Constant time/cache PKCS#1 RSA decryptiontmp-fix-CVE-2018-16868

This patch tries to make the code have the same time and memory access
aptterns across all branches of the decryption function so that timining
or cache side channels are minimized or neutralized.

To do so it uses a new nettle rsa decryption function that is
side-channel silent.

Signed-off-by: Simo Sorce <simo@redhat.com>

1 files changed, 12 insertions, 1 deletions

diff --git a/lib/includes/gnutls/abstract.h b/lib/includes/gnutls/abstract.h
index 5fa0fb99db..d69e30ca51 100644
--- a/lib/includes/gnutls/abstract.h
+++ b/lib/includes/gnutls/abstract.h
@@ -75,6 +75,12 @@ typedef int (*gnutls_privkey_decrypt_func) (gnutls_privkey_t key,
 					    const gnutls_datum_t *ciphertext,
 					    gnutls_datum_t * plaintext);
 
+typedef int (*gnutls_privkey_decrypt_func2) (gnutls_privkey_t key,
+					     void *userdata,
+					     const gnutls_datum_t *ciphertext,
+					     unsigned char * plaintext,
+					     size_t plaintext_size);
+
 /* to be called to sign pre-hashed data. The input will be
  * the output of the hash (such as SHA256) corresponding to
  * the signature algorithm. The algorithm GNUTLS_SIGN_RSA_RAW
@@ -542,12 +548,17 @@ int gnutls_privkey_sign_hash2(gnutls_privkey_t signer,
 			      const gnutls_datum_t * hash_data,
 			      gnutls_datum_t * signature);
 
-
 int gnutls_privkey_decrypt_data(gnutls_privkey_t key,
 				unsigned int flags,
 				const gnutls_datum_t * ciphertext,
 				gnutls_datum_t * plaintext);
 
+int gnutls_privkey_decrypt_data2(gnutls_privkey_t key,
+				 unsigned int flags,
+				 const gnutls_datum_t * ciphertext,
+				 unsigned char * plaintext,
+                                 size_t plaintext_size);
+
 int
 gnutls_privkey_export_rsa_raw(gnutls_privkey_t key,
 				    gnutls_datum_t * m, gnutls_datum_t * e,