/* rsa.c - RSA implementation
* Copyright (C) 1997, 1998, 1999 by Werner Koch (dd9jn)
* Copyright (C) 2000, 2001, 2002, 2003, 2008 Free Software Foundation, Inc.
*
* This file is part of Libgcrypt.
*
* it under the terms of the GNU Lesser General Public License as
* published by the Free Software Foundation; either version 2.1 of
* the License, or (at your option) any later version.
*
* Libgcrypt is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this program; if not, see <http://www.gnu.org/licenses/>.
*/
/* This code uses an algorithm protected by U.S. Patent #4,405,829
which expired on September 20, 2000. The patent holder placed that
patent into the public domain on Sep 6th, 2000.
*/
#include <config.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include "g10lib.h"
#include "mpi.h"
#include "cipher.h"
typedef struct
{
gcry_mpi_t n; /* modulus */
gcry_mpi_t e; /* exponent */
typedef struct
{
gcry_mpi_t n; /* public modulus */
gcry_mpi_t e; /* public exponent */
gcry_mpi_t d; /* exponent */
gcry_mpi_t p; /* prime p. */
gcry_mpi_t q; /* prime q. */
gcry_mpi_t u; /* inverse of p mod q. */
/* A sample 1024 bit RSA key used for the selftests. */
static const char sample_secret_key[] =
"(private-key"
" (rsa"
" (n #00e0ce96f90b6c9e02f3922beada93fe50a875eac6bcc18bb9a9cf2e84965caa"
" 2d1ff95a7f542465c6c0c19d276e4526ce048868a7a914fd343cc3a87dd74291"
" ffc565506d5bbb25cbac6a0e2dd1f8bcaab0d4a29c2f37c950f363484bf269f7"
" 891440464baf79827e03a36e70b814938eebdc63e964247be75dc58b014b7ea251#)"
" (e #010001#)"
" (d #046129f2489d71579be0a75fe029bd6cdb574ebf57ea8a5b0fda942cab943b11"
" 7d7bb95e5d28875e0f9fc5fcc06a72f6d502464dabded78ef6b716177b83d5bd"
" c543dc5d3fed932e59f5897e92e6f58a0f33424106a3b6fa2cbf877510e4ac21"
" c3ee47851e97d12996222ac3566d4ccb0b83d164074abf7de655fc2446da1781#)"
" (p #00e861b700e17e8afe6837e7512e35b6ca11d0ae47d8b85161c67baf64377213"
" fe52d772f2035b3ca830af41d8a4120e1c1c70d12cc22f00d28d31dd48a8d424f1#)"
" (q #00f7a7ca5367c661f8e62df34f0d05c10c88e5492348dd7bddc942c9a8f369f9"
" 35a07785d2db805215ed786e4285df1658eed3ce84f469b81b50d358407b4ad361#)"
" (u #304559a9ead56d2309d203811a641bb1a09626bc8eb36fffa23c968ec5bd891e"
" ebbafc73ae666e01ba7c8990bae06cc2bbe10b75e69fcacb353a6473079d8e9b#)))";
/* A sample 1024 bit RSA key used for the selftests (public only). */
static const char sample_public_key[] =
"(public-key"
" (rsa"
" (n #00e0ce96f90b6c9e02f3922beada93fe50a875eac6bcc18bb9a9cf2e84965caa"
" 2d1ff95a7f542465c6c0c19d276e4526ce048868a7a914fd343cc3a87dd74291"
" ffc565506d5bbb25cbac6a0e2dd1f8bcaab0d4a29c2f37c950f363484bf269f7"
" 891440464baf79827e03a36e70b814938eebdc63e964247be75dc58b014b7ea251#)"
" (e #010001#)))";
/* Check that a freshly generated key actually works. Returns 0 on success. */
static int
{
/* Put the relevant parameters into a public key structure. */
/* Create a random plaintext. */
/* Encrypt using the public key. */
/* Check that the cipher text does not match the plaintext. */
goto leave; /* Ciphertext is identical to the plaintext. */
/* Decrypt using the secret key. */
/* Check that the decrypted plaintext matches the original plaintext. */
goto leave; /* Plaintext does not match. */
/* Create another random plaintext as data for signature checking. */
/* Use the RSA secret function to create a signature of the plaintext. */
/* Use the RSA public function to verify this signature. */
goto leave; /* Signature does not match. */
/* Modify the signature and check that the signing fails. */
goto leave; /* Signature matches but should not. */
result = 0; /* All tests succeeded. */
return result;
}
/* Callback used by the prime generation to test whether the exponent
is suitable. Returns 0 if the test has been passed. */
static int
{
gcry_mpi_t e = arg;
int result;
mpi_sub_ui (a, a, 1);
tmp = _gcry_mpi_alloc_like (a);
mpi_add_ui (a, a, 1);
return result;
}
/****************
* Generate a key pair with a key of size NBITS.
