Commit 17a0f7e8 authored by Niels Möller's avatar Niels Möller

Implemented rsa_decrypt_tr, based on RSA blinding code

contributed by Nikos Mavrogiannopoulos.
parent 479aafcc
2012-04-09 Niels Möller <nisse@lysator.liu.se>
Timing resistant RSA decryption, based on RSA blinding code
contributed by Nikos Mavrogiannopoulos.
* rsa-decrypt-tr.c (rsa_decrypt_tr): New function.
(rsa_blind): Helper function.
(rsa_unblind): Helper function.
* rsa.h: Declare rsa_decrypt_tr. Some cleanups, no longer include
nettle-meta.h, more consistent declrations of function pointer
arguments.
* testsuite/rsa-encrypt-test.c (test_main): Test rsa_encrypt_tr.
Check for writes past the end of the message area.
* Makefile.in (hogweed_SOURCES): Added pkcs1-decrypt.c.
* rsa-decrypt.c (rsa_decrypt): Use pkcs1_decrypt.
* pkcs1-decrypt.c (pkcs1_decrypt): New file and function,
......
......@@ -106,7 +106,7 @@ hogweed_SOURCES = sexp.c sexp-format.c \
rsa-sha1-sign.c rsa-sha1-verify.c \
rsa-sha256-sign.c rsa-sha256-verify.c \
rsa-sha512-sign.c rsa-sha512-verify.c \
rsa-encrypt.c rsa-decrypt.c \
rsa-encrypt.c rsa-decrypt.c rsa-decrypt-tr.c \
rsa-keygen.c rsa-compat.c \
rsa2sexp.c sexp2rsa.c \
dsa.c dsa-sign.c dsa-verify.c dsa-keygen.c \
......
/* rsa-decrypt-tr.c
*
* RSA decryption, using randomized RSA blinding to be more resistant
* to timing attacks.
*/
/* nettle, low-level cryptographics library
*
* Copyright (C) 2001, 2012 Niels Möller, Nikos Mavrogiannopoulos
*
* The nettle library is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 2.1 of the License, or (at your
* option) any later version.
*
* The nettle library is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public
* License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with the nettle library; see the file COPYING.LIB. If not, write to
* the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
* MA 02111-1307, USA.
*/
#if HAVE_CONFIG_H
# include "config.h"
#endif
#include "rsa.h"
#include "bignum.h"
#include "pkcs1.h"
/* Blinds the c, by computing c *= r^e (mod n), for a random r. Also
returns the inverse (ri), for use by rsa_unblind. */
static void
rsa_blind (const struct rsa_public_key *pub,
void *random_ctx, nettle_random_func random,
mpz_t c, mpz_t ri)
{
mpz_t r;
mpz_init(r);
/* c = c*(r^e)
* ri = r^(-1)
*/
do
{
nettle_mpz_random(r, random_ctx, random, pub->n);
/* invert r */
}
while (!mpz_invert (ri, r, pub->n));
/* c = c*(r^e) mod n */
mpz_powm(r, r, pub->e, pub->n);
mpz_mul(c, c, r);
mpz_fdiv_r(c, c, pub->n);
mpz_clear(r);
}
/* c *= ri mod n */
static void
rsa_unblind (const struct rsa_public_key *pub, mpz_t c, const mpz_t ri)
{
mpz_mul(c, c, ri);
mpz_fdiv_r(c, c, pub->n);
}
int
rsa_decrypt_tr(const struct rsa_public_key *pub,
const struct rsa_private_key *key,
void *random_ctx, nettle_random_func random,
unsigned *length, uint8_t *message,
const mpz_t gibberish)
{
mpz_t m, ri;
int res;
mpz_init_set(m, gibberish);
mpz_init (ri);
rsa_blind (pub, random_ctx, random, m, ri);
rsa_compute_root(key, m, m);
rsa_unblind (pub, m, ri);
res = pkcs1_decrypt (key->size, m, length, message);
mpz_clear(m);
return res;
}
......@@ -32,9 +32,6 @@
#include "md5.h"
