![[BACK]](/cvsweb/icons/back.gif){kind=icon}
Return to rsaglue2.c CVS log ![[TXT]](/cvsweb/icons/text.gif){kind=icon}
![[DIR]](/cvsweb/icons/dir.gif){kind=icon}
Up to [PGP] / pgp / src|
Return to rsaglue2.c CVS log | Up to [PGP] / pgp / src |
1.1 root 1: /*
2: * rsaglue2.c - These functions wrap and unwrap message digests (MDs) and
3: * data encryption keys (DEKs) in padding and RSA-encrypt them into
4: * multi-precision integers. This layer was introduced to allow the
5: * transparent use of RSAREF for the encryption (where required by
6: * patent law) or Philip Zimmermann's mpi library (where permitted, such
7: * as Canada).
8: *
9: * This file uses RSAREF to perform the actual encryption and decryption.
10: * It must be linked with the RSAREF 2.0 library (rsaref.a, rsaref.lib,
11: * or whatever it's called on your system) to function.
12: *
13: * This code only accepts PKCS-style padding. Sorry, folks, but the
14: * RSAREF routines won't do it any other way. This will cause some
15: * older messages and signatures trouble.
16: * See pgformat.doc for a detailed description of the formats.
17: *
18: * (c) Copyright 1990-1994 by Philip Zimmermann. All rights reserved.
19: * The author assumes no liability for damages resulting from the use
20: * of this software, even if the damage results from defects in this
21: * software. No warranty is expressed or implied.
22: *
23: * Note that while most PGP source modules bear Philip Zimmermann's
24: * copyright notice, many of them have been revised or entirely written
25: * by contributors who frequently failed to put their names in their
26: * code. Code that has been incorporated into PGP from other authors
27: * was either originally published in the public domain or is used with
28: * permission from the various authors.
29: *
30: * PGP is available for free to the public under certain restrictions.
31: * See the PGP User's Guide (included in the release package) for
32: * important information about licensing, patent restrictions on
33: * certain algorithms, trademarks, copyrights, and export controls.
34: */
35:
36: #include <string.h> /* for mem*() */
37: #include <assert.h>
38: #include "mpilib.h"
39: #include "mpiio.h"
40: #include "pgp.h"
41: #include "rsaglue.h"
42: #include "random.h" /* for cryptRandByte() */
43: #include "language.h" /* for _LANG() */
44:
45: char signon_legalese[] = _LANG("Distributed by the Massachusetts Institute of Technology. Uses RSAREF 2.0.\n");
46:
47: #include <global.h>
48: #include <rsaref.h>
49: #include <rsa.h>
50: /*
51: * The functions we call in rsa.h are:
52: *
53: * int RSAPublicEncrypt PROTO_LIST
54: * ((unsigned char *, unsigned int *, unsigned char *, unsigned int,
55: * R_RSA_PUBLIC_KEY *, R_RANDOM_STRUCT *));
56: * int RSAPrivateEncrypt PROTO_LIST
57: * ((unsigned char *, unsigned int *, unsigned char *, unsigned int,
58: * R_RSA_PRIVATE_KEY *));
59: * int RSAPublicDecrypt PROTO_LIST
60: * ((unsigned char *, unsigned int *, unsigned char *, unsigned int,
61: * R_RSA_PUBLIC_KEY *));
62: * int RSAPrivateDecrypt PROTO_LIST
63: * ((unsigned char *, unsigned int *, unsigned char *, unsigned int,
64: * R_RSA_PRIVATE_KEY *));
65: */
66:
67: /* Functions to convert to and from RSAREF's bignum formats */
68:
69: void
70: rsaref2reg (unitptr to, byte *from, int frombytes)
71: /* Convert an RSAREF-style MSB-first array of bytes to an mpi-style
72: * native-byte-order integer. (global_precision units long.)
