1 /* rsa.c - RSA function
2 * Copyright (C) 1997, 1998, 1999 by Werner Koch (dd9jn)
3 * Copyright (C) 2000, 2001, 2002, 2003 Free Software Foundation, Inc.
5 * This file is part of Libgcrypt.
7 * Libgcrypt is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU Lesser General Public License as
9 * published by the Free Software Foundation; either version 2.1 of
10 * the License, or (at your option) any later version.
12 * Libgcrypt is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU Lesser General Public License for more details.
17 * You should have received a copy of the GNU Lesser General Public
18 * License along with this program; if not, write to the Free Software
19 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
22 /* This code uses an algorithm protected by U.S. Patent #4,405,829
23 which expired on September 20, 2000. The patent holder placed that
24 patent into the public domain on Sep 6th, 2000.
44 MPI n
; /* public modulus */
45 MPI e
; /* public exponent */
49 MPI u
; /* inverse of p mod q. */
53 static void test_keys( RSA_secret_key
*sk
, unsigned nbits
);
54 static void generate (RSA_secret_key
*sk
,
55 unsigned int nbits
, unsigned long use_e
);
56 static int check_secret_key( RSA_secret_key
*sk
);
57 static void public(MPI output
, MPI input
, RSA_public_key
*skey
);
58 static void secret(MPI output
, MPI input
, RSA_secret_key
*skey
);
62 test_keys( RSA_secret_key
*sk
, unsigned nbits
)
65 MPI test
= gcry_mpi_new ( nbits
);
66 MPI out1
= gcry_mpi_new ( nbits
);
67 MPI out2
= gcry_mpi_new ( nbits
);
71 gcry_mpi_randomize( test
, nbits
, GCRY_WEAK_RANDOM
);
73 public( out1
, test
, &pk
);
74 secret( out2
, out1
, sk
);
75 if( mpi_cmp( test
, out2
) )
76 log_fatal("RSA operation: public, secret failed\n");
77 secret( out1
, test
, sk
);
78 public( out2
, out1
, &pk
);
79 if( mpi_cmp( test
, out2
) )
80 log_fatal("RSA operation: secret, public failed\n");
81 gcry_mpi_release ( test
);
82 gcry_mpi_release ( out1
);
83 gcry_mpi_release ( out2
);
87 /* Callback used by the prime generation to test whether the exponent
88 is suitable. Returns 0 if the test has been passed. */
90 check_exponent (void *arg
, MPI a
)
97 tmp
= _gcry_mpi_alloc_like (a
);
98 result
= !gcry_mpi_gcd(tmp
, e
, a
); /* GCD is not 1. */
99 gcry_mpi_release (tmp
);
100 mpi_add_ui (a
, a
, 1);
105 * Generate a key pair with a key of size NBITS.
106 * USE_E = 0 let Libcgrypt decide what exponent to use.
107 * = 1 request the use of a "secure" exponent; this is required by some
108 * specification to be 65537.
109 * > 2 Try starting at this value until a working exponent is found.
110 * Returns: 2 structures filled with all needed values
113 generate (RSA_secret_key
*sk
, unsigned int nbits
, unsigned long use_e
)
115 MPI p
, q
; /* the two primes */
116 MPI d
; /* the private key */
119 MPI n
; /* the public key */
120 MPI e
; /* the exponent */
121 MPI phi
; /* helper: (p-1)(q-1) */
125 /* make sure that nbits is even so that we generate p, q of equal size */
129 if (use_e
== 1) /* Alias for a secure value. */
130 use_e
= 65537; /* as demanded by Spinx. */
133 In general we use 41 as this is quite fast and more secure than the
134 commonly used 17. Benchmarking the RSA verify function
135 with a 1024 bit key yields (2001-11-08):
141 e
= mpi_alloc( (32+BITS_PER_MPI_LIMB
-1)/BITS_PER_MPI_LIMB
);
143 mpi_set_ui (e
, 41); /* This is a reasonable secure and fast value */
146 use_e
|= 1; /* make sure this is odd */
147 mpi_set_ui (e
, use_e
);
150 n
= gcry_mpi_new (nbits
);
154 /* select two (very secret) primes */
156 gcry_mpi_release (p
);
158 gcry_mpi_release (q
);
160 { /* Do an extra test to ensure that the given exponent is
162 p
= _gcry_generate_secret_prime (nbits
/2, check_exponent
, e
);
163 q
= _gcry_generate_secret_prime (nbits
/2, check_exponent
, e
);
166 { /* We check the exponent later. */
167 p
