File Coverage

src/rsa/rsa_i31_keygen_inner.c

Criterion	Covered	Total	%
statement	185	215	86.0
branch	53	90	58.8
condition			n/a
subroutine			n/a
pod			n/a
total	238	305	78.0

line	stmt	bran	code
1			/*
2			* Copyright (c) 2018 Thomas Pornin
3			*
4			* Permission is hereby granted, free of charge, to any person obtaining
5			* a copy of this software and associated documentation files (the
6			* "Software"), to deal in the Software without restriction, including
7			* without limitation the rights to use, copy, modify, merge, publish,
8			* distribute, sublicense, and/or sell copies of the Software, and to
9			* permit persons to whom the Software is furnished to do so, subject to
10			* the following conditions:
11			*
12			* The above copyright notice and this permission notice shall be
13			* included in all copies or substantial portions of the Software.
14			*
15			* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
16			* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
17			* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
18			* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
19			* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
20			* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
21			* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
22			* SOFTWARE.
23			*/
24
25			#include "inner.h"
26
27			/*
28			* Make a random integer of the provided size. The size is encoded.
29			* The header word is untouched.
30			*/
31			static void
32	594		mkrand(const br_prng_class *rng, uint32_t x, uint32_t esize)
33			{
34			size_t u, len;
35			unsigned m;
36
37	594		len = (esize + 31) >> 5;
38	594		(rng)->generate(rng, x + 1, len sizeof(uint32_t));
39	10098	100	for (u = 1; u < len; u ++) {
40	9504		x[u] &= 0x7FFFFFFF;
41			}
42	594		m = esize & 31;
43	594	50	if (m == 0) {
44	0		x[len] &= 0x7FFFFFFF;
45			} else {
46	594		x[len] &= 0x7FFFFFFF >> (31 - m);
47			}
48	594		}
49
50			/*
51			* This is the big-endian unsigned representation of the product of
52			* all small primes from 13 to 1481.
53			*/
54			static const unsigned char SMALL_PRIMES[] = {
55			0x2E, 0xAB, 0x92, 0xD1, 0x8B, 0x12, 0x47, 0x31, 0x54, 0x0A,
56			0x99, 0x5D, 0x25, 0x5E, 0xE2, 0x14, 0x96, 0x29, 0x1E, 0xB7,
57			0x78, 0x70, 0xCC, 0x1F, 0xA5, 0xAB, 0x8D, 0x72, 0x11, 0x37,
58			0xFB, 0xD8, 0x1E, 0x3F, 0x5B, 0x34, 0x30, 0x17, 0x8B, 0xE5,
59			0x26, 0x28, 0x23, 0xA1, 0x8A, 0xA4, 0x29, 0xEA, 0xFD, 0x9E,
60			0x39, 0x60, 0x8A, 0xF3, 0xB5, 0xA6, 0xEB, 0x3F, 0x02, 0xB6,
61			0x16, 0xC3, 0x96, 0x9D, 0x38, 0xB0, 0x7D, 0x82, 0x87, 0x0C,
62			0xF7, 0xBE, 0x24, 0xE5, 0x5F, 0x41, 0x04, 0x79, 0x76, 0x40,
63			0xE7, 0x00, 0x22, 0x7E, 0xB5, 0x85, 0x7F, 0x8D, 0x01, 0x50,
64			0xE9, 0xD3, 0x29, 0x42, 0x08, 0xB3, 0x51, 0x40, 0x7B, 0xD7,
