See ChangeLog: Wed Sep 13 18:12:34 CEST 2000 Werner Koch

2024-11-04 20:38:50 +01:00 · 2000-09-13 16:11:24 +00:00 · 2000-09-13 16:11:24 +00:00 · 8f6b40ff1c
commit 8f6b40ff1c
parent 3c3ad064b6
6 changed files with 122 additions and 9 deletions
--- a/cipher/ChangeLog
+++ b/cipher/ChangeLog
@ -1,3 +1,9 @@
+Wed Sep 13 18:12:34 CEST 2000  Werner Koch  <wk@openit.de>
+
+        * rsa.c (secret): Speed up by using the CRT.  For a 2k keys this
+        is about 3 times faster.
+        (stronger_key_check): New but unused code to check the secret key.
+
 Wed Sep  6 17:55:47 CEST 2000  Werner Koch  <wk@openit.de>

        * rsa.c: Changed the comment about the patent.
--- a/cipher/rsa.c
+++ b/cipher/rsa.c
@ -98,7 +98,7 @@ generate( RSA_secret_key *sk, unsigned nbits )
    MPI t1, t2;
    MPI n;    /* the public key */
    MPI e;    /* the exponent */
-    MPI phi;  /* helper: (p-a)(q-1) */
+    MPI phi;  /* helper: (p-1)(q-1) */
    MPI g;
    MPI f;

@ -201,19 +201,106 @@ public(MPI output, MPI input, RSA_public_key *pkey )
 	mpi_powm( output, input, pkey->e, pkey->n );
 }

+#if 0
+static void
+stronger_key_check ( RSA_secret_key *skey )
+{
+    MPI t = mpi_alloc_secure ( 0 );
+    MPI t1 = mpi_alloc_secure ( 0 );
+    MPI t2 = mpi_alloc_secure ( 0 );
+    MPI phi = mpi_alloc_secure ( 0 );
+
+    /* check that n == p * q */
+    mpi_mul( t, skey->p, skey->q);
+    if (mpi_cmp( t, skey->n) )
+        log_info ( "RSA Oops: n != p * q\n" );
+
+    /* check that p is less than q */
+    if( mpi_cmp( skey->p, skey->q ) > 0 )
+	log_info ("RSA Oops: p >= q\n");
+
+
+    /* check that e divides neither p-1 nor q-1 */
+    mpi_sub_ui(t, skey->p, 1 );
+    mpi_fdiv_r(t, t, skey->e );
+    if ( !mpi_cmp_ui( t, 0) )
+        log_info ( "RSA Oops: e divides p-1\n" );
+    mpi_sub_ui(t, skey->q, 1 );
+    mpi_fdiv_r(t, t, skey->e );
+    if ( !mpi_cmp_ui( t, 0) )
+        log_info ( "RSA Oops: e divides q-1\n" );
+
+    /* check that d is correct */
+    mpi_sub_ui( t1, skey->p, 1 );
+    mpi_sub_ui( t2, skey->q, 1 );
+    mpi_mul( phi, t1, t2 );
+    mpi_gcd(t, t1, t2);
+    mpi_fdiv_q(t, phi, t);
+    mpi_invm(t, skey->e, t );
+    if ( mpi_cmp(t, skey->d ) )
+        log_info ( "RSA Oops: d is wrong\n");
+
+    /* check for crrectness of u */
+    mpi_invm(t, skey->p, skey->q );
+    if ( mpi_cmp(t, skey->u ) )
+        log_info ( "RSA Oops: u is wrong\n");
+   
+    log_info ( "RSA secret key check finished\n");
+
+    mpi_free (t);
+    mpi_free (t1);
+    mpi_free (t2);
+    mpi_free (phi);
+}
+#endif
+
+
 /****************
 * Secret key operation. Encrypt INPUT with SKEY and put result into OUTPUT.
 *
 *	m = c^d mod n
 *
- * Where m is OUTPUT, c is INPUT and d,n are elements of PKEY.
+ * Or faster:
 *
- * FIXME: We should better use the Chinese Remainder Theorem
+ *      m1 = c ^ (d mod (p-1)) mod p 
+ *      m2 = c ^ (d mod (q-1)) mod q 
+ *      h = u * (m2 - m1) mod q 
+ *      m = m1 + h * p
+ *
+ * Where m is OUTPUT, c is INPUT and d,n,p,q,u are elements of SKEY.
 */
 static void
 secret(MPI output, MPI input, RSA_secret_key *skey )
 {
+  #if 0
    mpi_powm( output, input, skey->d, skey->n );
+  #else
+    MPI m1   = mpi_alloc_secure( mpi_get_nlimbs(skey->n)+1 );
+    MPI m2   = mpi_alloc_secure( mpi_get_nlimbs(skey->n)+1 );
+    MPI h    = mpi_alloc_secure( mpi_get_nlimbs(skey->n)+1 );
+
+    /* m1 = c ^ (d mod (p-1)) mod p */
+    mpi_sub_ui( h, skey->p, 1  );
+    mpi_fdiv_r( h, skey->d, h );   
+    mpi_powm( m1, input, h, skey->p );
+    /* m2 = c ^ (d mod (q-1)) mod q */
+    mpi_sub_ui( h, skey->q, 1  );
+    mpi_fdiv_r( h, skey->d, h );
+    mpi_powm( m2, input, h, skey->q );
+    /* h = u * ( m2 - m1 ) mod q */
+    mpi_sub( h, m2, m1 );
+    if ( mpi_is_neg( h ) ) 
+        mpi_add ( h, h, skey->q );
+    mpi_mulm( h, skey->u, h, skey->q ); 
+    /* m = m2 + h * p */
+    mpi_mul ( h, h, skey->p );
+    mpi_add ( output, m1, h );
+    /* ready */
+    
+    mpi_free ( h );
+    mpi_free ( m1 );
+    mpi_free ( m2 );
+  #endif
 }


--- a/g10/ChangeLog
+++ b/g10/ChangeLog
@ -1,3 +1,10 @@
+Wed Sep 13 18:12:34 CEST 2000  Werner Koch  <wk@openit.de>
+
+        * keyedit.c (keyedit_menu): Allow to use "debug" on the secret key.
+
+        * ringedit.c (cmp_seckey): Fix for v4 RSA keys.
+        * seckey-cert.c (do_check): Workaround for PGP 7 bug.
+
 Wed Sep  6 17:55:47 CEST 2000  Werner Koch  <wk@openit.de>

        * misc.c (print_pubkey_algo_note): Do not print the RSA notice.
--- a/g10/keyedit.c
+++ b/g10/keyedit.c
@ -592,7 +592,7 @@ keyedit_menu( const char *username, STRLIST locusr, STRLIST commands,
 	{ N_("sign")    , cmdSIGN      , 0,1,1, N_("sign the key") },
 	{ N_("s")       , cmdSIGN      , 0,1,1, NULL },
 	{ N_("lsign")   , cmdLSIGN     , 0,1,1, N_("sign the key locally") },
-	{ N_("debug")   , cmdDEBUG     , 0,1,0, NULL },
+	{ N_("debug")   , cmdDEBUG     , 0,0,0, NULL },
 	{ N_("adduid")  , cmdADDUID    , 1,1,0, N_("add a user ID") },
 	{ N_("deluid")  , cmdDELUID    , 0,1,0, N_("delete user ID") },
 	{ N_("addkey")  , cmdADDKEY    , 1,1,0, N_("add a secondary key") },
--- a/g10/ringedit.c
+++ b/g10/ringedit.c
@ -1070,7 +1070,13 @@ cmp_seckey( PKT_secret_key *req_sk, PKT_secret_key *sk )

    n = pubkey_get_nskey( req_sk->pubkey_algo );
    for(i=0; i < n; i++ ) {
-	if( mpi_cmp( req_sk->skey[i], sk->skey[i] ) )
+        /* Note: becuase v4 protected keys have nothing in the
+         * mpis except for the first one, we skip all NULL MPIs.
+         * This might not be always correct in cases where the both
+         * keys do not match in their secret parts but we can ignore that
+         * because the need for this function is quite ugly. */
+	if( req_sk->skey[1] && sk->skey[i]
+             && mpi_cmp( req_sk->skey[i], sk->skey[i] ) )
 	    return -1;
    }
    return 0;
--- a/g10/seckey-cert.c
+++ b/g10/seckey-cert.c
@ -80,10 +80,13 @@ do_check( PKT_secret_key *sk )
 	if( sk->version >= 4 ) {
 	    int ndata;
 	    byte *p, *data;
+            u16 csumc = 0;

 	    i = pubkey_get_npkey(sk->pubkey_algo);
 	    assert( mpi_is_opaque( sk->skey[i] ) );
 	    p = mpi_get_opaque( sk->skey[i], &ndata );
+            if ( ndata > 1 )
+                csumc = p[ndata-2] << 8 | p[ndata-1];
 	    data = m_alloc_secure( ndata );
 	    cipher_decrypt( cipher_hd, data, p, ndata );
 	    mpi_free( sk->skey[i] ); sk->skey[i] = NULL ;
@ -96,9 +99,14 @@ do_check( PKT_secret_key *sk )
 	    else {
 		csum = checksum( data, ndata-2);
 		sk->csum = data[ndata-2] << 8 | data[ndata-1];
+                if ( sk->csum != csum ) {
+                    /* This is a PGP 7.0.0 workaround */
+                    sk->csum = csumc; /* take the encrypted one */
+                }
 	    }
+            
 	    /* must check it here otherwise the mpi_read_xx would fail
-	     * because the length das an abritary value */
+	     * because the length may have an arbitrary value */
 	    if( sk->csum == csum ) {
 		for( ; i < pubkey_get_nskey(sk->pubkey_algo); i++ ) {
 		    nbytes = ndata;
@ -106,6 +114,7 @@ do_check( PKT_secret_key *sk )
 		    ndata -= nbytes;
 		    p += nbytes;
 		}
+                /* at this point ndata should be equal to 2 (the checksum) */
 	    }
 	    m_free(data);
 	}
@ -237,9 +246,7 @@ protect_secret_key( PKT_secret_key *sk, DEK *dek )
 	    randomize_buffer(sk->protect.iv, sk->protect.ivlen, 1);
 	    cipher_setiv( cipher_hd, sk->protect.iv, sk->protect.ivlen );
 	    if( sk->version >= 4 ) {
-		/* FIXME: There is a bug in this function for all algorithms
-		 * where the secret MPIs are more than 1 */
-		byte *bufarr[PUBKEY_MAX_NSKEY];
+                byte *bufarr[PUBKEY_MAX_NSKEY];
 		unsigned narr[PUBKEY_MAX_NSKEY];
 		unsigned nbits[PUBKEY_MAX_NSKEY];
 		int ndata=0;