2 * Copyright (c) 2006 - 2007, 2010 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
38 #include <krb5-types.h>
48 BN2mpz(fp_int
*s
, const BIGNUM
*bn
)
55 len
= BN_num_bytes(bn
);
58 fp_read_unsigned_bin(s
, p
, len
);
63 tfm_rsa_private_calculate(fp_int
* in
, fp_int
* p
, fp_int
* q
,
64 fp_int
* dmp1
, fp_int
* dmq1
, fp_int
* iqmp
,
69 fp_init_multi(&vp
, &vq
, &u
, NULL
);
71 /* vq = c ^ (d mod (q - 1)) mod q */
72 /* vp = c ^ (d mod (p - 1)) mod p */
74 fp_exptmod(&u
, dmp1
, p
, &vp
);
76 fp_exptmod(&u
, dmq1
, q
, &vq
);
78 /* C2 = 1/q mod p (iqmp) */
79 /* u = (vp - vq)C2 mod p. */
86 /* c ^ d mod n = vq + u q */
90 fp_zero_multi(&vp
, &vq
, &u
, NULL
);
100 tfm_rsa_public_encrypt(int flen
, const unsigned char* from
,
101 unsigned char* to
, RSA
* rsa
, int padding
)
103 unsigned char *p
, *p0
;
106 fp_int enc
, dec
, n
, e
;
108 if (padding
!= RSA_PKCS1_PADDING
)
111 size
= RSA_size(rsa
);
113 if (size
< RSA_PKCS1_PADDING_SIZE
|| size
- RSA_PKCS1_PADDING_SIZE
< flen
)
119 p
= p0
= malloc(size
- 1);
121 fp_zero_multi(&e
, &n
, NULL
);
125 padlen
= size
- flen
- 3;
128 if (RAND_bytes(p
, padlen
) != 1) {
129 fp_zero_multi(&e
, &n
, NULL
);
140 memcpy(p
, from
, flen
);
142 assert((p
- p0
) == size
- 1);
144 fp_init_multi(&enc
, &dec
, NULL
);
145 fp_read_unsigned_bin(&dec
, p0
, size
- 1);
148 res
= fp_exptmod(&dec
, &e
, &n
, &enc
);
150 fp_zero_multi(&dec
, &e
, &n
, NULL
);
157 ssize
= fp_unsigned_bin_size(&enc
);
158 assert(size
>= ssize
);
159 fp_to_unsigned_bin(&enc
, to
);
168 tfm_rsa_public_decrypt(int flen
, const unsigned char* from
,
169 unsigned char* to
, RSA
* rsa
, int padding
)
176 if (padding
!= RSA_PKCS1_PADDING
)
179 if (flen
> RSA_size(rsa
))
186 /* Check that the exponent is larger then 3 */
187 if (mp_int_compare_value(&e
, 3) <= 0) {
188 fp_zero_multi(&e
, &n
, NULL
);
193 fp_init_multi(&s
, &us
, NULL
);
194 fp_read_unsigned_bin(&s
, rk_UNCONST(from
), flen
);
196 if (fp_cmp(&s
, &n
) >= 0) {
197 fp_zero_multi(&e
, &n
, NULL
);
201 res
= fp_exptmod(&s
, &e
, &n
, &us
);
203 fp_zero_multi(&s
, &e
, &n
, NULL
);
210 size
= fp_unsigned_bin_size(&us
);
211 assert(size
<= RSA_size(rsa
));
212 fp_to_unsigned_bin(&us
, p
);
216 /* head zero was skipped by fp_to_unsigned_bin */
222 while (size
&& *p
== 0xff) {
225 if (size
== 0 || *p
!= 0)
229 memmove(to
, p
, size
);
235 tfm_rsa_private_encrypt(int flen
, const unsigned char* from
,
236 unsigned char* to
, RSA
* rsa
, int padding
)
238 unsigned char *p
, *p0
;
241 fp_int in
, out
, n
, e
;
243 if (padding
!= RSA_PKCS1_PADDING
)
246 size
= RSA_size(rsa
);
248 if (size
< RSA_PKCS1_PADDING_SIZE
|| size
- RSA_PKCS1_PADDING_SIZE
< flen
)
251 p0
= p
= malloc(size
);
254 memset(p
, 0xff, size
- flen
- 3);
255 p
+= size
- flen
- 3;
257 memcpy(p
, from
, flen
);
259 assert((p
- p0
) == size
);
264 fp_init_multi(&in
, &out
, NULL
);
265 fp_read_unsigned_bin(&in
, p0
, size
);
268 if(fp_isneg(&in
) || fp_cmp(&in
, &n
) >= 0) {
273 if (rsa
->p
&& rsa
->q
&& rsa
->dmp1
&& rsa
->dmq1
&& rsa
->iqmp
) {
274 fp_int p
, q
, dmp1
, dmq1
, iqmp
;
278 BN2mpz(&dmp1
, rsa
->dmp1
);
279 BN2mpz(&dmq1
, rsa
->dmq1
);
280 BN2mpz(&iqmp
, rsa
->iqmp
);
282 res
= tfm_rsa_private_calculate(&in
, &p
, &q
, &dmp1
, &dmq1
, &iqmp
, &out
);
284 fp_zero_multi(&p
, &q
, &dmp1
, &dmq1
, &iqmp
, NULL
);
294 res
= fp_exptmod(&in
, &d
, &n
, &out
);
304 ssize
= fp_unsigned_bin_size(&out
);
