TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / daba4f67cccf6fa2f4a71f6be3e5da353671412f / . / library / rsa_internal.c
blob: 4db49aa578b92358af0624d0360a2f955f688121 [file] [log] [blame]
Hanno Beckera565f542017-10-11 11:00:19 +0100[diff] [blame]1/*
2 * Helper functions for the RSA module
3 *
4 * Copyright (C) 2006-2017, ARM Limited, All Rights Reserved
Bence Szépkútif744bd72020-06-05 13:02:18 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6 *
7 * This file is provided under the Apache License 2.0, or the
8 * GNU General Public License v2.0 or later.
9 *
10 * **********
11 * Apache License 2.0:
Hanno Beckera565f542017-10-11 11:00:19 +0100[diff] [blame]12 *
13 * Licensed under the Apache License, Version 2.0 (the "License"); you may
14 * not use this file except in compliance with the License.
15 * You may obtain a copy of the License at
16 *
17 * http://www.apache.org/licenses/LICENSE-2.0
18 *
19 * Unless required by applicable law or agreed to in writing, software
20 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
21 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
22 * See the License for the specific language governing permissions and
23 * limitations under the License.
24 *
Bence Szépkútif744bd72020-06-05 13:02:18 +0200[diff] [blame]25 * **********
26 *
27 * **********
28 * GNU General Public License v2.0 or later:
29 *
30 * This program is free software; you can redistribute it and/or modify
31 * it under the terms of the GNU General Public License as published by
32 * the Free Software Foundation; either version 2 of the License, or
33 * (at your option) any later version.
34 *
35 * This program is distributed in the hope that it will be useful,
36 * but WITHOUT ANY WARRANTY; without even the implied warranty of
37 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
38 * GNU General Public License for more details.
39 *
40 * You should have received a copy of the GNU General Public License along
41 * with this program; if not, write to the Free Software Foundation, Inc.,
42 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
43 *
44 * **********
45 *
Hanno Beckera565f542017-10-11 11:00:19 +0100[diff] [blame]46 * This file is part of mbed TLS (https://tls.mbed.org)
47 *
48 */
49
50#if !defined(MBEDTLS_CONFIG_FILE)
51#include "mbedtls/config.h"
52#else
53#include MBEDTLS_CONFIG_FILE
54#endif
55
56#if defined(MBEDTLS_RSA_C)
57
58#include "mbedtls/rsa.h"
59#include "mbedtls/bignum.h"
60#include "mbedtls/rsa_internal.h"
61
62/*
63 * Compute RSA prime factors from public and private exponents
64 *
65 * Summary of algorithm:
66 * Setting F := lcm(P-1,Q-1), the idea is as follows:
67 *
68 * (a) For any 1 <= X < N with gcd(X,N)=1, we have X^F = 1 modulo N, so X^(F/2)
69 * is a square root of 1 in Z/NZ. Since Z/NZ ~= Z/PZ x Z/QZ by CRT and the
70 * square roots of 1 in Z/PZ and Z/QZ are +1 and -1, this leaves the four
71 * possibilities X^(F/2) = (+-1, +-1). If it happens that X^(F/2) = (-1,+1)
72 * or (+1,-1), then gcd(X^(F/2) + 1, N) will be equal to one of the prime
73 * factors of N.
74 *
75 * (b) If we don't know F/2 but (F/2) * K for some odd (!) K, then the same
76 * construction still applies since (-)^K is the identity on the set of
77 * roots of 1 in Z/NZ.
78 *
79 * The public and private key primitives (-)^E and (-)^D are mutually inverse
80 * bijections on Z/NZ if and only if (-)^(DE) is the identity on Z/NZ, i.e.
81 * if and only if DE - 1 is a multiple of F, say DE - 1 = F * L.
82 * Splitting L = 2^t * K with K odd, we have
83 *
84 * DE - 1 = FL = (F/2) * (2^(t+1)) * K,
85 *
86 * so (F / 2) * K is among the numbers
87 *
88 * (DE - 1) >> 1, (DE - 1) >> 2, ..., (DE - 1) >> ord
89 *
90 * where ord is the order of 2 in (DE - 1).
91 * We can therefore iterate through these numbers apply the construction
92 * of (a) and (b) above to attempt to factor N.
93 *
94 */
95int mbedtls_rsa_deduce_primes( mbedtls_mpi const *N,
Hanno Beckerc36aab62017-10-17 09:15:06 +0100[diff] [blame]96 mbedtls_mpi const *E, mbedtls_mpi const *D,
Hanno Beckera565f542017-10-11 11:00:19 +0100[diff] [blame]97 mbedtls_mpi *P, mbedtls_mpi *Q )
98{
99 int ret = 0;
100
101 uint16_t attempt; /* Number of current attempt */
102 uint16_t iter; /* Number of squares computed in the current attempt */
103
104 uint16_t order; /* Order of 2 in DE - 1 */
105
106 mbedtls_mpi T; /* Holds largest odd divisor of DE - 1 */
107 mbedtls_mpi K; /* Temporary holding the current candidate */
108
Hanno Becker4055a3a2017-10-17 09:15:26 +0100[diff] [blame]109 const unsigned char primes[] = { 2,
Hanno Beckera565f542017-10-11 11:00:19 +0100[diff] [blame]110 3, 5, 7, 11, 13, 17, 19, 23,
111 29, 31, 37, 41, 43, 47, 53, 59,
112 61, 67, 71, 73, 79, 83, 89, 97,
113 101, 103, 107, 109, 113, 127, 131, 137,
114 139, 149, 151, 157, 163, 167, 173, 179,
115 181, 191, 193, 197, 199, 211, 223, 227,
Hanno Becker4055a3a2017-10-17 09:15:26 +0100[diff] [blame]116 229, 233, 239, 241, 251
Hanno Beckera565f542017-10-11 11:00:19 +0100[diff] [blame]117 };
118
119 const size_t num_primes = sizeof( primes ) / sizeof( *primes );
120
121 if( P == NULL || Q == NULL || P->p != NULL || Q->p != NULL )
122 return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
123
124 if( mbedtls_mpi_cmp_int( N, 0 ) <= 0 ||
125 mbedtls_mpi_cmp_int( D, 1 ) <= 0 ||
126 mbedtls_mpi_cmp_mpi( D, N ) >= 0 ||
127 mbedtls_mpi_cmp_int( E, 1 ) <= 0 ||
128 mbedtls_mpi_cmp_mpi( E, N ) >= 0 )
129 {
130 return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
131 }
132
133 /*
134 * Initializations and temporary changes
135 */
136
137 mbedtls_mpi_init( &K );
138 mbedtls_mpi_init( &T );
139
140 /* T := DE - 1 */
141 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, D, E ) );
142 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &T, &T, 1 ) );
143
Hanno Becker4952e7a2018-01-03 09:27:40 +0000[diff] [blame]144 if( ( order = (uint16_t) mbedtls_mpi_lsb( &T ) ) == 0 )
Hanno Beckera565f542017-10-11 11:00:19 +0100[diff] [blame]145 {
146 ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
147 goto cleanup;
148 }
149
150 /* After this operation, T holds the largest odd divisor of DE - 1. */
151 MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &T, order ) );
152
153 /*
154 * Actual work
155 */
156
157 /* Skip trying 2 if N == 1 mod 8 */
158 attempt = 0;
159 if( N->p[0] % 8 == 1 )
160 attempt = 1;
161
162 for( ; attempt < num_primes; ++attempt )
163 {
164 mbedtls_mpi_lset( &K, primes[attempt] );
165
166 /* Check if gcd(K,N) = 1 */
167 MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( P, &K, N ) );
168 if( mbedtls_mpi_cmp_int( P, 1 ) != 0 )
169 continue;
170
171 /* Go through K^T + 1, K^(2T) + 1, K^(4T) + 1, ...