= _gcry_generate_secret_prime (nbits
/2, NULL
, NULL
);
168 q
= _gcry_generate_secret_prime (nbits
/2, NULL
, NULL
);
170 if (mpi_cmp (p
, q
) > 0 ) /* p shall be smaller than q (for calc of u)*/
172 /* calculate the modulus */
174 } while ( mpi_get_nbits(n
) != nbits
);
176 /* calculate Euler totient: phi = (p-1)(q-1) */
177 t1
= mpi_alloc_secure( mpi_get_nlimbs(p
) );
178 t2
= mpi_alloc_secure( mpi_get_nlimbs(p
) );
179 phi
= gcry_mpi_snew ( nbits
);
180 g
= gcry_mpi_snew ( nbits
);
181 f
= gcry_mpi_snew ( nbits
);
182 mpi_sub_ui( t1
, p
, 1 );
183 mpi_sub_ui( t2
, q
, 1 );
184 mpi_mul( phi
, t1
, t2
);
185 gcry_mpi_gcd(g
, t1
, t2
);
186 mpi_fdiv_q(f
, phi
, g
);
188 while (!gcry_mpi_gcd(t1
, e
, phi
)) /* (while gcd is not 1) */
191 BUG (); /* The prime generator already made sure that we
192 never can get to here. */
193 mpi_add_ui (e
, e
, 2);
196 /* calculate the secret key d = e^1 mod phi */
197 d
= gcry_mpi_snew ( nbits
);
199 /* calculate the inverse of p and q (used for chinese remainder theorem)*/
200 u
= gcry_mpi_snew ( nbits
);
204 log_mpidump(" p= ", p
);
205 log_mpidump(" q= ", q
);
206 log_mpidump("phi= ", phi
);
207 log_mpidump(" g= ", g
);
208 log_mpidump(" f= ", f
);
209 log_mpidump(" n= ", n
);
210 log_mpidump(" e= ", e
);
211 log_mpidump(" d= ", d
);
212 log_mpidump(" u= ", u
);
215 gcry_mpi_release (t1
);
216 gcry_mpi_release (t2
);
217 gcry_mpi_release (phi
);
218 gcry_mpi_release (f
);
219 gcry_mpi_release (g
);
228 /* now we can test our keys (this should never fail!) */
229 test_keys( sk
, nbits
- 64 );
234 * Test wether the secret key is valid.
235 * Returns: true if this is a valid key.
238 check_secret_key( RSA_secret_key
*sk
)
241 MPI temp
= mpi_alloc( mpi_get_nlimbs(sk
->p
)*2 );
243 mpi_mul(temp
, sk
->p
, sk
->q
);
244 rc
= mpi_cmp( temp
, sk
->n
);
252 * Public key operation. Encrypt INPUT with PKEY and put result into OUTPUT.
256 * Where c is OUTPUT, m is INPUT and e,n are elements of PKEY.
259 public(MPI output
, MPI input
, RSA_public_key
*pkey
)
261 if( output
== input
) { /* powm doesn't like output and input the same */
262 MPI x
= mpi_alloc( mpi_get_nlimbs(input
)*2 );
263 mpi_powm( x
, input
, pkey
->e
, pkey
->n
);
268 mpi_powm( output
, input
, pkey
->e
, pkey
->n
);
273 stronger_key_check ( RSA_secret_key
*skey
)
275 MPI t
= mpi_alloc_secure ( 0 );
276 MPI t1
= mpi_alloc_secure ( 0 );
277 MPI t2
= mpi_alloc_secure ( 0 );
278 MPI phi
= mpi_alloc_secure ( 0 );
280 /* check that n == p * q */
281 mpi_mul( t
, skey
->p
, skey
->q
);
282 if (mpi_cmp( t
, skey
->n
) )
283 log_info ( "RSA Oops: n != p * q\n" );
285 /* check that p is less than q */
286 if( mpi_cmp( skey
->p
, skey
->q
) > 0 )
288 log_info ("RSA Oops: p >= q - fixed\n");
289 _gcry_mpi_swap ( skey
->p
, skey
->q
);
292 /* check that e divides neither p-1 nor q-1 */
293 mpi_sub_ui(t
, skey
->p
, 1 );
294 mpi_fdiv_r(t
, t
, skey
->e
);
295 if ( !mpi_cmp_ui( t
, 0) )
296 log_info ( "RSA Oops: e divides p-1\n" );
297 mpi_sub_ui(t
, skey
->q
, 1 );
298 mpi_fdiv_r(t
, t
, skey
->e
);
299 if ( !mpi_cmp_ui( t
, 0) )
300 log_info ( "RSA Oops: e divides q-1\n" );
302 /* check that d is correct */
303 mpi_sub_ui( t1
, skey
->p
, 1 );
304 mpi_sub_ui( t2
, skey
->q
, 1 );
305 mpi_mul( phi
, t1
, t2
);
306 gcry_mpi_gcd(t
, t1
, t2
);
307 mpi_fdiv_q(t
, phi
, t
);
308 mpi_invm(t
, skey
->e
, t
);
309 if ( mpi_cmp(t
, skey
->d
) )
311 log_info ( "RSA Oops: d is wrong - fixed\n");
312 mpi_set (skey
->d
, t
);
313 _gcry_log_mpidump (" fixed d", skey
->d
);
316 /* check for correctness of u */
317 mpi_invm(t
, skey
->p
, skey
->q
);
318 if ( mpi_cmp(t
, skey
->u
) )
320 log_info ( "RSA Oops: u is wrong - fixed\n");
321 mpi_set (skey
->u
, t
);
322 _gcry_log_mpidump (" fixed u", skey
->u
);
325 log_info ( "RSA secret key check finished\n");
337 * Secret key operation. Encrypt INPUT with SKEY and put result into OUTPUT.
