int cp_rsa_gen_basic(rsa_t pub, rsa_t prv, int bits) {
bn_t t, r;
int result = STS_OK;
if (pub == NULL || prv == NULL || bits == 0) {
return STS_ERR;
}
bn_null(t);
bn_null(r);
TRY {
bn_new(t);
bn_new(r);
/* Generate different primes p and q. */
do {
bn_gen_prime(prv->p, bits / 2);
bn_gen_prime(prv->q, bits / 2);
} while (bn_cmp(prv->p, prv->q) == CMP_EQ);
/* Swap p and q so that p is smaller. */
if (bn_cmp(prv->p, prv->q) == CMP_LT) {
bn_copy(t, prv->p);
bn_copy(prv->p, prv->q);
bn_copy(prv->q, t);
}
bn_mul(pub->n, prv->p, prv->q);
bn_copy(prv->n, pub->n);
bn_sub_dig(prv->p, prv->p, 1);
bn_sub_dig(prv->q, prv->q, 1);
bn_mul(t, prv->p, prv->q);
bn_set_2b(pub->e, 16);
bn_add_dig(pub->e, pub->e, 1);
bn_gcd_ext(r, prv->d, NULL, pub->e, t);
if (bn_sign(prv->d) == BN_NEG) {
bn_add(prv->d, prv->d, t);
}
if (bn_cmp_dig(r, 1) == CMP_EQ) {
bn_add_dig(prv->p, prv->p, 1);
bn_add_dig(prv->q, prv->q, 1);
}
}
CATCH_ANY {
result = STS_ERR;
}
FINALLY {
bn_free(t);
bn_free(r);
}
return result;
}
int bn_is_prime_basic(const bn_t a) {
dig_t t;
int i, result;
result = 1;
if (bn_cmp_dig(a, 1) == CMP_EQ) {
return 0;
}
/* Trial division. */
for (i = 0; i < BASIC_TESTS; i++) {
bn_mod_dig(&t, a, primes[i]);
if (t == 0 && bn_cmp_dig(a, primes[i]) != CMP_EQ) {
result = 0;
break;
}
}
return result;
}
int bn_factor(bn_t c, const bn_t a) {
bn_t t0, t1;
int result;
unsigned int i, tests;
bn_null(t0);
bn_null(t1);
result = 1;
if (bn_is_even(a)) {
bn_set_dig(c, 2);
return 1;
}
TRY {
bn_new(t0);
bn_new(t1);
bn_set_dig(t0, 2);
#if WORD == 8
tests = 255;
#else
tests = 65535;
#endif
for (i = 2; i < tests; i++) {
bn_set_dig(t1, i);
bn_mxp(t0, t0, t1, a);
}
bn_sub_dig(t0, t0, 1);
bn_gcd(t1, t0, a);
if (bn_cmp_dig(t1, 1) == CMP_GT && bn_cmp(t1, a) == CMP_LT) {
bn_copy(c, t1);
} else {
result = 0;
}
} CATCH_ANY {
THROW(ERR_CAUGHT);
} FINALLY {
bn_free(t0);
bn_free(t1);
}
return result;
}
/**
* Applies or removes a PKCS#1 v2.1 encryption padding.
*
* @param[out] m - the buffer to pad.
* @param[out] p_len - the number of added pad bytes.
* @param[in] m_len - the message length in bytes.
* @param[in] k_len - the key length in bytes.
* @param[in] operation - flag to indicate the operation type.
* @return STS_ERR if errors occurred, STS_OK otherwise.