#include "sha.h"
/* For nettle_random_func */
#include "nettle-meta.h"
#ifdef __cplusplus
extern "C" {
#endif
......@@ -64,6 +61,7 @@ extern "C" {
#define rsa_sha512_verify_digest nettle_rsa_sha512_verify_digest
#define rsa_encrypt nettle_rsa_encrypt
#define rsa_decrypt nettle_rsa_decrypt
#define rsa_decrypt_tr nettle_rsa_decrypt_tr
#define rsa_compute_root nettle_rsa_compute_root
#define rsa_generate_keypair nettle_rsa_generate_keypair
#define rsa_keypair_to_sexp nettle_rsa_keypair_to_sexp
......@@ -260,7 +258,7 @@ rsa_sha512_verify_digest(const struct rsa_public_key *key,
int
rsa_encrypt(const struct rsa_public_key *key,
/* For padding */
void *random_ctx, nettle_random_func random,
void *random_ctx, nettle_random_func *random,
unsigned length, const uint8_t *cleartext,
mpz_t cipher);
......@@ -274,6 +272,14 @@ rsa_decrypt(const struct rsa_private_key *key,
unsigned *length, uint8_t *cleartext,
const mpz_t ciphertext);
/* Timing-resistant version, using randomized RSA blinding. */
int
rsa_decrypt_tr(const struct rsa_public_key *pub,
const struct rsa_private_key *key,
void *random_ctx, nettle_random_func *random,
unsigned *length, uint8_t *message,
const mpz_t gibberish);
/* Compute x, the e:th root of m. Calling it with x == m is allowed. */
void
rsa_compute_root(const struct rsa_private_key *key,
......@@ -287,8 +293,8 @@ int
rsa_generate_keypair(struct rsa_public_key *pub,
struct rsa_private_key *key,
void *random_ctx, nettle_random_func random,
void *progress_ctx, nettle_progress_func progress,
void *random_ctx, nettle_random_func *random,
void *progress_ctx, nettle_progress_func *progress,
/* Desired size of modulo, in bits */
unsigned n_size,
......
......@@ -16,7 +16,8 @@ test_main(void)
uint8_t *decrypted;
unsigned decrypted_length;
uint8_t after;
mpz_t gibberish;
rsa_private_key_init(&key);
......@@ -45,6 +46,9 @@ test_main(void)
decrypted = xalloc(msg_length + 1);
knuth_lfib_random (&lfib, msg_length + 1, decrypted);
after = decrypted[msg_length];
decrypted_length = msg_length - 1;
ASSERT(!rsa_decrypt(&key, &decrypted_length, decrypted, gibberish));
......@@ -52,12 +56,28 @@ test_main(void)
ASSERT(rsa_decrypt(&key, &decrypted_length, decrypted, gibberish));
ASSERT(decrypted_length == msg_length);
ASSERT(MEMEQ(msg_length, msg, decrypted));
ASSERT(decrypted[msg_length] == after);
knuth_lfib_random (&lfib, msg_length + 1, decrypted);
after = decrypted[msg_length];
decrypted_length = key.size;
ASSERT(rsa_decrypt(&key, &decrypted_length, decrypted, gibberish));
ASSERT(decrypted_length == msg_length);
ASSERT(MEMEQ(msg_length, msg, decrypted));
ASSERT(decrypted[msg_length] == after);
knuth_lfib_random (&lfib, msg_length + 1, decrypted);
after = decrypted[msg_length];
decrypted_length = msg_length;
ASSERT(rsa_decrypt_tr(&pub, &key,
&lfib, (nettle_random_func *) knuth_lfib_random,
&decrypted_length, decrypted, gibberish));
ASSERT(decrypted_length == msg_length);
ASSERT(MEMEQ(msg_length, msg, decrypted));
ASSERT(decrypted[msg_length] == after);
rsa_private_key_clear(&key);
rsa_public_key_clear(&pub);
mpz_clear(gibberish);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment