/src/boringssl/crypto/bn/exponentiation.cc
Line | Count | Source (jump to first uncovered line) |
1 | | // Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. |
2 | | // |
3 | | // Licensed under the Apache License, Version 2.0 (the "License"); |
4 | | // you may not use this file except in compliance with the License. |
5 | | // You may obtain a copy of the License at |
6 | | // |
7 | | // https://www.apache.org/licenses/LICENSE-2.0 |
8 | | // |
9 | | // Unless required by applicable law or agreed to in writing, software |
10 | | // distributed under the License is distributed on an "AS IS" BASIS, |
11 | | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
12 | | // See the License for the specific language governing permissions and |
13 | | // limitations under the License. |
14 | | |
15 | | #include <openssl/bn.h> |
16 | | |
17 | | #include <assert.h> |
18 | | |
19 | | #include <openssl/err.h> |
20 | | |
21 | | #include "../fipsmodule/bn/internal.h" |
22 | | |
23 | | |
24 | 0 | int BN_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) { |
25 | 0 | bssl::BN_CTXScope scope(ctx); |
26 | 0 | BIGNUM *rr; |
27 | 0 | if (r == a || r == p) { |
28 | 0 | rr = BN_CTX_get(ctx); |
29 | 0 | } else { |
30 | 0 | rr = r; |
31 | 0 | } |
32 | |
|
33 | 0 | BIGNUM *v = BN_CTX_get(ctx); |
34 | 0 | if (rr == NULL || v == NULL) { |
35 | 0 | return 0; |
36 | 0 | } |
37 | | |
38 | 0 | if (BN_copy(v, a) == NULL) { |
39 | 0 | return 0; |
40 | 0 | } |
41 | 0 | int bits = BN_num_bits(p); |
42 | |
|
43 | 0 | if (BN_is_odd(p)) { |
44 | 0 | if (BN_copy(rr, a) == NULL) { |
45 | 0 | return 0; |
46 | 0 | } |
47 | 0 | } else { |
48 | 0 | if (!BN_one(rr)) { |
49 | 0 | return 0; |
50 | 0 | } |
51 | 0 | } |
52 | | |
53 | 0 | for (int i = 1; i < bits; i++) { |
54 | 0 | if (!BN_sqr(v, v, ctx)) { |
55 | 0 | return 0; |
56 | 0 | } |
57 | 0 | if (BN_is_bit_set(p, i)) { |
58 | 0 | if (!BN_mul(rr, rr, v, ctx)) { |
59 | 0 | return 0; |
60 | 0 | } |
61 | 0 | } |
62 | 0 | } |
63 | | |
64 | 0 | if (r != rr && !BN_copy(r, rr)) { |
65 | 0 | return 0; |
66 | 0 | } |
67 | 0 | return 1; |
68 | 0 | } |
69 | | |
70 | | static int mod_exp_even(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, |
71 | 704 | const BIGNUM *m, BN_CTX *ctx) { |
72 | | // No cryptographic operations require modular exponentiation with an even |
73 | | // modulus. We support it for backwards compatibility with any applications |
74 | | // that may have relied on the operation, but optimize for simplicity over |
75 | | // performance with straightforward square-and-multiply routine. |
76 | 704 | int bits = BN_num_bits(p); |
77 | 704 | if (bits == 0) { |
78 | 26 | return BN_one(r); |
79 | 26 | } |
80 | | |
81 | | // Make a copy of |a|, in case it aliases |r|. |
82 | 678 | bssl::BN_CTXScope scope(ctx); |
83 | 678 | BIGNUM *tmp = BN_CTX_get(ctx); |
84 | 678 | if (tmp == nullptr || !BN_copy(tmp, a)) { |
85 | 0 | return 0; |
86 | 0 | } |
87 | | |
88 | 678 | assert(BN_is_bit_set(p, bits - 1)); |
89 | 678 | if (!BN_copy(r, tmp)) { |
90 | 0 | return 0; |
91 | 0 | } |
92 | | |
93 | 43.5k | for (int i = bits - 2; i >= 0; i--) { |
94 | 42.8k | if (!BN_mod_sqr(r, r, m, ctx) || |
95 | 42.8k | (BN_is_bit_set(p, i) && !BN_mod_mul(r, r, tmp, m, ctx))) { |
96 | 0 | return 0; |
97 | 0 | } |
98 | 42.8k | } |
99 | | |
100 | 678 | return 1; |
101 | 678 | } |
102 | | |
103 | | int BN_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, |
104 | 1.75k | BN_CTX *ctx) { |
105 | 1.75k | if (m->neg) { |
106 | 0 | OPENSSL_PUT_ERROR(BN, BN_R_NEGATIVE_NUMBER); |
107 | 0 | return 0; |
108 | 0 | } |
109 | 1.75k | if (a->neg || BN_ucmp(a, m) >= 0) { |
110 | 1.40k | if (!BN_nnmod(r, a, m, ctx)) { |
111 | 0 | return 0; |
112 | 0 | } |
113 | 1.40k | a = r; |
114 | 1.40k | } |
115 | | |
116 | 1.75k | if (BN_is_odd(m)) { |
117 | 1.05k | return BN_mod_exp_mont(r, a, p, m, ctx, NULL); |
118 | 1.05k | } |
119 | | |
120 | 704 | return mod_exp_even(r, a, p, m, ctx); |
121 | 1.75k | } |
122 | | |
123 | | int BN_mod_exp_mont_word(BIGNUM *rr, BN_ULONG a, const BIGNUM *p, |
124 | | const BIGNUM *m, BN_CTX *ctx, |
125 | 0 | const BN_MONT_CTX *mont) { |
126 | | // BN_mod_exp_mont requires reduced inputs. |
127 | 0 | if (bn_minimal_width(m) == 1) { |
128 | 0 | a %= m->d[0]; |
129 | 0 | } |
130 | |
|
131 | 0 | bssl::UniquePtr<BIGNUM> a_bignum(BN_new()); |
132 | 0 | if (a_bignum == nullptr || !BN_set_word(a_bignum.get(), a)) { |
133 | 0 | OPENSSL_PUT_ERROR(BN, ERR_R_INTERNAL_ERROR); |
134 | 0 | return 0; |
135 | 0 | } |
136 | | |
137 | 0 | return BN_mod_exp_mont(rr, a_bignum.get(), p, m, ctx, mont); |
138 | 0 | } |
139 | | |
140 | | int BN_mod_exp2_mont(BIGNUM *rr, const BIGNUM *a1, const BIGNUM *p1, |
141 | | const BIGNUM *a2, const BIGNUM *p2, const BIGNUM *m, |
142 | 0 | BN_CTX *ctx, const BN_MONT_CTX *mont) { |
143 | | // Allocate a montgomery context if it was not supplied by the caller. |
144 | 0 | bssl::UniquePtr<BN_MONT_CTX> new_mont; |
145 | 0 | if (mont == nullptr) { |
146 | 0 | new_mont.reset(BN_MONT_CTX_new_for_modulus(m, ctx)); |
147 | 0 | if (new_mont == nullptr) { |
148 | 0 | return 0; |
149 | 0 | } |
150 | 0 | mont = new_mont.get(); |
151 | 0 | } |
152 | | |
153 | | // BN_mod_mul_montgomery removes one Montgomery factor, so passing one |
154 | | // Montgomery-encoded and one non-Montgomery-encoded value gives a |
155 | | // non-Montgomery-encoded result. |
156 | 0 | bssl::UniquePtr<BIGNUM> tmp(BN_new()); |
157 | 0 | if (tmp == nullptr || // |
158 | 0 | !BN_mod_exp_mont(rr, a1, p1, m, ctx, mont) || |
159 | 0 | !BN_mod_exp_mont(tmp.get(), a2, p2, m, ctx, mont) || |
160 | 0 | !BN_to_montgomery(rr, rr, mont, ctx) || |
161 | 0 | !BN_mod_mul_montgomery(rr, rr, tmp.get(), mont, ctx)) { |
162 | 0 | return 0; |
163 | 0 | } |
164 | | |
165 | 0 | return 1; |
166 | 0 | } |