author | Jussi Kivilinna <jussi.kivilinna@iki.fi> | 2021-04-03 21:54:44 +0300 |
---|---|---|
committer | Jussi Kivilinna <jussi.kivilinna@iki.fi> | 2021-04-09 17:23:21 +0300 |
commit | 9bc3d8de6e2a8cdef37c118f0a70376ed777eeee (patch) | |
tree | 0e46b9efa578880312ec7e2f60ec7e6e68957f80 | |
parent | c7c25b6e6e6b52bbed26d8016145c404eb118f19 (diff) | |
download | libgcrypt-9bc3d8de6e2a8cdef37c118f0a70376ed777eeee.tar.gz |
mpi: harden add_n_cond, sub_n_cond and abs_cond against EM leakage
* mpi/mpih-const-time.c (_gcry_mpih_add_n_cond)
(_gcry_mpih_sub_n_cond): Always perform calculation with both UP and
VP; Use two masks for selecting output.
(_gcry_mpih_abs_cond): Always calculate absolute value of UP; Use
two masks for selecting output.
--
GnuPG-bug-id: T5330
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
-rw-r--r-- | mpi/mpih-const-time.c | 34 |
1 files changed, 20 insertions, 14 deletions
diff --git a/mpi/mpih-const-time.c b/mpi/mpih-const-time.c
index 3a69e6ba..b527ad79 100644
--- a/mpi/mpih-const-time.c
+++ b/mpi/mpih-const-time.c
@@ -60,22 +60,24 @@ _gcry_mpih_add_n_cond (mpi_ptr_t wp, mpi_ptr_t up, mpi_ptr_t vp,
 {
 mpi_size_t i;
 mpi_limb_t cy;
- mpi_limb_t mask = ((mpi_limb_t)0) - op_enable;
+ mpi_limb_t mask1 = vzero - op_enable;
+ mpi_limb_t mask2 = op_enable - vone;
 cy = 0;
 for (i = 0; i < usize; i++)
 {
- mpi_limb_t x = up[i] + (vp[i] & mask);
- mpi_limb_t cy1 = x < up[i];
+ mpi_limb_t u = up[i];
+ mpi_limb_t x = u + vp[i];
+ mpi_limb_t cy1 = x < u;
 mpi_limb_t cy2;
 x = x + cy;
 cy2 = x < cy;
 cy = cy1 | cy2;
- wp[i] = x;
+ wp[i] = (u & mask2) | (x & mask1);
 }
- return cy;
+ return cy & mask1;
 }
@@ -89,22 +91,24 @@ _gcry_mpih_sub_n_cond (mpi_ptr_t wp, mpi_ptr_t up, mpi_ptr_t vp,
 {
 mpi_size_t i;
 mpi_limb_t cy;
- mpi_limb_t mask = ((mpi_limb_t)0) - op_enable;
+ mpi_limb_t mask1 = vzero - op_enable;
+ mpi_limb_t mask2 = op_enable - vone;
 cy = 0;
 for (i = 0; i < usize; i++)
 {
- mpi_limb_t x = up[i] - (vp[i] & mask);
- mpi_limb_t cy1 = x > up[i];
+ mpi_limb_t u = up[i];
+ mpi_limb_t x = u - vp[i];
+ mpi_limb_t cy1 = x > u;
 mpi_limb_t cy2;
 cy2 = x < cy;
 x = x - cy;
 cy = cy1 | cy2;
- wp[i] = x;
+ wp[i] = (u & mask2) | (x & mask1);
 }
- return cy;
+ return cy & mask1;
 }
@@ -139,15 +143,17 @@ _gcry_mpih_abs_cond (mpi_ptr_t wp, mpi_ptr_t up, mpi_size_t usize,
 unsigned long op_enable)
 {
 mpi_size_t i;
- mpi_limb_t mask = ((mpi_limb_t)0) - op_enable;
+ mpi_limb_t mask1 = vzero - op_enable;
+ mpi_limb_t mask2 = op_enable - vone;
 mpi_limb_t cy = op_enable;
 for (i = 0; i < usize; i++)
 {
- mpi_limb_t x = ~up[i] + cy;
+ mpi_limb_t u = up[i];
+ mpi_limb_t x = ~u + cy;
- cy = (x < ~up[i]);
- wp[i] = up[i] ^ (mask & (x ^ up[i]));
+ cy = (x < ~u);
+ wp[i] = (u & mask2) | (x & mask1);
 }
 }
|
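Review bot: The mask pair `mask1 = vzero - op_enable` / `mask2 = op_enable - vone` is complementary only when op_enable is exactly 0 or 1; for any other value the selects `wp[i] = (u & mask2) | (x & mask1)` and `return cy & mask1` blend bits of u and x rather than choosing one, and this holds identically in the _gcry_mpih_add_n_cond, _gcry_mpih_sub_n_cond and _gcry_mpih_abs_cond hunks. The old single-mask form had the same 0/1 precondition, but since the new code now depends on two masks agreeing, it is worth stating at the declarations: `/* op_enable must be 0 or 1: mask1 and mask2 are complementary only then. */`. The constant-time intent also rests on vzero and vone being defined outside these hunks in a way the compiler cannot constant-fold (presumably volatile); if they were plain constants the optimizer could reduce the selects back to a data-dependent branch, so that definition is the thing to confirm. The signatures of _gcry_mpih_add_n_cond and _gcry_mpih_sub_n_cond begin above their hunks.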