author | lloyd <[email protected]> | 2010-03-09 02:39:31 +0000 |
---|---|---|
committer | lloyd <[email protected]> | 2010-03-09 02:39:31 +0000 |
commit | 4a9afbb99bb73e43bcb3a30379d6a2dd59dae76a (patch) | |
tree | 4f7a362be278ed63828afeae56444afcbf0b2dac /src/pubkey/rsa/rsa.cpp | |
parent | a4df64935b788e541206547d5d85665c191e2f5f (diff) |
Deconstify PK_Ops. It's quite reasonable that some op will want to
precompute only as needed, or will want to access some other expensive
resource or etc.
Change how the secret for generating blinding is done in cases where a
PRNG isn't available. Use the operation's public op to hide the secret,
for instance the seed for a DH blinding variable is 2^x mod p.
Make use of being able to mutate internal structures in the RW signer,
since that does have access to a PRNG, so use it to initialize the
blinder on first call to sign().
Diffstat (limited to 'src/pubkey/rsa/rsa.cpp')
-rw-r--r-- | src/pubkey/rsa/rsa.cpp | 11 |
1 files changed, 8 insertions, 3 deletions
diff --git a/src/pubkey/rsa/rsa.cpp b/src/pubkey/rsa/rsa.cpp
index 5047fdf7a..b278ade52 100644
--- a/src/pubkey/rsa/rsa.cpp
+++ b/src/pubkey/rsa/rsa.cpp
@@ -80,7 +80,7 @@ RSA_Private_Operation::RSA_Private_Operation(const RSA_PrivateKey& rsa) :
    powermod_d2_q(rsa.get_d2(), rsa.get_q()),
    mod_p(rsa.get_p())
    {
-   BigInt k = Blinder::choose_nonce(rsa.get_d(), n);
+   BigInt k = Blinder::choose_nonce(powermod_e_n(q), n);
    blinder = Blinder(powermod_e_n(k), inverse_mod(k, n), n);
    }
 
@@ -99,8 +99,13 @@ BigInt RSA_Private_Operation::private_op(const BigInt& m) const
 
 SecureVector<byte>
 RSA_Private_Operation::sign(const byte msg[], u32bit msg_len,
-                            RandomNumberGenerator&) const
+                            RandomNumberGenerator& rng)
    {
+   /* We don't check signatures against powermod_e_n here because
+      PK_Signer checks verification consistency for all signature
+      algorithms.
+   */
+
    BigInt m(msg, msg_len);
    BigInt x = blinder.unblind(private_op(blinder.blind(m)));
    return BigInt::encode_1363(x, n.bytes());
@@ -110,7 +115,7 @@ RSA_Private_Operation::sign(const byte msg[], u32bit msg_len,
 * RSA Decryption Operation
 */
 SecureVector<byte>
-RSA_Private_Operation::decrypt(const byte msg[], u32bit msg_len) const
+RSA_Private_Operation::decrypt(const byte msg[], u32bit msg_len)
    {
    BigInt m(msg, msg_len);
    BigInt x = blinder.unblind(private_op(blinder.blind(m)));
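Review bot: The seed handed to Blinder::choose_nonce on the added line, `powermod_e_n(q)`, is q^e mod n, and because q divides n that residue is itself a multiple of q, so gcd(q^e mod n, n) recovers the prime outright — the seed is exactly as sensitive as the private key, not merely a derived nonce (assuming the member `q` is the RSA prime, as the `rsa.get_q()` in the initializer list suggests). Blinder::choose_nonce is not in the hunk, so whether it hashes or otherwise one-ways the seed before `k` is formed cannot be confirmed here; if it does not, `k` and the `powermod_e_n(k)` blinding value must be handled as key material too. The seed is also a fixed function of the key, so every RSA_Private_Operation built from the same key starts from the same blinding factor, which the commit message accepts for the no-PRNG case but which deserves a comment at the call site, e.g. `// q^e mod n is a multiple of q (as secret as the key) and deterministic per key; re-seed from an RNG where one is available`. The constructor's initializer list starts before the hunk.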
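Review bot: `rng` is now a named parameter of sign() and the method has dropped its const, but none of the visible statements (`BigInt m(msg, msg_len)`, the blind/private_op/unblind line, the return) use it, so the blinder still runs on the deterministic key-derived seed chosen in the constructor rather than on fresh randomness; the commit message says the RW signer uses its rng to initialise the blinder on the first sign() call, and the same could be done here now that the method may mutate state. If the parameter is meant to stay unused for now, leaving it unnamed as before (`RandomNumberGenerator&)`) avoids an unused-parameter warning and makes that intent explicit. The new comment says where the verification check lives but not why it matters; extending it with `(returning an unverified, faulted CRT result can leak the private key)` records the threat the consistency check guards against. sign()'s closing brace lies beyond the hunk.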