search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge pull request #2735 from jareckib/master
[RRG-proxmark3.git] / common / mbedtls / rsa_internal.c
blobe1be1d9c06e35b32aaa09892a78be492a6178191
1 /*
2 * Helper functions for the RSA module
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 *
19 */
20
21 #include "common.h"
22
23 #if defined(MBEDTLS_RSA_C)
24
25 #include "mbedtls/rsa.h"
26 #include "mbedtls/bignum.h"
27 #include "mbedtls/rsa_internal.h"
28
29 /*
30 * Compute RSA prime factors from public and private exponents
31 *
32 * Summary of algorithm:
33 * Setting F := lcm(P-1,Q-1), the idea is as follows:
34 *
35 * (a) For any 1 <= X < N with gcd(X,N)=1, we have X^F = 1 modulo N, so X^(F/2)
36 * is a square root of 1 in Z/NZ. Since Z/NZ ~= Z/PZ x Z/QZ by CRT and the
37 * square roots of 1 in Z/PZ and Z/QZ are +1 and -1, this leaves the four
38 * possibilities X^(F/2) = (+-1, +-1). If it happens that X^(F/2) = (-1,+1)
39 * or (+1,-1), then gcd(X^(F/2) + 1, N) will be equal to one of the prime
40 * factors of N.
41 *
42 * (b) If we don't know F/2 but (F/2) * K for some odd (!) K, then the same
43 * construction still applies since (-)^K is the identity on the set of
44 * roots of 1 in Z/NZ.
45 *
46 * The public and private key primitives (-)^E and (-)^D are mutually inverse
47 * bijections on Z/NZ if and only if (-)^(DE) is the identity on Z/NZ, i.e.
48 * if and only if DE - 1 is a multiple of F, say DE - 1 = F * L.
49 * Splitting L = 2^t * K with K odd, we have
50 *
51 * DE - 1 = FL = (F/2) * (2^(t+1)) * K,
52 *
53 * so (F / 2) * K is among the numbers
54 *
55 * (DE - 1) >> 1, (DE - 1) >> 2, ..., (DE - 1) >> ord
56 *
57 * where ord is the order of 2 in (DE - 1).
58 * We can therefore iterate through these numbers apply the construction
59 * of (a) and (b) above to attempt to factor N.
60 *
61 */
62 int mbedtls_rsa_deduce_primes(mbedtls_mpi const *N,
63 mbedtls_mpi const *E, mbedtls_mpi const *D,
64 mbedtls_mpi *P, mbedtls_mpi *Q) {
65 int ret = 0;
66
67 uint16_t attempt; /* Number of current attempt */
68 uint16_t iter; /* Number of squares computed in the current attempt */
69
70 uint16_t order; /* Order of 2 in DE - 1 */
71
72 mbedtls_mpi T; /* Holds largest odd divisor of DE - 1 */
73 mbedtls_mpi K; /* Temporary holding the current candidate */
74
75 const unsigned char primes[] = { 2,
76 3, 5, 7, 11, 13, 17, 19, 23,
77 29, 31, 37, 41, 43, 47, 53, 59,
78 61, 67, 71, 73, 79, 83, 89, 97,
79 101, 103, 107, 109, 113, 127, 131, 137,
80 139, 149, 151, 157, 163, 167, 173, 179,
81 181, 191, 193, 197, 199, 211, 223, 227,
82 229, 233, 239, 241, 251
83 };
84
85 const size_t num_primes = sizeof(primes) / sizeof(*primes);
86
87 if (P == NULL || Q == NULL || P->p != NULL || Q->p != NULL)
88 return (MBEDTLS_ERR_MPI_BAD_INPUT_DATA);
89
90 if (mbedtls_mpi_cmp_int(N, 0) <= 0 ||
91 mbedtls_mpi_cmp_int(D, 1) <= 0 ||