73: */
74: {
75: int tobytes;
76:
77: tobytes = units2bytes (global_precision);
78: if (tobytes > frombytes) {
79: memset(to, 0, tobytes - frombytes);
80: memcpy((byte *)to + tobytes - frombytes, from, frombytes);
81: } else {
82: memcpy((byte *)to, from + frombytes - tobytes, tobytes);
83: }
84: #ifndef HIGHFIRST
85: hiloswap((byte *)to, tobytes);
86: #endif
87: } /* rsaref2reg */
88:
89: void
90: reg2rsaref (byte *to, int tobytes, unitptr from)
91: /* Convert the other way, mpi format to an array of bytes. */
92: {
93: int frombytes;
94:
95: frombytes = units2bytes(global_precision);
96:
97: #ifdef HIGHFIRST
98: if (tobytes > frombytes) {
99: memset(to, 0, tobytes-frombytes);
100: memcpy(to + tobytes - frombytes, (byte *)from, frombytes);
101: } else {
102: memcpy(to, (byte *)from + frombytes - tobytes, tobytes);
103: }
104: #else
105: if (tobytes > frombytes) {
106: memcpy(to, (byte *)from, frombytes);
107: memset(to + frombytes, 0, tobytes-frombytes);
108: } else {
109: memcpy(to, (byte *)from, tobytes);
110: }
111: hiloswap(to, tobytes);
112: #endif
113: } /* reg2rsaref */
114:
115: int
116: make_RSA_PUBLIC_KEY(R_RSA_PUBLIC_KEY *rpk, unitptr e, unitptr n)
117: /* Given mpi's e and n, fill in an R_RSA_PUBLIC_KEY structure.
118: * Returns -3 on error (key too big), 0 on success
119: */
120: {
121: rpk->bits = countbits(n);
122:
123: if (rpk->bits > MAX_RSA_MODULUS_BITS)
124: return -3;
125:
126: reg2rsaref(rpk->modulus, MAX_RSA_MODULUS_LEN, n);
127: reg2rsaref(rpk->exponent, MAX_RSA_MODULUS_LEN, e);
128: return 0;
129: } /* make_RSA_PUBLIC_KEY */
130:
131: /* Returns -1 on error, 0 on success */
132: int
133: make_RSA_PRIVATE_KEY(R_RSA_PRIVATE_KEY *rpk, unitptr e, unitptr d, unitptr p,
134: unitptr q, unitptr dp, unitptr dq, unitptr u, unitptr n)
135: /* Given a number of necessary mpi's, fill in an R_RSA_PRIVATE_KEY structure.
136: * Returns -3 on error (key too big), 0 on success
137: */
138: {
139: rpk->bits = countbits(n);
140:
141: if (rpk->bits > MAX_RSA_MODULUS_BITS ||
142: countbits(p) > MAX_RSA_PRIME_BITS ||
143: countbits(q) > MAX_RSA_PRIME_BITS)
144: return -3;
145:
146: reg2rsaref(rpk->modulus, MAX_RSA_MODULUS_LEN, n);
147: reg2rsaref(rpk->publicExponent, MAX_RSA_MODULUS_LEN, e);
148: reg2rsaref(rpk->exponent, MAX_RSA_MODULUS_LEN, d);
149: /* The larger prime (p) first */
150: reg2rsaref(rpk->prime[0], MAX_RSA_PRIME_LEN, q);
151: reg2rsaref(rpk->prime[1], MAX_RSA_PRIME_LEN, p);
152: /* d mod (p-1) and d mod (q-1) */
153: reg2rsaref(rpk->primeExponent[0], MAX_RSA_PRIME_LEN, dq);
154: reg2rsaref(rpk->primeExponent[1], MAX_RSA_PRIME_LEN, dp);
155: /* 1/q mod p */
156: reg2rsaref(rpk->coefficient, MAX_RSA_PRIME_LEN, u);
157: return 0;
158: } /* make_RSA_PRIVATE_KEY */
159:
160: /*
161: * These functions hide all the internal details of RSA-encrypted
162: * keys and digests.
163: */
164:
165: /* Abstract Syntax Notation One (ASN.1) Distinguished Encoding Rules (DER)
166: encoding for RSA/MD5, used in PKCS-format signatures. */
167: static byte asn_array[] = { /* PKCS 01 block type 01 data */
168: 0x30,0x20,0x30,0x0c,0x06,0x08,0x2a,0x86,0x48,0x86,0xf7,0x0d,
169: 0x02,0x05,0x05,0x00,0x04,0x10 };
170: /* This many bytes from the end, there's a zero byte */
171: #define ASN_ZERO_END 3
172:
173: int
174: rsa_public_encrypt(unitptr outbuf, byteptr inbuf, short bytes,
175: unitptr E, unitptr N)
176: /* Encrypt a DEK with a public key. Returns 0 on success.
177: * <0 means there was an error.
178: * -1: Generic error
179: * -3: Key too big
180: * -4: Key too small
181: */
182: {
183: unit temp[MAX_UNIT_PRECISION];
184: unsigned int blocksize;
185: int i; /* Temporary, and holds error codes */
186: R_RSA_PUBLIC_KEY PubKey;
187: R_RANDOM_STRUCT Random;
188:
189: /* Fill in the R_RSA_PUBLIC_KEY structure as needed later. */
190: i = make_RSA_PUBLIC_KEY(&PubKey, E, N);
191: if (i < 0)
192: return i;
193:
194: /* The RSAREF routines have their own random number generator
195: * to generate random padding. The following code seeds it
196: * from PGP's random number generator.
197: */
198: R_RandomInit(&Random);
199: for (;;) {
200: /* Bytes needed is an unsigned int */
201: R_GetRandomBytesNeeded(&blocksize, &Random);
202: if (!blocksize)
203: break;
204: if (blocksize > sizeof(temp))
205: blocksize = sizeof(temp);
206: for (i = 0; i < blocksize; i++)
207: ((byte *)temp)[i] = cryptRandByte();
208: R_RandomUpdate(&Random, (byte *)temp, blocksize);
209:
210: }
211: /* Pad and encrypt */
212: i = RSAPublicEncrypt((byte *)temp, &blocksize,
213: inbuf, bytes, &PubKey, &Random);
214: R_RandomFinal(&Random); /* Clean up RSAREF's RNG */
215: burn(Random); /* Just to be sure */
216:
217: if (i)
218: i = (i == RE_LEN) ? -4 : -1;
219:
220: rsaref2reg(outbuf, (byte *)temp, blocksize);
221:
222: Cleanup:
223: mp_burn(temp);
224: burn(PubKey);
225: return i < 0 ? i : 0;
226: } /* rsa_public_encrypt */
227:
228: int
229: rsa_private_encrypt(unitptr outbuf, byteptr inbuf, short bytes,
230: unitptr E, unitptr D, unitptr P, unitptr Q, unitptr U, unitptr N)
231: /* Encrypt a message digest with a private key.
232: * Returns <0 on error:
233: * -1: generic error
234: * -3: Key too big
235: * -4: Key too small
236: */
237: {
238: unit temp[MAX_UNIT_PRECISION];
239: unit DP[MAX_UNIT_PRECISION], DQ[MAX_UNIT_PRECISION];
240: R_RSA_PRIVATE_KEY PrivKey;
241: byte *p;
242: int i;
243: unsigned int blocksize;
244:
245: /* PGP doesn't store these coefficents, so we need to compute them. */
246: mp_move(temp,P);
247: mp_dec(temp);
248: mp_mod(DP,D,temp);
249: mp_move(temp,Q);
250: mp_dec(temp);
251: mp_mod(DQ,D,temp);
252:
253: p = (byte *)temp;
254:
255: i = make_RSA_PRIVATE_KEY(&PrivKey, E, D, P, Q, DP, DQ, U, N);
256: if (i < 0)
257: goto Cleanup;
258: memcpy(p, asn_array, sizeof(asn_array)); /* ASN data */
259: p += sizeof(asn_array);
260: memcpy(p, inbuf, bytes); /* User data */
261: /* Pad and encrypt */
262: i = RSAPrivateEncrypt((byte *)temp, &blocksize,
263: (byte *)temp, bytes+sizeof(asn_array), &PrivKey);
264: burn(PrivKey);
265: if (i)
266: i = (i == RE_LEN) ? -4 : -1;
267:
268: rsaref2reg(outbuf, (byte *)temp, blocksize);
269:
270: Cleanup:
271: burn(temp);
272:
273: return i;
274: } /* rsa_private_encrypt */
275:
276: /* Remove a signature packet from an MPI */
277: /* Thus, we expect constant padding and the MIC ASN sequence */
278: int
279: rsa_public_decrypt(byteptr outbuf, unitptr inbuf,
280: unitptr E, unitptr N)
281: /* Decrypt a message digest using a public key. Returns the number of bytes
282: * extracted, or <0 on error.
283: * -1: Corrupted packet.
284: * -3: Key too big
285: * -4: Key too small
286: * -5: Maybe malformed RSA packet
287: * -7: Unknown conventional algorithm
288: * -9: Malformed RSA packet
289: */
290: {
291: R_RSA_PUBLIC_KEY PubKey;
292: unit temp[MAX_UNIT_PRECISION];
293: unsigned int blocksize;
294: int i;
295: byte *front, *back;
296:
297: i = make_RSA_PUBLIC_KEY(&PubKey, E, N);
298: if (i < 0)
299: return i;
300: blocksize = countbytes(inbuf);
301: reg2rsaref((byte *)temp, blocksize, inbuf);
302:
303: i = RSAPublicDecrypt((byte *)temp, &blocksize,
304: (byte *)temp, blocksize, &PubKey);
305: burn(PubKey);
306: if (i) {
307: mp_burn(temp);
308: if (i == RE_LEN)
309: return -4;
310: if (i == RE_DATA)
311: return -5;
312: return -1;
313: }
314: front = (byte *)temp;
315: back = front+blocksize;
316:
317: if (memcmp(front, asn_array, sizeof(asn_array))) {
318: mp_burn(temp);
319: return -7;
320: }
321: front += sizeof(asn_array);
322:
323: /* We're done - copy user data to outbuf */
324: if (back < front)
325: goto ErrorReturn;
326: blocksize = back-front;
327: memcpy(outbuf, front, blocksize);
328: mp_burn(temp);
329: return blocksize;
330: ErrorReturn:
331: mp_burn(temp);
332: return -9;
333: } /* rsa_public_decrypt */
334:
335: /* We expect to find random padding and an encryption key */
336: int
337: rsa_private_decrypt(byteptr outbuf, unitptr inbuf,
338: unitptr E, unitptr D, unitptr P, unitptr Q, unitptr U, unitptr N)
339: /* Decrypt an encryption key using a private key. Returns the number of bytes
340: * extracted, or <0 on error.
341: * -1: Generic error
342: * -3: Key too big
343: * -4: Key too small
344: * -5: Maybe malformed RSA
345: * -7: Unknown conventional algorithm
346: * -9: Malformed RSA packet
347: */
348: {
349: R_RSA_PRIVATE_KEY PrivKey;
350: byte *front;
351: unsigned int blocksize;
352: unit temp[MAX_UNIT_PRECISION];
353: unit DP[MAX_UNIT_PRECISION], DQ[MAX_UNIT_PRECISION];
354: int i;
355:
356: /* PGP doesn't store (d mod p-1) and (d mod q-1), so compute 'em */
357: mp_move(temp,P);
358: mp_dec(temp);
359: mp_mod(DP,D,temp);
360: mp_move(temp,Q);
361: mp_dec(temp);
362: mp_mod(DQ,D,temp);
363:
364: i = make_RSA_PRIVATE_KEY(&PrivKey, E, D, P, Q, DP, DQ, U, N);
365: mp_burn(DP);
366: mp_burn(DQ);
367: mp_burn(temp);
368:
369: if (i < 0)
370: return i;
371:
372: blocksize = countbytes(inbuf);
373: reg2rsaref((byte *)temp, blocksize, inbuf);
374: i = RSAPrivateDecrypt((byte *)temp, &blocksize,
375: (byte *)temp, blocksize, &PrivKey);
376: burn(PrivKey);
377: if (i) {
378: if (i == RE_LEN)
379: return -4;
380: if (i == RE_DATA)
381: return -5;
382: return -1;
383: }
384: front = (byte *)temp; /* Start of block */
385:
386: memcpy(outbuf, front, blocksize);
387: mp_burn(temp);
388: return blocksize;
389:
390: Corrupted:
391: mp_burn(temp);
392: return -9;
393: } /* rsa_private_decrypt */
394:
395: /*
396: * Stub to replace RSAREF's NN_ModExp with a call to the mpilib's
397: * faster mp_modexp. (A bit over 3x faster on an IBM PC.)
