/src/nettle/rsa-sec-decrypt.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* rsa-sec-decrypt.c |
2 | | |
3 | | RSA decryption, using randomized RSA blinding to be more resistant |
4 | | to side-channel attacks like timing attacks or cache based memory |
5 | | access measurements. |
6 | | |
7 | | Copyright (C) 2001, 2012 Niels Möller, Nikos Mavrogiannopoulos |
8 | | Copyright (C) 2018 Red Hat, Inc. |
9 | | |
10 | | This file is part of GNU Nettle. |
11 | | |
12 | | GNU Nettle is free software: you can redistribute it and/or |
13 | | modify it under the terms of either: |
14 | | |
15 | | * the GNU Lesser General Public License as published by the Free |
16 | | Software Foundation; either version 3 of the License, or (at your |
17 | | option) any later version. |
18 | | |
19 | | or |
20 | | |
21 | | * the GNU General Public License as published by the Free |
22 | | Software Foundation; either version 2 of the License, or (at your |
23 | | option) any later version. |
24 | | |
25 | | or both in parallel, as here. |
26 | | |
27 | | GNU Nettle is distributed in the hope that it will be useful, |
28 | | but WITHOUT ANY WARRANTY; without even the implied warranty of |
29 | | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
30 | | General Public License for more details. |
31 | | |
32 | | You should have received copies of the GNU General Public License and |
33 | | the GNU Lesser General Public License along with this program. If |
34 | | not, see http://www.gnu.org/licenses/. |
35 | | */ |
36 | | |
37 | | #if HAVE_CONFIG_H |
38 | | # include "config.h" |
39 | | #endif |
40 | | |
41 | | #include "rsa.h" |
42 | | #include "pkcs1-internal.h" |
43 | | #include "rsa-internal.h" |
44 | | |
45 | | #include "gmp-glue.h" |
46 | | |
47 | | int |
48 | | rsa_sec_decrypt(const struct rsa_public_key *pub, |
49 | | const struct rsa_private_key *key, |
50 | | void *random_ctx, nettle_random_func *random, |
51 | | size_t length, uint8_t *message, |
52 | | const mpz_t gibberish) |
53 | 0 | { |
54 | 0 | TMP_GMP_DECL (m, mp_limb_t); |
55 | 0 | TMP_GMP_DECL (em, uint8_t); |
56 | 0 | int res; |
57 | | |
58 | | /* First check that input is in range. */ |
59 | 0 | if (mpz_sgn (gibberish) < 0 || mpz_cmp (gibberish, pub->n) >= 0) |
60 | 0 | return 0; |
61 | | |
62 | 0 | TMP_GMP_ALLOC (m, mpz_size(pub->n)); |
63 | 0 | TMP_GMP_ALLOC (em, key->size); |
64 | | |
65 | | /* We need a copy because m can be shorter than key_size, |
66 | | * but _rsa_sec_compute_root_tr expect all inputs to be |
67 | | * normalized to a key_size long buffer length */ |
68 | 0 | mpz_limbs_copy(m, gibberish, mpz_size(pub->n)); |
69 | |
|
70 | 0 | res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, m, m); |
71 | |
|
72 | 0 | mpn_get_base256 (em, key->size, m, mpz_size(pub->n)); |
73 | |
|
74 | 0 | res &= _pkcs1_sec_decrypt (length, message, key->size, em); |
75 | |
|
76 | 0 | TMP_GMP_FREE (em); |
77 | 0 | TMP_GMP_FREE (m); |
78 | 0 | return res; |
79 | 0 | } |
80 | | |