/* * rsa.c RSA Public and Private key generation functions, * RSA encrypt and decrypt functions. * * Author: Pekka Riikonen * * Copyright (C) 1997 - 2001 Pekka Riikonen * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * Created: Sat Mar 1 13:26:45 1997 pekka * * RSA public key cryptographic algorithm used in this distribution is: * * Key generation: * p, q primes * p != q * n = p * q modulus * * Public key exponent: * e relatively prime to (p-1) * (q-1) * Private key exponent: * d = e ^ -1 mod lcm(((p-1) * (q-1))) * * Encryption: * c = m ^ e mod n * Decryption: * m = c ^ d mod n * * This code is based on SSH's (Secure Shell), PGP's (Pretty Good Privacy) * and RSAREF Toolkit's RSA source codes. They all were a big help for me. * * I also suggest reading Bruce Schneier's; Applied Cryptography, Second * Edition, John Wiley & Sons, Inc. 1996. This book deals about RSA and * everything else too about cryptography. * */ /* $Id$ */ /* ChangeLog o Mon Feb 12 11:20:32 EET 2001 Pekka Changed RSA private exponent generation to what PKCS #1 suggests. We try to find the smallest possible d by doing modinv(e, lcm(phi)) instead of modinv(e, phi). Note: this is not security fix but optimization. o Tue Feb 20 13:58:58 EET 2001 Pekka Set key->bits in rsa_generate_key. It is the modulus length in bits. The `tmplen' in encrypt, decrypt, sign and verify PKCS API functions is now calculated by (key->bits + 7) / 8. It is the length of one block. */ #include "silcincludes.h" #include "rsa.h" /* * SILC PKCS API for RSA */ /* Generates RSA key pair. */ SILC_PKCS_API_INIT(rsa) { uint32 prime_bits = keylen / 2; SilcInt p, q; printf("Generating RSA Public and Private keys, might take a while...\n"); silc_mp_init(&p); silc_mp_init(&q); /* Find p and q */ retry_primes: printf("Finding p: "); silc_math_gen_prime(&p, prime_bits, TRUE); printf("\nFinding q: "); silc_math_gen_prime(&q, prime_bits, TRUE); if ((silc_mp_cmp(&p, &q)) == 0) { printf("\nFound equal primes, not good, retrying...\n"); goto retry_primes; } /* If p is smaller than q, switch them */ if ((silc_mp_cmp(&p, &q)) > 0) { SilcInt hlp; silc_mp_init(&hlp); silc_mp_set(&hlp, &p); silc_mp_set(&p, &q); silc_mp_set(&q, &hlp); silc_mp_clear(&hlp); } /* Generate the actual keys */ rsa_generate_keys((RsaKey *)context, keylen, &p, &q); silc_mp_clear(&p); silc_mp_clear(&q); printf("\nKeys generated succesfully.\n"); return TRUE; } SILC_PKCS_API_CLEAR_KEYS(rsa) { rsa_clear_keys((RsaKey *)context); } /* Returns SILC style encoded RSA public key. */ SILC_PKCS_API_GET_PUBLIC_KEY(rsa) { RsaKey *key = (RsaKey *)context; unsigned char *e, *n, *ret; uint32 e_len, n_len; unsigned char tmp[4]; e = silc_mp_mp2bin(&key->e, 0, &e_len); n = silc_mp_mp2bin(&key->n, key->bits / 8, &n_len); *ret_len = e_len + 4 + n_len + 4; ret = silc_calloc(*ret_len, sizeof(unsigned char)); /* Put the length of the e. */ SILC_PUT32_MSB(e_len, tmp); memcpy(ret, tmp, 4); /* Put the e. */ memcpy(ret + 4, e, e_len); /* Put the length of the n. */ SILC_PUT32_MSB(n_len, tmp); memcpy(ret + 4 + e_len, tmp, 4); /* Put the n. */ memcpy(ret + 4 + e_len + 4, n, n_len); memset(e, 0, e_len); memset(n, 0, n_len); silc_free(e); silc_free(n); return ret; } /* Returns SILC style encoded RSA private key. Public key is always returned in private key as well. Public keys are often derived directly from private key. */ SILC_PKCS_API_GET_PRIVATE_KEY(rsa) { RsaKey *key = (RsaKey *)context; unsigned char *e, *n, *d, *ret; uint32 e_len, n_len, d_len; unsigned char tmp[4]; e = silc_mp_mp2bin(&key->e, 0, &e_len); n = silc_mp_mp2bin(&key->n, key->bits / 8, &n_len); d = silc_mp_mp2bin(&key->d, 0, &d_len); *ret_len = e_len + 4 + n_len + 4 + d_len + 4; ret = silc_calloc(*ret_len, sizeof(unsigned char)); /* Put the length of the e. */ SILC_PUT32_MSB(e_len, tmp); memcpy(ret, tmp, 4); /* Put the e. */ memcpy(ret + 4, e, e_len); /* Put the length of the n. */ SILC_PUT32_MSB(n_len, tmp); memcpy(ret + 4 + e_len, tmp, 4); /* Put the n. */ memcpy(ret + 4 + e_len + 4, n, n_len); /* Put the length of the d. */ SILC_PUT32_MSB(d_len, tmp); memcpy(ret + 4 + e_len + 4 + n_len, tmp, 4); /* Put the n. */ memcpy(ret + 4 + e_len + 4 + n_len + 4, d, d_len); memset(e, 0, e_len); memset(n, 0, n_len); memset(d, 0, d_len); silc_free(e); silc_free(n); silc_free(d); return ret; } /* Set public key */ SILC_PKCS_API_SET_PUBLIC_KEY(rsa) { RsaKey *key = (RsaKey *)context; unsigned char tmp[4]; uint32 e_len, n_len; silc_mp_init(&key->e); silc_mp_init(&key->n); memcpy(tmp, key_data, 4); SILC_GET32_MSB(e_len, tmp); if (e_len > key_len) { silc_mp_clear(&key->e); silc_mp_clear(&key->n); return 0; } silc_mp_bin2mp(key_data + 4, e_len, &key->e); memcpy(tmp, key_data + 4 + e_len, 4); SILC_GET32_MSB(n_len, tmp); if (e_len + n_len > key_len) { silc_mp_clear(&key->e); silc_mp_clear(&key->n); return 0; } silc_mp_bin2mp(key_data + 4 + e_len + 4, n_len, &key->n); key->bits = n_len * 8; return key->bits; } /* Set private key. This derives the public key from the private key and sets the public key as well. Public key should not be set already and should not be set after setting private key. */ SILC_PKCS_API_SET_PRIVATE_KEY(rsa) { RsaKey *key = (RsaKey *)context; unsigned char tmp[4]; uint32 e_len, n_len, d_len; silc_mp_init(&key->e); silc_mp_init(&key->n); silc_mp_init(&key->d); memcpy(tmp, key_data, 4); SILC_GET32_MSB(e_len, tmp); if (e_len > key_len) { silc_mp_clear(&key->e); silc_mp_clear(&key->n); return FALSE; } silc_mp_bin2mp(key_data + 4, e_len, &key->e); memcpy(tmp, key_data + 4 + e_len, 4); SILC_GET32_MSB(n_len, tmp); if (e_len + n_len > key_len) { silc_mp_clear(&key->e); silc_mp_clear(&key->n); return FALSE; } silc_mp_bin2mp(key_data + 4 + e_len + 4, n_len, &key->n); memcpy(tmp, key_data + 4 + e_len + 4 + n_len, 4); SILC_GET32_MSB(d_len, tmp); if (e_len + n_len + d_len > key_len) { silc_mp_clear(&key->e); silc_mp_clear(&key->n); return FALSE; } silc_mp_bin2mp(key_data + 4 + e_len + 4 + n_len + 4, d_len, &key->d); key->bits = n_len * 8; return TRUE; } SILC_PKCS_API_CONTEXT_LEN(rsa) { return sizeof(RsaKey); } SILC_PKCS_API_DATA_CONTEXT_LEN(rsa) { return sizeof(RsaDataContext); } SILC_PKCS_API_SET_ARG(rsa) { RsaDataContext *data_ctx = (RsaDataContext *)data_context; switch(argnum) { case 1: data_ctx->src = val; return TRUE; break; case 2: data_ctx->dst = val; return TRUE; break; case 3: data_ctx->exp = val; return TRUE; break; case 4: data_ctx->mod = val; return TRUE; break; default: return FALSE; break; } return FALSE; } SILC_PKCS_API_ENCRYPT(rsa) { RsaKey *key = (RsaKey *)context; int i, tmplen; SilcInt mp_tmp; SilcInt mp_dst; silc_mp_init_set_ui(&mp_tmp, 0); silc_mp_init_set_ui(&mp_dst, 0); /* Format the data into MP int */ for (i = 0; i < src_len; i++) { silc_mp_mul_2exp(&mp_tmp, &mp_tmp, 8); silc_mp_add_ui(&mp_tmp, &mp_tmp, src[i]); } /* Encrypt */ rsa_en_de_crypt(&mp_dst, &mp_tmp, &key->e, &key->n); tmplen = (key->bits + 7) / 8; /* Format the MP int back into data */ for (i = tmplen; i > 0; i--) { dst[i - 1] = (unsigned char)(silc_mp_get_ui(&mp_dst) & 0xff); silc_mp_fdiv_q_2exp(&mp_dst, &mp_dst, 8); } *dst_len = tmplen; silc_mp_clear(&mp_tmp); silc_mp_clear(&mp_dst); return TRUE; } SILC_PKCS_API_DECRYPT(rsa) { RsaKey *key = (RsaKey *)context; int i, tmplen; SilcInt mp_tmp; SilcInt mp_dst; silc_mp_init_set_ui(&mp_tmp, 0); silc_mp_init_set_ui(&mp_dst, 0); /* Format the data into MP int */ for (i = 0; i < src_len; i++) { silc_mp_mul_2exp(&mp_tmp, &mp_tmp, 8); silc_mp_add_ui(&mp_tmp, &mp_tmp, src[i]); } /* Decrypt */ rsa_en_de_crypt(&mp_dst, &mp_tmp, &key->d, &key->n); tmplen = (key->bits + 7) / 8; /* Format the MP int back into data */ for (i = tmplen; i > 0; i--) { dst[i - 1] = (unsigned char)(silc_mp_get_ui(&mp_dst) & 0xff); silc_mp_fdiv_q_2exp(&mp_dst, &mp_dst, 8); } *dst_len = tmplen; silc_mp_clear(&mp_tmp); silc_mp_clear(&mp_dst); return TRUE; } SILC_PKCS_API_SIGN(rsa) { RsaKey *key = (RsaKey *)context; int i, tmplen; SilcInt mp_tmp; SilcInt mp_dst; silc_mp_init_set_ui(&mp_tmp, 0); silc_mp_init_set_ui(&mp_dst, 0); /* Format the data into MP int */ for (i = 0; i < src_len; i++) { silc_mp_mul_2exp(&mp_tmp, &mp_tmp, 8); silc_mp_add_ui(&mp_tmp, &mp_tmp, src[i]); } /* Sign */ rsa_en_de_crypt(&mp_dst, &mp_tmp, &key->d, &key->n); tmplen = (key->bits + 7) / 8; /* Format the MP int back into data */ for (i = tmplen; i > 0; i--) { dst[i - 1] = (unsigned char)(silc_mp_get_ui(&mp_dst) & 0xff); silc_mp_fdiv_q_2exp(&mp_dst, &mp_dst, 8); } *dst_len = tmplen; silc_mp_clear(&mp_tmp); silc_mp_clear(&mp_dst); return TRUE; } SILC_PKCS_API_VERIFY(rsa) { RsaKey *key = (RsaKey *)context; int i, ret; SilcInt mp_tmp, mp_tmp2; SilcInt mp_dst; silc_mp_init_set_ui(&mp_tmp, 0); silc_mp_init_set_ui(&mp_tmp2, 0); silc_mp_init_set_ui(&mp_dst, 0); /* Format the signature into MP int */ for (i = 0; i < signature_len; i++) { silc_mp_mul_2exp(&mp_tmp2, &mp_tmp2, 8); silc_mp_add_ui(&mp_tmp2, &mp_tmp2, signature[i]); } /* Verify */ rsa_en_de_crypt(&mp_dst, &mp_tmp2, &key->e, &key->n); /* Format the data into MP int */ for (i = 0; i < data_len; i++) { silc_mp_mul_2exp(&mp_tmp, &mp_tmp, 8); silc_mp_add_ui(&mp_tmp, &mp_tmp, data[i]); } ret = TRUE; /* Compare */ if ((silc_mp_cmp(&mp_tmp, &mp_dst)) != 0) ret = FALSE; silc_mp_clear(&mp_tmp); silc_mp_clear(&mp_tmp2); silc_mp_clear(&mp_dst); return ret; } /* Generates RSA public and private keys. Primes p and q that are used to compute the modulus n has to be generated before calling this. They are then sent as argument for the function. */ void rsa_generate_keys(RsaKey *key, uint32 bits, SilcInt *p, SilcInt *q) { SilcInt phi, hlp; SilcInt div, lcm; SilcInt pm1, qm1; /* Initialize variables */ silc_mp_init(&key->p); silc_mp_init(&key->q); silc_mp_init(&key->n); silc_mp_init(&key->e); silc_mp_init(&key->d); silc_mp_init(&phi); silc_mp_init(&hlp); silc_mp_init(&div); silc_mp_init(&lcm); silc_mp_init(&pm1); silc_mp_init(&qm1); /* Set modulus length */ key->bits = bits; /* Set the primes */ silc_mp_set(&key->p, p); silc_mp_set(&key->q, q); /* Compute modulus, n = p * q */ silc_mp_mul(&key->n, &key->p, &key->q); /* phi = (p - 1) * (q - 1) */ silc_mp_sub_ui(&pm1, &key->p, 1); silc_mp_sub_ui(&qm1, &key->q, 1); silc_mp_mul(&phi, &pm1, &qm1); /* Set e, the public exponent. We try to use same public exponent for all keys. Also, to make encryption faster we use small number. */ silc_mp_set_ui(&key->e, 127); retry_e: /* See if e is relatively prime to phi. gcd == greates common divisor, if gcd equals 1 they are relatively prime. */ silc_mp_gcd(&hlp, &key->e, &phi); if((silc_mp_cmp_ui(&hlp, 1)) > 0) { silc_mp_add_ui(&key->e, &key->e, 2); goto retry_e; } /* Find d, the private exponent. */ silc_mp_gcd(&div, &pm1, &qm1); silc_mp_fdiv_q(&lcm, &phi, &div); silc_mp_modinv(&key->d, &key->e, &lcm); silc_mp_clear(&phi); silc_mp_clear(&hlp); silc_mp_clear(&div); silc_mp_clear(&lcm); silc_mp_clear(&pm1); silc_mp_clear(&qm1); } /* Clears whole key structure. */ void rsa_clear_keys(RsaKey *key) { key->bits = 0; silc_mp_clear(&key->p); silc_mp_clear(&key->q); silc_mp_clear(&key->n); silc_mp_clear(&key->e); silc_mp_clear(&key->d); } /* RSA encrypt/decrypt function. cm = ciphertext or plaintext, mc = plaintext or ciphertext, expo = public or private exponent, and modu = modulus. Encrypt: c = m ^ e mod n, Decrypt: m = c ^ d mod n */ void rsa_en_de_crypt(SilcInt *cm, SilcInt *mc, SilcInt *expo, SilcInt *modu) { silc_mp_powm(cm, mc, expo, modu); }