Skip to content
GitLab
Projects
Groups
Snippets
Help
Loading...
Help
Help
Support
Community forum
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
N
nettle
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Service Desk
Milestones
Merge Requests
0
Merge Requests
0
Operations
Operations
Incidents
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Wim Lewis
nettle
Commits
17a0f7e8
Commit
17a0f7e8
authored
Apr 09, 2012
by
Niels Möller
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Implemented rsa_decrypt_tr, based on RSA blinding code
contributed by Nikos Mavrogiannopoulos.
parent
479aafcc
Changes
5
Hide whitespace changes
Inline
Side-by-side
Showing
5 changed files
with
138 additions
and
8 deletions
+138
-8
ChangeLog
ChangeLog
+11
-0
Makefile.in
Makefile.in
+1
-1
rsa-decrypt-tr.c
rsa-decrypt-tr.c
+93
-0
rsa.h
rsa.h
+12
-6
testsuite/rsa-encrypt-test.c
testsuite/rsa-encrypt-test.c
+21
-1
No files found.
ChangeLog
View file @
17a0f7e8
2012-04-09 Niels Möller <nisse@lysator.liu.se>
Timing resistant RSA decryption, based on RSA blinding code
contributed by Nikos Mavrogiannopoulos.
* rsa-decrypt-tr.c (rsa_decrypt_tr): New function.
(rsa_blind): Helper function.
(rsa_unblind): Helper function.
* rsa.h: Declare rsa_decrypt_tr. Some cleanups, no longer include
nettle-meta.h, more consistent declrations of function pointer
arguments.
* testsuite/rsa-encrypt-test.c (test_main): Test rsa_encrypt_tr.
Check for writes past the end of the message area.
* Makefile.in (hogweed_SOURCES): Added pkcs1-decrypt.c.
* rsa-decrypt.c (rsa_decrypt): Use pkcs1_decrypt.
* pkcs1-decrypt.c (pkcs1_decrypt): New file and function,
...
...
Makefile.in
View file @
17a0f7e8
...
...
@@ -106,7 +106,7 @@ hogweed_SOURCES = sexp.c sexp-format.c \
rsa-sha1-sign.c rsa-sha1-verify.c
\
rsa-sha256-sign.c rsa-sha256-verify.c
\
rsa-sha512-sign.c rsa-sha512-verify.c
\
rsa-encrypt.c rsa-decrypt.c
\
rsa-encrypt.c rsa-decrypt.c
rsa-decrypt-tr.c
\
rsa-keygen.c rsa-compat.c
\
rsa2sexp.c sexp2rsa.c
\
dsa.c dsa-sign.c dsa-verify.c dsa-keygen.c
\
...
...
rsa-decrypt-tr.c
0 → 100644
View file @
17a0f7e8
/* rsa-decrypt-tr.c
*
* RSA decryption, using randomized RSA blinding to be more resistant
* to timing attacks.
*/
/* nettle, low-level cryptographics library
*
* Copyright (C) 2001, 2012 Niels Möller, Nikos Mavrogiannopoulos
*
* The nettle library is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 2.1 of the License, or (at your
* option) any later version.
*
* The nettle library is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public
* License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with the nettle library; see the file COPYING.LIB. If not, write to
* the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
* MA 02111-1307, USA.
*/
#if HAVE_CONFIG_H
# include "config.h"
#endif
#include "rsa.h"
#include "bignum.h"
#include "pkcs1.h"
/* Blinds the c, by computing c *= r^e (mod n), for a random r. Also
returns the inverse (ri), for use by rsa_unblind. */
static
void
rsa_blind
(
const
struct
rsa_public_key
*
pub
,
void
*
random_ctx
,
nettle_random_func
random
,
mpz_t
c
,
mpz_t
ri
)
{
mpz_t
r
;
mpz_init
(
r
);
/* c = c*(r^e)
* ri = r^(-1)
*/
do
{
nettle_mpz_random
(
r
,
random_ctx
,
random
,
pub
->
n
);
/* invert r */
}
while
(
!
mpz_invert
(
ri
,
r
,
pub
->
n
));
/* c = c*(r^e) mod n */
mpz_powm
(
r
,
r
,
pub
->
e
,
pub
->
n
);
mpz_mul
(
c
,
c
,
r
);
mpz_fdiv_r
(
c
,
c
,
pub
->
n
);
mpz_clear
(
r
);
}
/* c *= ri mod n */
static
void
rsa_unblind
(
const
struct
rsa_public_key
*
pub
,
mpz_t
c
,
const
mpz_t
ri
)
{
mpz_mul
(
c
,
c
,
ri
);
mpz_fdiv_r
(
c
,
c
,
pub
->
n
);
}
int
rsa_decrypt_tr
(
const
struct
rsa_public_key
*
pub
,
const
struct
rsa_private_key
*
key
,
void
*
random_ctx
,
nettle_random_func
random
,
unsigned
*
length
,
uint8_t
*
message
,
const
mpz_t
gibberish
)
{
mpz_t
m
,
ri
;
int
res
;
mpz_init_set
(
m
,
gibberish
);
mpz_init
(
ri
);
rsa_blind
(
pub
,
random_ctx
,
random
,
m
,
ri
);
rsa_compute_root
(
key
,
m
,
m
);
rsa_unblind
(
pub
,
m
,
ri
);
res
=
pkcs1_decrypt
(
key
->
size
,
m
,
length
,
message
);
mpz_clear
(
m
);
return
res
;
}
rsa.h
View file @
17a0f7e8
...
