Implemented rsa_decrypt_tr, based on RSA blinding code

contributed by Nikos Mavrogiannopoulos.

ChangeLog

 2012-04-09  Niels Möller  <nisse@lysator.liu.se>
 
+	Timing resistant RSA decryption, based on RSA blinding code
+	contributed by Nikos Mavrogiannopoulos.
+	* rsa-decrypt-tr.c (rsa_decrypt_tr): New function.
+	(rsa_blind): Helper function.
+	(rsa_unblind): Helper function.
+	* rsa.h: Declare rsa_decrypt_tr. Some cleanups, no longer include
+	nettle-meta.h, more consistent declrations of function pointer
+	arguments.
+	* testsuite/rsa-encrypt-test.c (test_main): Test rsa_encrypt_tr.
+	Check for writes past the end of the message area.
+
 	* Makefile.in (hogweed_SOURCES): Added pkcs1-decrypt.c.
 	* rsa-decrypt.c (rsa_decrypt): Use pkcs1_decrypt.
 	* pkcs1-decrypt.c (pkcs1_decrypt): New file and function,

Makefile.in

@@ -106,7 +106,7 @@ hogweed_SOURCES = sexp.c sexp-format.c \
 		  rsa-sha1-sign.c rsa-sha1-verify.c \
 		  rsa-sha256-sign.c rsa-sha256-verify.c \
 		  rsa-sha512-sign.c rsa-sha512-verify.c \
-		  rsa-encrypt.c rsa-decrypt.c \
+		  rsa-encrypt.c rsa-decrypt.c rsa-decrypt-tr.c \
 		  rsa-keygen.c rsa-compat.c \
 		  rsa2sexp.c sexp2rsa.c \
 		  dsa.c dsa-sign.c dsa-verify.c dsa-keygen.c \

rsa-decrypt-tr.c

+/* rsa-decrypt-tr.c
+ *
+ * RSA decryption, using randomized RSA blinding to be more resistant
+ * to timing attacks.
+ */
+
+/* nettle, low-level cryptographics library
+ *
+ * Copyright (C) 2001, 2012 Niels Möller, Nikos Mavrogiannopoulos
+ *  
+ * The nettle library is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation; either version 2.1 of the License, or (at your
+ * option) any later version.
+ * 
+ * The nettle library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public
+ * License for more details.
+ * 
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with the nettle library; see the file COPYING.LIB.  If not, write to
+ * the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
+ * MA 02111-1307, USA.
+ */
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include "rsa.h"
+
+#include "bignum.h"
+#include "pkcs1.h"
+
+/* Blinds the c, by computing c *= r^e (mod n), for a random r. Also
+   returns the inverse (ri), for use by rsa_unblind. */
+static void
+rsa_blind (const struct rsa_public_key *pub,
+	   void *random_ctx, nettle_random_func random,
+	   mpz_t c, mpz_t ri)
+{
+  mpz_t r;
+
+  mpz_init(r);
+
+  /* c = c*(r^e)
+   * ri = r^(-1)
+   */
+  do 
+    {
+      nettle_mpz_random(r, random_ctx, random, pub->n);
+      /* invert r */
+    }
+  while (!mpz_invert (ri, r, pub->n));
+
+  /* c = c*(r^e) mod n */
+  mpz_powm(r, r, pub->e, pub->n);
+  mpz_mul(c, c, r);
+  mpz_fdiv_r(c, c, pub->n);
+
+  mpz_clear(r);
+}
+
+/* c *= ri mod n */
+static void
+rsa_unblind (const struct rsa_public_key *pub, mpz_t c, const mpz_t ri)
+{
+  mpz_mul(c, c, ri);
+  mpz_fdiv_r(c, c, pub->n);
+}
+
+int
+rsa_decrypt_tr(const struct rsa_public_key *pub,
+	       const struct rsa_private_key *key,
+	       void *random_ctx, nettle_random_func random,	       
+	       unsigned *length, uint8_t *message,
+	       const mpz_t gibberish)
+{
+  mpz_t m, ri;
+  int res;
+
+  mpz_init_set(m, gibberish);
+  mpz_init (ri);
+
+  rsa_blind (pub, random_ctx, random, m, ri);
+  rsa_compute_root(key, m, m);
+  rsa_unblind (pub, m, ri);
+  
+  res = pkcs1_decrypt (key->size, m, length, message);
+  mpz_clear(m);
+  return res;
+}

rsa.h

@@ -32,9 +32,6 @@
 #include "md5.h"
 #include "sha.h"
 
