diff options
author | Niels Möller <nisse@lysator.liu.se> | 2015-11-15 14:50:57 +0100 |
---|---|---|
committer | Niels Möller <nisse@lysator.liu.se> | 2015-11-15 14:50:57 +0100 |
commit | fae2c01f58b609d9cedb36ea5b8d416dbf6f9fe8 (patch) | |
tree | 9248a9fc4957728ffbaad93c196a7acf6bd6a534 | |
parent | dc03f267483e8fc7aa10316db9fbb60235d83461 (diff) | |
download | nettle-rsa-crt-hardening.tar.gz |
Revert deletion of _rsa_blind and _rsa_unblind.rsa-crt-hardening
-rw-r--r-- | ChangeLog | 6 | ||||
-rw-r--r-- | Makefile.in | 2 | ||||
-rw-r--r-- | rsa-blind.c | 77 | ||||
-rw-r--r-- | rsa.h | 11 |
4 files changed, 95 insertions, 1 deletions
@@ -1,3 +1,9 @@ +2015-11-15 Niels Möller <nisse@lysator.liu.se> + + * rsa-blind.c: Revert delete in 2015-09-14 change. + * rsa.h: Undo deletions. + * Makefile.in (hogweed_SOURCES): Readded rsa-blind.c. + 2015-09-17 Niels Möller <nisse@lysator.liu.se> * rsa-md5-sign-tr.c (rsa_md5_sign_tr, rsa_md5_sign_digest_tr): New diff --git a/Makefile.in b/Makefile.in index bda83829..9d47552b 100644 --- a/Makefile.in +++ b/Makefile.in @@ -151,7 +151,7 @@ hogweed_SOURCES = sexp.c sexp-format.c \ rsa-sha256-sign.c rsa-sha256-sign-tr.c rsa-sha256-verify.c \ rsa-sha512-sign.c rsa-sha512-sign-tr.c rsa-sha512-verify.c \ rsa-encrypt.c rsa-decrypt.c rsa-decrypt-tr.c \ - rsa-keygen.c \ + rsa-keygen.c rsa-blind.c \ rsa2sexp.c sexp2rsa.c \ dsa.c dsa-compat.c dsa-compat-keygen.c dsa-gen-params.c \ dsa-sign.c dsa-verify.c dsa-keygen.c dsa-hash.c \ diff --git a/rsa-blind.c b/rsa-blind.c new file mode 100644 index 00000000..7662f503 --- /dev/null +++ b/rsa-blind.c @@ -0,0 +1,77 @@ +/* rsa-blind.c + + RSA blinding. Used for resistance to timing-attacks. + + Copyright (C) 2001, 2012 Niels Möller, Nikos Mavrogiannopoulos + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include "rsa.h" + +#include "bignum.h" + +/* Blinds the c, by computing c *= r^e (mod n), for a random r. Also + returns the inverse (ri), for use by rsa_unblind. */ +void +_rsa_blind (const struct rsa_public_key *pub, + void *random_ctx, nettle_random_func *random, + mpz_t c, mpz_t ri) +{ + mpz_t r; + + mpz_init(r); + + /* c = c*(r^e) + * ri = r^(-1) + */ + do + { + nettle_mpz_random(r, random_ctx, random, pub->n); + /* invert r */ + } + while (!mpz_invert (ri, r, pub->n)); + + /* c = c*(r^e) mod n */ + mpz_powm(r, r, pub->e, pub->n); + mpz_mul(c, c, r); + mpz_fdiv_r(c, c, pub->n); + + mpz_clear(r); +} + +/* c *= ri mod n */ +void +_rsa_unblind (const struct rsa_public_key *pub, mpz_t c, const mpz_t ri) +{ + mpz_mul(c, c, ri); + mpz_fdiv_r(c, c, pub->n); +} @@ -94,6 +94,8 @@ extern "C" { #define rsa_keypair_to_openpgp nettle_rsa_keypair_to_openpgp #define _rsa_verify _nettle_rsa_verify #define _rsa_check_size _nettle_rsa_check_size +#define _rsa_blind _nettle_rsa_blind +#define _rsa_unblind _nettle_rsa_unblind /* This limit is somewhat arbitrary. Technically, the smallest modulo which makes sense at all is 15 = 3*5, phi(15) = 8, size 4 bits. But @@ -481,6 +483,15 @@ _rsa_verify(const struct rsa_public_key *key, size_t _rsa_check_size(mpz_t n); +/* _rsa_blind and _rsa_unblind are deprecated, unused in the library, + and will likely be removed with the next ABI break. */ +void +_rsa_blind (const struct rsa_public_key *pub, + void *random_ctx, nettle_random_func *random, + mpz_t c, mpz_t ri); +void +_rsa_unblind (const struct rsa_public_key *pub, mpz_t c, const mpz_t ri); + #ifdef __cplusplus } #endif |