rsa.c 4.26 KB
Newer Older
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
/* rsa.c
 *
 * The RSA publickey algorithm.
 */

/* nettle, low-level cryptographics library
 *
 * Copyright (C) 2001 Niels Mller
 *  
 * The nettle library is free software; you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation; either version 2.1 of the License, or (at your
 * option) any later version.
 * 
 * The nettle library is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public
 * License for more details.
 * 
 * You should have received a copy of the GNU Lesser General Public License
 * along with the nettle library; see the file COPYING.LIB.  If not, write to
 * the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
 * MA 02111-1307, USA.
 */

#if HAVE_CONFIG_H
#include "config.h"
#endif

#if HAVE_LIBGMP

#include "rsa.h"

#include "bignum.h"

/* FIXME: Perhaps we should split this into several functions, so that
 * one can link in the signature functions without also getting the
 * verify functions. */

40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
void
rsa_init_public_key(struct rsa_public_key *key)
{
  mpz_init(key->n);
  mpz_init(key->e);

  /* Not really necessary, but it seems cleaner to initialize all the
   * storage. */
  key->size = 0;
}

void
rsa_clear_public_key(struct rsa_public_key *key)
{
  mpz_clear(key->n);
  mpz_clear(key->e);
}

58
int
59
rsa_prepare_public_key(struct rsa_public_key *key)
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
{
  unsigned size = (mpz_sizeinbase(key->n, 2) + 7) / 8;

  /* For PKCS#1 to make sense, the size of the modulo, in octets, must
   * be at least 11 + the length of the DER-encoded Digest Info.
   *
   * And a DigestInfo is 34 octets for md5, and 35 octets for sha1.
   * 46 octets is 368 bits. */
  
  if (size < 46)
    {
      /* Make sure the signing and verification functions doesn't
       * try to use this key. */
      key->size = 0;

      return 0;
    }
  else
    {
      key->size = size;
      return 1;
    }
}

84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
void
rsa_init_private_key(struct rsa_private_key *key)
{
  rsa_init_public_key(&key->pub);

  mpz_init(key->d);
  mpz_init(key->p);
  mpz_init(key->q);
  mpz_init(key->a);
  mpz_init(key->b);
  mpz_init(key->c);
}

void
rsa_clear_private_key(struct rsa_private_key *key)
{
  rsa_clear_public_key(&key->pub);

  mpz_clear(key->d);
  mpz_clear(key->p);
  mpz_clear(key->q);
  mpz_clear(key->a);
  mpz_clear(key->b);
  mpz_clear(key->c);
}

110
int
111
rsa_prepare_private_key(struct rsa_private_key *key)
112
{
113
  return rsa_prepare_public_key(&key->pub);
114
115
}

116

117
118
119
120
#ifndef RSA_CRT
#define RSA_CRT 1
#endif

121
/* Computing an rsa root.
122
 *
123
124
 * NOTE: We don't really need n not e, so we could drop the public
 * key info from struct rsa_private_key. */
125
126

void
127
rsa_compute_root(struct rsa_private_key *key, mpz_t x, const mpz_t m)
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
{
#if RSA_CRT
  {
    mpz_t xp; /* modulo p */
    mpz_t xq; /* modulo q */

    mpz_init(xp); mpz_init(xq);    

    /* Compute xq = m^d % q = (m%q)^b % q */
    mpz_fdiv_r(xq, m, key->q);
    mpz_powm(xq, xq, key->b, key->q);

    /* Compute xp = m^d % p = (m%p)^a % p */
    mpz_fdiv_r(xp, m, key->p);
    mpz_powm(xp, xp, key->a, key->p);

    /* Set xp' = (xp - xq) c % p. */
    mpz_sub(xp, xp, xq);
    mpz_mul(xp, xp, key->c);
    mpz_fdiv_r(xp, xp, key->p);

    /* Finally, compute x = xq + q xp'
     *
     * To prove that this works, note that
     *
     *   xp  = x + i p,
     *   xq  = x + j q,
     *   c q = 1 + k p
     *
     * for some integers i, j and k. Now, for some integer l,
     *
     *   xp' = (xp - xq) c + l p
     *       = (x + i p - (x + j q)) c + l p
     *       = (i p - j q) c + l p
     *       = (i c + l) p - j (c q)
     *       = (i c + l) p - j (1 + kp)
     *       = (i c + l - j k) p - j
     *
     * which shows that xp' = -j (mod p). We get
     *
     *   xq + q xp' = x + j q + (i c + l - j k) p q - j q
     *              = x + (i c + l - j k) p q
     *
     * so that
     *
     *   xq + q xp' = x (mod pq)
     *
     * We also get 0 <= xq + q xp' < p q, because
     *
     *   0 <= xq < q and 0 <= xp' < p.
     */
    mpz_mul(x, key->q, xp);
    mpz_add(x, x, xq);

    mpz_clear(xp); mpz_clear(xq);
  }  
#else /* !RSA_CRT */
  mpz_powm(x, m, key->d, key->pub->n);
#endif /* !RSA_CRT */
}

#endif /* HAVE_LIBGMP */