2015-09-14 Niels Möller <nisse@lysator.liu.se>
+ * rsa-sign-tr.c (rsa_blind, rsa_unblind): Moved here, made static,
+ dropped leading underscore.
+ * rsa-blind.c: Deleted file.
+ * rsa.h: Deleted coresponding declarations.
+
* rsa-decrypt-tr.c (rsa_decrypt_tr): Use rsa_compute_root_tr.
Mainly for simplicity and consistency, I'm not aware of any CRT
fault attacks on RSA decryption.
rsa-sha256-sign.c rsa-sha256-verify.c \
rsa-sha512-sign.c rsa-sha512-verify.c \
rsa-encrypt.c rsa-decrypt.c rsa-decrypt-tr.c \
- rsa-keygen.c rsa-blind.c \
+ rsa-keygen.c \
rsa2sexp.c sexp2rsa.c \
dsa.c dsa-compat.c dsa-compat-keygen.c dsa-gen-params.c \
dsa-sign.c dsa-verify.c dsa-keygen.c dsa-hash.c \
+++ /dev/null
-/* rsa-blind.c
-
- RSA blinding. Used for resistance to timing-attacks.
-
- Copyright (C) 2001, 2012 Niels Möller, Nikos Mavrogiannopoulos
-
- This file is part of GNU Nettle.
-
- GNU Nettle is free software: you can redistribute it and/or
- modify it under the terms of either:
-
- * the GNU Lesser General Public License as published by the Free
- Software Foundation; either version 3 of the License, or (at your
- option) any later version.
-
- or
-
- * the GNU General Public License as published by the Free
- Software Foundation; either version 2 of the License, or (at your
- option) any later version.
-
- or both in parallel, as here.
-
- GNU Nettle is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- General Public License for more details.
-
- You should have received copies of the GNU General Public License and
- the GNU Lesser General Public License along with this program. If
- not, see http://www.gnu.org/licenses/.
-*/
-
-#if HAVE_CONFIG_H
-# include "config.h"
-#endif
-
-#include "rsa.h"
-
-#include "bignum.h"
-
-/* Blinds m, by computing c = m r^e (mod n), for a random r. Also
- returns the inverse (ri), for use by rsa_unblind. */
-void
-_rsa_blind (const struct rsa_public_key *pub,
- void *random_ctx, nettle_random_func *random,
- mpz_t c, mpz_t ri, const mpz_t m)
-{
- mpz_t r;
-
- mpz_init(r);
-
- /* c = m*(r^e)
- * ri = r^(-1)
- */
- do
- {
- nettle_mpz_random(r, random_ctx, random, pub->n);
- /* invert r */
- }
- while (!mpz_invert (ri, r, pub->n));
-
- /* c = c*(r^e) mod n */
- mpz_powm(r, r, pub->e, pub->n);
- mpz_mul(c, m, r);
- mpz_fdiv_r(c, c, pub->n);
-
- mpz_clear(r);
-}
-
-/* m = c ri mod n */
-void
-_rsa_unblind (const struct rsa_public_key *pub,
- mpz_t m, const mpz_t ri, const mpz_t c)
-{
- mpz_mul(m, c, ri);
- mpz_fdiv_r(m, m, pub->n);
-}
Creating RSA signatures, with some additional checks.
- Copyright (C) 2015 Niels Möller
+ Copyright (C) 2001, 2015 Niels Möller
+ Copyright (C) 2012 Nikos Mavrogiannopoulos
This file is part of GNU Nettle.
#include "rsa.h"
+/* Blinds m, by computing c = m r^e (mod n), for a random r. Also
+ returns the inverse (ri), for use by rsa_unblind. */
+static void
+rsa_blind (const struct rsa_public_key *pub,
+ void *random_ctx, nettle_random_func *random,
+ mpz_t c, mpz_t ri, const mpz_t m)
+{
+ mpz_t r;
+
+ mpz_init(r);
+
+ /* c = m*(r^e)
+ * ri = r^(-1)
+ */
+ do
+ {
+ nettle_mpz_random(r, random_ctx, random, pub->n);
+ /* invert r */
+ }
+ while (!mpz_invert (ri, r, pub->n));
+
+ /* c = c*(r^e) mod n */
+ mpz_powm(r, r, pub->e, pub->n);
+ mpz_mul(c, m, r);
+ mpz_fdiv_r(c, c, pub->n);
+
+ mpz_clear(r);
+}
+
+/* m = c ri mod n */
+static void
+rsa_unblind (const struct rsa_public_key *pub,
+ mpz_t m, const mpz_t ri, const mpz_t c)
+{
+ mpz_mul(m, c, ri);
+ mpz_fdiv_r(m, m, pub->n);
+}
+
/* Checks for any errors done in the RSA computation. That avoids
* attacks which rely on faults on hardware, or even software MPI
* implementation. */
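Review bot: The comment above `mpz_powm` in the new `rsa_blind` reads `/* c = c*(r^e) mod n */` while the code computes `mpz_mul(c, m, r)`, so it should read `/* c = m*(r^e) mod n */`; likewise `/* invert r */` sits inside the do-body although the inversion happens in the `while (!mpz_invert (ri, r, pub->n))` condition, so it belongs on that line or folded into the loop header as `/* pick r until it is invertible mod n; ri = r^(-1) */`. The code is now static and private to this file, so this is a natural moment to correct the comments copied verbatim from the deleted rsa-blind.c. Separately, `mpz_clear(r)` releases the blinding factor without wiping it and GMP's default allocator does not zeroize, so if the project wants r (and the caller's ri) not to linger in freed memory it would have to clear the limbs explicitly before `mpz_clear`; that is a pre-existing property of the moved code rather than something this commit introduces.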
mpz_init (ri);
mpz_init (t);
- _rsa_blind (pub, random_ctx, random, mb, ri, m);
+ rsa_blind (pub, random_ctx, random, mb, ri, m);
rsa_compute_root (key, xb, mb);
res = (mpz_cmp(mb, t) == 0);
if (res)
- _rsa_unblind (pub, x, ri, xb);
+ rsa_unblind (pub, x, ri, xb);
mpz_clear (mb);
mpz_clear (xb);
#define rsa_keypair_to_openpgp nettle_rsa_keypair_to_openpgp
#define _rsa_verify _nettle_rsa_verify
#define _rsa_check_size _nettle_rsa_check_size
-#define _rsa_blind _nettle_rsa_blind
-#define _rsa_unblind _nettle_rsa_unblind
/* This limit is somewhat arbitrary. Technically, the smallest modulo
which makes sense at all is 15 = 3*5, phi(15) = 8, size 4 bits. But
size_t
_rsa_check_size(mpz_t n);
-void
-_rsa_blind (const struct rsa_public_key *pub,
- void *random_ctx, nettle_random_func *random,
- mpz_t c, mpz_t ri, const mpz_t m);
-void
-_rsa_unblind (const struct rsa_public_key *pub,
- mpz_t m, const mpz_t ri, const mpz_t c);
-
#ifdef __cplusplus
}
#endif