Coverage Report

Created: 2023-03-26 07:33

/src/nettle/rsa-keygen.c
Line
Count
Source (jump to first uncovered line)
1
/* rsa-keygen.c
2
3
   Generation of RSA keypairs
4
5
   Copyright (C) 2002 Niels Möller
6
7
   This file is part of GNU Nettle.
8
9
   GNU Nettle is free software: you can redistribute it and/or
10
   modify it under the terms of either:
11
12
     * the GNU Lesser General Public License as published by the Free
13
       Software Foundation; either version 3 of the License, or (at your
14
       option) any later version.
15
16
   or
17
18
     * the GNU General Public License as published by the Free
19
       Software Foundation; either version 2 of the License, or (at your
20
       option) any later version.
21
22
   or both in parallel, as here.
23
24
   GNU Nettle is distributed in the hope that it will be useful,
25
   but WITHOUT ANY WARRANTY; without even the implied warranty of
26
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
27
   General Public License for more details.
28
29
   You should have received copies of the GNU General Public License and
30
   the GNU Lesser General Public License along with this program.  If
31
   not, see http://www.gnu.org/licenses/.
32
*/
33
34
#if HAVE_CONFIG_H
35
# include "config.h"
36
#endif
37
38
#include <assert.h>
39
#include <stdlib.h>
40
41
#include "rsa.h"
42
#include "rsa-internal.h"
43
#include "bignum.h"
44
45
#ifndef DEBUG
46
# define DEBUG 0
47
#endif
48
49
#if DEBUG
50
# include <stdio.h>
51
#endif
52
53
54
int
55
rsa_generate_keypair(struct rsa_public_key *pub,
56
         struct rsa_private_key *key,
57
         void *random_ctx, nettle_random_func *random,
58
         void *progress_ctx, nettle_progress_func *progress,
59
         unsigned n_size,
60
         unsigned e_size)
61
0
{
62
0
  mpz_t p1;
63
0
  mpz_t q1;
64
0
  mpz_t phi;
65
0
  mpz_t tmp;
66
67
0
  if (e_size)
68
0
    {
69
      /* We should choose e randomly. Is the size reasonable? */
70
0
      if ((e_size < 16) || (e_size >= n_size) )
71
0
  return 0;
72
0
    }
73
0
  else
74
0
    {
75
      /* We have a fixed e. Check that it makes sense */
76
77
      /* It must be odd */
78
0
      if (!mpz_tstbit(pub->e, 0))
79
0
  return 0;
80
81
      /* And 3 or larger */
82
0
      if (mpz_cmp_ui(pub->e, 3) < 0)
83
0
  return 0;
84
85
      /* And size less than n */
86
0
      if (mpz_sizeinbase(pub->e, 2) >= n_size)
87
0
  return 0;
88
0
    }
89
90
0
  if (n_size < RSA_MINIMUM_N_BITS)
91
0
    return 0;
92
  
93
0
  mpz_init(p1); mpz_init(q1); mpz_init(phi); mpz_init(tmp);
94
95
  /* Generate primes */
96
0
  for (;;)
97
0
    {
98
      /* Generate p, such that gcd(p-1, e) = 1 */
99
0
      for (;;)
100
0
  {
101
0
    nettle_random_prime(key->p, (n_size+1)/2, 1,
102
0
            random_ctx, random,
103
0
            progress_ctx, progress);
104
105
0
    mpz_sub_ui(p1, key->p, 1);
106
      
107
    /* If e was given, we must choose p such that p-1 has no factors in
108
     * common with e. */
109
0
    if (e_size)
110
0
      break;
111
    
112
0
    mpz_gcd(tmp, pub->e, p1);
113
114
0
    if (mpz_cmp_ui(tmp, 1) == 0)
115
0
      break;
116
0
    else if (progress) progress(progress_ctx, 'c');
117
0
  } 
118
119
0
      if (progress)
120
0
  progress(progress_ctx, '\n');
121
      
122
      /* Generate q, such that gcd(q-1, e) = 1 */
123
0
      for (;;)
124
0
  {
125
0
    nettle_random_prime(key->q, n_size/2, 1,
126
0
            random_ctx, random,
127
0
            progress_ctx, progress);
128
129
0
    mpz_sub_ui(q1, key->q, 1);
130
      
131
    /* If e was given, we must choose q such that q-1 has no factors in
132
     * common with e. */
133
0
    if (e_size)
134
0
      break;
135
    
136
0
    mpz_gcd(tmp, pub->e, q1);
137
138
0
    if (mpz_cmp_ui(tmp, 1) == 0)
139
0
      break;
140
0
    else if (progress) progress(progress_ctx, 'c');
141
0
  }
142
143
      /* Now we have the primes. Is the product of the right size? */
144
0
      mpz_mul(pub->n, key->p, key->q);
145
146
0
      assert (mpz_sizeinbase(pub->n, 2) == n_size);
147
148
0
      if (progress)
149
0
  progress(progress_ctx, '\n');
150
151
      /* c = q^{-1} (mod p) */
152
0
      if (mpz_invert(key->c, key->q, key->p))
153
  /* This should succeed everytime. But if it doesn't,
154
   * we try again. */
155
0
  break;
156
0
      else if (progress) progress(progress_ctx, '?');
157
0
    }
158
159
0
  mpz_mul(phi, p1, q1);
160
  
161
  /* If we didn't have a given e, generate one now. */
162
0
  if (e_size)
163
0
    {
164
0
      int retried = 0;
165
0
      for (;;)
166
0
  {
167
0
    nettle_mpz_random_size(pub->e,
168
0
         random_ctx, random,
169
0
         e_size);
170
  
171
    /* Make sure it's odd and that the most significant bit is
172
     * set */
173
0
    mpz_setbit(pub->e, 0);
174
0
    mpz_setbit(pub->e, e_size - 1);
175
176
    /* Needs gmp-3, or inverse might be negative. */
177
0
    if (mpz_invert(key->d, pub->e, phi))
178
0
      break;
179
180
0
    if (progress) progress(progress_ctx, 'e');
181
0
    retried = 1;
182
0
  }
183
0
      if (retried && progress)
184
0
  progress(progress_ctx, '\n'); 
185
0
    }
186
0
  else
187
0
    {
188
      /* Must always succeed, as we already that e
189
       * doesn't have any common factor with p-1 or q-1. */
190
0
      int res = mpz_invert(key->d, pub->e, phi);
191
0
      assert(res);
192
0
    }
193
194
  /* Done! Almost, we must compute the auxillary private values. */
195
  /* a = d % (p-1) */
196
0
  mpz_fdiv_r(key->a, key->d, p1);
197
198
  /* b = d % (q-1) */
199
0
  mpz_fdiv_r(key->b, key->d, q1);
200
201
  /* c was computed earlier */
202
203
0
  pub->size = key->size = (n_size + 7) / 8;
204
0
  assert(pub->size >= RSA_MINIMUM_N_OCTETS);
205
  
206
0
  mpz_clear(p1); mpz_clear(q1); mpz_clear(phi); mpz_clear(tmp);
207
208
0
  return 1;
209
0
}