343 * m1 = c ^ (d mod (p-1)) mod p
344 * m2 = c ^ (d mod (q-1)) mod q
345 * h = u * (m2 - m1) mod q
348 * Where m is OUTPUT, c is INPUT and d,n,p,q,u are elements of SKEY.
351 secret(MPI output
, MPI input
, RSA_secret_key
*skey
)
354 mpi_powm( output
, input
, skey
->d
, skey
->n
);
356 MPI m1
= mpi_alloc_secure( mpi_get_nlimbs(skey
->n
)+1 );
357 MPI m2
= mpi_alloc_secure( mpi_get_nlimbs(skey
->n
)+1 );
358 MPI h
= mpi_alloc_secure( mpi_get_nlimbs(skey
->n
)+1 );
360 /* m1 = c ^ (d mod (p-1)) mod p */
361 mpi_sub_ui( h
, skey
->p
, 1 );
362 mpi_fdiv_r( h
, skey
->d
, h
);
363 mpi_powm( m1
, input
, h
, skey
->p
);
364 /* m2 = c ^ (d mod (q-1)) mod q */
365 mpi_sub_ui( h
, skey
->q
, 1 );
366 mpi_fdiv_r( h
, skey
->d
, h
);
367 mpi_powm( m2
, input
, h
, skey
->q
);
368 /* h = u * ( m2 - m1 ) mod q */
369 mpi_sub( h
, m2
, m1
);
370 if ( mpi_is_neg( h
) )
371 mpi_add ( h
, h
, skey
->q
);
372 mpi_mulm( h
, skey
->u
, h
, skey
->q
);
374 mpi_mul ( h
, h
, skey
->p
);
375 mpi_add ( output
, m1
, h
);
386 /*********************************************
387 ************** interface ******************
388 *********************************************/
391 _gcry_rsa_generate (int algo
, unsigned int nbits
, unsigned long use_e
,
392 MPI
*skey
, MPI
**retfactors
)
397 return GCRYERR_INV_PK_ALGO
;
399 generate( &sk
, nbits
, use_e
);
406 /* make an empty list of factors */
407 *retfactors
= gcry_xcalloc( 1, sizeof **retfactors
);
413 _gcry_rsa_check_secret_key( int algo
, MPI
*skey
)
418 return GCRYERR_INV_PK_ALGO
;
426 if( !check_secret_key( &sk
) )
427 return GCRYERR_INV_PK_ALGO
;
435 _gcry_rsa_encrypt (int algo
, MPI
*resarr
, MPI data
, MPI
*pkey
,
440 if( algo
!= 1 && algo
!= 2 )
441 return GCRYERR_INV_PK_ALGO
;
445 resarr
[0] = mpi_alloc( mpi_get_nlimbs( pk
.n
) );
446 public( resarr
[0], data
, &pk
);
450 /* Perform RSA blinding. */
452 _gcry_rsa_blind (MPI x
, MPI r
, MPI e
, MPI n
)
460 a
= gcry_mpi_snew (gcry_mpi_get_nbits (n
));
461 y
= gcry_mpi_snew (gcry_mpi_get_nbits (n
));
463 /* Now we calculate: y = (x * r^e) mod n, where r is the random
464 number, e is the public exponent, x is the non-blinded data and n
465 is the RSA modulus. */
466 gcry_mpi_powm (a
, r
, e
, n
);
467 gcry_mpi_mulm (y
, a
, x
, n
);
469 gcry_mpi_release (a
);
474 /* Undo RSA blinding. */
476 _gcry_rsa_unblind (MPI x
, MPI ri
, MPI n
)
480 y
= gcry_mpi_snew (gcry_mpi_get_nbits (n
));
482 /* Here we calculate: y = (x * r^-1) mod n, where x is the blinded
483 decrypted data, ri is the modular multiplicative inverse of r and
484 n is the RSA modulus. */
486 gcry_mpi_mulm (y
, ri
, x
, n
);
492 _gcry_rsa_decrypt (int algo
, MPI
*result
, MPI
*data
, MPI
*skey
,
496 GcryMPI r
= MPI_NULL
; /* Random number needed for
498 GcryMPI ri
= MPI_NULL
; /* Modular multiplicative inverse of
500 GcryMPI x
= MPI_NULL
; /* Data to decrypt. */
501 GcryMPI y
; /* Result. */
503 if (algo
!= 1 && algo
!= 2)
504 return GCRYERR_INV_PK_ALGO
;
506 /* Extract private key. */
514 y
= gcry_mpi_snew (gcry_mpi_get_nbits (sk
.n
));
516 if (! (flags
& PUBKEY_FLAG_NO_BLINDING
))
518 /* Initialize blinding. */
520 /* First, we need a random number r between 0 and n - 1, which
521 is relatively prime to n (i.e. it is neither p nor q). */
522 r
= gcry_mpi_snew (gcry_mpi_get_nbits (sk
.n
));
523 ri
= gcry_mpi_snew (gcry_mpi_get_nbits (sk
.n
));
525 gcry_mpi_randomize (r
, gcry_mpi_get_nbits (sk
.n
),
527 gcry_mpi_mod (r
, r
, sk
.n
);
529 /* Actually it should be okay to skip the check for equality
530 with either p or q here. */
532 /* Calculate inverse of r. */
533 if (! gcry_mpi_invm (ri
, r
, sk
.n
))
537 if (! (flags
& PUBKEY_FLAG_NO_BLINDING
))
539 x
= _gcry_rsa_blind (data
[0], r
, sk
.e
, sk
.n
);
544 /* Do the encryption. */
547 if (! (flags
& PUBKEY_FLAG_NO_BLINDING
))
550 GcryMPI a
= gcry_mpi_copy (y
);
552 gcry_mpi_release (y
);
553 y
= _gcry_rsa_unblind (a
, ri
, sk
.n
);
556 if (! (flags
& PUBKEY_FLAG_NO_BLINDING
))
558 /* Deallocate resources needed for blinding. */
559 gcry_mpi_release (x
);
560 gcry_mpi_release (r
);
561 gcry_mpi_release (ri
);
564 /* Copy out result. */
571 _gcry_rsa_sign( int algo
, MPI
*resarr
, MPI data
, MPI
*skey
)
575 if( algo
!= 1 && algo
!= 3 )
576 return GCRYERR_INV_PK_ALGO
;
584 resarr
[0] = mpi_alloc( mpi_get_nlimbs( sk
.n
) );
585 secret( resarr
[0], data
, &sk
);
591 _gcry_rsa_verify( int algo
, MPI hash
, MPI
*data
, MPI
*pkey
,
592 int (*cmp
)(void *opaque
, MPI tmp
), void *opaquev
)
598 if( algo
!= 1 && algo
!= 3 )
599 return GCRYERR_INV_PK_ALGO
;
602 result
= gcry_mpi_new ( 160 );
603 public( result
, data
[0], &pk
);
604 /*rc = (*cmp)( opaquev, result );*/
605 rc
= mpi_cmp( result
, hash
)? GCRYERR_BAD_SIGNATURE
:0;
606 gcry_mpi_release (result
);
613 _gcry_rsa_get_nbits( int algo
, MPI
*pkey
)
617 return mpi_get_nbits( pkey
[0] );
622 * Return some information about the algorithm. We need algo here to
623 * distinguish different flavors of the algorithm.
624 * Returns: A pointer to string describing the algorithm or NULL if
625 * the ALGO is invalid.
626 * Usage: Bit 0 set : allows signing
627 * 1 set : allows encryption
630 _gcry_rsa_get_info( int algo
,
631 int *npkey
, int *nskey
, int *nenc
, int *nsig
, int *r_usage
)
639 case 1: *r_usage
= GCRY_PK_USAGE_SIGN
| GCRY_PK_USAGE_ENCR
; return "RSA";
640 case 2: *r_usage
= GCRY_PK_USAGE_ENCR
; return "RSA-E";
641 case 3: *r_usage
= GCRY_PK_USAGE_SIGN
; return "RSA-S";
642 default:*r_usage
= 0; return NULL
;