92 mbedtls_mpi_cmp_mpi(D, N) >= 0 ||
93 mbedtls_mpi_cmp_int(E, 1) <= 0 ||
94 mbedtls_mpi_cmp_mpi(E, N) >= 0) {
95 return (MBEDTLS_ERR_MPI_BAD_INPUT_DATA);
96 }
97
98 /*
99 * Initializations and temporary changes
100 */
101
102 mbedtls_mpi_init(&K);
103 mbedtls_mpi_init(&T);
104
105 /* T := DE - 1 */
106 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&T, D, E));
107 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&T, &T, 1));
108
109 if ((order = (uint16_t) mbedtls_mpi_lsb(&T)) == 0) {
110 ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
111 goto cleanup;
112 }
113
114 /* After this operation, T holds the largest odd divisor of DE - 1. */
115 MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&T, order));
116
117 /*
118 * Actual work
119 */
120
121 /* Skip trying 2 if N == 1 mod 8 */
122 attempt = 0;
123 if (N->p[0] % 8 == 1)
124 attempt = 1;
125
126 for (; attempt < num_primes; ++attempt) {
127 mbedtls_mpi_lset(&K, primes[attempt]);
128
129 /* Check if gcd(K,N) = 1 */
130 MBEDTLS_MPI_CHK(mbedtls_mpi_gcd(P, &K, N));
131 if (mbedtls_mpi_cmp_int(P, 1) != 0)
132 continue;
133
134 /* Go through K^T + 1, K^(2T) + 1, K^(4T) + 1, ...
135 * and check whether they have nontrivial GCD with N. */
136 MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&K, &K, &T, N,
137 Q /* temporarily use Q for storing Montgomery
138 * multiplication helper values */));
139
140 for (iter = 1; iter <= order; ++iter) {
141 /* If we reach 1 prematurely, there's no point
142 * in continuing to square K */
143 if (mbedtls_mpi_cmp_int(&K, 1) == 0)
144 break;
145
146 MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(&K, &K, 1));
147 MBEDTLS_MPI_CHK(mbedtls_mpi_gcd(P, &K, N));
148
149 if (mbedtls_mpi_cmp_int(P, 1) == 1 &&
150 mbedtls_mpi_cmp_mpi(P, N) == -1) {
151 /*
152 * Have found a nontrivial divisor P of N.
153 * Set Q := N / P.
154 */
155
156 MBEDTLS_MPI_CHK(mbedtls_mpi_div_mpi(Q, NULL, N, P));
157 goto cleanup;
158 }
159
160 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&K, &K, 1));
161 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&K, &K, &K));
162 MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&K, &K, N));
163 }
164
165 /*
166 * If we get here, then either we prematurely aborted the loop because
167 * we reached 1, or K holds primes[attempt]^(DE - 1) mod N, which must
168 * be 1 if D,E,N were consistent.
169 * Check if that's the case and abort if not, to avoid very long,
170 * yet eventually failing, computations if N,D,E were not sane.
171 */
172 if (mbedtls_mpi_cmp_int(&K, 1) != 0) {
173 break;
174 }
175 }
176
177 ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
178
179 cleanup:
180
181 mbedtls_mpi_free(&K);
182 mbedtls_mpi_free(&T);
183 return (ret);
184 }
185
186 /*
187 * Given P, Q and the public exponent E, deduce D.
188 * This is essentially a modular inversion.
189 */
190 int mbedtls_rsa_deduce_private_exponent(mbedtls_mpi const *P,
191 mbedtls_mpi const *Q,
192 mbedtls_mpi const *E,
193 mbedtls_mpi *D) {
194 int ret = 0;
195 mbedtls_mpi K, L;
196
197 if (D == NULL || mbedtls_mpi_cmp_int(D, 0) != 0)
198 return (MBEDTLS_ERR_MPI_BAD_INPUT_DATA);
199
200 if (mbedtls_mpi_cmp_int(P, 1) <= 0 ||
201 mbedtls_mpi_cmp_int(Q, 1) <= 0 ||
202 mbedtls_mpi_cmp_int(E, 0) == 0) {
203 return (MBEDTLS_ERR_MPI_BAD_INPUT_DATA);
204 }
205
206 mbedtls_mpi_init(&K);
207 mbedtls_mpi_init(&L);
208
209 /* Temporarily put K := P-1 and L := Q-1 */
210 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&K, P, 1));
211 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&L, Q, 1));
212
213 /* Temporarily put D := gcd(P-1, Q-1) */
214 MBEDTLS_MPI_CHK(mbedtls_mpi_gcd(D, &K, &L));
215
216 /* K := LCM(P-1, Q-1) */
217 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&K, &K, &L));
218 MBEDTLS_MPI_CHK(mbedtls_mpi_div_mpi(&K, NULL, &K, D));
219
220 /* Compute modular inverse of E in LCM(P-1, Q-1) */
221 MBEDTLS_MPI_CHK(mbedtls_mpi_inv_mod(D, E, &K));
222
223 cleanup:
224
225 mbedtls_mpi_free(&K);
226 mbedtls_mpi_free(&L);
227
228 return (ret);
229 }
230
231 /*
232 * Check that RSA CRT parameters are in accordance with core parameters.
233 */
234 int mbedtls_rsa_validate_crt(const mbedtls_mpi *P, const mbedtls_mpi *Q,
235 const mbedtls_mpi *D, const mbedtls_mpi *DP,
236 const mbedtls_mpi *DQ, const mbedtls_mpi *QP) {
237 int ret = 0;
238
239 mbedtls_mpi K, L;
240 mbedtls_mpi_init(&K);
241 mbedtls_mpi_init(&L);
242
243 /* Check that DP - D == 0 mod P - 1 */
244 if (DP != NULL) {
245 if (P == NULL) {
246 ret = MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
247 goto cleanup;
248 }
249
250 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&K, P, 1));
251 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&L, DP, D));
252 MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&L, &L, &K));
253
254 if (mbedtls_mpi_cmp_int(&L, 0) != 0) {
255 ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
256 goto cleanup;
257 }
258 }
259
260 /* Check that DQ - D == 0 mod Q - 1 */
261 if (DQ != NULL) {
262 if (Q == NULL) {
263 ret = MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
264 goto cleanup;
265 }
266
267 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&K, Q, 1));
268 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&L, DQ, D));
269 MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&L, &L, &K));
270
271 if (mbedtls_mpi_cmp_int(&L, 0) != 0) {
272 ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
273 goto cleanup;
274 }
275 }
276
277 /* Check that QP * Q - 1 == 0 mod P */
278 if (QP != NULL) {
279 if (P == NULL || Q == NULL) {
280 ret = MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
281 goto cleanup;
282 }
283
284 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&K, QP, Q));
285 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&K, &K, 1));
286 MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&K, &K, P));
287 if (mbedtls_mpi_cmp_int(&K, 0) != 0) {
288 ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
289 goto cleanup;
290 }
291 }
292
293 cleanup:
294
295 /* Wrap MPI error codes by RSA check failure error code */
296 if (ret != 0 &&
297 ret != MBEDTLS_ERR_RSA_KEY_CHECK_FAILED &&
298 ret != MBEDTLS_ERR_RSA_BAD_INPUT_DATA) {
299 ret += MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
300 }
301
302 mbedtls_mpi_free(&K);
303 mbedtls_mpi_free(&L);
304
305 return (ret);
306 }
307
308 /*
309 * Check that core RSA parameters are sane.
310 */
311 int mbedtls_rsa_validate_params(const mbedtls_mpi *N, const mbedtls_mpi *P,
312 const mbedtls_mpi *Q, const mbedtls_mpi *D,
313 const mbedtls_mpi *E,
314 int (*f_rng)(void *, unsigned char *, size_t),
315 void *p_rng) {
316 int ret = 0;
317 mbedtls_mpi K, L;
318
319 mbedtls_mpi_init(&K);
320 mbedtls_mpi_init(&L);
321
322 /*
323 * Step 1: If PRNG provided, check that P and Q are prime
324 */
325
326 #if defined(MBEDTLS_GENPRIME)
327 /*
328 * When generating keys, the strongest security we support aims for an error
329 * rate of at most 2^-100 and we are aiming for the same certainty here as
330 * well.
331 */
332 if (f_rng != NULL && P != NULL &&
333 (ret = mbedtls_mpi_is_prime_ext(P, 50, f_rng, p_rng)) != 0) {
334 ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
335 goto cleanup;
336 }
337
338 if (f_rng != NULL && Q != NULL &&
339 (ret = mbedtls_mpi_is_prime_ext(Q, 50, f_rng, p_rng)) != 0) {
340 ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
341 goto cleanup;
342 }
343 #else
344 ((void) f_rng);
345 ((void) p_rng);
346 #endif /* MBEDTLS_GENPRIME */
347
348 /*
349 * Step 2: Check that 1 < N = P * Q
350 */
351
352 if (P != NULL && Q != NULL && N != NULL) {
353 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&K, P, Q));
354 if (mbedtls_mpi_cmp_int(N, 1) <= 0 ||
355 mbedtls_mpi_cmp_mpi(&K, N) != 0) {
356 ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
357 goto cleanup;
358 }
359 }
360
361 /*
362 * Step 3: Check and 1 < D, E < N if present.
363 */
364
365 if (N != NULL && D != NULL && E != NULL) {
366 if (mbedtls_mpi_cmp_int(D, 1) <= 0 ||
367 mbedtls_mpi_cmp_int(E, 1) <= 0 ||
368 mbedtls_mpi_cmp_mpi(D, N) >= 0 ||
369 mbedtls_mpi_cmp_mpi(E, N) >= 0) {
370 ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
371 goto cleanup;
372 }
373 }
374
375 /*
376 * Step 4: Check that D, E are inverse modulo P-1 and Q-1
377 */
378
379 if (P != NULL && Q != NULL && D != NULL && E != NULL) {
380 if (mbedtls_mpi_cmp_int(P, 1) <= 0 ||
381 mbedtls_mpi_cmp_int(Q, 1) <= 0) {
382 ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
383 goto cleanup;
384 }
385
386 /* Compute DE-1 mod P-1 */
387 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&K, D, E));
388 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&K, &K, 1));
389 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&L, P, 1));
390 MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&K, &K, &L));
391 if (mbedtls_mpi_cmp_int(&K, 0) != 0) {
392 ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
393 goto cleanup;
394 }
395
396 /* Compute DE-1 mod Q-1 */
397 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&K, D, E));
398 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&K, &K, 1));
399 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&L, Q, 1));
400 MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&K, &K, &L));
401 if (mbedtls_mpi_cmp_int(&K, 0) != 0) {
402 ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
403 goto cleanup;
404 }
405 }
406
407 cleanup:
408
409 mbedtls_mpi_free(&K);
410 mbedtls_mpi_free(&L);
411
412 /* Wrap MPI error codes by RSA check failure error code */
413 if (ret != 0 && ret != MBEDTLS_ERR_RSA_KEY_CHECK_FAILED) {
414 ret += MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
415 }
416
417 return (ret);
418 }
419
420 int mbedtls_rsa_deduce_crt(const mbedtls_mpi *P, const mbedtls_mpi *Q,
421 const mbedtls_mpi *D, mbedtls_mpi *DP,
422 mbedtls_mpi *DQ, mbedtls_mpi *QP) {
423 int ret = 0;
424 mbedtls_mpi K;
425 mbedtls_mpi_init(&K);
426
427 /* DP = D mod P-1 */
428 if (DP != NULL) {
429 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&K, P, 1));
430 MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(DP, D, &K));
431 }
432
433 /* DQ = D mod Q-1 */
434 if (DQ != NULL) {
435 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&K, Q, 1));
436 MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(DQ, D, &K));
437 }
438
439 /* QP = Q^{-1} mod P */
440 if (QP != NULL) {
441 MBEDTLS_MPI_CHK(mbedtls_mpi_inv_mod(QP, Q, P));
442 }
443
444 cleanup:
445 mbedtls_mpi_free(&K);
446
447 return (ret);
448 }
449
450 #endif /* MBEDTLS_RSA_C */
Proxmark3 - the RFID research Swiss army knife. Iceman firmware