firmware/src/rsa.c - device/google/contexthub - Git at Google

 /*
  * Copyright (C) 2016 The Android Open Source Project
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *      http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */

 #include <stdint.h>
 #include <stdbool.h>
 #include <string.h>
 #include <rsa.h>


 static void biMod(uint32_t *num, const uint32_t *denum, uint32_t *tmp) //num %= denum where num is RSA_LEN * 2 and denum is RSA_LEN and tmp is RSA_LEN + limb_sz
 {
     uint32_t bitsh = 32, limbsh = RSA_LIMBS - 1;
     int64_t t;
     int32_t i;

     //initially set it up left shifted as far as possible
     memcpy(tmp + 1, denum, RSA_BYTES);
     tmp[0] = 0;
     bitsh = 32;

     while (!(tmp[RSA_LIMBS] & 0x80000000)) {
         for (i = RSA_LIMBS; i > 0; i--) {
             tmp[i] <<= 1;
             if (tmp[i - 1] & 0x80000000)
                 tmp[i]++;
         }
         //no need to adjust tmp[0] as it is still zero
         bitsh++;
     }

     while (1) {

         //check if we should subtract (uses less space than subtracting and unroling it later)
         for (i = RSA_LIMBS; i >= 0; i--) {
             if (num[limbsh + i] < tmp[i])
                 goto dont_subtract;
             if (num[limbsh + i] > tmp[i])
                 break;
         }

         //subtract
         t = 0;
         for (i = 0; i <= RSA_LIMBS; i++) {
             t += (uint64_t)num[limbsh + i];
             t -= (uint64_t)tmp[i];
             num[limbsh + i] = t;
             t >>= 32;
         }

         //carry the subtraction's carry to the end
         for (i = RSA_LIMBS + limbsh + 1; i < RSA_LIMBS * 2; i++) {
             t += (uint64_t)num[i];
             num[i] = t;
             t >>= 32;
         }

 dont_subtract:
         //handle bitshifts/refills
         if (!bitsh) {                          // tmp = denum << 32
             if (!limbsh)
                 break;

             memcpy(tmp + 1, denum, RSA_BYTES);
             tmp[0] = 0;
             bitsh = 32;
             limbsh--;
         }
         else {                                 // tmp >>= 1
             for (i = 0; i < RSA_LIMBS; i++) {
                 tmp[i] >>= 1;
                 if (tmp[i + 1] & 1)
                     tmp[i] += 0x80000000;
             }
             tmp[i] >>= 1;
             bitsh--;
         }
     }
 }

 static void biMul(uint32_t *ret, const uint32_t *a, const uint32_t *b) //ret = a * b
 {
     uint32_t i, j, c;
     uint64_t r;

     //zero the result
     memset(ret, 0, RSA_BYTES * 2);

     for (i = 0; i < RSA_LIMBS; i++) {

         //produce a partial sum & add it in
         c = 0;
         for (j = 0; j < RSA_LIMBS; j++) {
             r = (uint64_t)a[i] * b[j] + c + ret[i + j];
             ret[i + j] = r;
             c = r >> 32;
         }

         //carry the carry to the end
         for (j = i + RSA_LIMBS; j < RSA_LIMBS * 2; j++) {
             r = (uint64_t)ret[j] + c;
             ret[j] = r;
             c = r >> 32;
         }
     }
 }

 const uint32_t* rsaPubOp(struct RsaState* state, const uint32_t *a, const uint32_t *c)
 {
     uint32_t i;

     //calculate a ^ 65536 mod c into state->tmpB
     memcpy(state->tmpB, a, RSA_BYTES);
     for (i = 0; i < 16; i++) {
         biMul(state->tmpA, state->tmpB, state->tmpB);
         biMod(state->tmpA, c, state->tmpB);
         memcpy(state->tmpB, state->tmpA, RSA_BYTES);
     }

