From 84c25e5767cc907f5b7379da734139560776e103 Mon Sep 17 00:00:00 2001
From: NIIBE Yutaka
Date: Sun, 6 Oct 2013 09:28:58 +0900
Subject: [PATCH] another way to mitigate timing attack

---
 ChangeLog | 8 +++++
 polarssl/library/bignum.c | 70 +++++++++++++++++++++++++++++++++++++--
 src/call-rsa.c | 13 ++++----
 3 files changed, 83 insertions(+), 8 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 0e0bb58..04be424 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2013-10-06 Niibe Yutaka
+
+ * polarssl/library/bignum.c (mpi_mul_hlp_mm): New. Handle
+ extra-carry in constant time to mitigate timing attack.
+ (mpi_montmul): Use mpi_mul_hlp_mm.
+ * src/call-rsa.c (rsa_sign, rsa_decrypt, rsa_verify): Don't
+ use RSA blinding.
+
 2013-10-05 Niibe Yutaka
 * polarssl/include/polarssl/aes.h: Updated from PolarSSL 1.2.9.
diff --git a/polarssl/library/bignum.c b/polarssl/library/bignum.c
index f34074b..8b7603b 100644
--- a/polarssl/library/bignum.c
+++ b/polarssl/library/bignum.c
@@ -1326,6 +1326,72 @@ int mpi_mod_int( t_uint *r, const mpi *A, t_sint b )
 return( 0 );
 }
+static void mpi_mul_hlp_mm ( size_t i, t_uint *s, t_uint *d, t_uint b)
+{
+ t_uint c = 0;
+
+#if defined(MULADDC_1024_LOOP)
+ MULADDC_1024_LOOP
+
+ for( ; i > 0; i-- )
+ {
+ MULADDC_INIT
+ MULADDC_CORE
+ MULADDC_STOP
+ }
+#elif defined(MULADDC_HUIT)
+ for( ; i >= 8; i -= 8 )
+ {
+ MULADDC_INIT
+ MULADDC_HUIT
+ MULADDC_STOP
+ }
+
+ for( ; i > 0; i-- )
+ {
+ MULADDC_INIT
+ MULADDC_CORE
+ MULADDC_STOP
+ }
+#else
+ for( ; i >= 16; i -= 16 )
+ {
+ MULADDC_INIT
+ MULADDC_CORE MULADDC_CORE
+ MULADDC_CORE MULADDC_CORE
+ MULADDC_CORE MULADDC_CORE
+ MULADDC_CORE MULADDC_CORE
+
+ MULADDC_CORE MULADDC_CORE
+ MULADDC_CORE MULADDC_CORE
+ MULADDC_CORE MULADDC_CORE
+ MULADDC_CORE MULADDC_CORE
+ MULADDC_STOP
+ }
+
+ for( ; i >= 8; i -= 8 )
+ {
+ MULADDC_INIT
+ MULADDC_CORE MULADDC_CORE
+ MULADDC_CORE MULADDC_CORE
+
+ MULADDC_CORE MULADDC_CORE
+ MULADDC_CORE MULADDC_CORE
+ MULADDC_STOP
+ }
+
+ for( ; i > 0; i-- )
+ {
+ MULADDC_INIT
+ MULADDC_CORE
+ MULADDC_STOP
+ }
+#endif
+
+ *d += c; c = ( *d < c ); d++;
+ *d += c;
+}
+
 /*
 * Fast Montgomery initialization (thanks to Tom St Denis)
 */
@@ -1366,8 +1432,8 @@ static void mpi_montmul( mpi *A, const mpi *B, const mpi *N, t_uint mm, const mp
 u0 = A->p[i];
 u1 = ( d[0] + u0 * B->p[0] ) * mm;
- mpi_mul_hlp( m, B->p, d, u0 );
- mpi_mul_hlp( n, N->p, d, u1 );
+ mpi_mul_hlp_mm( m, B->p, d, u0);
+ mpi_mul_hlp_mm( n, N->p, d, u1);
 *d++ = u0; d[n + 1] = 0;
 }
diff --git a/src/call-rsa.c b/src/call-rsa.c
index cf6322a..b8fe79f 100644
--- a/src/call-rsa.c
+++ b/src/call-rsa.c
@@ -45,7 +45,6 @@ rsa_sign (const uint8_t *raw_message, uint8_t *output, int msg_len,
 mpi P1, Q1, H;
 int ret = 0;
 unsigned char temp[RSA_SIGNATURE_LENGTH];
- uint8_t index = 0;
 rsa_init (&rsa_ctx, RSA_PKCS_V15, 0);
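Review bot: The carry tail of `mpi_mul_hlp_mm` (`*d += c; c = ( *d < c ); d++; *d += c;`) writes two limbs beyond the ones the multiply loop consumed and discards the carry out of the second one, yet nothing states that precondition: the accumulator must have two spare limbs at that position and the top one must be unable to overflow, which appears to be what `d[n + 1] = 0` in the mpi_montmul hunk arranges — please confirm that is the only caller relying on it. A header comment should say that this is mpi_mul_hlp() with a bounded, operand-independent carry step (the point of the commit, so the running time does not leak through the `while( c != 0 )` tail), and should spell out the two-spare-limb requirement so a future caller with a tighter buffer does not overrun it. The ~60 lines of MULADDC loop bodies are a verbatim copy of mpi_mul_hlp; if they cannot share one body, a cross-reference comment in both places would keep them from drifting apart when the macros change. Minor style: `mpi_mul_hlp_mm (` and the call-site closings `u0);` / `u1);` depart from the file's `name( args )` spacing used on the lines they replace.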
@@ -56,7 +55,9 @@ rsa_sign (const uint8_t *raw_message, uint8_t *output, int msg_len,
 MPI_CHK( mpi_read_binary (&rsa_ctx.P, &kd->data[0], rsa_ctx.len / 2) );
 MPI_CHK( mpi_read_binary (&rsa_ctx.Q, &kd->data[KEY_CONTENT_LEN/2], rsa_ctx.len / 2) );
+#if 0
 MPI_CHK( mpi_mul_mpi (&rsa_ctx.N, &rsa_ctx.P, &rsa_ctx.Q) );
+#endif
 MPI_CHK( mpi_sub_int (&P1, &rsa_ctx.P, 1) );
 MPI_CHK( mpi_sub_int (&Q1, &rsa_ctx.Q, 1) );
 MPI_CHK( mpi_mul_mpi (&H, &P1, &Q1) );
@@ -70,7 +71,7 @@ rsa_sign (const uint8_t *raw_message, uint8_t *output, int msg_len,
 {
 DEBUG_INFO ("RSA sign...");
- ret = rsa_rsassa_pkcs1_v15_sign (&rsa_ctx, random_gen, &index,
+ ret = rsa_rsassa_pkcs1_v15_sign (&rsa_ctx, NULL, NULL,
 RSA_PRIVATE, SIG_RSA_RAW, msg_len, raw_message, temp);
 memcpy (output, temp, RSA_SIGNATURE_LENGTH);
@@ -127,7 +128,6 @@ rsa_decrypt (const uint8_t *input, uint8_t *output, int msg_len,
 mpi P1, Q1, H;
 int ret;
 unsigned int output_len;
- uint8_t index = 0;
 DEBUG_INFO ("RSA decrypt:");
 DEBUG_WORD ((uint32_t)&output_len);
@@ -142,7 +142,9 @@ rsa_decrypt (const uint8_t *input, uint8_t *output, int msg_len,
 MPI_CHK( mpi_read_binary (&rsa_ctx.P, &kd->data[0], KEY_CONTENT_LEN / 2) );
 MPI_CHK( mpi_read_binary (&rsa_ctx.Q, &kd->data[KEY_CONTENT_LEN/2], KEY_CONTENT_LEN / 2) );
+#if 0
 MPI_CHK( mpi_mul_mpi (&rsa_ctx.N, &rsa_ctx.P, &rsa_ctx.Q) );
+#endif
 MPI_CHK( mpi_sub_int (&P1, &rsa_ctx.P, 1) );
 MPI_CHK( mpi_sub_int (&Q1, &rsa_ctx.Q, 1) );
 MPI_CHK( mpi_mul_mpi (&H, &P1, &Q1) );
@@ -155,7 +157,7 @@ rsa_decrypt (const uint8_t *input, uint8_t *output, int msg_len,
 if (ret == 0)
 {
 DEBUG_INFO ("RSA decrypt ...");
- ret = rsa_rsaes_pkcs1_v15_decrypt (&rsa_ctx, random_gen, &index,
+ ret = rsa_rsaes_pkcs1_v15_decrypt (&rsa_ctx, NULL, NULL,
 RSA_PRIVATE, &output_len, input, output, MAX_RES_APDU_DATA_SIZE);
 }
@@ -180,7 +182,6 @@ int rsa_verify (const uint8_t *pubkey, const uint8_t *hash, const uint8_t *sig)
 {
 int ret;
- uint8_t index = 0;
 rsa_init (&rsa_ctx, RSA_PKCS_V15, 0);
 rsa_ctx.len = KEY_CONTENT_LEN;
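Review bot: Wrapping `mpi_mul_mpi (&rsa_ctx.N, &rsa_ctx.P, &rsa_ctx.Q)` in `#if 0` in rsa_sign (hunk @@ -56) and rsa_decrypt (hunk @@ -142) leaves `rsa_ctx.N` at its rsa_init() value while keeping the call around as dead code; upstream PolarSSL's rsa_private() of this era rejects the input when it is not smaller than ctx->N before doing the CRT exponentiation, so unless the rsa.c vendored in this tree has dropped that check, every private operation would now fail with a bad-input error — please confirm against the library copy here. If N is genuinely unused once blinding is off, delete the call and record the reason instead of leaving `#if 0`, e.g. `/* N is not computed: blinding is off (f_rng == NULL) and the CRT path uses P and Q only. */`. The `NULL, NULL` arguments in the two private calls (hunks @@ -70 and @@ -155) depend on the library treating a null f_rng as "skip blinding" rather than as an error, and they remove a defence that the new constant-time carry handling in bignum.c is meant to replace; a one-line comment at each call site naming that trade-off would keep a later reader from reinstating the RNG or removing the bignum change without seeing the connection. rsa_sign, rsa_decrypt and rsa_verify all continue outside these hunks.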
@@ -189,7 +190,7 @@ rsa_verify (const uint8_t *pubkey, const uint8_t *hash, const uint8_t *sig)
 DEBUG_INFO ("RSA verify...");
- MPI_CHK( rsa_rsassa_pkcs1_v15_verify (&rsa_ctx, random_gen, &index,
+ MPI_CHK( rsa_rsassa_pkcs1_v15_verify (&rsa_ctx, NULL, NULL,
 RSA_PUBLIC, SIG_RSA_SHA256, 32, hash, sig) );
 cleanup: