X-Git-Url: http://git.silcnet.org/gitweb/?a=blobdiff_plain;f=lib%2Fsilccrypt%2Frsa.c;h=7bacd1e098af114fd4663eb4c6b5f9c1720bb3fc;hb=413da0f8686910f5e627393157566ae729ca99c4;hp=ec85853a2f3dc9d90d310bb141d27272013a240c;hpb=ba5e36dbc0321270f06c4aad79e296e4cce1212b;p=silc.git diff --git a/lib/silccrypt/rsa.c b/lib/silccrypt/rsa.c index ec85853a..7bacd1e0 100644 --- a/lib/silccrypt/rsa.c +++ b/lib/silccrypt/rsa.c @@ -4,7 +4,7 @@ * * Author: Pekka Riikonen * - * Copyright (C) 1997 - 2000 Pekka Riikonen + * Copyright (C) 1997 - 2001 Pekka Riikonen * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -28,15 +28,16 @@ * Public key exponent: * e relatively prime to (p-1) * (q-1) * Private key exponent: - * d = e ^ -1 mod ((p-1) * (q-1)) + * d = e ^ -1 mod lcm(((p-1) * (q-1))) * * Encryption: * c = m ^ e mod n * Decryption: * m = c ^ d mod n * - * This code is based on SSH's (Secure Shell), PGP's (Pretty Good Privacy) - * and RSAREF Toolkit's RSA source codes. They all were a big help for me. + * The SSH's (Secure Shell), PGP's (Pretty Good Privacy) and RSAREF + * Toolkit were used as reference when coding this implementation. They + * all were a big help for me. * * I also suggest reading Bruce Schneier's; Applied Cryptography, Second * Edition, John Wiley & Sons, Inc. 1996. This book deals about RSA and @@ -45,7 +46,35 @@ */ /* $Id$ */ +/* + ChangeLog + + o Mon Feb 12 11:20:32 EET 2001 Pekka + + Changed RSA private exponent generation to what PKCS #1 suggests. We + try to find the smallest possible d by doing modinv(e, lcm(phi)) instead + of modinv(e, phi). Note: this is not security fix but optimization. + + o Tue Feb 20 13:58:58 EET 2001 Pekka + + Set key->bits in rsa_generate_key. It is the modulus length in bits. + The `tmplen' in encrypt, decrypt, sign and verify PKCS API functions + is now calculated by (key->bits + 7) / 8. It is the length of one block. + + o Sat Mar 16 18:27:19 EET 2002 Pekka + + Use the SilcRng sent as argument to SILC_PKCS_API_INIT in prime + generation. + + o Sat Sep 26 19:59:48 EEST 2002 Pekka + + Fixed double free in public key setting. Use a bit larger e as + starting point in key generation. + +*/ + #include "silcincludes.h" +#include "rsa_internal.h" #include "rsa.h" /* @@ -56,8 +85,9 @@ SILC_PKCS_API_INIT(rsa) { - unsigned int prime_bits = keylen / 2; - SilcInt p, q; + SilcUInt32 prime_bits = keylen / 2; + SilcMPInt p, q; + bool found = FALSE; printf("Generating RSA Public and Private keys, might take a while...\n"); @@ -65,37 +95,38 @@ SILC_PKCS_API_INIT(rsa) silc_mp_init(&q); /* Find p and q */ - retry_primes: - printf("Finding p: "); - silc_math_gen_prime(&p, prime_bits, TRUE); - - printf("\nFinding q: "); - silc_math_gen_prime(&q, prime_bits, TRUE); - - if ((silc_mp_cmp(&p, &q)) == 0) { - printf("\nFound equal primes, not good, retrying...