...
@@ -32,9 +32,6 @@
#include "md5.h"
#include "sha.h"
/* For nettle_random_func */
#include "nettle-meta.h"
#ifdef __cplusplus
extern
"C"
{
#endif
...
...
@@ -64,6 +61,7 @@ extern "C" {
#define rsa_sha512_verify_digest nettle_rsa_sha512_verify_digest
#define rsa_encrypt nettle_rsa_encrypt
#define rsa_decrypt nettle_rsa_decrypt
#define rsa_decrypt_tr nettle_rsa_decrypt_tr
#define rsa_compute_root nettle_rsa_compute_root
#define rsa_generate_keypair nettle_rsa_generate_keypair
#define rsa_keypair_to_sexp nettle_rsa_keypair_to_sexp
...
...
@@ -260,7 +258,7 @@ rsa_sha512_verify_digest(const struct rsa_public_key *key,
int
rsa_encrypt
(
const
struct
rsa_public_key
*
key
,
/* For padding */
void
*
random_ctx
,
nettle_random_func
random
,
void
*
random_ctx
,
nettle_random_func
*
random
,
unsigned
length
,
const
uint8_t
*
cleartext
,
mpz_t
cipher
);
...
...
@@ -274,6 +272,14 @@ rsa_decrypt(const struct rsa_private_key *key,
unsigned
*
length
,
uint8_t
*
cleartext
,
const
mpz_t
ciphertext
);
/* Timing-resistant version, using randomized RSA blinding. */
int
rsa_decrypt_tr
(
const
struct
rsa_public_key
*
pub
,
const
struct
rsa_private_key
*
key
,
void
*
random_ctx
,
nettle_random_func
*
random
,
unsigned
*
length
,
uint8_t
*
message
,
const
mpz_t
gibberish
);
/* Compute x, the e:th root of m. Calling it with x == m is allowed. */
void
rsa_compute_root
(
const
struct
rsa_private_key
*
key
,
...
...
@@ -287,8 +293,8 @@ int
rsa_generate_keypair
(
struct
rsa_public_key
*
pub
,
struct
rsa_private_key
*
key
,
void
*
random_ctx
,
nettle_random_func
random
,
void
*
progress_ctx
,
nettle_progress_func
progress
,
void
*
random_ctx
,
nettle_random_func
*
random
,
void
*
progress_ctx
,
nettle_progress_func
*
progress
,
/* Desired size of modulo, in bits */
unsigned
n_size
,
...
...
testsuite/rsa-encrypt-test.c
View file @
17a0f7e8
...
...
@@ -16,7 +16,8 @@ test_main(void)
uint8_t
*
decrypted
;
unsigned
decrypted_length
;
uint8_t
after
;
mpz_t
gibberish
;
rsa_private_key_init
(
&
key
);
...
...
@@ -45,6 +46,9 @@ test_main(void)
decrypted
=
xalloc
(
msg_length
+
1
);
knuth_lfib_random
(
&
lfib
,
msg_length
+
1
,
decrypted
);
after
=
decrypted
[
msg_length
];
decrypted_length
=
msg_length
-
1
;
ASSERT
(
!
rsa_decrypt
(
&
key
,
&
decrypted_length
,
decrypted
,
gibberish
));
...
...
@@ -52,12 +56,28 @@ test_main(void)
ASSERT
(
rsa_decrypt
(
&
key
,
&
decrypted_length
,
decrypted
,
gibberish
));
ASSERT
(
decrypted_length
==
msg_length
);
ASSERT
(
MEMEQ
(
msg_length
,
msg
,
decrypted
));
ASSERT
(
decrypted
[
msg_length
]
==
after
);
knuth_lfib_random
(
&
lfib
,
msg_length
+
1
,
decrypted
);
after
=
decrypted
[
msg_length
];
decrypted_length
=
key
.
size
;
ASSERT
(
rsa_decrypt
(
&
key
,
&
decrypted_length
,
decrypted
,
gibberish
));
ASSERT
(
decrypted_length
==
msg_length
);
ASSERT
(
MEMEQ
(
msg_length
,
msg
,
decrypted
));
ASSERT
(
decrypted
[
msg_length
]
==
after
);
knuth_lfib_random
(
&
lfib
,
msg_length
+
1
,
decrypted
);
after
=
decrypted
[
msg_length
];
decrypted_length
=
msg_length
;
ASSERT
(
rsa_decrypt_tr
(
&
pub
,
&
key
,
&
lfib
,
(
nettle_random_func
*
)
knuth_lfib_random
,
&
decrypted_length
,
decrypted
,
gibberish
));
ASSERT
(
decrypted_length
==
msg_length
);
ASSERT
(
MEMEQ
(
msg_length
,
msg
,
decrypted
));
ASSERT
(
decrypted
[
msg_length
]
==
after
);
rsa_private_key_clear
(
&
key
);
rsa_public_key_clear
(
&
pub
);
mpz_clear
(
gibberish
);
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
.
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment