From f2bbbc280212702e837c154d9c7b598ff795afd7 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Sun, 25 Nov 2018 19:23:38 +0100
Subject: [PATCH] Switch rsa_compute_root to use side-channel safe variant

---
 ChangeLog  |  5 ++++-
 rsa-sign.c | 40 ++++++++++++++++++++++++++++++++++++++--
 2 files changed, 42 insertions(+), 3 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 31787d16..b5075c9a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -17,7 +17,10 @@
 	* testsuite/pkcs1-sec-decrypt-test.c (pkcs1_decrypt_for_test): Fix
 	valgrind marking of return value.
 
-2018-11-08  Simo Sorce	  <simo@redhat.com>
+2018-11-08  Simo Sorce  <simo@redhat.com>
+
+	* rsa-sign.c (rsa_compute_root) [!NETTLE_USE_MINI_GMP]: Use
+	_rsa_sec_compute_root.
 
 	* testsuite/rsa-sec-compute-root-test.c: Add more tests for new
 	side-channel silent functions.
diff --git a/rsa-sign.c b/rsa-sign.c
index 332420fe..9a6409a9 100644
--- a/rsa-sign.c
+++ b/rsa-sign.c
@@ -35,9 +35,11 @@
 # include "config.h"
 #endif
 
-#include "rsa.h"
+#include <assert.h>
 
-#include "bignum.h"
+#include "rsa.h"
+#include "rsa-internal.h"
+#include "gmp-glue.h"
 
 void
 rsa_private_key_init(struct rsa_private_key *key)
@@ -90,6 +92,8 @@ rsa_private_key_prepare(struct rsa_private_key *key)
   return (key->size > 0);
 }
 
+#if NETTLE_USE_MINI_GMP
+
 /* Computing an rsa root. */
 void
 rsa_compute_root(const struct rsa_private_key *key,
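Review bot: Nothing at the new `#if NETTLE_USE_MINI_GMP` guard says that the implementation it keeps for mini-gmp builds is the older mpz-based one rather than the side-channel safe variant named in the commit title. A comment on the guard would make that visible to anyone auditing a mini-gmp build, for example `/* mini-gmp build: mpz-based root computation, does not use _rsa_sec_compute_root. */`. The body of this `rsa_compute_root` lies outside the hunk, so the reason the safe variant is not used with mini-gmp cannot be seen here and would be worth stating in the same comment.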
@@ -148,3 +152,35 @@ rsa_compute_root(const struct rsa_private_key *key,
 
   mpz_clear(xp); mpz_clear(xq);
 }
+
+#else /* !NETTLE_USE_MINI_GMP */
+
+/* Computing an rsa root. */
+void
+rsa_compute_root(const struct rsa_private_key *key,
+		 mpz_t x, const mpz_t m)
+{
+  TMP_GMP_DECL (scratch, mp_limb_t);
+  TMP_GMP_DECL (ml, mp_limb_t);
+  mp_limb_t *xl;
+  size_t key_size;
+
+  key_size = NETTLE_OCTET_SIZE_TO_LIMB_SIZE(key->size);
+  assert(mpz_size (m) <= key_size);
+
+  /* we need a copy because m can be shorter than key_size,
+   * but _rsa_sec_compute_root expect all inputs to be
+   * normalized to a key_size long buffer length */
+  TMP_GMP_ALLOC (ml, key_size);
+  mpz_limbs_copy(ml, m, key_size);
+
+  TMP_GMP_ALLOC (scratch, _rsa_sec_compute_root_itch(key));
+
+  xl = mpz_limbs_write (x, key_size);
+  _rsa_sec_compute_root (key, xl, ml, scratch);
+  mpz_limbs_finish (x, key_size);
+
+  TMP_GMP_FREE (ml);
+  TMP_GMP_FREE (scratch);
+}
+#endif /* !NETTLE_USE_MINI_GMP */
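Review bot: The only guard on the size of `m` in the new `rsa_compute_root` is `assert(mpz_size (m) <= key_size);`, which is compiled out under NDEBUG. In such a build an oversized `m` would reach `mpz_limbs_copy(ml, m, key_size)` with a `key_size`-limb buffer, and whether that helper bounds the copy itself is not visible here. The function returns void and cannot report an error, so the header comment should at least state the precondition, e.g. `/* Computing an rsa root, side-channel silent. m must fit in key->size octets. */`. Separately, `ml` and `scratch` hold the input and presumably key-dependent intermediates, and they are released with `TMP_GMP_FREE` without being cleared first. If that macro does not wipe the memory, zeroing both buffers before freeing would avoid leaving those values on the heap.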
-- 
GitLab