dropbear: rsa.c comparison

comparison rsa.c @ 219:654bc8327787

merge of 9522146cb07d4576f161fc4567c2c2fbd6f61fbb and b11630c15bc4d0649dba51c3572cac6f44e0ab0e

author	Matt Johnston <matt@ucc.asn.au>
date	Fri, 08 Jul 2005 13:28:03 +0000
parents	ea9277442ef2
children	c5d3ef11155f

comparison

equal deleted inserted replaced

-:3ee0c2f85e1e
+:654bc8327787
 #include "ssh.h"
 #include "random.h"
 #ifdef DROPBEAR_RSA
-static mp_int * rsa_pad_em(rsa_key * key,
+static void rsa_pad_em(rsa_key * key,
-		const unsigned char * data, unsigned int len);
+		const unsigned char * data, unsigned int len,
+		mp_int * rsa_em);
 /* Load a public rsa key from a buffer, initialising the values.
 * The key will have the same format as buf_put_rsa_key.
 * These should be freed with rsa_key_free.
 * Returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE */
 		unsigned int len) {
 	unsigned int slen;
 	DEF_MP_INT(rsa_s);
 	DEF_MP_INT(rsa_mdash);
-	mp_int *rsa_em = NULL;
+	DEF_MP_INT(rsa_em);
 	int ret = DROPBEAR_FAILURE;
 	TRACE(("enter buf_rsa_verify"))
 	assert(key != NULL);
-	m_mp_init_multi(&rsa_mdash, &rsa_s, NULL);
+	m_mp_init_multi(&rsa_mdash, &rsa_s, &rsa_em, NULL);
 	slen = buf_getint(buf);
 	if (slen != (unsigned int)mp_unsigned_bin_size(key->n)) {
 		TRACE(("bad size"))
 		goto out;
 		TRACE(("s > n-1"))
 		goto out;
 	}
 	/* create the magic PKCS padded value */
-	rsa_em = rsa_pad_em(key, data, len);
+	rsa_pad_em(key, data, len, &rsa_em);
 	if (mp_exptmod(&rsa_s, key->e, key->n, &rsa_mdash) != MP_OKAY) {
 		TRACE(("failed exptmod rsa_s"))
 		goto out;
 	}
-	if (mp_cmp(rsa_em, &rsa_mdash) == MP_EQ) {
+	if (mp_cmp(&rsa_em, &rsa_mdash) == MP_EQ) {
 		/* signature is valid */
 		TRACE(("success!"))
 		ret = DROPBEAR_SUCCESS;
 	}
 out:
-	if (rsa_em) {
+	mp_clear_multi(&rsa_mdash, &rsa_s, &rsa_em, NULL);
-		mp_clear(rsa_em);
-		m_free(rsa_em);
-	}
-	mp_clear_multi(&rsa_mdash, &rsa_s, NULL);
 	TRACE(("leave buf_rsa_verify: ret %d", ret))
 	return ret;
+}
-}
 #endif /* DROPBEAR_SIGNKEY_VERIFY */
 /* Sign the data presented with key, writing the signature contents
 * to the buffer */
 void buf_put_rsa_sign(buffer* buf, rsa_key *key, const unsigned char* data,
 		unsigned int len) {
 	unsigned int nsize, ssize;
 	unsigned int i;
 	DEF_MP_INT(rsa_s);
-	mp_int *rsa_em = NULL;
+	DEF_MP_INT(rsa_tmp1);
+	DEF_MP_INT(rsa_tmp2);
+	DEF_MP_INT(rsa_tmp3);
+	unsigned char *tmpbuf;
 	TRACE(("enter buf_put_rsa_sign"))
 	assert(key != NULL);
-	rsa_em = rsa_pad_em(key, data, len);
+	m_mp_init_multi(&rsa_s, &rsa_tmp1, &rsa_tmp2, &rsa_tmp3, NULL);
-	m_mp_init(&rsa_s);
+	rsa_pad_em(key, data, len, &rsa_tmp1);
 	/* the actual signing of the padded data */
+#ifdef RSA_BLINDING
+	/* With blinding, s = (r^(-1))((em)*r^e)^d mod n */
+	/* generate the r blinding value */
+	/* rsa_tmp2 is r */
+	gen_random_mpint(key->n, &rsa_tmp2);
+	/* rsa_tmp1 is em */
+	/* em' = em * r^e mod n */
+	mp_exptmod(&rsa_tmp2, key->e, key->n, &rsa_s); /* rsa_s used as a temp var*/
+	mp_invmod(&rsa_tmp2, key->n, &rsa_tmp3);
+	mp_mulmod(&rsa_tmp1, &rsa_s, key->n, &rsa_tmp2);
+	/* rsa_tmp2 is em' */
+	/* s' = (em')^d mod n */
+	mp_exptmod(&rsa_tmp2, key->d, key->n, &rsa_tmp1);
+	/* rsa_tmp1 is s' */
+	/* rsa_tmp3 is r^(-1) mod n */
+	/* s = (s')r^(-1) mod n */
+	mp_mulmod(&rsa_tmp1, &rsa_tmp3, key->n, &rsa_s);
+#else
 	/* s = em^d mod n */
-	if (mp_exptmod(rsa_em, key->d, key->n, &rsa_s) != MP_OKAY) {
+	/* rsa_tmp1 is em */
+	if (mp_exptmod(&rsa_tmp1, key->d, key->n, &rsa_s) != MP_OKAY) {
 		dropbear_exit("rsa error");
 	}
-	mp_clear(rsa_em);
-	m_free(rsa_em);
+#endif /* RSA_BLINDING */
+	mp_clear_multi(&rsa_tmp1, &rsa_tmp2, &rsa_tmp3, NULL);
 	/* create the signature to return */
 	buf_putstring(buf, SSH_SIGNKEY_RSA, SSH_SIGNKEY_RSA_LEN);
 	nsize = mp_unsigned_bin_size(key->n);
 	}
 	buf_incrwritepos(buf, ssize);
 	mp_clear(&rsa_s);
 #if defined(DEBUG_RSA) && defined(DEBUG_TRACE)
-	printhex(buf->data, buf->len);
+	printhex("RSA sig", buf->data, buf->len);
 #endif
 	TRACE(("leave buf_put_rsa_sign"))
 }
 * where FF is repeated enough times to make EM one byte
 * shorter than the size of key->n
 *
 * prefix is the ASN1 designator prefix,
 * hex 30 21 30 09 06 05 2B 0E 03 02 1A 05 00 04 14
+*
+* rsa_em must be a pointer to an initialised mp_int.
 */
-static mp_int * rsa_pad_em(rsa_key * key,
+static void rsa_pad_em(rsa_key * key,
-		const unsigned char * data, unsigned int len) {
+		const unsigned char * data, unsigned int len,
+		mp_int * rsa_em) {
 	/* ASN1 designator (including the 0x00 preceding) */
-	const char rsa_asn1_magic[] =
+	const unsigned char rsa_asn1_magic[] =
 		{0x00, 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b,
 		 0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14};
-#define RSA_ASN1_MAGIC_LEN 16
+	const unsigned int RSA_ASN1_MAGIC_LEN = 16;
 	buffer * rsa_EM = NULL;
 	hash_state hs;
 	unsigned int nsize;
-	mp_int * rsa_em = NULL;
 	assert(key != NULL);
 	assert(data != NULL);
 	nsize = mp_unsigned_bin_size(key->n);
 	assert(rsa_EM->pos == rsa_EM->size);
 	/* Create the mp_int from the encoded bytes */
 	buf_setpos(rsa_EM, 0);
-	rsa_em = (mp_int*)m_malloc(sizeof(mp_int));
+	bytes_to_mp(rsa_em, buf_getptr(rsa_EM, rsa_EM->size),
-	m_mp_init(rsa_em);
+			rsa_EM->size);
-	if (mp_read_unsigned_bin(rsa_em, buf_getptr(rsa_EM, rsa_EM->size),
-				rsa_EM->size) != MP_OKAY) {
-		dropbear_exit("rsa error");
-	}
 	buf_free(rsa_EM);
-	return rsa_em;
 }
 #endif /* DROPBEAR_RSA */

Mercurial > dropbear

comparison rsa.c @ 219:654bc8327787