1/* rsa.c - RSA implementation 2 * Copyright (C) 1997, 1998, 1999 by Werner Koch (dd9jn) 3 * Copyright (C) 2000, 2001, 2002, 2003, 2008 Free Software Foundation, Inc. 4 * 5 * This file is part of Libgcrypt. 6 * 7 * Libgcrypt is free software; you can redistribute it and/or modify 8 * it under the terms of the GNU Lesser General Public License as 9 * published by the Free Software Foundation; either version 2.1 of 10 * the License, or (at your option) any later version. 11 * 12 * Libgcrypt is distributed in the hope that it will be useful, 13 * but WITHOUT ANY WARRANTY; without even the implied warranty of 14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 * GNU Lesser General Public License for more details. 16 * 17 * You should have received a copy of the GNU Lesser General Public 18 * License along with this program; if not, see <http://www.gnu.org/licenses/>. 19 */ 20 21/* This code uses an algorithm protected by U.S. Patent #4,405,829 22 which expired on September 20, 2000. The patent holder placed that 23 patent into the public domain on Sep 6th, 2000. 24*/ 25 26#include <config.h> 27#include <stdio.h> 28#include <stdlib.h> 29#include <string.h> 30#include <errno.h> 31 32#include "g10lib.h" 33#include "mpi.h" 34#include "cipher.h" 35 36 37typedef struct 38{ 39 gcry_mpi_t n; /* modulus */ 40 gcry_mpi_t e; /* exponent */ 41} RSA_public_key; 42 43 44typedef struct 45{ 46 gcry_mpi_t n; /* public modulus */ 47 gcry_mpi_t e; /* public exponent */ 48 gcry_mpi_t d; /* exponent */ 49 gcry_mpi_t p; /* prime p. */ 50 gcry_mpi_t q; /* prime q. */ 51 gcry_mpi_t u; /* inverse of p mod q. */ 52} RSA_secret_key; 53 54 55/* A sample 1024 bit RSA key used for the selftests. */ 56static const char sample_secret_key[] = 57"(private-key" 58" (rsa" 59" (n #00e0ce96f90b6c9e02f3922beada93fe50a875eac6bcc18bb9a9cf2e84965caa" 60" 2d1ff95a7f542465c6c0c19d276e4526ce048868a7a914fd343cc3a87dd74291" 61" ffc565506d5bbb25cbac6a0e2dd1f8bcaab0d4a29c2f37c950f363484bf269f7" 62" 891440464baf79827e03a36e70b814938eebdc63e964247be75dc58b014b7ea251#)" 63" (e #010001#)" 64" (d #046129f2489d71579be0a75fe029bd6cdb574ebf57ea8a5b0fda942cab943b11" 65" 7d7bb95e5d28875e0f9fc5fcc06a72f6d502464dabded78ef6b716177b83d5bd" 66" c543dc5d3fed932e59f5897e92e6f58a0f33424106a3b6fa2cbf877510e4ac21" 67" c3ee47851e97d12996222ac3566d4ccb0b83d164074abf7de655fc2446da1781#)" 68" (p #00e861b700e17e8afe6837e7512e35b6ca11d0ae47d8b85161c67baf64377213" 69" fe52d772f2035b3ca830af41d8a4120e1c1c70d12cc22f00d28d31dd48a8d424f1#)" 70" (q #00f7a7ca5367c661f8e62df34f0d05c10c88e5492348dd7bddc942c9a8f369f9" 71" 35a07785d2db805215ed786e4285df1658eed3ce84f469b81b50d358407b4ad361#)" 72" (u #304559a9ead56d2309d203811a641bb1a09626bc8eb36fffa23c968ec5bd891e" 73" ebbafc73ae666e01ba7c8990bae06cc2bbe10b75e69fcacb353a6473079d8e9b#)))"; 74/* A sample 1024 bit RSA key used for the selftests (public only). */ 75static const char sample_public_key[] = 76"(public-key" 77" (rsa" 78" (n #00e0ce96f90b6c9e02f3922beada93fe50a875eac6bcc18bb9a9cf2e84965caa" 79" 2d1ff95a7f542465c6c0c19d276e4526ce048868a7a914fd343cc3a87dd74291" 80" ffc565506d5bbb25cbac6a0e2dd1f8bcaab0d4a29c2f37c950f363484bf269f7" 81" 891440464baf79827e03a36e70b814938eebdc63e964247be75dc58b014b7ea251#)" 82" (e #010001#)))"; 83 84 85 86 87static int test_keys (RSA_secret_key *sk, unsigned nbits); 88static int check_secret_key (RSA_secret_key *sk); 89static void public (gcry_mpi_t output, gcry_mpi_t input, RSA_public_key *skey); 90static void secret (gcry_mpi_t output, gcry_mpi_t input, RSA_secret_key *skey); 91 92 93/* Check that a freshly generated key actually works. Returns 0 on success. */ 94static int 95test_keys (RSA_secret_key *sk, unsigned int nbits) 96{ 97 int result = -1; /* Default to failure. */ 98 RSA_public_key pk; 99 gcry_mpi_t plaintext = gcry_mpi_new (nbits); 100 gcry_mpi_t ciphertext = gcry_mpi_new (nbits); 101 gcry_mpi_t decr_plaintext = gcry_mpi_new (nbits); 102 gcry_mpi_t signature = gcry_mpi_new (nbits); 103 104 /* Put the relevant parameters into a public key structure. */ 105 pk.n = sk->n; 106 pk.e = sk->e; 107 108 /* Create a random plaintext. */ 109 gcry_mpi_randomize (plaintext, nbits, GCRY_WEAK_RANDOM); 110 111 /* Encrypt using the public key. */ 112 public (ciphertext, plaintext, &pk); 113 114 /* Check that the cipher text does not match the plaintext. */ 115 if (!gcry_mpi_cmp (ciphertext, plaintext)) 116 goto leave; /* Ciphertext is identical to the plaintext. */ 117 118 /* Decrypt using the secret key. */ 119 secret (decr_plaintext, ciphertext, sk); 120 121 /* Check that the decrypted plaintext matches the original plaintext. */ 122 if (gcry_mpi_cmp (decr_plaintext, plaintext)) 123 goto leave; /* Plaintext does not match. */ 124 125 /* Create another random plaintext as data for signature checking. */ 126 gcry_mpi_randomize (plaintext, nbits, GCRY_WEAK_RANDOM); 127 128 /* Use the RSA secret function to create a signature of the plaintext. */ 129 secret (signature, plaintext, sk); 130 131 /* Use the RSA public function to verify this signature. */ 132 public (decr_plaintext, signature, &pk); 133 if (gcry_mpi_cmp (decr_plaintext, plaintext)) 134 goto leave; /* Signature does not match. */ 135 136 /* Modify the signature and check that the signing fails. */ 137 gcry_mpi_add_ui (signature, signature, 1); 138 public (decr_plaintext, signature, &pk); 139 if (!gcry_mpi_cmp (decr_plaintext, plaintext)) 140 goto leave; /* Signature matches but should not. */ 141 142 result = 0; /* All tests succeeded. */ 143 144 leave: 145 gcry_mpi_release (signature); 146 gcry_mpi_release (decr_plaintext); 147 gcry_mpi_release (ciphertext); 148 gcry_mpi_release (plaintext); 149 return result; 150} 151 152 153/* Callback used by the prime generation to test whether the exponent 154 is suitable. Returns 0 if the test has been passed. */ 155static int 156check_exponent (void *arg, gcry_mpi_t a) 157{ 158 gcry_mpi_t e = arg; 159 gcry_mpi_t tmp; 160 int result; 161 162 mpi_sub_ui (a, a, 1); 163 tmp = _gcry_mpi_alloc_like (a); 164 result = !gcry_mpi_gcd(tmp, e, a); /* GCD is not 1. */ 165 gcry_mpi_release (tmp); 166 mpi_add_ui (a, a, 1); 167 return result; 168} 169 170/**************** 171 * Generate a key pair with a key of size NBITS. 172 * USE_E = 0 let Libcgrypt decide what exponent to use. 173 * = 1 request the use of a "secure" exponent; this is required by some 174 * specification to be 65537. 175 * > 2 Use this public exponent. If the given exponent 176 * is not odd one is internally added to it. 177 * TRANSIENT_KEY: If true, generate the primes using the standard RNG. 178 * Returns: 2 structures filled with all needed values 179 */ 180static gpg_err_code_t 181generate_std (RSA_secret_key *sk, unsigned int nbits, unsigned long use_e, 182 int transient_key) 183{ 184 gcry_mpi_t p, q; /* the two primes */ 185 gcry_mpi_t d; /* the private key */ 186 gcry_mpi_t u; 187 gcry_mpi_t t1, t2; 188 gcry_mpi_t n; /* the public key */ 189 gcry_mpi_t e; /* the exponent */ 190 gcry_mpi_t phi; /* helper: (p-1)(q-1) */ 191 gcry_mpi_t g; 192 gcry_mpi_t f; 193 gcry_random_level_t random_level; 194 195 if (fips_mode ()) 196 { 197 if (nbits < 1024) 198 return GPG_ERR_INV_VALUE; 199 if (transient_key) 200 return GPG_ERR_INV_VALUE; 201 } 202 203 /* The random quality depends on the transient_key flag. */ 204 random_level = transient_key ? GCRY_STRONG_RANDOM : GCRY_VERY_STRONG_RANDOM; 205 206 /* Make sure that nbits is even so that we generate p, q of equal size. */ 207 if ( (nbits&1) ) 208 nbits++; 209 210 if (use_e == 1) /* Alias for a secure value */ 211 use_e = 65537; /* as demanded by Sphinx. */ 212 213 /* Public exponent: 214 In general we use 41 as this is quite fast and more secure than the 215 commonly used 17. Benchmarking the RSA verify function 216 with a 1024 bit key yields (2001-11-08): 217 e=17 0.54 ms 218 e=41 0.75 ms 219 e=257 0.95 ms 220 e=65537 1.80 ms 221 */ 222 e = mpi_alloc( (32+BITS_PER_MPI_LIMB-1)/BITS_PER_MPI_LIMB ); 223 if (!use_e) 224 mpi_set_ui (e, 41); /* This is a reasonable secure and fast value */ 225 else 226 { 227 use_e |= 1; /* make sure this is odd */ 228 mpi_set_ui (e, use_e); 229 } 230 231 n = gcry_mpi_new (nbits); 232 233 p = q = NULL; 234 do 235 { 236 /* select two (very secret) primes */ 237 if (p) 238 gcry_mpi_release (p); 239 if (q) 240 gcry_mpi_release (q); 241 if (use_e) 242 { /* Do an extra test to ensure that the given exponent is 243 suitable. */ 244 p = _gcry_generate_secret_prime (nbits/2, random_level, 245 check_exponent, e); 246 q = _gcry_generate_secret_prime (nbits/2, random_level, 247 check_exponent, e); 248 } 249 else 250 { /* We check the exponent later. */ 251 p = _gcry_generate_secret_prime (nbits/2, random_level, NULL, NULL); 252 q = _gcry_generate_secret_prime (nbits/2, random_level, NULL, NULL); 253 } 254 if (mpi_cmp (p, q) > 0 ) /* p shall be smaller than q (for calc of u)*/ 255 mpi_swap(p,q); 256 /* calculate the modulus */ 257 mpi_mul( n, p, q ); 258 } 259 while ( mpi_get_nbits(n) != nbits ); 260 261 /* calculate Euler totient: phi = (p-1)(q-1) */ 262 t1 = mpi_alloc_secure( mpi_get_nlimbs(p) ); 263 t2 = mpi_alloc_secure( mpi_get_nlimbs(p) ); 264 phi = gcry_mpi_snew ( nbits ); 265 g = gcry_mpi_snew ( nbits ); 266 f = gcry_mpi_snew ( nbits ); 267 mpi_sub_ui( t1, p, 1 ); 268 mpi_sub_ui( t2, q, 1 ); 269 mpi_mul( phi, t1, t2 ); 270 gcry_mpi_gcd(g, t1, t2); 271 mpi_fdiv_q(f, phi, g); 272 273 while (!gcry_mpi_gcd(t1, e, phi)) /* (while gcd is not 1) */ 274 { 275 if (use_e) 276 BUG (); /* The prime generator already made sure that we 277 never can get to here. */ 278 mpi_add_ui (e, e, 2); 279 } 280 281 /* calculate the secret key d = e^1 mod phi */ 282 d = gcry_mpi_snew ( nbits ); 283 mpi_invm(d, e, f ); 284 /* calculate the inverse of p and q (used for chinese remainder theorem)*/ 285 u = gcry_mpi_snew ( nbits ); 286 mpi_invm(u, p, q ); 287 288 if( DBG_CIPHER ) 289 { 290 log_mpidump(" p= ", p ); 291 log_mpidump(" q= ", q ); 292 log_mpidump("phi= ", phi ); 293 log_mpidump(" g= ", g ); 294 log_mpidump(" f= ", f ); 295 log_mpidump(" n= ", n ); 296 log_mpidump(" e= ", e ); 297 log_mpidump(" d= ", d ); 298 log_mpidump(" u= ", u ); 299 } 300 301 gcry_mpi_release (t1); 302 gcry_mpi_release (t2); 303 gcry_mpi_release (phi); 304 gcry_mpi_release (f); 305 gcry_mpi_release (g); 306 307 sk->n = n; 308 sk->e = e; 309 sk->p = p; 310 sk->q = q; 311 sk->d = d; 312 sk->u = u; 313 314 /* Now we can test our keys. */ 315 if (test_keys (sk, nbits - 64)) 316 { 317 gcry_mpi_release (sk->n); sk->n = NULL; 318 gcry_mpi_release (sk->e); sk->e = NULL; 319 gcry_mpi_release (sk->p); sk->p = NULL; 320 gcry_mpi_release (sk->q); sk->q = NULL; 321 gcry_mpi_release (sk->d); sk->d = NULL; 322 gcry_mpi_release (sk->u); sk->u = NULL; 323 fips_signal_error ("self-test after key generation failed"); 324 return GPG_ERR_SELFTEST_FAILED; 325 } 326 327 return 0; 328} 329 330 331/* Helper for generate_x931. */ 332static gcry_mpi_t 333gen_x931_parm_xp (unsigned int nbits) 334{ 335 gcry_mpi_t xp; 336 337 xp = gcry_mpi_snew (nbits); 338 gcry_mpi_randomize (xp, nbits, GCRY_VERY_STRONG_RANDOM); 339 340 /* The requirement for Xp is: 341 342 sqrt{2}*2^{nbits-1} <= xp <= 2^{nbits} - 1 343 344 We set the two high order bits to 1 to satisfy the lower bound. 345 By using mpi_set_highbit we make sure that the upper bound is 346 satisfied as well. */ 347 mpi_set_highbit (xp, nbits-1); 348 mpi_set_bit (xp, nbits-2); 349 gcry_assert ( mpi_get_nbits (xp) == nbits ); 350 351 return xp; 352} 353 354 355/* Helper for generate_x931. */ 356static gcry_mpi_t 357gen_x931_parm_xi (void) 358{ 359 gcry_mpi_t xi; 360 361 xi = gcry_mpi_snew (101); 362 gcry_mpi_randomize (xi, 101, GCRY_VERY_STRONG_RANDOM); 363 mpi_set_highbit (xi, 100); 364 gcry_assert ( mpi_get_nbits (xi) == 101 ); 365 366 return xi; 367} 368 369 370 371/* Variant of the standard key generation code using the algorithm 372 from X9.31. Using this algorithm has the advantage that the 373 generation can be made deterministic which is required for CAVS 374 testing. */ 375static gpg_err_code_t 376generate_x931 (RSA_secret_key *sk, unsigned int nbits, unsigned long e_value, 377 gcry_sexp_t deriveparms, int *swapped) 378{ 379 gcry_mpi_t p, q; /* The two primes. */ 380 gcry_mpi_t e; /* The public exponent. */ 381 gcry_mpi_t n; /* The public key. */ 382 gcry_mpi_t d; /* The private key */ 383 gcry_mpi_t u; /* The inverse of p and q. */ 384 gcry_mpi_t pm1; /* p - 1 */ 385 gcry_mpi_t qm1; /* q - 1 */ 386 gcry_mpi_t phi; /* Euler totient. */ 387 gcry_mpi_t f, g; /* Helper. */ 388 389 *swapped = 0; 390 391 if (e_value == 1) /* Alias for a secure value. */ 392 e_value = 65537; 393 394 /* Point 1 of section 4.1: k = 1024 + 256s with S >= 0 */ 395 if (nbits < 1024 || (nbits % 256)) 396 return GPG_ERR_INV_VALUE; 397 398 /* Point 2: 2 <= bitlength(e) < 2^{k-2} 399 Note that we do not need to check the upper bound because we use 400 an unsigned long for E and thus there is no way for E to reach 401 that limit. */ 402 if (e_value < 3) 403 return GPG_ERR_INV_VALUE; 404 405 /* Our implementaion requires E to be odd. */ 406 if (!(e_value & 1)) 407 return GPG_ERR_INV_VALUE; 408 409 /* Point 3: e > 0 or e 0 if it is to be randomly generated. 410 We support only a fixed E and thus there is no need for an extra test. */ 411 412 413 /* Compute or extract the derive parameters. */ 414 { 415 gcry_mpi_t xp1 = NULL; 416 gcry_mpi_t xp2 = NULL; 417 gcry_mpi_t xp = NULL; 418 gcry_mpi_t xq1 = NULL; 419 gcry_mpi_t xq2 = NULL; 420 gcry_mpi_t xq = NULL; 421 gcry_mpi_t tmpval; 422 423 if (!deriveparms) 424 { 425 /* Not given: Generate them. */ 426 xp = gen_x931_parm_xp (nbits/2); 427 /* Make sure that |xp - xq| > 2^{nbits - 100} holds. */ 428 tmpval = gcry_mpi_snew (nbits/2); 429 do 430 { 431 gcry_mpi_release (xq); 432 xq = gen_x931_parm_xp (nbits/2); 433 mpi_sub (tmpval, xp, xq); 434 } 435 while (mpi_get_nbits (tmpval) <= (nbits/2 - 100)); 436 gcry_mpi_release (tmpval); 437 438 xp1 = gen_x931_parm_xi (); 439 xp2 = gen_x931_parm_xi (); 440 xq1 = gen_x931_parm_xi (); 441 xq2 = gen_x931_parm_xi (); 442 443 } 444 else 445 { 446 /* Parameters to derive the key are given. */ 447 /* Note that we explicitly need to setup the values of tbl 448 because some compilers (e.g. OpenWatcom, IRIX) don't allow 449 to initialize a structure with automatic variables. */ 450 struct { const char *name; gcry_mpi_t *value; } tbl[] = { 451 { "Xp1" }, 452 { "Xp2" }, 453 { "Xp" }, 454 { "Xq1" }, 455 { "Xq2" }, 456 { "Xq" }, 457 { NULL } 458 }; 459 int idx; 460 gcry_sexp_t oneparm; 461 462 tbl[0].value = &xp1; 463 tbl[1].value = &xp2; 464 tbl[2].value = &xp; 465 tbl[3].value = &xq1; 466 tbl[4].value = &xq2; 467 tbl[5].value = &xq; 468 469 for (idx=0; tbl[idx].name; idx++) 470 { 471 oneparm = gcry_sexp_find_token (deriveparms, tbl[idx].name, 0); 472 if (oneparm) 473 { 474 *tbl[idx].value = gcry_sexp_nth_mpi (oneparm, 1, 475 GCRYMPI_FMT_USG); 476 gcry_sexp_release (oneparm); 477 } 478 } 479 for (idx=0; tbl[idx].name; idx++) 480 if (!*tbl[idx].value) 481 break; 482 if (tbl[idx].name) 483 { 484 /* At least one parameter is missing. */ 485 for (idx=0; tbl[idx].name; idx++) 486 gcry_mpi_release (*tbl[idx].value); 487 return GPG_ERR_MISSING_VALUE; 488 } 489 } 490 491 e = mpi_alloc_set_ui (e_value); 492 493 /* Find two prime numbers. */ 494 p = _gcry_derive_x931_prime (xp, xp1, xp2, e, NULL, NULL); 495 q = _gcry_derive_x931_prime (xq, xq1, xq2, e, NULL, NULL); 496 gcry_mpi_release (xp); xp = NULL; 497 gcry_mpi_release (xp1); xp1 = NULL; 498 gcry_mpi_release (xp2); xp2 = NULL; 499 gcry_mpi_release (xq); xq = NULL; 500 gcry_mpi_release (xq1); xq1 = NULL; 501 gcry_mpi_release (xq2); xq2 = NULL; 502 if (!p || !q) 503 { 504 gcry_mpi_release (p); 505 gcry_mpi_release (q); 506 gcry_mpi_release (e); 507 return GPG_ERR_NO_PRIME; 508 } 509 } 510 511 512 /* Compute the public modulus. We make sure that p is smaller than 513 q to allow the use of the CRT. */ 514 if (mpi_cmp (p, q) > 0 ) 515 { 516 mpi_swap (p, q); 517 *swapped = 1; 518 } 519 n = gcry_mpi_new (nbits); 520 mpi_mul (n, p, q); 521 522 /* Compute the Euler totient: phi = (p-1)(q-1) */ 523 pm1 = gcry_mpi_snew (nbits/2); 524 qm1 = gcry_mpi_snew (nbits/2); 525 phi = gcry_mpi_snew (nbits); 526 mpi_sub_ui (pm1, p, 1); 527 mpi_sub_ui (qm1, q, 1); 528 mpi_mul (phi, pm1, qm1); 529 530 g = gcry_mpi_snew (nbits); 531 gcry_assert (gcry_mpi_gcd (g, e, phi)); 532 533 /* Compute: f = lcm(p-1,q-1) = phi / gcd(p-1,q-1) */ 534 gcry_mpi_gcd (g, pm1, qm1); 535 f = pm1; pm1 = NULL; 536 gcry_mpi_release (qm1); qm1 = NULL; 537 mpi_fdiv_q (f, phi, g); 538 gcry_mpi_release (phi); phi = NULL; 539 d = g; g = NULL; 540 /* Compute the secret key: d = e^{-1} mod lcm(p-1,q-1) */ 541 mpi_invm (d, e, f); 542 543 /* Compute the inverse of p and q. */ 544 u = f; f = NULL; 545 mpi_invm (u, p, q ); 546 547 if( DBG_CIPHER ) 548 { 549 if (*swapped) 550 log_debug ("p and q are swapped\n"); 551 log_mpidump(" p", p ); 552 log_mpidump(" q", q ); 553 log_mpidump(" n", n ); 554 log_mpidump(" e", e ); 555 log_mpidump(" d", d ); 556 log_mpidump(" u", u ); 557 } 558 559 560 sk->n = n; 561 sk->e = e; 562 sk->p = p; 563 sk->q = q; 564 sk->d = d; 565 sk->u = u; 566 567 /* Now we can test our keys. */ 568 if (test_keys (sk, nbits - 64)) 569 { 570 gcry_mpi_release (sk->n); sk->n = NULL; 571 gcry_mpi_release (sk->e); sk->e = NULL; 572 gcry_mpi_release (sk->p); sk->p = NULL; 573 gcry_mpi_release (sk->q); sk->q = NULL; 574 gcry_mpi_release (sk->d); sk->d = NULL; 575 gcry_mpi_release (sk->u); sk->u = NULL; 576 fips_signal_error ("self-test after key generation failed"); 577 return GPG_ERR_SELFTEST_FAILED; 578 } 579 580 return 0; 581} 582 583 584/**************** 585 * Test whether the secret key is valid. 586 * Returns: true if this is a valid key. 587 */ 588static int 589check_secret_key( RSA_secret_key *sk ) 590{ 591 int rc; 592 gcry_mpi_t temp = mpi_alloc( mpi_get_nlimbs(sk->p)*2 ); 593 594 mpi_mul(temp, sk->p, sk->q ); 595 rc = mpi_cmp( temp, sk->n ); 596 mpi_free(temp); 597 return !rc; 598} 599 600 601 602/**************** 603 * Public key operation. Encrypt INPUT with PKEY and put result into OUTPUT. 604 * 605 * c = m^e mod n 606 * 607 * Where c is OUTPUT, m is INPUT and e,n are elements of PKEY. 608 */ 609static void 610public(gcry_mpi_t output, gcry_mpi_t input, RSA_public_key *pkey ) 611{ 612 if( output == input ) /* powm doesn't like output and input the same */ 613 { 614 gcry_mpi_t x = mpi_alloc( mpi_get_nlimbs(input)*2 ); 615 mpi_powm( x, input, pkey->e, pkey->n ); 616 mpi_set(output, x); 617 mpi_free(x); 618 } 619 else 620 mpi_powm( output, input, pkey->e, pkey->n ); 621} 622 623#if 0 624static void 625stronger_key_check ( RSA_secret_key *skey ) 626{ 627 gcry_mpi_t t = mpi_alloc_secure ( 0 ); 628 gcry_mpi_t t1 = mpi_alloc_secure ( 0 ); 629 gcry_mpi_t t2 = mpi_alloc_secure ( 0 ); 630 gcry_mpi_t phi = mpi_alloc_secure ( 0 ); 631 632 /* check that n == p * q */ 633 mpi_mul( t, skey->p, skey->q); 634 if (mpi_cmp( t, skey->n) ) 635 log_info ( "RSA Oops: n != p * q\n" ); 636 637 /* check that p is less than q */ 638 if( mpi_cmp( skey->p, skey->q ) > 0 ) 639 { 640 log_info ("RSA Oops: p >= q - fixed\n"); 641 _gcry_mpi_swap ( skey->p, skey->q); 642 } 643 644 /* check that e divides neither p-1 nor q-1 */ 645 mpi_sub_ui(t, skey->p, 1 ); 646 mpi_fdiv_r(t, t, skey->e ); 647 if ( !mpi_cmp_ui( t, 0) ) 648 log_info ( "RSA Oops: e divides p-1\n" ); 649 mpi_sub_ui(t, skey->q, 1 ); 650 mpi_fdiv_r(t, t, skey->e ); 651 if ( !mpi_cmp_ui( t, 0) ) 652 log_info ( "RSA Oops: e divides q-1\n" ); 653 654 /* check that d is correct */ 655 mpi_sub_ui( t1, skey->p, 1 ); 656 mpi_sub_ui( t2, skey->q, 1 ); 657 mpi_mul( phi, t1, t2 ); 658 gcry_mpi_gcd(t, t1, t2); 659 mpi_fdiv_q(t, phi, t); 660 mpi_invm(t, skey->e, t ); 661 if ( mpi_cmp(t, skey->d ) ) 662 { 663 log_info ( "RSA Oops: d is wrong - fixed\n"); 664 mpi_set (skey->d, t); 665 _gcry_log_mpidump (" fixed d", skey->d); 666 } 667 668 /* check for correctness of u */ 669 mpi_invm(t, skey->p, skey->q ); 670 if ( mpi_cmp(t, skey->u ) ) 671 { 672 log_info ( "RSA Oops: u is wrong - fixed\n"); 673 mpi_set (skey->u, t); 674 _gcry_log_mpidump (" fixed u", skey->u); 675 } 676 677 log_info ( "RSA secret key check finished\n"); 678 679 mpi_free (t); 680 mpi_free (t1); 681 mpi_free (t2); 682 mpi_free (phi); 683} 684#endif 685 686 687 688/**************** 689 * Secret key operation. Encrypt INPUT with SKEY and put result into OUTPUT. 690 * 691 * m = c^d mod n 692 * 693 * Or faster: 694 * 695 * m1 = c ^ (d mod (p-1)) mod p 696 * m2 = c ^ (d mod (q-1)) mod q 697 * h = u * (m2 - m1) mod q 698 * m = m1 + h * p 699 * 700 * Where m is OUTPUT, c is INPUT and d,n,p,q,u are elements of SKEY. 701 */ 702static void 703secret(gcry_mpi_t output, gcry_mpi_t input, RSA_secret_key *skey ) 704{ 705 if (!skey->p || !skey->q || !skey->u) 706 { 707 mpi_powm (output, input, skey->d, skey->n); 708 } 709 else 710 { 711 gcry_mpi_t m1 = mpi_alloc_secure( mpi_get_nlimbs(skey->n)+1 ); 712 gcry_mpi_t m2 = mpi_alloc_secure( mpi_get_nlimbs(skey->n)+1 ); 713 gcry_mpi_t h = mpi_alloc_secure( mpi_get_nlimbs(skey->n)+1 ); 714 715 /* m1 = c ^ (d mod (p-1)) mod p */ 716 mpi_sub_ui( h, skey->p, 1 ); 717 mpi_fdiv_r( h, skey->d, h ); 718 mpi_powm( m1, input, h, skey->p ); 719 /* m2 = c ^ (d mod (q-1)) mod q */ 720 mpi_sub_ui( h, skey->q, 1 ); 721 mpi_fdiv_r( h, skey->d, h ); 722 mpi_powm( m2, input, h, skey->q ); 723 /* h = u * ( m2 - m1 ) mod q */ 724 mpi_sub( h, m2, m1 ); 725 if ( mpi_is_neg( h ) ) 726 mpi_add ( h, h, skey->q ); 727 mpi_mulm( h, skey->u, h, skey->q ); 728 /* m = m2 + h * p */ 729 mpi_mul ( h, h, skey->p ); 730 mpi_add ( output, m1, h ); 731 732 mpi_free ( h ); 733 mpi_free ( m1 ); 734 mpi_free ( m2 ); 735 } 736} 737 738 739 740/* Perform RSA blinding. */ 741static gcry_mpi_t 742rsa_blind (gcry_mpi_t x, gcry_mpi_t r, gcry_mpi_t e, gcry_mpi_t n) 743{ 744 /* A helper. */ 745 gcry_mpi_t a; 746 747 /* Result. */ 748 gcry_mpi_t y; 749 750 a = gcry_mpi_snew (gcry_mpi_get_nbits (n)); 751 y = gcry_mpi_snew (gcry_mpi_get_nbits (n)); 752 753 /* Now we calculate: y = (x * r^e) mod n, where r is the random 754 number, e is the public exponent, x is the non-blinded data and n 755 is the RSA modulus. */ 756 gcry_mpi_powm (a, r, e, n); 757 gcry_mpi_mulm (y, a, x, n); 758 759 gcry_mpi_release (a); 760 761 return y; 762} 763 764/* Undo RSA blinding. */ 765static gcry_mpi_t 766rsa_unblind (gcry_mpi_t x, gcry_mpi_t ri, gcry_mpi_t n) 767{ 768 gcry_mpi_t y; 769 770 y = gcry_mpi_snew (gcry_mpi_get_nbits (n)); 771 772 /* Here we calculate: y = (x * r^-1) mod n, where x is the blinded 773 decrypted data, ri is the modular multiplicative inverse of r and 774 n is the RSA modulus. */ 775 776 gcry_mpi_mulm (y, ri, x, n); 777 778 return y; 779} 780 781/********************************************* 782 ************** interface ****************** 783 *********************************************/ 784 785static gcry_err_code_t 786rsa_generate_ext (int algo, unsigned int nbits, unsigned long evalue, 787 const gcry_sexp_t genparms, 788 gcry_mpi_t *skey, gcry_mpi_t **retfactors, 789 gcry_sexp_t *r_extrainfo) 790{ 791 RSA_secret_key sk; 792 gpg_err_code_t ec; 793 gcry_sexp_t deriveparms; 794 int transient_key = 0; 795 int use_x931 = 0; 796 gcry_sexp_t l1; 797 798 (void)algo; 799 800 *retfactors = NULL; /* We don't return them. */ 801 802 deriveparms = (genparms? 803 gcry_sexp_find_token (genparms, "derive-parms", 0) : NULL); 804 if (!deriveparms) 805 { 806 /* Parse the optional "use-x931" flag. */ 807 l1 = gcry_sexp_find_token (genparms, "use-x931", 0); 808 if (l1) 809 { 810 use_x931 = 1; 811 gcry_sexp_release (l1); 812 } 813 } 814 815 if (deriveparms || use_x931 || fips_mode ()) 816 { 817 int swapped; 818 ec = generate_x931 (&sk, nbits, evalue, deriveparms, &swapped); 819 gcry_sexp_release (deriveparms); 820 if (!ec && r_extrainfo && swapped) 821 { 822 ec = gcry_sexp_new (r_extrainfo, 823 "(misc-key-info(p-q-swapped))", 0, 1); 824 if (ec) 825 { 826 gcry_mpi_release (sk.n); sk.n = NULL; 827 gcry_mpi_release (sk.e); sk.e = NULL; 828 gcry_mpi_release (sk.p); sk.p = NULL; 829 gcry_mpi_release (sk.q); sk.q = NULL; 830 gcry_mpi_release (sk.d); sk.d = NULL; 831 gcry_mpi_release (sk.u); sk.u = NULL; 832 } 833 } 834 } 835 else 836 { 837 /* Parse the optional "transient-key" flag. */ 838 l1 = gcry_sexp_find_token (genparms, "transient-key", 0); 839 if (l1) 840 { 841 transient_key = 1; 842 gcry_sexp_release (l1); 843 } 844 /* Generate. */ 845 ec = generate_std (&sk, nbits, evalue, transient_key); 846 } 847 848 if (!ec) 849 { 850 skey[0] = sk.n; 851 skey[1] = sk.e; 852 skey[2] = sk.d; 853 skey[3] = sk.p; 854 skey[4] = sk.q; 855 skey[5] = sk.u; 856 } 857 858 return ec; 859} 860 861 862static gcry_err_code_t 863rsa_generate (int algo, unsigned int nbits, unsigned long evalue, 864 gcry_mpi_t *skey, gcry_mpi_t **retfactors) 865{ 866 return rsa_generate_ext (algo, nbits, evalue, NULL, skey, retfactors, NULL); 867} 868 869 870static gcry_err_code_t 871rsa_check_secret_key (int algo, gcry_mpi_t *skey) 872{ 873 gcry_err_code_t err = GPG_ERR_NO_ERROR; 874 RSA_secret_key sk; 875 876 (void)algo; 877 878 sk.n = skey[0]; 879 sk.e = skey[1]; 880 sk.d = skey[2]; 881 sk.p = skey[3]; 882 sk.q = skey[4]; 883 sk.u = skey[5]; 884 885 if (!sk.p || !sk.q || !sk.u) 886 err = GPG_ERR_NO_OBJ; /* To check the key we need the optional 887 parameters. */ 888 else if (!check_secret_key (&sk)) 889 err = GPG_ERR_BAD_SECKEY; 890 891 return err; 892} 893 894 895static gcry_err_code_t 896rsa_encrypt (int algo, gcry_mpi_t *resarr, gcry_mpi_t data, 897 gcry_mpi_t *pkey, int flags) 898{ 899 RSA_public_key pk; 900 901 (void)algo; 902 (void)flags; 903 904 pk.n = pkey[0]; 905 pk.e = pkey[1]; 906 resarr[0] = mpi_alloc (mpi_get_nlimbs (pk.n)); 907 public (resarr[0], data, &pk); 908 909 return GPG_ERR_NO_ERROR; 910} 911 912 913static gcry_err_code_t 914rsa_decrypt (int algo, gcry_mpi_t *result, gcry_mpi_t *data, 915 gcry_mpi_t *skey, int flags) 916{ 917 RSA_secret_key sk; 918 gcry_mpi_t r = MPI_NULL; /* Random number needed for blinding. */ 919 gcry_mpi_t ri = MPI_NULL; /* Modular multiplicative inverse of 920 r. */ 921 gcry_mpi_t x = MPI_NULL; /* Data to decrypt. */ 922 gcry_mpi_t y; /* Result. */ 923 924 (void)algo; 925 926 /* Extract private key. */ 927 sk.n = skey[0]; 928 sk.e = skey[1]; 929 sk.d = skey[2]; 930 sk.p = skey[3]; /* Optional. */ 931 sk.q = skey[4]; /* Optional. */ 932 sk.u = skey[5]; /* Optional. */ 933 934 y = gcry_mpi_snew (gcry_mpi_get_nbits (sk.n)); 935 936 /* We use blinding by default to mitigate timing attacks which can 937 be practically mounted over the network as shown by Brumley and 938 Boney in 2003. */ 939 if (! (flags & PUBKEY_FLAG_NO_BLINDING)) 940 { 941 /* Initialize blinding. */ 942 943 /* First, we need a random number r between 0 and n - 1, which 944 is relatively prime to n (i.e. it is neither p nor q). The 945 random number needs to be only unpredictable, thus we employ 946 the gcry_create_nonce function by using GCRY_WEAK_RANDOM with 947 gcry_mpi_randomize. */ 948 r = gcry_mpi_snew (gcry_mpi_get_nbits (sk.n)); 949 ri = gcry_mpi_snew (gcry_mpi_get_nbits (sk.n)); 950 951 gcry_mpi_randomize (r, gcry_mpi_get_nbits (sk.n), GCRY_WEAK_RANDOM); 952 gcry_mpi_mod (r, r, sk.n); 953 954 /* Calculate inverse of r. It practically impossible that the 955 following test fails, thus we do not add code to release 956 allocated resources. */ 957 if (!gcry_mpi_invm (ri, r, sk.n)) 958 return GPG_ERR_INTERNAL; 959 } 960 961 if (! (flags & PUBKEY_FLAG_NO_BLINDING)) 962 x = rsa_blind (data[0], r, sk.e, sk.n); 963 else 964 x = data[0]; 965 966 /* Do the encryption. */ 967 secret (y, x, &sk); 968 969 if (! (flags & PUBKEY_FLAG_NO_BLINDING)) 970 { 971 /* Undo blinding. */ 972 gcry_mpi_t a = gcry_mpi_copy (y); 973 974 gcry_mpi_release (y); 975 y = rsa_unblind (a, ri, sk.n); 976 977 gcry_mpi_release (a); 978 } 979 980 if (! (flags & PUBKEY_FLAG_NO_BLINDING)) 981 { 982 /* Deallocate resources needed for blinding. */ 983 gcry_mpi_release (x); 984 gcry_mpi_release (r); 985 gcry_mpi_release (ri); 986 } 987 988 /* Copy out result. */ 989 *result = y; 990 991 return GPG_ERR_NO_ERROR; 992} 993 994 995static gcry_err_code_t 996rsa_sign (int algo, gcry_mpi_t *resarr, gcry_mpi_t data, gcry_mpi_t *skey) 997{ 998 RSA_secret_key sk; 999 1000 (void)algo; 1001 1002 sk.n = skey[0]; 1003 sk.e = skey[1]; 1004 sk.d = skey[2]; 1005 sk.p = skey[3]; 1006 sk.q = skey[4]; 1007 sk.u = skey[5]; 1008 resarr[0] = mpi_alloc( mpi_get_nlimbs (sk.n)); 1009 secret (resarr[0], data, &sk); 1010 1011 return GPG_ERR_NO_ERROR; 1012} 1013 1014 1015static gcry_err_code_t 1016rsa_verify (int algo, gcry_mpi_t hash, gcry_mpi_t *data, gcry_mpi_t *pkey, 1017 int (*cmp) (void *opaque, gcry_mpi_t tmp), 1018 void *opaquev) 1019{ 1020 RSA_public_key pk; 1021 gcry_mpi_t result; 1022 gcry_err_code_t rc; 1023 1024 (void)algo; 1025 (void)cmp; 1026 (void)opaquev; 1027 1028 pk.n = pkey[0]; 1029 pk.e = pkey[1]; 1030 result = gcry_mpi_new ( 160 ); 1031 public( result, data[0], &pk ); 1032#ifdef IS_DEVELOPMENT_VERSION 1033 if (DBG_CIPHER) 1034 { 1035 log_mpidump ("rsa verify result:", result ); 1036 log_mpidump (" hash:", hash ); 1037 } 1038#endif /*IS_DEVELOPMENT_VERSION*/ 1039 if (cmp) 1040 rc = (*cmp) (opaquev, result); 1041 else 1042 rc = mpi_cmp (result, hash) ? GPG_ERR_BAD_SIGNATURE : GPG_ERR_NO_ERROR; 1043 gcry_mpi_release (result); 1044 1045 return rc; 1046} 1047 1048 1049static unsigned int 1050rsa_get_nbits (int algo, gcry_mpi_t *pkey) 1051{ 1052 (void)algo; 1053 1054 return mpi_get_nbits (pkey[0]); 1055} 1056 1057 1058/* Compute a keygrip. MD is the hash context which we are going to 1059 update. KEYPARAM is an S-expression with the key parameters, this 1060 is usually a public key but may also be a secret key. An example 1061 of such an S-expression is: 1062 1063 (rsa 1064 (n #00B...#) 1065 (e #010001#)) 1066 1067 PKCS-15 says that for RSA only the modulus should be hashed - 1068 however, it is not clear whether this is meant to use the raw bytes 1069 (assuming this is an unsigned integer) or whether the DER required 1070 0 should be prefixed. We hash the raw bytes. */ 1071static gpg_err_code_t 1072compute_keygrip (gcry_md_hd_t md, gcry_sexp_t keyparam) 1073{ 1074 gcry_sexp_t l1; 1075 const char *data; 1076 size_t datalen; 1077 1078 l1 = gcry_sexp_find_token (keyparam, "n", 1); 1079 if (!l1) 1080 return GPG_ERR_NO_OBJ; 1081 1082 data = gcry_sexp_nth_data (l1, 1, &datalen); 1083 if (!data) 1084 { 1085 gcry_sexp_release (l1); 1086 return GPG_ERR_NO_OBJ; 1087 } 1088 1089 gcry_md_write (md, data, datalen); 1090 gcry_sexp_release (l1); 1091 1092 return 0; 1093} 1094 1095 1096 1097 1098/* 1099 Self-test section. 1100 */ 1101 1102static const char * 1103selftest_sign_1024 (gcry_sexp_t pkey, gcry_sexp_t skey) 1104{ 1105 static const char sample_data[] = 1106 "(data (flags pkcs1)" 1107 " (hash sha1 #11223344556677889900aabbccddeeff10203040#))"; 1108 static const char sample_data_bad[] = 1109 "(data (flags pkcs1)" 1110 " (hash sha1 #11223344556677889900aabbccddeeff80203040#))"; 1111 1112 const char *errtxt = NULL; 1113 gcry_error_t err; 1114 gcry_sexp_t data = NULL; 1115 gcry_sexp_t data_bad = NULL; 1116 gcry_sexp_t sig = NULL; 1117 1118 err = gcry_sexp_sscan (&data, NULL, 1119 sample_data, strlen (sample_data)); 1120 if (!err) 1121 err = gcry_sexp_sscan (&data_bad, NULL, 1122 sample_data_bad, strlen (sample_data_bad)); 1123 if (err) 1124 { 1125 errtxt = "converting data failed"; 1126 goto leave; 1127 } 1128 1129 err = gcry_pk_sign (&sig, data, skey); 1130 if (err) 1131 { 1132 errtxt = "signing failed"; 1133 goto leave; 1134 } 1135 err = gcry_pk_verify (sig, data, pkey); 1136 if (err) 1137 { 1138 errtxt = "verify failed"; 1139 goto leave; 1140 } 1141 err = gcry_pk_verify (sig, data_bad, pkey); 1142 if (gcry_err_code (err) != GPG_ERR_BAD_SIGNATURE) 1143 { 1144 errtxt = "bad signature not detected"; 1145 goto leave; 1146 } 1147 1148 1149 leave: 1150 gcry_sexp_release (sig); 1151 gcry_sexp_release (data_bad); 1152 gcry_sexp_release (data); 1153 return errtxt; 1154} 1155 1156 1157 1158/* Given an S-expression ENCR_DATA of the form: 1159 1160 (enc-val 1161 (rsa 1162 (a a-value))) 1163 1164 as returned by gcry_pk_decrypt, return the the A-VALUE. On error, 1165 return NULL. */ 1166static gcry_mpi_t 1167extract_a_from_sexp (gcry_sexp_t encr_data) 1168{ 1169 gcry_sexp_t l1, l2, l3; 1170 gcry_mpi_t a_value; 1171 1172 l1 = gcry_sexp_find_token (encr_data, "enc-val", 0); 1173 if (!l1) 1174 return NULL; 1175 l2 = gcry_sexp_find_token (l1, "rsa", 0); 1176 gcry_sexp_release (l1); 1177 if (!l2) 1178 return NULL; 1179 l3 = gcry_sexp_find_token (l2, "a", 0); 1180 gcry_sexp_release (l2); 1181 if (!l3) 1182 return NULL; 1183 a_value = gcry_sexp_nth_mpi (l3, 1, 0); 1184 gcry_sexp_release (l3); 1185 1186 return a_value; 1187} 1188 1189 1190static const char * 1191selftest_encr_1024 (gcry_sexp_t pkey, gcry_sexp_t skey) 1192{ 1193 const char *errtxt = NULL; 1194 gcry_error_t err; 1195 const unsigned int nbits = 1000; /* Encrypt 1000 random bits. */ 1196 gcry_mpi_t plaintext = NULL; 1197 gcry_sexp_t plain = NULL; 1198 gcry_sexp_t encr = NULL; 1199 gcry_mpi_t ciphertext = NULL; 1200 gcry_sexp_t decr = NULL; 1201 gcry_mpi_t decr_plaintext = NULL; 1202 gcry_sexp_t