+2023-11-22 Niels Möller <nisse@lysator.liu.se>
+
+ Revert part of the 2023-08-05 change.
+ * rsa-sec-decrypt.c (rsa_sec_decrypt): Merge with
+ _rsa_sec_decrypt, including input range check.
+ (_rsa_sec_decrypt): Deleted.
+ * rsa-internal.h (_rsa_sec_decrypt): Delete declaration.
+ * testsuite/rsa-sec-decrypt-test.c (rsa_decrypt_for_test): Always
+ call rsa_sec_decrypt, but don't annotate the ciphertext input as
+ undefined/secret.
+
2023-11-15 Niels Möller <nisse@lysator.liu.se>
* ecc-mod-arith.c (ecc_mod_addmul_1): Use assert_maybe.
#define _rsa_sec_compute_root_itch _nettle_rsa_sec_compute_root_itch
#define _rsa_sec_compute_root _nettle_rsa_sec_compute_root
#define _rsa_sec_compute_root_tr _nettle_rsa_sec_compute_root_tr
-#define _rsa_sec_decrypt _nettle_rsa_sec_decrypt
/* Internal functions. */
int
void *random_ctx, nettle_random_func *random,
mp_limb_t *x, const mp_limb_t *m);
-/* Variant without range check of the input, to ease testing for
- side-channel silence. */
-int
-_rsa_sec_decrypt (const struct rsa_public_key *pub,
- const struct rsa_private_key *key,
- void *random_ctx, nettle_random_func *random,
- size_t length, uint8_t *message,
- const mpz_t gibberish);
-
#endif /* NETTLE_RSA_INTERNAL_H_INCLUDED */
#include "gmp-glue.h"
-/* Variant without range check of the input, to ease testing for
- side-channel silence. */
int
-_rsa_sec_decrypt (const struct rsa_public_key *pub,
- const struct rsa_private_key *key,
- void *random_ctx, nettle_random_func *random,
- size_t length, uint8_t *message,
- const mpz_t gibberish)
+rsa_sec_decrypt(const struct rsa_public_key *pub,
+ const struct rsa_private_key *key,
+ void *random_ctx, nettle_random_func *random,
+ size_t length, uint8_t *message,
+ const mpz_t gibberish)
{
TMP_GMP_DECL (m, mp_limb_t);
TMP_GMP_DECL (em, uint8_t);
int res;
+ /* First check that input is in range. */
+ if (mpz_sgn (gibberish) < 0 || mpz_cmp (gibberish, pub->n) >= 0)
+ return 0;
+
TMP_GMP_ALLOC (m, mpz_size(pub->n));
TMP_GMP_ALLOC (em, key->size);
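Review bot: The added range check in rsa_sec_decrypt is a data-dependent branch on gibberish, and the comment above it should say why that is acceptable in a function whose purpose is side-channel silence: the ciphertext is public input, so the branch reveals nothing about the key, and the testsuite change in this same commit (the removed MARK_MPZ_LIMBS_UNDEFINED/DEFINED lines for gibberish) relies on exactly that. I would extend the comment to `/* First check that input is in range. The ciphertext is public, so branching on it leaks no key material; the test suite deliberately leaves gibberish marked defined. */`. It is also worth stating in that comment that on the early `return 0` nothing has been written to message yet, since the rest of the function (outside this hunk) fills it. The function body continues past the end of the hunk.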
return res;
}
-int
-rsa_sec_decrypt (const struct rsa_public_key *pub,
- const struct rsa_private_key *key,
- void *random_ctx, nettle_random_func *random,
- size_t length, uint8_t *message,
- const mpz_t gibberish)
-{
- /* First check that input is in range. */
- if (mpz_sgn (gibberish) < 0 || mpz_cmp (gibberish, pub->n) >= 0)
- return 0;
-
- return _rsa_sec_decrypt (pub, key, random_ctx, random, length, message, gibberish);
-}
#include "testutils.h"
#include "rsa.h"
-#include "rsa-internal.h"
#include "knuth-lfib.h"
#define MARK_MPZ_LIMBS_UNDEFINED(x) \
const mpz_t gibberish)
{
int ret;
- if (!test_side_channel)
- return rsa_sec_decrypt (pub, key, random_ctx, random, length, message, gibberish);
/* Makes valgrind trigger on any branches depending on the input
data. Except that (i) we have to allow rsa_sec_compute_root_tr to
mpn_sec_powm may leak information about the least significant
bits of p and q, due to table lookup in binvert_limb. */
mark_bytes_undefined (length, message);
- MARK_MPZ_LIMBS_UNDEFINED(gibberish);
MARK_MPZ_LIMBS_UNDEFINED(key->a);
MARK_MPZ_LIMBS_UNDEFINED(key->b);
MARK_MPZ_LIMBS_UNDEFINED(key->c);
mark_bytes_undefined((mpz_size (key->q) - 3) * sizeof(mp_limb_t),
mpz_limbs_read (key->q) + 1);
- /* Call variant not checking that 0 <= gibberish < n. */
- ret = _rsa_sec_decrypt (pub, key, random_ctx, random, length, message, gibberish);
+ ret = rsa_sec_decrypt (pub, key, random_ctx, random, length, message, gibberish);
mark_bytes_defined (length, message);
mark_bytes_defined (sizeof(ret), &ret);
- MARK_MPZ_LIMBS_DEFINED(gibberish);
MARK_MPZ_LIMBS_DEFINED(key->a);
MARK_MPZ_LIMBS_DEFINED(key->b);
MARK_MPZ_LIMBS_DEFINED(key->c);