*/
static int pad_pkcs2(bn_t m, int *p_len, int m_len, int k_len, int operation) {
uint8_t pad, h1[MD_LEN], h2[MD_LEN], mask[k_len];
int result = STS_OK;
bn_t t;
bn_null(t);
TRY {
bn_new(t);
switch (operation) {
case RSA_ENC:
/* DB = lHash | PS | 01 | D. */
md_map(h1, NULL, 0);
bn_read_bin(m, h1, MD_LEN);
*p_len = k_len - 2 * MD_LEN - 2 - m_len;
bn_lsh(m, m, *p_len * 8);
bn_lsh(m, m, 8);
bn_add_dig(m, m, 0x01);
/* Make room for the real message. */
bn_lsh(m, m, m_len * 8);
break;
case RSA_ENC_FIN:
/* EB = 00 | maskedSeed | maskedDB. */
rand_bytes(h1, MD_LEN);
md_mgf1(mask, k_len - MD_LEN - 1, h1, MD_LEN);
bn_read_bin(t, mask, k_len - MD_LEN - 1);
for (int i = 0; i < t->used; i++) {
m->dp[i] ^= t->dp[i];
}
bn_write_bin(mask, k_len - MD_LEN - 1, m);
md_mgf1(h2, MD_LEN, mask, k_len - MD_LEN - 1);
for (int i = 0; i < MD_LEN; i++) {
h1[i] ^= h2[i];
}
bn_read_bin(t, h1, MD_LEN);
bn_lsh(t, t, 8 * (k_len - MD_LEN - 1));
bn_add(t, t, m);
bn_copy(m, t);
break;
case RSA_DEC:
m_len = k_len - 1;
bn_rsh(t, m, 8 * m_len);
if (!bn_is_zero(t)) {
result = STS_ERR;
}
m_len -= MD_LEN;
bn_rsh(t, m, 8 * m_len);
bn_write_bin(h1, MD_LEN, t);
bn_mod_2b(m, m, 8 * m_len);
bn_write_bin(mask, m_len, m);
md_mgf1(h2, MD_LEN, mask, m_len);
for (int i = 0; i < MD_LEN; i++) {
h1[i] ^= h2[i];
}
md_mgf1(mask, k_len - MD_LEN - 1, h1, MD_LEN);
bn_read_bin(t, mask, k_len - MD_LEN - 1);
for (int i = 0; i < t->used; i++) {
m->dp[i] ^= t->dp[i];
}
m_len -= MD_LEN;
bn_rsh(t, m, 8 * m_len);
bn_write_bin(h2, MD_LEN, t);
md_map(h1, NULL, 0);
pad = 0;
for (int i = 0; i < MD_LEN; i++) {
pad |= h1[i] - h2[i];
}
if (result == STS_OK) {
result = (pad ? STS_ERR : STS_OK);
}
bn_mod_2b(m, m, 8 * m_len);
*p_len = bn_size_bin(m);
(*p_len)--;
bn_rsh(t, m, *p_len * 8);
if (bn_cmp_dig(t, 1) != CMP_EQ) {
result = STS_ERR;
}
bn_mod_2b(m, m, *p_len * 8);
*p_len = k_len - *p_len;
break;
case RSA_SIG:
case RSA_SIG_HASH:
/* M' = 00 00 00 00 00 00 00 00 | H(M). */
bn_zero(m);
bn_lsh(m, m, 64);
/* Make room for the real message. */
bn_lsh(m, m, MD_LEN * 8);
break;
case RSA_SIG_FIN:
memset(mask, 0, 8);
bn_write_bin(mask + 8, MD_LEN, m);
md_map(h1, mask, MD_LEN + 8);
bn_read_bin(m, h1, MD_LEN);
md_mgf1(mask, k_len - MD_LEN - 1, h1, MD_LEN);
bn_read_bin(t, mask, k_len - MD_LEN - 1);
t->dp[0] ^= 0x01;
/* m_len is now the size in bits of the modulus. */
bn_lsh(t, t, 8 * MD_LEN);
bn_add(m, t, m);
bn_lsh(m, m, 8);
bn_add_dig(m, m, RSA_PSS);
for (int i = m_len - 1; i < 8 * k_len; i++) {
bn_set_bit(m, i, 0);
