[Pkg-gnupg-commit] [gnupg1] 12/30: rsa: Add exponent blinding.

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Aug 2 06:35:09 UTC 2017


This is an automated email from the git hooks/post-receive script.

dkg pushed a commit to branch master
in repository gnupg1.

commit 8fd9f72e1b2e578e45c98c978cab4f6d47683d2c
Author: Marcus Brinkmann <mb at g10code.com>
Date:   Fri Jul 7 21:03:10 2017 +0900

    rsa: Add exponent blinding.
    
    * cipher/rsa.c (secret_core_crt): Blind secret D with randomized
    nonce R for mpi_powm computation.
    
    --
    
    Backport of libgcrypt 8725c99ffa41778f382ca97233183bcd687bb0ce.
    
    Signed-off-by: Marcus Brinkmann <mb at g10code.com>
---
 cipher/rsa.c | 33 +++++++++++++++++++++++++++++----
 1 file changed, 29 insertions(+), 4 deletions(-)

diff --git a/cipher/rsa.c b/cipher/rsa.c
index 5efab1d..5d7b4f7 100644
--- a/cipher/rsa.c
+++ b/cipher/rsa.c
@@ -29,6 +29,7 @@
 #include <string.h>
 #include "util.h"
 #include "mpi.h"
+#include "../mpi/mpi-internal.h"
 #include "cipher.h"
 #include "rsa.h"
 
@@ -325,14 +326,38 @@ secret(MPI output, MPI input, RSA_secret_key *skey )
 # endif /* USE_BLINDING */
 
     /* RSA secret operation:  */
-    /* m1 = c ^ (d mod (p-1)) mod p */
+    MPI D_blind = mpi_alloc_secure (nlimbs);
+    MPI rr;
+    unsigned int rr_nbits;
+
+    rr_nbits = mpi_get_nbits (skey->p) / 4;
+    if (rr_nbits < 96)
+      rr_nbits = 96;
+    rr = mpi_alloc_secure ( (rr_nbits + BITS_PER_MPI_LIMB-1)/BITS_PER_MPI_LIMB );
+
+    /* d_blind = (d mod (p-1)) + (p-1) * r            */
+    /* m1 = c ^ d_blind mod p */
+    randomize_mpi (rr, rr_nbits, 0);
+    mpi_set_highbit (rr, rr_nbits - 1);
     mpi_sub_ui( h, skey->p, 1  );
+    mpi_mul ( D_blind, h, rr );
     mpi_fdiv_r( h, skey->d, h );
-    mpi_powm( m1, input, h, skey->p );
-    /* m2 = c ^ (d mod (q-1)) mod q */
+    mpi_add ( D_blind, D_blind, h );
+    mpi_powm ( m1, input, D_blind, skey->p );
+
+    /* d_blind = (d mod (q-1)) + (q-1) * r            */
+    /* m2 = c ^ d_blind mod q */
+    randomize_mpi (rr, rr_nbits, 0);
+    mpi_set_highbit (rr, rr_nbits - 1);
     mpi_sub_ui( h, skey->q, 1  );
+    mpi_mul ( D_blind, h, rr );
     mpi_fdiv_r( h, skey->d, h );
-    mpi_powm( m2, input, h, skey->q );
+    mpi_add ( D_blind, D_blind, h );
+    mpi_powm ( m2, input, D_blind, skey->q );
+
+    mpi_free ( rr );
+    mpi_free ( D_blind );
+
     /* h = u * ( m2 - m1 ) mod q */
     mpi_sub( h, m2, m1 );
     if ( mpi_is_neg( h ) )
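Review bot: The purpose of `mpi_set_highbit (rr, rr_nbits - 1)` after each `randomize_mpi` is not stated and deserves a comment, since it is what makes the blinding useful against length leaks: pinning the top bit gives r, and hence D_blind, a fixed bit length, so the exponent handed to mpi_powm does not vary in size from call to call; suggest `/* Force r to exactly rr_nbits bits so D_blind has a constant length.  */`. The sizing rule `mpi_get_nbits (skey->p) / 4` with a floor of 96 bits is likewise unexplained and reads as magic; a one-line comment that it mirrors the libgcrypt commit named in the description would help. The third argument of `randomize_mpi` is a random-quality level; if `0` is intended as the weak/fast pool (the libgcrypt original uses GCRY_WEAK_RANDOM here, as far as I recall), a comment saying that blinding nonces deliberately do not draw from the strong pool would prevent a later "fix" to a stronger level that slows every signature. `MPI D_blind = mpi_alloc_secure (nlimbs);` is also a declaration placed after statements; if this tree otherwise keeps C89-style declaration placement, move the three declarations to the top of the block. The enclosing `secret` function starts and ends outside the hunk.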



