rsa: Constant time decryption
The current MPI code is not constant time, potentially leaking plaintext when the attacker can observe enough decipher operations using RSA PKCS#1.5. This is described as a Marvin Attack.
This change set consists of several steps:
- Blinding removal is changed to use constant time MPI operations (multiplication and modulo). This is the first step that operates on the plaintext and that could leak some information.
- The conversion of the MPI to string using gcry_mpi_print() is not constant time and implicitly strips leading zeroes, technically leaking plaintext. The OAEP use of gcry_mpi_print() is slightly better, but still not constant time, as the leading zeroes are dropped and then restored.
- The last step, conversion of the plaintext to the S-expression, leaks the message length too, which was changed to operate on a fixed-length buffer.
Edited by Jakub Jelen
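The two leaks named above (a serialisation that drops leading zero bytes, and an unpadding step whose control flow and copy length follow the plaintext) and the fixed-length-buffer fix can be shown side by side. The following is an added example written for this page; it is not libgcrypt code and not part of this change set. It assumes 32-bit little-endian limbs, a modulus length k that is a multiple of 4, and hypothetical function names (mpi_to_fixed_be, naive_unpad, ct_unpad, make_em and the demo_* helpers); the 32-byte encoded message is constructed inline.

```c
/* Added example, not libgcrypt code. Assumes 32-bit little-endian limbs and a
 * k-byte modulus with k a multiple of 4; all names here are hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Branch-free masks: 0xFFFFFFFF for true, 0 for false. */
static uint32_t ct_is_zero32(uint32_t x) { return 0u - (uint32_t)(((uint64_t)x - 1) >> 63); }
static uint32_t ct_eq32(uint32_t a, uint32_t b) { return ct_is_zero32(a ^ b); }
static uint32_t ct_lt32(uint32_t a, uint32_t b) { return 0u - ((a - b) >> 31); } /* a, b < 2^31 */
static uint32_t ct_select32(uint32_t m, uint32_t a, uint32_t b) { return (a & m) | (b & ~m); }

/* Serialise an integer held in k/4 limbs as exactly k big-endian bytes. Unlike a
 * gcry_mpi_print()-style routine, leading zero bytes are emitted and every byte is
 * produced by the same operations whatever the value is. */
static void mpi_to_fixed_be(const uint32_t *limbs, uint8_t *out, size_t k) {
    for (size_t i = 0; i < k; i++) {
        size_t b = k - 1 - i;                       /* byte position, 0 = least significant */
        out[i] = (uint8_t)(limbs[b / 4] >> (8 * (b % 4)));
    }
}

/* Variable-time PKCS#1 v1.5 type-2 unpadding: early returns and a copy whose length
 * follows the plaintext. This is what a Marvin-style attacker measures. */
static int naive_unpad(const uint8_t *em, size_t k, uint8_t *out, size_t *mlen) {
    if (em[0] != 0x00 || em[1] != 0x02) return 0;
    size_t i = 2;
    while (i < k && em[i] != 0x00) i++;             /* stops at the separator */
    if (i == k || i < 10) return 0;                 /* no separator, or PS shorter than 8 */
    *mlen = k - i - 1;
    memcpy(out, em + i + 1, *mlen);                 /* copy length depends on the secret */
    return 1;
}

/* Constant-time unpadding over the fixed-length buffer em[0..k). out receives k - 11
 * bytes: the message followed by zeros. Loop bounds, addresses touched and the return
 * path are independent of the contents of em; only the masked data differs. */
static int ct_unpad(const uint8_t *em, size_t k, uint8_t *out, size_t *mlen) {
    uint32_t good = ct_eq32(em[0], 0x00) & ct_eq32(em[1], 0x02);
    uint32_t found = 0, zero_index = 0;
    for (uint32_t i = 2; i < k; i++) {              /* scan everything, keep first 0x00 */
        uint32_t is_zero = ct_is_zero32(em[i]);
        zero_index = ct_select32(~found & is_zero, i, zero_index);
        found |= is_zero;
    }
    good &= found;
    good &= ~ct_lt32(zero_index, 10);               /* PS must be at least 8 bytes long */
    uint32_t msg_index = zero_index + 1;            /* >= 11 whenever good is set */
    uint32_t len = (uint32_t)k - msg_index;         /* meaningless if !good, never branched on */
    for (uint32_t j = 0; j < k - 11; j++) {         /* masked gather: out[j] = em[msg_index + j] */
        uint8_t acc = 0;
        for (uint32_t i = 11; i < k; i++)
            acc |= em[i] & (uint8_t)ct_eq32(i, msg_index + j);
        out[j] = acc & (uint8_t)good;
    }
    *mlen = ct_select32(good, len, 0);
    return (int)(good & 1);
}

/* Constructed 32-byte input: 00 02 | 27 non-zero bytes | 00 | "hi". */
static void make_em(uint8_t em[32]) {
    memset(em, 0xA5, 32);
    em[0] = 0x00; em[1] = 0x02; em[29] = 0x00; em[30] = 'h'; em[31] = 'i';
}

/* Returns the recovered length (2) if ct_unpad extracts "hi" and zero-fills the rest. */
static int demo_ct_unpad(void) {
    uint8_t em[32], out[21]; size_t mlen = 0;
    make_em(em);
    if (!ct_unpad(em, 32, out, &mlen)) return -1;
    if (out[0] != 'h' || out[1] != 'i') return -2;
    for (size_t j = 2; j < 21; j++) if (out[j] != 0) return -3;
    return (int)mlen;
}

/* A wrong block type is rejected (0) and the reported length is 0, on the same path. */
static int demo_ct_unpad_bad_type(void) {
    uint8_t em[32], out[21]; size_t mlen = 99;
    make_em(em); em[1] = 0x01;
    return ct_unpad(em, 32, out, &mlen) | (int)mlen;
}

/* Small value 0x6869 in a 32-byte field: the 30 leading zero bytes must be kept. */
static int demo_leading_zeros(void) {
    uint32_t limbs[8] = { 0x00006869u };
    uint8_t out[32]; int zeros = 0;
    mpi_to_fixed_be(limbs, out, 32);
    while (zeros < 32 && out[zeros] == 0) zeros++;
    return (out[30] == 0x68 && out[31] == 0x69) ? zeros : -1;
}

int main(void) {
    uint8_t em[32], out[21]; size_t mlen = 0;
    make_em(em);
    int ok = naive_unpad(em, 32, out, &mlen);
    printf("naive: valid=%d len=%zu\n", ok, mlen);
    printf("ct: len=%d bad-type=%d leading-zeros=%d\n",
           demo_ct_unpad(), demo_ct_unpad_bad_type(), demo_leading_zeros());
    return 0;
}
```

The masked gather in ct_unpad is quadratic in k, which is fine for a 2048-bit modulus but not the only option; a constant-time rotation of the tail of em by (msg_index - 11) positions does the same job in O(k log k). Either way the property that matters is the one the change set describes: the output buffer is always k - 11 bytes, the separator search never exits early, and no memory address depends on where the message starts.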