From dbaf6abb9ce830d74559d2eab13ca0799f3baeb8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se> Date: Sun, 25 Nov 2018 19:46:30 +0100 Subject: [PATCH] Move decl. of rsa_sec_compute_root_tr to internal header. Also renamed with leading underscore, and updated all callers. --- ChangeLog | 8 ++++++++ rsa-decrypt-tr.c | 6 +++--- rsa-internal.h | 9 +++++++++ rsa-sec-decrypt.c | 6 +++--- rsa-sign-tr.c | 12 ++++++------ rsa.h | 9 --------- 6 files changed, 29 insertions(+), 21 deletions(-) diff --git a/ChangeLog b/ChangeLog index b5075c9a..a9d0b1e7 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,10 @@ 2018-11-25 Niels Möller <nisse@lysator.liu.se> + * rsa-sign-tr.c (_rsa_sec_compute_root_tr): Renamed, from... + (rsa_sec_compute_root_tr): ... old name. Updated callers. + * rsa.h (rsa_sec_compute_root_tr): Deleted declaration, moved to ... + * rsa-internal.h (_rsa_sec_compute_root_tr): ... new location. + * testsuite/testutils.c (mpz_urandomb) [NETTLE_USE_MINI_GMP]: Fix masking of most significant bits. @@ -17,6 +22,9 @@ * testsuite/pkcs1-sec-decrypt-test.c (pkcs1_decrypt_for_test): Fix valgrind marking of return value. + Merged below changes from Simo Sorce, to make RSA private key + operations side-channel silent. + 2018-11-08 Simo Sorce <simo@redhat.com> * rsa-sign.c (rsa_compute_root) [!NETTLE_USE_MINI_GMP]: Use diff --git a/rsa-decrypt-tr.c b/rsa-decrypt-tr.c index 8fbe847e..5dfb91b1 100644 --- a/rsa-decrypt-tr.c +++ b/rsa-decrypt-tr.c @@ -57,9 +57,9 @@ rsa_decrypt_tr(const struct rsa_public_key *pub, TMP_GMP_ALLOC (m, key_limb_size); TMP_GMP_ALLOC (em, key->size); - res = rsa_sec_compute_root_tr (pub, key, random_ctx, random, m, - mpz_limbs_read(gibberish), - mpz_size(gibberish)); + res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, m, + mpz_limbs_read(gibberish), + mpz_size(gibberish)); mpn_get_base256 (em, key->size, m, key_limb_size); diff --git a/rsa-internal.h b/rsa-internal.h index a1e18253..4e63f751 100644 
--- a/rsa-internal.h +++ b/rsa-internal.h @@ -38,6 +38,7 @@ #define _rsa_sec_compute_root_itch _nettle_rsa_sec_compute_root_itch #define _rsa_sec_compute_root _nettle_rsa_sec_compute_root +#define _rsa_sec_compute_root_tr _nettle_rsa_sec_compute_root_tr #define _pkcs1_sec_decrypt _nettle_pkcs1_sec_decrypt #define _pkcs1_sec_decrypt_variable _nettle_pkcs1_sec_decrypt_variable @@ -49,6 +50,14 @@ _rsa_sec_compute_root(const struct rsa_private_key *key, mp_limb_t *rp, const mp_limb_t *mp, mp_limb_t *scratch); +/* Safe side-channel silent variant, using RSA blinding, and checking the + * result after CRT. */ +int +_rsa_sec_compute_root_tr(const struct rsa_public_key *pub, + const struct rsa_private_key *key, + void *random_ctx, nettle_random_func *random, + mp_limb_t *x, const mp_limb_t *m, size_t mn); + /* additional resistance to memory access side-channel attacks. * Note: message buffer is returned unchanged on error */ int diff --git a/rsa-sec-decrypt.c b/rsa-sec-decrypt.c index 35dbe162..e6a4b267 100644 --- a/rsa-sec-decrypt.c +++ b/rsa-sec-decrypt.c @@ -57,9 +57,9 @@ rsa_sec_decrypt(const struct rsa_public_key *pub, TMP_GMP_ALLOC (m, mpz_size(pub->n)); TMP_GMP_ALLOC (em, key->size); - res = rsa_sec_compute_root_tr (pub, key, random_ctx, random, m, - mpz_limbs_read(gibberish), - mpz_size(gibberish)); + res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, m, + mpz_limbs_read(gibberish), + mpz_size(gibberish)); mpn_get_base256 (em, key->size, m, mpz_size(pub->n)); diff --git a/rsa-sign-tr.c b/rsa-sign-tr.c index 524abb5a..be320b23 100644 --- a/rsa-sign-tr.c +++ b/rsa-sign-tr.c 
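Review bot: Every caller of `_rsa_sec_compute_root_tr` now depends on the mangling `#define _rsa_sec_compute_root_tr _nettle_rsa_sec_compute_root_tr` added in this hunk, so rsa-decrypt-tr.c, rsa-sec-decrypt.c and rsa-sign-tr.c must each include rsa-internal.h; a translation unit that only includes rsa.h would reference an unmangled `_rsa_sec_compute_root_tr` and fail at link time, since the exported symbol stays `_nettle_rsa_sec_compute_root_tr`. The diffstat shows no include changes in those three files, so presumably they already include rsa-internal.h, but this is worth confirming with a clean build rather than an incremental one. Removing the declaration from rsa.h is also a source-level API removal for anything built against the previous header, even though the symbol name is unchanged; the ChangeLog entry could state that explicitly.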
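Review bot: The comment on the new declaration (`Safe side-channel silent variant, using RSA blinding, and checking the result after CRT.`) omits the output contract the callers rely on: rsa-decrypt-tr.c and rsa-sec-decrypt.c pass `m` straight to `mpn_get_base256` without testing `res`, which is only safe because the definition in rsa-sign-tr.c promises the destination is always overwritten, even on error. Suggest carrying that promise into the header, e.g. `/* Safe side-channel silent variant, using RSA blinding, and checking the result after CRT. x is always fully written, also on failure, so callers may consume it unconditionally. Returns non-zero on success, 0 on failure. */`. It would also help to state how many limbs `x` must hold; the callers in this commit size it to the modulus limb count (`mpz_size(pub->n)` or `NETTLE_OCTET_SIZE_TO_LIMB_SIZE(key->size)`), but the exact requirement should be confirmed against the function body, which lies outside the visible hunks.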
@@ -293,10 +293,10 @@ cnd_mpn_zero (int cnd, volatile mp_ptr rp, mp_size_t n) * This version is side-channel silent even in case of error, * the destination buffer is always overwritten */ int -rsa_sec_compute_root_tr(const struct rsa_public_key *pub, - const struct rsa_private_key *key, - void *random_ctx, nettle_random_func *random, - mp_limb_t *x, const mp_limb_t *m, size_t mn) +_rsa_sec_compute_root_tr(const struct rsa_public_key *pub, + const struct rsa_private_key *key, + void *random_ctx, nettle_random_func *random, + mp_limb_t *x, const mp_limb_t *m, size_t mn) { TMP_GMP_DECL (c, mp_limb_t); TMP_GMP_DECL (ri, mp_limb_t); @@ -359,8 +359,8 @@ rsa_compute_root_tr(const struct rsa_public_key *pub, mp_size_t l_size = NETTLE_OCTET_SIZE_TO_LIMB_SIZE(key->size); TMP_GMP_ALLOC (l, l_size); - res = rsa_sec_compute_root_tr (pub, key, random_ctx, random, l, - mpz_limbs_read(m), mpz_size(m)); + res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, l, + mpz_limbs_read(m), mpz_size(m)); if (res) { mp_limb_t *xp = mpz_limbs_write (x, l_size); mpn_copyi (xp, l, l_size); diff --git a/rsa.h b/rsa.h index 108bc7da..0aac6a26 100644 --- a/rsa.h +++ b/rsa.h @@ -91,7 +91,6 @@ extern "C" { #define rsa_sec_decrypt nettle_rsa_sec_decrypt #define rsa_compute_root nettle_rsa_compute_root #define rsa_compute_root_tr nettle_rsa_compute_root_tr -#define rsa_sec_compute_root_tr _nettle_rsa_sec_compute_root_tr #define rsa_generate_keypair nettle_rsa_generate_keypair #define rsa_keypair_to_sexp nettle_rsa_keypair_to_sexp #define rsa_keypair_from_sexp_alist nettle_rsa_keypair_from_sexp_alist 
@@ -447,14 +446,6 @@ rsa_compute_root_tr(const struct rsa_public_key *pub, void *random_ctx, nettle_random_func *random, mpz_t x, const mpz_t m); -/* Safe side-channel silent variant, using RSA blinding, and checking the - * result after CRT. */ -int -rsa_sec_compute_root_tr(const struct rsa_public_key *pub, - const struct rsa_private_key *key, - void *random_ctx, nettle_random_func *random, - mp_limb_t *x, const mp_limb_t *m, size_t mn); - /* Key generation */ /* Note that the key structs must be initialized first. */ -- GitLab