172 * and check whether they have nontrivial GCD with N. */
173 MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &K, &K, &T, N,
174 Q /* temporarily use Q for storing Montgomery
175 * multiplication helper values */ ) );
176
Hanno Becker7643d4e2017-10-11 15:53:02 +0100[diff] [blame]177 for( iter = 1; iter <= order; ++iter )
Hanno Beckera565f542017-10-11 11:00:19 +0100[diff] [blame]178 {
Hanno Becker5d42b532017-10-11 15:58:00 +0100[diff] [blame]179 /* If we reach 1 prematurely, there's no point
180 * in continuing to square K */
181 if( mbedtls_mpi_cmp_int( &K, 1 ) == 0 )
182 break;
183
Hanno Beckera565f542017-10-11 11:00:19 +0100[diff] [blame]184 MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( &K, &K, 1 ) );
185 MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( P, &K, N ) );
186
187 if( mbedtls_mpi_cmp_int( P, 1 ) == 1 &&
188 mbedtls_mpi_cmp_mpi( P, N ) == -1 )
189 {
190 /*
191 * Have found a nontrivial divisor P of N.
192 * Set Q := N / P.
193 */
194
195 MBEDTLS_MPI_CHK( mbedtls_mpi_div_mpi( Q, NULL, N, P ) );
196 goto cleanup;
197 }
198
199 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &K, &K, 1 ) );
200 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &K, &K, &K ) );
201 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &K, &K, N ) );
202 }
Hanno Becker14a00c02017-10-11 12:58:23 +0100[diff] [blame]203
Hanno Becker5d42b532017-10-11 15:58:00 +0100[diff] [blame]204 /*
205 * If we get here, then either we prematurely aborted the loop because
206 * we reached 1, or K holds primes[attempt]^(DE - 1) mod N, which must
207 * be 1 if D,E,N were consistent.
208 * Check if that's the case and abort if not, to avoid very long,
209 * yet eventually failing, computations if N,D,E were not sane.
210 */
Hanno Becker14a00c02017-10-11 12:58:23 +0100[diff] [blame]211 if( mbedtls_mpi_cmp_int( &K, 1 ) != 0 )
212 {
213 break;
214 }
Hanno Beckera565f542017-10-11 11:00:19 +0100[diff] [blame]215 }
216
217 ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
218
219cleanup:
220
221 mbedtls_mpi_free( &K );
222 mbedtls_mpi_free( &T );
223 return( ret );
224}
225
226/*
227 * Given P, Q and the public exponent E, deduce D.
228 * This is essentially a modular inversion.
229 */
230int mbedtls_rsa_deduce_private_exponent( mbedtls_mpi const *P,
231 mbedtls_mpi const *Q,
232 mbedtls_mpi const *E,
233 mbedtls_mpi *D )
234{
235 int ret = 0;
236 mbedtls_mpi K, L;
237
238 if( D == NULL || mbedtls_mpi_cmp_int( D, 0 ) != 0 )
239 return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
240
241 if( mbedtls_mpi_cmp_int( P, 1 ) <= 0 ||
242 mbedtls_mpi_cmp_int( Q, 1 ) <= 0 ||
243 mbedtls_mpi_cmp_int( E, 0 ) == 0 )
244 {
245 return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
246 }
247
248 mbedtls_mpi_init( &K );
249 mbedtls_mpi_init( &L );
250
251 /* Temporarily put K := P-1 and L := Q-1 */
252 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &K, P, 1 ) );
253 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &L, Q, 1 ) );
254
255 /* Temporarily put D := gcd(P-1, Q-1) */
256 MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( D, &K, &L ) );
257
258 /* K := LCM(P-1, Q-1) */
259 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &K, &K, &L ) );
260 MBEDTLS_MPI_CHK( mbedtls_mpi_div_mpi( &K, NULL, &K, D ) );
261
262 /* Compute modular inverse of E in LCM(P-1, Q-1) */
263 MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( D, E, &K ) );
264
265cleanup:
266
267 mbedtls_mpi_free( &K );
268 mbedtls_mpi_free( &L );
269
270 return( ret );
271}
272
273/*
274 * Check that RSA CRT parameters are in accordance with core parameters.