* USE_E = 0 let Libcgrypt decide what exponent to use.
* = 1 request the use of a "secure" exponent; this is required by some
* specification to be 65537.
* > 2 Use this public exponent. If the given exponent
* is not odd one is internally added to it.
* TRANSIENT_KEY: If true, generate the primes using the standard RNG.
* Returns: 2 structures filled with all needed values
*/
static gpg_err_code_t
int transient_key)
{
gcry_mpi_t p, q; /* the two primes */
gcry_mpi_t d; /* the private key */
gcry_mpi_t u;
gcry_mpi_t n; /* the public key */
gcry_mpi_t e; /* the exponent */
gcry_mpi_t g;
gcry_mpi_t f;
if (fips_mode ())
{
if (nbits < 1024)
return GPG_ERR_INV_VALUE;
if (transient_key)
return GPG_ERR_INV_VALUE;
}
/* The random quality depends on the transient_key flag. */
/* Make sure that nbits is even so that we generate p, q of equal size. */
if ( (nbits&1) )
nbits++;
/* Public exponent:
In general we use 41 as this is quite fast and more secure than the
commonly used 17. Benchmarking the RSA verify function
with a 1024 bit key yields (2001-11-08):
e=17 0.54 ms
e=41 0.75 ms
e=257 0.95 ms
e=65537 1.80 ms
*/
if (!use_e)
else
{
mpi_set_ui (e, use_e);
}
n = gcry_mpi_new (nbits);
p = q = NULL;
do
{
/* select two (very secret) primes */
if (p)
gcry_mpi_release (p);
if (q)
gcry_mpi_release (q);
if (use_e)
{ /* Do an extra test to ensure that the given exponent is
suitable. */
check_exponent, e);
check_exponent, e);
}
else
{ /* We check the exponent later. */
}
if (mpi_cmp (p, q) > 0 ) /* p shall be smaller than q (for calc of u)*/
mpi_swap(p,q);
/* calculate the modulus */
mpi_mul( n, p, q );
}
while ( mpi_get_nbits(n) != nbits );
/* calculate Euler totient: phi = (p-1)(q-1) */
g = gcry_mpi_snew ( nbits );
f = gcry_mpi_snew ( nbits );
mpi_fdiv_q(f, phi, g);
{
if (use_e)
BUG (); /* The prime generator already made sure that we
never can get to here. */
mpi_add_ui (e, e, 2);
}
/* calculate the secret key d = e^1 mod phi */
d = gcry_mpi_snew ( nbits );
mpi_invm(d, e, f );
/* calculate the inverse of p and q (used for chinese remainder theorem)*/
u = gcry_mpi_snew ( nbits );
mpi_invm(u, p, q );
if( DBG_CIPHER )
{
log_mpidump(" p= ", p );
log_mpidump(" q= ", q );
log_mpidump(" g= ", g );
log_mpidump(" f= ", f );
log_mpidump(" n= ", n );
log_mpidump(" e= ", e );
log_mpidump(" d= ", d );
log_mpidump(" u= ", u );
}
gcry_mpi_release (f);
gcry_mpi_release (g);
sk->n = n;
sk->e = e;
sk->p = p;
sk->q = q;
sk->d = d;
sk->u = u;
/* Now we can test our keys. */
{
fips_signal_error ("self-test after key generation failed");
return GPG_ERR_SELFTEST_FAILED;
}
return 0;
}
/* Helper for generate_x931. */
static gcry_mpi_t
{
/* The requirement for Xp is:
sqrt{2}*2^{nbits-1} <= xp <= 2^{nbits} - 1
We set the two high order bits to 1 to satisfy the lower bound.
By using mpi_set_highbit we make sure that the upper bound is
satisfied as well. */
return xp;
}
/* Helper for generate_x931. */
static gcry_mpi_t
gen_x931_parm_xi (void)
{
return xi;
}
/* Variant of the standard key generation code using the algorithm
from X9.31. Using this algorithm has the advantage that the
generation can be made deterministic which is required for CAVS
testing. */
static gpg_err_code_t
{
gcry_mpi_t p, q; /* The two primes. */
gcry_mpi_t e; /* The public exponent. */
gcry_mpi_t n; /* The public key. */
gcry_mpi_t d; /* The private key */
gcry_mpi_t u; /* The inverse of p and q. */
gcry_mpi_t f, g; /* Helper. */
*swapped = 0;
e_value = 65537;
/* Point 1 of section 4.1: k = 1024 + 256s with S >= 0 */
return GPG_ERR_INV_VALUE;
/* Point 2: 2 <= bitlength(e) < 2^{k-2}
Note that we do not need to check the upper bound because we use
an unsigned long for E and thus there is no way for E to reach
that limit. */
if (e_value < 3)
return GPG_ERR_INV_VALUE;
/* Our implementaion requires E to be odd. */
if (!(e_value & 1))
return GPG_ERR_INV_VALUE;
/* Point 3: e > 0 or e 0 if it is to be randomly generated.
We support only a fixed E and thus there is no need for an extra test. */
/* Compute or extract the derive parameters. */
{
if (!deriveparms)
{
/* Not given: Generate them. */
/* Make sure that |xp - xq| > 2^{nbits - 100} holds. */
do
{
}
xp1 = gen_x931_parm_xi ();
xp2 = gen_x931_parm_xi ();
xq1 = gen_x931_parm_xi ();
xq2 = gen_x931_parm_xi ();
}
else
{
/* Parameters to derive the key are given. */
{ "Xp1", &xp1 },
{ "Xp2", &xp2 },
{ "Xp", &xp },
{ "Xq1", &xq1 },
{ "Xq2", &xq2 },
{ "Xq", &xq },
};
int idx;
{
if (oneparm)
{
}
}
break;
{
/* At least one parameter is missing. */
return GPG_ERR_MISSING_VALUE;
}
}
e = mpi_alloc_set_ui (e_value);
/* Find two prime numbers. */
if (!p || !q)
{
gcry_mpi_release (p);
gcry_mpi_release (q);
gcry_mpi_release (e);
return GPG_ERR_NO_PRIME;
}
}
/* Compute the public modulus. We make sure that p is smaller than
q to allow the use of the CRT. */
if (mpi_cmp (p, q) > 0 )
{
mpi_swap (p, q);
*swapped = 1;
}
n = gcry_mpi_new (nbits);
mpi_mul (n, p, q);
/* Compute the Euler totient: phi = (p-1)(q-1) */
g = gcry_mpi_snew (nbits);
/* Compute: f = lcm(p-1,q-1) = phi / gcd(p-1,q-1) */
mpi_fdiv_q (f, phi, g);
d = g; g = NULL;
/* Compute the secret key: d = e^{-1} mod lcm(p-1,q-1) */
mpi_invm (d, e, f);
/* Compute the inverse of p and q. */
u = f; f = NULL;
mpi_invm (u, p, q );
if( DBG_CIPHER )
{
if (*swapped)
log_debug ("p and q are swapped\n");
log_mpidump(" p", p );
log_mpidump(" q", q );
log_mpidump(" n", n );
log_mpidump(" e", e );
log_mpidump(" d", d );
log_mpidump(" u", u );
}
sk->n = n;
sk->e = e;
sk->p = p;
sk->q = q;
sk->d = d;
sk->u = u;
/* Now we can test our keys. */
{
fips_signal_error ("self-test after key generation failed");
return GPG_ERR_SELFTEST_FAILED;
}
return 0;
}
/****************
* Test wether the secret key is valid.
* Returns: true if this is a valid key.
*/
static int
{
int rc;
return !rc;
}
/****************
* Public key operation. Encrypt INPUT with PKEY and put result into OUTPUT.
*
* c = m^e mod n
*
* Where c is OUTPUT, m is INPUT and e,n are elements of PKEY.
*/
static void
{
{
mpi_free(x);
}
else
}
#if 0
static void
{
gcry_mpi_t t = mpi_alloc_secure ( 0 );
/* check that n == p * q */
log_info ( "RSA Oops: n != p * q\n" );
/* check that p is less than q */
{
log_info ("RSA Oops: p >= q - fixed\n");
}
/* check that e divides neither p-1 nor q-1 */
mpi_fdiv_r(t, t, skey->e );
if ( !mpi_cmp_ui( t, 0) )
log_info ( "RSA Oops: e divides p-1\n" );
mpi_fdiv_r(t, t, skey->e );
if ( !mpi_cmp_ui( t, 0) )
log_info ( "RSA Oops: e divides q-1\n" );
/* check that d is correct */
mpi_fdiv_q(t, phi, t);
{
log_info ( "RSA Oops: d is wrong - fixed\n");
}
/* check for correctness of u */
{
log_info ( "RSA Oops: u is wrong - fixed\n");
}
log_info ( "RSA secret key check finished\n");
mpi_free (t);
}
#endif
/****************
* Secret key operation. Encrypt INPUT with SKEY and put result into OUTPUT.
