Home Explore Help
Sign In
phcoder
/
grub-savannah-mirror
mirror of https://git.savannah.gnu.org/git/grub.git
Watch 1
Star 0
Fork 0
Files Issues 0 Wiki
Tree: 4dc6166571
Branches Tags
grub-savanna...
/
grub-core
/
lib
/
libgcrypt
/
cipher
/
rsa.c

rsa.c 36 KB
History Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391 
  1. /* rsa.c - RSA implementation
    2. 

  2.  * Copyright (C) 1997, 1998, 1999 by Werner Koch (dd9jn)
    3. 

  3.  * Copyright (C) 2000, 2001, 2002, 2003, 2008 Free Software Foundation, Inc.
    4. 

  4.  *
    5. 

  5.  * This file is part of Libgcrypt.
    6. 

  6.  *
    7. 

  7.  * Libgcrypt is free software; you can redistribute it and/or modify
    8. 

  8.  * it under the terms of the GNU Lesser General Public License as
    9. 

  9.  * published by the Free Software Foundation; either version 2.1 of
    10. 

  10.  * the License, or (at your option) any later version.
    11. 

  11.  *
    12. 

  12.  * Libgcrypt is distributed in the hope that it will be useful,
    13. 

  13.  * but WITHOUT ANY WARRANTY; without even the implied warranty of
    14. 

  14.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    15. 

  15.  * GNU Lesser General Public License for more details.
    16. 

  16.  *
    17. 

  17.  * You should have received a copy of the GNU Lesser General Public
    18. 

  18.  * License along with this program; if not, see <http://www.gnu.org/licenses/>.
    19. 

  19.  */
    20. 

  20. 

  21. /* This code uses an algorithm protected by U.S. Patent #4,405,829
    22. 

  22.    which expired on September 20, 2000.  The patent holder placed that
    23. 

  23.    patent into the public domain on Sep 6th, 2000.
    24. 

  24. */
    25. 

  25. 

  26. #include <config.h>
    27. 

  27. #include <stdio.h>
    28. 

  28. #include <stdlib.h>
    29. 

  29. #include <string.h>
    30. 

  30. #include <errno.h>
    31. 

  31. 

  32. #include "g10lib.h"
    33. 

  33. #include "mpi.h"
    34. 

  34. #include "cipher.h"
    35. 

  35. 

  36. 

  37. typedef struct
    38. 

  38. {
    39. 

  39.   gcry_mpi_t n;	    /* modulus */
    40. 

  40.   gcry_mpi_t e;	    /* exponent */
    41. 

  41. } RSA_public_key;
    42. 

  42. 

  43. 

  44. typedef struct
    45. 

  45. {
    46. 

  46.   gcry_mpi_t n;	    /* public modulus */
    47. 

  47.   gcry_mpi_t e;	    /* public exponent */
    48. 

  48.   gcry_mpi_t d;	    /* exponent */
    49. 

  49.   gcry_mpi_t p;	    /* prime  p. */
    50. 

  50.   gcry_mpi_t q;	    /* prime  q. */
    51. 

  51.   gcry_mpi_t u;	    /* inverse of p mod q. */
    52. 

  52. } RSA_secret_key;
    53. 

  53. 

  54. 

  55. /* A sample 1024 bit RSA key used for the selftests.  */
    56. 

  56. static const char sample_secret_key[] =
    57. 

  57. "(private-key"
    58. 

  58. " (rsa"
    59. 

  59. "  (n #00e0ce96f90b6c9e02f3922beada93fe50a875eac6bcc18bb9a9cf2e84965caa"
    60. 

  60. "      2d1ff95a7f542465c6c0c19d276e4526ce048868a7a914fd343cc3a87dd74291"
    61. 

  61. "      ffc565506d5bbb25cbac6a0e2dd1f8bcaab0d4a29c2f37c950f363484bf269f7"
    62. 

  62. "      891440464baf79827e03a36e70b814938eebdc63e964247be75dc58b014b7ea251#)"
    63. 

  63. "  (e #010001#)"
    64. 

  64. "  (d #046129f2489d71579be0a75fe029bd6cdb574ebf57ea8a5b0fda942cab943b11"
    65. 

  65. "      7d7bb95e5d28875e0f9fc5fcc06a72f6d502464dabded78ef6b716177b83d5bd"
    66. 

  66. "      c543dc5d3fed932e59f5897e92e6f58a0f33424106a3b6fa2cbf877510e4ac21"
    67. 

  67. "      c3ee47851e97d12996222ac3566d4ccb0b83d164074abf7de655fc2446da1781#)"
    68. 

  68. "  (p #00e861b700e17e8afe6837e7512e35b6ca11d0ae47d8b85161c67baf64377213"
    69. 

  69. "      fe52d772f2035b3ca830af41d8a4120e1c1c70d12cc22f00d28d31dd48a8d424f1#)"
    70. 

  70. "  (q #00f7a7ca5367c661f8e62df34f0d05c10c88e5492348dd7bddc942c9a8f369f9"
    71. 

  71. "      35a07785d2db805215ed786e4285df1658eed3ce84f469b81b50d358407b4ad361#)"
    72. 

  72. "  (u #304559a9ead56d2309d203811a641bb1a09626bc8eb36fffa23c968ec5bd891e"
    73. 

  73. "      ebbafc73ae666e01ba7c8990bae06cc2bbe10b75e69fcacb353a6473079d8e9b#)))";
    74. 

  74. /* A sample 1024 bit RSA key used for the selftests (public only).  */
    75. 

  75. static const char sample_public_key[] =
    76. 

  76. "(public-key"
    77. 

  77. " (rsa"
    78. 

  78. "  (n #00e0ce96f90b6c9e02f3922beada93fe50a875eac6bcc18bb9a9cf2e84965caa"
    79. 

  79. "      2d1ff95a7f542465c6c0c19d276e4526ce048868a7a914fd343cc3a87dd74291"
    80. 

  80. "      ffc565506d5bbb25cbac6a0e2dd1f8bcaab0d4a29c2f37c950f363484bf269f7"
    81. 

  81. "      891440464baf79827e03a36e70b814938eebdc63e964247be75dc58b014b7ea251#)"
    82. 

  82. "  (e #010001#)))";
    83. 

  83. 

  84. 

  85. 

  86. 
    87. 

  87. static int test_keys (RSA_secret_key *sk, unsigned nbits);
    88. 

  88. static int  check_secret_key (RSA_secret_key *sk);
    89. 

  89. static void public (gcry_mpi_t output, gcry_mpi_t input, RSA_public_key *skey);
    90. 

  90. static void secret (gcry_mpi_t output, gcry_mpi_t input, RSA_secret_key *skey);
    91. 

  91. 

  92. 

  93. /* Check that a freshly generated key actually works.  Returns 0 on success. */
    94. 

  94. static int
    95. 

  95. test_keys (RSA_secret_key *sk, unsigned int nbits)
    96. 

  96. {
    97. 

  97.   int result = -1; /* Default to failure.  */
    98. 

  98.   RSA_public_key pk;
    99. 

  99.   gcry_mpi_t plaintext = gcry_mpi_new (nbits);
    100. 

  100.   gcry_mpi_t ciphertext = gcry_mpi_new (nbits);
    101. 

  101.   gcry_mpi_t decr_plaintext = gcry_mpi_new (nbits);
    102. 

  102.   gcry_mpi_t signature = gcry_mpi_new (nbits);
    103. 

  103. 

  104.   /* Put the relevant parameters into a public key structure.  */
    105. 

  105.   pk.n = sk->n;
    106. 

  106.   pk.e = sk->e;
    107. 

  107. 

  108.   /* Create a random plaintext.  */
    109. 

  109.   gcry_mpi_randomize (plaintext, nbits, GCRY_WEAK_RANDOM);
    110. 

  110. 

  111.   /* Encrypt using the public key.  */
    112. 

  112.   public (ciphertext, plaintext, &pk);
    113. 

  113. 

  114.   /* Check that the cipher text does not match the plaintext.  */
    115. 

  115.   if (!gcry_mpi_cmp (ciphertext, plaintext))
    116. 

  116.     goto leave; /* Ciphertext is identical to the plaintext.  */
    117. 

  117. 

  118.   /* Decrypt using the secret key.  */
    119. 

  119.   secret (decr_plaintext, ciphertext, sk);
    120. 

  120. 

  121.   /* Check that the decrypted plaintext matches the original plaintext.  */
    122. 

  122.   if (gcry_mpi_cmp (decr_plaintext, plaintext))
    123. 

  123.     goto leave; /* Plaintext does not match.  */
    124. 

  124. 

  125.   /* Create another random plaintext as data for signature checking.  */
    126. 

  126.   gcry_mpi_randomize (plaintext, nbits, GCRY_WEAK_RANDOM);
    127. 

  127. 

  128.   /* Use the RSA secret function to create a signature of the plaintext.  */
    129. 

  129.   secret (signature, plaintext, sk);
    130. 

  130. 

  131.   /* Use the RSA public function to verify this signature.  */
    132. 

  132.   public (decr_plaintext, signature, &pk);
    133. 

  133.   if (gcry_mpi_cmp (decr_plaintext, plaintext))
    134. 

  134.     goto leave; /* Signature does not match.  */
    135. 

  135. 

  136.   /* Modify the signature and check that the signing fails.  */
    137. 

  137.   gcry_mpi_add_ui (signature, signature, 1);
    138. 

