diff --git a/src/headers/tomcrypt_custom.h b/src/headers/tomcrypt_custom.h index cfd4a79..362403b 100644 --- a/src/headers/tomcrypt_custom.h +++ b/src/headers/tomcrypt_custom.h @@ -289,10 +289,10 @@ #ifndef LTC_NO_MATH /* LibTomMath */ -/* #define LTM_LTC_DESC */ +/* #define LTM_DESC */ /* TomsFastMath */ -/* #define TFM_LTC_DESC */ +/* #define TFM_DESC */ #endif /* LTC_NO_MATH */ @@ -302,6 +302,9 @@ /* Include RSA support */ #define LTC_MRSA +/* Enable RSA blinding when doing private key operations? */ +/* #define LTC_RSA_BLINDING */ + /* Include Diffie-Hellman support */ #ifndef GPM_DESC /* is_prime fails for GPM */ @@ -382,6 +385,11 @@ #define LTC_PKCS_1 #endif +#if defined(TFM_DESC) && defined(LTC_RSA_BLINDING) + #warning RSA blinding currently not supported in combination with TFM + #undef LTC_RSA_BLINDING +#endif + #if defined(LTC_DER) && !defined(MPI) #error ASN.1 DER requires MPI functionality #endif diff --git a/src/headers/tomcrypt_math.h b/src/headers/tomcrypt_math.h index caf6b52..3158c4a 100644 --- a/src/headers/tomcrypt_math.h +++ b/src/headers/tomcrypt_math.h @@ -431,6 +431,15 @@ typedef struct { @return CRYPT_OK on success */ int (*submod)(void *a, void *b, void *c, void *d); + +/* ---- misc stuff ---- */ + /** Make a pseudo-random mpi + @param a The mpi to make random + @param size The desired length + @return CRYPT_OK on success + */ + int (*rand)(void *a, int size); + } ltc_math_descriptor; extern ltc_math_descriptor ltc_mp; @@ -515,6 +524,8 @@ extern const ltc_math_descriptor gmp_desc; #define mp_tohex(a, b) mp_toradix(a, b, 16) +#define mp_rand(a, b) ltc_mp.rand(a, b) + #endif /* $Source$ */ diff --git a/src/math/gmp_desc.c b/src/math/gmp_desc.c index beab976..9d7ff07 100644 --- a/src/math/gmp_desc.c +++ b/src/math/gmp_desc.c @@ -409,6 +409,13 @@ static int isprime(void *a, int *b) return CRYPT_OK; } +static int set_rand(void *a, int size) +{ + LTC_ARGCHK(a != NULL); + mpz_random(a, size); + return CRYPT_OK; +} + const ltc_math_descriptor gmp_desc = { "GNU MP", sizeof(mp_limb_t) * CHAR_BIT - GMP_NAIL_BITS, @@ -492,6 +499,8 @@ const ltc_math_descriptor gmp_desc = { &addmod, &submod, + &set_rand, + }; diff --git a/src/math/ltm_desc.c b/src/math/ltm_desc.c index 8d61af4..2945a47 100644 --- a/src/math/ltm_desc.c +++ b/src/math/ltm_desc.c @@ -408,7 +408,13 @@ static int isprime(void *a, int *b) err = mpi_to_ltc_error(mp_prime_is_prime(a, 8, b)); *b = (*b == MP_YES) ? LTC_MP_YES : LTC_MP_NO; return err; -} +} + +static int set_rand(void *a, int size) +{ + LTC_ARGCHK(a != NULL); + return mpi_to_ltc_error(mp_rand(a, size)); +} const ltc_math_descriptor ltm_desc = { @@ -494,6 +500,8 @@ const ltc_math_descriptor ltm_desc = { &addmod, &submod, + &set_rand, + }; diff --git a/src/math/tfm_desc.c b/src/math/tfm_desc.c index 82a7353..8218024 100644 --- a/src/math/tfm_desc.c +++ b/src/math/tfm_desc.c @@ -787,6 +787,8 @@ const ltc_math_descriptor tfm_desc = { &addmod, &submod, + NULL, + }; diff --git a/src/pk/rsa/rsa_exptmod.c b/src/pk/rsa/rsa_exptmod.c index f123398..45068b2 100644 --- a/src/pk/rsa/rsa_exptmod.c +++ b/src/pk/rsa/rsa_exptmod.c @@ -15,25 +15,28 @@ /** @file rsa_exptmod.c RSA LTC_PKCS exptmod, Tom St Denis -*/ +*/ #ifdef LTC_MRSA -/** - Compute an RSA modular exponentiation +/** + Compute an RSA modular exponentiation @param in The input data to send into RSA @param inlen The length of the input (octets) - @param out [out] The destination + @param out [out] The destination @param outlen [in/out] The max size and resulting size of the output @param which Which exponent to use, e.g. PK_PRIVATE or PK_PUBLIC - @param key The RSA key to use + @param key The RSA key to use @return CRYPT_OK if successful -*/ +*/ int rsa_exptmod(const unsigned char *in, unsigned long inlen, unsigned char *out, unsigned long *outlen, int which, rsa_key *key) { - void *tmp, *tmpa, *tmpb, *rnd, *rndi /* inverse of rnd */; + void *tmp, *tmpa, *tmpb; + #ifdef LTC_RSA_BLINDING + void *rnd = NULL, *rndi = NULL /* inverse of rnd */; + #endif unsigned long x; int err; @@ -41,7 +44,7 @@ int rsa_exptmod(const unsigned char *in, unsigned long inlen, LTC_ARGCHK(out != NULL); LTC_ARGCHK(outlen != NULL); LTC_ARGCHK(key != NULL); - + /* is the key of the right type for the operation? */ if (which == PK_PRIVATE && (key->type != PK_PRIVATE)) { return CRYPT_PK_NOT_PRIVATE; @@ -53,7 +56,7 @@ int rsa_exptmod(const unsigned char *in, unsigned long inlen, } /* init and copy into tmp */ - if ((err = mp_init_multi(&tmp, &tmpa, &tmpb, &rnd, &rndi, NULL)) != CRYPT_OK) + if ((err = mp_init_multi(&tmp, &tmpa, &tmpb, NULL)) != CRYPT_OK) { return err; } if ((err = mp_read_unsigned_bin(tmp, (unsigned char *)in, (int)inlen)) != CRYPT_OK) { goto error; } @@ -67,49 +70,55 @@ int rsa_exptmod(const unsigned char *in, unsigned long inlen, /* are we using the private exponent and is the key optimized? */ if (which == PK_PRIVATE) { + #ifdef LTC_RSA_BLINDING + if ((err = mp_init_multi(&rnd, &rndi, NULL)) != CRYPT_OK) + { goto error; } /* do blinding */ err = mp_rand(rnd, mp_count_bits(key->N)); if (err != CRYPT_OK) { - goto error; + goto error_blind; } /* rndi = 1/rnd mod N */ err = mp_invmod(rnd, key->N, rndi); if (err != CRYPT_OK) { - goto error; + goto error_blind; } /* rnd = rnd^e */ err = mp_exptmod( rnd, key->e, key->N, rnd); if (err != CRYPT_OK) { - goto error; + goto error_blind; } /* tmp = tmp*rnd mod N */ err = mp_mulmod( tmp, rnd, key->N, tmp); if (err != CRYPT_OK) { - goto error; + goto error_blind; } + #endif /* LTC_RSA_BLINDING */ /* tmpa = tmp^dP mod p */ - if ((err = mp_exptmod(tmp, key->dP, key->p, tmpa)) != CRYPT_OK) { goto error; } + if ((err = mp_exptmod(tmp, key->dP, key->p, tmpa)) != CRYPT_OK) { goto error_blind; } /* tmpb = tmp^dQ mod q */ - if ((err = mp_exptmod(tmp, key->dQ, key->q, tmpb)) != CRYPT_OK) { goto error; } + if ((err = mp_exptmod(tmp, key->dQ, key->q, tmpb)) != CRYPT_OK) { goto error_blind; } /* tmp = (tmpa - tmpb) * qInv (mod p) */ - if ((err = mp_sub(tmpa, tmpb, tmp)) != CRYPT_OK) { goto error; } - if ((err = mp_mulmod(tmp, key->qP, key->p, tmp)) != CRYPT_OK) { goto error; } + if ((err = mp_sub(tmpa, tmpb, tmp)) != CRYPT_OK) { goto error_blind; } + if ((err = mp_mulmod(tmp, key->qP, key->p, tmp)) != CRYPT_OK) { goto error_blind; } /* tmp = tmpb + q * tmp */ - if ((err = mp_mul(tmp, key->q, tmp)) != CRYPT_OK) { goto error; } - if ((err = mp_add(tmp, tmpb, tmp)) != CRYPT_OK) { goto error; } + if ((err = mp_mul(tmp, key->q, tmp)) != CRYPT_OK) { goto error_blind; } + if ((err = mp_add(tmp, tmpb, tmp)) != CRYPT_OK) { goto error_blind; } + #ifdef LTC_RSA_BLINDING /* unblind */ err = mp_mulmod( tmp, rndi, key->N, tmp); if (err != CRYPT_OK) { - goto error; + goto error_blind; } + #endif } else { /* exptmod it */ if ((err = mp_exptmod(tmp, key->e, key->N, tmp)) != CRYPT_OK) { goto error; } @@ -136,8 +145,12 @@ int rsa_exptmod(const unsigned char *in, unsigned long inlen, /* clean up and return */ err = CRYPT_OK; +error_blind: + #ifdef LTC_RSA_BLINDING + mp_clear_multi(rnd, rndi, NULL); + #endif error: - mp_clear_multi(tmp, tmpa, tmpb, rnd, rndi, NULL); + mp_clear_multi(tmp, tmpa, tmpb, NULL); return err; }