65			0x8D, 0xCC, 0x10, 0x01, 0x64, 0x59, 0x28, 0xB6, 0x53, 0xF3,
66			0x50, 0x4E, 0xB1, 0xF2, 0x58, 0xCD, 0x6E, 0xF5, 0x56, 0x3E,
67			0x66, 0x2F, 0xD7, 0x07, 0x7F, 0x52, 0x4C, 0x13, 0x24, 0xDC,
68			0x8E, 0x8D, 0xCC, 0xED, 0x77, 0xC4, 0x21, 0xD2, 0xFD, 0x08,
69			0xEA, 0xD7, 0xC0, 0x5C, 0x13, 0x82, 0x81, 0x31, 0x2F, 0x2B,
70			0x08, 0xE4, 0x80, 0x04, 0x7A, 0x0C, 0x8A, 0x3C, 0xDC, 0x22,
71			0xE4, 0x5A, 0x7A, 0xB0, 0x12, 0x5E, 0x4A, 0x76, 0x94, 0x77,
72			0xC2, 0x0E, 0x92, 0xBA, 0x8A, 0xA0, 0x1F, 0x14, 0x51, 0x1E,
73			0x66, 0x6C, 0x38, 0x03, 0x6C, 0xC7, 0x4A, 0x4B, 0x70, 0x80,
74			0xAF, 0xCA, 0x84, 0x51, 0xD8, 0xD2, 0x26, 0x49, 0xF5, 0xA8,
75			0x5E, 0x35, 0x4B, 0xAC, 0xCE, 0x29, 0x92, 0x33, 0xB7, 0xA2,
76			0x69, 0x7D, 0x0C, 0xE0, 0x9C, 0xDB, 0x04, 0xD6, 0xB4, 0xBC,
77			0x39, 0xD7, 0x7F, 0x9E, 0x9D, 0x78, 0x38, 0x7F, 0x51, 0x54,
78			0x50, 0x8B, 0x9E, 0x9C, 0x03, 0x6C, 0xF5, 0x9D, 0x2C, 0x74,
79			0x57, 0xF0, 0x27, 0x2A, 0xC3, 0x47, 0xCA, 0xB9, 0xD7, 0x5C,
80			0xFF, 0xC2, 0xAC, 0x65, 0x4E, 0xBD
81			};
82
83			/*
84			* We need temporary values for at least 7 integers of the same size
85			* as a factor (including header word); more space helps with performance
86			* (in modular exponentiations), but we much prefer to remain under
87			* 2 kilobytes in total, to save stack space. The macro TEMPS below
88			* exceeds 512 (which is a count in 32-bit words) when BR_MAX_RSA_SIZE
89			* is greater than 4464 (default value is 4096, so the 2-kB limit is
90			* maintained unless BR_MAX_RSA_SIZE was modified).
91			*/
92			#define MAX(x, y) ((x) > (y) ? (x) : (y))
93			#define ROUND2(x) ((((x) + 1) >> 1) << 1)
94
95			#define TEMPS MAX(512, ROUND2(7 * ((((BR_MAX_RSA_SIZE + 1) >> 1) + 61) / 31)))
96
97			/*
98			* Perform trial division on a candidate prime. This computes
99			* y = SMALL_PRIMES mod x, then tries to compute y/y mod x. The
100			* br_i31_moddiv() function will report an error if y is not invertible
101			* modulo x. Returned value is 1 on success (none of the small primes
102			* divides x), 0 on error (a non-trivial GCD is obtained).
103			*
104			* This function assumes that x is odd.
105			*/
106			static uint32_t
107	115		trial_divisions(const uint32_t x, uint32_t t)
108			{
109			uint32_t *y;
110			uint32_t x0i;
111
112	115		y = t;
113	115		t += 1 + ((x[0] + 31) >> 5);
114	115		x0i = br_i31_ninv31(x[1]);
115	115		br_i31_decode_reduce(y, SMALL_PRIMES, sizeof SMALL_PRIMES, x);
116	115		return br_i31_moddiv(y, y, x, x0i, t);
117			}
118
119			/*
120			* Perform n rounds of Miller-Rabin on the candidate prime x. This
121			* function assumes that x = 3 mod 4.
122			*
123			* Returned value is 1 on success (all rounds completed successfully),
124			* 0 otherwise.
