, n = p * q */
500 /* calculate d, d = 1/e mod (p - 1)(q - 1) */
501 fp_sub_d(&p, 1, &t1);
502 fp_sub_d(&q, 1, &t2);
503 fp_mul(&t1, &t2, &t3);
504 fp_invmod(&el, &t3, &d);
506 /* calculate dmp1 dmp1 = d mod (p-1) */
507 fp_mod(&d, &t1, &dmp1);
508 /* calculate dmq1 dmq1 = d mod (q-1) */
509 fp_mod(&d, &t2, &dmq1);
510 /* calculate iqmp iqmp = 1/q mod p */
511 fp_invmod(&q, &p, &iqmp);
513 /* fill in RSA key */
515 rsa->e = mpz2BN(&el);
520 rsa->dmp1 = mpz2BN(&dmp1);
521 rsa->dmq1 = mpz2BN(&dmq1);
522 rsa->iqmp = mpz2BN(&iqmp);
527 fp_zero_multi(&el, &p, &q, &n, &d, &dmp1,
528 &dmq1, &iqmp, &t1, &t2, &t3, NULL);
534 tfm_rsa_init(RSA *rsa)
540 tfm_rsa_finish(RSA *rsa)
545 const RSA_METHOD hc_rsa_tfm_method = {
547 tfm_rsa_public_encrypt,
548 tfm_rsa_public_decrypt,
549 tfm_rsa_private_encrypt,
550 tfm_rsa_private_decrypt,
567 #ifdef USE_HCRYPTO_TFM
568 return &hc_rsa_tfm_method;