add WC_NO_CACHE_RESISTANT option for old code path

2016-09-13 16:45:15 -07:00
parent b77c350153
commit 7b3fc558ec
2 changed files with 16 additions and 2 deletions
--- a/wolfcrypt/src/ecc.c
+++ b/wolfcrypt/src/ecc.c
@ -1877,7 +1877,8 @@ int wc_ecc_mulmod(mp_int* k, ecc_point *G, ecc_point *R, mp_int* a,
 #else /* ECC_TIMING_RESISTANT */


-#if defined(TFM_TIMINING_RESISTANT) && defined(USE_FAST_MATH)
+#ifndef WC_NO_CACHE_RESISTANT
+#if defined(TFM_TIMING_RESISTANT) && defined(USE_FAST_MATH)
    /* let's use the one we already have */
    extern const wolfssl_word wc_off_on_addr[2];
 #else
@ -1895,7 +1896,8 @@ int wc_ecc_mulmod(mp_int* k, ecc_point *G, ecc_point *R, mp_int* a,
        0xffffffffU
    #endif
    };
-#endif
+#endif /* TFM_TIMING_RESISTANT && USE_FAST_MATH */
+#endif /* WC_NO_CACHE_RESISTANT */

 /**
   Perform a point multiplication  (timing resistant)
@ -2034,6 +2036,10 @@ int wc_ecc_mulmod_ex(mp_int* k, ecc_point *G, ecc_point *R,
           if (err == MP_OKAY)
               err = ecc_projective_add_point(M[0], M[1], M[i^1], a, modulus,
                                                                       mp);
+#ifdef WC_NO_CACHE_RESISTANT
+           if (err == MP_OKAY)
+               err = ecc_projective_dbl_point(M[i], M[i], a, modulus, mp);
+#else
            /* instead of using M[i] for double, which leaks key bit to cache
             * monitor, use M[2] as temp, make sure address calc is constant,
             * keep &M[0] and &M[1] in cache */
@ -2072,6 +2078,7 @@ int wc_ecc_mulmod_ex(mp_int* k, ecc_point *G, ecc_point *R,
                               ((wolfssl_word)&M[1]->z & wc_off_on_addr[i])) );
           if (err != MP_OKAY)
               break;
+#endif /* WC_NO_CACHE_RESISTANT */
       } /* end for */
   }

--- a/wolfcrypt/src/tfm.c
+++ b/wolfcrypt/src/tfm.c
@ -1035,6 +1035,7 @@ int fp_addmod(fp_int *a, fp_int *b, fp_int *c, fp_int *d)

 #ifdef TFM_TIMING_RESISTANT

+#ifndef WC_NO_CACHE_RESISTANT
 /* all off / all on pointer addresses for constant calculations */
 /* ecc.c uses same table */
 const wolfssl_word wc_off_on_addr[2] =
@ -1052,6 +1053,8 @@ const wolfssl_word wc_off_on_addr[2] =
 #endif
 };

+#endif /* WC_NO_CACHE_RESISTANT */
+
 /* timing resistant montgomery ladder based exptmod
   Based on work by Marc Joye, Sung-Ming Yen, "The Montgomery Powering Ladder",
   Cryptographic Hardware and Embedded Systems, CHES 2002
@ -1111,6 +1114,9 @@ static int _fp_exptmod(fp_int * G, fp_int * X, fp_int * P, fp_int * Y)
    /* do ops */
    fp_mul(&R[0], &R[1], &R[y^1]); fp_montgomery_reduce(&R[y^1], P, mp);

+#ifdef WC_NO_CACHE_RESISTANT
+    fp_sqr(&R[y], &R[y]);          fp_montgomery_reduce(&R[y], P, mp);
+#else
    /* instead of using R[y] for sqr, which leaks key bit to cache monitor,
     * use R[2] as temp, make sure address calc is constant, keep
     * &R[0] and &R[1] in cache */
@ -1121,6 +1127,7 @@ static int _fp_exptmod(fp_int * G, fp_int * X, fp_int * P, fp_int * Y)
    fp_copy(&R[2],
            (fp_int*) ( ((wolfssl_word)&R[0] & wc_off_on_addr[y^1]) +
                        ((wolfssl_word)&R[1] & wc_off_on_addr[y]) ) );
+#endif /* WC_NO_CACHE_RESISTANT */
  }

   fp_montgomery_reduce(&R[0], P, mp);