2018-11-28 Niels Möller <nisse@lysator.liu.se>
+ * testsuite/rsa-encrypt-test.c (test_main): Fix allocation of
+ decrypted storage. Update test of rsa_decrypt, to allow clobbering
+ of all of the passed in message area.
+
+ * pkcs1-decrypt.c (pkcs1_decrypt): Rewrite as a wrapper around
+ _pkcs1_sec_decrypt_variable. Improves side-channel silence of the
+ only caller, rsa_decrypt.
+
* Makefile.in (DISTFILES): Add rsa-internal.h, needed for make
dist. Patch from Simo Sorce.
#include "bignum.h"
#include "gmp-glue.h"
+#include "rsa-internal.h"
int
pkcs1_decrypt (size_t key_size,
size_t *length, uint8_t *message)
{
TMP_GMP_DECL(em, uint8_t);
- uint8_t *terminator;
- size_t padding;
- size_t message_length;
int ret;
TMP_GMP_ALLOC(em, key_size);
nettle_mpz_get_str_256(key_size, em, m);
- /* Check format */
- if (em[0] || em[1] != 2)
- {
- ret = 0;
- goto cleanup;
- }
-
- terminator = memchr(em + 2, 0, key_size - 2);
-
- if (!terminator)
- {
- ret = 0;
- goto cleanup;
- }
-
- padding = terminator - (em + 2);
- if (padding < 8)
- {
- ret = 0;
- goto cleanup;
- }
-
- message_length = key_size - 3 - padding;
-
- if (*length < message_length)
- {
- ret = 0;
- goto cleanup;
- }
-
- memcpy(message, terminator + 1, message_length);
- *length = message_length;
-
- ret = 1;
-cleanup:
+ ret = _pkcs1_sec_decrypt_variable (length, message, key_size, em);
+
TMP_GMP_FREE(em);
return ret;
}
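Review bot: The rewritten body hands `length` and `message` straight to `_pkcs1_sec_decrypt_variable` and drops the explicit `*length < message_length` rejection the old code made before its `memcpy`, so the only statement of the new contract is the ChangeLog's "allow clobbering of all of the passed in message area" — nothing at the call site tells a reader that the buffer may be written beyond the recovered plaintext, or what the minimum `*length` is. I would put that on the call: `/* May overwrite the whole message buffer, not just the recovered plaintext; the bounds check against *length happens inside _pkcs1_sec_decrypt_variable. */`, and if the helper really requires `*length >= key_size` (the updated test passes `decrypted_length = key.size` with a `key.size + 1` allocation), state that in the header comment of pkcs1_decrypt too. How the helper behaves for a shorter buffer is not visible in this hunk, so that needs confirming against its definition before the comment is worded as a hard requirement. Separately, `em` holds the raw decrypted block until `TMP_GMP_FREE`; whether that macro wipes the memory is not visible here, and if it does not, an explicit clear before the free would be a cheap addition.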
if (verbose)
fprintf(stderr, "msg: `%s', length = %d\n", msg, (int) msg_length);
+
+ ASSERT(msg_length <= key.size);
ASSERT(rsa_encrypt(&pub,
&lfib, (nettle_random_func *) knuth_lfib_random,
mpz_out_str(stderr, 10, gibberish);
}
- decrypted = xalloc(msg_length + 1);
+ decrypted = xalloc(key.size + 1);
knuth_lfib_random (&lfib, msg_length + 1, decrypted);
after = decrypted[msg_length];
ASSERT(MEMEQ(msg_length, msg, decrypted));
ASSERT(decrypted[msg_length] == after);
- knuth_lfib_random (&lfib, msg_length + 1, decrypted);
- after = decrypted[msg_length];
+ knuth_lfib_random (&lfib, key.size + 1, decrypted);
+ after = decrypted[key.size];
decrypted_length = key.size;
ASSERT(rsa_decrypt(&key, &decrypted_length, decrypted, gibberish));
ASSERT(decrypted_length == msg_length);
ASSERT(MEMEQ(msg_length, msg, decrypted));
- ASSERT(decrypted[msg_length] == after);
+ ASSERT(decrypted[key.size] == after);
knuth_lfib_random (&lfib, msg_length + 1, decrypted);
after = decrypted[msg_length];