}
break;
case RSA_VER:
case RSA_VER_HASH:
bn_mod_2b(t, m, 8);
if (bn_cmp_dig(t, RSA_PSS) != CMP_EQ) {
result = STS_ERR;
} else {
for (int i = m_len; i < 8 * k_len; i++) {
if (bn_get_bit(m, i) != 0) {
result = STS_ERR;
}
}
bn_rsh(m, m, 8);
bn_mod_2b(t, m, 8 * MD_LEN);
bn_write_bin(h2, MD_LEN, t);
bn_rsh(m, m, 8 * MD_LEN);
bn_write_bin(h1, MD_LEN, t);
md_mgf1(mask, k_len - MD_LEN - 1, h1, MD_LEN);
bn_read_bin(t, mask, k_len - MD_LEN - 1);
for (int i = 0; i < t->used; i++) {
m->dp[i] ^= t->dp[i];
}
m->dp[0] ^= 0x01;
for (int i = m_len - 1; i < 8 * k_len; i++) {
bn_set_bit(m, i - ((MD_LEN + 1) * 8), 0);
}
if (!bn_is_zero(m)) {
result = STS_ERR;
}
bn_read_bin(m, h2, MD_LEN);
*p_len = k_len - MD_LEN;
}
break;
}
}
CATCH_ANY {
result = STS_ERR;
}
FINALLY {
bn_free(t);
}
return result;
}
int cp_bdpe_gen(bdpe_t pub, bdpe_t prv, dig_t block, int bits) {
bn_t t, r;
int result = STS_OK;
bn_null(t);
bn_null(r);
TRY {
bn_new(t);
bn_new(r);
prv->t = pub->t = block;
/* Make sure that block size is prime. */
bn_set_dig(t, block);
if (bn_is_prime_basic(t) == 0) {
THROW(ERR_NO_VALID);
}
/* Generate prime q such that gcd(block, (q - 1)) = 1. */
do {
bn_gen_prime(prv->q, bits / 2);
bn_sub_dig(prv->q, prv->q, 1);
bn_gcd_dig(t, prv->q, block);
bn_add_dig(prv->q, prv->q, 1);
} while (bn_cmp_dig(t, 1) != CMP_EQ);
/* Generate different primes p and q. */
do {
/* Compute p = block * (x * block + b) + 1, 0 < b < block random. */
bn_rand(prv->p, BN_POS, bits / 2 - 2 * util_bits_dig(block));
bn_mul_dig(prv->p, prv->p, block);
bn_rand(t, BN_POS, util_bits_dig(block));
bn_add_dig(prv->p, prv->p, t->dp[0]);
/* We know that block divides (p-1). */
bn_gcd_dig(t, prv->p, block);
bn_mul_dig(prv->p, prv->p, block);
bn_add_dig(prv->p, prv->p, 1);
} while (bn_cmp_dig(t, 1) != CMP_EQ || bn_is_prime(prv->p) == 0);
/* Compute t = (p-1)*(q-1). */
bn_sub_dig(prv->q, prv->q, 1);
bn_sub_dig(prv->p, prv->p, 1);
bn_mul(t, prv->p, prv->q);
bn_div_dig(t, t, block);
/* Restore factors p and q and compute n = p * q. */
bn_add_dig(prv->p, prv->p, 1);
bn_add_dig(prv->q, prv->q, 1);
bn_mul(pub->n, prv->p, prv->q);
bn_copy(prv->n, pub->n);
/* Select random y such that y^{(p-1)(q-1)}/block \neq 1 mod N. */
do {
bn_rand(pub->y, BN_POS, bits);
bn_mxp(r, pub->y, t, pub->n);
} while (bn_cmp_dig(r, 1) == CMP_EQ);
bn_copy(prv->y, pub->y);
}
CATCH_ANY {
result = STS_ERR;
}
FINALLY {
bn_free(t);
bn_free(r);
}
return result;
}
int bn_is_prime_solov(const bn_t a) {
bn_t t0, t1, t2;
