search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
clean up
[heimdal.git] / lib / hcrypto / rsa-tfm.c
bloba479ec6735efe44efa928426ab5d8d8740ee47ae
1 /*
2 * Copyright (c) 2006 - 2007, 2010 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include <config.h>
35
36 #include <stdio.h>
37 #include <stdlib.h>
38 #include <krb5-types.h>
39 #include <assert.h>
40
41 #include <rsa.h>
42
43 #include <roken.h>
44
45 #include "tfm.h"
46
47 static void
48 BN2mpz(fp_int *s, const BIGNUM *bn)
49 {
50 size_t len;
51 void *p;
52
53 fp_init(s);
54
55 len = BN_num_bytes(bn);
56 p = malloc(len);
57 BN_bn2bin(bn, p);
58 fp_read_unsigned_bin(s, p, len);
59 free(p);
60 }
61
62 static int
63 tfm_rsa_private_calculate(fp_int * in, fp_int * p, fp_int * q,
64 fp_int * dmp1, fp_int * dmq1, fp_int * iqmp,
65 fp_int * out)
66 {
67 fp_int vp, vq, u;
68
69 fp_init_multi(&vp, &vq, &u, NULL);
70
71 /* vq = c ^ (d mod (q - 1)) mod q */
72 /* vp = c ^ (d mod (p - 1)) mod p */
73 fp_mod(in, p, &u);
74 fp_exptmod(&u, dmp1, p, &vp);
75 fp_mod(in, q, &u);
76 fp_exptmod(&u, dmq1, q, &vq);
77
78 /* C2 = 1/q mod p (iqmp) */
79 /* u = (vp - vq)C2 mod p. */
80 fp_sub(&vp, &vq, &u);
81 if (u.sign == FP_NEG)
82 fp_add(&u, p, &u);
83 fp_mul(&u, iqmp, &u);
84 fp_mod(&u, p, &u);
85
86 /* c ^ d mod n = vq + u q */
87 fp_mul(&u, q, &u);
88 fp_add(&u, &vq, out);
89
90 fp_zero(&vp);
91 fp_zero(&vq);
92 fp_zero(&u);
93
94 return 0;
95 }
96
97 /*
98 *
99 */
100
101 static int
102 tfm_rsa_public_encrypt(int flen, const unsigned char* from,
103 unsigned char* to, RSA* rsa, int padding)
104 {
105 unsigned char *p, *p0;
106 int res;
107 size_t size, padlen;
108 fp_int enc, dec, n, e;
109
110 if (padding != RSA_PKCS1_PADDING)
111 return -1;
112
113 size = RSA_size(rsa);
114
115 if (size < RSA_PKCS1_PADDING_SIZE || size - RSA_PKCS1_PADDING_SIZE < flen)
116 return -2;
117
118 BN2mpz(&n, rsa->n);
119 BN2mpz(&e, rsa->e);
120
121 p = p0 = malloc(size - 1);
122 if (p0 == NULL) {
123 fp_zero(&e);
124 fp_zero(&n);
125 return -3;
126 }
127
128 padlen = size - flen - 3;
129
130 *p++ = 2;
131 if (RAND_bytes(p, padlen) != 1) {
132 fp_zero(&e);
133 fp_zero(&n);
134 free(p0);
135 return -4;
136 }
137 while(padlen) {
138 if (*p == 0)
139 *p = 1;
140 padlen--;
141 p++;
142 }
143 *p++ = 0;
144 memcpy(p, from, flen);
145 p += flen;
146 assert((p - p0) == size - 1);
147
148 fp_init_multi(&enc, &dec, NULL);
149 fp_read_unsigned_bin(&dec, p0, size - 1);
150 free(p0);
151
152 res = fp_exptmod(&dec, &e, &n, &enc);
153
154 fp_zero(&dec);
155 fp_zero(&e);
156 fp_zero(&n);
157
158 if (res != 0)
159 return -4;
160
161 {
162 size_t ssize;
163 ssize = fp_unsigned_bin_size(&enc);
164 assert(size >= ssize);
165 fp_to_unsigned_bin(&enc, to);
166 size = ssize;
167 }
168 fp_zero(&enc);
169
170 return size;
171 }
172
173 static int
