-rw-r--r--doc/news.rst18
-rw-r--r--src/build-data/buildh.in15
-rw-r--r--src/lib/pubkey/blinding.cpp40
-rw-r--r--src/lib/pubkey/blinding.h12
4 files changed, 66 insertions, 19 deletions
diff --git a/doc/news.rst b/doc/news.rst
index e1ee423f8..cae2270bd 100644
--- a/doc/news.rst
+++ b/doc/news.rst
@@ -4,11 +4,21 @@ Release Notes
Version 1.11.22, Not Yet Released
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-* Public key operations can now be used with specified providers
- by passing an additional parameter to the constructor of
- the PK operation.
+* Public key operations can now be used with specified providers by passing an
+ additional parameter to the constructor of the PK operation.
-* OpenSSL RSA provider now supports signatures and verification.
+* OpenSSL RSA provider now supports signature creation and verification.
+
+* The blinding code used for RSA, Diffie-Hellman, ElGamal and Rabin-Williams now
+ periodically reinitializes the sequence of blinding values instead of always
+ deriving the next value by squaring the previous ones. The reinitializion
+ interval can be controlled by
+
+* Add System_RNG type. Previously the global system RNG was only accessible via
+ `system_rng` which returned a reference to the object. However is at times
+ useful to have a unique_ptr<RandomNumberGenerator> which will be either the
+ system RNG or an AutoSeeded_RNG, depending on availability, which this
+ additional type allows.
* The `configure.py` option `--no-autoload` is now also available
under the more understandable name `--minimized-build`.
diff --git a/src/build-data/buildh.in b/src/build-data/buildh.in
index eaf4181b5..31069f0ae 100644
--- a/src/build-data/buildh.in
+++ b/src/build-data/buildh.in
@@ -71,9 +71,20 @@
* representation of an ECC point. Set to zero to diable this
* side-channel countermeasure.
*/
-#define BOTAN_POINTGFP_RANDOMIZE_BLINDING_BITS 64
+#define BOTAN_POINTGFP_RANDOMIZE_BLINDING_BITS 80
-#define BOTAN_CURVE_GFP_USE_MONTGOMERY_LADDER 0
+/*
+* Normally blinding is performed by choosing a random starting point (plus
+* its inverse, of a form appropriate to the algorithm being blinded), and
+* then choosing new blinding operands by successive squaring of both
+* values. This is much faster than computing a new starting point but
+* introduces some possible coorelation
+*
+* To avoid possible leakage problems in long-running processes, the blinder
+* periodically reinitializes the sequence. This value specifies how often
+* a new sequence should be started.
+*/
+#define BOTAN_BLINDING_REINIT_INTERVAL 32
/* PK key consistency checking toggles */
#define BOTAN_PUBLIC_KEY_STRONG_CHECKS_ON_LOAD 1
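Review bot: The new comment above BOTAN_BLINDING_REINIT_INTERVAL never says what a value of 0 means, although the neighbouring BOTAN_POINTGFP_RANDOMIZE_BLINDING_BITS comment spells out "Set to zero to disable"; blinding.cpp in this commit treats 0 as "never reinitialize", so the comment should say so, e.g. `* a new sequence should be started. Set to zero to disable reinitialization.` The same comment has a typo, "coorelation" for "correlation". This hunk also drops BOTAN_CURVE_GFP_USE_MONTGOMERY_LADDER and raises the point blinding bits from 64 to 80, neither of which the news entry mentions; if both are intended they deserve a line in the commit message, and if the ladder toggle is still referenced elsewhere its removal will break that code, which I cannot see from here.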
diff --git a/src/lib/pubkey/blinding.cpp b/src/lib/pubkey/blinding.cpp
index cd2b3d118..da9def797 100644
--- a/src/lib/pubkey/blinding.cpp
+++ b/src/lib/pubkey/blinding.cpp
@@ -1,6 +1,6 @@
/*
* Blinding for public key operations
-* (C) 1999-2010 Jack Lloyd
+* (C) 1999-2010,2015 Jack Lloyd
*
* Botan is released under the Simplified BSD License (see license.txt)
*/
@@ -16,24 +16,28 @@
namespace Botan {
-// TODO: use Montgomery
-
Blinder::Blinder(const BigInt& modulus,
- std::function<BigInt (const BigInt&)> fwd_func,
- std::function<BigInt (const BigInt&)> inv_func)
+ std::function<BigInt (const BigInt&)> fwd,
+ std::function<BigInt (const BigInt&)> inv) :
+ m_fwd_fn(fwd), m_inv_fn(inv)
{
m_reducer = Modular_Reducer(modulus);
+ m_modulus_bits = modulus.bits();
#if defined(BOTAN_HAS_SYSTEM_RNG)
- auto& rng = system_rng();
+ m_rng.reset(new System_RNG);
#else
- AutoSeeded_RNG rng;
+ m_rng.reset(new AutoSeeded_RNG);
#endif
- const BigInt k(rng, modulus.bits() - 1);
+ const BigInt k = blinding_nonce();
+ m_e = m_fwd_fn(k);
+ m_d = m_inv_fn(k);
+ }
- m_e = fwd_func(k);
- m_d = inv_func(k);
+BigInt Blinder::blinding_nonce() const
+ {
+ return BigInt(*m_rng, m_modulus_bits - 1);
}
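Review bot: Blinder::blinding_nonce evaluates `m_modulus_bits - 1` on a size_t, so a modulus with bits() == 0 wraps to an enormous bit count instead of failing; the old constructor had the same expression, but it is now also reached from blind() on every reinitialization, so a guard in the constructor such as `if(m_modulus_bits < 2) throw std::invalid_argument("Blinder: modulus too small");` would close it once. In the constructor, `fwd` and `inv` are taken by value and then copied again into the members; `m_fwd_fn(std::move(fwd)), m_inv_fn(std::move(inv))` avoids the second copy. The two `m_rng.reset(new ...)` lines could also go through the initializer list, and a one-line comment on why the Blinder now owns its own RNG (it is needed again at each reinitialization, not only at construction) would help the next reader. The members written here are declared in blinding.h, outside this hunk.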
BigInt Blinder::blind(const BigInt& i) const
@@ -41,8 +45,20 @@ BigInt Blinder::blind(const BigInt& i) const
if(!m_reducer.initialized())
throw std::runtime_error("Blinder not initialized, cannot blind");
- m_e = m_reducer.square(m_e);
- m_d = m_reducer.square(m_d);
+ ++m_counter;
+
+ if(BOTAN_BLINDING_REINIT_INTERVAL > 0 && (m_counter % BOTAN_BLINDING_REINIT_INTERVAL == 0))
+ {
+ const BigInt k = blinding_nonce();
+ m_e = m_fwd_fn(k);
+ m_d = m_inv_fn(k);
+ }
+ else
+ {
+ m_e = m_reducer.square(m_e);
+ m_d = m_reducer.square(m_d);
+ }
+
return m_reducer.multiply(i, m_e);
}
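Review bot: On the reinitialization branch `m_e` is assigned from `m_fwd_fn(k)` before `m_inv_fn(k)` runs, so if the inverse function throws (for example if the caller's inv_func rejects a nonce that is not invertible modulo the modulus, which I cannot confirm from this diff) the object is left with a fresh m_e and a stale m_d, and every later blind/unblind pair silently returns wrong values. Computing both results into locals and assigning only after both succeed keeps the pair consistent; the constructor has the same ordering, but an exception there destroys the object, so only blind() is affected. A short comment above the condition that `BOTAN_BLINDING_REINIT_INTERVAL == 0` disables reinitialization would also make clear that the short-circuit is what keeps `m_counter % 0` from being evaluated.
```cpp
   if(BOTAN_BLINDING_REINIT_INTERVAL > 0 && (m_counter % BOTAN_BLINDING_REINIT_INTERVAL == 0))
      {
      // Compute both values before touching the members, so a throw from
      // either function cannot leave m_e and m_d out of sync.
      const BigInt k = blinding_nonce();
      BigInt e = m_fwd_fn(k);
      BigInt d = m_inv_fn(k);
      m_e = std::move(e);
      m_d = std::move(d);
      }
   // … unchanged: squaring branch and final multiply …
```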
diff --git a/src/lib/pubkey/blinding.h b/src/lib/pubkey/blinding.h
index e57c7888e..2525276ca 100644
--- a/src/lib/pubkey/blinding.h
+++ b/src/lib/pubkey/blinding.h
@@ -1,6 +1,6 @@
/*
* Blinding for public key operations
-* (C) 1999-2010 Jack Lloyd
+* (C) 1999-2010,2015 Jack Lloyd
*
* Botan is released under the Simplified BSD License (see license.txt)
*/
@@ -14,6 +14,8 @@
namespace Botan {
+class RandomNumberGenerator;
+
/**
* Blinding Function Object
*/
@@ -33,8 +35,16 @@ class BOTAN_DLL Blinder
std::function<BigInt (const BigInt&)> inv_func);
private:
+ BigInt blinding_nonce() const;
+
Modular_Reducer m_reducer;
+ std::unique_ptr<RandomNumberGenerator> m_rng;
+ std::function<BigInt (const BigInt&)> m_fwd_fn;
+ std::function<BigInt (const BigInt&)> m_inv_fn;
+ size_t m_modulus_bits = 0;
+
mutable BigInt m_e, m_d;
+ mutable size_t m_counter = 0;
};
}
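Review bot: `m_rng` is a `std::unique_ptr<RandomNumberGenerator>` while the earlier hunk of this file only forward-declares RandomNumberGenerator, and Blinder has no user-declared destructor; the unique_ptr deleter is instantiated wherever the implicit inline `~Blinder` is, so any translation unit that destroys a Blinder without seeing the complete RandomNumberGenerator type fails to compile (std::default_delete static-asserts on incomplete types). Declaring `~Blinder();` here and defining it in blinding.cpp, where the RNG headers are already included, pins the deleter to one place. The unique_ptr member also makes Blinder move-only; if any code copied Blinder values that now breaks, which this diff does not show. The new private members would benefit from a comment on `m_counter`, e.g. `// blind() calls so far; the sequence is restarted every BOTAN_BLINDING_REINIT_INTERVAL calls`.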