GitLab

Mention dependency on GMP-6, and RSA performance regression.

* testsuite/rsa-encrypt-test.c (test_main): Fix allocation of
decrypted storage. Update test of rsa_decrypt, to allow clobbering
of all of the passed in message area.

Patch from Simo Sorce.

Use new local helper functions, with their own itch functions.

Also renamed with leading underscore, and updated all callers.

Signed-off-by: Simo Sorce <simo@redhat.com>

Signed-off-by: Simo Sorce <simo@redhat.com>

add a side-channel silent pkcs1 decoding function for use in older
APIs.
Signed-off-by: Simo Sorce <simo@redhat.com>

* testsuite/rsa-sec-decrypt-test.c (rsa_decrypt_for_test): Tweak
valgrind marking, and document potential leakage of lowest and
highest bits of p and q.

* rsa-sec-compute-root.c (_rsa_sec_compute_root): Avoid calls to
mpz_sizeinbase, since that potentially leaks most significant bits
of private key parameters a and b.

Signed-off-by: Simo Sorce <simo@redhat.com>

Use side-channel silent RSA root function as well as PKCS1 padding
functions.
This variant accepts only a fixed length message, and returns error
if the pkcs1 padding returns a different length message.
The buffer is always left unchanged on error so that a TLS
implementation can pre-initialize it with a random key to use on
decoding error.
Signed-off-by: Simo Sorce <simo@redhat.com>

Signed-off-by: Simo Sorce <simo@redhat.com>

Converts limbs to uint8_t buffer without conditional jumps.
Signed-off-by: Simo Sorce <simo@redhat.com>

Signed-off-by: Simo Sorce <simo@redhat.com>

Originally from Niels, with minor changes to avoid compiler warnings.