ni...@lysator.liu.se (Niels Möller) writes:

> Daiki Ueno <u...@gnu.org> writes:
>
>> This series of patches implements the RSA-PSS signature scheme, as
>> specified in RFC 3447. To keep the interface minimal but to allow TLS
>> 1.3 implementations on top of this, only SHA256/384/512 variants are
>> provided.
>
> Thanks! Sorry I've been a bit offline and not able to comment earlier.
No problem, thank you for the thorough review. I will send an update of
the patches reflecting the comments.

>> The prototypes of the top-level functions are as follows:
>>
>> int
>> rsa_pss_shaXXX_sign_digest_tr(const struct rsa_public_key *pub,
>>                               const struct rsa_private_key *key,
>>                               void *random_ctx, nettle_random_func *random,
>>                               size_t salt_length, const uint8_t *salt,
>>                               const uint8_t *digest,
>>                               mpz_t s);
>
> Are you confident all pieces are side-channel silent, as indicated by
> the _tr suffix?

Yes, I think so, at least for the PSS encoding functions, as long as all
underlying constructs (hashes, memxor, etc) are side-channel silent.

> It's possible to do some testing of that using valgrind; that's not
> done as thoroughly as I'd like, but one example is in
> testsuite/memeql-test.c.

Thank you for the tip. I have added similar client requests for SALT and
DIGEST in pss-test.c, and confirmed that valgrind didn't report any
"... depends on uninitialized value(s)" error.

Regards,
-- 
Daiki Ueno
_______________________________________________
nettle-bugs mailing list
nettle-bugs@lists.lysator.liu.se
http://lists.lysator.liu.se/mailman/listinfo/nettle-bugs
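The valgrind technique the thread refers to, as an added example that is not Nettle's own memeql-test.c or pss-test.c code: secret inputs are marked undefined with memcheck client requests, the function under test is run, and memcheck reports any conditional jump that depends on those bytes. The function names (memeql_ct, memeql_leaky, check_under_memcheck, selftest) and the sample salt/digest bytes are constructed for illustration; when valgrind's headers are not installed the client requests fall back to no-ops so the program still builds and runs, but then only the functional checks apply.

```c
/* Added example, not Nettle's code: exercising a constant-time comparison
   under valgrind memcheck client requests, in the style the thread refers
   to (testsuite/memeql-test.c).  Function names and sample data are
   constructed for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Use the real client requests when valgrind's headers are available;
   otherwise fall back to no-ops so the program still builds and runs
   (functional checks only, no side-channel tracking). */
#if defined(__has_include)
#  if __has_include(<valgrind/memcheck.h>)
#    include <valgrind/memcheck.h>
#    define HAVE_MEMCHECK 1
#  endif
#endif
#ifndef HAVE_MEMCHECK
#  define VALGRIND_MAKE_MEM_UNDEFINED(addr, len) ((void)0)
#  define VALGRIND_MAKE_MEM_DEFINED(addr, len)   ((void)0)
#  define RUNNING_ON_VALGRIND 0
#endif

#define MAX_LEN 64

/* Constant-time equality: accumulates XOR differences with OR and folds
   the result to 0/1 arithmetically, so no branch depends on the data.
   Returns 1 if the n bytes are equal, 0 otherwise. */
int memeql_ct(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    /* For any nonzero byte x, (x | -x) has bit 7 set; for zero it is 0. */
    return 1 - (int)(((diff | (uint8_t)(-diff)) >> 7) & 1);
}

/* Early-exit comparison: the branch on a[i] != b[i] depends on the data.
   Kept only as the contrast case that memcheck is expected to flag. */
int memeql_leaky(const uint8_t *a, const uint8_t *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (a[i] != b[i])
            return 0;
    return 1;
}

/* Run cmp() with the secret operand marked as undefined memory.  Under
   valgrind, any conditional jump on those bytes is reported as
   "Conditional jump or move depends on uninitialised value(s)".  The
   result is re-marked defined so the caller may branch on it legitimately.
   Returns -1 if n exceeds the scratch buffer. */
int check_under_memcheck(int (*cmp)(const uint8_t *, const uint8_t *, size_t),
                         const uint8_t *secret, const uint8_t *guess, size_t n)
{
    uint8_t copy[MAX_LEN];
    int r;
    if (n > sizeof copy)
        return -1;
    memcpy(copy, secret, n);
    VALGRIND_MAKE_MEM_UNDEFINED(copy, n);
    r = cmp(copy, guess, n);
    VALGRIND_MAKE_MEM_DEFINED(&r, sizeof r);
    return r;
}

/* Functional self-test on constructed 32-byte "salt" values.
   Returns 0 when memeql_ct gives the expected answers. */
int selftest(void)
{
    uint8_t salt[32], same[32], other[32];
    for (size_t i = 0; i < sizeof salt; i++)
        salt[i] = same[i] = other[i] = (uint8_t)(i * 37 + 11);
    other[31] ^= 0x01;  /* differ in the last byte only */

    if (check_under_memcheck(memeql_ct, salt, same, sizeof salt) != 1)
        return 1;
    if (check_under_memcheck(memeql_ct, salt, other, sizeof salt) != 0)
        return 2;
    if (check_under_memcheck(memeql_ct, salt, same, MAX_LEN + 1) != -1)
        return 3;
    return 0;
}

int main(void)
{
    uint8_t digest[32], guess[32];  /* constructed sample values */
    memset(digest, 0xA5, sizeof digest);
    memset(guess, 0xA5, sizeof guess);
    guess[0] = 0x00;

    printf("selftest: %s\n", selftest() == 0 ? "ok" : "FAILED");
    printf("under valgrind: %s\n", RUNNING_ON_VALGRIND ? "yes" : "no");
    /* Only memeql_leaky should draw a memcheck report here. */
    printf("ct:    %d\n", check_under_memcheck(memeql_ct, digest, guess, sizeof digest));
    printf("leaky: %d\n", check_under_memcheck(memeql_leaky, digest, guess, sizeof digest));
    return selftest();
}
```

Build with the valgrind headers present and run the binary under `valgrind ./a.out`: the memeql_ct call produces no report, while the memeql_leaky call is flagged at its early-exit branch. Re-marking the result as defined is what keeps the test's own branch on the outcome from being counted as a leak.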