125			*/
126			static uint32_t
127	39		miller_rabin(const br_prng_class *rng, const uint32_t x, int n,
128			uint32_t *t, size_t tlen, br_i31_modpow_opt_type mp31)
129			{
130			/*
131			* Since x = 3 mod 4, the Miller-Rabin test is simple:
132			* - get a random base a (such that 1 < a < x-1)
133			* - compute z = a^((x-1)/2) mod x
134			* - if z != 1 and z != x-1, the number x is composite
135			*
136			* We generate bases 'a' randomly with a size which is
137			* one bit less than x, which ensures that a < x-1. It
138			* is not useful to verify that a > 1 because the probability
139			* that we get a value a equal to 0 or 1 is much smaller
140			* than the probability of our Miller-Rabin tests not to
141			* detect a composite, which is already quite smaller than the
142			* probability of the hardware misbehaving and return a
143			* composite integer because of some glitch (e.g. bad RAM
144			* or ill-timed cosmic ray).
145			*/
146			unsigned char *xm1d2;
147			size_t xlen, xm1d2_len, xm1d2_len_u32, u;
148			uint32_t asize;
149			unsigned cc;
150			uint32_t x0i;
151
152			/*
153			* Compute (x-1)/2 (encoded).
154			*/
155	39		xm1d2 = (unsigned char *)t;
156	39		xm1d2_len = ((x[0] - (x[0] >> 5)) + 7) >> 3;
157	39		br_i31_encode(xm1d2, xm1d2_len, x);
158	39		cc = 0;
159	2535	100	for (u = 0; u < xm1d2_len; u ++) {
160			unsigned w;
161
162	2496		w = xm1d2[u];
163	2496		xm1d2[u] = (unsigned char)((w >> 1) \| cc);
164	2496		cc = w << 7;
165			}
166
167			/*
168			* We used some words of the provided buffer for (x-1)/2.
169			*/
170	39		xm1d2_len_u32 = (xm1d2_len + 3) >> 2;
171	39		t += xm1d2_len_u32;
172	39		tlen -= xm1d2_len_u32;
173
174	39		xlen = (x[0] + 31) >> 5;
175	39		asize = x[0] - 1 - EQ0(x[0] & 31);
176	39		x0i = br_i31_ninv31(x[1]);
177	51	100	while (n -- > 0) {
178			uint32_t a, t2;
179			uint32_t eq1, eqm1;
180			size_t t2len;
181
182			/*
183			* Generate a random base. We don't need the base to be
184			* really uniform modulo x, so we just get a random
185			* number which is one bit shorter than x.
186			*/
187	49		a = t;
188	49		a[0] = x[0];
189	49		a[xlen] = 0;
190	49		mkrand(rng, a, asize);
191
192			/*
193			* Compute a^((x-1)/2) mod x. We assume here that the
194			* function will not fail (the temporary array is large
195			* enough).
196			*/
197	49		t2 = t + 1 + xlen;
198	49		t2len = tlen - 1 - xlen;
199	49	50	if ((t2len & 1) != 0) {
200			/*
201			* Since the source array is 64-bit aligned and
202			* has an even number of elements (TEMPS), we
203			* can use the parity of the remaining length to
204			* detect and adjust alignment.
205			*/
206	0		t2 ++;
207	0		t2len --;
208			}
209	49		mp31(a, xm1d2, xm1d2_len, x, x0i, t2, t2len);
210
211			/*
212			* We must obtain either 1 or x-1. Note that x is odd,
213			* hence x-1 differs from x only in its low word (no
214			* carry).
215			*/
216	49		eq1 = a[1] ^ 1;
217	49		eqm1 = a[1] ^ (x[1] - 1);
218	833	100	for (u = 2; u <= xlen; u ++) {
219	784		eq1 \|= a[u];
220	784		eqm1 \|= a[u] ^ x[u];
221			}
222
223	49	100	if ((EQ0(eq1) \| EQ0(eqm1)) == 0) {
224	37		return 0;
225			}
226			}
227	2		return 1;
228			}
229
230			/*
231			* Create a random prime of the provided size. 'size' is the _encoded_
232			* bit length. The two top bits and the two bottom bits are set to 1.
233			*/
234			static void
235	2		mkprime(const br_prng_class *rng, uint32_t x, uint32_t esize,
236			uint32_t pubexp, uint32_t *t, size_t tlen, br_i31_modpow_opt_type mp31)
237			{
238			size_t len;
239
240	2		x[0] = esize;
241	2		len = (esize + 31) >> 5;
242	543		for (;;) {
243			size_t u;
244			uint32_t m3, m5, m7, m11;
245			int rounds, s7, s11;
246
247			/*
248			* Generate random bits. We force the two top bits and the
249			* two bottom bits to 1.
250			*/
251	545		mkrand(rng, x, esize);
252	545	50	if ((esize & 31) == 0) {
253	0		x[len] \|= 0x60000000;
254	545	50	} else if ((esize & 31) == 1) {
255	0		x[len] \|= 0x00000001;
256	0		x[len - 1] \|= 0x40000000;
257			} else {
258	545		x[len] \|= 0x00000003 << ((esize & 31) - 2);
259			}
260	545		x[1] \|= 0x00000003;
261
262			/*
263			* Trial division with low primes (3, 5, 7 and 11). We
264			* use the following properties:
265			*
266			* 2^2 = 1 mod 3
267			* 2^4 = 1 mod 5
268			* 2^3 = 1 mod 7
269			* 2^10 = 1 mod 11
270			*/
271	545		m3 = 0;
272	545		m5 = 0;
273	545		m7 = 0;
274	545		m11 = 0;
275	545		s7 = 0;
276	545		s11 = 0;
277	9810	100	for (u = 0; u < len; u ++) {
278			uint32_t w, w3, w5, w7, w11;
279
280	9265		w = x[1 + u];
281	9265		w3 = (w & 0xFFFF) + (w >> 16); /* max: 98302 */
282	9265		w5 = (w & 0xFFFF) + (w >> 16); /* max: 98302 */
283	9265		w7 = (w & 0x7FFF) + (w >> 15); /* max: 98302 */
284	9265		w11 = (w & 0xFFFFF) + (w >> 20); /* max: 1050622 */
285
286	9265		m3 += w3 << (u & 1);
287	9265		m3 = (m3 & 0xFF) + (m3 >> 8); /* max: 1025 */
288
289	9265		m5 += w5 << ((4 - u) & 3);
290	9265		m5 = (m5 & 0xFFF) + (m5 >> 12); /* max: 4479 */
291
292	9265		m7 += w7 << s7;
293	9265		m7 = (m7 & 0x1FF) + (m7 >> 9); /* max: 1280 */
294	9265	100	if (++ s7 == 3) {
295	2725		s7 = 0;
296			}
297
298	9265		m11 += w11 << s11;
299	9265	100	if (++ s11 == 10) {
300	545		s11 = 0;
301			}
302	9265		m11 = (m11 & 0x3FF) + (m11 >> 10); /* max: 526847 */
303			}
304
305	545		m3 = (m3 & 0x3F) + (m3 >> 6); /* max: 78 */
306	545		m3 = (m3 & 0x0F) + (m3 >> 4); /* max: 18 */
307	545		m3 = ((m3 * 43) >> 5) & 3;
308
309	545		m5 = (m5 & 0xFF) + (m5 >> 8); /* max: 271 */
310	545		m5 = (m5 & 0x0F) + (m5 >> 4); /* max: 31 */
311	545		m5 -= 20 & -GT(m5, 19);
312	545		m5 -= 10 & -GT(m5, 9);
313	545		m5 -= 5 & -GT(m5, 4);
314
315	545		m7 = (m7 & 0x3F) + (m7 >> 6); /* max: 82 */
316	545		m7 = (m7 & 0x07) + (m7 >> 3); /* max: 16 */
317	545		m7 = ((m7 * 147) >> 7) & 7;
318
319			/*
320			* 2^5 = 32 = -1 mod 11.
