| blob | 57aedaf150d466c49a828d2c38a1bd9d9ce18b1f |
1 /* rsa.c - RSA function
2 * Copyright (C) 1997, 1998, 1999 by Werner Koch (dd9jn)
3 * Copyright (C) 2000, 2001, 2002, 2003 Free Software Foundation, Inc.
4 *
5 * This file is part of Libgcrypt.
6 *
7 * Libgcrypt is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU Lesser General Public License as
9 * published by the Free Software Foundation; either version 2.1 of
10 * the License, or (at your option) any later version.
11 *
12 * Libgcrypt is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU Lesser General Public License for more details.
16 *
17 * You should have received a copy of the GNU Lesser General Public
18 * License along with this program; if not, write to the Free Software
19 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
20 */
22 /* This code uses an algorithm protected by U.S. Patent #4,405,829
23 which expired on September 20, 2000. The patent holder placed that
24 patent into the public domain on Sep 6th, 2000.
25 */
27 #include <config.h>
28 #include <stdio.h>
29 #include <stdlib.h>
30 #include <string.h>
61 static void
63 {
64 RSA_public_key pk;
84 }
87 /* Callback used by the prime generation to test whether the exponent
88 is suitable. Returns 0 if the test has been passed. */
89 static int
91 {
93 MPI tmp;
102 }
104 /****************
105 * Generate a key pair with a key of size NBITS.
106 * USE_E = 0 let Libcgrypt decide what exponent to use.
107 * = 1 request the use of a "secure" exponent; this is required by some
108 * specification to be 65537.
109 * > 2 Try starting at this value until a working exponent is found.
110 * Returns: 2 structures filled with all needed values
111 */
112 static void
114 {
117 MPI u;
122 MPI g;
123 MPI f;
125 /* make sure that nbits is even so that we generate p, q of equal size */
127 nbits++;
132 /* Public exponent:
133 In general we use 41 as this is quite fast and more secure than the
134 commonly used 17. Benchmarking the RSA verify function
135 with a 1024 bit key yields (2001-11-08):
136 e=17 0.54 ms
137 e=41 0.75 ms
138 e=257 0.95 ms
139 e=65537 1.80 ms
140 */
144 else
145 {
148 }
154 /* select two (very secret) primes */
161 suitable. */
164 }
165 else
169 }
172 /* calculate the modulus */
176 /* calculate Euler totient: phi = (p-1)(q-1) */
189 {
192 never can get to here. */
194 }
196 /* calculate the secret key d = e^1 mod phi */
199 /* calculate the inverse of p and q (used for chinese remainder theorem)*/
213 }
228 /* now we can test our keys (this should never fail!) */
230 }
233 /****************
234 * Test wether the secret key is valid.
235 * Returns: true if this is a valid key.
236 */
237 static int
239 {
247 }
251 /****************
252 * Public key operation. Encrypt INPUT with PKEY and put result into OUTPUT.
253 *
254 * c = m^e mod n
255 *
256 * Where c is OUTPUT, m is INPUT and e,n are elements of PKEY.
257 */
258 static void
260 {
266 }
267 else
269 }
271 #if 0
272 static void
274 {
280 /* check that n == p * q */
285 /* check that p is less than q */
287 {
290 }
292 /* check that e divides neither p-1 nor q-1 */
302 /* check that d is correct */
310 {
314 }
316 /* check for correctness of u */
319 {
323 }
331 }
332 #endif
336 /****************
337 * Secret key operation. Encrypt INPUT with SKEY and put result into OUTPUT.
338 *
339 * m = c^d mod n
340 *
341 * Or faster:
342 *
343 * m1 = c ^ (d mod (p-1)) mod p
344 * m2 = c ^ (d mod (q-1)) mod q
345 * h = u * (m2 - m1) mod q
346 * m = m1 + h * p
347 *
348 * Where m is OUTPUT, c is INPUT and d,n,p,q,u are elements of SKEY.
349 */
350 static void
352 {
353 #if 0
355 #else
360 /* m1 = c ^ (d mod (p-1)) mod p */
364 /* m2 = c ^ (d mod (q-1)) mod q */
368 /* h = u * ( m2 - m1 ) mod q */
373 /* m = m2 + h * p */
376 /* ready */
381 #endif
382 }
386 /*********************************************
387 ************** interface ******************
388 *********************************************/
390 int
393 {
394 RSA_secret_key sk;
406 /* make an empty list of factors */
409 }
412 int
414 {
415 RSA_secret_key sk;
430 }
434 int
437 {
438 RSA_public_key pk;
448 }
450 /* Perform RSA blinding. */
451 GcryMPI
453 {
454 /* A helper. */
455 GcryMPI a;
457 /* Result. */
458 GcryMPI y;
463 /* Now we calculate: y = (x * r^e) mod n, where r is the random
464 number, e is the public exponent, x is the non-blinded data and n
465 is the RSA modulus. */
472 }
474 /* Undo RSA blinding. */
475 GcryMPI
477 {
478 GcryMPI y;
482 /* Here we calculate: y = (x * r^-1) mod n, where x is the blinded
483 decrypted data, ri is the modular multiplicative inverse of r and
484 n is the RSA modulus. */
489 }
491 int
494 {
495 RSA_secret_key sk;
497 blinding. */
499 r. */
506 /* Extract private key. */
517 {
518 /* Initialize blinding. */
520 /* First, we need a random number r between 0 and n - 1, which
521 is relatively prime to n (i.e. it is neither p nor q). */
526 GCRY_STRONG_RANDOM);
529 /* Actually it should be okay to skip the check for equality
530 with either p or q here. */
532 /* Calculate inverse of r. */
535 }
538 /* Do blinding. */
540 else
541 /* Skip blinding. */
544 /* Do the encryption. */
548 {
549 /* Undo blinding. */
554 }
557 {
558 /* Deallocate resources needed for blinding. */
562 }
564 /* Copy out result. */
568 }
570 int
572 {
573 RSA_secret_key sk;
588 }
590 int
593 {
594 RSA_public_key pk;
595 MPI result;
604 /*rc = (*cmp)( opaquev, result );*/
609 }
612 unsigned int
614 {
618 }
621 /****************
622 * Return some information about the algorithm. We need algo here to
623 * distinguish different flavors of the algorithm.
624 * Returns: A pointer to string describing the algorithm or NULL if
625 * the ALGO is invalid.
626 * Usage: Bit 0 set : allows signing
627 * 1 set : allows encryption
628 */
632 {
643 }
644 }