275 */
276int mbedtls_rsa_validate_crt( const mbedtls_mpi *P, const mbedtls_mpi *Q,
277 const mbedtls_mpi *D, const mbedtls_mpi *DP,
278 const mbedtls_mpi *DQ, const mbedtls_mpi *QP )
279{
280 int ret = 0;
281
282 mbedtls_mpi K, L;
283 mbedtls_mpi_init( &K );
284 mbedtls_mpi_init( &L );
285
286 /* Check that DP - D == 0 mod P - 1 */
287 if( DP != NULL )
288 {
289 if( P == NULL )
290 {
291 ret = MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
292 goto cleanup;
293 }
294
295 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &K, P, 1 ) );
296 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &L, DP, D ) );
297 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &L, &L, &K ) );
298
299 if( mbedtls_mpi_cmp_int( &L, 0 ) != 0 )
300 {
301 ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
302 goto cleanup;
303 }
304 }
305
306 /* Check that DQ - D == 0 mod Q - 1 */
307 if( DQ != NULL )
308 {
309 if( Q == NULL )
310 {
311 ret = MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
312 goto cleanup;
313 }
314
315 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &K, Q, 1 ) );
316 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &L, DQ, D ) );
317 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &L, &L, &K ) );
318
319 if( mbedtls_mpi_cmp_int( &L, 0 ) != 0 )
320 {
321 ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
322 goto cleanup;
323 }
324 }
325
326 /* Check that QP * Q - 1 == 0 mod P */
327 if( QP != NULL )
328 {
329 if( P == NULL || Q == NULL )
330 {
331 ret = MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
332 goto cleanup;
333 }
334
335 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &K, QP, Q ) );
336 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &K, &K, 1 ) );
337 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &K, &K, P ) );
338 if( mbedtls_mpi_cmp_int( &K, 0 ) != 0 )
339 {
340 ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
341 goto cleanup;
342 }
343 }
344
345cleanup:
346
347 /* Wrap MPI error codes by RSA check failure error code */
348 if( ret != 0 &&
349 ret != MBEDTLS_ERR_RSA_KEY_CHECK_FAILED &&
350 ret != MBEDTLS_ERR_RSA_BAD_INPUT_DATA )
351 {
352 ret += MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
353 }
354
355 mbedtls_mpi_free( &K );
356 mbedtls_mpi_free( &L );
357
358 return( ret );
359}
360
361/*
362 * Check that core RSA parameters are sane.
363 */
364int mbedtls_rsa_validate_params( const mbedtls_mpi *N, const mbedtls_mpi *P,
365 const mbedtls_mpi *Q, const mbedtls_mpi *D,
366 const mbedtls_mpi *E,
367 int (*f_rng)(void *, unsigned char *, size_t),
368 void *p_rng )
369{
370 int ret = 0;
371 mbedtls_mpi K, L;
372
373 mbedtls_mpi_init( &K );
374 mbedtls_mpi_init( &L );
375
376 /*
377 * Step 1: If PRNG provided, check that P and Q are prime
378 */
379
380#if defined(MBEDTLS_GENPRIME)
Janos Follatha0b67c22018-09-18 14:48:23 +0100[diff] [blame]381 /*
382 * When generating keys, the strongest security we support aims for an error
383 * rate of at most 2^-100 and we are aiming for the same certainty here as
384 * well.
