Crypt-Bear


src/rsa/rsa_i15_pubexp.c  view on Meta::CPAN

		return 0;
	}

	/*
	 * Decode p and compute (p-1)/2.
	 */
	p = tmp;
	br_i15_decode(p, pbuf, plen);
	len = (p[0] + 31) >> 4;
	br_i15_rshift(p, 1);

	/*
	 * Decode dp and make sure its announced bit length matches that of
	 * p (we already know that the size of dp, in bits, does not exceed
	 * the size of p, so we just have to copy the header word).
	 */
	dp = p + len;
	memset(dp, 0, len * sizeof *dp);
	br_i15_decode(dp, dpbuf, dplen);
	dp[0] = p[0];

	/*
	 * Subtract (p-1)/2 from dp if necessary.
	 */
	br_i15_sub(dp, p, NOT(br_i15_sub(dp, p, 0)));

	/*
	 * If another subtraction is needed, then this means that the
	 * value was invalid. We don't care to leak information about
	 * invalid keys.
	 */
	if (br_i15_sub(dp, p, 0) == 0) {
		return 0;
	}

	/*
	 * Invert dp modulo (p-1)/2. If the inversion fails, then the
	 * key value was invalid.
	 */
	x = dp + len;
	br_i15_zero(x, p[0]);
	x[1] = 1;
	if (br_i15_moddiv(x, dp, p, br_i15_ninv15(p[1]), x + len) == 0) {
		return 0;
	}

	/*
	 * We now have an inverse. We must set it to zero (error) if its
	 * length is greater than 32 bits and/or if it is an even integer.
	 * Take care that the bit_length function returns an encoded
	 * bit length.
	 */
	e = (uint32_t)x[1] | ((uint32_t)x[2] << 15) | ((uint32_t)x[3] << 30);
	e &= -LT(br_i15_bit_length(x + 1, len - 1), 35);
	e &= -(e & 1);
	return e;
}

/* see bearssl_rsa.h */
uint32_t
br_rsa_i15_compute_pubexp(const br_rsa_private_key *sk)
{
	/*
	 * Each CRT half of the private key (p with dp, q with dq) yields
	 * its own candidate for the public exponent. get_pubexp() reports
	 * 0 when it rejects its inputs, so a 0 candidate means that half
	 * was unusable.
	 */
	uint32_t from_p = get_pubexp(sk->p, sk->plen, sk->dp, sk->dplen);
	uint32_t from_q = get_pubexp(sk->q, sk->qlen, sk->dq, sk->dqlen);

	/*
	 * EQ() is expected to yield 1 when the candidates match and 0
	 * otherwise; negating it gives an all-ones or all-zero mask.
	 */
	uint32_t same = EQ(from_p, from_q);

	/*
	 * The candidate is kept only if both halves agree. The selection
	 * is done with the mask, not with a branch, so the result is 0
	 * for a mismatch and also when both halves failed (0 == 0).
	 * Callers must treat a 0 return as "no valid public exponent".
	 */
	return from_p & -same;
}