-/* For nettle_random_func */
-#include "nettle-meta.h"
-
 #ifdef __cplusplus
 extern "C" {
 #endif
@@ -64,6 +61,7 @@ extern "C" {
 #define rsa_sha512_verify_digest nettle_rsa_sha512_verify_digest
 #define rsa_encrypt nettle_rsa_encrypt
 #define rsa_decrypt nettle_rsa_decrypt
+#define rsa_decrypt_tr nettle_rsa_decrypt_tr
 #define rsa_compute_root nettle_rsa_compute_root
 #define rsa_generate_keypair nettle_rsa_generate_keypair
 #define rsa_keypair_to_sexp nettle_rsa_keypair_to_sexp
@@ -260,7 +258,7 @@ rsa_sha512_verify_digest(const struct rsa_public_key *key,
 int
 rsa_encrypt(const struct rsa_public_key *key,
 	    /* For padding */
-	    void *random_ctx, nettle_random_func random,
+	    void *random_ctx, nettle_random_func *random,
 	    unsigned length, const uint8_t *cleartext,
 	    mpz_t cipher);
 
@@ -274,6 +272,14 @@ rsa_decrypt(const struct rsa_private_key *key,
 	    unsigned *length, uint8_t *cleartext,
 	    const mpz_t ciphertext);
 
+/* Timing-resistant version, using randomized RSA blinding. */
+int
+rsa_decrypt_tr(const struct rsa_public_key *pub,
+	       const struct rsa_private_key *key,
+	       void *random_ctx, nettle_random_func *random,	       
+	       unsigned *length, uint8_t *message,
+	       const mpz_t gibberish);
+
 /* Compute x, the e:th root of m. Calling it with x == m is allowed. */
 void
 rsa_compute_root(const struct rsa_private_key *key,
@@ -287,8 +293,8 @@ int
 rsa_generate_keypair(struct rsa_public_key *pub,
 		     struct rsa_private_key *key,
 
-		     void *random_ctx, nettle_random_func random,
-		     void *progress_ctx, nettle_progress_func progress,
+		     void *random_ctx, nettle_random_func *random,
+		     void *progress_ctx, nettle_progress_func *progress,
 
 		     /* Desired size of modulo, in bits */
 		     unsigned n_size,

testsuite/rsa-encrypt-test.c

@@ -16,7 +16,8 @@ test_main(void)
 
   uint8_t *decrypted;
   unsigned decrypted_length;
-  
+  uint8_t after;
+
   mpz_t gibberish;
 
   rsa_private_key_init(&key);
@@ -45,6 +46,9 @@ test_main(void)
   
   decrypted = xalloc(msg_length + 1);
 
+  knuth_lfib_random (&lfib, msg_length + 1, decrypted);
+  after = decrypted[msg_length];
+  
   decrypted_length = msg_length - 1;
   ASSERT(!rsa_decrypt(&key, &decrypted_length, decrypted, gibberish));
 
@@ -52,12 +56,28 @@ test_main(void)
   ASSERT(rsa_decrypt(&key, &decrypted_length, decrypted, gibberish));
   ASSERT(decrypted_length == msg_length);
   ASSERT(MEMEQ(msg_length, msg, decrypted));
+  ASSERT(decrypted[msg_length] == after);
+
+  knuth_lfib_random (&lfib, msg_length + 1, decrypted);
+  after = decrypted[msg_length];
 
   decrypted_length = key.size;
   ASSERT(rsa_decrypt(&key, &decrypted_length, decrypted, gibberish));
   ASSERT(decrypted_length == msg_length);
   ASSERT(MEMEQ(msg_length, msg, decrypted));
+  ASSERT(decrypted[msg_length] == after);
   
+  knuth_lfib_random (&lfib, msg_length + 1, decrypted);
+  after = decrypted[msg_length];
+
+  decrypted_length = msg_length;
+  ASSERT(rsa_decrypt_tr(&pub, &key,
+			&lfib, (nettle_random_func *) knuth_lfib_random,
+			&decrypted_length, decrypted, gibberish));
+  ASSERT(decrypted_length == msg_length);
+  ASSERT(MEMEQ(msg_length, msg, decrypted));
+  ASSERT(decrypted[msg_length] == after);
+
   rsa_private_key_clear(&key);
   rsa_public_key_clear(&pub);
   mpz_clear(gibberish);