Make Montgomery reduction constant time.

It was already close, but the carry loop would break early and
selecting which value to copy out was indexed on the borrow bit. Have
the carry loop run through, and add a const-time conditional copy
operation and use that to copy the output.

Convert ct_utils to CT namespace. Templatize the utils, which I was
hesitant to do initially but is pretty useful when dealing with
arbitrary word sizes.

Remove the poison macros, replace with inline funcs which reads
cleaner at the call site.

1 files changed, 6 insertions, 2 deletions

diff --git a/doc/news.rst b/doc/news.rst
index 00a102427..72ab4ad9f 100644
--- a/doc/news.rst
+++ b/doc/news.rst
@@ -14,12 +14,16 @@ Version 1.11.22, Not Yet Released
   By writing the code such that it does not depend on secret inputs for branch
   or memory indexes, such a side channel would be much less likely to exist.
 
+  The OAEP code has previously made an attempt at constant time operation, but
+  it used a construct which many compilers converted into a conditional jump.
+
 * Add support for using ctgrind (https://github.com/agl/ctgrind) to test that
   sections of code do not use secret inputs to decide branches or memory indexes.
   The testing relies on dynamic checking using valgrind.
 
-  So far PKCS #1 decoding, OAEP decoding, IDEA, and Curve25519 have been notated
-  and confirmed to be constant time.
+  So far PKCS #1 decoding, OAEP decoding, Montgomery reduction, IDEA, and
+  Curve25519 have been notated and confirmed to be constant time on Linux/x86-64
+  when compiled by gcc.
 
 * Public key operations can now be used with specified providers by passing an
   additional parameter to the constructor of the PK operation.