1 /* crypto/engine/e_gmp.c */
2 /* Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL
5 /* ====================================================================
6 * Copyright (c) 1999-2001 The OpenSSL Project. All rights reserved.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
34 * 6. Redistributions of any form whatsoever must retain the following
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
59 /* This engine is not (currently) compiled in by default. Do enable it,
60 * reconfigure OpenSSL with "enable-gmp -lgmp". The GMP libraries and
61 * headers must reside in one of the paths searched by the compiler/linker,
62 * otherwise paths must be specified - eg. try configuring with
63 * "enable-gmp -I<includepath> -L<libpath> -lgmp". YMMV. */
65 /* As for what this does - it's a largely unoptimised implementation of an
66 * ENGINE that uses the GMP library to perform RSA private key operations. To
67 * obtain more information about what "unoptimised" means, see my original mail
68 * on the subject (though ignore the build instructions which have since
71 * http://www.mail-archive.com/openssl-dev@openssl.org/msg12227.html
73 * On my athlon system at least, it appears the builtin OpenSSL code is now
74 * slightly faster, which is to say that the RSA-related MPI performance
75 * between OpenSSL's BIGNUM and GMP's mpz implementations is probably pretty
76 * balanced for this chip, and so the performance degradation in this ENGINE by
77 * having to convert to/from GMP formats (and not being able to cache
78 * montgomery forms) is probably the difference. However, if some unconfirmed
79 * reports from users is anything to go by, the situation on some other
80 * chipsets might be a good deal more favourable to the GMP version (eg. PPC).
81 * Feedback welcome. */
85 #include <openssl/crypto.h>
86 #include <openssl/buffer.h>
87 #include <openssl/engine.h>
88 #include <openssl/rsa.h>
89 #include <openssl/bn.h>
92 #ifndef OPENSSL_NO_GMP
96 #define E_GMP_LIB_NAME "gmp engine"
97 #include "e_gmp_err.c"
99 static int e_gmp_destroy(ENGINE
*e
);
100 static int e_gmp_init(ENGINE
*e
);
101 static int e_gmp_finish(ENGINE
*e
);
102 static int e_gmp_ctrl(ENGINE
*e
, int cmd
, long i
, void *p
, void (*f
)(void));
104 #ifndef OPENSSL_NO_RSA
106 static int e_gmp_rsa_mod_exp(BIGNUM
*r
, const BIGNUM
*I
, RSA
*rsa
, BN_CTX
*ctx
);
107 static int e_gmp_rsa_finish(RSA
*r
);
110 /* The definitions for control commands specific to this engine */
111 /* #define E_GMP_CMD_SO_PATH ENGINE_CMD_BASE */
112 static const ENGINE_CMD_DEFN e_gmp_cmd_defns
[] = {
116 "Specifies the path to the 'e_gmp' shared library",
117 ENGINE_CMD_FLAG_STRING
},
122 #ifndef OPENSSL_NO_RSA
123 /* Our internal RSA_METHOD that we provide pointers to */
124 static RSA_METHOD e_gmp_rsa
=
135 /* These flags initialise montgomery crud that GMP ignores, however it
136 * makes sure the public key ops (which are done in openssl) don't seem
137 * *slower* than usual :-) */
138 RSA_FLAG_CACHE_PUBLIC
|RSA_FLAG_CACHE_PRIVATE
,
145 /* Constants used when creating the ENGINE */
146 static const char *engine_e_gmp_id
= "gmp";
