-rw-r--r--mpi/Makefile.am3
-rw-r--r--mpi/ec.c14
-rw-r--r--mpi/mpi-internal.h18
-rw-r--r--mpi/mpi-inv.c101
-rw-r--r--mpi/mpih-const-time.c144
5 files changed, 164 insertions, 116 deletions
diff --git a/mpi/Makefile.am b/mpi/Makefile.am
index 4a8d8881..d06594e1 100644
--- a/mpi/Makefile.am
+++ b/mpi/Makefile.am
@@ -173,6 +173,7 @@ libmpi_la_SOURCES = longlong.h \
mpicoder.c \
mpih-div.c \
mpih-mul.c \
- mpiutil.c \
+ mpih-const-time.c \
+ mpiutil.c \
ec.c ec-internal.h ec-ed25519.c
EXTRA_libmpi_la_SOURCES = asm-common-aarch64.h
diff --git a/mpi/ec.c b/mpi/ec.c
index ba5c954d..9ac95f64 100644
--- a/mpi/ec.c
+++ b/mpi/ec.c
@@ -354,20 +354,6 @@ ec_invm (gcry_mpi_t x, gcry_mpi_t a, mpi_ec_t ctx)
}
}
-static void
-mpih_set_cond (mpi_ptr_t wp, mpi_ptr_t up, mpi_size_t usize, unsigned long set)
-{
- mpi_size_t i;
- mpi_limb_t mask = ((mpi_limb_t)0) - set;
- mpi_limb_t x;
-
- for (i = 0; i < usize; i++)
- {
- x = mask & (wp[i] ^ up[i]);
- wp[i] = wp[i] ^ x;
- }
-}
-
/* Routines for 2^255 - 19. */
#define LIMB_SIZE_25519 ((256+BITS_PER_MPI_LIMB-1)/BITS_PER_MPI_LIMB)
diff --git a/mpi/mpi-internal.h b/mpi/mpi-internal.h
index 898ca47e..fd44c0a8 100644
--- a/mpi/mpi-internal.h
+++ b/mpi/mpi-internal.h
@@ -254,6 +254,24 @@ mpi_limb_t _gcry_mpih_lshift( mpi_ptr_t wp, mpi_ptr_t up, mpi_size_t usize,
mpi_limb_t _gcry_mpih_rshift( mpi_ptr_t wp, mpi_ptr_t up, mpi_size_t usize,
unsigned cnt);
+/*-- mpih-const-time.c --*/
+#define mpih_set_cond(w,u,s,o) _gcry_mpih_set_cond ((w),(u),(s),(o))
+#define mpih_add_n_cond(w,u,v,s,o) _gcry_mpih_add_n_cond ((w),(u),(v),(s),(o))
+#define mpih_sub_n_cond(w,u,v,s,o) _gcry_mpih_sub_n_cond ((w),(u),(v),(s),(o))
+#define mpih_swap_cond(u,v,s,o) _gcry_mpih_swap_cond ((u),(v),(s),(o))
+#define mpih_abs_cond(w,u,s,o) _gcry_mpih_abs_cond ((w),(u),(s),(o))
+
+void _gcry_mpih_set_cond (mpi_ptr_t wp, mpi_ptr_t up, mpi_size_t usize,
+ unsigned long op_enable);
+mpi_limb_t _gcry_mpih_add_n_cond (mpi_ptr_t wp, mpi_ptr_t up, mpi_ptr_t vp,
+ mpi_size_t usize, unsigned long op_enable);
+mpi_limb_t _gcry_mpih_sub_n_cond (mpi_ptr_t wp, mpi_ptr_t up, mpi_ptr_t vp,
+ mpi_size_t usize, unsigned long op_enable);
+void _gcry_mpih_swap_cond (mpi_ptr_t up, mpi_ptr_t vp, mpi_size_t usize,
+ unsigned long op_enable);
+void _gcry_mpih_abs_cond (mpi_ptr_t wp, mpi_ptr_t up,
+ mpi_size_t usize, unsigned long op_enable);
+
/* Define stuff for longlong.h. */
#define W_TYPE_SIZE BITS_PER_MPI_LIMB
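Review bot: The new prototypes added after `_gcry_mpih_rshift` drop the `const` that the removed mpi-inv.c definition of mpih_abs_cond carried on its read-only operand (`const mpi_limb_t *up`), and none of the five declarations states that `op_enable` must be exactly 0 or 1, even though every implementation builds its mask as `((mpi_limb_t)0) - op_enable` and `_gcry_mpih_abs_cond` seeds its carry with `cy = op_enable`, so any other value silently produces a wrong result rather than a no-op. Because these are the building blocks for secret-dependent selection, a short comment above the block such as `/* Constant-time helpers: OP_ENABLE must be 0 or 1; any other value gives an undefined result. Timing and memory access pattern must not depend on OP_ENABLE or on limb values. */` would pin the contract for callers. Restoring `const` on the operands that are only read (at least `up` of `_gcry_mpih_abs_cond`, ideally `up`/`vp` of the add/sub variants) would keep the compiler's help that the old definition had. The same applies to the matching definitions in the mpih-const-time.c hunk.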
diff --git a/mpi/mpi-inv.c b/mpi/mpi-inv.c
index 0114622d..0efe12ce 100644
--- a/mpi/mpi-inv.c
+++ b/mpi/mpi-inv.c
@@ -24,107 +24,6 @@
#include "g10lib.h"
/*
- * W = U + V when OP_ENABLED=1
- * otherwise, W = U
- */
-static mpi_limb_t
-mpih_add_n_cond (mpi_ptr_t wp, mpi_ptr_t up, mpi_ptr_t vp, mpi_size_t usize,
- unsigned long op_enable)
-{
- mpi_size_t i;
- mpi_limb_t cy;
- mpi_limb_t mask = ((mpi_limb_t)0) - op_enable;
-
- cy = 0;
- for (i = 0; i < usize; i++)
- {
- mpi_limb_t x = up[i] + (vp[i] & mask);
- mpi_limb_t cy1 = x < up[i];
- mpi_limb_t cy2;
-
- x = x + cy;
- cy2 = x < cy;
- cy = cy1 | cy2;
- wp[i] = x;
- }
-
- return cy;
-}
-
-
-/*
- * W = U - V when OP_ENABLED=1
- * otherwise, W = U
- */
-static mpi_limb_t
-mpih_sub_n_cond (mpi_ptr_t wp, mpi_ptr_t up, mpi_ptr_t vp, mpi_size_t usize,
- unsigned long op_enable)
-{
- mpi_size_t i;
- mpi_limb_t cy;
- mpi_limb_t mask = ((mpi_limb_t)0) - op_enable;
-
- cy = 0;
- for (i = 0; i < usize; i++)
- {
- mpi_limb_t x = up[i] - (vp[i] & mask);
- mpi_limb_t cy1 = x > up[i];
- mpi_limb_t cy2;
-
- cy2 = x < cy;
- x = x - cy;
- cy = cy1 | cy2;
- wp[i] = x;
- }
-
- return cy;
-}
-
-
-/*
- * Swap value of U and V when OP_ENABLED=1
- * otherwise, no change
- */
-static void
-mpih_swap_cond (mpi_ptr_t up, mpi_ptr_t vp, mpi_size_t usize,
- unsigned long op_enable)
-{
- mpi_size_t i;
- mpi_limb_t mask = ((mpi_limb_t)0) - op_enable;
-
- for (i = 0; i < usize; i++)
- {
- mpi_limb_t x = mask & (up[i] ^ vp[i]);
-
- up[i] = up[i] ^ x;
- vp[i] = vp[i] ^ x;
- }
-}
-
-
-/*
- * W = -U when OP_ENABLED=1
- * otherwise, W = U
- */
-static void
-mpih_abs_cond (mpi_limb_t *wp, const mpi_limb_t *up, mpi_size_t usize,
- unsigned long op_enable)
-{
- mpi_size_t i;
- mpi_limb_t mask = ((mpi_limb_t)0) - op_enable;
- mpi_limb_t cy = op_enable;
-
- for (i = 0; i < usize; i++)
- {
- mpi_limb_t x = ~up[i] + cy;
-
- cy = (x < ~up[i]);
- wp[i] = up[i] ^ (mask & (x ^ up[i]));
- }
-}
-
-
-/*
* This uses a modular inversion algorithm designed by Niels Möller
* which was implemented in Nettle. The same algorithm was later also
* adapted to GMP in mpn_sec_invert.
diff --git a/mpi/mpih-const-time.c b/mpi/mpih-const-time.c
new file mode 100644
index 00000000..ea8d5292
--- /dev/null
+++ b/mpi/mpih-const-time.c
@@ -0,0 +1,144 @@
+/* mpih-const-time.c - Constant-time MPI helper functions
+ * Copyright (C) 2020 g10 Code GmbH
+ *
+ * This file is part of Libgcrypt.
+ *
+ * Libgcrypt is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * Libgcrypt is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <config.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include "mpi-internal.h"
+#include "g10lib.h"
+
+/*
+ * W = U when OP_ENABLED=1
+ * otherwise, W keeps old value
+ */
+void
+_gcry_mpih_set_cond (mpi_ptr_t wp, mpi_ptr_t up, mpi_size_t usize,
+ unsigned long op_enable)
+{
+ mpi_size_t i;
+ mpi_limb_t mask = ((mpi_limb_t)0) - op_enable;
+ mpi_limb_t x;
+
+ for (i = 0; i < usize; i++)
+ {
+ x = mask & (wp[i] ^ up[i]);
+ wp[i] = wp[i] ^ x;
+ }
+}
+
+
+/*
+ * W = U + V when OP_ENABLED=1
+ * otherwise, W = U
+ */
+mpi_limb_t
+_gcry_mpih_add_n_cond (mpi_ptr_t wp, mpi_ptr_t up, mpi_ptr_t vp,
+ mpi_size_t usize, unsigned long op_enable)
+{
+ mpi_size_t i;
+ mpi_limb_t cy;
+ mpi_limb_t mask = ((mpi_limb_t)0) - op_enable;
+
+ cy = 0;
+ for (i = 0; i < usize; i++)
+ {
+ mpi_limb_t x = up[i] + (vp[i] & mask);
+ mpi_limb_t cy1 = x < up[i];
+ mpi_limb_t cy2;
+
+ x = x + cy;
+ cy2 = x < cy;
+ cy = cy1 | cy2;
+ wp[i] = x;
+ }
+
+ return cy;
+}
+
+
+/*
+ * W = U - V when OP_ENABLED=1
+ * otherwise, W = U
+ */
+mpi_limb_t
+_gcry_mpih_sub_n_cond (mpi_ptr_t wp, mpi_ptr_t up, mpi_ptr_t vp,
+ mpi_size_t usize, unsigned long op_enable)
+{
+ mpi_size_t i;
+ mpi_limb_t cy;
+ mpi_limb_t mask = ((mpi_limb_t)0) - op_enable;
+
+ cy = 0;
+ for (i = 0; i < usize; i++)
+ {
+ mpi_limb_t x = up[i] - (vp[i] & mask);
+ mpi_limb_t cy1 = x > up[i];
+ mpi_limb_t cy2;
+
+ cy2 = x < cy;
+ x = x - cy;
+ cy = cy1 | cy2;
+ wp[i] = x;
+ }
+
+ return cy;
+}
+
+
+/*
+ * Swap value of U and V when OP_ENABLED=1
+ * otherwise, no change
+ */
+void
+_gcry_mpih_swap_cond (mpi_ptr_t up, mpi_ptr_t vp, mpi_size_t usize,
+ unsigned long op_enable)
+{
+ mpi_size_t i;
+ mpi_limb_t mask = ((mpi_limb_t)0) - op_enable;
+
+ for (i = 0; i < usize; i++)
+ {
+ mpi_limb_t x = mask & (up[i] ^ vp[i]);
+
+ up[i] = up[i] ^ x;
+ vp[i] = vp[i] ^ x;
+ }
+}
+
+
+/*
+ * W = -U when OP_ENABLED=1
+ * otherwise, W = U
+ */
+void
+_gcry_mpih_abs_cond (mpi_ptr_t wp, mpi_ptr_t up, mpi_size_t usize,
+ unsigned long op_enable)
+{
+ mpi_size_t i;
+ mpi_limb_t mask = ((mpi_limb_t)0) - op_enable;
+ mpi_limb_t cy = op_enable;
+
+ for (i = 0; i < usize; i++)
+ {
+ mpi_limb_t x = ~up[i] + cy;
+
+ cy = (x < ~up[i]);
+ wp[i] = up[i] ^ (mask & (x ^ up[i]));
+ }
+}
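Review bot: `<stdio.h>` and `<stdlib.h>` are included at the top of the new file but none of the five functions uses anything from them; only `config.h` and `mpi-internal.h` (for mpi_ptr_t, mpi_limb_t and mpi_size_t) are needed, so the two standard headers can be dropped. Separately, the carry derivations such as `mpi_limb_t cy1 = x < up[i];` and `cy = (x < ~up[i]);` are constant-time only as long as the compiler lowers the comparison to a flag-materialising sequence rather than a branch, which is the usual but not a guaranteed outcome; a line in the file header like `/* Relies on limb comparisons compiling to branchless code; re-check generated code when changing compiler or target. */` would record that assumption for whoever ports or re-optimises this file.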