From c1ef4b322756753251d5ff4125d819a156dd16e7 Mon Sep 17 00:00:00 2001
From: Paul Selkirk <paul@psgd.org>
Date: Wed, 4 Mar 2020 17:06:26 -0500
Subject: Take advantage of ModExpNG core's blinding factor mutation.

---
 modexp.c |  6 ++++-
 rsa.c    | 90 +++++++++++++++++++++++++++++++++++++---------------------------
 2 files changed, 57 insertions(+), 39 deletions(-)

diff --git a/modexp.c b/modexp.c
index d8e2904..8fea2ea 100644
--- a/modexp.c
+++ b/modexp.c
@@ -391,6 +391,7 @@ hal_error_t hal_modexpng(hal_modexpng_arg_t *a)
       goto fail;
   }
   else {
+    /* set blinding factors to (1,1) */
     uint8_t one[a->mod_len]; memset(one, 0, sizeof(one)); one[sizeof(one) - 1] = 1;
     if ((err = set_buffer(a->core, MODEXPNG_ADDR_BANK_X, one, sizeof(one))) != HAL_OK ||
         (err = set_buffer(a->core, MODEXPNG_ADDR_BANK_Y, one, sizeof(one))) != HAL_OK)
@@ -417,7 +418,10 @@ hal_error_t hal_modexpng(hal_modexpng_arg_t *a)
   if ((err = hal_io_zero(a->core)) != HAL_OK ||
       (err = hal_io_next(a->core)) != HAL_OK ||
       (err = hal_io_wait_valid(a->core)) != HAL_OK ||
-      (err = get_buffer(a->core, MODEXPNG_ADDR_BANK_S, a->result, a->result_len)) != HAL_OK)
+      (err = get_buffer(a->core, MODEXPNG_ADDR_BANK_S, a->result, a->result_len)) != HAL_OK ||
+      ((a->bf != NULL && a->ubf != NULL) &&
+       ((err = get_buffer(a->core, MODEXPNG_ADDR_BANK_XM, a->ubf, a->ubf_len)) != HAL_OK ||
+        (err = get_buffer(a->core, MODEXPNG_ADDR_BANK_YM, a->bf, a->bf_len)) != HAL_OK)))
     goto fail;
 
 fail:
diff --git a/rsa.c b/rsa.c
index 3adbd49..9fd4b90 100644
--- a/rsa.c
+++ b/rsa.c
@@ -473,20 +473,13 @@ static hal_error_t modexpng(hal_core_t *core,
     .dP     = dP_buf,  .dP_len     = sizeof(dP_buf),
     .dQ     = dQ_buf,  .dQ_len     = sizeof(dQ_buf),
     .qInv   = u_buf,   .qInv_len   = sizeof(u_buf),
-    .bf     = bf_buf,  .bf_len     = sizeof(bf_buf),
-    .ubf    = ubf_buf, .ubf_len    = sizeof(ubf_buf),
   };
 
   if (bf) {
-    if ((err = unpack_fp(bf, bf_buf, sizeof(bf_buf))) != HAL_OK ||
-        (err = unpack_fp(ubf, ubf_buf, sizeof(ubf_buf))) != HAL_OK)
+    if ((err = unpack_fp(bf,  (args.bf   = bf_buf), (args.bf_len  = sizeof(bf_buf))))  != HAL_OK ||
+        (err = unpack_fp(ubf, (args.ubf = ubf_buf), (args.ubf_len = sizeof(ubf_buf)))) != HAL_OK)
       goto fail;
   }
-  else {
-    /* set blinding factors to (1,1) */
-    memset(bf_buf, 0, sizeof(bf_buf)); bf_buf[sizeof(bf_buf) - 1] = 1;
-    memset(ubf_buf, 0, sizeof(ubf_buf)); ubf_buf[sizeof(ubf_buf) - 1] = 1;
-  }
 
   if ((err = unpack_fp(msg,     msgbuf,  sizeof(msgbuf)))  != HAL_OK ||
       (err = unpack_fp(key->d,  expbuf,  sizeof(expbuf)))  != HAL_OK ||
@@ -499,10 +492,11 @@ static hal_error_t modexpng(hal_core_t *core,
       (err = hal_modexpng(&args))                          != HAL_OK)
     goto fail;
 
-  fp_read_unsigned_bin(res, resbuf,  sizeof(resbuf));
-  /* we do the blinding factor mutation in create_blinding_factors,
-   * so we don't need to read them back from the core
-   */
+  fp_read_unsigned_bin(res, resbuf, sizeof(resbuf));
+  if (bf) {
+    fp_read_unsigned_bin(bf,  bf_buf,  sizeof(bf_buf));
+    fp_read_unsigned_bin(ubf, ubf_buf, sizeof(ubf_buf));
+  }
 
  fail:
   memset(msgbuf,  0, sizeof(msgbuf));
@@ -620,14 +614,16 @@ int fp_exptmod(fp_int *a, fp_int *b, fp_int *c, fp_int *d)
 
 /*
  * Create blinding factors.
+ *
+ * If there is no blinding cache, bf and ubf point to user-supplied fp_ints.
+ * If there is a blinding cache, this returns pointers to a cache entry.
  */
 
-static hal_error_t create_blinding_factors(hal_rsa_key_t *key, fp_int *bf, fp_int *ubf)
+static hal_error_t create_blinding_factors(hal_rsa_key_t *key, fp_int **bf, fp_int **ubf)
 {
   if (key == NULL || bf == NULL || ubf == NULL)
     return HAL_ERROR_IMPOSSIBLE;
 
