/****************
* Generate a random secret exponent k from prime p, so that k is
* relatively prime to p-1. With SMALL_K set, k will be selected for
* better encryption performance - this must never be used signing!
*/
static gcry_mpi_t
gen_k( gcry_mpi_t p, int small_k )
{
gcry_mpi_t k = mpi_alloc_secure( 0 );
gcry_mpi_t temp = mpi_alloc( mpi_get_nlimbs(p) );
gcry_mpi_t p_1 = mpi_copy(p);
unsigned int orig_nbits = mpi_get_nbits(p);
unsigned int nbits, nbytes;
char *rndbuf = NULL;
if (small_k)
{
/* Using a k much lesser than p is sufficient for encryption and
* it greatly improves the encryption performance. We use
* Wiener's table and add a large safety margin. */
nbits = wiener_map( orig_nbits ) * 3 / 2;
if( nbits >= orig_nbits )
BUG();
}
else
nbits = orig_nbits;
nbytes = (nbits+7)/8;
if( DBG_CIPHER )
log_debug("choosing a random k ");
mpi_sub_ui( p_1, p, 1);
for(;;)
{
if( !rndbuf || nbits < 32 )
{
gcry_free(rndbuf);
rndbuf = gcry_random_bytes_secure( nbytes, GCRY_STRONG_RANDOM );
}
else
{
/* Change only some of the higher bits. We could improve
this by directly requesting more memory at the first call
to get_random_bytes() and use this the here maybe it is
easier to do this directly in random.c Anyway, it is
highly inlikely that we will ever reach this code. */
char *pp = gcry_random_bytes_secure( 4, GCRY_STRONG_RANDOM );
memcpy( rndbuf, pp, 4 );
gcry_free(pp);
}
_gcry_mpi_set_buffer( k, rndbuf, nbytes, 0 );
for(;;)
{
if( !(mpi_cmp( k, p_1 ) < 0) ) /* check: k < (p-1) */
{
if( DBG_CIPHER )
progress('+');
break; /* no */
}
if( !(mpi_cmp_ui( k, 0 ) > 0) ) /* check: k > 0 */
{
if( DBG_CIPHER )
progress('-');
break; /* no */
}
if (gcry_mpi_gcd( temp, k, p_1 ))
goto found; /* okay, k is relative prime to (p-1) */
mpi_add_ui( k, k, 1 );
if( DBG_CIPHER )
progress('.');
}
}
found:
gcry_free(rndbuf);
if( DBG_CIPHER )
progress('\n');
mpi_free(p_1);
mpi_free(temp);
return k;
}
/* Compute and print missing RSA parameters. */
static void
compute_missing (gcry_mpi_t rsa_p, gcry_mpi_t rsa_q, gcry_mpi_t rsa_e)
{
gcry_mpi_t rsa_n, rsa_d, rsa_pm1, rsa_qm1, rsa_u;
gcry_mpi_t phi, tmp_g, tmp_f;
rsa_n = gcry_mpi_new (0);
rsa_d = gcry_mpi_new (0);
rsa_pm1 = gcry_mpi_new (0);
rsa_qm1 = gcry_mpi_new (0);
rsa_u = gcry_mpi_new (0);
phi = gcry_mpi_new (0);
tmp_f = gcry_mpi_new (0);
tmp_g = gcry_mpi_new (0);
/* Check that p < q; if not swap p and q. */
if (openpgp_mode && gcry_mpi_cmp (rsa_p, rsa_q) > 0)
{
fprintf (stderr, PGM ": swapping p and q\n");
gcry_mpi_swap (rsa_p, rsa_q);
}
gcry_mpi_mul (rsa_n, rsa_p, rsa_q);
/* Compute the Euler totient: phi = (p-1)(q-1) */
gcry_mpi_sub_ui (rsa_pm1, rsa_p, 1);
gcry_mpi_sub_ui (rsa_qm1, rsa_q, 1);
gcry_mpi_mul (phi, rsa_pm1, rsa_qm1);
if (!gcry_mpi_gcd (tmp_g, rsa_e, phi))
die ("parameter 'e' does match 'p' and 'q'\n");
/* Compute: f = lcm(p-1,q-1) = phi / gcd(p-1,q-1) */
gcry_mpi_gcd (tmp_g, rsa_pm1, rsa_qm1);
gcry_mpi_div (tmp_f, NULL, phi, tmp_g, -1);
/* Compute the secret key: d = e^{-1} mod lcm(p-1,q-1) */
gcry_mpi_invm (rsa_d, rsa_e, tmp_f);
/* Compute the CRT helpers: d mod (p-1), d mod (q-1) */
gcry_mpi_mod (rsa_pm1, rsa_d, rsa_pm1);
gcry_mpi_mod (rsa_qm1, rsa_d, rsa_qm1);
/* Compute the CRT value: OpenPGP: u = p^{-1} mod q
Standard: iqmp = q^{-1} mod p */
if (openpgp_mode)
gcry_mpi_invm (rsa_u, rsa_p, rsa_q);
else
gcry_mpi_invm (rsa_u, rsa_q, rsa_p);
gcry_mpi_release (phi);
gcry_mpi_release (tmp_f);
gcry_mpi_release (tmp_g);
/* Print everything. */
print_mpi_line ("n", rsa_n);
print_mpi_line ("e", rsa_e);
if (openpgp_mode)
print_mpi_line ("d", rsa_d);
print_mpi_line ("p", rsa_p);
print_mpi_line ("q", rsa_q);
if (openpgp_mode)
print_mpi_line ("u", rsa_u);
else
{
print_mpi_line ("dmp1", rsa_pm1);
print_mpi_line ("dmq1", rsa_qm1);
print_mpi_line ("iqmp", rsa_u);
}
gcry_mpi_release (rsa_n);
gcry_mpi_release (rsa_d);
gcry_mpi_release (rsa_pm1);
gcry_mpi_release (rsa_qm1);
gcry_mpi_release (rsa_u);
}
/**
* Generate a key pair with a key of size NBITS.
* @param sk where to store the key
* @param nbits the number of bits to use
* @param hc the HC to use for PRNG (modified!)
*/
static void
generate_kblock_key (KBlock_secret_key *sk, unsigned int nbits,
struct GNUNET_HashCode * hc)
{
gcry_mpi_t t1, t2;
gcry_mpi_t phi; /* helper: (p-1)(q-1) */
gcry_mpi_t g;
gcry_mpi_t f;
/* make sure that nbits is even so that we generate p, q of equal size */
if ((nbits & 1))
nbits++;
sk->e = gcry_mpi_set_ui (NULL, 257);
sk->n = gcry_mpi_new (0);
sk->p = gcry_mpi_new (0);
sk->q = gcry_mpi_new (0);
sk->d = gcry_mpi_new (0);
sk->u = gcry_mpi_new (0);
t1 = gcry_mpi_new (0);
t2 = gcry_mpi_new (0);
phi = gcry_mpi_new (0);
g = gcry_mpi_new (0);
f = gcry_mpi_new (0);
do
{
do
{
gcry_mpi_release (sk->p);
gcry_mpi_release (sk->q);
gen_prime (&sk->p, nbits / 2, hc);
gen_prime (&sk->q, nbits / 2, hc);
if (gcry_mpi_cmp (sk->p, sk->q) > 0) /* p shall be smaller than q (for calc of u) */
gcry_mpi_swap (sk->p, sk->q);
/* calculate the modulus */
gcry_mpi_mul (sk->n, sk->p, sk->q);
}
while (gcry_mpi_get_nbits (sk->n) != nbits);
/* calculate Euler totient: phi = (p-1)(q-1) */
gcry_mpi_sub_ui (t1, sk->p, 1);
gcry_mpi_sub_ui (t2, sk->q, 1);
gcry_mpi_mul (phi, t1, t2);
gcry_mpi_gcd (g, t1, t2);
gcry_mpi_div (f, NULL, phi, g, 0);
while (0 == gcry_mpi_gcd (t1, sk->e, phi))
{ /* (while gcd is not 1) */
gcry_mpi_add_ui (sk->e, sk->e, 2);
}
/* calculate the secret key d = e^1 mod phi */
}
while ((0 == gcry_mpi_invm (sk->d, sk->e, f)) ||
(0 == gcry_mpi_invm (sk->u, sk->p, sk->q)));
gcry_mpi_release (t1);
gcry_mpi_release (t2);
gcry_mpi_release (phi);
gcry_mpi_release (f);
gcry_mpi_release (g);
}
/* Check that the RSA secret key SKEY is valid. Swap parameters to
the libgcrypt standard. */
static gpg_error_t
rsa_key_check (struct rsa_secret_key_s *skey)
{
int err = 0;
gcry_mpi_t t = gcry_mpi_snew (0);
gcry_mpi_t t1 = gcry_mpi_snew (0);
gcry_mpi_t t2 = gcry_mpi_snew (0);
gcry_mpi_t phi = gcry_mpi_snew (0);
/* Check that n == p * q. */
gcry_mpi_mul (t, skey->p, skey->q);
if (gcry_mpi_cmp( t, skey->n) )
{
log_error ("RSA oops: n != p * q\n");
err++;
}
/* Check that p is less than q. */
if (gcry_mpi_cmp (skey->p, skey->q) > 0)
{
gcry_mpi_t tmp;
log_info ("swapping secret primes\n");
tmp = gcry_mpi_copy (skey->p);
gcry_mpi_set (skey->p, skey->q);
gcry_mpi_set (skey->q, tmp);
gcry_mpi_release (tmp);
/* Recompute u. */
gcry_mpi_invm (skey->u, skey->p, skey->q);
}
/* Check that e divides neither p-1 nor q-1. */
gcry_mpi_sub_ui (t, skey->p, 1 );
gcry_mpi_div (NULL, t, t, skey->e, 0);
if (!gcry_mpi_cmp_ui( t, 0) )
{
log_error ("RSA oops: e divides p-1\n");
err++;
}
gcry_mpi_sub_ui (t, skey->q, 1);
gcry_mpi_div (NULL, t, t, skey->e, 0);
if (!gcry_mpi_cmp_ui( t, 0))
{
log_info ("RSA oops: e divides q-1\n" );
err++;
}
/* Check that d is correct. */
gcry_mpi_sub_ui (t1, skey->p, 1);
gcry_mpi_sub_ui (t2, skey->q, 1);
gcry_mpi_mul (phi, t1, t2);
gcry_mpi_invm (t, skey->e, phi);
if (gcry_mpi_cmp (t, skey->d))
{
/* No: try universal exponent. */
gcry_mpi_gcd (t, t1, t2);
gcry_mpi_div (t, NULL, phi, t, 0);
gcry_mpi_invm (t, skey->e, t);
if (gcry_mpi_cmp (t, skey->d))
{
log_error ("RSA oops: bad secret exponent\n");
err++;
}
}
/* Check for correctness of u. */
gcry_mpi_invm (t, skey->p, skey->q);
if (gcry_mpi_cmp (t, skey->u))
{
log_info ("RSA oops: bad u parameter\n");
err++;
}
if (err)
log_info ("RSA secret key check failed\n");
gcry_mpi_release (t);
gcry_mpi_release (t1);
gcry_mpi_release (t2);
gcry_mpi_release (phi);
return err? gpg_error (GPG_ERR_BAD_SECKEY):0;
}
