X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ian/git?p=secnet.git;a=blobdiff_plain;f=rsa.c;h=f7dd69db6f69115e03c94779a2529468b642619f;hp=0bd106ff3526935734641b239cdb3ec91649de2b;hb=c6a3b1f54ccc754be82f0a2ea5b4d60746053a2b;hpb=39a6b1e27fba043e9f988fa10f76ea68b796cbfd;ds=sidebyside diff --git a/rsa.c b/rsa.c index 0bd106f..f7dd69d 100644 --- a/rsa.c +++ b/rsa.c @@ -34,18 +34,19 @@ struct rsapub { }; /* Sign data. NB data must be smaller than modulus */ +#define RSA_MAX_MODBYTES 2048 +/* The largest modulus I've seen is 15360 bits, which works out at 1920 + * bytes. Using keys this big is quite implausible, but it doesn't cost us + * much to support them. + */ + static const char *hexchars="0123456789abcdef"; -static string_t rsa_sign(void *sst, uint8_t *data, int32_t datalen) +static void emsa_pkcs1(MP_INT *n, MP_INT *m, + const uint8_t *data, int32_t datalen) { - struct rsapriv *st=sst; - MP_INT a, b, u, v, tmp, tmp2; - char buff[2048]; + char buff[2*RSA_MAX_MODBYTES + 1]; int msize, i; - string_t signature; - - mpz_init(&a); - mpz_init(&b); /* RSA PKCS#1 v1.5 signature padding: * @@ -65,7 +66,7 @@ static string_t rsa_sign(void *sst, uint8_t *data, int32_t datalen) * -iwj 17.9.2002 */ - msize=mpz_sizeinbase(&st->n, 16); + msize=mpz_sizeinbase(n, 16); if (datalen*2+6>=msize) { fatal("rsa_sign: message too big"); @@ -86,7 +87,20 @@ static string_t rsa_sign(void *sst, uint8_t *data, int32_t datalen) buff[msize]=0; - mpz_set_str(&a, buff, 16); + mpz_set_str(m, buff, 16); +} + +static string_t rsa_sign(void *sst, uint8_t *data, int32_t datalen) +{ + struct rsapriv *st=sst; + MP_INT a, b, u, v, tmp, tmp2; + string_t signature; + + mpz_init(&a); + mpz_init(&b); + + /* Construct the message representative. */ + emsa_pkcs1(&st->n, &a, data, datalen); /* * Produce an RSA signature (a^d mod n) using the Chinese @@ -135,32 +149,13 @@ static bool_t rsa_sig_check(void *sst, uint8_t *data, int32_t datalen, { struct rsapub *st=sst; MP_INT a, b, c; - char buff[2048]; - int msize, i; bool_t ok; mpz_init(&a); mpz_init(&b); mpz_init(&c); - msize=mpz_sizeinbase(&st->n, 16); - - strcpy(buff,"0001"); - - for (i=0; i>4]; - buff[msize+(-datalen+i)*2+1]=hexchars[data[i]&0xf]; - } - - buff[msize-datalen*2-2]= '0'; - buff[msize-datalen*2-1]= '0'; - - for (i=4; in, &a, data, datalen); mpz_set_str(&b, signature, 16); @@ -204,6 +199,9 @@ static list_t *rsapub_apply(closure_t *self, struct cloc loc, dict_t *context, } else { cfgfatal(loc,"rsa-public","you must provide an encryption key\n"); } + if (mpz_sizeinbase(&st->e, 256) > RSA_MAX_MODBYTES) { + cfgfatal(loc, "rsa-public", "implausibly large public exponent\n"); + } i=list_elem(args,1); if (i) { @@ -218,6 +216,9 @@ static list_t *rsapub_apply(closure_t *self, struct cloc loc, dict_t *context, } else { cfgfatal(loc,"rsa-public","you must provide a modulus\n"); } + if (mpz_sizeinbase(&st->n, 256) > RSA_MAX_MODBYTES) { + cfgfatal(loc, "rsa-public", "implausibly large modulus\n"); + } return new_closure(&st->cl); } @@ -307,7 +308,7 @@ static list_t *rsapriv_apply(closure_t *self, struct cloc loc, dict_t *context, /* Read the public key */ keyfile_get_int(loc,f); /* Not sure what this is */ length=(keyfile_get_short(loc,f)+7)/8; - if (length>1024) { + if (length>RSA_MAX_MODBYTES) { cfgfatal(loc,"rsa-private","implausible length %ld for modulus\n", length); } @@ -319,7 +320,7 @@ static list_t *rsapriv_apply(closure_t *self, struct cloc loc, dict_t *context, read_mpbin(&st->n,b,length); free(b); length=(keyfile_get_short(loc,f)+7)/8; - if (length>1024) { + if (length>RSA_MAX_MODBYTES) { cfgfatal(loc,"rsa-private","implausible length %ld for e\n",length); } b=safe_malloc(length,"rsapriv_apply"); @@ -350,7 +351,7 @@ static list_t *rsapriv_apply(closure_t *self, struct cloc loc, dict_t *context, /* Read d */ length=(keyfile_get_short(loc,f)+7)/8; - if (length>1024) { + if (length>RSA_MAX_MODBYTES) { cfgfatal(loc,"rsa-private","implausibly long (%ld) decryption key\n", length); } @@ -364,7 +365,7 @@ static list_t *rsapriv_apply(closure_t *self, struct cloc loc, dict_t *context, free(b); /* Read iqmp (inverse of q mod p) */ length=(keyfile_get_short(loc,f)+7)/8; - if (length>1024) { + if (length>RSA_MAX_MODBYTES) { cfgfatal(loc,"rsa-private","implausibly long (%ld)" " iqmp auxiliary value\n", length); } @@ -378,7 +379,7 @@ static list_t *rsapriv_apply(closure_t *self, struct cloc loc, dict_t *context, free(b); /* Read q (the smaller of the two primes) */ length=(keyfile_get_short(loc,f)+7)/8; - if (length>1024) { + if (length>RSA_MAX_MODBYTES) { cfgfatal(loc,"rsa-private","implausibly long (%ld) q value\n", length); } @@ -392,7 +393,7 @@ static list_t *rsapriv_apply(closure_t *self, struct cloc loc, dict_t *context, free(b); /* Read p (the larger of the two primes) */ length=(keyfile_get_short(loc,f)+7)/8; - if (length>1024) { + if (length>RSA_MAX_MODBYTES) { cfgfatal(loc,"rsa-private","implausibly long (%ld) p value\n", length); } @@ -430,8 +431,9 @@ static list_t *rsapriv_apply(closure_t *self, struct cloc loc, dict_t *context, /* * Verify that d*e is congruent to 1 mod (p-1), and mod * (q-1). This is equivalent to it being congruent to 1 mod - * lcm(p-1,q-1), i.e. congruent to 1 mod phi(n). Note that - * phi(n) is _not_ simply (p-1)*(q-1). + * lambda(n) = lcm(p-1,q-1). The usual `textbook' condition, + * that d e == 1 (mod (p-1)(q-1)) is sufficient, but not + * actually necessary. */ mpz_mul(&tmp, &d, &e); mpz_sub_ui(&tmp2, &st->p, 1);