-  const int precalc = !(key->flags & RSA_FLAG_PRECALC_N_DONE);
   uint8_t rnd[fp_unsigned_bin_size(unconst_fp_int(key->n))];
   hal_error_t err = HAL_OK;
 
@@ -645,43 +641,53 @@ static hal_error_t create_blinding_factors(hal_rsa_key_t *key, fp_int *bf, fp_in
       best_index = i;
     }
     if (fp_cmp_mag(b->n, key->n) == FP_EQ) {
-      if (fp_sqrmod(b->bf,  key->n, b->bf)  != FP_OKAY ||
-          fp_sqrmod(b->ubf, key->n, b->ubf) != FP_OKAY)
+      /*
+       * ModExpNG does blinding factor mutation in hardware.
+       * ModExpA7 needs it done in software here.
+       */
+      if (!hal_modexp_using_modexpng() &&
+          (fp_sqrmod(b->bf,  key->n, b->bf)  != FP_OKAY ||
+           fp_sqrmod(b->ubf, key->n, b->ubf) != FP_OKAY))
         continue;               /* should never happen, but be safe */
-      fp_copy(b->bf, bf);
-      fp_copy(b->ubf, ubf);
+      *bf = b->bf;
+      *ubf = b->ubf;
       err = HAL_OK;
       goto fail;
     }
   }
+
+  /* Didn't find the modulus in the cache, so create a new cache entry. */
+  {
+    bfc_slot_t *b = &bfc.slot[best_index];
+    fp_copy(key->n, b->n);
+    b->lru = ++bfc.lru;
+    *bf = b->bf;
+    *ubf = b->ubf;
+  }
+#else
+  if (*bf == NULL || *ubf == NULL)
+    lose(HAL_ERROR_BAD_ARGUMENTS);
 #endif
 
   if ((err = hal_get_random(NULL, rnd, sizeof(rnd))) != HAL_OK)
     goto fail;
 
-  fp_init(bf);
-  fp_read_unsigned_bin(bf, rnd, sizeof(rnd));
-  fp_copy(bf, ubf);
+  fp_init(*bf);
+  fp_read_unsigned_bin(*bf, rnd, sizeof(rnd));
+  fp_copy(*bf, *ubf);
+
+  const int precalc = !(key->flags & RSA_FLAG_PRECALC_N_DONE);
 
   /* bf = ubf ** e mod n */
-  if ((err = modexp(NULL, precalc, bf, key->e, key->n, bf,
+  if ((err = modexp(NULL, precalc, *bf, key->e, key->n, *bf,
                     key->nC, sizeof(key->nC), key->nF, sizeof(key->nF))) != HAL_OK)
     goto fail;
 
   if (precalc)
     key->flags |= RSA_FLAG_PRECALC_N_DONE | RSA_FLAG_NEEDS_SAVING;
 
-  FP_CHECK(fp_invmod(ubf, unconst_fp_int(key->n), ubf));
-
-#if HAL_RSA_BLINDING_CACHE_SIZE > 0
-  {
-    bfc_slot_t *b = &bfc.slot[best_index];
-    fp_copy(key->n, b->n);
-    fp_copy(bf,  b->bf);
-    fp_copy(ubf, b->ubf);
-    b->lru = ++bfc.lru;
-  }
-#endif
+  /* ubf = ubf ** -1 mod n */
+  FP_CHECK(fp_invmod(*ubf, unconst_fp_int(key->n), *ubf));
 
  fail:
   hal_rsa_bf_unlock();
@@ -699,12 +705,16 @@ static hal_error_t rsa_crt(hal_core_t *core1, hal_core_t *core2, hal_rsa_key_t *
     return HAL_ERROR_IMPOSSIBLE;
 
   hal_error_t err = HAL_OK;
-  fp_int bf[1]  = INIT_FP_INT;
-  fp_int ubf[1] = INIT_FP_INT;
+#if HAL_RSA_BLINDING_CACHE_SIZE > 0
+  fp_int *bf, *ubf;
+#else  
+  fp_int _bf[1]  = INIT_FP_INT, *bf = _bf;
+  fp_int _ubf[1] = INIT_FP_INT, *ubf = _ubf;
+#endif
 
   if (hal_modexp_using_modexpng()) {
     if (blinding) {
-      if ((err = create_blinding_factors(key, bf, ubf)) != HAL_OK)
+      if ((err = create_blinding_factors(key, &bf, &ubf)) != HAL_OK)
         return err;
       return modexpng(core1, msg, key, bf, ubf, sig);
     }
@@ -713,6 +723,10 @@ static hal_error_t rsa_crt(hal_core_t *core1, hal_core_t *core2, hal_rsa_key_t *
     }
   }
 
+  /*
+   * ModExpA7 from here down
+   */
+
   const int precalc = !(key->flags & RSA_FLAG_PRECALC_PQ_DONE);
   fp_int t[1]   = INIT_FP_INT;
   fp_int m1[1]  = INIT_FP_INT;
@@ -722,7 +736,7 @@ static hal_error_t rsa_crt(hal_core_t *core1, hal_core_t *core2, hal_rsa_key_t *
    * Handle blinding if requested.
    */
   if (blinding) {
-    if ((err = create_blinding_factors(key, bf, ubf)) != HAL_OK)
+    if ((err = create_blinding_factors(key, &bf, &ubf)) != HAL_OK)
       goto fail;
     /* msg = (msg * bf) % modulus */
     FP_CHECK(fp_mulmod(msg, bf, unconst_fp_int(key->n), msg));
-- 
cgit v1.2.3