From 80152a229a353e31dfdffba23b94bb4057b5cc11 Mon Sep 17 00:00:00 2001
From: Stefan Berger
Date: Thu, 22 Oct 2020 15:47:39 -0400
Subject: [PATCH] tpm12: Add a note to RSA related to EVP conversion for constant-time

Signed-off-by: Stefan Berger
---
 src/tpm12/tpm_crypto.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/tpm12/tpm_crypto.c b/src/tpm12/tpm_crypto.c
index 4e563324..9fb4fcef 100644
--- a/src/tpm12/tpm_crypto.c
+++ b/src/tpm12/tpm_crypto.c
@@ -1069,6 +1069,15 @@ TPM_RESULT TPM_RSAPublicEncryptRaw(unsigned char *encrypt_data, /* output */
 'signature_length' bytes are moved to 'signature'. 'signature_length' is at most 'signature_size'. signature must point to RSA_size(rsa) bytes of memory. */
+/* Note regarding conversion to EVP_PKEY_sign for the purpose of constant-timeness:
+
+ - TPM_SS_RSASSAPKCS1v15_SHA1:
+ EVP_PKEY_sign() will call pkey_rsa_sign() which in turn will call RSA_sign() for
+ RSA_PKCS1_PADDING. This is the same as we do here.
+ - TPM_SS_RSASSAPKCS1v15_DER:
+ EVP_PKEY_sign() must not have a message digest since none of the padding choices calls
+ RSA_padding_add_PKCS1_type_1(), so we would have to do the padding again ourselves.
+*/
 TPM_RESULT TPM_RSASign(unsigned char *signature, /* output */ unsigned int *signature_length, /* output, size of signature */