/src/dropbear/src/genrsa.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * Dropbear - a SSH2 server |
3 | | * |
4 | | * Copyright (c) 2002,2003 Matt Johnston |
5 | | * All rights reserved. |
6 | | * |
7 | | * Permission is hereby granted, free of charge, to any person obtaining a copy |
8 | | * of this software and associated documentation files (the "Software"), to deal |
9 | | * in the Software without restriction, including without limitation the rights |
10 | | * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell |
11 | | * copies of the Software, and to permit persons to whom the Software is |
12 | | * furnished to do so, subject to the following conditions: |
13 | | * |
14 | | * The above copyright notice and this permission notice shall be included in |
15 | | * all copies or substantial portions of the Software. |
16 | | * |
17 | | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR |
18 | | * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, |
19 | | * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE |
20 | | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER |
21 | | * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, |
22 | | * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE |
23 | | * SOFTWARE. */ |
24 | | |
25 | | #include "includes.h" |
26 | | #include "dbutil.h" |
27 | | #include "bignum.h" |
28 | | #include "dbrandom.h" |
29 | | #include "rsa.h" |
30 | | #include "genrsa.h" |
31 | | |
32 | 0 | #define RSA_E 65537 |
33 | | |
34 | | #if DROPBEAR_RSA |
35 | | |
36 | | static void getrsaprime(mp_int* prime, mp_int *primeminus, |
37 | | const mp_int* rsa_e, unsigned int size_bytes); |
38 | | |
39 | | /* mostly taken from libtomcrypt's rsa key generation routine */ |
40 | 0 | dropbear_rsa_key * gen_rsa_priv_key(unsigned int size) { |
41 | |
|
42 | 0 | dropbear_rsa_key * key; |
43 | 0 | DEF_MP_INT(pminus); |
44 | 0 | DEF_MP_INT(qminus); |
45 | 0 | DEF_MP_INT(lcm); |
46 | |
|
47 | 0 | if (size < 512 || size > 4096 || (size % 8 != 0)) { |
48 | 0 | dropbear_exit("Bits must satisfy 512 <= bits <= 4096, and be a" |
49 | 0 | " multiple of 8"); |
50 | 0 | } |
51 | | |
52 | 0 | key = m_malloc(sizeof(*key)); |
53 | 0 | m_mp_alloc_init_multi(&key->e, &key->n, &key->d, &key->p, &key->q, NULL); |
54 | 0 | m_mp_init_multi(&pminus, &lcm, &qminus, NULL); |
55 | |
|
56 | 0 | mp_set_ul(key->e, RSA_E); |
57 | |
|
58 | 0 | while (1) { |
59 | 0 | getrsaprime(key->p, &pminus, key->e, size/16); |
60 | 0 | getrsaprime(key->q, &qminus, key->e, size/16); |
61 | |
|
62 | 0 | if (mp_mul(key->p, key->q, key->n) != MP_OKAY) { |
63 | 0 | fprintf(stderr, "RSA generation failed\n"); |
64 | 0 | exit(1); |
65 | 0 | } |
66 | | |
67 | 0 | if ((unsigned int)mp_count_bits(key->n) == size) { |
68 | 0 | break; |
69 | 0 | } |
70 | 0 | } |
71 | | |
72 | | /* lcm(p-1, q-1) */ |
73 | 0 | if (mp_lcm(&pminus, &qminus, &lcm) != MP_OKAY) { |
74 | 0 | fprintf(stderr, "RSA generation failed\n"); |
75 | 0 | exit(1); |
76 | 0 | } |
77 | | |
78 | | /* de = 1 mod lcm(p-1,q-1) */ |
79 | | /* therefore d = (e^-1) mod lcm(p-1,q-1) */ |
80 | 0 | if (mp_invmod(key->e, &lcm, key->d) != MP_OKAY) { |
81 | 0 | fprintf(stderr, "RSA generation failed\n"); |
82 | 0 | exit(1); |
83 | 0 | } |
84 | | |
85 | 0 | mp_clear_multi(&pminus, &qminus, &lcm, NULL); |
86 | |
|
87 | 0 | return key; |
88 | 0 | } |
89 | | |
90 | | /* return a prime suitable for p or q */ |
91 | | static void getrsaprime(mp_int* prime, mp_int *primeminus, |
92 | 0 | const mp_int* rsa_e, unsigned int size_bytes) { |
93 | |
|
94 | 0 | unsigned char *buf; |
95 | 0 | int trials; |
96 | 0 | DEF_MP_INT(temp_gcd); |
97 | |
|
98 | 0 | buf = (unsigned char*)m_malloc(size_bytes); |
99 | |
|
100 | 0 | m_mp_init(&temp_gcd); |
101 | 0 | do { |
102 | | /* generate a random odd number with MSB set, then find the |
103 | | the next prime above it */ |
104 | 0 | genrandom(buf, size_bytes); |
105 | 0 | buf[0] |= 0x80; |
106 | |
|
107 | 0 | bytes_to_mp(prime, buf, size_bytes); |
108 | | |
109 | | /* find the next integer which is prime */ |
110 | 0 | trials = mp_prime_rabin_miller_trials(mp_count_bits(prime)); |
111 | 0 | if (mp_prime_next_prime(prime, trials, 0) != MP_OKAY) { |
112 | 0 | fprintf(stderr, "RSA generation failed\n"); |
113 | 0 | exit(1); |
114 | 0 | } |
115 | | |
116 | | /* subtract one to get p-1 */ |
117 | 0 | if (mp_sub_d(prime, 1, primeminus) != MP_OKAY) { |
118 | 0 | fprintf(stderr, "RSA generation failed\n"); |
119 | 0 | exit(1); |
120 | 0 | } |
121 | | /* check relative primality to e */ |
122 | 0 | if (mp_gcd(primeminus, rsa_e, &temp_gcd) != MP_OKAY) { |
123 | 0 | fprintf(stderr, "RSA generation failed\n"); |
124 | 0 | exit(1); |
125 | 0 | } |
126 | 0 | } while (mp_cmp_d(&temp_gcd, 1) != MP_EQ); /* while gcd(p-1, e) != 1 */ |
127 | | |
128 | | /* now we have a good value for result */ |
129 | 0 | mp_clear(&temp_gcd); |
130 | 0 | m_burn(buf, size_bytes); |
131 | 0 | m_free(buf); |
132 | 0 | } |
133 | | |
134 | | #endif /* DROPBEAR_RSA */ |