3 * OpenPGP MPI functions.
5 * Copyright (c) 2005 Marko Kreen
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29 * contrib/pgcrypto/pgp-mpi-internal.c
40 mpz_t *mp = mp_int_alloc();
42 mp_int_init_size(mp, 256);
47 mp_clear_free(mpz_t *a)
51 /* fixme: no clear? */
57 mp_px_rand(uint32 bits, mpz_t *res)
59 unsigned bytes = (bits + 7) / 8;
60 int last_bits = bits & 7;
63 buf = px_alloc(bytes);
64 if (!pg_strong_random(buf, bytes))
70 /* clear unnecessary bits and set last bit to one */
73 buf[0] >>= 8 - last_bits;
74 buf[0] |= 1 << (last_bits - 1);
79 mp_int_read_unsigned(res, buf, bytes);
87 mp_modmul(mpz_t *a, mpz_t *b, mpz_t *p, mpz_t *res)
89 mpz_t *tmp = mp_new();
91 mp_int_mul(a, b, tmp);
92 mp_int_mod(tmp, p, res);
101 mp_int_read_unsigned(bn, n->data, n->bytes);
105 if (mp_int_count_bits(bn) != n->bits)
107 px_debug("mpi_to_bn: bignum conversion failed: mpi=%d, bn=%d",
108 n->bits, mp_int_count_bits(bn));
122 res = pgp_mpi_alloc(mp_int_count_bits(bn), &n);
126 bytes = (mp_int_count_bits(bn) + 7) / 8;
127 if (bytes != n->bytes)
129 px_debug("bn_to_mpi: bignum conversion failed: bn=%d, mpi=%d",
134 mp_int_to_unsigned(bn, n->data, n->bytes);
139 * Decide the number of bits in the random component k
141 * It should be in the same range as p for signing (which
142 * is deprecated), but can be much smaller for encrypting.
144 * Until I research it further, I just mimic gpg behaviour.
145 * It has a special mapping table, for values <= 5120,
146 * above that it uses 'arbitrary high number'. Following
147 * algorithm hovers 10-70 bits above gpg values. And for
148 * larger p, it uses gpg's algorithm.
150 * The point is - if k gets large, encryption will be
151 * really slow. It does not matter for decryption.
154 decide_k_bits(int p_bits)
157 return p_bits / 10 + 160;
159 return (p_bits / 8 + 200) * 3 / 2;
163 pgp_elgamal_encrypt(PGP_PubKey *pk, PGP_MPI *_m,
164 PGP_MPI **c1_p, PGP_MPI **c2_p)
166 int res = PXE_PGP_MATH_FAILED;
168 mpz_t *m = mpi_to_bn(_m);
169 mpz_t *p = mpi_to_bn(pk->pub.elg.p);
170 mpz_t *g = mpi_to_bn(pk->pub.elg.g);
171 mpz_t *y = mpi_to_bn(pk->pub.elg.y);
173 mpz_t *yk = mp_new();
174 mpz_t *c1 = mp_new();
175 mpz_t *c2 = mp_new();
177 if (!m || !p || !g || !y || !k || !yk || !c1 || !c2)
183 k_bits = decide_k_bits(mp_int_count_bits(p));
184 res = mp_px_rand(k_bits, k);
189 * c1 = g^k c2 = m * y^k
191 mp_int_exptmod(g, k, p, c1);
192 mp_int_exptmod(y, k, p, yk);
193 mp_modmul(m, yk, p, c2);
196 *c1_p = bn_to_mpi(c1);
197 *c2_p = bn_to_mpi(c2);
213 pgp_elgamal_decrypt(PGP_PubKey *pk, PGP_MPI *_c1, PGP_MPI *_c2,
216 int res = PXE_PGP_MATH_FAILED;
217 mpz_t *c1 = mpi_to_bn(_c1);
218 mpz_t *c2 = mpi_to_bn(_c2);
219 mpz_t *p = mpi_to_bn(pk->pub.elg.p);
220 mpz_t *x = mpi_to_bn(pk->sec.elg.x);
221 mpz_t *c1x = mp_new();
222 mpz_t *div = mp_new();
225 if (!c1 || !c2 || !p || !x || !c1x || !div || !m)
231 mp_int_exptmod(c1, x, p, c1x);
232 mp_int_invmod(c1x, p, div);
233 mp_modmul(c2, div, p, m);
236 *msg_p = bn_to_mpi(m);
251 pgp_rsa_encrypt(PGP_PubKey *pk, PGP_MPI *_m, PGP_MPI **c_p)
253 int res = PXE_PGP_MATH_FAILED;
254 mpz_t *m = mpi_to_bn(_m);
255 mpz_t *e = mpi_to_bn(pk->pub.rsa.e);
256 mpz_t *n = mpi_to_bn(pk->pub.rsa.n);
259 if (!m || !e || !n || !c)
265 mp_int_exptmod(m, e, n, c);
279 pgp_rsa_decrypt(PGP_PubKey *pk, PGP_MPI *_c, PGP_MPI **m_p)
281 int res = PXE_PGP_MATH_FAILED;
282 mpz_t *c = mpi_to_bn(_c);
283 mpz_t *d = mpi_to_bn(pk->sec.rsa.d);
284 mpz_t *n = mpi_to_bn(pk->pub.rsa.n);
287 if (!m || !d || !n || !c)
293 mp_int_exptmod(c, d, n, m);