[PATCH 6/6] rsa: clarify the RSA secret parameters
Peter Wu
peter at lekensteyn.nl
Thu Jul 16 21:40:50 CEST 2015
On Thu, Jul 16, 2015 at 01:57:17PM +0900, NIIBE Yutaka wrote:
> Hello,
>
> Thank you for the patch.
>
> On 07/10/2015 12:11 AM, Peter Wu wrote:
> > * cipher/rsa.c: Clarify meaning of the 'u' parameter. Fix error in
> > comments.
>
> For the first part, I think that it's correctly described in the
> documentation: (gcrypt)RSA key parameters
>
> It even has an example:
>
> Note that OpenSSL uses slightly different parameters: q < p and u =
> q^{-1} \bmod p. To use these parameters you will need to swap the
> values and recompute u. Here is example code to do this:
>
> if (gcry_mpi_cmp (p, q) > 0)
>   {
>     gcry_mpi_swap (p, q);
>     gcry_mpi_invm (u, p, q);
>   }
>
> I'm not sure (and wondering) if we need more.

That is documented in a different place. Repeating the same does not
hurt, especially when noting why it differs from other common RSA
implementations (presumably due to the origin from OpenPGP).

> I know that it's a pitfall of libgcrypt (something common). For your
> reference, I know this one in Fedora:
>
> http://pkgs.fedoraproject.org/cgit/libgcrypt.git/diff/?id=376991d05a1a0e2911242061c41ca5c5a915e339&id2=f56a95f03b711eac70ddc8673b6417a93a45c2bd
>
> That was the same mistake.

Given this mistake, why not add the comment to save some hours from
other reviewers?

In my case it was an unexpected user error where $u = q^{-1} mod p$ was
used. Maybe the function that imports the RSA parameters should first
check for u * p == 1 mod q as a sanity check?
--
Kind regards,
Peter Wu
https://lekensteyn.nl
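
The sanity check proposed in the message above (u * p == 1 mod q), shown next to the documented swap-and-recompute fix-up, as an added example that is not part of the original thread and not libgcrypt code. It uses plain Python integers; the function names and the toy primes are assumptions made for illustration.

```python
# Added example: plain-Python integers, not libgcrypt API calls.
# The toy primes below are constructed and far too small for real use.

def crt_u_is_valid(p, q, u):
    """Sanity check from the message: u * p == 1 (mod q)."""
    return (u * p) % q == 1

def to_libgcrypt_convention(p, q):
    """Mirror the documented fix-up: ensure p < q, then u = p^{-1} mod q."""
    if p > q:
        p, q = q, p
    return p, q, pow(p, -1, q)  # modular inverse, Python 3.8+

def crt_decrypt(c, d, p, q, u):
    """CRT decryption with Garner recombination, assuming u = p^{-1} mod q."""
    m1 = pow(c, d % (p - 1), p)
    m2 = pow(c, d % (q - 1), q)
    h = (u * (m2 - m1)) % q
    return m1 + h * p

def import_key(p, q, u):
    """Hypothetical import routine that rejects a mismatched u up front."""
    if not crt_u_is_valid(p, q, u):
        raise ValueError("u is not p^{-1} mod q (q^{-1} mod p supplied?)")
    return p, q, u

# Constructed OpenSSL-style parameters: q < p and iqmp = q^{-1} mod p.
P, Q = 61, 53
E, D = 17, 2753
IQMP = pow(Q, -1, P)

if __name__ == "__main__":
    c = pow(65, E, P * Q)
    # Passing OpenSSL's values unchanged fails the check and decrypts wrongly.
    print("unswapped valid:", crt_u_is_valid(P, Q, IQMP))
    print("unswapped decrypt:", crt_decrypt(c, D, P, Q, IQMP))
    # After the swap, u passes the check and decryption recovers the message.
    p, q, u = to_libgcrypt_convention(P, Q)
    print("swapped valid:", crt_u_is_valid(p, q, u))
    print("swapped decrypt:", crt_decrypt(c, D, p, q, u))
```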