diff options
author | Filippo Valsorda <filippo@golang.org> | 2018-05-17 21:04:07 -0400 |
---|---|---|
committer | Filippo Valsorda <filippo@golang.org> | 2018-05-17 21:04:07 -0400 |
commit | a3f9ce3313af58d6f6d904875893b60d929ebd9c (patch) | |
tree | c3efcbc3f5f22a08f801059231d55c1329b04a05 /src/crypto/rsa/rsa.go | |
parent | 528dad8c7252a322b41a1413945b9b17febb5105 (diff) | |
parent | f2239d39571a176ebeb726e2d6cccbc3aa1ba4a9 (diff) | |
download | go-a3f9ce3313af58d6f6d904875893b60d929ebd9c.tar.gz go-a3f9ce3313af58d6f6d904875893b60d929ebd9c.zip |
[dev.boringcrypto] all: merge master into dev.boringcrypto
Conflicts due to simple variable renames (d <-> d0):
src/crypto/sha1/sha1.go
src/crypto/sha256/sha256.go
src/crypto/sha512/sha512.go
Change-Id: I437df180a527fb3ec8b47927ee71960d5d200b76
Diffstat (limited to 'src/crypto/rsa/rsa.go')
-rw-r--r-- | src/crypto/rsa/rsa.go | 49 |
1 files changed, 13 insertions, 36 deletions
diff --git a/src/crypto/rsa/rsa.go b/src/crypto/rsa/rsa.go index 9af5cbb165..9302ea8535 100644 --- a/src/crypto/rsa/rsa.go +++ b/src/crypto/rsa/rsa.go @@ -46,6 +46,12 @@ type PublicKey struct { boring unsafe.Pointer } +// Size returns the modulus size in bytes. Raw signatures and ciphertexts +// for or by this public key will have the same size. +func (pub *PublicKey) Size() int { + return (pub.N.BitLen() + 7) / 8 +} + // OAEPOptions is an interface for passing options to OAEP decryption using the // crypto.Decrypter interface. type OAEPOptions struct { @@ -318,18 +324,13 @@ NextSetOfPrimes: continue NextSetOfPrimes } - g := new(big.Int) priv.D = new(big.Int) e := big.NewInt(int64(priv.E)) - g.GCD(priv.D, nil, e, totient) + ok := priv.D.ModInverse(e, totient) - if g.Cmp(bigOne) == 0 { - if priv.D.Sign() < 0 { - priv.D.Add(priv.D, totient) - } + if ok != nil { priv.Primes = primes priv.N = n - break } } @@ -406,7 +407,7 @@ func EncryptOAEP(hash hash.Hash, random io.Reader, pub *PublicKey, msg []byte, l return nil, err } hash.Reset() - k := (pub.N.BitLen() + 7) / 8 + k := pub.Size() if len(msg) > k-2*hash.Size()-2 { return nil, ErrMessageTooLong } @@ -477,29 +478,6 @@ var ErrDecryption = errors.New("crypto/rsa: decryption error") // It is deliberately vague to avoid adaptive attacks. var ErrVerification = errors.New("crypto/rsa: verification error") -// modInverse returns ia, the inverse of a in the multiplicative group of prime -// order n. It requires that a be a member of the group (i.e. less than n). -func modInverse(a, n *big.Int) (ia *big.Int, ok bool) { - g := new(big.Int) - x := new(big.Int) - g.GCD(x, nil, a, n) - if g.Cmp(bigOne) != 0 { - // In this case, a and n aren't coprime and we cannot calculate - // the inverse. This happens because the values of n are nearly - // prime (being the product of two primes) rather than truly - // prime. - return - } - - if x.Cmp(bigOne) < 0 { - // 0 is not the multiplicative inverse of any element so, if x - // < 1, then x is negative. - x.Add(x, n) - } - - return x, true -} - // Precompute performs some calculations that speed up private key operations // in the future. func (priv *PrivateKey) Precompute() { @@ -554,7 +532,7 @@ func decrypt(random io.Reader, priv *PrivateKey, c *big.Int) (m *big.Int, err er // by multiplying by the multiplicative inverse of r. var r *big.Int - + ir = new(big.Int) for { r, err = rand.Int(random, priv.N) if err != nil { @@ -563,9 +541,8 @@ func decrypt(random io.Reader, priv *PrivateKey, c *big.Int) (m *big.Int, err er if r.Cmp(bigZero) == 0 { r = bigOne } - var ok bool - ir, ok = modInverse(r, priv.N) - if ok { + ok := ir.ModInverse(r, priv.N) + if ok != nil { break } } @@ -646,7 +623,7 @@ func DecryptOAEP(hash hash.Hash, random io.Reader, priv *PrivateKey, ciphertext if err := checkPub(&priv.PublicKey); err != nil { return nil, err } - k := (priv.N.BitLen() + 7) / 8 + k := priv.Size() if len(ciphertext) > k || k < hash.Size()*2+2 { return nil, ErrDecryption |