     //calculate a ^ 65537 mod c into state->tmpA [ at this point this means do state->tmpA = (state->tmpB * a) % c ]
     biMul(state->tmpA, state->tmpB, a);
     biMod(state->tmpA, c, state->tmpB);

     //return result
     return state->tmpA;
 }

 #if defined(RSA_SUPPORT_PRIV_OP_LOWRAM) || defined (RSA_SUPPORT_PRIV_OP_BIGRAM)
 const uint32_t* rsaPrivOp(struct RsaState* state, const uint32_t *a, const uint32_t *b, const uint32_t *c)
 {
     uint32_t i;

     memcpy(state->tmpC, a, RSA_BYTES);  //tC will hold our powers of a

     memset(state->tmpA, 0, RSA_BYTES * 2); //tA will hold result
     state->tmpA[0] = 1;

     for (i = 0; i < RSA_LEN; i++) {
         //if the bit is set, multiply the current power of A into result
         if (b[i / 32] & (1 << (i % 32))) {
             memcpy(state->tmpB, state->tmpA, RSA_BYTES);
             biMul(state->tmpA, state->tmpB, state->tmpC);
             biMod(state->tmpA, c, state->tmpB);
         }

         //calculate the next power of a and modulus it
 #if defined(RSA_SUPPORT_PRIV_OP_LOWRAM)
         memcpy(state->tmpB, state->tmpA, RSA_BYTES); //save tA
         biMul(state->tmpA, state->tmpC, state->tmpC);
         biMod(state->tmpA, c, state->tmpC);
         memcpy(state->tmpC, state->tmpA, RSA_BYTES);
         memcpy(state->tmpA, state->tmpB, RSA_BYTES); //restore tA
 #elif defined (RSA_SUPPORT_PRIV_OP_BIGRAM)
         memcpy(state->tmpB, state->tmpC, RSA_BYTES);
         biMul(state->tmpC, state->tmpB, state->tmpB);
         biMod(state->tmpC, c, state->tmpB);
 #endif
     }

     return state->tmpA;
 }
 #endif
	/*
	* Copyright (C) 2016 The Android Open Source Project
	*
	* Licensed under the Apache License, Version 2.0 (the "License");
	* you may not use this file except in compliance with the License.
	* You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/

	#include <stdint.h>
	#include <stdbool.h>
	#include <string.h>
	#include <rsa.h>


	static void biMod(uint32_t num, const uint32_t denum, uint32_t tmp) //num %= denum where num is RSA_LEN 2 and denum is RSA_LEN and tmp is RSA_LEN + limb_sz
	{
	uint32_t bitsh = 32, limbsh = RSA_LIMBS - 1;
	int64_t t;
	int32_t i;

	//initially set it up left shifted as far as possible
	memcpy(tmp + 1, denum, RSA_BYTES);
	tmp[0] = 0;
	bitsh = 32;

	while (!(tmp[RSA_LIMBS] & 0x80000000)) {
	for (i = RSA_LIMBS; i > 0; i--) {
	tmp[i] <<= 1;
	if (tmp[i - 1] & 0x80000000)
	tmp[i]++;
	}
	//no need to adjust tmp[0] as it is still zero
	bitsh++;
	}

	while (1) {

	//check if we should subtract (uses less space than subtracting and unroling it later)
	for (i = RSA_LIMBS; i >= 0; i--) {
	if (num[limbsh + i] < tmp[i])
	goto dont_subtract;
	if (num[limbsh + i] > tmp[i])
	break;
	}

	//subtract
	t = 0;
	for (i = 0; i <= RSA_LIMBS; i++) {
	t += (uint64_t)num[limbsh + i];
	t -= (uint64_t)tmp[i];
	num[limbsh + i] = t;
	t >>= 32;
	}