\n"); - goto retry_primes; + while (!found) { + printf("Finding p: "); + silc_math_gen_prime(&p, prime_bits, TRUE, rng); + + printf("\nFinding q: "); + silc_math_gen_prime(&q, prime_bits, TRUE, rng); + + if ((silc_mp_cmp(&p, &q)) == 0) + printf("\nFound equal primes, not good, retrying...\n"); + else + found = TRUE; } /* If p is smaller than q, switch them */ if ((silc_mp_cmp(&p, &q)) > 0) { - SilcInt hlp; + SilcMPInt hlp; silc_mp_init(&hlp); silc_mp_set(&hlp, &p); silc_mp_set(&p, &q); silc_mp_set(&q, &hlp); - silc_mp_clear(&hlp); + silc_mp_uninit(&hlp); } /* Generate the actual keys */ rsa_generate_keys((RsaKey *)context, keylen, &p, &q); - silc_mp_clear(&p); - silc_mp_clear(&q); + silc_mp_uninit(&p); + silc_mp_uninit(&q); - printf("\nKeys generated succesfully.\n"); + printf("\nKeys generated successfully.\n"); return TRUE; } @@ -111,11 +142,11 @@ SILC_PKCS_API_GET_PUBLIC_KEY(rsa) { RsaKey *key = (RsaKey *)context; unsigned char *e, *n, *ret; - unsigned int e_len, n_len; + SilcUInt32 e_len, n_len; unsigned char tmp[4]; - e = silc_mp_mp2bin(&key->e, &e_len); - n = silc_mp_mp2bin(&key->n, &n_len); + e = silc_mp_mp2bin(&key->e, 0, &e_len); + n = silc_mp_mp2bin(&key->n, (key->bits + 7) / 8, &n_len); *ret_len = e_len + 4 + n_len + 4; ret = silc_calloc(*ret_len, sizeof(unsigned char)); @@ -150,12 +181,12 @@ SILC_PKCS_API_GET_PRIVATE_KEY(rsa) { RsaKey *key = (RsaKey *)context; unsigned char *e, *n, *d, *ret; - unsigned int e_len, n_len, d_len; + SilcUInt32 e_len, n_len, d_len; unsigned char tmp[4]; - e = silc_mp_mp2bin(&key->e, &e_len); - n = silc_mp_mp2bin(&key->n, &n_len); - d = silc_mp_mp2bin(&key->d, &d_len); + e = silc_mp_mp2bin(&key->e, 0, &e_len); + n = silc_mp_mp2bin(&key->n, (key->bits + 7) / 8, &n_len); + d = silc_mp_mp2bin(&key->d, 0, &d_len); *ret_len = e_len + 4 + n_len + 4 + d_len + 4; ret = silc_calloc(*ret_len, sizeof(unsigned char)); @@ -197,32 +228,50 @@ SILC_PKCS_API_SET_PUBLIC_KEY(rsa) { RsaKey *key = (RsaKey *)context; unsigned char tmp[4]; - unsigned int e_len, n_len; + SilcUInt32 e_len, n_len; + + if (key->pub_set) { + silc_mp_uninit(&key->e); + silc_mp_uninit(&key->n); + key->pub_set = FALSE; + } + + if (key_len < 4) + return 0; silc_mp_init(&key->e); silc_mp_init(&key->n); memcpy(tmp, key_data, 4); SILC_GET32_MSB(e_len, tmp); - if (e_len > key_len) { - silc_mp_clear(&key->e); - silc_mp_clear(&key->n); - return FALSE; + if (!e_len || e_len + 4 > key_len) { + silc_mp_uninit(&key->e); + silc_mp_uninit(&key->n); + return 0; } silc_mp_bin2mp(key_data + 4, e_len, &key->e); - + + if (key_len < 4 + e_len + 4) { + silc_mp_uninit(&key->e); + silc_mp_uninit(&key->n); + return 0; + } + memcpy(tmp, key_data + 4 + e_len, 4); SILC_GET32_MSB(n_len, tmp); - if (e_len + n_len > key_len) { - silc_mp_clear(&key->e); - silc_mp_clear(&key->n); - return FALSE; + if (!n_len || e_len + 4 + n_len + 4 > key_len) { + silc_mp_uninit(&key->e); + silc_mp_uninit(&key->n); + return 0; } silc_mp_bin2mp(key_data + 4 + e_len + 4, n_len, &key->n); - return TRUE; + key->bits = silc_mp_sizeinbase(&key->n, 2); + key->pub_set = TRUE; + + return key->bits; } /* Set private key. This derives the public key from the private @@ -233,7 +282,21 @@ SILC_PKCS_API_SET_PRIVATE_KEY(rsa) { RsaKey *key = (RsaKey *)context; unsigned char tmp[4]; - unsigned int e_len, n_len, d_len; + SilcUInt32 e_len, n_len, d_len; + + if (key->prv_set) { + silc_mp_uninit(&key->d); + key->prv_set = FALSE; + } + + if (key->pub_set) { + silc_mp_uninit(&key->e); + silc_mp_uninit(&key->n); + key->pub_set = FALSE; + } + + if (key_len < 4) + return FALSE; silc_mp_init(&key->e); silc_mp_init(&key->n); @@ -241,35 +304,56 @@ SILC_PKCS_API_SET_PRIVATE_KEY(rsa) memcpy(tmp, key_data, 4); SILC_GET32_MSB(e_len, tmp); - if (e_len > key_len) { - silc_mp_clear(&key->e); - silc_mp_clear(&key->n); + if (e_len + 4 > key_len) { + silc_mp_uninit(&key->e); + silc_mp_uninit(&key->n); + silc_mp_uninit(&key->d); return FALSE; } silc_mp_bin2mp(key_data + 4, e_len, &key->e); + if (key_len < e_len + 4 + 4) { + silc_mp_uninit(&key->e); + silc_mp_uninit(&key->n); + silc_mp_uninit(&key->d); + return FALSE; + } + memcpy(tmp, key_data + 4 + e_len, 4); SILC_GET32_MSB(n_len, tmp); - if (e_len + n_len > key_len) { - silc_mp_clear(&key->e); - silc_mp_clear(&key->n); + if (e_len + 4 + n_len + 4 > key_len) { + silc_mp_uninit(&key->e); + silc_mp_uninit(&key->n); + silc_mp_uninit(&key->d); return FALSE; } silc_mp_bin2mp(key_data + 4 + e_len + 4, n_len, &key->n); + if (key_len < e_len + 4 + n_len + 4 + 4) { + silc_mp_uninit(&key->e); + silc_mp_uninit(&key->n); + silc_mp_uninit(&key->d); + return FALSE; + } + memcpy(tmp, key_data + 4 + e_len + 4 + n_len, 4); SILC_GET32_MSB(d_len, tmp); - if (e_len + n_len + d_len > key_len) { - silc_mp_clear(&key->e); - silc_mp_clear(&key->n); + if (e_len + 4 + n_len + 4 + d_len + 4 > key_len) { + silc_mp_uninit(&key->e); + silc_mp_uninit(&key->n); + silc_mp_uninit(&key->d); return FALSE; } silc_mp_bin2mp(key_data + 4 + e_len + 4 + n_len + 4, d_len, &key->d); - return TRUE; + key->bits = silc_mp_sizeinbase(&key->n, 2); + key->prv_set = TRUE; + key->pub_set = TRUE; + + return key->bits; } SILC_PKCS_API_CONTEXT_LEN(rsa) @@ -277,75 +361,30 @@ SILC_PKCS_API_CONTEXT_LEN(rsa) return sizeof(RsaKey); } -SILC_PKCS_API_DATA_CONTEXT_LEN(rsa) -{ - return sizeof(RsaDataContext); -} - -SILC_PKCS_API_SET_ARG(rsa) -{ - RsaDataContext *data_ctx = (RsaDataContext *)data_context; - - switch(argnum) { - case 1: - data_ctx->src = val; - return TRUE; - break; - case 2: - data_ctx->dst = val; - return TRUE; - break; - case 3: - data_ctx->exp = val; - return TRUE; - break; - case 4: - data_ctx->mod = val; - return TRUE; - break; - default: - return FALSE; - break; - } - - return FALSE; -} - SILC_PKCS_API_ENCRYPT(rsa) { RsaKey *key = (RsaKey *)context; - int i, tmplen; - SilcInt mp_tmp; - SilcInt mp_dst; + int tmplen; + SilcMPInt mp_tmp; + SilcMPInt mp_dst; - silc_mp_init_set_ui(&mp_tmp, 0); - silc_mp_init_set_ui(&mp_dst, 0); + silc_mp_init(&mp_tmp); + silc_mp_init(&mp_dst); /* Format the data into MP int */ - for (i = 0; i < src_len; i++) { - silc_mp_mul_2exp(&mp_tmp, &mp_tmp, 8); - silc_mp_add_ui(&mp_tmp, &mp_tmp, src[i]); - } - - silc_mp_out_str(stderr, 16, &mp_tmp); + silc_mp_bin2mp(src, src_len, &mp_tmp); /* Encrypt */ rsa_en_de_crypt(&mp_dst, &mp_tmp, &key->e, &key->n); - fprintf(stderr, "\n"); - silc_mp_out_str(stderr, 16, &mp_dst); - - tmplen = (1024 + 7) / 8; + tmplen = (key->bits + 7) / 8; /* Format the MP int back into data */ - for (i = tmplen; i > 0; i--) { - dst[i - 1] = (unsigned char)(silc_mp_get_ui(&mp_dst) & 0xff); - silc_mp_fdiv_q_2exp(&mp_dst, &mp_dst, 8); - } + silc_mp_mp2bin_noalloc(&mp_dst, dst, tmplen); *dst_len = tmplen; - silc_mp_clear(&mp_tmp); - silc_mp_clear(&mp_dst); + silc_mp_uninit(&mp_tmp); + silc_mp_uninit(&mp_dst); return TRUE; } @@ -353,38 +392,27 @@ SILC_PKCS_API_ENCRYPT(rsa) SILC_PKCS_API_DECRYPT(rsa) { RsaKey *key = (RsaKey *)context; - int i, tmplen; - SilcInt mp_tmp; - SilcInt mp_dst; + int tmplen; + SilcMPInt mp_tmp; + SilcMPInt mp_dst; - silc_mp_init_set_ui(&mp_tmp, 0); - silc_mp_init_set_ui(&mp_dst, 0); + silc_mp_init(&mp_tmp); + silc_mp_init(&mp_dst); /* Format the data into MP int */ - for (i = 0; i < src_len; i++) { - silc_mp_mul_2exp(&mp_tmp, &mp_tmp, 8); - silc_mp_add_ui(&mp_tmp, &mp_tmp, src[i]); - } - - silc_mp_out_str(stderr, 16, &mp_tmp); + silc_mp_bin2mp(src, src_len, &mp_tmp); /* Decrypt */ rsa_en_de_crypt(&mp_dst, &mp_tmp, &key->d, &key->n); - fprintf(stderr, "\n"); - silc_mp_out_str(stderr, 16, &mp_dst); - - tmplen = (1024 + 7) / 8; + tmplen = (key->bits + 7) / 8; /* Format the MP int back into data */ - for (i = tmplen; i > 0; i--) { - dst[i - 1] = (unsigned char)(silc_mp_get_ui(&mp_dst) & 0xff); - silc_mp_fdiv_q_2exp(&mp_dst, &mp_dst, 8); - } + silc_mp_mp2bin_noalloc(&mp_dst, dst, tmplen); *dst_len = tmplen; - silc_mp_clear(&mp_tmp); - silc_mp_clear(&mp_dst); + silc_mp_uninit(&mp_tmp); + silc_mp_uninit(&mp_dst); return TRUE; } @@ -392,33 +420,27 @@ SILC_PKCS_API_DECRYPT(rsa) SILC_PKCS_API_SIGN(rsa) { RsaKey *key = (RsaKey *)context; - int i, tmplen; - SilcInt mp_tmp; - SilcInt mp_dst; + int tmplen; + SilcMPInt mp_tmp; + SilcMPInt mp_dst; - silc_mp_init_set_ui(&mp_tmp, 0); - silc_mp_init_set_ui(&mp_dst, 0); + silc_mp_init(&mp_tmp); + silc_mp_init(&mp_dst); /* Format the data into MP int */ - for (i = 0; i < src_len; i++) { - silc_mp_mul_2exp(&mp_tmp, &mp_tmp, 8); - silc_mp_add_ui(&mp_tmp, &mp_tmp, src[i]); - } + silc_mp_bin2mp(src, src_len, &mp_tmp); /* Sign */ rsa_en_de_crypt(&mp_dst, &mp_tmp, &key->d, &key->n); - tmplen = (1024 + 7) / 8; + tmplen = (key->bits + 7) / 8; /* Format the MP int back into data */ - for (i = tmplen; i > 0; i--) { - dst[i - 1] = (unsigned char)(silc_mp_get_ui(&mp_dst) & 0xff); - silc_mp_fdiv_q_2exp(&mp_dst, &mp_dst, 8); - } + silc_mp_mp2bin_noalloc(&mp_dst, dst, tmplen); *dst_len = tmplen; - silc_mp_clear(&mp_tmp); - silc_mp_clear(&mp_dst); + silc_mp_uninit(&mp_tmp); + silc_mp_uninit(&mp_dst); return TRUE; } @@ -426,28 +448,22 @@ SILC_PKCS_API_SIGN(rsa) SILC_PKCS_API_VERIFY(rsa) { RsaKey *key = (RsaKey *)context; - int i, ret; - SilcInt mp_tmp, mp_tmp2; - SilcInt mp_dst; + int ret; + SilcMPInt mp_tmp, mp_tmp2; + SilcMPInt mp_dst; - silc_mp_init_set_ui(&mp_tmp, 0); - silc_mp_init_set_ui(&mp_tmp2, 0); - silc_mp_init_set_ui(&mp_dst, 0); + silc_mp_init(&mp_tmp); + silc_mp_init(&mp_tmp2); + silc_mp_init(&mp_dst); /* Format the signature into MP int */ - for (i = 0; i < signature_len; i++) { - silc_mp_mul_2exp(&mp_tmp2, &mp_tmp2, 8); - silc_mp_add_ui(&mp_tmp2, &mp_tmp2, signature[i]); - } + silc_mp_bin2mp(signature, signature_len, &mp_tmp2); /* Verify */ rsa_en_de_crypt(&mp_dst, &mp_tmp2, &key->e, &key->n); /* Format the data into MP int */ - for (i = 0; i < data_len; i++) { - silc_mp_mul_2exp(&mp_tmp, &mp_tmp, 8); - silc_mp_add_ui(&mp_tmp, &mp_tmp, data[i]); - } + silc_mp_bin2mp(data, data_len, &mp_tmp); ret = TRUE; @@ -455,9 +471,9 @@ SILC_PKCS_API_VERIFY(rsa) if ((silc_mp_cmp(&mp_tmp, &mp_dst)) != 0) ret = FALSE; - silc_mp_clear(&mp_tmp); - silc_mp_clear(&mp_tmp2); - silc_mp_clear(&mp_dst); + silc_mp_uninit(&mp_tmp); + silc_mp_uninit(&mp_tmp2); + silc_mp_uninit(&mp_dst); return ret; } @@ -466,41 +482,39 @@ SILC_PKCS_API_VERIFY(rsa) to compute the modulus n has to be generated before calling this. They are then sent as argument for the function. */ -void rsa_generate_keys(RsaKey *key, unsigned int bits, - SilcInt *p, SilcInt *q) +void rsa_generate_keys(RsaKey *key, SilcUInt32 bits, + SilcMPInt *p, SilcMPInt *q) { - SilcInt phi, hlp; - SilcInt dq; - SilcInt pm1, qm1; + SilcMPInt phi, hlp; + SilcMPInt div, lcm; + SilcMPInt pm1, qm1; /* Initialize variables */ - silc_mp_init(&key->p); - silc_mp_init(&key->q); silc_mp_init(&key->n); silc_mp_init(&key->e); silc_mp_init(&key->d); silc_mp_init(&phi); silc_mp_init(&hlp); - silc_mp_init(&dq); + silc_mp_init(&div); + silc_mp_init(&lcm); silc_mp_init(&pm1); silc_mp_init(&qm1); - /* Set the primes */ - silc_mp_set(&key->p, p); - silc_mp_set(&key->q, q); - + /* Set modulus length */ + key->bits = bits; + /* Compute modulus, n = p * q */ - silc_mp_mul(&key->n, &key->p, &key->q); + silc_mp_mul(&key->n, p, q); /* phi = (p - 1) * (q - 1) */ - silc_mp_sub_ui(&pm1, &key->p, 1); - silc_mp_sub_ui(&qm1, &key->q, 1); + silc_mp_sub_ui(&pm1, p, 1); + silc_mp_sub_ui(&qm1, q, 1); silc_mp_mul(&phi, &pm1, &qm1); /* Set e, the public exponent. We try to use same public exponent for all keys. Also, to make encryption faster we use small number. */ - silc_mp_set_ui(&key->e, 127); + silc_mp_set_ui(&key->e, 65533); retry_e: /* See if e is relatively prime to phi. gcd == greates common divisor, if gcd equals 1 they are relatively prime. */ @@ -510,16 +524,17 @@ void rsa_generate_keys(RsaKey *key, unsigned int bits, goto retry_e; } - /* Find d, the private exponent. First we do phi / 2, to get it a - bit smaller */ - silc_mp_div_ui(&dq, &phi, 2); - silc_mp_modinv(&key->d, &key->e, &dq); + /* Find d, the private exponent, e ^ -1 mod lcm(phi). */ + silc_mp_gcd(&div, &pm1, &qm1); + silc_mp_div(&lcm, &phi, &div); + silc_mp_modinv(&key->d, &key->e, &lcm); - silc_mp_clear(&phi); - silc_mp_clear(&hlp); - silc_mp_clear(&dq); - silc_mp_clear(&pm1); - silc_mp_clear(&qm1); + silc_mp_uninit(&phi); + silc_mp_uninit(&hlp); + silc_mp_uninit(&div); + silc_mp_uninit(&lcm); + silc_mp_uninit(&pm1); + silc_mp_uninit(&qm1); } /* Clears whole key structure. */ @@ -527,11 +542,12 @@ void rsa_generate_keys(RsaKey *key, unsigned int bits, void rsa_clear_keys(RsaKey *key) { key->bits = 0; - silc_mp_clear(&key->p); - silc_mp_clear(&key->q); - silc_mp_clear(&key->n); - silc_mp_clear(&key->e); - silc_mp_clear(&key->d); + if (key->pub_set) { + silc_mp_uninit(&key->n); + silc_mp_uninit(&key->e); + } + if (key->prv_set) + silc_mp_uninit(&key->d); } /* RSA encrypt/decrypt function. cm = ciphertext or plaintext, @@ -542,8 +558,8 @@ void rsa_clear_keys(RsaKey *key) Decrypt: m = c ^ d mod n */ -void rsa_en_de_crypt(SilcInt *cm, SilcInt *mc, - SilcInt *expo, SilcInt *modu) +void rsa_en_de_crypt(SilcMPInt *cm, SilcMPInt *mc, + SilcMPInt *expo, SilcMPInt *modu) { - silc_mp_powm(cm, mc, expo, modu); + silc_mp_pow_mod(cm, mc, expo, modu); }