  138.   public (decr_plaintext, signature, &pk);
    139. 

  139.   if (!gcry_mpi_cmp (decr_plaintext, plaintext))
    140. 

  140.     goto leave; /* Signature matches but should not.  */
    141. 

  141. 

  142.   result = 0; /* All tests succeeded.  */
    143. 

  143. 

  144.  leave:
    145. 

  145.   gcry_mpi_release (signature);
    146. 

  146.   gcry_mpi_release (decr_plaintext);
    147. 

  147.   gcry_mpi_release (ciphertext);
    148. 

  148.   gcry_mpi_release (plaintext);
    149. 

  149.   return result;
    150. 

  150. }
    151. 

  151. 

  152. 

  153. /* Callback used by the prime generation to test whether the exponent
    154. 

  154.    is suitable. Returns 0 if the test has been passed. */
    155. 

  155. static int
    156. 

  156. check_exponent (void *arg, gcry_mpi_t a)
    157. 

  157. {
    158. 

  158.   gcry_mpi_t e = arg;
    159. 

  159.   gcry_mpi_t tmp;
    160. 

  160.   int result;
    161. 

  161. 

  162.   mpi_sub_ui (a, a, 1);
    163. 

  163.   tmp = _gcry_mpi_alloc_like (a);
    164. 

  164.   result = !gcry_mpi_gcd(tmp, e, a); /* GCD is not 1. */
    165. 

  165.   gcry_mpi_release (tmp);
    166. 

  166.   mpi_add_ui (a, a, 1);
    167. 

  167.   return result;
    168. 

  168. }
    169. 

  169. 

  170. /****************
    171. 

  171.  * Generate a key pair with a key of size NBITS.
    172. 

  172.  * USE_E = 0 let Libcgrypt decide what exponent to use.
    173. 

  173.  *       = 1 request the use of a "secure" exponent; this is required by some
    174. 

  174.  *           specification to be 65537.
    175. 

  175.  *       > 2 Use this public exponent.  If the given exponent
    176. 

  176.  *           is not odd one is internally added to it.
    177. 

  177.  * TRANSIENT_KEY:  If true, generate the primes using the standard RNG.
    178. 

  178.  * Returns: 2 structures filled with all needed values
    179. 

  179.  */
    180. 

  180. static gpg_err_code_t
    181. 

  181. generate_std (RSA_secret_key *sk, unsigned int nbits, unsigned long use_e,
    182. 

  182.               int transient_key)
    183. 

  183. {
    184. 

  184.   gcry_mpi_t p, q; /* the two primes */
    185. 

  185.   gcry_mpi_t d;    /* the private key */
    186. 

  186.   gcry_mpi_t u;
    187. 

  187.   gcry_mpi_t t1, t2;
    188. 

  188.   gcry_mpi_t n;    /* the public key */
    189. 

  189.   gcry_mpi_t e;    /* the exponent */
    190. 

  190.   gcry_mpi_t phi;  /* helper: (p-1)(q-1) */
    191. 

  191.   gcry_mpi_t g;
    192. 

  192.   gcry_mpi_t f;
    193. 

  193.   gcry_random_level_t random_level;
    194. 

  194. 

  195.   if (fips_mode ())
    196. 

  196.     {
    197. 

  197.       if (nbits < 1024)
    198. 

  198.         return GPG_ERR_INV_VALUE;
    199. 

  199.       if (transient_key)
    200. 

  200.         return GPG_ERR_INV_VALUE;
    201. 

  201.     }
    202. 

  202. 

  203.   /* The random quality depends on the transient_key flag.  */
    204. 

  204.   random_level = transient_key ? GCRY_STRONG_RANDOM : GCRY_VERY_STRONG_RANDOM;
    205. 

  205. 

  206.   /* Make sure that nbits is even so that we generate p, q of equal size. */
    207. 

  207.   if ( (nbits&1) )
    208. 

  208.     nbits++;
    209. 

  209. 

  210.   if (use_e == 1)   /* Alias for a secure value */
    211. 

  211.     use_e = 65537;  /* as demanded by Sphinx. */
    212. 

  212. 

  213.   /* Public exponent:
    214. 

  214.      In general we use 41 as this is quite fast and more secure than the
    215. 

  215.      commonly used 17.  Benchmarking the RSA verify function
    216. 

  216.      with a 1024 bit key yields (2001-11-08):
    217. 

  217.      e=17    0.54 ms
    218. 

  218.      e=41    0.75 ms
    219. 

  219.      e=257   0.95 ms
    220. 

  220.      e=65537 1.80 ms
    221. 

  221.   */
    222. 

  222.   e = mpi_alloc( (32+BITS_PER_MPI_LIMB-1)/BITS_PER_MPI_LIMB );
    223. 

  223.   if (!use_e)
    224. 

  224.     mpi_set_ui (e, 41);     /* This is a reasonable secure and fast value */
    225. 

  225.   else
    226. 

  226.     {
    227. 

  227.       use_e |= 1; /* make sure this is odd */
    228. 

  228.       mpi_set_ui (e, use_e);
    229. 

  229.     }
    230. 

  230. 

  231.   n = gcry_mpi_new (nbits);
    232. 

  232. 

  233.   p = q = NULL;
    234. 

  234.   do
    235. 

  235.     {
    236. 

  236.       /* select two (very secret) primes */
    237. 

  237.       if (p)
    238. 

  238.         gcry_mpi_release (p);
    239. 

  239.       if (q)
    240. 

  240.         gcry_mpi_release (q);
    241. 

  241.       if (use_e)
    242. 

  242.         { /* Do an extra test to ensure that the given exponent is
    243. 

  243.              suitable. */
    244. 

  244.           p = _gcry_generate_secret_prime (nbits/2, random_level,
    245. 

  245.                                            check_exponent, e);
    246. 

  246.           q = _gcry_generate_secret_prime (nbits/2, random_level,
    247. 

  247.                                            check_exponent, e);
    248. 

  248.         }
    249. 

  249.       else
    250. 

  250.         { /* We check the exponent later. */
    251. 

  251.           p = _gcry_generate_secret_prime (nbits/2, random_level, NULL, NULL);
    252. 

  252.           q = _gcry_generate_secret_prime (nbits/2, random_level, NULL, NULL);
    253. 

  253.         }
    254. 

  254.       if (mpi_cmp (p, q) > 0 ) /* p shall be smaller than q (for calc of u)*/
    255. 

  255.         mpi_swap(p,q);
    256. 

  256.       /* calculate the modulus */
    257. 

  257.       mpi_mul( n, p, q );
    258. 

  258.     }
    259. 

  259.   while ( mpi_get_nbits(n) != nbits );
    260. 

  260. 

  261.   /* calculate Euler totient: phi = (p-1)(q-1) */
    262. 

  262.   t1 = mpi_alloc_secure( mpi_get_nlimbs(p) );
    263. 

  263.   t2 = mpi_alloc_secure( mpi_get_nlimbs(p) );
    264. 

  264.   phi = gcry_mpi_snew ( nbits );
    265. 

  265.   g	= gcry_mpi_snew ( nbits );
    266. 

  266.   f	= gcry_mpi_snew ( nbits );
    267. 

  267.   mpi_sub_ui( t1, p, 1 );
    268. 

  268.   mpi_sub_ui( t2, q, 1 );
    269. 

  269.   mpi_mul( phi, t1, t2 );
    270. 

  270.   gcry_mpi_gcd(g, t1, t2);
    271. 

  271.   mpi_fdiv_q(f, phi, g);
    272. 

  272. 

  273.   while (!gcry_mpi_gcd(t1, e, phi)) /* (while gcd is not 1) */
    274. 

  274.     {
    275. 

  275.       if (use_e)
    276. 

  276.         BUG (); /* The prime generator already made sure that we
    277. 

  277.                    never can get to here. */
    278. 

  278.       mpi_add_ui (e, e, 2);
    279. 

  279.     }
    280. 

  280. 

  281.   /* calculate the secret key d = e^1 mod phi */
    282. 

  282.   d = gcry_mpi_snew ( nbits );
    283. 

  283.   mpi_invm(d, e, f );
    284. 

  284.   /* calculate the inverse of p and q (used for chinese remainder theorem)*/
    285. 

  285.   u = gcry_mpi_snew ( nbits );
    286. 

  286.   mpi_invm(u, p, q );
    287. 

  287. 

  288.   if( DBG_CIPHER )
    289. 

  289.     {
    290. 

  290.       log_mpidump("  p= ", p );
    291. 

  291.       log_mpidump("  q= ", q );
    292. 

  292.       log_mpidump("phi= ", phi );
    293. 

  293.       log_mpidump("  g= ", g );
    294. 

  294.       log_mpidump("  f= ", f );
    295. 

  295.       log_mpidump("  n= ", n );
    296. 

  296.       log_mpidump("  e= ", e );
    297. 

  297.       log_mpidump("  d= ", d );
    298. 

  298.       log_mpidump("  u= ", u );
    299. 

  299.     }
    300. 

  300. 

  301.   gcry_mpi_release (t1);
    302. 

  302.   gcry_mpi_release (t2);
    303. 

  303.   gcry_mpi_release (phi);
    304. 

  304.   gcry_mpi_release (f);
    305. 

  305.   gcry_mpi_release (g);
    306. 

  306. 

  307.   sk->n = n;
    308. 

  308.   sk->e = e;
    309. 

  309.   sk->p = p;
    310. 

  310.   sk->q = q;
    311. 