	//carry the subtraction's carry to the end
	for (i = RSA_LIMBS + limbsh + 1; i < RSA_LIMBS * 2; i++) {
	t += (uint64_t)num[i];
	num[i] = t;
	t >>= 32;
	}

	dont_subtract:
	//handle bitshifts/refills
	if (!bitsh) { // tmp = denum << 32
	if (!limbsh)
	break;

	memcpy(tmp + 1, denum, RSA_BYTES);
	tmp[0] = 0;
	bitsh = 32;
	limbsh--;
	}
	else { // tmp >>= 1
	for (i = 0; i < RSA_LIMBS; i++) {
	tmp[i] >>= 1;
	if (tmp[i + 1] & 1)
	tmp[i] += 0x80000000;
	}
	tmp[i] >>= 1;
	bitsh--;
	}
	}
	}

	static void biMul(uint32_t ret, const uint32_t a, const uint32_t b) //ret = a b
	{
	uint32_t i, j, c;
	uint64_t r;

	//zero the result
	memset(ret, 0, RSA_BYTES * 2);

	for (i = 0; i < RSA_LIMBS; i++) {

	//produce a partial sum & add it in
	c = 0;
	for (j = 0; j < RSA_LIMBS; j++) {
	r = (uint64_t)a[i] * b[j] + c + ret[i + j];
	ret[i + j] = r;
	c = r >> 32;
	}

	//carry the carry to the end
	for (j = i + RSA_LIMBS; j < RSA_LIMBS * 2; j++) {
	r = (uint64_t)ret[j] + c;
	ret[j] = r;
	c = r >> 32;
	}
	}
	}

	const uint32_t* rsaPubOp(struct RsaState* state, const uint32_t a, const uint32_t c)
	{
	uint32_t i;

	//calculate a ^ 65536 mod c into state->tmpB
	memcpy(state->tmpB, a, RSA_BYTES);
	for (i = 0; i < 16; i++) {
	biMul(state->tmpA, state->tmpB, state->tmpB);
	biMod(state->tmpA, c, state->tmpB);
	memcpy(state->tmpB, state->tmpA, RSA_BYTES);
	}

	//calculate a ^ 65537 mod c into state->tmpA [ at this point this means do state->tmpA = (state->tmpB * a) % c ]
	biMul(state->tmpA, state->tmpB, a);
	biMod(state->tmpA, c, state->tmpB);

	//return result
	return state->tmpA;
	}

	#if defined(RSA_SUPPORT_PRIV_OP_LOWRAM) \|\| defined (RSA_SUPPORT_PRIV_OP_BIGRAM)
	const uint32_t* rsaPrivOp(struct RsaState* state, const uint32_t a, const uint32_t b, const uint32_t *c)
	{
	uint32_t i;

	memcpy(state->tmpC, a, RSA_BYTES); //tC will hold our powers of a

	memset(state->tmpA, 0, RSA_BYTES * 2); //tA will hold result
	state->tmpA[0] = 1;

	for (i = 0; i < RSA_LEN; i++) {
	//if the bit is set, multiply the current power of A into result
	if (b[i / 32] & (1 << (i % 32))) {
	memcpy(state->tmpB, state->tmpA, RSA_BYTES);
	biMul(state->tmpA, state->tmpB, state->tmpC);
	biMod(state->tmpA, c, state->tmpB);
	}

	//calculate the next power of a and modulus it
	#if defined(RSA_SUPPORT_PRIV_OP_LOWRAM)
	memcpy(state->tmpB, state->tmpA, RSA_BYTES); //save tA
	biMul(state->tmpA, state->tmpC, state->tmpC);
	biMod(state->tmpA, c, state->tmpC);
	memcpy(state->tmpC, state->tmpA, RSA_BYTES);
	memcpy(state->tmpA, state->tmpB, RSA_BYTES); //restore tA
	#elif defined (RSA_SUPPORT_PRIV_OP_BIGRAM)
	memcpy(state->tmpB, state->tmpC, RSA_BYTES);
	biMul(state->tmpC, state->tmpB, state->tmpB);
	biMod(state->tmpC, c, state->tmpB);
	#endif
	}

	return state->tmpA;
	}
	#endif