"Fossies" - the Fresh Open Source Software Archive  

Source code changes of the file "rsa-sign-tr.c" between
nettle-3.7.2.tar.gz and nettle-3.7.3.tar.gz

About: Nettle is a low-level cryptographic library.

rsa-sign-tr.c  (nettle-3.7.2):rsa-sign-tr.c  (nettle-3.7.3)
skipping to change at line 134 skipping to change at line 134
mpz_clear (ri); mpz_clear (ri);
mpz_clear (t); mpz_clear (t);
return res; return res;
} }
int int
_rsa_sec_compute_root_tr(const struct rsa_public_key *pub, _rsa_sec_compute_root_tr(const struct rsa_public_key *pub,
const struct rsa_private_key *key, const struct rsa_private_key *key,
void *random_ctx, nettle_random_func *random, void *random_ctx, nettle_random_func *random,
mp_limb_t *x, const mp_limb_t *m, size_t mn) mp_limb_t *x, const mp_limb_t *m)
{ {
mp_size_t nn;
mpz_t mz; mpz_t mz;
mpz_t xz; mpz_t xz;
int res; int res;
mpz_init(mz);
mpz_init(xz); mpz_init(xz);
mpn_copyi(mpz_limbs_write(mz, mn), m, mn); nn = mpz_size (pub->n);
mpz_limbs_finish(mz, mn);
res = rsa_compute_root_tr(pub, key, random_ctx, random, xz, mz); res = rsa_compute_root_tr(pub, key, random_ctx, random, xz,
mpz_roinit_n(mz, m, nn));
if (res) if (res)
mpz_limbs_copy(x, xz, mpz_size(pub->n)); mpz_limbs_copy(x, xz, nn);
mpz_clear(mz);
mpz_clear(xz); mpz_clear(xz);
return res; return res;
} }
#else #else
/* Blinds m, by computing c = m r^e (mod n), for a random r. Also /* Blinds m, by computing c = m r^e (mod n), for a random r. Also
returns the inverse (ri), for use by rsa_unblind. */ returns the inverse (ri), for use by rsa_unblind. Must have c != m,
no in-place operation.*/
static void static void
rsa_sec_blind (const struct rsa_public_key *pub, rsa_sec_blind (const struct rsa_public_key *pub,
void *random_ctx, nettle_random_func *random, void *random_ctx, nettle_random_func *random,
mp_limb_t *c, mp_limb_t *ri, const mp_limb_t *m, mp_limb_t *c, mp_limb_t *ri, const mp_limb_t *m)
mp_size_t mn)
{ {
const mp_limb_t *ep = mpz_limbs_read (pub->e); const mp_limb_t *ep = mpz_limbs_read (pub->e);
const mp_limb_t *np = mpz_limbs_read (pub->n); const mp_limb_t *np = mpz_limbs_read (pub->n);
mp_bitcnt_t ebn = mpz_sizeinbase (pub->e, 2); mp_bitcnt_t ebn = mpz_sizeinbase (pub->e, 2);
mp_size_t nn = mpz_size (pub->n); mp_size_t nn = mpz_size (pub->n);
size_t itch; size_t itch;
size_t i2; size_t i2;
mp_limb_t *scratch; mp_limb_t *scratch;
TMP_GMP_DECL (tp, mp_limb_t); TMP_GMP_DECL (tp, mp_limb_t);
TMP_GMP_DECL (rp, mp_limb_t); TMP_GMP_DECL (rp, mp_limb_t);
TMP_GMP_DECL (r, uint8_t); TMP_GMP_DECL (r, uint8_t);
TMP_GMP_ALLOC (rp, nn); TMP_GMP_ALLOC (rp, nn);
