[git] GCRYPT - branch, master, updated. libgcrypt-1.6.0-170-g6636c4f
by NIIBE Yutaka
cvs at cvs.gnupg.org
Fri Feb 27 06:18:03 CET 2015
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "The GNU crypto library".
The branch, master has been updated
via 6636c4fd0c6ceab9f79827bf96967d1e112c0b82 (commit)
via 1fa8cdb933505960d4e4b4842b122d4e06953e88 (commit)
from 410d70bad9a650e3837055e36f157894ae49a57d (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 6636c4fd0c6ceab9f79827bf96967d1e112c0b82
Author: NIIBE Yutaka <gniibe at fsij.org>
Date: Thu Feb 26 21:07:01 2015 +0900
mpi: Avoid data-dependent timing variations in mpi_powm.
* mpi/mpi-pow.c (mpi_powm): Access all data in the table by
mpi_set_cond.
--
Access to the precomputed table was indexed by a portion of EXPO,
which could be mounted by a side channel attack. This change fixes
this particular data-dependent access pattern.
Cherry-picked from commit 5e72b6c76ebee720f69b8a5c212f52d38eb50287
in LIBGCRYPT-1-6-BRANCH.
diff --git a/mpi/mpi-pow.c b/mpi/mpi-pow.c
index 930d344..70bf9e8 100644
--- a/mpi/mpi-pow.c
+++ b/mpi/mpi-pow.c
@@ -422,6 +422,7 @@ _gcry_mpi_powm (gcry_mpi_t res,
mpi_size_t W;
mpi_ptr_t base_u;
mpi_size_t base_u_size;
+ mpi_size_t max_u_size;
esize = expo->nlimbs;
msize = mod->nlimbs;
@@ -540,7 +541,7 @@ _gcry_mpi_powm (gcry_mpi_t res,
/* Main processing. */
{
- mpi_size_t i, j;
+ mpi_size_t i, j, k;
mpi_ptr_t xp;
mpi_size_t xsize;
int c;
@@ -559,7 +560,7 @@ _gcry_mpi_powm (gcry_mpi_t res,
if (W > 1) /* X := BASE^2 */
mul_mod (xp, &xsize, bp, bsize, bp, bsize, mp, msize, &karactx);
base_u = precomp[0] = mpi_alloc_limb_space (bsize, esec);
- base_u_size = precomp_size[0] = bsize;
+ base_u_size = max_u_size = precomp_size[0] = bsize;
MPN_COPY (precomp[0], bp, bsize);
for (i = 1; i < (1 << (W - 1)); i++)
{ /* PRECOMP[i] = BASE^(2 * i + 1) */
@@ -571,9 +572,14 @@ _gcry_mpi_powm (gcry_mpi_t res,
mp, msize, &karactx);
base_u = precomp[i] = mpi_alloc_limb_space (rsize, esec);
base_u_size = precomp_size[i] = rsize;
+ if (max_u_size < base_u_size)
+ max_u_size = base_u_size;
MPN_COPY (precomp[i], rp, rsize);
}
+ base_u = mpi_alloc_limb_space (max_u_size, esec);
+ MPN_ZERO (base_u, max_u_size);
+
i = esize - 1;
/* Main loop.
