aboutsummaryrefslogtreecommitdiffstats
path: root/src/lib/math/numbertheory
diff options
context:
space:
mode:
authorJack Lloyd <[email protected]>2018-12-24 12:13:19 -0500
committerJack Lloyd <[email protected]>2018-12-24 12:13:19 -0500
commitf99827300605b7f4da4520e5d9cd402bd790fe15 (patch)
treeddb3c823d9e2c4d14c252668941a3862dc533289 /src/lib/math/numbertheory
parent5ec66f9788a1b511f6ba0f90ead2c9035c3e85fc (diff)
In NIST P-xxx reductions unpoison S before using it
Was already done in P-256 but not in P-{192,224,384}. This is a cache-based side channel which would be good to address. It seems like it would be very difficult to exploit even with perfect recovery, but crazier things have worked.
Diffstat (limited to 'src/lib/math/numbertheory')
-rw-r--r--src/lib/math/numbertheory/nistp_redc.cpp18
1 files changed, 10 insertions, 8 deletions
diff --git a/src/lib/math/numbertheory/nistp_redc.cpp b/src/lib/math/numbertheory/nistp_redc.cpp
index eca78d180..17089fcbe 100644
--- a/src/lib/math/numbertheory/nistp_redc.cpp
+++ b/src/lib/math/numbertheory/nistp_redc.cpp
@@ -176,8 +176,6 @@ void redc_p192(BigInt& x, secure_vector<word>& ws)
// No underflow possible
- BOTAN_ASSERT(S <= 2, "Expected overflow in P-192 reduce");
-
/*
This is a table of (i*P-192) % 2**192 for i in 1...3
*/
@@ -193,6 +191,9 @@ void redc_p192(BigInt& x, secure_vector<word>& ws)
#endif
};
+ CT::unpoison(S);
+ BOTAN_ASSERT(S <= 2, "Expected overflow");
+
BOTAN_ASSERT_NOMSG(x.size() == p192_limbs + 1);
word borrow = bigint_sub2(x.mutable_data(), p192_limbs + 1, p192_mults[S], p192_limbs);
BOTAN_DEBUG_ASSERT(borrow == 0 || borrow == 1);
@@ -280,8 +281,6 @@ void redc_p224(BigInt& x, secure_vector<word>& ws)
set_words(xw, 6, R0, 0);
- BOTAN_ASSERT(S >= 0 && S <= 2, "Expected overflow in P-224 reduce");
-
static const word p224_mults[3][p224_limbs] = {
#if (BOTAN_MP_WORD_BITS == 64)
{0x0000000000000001, 0xFFFFFFFF00000000, 0xFFFFFFFFFFFFFFFF, 0x00000000FFFFFFFF},
@@ -295,6 +294,9 @@ void redc_p224(BigInt& x, secure_vector<word>& ws)
};
+ CT::unpoison(S);
+ BOTAN_ASSERT(S >= 0 && S <= 2, "Expected overflow");
+
BOTAN_ASSERT_NOMSG(x.size() == p224_limbs + 1);
word borrow = bigint_sub2(x.mutable_data(), p224_limbs + 1, p224_mults[S], p224_limbs);
BOTAN_DEBUG_ASSERT(borrow == 0 || borrow == 1);
@@ -390,8 +392,6 @@ void redc_p256(BigInt& x, secure_vector<word>& ws)
S += 5; // the top digits of 6*P-256
- BOTAN_DEBUG_ASSERT(S >= 0 && S <= 10);
-
/*
This is a table of (i*P-256) % 2**256 for i in 1...10
*/
@@ -424,6 +424,7 @@ void redc_p256(BigInt& x, secure_vector<word>& ws)
};
CT::unpoison(S);
+ BOTAN_ASSERT(S >= 0 && S <= 10, "Expected overflow");
BOTAN_ASSERT_NOMSG(x.size() == p256_limbs + 1);
word borrow = bigint_sub2(x.mutable_data(), p256_limbs + 1, p256_mults[S], p256_limbs);
@@ -551,8 +552,6 @@ void redc_p384(BigInt& x, secure_vector<word>& ws)
set_words(xw, 10, R0, R1);
- BOTAN_ASSERT(S >= 0 && S <= 4, "Expected overflow in P-384 reduction");
-
/*
This is a table of (i*P-384) % 2**384 for i in 1...4
*/
@@ -578,6 +577,9 @@ void redc_p384(BigInt& x, secure_vector<word>& ws)
#endif
};
+ CT::unpoison(S);
+ BOTAN_ASSERT(S >= 0 && S <= 4, "Expected overflow");
+
BOTAN_ASSERT_NOMSG(x.size() == p384_limbs + 1);
word borrow = bigint_sub2(x.mutable_data(), p384_limbs + 1, p384_mults[S], p384_limbs);
BOTAN_DEBUG_ASSERT(borrow == 0 || borrow == 1);