authorWerner Koch <wk@gnupg.org>2016-06-03 15:42:53 +0200
committerWerner Koch <wk@gnupg.org>2016-06-08 18:18:19 +0200
commit1f769e3e8442bae2f1f73c656920bb2df70153c0 (patch)
tree78090723ae73f0e80dec6db7e6103c477b42621c /cipher/rsa.c
parent52cdfb1960808aaad48b5a501bbce0e3141c3961 (diff)
downloadlibgcrypt-1f769e3e8442bae2f1f73c656920bb2df70153c0.tar.gz
rsa: Implement blinding also for signing.
* cipher/rsa.c (rsa_decrypt): Factor blinding code out to ... (secret_blinded): new. (rsa_sign): Use blinding by default. -- Although blinding of the RSA sign operation has a noticeable speed loss, we had better be on the safe side by using it by default. Signed-off-by: Werner Koch <wk@gnupg.org>
Diffstat (limited to 'cipher/rsa.c')
-rw-r--r--cipher/rsa.c92
1 files changed, 48 insertions, 44 deletions
diff --git a/cipher/rsa.c b/cipher/rsa.c
index cb3c464a..ce8e215b 100644
--- a/cipher/rsa.c
+++ b/cipher/rsa.c
@@ -1045,7 +1045,48 @@ secret (gcry_mpi_t output, gcry_mpi_t input, RSA_secret_key *skey )
}
}
+static void
+secret_blinded (gcry_mpi_t output, gcry_mpi_t input,
+ RSA_secret_key *sk, unsigned int nbits)
+{
+ gcry_mpi_t r; /* Random number needed for blinding. */
+ gcry_mpi_t ri; /* Modular multiplicative inverse of r. */
+ gcry_mpi_t bldata; /* Blinded data to decrypt. */
+
+ /* First, we need a random number r between 0 and n - 1, which is
+ * relatively prime to n (i.e. it is neither p nor q). The random
+ * number needs to be only unpredictable, thus we employ the
+ * gcry_create_nonce function by using GCRY_WEAK_RANDOM with
+ * gcry_mpi_randomize. */
+ r = mpi_snew (nbits);
+ ri = mpi_snew (nbits);
+ bldata = mpi_snew (nbits);
+
+ do
+ {
+ _gcry_mpi_randomize (r, nbits, GCRY_WEAK_RANDOM);
+ mpi_mod (r, r, sk->n);
+ }
+ while (!mpi_invm (ri, r, sk->n));
+
+ /* Do blinding. We calculate: y = (x * r^e) mod n, where r is the
+ * random number, e is the public exponent, x is the non-blinded
+ * input data and n is the RSA modulus. */
+ mpi_powm (bldata, r, sk->e, sk->n);
+ mpi_mulm (bldata, bldata, input, sk->n);
+ /* Perform decryption. */
+ secret (output, bldata, sk);
+ _gcry_mpi_release (bldata);
+
+ /* Undo blinding. Here we calculate: y = (x * r^-1) mod n, where x
+ * is the blinded decrypted data, ri is the modular multiplicative
+ * inverse of r and n is the RSA modulus. */
+ mpi_mulm (output, output, ri, sk->n);
+
+ _gcry_mpi_release (r);
+ _gcry_mpi_release (ri);
+}
/*********************************************
************** interface ******************
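Review bot: The blinding in the new `secret_blinded` masks only the base: `secret (output, bldata, sk)` still runs with the private exponent(s) in `sk` untouched, so it counters input-dependent timing but not a side channel keyed on the exponent's own bit pattern, and the function carries no header comment stating that scope. Since it now serves signatures as well as decryption, I would put above `static void secret_blinded` a comment such as `/* OUTPUT = INPUT^d mod n, computed by SECRET on a randomly blinded base; only the base is masked, the exponents in SK are used as-is. */`. The comment on the random number also says it is relatively prime to n `(i.e. it is neither p nor q)`; relatively prime means it shares no factor with n, so `(i.e. it is not a multiple of p or q)` is the accurate gloss, and that is exactly what the `mpi_invm` retry loop enforces.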
@@ -1266,9 +1307,6 @@ rsa_decrypt (gcry_sexp_t *r_plain, gcry_sexp_t s_data, gcry_sexp_t keyparms)
gcry_mpi_t data = NULL;
RSA_secret_key sk = {NULL, NULL, NULL, NULL, NULL, NULL};
gcry_mpi_t plain = NULL;
- gcry_mpi_t r = NULL; /* Random number needed for blinding. */
- gcry_mpi_t ri = NULL; /* Modular multiplicative inverse of r. */
- gcry_mpi_t bldata = NULL;/* Blinded data to decrypt. */
unsigned char *unpad = NULL;
size_t unpadlen = 0;
@@ -1321,44 +1359,10 @@ rsa_decrypt (gcry_sexp_t *r_plain, gcry_sexp_t s_data, gcry_sexp_t keyparms)
/* We use blinding by default to mitigate timing attacks which can
be practically mounted over the network as shown by Brumley and
Boney in 2003. */
- if (!(ctx.flags & PUBKEY_FLAG_NO_BLINDING))
- {
- /* First, we need a random number r between 0 and n - 1, which
- is relatively prime to n (i.e. it is neither p nor q). The
- random number needs to be only unpredictable, thus we employ
- the gcry_create_nonce function by using GCRY_WEAK_RANDOM with
- gcry_mpi_randomize. */
- r = mpi_snew (ctx.nbits);
- ri = mpi_snew (ctx.nbits);
- bldata = mpi_snew (ctx.nbits);
-
- do
- {
- _gcry_mpi_randomize (r, ctx.nbits, GCRY_WEAK_RANDOM);
- mpi_mod (r, r, sk.n);
- }
- while (!mpi_invm (ri, r, sk.n));
-
- /* Do blinding. We calculate: y = (x * r^e) mod n, where r is
- the random number, e is the public exponent, x is the
- non-blinded data and n is the RSA modulus. */
- mpi_powm (bldata, r, sk.e, sk.n);
- mpi_mulm (bldata, bldata, data, sk.n);
-
- /* Perform decryption. */
- secret (plain, bldata, &sk);
- _gcry_mpi_release (bldata); bldata = NULL;
-
- /* Undo blinding. Here we calculate: y = (x * r^-1) mod n,
- where x is the blinded decrypted data, ri is the modular
- multiplicative inverse of r and n is the RSA modulus. */
- mpi_mulm (plain, plain, ri, sk.n);
-
- _gcry_mpi_release (r); r = NULL;
- _gcry_mpi_release (ri); ri = NULL;
- }
- else
+ if ((ctx.flags & PUBKEY_FLAG_NO_BLINDING))
secret (plain, data, &sk);
+ else
+ secret_blinded (plain, data, &sk, ctx.nbits);
if (DBG_CIPHER)
log_printmpi ("rsa_decrypt res", plain);
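Review bot: The replacement flag test doubles its parentheses, `if ((ctx.flags & PUBKEY_FLAG_NO_BLINDING))`, which is the idiom for silencing an assignment-in-condition warning although no assignment is present; `if (ctx.flags & PUBKEY_FLAG_NO_BLINDING)` expresses the same test without that misleading hint. The comment above it still explains why blinding is the default, so nothing else needs to change here. rsa_decrypt begins and ends outside this hunk.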
@@ -1403,9 +1407,6 @@ rsa_decrypt (gcry_sexp_t *r_plain, gcry_sexp_t s_data, gcry_sexp_t keyparms)
_gcry_mpi_release (sk.q);
_gcry_mpi_release (sk.u);
_gcry_mpi_release (data);
- _gcry_mpi_release (r);
- _gcry_mpi_release (ri);
- _gcry_mpi_release (bldata);
sexp_release (l1);
_gcry_pk_util_free_encoding_ctx (&ctx);
if (DBG_CIPHER)
@@ -1461,7 +1462,10 @@ rsa_sign (gcry_sexp_t *r_sig, gcry_sexp_t s_data, gcry_sexp_t keyparms)
/* Do RSA computation. */
sig = mpi_new (0);
- secret (sig, data, &sk);
+ if ((ctx.flags & PUBKEY_FLAG_NO_BLINDING))
+ secret (sig, data, &sk);
+ else
+ secret_blinded (sig, data, &sk, ctx.nbits);
if (DBG_CIPHER)
log_printmpi ("rsa_sign res", sig);
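Review bot: The new `secret_blinded (sig, data, &sk, ctx.nbits)` call makes the sign path depend on two values this hunk does not show being prepared for signing: `sk.e`, which `secret_blinded` raises the blinding factor to, and `ctx.nbits`, which sizes that factor. The decrypt path used both before this commit, but rsa_sign's key extraction and encoding-context setup lie outside the hunk; if the public exponent is optional in that extraction, a key lacking it would now reach `mpi_powm` with a NULL exponent on the default path, where the previous plain `secret` call never needed `e`. An explicit NULL check on `sk.e` before the blinded call, returning an error through rsa_sign's existing cleanup path, or a comment recording that the extraction pattern makes `e` mandatory, would make that assumption visible. rsa_sign starts and ends outside this hunk.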