authorNiels Möller <nisse@lysator.liu.se>2015-11-15 14:50:57 +0100
committerNiels Möller <nisse@lysator.liu.se>2015-11-15 14:50:57 +0100
commitfae2c01f58b609d9cedb36ea5b8d416dbf6f9fe8 (patch)
tree9248a9fc4957728ffbaad93c196a7acf6bd6a534
parentdc03f267483e8fc7aa10316db9fbb60235d83461 (diff)
Revert deletion of _rsa_blind and _rsa_unblind.rsa-crt-hardening
-rw-r--r--ChangeLog6
-rw-r--r--Makefile.in2
-rw-r--r--rsa-blind.c77
-rw-r--r--rsa.h11
4 files changed, 95 insertions, 1 deletions
diff --git a/ChangeLog b/ChangeLog
index c3fe41c8..d22b5532 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2015-11-15 Niels Möller <nisse@lysator.liu.se>
+
+ * rsa-blind.c: Revert delete in 2015-09-14 change.
+ * rsa.h: Undo deletions.
+ * Makefile.in (hogweed_SOURCES): Readded rsa-blind.c.
+
2015-09-17 Niels Möller <nisse@lysator.liu.se>
* rsa-md5-sign-tr.c (rsa_md5_sign_tr, rsa_md5_sign_digest_tr): New
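--- a/Makefile.in
+++ b/Makefile.in
@@ -151,7 +151,7 @@ hogweed_SOURCES = sexp.c sexp-format.c \
 rsa-sha256-sign.c rsa-sha256-sign-tr.c rsa-sha256-verify.c \
 rsa-sha512-sign.c rsa-sha512-sign-tr.c rsa-sha512-verify.c \
 rsa-encrypt.c rsa-decrypt.c rsa-decrypt-tr.c \
- rsa-keygen.c \
+ rsa-keygen.c rsa-blind.c \
 rsa2sexp.c sexp2rsa.c \
 dsa.c dsa-compat.c dsa-compat-keygen.c dsa-gen-params.c \
 dsa-sign.c dsa-verify.c dsa-keygen.c dsa-hash.c \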
diff --git a/rsa-blind.c b/rsa-blind.c
new file mode 100644
index 00000000..7662f503
--- /dev/null
+++ b/rsa-blind.c
@@ -0,0 +1,77 @@
+/* rsa-blind.c
+
+ RSA blinding. Used for resistance to timing-attacks.
+
+ Copyright (C) 2001, 2012 Niels Möller, Nikos Mavrogiannopoulos
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 2 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include "rsa.h"
+
+#include "bignum.h"
+
+/* Blinds the c, by computing c *= r^e (mod n), for a random r. Also
+ returns the inverse (ri), for use by rsa_unblind. */
+void
+_rsa_blind (const struct rsa_public_key *pub,
+ void *random_ctx, nettle_random_func *random,
+ mpz_t c, mpz_t ri)
+{
+ mpz_t r;
+
+ mpz_init(r);
+
+ /* c = c*(r^e)
+ * ri = r^(-1)
+ */
+ do
+ {
+ nettle_mpz_random(r, random_ctx, random, pub->n);
+ /* invert r */
+ }
+ while (!mpz_invert (ri, r, pub->n));
+
+ /* c = c*(r^e) mod n */
+ mpz_powm(r, r, pub->e, pub->n);
+ mpz_mul(c, c, r);
+ mpz_fdiv_r(c, c, pub->n);
+
+ mpz_clear(r);
+}
+
+/* c *= ri mod n */
+void
+_rsa_unblind (const struct rsa_public_key *pub, mpz_t c, const mpz_t ri)
+{
+ mpz_mul(c, c, ri);
+ mpz_fdiv_r(c, c, pub->n);
+}
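Review bot: The `/* invert r */` comment inside the do-body of `_rsa_blind` is stale — the body only draws `r`, and the inversion is the loop condition on the following `while` line — and the file header comment says nothing about the deprecation that the rsa.h declaration in this same commit announces. I would replace that comment with one on the loop itself, `/* retry until r is invertible mod n; mpz_invert fails for r == 0 or gcd(r, n) != 1 */`, and add a sentence to the header block saying these helpers are deprecated and unused in the library, matching the rsa.h comment, so a reader of the .c file does not take them for current API. The blinding factor `r` is released with `mpz_clear`, which frees the limbs without overwriting them; if this tree has a zeroising clear for mpz values, using it here seems preferable, since `r` and `ri` are secrets for the lifetime of the blinded operation — worth confirming what is available before changing it.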
diff --git a/rsa.h b/rsa.h
index 539bb44d..6d2574bc 100644
--- a/rsa.h
+++ b/rsa.h
@@ -94,6 +94,8 @@ extern "C" {
#define rsa_keypair_to_openpgp nettle_rsa_keypair_to_openpgp
#define _rsa_verify _nettle_rsa_verify
#define _rsa_check_size _nettle_rsa_check_size
+#define _rsa_blind _nettle_rsa_blind
+#define _rsa_unblind _nettle_rsa_unblind
/* This limit is somewhat arbitrary. Technically, the smallest modulo
which makes sense at all is 15 = 3*5, phi(15) = 8, size 4 bits. But
@@ -481,6 +483,15 @@ _rsa_verify(const struct rsa_public_key *key,
size_t
_rsa_check_size(mpz_t n);
+/* _rsa_blind and _rsa_unblind are deprecated, unused in the library,
+ and will likely be removed with the next ABI break. */
+void
+_rsa_blind (const struct rsa_public_key *pub,
+ void *random_ctx, nettle_random_func *random,
+ mpz_t c, mpz_t ri);
+void
+_rsa_unblind (const struct rsa_public_key *pub, mpz_t c, const mpz_t ri);
+
#ifdef __cplusplus
}
#endif
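Review bot: The restored prototypes of `_rsa_blind` and `_rsa_unblind` in the second hunk document the deprecation but not the calling contract that the implementation in rsa-blind.c fixes: `c` is updated in place, and `ri` is written by `mpz_invert` without being initialised, so the caller must have called `mpz_init` on it and must pass that same `ri` to `_rsa_unblind`. I would extend the comment above the declarations with `c is blinded in place; ri must be initialised by the caller, receives r^-1 mod n, and is the value to pass to _rsa_unblind; random must return enough bytes for a value below pub->n.` The first hunk only restores the `_nettle_` symbol aliases and needs no change beyond that.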