[gnutls-devel] GnuTLS | nettle: port upstream hardening of EC point multiplication [3.6.x] (!1407)
Read-only notification of GnuTLS library development activities
gnutls-devel at lists.gnutls.org
Mon May 10 21:06:45 CEST 2021
Niels Möller started a new discussion on lib/nettle/ecc/override/ecc-mod-arith.c.diff: https://gitlab.com/gnutls/gnutls/-/merge_requests/1407#note_571824730
> +--- a/ecc-mod-arith.c
> ++++ b/ecc-mod-arith.c
> +@@ -125,3 +125,14 @@ ecc_mod_sqr (const struct ecc_modulo *m, mp_limb_t *rp,
> + mpn_sqr (rp, ap, m->size);
> + m->reduce (m, rp);
> + }
> ++
> ++void
> ++ecc_mod_mul_canonical (const struct ecc_modulo *m, mp_limb_t *rp,
> ++ const mp_limb_t *ap, const mp_limb_t *bp, mp_limb_t *tp)
> ++{
> ++ mp_limb_t cy;
> ++ ecc_mod_mul(m, tp, ap, bp);
> ++
> ++ cy = mpn_sub_n (rp, tp, m->m, m->size);
> ++ cnd_copy (cy, rp, tp, m->size);
This will not work if rp == tp (unlike the version on master). I think it can be made to be more of a drop-in replacement for ecc_mod_mul, without the new tp argument. Something like
ecc_mod_mul (m, rp, ap, bp); /* clobbers 2*size limbs, size limbs final result */
cy = mpn_sub_n (rp + m->size, rp, m->m, m->size); /* area at rp + m->size now free to reuse */
cnd_copy (!cy, rp, rp + m->size, m->size);
(!cy should be the same as 1-cy here. I would hope either variant can be compiled without a conditional branch).
--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1407#note_571824730
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20210510/77509b14/attachment.html>
More information about the Gnutls-devel
mailing list