mirror of
https://github.com/golang/go
synced 2024-11-21 21:04:41 -07:00
crypto/rand: add utility functions for number generation
This code is extracted from crypto/rsa with a few variables renamed and a comment fixed. R=agl, rsc, agl CC=golang-dev https://golang.org/cl/4446068
This commit is contained in:
parent
4ffff35abd
commit
24b2f48a4a
@ -8,6 +8,7 @@ TARG=crypto/rand
|
||||
|
||||
GOFILES=\
|
||||
rand.go\
|
||||
util.go\
|
||||
|
||||
GOFILES_freebsd=\
|
||||
rand_unix.go\
|
||||
|
80
src/pkg/crypto/rand/util.go
Normal file
80
src/pkg/crypto/rand/util.go
Normal file
@ -0,0 +1,80 @@
|
||||
// Copyright 2011 The Go Authors. All rights reserved.
|
||||
// Use of this source code is governed by a BSD-style
|
||||
// license that can be found in the LICENSE file.
|
||||
|
||||
package rand
|
||||
|
||||
import (
|
||||
"big"
|
||||
"io"
|
||||
"os"
|
||||
)
|
||||
|
||||
// Prime returns a number, p, of the given size, such that p is prime
|
||||
// with high probability.
|
||||
func Prime(rand io.Reader, bits int) (p *big.Int, err os.Error) {
|
||||
if bits < 1 {
|
||||
err = os.EINVAL
|
||||
}
|
||||
|
||||
b := uint(bits % 8)
|
||||
if b == 0 {
|
||||
b = 8
|
||||
}
|
||||
|
||||
bytes := make([]byte, (bits+7)/8)
|
||||
p = new(big.Int)
|
||||
|
||||
for {
|
||||
_, err = io.ReadFull(rand, bytes)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
// Clear bits in the first byte to make sure the candidate has a size <= bits.
|
||||
bytes[0] &= uint8(int(1<<b) - 1)
|
||||
// Don't let the value be too small, i.e, set the most significant bit.
|
||||
bytes[0] |= 1 << (b - 1)
|
||||
// Make the value odd since an even number this large certainly isn't prime.
|
||||
bytes[len(bytes)-1] |= 1
|
||||
|
||||
p.SetBytes(bytes)
|
||||
if big.ProbablyPrime(p, 20) {
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
// Int returns a uniform random value in [0, max).
|
||||
func Int(rand io.Reader, max *big.Int) (n *big.Int, err os.Error) {
|
||||
k := (max.BitLen() + 7) / 8
|
||||
|
||||
// b is the number of bits in the most significant byte of max.
|
||||
b := uint(max.BitLen() % 8)
|
||||
if b == 0 {
|
||||
b = 8
|
||||
}
|
||||
|
||||
bytes := make([]byte, k)
|
||||
n = new(big.Int)
|
||||
|
||||
for {
|
||||
_, err = io.ReadFull(rand, bytes)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
// Clear bits in the first byte to increase the probability
|
||||
// that the candidate is < max.
|
||||
bytes[0] &= uint8(int(1<<b) - 1)
|
||||
|
||||
n.SetBytes(bytes)
|
||||
if n.Cmp(max) < 0 {
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
return
|
||||
}
|
@ -9,6 +9,7 @@ package rsa
|
||||
|
||||
import (
|
||||
"big"
|
||||
"crypto/rand"
|
||||
"crypto/subtle"
|
||||
"hash"
|
||||
"io"
|
||||
@ -18,69 +19,6 @@ import (
|
||||
var bigZero = big.NewInt(0)
|
||||
var bigOne = big.NewInt(1)
|
||||
|
||||
// randomPrime returns a number, p, of the given size, such that p is prime
|
||||
// with high probability.
|
||||
func randomPrime(rand io.Reader, bits int) (p *big.Int, err os.Error) {
|
||||
if bits < 1 {
|
||||
err = os.EINVAL
|
||||
}
|
||||
|
||||
bytes := make([]byte, (bits+7)/8)
|
||||
p = new(big.Int)
|
||||
|
||||
for {
|
||||
_, err = io.ReadFull(rand, bytes)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
// Don't let the value be too small.
|
||||
bytes[0] |= 0x80
|
||||
// Make the value odd since an even number this large certainly isn't prime.
|
||||
bytes[len(bytes)-1] |= 1
|
||||
|
||||
p.SetBytes(bytes)
|
||||
if big.ProbablyPrime(p, 20) {
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
// randomNumber returns a uniform random value in [0, max).
|
||||
func randomNumber(rand io.Reader, max *big.Int) (n *big.Int, err os.Error) {
|
||||
k := (max.BitLen() + 7) / 8
|
||||
|
||||
// r is the number of bits in the used in the most significant byte of
|
||||
// max.
|
||||
r := uint(max.BitLen() % 8)
|
||||
if r == 0 {
|
||||
r = 8
|
||||
}
|
||||
|
||||
bytes := make([]byte, k)
|
||||
n = new(big.Int)
|
||||
|
||||
for {
|
||||
_, err = io.ReadFull(rand, bytes)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
// Clear bits in the first byte to increase the probability
|
||||
// that the candidate is < max.
|
||||
bytes[0] &= uint8(int(1<<r) - 1)
|
||||
|
||||
n.SetBytes(bytes)
|
||||
if n.Cmp(max) < 0 {
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
// A PublicKey represents the public part of an RSA key.
|
||||
type PublicKey struct {
|
||||
N *big.Int // modulus
|
||||
@ -162,8 +100,8 @@ func (priv *PrivateKey) Validate() os.Error {
|
||||
}
|
||||
|
||||
// GenerateKey generates an RSA keypair of the given bit size.
