yuzu-emu/mbedtls
1
0
Fork 0
mirror of https://github.com/yuzu-emu/mbedtls.git synced 2024-11-23 06:45:38 +01:00
Code Issues Packages Projects Releases Wiki Activity

Changed RSA blinding to a slower but thread-safe version

Browse Source
This commit is contained in:
Paul Bakker 2013-10-07 12:03:59 +02:00
parent adace27ec9
commit 6b06502c4b
3 changed files with 21 additions and 53 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
ChangeLog
View File

@ -1,6 +1,9 @@
PolarSSL ChangeLog
= Version 1.2.10 released 2013-10-04
= Version 1.2.10 released 2013-10-07
Changes
* Changed RSA blinding to a slower but thread-safe version
Bugfix
* Fixed memory leak in RSA as a result of introduction of blinding
* Fixed ssl_pkcs11_decrypt() prototype

5
include/polarssl/rsa.h
View File

@ -151,11 +151,6 @@ typedef struct
mpi RP; /*!< cached R^2 mod P */
mpi RQ; /*!< cached R^2 mod Q */
#if !defined(POLARSSL_RSA_NO_CRT)
mpi Vi; /*!< cached blinding value */
mpi Vf; /*!< cached un-blinding value */
#endif
int padding; /*!< RSA_PKCS_V15 for 1.5 padding and
RSA_PKCS_v21 for OAEP/PSS */
int hash_id; /*!< Hash identifier of md_type_t as

64
library/rsa.c
View File

@ -252,46 +252,6 @@ cleanup:
return( 0 );
}
#if !defined(POLARSSL_RSA_NO_CRT)
/*
* Generate or update blinding values, see section 10 of:
* KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA,
* DSS, and other systems. In : Advances in CryptologyCRYPTO96. Springer
* Berlin Heidelberg, 1996. p. 104-113.
*/
static int rsa_prepare_blinding( rsa_context *ctx,
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
{
int ret;
if( ctx->Vf.p != NULL )
{
/* We already have blinding values, just update them by squaring */
MPI_CHK( mpi_mul_mpi( &ctx->Vi, &ctx->Vi, &ctx->Vi ) );
MPI_CHK( mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->N ) );
MPI_CHK( mpi_mul_mpi( &ctx->Vf, &ctx->Vf, &ctx->Vf ) );
MPI_CHK( mpi_mod_mpi( &ctx->Vf, &ctx->Vf, &ctx->N ) );
return( 0 );
}
/* Unblinding value: Vf = random number */
MPI_CHK( mpi_fill_random( &ctx->Vf, ctx->len - 1, f_rng, p_rng ) );
/* Mathematically speaking, the algorithm should check Vf
* against 0, P and Q (Vf should be relatively prime to N, and 0 < Vf < N),
* so that Vf^-1 exists.
*/
/* Blinding value: Vi = Vf^(-e) mod N */
MPI_CHK( mpi_inv_mod( &ctx->Vi, &ctx->Vf, &ctx->N ) );
MPI_CHK( mpi_exp_mod( &ctx->Vi, &ctx->Vi, &ctx->E, &ctx->N, &ctx->RN ) );
cleanup:
return( ret );
}
#endif
/*
* Do an RSA private key operation
*/
@ -303,9 +263,10 @@ int rsa_private( rsa_context *ctx,
{
int ret;
size_t olen;
mpi T, T1, T2;
mpi T, T1, T2, Vi, Vf;
mpi_init( &T ); mpi_init( &T1 ); mpi_init( &T2 );
mpi_init( &Vi ); mpi_init( &Vf );
MPI_CHK( mpi_read_binary( &T, input, ctx->len ) );
@ -326,8 +287,19 @@ int rsa_private( rsa_context *ctx,
* Blinding
* T = T * Vi mod N
*/
MPI_CHK( rsa_prepare_blinding( ctx, f_rng, p_rng ) );
MPI_CHK( mpi_mul_mpi( &T, &T, &ctx->Vi ) );
/* Unblinding value: Vf = random number */
MPI_CHK( mpi_fill_random( &Vf, ctx->len - 1, f_rng, p_rng ) );
/* Mathematically speaking, the algorithm should check Vf
* against 0, P and Q (Vf should be relatively prime to N, and 0 < Vf < N),
* so that Vf^-1 exists.
*/
/* Blinding value: Vi = Vf^(-e) mod N */
MPI_CHK( mpi_inv_mod( &Vi, &Vf, &ctx->N ) );
MPI_CHK( mpi_exp_mod( &Vi, &Vi, &ctx->E, &ctx->N, &ctx->RN ) );
MPI_CHK( mpi_mul_mpi( &T, &T, &Vi ) );
MPI_CHK( mpi_mod_mpi( &T, &T, &ctx->N ) );
}
@ -359,7 +331,7 @@ int rsa_private( rsa_context *ctx,
* Unblind
* T = T * Vf mod N
*/
MPI_CHK( mpi_mul_mpi( &T, &T, &ctx->Vf ) );
MPI_CHK( mpi_mul_mpi( &T, &T, &Vf ) );
MPI_CHK( mpi_mod_mpi( &T, &T, &ctx->N ) );
}
#endif
@ -370,6 +342,7 @@ int rsa_private( rsa_context *ctx,
cleanup:
mpi_free( &T ); mpi_free( &T1 ); mpi_free( &T2 );
mpi_free( &Vi ); mpi_free( &Vf );
if( ret != 0 )
return( POLARSSL_ERR_RSA_PRIVATE_FAILED + ret );
@ -1354,9 +1327,6 @@ int rsa_pkcs1_verify( rsa_context *ctx,
*/
void rsa_free( rsa_context *ctx )
{
#if !defined(POLARSSL_RSA_NO_CRT)
mpi_free( &ctx->Vi ); mpi_free( &ctx->Vf );
#endif
mpi_free( &ctx->RQ ); mpi_free( &ctx->RP ); mpi_free( &ctx->RN );
mpi_free( &ctx->QP ); mpi_free( &ctx->DQ ); mpi_free( &ctx->DP );
mpi_free( &ctx->Q ); mpi_free( &ctx->P ); mpi_free( &ctx->D );