[PATCH 6/6] rsa: clarify the RSA secret parameters

[Peter Wu]

On Thu, Jul 16, 2015 at 01:57:17PM +0900, NIIBE Yutaka wrote:
> Hello,
> 
> Thank you for the patch.
> 
> On 07/10/2015 12:11 AM, Peter Wu wrote:
> > * cipher/rsa.c: Clarify meaning of the 'u' parameter. Fix error in
> >   comments.
> 
> For the first part, I think that it's correctly described in the
> documentation: (gcrypt)RSA key parameters
> 
> Even it has an example as:
> 
>        Note that OpenSSL uses slighly different parameters: q < p and u =
>     q^{-1} \bmod p.  To use these parameters you will need to swap the
>     values and recompute u.  Here is example code to do this:
> 
>        if (gcry_mpi_cmp (p, q) > 0)
>          {
>            gcry_mpi_swap (p, q);
>            gcry_mpi_invm (u, p, q);
>          }
> 
> I'm not sure (and wondering) if we need more.

That is documented in a different place. Repeating the same does not
hurt, especially when noting why it differs from other common RSA
implementations (presumably due to the origin from OpenPGP).

> I know that it's a pitfall of libgcrypt (something common).  For your
> reference, I know this one in Fedora:
> 
> http://pkgs.fedoraproject.org/cgit/libgcrypt.git/diff/?id=376991d05a1a0e2911242061c41ca5c5a915e339&id2=f56a95f03b711eac70ddc8673b6417a93a45c2bd
> 
> That's was same mistake.

Given this mistake, why not add the comment to save some hours from
other reviewers?

In my case it was an unexpected user error where $u = q^{-1} mod p$ was
used. Maybe the function that imports the RSA parameters should first
check for u * p == 1 mod q as a sanity check?
-- 
Kind regards,
Peter Wu
https://lekensteyn.nl