nisse@lysator.liu.se (Niels Möller) writes:

> Daiki Ueno <ueno@gnu.org> writes:
>
>> This series of patches implements the RSA-PSS signature scheme, as specified in RFC 3447. To keep the interface minimal but to allow TLS 1.3 implementations on top of this, only SHA256/384/512 variants are provided.
>
> Thanks! Sorry I've been a bit offline and not able to comment earlier.

No problem, thank you for the thorough review. I will send an update of the patches reflecting the comments.

>> The prototypes of the top-level functions are as follows:
>>
>>   int
>>   rsa_pss_shaXXX_sign_digest_tr(const struct rsa_public_key *pub,
>>                                 const struct rsa_private_key *key,
>>                                 void *random_ctx, nettle_random_func *random,
>>                                 size_t salt_length, const uint8_t *salt,
>>                                 const uint8_t *digest,
>>                                 mpz_t s);
>
> Are you confident all pieces are side-channel silent, as indicated by the _tr suffix?

Yes, I think so, at least for the PSS encoding functions, as long as all underlying constructs (hashes, memxor, etc) are side-channel silent.

> It's possible to do some testing of that using valgrind; that's not done as thoroughly as I'd like, but one example is in testsuite/memeql-test.c.

Thank you for the tip. I have added similar client requests for SALT and DIGEST in pss-test.c, and confirmed that valgrind didn't report any "... depends on uninitialized value(s)" error.
Regards,
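For readers following the thread, here is an added example of the EMSA-PSS encoding and verification steps from RFC 3447 section 9.1 that a `sign_digest`-style interface wraps. It is not code from the patches or from Nettle; it uses Python's `hashlib` SHA-256 in place of Nettle's hash, takes the message hash and salt as separate inputs like the prototype above (`digest`, `salt` and its length), and assumes the RFC convention that `em_bits` is one less than the modulus size. The encode side, which handles the signer's secret salt and the digest, branches only on lengths; the verify side works on the public encoded message, so its early returns are harmless.

```python
"""EMSA-PSS encode/verify (RFC 3447 section 9.1) with SHA-256 and MGF1.

Added example; not code from the Nettle patches discussed in the thread.
The caller supplies the already-computed message hash (digest) and the salt,
as in the sign_digest interface, and receives the encoded message EM to
which the RSA private-key operation would then be applied.
"""
import hashlib
import hmac

HASH = hashlib.sha256
H_LEN = HASH().digest_size  # 32 for SHA-256


def mgf1(seed: bytes, mask_len: int) -> bytes:
    """MGF1 (RFC 3447 appendix B.2.1): concatenated SHA-256(seed || counter)."""
    out = b""
    counter = 0
    while len(out) < mask_len:
        out += HASH(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:mask_len]


def emsa_pss_encode(digest: bytes, salt: bytes, em_bits: int) -> bytes:
    """EMSA-PSS-ENCODE (RFC 3447 section 9.1.1), mHash given as `digest`.

    em_bits is modBits - 1 for an RSA modulus of modBits bits.  Apart from
    the length checks, nothing here branches on the bytes of salt or digest.
    """
    if len(digest) != H_LEN:
        raise ValueError("digest length does not match the hash")
    em_len = (em_bits + 7) // 8
    s_len = len(salt)
    if em_len < H_LEN + s_len + 2:
        raise ValueError("encoding error: modulus too small for this salt")
    # H = Hash(0x00*8 || mHash || salt)
    h = HASH(b"\x00" * 8 + digest + salt).digest()
    # DB = PS || 0x01 || salt, with PS all zero
    db = b"\x00" * (em_len - s_len - H_LEN - 2) + b"\x01" + salt
    db_mask = mgf1(h, em_len - H_LEN - 1)
    masked_db = bytearray(a ^ b for a, b in zip(db, db_mask))
    # clear the leftmost 8*emLen - emBits bits of the first octet
    masked_db[0] &= 0xFF >> (8 * em_len - em_bits)
    return bytes(masked_db) + h + b"\xbc"


def emsa_pss_verify(digest: bytes, em: bytes, em_bits: int, s_len: int) -> bool:
    """EMSA-PSS-VERIFY (RFC 3447 section 9.1.2).

    EM is public here (it is recovered from the signature with the public
    key), so the early returns below leak nothing secret.
    """
    if len(digest) != H_LEN:
        return False
    em_len = (em_bits + 7) // 8
    if len(em) != em_len or em_len < H_LEN + s_len + 2:
        return False
    if em[-1] != 0xBC:
        return False
    masked_db = em[: em_len - H_LEN - 1]
    h = em[em_len - H_LEN - 1 : em_len - 1]
    clear = 8 * em_len - em_bits
    if masked_db[0] & ((0xFF << (8 - clear)) & 0xFF):
        return False  # leftmost cleared bits must still be zero
    db = bytearray(a ^ b for a, b in zip(masked_db, mgf1(h, em_len - H_LEN - 1)))
    db[0] &= 0xFF >> clear
    pad_len = em_len - H_LEN - s_len - 2
    if any(db[:pad_len]) or db[pad_len] != 0x01:
        return False  # PS not all zero, or separator missing
    salt = bytes(db[pad_len + 1 :])
    h_prime = HASH(b"\x00" * 8 + digest + salt).digest()
    return hmac.compare_digest(h, h_prime)


def roundtrip(message: bytes, salt: bytes, em_bits: int = 1023) -> bool:
    """Hash a message, encode it with the given salt and verify the result."""
    digest = HASH(message).digest()
    em = emsa_pss_encode(digest, salt, em_bits)
    return emsa_pss_verify(digest, em, em_bits, len(salt))


if __name__ == "__main__":
    # constructed sample inputs: a 1024-bit modulus (em_bits = 1023), 32-byte salt
    print(roundtrip(b"constructed message", bytes(range(32))))
```

The salt length is an explicit input to verification, matching the `salt_length` parameter in the prototype: a verifier that is handed the wrong length rejects an otherwise valid encoding because the zero padding and the 0x01 separator land in the wrong place.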