Diffstat (limited to 'rsa.c')
-rw-r--r-- | rsa.c | 89 |
1 files changed, 14 insertions, 75 deletions
@@ -77,13 +77,6 @@
 #include <tfm.h>
 #include "asn1_internal.h"
-#ifdef DO_TIMING
-#include "stm-dwt.h"
-#else
-#define DWT_start(x)
-#define DWT_stop(x)
-#endif
-
 /*
  * Whether to use ModExp core. It works, but it's painfully slow.
  */
@@ -309,21 +302,13 @@ static hal_error_t modexp(hal_core_t *core,
       .mont = mont,
       .mont_len = mont_len
     };
-    if (precalc) {
-      DWT_start(DWT_precalc_n);
-      if ((err = modexpng_precalc(mod, coeff, coeff_len, mont, mont_len)) != HAL_OK)
-        goto fail;
-      DWT_stop(DWT_precalc_n);
-    }
-
-    if ((err = unpack_fp(msg, msgbuf, sizeof(msgbuf))) != HAL_OK ||
+    if ((precalc &&
+         (err = modexpng_precalc(mod, coeff, coeff_len, mont, mont_len)) != HAL_OK) ||
+        (err = unpack_fp(msg, msgbuf, sizeof(msgbuf))) != HAL_OK ||
         (err = unpack_fp(exp, expbuf, sizeof(expbuf))) != HAL_OK ||
-        (err = unpack_fp(mod, modbuf, sizeof(modbuf))) != HAL_OK)
-      goto fail;
-    DWT_start(DWT_hal_modexpng_n);
-    if ((err = hal_modexpng(&args)) != HAL_OK)
+        (err = unpack_fp(mod, modbuf, sizeof(modbuf))) != HAL_OK ||
+        (err = hal_modexpng(&args)) != HAL_OK)
       goto fail;
-    DWT_stop(DWT_hal_modexpng_n);
   }
   else {
     hal_modexp_arg_t args = {
@@ -338,12 +323,9 @@ static hal_error_t modexp(hal_core_t *core,
     if ((err = unpack_fp(msg, msgbuf, sizeof(msgbuf))) != HAL_OK ||
         (err = unpack_fp(exp, expbuf, sizeof(expbuf))) != HAL_OK ||
-        (err = unpack_fp(mod, modbuf, sizeof(modbuf))) != HAL_OK)
-      goto fail;
-    DWT_start(DWT_hal_modexp);
-    if ((err = hal_modexp(precalc, &args)) != HAL_OK)
+        (err = unpack_fp(mod, modbuf, sizeof(modbuf))) != HAL_OK ||
+        (err = hal_modexp(precalc, &args)) != HAL_OK)
       goto fail;
-    DWT_stop(DWT_hal_modexp);
   }
   fp_read_unsigned_bin(res, resbuf, sizeof(resbuf));
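Review bot: In modexp the precalc step is now buried inside the `||` chain as `(precalc && (err = modexpng_precalc(...)) != HAL_OK) ||`, so a reader has to work out that a false `precalc` falls through to the unpacks while a failed precalc jumps to `fail:`, and the `&&` nested in an `||` chain invites a precedence misread. The same failure routing is clearer as its own statement ahead of the chain: `if (precalc && (err = modexpng_precalc(mod, coeff, coeff_len, mont, mont_len)) != HAL_OK)` / `goto fail;`. This is a style point only; the new chain's behaviour matches the removed `if (precalc) { … }` block. modexp begins before this hunk and its `fail:` label lies outside it.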
@@ -408,18 +390,13 @@ static hal_error_t modexp2(const int precalc,
     .mont = mont2,
     .mont_len = mont2_len
   };
-  DWT_start(DWT_unpack_fp);
   if ((err = unpack_fp(msg, msgbuf, sizeof(msgbuf))) != HAL_OK ||
       (err = unpack_fp(exp1, expbuf1, sizeof(expbuf1))) != HAL_OK ||
       (err = unpack_fp(mod1, modbuf1, sizeof(modbuf1))) != HAL_OK ||
       (err = unpack_fp(exp2, expbuf2, sizeof(expbuf2))) != HAL_OK ||
-      (err = unpack_fp(mod2, modbuf2, sizeof(modbuf2))) != HAL_OK)
-    goto fail;
-  DWT_stop(DWT_unpack_fp);
-  DWT_start(DWT_hal_modexp2);
-  if ((err = hal_modexp2(precalc, &args1, &args2)) != HAL_OK)
+      (err = unpack_fp(mod2, modbuf2, sizeof(modbuf2))) != HAL_OK ||
+      (err = hal_modexp2(precalc, &args1, &args2)) != HAL_OK)
     goto fail;
-  DWT_stop(DWT_hal_modexp2);
   fp_read_unsigned_bin(res1, resbuf1, sizeof(resbuf1));
   fp_read_unsigned_bin(res2, resbuf2, sizeof(resbuf2));
@@ -450,19 +427,15 @@ static hal_error_t modexpng(hal_core_t *core,
     return HAL_ERROR_IMPOSSIBLE;
   if (!(key->flags & RSA_FLAG_PRECALC_N_DONE)) {
-    DWT_start(DWT_precalc_n);
     if ((err = modexpng_precalc(key->n, key->nC, sizeof(key->nC), key->nF, sizeof(key->nF))) != HAL_OK)
       return err;
-    DWT_stop(DWT_precalc_n);
     key->flags |= RSA_FLAG_PRECALC_N_DONE | RSA_FLAG_NEEDS_SAVING;
   }
   if (key->p && !(key->flags & RSA_FLAG_PRECALC_PQ_DONE)) {
-    DWT_start(DWT_precalc_pq);
     if ((err = modexpng_precalc(key->p, key->pC, sizeof(key->pC), key->pF, sizeof(key->pF))) != HAL_OK ||
         (err = modexpng_precalc(key->q, key->qC, sizeof(key->qC), key->qF, sizeof(key->qF))) != HAL_OK)
       return err;
-    DWT_stop(DWT_precalc_pq);
     key->flags |= RSA_FLAG_PRECALC_PQ_DONE | RSA_FLAG_NEEDS_SAVING;
   }
@@ -504,7 +477,6 @@ static hal_error_t modexpng(hal_core_t *core,
     .ubf = ubf_buf,
     .ubf_len = sizeof(ubf_buf),
   };
-  DWT_start(DWT_unpack_fp);
   if (bf) {
     if ((err = unpack_fp(bf, bf_buf, sizeof(bf_buf))) != HAL_OK ||
         (err = unpack_fp(ubf, ubf_buf, sizeof(ubf_buf))) != HAL_OK)
@@ -523,13 +495,9 @@ static hal_error_t modexpng(hal_core_t *core,
         (err = unpack_fp(key->q, q_buf, sizeof(q_buf))) != HAL_OK ||
         (err = unpack_fp(key->u, u_buf, sizeof(u_buf))) != HAL_OK ||
         (err = unpack_fp(key->dP, dP_buf, sizeof(dP_buf))) != HAL_OK ||
-        (err = unpack_fp(key->dQ, dQ_buf, sizeof(dQ_buf))) != HAL_OK)
-      goto fail;
-    DWT_stop(DWT_unpack_fp);
-    DWT_start(DWT_hal_modexpng);
-    if ((err = hal_modexpng(&args)) != HAL_OK)
+        (err = unpack_fp(key->dQ, dQ_buf, sizeof(dQ_buf))) != HAL_OK ||
+        (err = hal_modexpng(&args)) != HAL_OK)
       goto fail;
-    DWT_stop(DWT_hal_modexpng);
   fp_read_unsigned_bin(res, resbuf, sizeof(resbuf));
   /* we do the blinding factor mutation in create_blinding_factors,
@@ -688,21 +656,17 @@ static hal_error_t create_blinding_factors(hal_rsa_key_t *key, fp_int *bf, fp_in
   }
 #endif
-  DWT_start(DWT_hal_get_random);
   if ((err = hal_get_random(NULL, rnd, sizeof(rnd))) != HAL_OK)
     goto fail;
-  DWT_stop(DWT_hal_get_random);
   fp_init(bf);
   fp_read_unsigned_bin(bf, rnd, sizeof(rnd));
   fp_copy(bf, ubf);
   /* bf = ubf ** e mod n */
-  DWT_start(DWT_modexp);
   if ((err = modexp(NULL, precalc, bf, key->e, key->n, bf, key->nC, sizeof(key->nC), key->nF, sizeof(key->nF))) != HAL_OK)
     goto fail;
-  DWT_stop(DWT_modexp);
   if (precalc)
     key->flags |= RSA_FLAG_PRECALC_N_DONE | RSA_FLAG_NEEDS_SAVING;
@@ -740,20 +704,12 @@ static hal_error_t rsa_crt(hal_core_t *core1, hal_core_t *core2, hal_rsa_key_t *
   if (hal_modexp_using_modexpng()) {
     if (blinding) {
-      DWT_start(DWT_create_blinding_factors);
       if ((err = create_blinding_factors(key, bf, ubf)) != HAL_OK)
         return err;
-      DWT_stop(DWT_create_blinding_factors);
-      DWT_start(DWT_modexpng);
-      err = modexpng(core1, msg, key, bf, ubf, sig);
-      DWT_stop(DWT_modexpng);
-      return err;
+      return modexpng(core1, msg, key, bf, ubf, sig);
     }
     else {
-      DWT_start(DWT_modexpng);
-      err = modexpng(core1, msg, key, NULL, NULL, sig);
-      DWT_stop(DWT_modexpng);
-      return err;
+      return modexpng(core1, msg, key, NULL, NULL, sig);
     }
   }
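Review bot: The new `return modexpng(core1, msg, key, bf, ubf, sig);` in rsa_crt's modexpng branch, like the `return err;` just above it, leaves the function without reaching the `fail:` cleanup that the non-modexpng path ends with (`fail:` followed by `fp_zero(t)` appears in a later hunk of this file), so whatever that label is meant to scrub is skipped on this path. Whether bf and ubf are rsa_crt locals that need scrubbing cannot be seen from this hunk; if they are, `err = modexpng(core1, msg, key, bf, ubf, sig);` / `goto fail;` would give both paths the same exit, and the failure branch could use `goto fail` as well. Separately, the `else` after an unconditional `return` is dead and the two arms differ only in the blinding arguments, so they collapse to `return modexpng(core1, msg, key, blinding ? bf : NULL, blinding ? ubf : NULL, sig);`. rsa_crt begins and ends outside this hunk.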
@@ -766,26 +722,20 @@ static hal_error_t rsa_crt(hal_core_t *core1, hal_core_t *core2, hal_rsa_key_t *
    * Handle blinding if requested.
    */
   if (blinding) {
-    DWT_start(DWT_create_blinding_factors);
     if ((err = create_blinding_factors(key, bf, ubf)) != HAL_OK)
       goto fail;
-    DWT_stop(DWT_create_blinding_factors);
     /* msg = (msg * bf) % modulus */
-    DWT_start(DWT_blind_message);
     FP_CHECK(fp_mulmod(msg, bf, unconst_fp_int(key->n), msg));
-    DWT_stop(DWT_blind_message);
   }
   /*
    * m1 = msg ** dP mod p
    * m2 = msg ** dQ mod q
    */
-  DWT_start(DWT_modexp2);
   if ((err = modexp2(precalc, msg, core1, key->dP, key->p, m1, key->pC, sizeof(key->pC), key->pF, sizeof(key->pF), core2, key->dQ, key->q, m2, key->qC, sizeof(key->qC), key->qF, sizeof(key->qF))) != HAL_OK)
     goto fail;
-  DWT_stop(DWT_modexp2);
   if (precalc)
     key->flags |= RSA_FLAG_PRECALC_PQ_DONE | RSA_FLAG_NEEDS_SAVING;
@@ -817,11 +767,8 @@ static hal_error_t rsa_crt(hal_core_t *core1, hal_core_t *core2, hal_rsa_key_t *
    * Unblind if necessary.
    */
   /* sig = (sig * ubf) % modulus */
-  if (blinding) {
-    DWT_restart(DWT_blind_message);
+  if (blinding)
     FP_CHECK(fp_mulmod(sig, ubf, unconst_fp_int(key->n), sig));
-    DWT_stop(DWT_blind_message);
-  }
 fail:
   fp_zero(t);
@@ -895,18 +842,14 @@ hal_error_t hal_rsa_decrypt(hal_core_t *core1,
    */
   if (do_crt && !fp_iszero(key->p) && !fp_iszero(key->q) && !fp_iszero(key->u) && !fp_iszero(key->dP) && !fp_iszero(key->dQ)) {
-    DWT_start(DWT_rsa_crt);
     err = rsa_crt(core1, core2, key, i, o);
-    DWT_stop(DWT_rsa_crt);
   }
   else {
     const int precalc = !(key->flags & RSA_FLAG_PRECALC_N_DONE);
     /* o = i ** d % n */
-    DWT_start(DWT_modexp);
     err = modexp(core1, precalc, i, key->d, key->n, o, key->nC, sizeof(key->nC), key->nF, sizeof(key->nF));
-    DWT_stop(DWT_modexp);
     if (err == HAL_OK && precalc)
       key->flags |= RSA_FLAG_PRECALC_N_DONE | RSA_FLAG_NEEDS_SAVING;
   }
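Review bot: Removing the braces around `FP_CHECK(fp_mulmod(sig, ubf, unconst_fp_int(key->n), sig));` under `if (blinding)` in rsa_crt is only correct if `FP_CHECK` expands to a single statement (for example a `do { … } while (0)` wrapper); the macro's definition is outside this diff, so that should be confirmed. If it expands to more than one statement, only the first stays conditional and the remainder runs unconditionally on the unblinded path, immediately before `fail:`. Keeping `if (blinding) {` … `}` costs nothing and removes the dependency on the macro's shape. The start of rsa_crt is outside this hunk.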
@@ -1240,14 +1183,10 @@ hal_error_t hal_rsa_key_gen(hal_core_t *core,
 #if 0
   if (hal_modexp_using_modexpng()) {
-    DWT_start(DWT_precalc_n);
     modexpng_precalc(key->n, key->nC, sizeof(key->nC), key->nF, sizeof(key->nF));
-    DWT_stop(DWT_precalc_n);
-    DWT_start(DWT_precalc_pq);
     modexpng_precalc(key->p, key->pC, sizeof(key->pC), key->pF, sizeof(key->pF));
     modexpng_precalc(key->q, key->qC, sizeof(key->qC), key->qF, sizeof(key->qF));
     key->flags |= RSA_FLAG_PRECALC_N_DONE | RSA_FLAG_PRECALC_PQ_DONE;
-    DWT_stop(DWT_precalc_pq);
   }
 #endif