nisse@lysator.liu.se (Niels Möller) writes:
I've pushed ongoing work to the branch rsa-crt-hardening.
And now I've added a couple of new functions. Any comments before I merge this to the master branch? ChangeLog entries below.
The idea is that when we add documentation for the new functions it is easier to discourage use of the old RSA signature functions, which date back to 2003.
Regards, /Niels
2015-09-17 Niels Möller nisse@lysator.liu.se
* rsa-md5-sign-tr.c (rsa_md5_sign_tr, rsa_md5_sign_digest_tr): New file, new functions.
* rsa-sha1-sign-tr.c (rsa_sha1_sign_tr, rsa_sha1_sign_digest_tr): Likewise.
* rsa-sha256-sign-tr.c (rsa_sha256_sign_tr) (rsa_sha256_sign_digest_tr): Likewise.
* rsa-sha512-sign-tr.c (rsa_sha512_sign_tr) (rsa_sha512_sign_digest_tr): Likewise.
* rsa.h: Added corresponding prototypes.
* Makefile.in (hogweed_SOURCES): Added new files.
* testsuite/testutils.c (SIGN): Extend macro to test new functions, and the rsa_*_sign_digest functions. Updated callers.
2015-09-14 Niels Möller nisse@lysator.liu.se
* rsa-sign-tr.c (rsa_blind, rsa_unblind): Moved here, made static, dropped leading underscore.
* rsa-blind.c: Deleted file.
* rsa.h: Deleted corresponding declarations.
* rsa-decrypt-tr.c (rsa_decrypt_tr): Use rsa_compute_root_tr. Mainly for simplicity and consistency, I'm not aware of any CRT fault attacks on RSA decryption.
* testsuite/rsa-encrypt-test.c (test_main): Added test with invalid private key.
* rsa-sign-tr.c (rsa_compute_root_tr): New file and function.
* rsa.h: Declare it.
* rsa-pkcs1-sign-tr.c (rsa_pkcs1_sign_tr): Use rsa_compute_root_tr. (rsa_verify_res): Deleted, replaced by rsa_compute_root_tr.
* testsuite/rsa-sign-tr-test.c (test_rsa_sign_tr): Check that signature argument is unchanged on failure.
* Makefile.in (hogweed_SOURCES): Added rsa-sign-tr.c.
2015-09-13 Niels Möller nisse@lysator.liu.se
* rsa-blind.c (_rsa_blind, _rsa_unblind): Separate source and destination arguments. Updated callers.
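
The behaviour the 2015-09-14 test entries check (an invalid private key makes the operation fail, and the caller's signature argument is unchanged on failure), as an added sketch that is not Nettle's code and not part of the original message. It assumes the usual blind, CRT root, public-exponent check, unblind sequence; the toy key and the names make_key, crt_root and compute_root_checked are hypothetical.

```python
import secrets
from math import gcd

def make_key(p, q, e):
    """Build a CRT private key: a = d mod (p-1), b = d mod (q-1), c = q^-1 mod p."""
    d = pow(e, -1, (p - 1) * (q - 1))
    return {"n": p * q, "e": e, "p": p, "q": q,
            "a": d % (p - 1), "b": d % (q - 1), "c": pow(q, -1, p)}

def crt_root(key, m):
    """x = m^d mod n via two half-size exponentiations and Garner recombination."""
    xp = pow(m % key["p"], key["a"], key["p"])
    xq = pow(m % key["q"], key["b"], key["q"])
    h = (key["c"] * (xp - xq)) % key["p"]
    return xq + key["q"] * h

def compute_root_checked(key, m, out):
    """Write m^d mod n to out[0] and return True, or return False with out untouched."""
    n, e = key["n"], key["e"]
    r = secrets.randbelow(n - 2) + 2          # fresh blinding factor per call
    while gcd(r, n) != 1:
        r = secrets.randbelow(n - 2) + 2
    blinded = (m * pow(r, e, n)) % n          # m * r^e
    x = crt_root(key, blinded)                # equals m^d * r when the key is sound
    if pow(x, e, n) != blinded:               # public-key check catches a bad half
        return False                          # nothing is released to the caller
    out[0] = (x * pow(r, -1, n)) % n          # unblind only after the check passed
    return True

# Constructed toy key from two Mersenne primes; far too small for real use.
KEY = make_key(2**31 - 1, 2**61 - 1, 65537)
# Same key with one corrupted CRT exponent, standing in for an invalid private key.
BAD_KEY = dict(KEY, a=KEY["a"] + 1)

if __name__ == "__main__":
    m = 0x1234567890ABCDEF                    # stands in for a padded digest
    sig = [None]
    print(compute_root_checked(KEY, m, sig), pow(sig[0], KEY["e"], KEY["n"]) == m)
    sig = [0xDEADBEEF]
    print(compute_root_checked(BAD_KEY, m, sig), hex(sig[0]))
```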