  311.   sk->d = d;
    312. 

  312.   sk->u = u;
    313. 

  313. 

  314.   /* Now we can test our keys. */
    315. 

  315.   if (test_keys (sk, nbits - 64))
    316. 

  316.     {
    317. 

  317.       gcry_mpi_release (sk->n); sk->n = NULL;
    318. 

  318.       gcry_mpi_release (sk->e); sk->e = NULL;
    319. 

  319.       gcry_mpi_release (sk->p); sk->p = NULL;
    320. 

  320.       gcry_mpi_release (sk->q); sk->q = NULL;
    321. 

  321.       gcry_mpi_release (sk->d); sk->d = NULL;
    322. 

  322.       gcry_mpi_release (sk->u); sk->u = NULL;
    323. 

  323.       fips_signal_error ("self-test after key generation failed");
    324. 

  324.       return GPG_ERR_SELFTEST_FAILED;
    325. 

  325.     }
    326. 

  326. 

  327.   return 0;
    328. 

  328. }
    329. 

  329. 

  330. 

  331. /* Helper for generate_x931.  */
    332. 

  332. static gcry_mpi_t
    333. 

  333. gen_x931_parm_xp (unsigned int nbits)
    334. 

  334. {
    335. 

  335.   gcry_mpi_t xp;
    336. 

  336. 

  337.   xp = gcry_mpi_snew (nbits);
    338. 

  338.   gcry_mpi_randomize (xp, nbits, GCRY_VERY_STRONG_RANDOM);
    339. 

  339. 

  340.   /* The requirement for Xp is:
    341. 

  341. 

  342.        sqrt{2}*2^{nbits-1} <= xp <= 2^{nbits} - 1
    343. 

  343. 

  344.      We set the two high order bits to 1 to satisfy the lower bound.
    345. 

  345.      By using mpi_set_highbit we make sure that the upper bound is
    346. 

  346.      satisfied as well.  */
    347. 

  347.   mpi_set_highbit (xp, nbits-1);
    348. 

  348.   mpi_set_bit (xp, nbits-2);
    349. 

  349.   gcry_assert ( mpi_get_nbits (xp) == nbits );
    350. 

  350. 

  351.   return xp;
    352. 

  352. }
    353. 

  353. 

  354. 

  355. /* Helper for generate_x931.  */
    356. 

  356. static gcry_mpi_t
    357. 

  357. gen_x931_parm_xi (void)
    358. 

  358. {
    359. 

  359.   gcry_mpi_t xi;
    360. 

  360. 

  361.   xi = gcry_mpi_snew (101);
    362. 

  362.   gcry_mpi_randomize (xi, 101, GCRY_VERY_STRONG_RANDOM);
    363. 

  363.   mpi_set_highbit (xi, 100);
    364. 

  364.   gcry_assert ( mpi_get_nbits (xi) == 101 );
    365. 

  365. 

  366.   return xi;
    367. 

  367. }
    368. 

  368. 

  369. 

  370. 

  371. /* Variant of the standard key generation code using the algorithm
    372. 

  372.    from X9.31.  Using this algorithm has the advantage that the
    373. 

  373.    generation can be made deterministic which is required for CAVS
    374. 

  374.    testing.  */
    375. 

  375. static gpg_err_code_t
    376. 

  376. generate_x931 (RSA_secret_key *sk, unsigned int nbits, unsigned long e_value,
    377. 

  377.                gcry_sexp_t deriveparms, int *swapped)
    378. 

  378. {
    379. 

  379.   gcry_mpi_t p, q; /* The two primes.  */
    380. 

  380.   gcry_mpi_t e;    /* The public exponent.  */
    381. 

  381.   gcry_mpi_t n;    /* The public key.  */
    382. 

  382.   gcry_mpi_t d;    /* The private key */
    383. 

  383.   gcry_mpi_t u;    /* The inverse of p and q.  */
    384. 

  384.   gcry_mpi_t pm1;  /* p - 1  */
    385. 

  385.   gcry_mpi_t qm1;  /* q - 1  */
    386. 

  386.   gcry_mpi_t phi;  /* Euler totient.  */
    387. 

  387.   gcry_mpi_t f, g; /* Helper.  */
    388. 

  388. 

  389.   *swapped = 0;
    390. 

  390. 

  391.   if (e_value == 1)   /* Alias for a secure value. */
    392. 

  392.     e_value = 65537;
    393. 

  393. 

  394.   /* Point 1 of section 4.1:  k = 1024 + 256s with S >= 0  */
    395. 

  395.   if (nbits < 1024 || (nbits % 256))
    396. 

  396.     return GPG_ERR_INV_VALUE;
    397. 

  397. 

  398.   /* Point 2:  2 <= bitlength(e) < 2^{k-2}
    399. 

  399.      Note that we do not need to check the upper bound because we use
    400. 

  400.      an unsigned long for E and thus there is no way for E to reach
    401. 

  401.      that limit.  */
    402. 

  402.   if (e_value < 3)
    403. 

  403.     return GPG_ERR_INV_VALUE;
    404. 

  404. 

  405.   /* Our implementaion requires E to be odd.  */
    406. 

  406.   if (!(e_value & 1))
    407. 

  407.     return GPG_ERR_INV_VALUE;
    408. 

  408. 

  409.   /* Point 3:  e > 0 or e 0 if it is to be randomly generated.
    410. 

  410.      We support only a fixed E and thus there is no need for an extra test.  */
    411. 

  411. 

  412. 

  413.   /* Compute or extract the derive parameters.  */
    414. 

  414.   {
    415. 

  415.     gcry_mpi_t xp1 = NULL;
    416. 

  416.     gcry_mpi_t xp2 = NULL;
    417. 

  417.     gcry_mpi_t xp  = NULL;
    418. 

  418.     gcry_mpi_t xq1 = NULL;
    419. 

  419.     gcry_mpi_t xq2 = NULL;
    420. 

  420.     gcry_mpi_t xq  = NULL;
    421. 

  421.     gcry_mpi_t tmpval;
    422. 

  422. 

  423.     if (!deriveparms)
    424. 

  424.       {
    425. 

  425.         /* Not given: Generate them.  */
    426. 

  426.         xp = gen_x931_parm_xp (nbits/2);
    427. 

  427.         /* Make sure that |xp - xq| > 2^{nbits - 100} holds.  */
    428. 

  428.         tmpval = gcry_mpi_snew (nbits/2);
    429. 

  429.         do
    430. 

  430.           {
    431. 

  431.             gcry_mpi_release (xq);
    432. 

  432.             xq = gen_x931_parm_xp (nbits/2);
    433. 

  433.             mpi_sub (tmpval, xp, xq);
    434. 

  434.           }
    435. 

  435.         while (mpi_get_nbits (tmpval) <= (nbits/2 - 100));
    436. 

  436.         gcry_mpi_release (tmpval);
    437. 

  437. 

  438.         xp1 = gen_x931_parm_xi ();
    439. 

  439.         xp2 = gen_x931_parm_xi ();
    440. 

  440.         xq1 = gen_x931_parm_xi ();
    441. 

  441.         xq2 = gen_x931_parm_xi ();
    442. 

  442. 

  443.       }
    444. 

  444.     else
    445. 

  445.       {
    446. 

  446.         /* Parameters to derive the key are given.  */
    447. 

  447.         /* Note that we explicitly need to setup the values of tbl
    448. 

  448.            because some compilers (e.g. OpenWatcom, IRIX) don't allow
    449. 

  449.            to initialize a structure with automatic variables.  */
    450. 

  450.         struct { const char *name; gcry_mpi_t *value; } tbl[] = {
    451. 

  451.           { "Xp1" },
    452. 

  452.           { "Xp2" },
    453. 

  453.           { "Xp"  },
    454. 

  454.           { "Xq1" },
    455. 

  455.           { "Xq2" },
    456. 

  456.           { "Xq"  },
    457. 

  457.           { NULL }
    458. 

  458.         };
    459. 

  459.         int idx;
    460. 

  460.         gcry_sexp_t oneparm;
    461. 

  461. 

  462.         tbl[0].value = &xp1;
    463. 

  463.         tbl[1].value = &xp2;
    464. 

  464.         tbl[2].value = &xp;
    465. 

  465.         tbl[3].value = &xq1;
    466. 

  466.         tbl[4].value = &xq2;
    467. 

  467.         tbl[5].value = &xq;
    468. 

  468. 

  469.         for (idx=0; tbl[idx].name; idx++)
    470. 

  470.           {
    471. 

  471.             oneparm = gcry_sexp_find_token (deriveparms, tbl[idx].name, 0);
    472. 

  472.             if (oneparm)
    473. 

  473.               {
    474. 

  474.                 *tbl[idx].value = gcry_sexp_nth_mpi (oneparm, 1,
    475. 

  475.                                                      GCRYMPI_FMT_USG);
    476. 

  476.                 gcry_sexp_release (oneparm);
    477. 

  477.               }
    478. 

  478.           }
    479. 

  479.         for (idx=0; tbl[idx].name; idx++)
    480. 

  480.           if (!*tbl[idx].value)
    481. 

  481.             break;
    482. 

  482.         if (tbl[idx].name)
    483. 

  483.           {
    484. 

  484.             /* At least one parameter is missing.  */
    485. 

  485.             for (idx=0; tbl[idx].name; idx++)
    486. 

  486.               gcry_mpi_release (*tbl[idx].value);
    487. 

  487.             return GPG_ERR_MISSING_VALUE;
    488. 

