From e10e06d8630f7ac3e1778346749036342241f016 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
Date: Thu, 6 Nov 2014 18:15:12 +0100
Subject: [PATCH] Blind RSA operations even without CRT

---
 ChangeLog              |  1 +
 include/polarssl/rsa.h |  2 --
 library/rsa.c          | 20 +++++--------------
 3 files changed, 6 insertions(+), 17 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index fdcf028b5..23cbbacc5 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -5,6 +5,7 @@ PolarSSL ChangeLog (Sorted per branch, date)
 Changes
    * Use deterministic nonces for AEAD ciphers in TLS by default (possible to
      switch back to random with POLARSSL_SSL_AEAD_RANDOM_IV in config.h).
+   * Blind RSA private operations even when POLARSSL_RSA_NO_CRT is defined.
 
 = PolarSSL 1.3.9 released 2014-10-20
 Security
diff --git a/include/polarssl/rsa.h b/include/polarssl/rsa.h
index c06c7d505..bad60092e 100644
--- a/include/polarssl/rsa.h
+++ b/include/polarssl/rsa.h
@@ -99,10 +99,8 @@ typedef struct
     mpi RP;                     /*!<  cached R^2 mod P  */
     mpi RQ;                     /*!<  cached R^2 mod Q  */
 
-#if !defined(POLARSSL_RSA_NO_CRT)
     mpi Vi;                     /*!<  cached blinding value     */
     mpi Vf;                     /*!<  cached un-blinding value  */
-#endif
 
     int padding;                /*!<  RSA_PKCS_V15 for 1.5 padding and
                                       RSA_PKCS_v21 for OAEP/PSS         */
diff --git a/library/rsa.c b/library/rsa.c
index 958085c8a..3006e9031 100644
--- a/library/rsa.c
+++ b/library/rsa.c
@@ -275,7 +275,6 @@ cleanup:
     return( 0 );
 }
 
-#if !defined(POLARSSL_RSA_NO_CRT)
 /*
  * Generate or update blinding values, see section 10 of:
  *  KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA,
@@ -329,7 +328,6 @@ cleanup:
 
     return( ret );
 }
-#endif /* !POLARSSL_RSA_NO_CRT */
 
 /*
  * Do an RSA private key operation
@@ -343,7 +341,6 @@ int rsa_private( rsa_context *ctx,
     int ret;
     size_t olen;
     mpi T, T1, T2;
-#if !defined(POLARSSL_RSA_NO_CRT)
     mpi *Vi, *Vf;
 
     /*
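Review bot: The Doxygen comments on `Vi` and `Vf` in the rsa.h hunk still read only `cached blinding value` / `cached un-blinding value` and do not say when the fields are populated, yet the rsa_private hunks in this same patch show both the blinding step and the un-blinding step gated on `if( f_rng != NULL )`, so a caller passing no RNG never touches them. I would make that visible in the header: `mpi Vi; /*!< cached blinding value, set only when rsa_private() is given an f_rng */` and `mpi Vf; /*!< cached un-blinding value, same condition */`. Removing the `#if !defined(POLARSSL_RSA_NO_CRT)` around the two fields also changes the layout of `rsa_context` for builds that define `POLARSSL_RSA_NO_CRT`, which the ChangeLog entry does not mention; a short note there would help anyone shipping such a build as a shared library.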
@@ -361,7 +358,6 @@ int rsa_private( rsa_context *ctx,
     Vi = &ctx->Vi;
     Vf = &ctx->Vf;
 #endif
-#endif /* !POLARSSL_RSA_NO_CRT */
 
     mpi_init( &T ); mpi_init( &T1 ); mpi_init( &T2 );
 
@@ -372,11 +368,6 @@ int rsa_private( rsa_context *ctx,
         return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
     }
 
-#if defined(POLARSSL_RSA_NO_CRT)
-    ((void) f_rng);
-    ((void) p_rng);
-    MPI_CHK( mpi_exp_mod( &T, &T, &ctx->D, &ctx->N, &ctx->RN ) );
-#else
     if( f_rng != NULL )
     {
         /*
@@ -388,6 +379,9 @@ int rsa_private( rsa_context *ctx,
         MPI_CHK( mpi_mod_mpi( &T, &T, &ctx->N ) );
     }
 
+#if defined(POLARSSL_RSA_NO_CRT)
+    MPI_CHK( mpi_exp_mod( &T, &T, &ctx->D, &ctx->N, &ctx->RN ) );
+#else
     /*
      * faster decryption using the CRT
      *
@@ -409,6 +403,7 @@ int rsa_private( rsa_context *ctx,
      */
     MPI_CHK( mpi_mul_mpi( &T1, &T, &ctx->Q ) );
     MPI_CHK( mpi_add_mpi( &T, &T2, &T1 ) );
+#endif /* POLARSSL_RSA_NO_CRT */
 
     if( f_rng != NULL )
     {
@@ -419,14 +414,13 @@ int rsa_private( rsa_context *ctx,
         MPI_CHK( mpi_mul_mpi( &T, &T, Vf ) );
         MPI_CHK( mpi_mod_mpi( &T, &T, &ctx->N ) );
     }
-#endif /* POLARSSL_RSA_NO_CRT */
 
     olen = ctx->len;
     MPI_CHK( mpi_write_binary( &T, output, olen ) );
 
 cleanup:
     mpi_free( &T ); mpi_free( &T1 ); mpi_free( &T2 );
-#if !defined(POLARSSL_RSA_NO_CRT) && defined(POLARSSL_THREADING_C)
+#if defined(POLARSSL_THREADING_C)
     mpi_free( &Vi_copy ); mpi_free( &Vf_copy );
 #endif
 
@@ -1425,10 +1419,8 @@ int rsa_copy( rsa_context *dst, const rsa_context *src )
     MPI_CHK( mpi_copy( &dst->RP, &src->RP ) );
     MPI_CHK( mpi_copy( &dst->RQ, &src->RQ ) );
 
-#if !defined(POLARSSL_RSA_NO_CRT)
     MPI_CHK( mpi_copy( &dst->Vi, &src->Vi ) );
     MPI_CHK( mpi_copy( &dst->Vf, &src->Vf ) );
-#endif
 
     dst->padding = src->padding;
     dst->hash_id = src->hash_id;
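Review bot: The new `POLARSSL_RSA_NO_CRT` branch added in the `@@ -388,6 +379,9 @@` hunk only gets the blinding this commit promises when the caller supplies `f_rng`: the blinding block that ends just above it and the un-blinding block in the `@@ -419` hunk are both under `if( f_rng != NULL )`, so `rsa_private( ctx, NULL, NULL, ... )` still runs `mpi_exp_mod` with the private exponent on the raw input, on the CRT path as well as the new non-CRT one. Since the purpose of the change is timing-attack resistance, that limit should be stated where the exponentiation happens, e.g. `/* f_rng == NULL: the exponentiation below runs unblinded (timing side channel) */` above the new `#if`, and the `rsa_private` description in rsa.h should say `f_rng` is required for blinding; if breaking such callers is acceptable, rejecting `f_rng == NULL` with `POLARSSL_ERR_RSA_BAD_INPUT_DATA` before the exponentiation is the stronger fix. This is pre-existing behaviour the commit leaves in place rather than a regression it introduces. `rsa_private` starts and ends outside these hunks.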
@@ -1445,9 +1437,7 @@ cleanup:
  */
 void rsa_free( rsa_context *ctx )
 {
-#if !defined(POLARSSL_RSA_NO_CRT)
     mpi_free( &ctx->Vi ); mpi_free( &ctx->Vf );
-#endif
     mpi_free( &ctx->RQ ); mpi_free( &ctx->RP ); mpi_free( &ctx->RN );
     mpi_free( &ctx->QP ); mpi_free( &ctx->DQ ); mpi_free( &ctx->DP );
     mpi_free( &ctx->Q ); mpi_free( &ctx->P ); mpi_free( &ctx->D );