/src/boringssl/crypto/fipsmodule/bn/gcd.cc.inc
Line | Count | Source |
1 | | // Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. |
2 | | // |
3 | | // Licensed under the Apache License, Version 2.0 (the "License"); |
4 | | // you may not use this file except in compliance with the License. |
5 | | // You may obtain a copy of the License at |
6 | | // |
7 | | // https://www.apache.org/licenses/LICENSE-2.0 |
8 | | // |
9 | | // Unless required by applicable law or agreed to in writing, software |
10 | | // distributed under the License is distributed on an "AS IS" BASIS, |
11 | | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
12 | | // See the License for the specific language governing permissions and |
13 | | // limitations under the License. |
14 | | |
15 | | #include <openssl/bn.h> |
16 | | |
17 | | #include <openssl/err.h> |
18 | | |
19 | | #include "internal.h" |
20 | | |
21 | | |
22 | | using namespace bssl; |
23 | | |
24 | | int BN_mod_inverse_odd(BIGNUM *out, int *out_no_inverse, const BIGNUM *a, |
25 | 0 | const BIGNUM *n, BN_CTX *ctx) { |
26 | 0 | *out_no_inverse = 0; |
27 | |
|
28 | 0 | if (!BN_is_odd(n)) { |
29 | 0 | OPENSSL_PUT_ERROR(BN, BN_R_CALLED_WITH_EVEN_MODULUS); |
30 | 0 | return 0; |
31 | 0 | } |
32 | | |
33 | 0 | if (BN_is_negative(a) || BN_cmp(a, n) >= 0) { |
34 | 0 | OPENSSL_PUT_ERROR(BN, BN_R_INPUT_NOT_REDUCED); |
35 | 0 | return 0; |
36 | 0 | } |
37 | | |
38 | 0 | int sign; |
39 | 0 | BN_CTXScope scope(ctx); |
40 | 0 | BIGNUM *A = BN_CTX_get(ctx); |
41 | 0 | BIGNUM *B = BN_CTX_get(ctx); |
42 | 0 | BIGNUM *X = BN_CTX_get(ctx); |
43 | 0 | BIGNUM *Y = BN_CTX_get(ctx); |
44 | 0 | BIGNUM *R = out; |
45 | 0 | if (Y == nullptr) { |
46 | 0 | return 0; |
47 | 0 | } |
48 | | |
49 | 0 | BN_zero(Y); |
50 | 0 | if (!BN_one(X) || BN_copy(B, a) == nullptr || BN_copy(A, n) == nullptr) { |
51 | 0 | return 0; |
52 | 0 | } |
53 | 0 | A->neg = 0; |
54 | 0 | sign = -1; |
55 | | // From B = a mod |n|, A = |n| it follows that |
56 | | // |
57 | | // 0 <= B < A, |
58 | | // -sign*X*a == B (mod |n|), |
59 | | // sign*Y*a == A (mod |n|). |
60 | | |
61 | | // Binary inversion algorithm; requires odd modulus. This is faster than the |
62 | | // general algorithm if the modulus is sufficiently small (about 400 .. 500 |
63 | | // bits on 32-bit systems, but much more on 64-bit systems) |
64 | 0 | int shift; |
65 | |
|
66 | 0 | while (!BN_is_zero(B)) { |
67 | | // 0 < B < |n|, |
68 | | // 0 < A <= |n|, |
69 | | // (1) -sign*X*a == B (mod |n|), |
70 | | // (2) sign*Y*a == A (mod |n|) |
71 | | |
72 | | // Now divide B by the maximum possible power of two in the integers, |
73 | | // and divide X by the same value mod |n|. |
74 | | // When we're done, (1) still holds. |
75 | 0 | shift = 0; |
76 | 0 | while (!BN_is_bit_set(B, shift)) { |
77 | | // note that 0 < B |
78 | 0 | shift++; |
79 | |
|
80 | 0 | if (BN_is_odd(X)) { |
81 | 0 | if (!BN_uadd(X, X, n)) { |
82 | 0 | return 0; |
83 | 0 | } |
84 | 0 | } |
85 | | // now X is even, so we can easily divide it by two |
86 | 0 | if (!BN_rshift1(X, X)) { |
87 | 0 | return 0; |
88 | 0 | } |
89 | 0 | } |
90 | 0 | if (shift > 0) { |
91 | 0 | if (!BN_rshift(B, B, shift)) { |
92 | 0 | return 0; |
93 | 0 | } |
94 | 0 | } |
95 | | |
