Update from PolarSSL
This commit is contained in:
NIIBE Yutaka
@@ -2,6 +2,9 @@
|
||||
|
||||
* src/openpgp.c (modify_binary): Allow odd size of certificate.
|
||||
|
||||
* polarssl/library/rsa.c: Update from PolarSSL 1.2.10.
|
||||
* polarssl/include/polarssl/rsa.h: Ditto.
|
||||
|
||||
2013-10-07 Niibe Yutaka <gniibe@fsij.org>
|
||||
|
||||
* polarssl/library/bignum.c (mpi_sub_hlp): Return CARRY.
|
||||
@@ -25,7 +28,7 @@
|
||||
|
||||
2013-10-05 Niibe Yutaka <gniibe@fsij.org>
|
||||
|
||||
* polarssl/include/polarssl/aes.h: Updated from PolarSSL 1.2.9.
|
||||
* polarssl/include/polarssl/aes.h: Update from PolarSSL 1.2.9.
|
||||
* polarssl/include/polarssl/bignum.h: Ditto.
|
||||
* polarssl/include/polarssl/config.h: Ditto.
|
||||
* polarssl/include/polarssl/rsa.h: Ditto.
|
||||
|
||||
@@ -1,5 +1,14 @@
|
||||
PolarSSL ChangeLog
|
||||
|
||||
= Version 1.2.10 released 2013-10-07
|
||||
Changes
|
||||
* Changed RSA blinding to a slower but thread-safe version
|
||||
|
||||
Bugfix
|
||||
* Fixed memory leak in RSA as a result of introduction of blinding
|
||||
* Fixed ssl_pkcs11_decrypt() prototype
|
||||
* Fixed MSVC project files
|
||||
|
||||
= Version 1.2.9 released 2013-10-01
|
||||
Changes
|
||||
* x509_verify() now case insensitive for cn (RFC 6125 6.4)
|
||||
|
||||
@@ -151,11 +151,6 @@ typedef struct
|
||||
mpi RP; /*!< cached R^2 mod P */
|
||||
mpi RQ; /*!< cached R^2 mod Q */
|
||||
|
||||
#if !defined(POLARSSL_RSA_NO_CRT)
|
||||
mpi Vi; /*!< cached blinding value */
|
||||
mpi Vf; /*!< cached un-blinding value */
|
||||
#endif
|
||||
|
||||
int padding; /*!< RSA_PKCS_V15 for 1.5 padding and
|
||||
RSA_PKCS_v21 for OAEP/PSS */
|
||||
int hash_id; /*!< Hash identifier of md_type_t as
|
||||
|
||||
@@ -252,41 +252,6 @@ cleanup:
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
#if !defined(POLARSSL_RSA_NO_CRT)
|
||||
/*
|
||||
* Generate or update blinding values, see section 10 of:
|
||||
* KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA,
|
||||
* DSS, and other systems. In : Advances in Cryptology—CRYPTO’96. Springer
|
||||
* Berlin Heidelberg, 1996. p. 104-113.
|
||||
*/
|
||||
static int rsa_prepare_blinding( rsa_context *ctx,
|
||||
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
|
||||
{
|
||||
int ret;
|
||||
|
||||
if( ctx->Vf.p != NULL )
|
||||
{
|
||||
/* We already have blinding values, just update them by squaring */
|
||||
MPI_CHK( mpi_mul_mpi( &ctx->Vi, &ctx->Vi, &ctx->Vi ) );
|
||||
MPI_CHK( mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->N ) );
|
||||
MPI_CHK( mpi_mul_mpi( &ctx->Vf, &ctx->Vf, &ctx->Vf ) );
|
||||
MPI_CHK( mpi_mod_mpi( &ctx->Vf, &ctx->Vf, &ctx->N ) );
|
||||
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
/* Unblinding value: Vf = random number */
|
||||
MPI_CHK( mpi_fill_random( &ctx->Vf, ctx->len - 1, f_rng, p_rng ) );
