| 1c1af145 |
1 | /* |
| 2 | * RSA key generation. |
| 3 | */ |
| 4 | |
| 5 | #include "ssh.h" |
| 6 | |
| 7 | #define RSA_EXPONENT 37 /* we like this prime */ |
| 8 | |
| 9 | int rsa_generate(struct RSAKey *key, int bits, progfn_t pfn, |
| 10 | void *pfnparam) |
| 11 | { |
| 12 | Bignum pm1, qm1, phi_n; |
| 13 | |
| 14 | /* |
| 15 | * Set up the phase limits for the progress report. We do this |
| 16 | * by passing minus the phase number. |
| 17 | * |
| 18 | * For prime generation: our initial filter finds things |
| 19 | * coprime to everything below 2^16. Computing the product of |
| 20 | * (p-1)/p for all prime p below 2^16 gives about 20.33; so |
| 21 | * among B-bit integers, one in every 20.33 will get through |
| 22 | * the initial filter to be a candidate prime. |
| 23 | * |
| 24 | * Meanwhile, we are searching for primes in the region of 2^B; |
| 25 | * since pi(x) ~ x/log(x), when x is in the region of 2^B, the |
| 26 | * prime density will be d/dx pi(x) ~ 1/log(B), i.e. about |
| 27 | * 1/0.6931B. So the chance of any given candidate being prime |
| 28 | * is 20.33/0.6931B, which is roughly 29.34 divided by B. |
| 29 | * |
| 30 | * So now we have this probability P, we're looking at an |
| 31 | * exponential distribution with parameter P: we will manage in |
| 32 | * one attempt with probability P, in two with probability |
| 33 | * P(1-P), in three with probability P(1-P)^2, etc. The |
| 34 | * probability that we have still not managed to find a prime |
| 35 | * after N attempts is (1-P)^N. |
| 36 | * |
| 37 | * We therefore inform the progress indicator of the number B |
| 38 | * (29.34/B), so that it knows how much to increment by each |
| 39 | * time. We do this in 16-bit fixed point, so 29.34 becomes |
| 40 | * 0x1D.57C4. |
| 41 | */ |
| 42 | pfn(pfnparam, PROGFN_PHASE_EXTENT, 1, 0x10000); |
| 43 | pfn(pfnparam, PROGFN_EXP_PHASE, 1, -0x1D57C4 / (bits / 2)); |
| 44 | pfn(pfnparam, PROGFN_PHASE_EXTENT, 2, 0x10000); |
| 45 | pfn(pfnparam, PROGFN_EXP_PHASE, 2, -0x1D57C4 / (bits - bits / 2)); |
| 46 | pfn(pfnparam, PROGFN_PHASE_EXTENT, 3, 0x4000); |
| 47 | pfn(pfnparam, PROGFN_LIN_PHASE, 3, 5); |
| 48 | pfn(pfnparam, PROGFN_READY, 0, 0); |
| 49 | |
| 50 | /* |
| 51 | * We don't generate e; we just use a standard one always. |
| 52 | */ |
| 53 | key->exponent = bignum_from_long(RSA_EXPONENT); |
| 54 | |
| 55 | /* |
| 56 | * Generate p and q: primes with combined length `bits', not |
| 57 | * congruent to 1 modulo e. (Strictly speaking, we wanted (p-1) |
| 58 | * and e to be coprime, and (q-1) and e to be coprime, but in |
| 59 | * general that's slightly more fiddly to arrange. By choosing |
| 60 | * a prime e, we can simplify the criterion.) |
| 61 | */ |
| 62 | key->p = primegen(bits / 2, RSA_EXPONENT, 1, NULL, |
| 63 | 1, pfn, pfnparam); |
| 64 | key->q = primegen(bits - bits / 2, RSA_EXPONENT, 1, NULL, |
| 65 | 2, pfn, pfnparam); |
| 66 | |
| 67 | /* |
| 68 | * Ensure p > q, by swapping them if not. |
| 69 | */ |
| 70 | if (bignum_cmp(key->p, key->q) < 0) { |
| 71 | Bignum t = key->p; |
| 72 | key->p = key->q; |
| 73 | key->q = t; |
| 74 | } |
| 75 | |
| 76 | /* |
| 77 | * Now we have p, q and e. All we need to do now is work out |
| 78 | * the other helpful quantities: n=pq, d=e^-1 mod (p-1)(q-1), |
| 79 | * and (q^-1 mod p). |
| 80 | */ |
| 81 | pfn(pfnparam, PROGFN_PROGRESS, 3, 1); |
| 82 | key->modulus = bigmul(key->p, key->q); |
| 83 | pfn(pfnparam, PROGFN_PROGRESS, 3, 2); |
| 84 | pm1 = copybn(key->p); |
| 85 | decbn(pm1); |
| 86 | qm1 = copybn(key->q); |
| 87 | decbn(qm1); |
| 88 | phi_n = bigmul(pm1, qm1); |
| 89 | pfn(pfnparam, PROGFN_PROGRESS, 3, 3); |
| 90 | freebn(pm1); |
| 91 | freebn(qm1); |
| 92 | key->private_exponent = modinv(key->exponent, phi_n); |
| 93 | pfn(pfnparam, PROGFN_PROGRESS, 3, 4); |
| 94 | key->iqmp = modinv(key->q, key->p); |
| 95 | pfn(pfnparam, PROGFN_PROGRESS, 3, 5); |
| 96 | |
| 97 | /* |
| 98 | * Clean up temporary numbers. |
| 99 | */ |
| 100 | freebn(phi_n); |
| 101 | |
| 102 | return 1; |
| 103 | } |
projects / people / ms / putty.git / blame