diff --git a/ChangeLog b/ChangeLog index c2dac5935e98a02e99714333e1e287569a5c4d79..1ad2e53b032285bcd4a3cb5597ee8ecaaa7d3c79 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,10 @@ +2012-06-09 Niels Möller + + * rsa.h (_rsa_blind, _rsa_unblind): Declare functions. + * rsa-blind.c (_rsa_blind, _rsa_unblind): Functions moved to a + separate file, renamed and made non-static. Moved from... + * rsa-decrypt-tr.c: ... here. + 2012-06-03 Niels Möller * testsuite/pkcs1-test.c (test_main): Include leading zero in diff --git a/Makefile.in b/Makefile.in index 58f7831d9455ba050a34dcdce95ca1697ec4db1b..ba0fdb279082c972ce842ade7118e38cf75372a8 100644 --- a/Makefile.in +++ b/Makefile.in @@ -108,7 +108,7 @@ hogweed_SOURCES = sexp.c sexp-format.c \ rsa-sha256-sign.c rsa-sha256-verify.c \ rsa-sha512-sign.c rsa-sha512-verify.c \ rsa-encrypt.c rsa-decrypt.c rsa-decrypt-tr.c \ - rsa-keygen.c rsa-compat.c \ + rsa-keygen.c rsa-compat.c rsa-blind.c \ rsa2sexp.c sexp2rsa.c \ dsa.c dsa-sign.c dsa-verify.c dsa-keygen.c \ dsa-sha1-sign.c dsa-sha1-verify.c \ diff --git a/rsa-blind.c b/rsa-blind.c new file mode 100644 index 0000000000000000000000000000000000000000..eb5d0088806206c41af9520298a16dfa69ded6b6 --- /dev/null +++ b/rsa-blind.c @@ -0,0 +1,69 @@ +/* rsa-blind.c + * + * RSA blinding. It is used for timing resistant decryption or signing. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2001, 2012 Niels Möller, Nikos Mavrogiannopoulos + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, + * MA 02111-1307, USA. + */ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include "rsa.h" + +#include "bignum.h" + +/* Blinds the c, by computing c *= r^e (mod n), for a random r. Also + returns the inverse (ri), for use by rsa_unblind. */ +void +_rsa_blind (const struct rsa_public_key *pub, + void *random_ctx, nettle_random_func random, + mpz_t c, mpz_t ri) +{ + mpz_t r; + + mpz_init(r); + + /* c = c*(r^e) + * ri = r^(-1) + */ + do + { + nettle_mpz_random(r, random_ctx, random, pub->n); + /* invert r */ + } + while (!mpz_invert (ri, r, pub->n)); + + /* c = c*(r^e) mod n */ + mpz_powm(r, r, pub->e, pub->n); + mpz_mul(c, c, r); + mpz_fdiv_r(c, c, pub->n); + + mpz_clear(r); +} + +/* c *= ri mod n */ +void +_rsa_unblind (const struct rsa_public_key *pub, mpz_t c, const mpz_t ri) +{ + mpz_mul(c, c, ri); + mpz_fdiv_r(c, c, pub->n); +} diff --git a/rsa-decrypt-tr.c b/rsa-decrypt-tr.c index d130a0690713b80c393a644f78c00cef30e4d76e..1e21e985bf75bd46300d0f593aefa0ee94349c57 100644 --- a/rsa-decrypt-tr.c +++ b/rsa-decrypt-tr.c @@ -33,47 +33,10 @@ #include "bignum.h" #include "pkcs1.h" -/* Blinds the c, by computing c *= r^e (mod n), for a random r. Also - returns the inverse (ri), for use by rsa_unblind. */ -static void -rsa_blind (const struct rsa_public_key *pub, - void *random_ctx, nettle_random_func random, - mpz_t c, mpz_t ri) -{ - mpz_t r; - - mpz_init(r); - - /* c = c*(r^e) - * ri = r^(-1) - */ - do - { - nettle_mpz_random(r, random_ctx, random, pub->n); - /* invert r */ - } - while (!mpz_invert (ri, r, pub->n)); - - /* c = c*(r^e) mod n */ - mpz_powm(r, r, pub->e, pub->n); - mpz_mul(c, c, r); - mpz_fdiv_r(c, c, pub->n); - - mpz_clear(r); -} - -/* c *= ri mod n */ -static void -rsa_unblind (const struct rsa_public_key *pub, mpz_t c, const mpz_t ri) -{ - mpz_mul(c, c, ri); - mpz_fdiv_r(c, c, pub->n); -} - int rsa_decrypt_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, - void *random_ctx, nettle_random_func random, + void *random_ctx, nettle_random_func random, unsigned *length, uint8_t *message, const mpz_t gibberish) { @@ -83,9 +46,9 @@ rsa_decrypt_tr(const struct rsa_public_key *pub, mpz_init_set(m, gibberish); mpz_init (ri); - rsa_blind (pub, random_ctx, random, m, ri); + _rsa_blind (pub, random_ctx, random, m, ri); rsa_compute_root(key, m, m); - rsa_unblind (pub, m, ri); + _rsa_unblind (pub, m, ri); mpz_clear (ri); res = pkcs1_decrypt (key->size, m, length, message); diff --git a/rsa.h b/rsa.h index 9dc7fe2bf57a5696cdf408ff068f5d07a4b60582..1b975ab8cad5f4bf2ca07f904317cf692a9b080c 100644 --- a/rsa.h +++ b/rsa.h @@ -73,6 +73,8 @@ extern "C" { #define rsa_keypair_to_openpgp nettle_rsa_keypair_to_openpgp #define _rsa_verify _nettle_rsa_verify #define _rsa_check_size _nettle_rsa_check_size +#define _rsa_blind _nettle_rsa_blind +#define _rsa_unblind _nettle_rsa_unblind /* This limit is somewhat arbitrary. Technically, the smallest modulo which makes sense at all is 15 = 3*5, phi(15) = 8, size 4 bits. But @@ -383,6 +385,13 @@ _rsa_verify(const struct rsa_public_key *key, unsigned _rsa_check_size(mpz_t n); +void +_rsa_blind (const struct rsa_public_key *pub, + void *random_ctx, nettle_random_func random, + mpz_t c, mpz_t ri); +void +_rsa_unblind (const struct rsa_public_key *pub, mpz_t c, const mpz_t ri); + #ifdef __cplusplus } #endif