@@ -659,8 +665,24 @@ _gcry_mpi_powm (gcry_mpi_t res,
rsize = xsize;
}
- base_u = precomp[e0];
- base_u_size = precomp_size[e0];
+ /*
+ * base_u <= precomp[e0]
+ * base_u_size <= precomp_size[e0]
+ */
+ base_u_size = 0;
+ for (k = 0; k < (1<< (W - 1)); k++)
+ {
+ struct gcry_mpi w, u;
+ w.alloced = w.nlimbs = precomp_size[k];
+ u.alloced = u.nlimbs = precomp_size[k];
+ w.sign = u.sign = 0;
+ w.flags = u.flags = 0;
+ w.d = base_u;
+ u.d = precomp[k];
+
+ mpi_set_cond (&w, &u, k == e0);
+ base_u_size |= (precomp_size[k] & ((mpi_size_t)0 - (k == e0)) );
+ }
mul_mod (xp, &xsize, rp, rsize, base_u, base_u_size,
mp, msize, &karactx);
@@ -687,8 +709,24 @@ _gcry_mpi_powm (gcry_mpi_t res,
if (e != 0)
{
- base_u = precomp[(e>>1)];
- base_u_size = precomp_size[(e>>1)];
+ /*
+ * base_u <= precomp[(e>>1)]
+ * base_u_size <= precomp_size[(e>>1)]
+ */
+ base_u_size = 0;
+ for (k = 0; k < (1<< (W - 1)); k++)
+ {
+ struct gcry_mpi w, u;
+ w.alloced = w.nlimbs = precomp_size[k];
+ u.alloced = u.nlimbs = precomp_size[k];
+ w.sign = u.sign = 0;
+ w.flags = u.flags = 0;
+ w.d = base_u;
+ u.d = precomp[k];
+
+ mpi_set_cond (&w, &u, k == (e>>1));
+ base_u_size |= (precomp_size[k] & ((mpi_size_t)0 - (k == (e>>1))) );
+ }
mul_mod (xp, &xsize, rp, rsize, base_u, base_u_size,
mp, msize, &karactx);
@@ -739,6 +777,7 @@ _gcry_mpi_powm (gcry_mpi_t res,
_gcry_mpih_release_karatsuba_ctx (&karactx );
for (i = 0; i < (1 << (W - 1)); i++)
_gcry_mpi_free_limb_space( precomp[i], esec ? precomp_size[i] : 0 );
+ _gcry_mpi_free_limb_space (base_u, esec ? max_u_size : 0);
}
/* Fixup for negative results. */
commit 1fa8cdb933505960d4e4b4842b122d4e06953e88
Author: NIIBE Yutaka <gniibe at fsij.org>
Date: Wed Feb 11 22:30:02 2015 +0900
mpi: Revise mpi_powm.
* mpi/mpi-pow.c (_gcry_mpi_powm): Rename the table to PRECOMP.
--
The name of precomputed table was b_2i3 which stands for BASE^(2*I+3).
But it's too cryptic, so, it's renamed. Besides, we needed to
distinguish the case of I==0, that was not good. Since it's OK to
increase the size of table by one, it's BASE^(2*I+1), now.
diff --git a/mpi/mpi-pow.c b/mpi/mpi-pow.c
index 0f0947f..930d344 100644
--- a/mpi/mpi-pow.c
+++ b/mpi/mpi-pow.c
@@ -381,7 +381,7 @@ mul_mod (mpi_ptr_t xp, mpi_size_t *xsize_p,
*xsize_p = rsize + ssize;
}
-#define SIZE_B_2I3 ((1 << (5 - 1)) - 1)
+#define SIZE_PRECOMP ((1 << (5 - 1)))
/****************
* RES = BASE ^ EXPO mod MOD
@@ -417,8 +417,8 @@ _gcry_mpi_powm (gcry_mpi_t res,
unsigned int bp_nlimbs = 0;
unsigned int ep_nlimbs = 0;
unsigned int xp_nlimbs = 0;
- mpi_ptr_t b_2i3[SIZE_B_2I3]; /* Pre-computed array: BASE^3, ^5, ^7, ... */
- mpi_size_t b_2i3size[SIZE_B_2I3];
+ mpi_ptr_t precomp[SIZE_PRECOMP]; /* Pre-computed array: BASE^1, ^3, ^5, ... */
+ mpi_size_t precomp_size[SIZE_PRECOMP];
mpi_size_t W;
mpi_ptr_t base_u;
mpi_size_t base_u_size;