TMP_GMP_ALLOC (r, nn * sizeof(mp_limb_t)); TMP_GMP_ALLOC (r, nn * sizeof(mp_limb_t));
/* c = m*(r^e) mod n */ /* c = m*(r^e) mod n */
itch = mpn_sec_powm_itch(nn, ebn, nn); itch = mpn_sec_powm_itch(nn, ebn, nn);
i2 = mpn_sec_mul_itch(nn, mn); i2 = mpn_sec_mul_itch(nn, nn);
itch = MAX(itch, i2); itch = MAX(itch, i2);
i2 = mpn_sec_div_r_itch(nn + mn, nn); i2 = mpn_sec_div_r_itch(2*nn, nn);
itch = MAX(itch, i2); itch = MAX(itch, i2);
i2 = mpn_sec_invert_itch(nn); i2 = mpn_sec_invert_itch(nn);
itch = MAX(itch, i2); itch = MAX(itch, i2);
TMP_GMP_ALLOC (tp, nn + mn + itch); TMP_GMP_ALLOC (tp, 2*nn + itch);
scratch = tp + nn + mn; scratch = tp + 2*nn;
/* ri = r^(-1) */ /* ri = r^(-1) */
do do
{ {
random(random_ctx, nn * sizeof(mp_limb_t), (uint8_t *)r); random(random_ctx, nn * sizeof(mp_limb_t), (uint8_t *)r);
mpn_set_base256(rp, nn, r, nn * sizeof(mp_limb_t)); mpn_set_base256(rp, nn, r, nn * sizeof(mp_limb_t));
mpn_copyi(tp, rp, nn); mpn_copyi(tp, rp, nn);
/* invert r */ /* invert r */
} }
while (!mpn_sec_invert (ri, tp, np, nn, 2 * nn * GMP_NUMB_BITS, scratch)); while (!mpn_sec_invert (ri, tp, np, nn, 2 * nn * GMP_NUMB_BITS, scratch));
mpn_sec_powm (c, rp, nn, ep, ebn, np, nn, scratch); mpn_sec_powm (c, rp, nn, ep, ebn, np, nn, scratch);
/* normally mn == nn, but m can be smaller in some cases */ mpn_sec_mul (tp, c, nn, m, nn, scratch);
mpn_sec_mul (tp, c, nn, m, mn, scratch); mpn_sec_div_r (tp, 2*nn, np, nn, scratch);
mpn_sec_div_r (tp, nn + mn, np, nn, scratch);
mpn_copyi(c, tp, nn); mpn_copyi(c, tp, nn);
TMP_GMP_FREE (r); TMP_GMP_FREE (r);
TMP_GMP_FREE (rp); TMP_GMP_FREE (rp);
TMP_GMP_FREE (tp); TMP_GMP_FREE (tp);
} }
/* m = c ri mod n */ /* m = c ri mod n. Allows x == c. */
static void static void
rsa_sec_unblind (const struct rsa_public_key *pub, rsa_sec_unblind (const struct rsa_public_key *pub,
mp_limb_t *x, mp_limb_t *ri, const mp_limb_t *c) mp_limb_t *x, mp_limb_t *ri, const mp_limb_t *c)
{ {
const mp_limb_t *np = mpz_limbs_read (pub->n); const mp_limb_t *np = mpz_limbs_read (pub->n);
mp_size_t nn = mpz_size (pub->n); mp_size_t nn = mpz_size (pub->n);
size_t itch; size_t itch;
size_t i2; size_t i2;
mp_limb_t *scratch; mp_limb_t *scratch;
skipping to change at line 302 skipping to change at line 300
/* Checks for any errors done in the RSA computation. That avoids /* Checks for any errors done in the RSA computation. That avoids
* attacks which rely on faults on hardware, or even software MPI * attacks which rely on faults on hardware, or even software MPI
* implementation. * implementation.