385 */
Hanno Beckera565f542017-10-11 11:00:19 +0100[diff] [blame]386 if( f_rng != NULL && P != NULL &&
Janos Follatha0b67c22018-09-18 14:48:23 +0100[diff] [blame]387 ( ret = mbedtls_mpi_is_prime_ext( P, 50, f_rng, p_rng ) ) != 0 )
Hanno Beckera565f542017-10-11 11:00:19 +0100[diff] [blame]388 {
389 ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
390 goto cleanup;
391 }
392
393 if( f_rng != NULL && Q != NULL &&
Janos Follatha0b67c22018-09-18 14:48:23 +0100[diff] [blame]394 ( ret = mbedtls_mpi_is_prime_ext( Q, 50, f_rng, p_rng ) ) != 0 )
Hanno Beckera565f542017-10-11 11:00:19 +0100[diff] [blame]395 {
396 ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
397 goto cleanup;
398 }
399#else
400 ((void) f_rng);
401 ((void) p_rng);
402#endif /* MBEDTLS_GENPRIME */
403
404 /*
Hanno Beckerf8c028a2017-10-17 09:20:57 +0100[diff] [blame]405 * Step 2: Check that 1 < N = P * Q
Hanno Beckera565f542017-10-11 11:00:19 +0100[diff] [blame]406 */
407
408 if( P != NULL && Q != NULL && N != NULL )
409 {
410 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &K, P, Q ) );
411 if( mbedtls_mpi_cmp_int( N, 1 ) <= 0 ||
412 mbedtls_mpi_cmp_mpi( &K, N ) != 0 )
413 {
414 ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
415 goto cleanup;
416 }
417 }
418
419 /*
420 * Step 3: Check and 1 < D, E < N if present.
421 */
422
423 if( N != NULL && D != NULL && E != NULL )
424 {
425 if ( mbedtls_mpi_cmp_int( D, 1 ) <= 0 ||
426 mbedtls_mpi_cmp_int( E, 1 ) <= 0 ||
427 mbedtls_mpi_cmp_mpi( D, N ) >= 0 ||
428 mbedtls_mpi_cmp_mpi( E, N ) >= 0 )
429 {
430 ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
431 goto cleanup;
432 }
433 }
434
435 /*
436 * Step 4: Check that D, E are inverse modulo P-1 and Q-1
437 */
438
439 if( P != NULL && Q != NULL && D != NULL && E != NULL )
440 {
441 if( mbedtls_mpi_cmp_int( P, 1 ) <= 0 ||
442 mbedtls_mpi_cmp_int( Q, 1 ) <= 0 )
443 {
444 ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
445 goto cleanup;
446 }
447
448 /* Compute DE-1 mod P-1 */
449 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &K, D, E ) );
450 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &K, &K, 1 ) );
451 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &L, P, 1 ) );
452 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &K, &K, &L ) );
453 if( mbedtls_mpi_cmp_int( &K, 0 ) != 0 )
454 {
455 ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
456 goto cleanup;
457 }
458
459 /* Compute DE-1 mod Q-1 */
460 MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &K, D, E ) );
461 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &K, &K, 1 ) );
462 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &L, Q, 1 ) );
463 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &K, &K, &L ) );
464 if( mbedtls_mpi_cmp_int( &K, 0 ) != 0 )
465 {
466 ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
467 goto cleanup;
468 }
469 }
470
471cleanup:
472
473 mbedtls_mpi_free( &K );
474 mbedtls_mpi_free( &L );
475
476 /* Wrap MPI error codes by RSA check failure error code */
477 if( ret != 0 && ret != MBEDTLS_ERR_RSA_KEY_CHECK_FAILED )
478 {
479 ret += MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
480 }
481
482 return( ret );
483}
484
485int mbedtls_rsa_deduce_crt( const mbedtls_mpi *P, const mbedtls_mpi *Q,
486 const mbedtls_mpi *D, mbedtls_mpi *DP,
487 mbedtls_mpi *DQ, mbedtls_mpi *QP )
488{
489 int ret = 0;
490 mbedtls_mpi K;
491 mbedtls_mpi_init( &K );
492
493 /* DP = D mod P-1 */
494 if( DP != NULL )
495 {
496 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &K, P, 1 ) );
497 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( DP, D, &K ) );
498 }
499
500 /* DQ = D mod Q-1 */
501 if( DQ != NULL )
502 {
503 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &K, Q, 1 ) );
504 MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( DQ, D, &K ) );
505 }
506
507 /* QP = Q^{-1} mod P */
508 if( QP != NULL )
509 {
510 MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( QP, Q, P ) );
511 }
512
513cleanup:
514 mbedtls_mpi_free( &K );
515
516 return( ret );
517}
518
519#endif /* MBEDTLS_RSA_C */