|
||||
func GenerateKey(rand io.Reader, bits int) (priv *PrivateKey, err os.Error) {
|
||||
return GenerateMultiPrimeKey(rand, 2, bits)
|
||||
func GenerateKey(random io.Reader, bits int) (priv *PrivateKey, err os.Error) {
|
||||
return GenerateMultiPrimeKey(random, 2, bits)
|
||||
}
|
||||
|
||||
// GenerateMultiPrimeKey generates a multi-prime RSA keypair of the given bit
|
||||
@ -176,7 +114,7 @@ func GenerateKey(rand io.Reader, bits int) (priv *PrivateKey, err os.Error) {
|
||||
//
|
||||
// [1] US patent 4405829 (1972, expired)
|
||||
// [2] http://www.cacr.math.uwaterloo.ca/techreports/2006/cacr2006-16.pdf
|
||||
func GenerateMultiPrimeKey(rand io.Reader, nprimes int, bits int) (priv *PrivateKey, err os.Error) {
|
||||
func GenerateMultiPrimeKey(random io.Reader, nprimes int, bits int) (priv *PrivateKey, err os.Error) {
|
||||
priv = new(PrivateKey)
|
||||
// Smaller public exponents lead to faster public key
|
||||
// operations. Since the exponent must be coprime to
|
||||
@ -198,7 +136,7 @@ NextSetOfPrimes:
|
||||
for {
|
||||
todo := bits
|
||||
for i := 0; i < nprimes; i++ {
|
||||
primes[i], err = randomPrime(rand, todo/(nprimes-i))
|
||||
primes[i], err = rand.Prime(random, todo/(nprimes-i))
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
@ -293,7 +231,7 @@ func encrypt(c *big.Int, pub *PublicKey, m *big.Int) *big.Int {
|
||||
// EncryptOAEP encrypts the given message with RSA-OAEP.
|
||||
// The message must be no longer than the length of the public modulus less
|
||||
// twice the hash length plus 2.
|
||||
func EncryptOAEP(hash hash.Hash, rand io.Reader, pub *PublicKey, msg []byte, label []byte) (out []byte, err os.Error) {
|
||||
func EncryptOAEP(hash hash.Hash, random io.Reader, pub *PublicKey, msg []byte, label []byte) (out []byte, err os.Error) {
|
||||
hash.Reset()
|
||||
k := (pub.N.BitLen() + 7) / 8
|
||||
if len(msg) > k-2*hash.Size()-2 {
|
||||
@ -313,7 +251,7 @@ func EncryptOAEP(hash hash.Hash, rand io.Reader, pub *PublicKey, msg []byte, lab
|
||||
db[len(db)-len(msg)-1] = 1
|
||||
copy(db[len(db)-len(msg):], msg)
|
||||
|
||||
_, err = io.ReadFull(rand, seed)
|
||||
_, err = io.ReadFull(random, seed)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
@ -405,7 +343,7 @@ func (priv *PrivateKey) Precompute() {
|
||||
|
||||
// decrypt performs an RSA decryption, resulting in a plaintext integer. If a
|
||||
// random source is given, RSA blinding is used.
|
||||
func decrypt(rand io.Reader, priv *PrivateKey, c *big.Int) (m *big.Int, err os.Error) {
|
||||
func decrypt(random io.Reader, priv *PrivateKey, c *big.Int) (m *big.Int, err os.Error) {
|
||||
// TODO(agl): can we get away with reusing blinds?
|
||||
if c.Cmp(priv.N) > 0 {
|
||||
err = DecryptionError{}
|
||||
@ -413,7 +351,7 @@ func decrypt(rand io.Reader, priv *PrivateKey, c *big.Int) (m *big.Int, err os.E
|
||||
}
|
||||
|
||||
var ir *big.Int
|
||||
if rand != nil {
|
||||
if random != nil {
|
||||
// Blinding enabled. Blinding involves multiplying c by r^e.
|
||||
// Then the decryption operation performs (m^e * r^e)^d mod n
|
||||
// which equals mr mod n. The factor of r can then be removed
|
||||
@ -422,7 +360,7 @@ func decrypt(rand io.Reader, priv *PrivateKey, c *big.Int) (m *big.Int, err os.E
|
||||
var r *big.Int
|
||||
|
||||
for {
|
||||
r, err = randomNumber(rand, priv.N)
|
||||
r, err = rand.Int(random, priv.N)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
@ -483,7 +421,7 @@ func decrypt(rand io.Reader, priv *PrivateKey, c *big.Int) (m *big.Int, err os.E
|
||||
|
||||
// DecryptOAEP decrypts ciphertext using RSA-OAEP.
|
||||
// If rand != nil, DecryptOAEP uses RSA blinding to avoid timing side-channel attacks.
|
||||
func DecryptOAEP(hash hash.Hash, rand io.Reader, priv *PrivateKey, ciphertext []byte, label []byte) (msg []byte, err os.Error) {
|
||||
func DecryptOAEP(hash hash.Hash, random io.Reader, priv *PrivateKey, ciphertext []byte, label []byte) (msg []byte, err os.Error) {
|
||||
k := (priv.N.BitLen() + 7) / 8
|
||||
if len(ciphertext) > k ||
|
||||
k < hash.Size()*2+2 {
|
||||
@ -493,7 +431,7 @@ func DecryptOAEP(hash hash.Hash, rand io.Reader, priv *PrivateKey, ciphertext []
|
||||
|
||||
c := new(big.Int).SetBytes(ciphertext)
|
||||
|
||||
m, err := decrypt(rand, priv, c)
|
||||
m, err := decrypt(random, priv, c)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user