61ae41f198
FIPS 186-4 wants d = e^-1 (mod lcm(p-1, q-1)), not (p-1)*(q-1). Note this means the size of d might reveal information about p-1 and q-1. However, we do operations with Chinese Remainder Theorem, so we only use d (mod p-1) and d (mod q-1) as exponents. Using a minimal totient does not affect those two values. This removes RSA_recover_crt_params. Using a minimal d breaks (or rather reveals an existing bug in) the function. While I'm here, rename those ridiculous variable names. Change-Id: Iaf623271d49cd664ba0eca24aa25a393f5666fac Reviewed-on: https://boringssl-review.googlesource.com/15944 Commit-Queue: David Benjamin <davidben@google.com> Commit-Queue: Adam Langley <agl@google.com> Reviewed-by: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> |
||
|---|---|---|
| .. | ||
| blinding.c | ||
| CMakeLists.txt | ||
| internal.h | ||
| padding.c | ||
| rsa_asn1.c | ||
| rsa_impl.c | ||
| rsa_test.cc | ||
| rsa.c | ||