From: Niels Möller
Date: Sat, 23 Oct 2021 18:39:15 +0000 (+0200)
Subject: New function sec_zero_p.
X-Git-Tag: nettle_3.8_release_20220602~87
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=26b0f47b458767ec5a3a4d7980498b03a4e8ded7;p=thirdparty%2Fnettle.git
New function sec_zero_p.
---
diff --git a/ChangeLog b/ChangeLog
index 64d2b311..07ec71bc 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2021-10-23 Niels Möller
+
+ * gmp-glue.c (sec_zero_p): New function.
+ * ecc-curve25519.c (ecc_curve25519_zero_p): Use it.
+ * ecc-curve448.c (ecc_curve448_zero_p): Use it.
+ * ecc-random.c (ecdsa_in_range): Use it.
+ (zero_p): Delete static function.
+
 2021-10-06 Niels Möller
 * testsuite/ecc-mod-test.c: Extend tests to give better coverage
diff --git a/ecc-curve25519.c b/ecc-curve25519.c
index 7182b2ff..3a85f07e 100644
--- a/ecc-curve25519.c
+++ b/ecc-curve25519.c
@@ -175,8 +175,6 @@ static int
 ecc_curve25519_zero_p (const struct ecc_modulo *p, mp_limb_t *xp)
 {
 mp_limb_t cy;
- mp_limb_t w;
- mp_size_t i;
 #if PHIGH_BITS > 0
 mp_limb_t hi = xp[ECC_LIMB_SIZE-1];
 xp[ECC_LIMB_SIZE-1] = (hi & (GMP_NUMB_MASK >> PHIGH_BITS))
@@ -185,9 +183,7 @@ ecc_curve25519_zero_p (const struct ecc_modulo *p, mp_limb_t *xp)
 cy = mpn_sub_n (xp, xp, p->m, ECC_LIMB_SIZE);
 mpn_cnd_add_n (cy, xp, xp, p->m, ECC_LIMB_SIZE);
- for (i = 0, w = 0; i < ECC_LIMB_SIZE; i++)
- w |= xp[i];
- return w == 0;
+ return sec_zero_p (xp, ECC_LIMB_SIZE);
 }
 /* Compute x such that x^2 = u/v (mod p). Returns one on success, zero
diff --git a/ecc-curve448.c b/ecc-curve448.c
index bd87c5b8..2c3d54ba 100644
--- a/ecc-curve448.c
+++ b/ecc-curve448.c
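Review bot: The zero test in this hunk is only correct if `xp` is already below 2p when it reaches `mpn_sub_n`: one subtraction of p followed by one conditional add-back is a single conditional reduction, so a value in [2p, 2^256) that is 0 mod p would still be handed to `sec_zero_p` non-canonical and reported as nonzero. The PHIGH_BITS fold in the previous hunk presumably establishes that bound, but nothing in the function states it, and the predicate-style `_zero_p` name hides that `xp` is clobbered by both the fold and the subtraction. I would put above the function `/* Returns 1 iff xp == 0 (mod p), in time independent of the value. Requires xp < 2p after the PHIGH_BITS fold: a single conditional subtraction does not reduce larger inputs. xp is reduced in place and the caller's value is lost. */`. ecc_curve25519_zero_p starts before this hunk.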
@@ -158,15 +158,10 @@ static void ecc_curve448_inv (const struct ecc_modulo *p,
 static int
 ecc_curve448_zero_p (const struct ecc_modulo *p, mp_limb_t *xp)
 {
- mp_limb_t cy;
- mp_limb_t w;
- mp_size_t i;
- cy = mpn_sub_n (xp, xp, p->m, ECC_LIMB_SIZE);
+ mp_limb_t cy = mpn_sub_n (xp, xp, p->m, ECC_LIMB_SIZE);
 mpn_cnd_add_n (cy, xp, xp, p->m, ECC_LIMB_SIZE);
- for (i = 0, w = 0; i < ECC_LIMB_SIZE; i++)
- w |= xp[i];
- return w == 0;
+ return sec_zero_p (xp, ECC_LIMB_SIZE);
 }
 /* Compute x such that x^2 = u/v (mod p). Returns one on success, zero
diff --git a/ecc-random.c b/ecc-random.c
index 79df511c..a7b48d6a 100644
--- a/ecc-random.c
+++ b/ecc-random.c
@@ -41,25 +41,12 @@
 #include "ecc-internal.h"
 #include "nettle-internal.h"
-static int
-zero_p (const struct ecc_modulo *m,
- const mp_limb_t *xp)
-{
- mp_limb_t t;
- mp_size_t i;
-
- for (i = t = 0; i < m->size; i++)
- t |= xp[i];
-
- return t == 0;
-}
-
 static int
 ecdsa_in_range (const struct ecc_modulo *m,
 const mp_limb_t *xp, mp_limb_t *scratch)
 {
 /* Check if 0 < x < q, with data independent timing. */
- return !zero_p (m, xp)
+ return !sec_zero_p (xp, m->size)
 & (mpn_sub_n (scratch, xp, m->m, m->size) != 0);
 }
diff --git a/gmp-glue.c b/gmp-glue.c
index 3bfc6175..2d8f3d50 100644
--- a/gmp-glue.c
+++ b/gmp-glue.c
@@ -101,6 +101,18 @@ mpn_cnd_swap (mp_limb_t cnd, volatile mp_limb_t *ap, volatile mp_limb_t *bp, mp_
 #endif /* NETTLE_USE_MINI_GMP */
+int
+sec_zero_p (const mp_limb_t *ap, mp_size_t n)
+{
+ volatile mp_limb_t w;
+ mp_size_t i;
+
+ for (i = 0, w = 0; i < n; i++)
+ w |= ap[i];
+
+ return w == 0;
+}
+
 /* Additional convenience functions. */
 int
diff --git a/gmp-glue.h b/gmp-glue.h
index 7ebfd782..ac2f9a3a 100644
--- a/gmp-glue.h
+++ b/gmp-glue.h
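Review bot: `ecc_curve448_zero_p` is now fully visible and its correctness rests on an undocumented precondition: the `mpn_sub_n` on the new `mp_limb_t cy` line plus the `mpn_cnd_add_n` that follows perform exactly one conditional subtraction of p, so the value passed to `sec_zero_p` is canonical only when `xp < 2p` on entry, and a larger multiple of p would be reported as nonzero. The function also overwrites `xp`, which the non-const parameter allows but the predicate-style name does not advertise. A comment above the function such as `/* Returns 1 iff xp == 0 (mod p). Requires xp < 2p; xp is reduced in place and its previous value is lost. Data-independent timing assumes mpn_sub_n and mpn_cnd_add_n are themselves constant-time for ECC_LIMB_SIZE limbs. */` would make both the bound and the side effect explicit for callers.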
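Review bot: The bitwise `&` joining `!sec_zero_p (xp, m->size)` and the `mpn_sub_n` borrow test is what keeps `ecdsa_in_range` data-independent, and a later cleanup could easily "fix" it to `&&`, which would skip the subtraction whenever x is zero and reintroduce a timing signal. The comment above the return says what is checked but not why the operator is load-bearing; I would extend it to `/* Check if 0 < x < q, with data independent timing. Bitwise & (not &&): both tests must always run, so neither timing nor the access pattern reveals whether x is zero. Only the borrow of mpn_sub_n is used; the difference left in scratch is discarded. */`. The last sentence is worth stating because the function writes `scratch` and never reads it back.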
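Review bot: The `volatile` on `w` in `sec_zero_p` is the reason this function exists, yet it carries no explanation, so a future maintainer has no signal not to drop it. Presumably it forces a store on every iteration so the compiler cannot rewrite the OR-accumulation into a compare-and-exit that leaves the loop on the first nonzero limb; a comment such as `/* volatile: force one store per limb so the compiler cannot short-circuit the loop once w is known to be nonzero; all n limbs must always be read. */` on the declaration would pin that intent. Two further points for the same comment: the function returns 1 for `n == 0` (the loop body never runs and `w` stays 0), which matters because callers pass sizes like `m->size`, and the final `return w == 0;` is an ordinary comparison left to the compiler, which is acceptable only because callers branch on the result anyway — that limitation should be stated rather than implied by "side-channel silent".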
@@ -39,6 +39,7 @@
 #define mpz_limbs_read_n _nettle_mpz_limbs_read_n
 #define mpz_limbs_copy _nettle_mpz_limbs_copy
 #define mpz_set_n _nettle_mpz_set_n
+#define sec_zero_p _nettle_sec_zero_p
 #define mpn_set_base256 _nettle_mpn_set_base256
 #define mpn_set_base256_le _nettle_mpn_set_base256_le
 #define mpn_get_base256 _nettle_mpn_get_base256
@@ -69,6 +70,10 @@ void
 mpn_cnd_swap (mp_limb_t cnd, volatile mp_limb_t *ap, volatile mp_limb_t *bp, mp_size_t n);
 #endif
+/* Side-channel silent variant of mpn_zero_p. */
+int
+sec_zero_p (const mp_limb_t *ap, mp_size_t n);
+
 #define NETTLE_OCTET_SIZE_TO_LIMB_SIZE(n) \
 (((n) * 8 + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS)
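Review bot: The comment on the new `sec_zero_p` declaration names the property (side-channel silent) but not the contract, and this header is what the ecc-*.c callers will read. From the definition in gmp-glue.c it returns 1 when all `n` limbs of `ap` are zero, including the `n == 0` case, and 0 otherwise, and it always reads every limb instead of stopping at the first nonzero one. I would replace the one-liner with `/* Returns 1 if ap[0..n-1] are all zero (also for n == 0), else 0. Unlike mpn_zero_p, always reads all n limbs, so the running time does not depend on where the first nonzero limb is. */`.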