On Wed, Aug 3, 2016 at 10:53 AM, Niels Möller nisse@lysator.liu.se wrote:
I guess one can add some workaround for applications, in particular gnutls, which don't use _prepare. But please fix that before you make the next release.
My main concern is that rsa_private_key_prepare() multiplies q and p, and for gnutls it is a temporary object, i.e., constructed on the fly from the internal format for keys that gnutls uses. Switching to this function would mean an additional multiplication per RSA operation. The equivalent public key function is fine to use.
That said, I have already replaced the manual setting of size with a call to the prepare functions, but I'd prefer the prepare functions to come at no significant cost (especially since when calling prepare I already know the size of n).
Do you think it is sufficient for gnutls to add an extra check that p and q are odd in nettle's rsa_compute_root? (Used also by rsa_compute_root_tr).
It makes sense for sanity check reasons as well (detect broken keys early rather than late).
regards, Nikos
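
The check discussed in this message, sketched as an added example (not code from nettle or gnutls, and not part of the original e-mail): a toy CRT root computation that rejects a key with an even p or q before doing any arithmetic. The struct, the function names and the word-sized sample key are assumptions made for the illustration; real keys are multi-precision.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical toy key, NOT nettle's struct rsa_private_key: word-sized
   primes (below 2^32) so the example needs no bignum library. */
struct toy_rsa_key {
  uint64_t p, q;  /* the two primes */
  uint64_t a, b;  /* d mod (p-1), d mod (q-1) */
  uint64_t c;     /* q^-1 mod p */
};

/* Valid for m < 2^32, so the product fits in 64 bits. */
static uint64_t mulmod(uint64_t x, uint64_t y, uint64_t m) {
  return (x % m) * (y % m) % m;
}

static uint64_t powmod(uint64_t base, uint64_t exp, uint64_t m) {
  uint64_t r = 1 % m;
  for (base %= m; exp; exp >>= 1) {
    if (exp & 1)
      r = mulmod(r, base, m);
    base = mulmod(base, base, m);
  }
  return r;
}

/* CRT root of m. Returns 1 and stores the result in *x, or returns 0
   without touching *x when the key fails the sanity check. */
int toy_rsa_compute_root(const struct toy_rsa_key *key, uint64_t m, uint64_t *x) {
  /* Reject keys with an even p or q before any exponentiation. */
  if (!(key->p & 1) || !(key->q & 1))
    return 0;

  uint64_t xp = powmod(m, key->a, key->p);
  uint64_t xq = powmod(m, key->b, key->q);
  /* Garner recombination: x = xq + q * (c * (xp - xq) mod p) */
  uint64_t h = mulmod(key->c, xp + key->p - xq % key->p, key->p);
  *x = xq + key->q * h;
  return 1;
}

int main(void) {
  /* Constructed sample key: p = 61, q = 53, e = 17, d = 2753. */
  struct toy_rsa_key key = { 61, 53, 53, 49, 38 };
  uint64_t x = 0;
  int ok = toy_rsa_compute_root(&key, 2790, &x);
  printf("ok=%d root=%llu\n", ok, (unsigned long long) x);
  return 0;
}
```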