1 /* crypto/engine/eng_rsax.c */
2 /* Copyright (c) 2010-2010 Intel Corp.
3 * Author: Vinodh.Gopal@intel.com
5 * Erdinc.Ozturk@intel.com
6 * Maxim.Perminov@intel.com
9 * More information about algorithm used can be found at:
10 * http://www.cse.buffalo.edu/srds2009/escs2009_submission_Gopal.pdf
12 /* ====================================================================
13 * Copyright (c) 1999-2001 The OpenSSL Project. All rights reserved.
15 * Redistribution and use in source and binary forms, with or without
16 * modification, are permitted provided that the following conditions
19 * 1. Redistributions of source code must retain the above copyright
20 * notice, this list of conditions and the following disclaimer.
22 * 2. Redistributions in binary form must reproduce the above copyright
23 * notice, this list of conditions and the following disclaimer in
24 * the documentation and/or other materials provided with the
27 * 3. All advertising materials mentioning features or use of this
28 * software must display the following acknowledgment:
29 * "This product includes software developed by the OpenSSL Project
30 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
32 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
33 * endorse or promote products derived from this software without
34 * prior written permission. For written permission, please contact
35 * licensing@OpenSSL.org.
37 * 5. Products derived from this software may not be called "OpenSSL"
38 * nor may "OpenSSL" appear in their names without prior written
39 * permission of the OpenSSL Project.
41 * 6. Redistributions of any form whatsoever must retain the following
43 * "This product includes software developed by the OpenSSL Project
44 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
46 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
47 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
48 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
49 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
50 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
51 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
52 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
53 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
54 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
55 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
56 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
57 * OF THE POSSIBILITY OF SUCH DAMAGE.
58 * ====================================================================
60 * This product includes cryptographic software written by Eric Young
61 * (eay@cryptsoft.com). This product includes software written by Tim
62 * Hudson (tjh@cryptsoft.com).
65 #include <openssl/opensslconf.h>
69 #include <openssl/crypto.h>
70 #include <openssl/buffer.h>
71 #include <openssl/engine.h>
72 #ifndef OPENSSL_NO_RSA
73 #include <openssl/rsa.h>
75 #include <openssl/bn.h>
76 #include <openssl/err.h>
78 /* RSAX is available **ONLY* on x86_64 CPUs */
81 #if (defined(__x86_64) || defined(__x86_64__) || \
82 defined(_M_AMD64) || defined (_M_X64)) && !defined(OPENSSL_NO_ASM) && \
83 !defined(OPENSSL_SYS_WIN32)
85 static ENGINE *ENGINE_rsax (void);
88 void ENGINE_load_rsax (void)
90 /* On non-x86 CPUs it just returns. */
92 ENGINE *toadd = ENGINE_rsax();
101 #define E_RSAX_LIB_NAME "rsax engine"
103 static int e_rsax_destroy(ENGINE *e);
104 static int e_rsax_init(ENGINE *e);
105 static int e_rsax_finish(ENGINE *e);
106 static int e_rsax_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void));
108 #ifndef OPENSSL_NO_RSA
110 static int e_rsax_rsa_mod_exp(BIGNUM *r, const BIGNUM *I, RSA *rsa, BN_CTX *ctx);
111 static int e_rsax_rsa_finish(RSA *r);
114 static const ENGINE_CMD_DEFN e_rsax_cmd_defns[] = {
118 #ifndef OPENSSL_NO_RSA
119 /* Our internal RSA_METHOD that we provide pointers to */
120 static RSA_METHOD e_rsax_rsa =
122 "Intel RSA-X method",
131 RSA_FLAG_CACHE_PUBLIC|RSA_FLAG_CACHE_PRIVATE,
138 /* Constants used when creating the ENGINE */
139 static const char *engine_e_rsax_id = "rsax";
140 static const char *engine_e_rsax_name = "RSAX engine support";
142 /* This internal function is used by ENGINE_rsax() */
143 static int bind_helper(ENGINE *e)
145 #ifndef OPENSSL_NO_RSA
146 const RSA_METHOD *meth1;
148 if(!ENGINE_set_id(e, engine_e_rsax_id) ||
149 !ENGINE_set_name(e, engine_e_rsax_name) ||
150 #ifndef OPENSSL_NO_RSA
151 !ENGINE_set_RSA(e, &e_rsax_rsa) ||
153 !ENGINE_set_destroy_function(e, e_rsax_destroy) ||
154 !ENGINE_set_init_function(e, e_rsax_init) ||
155 !ENGINE_set_finish_function(e, e_rsax_finish) ||
156 !ENGINE_set_ctrl_function(e, e_rsax_ctrl) ||
157 !ENGINE_set_cmd_defns(e, e_rsax_cmd_defns))
160 #ifndef OPENSSL_NO_RSA
161 meth1 = RSA_PKCS1_SSLeay();
162 e_rsax_rsa.rsa_pub_enc = meth1->rsa_pub_enc;
163 e_rsax_rsa.rsa_pub_dec = meth1->rsa_pub_dec;
164 e_rsax_rsa.rsa_priv_enc = meth1->rsa_priv_enc;
165 e_rsax_rsa.rsa_priv_dec = meth1->rsa_priv_dec;
166 e_rsax_rsa.bn_mod_exp = meth1->bn_mod_exp;
167 e_rsax_rsa.finish = meth1->finish;
172 static ENGINE *ENGINE_rsax(void)
174 ENGINE *ret = ENGINE_new();
177 if(!bind_helper(ret))
185 #ifndef OPENSSL_NO_RSA
186 /* Used to attach our own key-data to an RSA structure */
187 static int rsax_ex_data_idx = -1;
190 static int e_rsax_destroy(ENGINE *e)
195 /* (de)initialisation functions. */
196 static int e_rsax_init(ENGINE *e)
198 #ifndef OPENSSL_NO_RSA
199 if (rsax_ex_data_idx == -1)
200 rsax_ex_data_idx = RSA_get_ex_new_index(0,
204 if (rsax_ex_data_idx == -1)
209 static int e_rsax_finish(ENGINE *e)
214 static int e_rsax_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void))
220 /* The command isn't understood by this engine */
230 #ifndef OPENSSL_NO_RSA
233 typedef uint64_t UINT64;
234 typedef uint16_t UINT16;
236 /* Table t is interleaved in the following manner:
237 * The order in memory is t[0][0], t[0][1], ..., t[0][7], t[1][0], ...
238 * A particular 512-bit value is stored in t[][index] rather than the more
239 * normal t[index][]; i.e. the qwords of a particular entry in t are not
243 /* Init BIGNUM b from the interleaved UINT64 array */
244 static int interleaved_array_to_bn_512(BIGNUM* b, UINT64 *array);
246 /* Extract array elements from BIGNUM b
247 * To set the whole array from b, call with n=8
249 static int bn_extract_to_array_512(const BIGNUM* b, unsigned int n, UINT64 *array);
254 UINT64 m1[8]; /* 2^278 % m */
255 UINT64 m2[8]; /* 2^640 % m */
256 UINT64 k1[2]; /* (- 1/m) % 2^128 */
259 static int mod_exp_pre_compute_data_512(UINT64 *m, struct mod_ctx_512 *data);
261 void mod_exp_512(UINT64 *result, /* 512 bits, 8 qwords */
262 UINT64 *g, /* 512 bits, 8 qwords */
263 UINT64 *exp, /* 512 bits, 8 qwords */
264 struct mod_ctx_512 *data);
266 typedef struct st_e_rsax_mod_ctx
270 struct mod_ctx_512 b512;
275 static E_RSAX_MOD_CTX *e_rsax_get_ctx(RSA *rsa, int idx, BIGNUM* m)
277 E_RSAX_MOD_CTX *hptr;
279 if (idx < 0 || idx > 2)
282 hptr = RSA_get_ex_data(rsa, rsax_ex_data_idx);
284 hptr = OPENSSL_malloc(3*sizeof(E_RSAX_MOD_CTX));
285 if (!hptr) return NULL;
286 hptr[2].type = hptr[1].type= hptr[0].type = 0;
287 RSA_set_ex_data(rsa, rsax_ex_data_idx, hptr);
290 if (hptr[idx].type == (UINT64)BN_num_bits(m))
293 if (BN_num_bits(m) == 512) {
295 bn_extract_to_array_512(m, 8, _m);
296 memset( &hptr[idx].ctx.b512, 0, sizeof(struct mod_ctx_512));
297 mod_exp_pre_compute_data_512(_m, &hptr[idx].ctx.b512);
300 hptr[idx].type = BN_num_bits(m);
304 static int e_rsax_rsa_finish(RSA *rsa)
306 E_RSAX_MOD_CTX *hptr = RSA_get_ex_data(rsa, rsax_ex_data_idx);
310 RSA_set_ex_data(rsa, rsax_ex_data_idx, NULL);
315 static int e_rsax_bn_mod_exp(BIGNUM *r, const BIGNUM *g, const BIGNUM *e,
316 const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont, E_RSAX_MOD_CTX* rsax_mod_ctx )
318 if (rsax_mod_ctx && BN_get_flags(e, BN_FLG_CONSTTIME) != 0) {
319 if (BN_num_bits(m) == 512) {
324 /* Init the arrays from the BIGNUMs */
325 bn_extract_to_array_512(g, 8, _g);
326 bn_extract_to_array_512(e, 8, _e);
328 mod_exp_512(_r, _g, _e, &rsax_mod_ctx->ctx.b512);
329 /* Return the result in the BIGNUM */
330 interleaved_array_to_bn_512(r, _r);
335 return BN_mod_exp_mont(r, g, e, m, ctx, in_mont);
338 /* Declares for the Intel CIAP 512-bit / CRT / 1024 bit RSA modular
339 * exponentiation routine precalculations and a structure to hold the
340 * necessary values. These files are meant to live in crypto/rsa/ in
341 * the target openssl.
