author | Marcus Brinkmann <[email protected]> | 2017-07-07 12:03:10 +0000 |
---|---|---|
committer | NIIBE Yutaka <[email protected]> | 2017-07-07 12:03:10 +0000 |
commit | 8fd9f72e1b2e578e45c98c978cab4f6d47683d2c (patch) | |
tree | 7c88efa43252549b44dffb753734a635fc176e43 | |
parent | mpi: Minor fix for mpi_pow. (diff) | |
rsa: Add exponent blinding.
* cipher/rsa.c (secret): Blind secret D with a randomized
nonce R for the mpi_powm computation.
--
Backport of libgcrypt 8725c99ffa41778f382ca97233183bcd687bb0ce.
Signed-off-by: Marcus Brinkmann <[email protected]>
-rw-r--r-- | cipher/rsa.c | 33 |
1 files changed, 29 insertions, 4 deletions
diff --git a/cipher/rsa.c b/cipher/rsa.c
index 5efab1d6f..5d7b4f763 100644
--- a/cipher/rsa.c
+++ b/cipher/rsa.c
@@ -29,6 +29,7 @@
 #include <string.h>
 #include "util.h"
 #include "mpi.h"
+#include "../mpi/mpi-internal.h"
 #include "cipher.h"
 #include "rsa.h"
@@ -325,14 +326,38 @@ secret(MPI output, MPI input, RSA_secret_key *skey )
 # endif /* USE_BLINDING */
 /* RSA secret operation: */
- /* m1 = c ^ (d mod (p-1)) mod p */
+ MPI D_blind = mpi_alloc_secure (nlimbs);
+ MPI rr;
+ unsigned int rr_nbits;
+
+ rr_nbits = mpi_get_nbits (skey->p) / 4;
+ if (rr_nbits < 96)
+ rr_nbits = 96;
+ rr = mpi_alloc_secure ( (rr_nbits + BITS_PER_MPI_LIMB-1)/BITS_PER_MPI_LIMB );
+
+ /* d_blind = (d mod (p-1)) + (p-1) * r */
+ /* m1 = c ^ d_blind mod p */
+ randomize_mpi (rr, rr_nbits, 0);
+ mpi_set_highbit (rr, rr_nbits - 1);
 mpi_sub_ui( h, skey->p, 1 );
+ mpi_mul ( D_blind, h, rr );
 mpi_fdiv_r( h, skey->d, h );
- mpi_powm( m1, input, h, skey->p );
- /* m2 = c ^ (d mod (q-1)) mod q */
+ mpi_add ( D_blind, D_blind, h );
+ mpi_powm ( m1, input, D_blind, skey->p );
+
+ /* d_blind = (d mod (q-1)) + (q-1) * r */
+ /* m2 = c ^ d_blind mod q */
+ randomize_mpi (rr, rr_nbits, 0);
+ mpi_set_highbit (rr, rr_nbits - 1);
 mpi_sub_ui( h, skey->q, 1 );
+ mpi_mul ( D_blind, h, rr );
 mpi_fdiv_r( h, skey->d, h );
- mpi_powm( m2, input, h, skey->q );
+ mpi_add ( D_blind, D_blind, h );
+ mpi_powm ( m2, input, D_blind, skey->q );
+
+ mpi_free ( rr );
+ mpi_free ( D_blind );
+
 /* h = u * ( m2 - m1 ) mod q */
 mpi_sub( h, m2, m1 );
 if ( mpi_is_neg( h ) )
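Review bot: The security reasoning behind the new code is nowhere stated in the hunk — only the arithmetic is commented — in particular why `mpi_set_highbit (rr, rr_nbits - 1)` follows each `randomize_mpi` and why `rr_nbits` is floored at 96; I would put above the first `randomize_mpi` the comment `/* Fresh r for every exponentiation.  Forcing the top bit keeps r, and so d_blind, at a fixed bit length, so the exponent length does not vary with the random value. */` and on the `if (rr_nbits < 96)` line `/* Minimum blinding width for small p -- TODO confirm rationale against the upstream libgcrypt commit. */`. The level argument `0` passed to `randomize_mpi` presumably selects the weakest random-quality level, and since the message calls this a backport it is worth confirming in review that it matches the upstream call rather than being a placeholder. `rr` and `D_blind` are released on the single straight-line path the hunk shows, with no return between the `mpi_alloc_secure` calls and the two `mpi_free` calls, which is correct today but would leak secure memory if an error return were later added in between. `secret()` begins before this hunk and continues after it, and `nlimbs` and `h` are defined outside it.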