authorNiels Möller <nisse@lysator.liu.se>2021-10-23 20:39:15 +0200
committerNiels Möller <nisse@lysator.liu.se>2021-10-23 20:39:15 +0200
commit26b0f47b458767ec5a3a4d7980498b03a4e8ded7 (patch)
tree37da5c2d5cc0419ae338d001e65d012eac072b57
parent45028ff232dd90fd2afce6e1550a4ca3b0844612 (diff)
downloadnettle-26b0f47b458767ec5a3a4d7980498b03a4e8ded7.tar.gz
New function sec_zero_p.
-rw-r--r--ChangeLog8
-rw-r--r--ecc-curve25519.c6
-rw-r--r--ecc-curve448.c9
-rw-r--r--ecc-random.c15
-rw-r--r--gmp-glue.c12
-rw-r--r--gmp-glue.h5
6 files changed, 29 insertions, 26 deletions
diff --git a/ChangeLog b/ChangeLog
index 64d2b311..07ec71bc 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2021-10-23 Niels Möller <nisse@lysator.liu.se>
+
+ * gmp-glue.c (sec_zero_p): New function.
+ * ecc-curve25519.c (ecc_curve25519_zero_p): Use it.
+ * ecc-curve448.c (ecc_curve448_zero_p): Use it.
+ * ecc-random.c (ecdsa_in_range): Use it.
+ (zero_p): Delete static function.
+
2021-10-06 Niels Möller <nisse@lysator.liu.se>
* testsuite/ecc-mod-test.c: Extend tests to give better coverage
diff --git a/ecc-curve25519.c b/ecc-curve25519.c
index 7182b2ff..3a85f07e 100644
--- a/ecc-curve25519.c
+++ b/ecc-curve25519.c
@@ -175,8 +175,6 @@ static int
ecc_curve25519_zero_p (const struct ecc_modulo *p, mp_limb_t *xp)
{
mp_limb_t cy;
- mp_limb_t w;
- mp_size_t i;
#if PHIGH_BITS > 0
mp_limb_t hi = xp[ECC_LIMB_SIZE-1];
xp[ECC_LIMB_SIZE-1] = (hi & (GMP_NUMB_MASK >> PHIGH_BITS))
@@ -185,9 +183,7 @@ ecc_curve25519_zero_p (const struct ecc_modulo *p, mp_limb_t *xp)
cy = mpn_sub_n (xp, xp, p->m, ECC_LIMB_SIZE);
mpn_cnd_add_n (cy, xp, xp, p->m, ECC_LIMB_SIZE);
- for (i = 0, w = 0; i < ECC_LIMB_SIZE; i++)
- w |= xp[i];
- return w == 0;
+ return sec_zero_p (xp, ECC_LIMB_SIZE);
}
/* Compute x such that x^2 = u/v (mod p). Returns one on success, zero
diff --git a/ecc-curve448.c b/ecc-curve448.c
index bd87c5b8..2c3d54ba 100644
--- a/ecc-curve448.c
+++ b/ecc-curve448.c
@@ -158,15 +158,10 @@ static void ecc_curve448_inv (const struct ecc_modulo *p,
static int
ecc_curve448_zero_p (const struct ecc_modulo *p, mp_limb_t *xp)
{
- mp_limb_t cy;
- mp_limb_t w;
- mp_size_t i;
- cy = mpn_sub_n (xp, xp, p->m, ECC_LIMB_SIZE);
+ mp_limb_t cy = mpn_sub_n (xp, xp, p->m, ECC_LIMB_SIZE);
mpn_cnd_add_n (cy, xp, xp, p->m, ECC_LIMB_SIZE);
- for (i = 0, w = 0; i < ECC_LIMB_SIZE; i++)
- w |= xp[i];
- return w == 0;
+ return sec_zero_p (xp, ECC_LIMB_SIZE);
}
/* Compute x such that x^2 = u/v (mod p). Returns one on success, zero
diff --git a/ecc-random.c b/ecc-random.c
index 79df511c..a7b48d6a 100644
--- a/ecc-random.c
+++ b/ecc-random.c
@@ -42,24 +42,11 @@
#include "nettle-internal.h"
static int
-zero_p (const struct ecc_modulo *m,
- const mp_limb_t *xp)
-{
- mp_limb_t t;
- mp_size_t i;
-
- for (i = t = 0; i < m->size; i++)
- t |= xp[i];
-
- return t == 0;
-}
-
-static int
ecdsa_in_range (const struct ecc_modulo *m,
const mp_limb_t *xp, mp_limb_t *scratch)
{
/* Check if 0 < x < q, with data independent timing. */
- return !zero_p (m, xp)
+ return !sec_zero_p (xp, m->size)
& (mpn_sub_n (scratch, xp, m->m, m->size) != 0);
}
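Review bot: The bitwise `&` joining `!sec_zero_p (xp, m->size)` with the `mpn_sub_n (...) != 0` test is deliberate, since both operands must always be evaluated for the timing not to depend on whether x is zero, but nothing in the code says so and a later cleanup could "fix" it to `&&`; the existing comment states the intent, not the operator choice. Suggest extending that comment to `/* Check if 0 < x < q, with data independent timing; bitwise & (not &&) so both tests are always evaluated. */`.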
diff --git a/gmp-glue.c b/gmp-glue.c
index 3bfc6175..2d8f3d50 100644
--- a/gmp-glue.c
+++ b/gmp-glue.c
@@ -101,6 +101,18 @@ mpn_cnd_swap (mp_limb_t cnd, volatile mp_limb_t *ap, volatile mp_limb_t *bp, mp_
#endif /* NETTLE_USE_MINI_GMP */
+int
+sec_zero_p (const mp_limb_t *ap, mp_size_t n)
+{
+ volatile mp_limb_t w;
+ mp_size_t i;
+
+ for (i = 0, w = 0; i < n; i++)
+ w |= ap[i];
+
+ return w == 0;
+}
+
/* Additional convenience functions. */
int
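Review bot: The definition of sec_zero_p gives no reason for `volatile` on `w`, which is the one thing that distinguishes it from a plain mpn_zero_p loop and the property the header's "side-channel silent" wording relies on. A volatile accumulator stops the compiler from rewriting the OR-loop into an early exit on the first non-zero limb, but the final `return w == 0;` may still be lowered to a branch on some targets, so callers should combine the result with `&` rather than short-circuit operators, as ecc-random.c does. Suggest a comment above the loop: `/* w is volatile so the compiler cannot exit the loop early on the first non-zero limb; running time must not depend on the limb values. */`. It is also worth noting in the same comment that for n == 0 the loop body never runs and the function returns 1.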
diff --git a/gmp-glue.h b/gmp-glue.h
index 7ebfd782..ac2f9a3a 100644
--- a/gmp-glue.h
+++ b/gmp-glue.h
@@ -39,6 +39,7 @@
#define mpz_limbs_read_n _nettle_mpz_limbs_read_n
#define mpz_limbs_copy _nettle_mpz_limbs_copy
#define mpz_set_n _nettle_mpz_set_n
+#define sec_zero_p _nettle_sec_zero_p
#define mpn_set_base256 _nettle_mpn_set_base256
#define mpn_set_base256_le _nettle_mpn_set_base256_le
#define mpn_get_base256 _nettle_mpn_get_base256
@@ -69,6 +70,10 @@ void
mpn_cnd_swap (mp_limb_t cnd, volatile mp_limb_t *ap, volatile mp_limb_t *bp, mp_size_t n);
#endif
+/* Side-channel silent variant of mpn_zero_p. */
+int
+sec_zero_p (const mp_limb_t *ap, mp_size_t n);
+
#define NETTLE_OCTET_SIZE_TO_LIMB_SIZE(n) \
(((n) * 8 + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS)
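Review bot: The comment on the new sec_zero_p declaration names only its relation to mpn_zero_p and leaves the return contract to the reader; the definition in gmp-glue.c returns 1 when every one of the n limbs is zero, 0 otherwise, and 1 for n == 0 because the accumulator starts at zero. Suggest `/* Side-channel silent variant of mpn_zero_p: returns 1 if all n limbs at ap are zero (including n == 0), 0 otherwise, without a data-dependent early exit. */`.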