cipher/rsa.c
*/ | */ | ||||
#include <config.h> | #include <config.h> | ||||
#include <stdio.h> | #include <stdio.h> | ||||
#include <stdlib.h> | #include <stdlib.h> | ||||
#include <string.h> | #include <string.h> | ||||
#include "util.h" | #include "util.h" | ||||
#include "mpi.h" | #include "mpi.h" | ||||
#include "../mpi/mpi-internal.h" | |||||
#include "cipher.h" | #include "cipher.h" | ||||
#include "rsa.h" | #include "rsa.h" | ||||
/* Blinding is used to mitigate side-channel attacks. You may undef | /* Blinding is used to mitigate side-channel attacks. You may undef | ||||
this to speed up the operation in case the system is secured | this to speed up the operation in case the system is secured | ||||
against physical and network mounted side-channel attacks. */ | against physical and network mounted side-channel attacks. */ | ||||
#define USE_BLINDING 1 | #define USE_BLINDING 1 | ||||
▲ Show 20 Lines • Show All 280 Lines • ▼ Show 20 Lines | # ifdef USE_BLINDING | ||||
randomize_mpi (r, mpi_get_nbits (skey->n), 0); | randomize_mpi (r, mpi_get_nbits (skey->n), 0); | ||||
mpi_fdiv_r (r, r, skey->n); | mpi_fdiv_r (r, r, skey->n); | ||||
mpi_powm (bdata, r, skey->e, skey->n); | mpi_powm (bdata, r, skey->e, skey->n); | ||||
mpi_mulm (bdata, bdata, input, skey->n); | mpi_mulm (bdata, bdata, input, skey->n); | ||||
input = bdata; | input = bdata; | ||||
# endif /* USE_BLINDING */ | # endif /* USE_BLINDING */ | ||||
/* RSA secret operation: */ | /* RSA secret operation: */ | ||||
/* m1 = c ^ (d mod (p-1)) mod p */ | MPI D_blind = mpi_alloc_secure (nlimbs); | ||||
MPI rr; | |||||
unsigned int rr_nbits; | |||||
rr_nbits = mpi_get_nbits (skey->p) / 4; | |||||
if (rr_nbits < 96) | |||||
rr_nbits = 96; | |||||
rr = mpi_alloc_secure ( (rr_nbits + BITS_PER_MPI_LIMB-1)/BITS_PER_MPI_LIMB ); | |||||
/* d_blind = (d mod (p-1)) + (p-1) * r */ | |||||
/* m1 = c ^ d_blind mod p */ | |||||
randomize_mpi (rr, rr_nbits, 0); | |||||
mpi_set_highbit (rr, rr_nbits - 1); | |||||
mpi_sub_ui( h, skey->p, 1 ); | mpi_sub_ui( h, skey->p, 1 ); | ||||
mpi_mul ( D_blind, h, rr ); | |||||
mpi_fdiv_r( h, skey->d, h ); | mpi_fdiv_r( h, skey->d, h ); | ||||
mpi_powm( m1, input, h, skey->p ); | mpi_add ( D_blind, D_blind, h ); | ||||
/* m2 = c ^ (d mod (q-1)) mod q */ | mpi_powm ( m1, input, D_blind, skey->p ); | ||||
/* d_blind = (d mod (q-1)) + (q-1) * r */ | |||||
/* m2 = c ^ d_blind mod q */ | |||||
randomize_mpi (rr, rr_nbits, 0); | |||||
mpi_set_highbit (rr, rr_nbits - 1); | |||||
mpi_sub_ui( h, skey->q, 1 ); | mpi_sub_ui( h, skey->q, 1 ); | ||||
mpi_mul ( D_blind, h, rr ); | |||||
mpi_fdiv_r( h, skey->d, h ); | mpi_fdiv_r( h, skey->d, h ); | ||||
mpi_powm( m2, input, h, skey->q ); | mpi_add ( D_blind, D_blind, h ); | ||||
mpi_powm ( m2, input, D_blind, skey->q ); | |||||
mpi_free ( rr ); | |||||
mpi_free ( D_blind ); | |||||
/* h = u * ( m2 - m1 ) mod q */ | /* h = u * ( m2 - m1 ) mod q */ | ||||
mpi_sub( h, m2, m1 ); | mpi_sub( h, m2, m1 ); | ||||
if ( mpi_is_neg( h ) ) | if ( mpi_is_neg( h ) ) | ||||
mpi_add ( h, h, skey->q ); | mpi_add ( h, h, skey->q ); | ||||
mpi_mulm( h, skey->u, h, skey->q ); | mpi_mulm( h, skey->u, h, skey->q ); | ||||
/* m = m2 + h * p */ | /* m = m2 + h * p */ | ||||
mpi_mul ( h, h, skey->p ); | mpi_mul ( h, h, skey->p ); | ||||
mpi_add ( output, m1, h ); | mpi_add ( output, m1, h ); | ||||
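Review bot: The new declarations `MPI D_blind = mpi_alloc_secure (nlimbs);`, `MPI rr;` and `unsigned int rr_nbits;` on the right column (at the `/* RSA secret operation: */` row) follow statements such as `input = bdata;` in the USE_BLINDING block, which requires C99 mixed declarations and code; the rest of the hunk uses MPIs (`h`, `m1`, `m2`, `bdata`, `nlimbs`) that are evidently declared earlier in the function, so moving these three declarations up to that declaration block would keep the file consistent and C89-clean. The exponent-blinding size `rr_nbits = mpi_get_nbits (skey->p) / 4;` with the floor `if (rr_nbits < 96)` is given no rationale; a comment such as `/* Blind each CRT exponent with a fresh random r of at least 96 bits (a quarter of the prime size), so the exponent seen by mpi_powm differs on every call. */` would tell the next maintainer why these constants were chosen. `rr` and `D_blind` hold secret-derived values and are released with plain `mpi_free`, so their disposal presumably relies on the secure-memory allocator wiping limbs on free — worth confirming for this mpi implementation. The enclosing function begins before and ends after the hunk.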