From ea53a55c0f39a0f5f6b4edf4d733188e88f094a9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 10 Sep 2013 13:29:30 +0200 Subject: [PATCH] Refactor to prepare for RSA blinding optimisation --- include/polarssl/rsa.h | 5 +++++ library/rsa.c | 46 +++++++++++++++++++++++++++++------------- 2 files changed, 37 insertions(+), 14 deletions(-) diff --git a/include/polarssl/rsa.h b/include/polarssl/rsa.h index 4e85ca6cc..71fbff2d8 100644 --- a/include/polarssl/rsa.h +++ b/include/polarssl/rsa.h @@ -89,6 +89,11 @@ typedef struct mpi RP; /*!< cached R^2 mod P */ mpi RQ; /*!< cached R^2 mod Q */ +#if !defined(POLARSSL_RSA_NO_CRT) + mpi Vi; /*!< cached blinding value */ + mpi Vf; /*!< cached un-blinding value */ +#endif + int padding; /*!< RSA_PKCS_V15 for 1.5 padding and RSA_PKCS_v21 for OAEP/PSS */ int hash_id; /*!< Hash identifier of md_type_t as diff --git a/library/rsa.c b/library/rsa.c index c39a338a3..0a943c234 100644 --- a/library/rsa.c +++ b/library/rsa.c @@ -253,6 +253,27 @@ cleanup: return( 0 ); } +#if !defined(POLARSSL_RSA_NO_CRT) +/* + * Generate blinding values + */ +static int rsa_prepare_blinding( rsa_context *ctx, + int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) +{ + int ret; + + /* Unblinding value: Vf = random number */ + MPI_CHK( mpi_fill_random( &ctx->Vf, ctx->len - 1, f_rng, p_rng ) ); + + /* Blinding value: Vi = Vf^(-e) mod N */ + MPI_CHK( mpi_inv_mod( &ctx->Vi, &ctx->Vf, &ctx->N ) ); + MPI_CHK( mpi_exp_mod( &ctx->Vi, &ctx->Vi, &ctx->E, &ctx->N, &ctx->RN ) ); + +cleanup: + return( ret ); +} +#endif + /* * Do an RSA private key operation */ @@ -265,11 +286,8 @@ int rsa_private( rsa_context *ctx, int ret; size_t olen; mpi T, T1, T2; - mpi A, X; - mpi_init( &T ); mpi_init( &T1 ); mpi_init( &T2 ); - mpi_init( &A ); mpi_init( &X ); MPI_CHK( mpi_read_binary( &T, input, ctx->len ) ); if( mpi_cmp_mpi( &T, &ctx->N ) >= 0 ) 
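Review bot: The new `Vi`/`Vf` members are declared only under `#if !defined(POLARSSL_RSA_NO_CRT)`, yet the rsa_copy and rsa_free hunks of this same patch touch them unconditionally, so a build with POLARSSL_RSA_NO_CRT defined will fail on those lines. The blinding arithmetic itself does not depend on CRT (only the current call site in rsa_private sits inside the CRT section), so the simplest consistent fix is to drop the guard around these two fields; otherwise the new mpi_copy/mpi_free calls need the same guard. The field comments would also help a reader if they recorded the invariant the code relies on, e.g. `mpi Vi; /*!< cached blinding value, Vi = Vf^-e mod N */` and `mpi Vf; /*!< cached un-blinding value, fresh random, Vf < N */`. The enclosing rsa_context struct starts and ends outside this hunk.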
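Review bot: In rsa_prepare_blinding the `mpi_inv_mod` call fails whenever the random Vf is not invertible modulo N (Vf == 0 from a broken RNG, or Vf sharing a factor with N), and that failure is propagated through MPI_CHK so the whole private-key operation fails for an RNG output the caller cannot influence. The probability is negligible for a well-formed key, but a bounded retry is cheap, matches how the other RNG-dependent paths in this library are usually written, and still fails closed when the RNG is genuinely broken; if I read the bignum API correctly the non-invertible case is reported as `POLARSSL_ERR_MPI_NOT_ACCEPTABLE`, which is the only value worth retrying on. Note also that the header comment calls these values "cached" while this function regenerates them on every call; a one-line comment here saying the reuse is left to a follow-up would stop a reader from assuming the cache already exists.
```c
static int rsa_prepare_blinding( rsa_context *ctx,
                int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
{
    int ret, count = 0;

    /* Unblinding value: Vf = random number; retry (bounded) when Vf is not
     * invertible mod N, otherwise fail closed on a broken RNG */
    do
    {
        MPI_CHK( mpi_fill_random( &ctx->Vf, ctx->len - 1, f_rng, p_rng ) );
        ret = mpi_inv_mod( &ctx->Vi, &ctx->Vf, &ctx->N );
    } while( ret == POLARSSL_ERR_MPI_NOT_ACCEPTABLE && ++count < 10 );
    if( ret != 0 )
        goto cleanup;

    /* … unchanged: Vi = Vi^e mod N, cleanup … */
```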
@@ -284,14 +302,12 @@ int rsa_private( rsa_context *ctx, if( f_rng != NULL ) { /* - * RSA Blinding - * A = rnd MPI - * T = A^E * T mod N + * Blinding + * T = T * Vi mod N */ - MPI_CHK( mpi_fill_random( &A, ctx->len - 1, f_rng, p_rng ) ); - MPI_CHK( mpi_exp_mod( &X, &A, &ctx->E, &ctx->N, NULL ) ); - MPI_CHK( mpi_mul_mpi( &X, &X, &T ) ); - MPI_CHK( mpi_mod_mpi( &T, &X, &ctx->N ) ); + MPI_CHK( rsa_prepare_blinding( ctx, f_rng, p_rng ) ); + MPI_CHK( mpi_mul_mpi( &T, &T, &ctx->Vi ) ); + MPI_CHK( mpi_mod_mpi( &T, &T, &ctx->N ) ); } /* @@ -320,10 +336,9 @@ int rsa_private( rsa_context *ctx, { /* * Unblind - * T = T / A mod N + * T = T * Vf mod N */ - MPI_CHK( mpi_inv_mod( &A, &A, &ctx->N ) ); - MPI_CHK( mpi_mul_mpi( &T, &T, &A ) ); + MPI_CHK( mpi_mul_mpi( &T, &T, &ctx->Vf ) ); MPI_CHK( mpi_mod_mpi( &T, &T, &ctx->N ) ); } #endif @@ -334,7 +349,6 @@ int rsa_private( rsa_context *ctx, cleanup: mpi_free( &T ); mpi_free( &T1 ); mpi_free( &T2 ); - mpi_free( &A ); mpi_free( &X ); if( ret != 0 ) return( POLARSSL_ERR_RSA_PRIVATE_FAILED + ret ); @@ -1280,6 +1294,9 @@ int rsa_copy( rsa_context *dst, const rsa_context *src ) MPI_CHK( mpi_copy( &dst->RP, &src->RP ) ); MPI_CHK( mpi_copy( &dst->RQ, &src->RQ ) ); + MPI_CHK( mpi_copy( &dst->Vi, &src->Vi ) ); + MPI_CHK( mpi_copy( &dst->Vf, &src->Vf ) ); + dst->padding = src->padding; dst->hash_id = src->padding; @@ -1295,6 +1312,7 @@ cleanup: */ void rsa_free( rsa_context *ctx ) { + mpi_free( &ctx->Vi ); mpi_free( &ctx->Vf ); mpi_free( &ctx->RQ ); mpi_free( &ctx->RP ); mpi_free( &ctx->RN ); mpi_free( &ctx->QP ); mpi_free( &ctx->DQ ); mpi_free( &ctx->DP ); mpi_free( &ctx->Q ); mpi_free( &ctx->P ); mpi_free( &ctx->D );
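Review bot: rsa_private now writes to the shared context (`rsa_prepare_blinding` overwrites `ctx->Vi` and `ctx->Vf`) where the old code kept the blinding factor in the locals A and X, so two threads using one rsa_context concurrently can overwrite each other's Vi/Vf between the blinding here and the unblinding later in the function, and the unblinded result would then be wrong. I cannot tell from this hunk whether the library's contract allows sharing a context across threads; if it does, the Vi/Vf access needs serialising, and if it does not, the new mutation should at least be documented on rsa_private, e.g. `/* NOTE: updates ctx->Vi/Vf; one rsa_context must not be used concurrently */`. The rest of the error handling is fine: a failure inside rsa_prepare_blinding goes through MPI_CHK to cleanup and is reported as POLARSSL_ERR_RSA_PRIVATE_FAILED like the other MPI failures. The enclosing rsa_private body starts before and ends after this hunk.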
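Review bot: The two new `mpi_copy` calls for Vi and Vf in rsa_copy are unconditional, while the header hunk declares those members only under `#if !defined(POLARSSL_RSA_NO_CRT)`, so a NO_CRT build fails to compile here; wrap them in the same `#if !defined(POLARSSL_RSA_NO_CRT)` / `#endif`, or drop the guard from the declarations. Separately, the context line just below, `dst->hash_id = src->padding;`, copies the padding field into hash_id; this predates the patch, but it looks like a copy-paste slip that should read `dst->hash_id = src->hash_id;`, and it is worth fixing while this function is being touched. rsa_copy starts before and ends after this hunk.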
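Review bot: `mpi_free( &ctx->Vi ); mpi_free( &ctx->Vf );` is added to rsa_free outside any `#if`, but the header only declares Vi/Vf when POLARSSL_RSA_NO_CRT is not defined, so this one line breaks a NO_CRT build; guard it the same way, or move the declarations out of the guard so copy and free stay unconditional. Releasing the blinding values alongside the other key material is the right place for them, assuming mpi_free clears the limbs as it does for the secret members already freed here (not visible in this hunk). rsa_free continues past the end of the hunk.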