rsa.c: Check public key length.

The private key is checked quite carefully -- even to a fault -- for being sensibly sized, but the corresponding function for public keys appears to have no checking at all. This is a shame since message-representative construction assumes that the message representative will fit in a fixed-size buffer.

Fix this situation by checking public key sizes in `rsapub_apply'.

Signed-off-by: Mark Wooding <mdw@distorted.org.uk>
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

- [D] rsa.c

rsa.c: Replace the magic length 1024 with a (larger) constant.

While 15360-bit RSA keys are rather large, they're not completely beyond the realms of possibility and it seems unreasonable to forbid them. (Specifically, 15360 is the length recommended by NIST for 256-bit security levels.)

Signed-off-by: Mark Wooding <mdw@distorted.org.uk>

- [D] rsa.c

rsa.c: Factor out constructing the EMSA-PKCS1 message representative.

This was done in two different places for no reason I could understand. Replace them both with a single implementation.

Signed-off-by: Mark Wooding <mdw@distorted.org.uk>

- [D] rsa.c
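
An added example, not taken from rsa.c or from these commits: the three log entries above describe a single EMSA-PKCS1 constructor, a named maximum key length, and a public-key size check that keeps the message representative inside a fixed-size buffer. The names pubkey_size_ok, emsa_pkcs1_encode and MAX_RSA_BYTES are hypothetical, the 15360-bit ceiling is an assumption based on the figure in the log, and the byte layout follows PKCS#1 v1.5 rather than whatever representation rsa.c uses.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed ceiling for this example: 15360-bit moduli, the size named in the log. */
#define MAX_RSA_BYTES (15360 / 8)

/* Significant bytes of a big-endian modulus (leading zero bytes ignored). */
static int modulus_bytes(const uint8_t *n, int len)
{
    int i = 0;
    while (i < len && n[i] == 0) i++;
    return len - i;
}

/* Hypothetical check: accept a public modulus only if it fits the buffer. */
int pubkey_size_ok(const uint8_t *n, int len)
{
    int k = modulus_bytes(n, len);
    return k > 0 && k <= MAX_RSA_BYTES;
}

/* Write EM = 00 01 FF..FF 00 || t (k bytes) into out; return k, or -1 if
 * it does not fit. Lengths are signed so "k - 11" cannot wrap for tiny k. */
int emsa_pkcs1_encode(uint8_t *out, int outcap, int k,
                      const uint8_t *t, int tlen)
{
    int padlen;
    if (k <= 0 || k > outcap || tlen < 0) return -1;
    if (tlen > k - 11) return -1;      /* PKCS#1 wants >= 8 bytes of FF */
    padlen = k - tlen - 3;
    out[0] = 0x00;
    out[1] = 0x01;
    memset(out + 2, 0xff, (size_t)padlen);
    out[2 + padlen] = 0x00;
    memcpy(out + 3 + padlen, t, (size_t)tlen);
    return k;
}

int main(void)
{
    uint8_t em[MAX_RSA_BYTES], t[20];  /* t: constructed stand-in digest */
    memset(t, 0xaa, sizeof t);
    printf("64-byte modulus: %d\n", emsa_pkcs1_encode(em, (int)sizeof em, 64, t, 20));
    printf("2048-byte modulus: %d\n", emsa_pkcs1_encode(em, (int)sizeof em, 2048, t, 20));
    return 0;
}
```

The second call uses a modulus length larger than the buffer and is rejected instead of writing past the end of em.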

rsa.c: Fix incorrect commentary.

The Euler function phi(n) is defined to be

    phi(n) = #{ 1 < i < n | gcd(i, n) = 1 }

the number of natural numbers less than n and prime to it; equivalently, it's the size of the multiplicative group (Z/nZ)^*. If n = p q is the product of two primes then phi(n) = (p - 1)(q - 1).

But phi(n) is not (if n is composite) the exponent of (Z/nZ)^*. It's certainly true that a^{phi(n)} = 1 for all a in (Z/nZ)^*; but the exponent of a group G is the /smallest/ positive integer e such that a^e == 1 for all a in G. This quantity is denoted lambda(n); in our simple case where n = p q is the product of two primes it's true that

    lambda(n) = lcm(p - 1, q - 1)

Since p and q are large primes, both p - 1 and q - 1 are even, so lambda(n) is at least a factor of 2 smaller than phi(n).

In fact, lambda(2) = 1, lambda(2^f) = 2^{f-2} for f >= 1, and lambda(p^f) = p^{f-1} (p - 1) for prime p > 2; and, in general, if n = p_1^{f_1} ... p_m^{f_m} is the prime factorization of n then

    lambda(n) = lcm(lambda(p_1^{f_1}), ... lambda(p_m^{f_m}))

Signed-off-by: Mark Wooding <mdw@distorted.org.uk>

- [D] rsa.c

messages: add some missing newlines

Message and cfgfatal must be called with a message containing a newline (or, a newline sent in a later call). Fix a few call sites.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

- [D] rsa.c

integer arithmetic types: do not use unsigned for lengths

In C it is not normally a good idea to use an unsigned integer type for integer values, even if they are known not ever to be zero (for example, because they are lengths). This is because C unsigned arithmetic has unhelpful behaviour when the values would become negative.

In particular, comparing signed and unsigned integers, and doing arithmetic (especially subtraction) when unsigned integers are present, can be dangerous and lead to unexpected results.

So fix the resulting warnings (which are due to -Wsign-compare which comes from -W) by making all lengths, counts (and iterators over them) and return values from scanf be of signed types, usually int32_t instead of uint32_t (but occasionally int).

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

- [D] rsa.c

cleanup: remove redundant "init_module" declarations

These declarations are now provided in secnet.h and should not appear in individual .c files.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

- [D] rsa.c

Import release 0.1.16

- [D] rsa.c

Import release 0.1.15

- [D] rsa.c

Import release 0.1.14

- [D] rsa.c

Import release 0.1.13

- [D] rsa.c

Import release 0.1.3

- [D] rsa.c

Import release 0.1.1

- [D] rsa.c

Import release 0.1.0

- [D] rsa.c

Import release 0.03

- [D] rsa.c