345 * Local method: extracts a piece from a BIGNUM, to fit it into
346 * an array. Call with n=8 to extract an entire 512-bit BIGNUM
348 static int bn_extract_to_array_512(const BIGNUM* b, unsigned int n, UINT64 *array)
352 unsigned char bn_buff[64];
353 memset(bn_buff, 0, 64);
354 if (BN_num_bytes(b) > 64) {
355 printf ("Can't support this byte size\n");
357 if (BN_num_bytes(b)!=0) {
358 if (!BN_bn2bin(b, bn_buff+(64-BN_num_bytes(b)))) {
359 printf ("Error's in bn2bin\n");
360 /* We have to error, here */
364 for (i=7; i>=0; i--) {
365 tmp = bn_buff[63-(n*8+i)];
366 array[n] |= tmp << (8*i); } }
370 /* Init a 512-bit BIGNUM from the UINT64*_ (8 * 64) interleaved array */
371 static int interleaved_array_to_bn_512(BIGNUM* b, UINT64 *array)
373 unsigned char tmp[64];
377 for (i = 7; i>=0; i--) {
378 tmp[63-(n*8+i)] = (unsigned char)(array[n]>>(8*i)); } }
379 BN_bin2bn(tmp, 64, b);
384 /* The main 512bit precompute call */
385 static int mod_exp_pre_compute_data_512(UINT64 *m, struct mod_ctx_512 *data)
387 BIGNUM two_768, two_640, two_128, two_512, tmp, _m, tmp2;
389 /* We need a BN_CTX for the modulo functions */
397 interleaved_array_to_bn_512(&_m, m);
408 /* Create our context */
409 if ((ctx=BN_CTX_new()) == NULL) { goto err; }
413 * For production, if you care, these only need to be set once,
414 * and may be made constants.
416 BN_lshift(&two_768, BN_value_one(), 768);
417 BN_lshift(&two_640, BN_value_one(), 640);
418 BN_lshift(&two_128, BN_value_one(), 128);
419 BN_lshift(&two_512, BN_value_one(), 512);
421 if (0 == (m[7] & 0x8000000000000000)) {
424 if (0 == (m[0] & 0x1)) { /* Odd modulus required for Mont */
429 BN_mod(&tmp, &two_768, &_m, ctx);
430 if (!bn_extract_to_array_512(&tmp, 8, &data->m1[0])) {
434 BN_mod(&tmp, &two_640, &_m, ctx);
435 if (!bn_extract_to_array_512(&tmp, 8, &data->m2[0])) {
440 * Precompute k1, a 128b number = ((-1)* m-1 ) mod 2128; k1 should
443 BN_mod_inverse(&tmp, &_m, &two_128, ctx);
444 if (!BN_is_zero(&tmp)) { BN_sub(&tmp, &two_128, &tmp); }
445 if (!bn_extract_to_array_512(&tmp, 2, &data->k1[0])) {
449 for (i=0; i<8; i++) {
451 if (i & 1) { BN_add(&tmp, &two_512, &tmp); }
452 if (i & 2) { BN_add(&tmp, &two_512, &tmp); }
453 if (i & 4) { BN_add(&tmp, &two_640, &tmp); }
455 BN_nnmod(&tmp2, &tmp, &_m, ctx);
456 if (!bn_extract_to_array_512(&tmp2, 8, _t)) {
458 for (j=0; j<8; j++) data->t[j][i] = _t[j]; }
461 for (i=0; i<8; i++) {
482 static int e_rsax_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
484 BIGNUM *r1,*m1,*vrfy;
485 BIGNUM local_dmp1,local_dmq1,local_c,local_r1;
486 BIGNUM *dmp1,*dmq1,*c,*pr1;
490 r1 = BN_CTX_get(ctx);
491 m1 = BN_CTX_get(ctx);
492 vrfy = BN_CTX_get(ctx);
495 BIGNUM local_p, local_q;
496 BIGNUM *p = NULL, *q = NULL;
499 /* Make sure BN_mod_inverse in Montgomery
500 * intialization uses the BN_FLG_CONSTTIME flag
501 * (unless RSA_FLAG_NO_CONSTTIME is set)
503 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
507 BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
511 BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME);
519 if (rsa->flags & RSA_FLAG_CACHE_PRIVATE)
521 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p, CRYPTO_LOCK_RSA, p, ctx))
523 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_q, CRYPTO_LOCK_RSA, q, ctx))
528 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
537 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
538 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
541 /* compute I mod q */
542 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
545 BN_with_flags(c, I, BN_FLG_CONSTTIME);
546 if (!BN_mod(r1,c,rsa->q,ctx)) goto err;
550 if (!BN_mod(r1,I,rsa->q,ctx)) goto err;
553 /* compute r1^dmq1 mod q */
554 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
557 BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME);
562 if (!e_rsax_bn_mod_exp(m1,r1,dmq1,rsa->q,ctx,
563 rsa->_method_mod_q, e_rsax_get_ctx(rsa, 0, rsa->q) )) goto err;
565 /* compute I mod p */
566 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
569 BN_with_flags(c, I, BN_FLG_CONSTTIME);
570 if (!BN_mod(r1,c,rsa->p,ctx)) goto err;
574 if (!BN_mod(r1,I,rsa->p,ctx)) goto err;
577 /* compute r1^dmp1 mod p */
578 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
581 BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME);
586 if (!e_rsax_bn_mod_exp(r0,r1,dmp1,rsa->p,ctx,
587 rsa->_method_mod_p, e_rsax_get_ctx(rsa, 1, rsa->p) )) goto err;
589 if (!BN_sub(r0,r0,m1)) goto err;
590 /* This will help stop the size of r0 increasing, which does
591 * affect the multiply if it optimised for a power of 2 size */
592 if (BN_is_negative(r0))
593 if (!BN_add(r0,r0,rsa->p)) goto err;
595 if (!BN_mul(r1,r0,rsa->iqmp,ctx)) goto err;
597 /* Turn BN_FLG_CONSTTIME flag on before division operation */
598 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
601 BN_with_flags(pr1, r1, BN_FLG_CONSTTIME);
605 if (!BN_mod(r0,pr1,rsa->p,ctx)) goto err;
607 /* If p < q it is occasionally possible for the correction of
608 * adding 'p' if r0 is negative above to leave the result still
609 * negative. This can break the private key operations: the following
610 * second correction should *always* correct this rare occurrence.
611 * This will *never* happen with OpenSSL generated keys because
612 * they ensure p > q [steve]
614 if (BN_is_negative(r0))
615 if (!BN_add(r0,r0,rsa->p)) goto err;
616 if (!BN_mul(r1,r0,rsa->q,ctx)) goto err;
617 if (!BN_add(r0,r1,m1)) goto err;
619 if (rsa->e && rsa->n)
621 if (!e_rsax_bn_mod_exp(vrfy,r0,rsa->e,rsa->n,ctx,rsa->_method_mod_n, e_rsax_get_ctx(rsa, 2, rsa->n) ))
624 /* If 'I' was greater than (or equal to) rsa->n, the operation
625 * will be equivalent to using 'I mod n'. However, the result of
626 * the verify will *always* be less than 'n' so we don't check
627 * for absolute equality, just congruency. */
628 if (!BN_sub(vrfy, vrfy, I)) goto err;
629 if (!BN_mod(vrfy, vrfy, rsa->n, ctx)) goto err;
630 if (BN_is_negative(vrfy))
631 if (!BN_add(vrfy, vrfy, rsa->n)) goto err;
632 if (!BN_is_zero(vrfy))
634 /* 'I' and 'vrfy' aren't congruent mod n. Don't leak
635 * miscalculated CRT output, just do a raw (slower)
636 * mod_exp and return that instead. */
641 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
644 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
648 if (!e_rsax_bn_mod_exp(r0,I,d,rsa->n,ctx,
649 rsa->_method_mod_n, e_rsax_get_ctx(rsa, 2, rsa->n) )) goto err;
659 #endif /* !OPENSSL_NO_RSA */
660 #endif /* !COMPILE_RSAX */