  488.           }
    489. 

  489.       }
    490. 

  490. 

  491.     e = mpi_alloc_set_ui (e_value);
    492. 

  492. 

  493.     /* Find two prime numbers.  */
    494. 

  494.     p = _gcry_derive_x931_prime (xp, xp1, xp2, e, NULL, NULL);
    495. 

  495.     q = _gcry_derive_x931_prime (xq, xq1, xq2, e, NULL, NULL);
    496. 

  496.     gcry_mpi_release (xp);  xp  = NULL;
    497. 

  497.     gcry_mpi_release (xp1); xp1 = NULL;
    498. 

  498.     gcry_mpi_release (xp2); xp2 = NULL;
    499. 

  499.     gcry_mpi_release (xq);  xq  = NULL;
    500. 

  500.     gcry_mpi_release (xq1); xq1 = NULL;
    501. 

  501.     gcry_mpi_release (xq2); xq2 = NULL;
    502. 

  502.     if (!p || !q)
    503. 

  503.       {
    504. 

  504.         gcry_mpi_release (p);
    505. 

  505.         gcry_mpi_release (q);
    506. 

  506.         gcry_mpi_release (e);
    507. 

  507.         return GPG_ERR_NO_PRIME;
    508. 

  508.       }
    509. 

  509.   }
    510. 

  510. 

  511. 

  512.   /* Compute the public modulus.  We make sure that p is smaller than
    513. 

  513.      q to allow the use of the CRT.  */
    514. 

  514.   if (mpi_cmp (p, q) > 0 )
    515. 

  515.     {
    516. 

  516.       mpi_swap (p, q);
    517. 

  517.       *swapped = 1;
    518. 

  518.     }
    519. 

  519.   n = gcry_mpi_new (nbits);
    520. 

  520.   mpi_mul (n, p, q);
    521. 

  521. 

  522.   /* Compute the Euler totient:  phi = (p-1)(q-1)  */
    523. 

  523.   pm1 = gcry_mpi_snew (nbits/2);
    524. 

  524.   qm1 = gcry_mpi_snew (nbits/2);
    525. 

  525.   phi = gcry_mpi_snew (nbits);
    526. 

  526.   mpi_sub_ui (pm1, p, 1);
    527. 

  527.   mpi_sub_ui (qm1, q, 1);
    528. 

  528.   mpi_mul (phi, pm1, qm1);
    529. 

  529. 

  530.   g = gcry_mpi_snew (nbits);
    531. 

  531.   gcry_assert (gcry_mpi_gcd (g, e, phi));
    532. 

  532. 

  533.   /* Compute: f = lcm(p-1,q-1) = phi / gcd(p-1,q-1) */
    534. 

  534.   gcry_mpi_gcd (g, pm1, qm1);
    535. 

  535.   f = pm1; pm1 = NULL;
    536. 

  536.   gcry_mpi_release (qm1); qm1 = NULL;
    537. 

  537.   mpi_fdiv_q (f, phi, g);
    538. 

  538.   gcry_mpi_release (phi); phi = NULL;
    539. 

  539.   d = g; g = NULL;
    540. 

  540.   /* Compute the secret key:  d = e^{-1} mod lcm(p-1,q-1) */
    541. 

  541.   mpi_invm (d, e, f);
    542. 

  542. 

  543.   /* Compute the inverse of p and q.  */
    544. 

  544.   u = f; f = NULL;
    545. 

  545.   mpi_invm (u, p, q );
    546. 

  546. 

  547.   if( DBG_CIPHER )
    548. 

  548.     {
    549. 

  549.       if (*swapped)
    550. 

  550.         log_debug ("p and q are swapped\n");
    551. 

  551.       log_mpidump("  p", p );
    552. 

  552.       log_mpidump("  q", q );
    553. 

  553.       log_mpidump("  n", n );
    554. 

  554.       log_mpidump("  e", e );
    555. 

  555.       log_mpidump("  d", d );
    556. 

  556.       log_mpidump("  u", u );
    557. 

  557.     }
    558. 

  558. 

  559. 

  560.   sk->n = n;
    561. 

  561.   sk->e = e;
    562. 

  562.   sk->p = p;
    563. 

  563.   sk->q = q;
    564. 

  564.   sk->d = d;
    565. 

  565.   sk->u = u;
    566. 

  566. 

  567.   /* Now we can test our keys. */
    568. 

  568.   if (test_keys (sk, nbits - 64))
    569. 

  569.     {
    570. 

  570.       gcry_mpi_release (sk->n); sk->n = NULL;
    571. 

  571.       gcry_mpi_release (sk->e); sk->e = NULL;
    572. 

  572.       gcry_mpi_release (sk->p); sk->p = NULL;
    573. 

  573.       gcry_mpi_release (sk->q); sk->q = NULL;
    574. 

  574.       gcry_mpi_release (sk->d); sk->d = NULL;
    575. 

  575.       gcry_mpi_release (sk->u); sk->u = NULL;
    576. 

  576.       fips_signal_error ("self-test after key generation failed");
    577. 

  577.       return GPG_ERR_SELFTEST_FAILED;
    578. 

  578.     }
    579. 

  579. 

  580.   return 0;
    581. 

  581. }
    582. 

  582. 

  583. 

  584. /****************
    585. 

  585.  * Test whether the secret key is valid.
    586. 

  586.  * Returns: true if this is a valid key.
    587. 

  587.  */
    588. 

  588. static int
    589. 

  589. check_secret_key( RSA_secret_key *sk )
    590. 

  590. {
    591. 

  591.   int rc;
    592. 

  592.   gcry_mpi_t temp = mpi_alloc( mpi_get_nlimbs(sk->p)*2 );
    593. 

  593. 

  594.   mpi_mul(temp, sk->p, sk->q );
    595. 

  595.   rc = mpi_cmp( temp, sk->n );
    596. 

  596.   mpi_free(temp);
    597. 

  597.   return !rc;
    598. 

  598. }
    599. 

  599. 

  600. 

  601. 

  602. /****************
    603. 

  603.  * Public key operation. Encrypt INPUT with PKEY and put result into OUTPUT.
    604. 

  604.  *
    605. 

  605.  *	c = m^e mod n
    606. 

  606.  *
    607. 

  607.  * Where c is OUTPUT, m is INPUT and e,n are elements of PKEY.
    608. 

  608.  */
    609. 

  609. static void
    610. 

  610. public(gcry_mpi_t output, gcry_mpi_t input, RSA_public_key *pkey )
    611. 

  611. {
    612. 

  612.   if( output == input )  /* powm doesn't like output and input the same */
    613. 

  613.     {
    614. 

  614.       gcry_mpi_t x = mpi_alloc( mpi_get_nlimbs(input)*2 );
    615. 

  615.       mpi_powm( x, input, pkey->e, pkey->n );
    616. 

  616.       mpi_set(output, x);
    617. 

  617.       mpi_free(x);
    618. 

  618.     }
    619. 

  619.   else
    620. 

  620.     mpi_powm( output, input, pkey->e, pkey->n );
    621. 

  621. }
    622. 

  622. 

  623. #if 0
    624. 

  624. static void
    625. 

  625. stronger_key_check ( RSA_secret_key *skey )
    626. 

  626. {
    627. 

  627.   gcry_mpi_t t = mpi_alloc_secure ( 0 );
    628. 

  628.   gcry_mpi_t t1 = mpi_alloc_secure ( 0 );
    629. 

  629.   gcry_mpi_t t2 = mpi_alloc_secure ( 0 );
    630. 

  630.   gcry_mpi_t phi = mpi_alloc_secure ( 0 );
    631. 

  631. 

  632.   /* check that n == p * q */
    633. 

  633.   mpi_mul( t, skey->p, skey->q);
    634. 

  634.   if (mpi_cmp( t, skey->n) )
    635. 

  635.     log_info ( "RSA Oops: n != p * q\n" );
    636. 

  636. 

  637.   /* check that p is less than q */
    638. 

  638.   if( mpi_cmp( skey->p, skey->q ) > 0 )
    639. 

  639.     {
    640. 

  640.       log_info ("RSA Oops: p >= q - fixed\n");
    641. 

  641.       _gcry_mpi_swap ( skey->p, skey->q);
    642. 

  642.     }
    643. 

  643. 

  644.     /* check that e divides neither p-1 nor q-1 */
    645. 

  645.     mpi_sub_ui(t, skey->p, 1 );
    646. 

  646.     mpi_fdiv_r(t, t, skey->e );
    647. 

  647.     if ( !mpi_cmp_ui( t, 0) )
    648. 

  648.         log_info ( "RSA Oops: e divides p-1\n" );
    649. 

  649.     mpi_sub_ui(t, skey->q, 1 );
    650. 

  650.     mpi_fdiv_r(t, t, skey->e );
    651. 

  651.     if ( !mpi_cmp_ui( t, 0) )
    652. 

  652.         log_info ( "RSA Oops: e divides q-1\n" );
    653. 

  653. 

  654.     /* check that d is correct */
    655. 

  655.     mpi_sub_ui( t1, skey->p, 1 );
    656. 

  656.     mpi_sub_ui( t2, skey->q, 1 );
    657. 

  657.     mpi_mul( phi, t1, t2 );
    658. 

  658.     gcry_mpi_gcd(t, t1, t2);
    659. 

  659.     mpi_fdiv_q(t, phi, t);
    660. 

  660.     mpi_invm(t, skey->e, t );
    661. 

  661.     if ( mpi_cmp(t, skey->d ) )
    662. 

  662.       {
    663. 

  663.         log_info ( "RSA Oops: d is wrong - fixed\n");
    664. 

  664.         mpi_set (skey->d, t);
    665. 

  665.         _gcry_log_mpidump ("  fixed d", skey->d);
    666. 

  666.       }
    667. 

  667. 

  668.     /* check for correctness of u */
    669. 

  669.     mpi_invm(t, skey->p, skey->q );
    670. 

  670.     if ( mpi_cmp(t, skey->u ) )
    671. 

  671.       {
    672. 

  672.         log_info ( "RSA Oops: u is wrong - fixed\n");
    673. 

  673.         mpi_set (skey->u, t);
    674. 

  674.         _gcry_log_mpidump ("  fixed u", skey->u);
    675. 

  675.       }
    676. 

  676. 

  677.     log_info ( "RSA secret key check finished\n");
    678. 

  678. 

  679.     mpi_free (t);
    680. 

  680.     mpi_free (t1);
    681. 

  681.     mpi_free (t2);
    682. 

  682.     mpi_free (phi);
    683. 

  683. }
    684. 

  684. #endif
    685. 

  685. 

  686. 

  687. 

  688. /****************
    689. 

  689.  * Secret key operation. Encrypt INPUT with SKEY and put result into OUTPUT.
    690. 

  690.  *
    691. 

  691.  *	m = c^d mod n
    692. 

  692.  *
    693. 

  693.  * Or faster:
    694. 

  694.  *
    695. 

  695.  *      m1 = c ^ (d mod (p-1)) mod p
    696. 

  696.  *      m2 = c ^ (d mod (q-1)) mod q
    697. 

  697.  *      h = u * (m2 - m1) mod q
    698. 

  698.  *      m = m1 + h * p
    699. 

  699.  *
    700. 

  700.  * Where m is OUTPUT, c is INPUT and d,n,p,q,u are elements of SKEY.
    701. 

  701.  */
    702. 

  702. static void
    703. 

  703. secret(gcry_mpi_t output, gcry_mpi_t input, RSA_secret_key *skey )
    704. 

  704. {
    705. 

  705.   if (!skey->p || !skey->q || !skey->u)
    706. 

  706.     {
    707. 

  707.       mpi_powm (output, input, skey->d, skey->n);
    708. 

  708.     }
    709. 

  709.   else
    710. 

  710.     {
    711. 

  711.       gcry_mpi_t m1 = mpi_alloc_secure( mpi_get_nlimbs(skey->n)+1 );
    712. 

  712.       gcry_mpi_t m2 = mpi_alloc_secure( mpi_get_nlimbs(skey->n)+1 );
    713. 

  713.       gcry_mpi_t h  = mpi_alloc_secure( mpi_get_nlimbs(skey->n)+1 );
    714. 

  714. 

  715.       /* m1 = c ^ (d mod (p-1)) mod p */
    716. 

  716.       mpi_sub_ui( h, skey->p, 1  );
    717. 

  717.       mpi_fdiv_r( h, skey->d, h );
    718. 

  718.       mpi_powm( m1, input, h, skey->p );
    719. 

  719.       /* m2 = c ^ (d mod (q-1)) mod q */
    720. 

  720.       mpi_sub_ui( h, skey->q, 1  );
    721. 

  721.       mpi_fdiv_r( h, skey->d, h );
    722. 

  722.       mpi_powm( m2, input, h, skey->q );
    723. 

  723.       /* h = u * ( m2 - m1 ) mod q */
    724. 

  724.       mpi_sub( h, m2, m1 );
    725. 

  725.       if ( mpi_is_neg( h ) )
    726. 

  726.         mpi_add ( h, h, skey->q );
    727. 

  727.       mpi_mulm( h, skey->u, h, skey->q );
    728. 

  728.       /* m = m2 + h * p */
    729. 

  729.       mpi_mul ( h, h, skey->p );
    730. 

  730.       mpi_add ( output, m1, h );
    731. 

  731. 

  732.       mpi_free ( h );
    733. 

  733.       mpi_free ( m1 );
    734. 

  734.       mpi_free ( m2 );
    735. 

  735.     }
    736. 

  736. }
    737. 

  737. 

  738. 

  739. 

  740. /* Perform RSA blinding.  */
    741. 

  741. static gcry_mpi_t
    742. 

  742. rsa_blind (gcry_mpi_t x, gcry_mpi_t r, gcry_mpi_t e, gcry_mpi_t n)
    743. 

  743. {
    744. 

  744.   /* A helper.  */
    745. 

  745.   gcry_mpi_t a;
    746. 

  746. 

  747.   /* Result.  */
    748. 

  748.   gcry_mpi_t y;
    749. 

  749. 

  750.   a = gcry_mpi_snew (gcry_mpi_get_nbits (n));
    751. 

  751.   y = gcry_mpi_snew (gcry_mpi_get_nbits (n));
    752. 

  752. 

  753.   /* Now we calculate: y = (x * r^e) mod n, where r is the random
    754. 

  754.      number, e is the public exponent, x is the non-blinded data and n
    755. 

  755.      is the RSA modulus.  */
    756. 

  756.   gcry_mpi_powm (a, r, e, n);
    757. 

  757.   gcry_mpi_mulm (y, a, x, n);
    758. 

  758. 

  759.   gcry_mpi_release (a);
    760. 

  760. 

  761.   return y;
    762. 

  762. }
    763. 

  763. 

  764. /* Undo RSA blinding.  */
    765. 

  765. static gcry_mpi_t
    766. 

  766. rsa_unblind (gcry_mpi_t x, gcry_mpi_t ri, gcry_mpi_t n)
    767. 

  767. {
    768. 

  768.   gcry_mpi_t y;
    769. 

  769. 

  770.   y = gcry_mpi_snew (gcry_mpi_get_nbits (n));
    771. 

  771. 

  772.   /* Here we calculate: y = (x * r^-1) mod n, where x is the blinded
    773. 

  773.      decrypted data, ri is the modular multiplicative inverse of r and
    774. 

  774.      n is the RSA modulus.  */
    775. 

  775. 

  776.   gcry_mpi_mulm (y, ri, x, n);
    777. 

  777. 

  778.   return y;
    779. 

  779. }
    780. 

  780. 

  781. /*********************************************
    782. 

  782.  **************  interface  ******************
    783. 

  783.  *********************************************/
    784. 

  784. 

  785. static gcry_err_code_t
    786. 

  786. rsa_generate_ext (int algo, unsigned int nbits, unsigned long evalue,
    787. 

  787.                   const gcry_sexp_t genparms,
    788. 

  788.                   gcry_mpi_t *skey, gcry_mpi_t **retfactors,
    789. 

  789.                   gcry_sexp_t *r_extrainfo)
    790. 

  790. {
    791. 

  791.   RSA_secret_key sk;
    792. 

  792.   gpg_err_code_t ec;
    793. 

  793.   gcry_sexp_t deriveparms;
    794. 

  794.   int transient_key = 0;
    795. 

  795.   int use_x931 = 0;
    796. 

  796.   gcry_sexp_t l1;
    797. 

  797. 

  798.   (void)algo;
    799. 

  799. 

  800.   *retfactors = NULL; /* We don't return them.  */
    801. 

  801. 

  802.   deriveparms = (genparms?
    803. 

  803.                  gcry_sexp_find_token (genparms, "derive-parms", 0) : NULL);
    804. 

  804.   if (!deriveparms)
    805. 

  805.     {
    806. 

  806.       /* Parse the optional "use-x931" flag. */
    807. 

  807.       l1 = gcry_sexp_find_token (genparms, "use-x931", 0);
    808. 

  808.       if (l1)
    809. 

  809.         {
    810. 

  810.           use_x931 = 1;
    811. 

  811.           gcry_sexp_release (l1);
    812. 

  812.         }
    813. 

  813.     }
    814. 

  814. 

  815.   if (deriveparms || use_x931 || fips_mode ())
    816. 

  816.     {
    817. 

  817.       int swapped;
    818. 

  818.       ec = generate_x931 (&sk, nbits, evalue, deriveparms, &swapped);
    819. 

  819.       gcry_sexp_release (deriveparms);
    820. 

  820.       if (!ec && r_extrainfo && swapped)
    821. 

  821.         {
    822. 

  822.           ec = gcry_sexp_new (r_extrainfo,
    823. 

  823.                               "(misc-key-info(p-q-swapped))", 0, 1);
    824. 

  824.           if (ec)
    825. 

  825.             {
    826. 

  826.               gcry_mpi_release (sk.n); sk.n = NULL;
    827. 

  827.               gcry_mpi_release (sk.e); sk.e = NULL;
    828. 

  828.               gcry_mpi_release (sk.p); sk.p = NULL;
    829. 

  829.               gcry_mpi_release (sk.q); sk.q = NULL;
    830. 

  830.               gcry_mpi_release (sk.d); sk.d = NULL;
    831. 

  831.               gcry_mpi_release (sk.u); sk.u = NULL;
    832. 

  832.             }
    833. 

  833.         }
    834. 

  834.     }
    835. 

  835.   else
    836. 

  836.     {
    837. 

  837.       /* Parse the optional "transient-key" flag. */
    838. 

  838.       l1 = gcry_sexp_find_token (genparms, "transient-key", 0);
    839. 

  839.       if (l1)
    840. 

  840.         {
    841. 

