Fix side-channel leakage in RSA decryption

Author: Legrandin

lib/Crypto/Cipher/PKCS1_OAEP.py

@@ -167,10 +167,8 @@ def decrypt(self, ciphertext):
             raise ValueError("Ciphertext with incorrect length.")
         # Step 2a (O2SIP)
         ct_int = bytes_to_long(ciphertext)
-        # Step 2b (RSADP)
-        m_int = self._key._decrypt(ct_int)
-        # Complete step 2c (I2OSP)
-        em = long_to_bytes(m_int, k)
+        # Step 2b (RSADP) and step 2c (I2OSP)
+        em = self._key._decrypt(ct_int)
         # Step 3a
         lHash = self._hashObj.new(self._label).digest()
         # Step 3b

lib/Crypto/Cipher/PKCS1_v1_5.py

@@ -176,11 +176,8 @@ def decrypt(self, ciphertext, sentinel, expected_pt_len=0):
         # Step 2a (O2SIP)
         ct_int = bytes_to_long(ciphertext)
 
-        # Step 2b (RSADP)
-        m_int = self._key._decrypt(ct_int)
-
-        # Complete step 2c (I2OSP)
-        em = long_to_bytes(m_int, k)
+        # Step 2b (RSADP) and Step 2c (I2OSP)
+        em = self._key._decrypt(ct_int)
 
         # Step 3 (not constant time when the sentinel is not a byte string)
         output = bytes(bytearray(k))

lib/Crypto/Math/_IntegerBase.py

@@ -390,3 +390,23 @@ def random_range(cls, **kwargs):
                                     )
         return norm_candidate + min_inclusive
 
+    @staticmethod
+    @abc.abstractmethod
+    def _mult_modulo_bytes(term1, term2, modulus):
+        """Multiply two integers, take the modulo, and encode as big endian.
+        This specialized method is used for RSA decryption.
+
+        Args:
+          term1 : integer
+            The first term of the multiplication, non-negative.
+          term2 : integer
+            The second term of the multiplication, non-negative.
+          modulus: integer
+            The modulus, a positive odd number.
+        :Returns:
+            A byte string, with the result of the modular multiplication
+            encoded in big endian mode.
+            It is as long as the modulus would be, with zero padding
+            on the left if needed.
+        """
+        pass

lib/Crypto/Math/_IntegerBase.pyi

@@ -60,4 +60,8 @@ class IntegerBase:
     def random(cls, **kwargs: Union[int,RandFunc]) -> IntegerBase : ...
     @classmethod
     def random_range(cls, **kwargs: Union[int,RandFunc]) -> IntegerBase : ...
+    @staticmethod
+    def _mult_modulo_bytes(term1: Union[IntegerBase, int],
+                           term2:  Union[IntegerBase, int],
+                           modulus: Union[IntegerBase, int]) -> bytes: ...
 

lib/Crypto/Math/_IntegerCustom.py

@@ -41,12 +41,18 @@
 from Crypto.Random.random import getrandbits
 
 c_defs = """
-int monty_pow(const uint8_t *base,
-               const uint8_t *exp,
-               const uint8_t *modulus,
-               uint8_t       *out,
-               size_t len,
-               uint64_t seed);
+int monty_pow(uint8_t       *out,
+              const uint8_t *base,
+              const uint8_t *exp,
+              const uint8_t *modulus,
+              size_t        len,
+              uint64_t      seed);
+
+int monty_multiply(uint8_t       *out,
+                   const uint8_t *term1,
+                   const uint8_t *term2,
+                   const uint8_t *modulus,
+                   size_t        len);
 """
 
 
@@ -116,3 +122,41 @@ def inplace_pow(self, exponent, modulus=None):
         result = bytes_to_long(get_raw_buffer(out))
         self._value = result
         return self
+
+    @staticmethod
+    def _mult_modulo_bytes(term1, term2, modulus):
+
+        # With modular reduction
+        mod_value = int(modulus)
+        if mod_value < 0:
+            raise ValueError("Modulus must be positive")
+        if mod_value == 0:
+            raise ZeroDivisionError("Modulus cannot be zero")
+
+        # C extension only works with odd moduli
+        if (mod_value & 1) == 0:
+            raise ValueError("Odd modulus is required")
+
+        # C extension only works with non-negative terms smaller than modulus
+        if term1 >= mod_value or term1 < 0:
+            term1 %= mod_value
+        if term2 >= mod_value or term2 < 0:
+            term2 %= mod_value
+
+        modulus_b = long_to_bytes(mod_value)
+        numbers_len = len(modulus_b)
+        term1_b = long_to_bytes(term1, numbers_len)
+        term2_b = long_to_bytes(term2, numbers_len)
+        out = create_string_buffer(numbers_len)
+
+        error = _raw_montgomery.monty_multiply(
+                    out,
+                    term1_b,
+                    term2_b,
+                    modulus_b,
+                    c_size_t(numbers_len)
+                    )
+        if error:
+            raise ValueError("monty_multiply failed with error: %d" % error)
+
+        return get_raw_buffer(out)

lib/Crypto/Math/_IntegerGMP.py

@@ -749,6 +749,26 @@ def jacobi_symbol(a, n):
             raise ValueError("n must be positive odd for the Jacobi symbol")
         return _gmp.mpz_jacobi(a._mpz_p, n._mpz_p)
 
