From 44dfebd37113657e0f7ee39eb6af6c418f63bebe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se>
Date: Sun, 15 Nov 2015 21:23:42 +0100
Subject: Use rsa_compute_root_tr also in rsa_decrypt_tr.

---
 ChangeLog                    |  7 +++++++
 rsa-decrypt-tr.c             | 10 +++-------
 testsuite/rsa-encrypt-test.c |  7 +++++++
 3 files changed, 17 insertions(+), 7 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 5c45072f..2ff02f5c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,12 @@
 2015-09-14  Niels Möller  <nisse@lysator.liu.se>
 
+	* rsa-decrypt-tr.c (rsa_decrypt_tr): Use rsa_compute_root_tr.
+	Mainly for simplicity and consistency, I'm not aware of any CRT
+	fault attacks on RSA decryption.
+
+	* testsuite/rsa-encrypt-test.c (test_main): Added test with
+	invalid private key.
+
 	* rsa-sign-tr.c (rsa_compute_root_tr): New file and function.
 	* rsa.h: Declare it.
 	* rsa-pkcs1-sign-tr.c (rsa_pkcs1_sign_tr): Use rsa_compute_root_tr.
diff --git a/rsa-decrypt-tr.c b/rsa-decrypt-tr.c
index e28bee79..e4fbc5fe 100644
--- a/rsa-decrypt-tr.c
+++ b/rsa-decrypt-tr.c
@@ -48,18 +48,14 @@ rsa_decrypt_tr(const struct rsa_public_key *pub,
 	       size_t *length, uint8_t *message,
 	       const mpz_t gibberish)
 {
-  mpz_t m, ri;
+  mpz_t m;
   int res;
 
   mpz_init_set(m, gibberish);
-  mpz_init (ri);
 
-  _rsa_blind (pub, random_ctx, random, m, ri);
-  rsa_compute_root(key, m, m);
-  _rsa_unblind (pub, m, ri);
-  mpz_clear (ri);
+  res = (rsa_compute_root_tr (pub, key, random_ctx, random, m, gibberish)
+	 && pkcs1_decrypt (key->size, m, length, message));
 
-  res = pkcs1_decrypt (key->size, m, length, message);
   mpz_clear(m);
   return res;
 }
diff --git a/testsuite/rsa-encrypt-test.c b/testsuite/rsa-encrypt-test.c
index 7104e24b..ecdbdb6b 100644
--- a/testsuite/rsa-encrypt-test.c
+++ b/testsuite/rsa-encrypt-test.c
@@ -78,6 +78,13 @@ test_main(void)
   ASSERT(MEMEQ(msg_length, msg, decrypted));
   ASSERT(decrypted[msg_length] == after);
 
+  /* Test invalid key. */
+  mpz_add_ui (key.q, key.q, 2);
+  decrypted_length = key.size;
+  ASSERT(!rsa_decrypt_tr(&pub, &key,
+			 &lfib, (nettle_random_func *) knuth_lfib_random,
+			 &decrypted_length, decrypted, gibberish));
+
   rsa_private_key_clear(&key);
   rsa_public_key_clear(&pub);
   mpz_clear(gibberish);
-- 
cgit v1.2.1