diff options
author | Jack Lloyd <[email protected]> | 2018-12-24 12:13:19 -0500 |
---|---|---|
committer | Jack Lloyd <[email protected]> | 2018-12-24 12:13:19 -0500 |
commit | f99827300605b7f4da4520e5d9cd402bd790fe15 (patch) | |
tree | ddb3c823d9e2c4d14c252668941a3862dc533289 /src/lib/math/numbertheory | |
parent | 5ec66f9788a1b511f6ba0f90ead2c9035c3e85fc (diff) |
In NIST P-xxx reductions unpoison S before using it
Was already done in P-256 but not in P-{192,224,384}.
This is a cache-based side channel which would be good to address. It
seems like it would be very difficult to exploit even with perfect
recovery, but crazier things have worked.
Diffstat (limited to 'src/lib/math/numbertheory')
-rw-r--r-- | src/lib/math/numbertheory/nistp_redc.cpp | 18 |
1 files changed, 10 insertions, 8 deletions
diff --git a/src/lib/math/numbertheory/nistp_redc.cpp b/src/lib/math/numbertheory/nistp_redc.cpp index eca78d180..17089fcbe 100644 --- a/src/lib/math/numbertheory/nistp_redc.cpp +++ b/src/lib/math/numbertheory/nistp_redc.cpp @@ -176,8 +176,6 @@ void redc_p192(BigInt& x, secure_vector<word>& ws) // No underflow possible - BOTAN_ASSERT(S <= 2, "Expected overflow in P-192 reduce"); - /* This is a table of (i*P-192) % 2**192 for i in 1...3 */ @@ -193,6 +191,9 @@ void redc_p192(BigInt& x, secure_vector<word>& ws) #endif }; + CT::unpoison(S); + BOTAN_ASSERT(S <= 2, "Expected overflow"); + BOTAN_ASSERT_NOMSG(x.size() == p192_limbs + 1); word borrow = bigint_sub2(x.mutable_data(), p192_limbs + 1, p192_mults[S], p192_limbs); BOTAN_DEBUG_ASSERT(borrow == 0 || borrow == 1); @@ -280,8 +281,6 @@ void redc_p224(BigInt& x, secure_vector<word>& ws) set_words(xw, 6, R0, 0); - BOTAN_ASSERT(S >= 0 && S <= 2, "Expected overflow in P-224 reduce"); - static const word p224_mults[3][p224_limbs] = { #if (BOTAN_MP_WORD_BITS == 64) {0x0000000000000001, 0xFFFFFFFF00000000, 0xFFFFFFFFFFFFFFFF, 0x00000000FFFFFFFF}, @@ -295,6 +294,9 @@ void redc_p224(BigInt& x, secure_vector<word>& ws) }; + CT::unpoison(S); + BOTAN_ASSERT(S >= 0 && S <= 2, "Expected overflow"); + BOTAN_ASSERT_NOMSG(x.size() == p224_limbs + 1); word borrow = bigint_sub2(x.mutable_data(), p224_limbs + 1, p224_mults[S], p224_limbs); BOTAN_DEBUG_ASSERT(borrow == 0 || borrow == 1); @@ -390,8 +392,6 @@ void redc_p256(BigInt& x, secure_vector<word>& ws) S += 5; // the top digits of 6*P-256 - BOTAN_DEBUG_ASSERT(S >= 0 && S <= 10); - /* This is a table of (i*P-256) % 2**256 for i in 1...10 */ @@ -424,6 +424,7 @@ void redc_p256(BigInt& x, secure_vector<word>& ws) }; CT::unpoison(S); + BOTAN_ASSERT(S >= 0 && S <= 10, "Expected overflow"); BOTAN_ASSERT_NOMSG(x.size() == p256_limbs + 1); word borrow = bigint_sub2(x.mutable_data(), p256_limbs + 1, p256_mults[S], p256_limbs); @@ -551,8 +552,6 @@ void redc_p384(BigInt& x, secure_vector<word>& ws) set_words(xw, 10, R0, R1); - BOTAN_ASSERT(S >= 0 && S <= 4, "Expected overflow in P-384 reduction"); - /* This is a table of (i*P-384) % 2**384 for i in 1...4 */ @@ -578,6 +577,9 @@ void redc_p384(BigInt& x, secure_vector<word>& ws) #endif }; + CT::unpoison(S); + BOTAN_ASSERT(S >= 0 && S <= 4, "Expected overflow"); + BOTAN_ASSERT_NOMSG(x.size() == p384_limbs + 1); word borrow = bigint_sub2(x.mutable_data(), p384_limbs + 1, p384_mults[S], p384_limbs); BOTAN_DEBUG_ASSERT(borrow == 0 || borrow == 1); |