TeaSpeak/tomcrypt
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

harden RSA CRT by implementing the proposed countermeasure

Browse Source 
... from ch. 1.3 of [1]

[1] https://people.redhat.com/~fweimer/rsa-crt-leaks.pdf
This commit is contained in:
Steffen Jaeckel 2015-09-08 02:44:17 +02:00
parent 19e2526b82
commit 01f1845402
2 changed files with 17 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
src/headers/tomcrypt_custom.h
View File

@ -402,6 +402,11 @@
#define LTC_RSA_BLINDING
#endif /* LTC_NO_RSA_BLINDING */
#if defined(LTC_MRSA) && !defined(LTC_NO_RSA_CRT_HARDENING)
/* Enable RSA CRT hardening when doing private key operations by default */
#define LTC_RSA_CRT_HARDENING
#endif /* LTC_NO_RSA_CRT_HARDENING */
#if defined(LTC_MECC) && !defined(LTC_NO_ECC_TIMING_RESISTANT)
/* Enable ECC timing resistant version by default */
#define LTC_ECC_TIMING_RESISTANT

14
src/pk/rsa/rsa_exptmod.c
View File

@ -38,7 +38,7 @@ int rsa_exptmod(const unsigned char *in, unsigned long inlen,
void *rnd, *rndi /* inverse of rnd */;
#endif
unsigned long x;
int err;
int err, no_crt;
LTC_ARGCHK(in != NULL);
LTC_ARGCHK(out != NULL);
@ -100,7 +100,9 @@ int rsa_exptmod(const unsigned char *in, unsigned long inlen,
}
#endif /* LTC_RSA_BLINDING */
if ((key->dP == NULL) || (mp_get_digit_count(key->dP) == 0)) {
no_crt = (key->dP == NULL) || (mp_get_digit_count(key->dP) == 0);
if (no_crt) {
/*
* In case CRT optimization parameters are not provided,
* the private key is directly used to exptmod it
@ -129,6 +131,14 @@ int rsa_exptmod(const unsigned char *in, unsigned long inlen,
goto error;
}
#endif
#ifdef LTC_RSA_CRT_HARDENING
if (!no_crt) {
if ((err = mp_exptmod(tmp, key->e, key->N, tmpa)) != CRYPT_OK) { goto error; }
if ((err = mp_read_unsigned_bin(tmpb, (unsigned char *)in, (int)inlen)) != CRYPT_OK) { goto error; }
if (mp_cmp(tmpa, tmpb) != LTC_MP_EQ) { err = CRYPT_ERROR; goto error; }
}
#endif
} else {
/* exptmod it */
if ((err = mp_exptmod(tmp, key->e, key->N, tmp)) != CRYPT_OK) { goto error; }