felixm/cryptopals
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Prepare for Bleichenbacher's PKCS attack

Browse Source
This commit is contained in:
Felix Martin
2023-01-22 20:04:09 -05:00
parent c6c6167112
commit 6abf32c361
3 changed files with 84 additions and 56 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
src/rsa.rs
View File

@@ -51,13 +51,13 @@ fn generate_random_prime(bits: i32) -> Result<BigNum, ErrorStack> {
Ok(p)
}
pub fn rsa_gen_keys() -> Result<(RsaPublicKey, RsaPrivateKey), ErrorStack> {
pub fn rsa_gen_keys_with_size(p_bits: i32, q_bits: i32) -> Result<(RsaPublicKey, RsaPrivateKey), ErrorStack> {
let mut ctx = BigNumContext::new()?;
loop {
// Generate 2 random primes.
let mut p = generate_random_prime(512)?;
let mut q = generate_random_prime(512)?;
let mut p = generate_random_prime(p_bits)?;
let mut q = generate_random_prime(q_bits)?;
// Let n be p * q. Your RSA math is modulo n.
let mut n = BigNum::new()?;
@@ -83,6 +83,10 @@ pub fn rsa_gen_keys() -> Result<(RsaPublicKey, RsaPrivateKey), ErrorStack> {
}
}
pub fn rsa_gen_keys() -> Result<(RsaPublicKey, RsaPrivateKey), ErrorStack> {
rsa_gen_keys_with_size(512, 512)
}
pub fn invmod(a: &BigNum, n: &BigNum) -> Result<BigNum, ErrorStack> {
fn extended_gcd(a: BigNum, b: BigNum) -> Result<(BigNum, BigNum, BigNum), ErrorStack> {
// credit: https://www.dcode.fr/extended-gcd
@@ -140,7 +144,7 @@ pub fn rsa_padding_add_pkcs1(m: &BigNum, to_len: i32) -> Result<BigNum, ErrorSta
let padding_str_len: usize = (to_len - 3 - from_len).try_into().unwrap();
let mut v = vec![0x0; 3 + padding_str_len];
v[0] = 0x0;
v[1] = 0x1;
v[1] = 0x2;
for i in 2..padding_str_len + 2 {
v[i] = 0xff;
}
@@ -156,7 +160,7 @@ pub fn rsa_padding_remove_pkcs1(m: &BigNum, pad_to: i32) -> Result<BigNum, Error
// first byte is zero and therefore num_bytes is 1 smaller than expected
assert!(m.num_bytes() + 1 == pad_to, "Padding length incorrect");
assert!(v[0] == 0, "PKCS1 padding incorrect");
assert!(v[1] == 1, "PKCS1 padding incorrect");
assert!(v[1] == 2, "PKCS1 padding incorrect");
while v[i] == 0xff {
i += 1;
}
@@ -235,7 +239,7 @@ pub fn rsa_verify_insecure(
// them by looking for 00h 01h ... ffh 00h ASN.1 HASH.
let v = m.to_vec_padded(pad_to)?;
assert!(v[0] == 0, "PKCS1 padding incorrect");
assert!(v[1] == 1, "PKCS1 padding incorrect");
assert!(v[1] == 2, "PKCS1 padding incorrect");
let mut i = 2;
while i < v.len() - 1 {
if v[i] == 0xff && v[i + 1] == 0x0 {