feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

Merge pull request #2353 from SparkiDev/ecc_nonce

Browse Source 
Improve nonce use in ECC mulmod
This commit is contained in:
toddouska
2019-07-17 11:23:12 -07:00
committed by GitHub
parent 9a2f4bb8f8 483f6a5acd
commit 8b6e66f095
1 changed files with 47 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

64
wolfcrypt/src/ecc.c
View File

@ -2479,7 +2479,7 @@ int wc_ecc_mulmod_ex(mp_int* k, ecc_point *G, ecc_point *R,
#define M_POINTS 8 #define M_POINTS 8
int first = 1, bitbuf = 0, bitcpy = 0, j; int first = 1, bitbuf = 0, bitcpy = 0, j;
#else #else
#define M_POINTS 3 #define M_POINTS 4
#endif #endif
ecc_point *tG, *M[M_POINTS]; ecc_point *tG, *M[M_POINTS];
@ -2771,7 +2771,9 @@ int wc_ecc_mulmod_ex(mp_int* k, ecc_point *G, ecc_point *R,
mode = 0; mode = 0;
bitcnt = 1; bitcnt = 1;
buf = 0; buf = 0;
digidx = get_digit_count(k) - 1; digidx = get_digit_count(modulus) - 1;
/* The order MAY be 1 bit longer than the modulus. */
digidx += (modulus->dp[digidx] >> (DIGIT_BIT-1));
/* perform ops */ /* perform ops */
if (err == MP_OKAY) { if (err == MP_OKAY) {
@ -2790,25 +2792,53 @@ int wc_ecc_mulmod_ex(mp_int* k, ecc_point *G, ecc_point *R,
i = (buf >> (DIGIT_BIT - 1)) & 1; i = (buf >> (DIGIT_BIT - 1)) & 1;
buf <<= 1; buf <<= 1;
if (mode == 0 && i == 0) { if (mode == 0) {
mode = i;
/* timing resistant - dummy operations */ /* timing resistant - dummy operations */
if (err == MP_OKAY) if (err == MP_OKAY)
err = ecc_projective_add_point(M[0], M[1], M[2], a, modulus, err = ecc_projective_add_point(M[1], M[2], M[2], a, modulus,
mp); mp);
#ifdef WC_NO_CACHE_RESISTANT
if (err == MP_OKAY) if (err == MP_OKAY)
err = ecc_projective_dbl_point(M[1], M[2], a, modulus, mp); err = ecc_projective_dbl_point(M[2], M[3], a, modulus, mp);
if (err == MP_OKAY) #else
continue; /* instead of using M[i] for double, which leaks key bit to cache
} * monitor, use M[2] as temp, make sure address calc is constant,
* keep M[0] and M[1] in cache */
if (mode == 0 && i == 1) { if (err == MP_OKAY)
mode = 1; err = mp_copy((mp_int*)
/* timing resistant - dummy operations */ ( ((wolfssl_word)M[0]->x & wc_off_on_addr[i^1]) +
if (err == MP_OKAY) ((wolfssl_word)M[1]->x & wc_off_on_addr[i])),
err = ecc_projective_add_point(M[0], M[1], M[2], a, modulus, M[2]->x);
mp); if (err == MP_OKAY)
if (err == MP_OKAY) err = mp_copy((mp_int*)
err = ecc_projective_dbl_point(M[1], M[2], a, modulus, mp); ( ((wolfssl_word)M[0]->y & wc_off_on_addr[i^1]) +
((wolfssl_word)M[1]->y & wc_off_on_addr[i])),
M[2]->y);
if (err == MP_OKAY)
err = mp_copy((mp_int*)
( ((wolfssl_word)M[0]->z & wc_off_on_addr[i^1]) +
((wolfssl_word)M[1]->z & wc_off_on_addr[i])),
M[2]->z);
if (err == MP_OKAY)
err = ecc_projective_dbl_point(M[2], M[3], a, modulus, mp);
/* copy M[2] back to M[i] */
if (err == MP_OKAY)
err = mp_copy(M[2]->x,
(mp_int*)
( ((wolfssl_word)M[0]->x & wc_off_on_addr[i^1]) +
((wolfssl_word)M[1]->x & wc_off_on_addr[i])) );
if (err == MP_OKAY)
err = mp_copy(M[2]->y,
(mp_int*)
( ((wolfssl_word)M[0]->y & wc_off_on_addr[i^1]) +
((wolfssl_word)M[1]->y & wc_off_on_addr[i])) );
if (err == MP_OKAY)
err = mp_copy(M[2]->z,
(mp_int*)
( ((wolfssl_word)M[0]->z & wc_off_on_addr[i^1]) +
((wolfssl_word)M[1]->z & wc_off_on_addr[i])) );
#endif
if (err == MP_OKAY) if (err == MP_OKAY)
continue; continue;
} }