Blind RSA operations even without CRT
diff --git a/ChangeLog b/ChangeLog
index fdcf028..23cbbac 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -5,6 +5,7 @@
Changes
* Use deterministic nonces for AEAD ciphers in TLS by default (possible to
switch back to random with POLARSSL_SSL_AEAD_RANDOM_IV in config.h).
+ * Blind RSA private operations even when POLARSSL_RSA_NO_CRT is defined.
= PolarSSL 1.3.9 released 2014-10-20
Security
diff --git a/include/polarssl/rsa.h b/include/polarssl/rsa.h
index c06c7d5..bad6009 100644
--- a/include/polarssl/rsa.h
+++ b/include/polarssl/rsa.h
@@ -99,10 +99,8 @@
mpi RP; /*!< cached R^2 mod P */
mpi RQ; /*!< cached R^2 mod Q */
-#if !defined(POLARSSL_RSA_NO_CRT)
mpi Vi; /*!< cached blinding value */
mpi Vf; /*!< cached un-blinding value */
-#endif
int padding; /*!< RSA_PKCS_V15 for 1.5 padding and
RSA_PKCS_v21 for OAEP/PSS */
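Review bot: Declaring Vi and Vf unconditionally changes the layout and size of rsa_context for builds that define POLARSSL_RSA_NO_CRT, so object code compiled against the previous header is binary-incompatible with this one; that is a reasonable consequence of the feature, but it deserves a sentence in the ChangeLog entry or the field comments. The field comments could also state the new contract, e.g. `mpi Vi; /*!< cached blinding value (used by rsa_private with and without CRT) */` and `mpi Vf; /*!< cached un-blinding value (likewise) */`. Whether rsa_init zero-initializes these two fields without a matching guard is not visible in this diff and should be confirmed, since rsa_private now dereferences them in every configuration.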
diff --git a/library/rsa.c b/library/rsa.c
index 958085c..3006e90 100644
--- a/library/rsa.c
+++ b/library/rsa.c
@@ -275,7 +275,6 @@
return( 0 );
}
-#if !defined(POLARSSL_RSA_NO_CRT)
/*
* Generate or update blinding values, see section 10 of:
* KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA,
@@ -329,7 +328,6 @@
return( ret );
}
-#endif /* !POLARSSL_RSA_NO_CRT */
/*
* Do an RSA private key operation
@@ -343,7 +341,6 @@
int ret;
size_t olen;
mpi T, T1, T2;
-#if !defined(POLARSSL_RSA_NO_CRT)
mpi *Vi, *Vf;
/*
@@ -361,7 +358,6 @@
Vi = &ctx->Vi;
Vf = &ctx->Vf;
#endif
-#endif /* !POLARSSL_RSA_NO_CRT */
mpi_init( &T ); mpi_init( &T1 ); mpi_init( &T2 );
@@ -372,11 +368,6 @@
return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
}
-#if defined(POLARSSL_RSA_NO_CRT)
- ((void) f_rng);
- ((void) p_rng);
- MPI_CHK( mpi_exp_mod( &T, &T, &ctx->D, &ctx->N, &ctx->RN ) );
-#else
if( f_rng != NULL )
{
/*
@@ -388,6 +379,9 @@
MPI_CHK( mpi_mod_mpi( &T, &T, &ctx->N ) );
}
+#if defined(POLARSSL_RSA_NO_CRT)
+ MPI_CHK( mpi_exp_mod( &T, &T, &ctx->D, &ctx->N, &ctx->RN ) );
+#else
/*
* faster decryption using the CRT
*
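Review bot: The new `#if defined(POLARSSL_RSA_NO_CRT)` branch carries no comment while the `#else` branch keeps its "faster decryption using the CRT" header, so a reader sees why the CRT path exists but not what the guard now selects or that the blinding applied just above now wraps both paths. A comment above the guard such as `/* Blinding (above) and un-blinding (below) apply to both paths; only the modular exponentiation itself depends on POLARSSL_RSA_NO_CRT. */` would make the structure explicit; the matching `#endif` is added in the following hunk. Note that blinding is still entered only when `f_rng != NULL` (visible in the preceding hunk), so the plain `mpi_exp_mod` with D remains unblinded for callers that pass no RNG; that caveat belongs in the doc comment of rsa_private, whose body starts and ends outside this hunk.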
@@ -409,6 +403,7 @@
*/
MPI_CHK( mpi_mul_mpi( &T1, &T, &ctx->Q ) );
MPI_CHK( mpi_add_mpi( &T, &T2, &T1 ) );
+#endif /* POLARSSL_RSA_NO_CRT */
if( f_rng != NULL )
{
@@ -419,14 +414,13 @@
MPI_CHK( mpi_mul_mpi( &T, &T, Vf ) );
MPI_CHK( mpi_mod_mpi( &T, &T, &ctx->N ) );
}
-#endif /* POLARSSL_RSA_NO_CRT */
olen = ctx->len;
MPI_CHK( mpi_write_binary( &T, output, olen ) );
cleanup:
mpi_free( &T ); mpi_free( &T1 ); mpi_free( &T2 );
-#if !defined(POLARSSL_RSA_NO_CRT) && defined(POLARSSL_THREADING_C)
+#if defined(POLARSSL_THREADING_C)
mpi_free( &Vi_copy ); mpi_free( &Vf_copy );
#endif
@@ -1425,10 +1419,8 @@
MPI_CHK( mpi_copy( &dst->RP, &src->RP ) );
MPI_CHK( mpi_copy( &dst->RQ, &src->RQ ) );
-#if !defined(POLARSSL_RSA_NO_CRT)
MPI_CHK( mpi_copy( &dst->Vi, &src->Vi ) );
MPI_CHK( mpi_copy( &dst->Vf, &src->Vf ) );
-#endif
dst->padding = src->padding;
dst->hash_id = src->hash_id;
@@ -1445,9 +1437,7 @@
*/
void rsa_free( rsa_context *ctx )
{
-#if !defined(POLARSSL_RSA_NO_CRT)
mpi_free( &ctx->Vi ); mpi_free( &ctx->Vf );
-#endif
mpi_free( &ctx->RQ ); mpi_free( &ctx->RP ); mpi_free( &ctx->RN );
mpi_free( &ctx->QP ); mpi_free( &ctx->DQ ); mpi_free( &ctx->DP );
mpi_free( &ctx->Q ); mpi_free( &ctx->P ); mpi_free( &ctx->D );