aboutsummaryrefslogtreecommitdiffstats
path: root/src/lib
diff options
context:
space:
mode:
authorlloyd <[email protected]>2015-01-08 13:25:48 +0000
committerlloyd <[email protected]>2015-01-08 13:25:48 +0000
commit046da982c11170f2d37f9b3acd803a56fe325abd (patch)
treef98648a5e871401714e931e3ccc2f93dc3b6a321 /src/lib
parent8e92f925bcf6039f405f841219fdf3ff020cabf9 (diff)
Side channel commentary
Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/math/mp/mp_karat.cpp11
-rw-r--r--src/lib/math/mp/mp_monty.cpp15
2 files changed, 26 insertions, 0 deletions
diff --git a/src/lib/math/mp/mp_karat.cpp b/src/lib/math/mp/mp_karat.cpp
index 62620f83d..f576ff612 100644
--- a/src/lib/math/mp/mp_karat.cpp
+++ b/src/lib/math/mp/mp_karat.cpp
@@ -48,6 +48,15 @@ void karatsuba_mul(word z[], const word x[], const word y[], size_t N,
clear_mem(workspace, 2*N);
+ /*
+ * If either of cmp0 or cmp1 is zero then z0 or z1 resp is zero here,
+ * resulting in a no-op - z0*z1 will be equal to zero so we don't need to do
+ * anything, clear_mem above already set the correct result.
+ *
+ * However we ignore the result of the comparisons and always perform the
+ * subtractions and recursively multiply to avoid the timing channel.
+ */
+
//if(cmp0 && cmp1)
{
if(cmp0 > 0)
@@ -106,6 +115,8 @@ void karatsuba_sqr(word z[], const word x[], size_t N, word workspace[])
clear_mem(workspace, 2*N);
+ // See comment in karatsuba_mul
+
//if(cmp)
{
if(cmp > 0)
diff --git a/src/lib/math/mp/mp_monty.cpp b/src/lib/math/mp/mp_monty.cpp
index 095457dbe..331153f06 100644
--- a/src/lib/math/mp/mp_monty.cpp
+++ b/src/lib/math/mp/mp_monty.cpp
@@ -56,12 +56,27 @@ void bigint_monty_redc(word z[],
}
}
+ /*
+ * The result might need to be reduced mod p. To avoid a timing
+ * channel, always perform the subtraction. If in the compution
+ * of x - p a borrow is required then x was already < p.
+ *
+ * x - p starts at ws[0] and is p_size+1 bytes long
+ * x starts at ws[p_size+1] and is also p_size+1 bytes log
+ * (that's the copy_mem)
+ *
+ * Select which address to copy from indexing off of the final
+ * borrow.
+ */
+
word borrow = 0;
for(size_t i = 0; i != p_size; ++i)
ws[i] = word_sub(z[p_size + i], p[i], &borrow);
ws[p_size] = word_sub(z[p_size+p_size], 0, &borrow);
+ BOTAN_ASSERT(borrow == 0 || borrow == 1, "Expected borrow");
+
copy_mem(ws + p_size + 1, z + p_size, p_size + 1);
copy_mem(z, ws + borrow*(p_size+1), p_size + 1);