|
||||
|
||||
/* Blinding value: Vi = Vf^(-e) mod N */
|
||||
MPI_CHK( mpi_inv_mod( &ctx->Vi, &ctx->Vf, &ctx->N ) );
|
||||
MPI_CHK( mpi_exp_mod( &ctx->Vi, &ctx->Vi, &ctx->E, &ctx->N, &ctx->RN ) );
|
||||
|
||||
cleanup:
|
||||
return( ret );
|
||||
}
|
||||
#endif
|
||||
|
||||
/*
|
||||
* Do an RSA private key operation
|
||||
*/
|
||||
@@ -298,9 +263,10 @@ int rsa_private( rsa_context *ctx,
|
||||
{
|
||||
int ret;
|
||||
size_t olen;
|
||||
mpi T, T1, T2;
|
||||
mpi T, T1, T2, Vi, Vf;
|
||||
|
||||
mpi_init( &T ); mpi_init( &T1 ); mpi_init( &T2 );
|
||||
mpi_init( &Vi ); mpi_init( &Vf );
|
||||
|
||||
MPI_CHK( mpi_read_binary( &T, input, ctx->len ) );
|
||||
|
||||
@@ -313,6 +279,8 @@ int rsa_private( rsa_context *ctx,
|
||||
#endif
|
||||
|
||||
#if defined(POLARSSL_RSA_NO_CRT)
|
||||
((void) f_rng);
|
||||
((void) p_rng);
|
||||
MPI_CHK( mpi_exp_mod( &T, &T, &ctx->D, &ctx->N, &ctx->RN ) );
|
||||
#else
|
||||
if( f_rng != NULL )
|
||||
@@ -321,8 +289,19 @@ int rsa_private( rsa_context *ctx,
|
||||
* Blinding
|
||||
* T = T * Vi mod N
|
||||
*/
|
||||
MPI_CHK( rsa_prepare_blinding( ctx, f_rng, p_rng ) );
|
||||
MPI_CHK( mpi_mul_mpi( &T, &T, &ctx->Vi ) );
|
||||
/* Unblinding value: Vf = random number */
|
||||
MPI_CHK( mpi_fill_random( &Vf, ctx->len - 1, f_rng, p_rng ) );
|
||||
|
||||
/* Mathematically speaking, the algorithm should check Vf
|
||||
* against 0, P and Q (Vf should be relatively prime to N, and 0 < Vf < N),
|
||||
* so that Vf^-1 exists.
|
||||
*/
|
||||
|
||||
/* Blinding value: Vi = Vf^(-e) mod N */
|
||||
MPI_CHK( mpi_inv_mod( &Vi, &Vf, &ctx->N ) );
|
||||
MPI_CHK( mpi_exp_mod( &Vi, &Vi, &ctx->E, &ctx->N, &ctx->RN ) );
|
||||
|
||||
MPI_CHK( mpi_mul_mpi( &T, &T, &Vi ) );
|
||||
MPI_CHK( mpi_mod_mpi( &T, &T, &ctx->N ) );
|
||||
}
|
||||
|
||||
@@ -354,7 +333,7 @@ int rsa_private( rsa_context *ctx,
|
||||
* Unblind
|
||||
* T = T * Vf mod N
|
||||
*/
|
||||
MPI_CHK( mpi_mul_mpi( &T, &T, &ctx->Vf ) );
|
||||
MPI_CHK( mpi_mul_mpi( &T, &T, &Vf ) );
|
||||
MPI_CHK( mpi_mod_mpi( &T, &T, &ctx->N ) );
|
||||
}
|
||||
#endif
|
||||
@@ -365,6 +344,7 @@ int rsa_private( rsa_context *ctx,
|
||||
cleanup:
|
||||
|
||||
mpi_free( &T ); mpi_free( &T1 ); mpi_free( &T2 );
|
||||
mpi_free( &Vi ); mpi_free( &Vf );
|
||||
|
||||
if( ret != 0 )
|
||||
return( POLARSSL_ERR_RSA_PRIVATE_FAILED + ret );
|
||||
@@ -1351,7 +1331,6 @@ int rsa_pkcs1_verify( rsa_context *ctx,
|
||||
*/
|
||||
void rsa_free( rsa_context *ctx )
|
||||
{
|
||||
mpi_free( &ctx->Vi ); mpi_free( &ctx->Vf );
|
||||
mpi_free( &ctx->RQ ); mpi_free( &ctx->RP ); mpi_free( &ctx->RN );
|
||||
mpi_free( &ctx->QP ); mpi_free( &ctx->DQ ); mpi_free( &ctx->DP );
|
||||
mpi_free( &ctx->Q ); mpi_free( &ctx->P ); mpi_free( &ctx->D );
|
||||
|
||||
Reference in New Issue
Block a user