147 static const char *engine_e_gmp_name
= "GMP engine support";
149 /* This internal function is used by ENGINE_gmp() and possibly by the
150 * "dynamic" ENGINE support too */
151 static int bind_helper(ENGINE
*e
)
153 #ifndef OPENSSL_NO_RSA
154 const RSA_METHOD
*meth1
;
156 if(!ENGINE_set_id(e
, engine_e_gmp_id
) ||
157 !ENGINE_set_name(e
, engine_e_gmp_name
) ||
158 #ifndef OPENSSL_NO_RSA
159 !ENGINE_set_RSA(e
, &e_gmp_rsa
) ||
161 !ENGINE_set_destroy_function(e
, e_gmp_destroy
) ||
162 !ENGINE_set_init_function(e
, e_gmp_init
) ||
163 !ENGINE_set_finish_function(e
, e_gmp_finish
) ||
164 !ENGINE_set_ctrl_function(e
, e_gmp_ctrl
) ||
165 !ENGINE_set_cmd_defns(e
, e_gmp_cmd_defns
))
168 #ifndef OPENSSL_NO_RSA
169 meth1
= RSA_PKCS1_SSLeay();
170 e_gmp_rsa
.rsa_pub_enc
= meth1
->rsa_pub_enc
;
171 e_gmp_rsa
.rsa_pub_dec
= meth1
->rsa_pub_dec
;
172 e_gmp_rsa
.rsa_priv_enc
= meth1
->rsa_priv_enc
;
173 e_gmp_rsa
.rsa_priv_dec
= meth1
->rsa_priv_dec
;
174 e_gmp_rsa
.bn_mod_exp
= meth1
->bn_mod_exp
;
177 /* Ensure the e_gmp error handling is set up */
178 ERR_load_GMP_strings();
182 static ENGINE
*engine_gmp(void)
184 ENGINE
*ret
= ENGINE_new();
187 if(!bind_helper(ret
))
195 void ENGINE_load_gmp(void)
197 /* Copied from eng_[openssl|dyn].c */
198 ENGINE
*toadd
= engine_gmp();
205 #ifndef OPENSSL_NO_RSA
206 /* Used to attach our own key-data to an RSA structure */
207 static int hndidx_rsa
= -1;
210 static int e_gmp_destroy(ENGINE
*e
)
212 ERR_unload_GMP_strings();
216 /* (de)initialisation functions. */
217 static int e_gmp_init(ENGINE
*e
)
219 #ifndef OPENSSL_NO_RSA
220 if (hndidx_rsa
== -1)
221 hndidx_rsa
= RSA_get_ex_new_index(0,
222 "GMP-based RSA key handle",
225 if (hndidx_rsa
== -1)
230 static int e_gmp_finish(ENGINE
*e
)
235 static int e_gmp_ctrl(ENGINE
*e
, int cmd
, long i
, void *p
, void (*f
)(void))
242 case E_GMP_CMD_SO_PATH
:
245 /* The command isn't understood by this engine */
247 GMPerr(GMP_F_E_GMP_CTRL
,
248 GMP_R_CTRL_COMMAND_NOT_IMPLEMENTED
);
257 /* Most often limb sizes will be the same. If not, we use hex conversion
258 * which is neat, but extremely inefficient. */
259 static int bn2gmp(const BIGNUM
*bn
, mpz_t g
)
262 if(((sizeof(bn
->d
[0]) * 8) == GMP_NUMB_BITS
) &&
263 (BN_BITS2
== GMP_NUMB_BITS
))
265 /* The common case */
266 if(!_mpz_realloc (g
, bn
->top
))
268 memcpy(&g
->_mp_d
[0], &bn
->d
[0], bn
->top
* sizeof(bn
->d
[0]));
269 g
->_mp_size
= bn
->top
;
271 g
->_mp_size
= -g
->_mp_size
;
277 char *tmpchar
= BN_bn2hex(bn
);
278 if(!tmpchar
) return 0;
279 toret
= (mpz_set_str(g
, tmpchar
, 16) == 0 ? 1 : 0);
280 OPENSSL_free(tmpchar
);
285 static int gmp2bn(mpz_t g
, BIGNUM
*bn
)
287 if(((sizeof(bn
->d
[0]) * 8) == GMP_NUMB_BITS
) &&
288 (BN_BITS2
== GMP_NUMB_BITS
))
290 /* The common case */
291 int s
= (g
->_mp_size
>= 0) ? g
->_mp_size
: -g
->_mp_size
;
293 if(bn_expand2 (bn
, s
) == NULL
)
296 memcpy(&bn
->d
[0], &g
->_mp_d
[0], s
* sizeof(bn
->d
[0]));
298 bn
->neg
= g
->_mp_size
>= 0 ? 0 : 1;
304 char *tmpchar
= OPENSSL_malloc(mpz_sizeinbase(g
, 16) + 10);
305 if(!tmpchar
) return 0;
306 mpz_get_str(tmpchar
, 16, g
);
307 toret
= BN_hex2bn(&bn
, tmpchar
);
308 OPENSSL_free(tmpchar
);
313 #ifndef OPENSSL_NO_RSA
314 typedef struct st_e_gmp_rsa_ctx
325 mpz_t r0
, r1
, I0
, m1
;
328 static E_GMP_RSA_CTX
*e_gmp_get_rsa(RSA
*rsa
)
330 E_GMP_RSA_CTX
*hptr
= RSA_get_ex_data(rsa
, hndidx_rsa
);
331 if(hptr
) return hptr
;
332 hptr
= OPENSSL_malloc(sizeof(E_GMP_RSA_CTX
));
333 if(!hptr
) return NULL
;
334 /* These inits could probably be replaced by more intelligent
335 * mpz_init2() versions, to reduce malloc-thrashing. */
341 mpz_init(hptr
->dmp1
);
342 mpz_init(hptr
->dmq1
);
343 mpz_init(hptr
->iqmp
);
348 if(!bn2gmp(rsa
->n
, hptr
->n
) || !bn2gmp(rsa
->e
, hptr
->e
))
350 if(!rsa
->p
|| !rsa
->q
|| !rsa
->d
|| !rsa
->dmp1
|| !rsa
->dmq1
|| !rsa
->iqmp
)
352 hptr
->public_only
= 1;
355 if(!bn2gmp(rsa
->d
, hptr
->d
) || !bn2gmp(rsa
->p
, hptr
->p
) ||
356 !bn2gmp(rsa
->q
, hptr
->q
) || !bn2gmp(rsa
->dmp1
, hptr
->dmp1
) ||
357 !bn2gmp(rsa
->dmq1
, hptr
->dmq1
) || !bn2gmp(rsa
->iqmp
, hptr
->iqmp
))
359 hptr
->public_only
= 0;
360 RSA_set_ex_data(rsa
, hndidx_rsa
, hptr
);
368 mpz_clear(hptr
->dmp1
);
369 mpz_clear(hptr
->dmq1
);
370 mpz_clear(hptr
->iqmp
);
379 static int e_gmp_rsa_finish(RSA
*rsa
)
381 E_GMP_RSA_CTX
*hptr
= RSA_get_ex_data(rsa
, hndidx_rsa
);
388 mpz_clear(hptr
->dmp1
);
389 mpz_clear(hptr
->dmq1
);
390 mpz_clear(hptr
->iqmp
);
396 RSA_set_ex_data(rsa
, hndidx_rsa
, NULL
);
400 static int e_gmp_rsa_mod_exp(BIGNUM
*r
, const BIGNUM
*I
, RSA
*rsa
, BN_CTX
*ctx
)
405 hptr
= e_gmp_get_rsa(rsa
);
408 GMPerr(GMP_F_E_GMP_RSA_MOD_EXP
,
409 GMP_R_KEY_CONTEXT_ERROR
);
412 if(hptr
->public_only
)
414 GMPerr(GMP_F_E_GMP_RSA_MOD_EXP
,
415 GMP_R_MISSING_KEY_COMPONENTS
);
420 if(!bn2gmp(I
, hptr
->I0
))
423 /* This is basically the CRT logic in crypto/rsa/rsa_eay.c reworded into
424 * GMP-speak. It may be that GMP's API facilitates cleaner formulations
425 * of this stuff, eg. better handling of negatives, or functions that
426 * combine operations. */
428 mpz_mod(hptr
->r1
, hptr
->I0
, hptr
->q
);
429 mpz_powm(hptr
->m1
, hptr
->r1
, hptr
->dmq1
, hptr
->q
);
431 mpz_mod(hptr
->r1
, hptr
->I0
, hptr
->p
);
432 mpz_powm(hptr
->r0
, hptr
->r1
, hptr
->dmp1
, hptr
->p
);
434 mpz_sub(hptr
->r0
, hptr
->r0
, hptr
->m1
);
436 if(mpz_sgn(hptr
->r0
) < 0)
437 mpz_add(hptr
->r0
, hptr
->r0
, hptr
->p
);
438 mpz_mul(hptr
->r1
, hptr
->r0
, hptr
->iqmp
);
439 mpz_mod(hptr
->r0
, hptr
->r1
, hptr
->p
);
441 if(mpz_sgn(hptr
->r0
) < 0)
442 mpz_add(hptr
->r0
, hptr
->r0
, hptr
->p
);
443 mpz_mul(hptr
->r1
, hptr
->r0
, hptr
->q
);
444 mpz_add(hptr
->r0
, hptr
->r1
, hptr
->m1
);
447 if(gmp2bn(hptr
->r0
, r
))
454 #endif /* !OPENSSL_NO_GMP */
456 /* This stuff is needed if this ENGINE is being compiled into a self-contained
458 #ifndef OPENSSL_NO_DYNAMIC_ENGINE
459 IMPLEMENT_DYNAMIC_CHECK_FN()
460 #ifndef OPENSSL_NO_GMP
461 static int bind_fn(ENGINE
*e
, const char *id
)
463 if(id
&& (strcmp(id
, engine_e_gmp_id
) != 0))
469 IMPLEMENT_DYNAMIC_BIND_FN(bind_fn
)
472 int bind_engine(ENGINE
*e
, const char *id
, const dynamic_fns
*fns
) { return 0; }
474 #endif /* OPENSSL_NO_DYNAMIC_ENGINE */
476 #endif /* !OPENSSL_NO_HW */