yuzu-emu/mbedtls
1
0
Fork 0
mirror of https://github.com/yuzu-emu/mbedtls.git synced 2024-11-22 11:25:42 +01:00
Code Issues Packages Projects Releases Wiki Activity

Remove a secret-dependent branch in Montgomery multiplication

Browse Source 
In mpi_montmul, an auxiliary function for modular
exponentiation (mbedtls_mpi_mod_exp) that performs Montgomery
multiplication, the last step is a conditional subtraction to force
the result into the correct range. The current implementation uses a
branch and therefore may leak information about secret data to an
adversary who can observe what branch is taken through a side channel.

Avoid this potential leak by always doing the same subtraction and
doing a contant-trace conditional assignment to set the result.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This commit is contained in:
Gilles Peskine 2020-06-04 21:05:24 +02:00
parent c81c5889e9
commit 8f6726623a
1 changed files with 9 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
library/bignum.c
View File

@ -1956,12 +1956,15 @@ static void mpi_montmul( mbedtls_mpi *A, const mbedtls_mpi *B, const mbedtls_mpi
memcpy( A->p, d, ( n + 1 ) * ciL );
/* If A >= N then A -= N. Do the subtraction unconditionally to prevent
* timing attacks. Modify T as a side effect. */
if( mbedtls_mpi_cmp_abs( A, N ) >= 0 )
mpi_sub_hlp( n, N->p, A->p );
else
/* prevent timing attacks */
mpi_sub_hlp( n, A->p, T->p );
* timing attacks. */
/* Set d to A + (2^biL)^n - N. */
d[n] += 1;
mpi_sub_hlp( n, N->p, d );
/* Now d - (2^biL)^n = A - N so d >= (2^biL)^n iff A >= N.
* So we want to copy the result of the subtraction iff d->p[n] != 0.
* Note that d->p[n] is either 0 or 1 since A - N <= N <= (2^biL)^n. */
mpi_safe_cond_assign( n + 1, A->p, d, d[n] );
A->p[n] = 0;
}
/*