Fix for RSA Blinding

NIIBE Yutaka gniibe at
Tue Jan 28 08:14:52 CET 2014


I think that we need a fix for RSA blinding.  When the random value is
not coprime to N, rsa_decrypt simply fails with GPG_ERR_INTERNAL.

Comment says "r" should be relatively prime to N, but there is no code
to guarantee that.  It would be better comment mentioned multiples of
p (and q), too.

When computation of invert successes, it means it's not coprime.  Thus,
this is my proposal fix.

diff --git a/cipher/rsa.c b/cipher/rsa.c
index e595e38..9a8d235 100644
--- a/cipher/rsa.c
+++ b/cipher/rsa.c
@@ -1023,13 +1023,12 @@ rsa_decrypt (gcry_sexp_t *r_plain, gcry_sexp_t s_data, gcry_sexp_t keyparms)
       ri = mpi_snew (ctx.nbits);
       bldata = mpi_snew (ctx.nbits);
-      _gcry_mpi_randomize (r, ctx.nbits, GCRY_WEAK_RANDOM);
-      mpi_mod (r, r, sk.n);
-      if (!mpi_invm (ri, r, sk.n))
+      do
-          rc = GPG_ERR_INTERNAL;
-          goto leave;
+          _gcry_mpi_randomize (r, ctx.nbits, GCRY_WEAK_RANDOM);
+          mpi_mod (r, r, sk.n);
+      while (!mpi_invm (ri, r, sk.n));
       /* Do blinding.  We calculate: y = (x * r^e) mod n, where r is
          the random number, e is the public exponent, x is the

More information about the Gcrypt-devel mailing list