From 62e00a321e7a13ce43cb945c74f38aab6ed09ecc Mon Sep 17 00:00:00 2001
From: NIIBE Yutaka
Date: Tue, 8 Oct 2013 10:43:50 +0900
Subject: [PATCH] Update from PolarSSL

---
 ChangeLog | 5 ++-
 polarssl/ChangeLog | 9 +++++
 polarssl/include/polarssl/rsa.h | 5 ---
 polarssl/library/rsa.c | 59 +++++++++++----------------------
 4 files changed, 32 insertions(+), 46 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 73739ed..66ded49 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,9 @@
 * src/openpgp.c (modify_binary): Allow odd size of certificate.
+ * polarssl/library/rsa.c: Update from PolarSSL 1.2.10.
+ * polarssl/include/polarssl/rsa.h: Ditto.
+
 2013-10-07 Niibe Yutaka
 * polarssl/library/bignum.c (mpi_sub_hlp): Return CARRY.
@@ -25,7 +28,7 @@
 2013-10-05 Niibe Yutaka
- * polarssl/include/polarssl/aes.h: Updated from PolarSSL 1.2.9.
+ * polarssl/include/polarssl/aes.h: Update from PolarSSL 1.2.9.
 * polarssl/include/polarssl/bignum.h: Ditto.
 * polarssl/include/polarssl/config.h: Ditto.
 * polarssl/include/polarssl/rsa.h: Ditto.
diff --git a/polarssl/ChangeLog b/polarssl/ChangeLog
index 80208e5..86beaf7 100644
--- a/polarssl/ChangeLog
+++ b/polarssl/ChangeLog
@@ -1,5 +1,14 @@
 PolarSSL ChangeLog
+= Version 1.2.10 released 2013-10-07
+Changes
+ * Changed RSA blinding to a slower but thread-safe version
+
+Bugfix
+ * Fixed memory leak in RSA as a result of introduction of blinding
+ * Fixed ssl_pkcs11_decrypt() prototype
+ * Fixed MSVC project files
+
 = Version 1.2.9 released 2013-10-01
 Changes
 * x509_verify() now case insensitive for cn (RFC 6125 6.4)
diff --git a/polarssl/include/polarssl/rsa.h b/polarssl/include/polarssl/rsa.h
index f98c842..0377e98 100644
--- a/polarssl/include/polarssl/rsa.h
+++ b/polarssl/include/polarssl/rsa.h
@@ -151,11 +151,6 @@ typedef struct
 mpi RP; /*!< cached R^2 mod P */
 mpi RQ; /*!< cached R^2 mod Q */
-#if !defined(POLARSSL_RSA_NO_CRT)
- mpi Vi; /*!< cached blinding value */
- mpi Vf; /*!< cached un-blinding value */
-#endif
-
 int padding; /*!< RSA_PKCS_V15 for 1.5 padding and RSA_PKCS_v21 for OAEP/PSS */
 int hash_id; /*!< Hash identifier of md_type_t as
diff --git a/polarssl/library/rsa.c b/polarssl/library/rsa.c
index 0847e46..901e32b 100644
--- a/polarssl/library/rsa.c
+++ b/polarssl/library/rsa.c
@@ -252,41 +252,6 @@ cleanup:
 return( 0 );
 }
-#if !defined(POLARSSL_RSA_NO_CRT)
-/*
- * Generate or update blinding values, see section 10 of:
- * KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA,
- * DSS, and other systems. In : Advances in Cryptology—CRYPTO’96. Springer
- * Berlin Heidelberg, 1996. p. 104-113.
- */
-static int rsa_prepare_blinding( rsa_context *ctx,
- int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
-{
- int ret;
- if( ctx->Vf.p != NULL )
- {
- /* We already have blinding values, just update them by squaring */
- MPI_CHK( mpi_mul_mpi( &ctx->Vi, &ctx->Vi, &ctx->Vi ) );
- MPI_CHK( mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->N ) );
- MPI_CHK( mpi_mul_mpi( &ctx->Vf, &ctx->Vf, &ctx->Vf ) );
- MPI_CHK( mpi_mod_mpi( &ctx->Vf, &ctx->Vf, &ctx->N ) );
- return( 0 );
- }
- /* Unblinding value: Vf = random number */
- MPI_CHK( mpi_fill_random( &ctx->Vf, ctx->len - 1, f_rng, p_rng ) );
- /* Blinding value: Vi = Vf^(-e) mod N */
- MPI_CHK( mpi_inv_mod( &ctx->Vi, &ctx->Vf, &ctx->N ) );
- MPI_CHK( mpi_exp_mod( &ctx->Vi, &ctx->Vi, &ctx->E, &ctx->N, &ctx->RN ) );
-cleanup:
- return( ret );
-}
-#endif
-
 /*
 * Do an RSA private key operation
 */
@@ -298,9 +263,10 @@ int rsa_private( rsa_context *ctx,
 {
 int ret;
 size_t olen;
- mpi T, T1, T2;
+ mpi T, T1, T2, Vi, Vf;
 mpi_init( &T ); mpi_init( &T1 ); mpi_init( &T2 );
+ mpi_init( &Vi ); mpi_init( &Vf );
 MPI_CHK( mpi_read_binary( &T, input, ctx->len ) );
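Review bot: Removing Vi and Vf from rsa_context changes the size and layout of a struct whose definition is public in rsa.h (the `typedef struct` in the hunk context), so anything compiled against the previous header has to be rebuilt, and neither the header nor the ChangeLog entry for it records that. The struct definition starts and ends outside this hunk. I would extend the entry in ChangeLog to `* polarssl/include/polarssl/rsa.h: Ditto. Vi and Vf dropped from rsa_context (layout change; rebuild dependents).` so the incompatibility is discoverable later.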
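Review bot: In the hunk at line 298, Vi and Vf are declared and initialised on every rsa_private call regardless of POLARSSL_RSA_NO_CRT, yet the hunk at 313 shows that configuration only casts f_rng and p_rng to void and never touches them, and the hunk at 365 frees them unconditionally too. That is harmless, but it makes the NO_CRT build pay two mpi_init/mpi_free pairs for nothing and hides the fact that blinding exists only on the CRT path. Wrapping `mpi T, T1, T2, Vi, Vf;` (split back into `mpi T, T1, T2;` plus a guarded `mpi Vi, Vf;`), the `mpi_init( &Vi ); mpi_init( &Vf );` line and the matching `mpi_free( &Vi ); mpi_free( &Vf );` in `#if !defined(POLARSSL_RSA_NO_CRT)` would make the split explicit. rsa_private's body continues outside this hunk.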
@@ -313,6 +279,8 @@ int rsa_private( rsa_context *ctx,
 #endif
 #if defined(POLARSSL_RSA_NO_CRT)
+ ((void) f_rng);
+ ((void) p_rng);
 MPI_CHK( mpi_exp_mod( &T, &T, &ctx->D, &ctx->N, &ctx->RN ) );
 #else
 if( f_rng != NULL )
@@ -321,8 +289,19 @@ int rsa_private( rsa_context *ctx,
 * Blinding
 * T = T * Vi mod N
 */
- MPI_CHK( rsa_prepare_blinding( ctx, f_rng, p_rng ) );
- MPI_CHK( mpi_mul_mpi( &T, &T, &ctx->Vi ) );
+ /* Unblinding value: Vf = random number */
+ MPI_CHK( mpi_fill_random( &Vf, ctx->len - 1, f_rng, p_rng ) );
+
+ /* Mathematically speaking, the algorithm should check Vf
+ * against 0, P and Q (Vf should be relatively prime to N, and 0 < Vf < N),
+ * so that Vf^-1 exists.
+ */
+
+ /* Blinding value: Vi = Vf^(-e) mod N */
+ MPI_CHK( mpi_inv_mod( &Vi, &Vf, &ctx->N ) );
+ MPI_CHK( mpi_exp_mod( &Vi, &Vi, &ctx->E, &ctx->N, &ctx->RN ) );
+
+ MPI_CHK( mpi_mul_mpi( &T, &T, &Vi ) );
 MPI_CHK( mpi_mod_mpi( &T, &T, &ctx->N ) );
 }
@@ -354,7 +333,7 @@ int rsa_private( rsa_context *ctx,
 * Unblind
 * T = T * Vf mod N
 */
- MPI_CHK( mpi_mul_mpi( &T, &T, &ctx->Vf ) );
+ MPI_CHK( mpi_mul_mpi( &T, &T, &Vf ) );
 MPI_CHK( mpi_mod_mpi( &T, &T, &ctx->N ) );
 }
 #endif
@@ -365,6 +344,7 @@ int rsa_private( rsa_context *ctx,
 cleanup:
 mpi_free( &T ); mpi_free( &T1 ); mpi_free( &T2 );
+ mpi_free( &Vi ); mpi_free( &Vf );
 if( ret != 0 )
 return( POLARSSL_ERR_RSA_PRIVATE_FAILED + ret );
@@ -1351,7 +1331,6 @@ int rsa_pkcs1_verify( rsa_context *ctx,
 */
 void rsa_free( rsa_context *ctx )
 {
- mpi_free( &ctx->Vi ); mpi_free( &ctx->Vf );
 mpi_free( &ctx->RQ ); mpi_free( &ctx->RP ); mpi_free( &ctx->RN );
 mpi_free( &ctx->QP ); mpi_free( &ctx->DQ ); mpi_free( &ctx->DP );
 mpi_free( &ctx->Q ); mpi_free( &ctx->P ); mpi_free( &ctx->D );
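Review bot: In the hunk at line 321 the new comment says Vf "should" be checked against 0, P and Q, but the lines after it add no such check, so a reader cannot tell whether a bad draw is silently tolerated; what the code actually does is call `mpi_inv_mod( &Vi, &Vf, &ctx->N )` under MPI_CHK, so presumably a Vf with no inverse makes that call fail and jumps to cleanup, where the hunk at 365 returns POLARSSL_ERR_RSA_PRIVATE_FAILED + ret rather than ever running the private exponent unblinded. Drawing Vf as ctx->len - 1 bytes also keeps it below N if ctx->len is N's byte length, and with a sound f_rng a zero or non-coprime Vf is negligible, so the omission is acceptable but the comment should state the actual contract instead of reading like an open TODO: `/* Vf is len-1 bytes, so Vf < N; if Vf is 0 or shares a factor with N then mpi_inv_mod fails and MPI_CHK aborts the whole operation, which a sound RNG makes negligible. */`. A second point worth a one-line comment at the same place: because the cached-and-squared values from the removed rsa_prepare_blinding (hunk at 252) are gone, every call now pays a fresh mpi_inv_mod and mpi_exp_mod, which is the "slower but thread-safe" trade-off only polarssl/ChangeLog records. rsa_private starts and ends outside this hunk.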