diff options
Diffstat (limited to 'cipher/rsa.c')
| -rw-r--r-- | cipher/rsa.c | 93 |
1 files changed, 90 insertions, 3 deletions
diff --git a/cipher/rsa.c b/cipher/rsa.c index 36b0802e2..2daa0547f 100644 --- a/cipher/rsa.c +++ b/cipher/rsa.c @@ -98,7 +98,7 @@ generate( RSA_secret_key *sk, unsigned nbits ) MPI t1, t2; MPI n; /* the public key */ MPI e; /* the exponent */ - MPI phi; /* helper: (p-a)(q-1) */ + MPI phi; /* helper: (p-1)(q-1) */ MPI g; MPI f; @@ -201,19 +201,106 @@ public(MPI output, MPI input, RSA_public_key *pkey ) mpi_powm( output, input, pkey->e, pkey->n ); } +#if 0 +static void +stronger_key_check ( RSA_secret_key *skey ) +{ + MPI t = mpi_alloc_secure ( 0 ); + MPI t1 = mpi_alloc_secure ( 0 ); + MPI t2 = mpi_alloc_secure ( 0 ); + MPI phi = mpi_alloc_secure ( 0 ); + + /* check that n == p * q */ + mpi_mul( t, skey->p, skey->q); + if (mpi_cmp( t, skey->n) ) + log_info ( "RSA Oops: n != p * q\n" ); + + /* check that p is less than q */ + if( mpi_cmp( skey->p, skey->q ) > 0 ) + log_info ("RSA Oops: p >= q\n"); + + + /* check that e divides neither p-1 nor q-1 */ + mpi_sub_ui(t, skey->p, 1 ); + mpi_fdiv_r(t, t, skey->e ); + if ( !mpi_cmp_ui( t, 0) ) + log_info ( "RSA Oops: e divides p-1\n" ); + mpi_sub_ui(t, skey->q, 1 ); + mpi_fdiv_r(t, t, skey->e ); + if ( !mpi_cmp_ui( t, 0) ) + log_info ( "RSA Oops: e divides q-1\n" ); + + /* check that d is correct */ + mpi_sub_ui( t1, skey->p, 1 ); + mpi_sub_ui( t2, skey->q, 1 ); + mpi_mul( phi, t1, t2 ); + mpi_gcd(t, t1, t2); + mpi_fdiv_q(t, phi, t); + mpi_invm(t, skey->e, t ); + if ( mpi_cmp(t, skey->d ) ) + log_info ( "RSA Oops: d is wrong\n"); + + /* check for crrectness of u */ + mpi_invm(t, skey->p, skey->q ); + if ( mpi_cmp(t, skey->u ) ) + log_info ( "RSA Oops: u is wrong\n"); + + log_info ( "RSA secret key check finished\n"); + + mpi_free (t); + mpi_free (t1); + mpi_free (t2); + mpi_free (phi); +} +#endif + + /**************** * Secret key operation. Encrypt INPUT with SKEY and put result into OUTPUT. * * m = c^d mod n * - * Where m is OUTPUT, c is INPUT and d,n are elements of PKEY. + * Or faster: + * + * m1 = c ^ (d mod (p-1)) mod p + * m2 = c ^ (d mod (q-1)) mod q + * h = u * (m2 - m1) mod q + * m = m1 + h * p * - * FIXME: We should better use the Chinese Remainder Theorem + * Where m is OUTPUT, c is INPUT and d,n,p,q,u are elements of SKEY. */ static void secret(MPI output, MPI input, RSA_secret_key *skey ) { + #if 0 mpi_powm( output, input, skey->d, skey->n ); + #else + MPI m1 = mpi_alloc_secure( mpi_get_nlimbs(skey->n)+1 ); + MPI m2 = mpi_alloc_secure( mpi_get_nlimbs(skey->n)+1 ); + MPI h = mpi_alloc_secure( mpi_get_nlimbs(skey->n)+1 ); + + /* m1 = c ^ (d mod (p-1)) mod p */ + mpi_sub_ui( h, skey->p, 1 ); + mpi_fdiv_r( h, skey->d, h ); + mpi_powm( m1, input, h, skey->p ); + /* m2 = c ^ (d mod (q-1)) mod q */ + mpi_sub_ui( h, skey->q, 1 ); + mpi_fdiv_r( h, skey->d, h ); + mpi_powm( m2, input, h, skey->q ); + /* h = u * ( m2 - m1 ) mod q */ + mpi_sub( h, m2, m1 ); + if ( mpi_is_neg( h ) ) + mpi_add ( h, h, skey->q ); + mpi_mulm( h, skey->u, h, skey->q ); + /* m = m2 + h * p */ + mpi_mul ( h, h, skey->p ); + mpi_add ( output, m1, h ); + /* ready */ + + mpi_free ( h ); + mpi_free ( m1 ); + mpi_free ( m2 ); + #endif } |