+    @staticmethod
+    def _mult_modulo_bytes(term1, term2, modulus):
+        if not isinstance(term1, IntegerGMP):
+            term1 = IntegerGMP(term1)
+        if not isinstance(term2, IntegerGMP):
+            term2 = IntegerGMP(term2)
+        if not isinstance(modulus, IntegerGMP):
+            modulus = IntegerGMP(modulus)
+
+        if modulus < 0:
+            raise ValueError("Modulus must be positive")
+        if modulus == 0:
+            raise ZeroDivisionError("Modulus cannot be zero")
+        if (modulus & 1) == 0:
+            raise ValueError("Odd modulus is required")
+
+        numbers_len = len(modulus.to_bytes())
+        result = ((term1 * term2) % modulus).to_bytes(numbers_len)
+        return result
+
     # Clean-up
     def __del__(self):
 

lib/Crypto/Math/_IntegerNative.py

@@ -368,3 +368,15 @@ def jacobi_symbol(a, n):
         n1 = n % a1
         # Step 8
         return s * IntegerNative.jacobi_symbol(n1, a1)
+
+    @staticmethod
+    def _mult_modulo_bytes(term1, term2, modulus):
+        if modulus < 0:
+            raise ValueError("Modulus must be positive")
+        if modulus == 0:
+            raise ZeroDivisionError("Modulus cannot be zero")
+        if (modulus & 1) == 0:
+            raise ValueError("Odd modulus is required")
+
+        number_len = len(long_to_bytes(modulus))
+        return long_to_bytes((term1 * term2) % modulus, number_len)

lib/Crypto/PublicKey/RSA.py

@@ -38,6 +38,7 @@
 from Crypto import Random
 from Crypto.Util.py3compat import tobytes, bord, tostr
 from Crypto.Util.asn1 import DerSequence, DerNull
+from Crypto.Util.number import bytes_to_long
 
 from Crypto.Math.Numbers import Integer
 from Crypto.Math.Primality import (test_probable_prime,
@@ -198,10 +199,11 @@ def _decrypt(self, ciphertext):
         h = ((m2 - m1) * self._u) % self._q
         mp = h * self._p + m1
         # Step 4: Compute m = m' * (r**(-1)) mod n
-        result = (r.inverse(self._n) * mp) % self._n
-        # Verify no faults occurred
-        if ciphertext != pow(result, self._e, self._n):
-            raise ValueError("Fault detected in RSA decryption")
+        # then encode into a big endian byte string
+        result = Integer._mult_modulo_bytes(
+                    r.inverse(self._n),
+                    mp,
+                    self._n)
         return result
 
     def has_private(self):

lib/Crypto/SelfTest/Math/__init__.py

@@ -38,9 +38,11 @@ def get_tests(config={}):
     from Crypto.SelfTest.Math import test_Numbers
     from Crypto.SelfTest.Math import test_Primality
     from Crypto.SelfTest.Math import test_modexp
+    from Crypto.SelfTest.Math import test_modmult
     tests += test_Numbers.get_tests(config=config)
     tests += test_Primality.get_tests(config=config)
     tests += test_modexp.get_tests(config=config)
+    tests += test_modmult.get_tests(config=config)
     return tests
 
 if __name__ == '__main__':

lib/Crypto/SelfTest/Math/test_Numbers.py

@@ -696,6 +696,34 @@ def test_hex(self):
         v1, = self.Integers(0x10)
         self.assertEqual(hex(v1), "0x10")
 
+    def test_mult_modulo_bytes(self):
+        modmult = self.Integer._mult_modulo_bytes
+
+        res = modmult(4, 5, 19)
+        self.assertEqual(res, b'\x01')
+
+        res = modmult(4 - 19, 5, 19)
+        self.assertEqual(res, b'\x01')
+
+        res = modmult(4, 5 - 19, 19)
+        self.assertEqual(res, b'\x01')
+
+        res = modmult(4 + 19, 5, 19)
+        self.assertEqual(res, b'\x01')
+
+        res = modmult(4, 5 + 19, 19)
+        self.assertEqual(res, b'\x01')
+
+        modulus = 2**512 - 1    # 64 bytes
+        t1 = 13**100
+        t2 = 17**100
+        expect = b"\xfa\xb2\x11\x87\xc3(y\x07\xf8\xf1n\xdepq\x0b\xca\xf3\xd3B,\xef\xf2\xfbf\xcc)\x8dZ*\x95\x98r\x96\xa8\xd5\xc3}\xe2q:\xa2'z\xf48\xde%\xef\t\x07\xbc\xc4[C\x8bUE2\x90\xef\x81\xaa:\x08"
+        self.assertEqual(expect, modmult(t1, t2, modulus))
+
+        self.assertRaises(ZeroDivisionError, modmult, 4, 5, 0)
+        self.assertRaises(ValueError, modmult, 4, 5, -1)
+        self.assertRaises(ValueError, modmult, 4, 5, 4)
+
 
 class TestIntegerInt(TestIntegerBase):