Commit 17c7e236 authored by Niels Möller's avatar Niels Möller

(rsa_check_size): New function, for computing and checking

the size of the modulo in octets.
(rsa_prepare_public_key): Usa rsa_check_size.
(rsa_init_private_key): Removed code handling n, e and d.
(rsa_clear_private_key): Likewise.
(rsa_compute_root): Always use CRT.

Rev: src/nettle/rsa.c:1.4
parent 010df288
...@@ -55,10 +55,14 @@ rsa_clear_public_key(struct rsa_public_key *key) ...@@ -55,10 +55,14 @@ rsa_clear_public_key(struct rsa_public_key *key)
mpz_clear(key->e); mpz_clear(key->e);
} }
int /* Computes the size, in octets, of a size BITS modulo.
rsa_prepare_public_key(struct rsa_public_key *key) * Returns 0 if the modulo is too small to be useful. */
static unsigned
rsa_check_size(unsigned bits)
{ {
unsigned size = (mpz_sizeinbase(key->n, 2) + 7) / 8; /* Round upwards */
unsigned size = (bits + 7) / 8;
/* For PKCS#1 to make sense, the size of the modulo, in octets, must /* For PKCS#1 to make sense, the size of the modulo, in octets, must
* be at least 11 + the length of the DER-encoded Digest Info. * be at least 11 + the length of the DER-encoded Digest Info.
...@@ -67,39 +71,43 @@ rsa_prepare_public_key(struct rsa_public_key *key) ...@@ -67,39 +71,43 @@ rsa_prepare_public_key(struct rsa_public_key *key)
* 46 octets is 368 bits. */ * 46 octets is 368 bits. */
if (size < 46) if (size < 46)
{ return 0;
/* Make sure the signing and verification functions doesn't
* try to use this key. */ return size;
key->size = 0; }
return 0; int
} rsa_prepare_public_key(struct rsa_public_key *key)
else {
{ /* FIXME: Add further sanity checks, like 0 < e < n. */
key->size = size; #if 0
return 1; if ( (mpz_sgn(key->e) <= 0)
} || mpz_cmp(key->e, key->n) >= 0)
return 0;
#endif
key->size = rsa_check_size(mpz_sizeinbase(key->n, 2));
return (key->size > 0);
} }
void void
rsa_init_private_key(struct rsa_private_key *key) rsa_init_private_key(struct rsa_private_key *key)
{ {
rsa_init_public_key(&key->pub);
mpz_init(key->d);
mpz_init(key->p); mpz_init(key->p);
mpz_init(key->q); mpz_init(key->q);
mpz_init(key->a); mpz_init(key->a);
mpz_init(key->b); mpz_init(key->b);
mpz_init(key->c); mpz_init(key->c);
/* Not really necessary, but it seems cleaner to initialize all the
* storage. */
key->size = 0;
} }
void void
rsa_clear_private_key(struct rsa_private_key *key) rsa_clear_private_key(struct rsa_private_key *key)
{ {
rsa_clear_public_key(&key->pub);
mpz_clear(key->d);
mpz_clear(key->p); mpz_clear(key->p);
mpz_clear(key->q); mpz_clear(key->q);
mpz_clear(key->a); mpz_clear(key->a);
...@@ -110,80 +118,71 @@ rsa_clear_private_key(struct rsa_private_key *key) ...@@ -110,80 +118,71 @@ rsa_clear_private_key(struct rsa_private_key *key)
int int
rsa_prepare_private_key(struct rsa_private_key *key) rsa_prepare_private_key(struct rsa_private_key *key)
{ {
return rsa_prepare_public_key(&key->pub); /* FIXME: Add further sanity checks. */