  841.           transient_key = 1;
    842. 

  842.           gcry_sexp_release (l1);
    843. 

  843.         }
    844. 

  844.       /* Generate.  */
    845. 

  845.       ec = generate_std (&sk, nbits, evalue, transient_key);
    846. 

  846.     }
    847. 

  847. 

  848.   if (!ec)
    849. 

  849.     {
    850. 

  850.       skey[0] = sk.n;
    851. 

  851.       skey[1] = sk.e;
    852. 

  852.       skey[2] = sk.d;
    853. 

  853.       skey[3] = sk.p;
    854. 

  854.       skey[4] = sk.q;
    855. 

  855.       skey[5] = sk.u;
    856. 

  856.     }
    857. 

  857. 

  858.   return ec;
    859. 

  859. }
    860. 

  860. 

  861. 

  862. static gcry_err_code_t
    863. 

  863. rsa_generate (int algo, unsigned int nbits, unsigned long evalue,
    864. 

  864.               gcry_mpi_t *skey, gcry_mpi_t **retfactors)
    865. 

  865. {
    866. 

  866.   return rsa_generate_ext (algo, nbits, evalue, NULL, skey, retfactors, NULL);
    867. 

  867. }
    868. 

  868. 

  869. 

  870. static gcry_err_code_t
    871. 

  871. rsa_check_secret_key (int algo, gcry_mpi_t *skey)
    872. 

  872. {
    873. 

  873.   gcry_err_code_t err = GPG_ERR_NO_ERROR;
    874. 

  874.   RSA_secret_key sk;
    875. 

  875. 

  876.   (void)algo;
    877. 

  877. 

  878.   sk.n = skey[0];
    879. 

  879.   sk.e = skey[1];
    880. 

  880.   sk.d = skey[2];
    881. 

  881.   sk.p = skey[3];
    882. 

  882.   sk.q = skey[4];
    883. 

  883.   sk.u = skey[5];
    884. 

  884. 

  885.   if (!sk.p || !sk.q || !sk.u)
    886. 

  886.     err = GPG_ERR_NO_OBJ;  /* To check the key we need the optional
    887. 

  887.                               parameters. */
    888. 

  888.   else if (!check_secret_key (&sk))
    889. 

  889.     err = GPG_ERR_BAD_SECKEY;
    890. 

  890. 

  891.   return err;
    892. 

  892. }
    893. 

  893. 

  894. 

  895. static gcry_err_code_t
    896. 

  896. rsa_encrypt (int algo, gcry_mpi_t *resarr, gcry_mpi_t data,
    897. 

  897.              gcry_mpi_t *pkey, int flags)
    898. 

  898. {
    899. 

  899.   RSA_public_key pk;
    900. 

  900. 

  901.   (void)algo;
    902. 

  902.   (void)flags;
    903. 

  903. 

  904.   pk.n = pkey[0];
    905. 

  905.   pk.e = pkey[1];
    906. 

  906.   resarr[0] = mpi_alloc (mpi_get_nlimbs (pk.n));
    907. 

  907.   public (resarr[0], data, &pk);
    908. 

  908. 

  909.   return GPG_ERR_NO_ERROR;
    910. 

  910. }
    911. 

  911. 

  912. 

  913. static gcry_err_code_t
    914. 

  914. rsa_decrypt (int algo, gcry_mpi_t *result, gcry_mpi_t *data,
    915. 

  915.              gcry_mpi_t *skey, int flags)
    916. 

  916. {
    917. 

  917.   RSA_secret_key sk;
    918. 

  918.   gcry_mpi_t r = MPI_NULL;	/* Random number needed for blinding.  */
    919. 

  919.   gcry_mpi_t ri = MPI_NULL;	/* Modular multiplicative inverse of
    920. 

  920. 				   r.  */
    921. 

  921.   gcry_mpi_t x = MPI_NULL;	/* Data to decrypt.  */
    922. 

  922.   gcry_mpi_t y;			/* Result.  */
    923. 

  923. 

  924.   (void)algo;
    925. 

  925. 

  926.   /* Extract private key.  */
    927. 

  927.   sk.n = skey[0];
    928. 

  928.   sk.e = skey[1];
    929. 

  929.   sk.d = skey[2];
    930. 

  930.   sk.p = skey[3]; /* Optional. */
    931. 

  931.   sk.q = skey[4]; /* Optional. */
    932. 

  932.   sk.u = skey[5]; /* Optional. */
    933. 

  933. 

  934.   y = gcry_mpi_snew (gcry_mpi_get_nbits (sk.n));
    935. 

  935. 

  936.   /* We use blinding by default to mitigate timing attacks which can
    937. 

  937.      be practically mounted over the network as shown by Brumley and
    938. 

  938.      Boney in 2003.  */
    939. 

  939.   if (! (flags & PUBKEY_FLAG_NO_BLINDING))
    940. 

  940.     {
    941. 

  941.       /* Initialize blinding.  */
    942. 

  942. 

  943.       /* First, we need a random number r between 0 and n - 1, which
    944. 

  944. 	 is relatively prime to n (i.e. it is neither p nor q).  The
    945. 

  945. 	 random number needs to be only unpredictable, thus we employ
    946. 

  946. 	 the gcry_create_nonce function by using GCRY_WEAK_RANDOM with
    947. 

  947. 	 gcry_mpi_randomize.  */
    948. 

  948.       r = gcry_mpi_snew (gcry_mpi_get_nbits (sk.n));
    949. 

  949.       ri = gcry_mpi_snew (gcry_mpi_get_nbits (sk.n));
    950. 

  950. 

  951.       gcry_mpi_randomize (r, gcry_mpi_get_nbits (sk.n), GCRY_WEAK_RANDOM);
    952. 

  952.       gcry_mpi_mod (r, r, sk.n);
    953. 

  953. 

  954.       /* Calculate inverse of r.  It practically impossible that the
    955. 

  955.          following test fails, thus we do not add code to release
    956. 

  956.          allocated resources.  */
    957. 

  957.       if (!gcry_mpi_invm (ri, r, sk.n))
    958. 

  958. 	return GPG_ERR_INTERNAL;
    959. 

  959.     }
    960. 

  960. 

  961.   if (! (flags & PUBKEY_FLAG_NO_BLINDING))
    962. 

  962.     x = rsa_blind (data[0], r, sk.e, sk.n);
    963. 

  963.   else
    964. 

  964.     x = data[0];
    965. 

  965. 

  966.   /* Do the encryption.  */
    967. 

  967.   secret (y, x, &sk);
    968. 

  968. 

  969.   if (! (flags & PUBKEY_FLAG_NO_BLINDING))
    970. 

  970.     {
    971. 

  971.       /* Undo blinding.  */
    972. 

  972.       gcry_mpi_t a = gcry_mpi_copy (y);
    973. 

  973. 

  974.       gcry_mpi_release (y);
    975. 

  975.       y = rsa_unblind (a, ri, sk.n);
    976. 

  976. 

  977.       gcry_mpi_release (a);
    978. 

  978.     }
    979. 

  979. 

  980.   if (! (flags & PUBKEY_FLAG_NO_BLINDING))
    981. 

  981.     {
    982. 

  982.       /* Deallocate resources needed for blinding.  */
    983. 

  983.       gcry_mpi_release (x);
    984. 

  984.       gcry_mpi_release (r);
    985. 

  985.       gcry_mpi_release (ri);
    986. 

  986.     }
    987. 

  987. 

  988.   /* Copy out result.  */
    989. 

  989.   *result = y;
    990. 

  990. 

  991.   return GPG_ERR_NO_ERROR;
    992. 

  992. }
    993. 

  993. 

  994. 

  995. static gcry_err_code_t
    996. 

  996. rsa_sign (int algo, gcry_mpi_t *resarr, gcry_mpi_t data, gcry_mpi_t *skey)
    997. 

  997. {
    998. 

  998.   RSA_secret_key sk;
    999. 

  999. 

  1000.   (void)algo;
    1001. 

  1001. 

  1002.   sk.n = skey[0];
    1003. 

  1003.   sk.e = skey[1];
    1004. 

  1004.   sk.d = skey[2];
    1005. 

  1005.   sk.p = skey[3];
    1006. 

  1006.   sk.q = skey[4];
    1007. 

  1007.   sk.u = skey[5];
    1008. 

  1008.   resarr[0] = mpi_alloc( mpi_get_nlimbs (sk.n));
    1009. 

  1009.   secret (resarr[0], data, &sk);
    1010. 

  1010. 

  1011.   return GPG_ERR_NO_ERROR;
    1012. 

  1012. }
    1013. 

  1013. 

  1014. 

  1015. static gcry_err_code_t
    1016. 

  1016. rsa_verify (int algo, gcry_mpi_t hash, gcry_mpi_t *data, gcry_mpi_t *pkey,
    1017. 

  1017. 		  int (*cmp) (void *opaque, gcry_mpi_t tmp),
    1018. 

  1018. 		  void *opaquev)
    1019. 

  1019. {
    1020. 

  1020.   RSA_public_key pk;
    1021. 

  1021.   gcry_mpi_t result;
    1022. 

  1022.   gcry_err_code_t rc;
    1023. 

  1023. 

  1024.   (void)algo;
    1025. 

  1025.   (void)cmp;
    1026. 

  1026.   (void)opaquev;
    1027. 

  1027. 

  1028.   pk.n = pkey[0];
    1029. 

  1029.   pk.e = pkey[1];
    1030. 

  1030.   result = gcry_mpi_new ( 160 );
    1031. 

  1031.   public( result, data[0], &pk );
    1032. 

  1032. #ifdef IS_DEVELOPMENT_VERSION
    1033. 

  1033.   if (DBG_CIPHER)
    1034. 

  1034.     {
    1035. 

  1035.       log_mpidump ("rsa verify result:", result );
    1036. 

  1036.       log_mpidump ("             hash:", hash );
    1037. 

  1037.     }
    1038. 

  1038. #endif /*IS_DEVELOPMENT_VERSION*/
    1039. 

  1039.   if (cmp)
    1040. 

  1040.     rc = (*cmp) (opaquev, result);
    1041. 

  1041.   else
    1042. 

  1042.     rc = mpi_cmp (result, hash) ? GPG_ERR_BAD_SIGNATURE : GPG_ERR_NO_ERROR;
    1043. 

  1043.   gcry_mpi_release (result);
    1044. 

  1044. 

  1045.   return rc;
    1046. 

  1046. }
    1047. 

  1047. 

  1048. 

  1049. static unsigned int
    1050. 

  1050. rsa_get_nbits (int algo, gcry_mpi_t *pkey)
    1051. 

  1051. {
    1052. 

  1052.   (void)algo;
    1053. 

  1053. 

  1054.   return mpi_get_nbits (pkey[0]);
    1055. 

  1055. }
    1056. 

  1056. 

  1057. 

  1058. /* Compute a keygrip.  MD is the hash context which we are going to
    1059. 

  1059.    update.  KEYPARAM is an S-expression with the key parameters, this
    1060. 

  1060.    is usually a public key but may also be a secret key.  An example
    1061. 

  1061.    of such an S-expression is:
    1062. 

  1062. 

  1063.       (rsa
    1064. 

  1064.         (n #00B...#)
    1065. 

  1065.         (e #010001#))
    1066. 

  1066. 

  1067.    PKCS-15 says that for RSA only the modulus should be hashed -
    1068. 

  1068.    however, it is not clear whether this is meant to use the raw bytes
    1069. 

  1069.    (assuming this is an unsigned integer) or whether the DER required
    1070. 

  1070.    0 should be prefixed.  We hash the raw bytes.  */
    1071. 

  1071. static gpg_err_code_t
    1072. 

  1072. compute_keygrip (gcry_md_hd_t md, gcry_sexp_t keyparam)
    1073. 

  1073. {
    1074. 

  1074.   gcry_sexp_t l1;
    1075. 

  1075.   const char *data;
    1076. 

  1076.   size_t datalen;
    1077. 

  1077. 

  1078.   l1 = gcry_sexp_find_token (keyparam, "n", 1);
    1079. 

  1079.   if (!l1)
    1080. 

  1080.     return GPG_ERR_NO_OBJ;
    1081. 

  1081. 

  1082.   data = gcry_sexp_nth_data (l1, 1, &datalen);
    1083. 

  1083.   if (!data)
    1084. 

  1084.     {
    1085. 

  1085.       gcry_sexp_release (l1);
    1086. 

  1086.       return GPG_ERR_NO_OBJ;
    1087. 

  1087.     }
    1088. 

  1088. 

  1089.   gcry_md_write (md, data, datalen);
    1090. 

  1090.   gcry_sexp_release (l1);
    1091. 

  1091. 

  1092.   return 0;
    1093. 

  1093. }
    1094. 

  1094. 

  1095. 

  1096. 

  1097. 
    1098. 

  1098. /*
    1099. 

  1099.      Self-test section.
    1100. 

  1100.  */
    1101. 

  1101. 

  1102. static const char *
    1103. 

  1103. selftest_sign_1024 (gcry_sexp_t pkey, gcry_sexp_t skey)
    1104. 

  1104. {
    1105. 

  1105.   static const char sample_data[] =
    1106. 

  1106.     "(data (flags pkcs1)"
    1107. 

  1107.     " (hash sha1 #11223344556677889900aabbccddeeff10203040#))";
    1108. 

  1108.   static const char sample_data_bad[] =
    1109. 

  1109.     "(data (flags pkcs1)"
    1110. 

  1110.     " (hash sha1 #11223344556677889900aabbccddeeff80203040#))";
    1111. 

  1111. 

  1112.   const char *errtxt = NULL;
    1113. 

  1113.   gcry_error_t err;
    1114. 

  1114.   gcry_sexp_t data = NULL;
    1115. 

  1115.   gcry_sexp_t data_bad = NULL;
    1116. 

  1116.   gcry_sexp_t sig = NULL;
    1117. 

  1117. 

  1118.   err = gcry_sexp_sscan (&data, NULL,
    1119. 

  1119.                          sample_data, strlen (sample_data));
    1120. 

  1120.   if (!err)
    1121. 

  1121.     err = gcry_sexp_sscan (&data_bad, NULL,
    1122. 

  1122.                            sample_data_bad, strlen (sample_data_bad));
    1123. 

  1123.   if (err)
    1124. 

  1124.     {
    1125. 

  1125.       errtxt = "converting data failed";
    1126. 

  1126.       goto leave;
    1127. 

  1127.     }
    1128. 

  1128. 

  1129.   err = gcry_pk_sign (&sig, data, skey);
    1130. 

  1130.   if (err)
    1131. 

  1131.     {
    1132. 

  1132.       errtxt = "signing failed";
    1133. 

  1133.       goto leave;
    1134. 

  1134.     }
    1135. 

  1135.   err = gcry_pk_verify (sig, data, pkey);
    1136. 

  1136.   if (err)
    1137. 

  1137.     {
    1138. 

  1138.       errtxt = "verify failed";
    1139. 

  1139.       goto leave;
    1140. 

  1140.     }
    1141. 

  1141.   err = gcry_pk_verify (sig, data_bad, pkey);
    1142. 

  1142.   if (gcry_err_code (err) != GPG_ERR_BAD_SIGNATURE)
    1143. 

  1143.     {
    1144. 

  1144.       errtxt = "bad signature not detected";
    1145. 

  1145.       goto leave;
    1146. 

  1146.     }
    1147. 

  1147. 

  1148. 

  1149.  leave:
    1150. 

  1150.   gcry_sexp_release (sig);
    1151. 

  1151.   gcry_sexp_release (data_bad);
    1152. 

  1152.   gcry_sexp_release (data);
    1153. 

  1153.   return errtxt;
    1154. 

  1154. }
    1155. 

  1155. 

  1156. 

  1157. 

  1158. /* Given an S-expression ENCR_DATA of the form:
    1159. 

  1159. 

  1160.    (enc-val
    1161. 

  1161.     (rsa
    1162. 

  1162.      (a a-value)))
    1163. 

  1163. 

  1164.    as returned by gcry_pk_decrypt, return the the A-VALUE.  On error,
    1165. 

  1165.    return NULL.  */
    1166. 

  1166. static gcry_mpi_t
    1167. 

  1167. extract_a_from_sexp (gcry_sexp_t encr_data)
    1168. 

  1168. {
    1169. 

  1169.   gcry_sexp_t l1, l2, l3;
    1170. 

  1170.   gcry_mpi_t a_value;
    1171. 

  1171. 

  1172.   l1 = gcry_sexp_find_token (encr_data, "enc-val", 0);
    1173. 

  1173.   if (!l1)
    1174. 

  1174.     return NULL;
    1175. 

  1175.   l2 = gcry_sexp_find_token (l1, "rsa", 0);
    1176. 

  1176.   gcry_sexp_release (l1);
    1177. 

  1177.   if (!l2)
    1178. 

  1178.     return NULL;
    1179. 

  1179.   l3 = gcry_sexp_find_token (l2, "a", 0);
    1180. 

  1180.   gcry_sexp_release (l2);
    1181. 

  1181.   if (!l3)
    1182. 

  1182.     return NULL;
    1183. 

  1183.   a_value = gcry_sexp_nth_mpi (l3, 1, 0);
    1184. 

  1184.   gcry_sexp_release (l3);
    1185. 

  1185. 

  1186.   return a_value;
    1187. 

  1187. }
    1188. 

  1188. 

  1189. 

  1190. static const char *
    1191. 

  1191. selftest_encr_1024 (gcry_sexp_t pkey, gcry_sexp_t skey)
    1192. 

  1192. {
    1193. 

  1193.   const char *errtxt = NULL;
    1194. 

  1194.   gcry_error_t err;
    1195. 

  1195.   const unsigned int nbits = 1000; /* Encrypt 1000 random bits.  */
    1196. 

  1196.   gcry_mpi_t plaintext = NULL;
    1197. 

  1197.   gcry_sexp_t plain = NULL;
    1198. 

  1198.   gcry_sexp_t encr  = NULL;
    1199. 

  1199.   gcry_mpi_t  ciphertext = NULL;
    1200. 

  1200.   gcry_sexp_t decr  = NULL;
    1201. 

  1201.   gcry_mpi_t  decr_plaintext = NULL;
    1202. 

  1202.   gcry_sexp_t tmplist = NULL;
    1203. 

  1203. 

  1204.   /* Create plaintext.  The plaintext is actually a big integer number.  */
    1205. 

  1205.   plaintext = gcry_mpi_new (nbits);
    1206. 

  1206.   gcry_mpi_randomize (plaintext, nbits, GCRY_WEAK_RANDOM);
    1207. 

  1207. 

  1208.   /* Put the plaintext into an S-expression.  */
    1209. 

