On Sun, 2017-03-12 at 11:21 +0100, Niels Möller wrote:
The prototypes of the top-level functions are as follows:
int rsa_pss_shaXXX_sign_digest_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t salt_length, const uint8_t *salt, const uint8_t *digest, mpz_t s);
Are you confident all pieces are side-channel silent, as indicated by the _tr suffix? It's possible to do some testing of that using valgrind; that's not done as thoroughly as I'd like, but one example is in testsuite/memeql-test.c.
I think it would be quite an interesting experiment testing for RSA constant time (PSS or not). I do not believe that the current countermeasures would really make it constant time, though I've never tested it.
There are tools which can assist in that checking:
https://github.com/oreparaz/dudect
https://github.com/agl/ctgrind
regards, Nikos
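
The valgrind-based check mentioned in the thread, sketched as an added example (not code from this thread, from Nettle, or from ctgrind): secret bytes are marked undefined so memcheck flags any branch that depends on them. The names ct_memeql, leaky_memeql and run_poisoned are hypothetical, and the macros fall back to no-ops when valgrind/memcheck.h is not installed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#if defined(__has_include)
# if __has_include(<valgrind/memcheck.h>)
#  include <valgrind/memcheck.h>
# endif
#endif
#ifndef VALGRIND_MAKE_MEM_UNDEFINED  /* no valgrind headers: poisoning is a no-op */
# define VALGRIND_MAKE_MEM_UNDEFINED(p, n) 0
# define VALGRIND_MAKE_MEM_DEFINED(p, n) 0
#endif

typedef int cmp_fn(const uint8_t *a, const uint8_t *b, size_t n);

/* Constant-time: every byte is read and no branch depends on the data. */
int ct_memeql(const uint8_t *a, const uint8_t *b, size_t n)
{
    unsigned diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned)(a[i] ^ b[i]);
    return (int)(((diff - 1u) >> 8) & 1u);   /* 1 iff diff == 0 */
}

/* Leaky: the early exit branches on secret bytes. */
int leaky_memeql(const uint8_t *a, const uint8_t *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (a[i] != b[i]) return 0;
    return 1;
}

/* Poison a copy of the secret, compare, then declassify only the result. */
int run_poisoned(cmp_fn *cmp, const uint8_t *secret, const uint8_t *guess, size_t n)
{
    uint8_t tmp[64];
    if (n > sizeof tmp) return -1;
    memcpy(tmp, secret, n);
    (void)VALGRIND_MAKE_MEM_UNDEFINED(tmp, n);      /* secret is now "undefined" */
    int r = cmp(tmp, guess, n);
    (void)VALGRIND_MAKE_MEM_DEFINED(&r, sizeof r);  /* the verdict is public */
    return r;
}

int main(void)
{
    const uint8_t s[4] = {0xde, 0xad, 0xbe, 0xef}, g[4] = {0xde, 0xad, 0, 0}; /* constructed */
    return run_poisoned(ct_memeql, s, g, 4) | run_poisoned(leaky_memeql, s, g, 4);
}
```

Run the compiled binary under valgrind: memcheck should report "Conditional jump or move depends on uninitialised value(s)" inside leaky_memeql and nothing for ct_memeql. The check applies to the binary as compiled, so repeat it at each optimization level you ship.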