* This version is side-channel silent even in case of error, * This version is side-channel silent even in case of error,
* the destination buffer is always overwritten */ * the destination buffer is always overwritten */
int int
_rsa_sec_compute_root_tr(const struct rsa_public_key *pub, _rsa_sec_compute_root_tr(const struct rsa_public_key *pub,
const struct rsa_private_key *key, const struct rsa_private_key *key,
void *random_ctx, nettle_random_func *random, void *random_ctx, nettle_random_func *random,
mp_limb_t *x, const mp_limb_t *m, size_t mn) mp_limb_t *x, const mp_limb_t *m)
{ {
TMP_GMP_DECL (c, mp_limb_t); TMP_GMP_DECL (c, mp_limb_t);
TMP_GMP_DECL (ri, mp_limb_t); TMP_GMP_DECL (ri, mp_limb_t);
TMP_GMP_DECL (scratch, mp_limb_t); TMP_GMP_DECL (scratch, mp_limb_t);
size_t key_limb_size; size_t key_limb_size;
int ret; int ret;
key_limb_size = NETTLE_OCTET_SIZE_TO_LIMB_SIZE(key->size); key_limb_size = mpz_size(pub->n);
/* mpz_powm_sec handles only odd moduli. If p, q or n is even, the /* mpz_powm_sec handles only odd moduli. If p, q or n is even, the
key is invalid and rejected by rsa_private_key_prepare. However, key is invalid and rejected by rsa_private_key_prepare. However,
some applications, notably gnutls, don't use this function, and some applications, notably gnutls, don't use this function, and
we don't want an invalid key to lead to a crash down inside we don't want an invalid key to lead to a crash down inside
mpz_powm_sec. So do an additional check here. */ mpz_powm_sec. So do an additional check here. */
if (mpz_even_p (pub->n) || mpz_even_p (key->p) || mpz_even_p (key->q)) if (mpz_even_p (pub->n) || mpz_even_p (key->p) || mpz_even_p (key->q))
{ {
mpn_zero(x, key_limb_size); mpn_zero(x, key_limb_size);
return 0; return 0;
} }
assert(mpz_size(pub->n) == key_limb_size); assert(mpz_size(pub->n) == key_limb_size);
assert(mn <= key_limb_size);
TMP_GMP_ALLOC (c, key_limb_size); TMP_GMP_ALLOC (c, key_limb_size);
TMP_GMP_ALLOC (ri, key_limb_size); TMP_GMP_ALLOC (ri, key_limb_size);
TMP_GMP_ALLOC (scratch, _rsa_sec_compute_root_itch(key)); TMP_GMP_ALLOC (scratch, _rsa_sec_compute_root_itch(key));
rsa_sec_blind (pub, random_ctx, random, x, ri, m, mn); rsa_sec_blind (pub, random_ctx, random, c, ri, m);
_rsa_sec_compute_root(key, c, x, scratch); _rsa_sec_compute_root(key, x, c, scratch);
ret = rsa_sec_check_root(pub, c, x); ret = rsa_sec_check_root(pub, x, c);
rsa_sec_unblind(pub, x, ri, c); rsa_sec_unblind(pub, x, ri, x);
cnd_mpn_zero(1 - ret, x, key_limb_size); cnd_mpn_zero(1 - ret, x, key_limb_size);
TMP_GMP_FREE (scratch); TMP_GMP_FREE (scratch);
TMP_GMP_FREE (ri); TMP_GMP_FREE (ri);
TMP_GMP_FREE (c); TMP_GMP_FREE (c);
return ret; return ret;
} }
/* Checks for any errors done in the RSA computation. That avoids /* Checks for any errors done in the RSA computation. That avoids
skipping to change at line 360 skipping to change at line 357
* is not completely side-channel silent. There are conditionals * is not completely side-channel silent. There are conditionals
* in buffer copying both in case of success or error. * in buffer copying both in case of success or error.
*/ */
int int
rsa_compute_root_tr(const struct rsa_public_key *pub, rsa_compute_root_tr(const struct rsa_public_key *pub,
const struct rsa_private_key *key, const struct rsa_private_key *key,
void *random_ctx, nettle_random_func *random, void *random_ctx, nettle_random_func *random,
mpz_t x, const mpz_t m) mpz_t x, const mpz_t m)
{ {
TMP_GMP_DECL (l, mp_limb_t); TMP_GMP_DECL (l, mp_limb_t);
mp_size_t nn = mpz_size(pub->n);
int res; int res;
mp_size_t l_size = NETTLE_OCTET_SIZE_TO_LIMB_SIZE(key->size); TMP_GMP_ALLOC (l, nn);
TMP_GMP_ALLOC (l, l_size); mpz_limbs_copy(l, m, nn);
res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, l, res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, l, l);
mpz_limbs_read(m), mpz_size(m));
if (res) { if (res) {
mp_limb_t *xp = mpz_limbs_write (x, l_size); mp_limb_t *xp = mpz_limbs_write (x, nn);
mpn_copyi (xp, l, l_size); mpn_copyi (xp, l, nn);
mpz_limbs_finish (x, l_size); mpz_limbs_finish (x, nn);
} }
TMP_GMP_FREE (l); TMP_GMP_FREE (l);
return res; return res;
} }
#endif #endif
 End of changes. 25 change blocks. 
32 lines changed or deleted 29 lines changed or added

Home  |  About  |  Features  |  All  |  Newest  |  Dox  |  Diffs  |  RSS Feeds  |  Screenshots  |  Comments  |  Imprint  |  Privacy  |  HTTP(S)