Move decl. of rsa_sec_compute_root_tr to internal header.

Also renamed with leading underscore, and updated all callers.

Move decl. of rsa_sec_compute_root_tr to internal header.
Also renamed with leading underscore, and updated all callers.
dbaf6abb · Niels Möller · f2bbbc28 · dbaf6abb · dbaf6abb · dbaf6abb
Commit dbaf6abb authored Nov 25, 2018 by Niels Möller
--- a/ChangeLog
+++ b/ChangeLog
 2018-11-25  Niels Möller  <nisse@lysator.liu.se>

+	* rsa-sign-tr.c (_rsa_sec_compute_root_tr): Renamed, from...
+	(rsa_sec_compute_root_tr): ... old name. Updated callers.
+	* rsa.h (rsa_sec_compute_root_tr): Deleted declaration, moved to ...
+	* rsa-internal.h (_rsa_sec_compute_root_tr): ... new location.
+
 	* testsuite/testutils.c (mpz_urandomb) [NETTLE_USE_MINI_GMP]: Fix
 	masking of most significant bits.

@@ -17,6 +22,9 @@
 	* testsuite/pkcs1-sec-decrypt-test.c (pkcs1_decrypt_for_test): Fix
 	valgrind marking of return value.

+	Merged below changes from Simo Sorce, to make RSA private key
+	operations side-channel silent.
+
 2018-11-08  Simo Sorce  <simo@redhat.com>

 	* rsa-sign.c (rsa_compute_root) [!NETTLE_USE_MINI_GMP]: Use

--- a/rsa-decrypt-tr.c
+++ b/rsa-decrypt-tr.c
@@ -57,9 +57,9 @@ rsa_decrypt_tr(const struct rsa_public_key *pub,
  TMP_GMP_ALLOC (m, key_limb_size);
  TMP_GMP_ALLOC (em, key->size);

-  res = rsa_sec_compute_root_tr (pub, key, random_ctx, random, m,
-                                 mpz_limbs_read(gibberish),
-                                 mpz_size(gibberish));
+  res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, m,
+				  mpz_limbs_read(gibberish),
+				  mpz_size(gibberish));

  mpn_get_base256 (em, key->size, m, key_limb_size);


--- a/rsa-internal.h
+++ b/rsa-internal.h
@@ -38,6 +38,7 @@

 #define _rsa_sec_compute_root_itch _nettle_rsa_sec_compute_root_itch
 #define _rsa_sec_compute_root _nettle_rsa_sec_compute_root
+#define _rsa_sec_compute_root_tr _nettle_rsa_sec_compute_root_tr
 #define _pkcs1_sec_decrypt _nettle_pkcs1_sec_decrypt
 #define _pkcs1_sec_decrypt_variable _nettle_pkcs1_sec_decrypt_variable

@@ -49,6 +50,14 @@ _rsa_sec_compute_root(const struct rsa_private_key *key,
                      mp_limb_t *rp, const mp_limb_t *mp,
                      mp_limb_t *scratch);

+/* Safe side-channel silent variant, using RSA blinding, and checking the
+ * result after CRT. */
+int
+_rsa_sec_compute_root_tr(const struct rsa_public_key *pub,
+			 const struct rsa_private_key *key,
+			 void *random_ctx, nettle_random_func *random,
+			 mp_limb_t *x, const mp_limb_t *m, size_t mn);
+
 /* additional resistance to memory access side-channel attacks.
 * Note: message buffer is returned unchanged on error */
 int

--- a/rsa-sec-decrypt.c
+++ b/rsa-sec-decrypt.c
@@ -57,9 +57,9 @@ rsa_sec_decrypt(const struct rsa_public_key *pub,
  TMP_GMP_ALLOC (m, mpz_size(pub->n));
  TMP_GMP_ALLOC (em, key->size);

-  res = rsa_sec_compute_root_tr (pub, key, random_ctx, random, m,
-                                 mpz_limbs_read(gibberish),
-                                 mpz_size(gibberish));
+  res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, m,
+				  mpz_limbs_read(gibberish),
+				  mpz_size(gibberish));

  mpn_get_base256 (em, key->size, m, mpz_size(pub->n));


--- a/rsa-sign-tr.c
+++ b/rsa-sign-tr.c
@@ -293,10 +293,10 @@ cnd_mpn_zero (int cnd, volatile mp_ptr rp, mp_size_t n)
 * This version is side-channel silent even in case of error,
 * the destination buffer is always overwritten */
 int
-rsa_sec_compute_root_tr(const struct rsa_public_key *pub,
-		        const struct rsa_private_key *key,
-		        void *random_ctx, nettle_random_func *random,
-		        mp_limb_t *x, const mp_limb_t *m, size_t mn)
+_rsa_sec_compute_root_tr(const struct rsa_public_key *pub,
+			 const struct rsa_private_key *key,
+			 void *random_ctx, nettle_random_func *random,
+			 mp_limb_t *x, const mp_limb_t *m, size_t mn)
 {
  TMP_GMP_DECL (c, mp_limb_t);
  TMP_GMP_DECL (ri, mp_limb_t);
@@ -359,8 +359,8 @@ rsa_compute_root_tr(const struct rsa_public_key *pub,
  mp_size_t l_size = NETTLE_OCTET_SIZE_TO_LIMB_SIZE(key->size);
  TMP_GMP_ALLOC (l, l_size);

-  res = rsa_sec_compute_root_tr (pub, key, random_ctx, random, l,
-                                 mpz_limbs_read(m), mpz_size(m));
+  res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, l,
+				  mpz_limbs_read(m), mpz_size(m));
  if (res) {
    mp_limb_t *xp = mpz_limbs_write (x, l_size);
    mpn_copyi (xp, l, l_size);

--- a/rsa.h
+++ b/rsa.h
@@ -91,7 +91,6 @@ extern "C" {
 #define rsa_sec_decrypt nettle_rsa_sec_decrypt
 #define rsa_compute_root nettle_rsa_compute_root
 #define rsa_compute_root_tr nettle_rsa_compute_root_tr
-#define rsa_sec_compute_root_tr _nettle_rsa_sec_compute_root_tr
 #define rsa_generate_keypair nettle_rsa_generate_keypair
 #define rsa_keypair_to_sexp nettle_rsa_keypair_to_sexp
 #define rsa_keypair_from_sexp_alist nettle_rsa_keypair_from_sexp_alist
@@ -447,14 +446,6 @@ rsa_compute_root_tr(const struct rsa_public_key *pub,
 		    void *random_ctx, nettle_random_func *random,
 		    mpz_t x, const mpz_t m);

-/* Safe side-channel silent variant, using RSA blinding, and checking the
- * result after CRT. */
-int
-rsa_sec_compute_root_tr(const struct rsa_public_key *pub,
-		        const struct rsa_private_key *key,
-		        void *random_ctx, nettle_random_func *random,
-		        mp_limb_t *x, const mp_limb_t *m, size_t mn);
-
 /* Key generation */

 /* Note that the key structs must be initialized first. */