174 tfm_rsa_public_decrypt(int flen, const unsigned char* from,
175 unsigned char* to, RSA* rsa, int padding)
176 {
177 unsigned char *p;
178 int res;
179 size_t size;
180 fp_int s, us, n, e;
181
182 if (padding != RSA_PKCS1_PADDING)
183 return -1;
184
185 if (flen > RSA_size(rsa))
186 return -2;
187
188 BN2mpz(&n, rsa->n);
189 BN2mpz(&e, rsa->e);
190
191 #if 0
192 /* Check that the exponent is larger then 3 */
193 if (mp_int_compare_value(&e, 3) <= 0) {
194 fp_zero(&n);
195 fp_zero(&e);
196 return -3;
197 }
198 #endif
199
200 fp_init_multi(&s, &us, NULL);
201 fp_read_unsigned_bin(&s, rk_UNCONST(from), flen);
202
203 if (fp_cmp(&s, &n) >= 0) {
204 fp_zero(&n);
205 fp_zero(&e);
206 return -4;
207 }
208
209 res = fp_exptmod(&s, &e, &n, &us);
210
211 fp_zero(&s);
212 fp_zero(&n);
213 fp_zero(&e);
214
215 if (res != 0)
216 return -5;
217 p = to;
218
219
220 size = fp_unsigned_bin_size(&us);
221 assert(size <= RSA_size(rsa));
222 fp_to_unsigned_bin(&us, p);
223
224 fp_zero(&us);
225
226 /* head zero was skipped by fp_to_unsigned_bin */
227 if (*p == 0)
228 return -6;
229 if (*p != 1)
230 return -7;
231 size--; p++;
232 while (size && *p == 0xff) {
233 size--; p++;
234 }
235 if (size == 0 || *p != 0)
236 return -8;
237 size--; p++;
238
239 memmove(to, p, size);
240
241 return size;
242 }
243
244 static int
245 tfm_rsa_private_encrypt(int flen, const unsigned char* from,
246 unsigned char* to, RSA* rsa, int padding)
247 {
248 unsigned char *p, *p0;
249 int res;
250 int size;
251 fp_int in, out, n, e;
252
253 if (padding != RSA_PKCS1_PADDING)
254 return -1;
255
256 size = RSA_size(rsa);
257
258 if (size < RSA_PKCS1_PADDING_SIZE || size - RSA_PKCS1_PADDING_SIZE < flen)
259 return -2;
260
261 p0 = p = malloc(size);
262 *p++ = 0;
263 *p++ = 1;
264 memset(p, 0xff, size - flen - 3);
265 p += size - flen - 3;
266 *p++ = 0;
267 memcpy(p, from, flen);
268 p += flen;
269 assert((p - p0) == size);
270
271 BN2mpz(&n, rsa->n);
272 BN2mpz(&e, rsa->e);
273
274 fp_init_multi(&in, &out, NULL);
275 fp_read_unsigned_bin(&in, p0, size);
276 free(p0);
277
278 if(in.sign == FP_NEG ||
279 fp_cmp(&in, &n) >= 0) {
280 size = -3;
281 goto out;
282 }
283
284 if (rsa->p && rsa->q && rsa->dmp1 && rsa->dmq1 && rsa->iqmp) {
285 fp_int p, q, dmp1, dmq1, iqmp;
286
287 BN2mpz(&p, rsa->p);
288 BN2mpz(&q, rsa->q);
289 BN2mpz(&dmp1, rsa->dmp1);
290 BN2mpz(&dmq1, rsa->dmq1);
291 BN2mpz(&iqmp, rsa->iqmp);
292
293 res = tfm_rsa_private_calculate(&in, &p, &q, &dmp1, &dmq1, &iqmp, &out);
294
295 fp_zero(&p);
296 fp_zero(&q);
297 fp_zero(&dmp1);
298 fp_zero(&dmq1);
299 fp_zero(&iqmp);
300
301 if (res != 0) {
302 size = -4;
303 goto out;
304 }
305 } else {
306 fp_int d;
307
308 BN2mpz(&d, rsa->d);
309 res = fp_exptmod(&in, &d, &n, &out);
310 fp_zero(&d);
311 if (res != 0) {
312 size = -5;
