diff --git a/ChangeLog b/ChangeLog index 0884134dd17ffb83befaf6d4799b9346b70d99a1..c64bafb1c1148d5f62de27fe42df3373eafcf2b4 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,16 @@ 2012-04-09 Niels Möller + Timing resistant RSA decryption, based on RSA blinding code + contributed by Nikos Mavrogiannopoulos. + * rsa-decrypt-tr.c (rsa_decrypt_tr): New function. + (rsa_blind): Helper function. + (rsa_unblind): Helper function. + * rsa.h: Declare rsa_decrypt_tr. Some cleanups, no longer include + nettle-meta.h, more consistent declrations of function pointer + arguments. + * testsuite/rsa-encrypt-test.c (test_main): Test rsa_encrypt_tr. + Check for writes past the end of the message area. + * Makefile.in (hogweed_SOURCES): Added pkcs1-decrypt.c. * rsa-decrypt.c (rsa_decrypt): Use pkcs1_decrypt. * pkcs1-decrypt.c (pkcs1_decrypt): New file and function, diff --git a/Makefile.in b/Makefile.in index cc36a6722c96112a694cb607237dbfeb432853b0..2e7b7fc3e22f68c491f402e184a8a9c64c1474d5 100644 --- a/Makefile.in +++ b/Makefile.in @@ -106,7 +106,7 @@ hogweed_SOURCES = sexp.c sexp-format.c \ rsa-sha1-sign.c rsa-sha1-verify.c \ rsa-sha256-sign.c rsa-sha256-verify.c \ rsa-sha512-sign.c rsa-sha512-verify.c \ - rsa-encrypt.c rsa-decrypt.c \ + rsa-encrypt.c rsa-decrypt.c rsa-decrypt-tr.c \ rsa-keygen.c rsa-compat.c \ rsa2sexp.c sexp2rsa.c \ dsa.c dsa-sign.c dsa-verify.c dsa-keygen.c \ diff --git a/rsa-decrypt-tr.c b/rsa-decrypt-tr.c new file mode 100644 index 0000000000000000000000000000000000000000..d2e760366896a2a1556287fbfd1b8a2475b2e486 --- /dev/null +++ b/rsa-decrypt-tr.c @@ -0,0 +1,93 @@ +/* rsa-decrypt-tr.c + * + * RSA decryption, using randomized RSA blinding to be more resistant + * to timing attacks. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2001, 2012 Niels Möller, Nikos Mavrogiannopoulos + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, + * MA 02111-1307, USA. + */ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include "rsa.h" + +#include "bignum.h" +#include "pkcs1.h" + +/* Blinds the c, by computing c *= r^e (mod n), for a random r. Also + returns the inverse (ri), for use by rsa_unblind. */ +static void +rsa_blind (const struct rsa_public_key *pub, + void *random_ctx, nettle_random_func random, + mpz_t c, mpz_t ri) +{ + mpz_t r; + + mpz_init(r); + + /* c = c*(r^e) + * ri = r^(-1) + */ + do + { + nettle_mpz_random(r, random_ctx, random, pub->n); + /* invert r */ + } + while (!mpz_invert (ri, r, pub->n)); + + /* c = c*(r^e) mod n */ + mpz_powm(r, r, pub->e, pub->n); + mpz_mul(c, c, r); + mpz_fdiv_r(c, c, pub->n); + + mpz_clear(r); +} + +/* c *= ri mod n */ +static void +rsa_unblind (const struct rsa_public_key *pub, mpz_t c, const mpz_t ri) +{ + mpz_mul(c, c, ri); + mpz_fdiv_r(c, c, pub->n); +} + +int +rsa_decrypt_tr(const struct rsa_public_key *pub, + const struct rsa_private_key *key, + void *random_ctx, nettle_random_func random, + unsigned *length, uint8_t *message, + const mpz_t gibberish) +{ + mpz_t m, ri; + int res; + + mpz_init_set(m, gibberish); + mpz_init (ri); + + rsa_blind (pub, random_ctx, random, m, ri); + rsa_compute_root(key, m, m); + rsa_unblind (pub, m, ri); + + res = pkcs1_decrypt (key->size, m, length, message); + mpz_clear(m); + return res; +} diff --git a/rsa.h b/rsa.h index a4ef8355dda0ae268eb63fb1ad368b148160ee4e..9dc7fe2bf57a5696cdf408ff068f5d07a4b60582 100644 --- a/rsa.h +++ b/rsa.h @@ -32,9 +32,6 @@ #include "md5.h" #include "sha.h" -/* For nettle_random_func */ -#include "nettle-meta.h" - #ifdef __cplusplus extern "C" { #endif @@ -64,6 +61,7 @@ extern "C" { #define rsa_sha512_verify_digest nettle_rsa_sha512_verify_digest #define rsa_encrypt nettle_rsa_encrypt #define rsa_decrypt nettle_rsa_decrypt +#define rsa_decrypt_tr nettle_rsa_decrypt_tr #define rsa_compute_root nettle_rsa_compute_root #define rsa_generate_keypair nettle_rsa_generate_keypair #define rsa_keypair_to_sexp nettle_rsa_keypair_to_sexp @@ -260,7 +258,7 @@ rsa_sha512_verify_digest(const struct rsa_public_key *key, int rsa_encrypt(const struct rsa_public_key *key, /* For padding */ - void *random_ctx, nettle_random_func random, + void *random_ctx, nettle_random_func *random, unsigned length, const uint8_t *cleartext, mpz_t cipher); @@ -274,6 +272,14 @@ rsa_decrypt(const struct rsa_private_key *key, unsigned *length, uint8_t *cleartext, const mpz_t ciphertext); +/* Timing-resistant version, using randomized RSA blinding. */ +int +rsa_decrypt_tr(const struct rsa_public_key *pub, + const struct rsa_private_key *key, + void *random_ctx, nettle_random_func *random, + unsigned *length, uint8_t *message, + const mpz_t gibberish); + /* Compute x, the e:th root of m. Calling it with x == m is allowed. */ void rsa_compute_root(const struct rsa_private_key *key, @@ -287,8 +293,8 @@ int rsa_generate_keypair(struct rsa_public_key *pub, struct rsa_private_key *key, - void *random_ctx, nettle_random_func random, - void *progress_ctx, nettle_progress_func progress, + void *random_ctx, nettle_random_func *random, + void *progress_ctx, nettle_progress_func *progress, /* Desired size of modulo, in bits */ unsigned n_size, diff --git a/testsuite/rsa-encrypt-test.c b/testsuite/rsa-encrypt-test.c index c009b75aaf18dd6f6a98e31427b4e8c9c39f26ed..29e57cf005c16c0a115dec6ad737bea2ff5d6dbe 100644 --- a/testsuite/rsa-encrypt-test.c +++ b/testsuite/rsa-encrypt-test.c @@ -16,7 +16,8 @@ test_main(void) uint8_t *decrypted; unsigned decrypted_length; - + uint8_t after; + mpz_t gibberish; rsa_private_key_init(&key); @@ -45,6 +46,9 @@ test_main(void) decrypted = xalloc(msg_length + 1); + knuth_lfib_random (&lfib, msg_length + 1, decrypted); + after = decrypted[msg_length]; + decrypted_length = msg_length - 1; ASSERT(!rsa_decrypt(&key, &decrypted_length, decrypted, gibberish)); @@ -52,12 +56,28 @@ test_main(void) ASSERT(rsa_decrypt(&key, &decrypted_length, decrypted, gibberish)); ASSERT(decrypted_length == msg_length); ASSERT(MEMEQ(msg_length, msg, decrypted)); + ASSERT(decrypted[msg_length] == after); + + knuth_lfib_random (&lfib, msg_length + 1, decrypted); + after = decrypted[msg_length]; decrypted_length = key.size; ASSERT(rsa_decrypt(&key, &decrypted_length, decrypted, gibberish)); ASSERT(decrypted_length == msg_length); ASSERT(MEMEQ(msg_length, msg, decrypted)); + ASSERT(decrypted[msg_length] == after); + knuth_lfib_random (&lfib, msg_length + 1, decrypted); + after = decrypted[msg_length]; + + decrypted_length = msg_length; + ASSERT(rsa_decrypt_tr(&pub, &key, + &lfib, (nettle_random_func *) knuth_lfib_random, + &decrypted_length, decrypted, gibberish)); + ASSERT(decrypted_length == msg_length); + ASSERT(MEMEQ(msg_length, msg, decrypted)); + ASSERT(decrypted[msg_length] == after); + rsa_private_key_clear(&key); rsa_public_key_clear(&pub); mpz_clear(gibberish);