Fix for RSA Blinding
NIIBE Yutaka
gniibe at fsij.org
Tue Jan 28 08:14:52 CET 2014
Hello,
I think that we need a fix for RSA blinding. When the random value is
not coprime to N, rsa_decrypt simply fails with GPG_ERR_INTERNAL.
The comment says "r" should be relatively prime to N, but there is no code
to guarantee that. It would be better if the comment mentioned multiples of
p (and q), too.
When the computation of the inverse succeeds, it means it's not coprime. Thus,
this is my proposed fix.
diff --git a/cipher/rsa.c b/cipher/rsa.c
index e595e38..9a8d235 100644
--- a/cipher/rsa.c
+++ b/cipher/rsa.c
@@ -1023,13 +1023,12 @@ rsa_decrypt (gcry_sexp_t *r_plain, gcry_sexp_t s_data, gcry_sexp_t keyparms)
ri = mpi_snew (ctx.nbits);
bldata = mpi_snew (ctx.nbits);
- _gcry_mpi_randomize (r, ctx.nbits, GCRY_WEAK_RANDOM);
- mpi_mod (r, r, sk.n);
- if (!mpi_invm (ri, r, sk.n))
+ do
{
- rc = GPG_ERR_INTERNAL;
- goto leave;
+ _gcry_mpi_randomize (r, ctx.nbits, GCRY_WEAK_RANDOM);
+ mpi_mod (r, r, sk.n);
}
+ while (!mpi_invm (ri, r, sk.n));
/* Do blinding. We calculate: y = (x * r^e) mod n, where r is
the random number, e is the public exponent, x is the
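Review bot: the comment that the message itself says should mention multiples of p and q is not updated in this hunk; the trailing context `/* Do blinding. We calculate: y = (x * r^e) mod n, where r is` still carries the old wording, so the behaviour is fixed but the documentation that motivated the change is not. Suggest extending that comment to say that r must be invertible mod n (not a multiple of p or q) and that the loop just above enforces it by redrawing r whenever mpi_invm fails. The do/while has no iteration bound, which is fine because a non-invertible r is exactly a draw that shares a factor with n, but a one-line comment stating that would stop a later reader from treating it as a potential infinite loop.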
--
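As an added illustration, not code from the patch or from libgcrypt, the following Python model reproduces the blinding step and the retry-until-invertible loop the patch introduces; the toy key, the scripted sequence of r values and the helper names are constructed assumptions.

```python
import math
import random
from typing import Callable, Tuple

# Toy RSA key, constructed for illustration only (far too small for real use).
P, Q = 61, 53
N = P * Q                                # 3233
E = 17
D = pow(E, -1, (P - 1) * (Q - 1))        # 2753


def mod_inverse(r: int, n: int):
    """Return r^-1 mod n, or None when r is not coprime to n
    (the case mpi_invm reports as failure)."""
    if math.gcd(r, n) != 1:
        return None
    return pow(r, -1, n)


def blinded_decrypt(c: int, n: int, e: int, d: int,
                    draw_r: Callable[[], int]) -> Tuple[int, int]:
    """Decrypt c with blinding. As in the patched loop, keep drawing r
    until it is invertible mod n. Returns (plaintext, draws_needed)."""
    draws = 0
    while True:
        draws += 1
        r = draw_r() % n
        ri = mod_inverse(r, n)
        if ri is not None:
            break
    # y = (c * r^e) mod n: the private-key operation sees y, not c.
    y = (c * pow(r, e, n)) % n
    x_blinded = pow(y, d, n)             # equals m * r mod n
    # Unblind: x = x_blinded * r^-1 mod n.
    return (x_blinded * ri) % n, draws


def demo() -> Tuple[int, int, int]:
    """Decrypt once with a scripted r sequence (a multiple of P, then 0,
    then a coprime value) and once with random r; return both plaintexts
    and the number of draws the scripted run needed."""
    m = 65
    c = pow(m, E, N)
    scripted = iter([P * 7, 0, 1234])
    m1, draws = blinded_decrypt(c, N, E, D, lambda: next(scripted))
    m2, _ = blinded_decrypt(c, N, E, D, lambda: random.randrange(1, N))
    return m1, m2, draws
```

With the scripted sequence the first two draws (a multiple of P, then 0) are rejected exactly as the old code would have failed with GPG_ERR_INTERNAL, and the third draw completes the decryption.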
More information about the Gcrypt-devel mailing list