/*
* Check a private RSA key
*/
int rsa_check_privkey( rsa_context *ctx )
{
int ret;
mpi PQ, DE, P1, Q1, H, I, G;
if( ( ret = rsa_check_pubkey( ctx ) ) != 0 )
return( ret );
if( !ctx->P.p || !ctx->Q.p || !ctx->D.p )
return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED );
mpi_init( &PQ, &DE, &P1, &Q1, &H, &I, &G, NULL );
MPI_CHK( mpi_mul_mpi( &PQ, &ctx->P, &ctx->Q ) );
MPI_CHK( mpi_mul_mpi( &DE, &ctx->D, &ctx->E ) );
MPI_CHK( mpi_sub_int( &P1, &ctx->P, 1 ) );
MPI_CHK( mpi_sub_int( &Q1, &ctx->Q, 1 ) );
MPI_CHK( mpi_mul_mpi( &H, &P1, &Q1 ) );
MPI_CHK( mpi_mod_mpi( &I, &DE, &H ) );
MPI_CHK( mpi_gcd( &G, &ctx->E, &H ) );
if( mpi_cmp_mpi( &PQ, &ctx->N ) == 0 &&
mpi_cmp_int( &I, 1 ) == 0 &&
mpi_cmp_int( &G, 1 ) == 0 )
{
mpi_free( &G, &I, &H, &Q1, &P1, &DE, &PQ, NULL );
return( 0 );
}
cleanup:
mpi_free( &G, &I, &H, &Q1, &P1, &DE, &PQ, NULL );
return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED | ret );
}
/*
* Check a private RSA key
*/
int rsa_check_privkey( const rsa_context *ctx )
{
int ret;
mpi PQ, DE, P1, Q1, H, I, G, G2, L1, L2, DP, DQ, QP;
if( ( ret = rsa_check_pubkey( ctx ) ) != 0 )
return( ret );
if( !ctx->P.p || !ctx->Q.p || !ctx->D.p )
return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED );
mpi_init( &PQ ); mpi_init( &DE ); mpi_init( &P1 ); mpi_init( &Q1 );
mpi_init( &H ); mpi_init( &I ); mpi_init( &G ); mpi_init( &G2 );
mpi_init( &L1 ); mpi_init( &L2 ); mpi_init( &DP ); mpi_init( &DQ );
mpi_init( &QP );
MPI_CHK( mpi_mul_mpi( &PQ, &ctx->P, &ctx->Q ) );
MPI_CHK( mpi_mul_mpi( &DE, &ctx->D, &ctx->E ) );
MPI_CHK( mpi_sub_int( &P1, &ctx->P, 1 ) );
MPI_CHK( mpi_sub_int( &Q1, &ctx->Q, 1 ) );
MPI_CHK( mpi_mul_mpi( &H, &P1, &Q1 ) );
MPI_CHK( mpi_gcd( &G, &ctx->E, &H ) );
MPI_CHK( mpi_gcd( &G2, &P1, &Q1 ) );
MPI_CHK( mpi_div_mpi( &L1, &L2, &H, &G2 ) );
MPI_CHK( mpi_mod_mpi( &I, &DE, &L1 ) );
MPI_CHK( mpi_mod_mpi( &DP, &ctx->D, &P1 ) );
MPI_CHK( mpi_mod_mpi( &DQ, &ctx->D, &Q1 ) );
MPI_CHK( mpi_inv_mod( &QP, &ctx->Q, &ctx->P ) );
/*
* Check for a valid PKCS1v2 private key
*/
if( mpi_cmp_mpi( &PQ, &ctx->N ) != 0 ||
mpi_cmp_mpi( &DP, &ctx->DP ) != 0 ||
mpi_cmp_mpi( &DQ, &ctx->DQ ) != 0 ||
mpi_cmp_mpi( &QP, &ctx->QP ) != 0 ||
mpi_cmp_int( &L2, 0 ) != 0 ||
mpi_cmp_int( &I, 1 ) != 0 ||
mpi_cmp_int( &G, 1 ) != 0 )
{
ret = POLARSSL_ERR_RSA_KEY_CHECK_FAILED;
}
cleanup:
mpi_free( &PQ ); mpi_free( &DE ); mpi_free( &P1 ); mpi_free( &Q1 );
mpi_free( &H ); mpi_free( &I ); mpi_free( &G ); mpi_free( &G2 );
mpi_free( &L1 ); mpi_free( &L2 ); mpi_free( &DP ); mpi_free( &DQ );
mpi_free( &QP );
if( ret == POLARSSL_ERR_RSA_KEY_CHECK_FAILED )
return( ret );
if( ret != 0 )
return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED + ret );
return( 0 );
}
/*
* Check if the private key is valid
*/
int rsa_check_privkey( rsa_context *ctx )
{
int ret = 0;
mpi TN, P1, Q1, H, G;
mpi_init( &TN, &P1, &Q1, &H, &G, NULL );
CHK( mpi_mul_mpi( &TN, &ctx->P, &ctx->Q ) );
CHK( mpi_sub_int( &P1, &ctx->P, 1 ) );
CHK( mpi_sub_int( &Q1, &ctx->Q, 1 ) );
CHK( mpi_mul_mpi( &H, &P1, &Q1 ) );
CHK( mpi_gcd( &G, &ctx->E, &H ) );
if( mpi_cmp_mpi( &TN, &ctx->N ) == 0 &&
mpi_cmp_int( &G, 1 ) == 0 )
{
mpi_free( &TN, &P1, &Q1, &H, &G, NULL );
return( 0 );
}
cleanup:
mpi_free( &TN, &P1, &Q1, &H, &G, NULL );
return( ERR_RSA_KEY_CHK_FAILED | ret );
}
/*
* Generate an RSA keypair
*/
int rsa_gen_key( rsa_context *ctx, int nbits, int exponent,
ulong (*rng_fn)(void *), void *rng_st )
{
int ret;
mpi P1, Q1, H, G;
mpi_init( &P1, &Q1, &H, &G, NULL );
memset( ctx, 0, sizeof( rsa_context ) );
/*
* find primes P and Q with Q < P so that:
* GCD( E, (P-1)*(Q-1) ) == 1
*/
CHK( mpi_lset( &ctx->E, exponent ) );
nbits >>= 1;
do
{
CHK( mpi_gen_prime( &ctx->P, nbits, 0, rng_fn, rng_st ) );
CHK( mpi_gen_prime( &ctx->Q, nbits, 0, rng_fn, rng_st ) );
if( mpi_cmp_mpi( &ctx->P, &ctx->Q ) < 0 )
mpi_swap( &ctx->P, &ctx->Q );
CHK( mpi_mul_mpi( &ctx->N, &ctx->P, &ctx->Q ) );
CHK( mpi_sub_int( &P1, &ctx->P, 1 ) );
CHK( mpi_sub_int( &Q1, &ctx->Q, 1 ) );
CHK( mpi_mul_mpi( &H, &P1, &Q1 ) );
CHK( mpi_gcd( &G, &ctx->E, &H ) );
}
while( mpi_cmp_int( &G, 1 ) != 0 );
/*
* D = E^-1 mod ((P-1)*(Q-1))
* DP = D mod (P - 1)
* DQ = D mod (Q - 1)
* QP = Q^-1 mod P
*/
CHK( mpi_inv_mod( &ctx->D , &ctx->E, &H ) );
CHK( mpi_mod_mpi( &ctx->DP, &ctx->D, &P1 ) );
CHK( mpi_mod_mpi( &ctx->DQ, &ctx->D, &Q1 ) );
CHK( mpi_inv_mod( &ctx->QP, &ctx->Q, &ctx->P ) );
ctx->len = ( mpi_size( &ctx->N ) + 7 ) >> 3;
cleanup:
mpi_free( &P1, &Q1, &H, &G, NULL );
if( ret != 0 )
{
rsa_free( ctx );
return( ERR_RSA_KEYGEN_FAILED | ret );
}
return( 0 );
}
/*
Generate an RSA keypair
*/
int rsa_gen_key(rsa_context *ctx, int nbits, int exponent)
{
mpi P1, Q1, H, G;
int ret;
if (ctx->f_rng == NULL || nbits < 128 || exponent < 3) {
return EST_ERR_RSA_BAD_INPUT_DATA;
}
mpi_init(&P1, &Q1, &H, &G, NULL);
/*
find primes P and Q with Q < P so that: GCD( E, (P-1)*(Q-1) ) == 1
*/
MPI_CHK(mpi_lset(&ctx->E, exponent));
do {
MPI_CHK(mpi_gen_prime(&ctx->P, (nbits + 1) >> 1, 0, ctx->f_rng, ctx->p_rng));
MPI_CHK(mpi_gen_prime(&ctx->Q, (nbits + 1) >> 1, 0, ctx->f_rng, ctx->p_rng));
if (mpi_cmp_mpi(&ctx->P, &ctx->Q) < 0) {
mpi_swap(&ctx->P, &ctx->Q);
}
if (mpi_cmp_mpi(&ctx->P, &ctx->Q) == 0) {
continue;
}
MPI_CHK(mpi_mul_mpi(&ctx->N, &ctx->P, &ctx->Q));
if (mpi_msb(&ctx->N) != nbits) {
continue;
}
MPI_CHK(mpi_sub_int(&P1, &ctx->P, 1));
MPI_CHK(mpi_sub_int(&Q1, &ctx->Q, 1));
MPI_CHK(mpi_mul_mpi(&H, &P1, &Q1));
MPI_CHK(mpi_gcd(&G, &ctx->E, &H));
} while (mpi_cmp_int(&G, 1) != 0);
/*
D = E^-1 mod ((P-1)*(Q-1))
DP = D mod (P - 1)
DQ = D mod (Q - 1)
QP = Q^-1 mod P
*/
MPI_CHK(mpi_inv_mod(&ctx->D, &ctx->E, &H));
MPI_CHK(mpi_mod_mpi(&ctx->DP, &ctx->D, &P1));
MPI_CHK(mpi_mod_mpi(&ctx->DQ, &ctx->D, &Q1));
MPI_CHK(mpi_inv_mod(&ctx->QP, &ctx->Q, &ctx->P));
ctx->len = (mpi_msb(&ctx->N) + 7) >> 3;
cleanup:
mpi_free(&G, &H, &Q1, &P1, NULL);
if (ret != 0) {
rsa_free(ctx);
return EST_ERR_RSA_KEY_GEN_FAILED | ret;
}
return 0;
}
/*
* Check a private RSA key
*/
int rsa_check_privkey( const rsa_context *ctx )
{
int ret;
mpi PQ, DE, P1, Q1, H, I, G, G2, L1, L2;
if( ( ret = rsa_check_pubkey( ctx ) ) != 0 )
return( ret );
if( !ctx->P.p || !ctx->Q.p || !ctx->D.p )
return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED );
mpi_init( &PQ, &DE, &P1, &Q1, &H, &I, &G, &G2, &L1, &L2, NULL );
MPI_CHK( mpi_mul_mpi( &PQ, &ctx->P, &ctx->Q ) );
MPI_CHK( mpi_mul_mpi( &DE, &ctx->D, &ctx->E ) );
MPI_CHK( mpi_sub_int( &P1, &ctx->P, 1 ) );
MPI_CHK( mpi_sub_int( &Q1, &ctx->Q, 1 ) );
MPI_CHK( mpi_mul_mpi( &H, &P1, &Q1 ) );
MPI_CHK( mpi_gcd( &G, &ctx->E, &H ) );
MPI_CHK( mpi_gcd( &G2, &P1, &Q1 ) );
MPI_CHK( mpi_div_mpi( &L1, &L2, &H, &G2 ) );
MPI_CHK( mpi_mod_mpi( &I, &DE, &L1 ) );
/*
* Check for a valid PKCS1v2 private key
*/
if( mpi_cmp_mpi( &PQ, &ctx->N ) == 0 &&
mpi_cmp_int( &L2, 0 ) == 0 &&
mpi_cmp_int( &I, 1 ) == 0 &&
mpi_cmp_int( &G, 1 ) == 0 )
{
mpi_free( &G, &I, &H, &Q1, &P1, &DE, &PQ, &G2, &L1, &L2, NULL );
return( 0 );
}
cleanup:
mpi_free( &G, &I, &H, &Q1, &P1, &DE, &PQ, &G2, &L1, &L2, NULL );
return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED | ret );
}
static int Babs(lua_State *L)
{
mpi *b=Bget(L,1);
if (mpi_cmp_int(b,0)<0) {
mpi A;
mpi *a=&A;
mpi *c=Bnew(L);
mpi_init(a);
mpi_sub_mpi(c,a,b);
mpi_free(a);
}
else lua_settop(L,1);
return 1;
}
/*
* Generate or update blinding values, see section 10 of:
* KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA,
* DSS, and other systems. In : Advances in Cryptology—CRYPTO’96. Springer
* Berlin Heidelberg, 1996. p. 104-113.
*/
static int rsa_prepare_blinding( rsa_context *ctx, mpi *Vi, mpi *Vf,
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
{
int ret, count = 0;
#if defined(POLARSSL_THREADING_C)
polarssl_mutex_lock( &ctx->mutex );
#endif
if( ctx->Vf.p != NULL )
{
/* We already have blinding values, just update them by squaring */
MPI_CHK( mpi_mul_mpi( &ctx->Vi, &ctx->Vi, &ctx->Vi ) );
MPI_CHK( mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->N ) );
MPI_CHK( mpi_mul_mpi( &ctx->Vf, &ctx->Vf, &ctx->Vf ) );
MPI_CHK( mpi_mod_mpi( &ctx->Vf, &ctx->Vf, &ctx->N ) );
goto done;
}
/* Unblinding value: Vf = random number, invertible mod N */
do {
if( count++ > 10 )
return( POLARSSL_ERR_RSA_RNG_FAILED );
MPI_CHK( mpi_fill_random( &ctx->Vf, ctx->len - 1, f_rng, p_rng ) );
MPI_CHK( mpi_gcd( &ctx->Vi, &ctx->Vf, &ctx->N ) );
} while( mpi_cmp_int( &ctx->Vi, 1 ) != 0 );
/* Blinding value: Vi = Vf^(-e) mod N */
MPI_CHK( mpi_inv_mod( &ctx->Vi, &ctx->Vf, &ctx->N ) );
MPI_CHK( mpi_exp_mod( &ctx->Vi, &ctx->Vi, &ctx->E, &ctx->N, &ctx->RN ) );
done:
if( Vi != &ctx->Vi )
{
MPI_CHK( mpi_copy( Vi, &ctx->Vi ) );
MPI_CHK( mpi_copy( Vf, &ctx->Vf ) );
}
cleanup:
#if defined(POLARSSL_THREADING_C)
polarssl_mutex_unlock( &ctx->mutex );
#endif
return( ret );
}
/*
* Create own private value X and export G^X
*/
int dhm_make_public( dhm_context *ctx, int x_size,
unsigned char *output, size_t olen,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng )
{
int ret, count = 0;
if( ctx == NULL || olen < 1 || olen > ctx->len )
return( POLARSSL_ERR_DHM_BAD_INPUT_DATA );
if( mpi_cmp_int( &ctx->P, 0 ) == 0 )
return( POLARSSL_ERR_DHM_BAD_INPUT_DATA );
/*
* generate X and calculate GX = G^X mod P
*/
do
{
mpi_fill_random( &ctx->X, x_size, f_rng, p_rng );
while( mpi_cmp_mpi( &ctx->X, &ctx->P ) >= 0 )
mpi_shift_r( &ctx->X, 1 );
if( count++ > 10 )
return( POLARSSL_ERR_DHM_MAKE_PUBLIC_FAILED );
}
while( dhm_check_range( &ctx->X, &ctx->P ) != 0 );
MPI_CHK( mpi_exp_mod( &ctx->GX, &ctx->G, &ctx->X,
&ctx->P , &ctx->RP ) );
if( ( ret = dhm_check_range( &ctx->GX, &ctx->P ) ) != 0 )
return( ret );
MPI_CHK( mpi_write_binary( &ctx->GX, output, olen ) );
cleanup:
if( ret != 0 )
return( POLARSSL_ERR_DHM_MAKE_PUBLIC_FAILED + ret );
return( 0 );
}
/*
* Generate an RSA keypair
*/
int rsa_gen_key( rsa_context *ctx,
int (*f_rng)(void *),
void *p_rng,
int nbits, int exponent )
{
int ret;
mpi P1, Q1, H, G;
if( f_rng == NULL || nbits < 128 || exponent < 3 )
return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
mpi_init( &P1, &Q1, &H, &G, NULL );
/*
* find primes P and Q with Q < P so that:
* GCD( E, (P-1)*(Q-1) ) == 1
*/
MPI_CHK( mpi_lset( &ctx->E, exponent ) );
do
{
MPI_CHK( mpi_gen_prime( &ctx->P, ( nbits + 1 ) >> 1, 0,
f_rng, p_rng ) );
MPI_CHK( mpi_gen_prime( &ctx->Q, ( nbits + 1 ) >> 1, 0,
f_rng, p_rng ) );
if( mpi_cmp_mpi( &ctx->P, &ctx->Q ) < 0 )
mpi_swap( &ctx->P, &ctx->Q );
if( mpi_cmp_mpi( &ctx->P, &ctx->Q ) == 0 )
continue;
MPI_CHK( mpi_mul_mpi( &ctx->N, &ctx->P, &ctx->Q ) );
if( mpi_msb( &ctx->N ) != nbits )
continue;
MPI_CHK( mpi_sub_int( &P1, &ctx->P, 1 ) );
MPI_CHK( mpi_sub_int( &Q1, &ctx->Q, 1 ) );
MPI_CHK( mpi_mul_mpi( &H, &P1, &Q1 ) );
MPI_CHK( mpi_gcd( &G, &ctx->E, &H ) );
}
while( mpi_cmp_int( &G, 1 ) != 0 );
/*
* D = E^-1 mod ((P-1)*(Q-1))
* DP = D mod (P - 1)
* DQ = D mod (Q - 1)
* QP = Q^-1 mod P
*/
MPI_CHK( mpi_inv_mod( &ctx->D , &ctx->E, &H ) );
MPI_CHK( mpi_mod_mpi( &ctx->DP, &ctx->D, &P1 ) );
MPI_CHK( mpi_mod_mpi( &ctx->DQ, &ctx->D, &Q1 ) );
MPI_CHK( mpi_inv_mod( &ctx->QP, &ctx->Q, &ctx->P ) );
ctx->len = ( mpi_msb( &ctx->N ) + 7 ) >> 3;
cleanup:
mpi_free( &G, &H, &Q1, &P1, NULL );
if( ret != 0 )
{
rsa_free( ctx );
return( POLARSSL_ERR_RSA_KEY_GEN_FAILED | ret );
}
return( 0 );
}
/*
* Setup and write the ServerKeyExchange parameters
*/
int dhm_make_params( dhm_context *ctx, int x_size,
unsigned char *output, size_t *olen,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng )
{
int ret, count = 0;
size_t n1, n2, n3;
unsigned char *p;
if( mpi_cmp_int( &ctx->P, 0 ) == 0 )
return( POLARSSL_ERR_DHM_BAD_INPUT_DATA );
/*
* Generate X as large as possible ( < P )
*/
do
{
mpi_fill_random( &ctx->X, x_size, f_rng, p_rng );
while( mpi_cmp_mpi( &ctx->X, &ctx->P ) >= 0 )
mpi_shift_r( &ctx->X, 1 );
if( count++ > 10 )
return( POLARSSL_ERR_DHM_MAKE_PARAMS_FAILED );
}
while( dhm_check_range( &ctx->X, &ctx->P ) != 0 );
/*
* Calculate GX = G^X mod P
*/
MPI_CHK( mpi_exp_mod( &ctx->GX, &ctx->G, &ctx->X,
&ctx->P , &ctx->RP ) );
if( ( ret = dhm_check_range( &ctx->GX, &ctx->P ) ) != 0 )
return( ret );
/*
* export P, G, GX
*/
#define DHM_MPI_EXPORT(X,n) \
MPI_CHK( mpi_write_binary( X, p + 2, n ) ); \
*p++ = (unsigned char)( n >> 8 ); \
*p++ = (unsigned char)( n ); p += n;
n1 = mpi_size( &ctx->P );
n2 = mpi_size( &ctx->G );
n3 = mpi_size( &ctx->GX );
p = output;
DHM_MPI_EXPORT( &ctx->P , n1 );
DHM_MPI_EXPORT( &ctx->G , n2 );
DHM_MPI_EXPORT( &ctx->GX, n3 );
*olen = p - output;
ctx->len = n1;
cleanup:
if( ret != 0 )
return( POLARSSL_ERR_DHM_MAKE_PARAMS_FAILED + ret );
return( 0 );
}
static int Biszero(lua_State *L)
{
mpi *a=Bget(L,1);
lua_pushboolean(L, mpi_cmp_int(a,0)==0);
return 1;
}