313 goto out;
314 }
315 }
316
317 if (size > 0) {
318 size_t ssize;
319 ssize = fp_unsigned_bin_size(&out);
320 assert(size >= ssize);
321 fp_to_unsigned_bin(&out, to);
322 size = ssize;
323 }
324
325 out:
326 fp_zero(&e);
327 fp_zero(&n);
328 fp_zero(&in);
329 fp_zero(&out);
330
331 return size;
332 }
333
334 static int
335 tfm_rsa_private_decrypt(int flen, const unsigned char* from,
336 unsigned char* to, RSA* rsa, int padding)
337 {
338 unsigned char *ptr;
339 int res;
340 size_t size;
341 fp_int in, out, n, e;
342
343 if (padding != RSA_PKCS1_PADDING)
344 return -1;
345
346 size = RSA_size(rsa);
347 if (flen > size)
348 return -2;
349
350 fp_init_multi(&in, &out, NULL);
351
352 BN2mpz(&n, rsa->n);
353 BN2mpz(&e, rsa->e);
354
355 fp_read_unsigned_bin(&in, rk_UNCONST(from), flen);
356
357 if(in.sign == FP_NEG ||
358 fp_cmp(&in, &n) >= 0) {
359 size = -2;
360 goto out;
361 }
362
363 if (rsa->p && rsa->q && rsa->dmp1 && rsa->dmq1 && rsa->iqmp) {
364 fp_int p, q, dmp1, dmq1, iqmp;
365
366 BN2mpz(&p, rsa->p);
367 BN2mpz(&q, rsa->q);
368 BN2mpz(&dmp1, rsa->dmp1);
369 BN2mpz(&dmq1, rsa->dmq1);
370 BN2mpz(&iqmp, rsa->iqmp);
371
372 res = tfm_rsa_private_calculate(&in, &p, &q, &dmp1, &dmq1, &iqmp, &out);
373
374 fp_zero(&p);
375 fp_zero(&q);
376 fp_zero(&dmp1);
377 fp_zero(&dmq1);
378 fp_zero(&iqmp);
379
380 if (res != 0) {
381 size = -3;
382 goto out;
383 }
384
385 } else {
386 fp_int d;
387
388 if(in.sign == FP_NEG ||
389 fp_cmp(&in, &n) >= 0)
390 return -4;
391
392 BN2mpz(&d, rsa->d);
393 res = fp_exptmod(&in, &d, &n, &out);
394 fp_zero(&d);
395 if (res != 0) {
396 size = -5;
397 goto out;
398 }
399 }
400
401 ptr = to;
402 {
403 size_t ssize;
404 ssize = fp_unsigned_bin_size(&out);
405 assert(size >= ssize);
406 fp_to_unsigned_bin(&out, ptr);
407 size = ssize;
408 }
409
410 /* head zero was skipped by mp_int_to_unsigned */
411 if (*ptr != 2) {
412 size = -6;
413 goto out;
414 }
415 size--; ptr++;
416 while (size && *ptr != 0) {
417 size--; ptr++;
418 }
419 if (size == 0)
420 return -7;
421 size--; ptr++;
422
423 memmove(to, ptr, size);
424
425 out:
426 fp_zero(&e);
427 fp_zero(&n);
428 fp_zero(&in);
429 fp_zero(&out);
430
431 return size;
432 }
433
434 static BIGNUM *
435 mpz2BN(fp_int *s)
436 {
437 size_t size;
438 BIGNUM *bn;
439 void *p;
440
441 size = fp_unsigned_bin_size(s);
442 p = malloc(size);
443 if (p == NULL && size != 0)
444 return NULL;
445
446 fp_to_unsigned_bin(s, p);
447
448 bn = BN_bin2bn(p, size, NULL);
449 free(p);
450 return bn;
451 }
452
453 static int
454 random_num(fp_int *num, size_t len)
455 {
456 unsigned char *p;
457
458 len = (len + 7) / 8;
459 p = malloc(len);
460 if (p == NULL)
461 return 1;
462 if (RAND_bytes(p, len) != 1) {
463 free(p);
464 return 1;
465 }
466 fp_read_unsigned_bin(num, p, len);
467 free(p);
468 return 0;
