HSD
/
putty
同期ミラー https://git.tartarus.org/simon/putty.git


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293
							/*
 * RSA key generation.
 */

#include <assert.h>

#include "ssh.h"
#include "sshkeygen.h"
#include "mpint.h"

#define RSA_EXPONENT 65537

#define NFIRSTBITS 13
static void invent_firstbits(unsigned *one, unsigned *two,
                             unsigned min_separation);

typedef struct RSAPrimeDetails RSAPrimeDetails;
struct RSAPrimeDetails {
    bool strong;
    int bits, bitsm1m1, bitsm1, bitsp1;
    unsigned firstbits;
    ProgressPhase phase_main, phase_m1m1, phase_m1, phase_p1;
};

#define STRONG_MARGIN (20 + NFIRSTBITS)

static RSAPrimeDetails setup_rsa_prime(
    int bits, bool strong, PrimeGenerationContext *pgc, ProgressReceiver *prog)
{
    RSAPrimeDetails pd;
    pd.bits = bits;
    if (strong) {
        pd.bitsm1 = (bits - STRONG_MARGIN) / 2;
        pd.bitsp1 = (bits - STRONG_MARGIN) - pd.bitsm1;
        pd.bitsm1m1 = (pd.bitsm1 - STRONG_MARGIN) / 2;
        if (pd.bitsm1m1 < STRONG_MARGIN) {
            /* Absurdly small prime, but we should at least not crash. */
            strong = false;
        }
    }
    pd.strong = strong;

    if (pd.strong) {
        pd.phase_m1m1 = primegen_add_progress_phase(pgc, prog, pd.bitsm1m1);
        pd.phase_m1 = primegen_add_progress_phase(pgc, prog, pd.bitsm1);
        pd.phase_p1 = primegen_add_progress_phase(pgc, prog, pd.bitsp1);
    }
    pd.phase_main = primegen_add_progress_phase(pgc, prog, pd.bits);

    return pd;
}

static mp_int *generate_rsa_prime(
    RSAPrimeDetails pd, PrimeGenerationContext *pgc, ProgressReceiver *prog)
{
    mp_int *m1m1 = NULL, *m1 = NULL, *p1 = NULL, *p = NULL;
    PrimeCandidateSource *pcs;

    if (pd.strong) {
        progress_start_phase(prog, pd.phase_m1m1);
        pcs = pcs_new_with_firstbits(pd.bitsm1m1, pd.firstbits, NFIRSTBITS);
        m1m1 = primegen_generate(pgc, pcs, prog);
        progress_report_phase_complete(prog);

        progress_start_phase(prog, pd.phase_m1);
        pcs = pcs_new_with_firstbits(pd.bitsm1, pd.firstbits, NFIRSTBITS);
        pcs_require_residue_1_mod_prime(pcs, m1m1);
        m1 = primegen_generate(pgc, pcs, prog);
        progress_report_phase_complete(prog);

        progress_start_phase(prog, pd.phase_p1);
        pcs = pcs_new_with_firstbits(pd.bitsp1, pd.firstbits, NFIRSTBITS);
        p1 = primegen_generate(pgc, pcs, prog);
        progress_report_phase_complete(prog);
    }

    progress_start_phase(prog, pd.phase_main);
    pcs = pcs_new_with_firstbits(pd.bits, pd.firstbits, NFIRSTBITS);
    pcs_avoid_residue_small(pcs, RSA_EXPONENT, 1);
    if (pd.strong) {
        pcs_require_residue_1_mod_prime(pcs, m1);
        mp_int *p1_minus_1 = mp_copy(p1);
        mp_sub_integer_into(p1_minus_1, p1, 1);
        pcs_require_residue(pcs, p1, p1_minus_1);
        mp_free(p1_minus_1);
    }
    p = primegen_generate(pgc, pcs, prog);
    progress_report_phase_complete(prog);

    if (m1m1)
        mp_free(m1m1);
    if (m1)
        mp_free(m1);
    if (p1)
        mp_free(p1);

    return p;
}

int rsa_generate(RSAKey *key, int bits, bool strong,
                 PrimeGenerationContext *pgc, ProgressReceiver *prog)
{
    key->sshk.vt = &ssh_rsa;

    /*
     * We don't generate e; we just use a standard one always.
     */
    mp_int *exponent = mp_from_integer(RSA_EXPONENT);

    /*
     * Generate p and q: primes with combined length `bits', not
     * congruent to 1 modulo e. (Strictly speaking, we wanted (p-1)
     * and e to be coprime, and (q-1) and e to be coprime, but in
     * general that's slightly more fiddly to arrange. By choosing
     * a prime e, we can simplify the criterion.)
     *
     * We give a min_separation of 2 to invent_firstbits(), ensuring
     * that the two primes won't be very close to each other. (The
     * chance of them being _dangerously_ close is negligible - even
     * more so than an attacker guessing a whole 256-bit session key -
     * but it doesn't cost much to make sure.)
     */
    int qbits = bits / 2;
    int pbits = bits - qbits;
    assert(pbits >= qbits);

    RSAPrimeDetails pd = setup_rsa_prime(pbits, strong, pgc, prog);
    RSAPrimeDetails qd = setup_rsa_prime(qbits, strong, pgc, prog);
    progress_ready(prog);

    invent_firstbits(&pd.firstbits, &qd.firstbits, 2);

    mp_int *p = generate_rsa_prime(pd, pgc, prog);
    mp_int *q = generate_rsa_prime(qd, pgc, prog);

    /*
     * Ensure p > q, by swapping them if not.
     *
     * We only need to do this if the two primes were generated with
     * the same number of bits (i.e. if the requested key size is
     * even) - otherwise it's already guaranteed!
     */
    if (pbits == qbits) {
        mp_cond_swap(p, q, mp_cmp_hs(q, p));
    } else {
        assert(mp_cmp_hs(p, q));
    }

    /*
     * Now we have p, q and e. All we need to do now is work out
     * the other helpful quantities: n=pq, d=e^-1 mod (p-1)(q-1),
     * and (q^-1 mod p).
     */
    mp_int *modulus = mp_mul(p, q);
    mp_int *pm1 = mp_copy(p);
    mp_sub_integer_into(pm1, pm1, 1);
    mp_int *qm1 = mp_copy(q);
    mp_sub_integer_into(qm1, qm1, 1);
    mp_int *phi_n = mp_mul(pm1, qm1);
    mp_free(pm1);
    mp_free(qm1);
    mp_int *private_exponent = mp_invert(exponent, phi_n);
    mp_free(phi_n);
    mp_int *iqmp = mp_invert(q, p);

    /*
     * Populate the returned structure.
     */
    key->modulus = modulus;
    key->exponent = exponent;
    key->private_exponent = private_exponent;
    key->p = p;
    key->q = q;
    key->iqmp = iqmp;

    key->bits = mp_get_nbits(modulus);
    key->bytes = (key->bits + 7) / 8;

    return 1;
}

/*
 * Invent a pair of values suitable for use as the 'firstbits' values
 * for the two RSA primes, such that their product is at least 2, and
 * such that their difference is also at least min_separation.
 *
 * This is used for generating RSA keys which have exactly the
 * specified number of bits rather than one fewer - if you generate an
 * a-bit and a b-bit number completely at random and multiply them
 * together, you could end up with either an (ab-1)-bit number or an
 * (ab)-bit number. The former happens log(2)*2-1 of the time (about
 * 39%) and, though actually harmless, every time it occurs it has a
 * non-zero probability of sparking a user email along the lines of
 * 'Hey, I asked PuTTYgen for a 2048-bit key and I only got 2047 bits!
 * Bug!'
 */
static inline unsigned firstbits_b_min(
    unsigned a, unsigned lo, unsigned hi, unsigned min_separation)
{
    /* To get a large enough product, b must be at least this much */
    unsigned b_min = (2*lo*lo + a - 1) / a;
    /* Now enforce a<b, optionally with minimum separation */
    if (b_min < a + min_separation)
        b_min = a + min_separation;
    /* And cap at the upper limit */
    if (b_min > hi)
        b_min = hi;
    return b_min;
}

static void invent_firstbits(unsigned *one, unsigned *two,
                             unsigned min_separation)
{
    /*
     * We'll pick 12 initial bits (number selected at random) for each
     * prime, not counting the leading 1. So we want to return two
     * values in the range [2^12,2^13) whose product is at least 2^25.
     *
     * Strategy: count up all the viable pairs, then select a random
     * number in that range and use it to pick a pair.
     *
     * To keep things simple, we'll ensure a < b, and randomly swap
     * them at the end.
     */
    const unsigned lo = 1<<12, hi = 1<<13, minproduct = 2*lo*lo;
    unsigned a, b;

    /*
     * Count up the number of prefixes of b that would be valid for
     * each prefix of a.
     */
    mp_int *total = mp_new(32);
    for (a = lo; a < hi; a++) {
        unsigned b_min = firstbits_b_min(a, lo, hi, min_separation);
        mp_add_integer_into(total, total, hi - b_min);
    }

    /*
     * Make up a random number in the range [0,2*total).
     */
    mp_int *mlo = mp_from_integer(0), *mhi = mp_new(32);
    mp_lshift_fixed_into(mhi, total, 1);
    mp_int *randval = mp_random_in_range(mlo, mhi);
    mp_free(mlo);
    mp_free(mhi);

    /*
     * Use the low bit of randval as our swap indicator, leaving the
     * rest of it in the range [0,total).
     */
    unsigned swap = mp_get_bit(randval, 0);
    mp_rshift_fixed_into(randval, randval, 1);

    /*
     * Now do the same counting loop again to make the actual choice.
     */
    a = b = 0;
    for (unsigned a_candidate = lo; a_candidate < hi; a_candidate++) {
        unsigned b_min = firstbits_b_min(a_candidate, lo, hi, min_separation);
        unsigned limit = hi - b_min;

        unsigned b_candidate = b_min + mp_get_integer(randval);
        unsigned use_it = 1 ^ mp_hs_integer(randval, limit);
        a ^= (a ^ a_candidate) & -use_it;
        b ^= (b ^ b_candidate) & -use_it;

        mp_sub_integer_into(randval, randval, limit);
    }

    mp_free(randval);
    mp_free(total);

    /*
     * Check everything came out right.
     */
    assert(lo <= a);
    assert(a < hi);
    assert(lo <= b);
    assert(b < hi);
    assert(a * b >= minproduct);
    assert(b >= a + min_separation);

    /*
     * Last-minute optional swap of a and b.
     */
    unsigned diff = (a ^ b) & (-swap);
    a ^= diff;
    b ^= diff;

    *one = a;
    *two = b;
}