305 assert(size
>= ssize
);
306 fp_to_unsigned_bin(&out
, to
);
311 fp_zero_multi(&e
, &n
, &in
, &out
, NULL
);
317 tfm_rsa_private_decrypt(int flen
, const unsigned char* from
,
318 unsigned char* to
, RSA
* rsa
, int padding
)
323 fp_int in
, out
, n
, e
;
325 if (padding
!= RSA_PKCS1_PADDING
)
328 size
= RSA_size(rsa
);
332 fp_init_multi(&in
, &out
, NULL
);
337 fp_read_unsigned_bin(&in
, rk_UNCONST(from
), flen
);
339 if(fp_isneg(&in
) || fp_cmp(&in
, &n
) >= 0) {
344 if (rsa
->p
&& rsa
->q
&& rsa
->dmp1
&& rsa
->dmq1
&& rsa
->iqmp
) {
345 fp_int p
, q
, dmp1
, dmq1
, iqmp
;
349 BN2mpz(&dmp1
, rsa
->dmp1
);
350 BN2mpz(&dmq1
, rsa
->dmq1
);
351 BN2mpz(&iqmp
, rsa
->iqmp
);
353 res
= tfm_rsa_private_calculate(&in
, &p
, &q
, &dmp1
, &dmq1
, &iqmp
, &out
);
355 fp_zero_multi(&p
, &q
, &dmp1
, &dmq1
, &iqmp
, NULL
);
365 if(fp_isneg(&in
) || fp_cmp(&in
, &n
) >= 0)
369 res
= fp_exptmod(&in
, &d
, &n
, &out
);
380 ssize
= fp_unsigned_bin_size(&out
);
381 assert(size
>= ssize
);
382 fp_to_unsigned_bin(&out
, ptr
);
386 /* head zero was skipped by mp_int_to_unsigned */
392 while (size
&& *ptr
!= 0) {
399 memmove(to
, ptr
, size
);
402 fp_zero_multi(&e
, &n
, &in
, &out
, NULL
);
414 size
= fp_unsigned_bin_size(s
);
416 if (p
== NULL
&& size
!= 0)
419 fp_to_unsigned_bin(s
, p
);
421 bn
= BN_bin2bn(p
, size
, NULL
);
427 random_num(fp_int
*num
, size_t len
)
435 if (RAND_bytes(p
, len
) != 1) {
439 fp_read_unsigned_bin(num
, p
, len
);
444 #define CHECK(f, v) if ((f) != (v)) { goto out; }
447 tfm_rsa_generate_key(RSA
*rsa
, int bits
, BIGNUM
*e
, BN_GENCB
*cb
)
449 fp_int el
, p
, q
, n
, d
, dmp1
, dmq1
, iqmp
, t1
, t2
, t3
;
450 int counter
, ret
, bitsp
;
455 bitsp
= (bits
+ 1) / 2;
459 fp_init_multi(&el
, &p
, &q
, &n
, &n
, &d
, &dmp1
, &dmq1
, &iqmp
, &t1
, &t2
, &t3
, NULL
);
463 /* generate p and q so that p != q and bits(pq) ~ bits */
466 BN_GENCB_call(cb
, 2, counter
++);
467 CHECK(random_num(&p
, bitsp
), 0);
468 CHECK(fp_find_prime(&p
), FP_YES
);
470 fp_sub_d(&p
, 1, &t1
);
471 fp_gcd(&t1
, &el
, &t2
);
472 } while(fp_cmp_d(&t2
, 1) != 0);
474 BN_GENCB_call(cb
, 3, 0);
478 BN_GENCB_call(cb
, 2, counter
++);
479 CHECK(random_num(&q
, bits
- bitsp
), 0);
480 CHECK(fp_find_prime(&q
), FP_YES
);
482 if (fp_cmp(&p
, &q
) == 0) /* don't let p and q be the same */
485 fp_sub_d(&q
, 1, &t1
);
486 fp_gcd(&t1
, &el
, &t2
);
487 } while(fp_cmp_d(&t2
, 1) != 0);
490 if (fp_cmp(&p
, &q
) < 0) {
497 BN_GENCB_call(cb
, 3, 1);
499 /* calculate n, n = p * q */
502 /* calculate d, d = 1/e mod (p - 1)(q - 1) */
503 fp_sub_d(&p
, 1, &t1
);
504 fp_sub_d(&q
, 1, &t2
);
505 fp_mul(&t1
, &t2
, &t3
);
506 fp_invmod(&el
, &t3
, &d
);
508 /* calculate dmp1 dmp1 = d mod (p-1) */
509 fp_mod(&d
, &t1
, &dmp1
);
510 /* calculate dmq1 dmq1 = d mod (q-1) */
511 fp_mod(&d
, &t2
, &dmq1
);
512 /* calculate iqmp iqmp = 1/q mod p */
513 fp_invmod(&q
, &p
, &iqmp
);
515 /* fill in RSA key */
517 rsa
->e
= mpz2BN(&el
);
522 rsa
->dmp1
= mpz2BN(&dmp1
);
523 rsa
->dmq1
= mpz2BN(&dmq1
);
524 rsa
->iqmp
= mpz2BN(&iqmp
);
529 fp_zero_multi(&el
, &p
, &q
, &n
, &d
, &dmp1
,
530 &dmq1
, &iqmp
, &t1
, &t2
, &t3
, NULL
);
536 tfm_rsa_init(RSA
*rsa
)
542 tfm_rsa_finish(RSA
*rsa
)
547 const RSA_METHOD hc_rsa_tfm_method
= {
549 tfm_rsa_public_encrypt
,
550 tfm_rsa_public_decrypt
,
551 tfm_rsa_private_encrypt
,
552 tfm_rsa_private_decrypt
,
567 return &hc_rsa_tfm_method
;