469 }
470
471 #define CHECK(f, v) if ((f) != (v)) { goto out; }
472
473 static int
474 tfm_rsa_generate_key(RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb)
475 {
476 fp_int el, p, q, n, d, dmp1, dmq1, iqmp, t1, t2, t3;
477 int counter, ret, bitsp;
478
479 if (bits < 789)
480 return -1;
481
482 bitsp = (bits + 1) / 2;
483
484 ret = -1;
485
486 fp_init_multi(&el, &p, &q, &n, &n, &d, &dmp1, &dmq1, &iqmp, &t1, &t2, &t3, NULL);
487
488 BN2mpz(&el, e);
489
490 /* generate p and q so that p != q and bits(pq) ~ bits */
491 counter = 0;
492 do {
493 BN_GENCB_call(cb, 2, counter++);
494 CHECK(random_num(&p, bitsp), 0);
495 CHECK(fp_find_prime(&p), FP_YES);
496
497 fp_sub_d(&p, 1, &t1);
498 fp_gcd(&t1, &el, &t2);
499 } while(fp_cmp_d(&t2, 1) != 0);
500
501 BN_GENCB_call(cb, 3, 0);
502
503 counter = 0;
504 do {
505 BN_GENCB_call(cb, 2, counter++);
506 CHECK(random_num(&q, bits - bitsp), 0);
507 CHECK(fp_find_prime(&q), FP_YES);
508
509 if (fp_cmp(&p, &q) == 0) /* don't let p and q be the same */
510 continue;
511
512 fp_sub_d(&q, 1, &t1);
513 fp_gcd(&t1, &el, &t2);
514 } while(fp_cmp_d(&t2, 1) != 0);
515
516 /* make p > q */
517 if (fp_cmp(&p, &q) < 0) {
518 fp_int c;
519 fp_copy(&p, &c);
520 fp_copy(&q, &p);
521 fp_copy(&c, &q);
522 }
523
524 BN_GENCB_call(cb, 3, 1);
525
526 /* calculate n, n = p * q */
527 fp_mul(&p, &q, &n);
528
529 /* calculate d, d = 1/e mod (p - 1)(q - 1) */
530 fp_sub_d(&p, 1, &t1);
531 fp_sub_d(&q, 1, &t2);
532 fp_mul(&t1, &t2, &t3);
533 fp_invmod(&el, &t3, &d);
534
535 /* calculate dmp1 dmp1 = d mod (p-1) */
536 fp_mod(&d, &t1, &dmp1);
537 /* calculate dmq1 dmq1 = d mod (q-1) */
538 fp_mod(&d, &t2, &dmq1);
539 /* calculate iqmp iqmp = 1/q mod p */
540 fp_invmod(&q, &p, &iqmp);
541
542 /* fill in RSA key */
543
544 rsa->e = mpz2BN(&el);
545 rsa->p = mpz2BN(&p);
546 rsa->q = mpz2BN(&q);
547 rsa->n = mpz2BN(&n);
548 rsa->d = mpz2BN(&d);
549 rsa->dmp1 = mpz2BN(&dmp1);
550 rsa->dmq1 = mpz2BN(&dmq1);
551 rsa->iqmp = mpz2BN(&iqmp);
552
553 ret = 1;
554
555 out:
556 fp_zero(&el);
557 fp_zero(&p);
558 fp_zero(&q);
559 fp_zero(&n);
560 fp_zero(&d);
561 fp_zero(&dmp1);
562 fp_zero(&dmq1);
563 fp_zero(&iqmp);
564 fp_zero(&t1);
565 fp_zero(&t2);
566 fp_zero(&t3);
567
568 return ret;
569 }
570
571 static int
572 tfm_rsa_init(RSA *rsa)
573 {
574 return 1;
575 }
576
577 static int
578 tfm_rsa_finish(RSA *rsa)
579 {
580 return 1;
581 }
582
583 const RSA_METHOD hc_rsa_tfm_method = {
584 "hcrypto tfm RSA",
585 tfm_rsa_public_encrypt,
586 tfm_rsa_public_decrypt,
587 tfm_rsa_private_encrypt,
588 tfm_rsa_private_decrypt,
589 NULL,
590 NULL,
591 tfm_rsa_init,
592 tfm_rsa_finish,
593 0,
594 NULL,
595 NULL,
596 NULL,
597 tfm_rsa_generate_key
598 };
599
600 const RSA_METHOD *
601 RSA_tfm_method(void)
602 {
603 return &hc_rsa_tfm_method;
604 }
Heimdal