From: Niels Möller
Date: Mon, 14 Sep 2015 19:29:59 +0000 (+0200)
Subject: Moved _rsa_blind and _rsa_unblind to rsa-sign-tr.c, and made static.
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=56606478493b531cd317373af573505cda826f30;p=thirdparty%2Fnettle.git
Moved _rsa_blind and _rsa_unblind to rsa-sign-tr.c, and made static.
---
diff --git a/ChangeLog b/ChangeLog
index d199a702..c57b6f7e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,10 @@ 2015-09-14 Niels Möller + * rsa-sign-tr.c (rsa_blind, rsa_unblind): Moved here, made static, + dropped leading underscore. + * rsa-blind.c: Deleted file. + * rsa.h: Deleted coresponding declarations. + * rsa-decrypt-tr.c (rsa_decrypt_tr): Use rsa_compute_root_tr. Mainly for simplicity and consistency, I'm not aware of any CRT fault attacks on RSA decryption.
diff --git a/Makefile.in b/Makefile.in
index 03f1177c..ac24f27c 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -151,7 +151,7 @@ hogweed_SOURCES = sexp.c sexp-format.c \
 rsa-sha256-sign.c rsa-sha256-verify.c \
 rsa-sha512-sign.c rsa-sha512-verify.c \
 rsa-encrypt.c rsa-decrypt.c rsa-decrypt-tr.c \
- rsa-keygen.c rsa-blind.c \
+ rsa-keygen.c \
 rsa2sexp.c sexp2rsa.c \
 dsa.c dsa-compat.c dsa-compat-keygen.c dsa-gen-params.c \
 dsa-sign.c dsa-verify.c dsa-keygen.c dsa-hash.c \
diff --git a/rsa-blind.c b/rsa-blind.c
deleted file mode 100644
index 746ef863..00000000
--- a/rsa-blind.c
+++ /dev/null
@@ -1,78 +0,0 @@ -/* rsa-blind.c - - RSA blinding. Used for resistance to timing-attacks. - - Copyright (C) 2001, 2012 Niels Möller, Nikos Mavrogiannopoulos - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include "rsa.h" - -#include "bignum.h" - -/* Blinds m, by computing c = m r^e (mod n), for a random r. Also - returns the inverse (ri), for use by rsa_unblind. */ -void -_rsa_blind (const struct rsa_public_key *pub, - void *random_ctx, nettle_random_func *random, - mpz_t c, mpz_t ri, const mpz_t m) -{ - mpz_t r; - - mpz_init(r); - - /* c = m*(r^e) - * ri = r^(-1) - */ - do - { - nettle_mpz_random(r, random_ctx, random, pub->n); - /* invert r */ - } - while (!mpz_invert (ri, r, pub->n)); - - /* c = c*(r^e) mod n */ - mpz_powm(r, r, pub->e, pub->n); - mpz_mul(c, m, r); - mpz_fdiv_r(c, c, pub->n); - - mpz_clear(r); -} - -/* m = c ri mod n */ -void -_rsa_unblind (const struct rsa_public_key *pub, - mpz_t m, const mpz_t ri, const mpz_t c) -{ - mpz_mul(m, c, ri); - mpz_fdiv_r(m, m, pub->n); -} 
diff --git a/rsa-sign-tr.c b/rsa-sign-tr.c
index 4e73f8b8..3d80ed4e 100644
--- a/rsa-sign-tr.c
+++ b/rsa-sign-tr.c
@@ -2,7 +2,8 @@
 Creating RSA signatures, with some additional checks.
- Copyright (C) 2015 Niels Möller
+ Copyright (C) 2001, 2015 Niels Möller
+ Copyright (C) 2012 Nikos Mavrogiannopoulos
 This file is part of GNU Nettle.
@@ -37,6 +38,44 @@
 #include "rsa.h"
+/* Blinds m, by computing c = m r^e (mod n), for a random r. Also
+ returns the inverse (ri), for use by rsa_unblind. */
+static void
+rsa_blind (const struct rsa_public_key *pub,
+ void *random_ctx, nettle_random_func *random,
+ mpz_t c, mpz_t ri, const mpz_t m)
+{
+ mpz_t r;
+
+ mpz_init(r);
+
+ /* c = m*(r^e)
+ * ri = r^(-1)
+ */
+ do
+ {
+ nettle_mpz_random(r, random_ctx, random, pub->n);
+ /* invert r */
+ }
+ while (!mpz_invert (ri, r, pub->n));
+
+ /* c = c*(r^e) mod n */
+ mpz_powm(r, r, pub->e, pub->n);
+ mpz_mul(c, m, r);
+ mpz_fdiv_r(c, c, pub->n);
+
+ mpz_clear(r);
+}
+
+/* m = c ri mod n */
+static void
+rsa_unblind (const struct rsa_public_key *pub,
+ mpz_t m, const mpz_t ri, const mpz_t c)
+{
+ mpz_mul(m, c, ri);
+ mpz_fdiv_r(m, m, pub->n);
+}
+
 /* Checks for any errors done in the RSA computation. That avoids
 * attacks which rely on faults on hardware, or even software MPI
 * implementation. */
@@ -54,7 +93,7 @@ rsa_compute_root_tr(const struct rsa_public_key *pub,
 mpz_init (ri);
 mpz_init (t);
- _rsa_blind (pub, random_ctx, random, mb, ri, m);
+ rsa_blind (pub, random_ctx, random, mb, ri, m);
 rsa_compute_root (key, xb, mb);
@@ -62,7 +101,7 @@ rsa_compute_root_tr(const struct rsa_public_key *pub,
 res = (mpz_cmp(mb, t) == 0);
 if (res)
- _rsa_unblind (pub, x, ri, xb);
+ rsa_unblind (pub, x, ri, xb);
 mpz_clear (mb);
 mpz_clear (xb);
diff --git a/rsa.h b/rsa.h
index 43a9c19c..3b5a68a9 100644
--- a/rsa.h
+++ b/rsa.h
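Review bot: `mpz_clear(r)` at the end of the new static rsa_blind releases the blinding factor without overwriting it — GMP's mpz_clear only frees the limb storage — so r, and the inverse ri that the caller presumably clears later, can remain in freed heap memory next to the other secret-dependent intermediates of the private-key operation. Now that these helpers live only in this file, a comment on rsa_blind should record that the blinding state is not scrubbed, e.g. `/* NOTE: mpz_clear() frees but does not wipe r; ri is returned to the caller unscrubbed as well. */`, so anyone hardening this path later knows where to start. Separately, the comment `/* c = c*(r^e) mod n */` above the multiply describes the wrong operand: the call that follows is `mpz_mul(c, m, r)`, so `/* c = m*(r^e) mod n */` matches the code. The `/* invert r */` comment sits inside the do-body while the inversion actually happens in the `while (!mpz_invert (ri, r, pub->n))` condition; moving it onto that line would read more naturally. The rsa_compute_root_tr body touched by the two later hunks starts and ends outside the hunks shown.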
@@ -86,8 +86,6 @@ extern "C" {
 #define rsa_keypair_to_openpgp nettle_rsa_keypair_to_openpgp
 #define _rsa_verify _nettle_rsa_verify
 #define _rsa_check_size _nettle_rsa_check_size
-#define _rsa_blind _nettle_rsa_blind
-#define _rsa_unblind _nettle_rsa_unblind
 /* This limit is somewhat arbitrary. Technically, the smallest modulo which makes sense at all is 15 = 3*5, phi(15) = 8, size 4 bits. But
@@ -421,14 +419,6 @@ _rsa_verify(const struct rsa_public_key *key,
 size_t
 _rsa_check_size(mpz_t n);
-void
-_rsa_blind (const struct rsa_public_key *pub,
- void *random_ctx, nettle_random_func *random,
- mpz_t c, mpz_t ri, const mpz_t m);
-void
-_rsa_unblind (const struct rsa_public_key *pub,
- mpz_t m, const mpz_t ri, const mpz_t c);
-
 #ifdef __cplusplus
 }
 #endif