Intended to silence warning from the clang static analyzer.

* rsa-sign-tr.c (sec_equal): Fix accidental use of C99 for loop.
Reported by Andreas Gustafsson.
* testsuite/rsa-sec-decrypt-test.c (test_main): Likewise.

Mention dependency on GMP-6, and RSA performance regression.

* testsuite/rsa-encrypt-test.c (test_main): Fix allocation of
decrypted storage. Update test of rsa_decrypt, to allow clobbering
of all of the passed in message area.

Patch from Simo Sorce.

Use new local helper functions, with their own itch functions.

Also renamed with leading underscore, and updated all callers.

Simo Sorce authored 6 years ago and Niels Möller committed 6 years ago

Signed-off-by: Simo Sorce <simo@redhat.com>

Simo Sorce authored 6 years ago and Niels Möller committed 6 years ago

Signed-off-by: Simo Sorce <simo@redhat.com>

Simo Sorce authored 6 years ago and Niels Möller committed 6 years ago

add a side-channel silent pkcs1 decoding function for use in older
APIs.

Signed-off-by: Simo Sorce <simo@redhat.com>

* testsuite/rsa-sec-decrypt-test.c (rsa_decrypt_for_test): Tweak
valgrind marking, and document potential leakage of lowest and
highest bits of p and q.

* rsa-sec-compute-root.c (_rsa_sec_compute_root): Avoid calls to
mpz_sizeinbase, since that potentially leaks most significant bits
of private key parameters a and b.

Simo Sorce authored 6 years ago and Niels Möller committed 6 years ago

Signed-off-by: Simo Sorce <simo@redhat.com>

Simo Sorce authored 6 years ago and Niels Möller committed 6 years ago

Use side-channel silent RSA root function as well as PKCS1 padding
functions.
This variant accepts only a fixed length message, and returns error
if the pkcs1 padding returns a different length message.
The buffer is always left unchanged on error so that a TLS
implementation can pre-initialize it with a random key to use on
decoding error.

Signed-off-by: Simo Sorce <simo@redhat.com>