321			*/
322	545		m11 = (m11 & 0x3FF) + (m11 >> 10); /* max: 1536 */
323	545		m11 = (m11 & 0x3FF) + (m11 >> 10); /* max: 1023 */
324	545		m11 = (m11 & 0x1F) + 33 - (m11 >> 5); /* max: 64 */
325	545		m11 -= 44 & -GT(m11, 43);
326	545		m11 -= 22 & -GT(m11, 21);
327	545		m11 -= 11 & -GT(m11, 10);
328
329			/*
330			* If any of these modulo is 0, then the candidate is
331			* not prime. Also, if pubexp is 3, 5, 7 or 11, and the
332			* corresponding modulus is 1, then the candidate must
333			* be rejected, because we need e to be invertible
334			* modulo p-1. We can use simple comparisons here
335			* because they won't leak information on a candidate
336			* that we keep, only on one that we reject (and is thus
337			* not secret).
338			*/
339	545	100	if (m3 == 0 \|\| m5 == 0 \|\| m7 == 0 \|\| m11 == 0) {
		100
		100
		100
340	318		continue;
341			}
342	227	50	if ((pubexp == 3 && m3 == 1)
		100
343	115	50	\|\| (pubexp == 5 && m5 == 1)
		0
344	115	50	\|\| (pubexp == 7 && m7 == 1)
		0
345	115	50	\|\| (pubexp == 11 && m11 == 1))
		0
346			{
347	112		continue;
348			}
349
350			/*
351			* More trial divisions.
352			*/
353	115	100	if (!trial_divisions(x, t)) {
354	76		continue;
355			}
356
357			/*
358			* Miller-Rabin algorithm. Since we selected a random
359			* integer, not a maliciously crafted integer, we can use
360			* relatively few rounds to lower the risk of a false
361			* positive (i.e. declaring prime a non-prime) under
362			* 2^(-80). It is not useful to lower the probability much
363			* below that, since that would be substantially below
364			* the probability of the hardware misbehaving. Sufficient
365			* numbers of rounds are extracted from the Handbook of
366			* Applied Cryptography, note 4.49 (page 149).
367			*
368			* Since we work on the encoded size (esize), we need to
369			* compare with encoded thresholds.
370			*/
371	39	50	if (esize < 309) {
372	0		rounds = 12;
373	39	50	} else if (esize < 464) {
374	0		rounds = 9;
375	39	50	} else if (esize < 670) {
376	39		rounds = 6;
377	0	0	} else if (esize < 877) {
378	0		rounds = 4;
379	0	0	} else if (esize < 1341) {
380	0		rounds = 3;
381			} else {
382	0		rounds = 2;
383			}
384
385	39	100	if (miller_rabin(rng, x, rounds, t, tlen, mp31)) {
386	2		return;
387			}
388			}
389			}
390
391			/*
392			* Let p be a prime (p > 2^33, p = 3 mod 4). Let m = (p-1)/2, provided
393			* as parameter (with announced bit length equal to that of p). This
394			* function computes d = 1/e mod p-1 (for an odd integer e). Returned
395			* value is 1 on success, 0 on error (an error is reported if e is not
396			* invertible modulo p-1).
397			*
398			* The temporary buffer (t) must have room for at least 4 integers of
399			* the size of p.
400			*/
401			static uint32_t
402	2		invert_pubexp(uint32_t d, const uint32_t m, uint32_t e, uint32_t *t)
403			{
404			uint32_t *f;
405			uint32_t r;
406
407	2		f = t;
408	2		t += 1 + ((m[0] + 31) >> 5);
409
410			/*
411			* Compute d = 1/e mod m. Since p = 3 mod 4, m is odd.
412			*/
413	2		br_i31_zero(d, m[0]);
414	2		d[1] = 1;
415	2		br_i31_zero(f, m[0]);
416	2		f[1] = e & 0x7FFFFFFF;
417	2		f[2] = e >> 31;
418	2		r = br_i31_moddiv(d, f, m, br_i31_ninv31(m[1]), t);
419
420			/*
421			* We really want d = 1/e mod p-1, with p = 2m. By the CRT,
422			* the result is either the d we got, or d + m.
423			*
424			* Let's write ed = 1 + km, for some integer k. Integers e
425			* and m are odd. If d is odd, then e*d is odd, which implies
426			* that k must be even; in that case, ed = 1 + (k/2)2m, and
427			* thus d is already fine. Conversely, if d is even, then k
428			* is odd, and we must add m to d in order to get the correct
429			* result.
430			*/
431	2		br_i31_add(d, m, (uint32_t)(1 - (d[1] & 1)));
432
433	2		return r;
434			}
435
436			/*
437			* Swap two buffers in RAM. They must be disjoint.
438			*/
439			static void
440	0		bufswap(void b1, void b2, size_t len)
441			{
442			size_t u;
443			unsigned char buf1, buf2;
444
445	0		buf1 = b1;
446	0		buf2 = b2;
447	0	0	for (u = 0; u < len; u ++) {
448			unsigned w;
449
450	0		w = buf1[u];
451	0		buf1[u] = buf2[u];
452	0		buf2[u] = w;
453			}
454	0		}
455
456			/* see inner.h */
457			uint32_t
458	1		br_rsa_i31_keygen_inner(const br_prng_class **rng,
459			br_rsa_private_key sk, void kbuf_priv,
460			br_rsa_public_key pk, void kbuf_pub,
461			unsigned size, uint32_t pubexp, br_i31_modpow_opt_type mp31)
462			{
463			uint32_t esize_p, esize_q;
464			size_t plen, qlen, tlen;
465			uint32_t p, q, *t;
466			union {
467			uint32_t t32[TEMPS];
468			uint64_t t64[TEMPS >> 1]; /* for 64-bit alignment */
469			} tmp;
470			uint32_t r;
471
472	1	50	if (size < BR_MIN_RSA_SIZE \|\| size > BR_MAX_RSA_SIZE) {
		50
473	0		return 0;
474			}
475	1	50	if (pubexp == 0) {
476	1		pubexp = 3;
477	0	0	} else if (pubexp == 1 \|\| (pubexp & 1) == 0) {
		0
478	0		return 0;
479			}
480
481	1		esize_p = (size + 1) >> 1;
482	1		esize_q = size - esize_p;
483	1		sk->n_bitlen = size;
484	1		sk->p = kbuf_priv;
485	1		sk->plen = (esize_p + 7) >> 3;
486	1		sk->q = sk->p + sk->plen;
487	1		sk->qlen = (esize_q + 7) >> 3;
488	1		sk->dp = sk->q + sk->qlen;
489	1		sk->dplen = sk->plen;
490	1		sk->dq = sk->dp + sk->dplen;
491	1		sk->dqlen = sk->qlen;
492	1		sk->iq = sk->dq + sk->dqlen;
493	1		sk->iqlen = sk->plen;
494
495	1	50	if (pk != NULL) {
496	1		pk->n = kbuf_pub;
497	1		pk->nlen = (size + 7) >> 3;
498	1		pk->e = pk->n + pk->nlen;
499	1		pk->elen = 4;
500	1		br_enc32be(pk->e, pubexp);
501	4	100	while (*pk->e == 0) {
502	3		pk->e ++;
503	3		pk->elen --;
504			}
505			}
506
507			/*
508			* We now switch to encoded sizes.
509			*
510			* floor((x * 16913) / (2^19)) is equal to floor(x/31) for all
511			* integers x from 0 to 34966; the intermediate product fits on
512			* 30 bits, thus we can use MUL31().
513			*/
514	1		esize_p += MUL31(esize_p, 16913) >> 19;
515	1		esize_q += MUL31(esize_q, 16913) >> 19;
516	1		plen = (esize_p + 31) >> 5;
517	1		qlen = (esize_q + 31) >> 5;
518	1		p = tmp.t32;
519	1		q = p + 1 + plen;
520	1		t = q + 1 + qlen;
521	1		tlen = ((sizeof tmp.t32) / sizeof(uint32_t)) - (2 + plen + qlen);
522
523			/*
524			* When looking for primes p and q, we temporarily divide
525			* candidates by 2, in order to compute the inverse of the
526			* public exponent.
527			*/
528
529			for (;;) {
530	1		mkprime(rng, p, esize_p, pubexp, t, tlen, mp31);
531	1		br_i31_rshift(p, 1);
532	1	50	if (invert_pubexp(t, p, pubexp, t + 1 + plen)) {
533	1		br_i31_add(p, p, 1);
534	1		p[1] \|= 1;
535	1		br_i31_encode(sk->p, sk->plen, p);
536	1		br_i31_encode(sk->dp, sk->dplen, t);
537	1		break;
538			}
539			}
540
541			for (;;) {
542	1		mkprime(rng, q, esize_q, pubexp, t, tlen, mp31);
543	1		br_i31_rshift(q, 1);
544	1	50	if (invert_pubexp(t, q, pubexp, t + 1 + qlen)) {
545	1		br_i31_add(q, q, 1);
546	1		q[1] \|= 1;
547	1		br_i31_encode(sk->q, sk->qlen, q);
548	1		br_i31_encode(sk->dq, sk->dqlen, t);
549	1		break;
550			}
551			}
552
553			/*
554			* If p and q have the same size, then it is possible that q > p
555			* (when the target modulus size is odd, we generate p with a
556			* greater bit length than q). If q > p, we want to swap p and q
557			* (and also dp and dq) for two reasons:
558			* - The final step below (inversion of q modulo p) is easier if
559			* p > q.
560			* - While BearSSL's RSA code is perfectly happy with RSA keys such
561			* that p < q, some other implementations have restrictions and
562			* require p > q.
563			*
564			* Note that we can do a simple non-constant-time swap here,
565			* because the only information we leak here is that we insist on
566			* returning p and q such that p > q, which is not a secret.
567			*/
568	1	50	if (esize_p == esize_q && br_i31_sub(p, q, 0) == 1) {
		50
569	0		bufswap(p, q, (1 + plen) * sizeof *p);
570	0		bufswap(sk->p, sk->q, sk->plen);
571	0		bufswap(sk->dp, sk->dq, sk->dplen);
572			}
573
574			/*
575			* We have produced p, q, dp and dq. We can now compute iq = 1/d mod p.
576			*
577			* We ensured that p >= q, so this is just a matter of updating the
578			* header word for q (and possibly adding an extra word).
579			*
580			* Theoretically, the call below may fail, in case we were
581			* extraordinarily unlucky, and p = q. Another failure case is if
582			* Miller-Rabin failed us _twice_, and p and q are non-prime and
583			* have a factor is common. We report the error mostly because it
584			* is cheap and we can, but in practice this never happens (or, at
585			* least, it happens way less often than hardware glitches).
586			*/
587	1		q[0] = p[0];
588	1	50	if (plen > qlen) {
589	0		q[plen] = 0;
590	0		t ++;
591	0		tlen --;
592			}
593	1		br_i31_zero(t, p[0]);
594	1		t[1] = 1;
595	1		r = br_i31_moddiv(t, q, p, br_i31_ninv31(p[1]), t + 1 + plen);
596	1		br_i31_encode(sk->iq, sk->iqlen, t);
597
598			/*
599			* Compute the public modulus too, if required.
600			*/
601	1	50	if (pk != NULL) {
602	1		br_i31_zero(t, p[0]);
603	1		br_i31_mulacc(t, p, q);
604	1		br_i31_encode(pk->n, pk->nlen, t);
605			}
606
607	1		return r;
608			}