96 | | // Same for A and Y. Afterwards, (2) still holds. |
97 | 0 | shift = 0; |
98 | 0 | while (!BN_is_bit_set(A, shift)) { |
99 | | // note that 0 < A |
100 | 0 | shift++; |
101 | |
|
102 | 0 | if (BN_is_odd(Y)) { |
103 | 0 | if (!BN_uadd(Y, Y, n)) { |
104 | 0 | return 0; |
105 | 0 | } |
106 | 0 | } |
107 | | // now Y is even |
108 | 0 | if (!BN_rshift1(Y, Y)) { |
109 | 0 | return 0; |
110 | 0 | } |
111 | 0 | } |
112 | 0 | if (shift > 0) { |
113 | 0 | if (!BN_rshift(A, A, shift)) { |
114 | 0 | return 0; |
115 | 0 | } |
116 | 0 | } |
117 | | |
118 | | // We still have (1) and (2). |
119 | | // Both A and B are odd. |
120 | | // The following computations ensure that |
121 | | // |
122 | | // 0 <= B < |n|, |
123 | | // 0 < A < |n|, |
124 | | // (1) -sign*X*a == B (mod |n|), |
125 | | // (2) sign*Y*a == A (mod |n|), |
126 | | // |
127 | | // and that either A or B is even in the next iteration. |
128 | 0 | if (BN_ucmp(B, A) >= 0) { |
129 | | // -sign*(X + Y)*a == B - A (mod |n|) |
130 | 0 | if (!BN_uadd(X, X, Y)) { |
131 | 0 | return 0; |
132 | 0 | } |
133 | | // NB: we could use BN_mod_add_quick(X, X, Y, n), but that |
134 | | // actually makes the algorithm slower |
135 | 0 | if (!BN_usub(B, B, A)) { |
136 | 0 | return 0; |
137 | 0 | } |
138 | 0 | } else { |
139 | | // sign*(X + Y)*a == A - B (mod |n|) |
140 | 0 | if (!BN_uadd(Y, Y, X)) { |
141 | 0 | return 0; |
142 | 0 | } |
143 | | // as above, BN_mod_add_quick(Y, Y, X, n) would slow things down |
144 | 0 | if (!BN_usub(A, A, B)) { |
145 | 0 | return 0; |
146 | 0 | } |
147 | 0 | } |
148 | 0 | } |
149 | | |
150 | 0 | if (!BN_is_one(A)) { |
151 | 0 | *out_no_inverse = 1; |
152 | 0 | OPENSSL_PUT_ERROR(BN, BN_R_NO_INVERSE); |
153 | 0 | return 0; |
154 | 0 | } |
155 | | |
156 | | // The while loop (Euclid's algorithm) ends when |
157 | | // A == gcd(a,n); |
158 | | // we have |
159 | | // sign*Y*a == A (mod |n|), |
160 | | // where Y is non-negative. |
161 | | |
162 | 0 | if (sign < 0) { |
163 | 0 | if (!BN_sub(Y, n, Y)) { |
164 | 0 | return 0; |
165 | 0 | } |
166 | 0 | } |
167 | | // Now Y*a == A (mod |n|). |
168 | | |
169 | | // Y*a == 1 (mod |n|) |
170 | 0 | if (Y->neg || BN_ucmp(Y, n) >= 0) { |
171 | 0 | if (!BN_nnmod(Y, Y, n, ctx)) { |
172 | 0 | return 0; |
173 | 0 | } |
174 | 0 | } |
175 | 0 | if (!BN_copy(R, Y)) { |
176 | 0 | return 0; |
177 | 0 | } |
178 | | |
179 | 0 | return 1; |
180 | 0 | } |
181 | | |
182 | | BIGNUM *BN_mod_inverse(BIGNUM *out, const BIGNUM *a, const BIGNUM *n, |
183 | 0 | BN_CTX *ctx) { |
184 | 0 | UniquePtr<BIGNUM> new_out; |
185 | 0 | if (out == nullptr) { |
186 | 0 | new_out.reset(BN_new()); |
187 | 0 | if (new_out == nullptr) { |
188 | 0 | return nullptr; |
189 | 0 | } |
190 | 0 | out = new_out.get(); |
191 | 0 | } |
192 | | |
193 | 0 | UniquePtr<BIGNUM> a_reduced; |
194 | 0 | if (a->neg || BN_ucmp(a, n) >= 0) { |
195 | 0 | a_reduced.reset(BN_dup(a)); |
196 | 0 | if (a_reduced == nullptr) { |
197 | 0 | return nullptr; |
198 | 0 | } |
199 | 0 | if (!BN_nnmod(a_reduced.get(), a_reduced.get(), n, ctx)) { |
200 | 0 | return nullptr; |
201 | 0 | } |
202 | 0 | a = a_reduced.get(); |
203 | 0 | } |
204 | | |
205 | 0 | int no_inverse; |
206 | 0 | if (!BN_is_odd(n)) { |
207 | 0 | if (!bn_mod_inverse_consttime(out, &no_inverse, a, n, ctx)) { |
208 | 0 | return nullptr; |
209 | 0 | } |
210 | 0 | } else if (!BN_mod_inverse_odd(out, &no_inverse, a, n, ctx)) { |
211 | 0 | return nullptr; |
212 | 0 | } |
213 | | |
214 | 0 | new_out.release(); // Passed to the caller via |out|. |
215 | 0 | return out; |
216 | 0 | } |
217 | | |
218 | | int BN_mod_inverse_blinded(BIGNUM *out, int *out_no_inverse, const BIGNUM *a, |
219 | 0 | const BN_MONT_CTX *mont, BN_CTX *ctx) { |
220 | 0 | *out_no_inverse = 0; |
221 | | |
222 | | // |a| is secret, but it is required to be in range, so these comparisons may |
223 | | // be leaked. |
224 | 0 | if (BN_is_negative(a) || |
225 | 0 | constant_time_declassify_int(BN_cmp(a, &mont->N) >= 0)) { |
226 | 0 | OPENSSL_PUT_ERROR(BN, BN_R_INPUT_NOT_REDUCED); |
227 | 0 | return 0; |
228 | 0 | } |
229 | | |
230 | 0 | UniquePtr<BIGNUM> blinding_factor(BN_new()); |
231 | 0 | if (blinding_factor == nullptr) { |
232 | 0 | return 0; |
233 | 0 | } |
234 | | |
235 | | // |BN_mod_inverse_odd| is leaky, so generate a secret blinding factor and |
236 | | // blind |a|. This works because (ar)^-1 * r = a^-1, supposing r is |
237 | | // invertible. If r is not invertible, this function will fail. However, we |
238 | | // only use this in RSA, where stumbling on an uninvertible element means |
239 | | // stumbling on the key's factorization. That is, if this function fails, the |
240 | | // RSA key was not actually a product of two large primes. |
241 | | // |
242 | | // TODO(crbug.com/boringssl/677): When the PRNG output is marked secret by |
243 | | // default, the explicit |bn_secret| call can be removed. |
244 | 0 | if (!BN_rand_range_ex(blinding_factor.get(), 1, &mont->N)) { |
245 | 0 | return 0; |
246 | 0 | } |
247 | 0 | bn_secret(blinding_factor.get()); |
248 | 0 | if (!BN_mod_mul_montgomery(out, blinding_factor.get(), a, mont, ctx)) { |
249 | 0 | return 0; |
250 | 0 | } |
251 | | |
252 | | // Once blinded, |out| is no longer secret, so it may be passed to a leaky |
253 | | // mod inverse function. Note |blinding_factor| is secret, so |out| will be |
254 | | // secret again after multiplying. |
255 | 0 | bn_declassify(out); |
256 | 0 | if (!BN_mod_inverse_odd(out, out_no_inverse, out, &mont->N, ctx) || |
257 | 0 | !BN_mod_mul_montgomery(out, blinding_factor.get(), out, mont, ctx)) { |
258 | 0 | return 0; |
259 | 0 | } |
260 | | |
261 | 0 | return 1; |
262 | 0 | } |
263 | | |
264 | | int bssl::bn_mod_inverse_prime(BIGNUM *out, const BIGNUM *a, const BIGNUM *p, |
265 | 0 | BN_CTX *ctx, const BN_MONT_CTX *mont_p) { |
266 | 0 | BN_CTXScope scope(ctx); |
267 | 0 | BIGNUM *p_minus_2 = BN_CTX_get(ctx); |
268 | 0 | return p_minus_2 != nullptr && BN_copy(p_minus_2, p) && |
269 | 0 | BN_sub_word(p_minus_2, 2) && |
270 | 0 | BN_mod_exp_mont(out, a, p_minus_2, p, ctx, mont_p); |
271 | 0 | } |
272 | | |
273 | | int bssl::bn_mod_inverse_secret_prime(BIGNUM *out, const BIGNUM *a, |
274 | | const BIGNUM *p, BN_CTX *ctx, |
275 | 0 | const BN_MONT_CTX *mont_p) { |
276 | 0 | BN_CTXScope scope(ctx); |
277 | 0 | BIGNUM *p_minus_2 = BN_CTX_get(ctx); |
278 | 0 | return p_minus_2 != nullptr && BN_copy(p_minus_2, p) && |
279 | 0 | BN_sub_word(p_minus_2, 2) && |
280 | 0 | BN_mod_exp_mont_consttime(out, a, p_minus_2, p, ctx, mont_p); |
281 | 0 | } |