@@ -555,31 +555,23 @@ _gcry_mpi_powm (gcry_mpi_t res,
memset( &karactx, 0, sizeof karactx );
negative_result = (ep[0] & 1) && bsign;
- /* Precompute B_2I3[], BASE^(2 * i + 3), BASE^3, ^5, ^7, ... */
+ /* Precompute PRECOMP[], BASE^(2 * i + 1), BASE^1, ^3, ^5, ... */
if (W > 1) /* X := BASE^2 */
mul_mod (xp, &xsize, bp, bsize, bp, bsize, mp, msize, &karactx);
- for (i = 0; i < (1 << (W - 1)) - 1; i++)
- { /* B_2I3[i] = BASE^(2 * i + 3) */
- if (i == 0)
- {
- base_u = bp;
- base_u_size = bsize;
- }
- else
- {
- base_u = b_2i3[i-1];
- base_u_size = b_2i3size[i-1];
- }
-
+ base_u = precomp[0] = mpi_alloc_limb_space (bsize, esec);
+ base_u_size = precomp_size[0] = bsize;
+ MPN_COPY (precomp[0], bp, bsize);
+ for (i = 1; i < (1 << (W - 1)); i++)
+ { /* PRECOMP[i] = BASE^(2 * i + 1) */
if (xsize >= base_u_size)
mul_mod (rp, &rsize, xp, xsize, base_u, base_u_size,
mp, msize, &karactx);
else
mul_mod (rp, &rsize, base_u, base_u_size, xp, xsize,
mp, msize, &karactx);
- b_2i3[i] = mpi_alloc_limb_space (rsize, esec);
- b_2i3size[i] = rsize;
- MPN_COPY (b_2i3[i], rp, rsize);
+ base_u = precomp[i] = mpi_alloc_limb_space (rsize, esec);
+ base_u_size = precomp_size[i] = rsize;
+ MPN_COPY (precomp[i], rp, rsize);
}
i = esize - 1;
@@ -667,16 +659,8 @@ _gcry_mpi_powm (gcry_mpi_t res,
rsize = xsize;
}
- if (e0 == 0)
- {
- base_u = bp;
- base_u_size = bsize;
- }
- else
- {
- base_u = b_2i3[e0 - 1];
- base_u_size = b_2i3size[e0 -1];
- }
+ base_u = precomp[e0];
+ base_u_size = precomp_size[e0];
mul_mod (xp, &xsize, rp, rsize, base_u, base_u_size,
mp, msize, &karactx);
@@ -703,16 +687,8 @@ _gcry_mpi_powm (gcry_mpi_t res,
if (e != 0)
{
- if ((e>>1) == 0)
- {
- base_u = bp;
- base_u_size = bsize;
- }
- else
- {
- base_u = b_2i3[(e>>1) - 1];
- base_u_size = b_2i3size[(e>>1) -1];
- }
+ base_u = precomp[(e>>1)];
+ base_u_size = precomp_size[(e>>1)];
mul_mod (xp, &xsize, rp, rsize, base_u, base_u_size,
mp, msize, &karactx);
@@ -761,8 +737,8 @@ _gcry_mpi_powm (gcry_mpi_t res,
MPN_NORMALIZE (rp, rsize);
_gcry_mpih_release_karatsuba_ctx (&karactx );
- for (i = 0; i < (1 << (W - 1)) - 1; i++)
- _gcry_mpi_free_limb_space( b_2i3[i], esec ? b_2i3size[i] : 0 );
+ for (i = 0; i < (1 << (W - 1)); i++)
+ _gcry_mpi_free_limb_space( precomp[i], esec ? precomp_size[i] : 0 );
}
/* Fixup for negative results. */
-----------------------------------------------------------------------
Summary of changes:
mpi/mpi-pow.c | 93 ++++++++++++++++++++++++++++++++++-------------------------
1 file changed, 54 insertions(+), 39 deletions(-)
hooks/post-receive
--
The GNU crypto library
http://git.gnupg.org
_______________________________________________
Gnupg-commits mailing list
Gnupg-commits at gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-commits
More information about the Gcrypt-devel
mailing list