Move decl. of rsa_sec_compute_root_tr to internal header.

Also renamed with leading underscore, and updated all callers.

ChangeLog

 2018-11-25  Niels Möller  <nisse@lysator.liu.se>
 
+	* rsa-sign-tr.c (_rsa_sec_compute_root_tr): Renamed, from...
+	(rsa_sec_compute_root_tr): ... old name. Updated callers.
+	* rsa.h (rsa_sec_compute_root_tr): Deleted declaration, moved to ...
+	* rsa-internal.h (_rsa_sec_compute_root_tr): ... new location.
+
 	* testsuite/testutils.c (mpz_urandomb) [NETTLE_USE_MINI_GMP]: Fix
 	masking of most significant bits.
 
@@ -17,6 +22,9 @@
 	* testsuite/pkcs1-sec-decrypt-test.c (pkcs1_decrypt_for_test): Fix
 	valgrind marking of return value.
 
+	Merged below changes from Simo Sorce, to make RSA private key
+	operations side-channel silent.
+
 2018-11-08  Simo Sorce  <simo@redhat.com>
 
 	* rsa-sign.c (rsa_compute_root) [!NETTLE_USE_MINI_GMP]: Use

rsa-decrypt-tr.c

@@ -57,9 +57,9 @@ rsa_decrypt_tr(const struct rsa_public_key *pub,
   TMP_GMP_ALLOC (m, key_limb_size);
   TMP_GMP_ALLOC (em, key->size);
 
-  res = rsa_sec_compute_root_tr (pub, key, random_ctx, random, m,
-                                 mpz_limbs_read(gibberish),
-                                 mpz_size(gibberish));
+  res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, m,
+				  mpz_limbs_read(gibberish),
+				  mpz_size(gibberish));
 
   mpn_get_base256 (em, key->size, m, key_limb_size);
 

rsa-internal.h

@@ -38,6 +38,7 @@
 
 #define _rsa_sec_compute_root_itch _nettle_rsa_sec_compute_root_itch
 #define _rsa_sec_compute_root _nettle_rsa_sec_compute_root
+#define _rsa_sec_compute_root_tr _nettle_rsa_sec_compute_root_tr
 #define _pkcs1_sec_decrypt _nettle_pkcs1_sec_decrypt
 #define _pkcs1_sec_decrypt_variable _nettle_pkcs1_sec_decrypt_variable
 
@@ -49,6 +50,14 @@ _rsa_sec_compute_root(const struct rsa_private_key *key,
                       mp_limb_t *rp, const mp_limb_t *mp,
                       mp_limb_t *scratch);
 
+/* Safe side-channel silent variant, using RSA blinding, and checking the
+ * result after CRT. */
+int
+_rsa_sec_compute_root_tr(const struct rsa_public_key *pub,
+			 const struct rsa_private_key *key,
+			 void *random_ctx, nettle_random_func *random,
+			 mp_limb_t *x, const mp_limb_t *m, size_t mn);
+
 /* additional resistance to memory access side-channel attacks.
  * Note: message buffer is returned unchanged on error */
 int

rsa-sec-decrypt.c

@@ -57,9 +57,9 @@ rsa_sec_decrypt(const struct rsa_public_key *pub,
   TMP_GMP_ALLOC (m, mpz_size(pub->n));
   TMP_GMP_ALLOC (em, key->size);
 
-  res = rsa_sec_compute_root_tr (pub, key, random_ctx, random, m,
-                                 mpz_limbs_read(gibberish),
-                                 mpz_size(gibberish));
+  res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, m,
+				  mpz_limbs_read(gibberish),
+				  mpz_size(gibberish));
 
   mpn_get_base256 (em, key->size, m, mpz_size(pub->n));
 

rsa-sign-tr.c

@@ -293,10 +293,10 @@ cnd_mpn_zero (int cnd, volatile mp_ptr rp, mp_size_t n)
  * This version is side-channel silent even in case of error,
  * the destination buffer is always overwritten */
 int
-rsa_sec_compute_root_tr(const struct rsa_public_key *pub,
-		        const struct rsa_private_key *key,
-		        void *random_ctx, nettle_random_func *random,
-		        mp_limb_t *x, const mp_limb_t *m, size_t mn)
+_rsa_sec_compute_root_tr(const struct rsa_public_key *pub,
+			 const struct rsa_private_key *key,
+			 void *random_ctx, nettle_random_func *random,
+			 mp_limb_t *x, const mp_limb_t *m, size_t mn)
 {
   TMP_GMP_DECL (c, mp_limb_t);
   TMP_GMP_DECL (ri, mp_limb_t);
@@ -359,8 +359,8 @@ rsa_compute_root_tr(const struct rsa_public_key *pub,
   mp_size_t l_size = NETTLE_OCTET_SIZE_TO_LIMB_SIZE(key->size);
   TMP_GMP_ALLOC (l, l_size);
 
-  res = rsa_sec_compute_root_tr (pub, key, random_ctx, random, l,
-                                 mpz_limbs_read(m), mpz_size(m));
+  res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, l,
+				  mpz_limbs_read(m), mpz_size(m));
   if (res) {
     mp_limb_t *xp = mpz_limbs_write (x, l_size);
     mpn_copyi (xp, l, l_size);

rsa.h

@@ -91,7 +91,6 @@ extern "C" {
 #define rsa_sec_decrypt nettle_rsa_sec_decrypt
 #define rsa_compute_root nettle_rsa_compute_root
 #define rsa_compute_root_tr nettle_rsa_compute_root_tr
-#define rsa_sec_compute_root_tr _nettle_rsa_sec_compute_root_tr
 #define rsa_generate_keypair nettle_rsa_generate_keypair
 #define rsa_keypair_to_sexp nettle_rsa_keypair_to_sexp
 #define rsa_keypair_from_sexp_alist nettle_rsa_keypair_from_sexp_alist
@@ -447,14 +446,6 @@ rsa_compute_root_tr(const struct rsa_public_key *pub,
 		    void *random_ctx, nettle_random_func *random,
 		    mpz_t x, const mpz_t m);
 
-/* Safe side-channel silent variant, using RSA blinding, and checking the
- * result after CRT. */
-int
-rsa_sec_compute_root_tr(const struct rsa_public_key *pub,
-		        const struct rsa_private_key *key,
-		        void *random_ctx, nettle_random_func *random,
-		        mp_limb_t *x, const mp_limb_t *m, size_t mn);
-
 /* Key generation */
 
 /* Note that the key structs must be initialized first. */