  1209.   err = gcry_sexp_build (&plain, NULL,
    1210. 

  1210.                          "(data (flags raw) (value %m))", plaintext);
    1211. 

  1211.   if (err)
    1212. 

  1212.     {
    1213. 

  1213.       errtxt = "converting data failed";
    1214. 

  1214.       goto leave;
    1215. 

  1215.     }
    1216. 

  1216. 

  1217.   /* Encrypt.  */
    1218. 

  1218.   err = gcry_pk_encrypt (&encr, plain, pkey);
    1219. 

  1219.   if (err)
    1220. 

  1220.     {
    1221. 

  1221.       errtxt = "encrypt failed";
    1222. 

  1222.       goto leave;
    1223. 

  1223.     }
    1224. 

  1224. 

  1225.   /* Extraxt the ciphertext from the returned S-expression.  */
    1226. 

  1226.   /*gcry_sexp_dump (encr);*/
    1227. 

  1227.   ciphertext = extract_a_from_sexp (encr);
    1228. 

  1228.   if (!ciphertext)
    1229. 

  1229.     {
    1230. 

  1230.       errtxt = "gcry_pk_decrypt returned garbage";
    1231. 

  1231.       goto leave;
    1232. 

  1232.     }
    1233. 

  1233. 

  1234.   /* Check that the ciphertext does no match the plaintext.  */
    1235. 

  1235.   /* _gcry_log_mpidump ("plaintext", plaintext); */
    1236. 

  1236.   /* _gcry_log_mpidump ("ciphertxt", ciphertext); */
    1237. 

  1237.   if (!gcry_mpi_cmp (plaintext, ciphertext))
    1238. 

  1238.     {
    1239. 

  1239.       errtxt = "ciphertext matches plaintext";
    1240. 

  1240.       goto leave;
    1241. 

  1241.     }
    1242. 

  1242. 

  1243.   /* Decrypt.  */
    1244. 

  1244.   err = gcry_pk_decrypt (&decr, encr, skey);
    1245. 

  1245.   if (err)
    1246. 

  1246.     {
    1247. 

  1247.       errtxt = "decrypt failed";
    1248. 

  1248.       goto leave;
    1249. 

  1249.     }
    1250. 

  1250. 

  1251.   /* Extract the decrypted data from the S-expression.  Note that the
    1252. 

  1252.      output of gcry_pk_decrypt depends on whether a flags lists occurs
    1253. 

  1253.      in its input data.  Because we passed the output of
    1254. 

  1254.      gcry_pk_encrypt directly to gcry_pk_decrypt, such a flag value
    1255. 

  1255.      won't be there as of today.  To be prepared for future changes we
    1256. 

  1256.      take care of it anyway.  */
    1257. 

  1257.   tmplist = gcry_sexp_find_token (decr, "value", 0);
    1258. 

  1258.   if (tmplist)
    1259. 

  1259.     decr_plaintext = gcry_sexp_nth_mpi (tmplist, 1, GCRYMPI_FMT_USG);
    1260. 

  1260.   else
    1261. 

  1261.     decr_plaintext = gcry_sexp_nth_mpi (decr, 0, GCRYMPI_FMT_USG);
    1262. 

  1262.   if (!decr_plaintext)
    1263. 

  1263.     {
    1264. 

  1264.       errtxt = "decrypt returned no plaintext";
    1265. 

  1265.       goto leave;
    1266. 

  1266.     }
    1267. 

  1267. 

  1268.   /* Check that the decrypted plaintext matches the original  plaintext.  */
    1269. 

  1269.   if (gcry_mpi_cmp (plaintext, decr_plaintext))
    1270. 

  1270.     {
    1271. 

  1271.       errtxt = "mismatch";
    1272. 

  1272.       goto leave;
    1273. 

  1273.     }
    1274. 

  1274. 

  1275.  leave:
    1276. 

  1276.   gcry_sexp_release (tmplist);
    1277. 

  1277.   gcry_mpi_release (decr_plaintext);
    1278. 

  1278.   gcry_sexp_release (decr);
    1279. 

  1279.   gcry_mpi_release (ciphertext);
    1280. 

  1280.   gcry_sexp_release (encr);
    1281. 

  1281.   gcry_sexp_release (plain);
    1282. 

  1282.   gcry_mpi_release (plaintext);
    1283. 

  1283.   return errtxt;
    1284. 

  1284. }
    1285. 

  1285. 

  1286. 

  1287. static gpg_err_code_t
    1288. 

  1288. selftests_rsa (selftest_report_func_t report)
    1289. 

  1289. {
    1290. 

  1290.   const char *what;
    1291. 

  1291.   const char *errtxt;
    1292. 

  1292.   gcry_error_t err;
    1293. 

  1293.   gcry_sexp_t skey = NULL;
    1294. 

  1294.   gcry_sexp_t pkey = NULL;
    1295. 

  1295. 

  1296.   /* Convert the S-expressions into the internal representation.  */
    1297. 

  1297.   what = "convert";
    1298. 

  1298.   err = gcry_sexp_sscan (&skey, NULL,
    1299. 

  1299.                          sample_secret_key, strlen (sample_secret_key));
    1300. 

  1300.   if (!err)
    1301. 

  1301.     err = gcry_sexp_sscan (&pkey, NULL,
    1302. 

  1302.                            sample_public_key, strlen (sample_public_key));
    1303. 

  1303.   if (err)
    1304. 

  1304.     {
    1305. 

  1305.       errtxt = gcry_strerror (err);
    1306. 

  1306.       goto failed;
    1307. 

  1307.     }
    1308. 

  1308. 

  1309.   what = "key consistency";
    1310. 

  1310.   err = gcry_pk_testkey (skey);
    1311. 

  1311.   if (err)
    1312. 

  1312.     {
    1313. 

  1313.       errtxt = gcry_strerror (err);
    1314. 

  1314.       goto failed;
    1315. 

  1315.     }
    1316. 

  1316. 

  1317.   what = "sign";
    1318. 

  1318.   errtxt = selftest_sign_1024 (pkey, skey);
    1319. 

  1319.   if (errtxt)
    1320. 

  1320.     goto failed;
    1321. 

  1321. 

  1322.   what = "encrypt";
    1323. 

  1323.   errtxt = selftest_encr_1024 (pkey, skey);
    1324. 

  1324.   if (errtxt)
    1325. 

  1325.     goto failed;
    1326. 

  1326. 

  1327.   gcry_sexp_release (pkey);
    1328. 

  1328.   gcry_sexp_release (skey);
    1329. 

  1329.   return 0; /* Succeeded. */
    1330. 

  1330. 

  1331.  failed:
    1332. 

  1332.   gcry_sexp_release (pkey);
    1333. 

  1333.   gcry_sexp_release (skey);
    1334. 

  1334.   if (report)
    1335. 

  1335.     report ("pubkey", GCRY_PK_RSA, what, errtxt);
    1336. 

  1336.   return GPG_ERR_SELFTEST_FAILED;
    1337. 

  1337. }
    1338. 

  1338. 

  1339. 

  1340. /* Run a full self-test for ALGO and return 0 on success.  */
    1341. 

  1341. static gpg_err_code_t
    1342. 

  1342. run_selftests (int algo, int extended, selftest_report_func_t report)
    1343. 

  1343. {
    1344. 

  1344.   gpg_err_code_t ec;
    1345. 

  1345. 

  1346.   (void)extended;
    1347. 

  1347. 

  1348.   switch (algo)
    1349. 

  1349.     {
    1350. 

  1350.     case GCRY_PK_RSA:
    1351. 

  1351.       ec = selftests_rsa (report);
    1352. 

  1352.       break;
    1353. 

  1353.     default:
    1354. 

  1354.       ec = GPG_ERR_PUBKEY_ALGO;
    1355. 

  1355.       break;
    1356. 

  1356. 

  1357.     }
    1358. 

  1358.   return ec;
    1359. 

  1359. }
    1360. 

  1360. 

  1361. 

  1362. 

  1363. 
    1364. 

  1364. static const char *rsa_names[] =
    1365. 

  1365.   {
    1366. 

  1366.     "rsa",
    1367. 

  1367.     "openpgp-rsa",
    1368. 

  1368.     "oid.1.2.840.113549.1.1.1",
    1369. 

  1369.     NULL,
    1370. 

  1370.   };
    1371. 

  1371. 

  1372. gcry_pk_spec_t _gcry_pubkey_spec_rsa =
    1373. 

  1373.   {
    1374. 

  1374.     "RSA", rsa_names,
    1375. 

  1375.     "ne", "nedpqu", "a", "s", "n",
    1376. 

  1376.     GCRY_PK_USAGE_SIGN | GCRY_PK_USAGE_ENCR,
    1377. 

  1377.     rsa_generate,
    1378. 

  1378.     rsa_check_secret_key,
    1379. 

  1379.     rsa_encrypt,
    1380. 

  1380.     rsa_decrypt,
    1381. 

  1381.     rsa_sign,
    1382. 

  1382.     rsa_verify,
    1383. 

  1383.     rsa_get_nbits,
    1384. 

  1384.   };
    1385. 

  1385. pk_extra_spec_t _gcry_pubkey_extraspec_rsa =
    1386. 

  1386.   {
    1387. 

  1387.     run_selftests,
    1388. 

  1388.     rsa_generate_ext,
    1389. 

  1389.     compute_keygrip
    1390. 

  1390.   };
    1391. 

  1391.