RSA: refactor: avoid code duplication
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
@@ -1047,7 +1047,7 @@ int mbedtls_rsa_gen_key(mbedtls_rsa_context *ctx,
|
|||||||
unsigned int nbits, int exponent)
|
unsigned int nbits, int exponent)
|
||||||
{
|
{
|
||||||
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||||
mbedtls_mpi H, G, L;
|
mbedtls_mpi H;
|
||||||
int prime_quality = 0;
|
int prime_quality = 0;
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@@ -1060,8 +1060,6 @@ int mbedtls_rsa_gen_key(mbedtls_rsa_context *ctx,
|
|||||||
}
|
}
|
||||||
|
|
||||||
mbedtls_mpi_init(&H);
|
mbedtls_mpi_init(&H);
|
||||||
mbedtls_mpi_init(&G);
|
|
||||||
mbedtls_mpi_init(&L);
|
|
||||||
|
|
||||||
if (exponent < 3 || nbits % 2 != 0) {
|
if (exponent < 3 || nbits % 2 != 0) {
|
||||||
ret = MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
|
ret = MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
|
||||||
@@ -1099,35 +1097,28 @@ int mbedtls_rsa_gen_key(mbedtls_rsa_context *ctx,
|
|||||||
mbedtls_mpi_swap(&ctx->P, &ctx->Q);
|
mbedtls_mpi_swap(&ctx->P, &ctx->Q);
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Temporarily replace P,Q by P-1, Q-1 */
|
/* Compute D = E^-1 mod LCM(P-1, Q-1) (FIPS 186-4 §B.3.1 criterion 3(b))
|
||||||
MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&ctx->P, &ctx->P, 1));
|
* if it exists (FIPS 186-4 §B.3.1 criterion 2(a)) */
|
||||||
MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&ctx->Q, &ctx->Q, 1));
|
ret = mbedtls_rsa_deduce_private_exponent(&ctx->P, &ctx->Q, &ctx->E, &ctx->D);
|
||||||
MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&H, &ctx->P, &ctx->Q));
|
if (ret == MBEDTLS_ERR_MPI_NOT_ACCEPTABLE) {
|
||||||
|
mbedtls_mpi_lset(&ctx->D, 0); /* needed for the next call */
|
||||||
/* check GCD( E, (P-1)*(Q-1) ) == 1 (FIPS 186-4 §B.3.1 criterion 2(a)) */
|
|
||||||
MBEDTLS_MPI_CHK(mbedtls_mpi_gcd(&G, &ctx->E, &H));
|
|
||||||
if (mbedtls_mpi_cmp_int(&G, 1) != 0) {
|
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
|
if (ret != 0) {
|
||||||
|
goto cleanup;
|
||||||
|
}
|
||||||
|
|
||||||
/* compute smallest possible D = E^-1 mod LCM(P-1, Q-1) (FIPS 186-4 §B.3.1 criterion 3(b)) */
|
/* (FIPS 186-4 §B.3.1 criterion 3(a)) */
|
||||||
MBEDTLS_MPI_CHK(mbedtls_mpi_gcd(&G, &ctx->P, &ctx->Q));
|
if (mbedtls_mpi_bitlen(&ctx->D) <= ((nbits + 1) / 2)) {
|
||||||
MBEDTLS_MPI_CHK(mbedtls_mpi_div_mpi(&L, NULL, &H, &G));
|
|
||||||
MBEDTLS_MPI_CHK(mbedtls_mpi_inv_mod(&ctx->D, &ctx->E, &L));
|
|
||||||
|
|
||||||
if (mbedtls_mpi_bitlen(&ctx->D) <= ((nbits + 1) / 2)) { // (FIPS 186-4 §B.3.1 criterion 3(a))
|
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
|
|
||||||
break;
|
break;
|
||||||
} while (1);
|
} while (1);
|
||||||
|
|
||||||
/* Restore P,Q */
|
|
||||||
MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(&ctx->P, &ctx->P, 1));
|
|
||||||
MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(&ctx->Q, &ctx->Q, 1));
|
|
||||||
|
|
||||||
|
/* N = P * Q */
|
||||||
MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->N, &ctx->P, &ctx->Q));
|
MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->N, &ctx->P, &ctx->Q));
|
||||||
|
|
||||||
ctx->len = mbedtls_mpi_size(&ctx->N);
|
ctx->len = mbedtls_mpi_size(&ctx->N);
|
||||||
|
|
||||||
#if !defined(MBEDTLS_RSA_NO_CRT)
|
#if !defined(MBEDTLS_RSA_NO_CRT)
|
||||||
@@ -1146,8 +1137,6 @@ int mbedtls_rsa_gen_key(mbedtls_rsa_context *ctx,
|
|||||||
cleanup:
|
cleanup:
|
||||||
|
|
||||||
mbedtls_mpi_free(&H);
|
mbedtls_mpi_free(&H);
|
||||||
mbedtls_mpi_free(&G);
|
|
||||||
mbedtls_mpi_free(&L);
|
|
||||||
|
|
||||||
if (ret != 0) {
|
if (ret != 0) {
|
||||||
mbedtls_rsa_free(ctx);
|
mbedtls_rsa_free(ctx);
|
||||||
|
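Review bot: The criterion 3(a) retry path in the new loop body (`if (mbedtls_mpi_bitlen(&ctx->D) <= ((nbits + 1) / 2)) { continue; }`) leaves ctx->D holding the just-computed inverse, whereas the criterion 2(a) retry path resets it with `mbedtls_mpi_lset(&ctx->D, 0); /* needed for the next call */`. If mbedtls_rsa_deduce_private_exponent really requires D to be zero on entry, as that comment suggests, the iteration following a 3(a) rejection would get a bad-input error and abort key generation instead of retrying — a rare, RNG-dependent failure that unit tests are unlikely to hit. I would reset D on both retry paths and not discard the return value: `MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&ctx->D, 0));` immediately before each `continue;`. The enclosing mbedtls_rsa_gen_key body starts and ends outside this hunk.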
@@ -212,7 +212,10 @@ int mbedtls_rsa_deduce_private_exponent(mbedtls_mpi const *P,
|
|||||||
MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&K, &K, &L));
|
MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&K, &K, &L));
|
||||||
MBEDTLS_MPI_CHK(mbedtls_mpi_div_mpi(&K, NULL, &K, D));
|
MBEDTLS_MPI_CHK(mbedtls_mpi_div_mpi(&K, NULL, &K, D));
|
||||||
|
|
||||||
/* Compute modular inverse of E in LCM(P-1, Q-1) */
|
/* Compute modular inverse of E mod LCM(P-1, Q-1)
|
||||||
|
* This is FIPS 186-4 §B.3.1 criterion 3(b).
|
||||||
|
* This will return MBEDTLS_ERR_MPI_NOT_ACCEPTABLE if E is not coprime to
|
||||||
|
* (P-1)(Q-1), also validating FIPS 186-4 §B.3.1 criterion 2(a). */
|
||||||
MBEDTLS_MPI_CHK(mbedtls_mpi_inv_mod(D, E, &K));
|
MBEDTLS_MPI_CHK(mbedtls_mpi_inv_mod(D, E, &K));
|
||||||
|
|
||||||
cleanup:
|
cleanup:
|
||||||
|
@@ -89,12 +89,15 @@ int mbedtls_rsa_deduce_primes(mbedtls_mpi const *N, mbedtls_mpi const *E,
|
|||||||
* \param P First prime factor of RSA modulus
|
* \param P First prime factor of RSA modulus
|
||||||
* \param Q Second prime factor of RSA modulus
|
* \param Q Second prime factor of RSA modulus
|
||||||
* \param E RSA public exponent
|
* \param E RSA public exponent
|
||||||
* \param D Pointer to MPI holding the private exponent on success.
|
* \param D Pointer to MPI holding the private exponent on success,
|
||||||
|
* ie the modular inverse of E modulo LCM(P-1,Q-1).
|
||||||
*
|
*
|
||||||
* \return
|
* \return \c 0 if successful.
|
||||||
* - 0 if successful. In this case, D is set to a simultaneous
|
* \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
|
||||||
* modular inverse of E modulo both P-1 and Q-1.
|
* \return #MBEDTLS_ERR_MPI_NOT_ACCEPTABLE if E is not coprime to P-1
|
||||||
* - A non-zero error code otherwise.
|
* and Q-1, that is, if GCD( E, (P-1)*(Q-1) ) != 1.
|
||||||
|
* \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if inputs are otherwise
|
||||||
|
* invalid.
|
||||||
*
|
*
|
||||||
* \note This function does not check whether P and Q are primes.
|
* \note This function does not check whether P and Q are primes.
|
||||||
*
|
*
|
||||||
|