int i, result;
bn_null(t0);
bn_null(t1);
bn_null(t2);
result = 1;
TRY {
bn_new(t0);
bn_new(t1);
bn_new(t2);
for (i = 0; i < 100; i++) {
/* Generate t0, 2 <= t0, <= a - 2. */
do {
bn_rand(t0, BN_POS, bn_bits(a));
bn_mod(t0, t0, a);
} while (bn_cmp_dig(t0, 2) == CMP_LT);
/* t2 = a - 1. */
bn_copy(t2, a);
bn_sub_dig(t2, t2, 1);
/* t1 = (a - 1)/2. */
bn_rsh(t1, t2, 1);
/* t1 = t0^(a - 1)/2 mod a. */
#if BN_MOD != PMERS
bn_mxp(t1, t0, t1, a);
#else
bn_exp(t1, t0, t1, a);
#endif
/* If t1 != 1 and t1 != n - 1 return 0 */
if (bn_cmp_dig(t1, 1) != CMP_EQ && bn_cmp(t1, t2) != CMP_EQ) {
result = 0;
break;
}
/* t2 = (t0|a). */
bn_smb_jac(t2, t0, a);
if (bn_sign(t2) == BN_NEG) {
bn_add(t2, t2, a);
}
/* If t1 != t2 (mod a) return 0. */
bn_mod(t1, t1, a);
bn_mod(t2, t2, a);
if (bn_cmp(t1, t2) != CMP_EQ) {
result = 0;
break;
}
}
}
CATCH_ANY {
result = 0;
THROW(ERR_CAUGHT);
}
FINALLY {
bn_free(t0);
bn_free(t1);
bn_free(t2);
}
return result;
}
int bn_is_prime_rabin(const bn_t a) {
bn_t t, n1, y, r;
int i, s, j, result, b, tests = 0;
tests = 0;
result = 1;
bn_null(t);
bn_null(n1);
bn_null(y);
bn_null(r);
if (bn_cmp_dig(a, 1) == CMP_EQ) {
return 0;
}
TRY {
/*
* These values are taken from Table 4.4 inside Handbook of Applied
* Cryptography.
*/
b = bn_bits(a);
if (b >= 1300) {
tests = 2;
} else if (b >= 850) {
tests = 3;
} else if (b >= 650) {
tests = 4;
} else if (b >= 550) {
tests = 5;
} else if (b >= 450) {
tests = 6;
} else if (b >= 400) {
tests = 7;
} else if (b >= 350) {
tests = 8;
} else if (b >= 300) {
tests = 9;
} else if (b >= 250) {
tests = 12;
} else if (b >= 200) {
tests = 15;
} else if (b >= 150) {
tests = 18;
} else {
tests = 27;
}
bn_new(t);
bn_new(n1);
bn_new(y);
bn_new(r);
/* r = (n - 1)/2^s. */
bn_sub_dig(n1, a, 1);
s = 0;
while (bn_is_even(n1)) {
s++;
bn_rsh(n1, n1, 1);
}
bn_lsh(r, n1, s);
for (i = 0; i < tests; i++) {
/* Fix the basis as the first few primes. */
bn_set_dig(t, primes[i]);
/* y = b^r mod a. */
#if BN_MOD != PMERS
bn_mxp(y, t, r, a);
#else
bn_exp(y, t, r, a);
#endif
if (bn_cmp_dig(y, 1) != CMP_EQ && bn_cmp(y, n1) != CMP_EQ) {
j = 1;
while ((j <= (s - 1)) && bn_cmp(y, n1) != CMP_EQ) {
bn_sqr(y, y);
bn_mod(y, y, a);
/* If y == 1 then composite. */
if (bn_cmp_dig(y, 1) == CMP_EQ) {
result = 0;
break;
}
++j;
}
/* If y != n1 then composite. */
if (bn_cmp(y, n1) != CMP_EQ) {
result = 0;
break;
}
}
}
}
CATCH_ANY {
result = 0;
THROW(ERR_CAUGHT);
}
FINALLY {
bn_free(r);
bn_free(y);
bn_free(n1);
bn_free(t);
}
return result;
}