*
* m = c^d mod n
*
* Or faster:
*
* m1 = c ^ (d mod (p-1)) mod p
* m2 = c ^ (d mod (q-1)) mod q
* h = u * (m2 - m1) mod q
* m = m1 + h * p
*
* Where m is OUTPUT, c is INPUT and d,n,p,q,u are elements of SKEY.
*/
static void
{
{
}
else
{
/* m1 = c ^ (d mod (p-1)) mod p */
mpi_fdiv_r( h, skey->d, h );
/* m2 = c ^ (d mod (q-1)) mod q */
mpi_fdiv_r( h, skey->d, h );
/* h = u * ( m2 - m1 ) mod q */
if ( mpi_is_neg( h ) )
/* m = m2 + h * p */
mpi_free ( h );
}
}
/* Perform RSA blinding. */
static gcry_mpi_t
{
/* A helper. */
gcry_mpi_t a;
/* Result. */
gcry_mpi_t y;
a = gcry_mpi_snew (gcry_mpi_get_nbits (n));
y = gcry_mpi_snew (gcry_mpi_get_nbits (n));
/* Now we calculate: y = (x * r^e) mod n, where r is the random
number, e is the public exponent, x is the non-blinded data and n
is the RSA modulus. */
gcry_mpi_powm (a, r, e, n);
gcry_mpi_mulm (y, a, x, n);
gcry_mpi_release (a);
return y;
}
/* Undo RSA blinding. */
static gcry_mpi_t
{
gcry_mpi_t y;
y = gcry_mpi_snew (gcry_mpi_get_nbits (n));
/* Here we calculate: y = (x * r^-1) mod n, where x is the blinded
decrypted data, ri is the modular multiplicative inverse of r and
n is the RSA modulus. */
gcry_mpi_mulm (y, ri, x, n);
return y;
}
/*********************************************
************** interface ******************
*********************************************/
static gcry_err_code_t
const gcry_sexp_t genparms,
{
int transient_key = 0;
int use_x931 = 0;
(void)algo;
deriveparms = (genparms?
if (!deriveparms)
{
/* Parse the optional "use-x931" flag. */
if (l1)
{
use_x931 = 1;
}
}
{
int swapped;
{
"(misc-key-info(p-q-swapped))", 0, 1);
if (ec)
{
}
}
}
else
{
/* Parse the optional "transient-key" flag. */
if (l1)
{
transient_key = 1;
}
/* Generate. */
}
if (!ec)
{
}
return ec;
}
static gcry_err_code_t
{
}
static gcry_err_code_t
{
(void)algo;
parameters. */
else if (!check_secret_key (&sk))
return err;
}
static gcry_err_code_t
{
(void)algo;
(void)flags;
return GPG_ERR_NO_ERROR;
}
static gcry_err_code_t
{
r. */
gcry_mpi_t y; /* Result. */
(void)algo;
/* Extract private key. */
/* We use blinding by default to mitigate timing attacks which can
be practically mounted over the network as shown by Brumley and
Boney in 2003. */
if (! (flags & PUBKEY_FLAG_NO_BLINDING))
{
/* Initialize blinding. */
/* First, we need a random number r between 0 and n - 1, which
is relatively prime to n (i.e. it is neither p nor q). The
random number needs to be only unpredictable, thus we employ
the gcry_create_nonce function by using GCRY_WEAK_RANDOM with
gcry_mpi_randomize. */
gcry_mpi_mod (r, r, sk.n);
/* Calculate inverse of r. It practically impossible that the
follwing test fails, thus we do not add code to release
allocated resources. */
return GPG_ERR_INTERNAL;
}
if (! (flags & PUBKEY_FLAG_NO_BLINDING))
else
x = data[0];
/* Do the encryption. */
if (! (flags & PUBKEY_FLAG_NO_BLINDING))
{
/* Undo blinding. */
gcry_mpi_t a = gcry_mpi_copy (y);
gcry_mpi_release (y);
gcry_mpi_release (a);
}
if (! (flags & PUBKEY_FLAG_NO_BLINDING))
{
/* Deallocate resources needed for blinding. */
gcry_mpi_release (x);
gcry_mpi_release (r);
}
/* Copy out result. */
*result = y;
return GPG_ERR_NO_ERROR;
}
static gcry_err_code_t
{
(void)algo;
return GPG_ERR_NO_ERROR;
}
static gcry_err_code_t
void *opaquev)
{
(void)algo;
(void)cmp;
(void)opaquev;
#ifdef IS_DEVELOPMENT_VERSION
if (DBG_CIPHER)
{
}
#endif /*IS_DEVELOPMENT_VERSION*/
/*rc = (*cmp)( opaquev, result );*/
return rc;
}
static unsigned int
{
(void)algo;
return mpi_get_nbits (pkey[0]);
}
/* Compute a keygrip. MD is the hash context which we are going to
update. KEYPARAM is an S-expression with the key parameters, this
is usually a public key but may also be a secret key. An example
of such an S-expression is:
(rsa
(n #00B...#)
(e #010001#))
PKCS-15 says that for RSA only the modulus should be hashed -
however, it is not clear wether this is meant to use the raw bytes
(assuming this is an unsigned integer) or whether the DER required
0 should be prefixed. We hash the raw bytes. */
static gpg_err_code_t
{
const char *data;
if (!l1)
return GPG_ERR_NO_OBJ;
if (!data)
{
return GPG_ERR_NO_OBJ;
}
return 0;
}
/*
Self-test section.
*/
static const char *
{
static const char sample_data[] =
"(data (flags pkcs1)"
" (hash sha1 #11223344556677889900aabbccddeeff10203040#))";
static const char sample_data_bad[] =
"(data (flags pkcs1)"
" (hash sha1 #11223344556677889900aabbccddeeff80203040#))";
if (!err)
if (err)
{
errtxt = "converting data failed";
goto leave;
}
if (err)
{
errtxt = "signing failed";
goto leave;
}
if (err)
{
errtxt = "verify failed";
goto leave;
}
{
errtxt = "bad signature not detected";
goto leave;
}
return errtxt;
}
/* Given an S-expression ENCR_DATA of the form:
(enc-val
(rsa
(a a-value)))
as returned by gcry_pk_decrypt, return the the A-VALUE. On error,
return NULL. */
static gcry_mpi_t
{
if (!l1)
return NULL;
if (!l2)
return NULL;
if (!l3)
return NULL;
return a_value;
}
static const char *
{
/* Create plaintext. The plaintext is actually a big integer number. */
/* Put the plaintext into an S-expression. */
"(data (flags raw) (value %m))", plaintext);
if (err)
{
errtxt = "converting data failed";
goto leave;
}
/* Encrypt. */
if (err)
{
errtxt = "encrypt failed";
goto leave;
}
/* Extraxt the ciphertext from the returned S-expression. */
/*gcry_sexp_dump (encr);*/
if (!ciphertext)
{
errtxt = "gcry_pk_decrypt returned garbage";
goto leave;
}
/* Check that the ciphertext does no match the plaintext. */
/* _gcry_log_mpidump ("plaintext", plaintext); */
/* _gcry_log_mpidump ("ciphertxt", ciphertext); */
{
errtxt = "ciphertext matches plaintext";
goto leave;
}
/* Decrypt. */
if (err)
{
errtxt = "decrypt failed";
goto leave;
}
/* Extract the decrypted data from the S-expression. Note that the
output of gcry_pk_decrypt depends on whether a flags lists occurs
in its input data. Because we passed the output of
gcry_pk_encrypt directly to gcry_pk_decrypt, such a flag value
won't be there as of today. To be prepared for future changes we
take care of it anyway. */
if (tmplist)
else
if (!decr_plaintext)
{
errtxt = "decrypt returned no plaintext";
goto leave;
}
/* Check that the decrypted plaintext matches the original plaintext. */
{
errtxt = "mismatch";
goto leave;
}
return errtxt;
}
static gpg_err_code_t
{
const char *what;
const char *errtxt;
/* Convert the S-expressions into the internal representation. */
what = "convert";
if (!err)
if (err)
{
goto failed;
}
what = "key consistency";
if (err)
{
goto failed;
}
what = "sign";
if (errtxt)
goto failed;
what = "encrypt";
if (errtxt)
goto failed;
return 0; /* Succeeded. */
if (report)
return GPG_ERR_SELFTEST_FAILED;
}
/* Run a full self-test for ALGO and return 0 on success. */
static gpg_err_code_t
{
(void)extended;
switch (algo)
{
case GCRY_PK_RSA:
break;
default:
break;
}
return ec;
}
static const char *rsa_names[] =
{
"rsa",
"openpgp-rsa",
"oid.1.2.840.113549.1.1.1",
NULL,
};
{
"RSA", rsa_names,
"ne", "nedpqu", "a", "s", "n",
};
{
};