tmplist = NULL; 1203 1204 /* Create plaintext. The plaintext is actually a big integer number. */ 1205 plaintext = gcry_mpi_new (nbits); 1206 gcry_mpi_randomize (plaintext, nbits, GCRY_WEAK_RANDOM); 1207 1208 /* Put the plaintext into an S-expression. */ 1209 err = gcry_sexp_build (&plain, NULL, 1210 "(data (flags raw) (value %m))", plaintext); 1211 if (err) 1212 { 1213 errtxt = "converting data failed"; 1214 goto leave; 1215 } 1216 1217 /* Encrypt. */ 1218 err = gcry_pk_encrypt (&encr, plain, pkey); 1219 if (err) 1220 { 1221 errtxt = "encrypt failed"; 1222 goto leave; 1223 } 1224 1225 /* Extraxt the ciphertext from the returned S-expression. */ 1226 /*gcry_sexp_dump (encr);*/ 1227 ciphertext = extract_a_from_sexp (encr); 1228 if (!ciphertext) 1229 { 1230 errtxt = "gcry_pk_decrypt returned garbage"; 1231 goto leave; 1232 } 1233 1234 /* Check that the ciphertext does no match the plaintext. */ 1235 /* _gcry_log_mpidump ("plaintext", plaintext); */ 1236 /* _gcry_log_mpidump ("ciphertxt", ciphertext); */ 1237 if (!gcry_mpi_cmp (plaintext, ciphertext)) 1238 { 1239 errtxt = "ciphertext matches plaintext"; 1240 goto leave; 1241 } 1242 1243 /* Decrypt. */ 1244 err = gcry_pk_decrypt (&decr, encr, skey); 1245 if (err) 1246 { 1247 errtxt = "decrypt failed"; 1248 goto leave; 1249 } 1250 1251 /* Extract the decrypted data from the S-expression. Note that the 1252 output of gcry_pk_decrypt depends on whether a flags lists occurs 1253 in its input data. Because we passed the output of 1254 gcry_pk_encrypt directly to gcry_pk_decrypt, such a flag value 1255 won't be there as of today. To be prepared for future changes we 1256 take care of it anyway. */ 1257 tmplist = gcry_sexp_find_token (decr, "value", 0); 1258 if (tmplist) 1259 decr_plaintext = gcry_sexp_nth_mpi (tmplist, 1, GCRYMPI_FMT_USG); 1260 else 1261 decr_plaintext = gcry_sexp_nth_mpi (decr, 0, GCRYMPI_FMT_USG); 1262 if (!decr_plaintext) 1263 { 1264 errtxt = "decrypt returned no plaintext"; 1265 goto leave; 1266 } 1267 1268 /* Check that the decrypted plaintext matches the original plaintext. */ 1269 if (gcry_mpi_cmp (plaintext, decr_plaintext)) 1270 { 1271 errtxt = "mismatch"; 1272 goto leave; 1273 } 1274 1275 leave: 1276 gcry_sexp_release (tmplist); 1277 gcry_mpi_release (decr_plaintext); 1278 gcry_sexp_release (decr); 1279 gcry_mpi_release (ciphertext); 1280 gcry_sexp_release (encr); 1281 gcry_sexp_release (plain); 1282 gcry_mpi_release (plaintext); 1283 return errtxt; 1284} 1285 1286 1287static gpg_err_code_t 1288selftests_rsa (selftest_report_func_t report) 1289{ 1290 const char *what; 1291 const char *errtxt; 1292 gcry_error_t err; 1293 gcry_sexp_t skey = NULL; 1294 gcry_sexp_t pkey = NULL; 1295 1296 /* Convert the S-expressions into the internal representation. */ 1297 what = "convert"; 1298 err = gcry_sexp_sscan (&skey, NULL, 1299 sample_secret_key, strlen (sample_secret_key)); 1300 if (!err) 1301 err = gcry_sexp_sscan (&pkey, NULL, 1302 sample_public_key, strlen (sample_public_key)); 1303 if (err) 1304 { 1305 errtxt = gcry_strerror (err); 1306 goto failed; 1307 } 1308 1309 what = "key consistency"; 1310 err = gcry_pk_testkey (skey); 1311 if (err) 1312 { 1313 errtxt = gcry_strerror (err); 1314 goto failed; 1315 } 1316 1317 what = "sign"; 1318 errtxt = selftest_sign_1024 (pkey, skey); 1319 if (errtxt) 1320 goto failed; 1321 1322 what = "encrypt"; 1323 errtxt = selftest_encr_1024 (pkey, skey); 1324 if (errtxt) 1325 goto failed; 1326 1327 gcry_sexp_release (pkey); 1328 gcry_sexp_release (skey); 1329 return 0; /* Succeeded. */ 1330 1331 failed: 1332 gcry_sexp_release (pkey); 1333 gcry_sexp_release (skey); 1334 if (report) 1335 report ("pubkey", GCRY_PK_RSA, what, errtxt); 1336 return GPG_ERR_SELFTEST_FAILED; 1337} 1338 1339 1340/* Run a full self-test for ALGO and return 0 on success. */ 1341static gpg_err_code_t 1342run_selftests (int algo, int extended, selftest_report_func_t report) 1343{ 1344 gpg_err_code_t ec; 1345 1346 (void)extended; 1347 1348 switch (algo) 1349 { 1350 case GCRY_PK_RSA: 1351 ec = selftests_rsa (report); 1352 break; 1353 default: 1354 ec = GPG_ERR_PUBKEY_ALGO; 1355 break; 1356 1357 } 1358 return ec; 1359} 1360 1361 1362 1363 1364static const char *rsa_names[] = 1365 { 1366 "rsa", 1367 "openpgp-rsa", 1368 "oid.1.2.840.113549.1.1.1", 1369 NULL, 1370 }; 1371 1372gcry_pk_spec_t _gcry_pubkey_spec_rsa = 1373 { 1374 "RSA", rsa_names, 1375 "ne", "nedpqu", "a", "s", "n", 1376 GCRY_PK_USAGE_SIGN | GCRY_PK_USAGE_ENCR, 1377 rsa_generate, 1378 rsa_check_secret_key, 1379 rsa_encrypt, 1380 rsa_decrypt, 1381 rsa_sign, 1382 rsa_verify, 1383 rsa_get_nbits, 1384 }; 1385pk_extra_spec_t _gcry_pubkey_extraspec_rsa = 1386 { 1387 run_selftests, 1388 rsa_generate_ext, 1389 compute_keygrip 1390 }; 1391