17a0f7e8
Commit
17a0f7e8
authored
Apr 09, 2012
by
Niels Möller
Implemented rsa_decrypt_tr, based on RSA blinding code
contributed by Nikos Mavrogiannopoulos.
parent
479aafcc
Changes
5
Showing
5 changed files
with
138 additions
and
8 deletions
+138
-8
ChangeLog
ChangeLog
+11
-0
Makefile.in
Makefile.in
+1
-1
rsa-decrypt-tr.c
rsa-decrypt-tr.c
+93
-0
rsa.h
rsa.h
+12
-6
testsuite/rsa-encrypt-test.c
testsuite/rsa-encrypt-test.c
+21
-1
ChangeLog
2012-04-09 Niels Möller <nisse@lysator.liu.se>
Timing resistant RSA decryption, based on RSA blinding code
contributed by Nikos Mavrogiannopoulos.
* rsa-decrypt-tr.c (rsa_decrypt_tr): New function.
(rsa_blind): Helper function.
(rsa_unblind): Helper function.
* rsa.h: Declare rsa_decrypt_tr. Some cleanups, no longer include
nettle-meta.h, more consistent declrations of function pointer
arguments.
* testsuite/rsa-encrypt-test.c (test_main): Test rsa_encrypt_tr.
Check for writes past the end of the message area.
* Makefile.in (hogweed_SOURCES): Added pkcs1-decrypt.c.
* rsa-decrypt.c (rsa_decrypt): Use pkcs1_decrypt.
* pkcs1-decrypt.c (pkcs1_decrypt): New file and function,
...
...
Makefile.in
...
...
@@ -106,7 +106,7 @@ hogweed_SOURCES = sexp.c sexp-format.c \
rsa-sha1-sign.c rsa-sha1-verify.c
\
rsa-sha256-sign.c rsa-sha256-verify.c
\
rsa-sha512-sign.c rsa-sha512-verify.c
\
rsa-encrypt.c rsa-decrypt.c
\
rsa-encrypt.c rsa-decrypt.c
rsa-decrypt-tr.c
\
rsa-keygen.c rsa-compat.c
\
rsa2sexp.c sexp2rsa.c
\
dsa.c dsa-sign.c dsa-verify.c dsa-keygen.c
\
...
...
rsa-decrypt-tr.c
0 → 100644
/* rsa-decrypt-tr.c
*
* RSA decryption, using randomized RSA blinding to be more resistant
* to timing attacks.
*/
/* nettle, low-level cryptographics library
*
* Copyright (C) 2001, 2012 Niels Möller, Nikos Mavrogiannopoulos
*
* The nettle library is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 2.1 of the License, or (at your
* option) any later version.
*
* The nettle library is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public
* License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with the nettle library; see the file COPYING.LIB. If not, write to
* the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
* MA 02111-1307, USA.
*/
#if HAVE_CONFIG_H
# include "config.h"
#endif
#include "rsa.h"
#include "bignum.h"
#include "pkcs1.h"
/* Blinds the c, by computing c *= r^e (mod n), for a random r. Also
returns the inverse (ri), for use by rsa_unblind. */
static
void
rsa_blind
(
const
struct
rsa_public_key
*
pub
,
void
*
random_ctx
,
nettle_random_func
random
,
mpz_t
c
,
mpz_t
ri
)
{
mpz_t
r
;
mpz_init
(
r
);
/* c = c*(r^e)
* ri = r^(-1)
*/
do
{
nettle_mpz_random
(
r
,
random_ctx
,
random
,
pub
->
n
);
/* invert r */
}
while
(
!
mpz_invert
(
ri
,
r
,
pub
->
n
));
/* c = c*(r^e) mod n */
mpz_powm
(
r
,
r
,
pub
->
e
,
pub
->
n
);
mpz_mul
(
c
,
c
,
r
);
mpz_fdiv_r
(
c
,
c
,
pub
->
n
);
mpz_clear
(
r
);
}
/* c *= ri mod n */
static
void
rsa_unblind
(
const
struct
rsa_public_key
*
pub
,
mpz_t
c
,
const
mpz_t
ri
)
{
mpz_mul
(
c
,
c
,
ri
);
mpz_fdiv_r
(
c
,
c
,
pub
->
n
);
}
int
rsa_decrypt_tr
(
const
struct
rsa_public_key
*
pub
,
const
struct
rsa_private_key
*
key
,
void
*
random_ctx
,
nettle_random_func
random
,
unsigned
*
length
,
uint8_t
*
message
,
const
mpz_t
gibberish
)
{
mpz_t
m
,
ri
;
int
res
;
mpz_init_set
(
m
,
gibberish
);
mpz_init
(
ri
);
rsa_blind
(
pub
,
random_ctx
,
random
,
m
,
ri
);
rsa_compute_root
(
key
,
m
,
m
);
rsa_unblind
(
pub
,
m
,
ri
);
res
=
pkcs1_decrypt
(
key
->
size
,
m
,
length
,
message
);
mpz_clear
(
m
);
return
res
;
}
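Review bot: `ri` is initialised with `mpz_init (ri)` in rsa_decrypt_tr, but only `m` is released before `return res`, so the blinding inverse leaks one mpz_t per decryption and its limbs remain in the heap; add `mpz_clear (ri);` beside `mpz_clear (m);` (note that mpz_clear frees but does not zeroise, so the unblinding factor may still linger in freed memory afterwards). Both rsa_blind and rsa_decrypt_tr declare the callback as `nettle_random_func random`, while this same commit changes rsa.h to `nettle_random_func *random`; the two forms are compatible after parameter adjustment, but the definitions should be written `nettle_random_func *random` to match the header the ChangeLog says was made consistent. The file comment promises resistance to timing attacks, so it would help to say in the rsa_decrypt_tr comment that the blinding covers only the rsa_compute_root call, and that the subsequent pkcs1_decrypt padding check (not part of this file) is presumably not covered by it and stays a separate concern. rsa_blind also relies on `random` producing an unpredictable r, which the comment should state as a requirement on the caller's generator.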
rsa.h
...
...
@@ -32,9 +32,6 @@
#include "md5.h"
#include "sha.h"
/* For nettle_random_func */
#include "nettle-meta.h"
#ifdef __cplusplus
extern
"C"
{
#endif
...
...
@@ -64,6 +61,7 @@ extern "C" {
#define rsa_sha512_verify_digest nettle_rsa_sha512_verify_digest
#define rsa_encrypt nettle_rsa_encrypt
#define rsa_decrypt nettle_rsa_decrypt
#define rsa_decrypt_tr nettle_rsa_decrypt_tr
#define rsa_compute_root nettle_rsa_compute_root
#define rsa_generate_keypair nettle_rsa_generate_keypair
#define rsa_keypair_to_sexp nettle_rsa_keypair_to_sexp
...
...
@@ -260,7 +258,7 @@ rsa_sha512_verify_digest(const struct rsa_public_key *key,
int
rsa_encrypt
(
const
struct
rsa_public_key
*
key
,
/* For padding */
void
*
random_ctx
,
nettle_random_func
random
,
void
*
random_ctx
,
nettle_random_func
*
random
,
unsigned
length
,
const
uint8_t
*
cleartext
,
mpz_t
cipher
);
...
...
@@ -274,6 +272,14 @@ rsa_decrypt(const struct rsa_private_key *key,
unsigned
*
length
,
uint8_t
*
cleartext
,
const
mpz_t
ciphertext
);
/* Timing-resistant version, using randomized RSA blinding. */
int
rsa_decrypt_tr
(
const
struct
rsa_public_key
*
pub
,
const
struct
rsa_private_key
*
key
,
void
*
random_ctx
,
nettle_random_func
*
random
,
unsigned
*
length
,
uint8_t
*
message
,
const
mpz_t
gibberish
);
/* Compute x, the e:th root of m. Calling it with x == m is allowed. */
void
rsa_compute_root
(
const
struct
rsa_private_key
*
key
,
...
...
@@ -287,8 +293,8 @@ int
rsa_generate_keypair
(
struct
rsa_public_key
*
pub
,
struct
rsa_private_key
*
key
,
void
*
random_ctx
,
nettle_random_func
random
,
void
*
progress_ctx
,
nettle_progress_func
progress
,
void
*
random_ctx
,
nettle_random_func
*
random
,
void
*
progress_ctx
,
nettle_progress_func
*
progress
,
/* Desired size of modulo, in bits */
unsigned
n_size
,
...
...
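Review bot: The new rsa_decrypt_tr declaration in the `@@ -274,6 +272,14 @@` hunk carries only `Timing-resistant version, using randomized RSA blinding.`, which leaves out the contract a caller needs: that `pub` and `key` must belong to the same keypair (rsa-decrypt-tr.c blinds with pub->e modulo pub->n and takes the root with key, so a mismatch silently produces garbage rather than an error), that `random` must be a cryptographically strong generator because the blinding factor is drawn from it, and that `*length` is in/out — judging by the testsuite, the buffer size on entry and the message length on success, with a too-small buffer making the call fail. A comment along the lines of `/* Timing-resistant version, using randomized RSA blinding. pub and key must be the same keypair; random must be cryptographically strong. *length is the buffer size on input and the message length on success. */` would cover that. Separately, the `@@ -32,9 +32,6 @@` hunk drops the `#include "nettle-meta.h"` whose removed comment says it supplied nettle_random_func, yet the declarations below still use that type; presumably another header already included by rsa.h now defines it, but that cannot be confirmed from this hunk.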
testsuite/rsa-encrypt-test.c
...
...
@@ -16,7 +16,8 @@ test_main(void)
uint8_t
*
decrypted
;
unsigned
decrypted_length
;
uint8_t
after
;
mpz_t
gibberish
;
rsa_private_key_init
(
&
key
);
...
...
@@ -45,6 +46,9 @@ test_main(void)
decrypted
=
xalloc
(
msg_length
+
1
);
knuth_lfib_random
(
&
lfib
,
msg_length
+
1
,
decrypted
);
after
=
decrypted
[
msg_length
];
decrypted_length
=
msg_length
-
1
;
ASSERT
(
!
rsa_decrypt
(
&
key
,
&
decrypted_length
,
decrypted
,
gibberish
));
...
...
@@ -52,12 +56,28 @@ test_main(void)
ASSERT
(
rsa_decrypt
(
&
key
,
&
decrypted_length
,
decrypted
,
gibberish
));
ASSERT
(
decrypted_length
==
msg_length
);
ASSERT
(
MEMEQ
(
msg_length
,
msg
,
decrypted
));
ASSERT
(
decrypted
[
msg_length
]
==
after
);
knuth_lfib_random
(
&
lfib
,
msg_length
+
1
,
decrypted
);
after
=
decrypted
[
msg_length
];
decrypted_length
=
key
.
size
;
ASSERT
(
rsa_decrypt
(
&
key
,
&
decrypted_length
,
decrypted
,
gibberish
));
ASSERT
(
decrypted_length
==
msg_length
);
ASSERT
(
MEMEQ
(
msg_length
,
msg
,
decrypted
));
ASSERT
(
decrypted
[
msg_length
]
==
after
);
knuth_lfib_random
(
&
lfib
,
msg_length
+
1
,
decrypted
);
after
=
decrypted
[
msg_length
];
decrypted_length
=
msg_length
;
ASSERT
(
rsa_decrypt_tr
(
&
pub
,
&
key
,
&
lfib
,
(
nettle_random_func
*
)
knuth_lfib_random
,
&
decrypted_length
,
decrypted
,
gibberish
));
ASSERT
(
decrypted_length
==
msg_length
);
ASSERT
(
MEMEQ
(
msg_length
,
msg
,
decrypted
));
ASSERT
(
decrypted
[
msg_length
]
==
after
);
rsa_private_key_clear
(
&
key
);
rsa_public_key_clear
(
&
pub
);
mpz_clear
(
gibberish
);
...
...
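Review bot: The rsa_decrypt_tr check added at the end of the last hunk only exercises the exact-size buffer (`decrypted_length = msg_length`), whereas the rsa_decrypt checks above it also cover a too-small buffer (`msg_length - 1`, expected to fail) and an oversized one (`key.size`); since the write-past-the-end guard via `after` is the point of this commit and the blinded path ends in the same pkcs1_decrypt, the negative case should be repeated for it: `decrypted_length = msg_length - 1;` then `ASSERT(!rsa_decrypt_tr(&pub, &key, &lfib, (nettle_random_func *) knuth_lfib_random, &decrypted_length, decrypted, gibberish));` followed by the same `ASSERT(decrypted[msg_length] == after);`. The `after` byte is re-seeded from knuth_lfib_random before each call, which is good; the new block should keep that pattern. test_main starts outside this hunk, and its remainder after `mpz_clear (gibberish)` is not shown.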