[git] GCRYPT - branch, master, updated. libgcrypt-1.7.0-9-gef6e4d0

by Werner Koch cvs at cvs.gnupg.org
Fri Jun 3 15:45:36 CEST 2016 

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "The GNU crypto library".

The branch, master has been updated
       via  ef6e4d004b10f5740bcd2125fb70e199dd21e3e8 (commit)
       via  82df6c63a72fdd969c3923523f10d0cef5713ac7 (commit)
      from  4121f15122501d8946f1589b303d1f7949c15e30 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit ef6e4d004b10f5740bcd2125fb70e199dd21e3e8
Author: Werner Koch <wk at gnupg.org>
Date:   Fri Jun 3 15:42:53 2016 +0200

    rsa: Implement blinding also for signing.
    
    * cipher/rsa.c (rsa_decrypt): Factor blinding code out to ...
    (secret_blinded): new.
    (rsa_sign): Use blinding by default.
    --
    
    Although blinding of the RSA sign operation has a noticable speed
    loss, we better be on the safe site by using it by default.
    
    Signed-off-by: Werner Koch <wk at gnupg.org>

diff --git a/cipher/rsa.c b/cipher/rsa.c
index cb3c464..ce8e215 100644
--- a/cipher/rsa.c
+++ b/cipher/rsa.c
@@ -1045,7 +1045,48 @@ secret (gcry_mpi_t output, gcry_mpi_t input, RSA_secret_key *skey )
     }
 }
 
+static void
+secret_blinded (gcry_mpi_t output, gcry_mpi_t input,
+                RSA_secret_key *sk, unsigned int nbits)
+{
+  gcry_mpi_t r;	           /* Random number needed for blinding.  */
+  gcry_mpi_t ri;	   /* Modular multiplicative inverse of r.  */
+  gcry_mpi_t bldata;       /* Blinded data to decrypt.  */
+
+  /* First, we need a random number r between 0 and n - 1, which is
+   * relatively prime to n (i.e. it is neither p nor q).  The random
+   * number needs to be only unpredictable, thus we employ the
+   * gcry_create_nonce function by using GCRY_WEAK_RANDOM with
+   * gcry_mpi_randomize.  */
+  r  = mpi_snew (nbits);
+  ri = mpi_snew (nbits);
+  bldata = mpi_snew (nbits);
+
+  do
+    {
+      _gcry_mpi_randomize (r, nbits, GCRY_WEAK_RANDOM);
+      mpi_mod (r, r, sk->n);
+    }
+  while (!mpi_invm (ri, r, sk->n));
+
+  /* Do blinding.  We calculate: y = (x * r^e) mod n, where r is the
+   * random number, e is the public exponent, x is the non-blinded
+   * input data and n is the RSA modulus.  */
+  mpi_powm (bldata, r, sk->e, sk->n);
+  mpi_mulm (bldata, bldata, input, sk->n);
 
+  /* Perform decryption.  */
+  secret (output, bldata, sk);
+  _gcry_mpi_release (bldata);
+
+  /* Undo blinding.  Here we calculate: y = (x * r^-1) mod n, where x
+   * is the blinded decrypted data, ri is the modular multiplicative
+   * inverse of r and n is the RSA modulus.  */
+  mpi_mulm (output, output, ri, sk->n);
+
+  _gcry_mpi_release (r);
+  _gcry_mpi_release (ri);
+}
 
 /*********************************************
  **************  interface  ******************
@@ -1266,9 +1307,6 @@ rsa_decrypt (gcry_sexp_t *r_plain, gcry_sexp_t s_data, gcry_sexp_t keyparms)
   gcry_mpi_t data = NULL;
   RSA_secret_key sk = {NULL, NULL, NULL, NULL, NULL, NULL};
   gcry_mpi_t plain = NULL;
-  gcry_mpi_t r = NULL;	   /* Random number needed for blinding.  */
-  gcry_mpi_t ri = NULL;	   /* Modular multiplicative inverse of r.  */
-  gcry_mpi_t bldata = NULL;/* Blinded data to decrypt.  */
   unsigned char *unpad = NULL;
   size_t unpadlen = 0;
 
@@ -1321,44 +1359,10 @@ rsa_decrypt (gcry_sexp_t *r_plain, gcry_sexp_t s_data, gcry_sexp_t keyparms)
   /* We use blinding by default to mitigate timing attacks which can
      be practically mounted over the network as shown by Brumley and
      Boney in 2003.  */
-  if (!(ctx.flags & PUBKEY_FLAG_NO_BLINDING))
-    {
-      /* First, we need a random number r between 0 and n - 1, which
-	 is relatively prime to n (i.e. it is neither p nor q).  The
-	 random number needs to be only unpredictable, thus we employ
-	 the gcry_create_nonce function by using GCRY_WEAK_RANDOM with
-	 gcry_mpi_randomize.  */
-      r  = mpi_snew (ctx.nbits);
-      ri = mpi_snew (ctx.nbits);
-      bldata = mpi_snew (ctx.nbits);
-
-      do
-        {
-          _gcry_mpi_randomize (r, ctx.nbits, GCRY_WEAK_RANDOM);
-          mpi_mod (r, r, sk.n);
-        }
-      while (!mpi_invm (ri, r, sk.n));
-
-      /* Do blinding.  We calculate: y = (x * r^e) mod n, where r is
-         the random number, e is the public exponent, x is the
-         non-blinded data and n is the RSA modulus.  */
-      mpi_powm (bldata, r, sk.e, sk.n);
-      mpi_mulm (bldata, bldata, data, sk.n);
-
-      /* Perform decryption.  */
-      secret (plain, bldata, &sk);
-      _gcry_mpi_release (bldata); bldata = NULL;
-
-      /* Undo blinding.  Here we calculate: y = (x * r^-1) mod n,
-         where x is the blinded decrypted data, ri is the modular
-         multiplicative inverse of r and n is the RSA modulus.  */
-      mpi_mulm (plain, plain, ri, sk.n);
-
-      _gcry_mpi_release (r); r = NULL;
-      _gcry_mpi_release (ri); ri = NULL;
-    }
-  else
+  if ((ctx.flags & PUBKEY_FLAG_NO_BLINDING))
     secret (plain, data, &sk);
+  else
+    secret_blinded (plain, data, &sk, ctx.nbits);
 
   if (DBG_CIPHER)
     log_printmpi ("rsa_decrypt  res", plain);
@@ -1403,9 +1407,6 @@ rsa_decrypt (gcry_sexp_t *r_plain, gcry_sexp_t s_data, gcry_sexp_t keyparms)
   _gcry_mpi_release (sk.q);
   _gcry_mpi_release (sk.u);
   _gcry_mpi_release (data);
-  _gcry_mpi_release (r);
-  _gcry_mpi_release (ri);
-  _gcry_mpi_release (bldata);
   sexp_release (l1);
   _gcry_pk_util_free_encoding_ctx (&ctx);
   if (DBG_CIPHER)
@@ -1461,7 +1462,10 @@ rsa_sign (gcry_sexp_t *r_sig, gcry_sexp_t s_data, gcry_sexp_t keyparms)
 
   /* Do RSA computation.  */
   sig = mpi_new (0);
-  secret (sig, data, &sk);
+  if ((ctx.flags & PUBKEY_FLAG_NO_BLINDING))
+    secret (sig, data, &sk);
+  else
+    secret_blinded (sig, data, &sk, ctx.nbits);
   if (DBG_CIPHER)
     log_printmpi ("rsa_sign    res", sig);
 

commit 82df6c63a72fdd969c3923523f10d0cef5713ac7
Author: Werner Koch <wk at gnupg.org>
Date:   Fri Jun 3 15:15:36 2016 +0200

    random: Remove debug output for getrandom(2) output.
    
    * random/rndlinux.c (_gcry_rndlinux_gather_random): Remove debug
    output.
    --
    
    Fixes-commit: ee5a32226a7ca4ab067864e06623fc11a1768900
    Signed-off-by: Werner Koch <wk at gnupg.org>

diff --git a/random/rndlinux.c b/random/rndlinux.c
index 592b9ac..f08c9f9 100644
--- a/random/rndlinux.c
+++ b/random/rndlinux.c
@@ -271,7 +271,6 @@ _gcry_rndlinux_gather_random (void (*add)(const void*, size_t,
                 log_fatal ("getrandom returned only"
                            " %ld of %zu requested bytes\n", ret, nbytes);
 
-              log_debug ("getrandom returned %zu requested bytes\n", nbytes);
               (*add)(buffer, nbytes, origin);
               length -= nbytes;
               continue; /* until LENGTH is zero.  */

-----------------------------------------------------------------------

Summary of changes:
 cipher/rsa.c      | 92 +++++++++++++++++++++++++++++--------------------------
 random/rndlinux.c |  1 -
 2 files changed, 48 insertions(+), 45 deletions(-)


hooks/post-receive
-- 
The GNU crypto library
http://git.gnupg.org


_______________________________________________
Gnupg-commits mailing list
Gnupg-commits at gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-commits

More information about the Gcrypt-devel mailing list