}
/* The size of the product is the sum of the sizes of the factors. */
key->size = rsa_check_size(mpz_sizeinbase(key->p, 2)
+ mpz_sizeinbase(key->p, 2));
#ifndef RSA_CRT return (key->size > 0);
#define RSA_CRT 1 }
#endif
/* Computing an rsa root.
*
* NOTE: We don't really need n not e, so we could drop the public
* key info from struct rsa_private_key. */
/* Computing an rsa root. */
void void
rsa_compute_root(struct rsa_private_key *key, mpz_t x, const mpz_t m) rsa_compute_root(struct rsa_private_key *key, mpz_t x, const mpz_t m)
{ {
#if RSA_CRT mpz_t xp; /* modulo p */
{ mpz_t xq; /* modulo q */
mpz_t xp; /* modulo p */
mpz_t xq; /* modulo q */ mpz_init(xp); mpz_init(xq);
mpz_init(xp); mpz_init(xq); /* Compute xq = m^d % q = (m%q)^b % q */
mpz_fdiv_r(xq, m, key->q);
/* Compute xq = m^d % q = (m%q)^b % q */ mpz_powm(xq, xq, key->b, key->q);
mpz_fdiv_r(xq, m, key->q);
mpz_powm(xq, xq, key->b, key->q); /* Compute xp = m^d % p = (m%p)^a % p */
mpz_fdiv_r(xp, m, key->p);
/* Compute xp = m^d % p = (m%p)^a % p */ mpz_powm(xp, xp, key->a, key->p);
mpz_fdiv_r(xp, m, key->p);
mpz_powm(xp, xp, key->a, key->p); /* Set xp' = (xp - xq) c % p. */
mpz_sub(xp, xp, xq);
/* Set xp' = (xp - xq) c % p. */ mpz_mul(xp, xp, key->c);
mpz_sub(xp, xp, xq); mpz_fdiv_r(xp, xp, key->p);
mpz_mul(xp, xp, key->c);
mpz_fdiv_r(xp, xp, key->p); /* Finally, compute x = xq + q xp'
*
/* Finally, compute x = xq + q xp' * To prove that this works, note that
* *
* To prove that this works, note that * xp = x + i p,
* * xq = x + j q,
* xp = x + i p, * c q = 1 + k p
* xq = x + j q, *
* c q = 1 + k p * for some integers i, j and k. Now, for some integer l,
* *
* for some integers i, j and k. Now, for some integer l, * xp' = (xp - xq) c + l p
* * = (x + i p - (x + j q)) c + l p
* xp' = (xp - xq) c + l p * = (i p - j q) c + l p
* = (x + i p - (x + j q)) c + l p * = (i c + l) p - j (c q)
* = (i p - j q) c + l p * = (i c + l) p - j (1 + kp)
* = (i c + l) p - j (c q) * = (i c + l - j k) p - j
* = (i c + l) p - j (1 + kp) *
* = (i c + l - j k) p - j * which shows that xp' = -j (mod p). We get
* *
* which shows that xp' = -j (mod p). We get * xq + q xp' = x + j q + (i c + l - j k) p q - j q
* * = x + (i c + l - j k) p q
* xq + q xp' = x + j q + (i c + l - j k) p q - j q *
* = x + (i c + l - j k) p q * so that
* *
* so that * xq + q xp' = x (mod pq)
* *
* xq + q xp' = x (mod pq) * We also get 0 <= xq + q xp' < p q, because
* *
* We also get 0 <= xq + q xp' < p q, because * 0 <= xq < q and 0 <= xp' < p.
* */
* 0 <= xq < q and 0 <= xp' < p. mpz_mul(x, key->q, xp);
*/ mpz_add(x, x, xq);
mpz_mul(x, key->q, xp);
mpz_add(x, x, xq); mpz_clear(xp); mpz_clear(xq);
mpz_clear(xp); mpz_clear(xq);
}
#else /* !RSA_CRT */
mpz_powm(x, m, key->d, key->pub->n);
#endif /* !RSA_CRT */
} }
#endif /* HAVE_LIBGMP */ #endif /* HAVE_LIBGMP */
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment