| blob | 922cd605ccd9ab48e3b3c8e9a720394869dc0740 |
1 /* ***** BEGIN LICENSE BLOCK *****
2 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
3 *
4 * The contents of this file are subject to the Mozilla Public License Version
5 * 1.1 (the "License"); you may not use this file except in compliance with
6 * the License. You may obtain a copy of the License at
7 * http://www.mozilla.org/MPL/
8 *
9 * Software distributed under the License is distributed on an "AS IS" basis,
10 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
11 * for the specific language governing rights and limitations under the
12 * License.
13 *
14 * The Original Code is the Netscape security libraries.
15 *
16 * The Initial Developer of the Original Code is
17 * Netscape Communications Corporation.
18 * Portions created by the Initial Developer are Copyright (C) 1994-2000
19 * the Initial Developer. All Rights Reserved.
20 *
21 * Contributor(s):
22 *
23 * Alternatively, the contents of this file may be used under the terms of
24 * either the GNU General Public License Version 2 or later (the "GPL"), or
25 * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
26 * in which case the provisions of the GPL or the LGPL are applicable instead
27 * of those above. If you wish to allow use of your version of this file only
28 * under the terms of either the GPL or the LGPL, and not to allow others to
29 * use your version of this file under the terms of the MPL, indicate your
30 * decision by deleting the provisions above and replace them with the notice
31 * and other provisions required by the GPL or the LGPL. If you do not delete
32 * the provisions above, a recipient may use your version of this file under
33 * the terms of any one of the MPL, the GPL or the LGPL.
34 *
35 * ***** END LICENSE BLOCK ***** */
37 /*
38 * RSA key generation, public key op, private key op.
39 *
40 * $Id: rsa.c,v 1.37 2006/05/22 22:10:40 wtchang%redhat.com Exp $
41 */
55 /*
56 ** Number of times to attempt to generate a prime (p or q) from a random
57 ** seed (the seed changes for each iteration).
58 */
59 #define MAX_PRIME_GEN_ATTEMPTS 10
60 /*
61 ** Number of times to attempt to generate a key. The primes p and q change
62 ** for each attempt.
63 */
64 #define MAX_KEY_GEN_ATTEMPTS 10
66 /* exponent should not be greater than modulus */
67 #define BAD_RSA_KEY_SIZE(modLen, expLen) \
68 ((expLen) > (modLen) || (modLen) > RSA_MAX_MODULUS_BITS/8 || \
69 (expLen) > RSA_MAX_EXPONENT_BITS/8)
71 /*
72 ** RSABlindingParamsStr
73 **
74 ** For discussion of Paul Kocher's timing attack against an RSA private key
75 ** operation, see http://www.cryptography.com/timingattack/paper.html. The
76 ** countermeasure to this attack, known as blinding, is also discussed in
77 ** the Handbook of Applied Cryptography, 11.118-11.119.
78 */
79 struct RSABlindingParamsStr
80 {
81 /* Blinding-specific parameters */
86 };
88 /*
89 ** RSABlindingParamsListStr
90 **
91 ** List of key-specific blinding params. The arena holds the volatile pool
92 ** of memory for each entry and the list itself. The lock is for list
93 ** operations, in this case insertions and iterations, as well as control
94 ** of the counter for each set of blinding parameters.
95 */
96 struct RSABlindingParamsListStr
97 {
100 };
102 /*
103 ** The master blinding params list.
104 */
107 /* Number of times to reuse (f, g). Suggested by Paul Kocher */
108 #define RSA_BLINDING_PARAMS_MAX_REUSE 50
110 /* Global, allows optional use of blinding. On by default. */
111 /* Cannot be changed at the moment, due to thread-safety issues. */
114 static SECStatus
117 {
134 /* 1. Compute n = p*q */
136 /* verify that the modulus has the desired number of bits */
141 }
142 /* 2. Compute phi = (p-1)*(q-1) */
146 /* 3. Compute d = e**-1 mod(phi) */
148 /* Verify that phi(n) and e have no common divisors */
154 }
156 }
159 /* 4. Compute exponent1 = d mod (p-1) */
162 /* 5. Compute exponent2 = d mod (q-1) */
165 /* 6. Compute coefficient = q**-1 mod p */
168 cleanup:
178 }
180 }
181 static SECStatus
183 {
193 }
202 /* keep going while err == MP_NO */
203 }
204 cleanup:
210 }
212 }
214 /*
215 ** Generate and return a new RSA public and private key.
216 ** Both keys are encoded in a single RSAPrivateKey structure.
217 ** "cx" is the random number generator context
218 ** "keySizeInBits" is the size of the key to be generated, in bits.
219 ** 512, 1024, etc.
220 ** "publicExponent" when not NULL is a pointer to some data that
221 ** represents the public exponent to use. The data is a byte
222 ** encoded integer, in "big endian" order.
223 */
224 RSAPrivateKey *
226 {
235 /* Require key size to be a multiple of 16 bits. */
240 }
241 /* 1. Allocate arena & key */
246 }
252 }
254 /* length of primes p and q (in bytes) */
262 /* 2. Set the version number (PKCS1 v1.5 says it should be zero) */
265 /* 3. Set the public exponent */
274 /* Assure q < p */
277 /* Attempt to use these primes to generate a key */
282 kiter++;
283 /* loop until have primes */
289 cleanup:
296 }
300 }
302 }
304 static unsigned int
306 {
310 }
312 /*
313 ** Perform a raw public-key operation
314 ** Length of input and output buffers are equal to key's modulus len.
315 */
316 SECStatus
320 {
328 }
339 /* 1. Obtain public key (n, e) */
344 }
348 /* exponent should not be greater than modulus */
352 }
353 /* 2. check input out of range (needs to be in range [0..n-1]) */
359 }
360 /* 2 bis. Represent message as integer in range [0..n-1] */
362 /* 3. Compute c = m**e mod n */
363 #ifdef USE_MPI_EXPT_D
364 /* XXX see which is faster */
368 #endif
370 /* 4. result c is ciphertext */
373 cleanup:
381 }
383 }
385 /*
386 ** RSA Private key operation (no CRT).
387 */
388 static SECStatus
391 {
392 mp_int d;
398 /* 1. m = c**d mod n */
400 cleanup:
405 }
407 }
409 /*
410 ** RSA Private key operation using CRT.
411 */
412 static SECStatus
414 {
437 /* copy private key parameters into mp integers */
443 /* 1. m1 = c**d_p mod p */
446 /* 2. m2 = c**d_q mod q */
449 /* 3. h = (m1 - m2) * qInv mod p */
452 /* 4. m = m2 + h * q */
455 cleanup:
468 }
470 }
472 /*
473 ** An attack against RSA CRT was described by Boneh, DeMillo, and Lipton in:
474 ** "On the Importance of Eliminating Errors in Cryptographic Computations",
475 ** http://theory.stanford.edu/~dabo/papers/faults.ps.gz
476 **
477 ** As a defense against the attack, carry out the private key operation,
478 ** followed up with a public key operation to invert the result.
479 ** Verify that result against the input.
480 */
481 static SECStatus
483 {
496 /* Perform a public key operation v = m ** e mod n */
500 }
501 cleanup:
508 }
510 }
513 static PRStatus
515 {
520 }
523 }
525 static SECStatus
528 {
538 /* generate random k < n */
543 }
546 /* k < n */
548 /* f = k**e mod n */
550 /* g = k**-1 mod n */
552 /* Initialize the counter for this (f, g) */
554 cleanup:
562 }
564 }
566 static SECStatus
569 {
574 /* initialize blinding parameters */
577 /* List elements are keyed using the modulus */
581 cleanup:
587 }
589 }
591 static SECStatus
594 {
600 /* Init the list if neccessary (the init function is only called once!) */
605 }
606 }
607 /* Acquire the list lock */
609 /* Walk the list looking for the private key */
616 /* Check the usage counter for the parameters */
618 /* Regenerate the blinding parameters */
620 }
621 /* Return the parameters */
624 /* Now that the params are located, release the list lock. */
628 /* The key is not in the list. Break to param creation. */
630 }
631 }
632 /* At this point, the key is not in the list. el should point to the
633 ** list element that this key should be inserted before. NOTE: the list
634 ** lock is still held, so there cannot be a race condition here.
635 */
641 }
642 /* Initialize the list pointer for the element */
644 /* Initialize the blinding parameters
645 ** This ties up the list lock while doing some heavy, element-specific
646 ** operations, but we don't want to insert the element until it is valid,
647 ** which requires computing the blinding params. If this proves costly,
648 ** it could be done after the list lock is released, and then if it fails
649 ** the lock would have to be reobtained and the invalid element removed.
650 */
655 }
656 /* Insert the new element into the list
657 ** If inserting in the middle of the list, el points to the link
658 ** to insert before. Otherwise, the link needs to be appended to
659 ** the end of the list, which is the same as inserting before the
660 ** head (since el would have looped back to the head).
661 */
663 /* Return the parameters */
666 /* Release the list lock */
669 cleanup:
670 /* It is possible to reach this after the lock is already released.
671 ** Ignore the error in that case.
672 */
677 }
679 }
681 /*
682 ** Perform a raw private-key operation
683 ** Length of input and output buffers are equal to key's modulus len.
684 */
685 static SECStatus
689 PRBool check)
690 {
694 mp_err err;
700 }
701 /* check input out of range (needs to be in range [0..n-1]) */
707 }
720 /* If blinding, compute pre-image of ciphertext by multiplying by
721 ** blinding factor
722 */
725 /* c' = c*f mod n */
727 }
728 /* Do the private key operation m = c**d mod n */
739 }
740 /* If blinding, compute post-image of plaintext by multiplying by
741 ** blinding factor
742 */
744 /* m = m'*g mod n */
746 }
749 cleanup:
758 }
760 }
762 SECStatus
766 {
768 }
770 SECStatus
774 {
776 }
778 static SECStatus
780 {
787 /* The new value is no longer than the old buffer, so use it */
792 /* The new value is longer, but working within an arena */
797 /* The new value is longer, no arena, can't handle this key */
799 }
801 }
803 SECStatus
805 {
837 /* p > q */
839 /* mind the p's and q's (and d_p's and d_q's) */
840 SECItem tmp;
849 }
850 #define VERIFY_MPI_EQUAL(m1, m2) \
851 if (mp_cmp(m1, m2) != 0) { \
852 rv = SECFailure; \
853 goto cleanup; \
854 }
855 #define VERIFY_MPI_EQUAL_1(m) \
856 if (mp_cmp_d(m, 1) != 0) { \
857 rv = SECFailure; \
858 goto cleanup; \
859 }
860 /*
861 * The following errors cannot be recovered from.
862 */
863 /* n == p * q */
866 /* gcd(e, p-1) == 1 */
870 /* gcd(e, q-1) == 1 */
874 /* d*e == 1 mod p-1 */
877 /* d*e == 1 mod q-1 */
880 /*
881 * The following errors can be recovered from.
882 */
883 /* d_p == d mod p-1 */
886 /* swap in the correct value */
888 }
889 /* d_q == d mod q-1 */
892 /* swap in the correct value */
894 }
895 /* q * q**-1 == 1 mod p */
898 /* compute the correct value */
901 }
902 cleanup:
917 }
919 }
921 /* cleanup at shutdown */
923 {
928 {
936 }
939 {
942 }
947 }
949 /*
950 * need a central place for this function to free up all the memory that
951 * free_bl may have allocated along the way. Currently only RSA does this,
952 * so I've put it here for now.
953 */
955 {
957 }