398: * It's too bad that RSAREF's NN routines are pretty clean, while the
399: * mpilib is attractive only to the sort of people who like dead baby
400: * jokes. But the mpilib is pretty fast, especially on 16-bit machines,
401: * so this Bride of Frankenstein creation has reason for existence.
402: *
403: * If you comment out the following block of code, you get a (much slower)
404: * pure RSAREF version.
405: */
406: #ifdef USEMPILIB
407:
408: /*
409: * The mpilib keeps numbers in native byte order, in arrays global_precision
410: * "units" long. RSAREF keeps numbers in little-endian arrays of 32-bit
411: * "digits".
412: */
413: static void
414: nn2mpi(unit *mpi, word32 *nn, unsigned nndigits)
415: {
416: /* nndigits must be <= global_precision */
417: unsigned i;
418: word32 *p;
419:
420: assert((units2bytes(global_precision) & 3) == 0);
421: i = units2bytes(global_precision) >> 2;
422: if (nndigits > i)
423: nndigits = i;
424: i -= nndigits;
425:
426: #ifdef HIGHFIRST
427: p = (word32 *)(mpi+global_precision);
428: while (nndigits--)
429: *--p = *nn++;
430: while (i--)
431: *--p = 0;
432: #else
433: p = (word32 *)mpi;
434: while (nndigits--)
435: *p++ = *nn++;
436: while (i--)
437: *p++ = 0;
438: #endif
439: }
440:
441: static void
442: mpi2nn(word32 *nn, unsigned nndigits, unit *mpi)
443: {
444: /* nndigits must be >= global_precision */
445: unsigned i;
446: word32 *p;
447:
448: assert((units2bytes(global_precision) & 3) == 0);
449: i = units2bytes(global_precision) >> 2;
450: if (i > nndigits)
451: i = nndigits;
452: nndigits -= i;
453:
454: #ifdef HIGHFIRST
455: p = (word32 *)(mpi+global_precision);
456: while (i--)
457: *nn++ = *--p;
458: #else
459: p = (word32 *)mpi;
460: while (i--)
461: *nn++ = *p++;
462: #endif
463: while (nndigits--)
464: *nn++ = 0;
465: }
466:
467: void
468: NN_ModExp(word32 *result, word32 *base, word32 *exponent, unsigned expdigits,
469: word32 *modulus, unsigned moddigits)
470: {
471: unit a[MAX_UNIT_PRECISION], b[MAX_UNIT_PRECISION];
472: unit c[MAX_UNIT_PRECISION], d[MAX_UNIT_PRECISION];
473: int i;
474: unsigned oldprecision;
475:
476: oldprecision = global_precision;
477: set_precision(MAX_UNIT_PRECISION);
478:
479: nn2mpi(b, base, moddigits);
480: nn2mpi(c, exponent, expdigits);
481: nn2mpi(d, modulus, moddigits);
482:
483: i = mp_modexp(a, b, c, d);
484: assert(i == 0);
485: mpi2nn(result, moddigits, a);
486: set_precision(oldprecision);
487: }
488:
489: #endif
This archive runs on limited infrastructure. Preserving old code on modern bandwidth. Automated agents are requested to crawl responsibly.