
[PATCH 04/12] mpih_set_cond: restore EM leakage mitigation
* mpi/mpih-const-time.c (_gcry_mpih_set_cond): Replace single mask + XOR
with dual mask + AND/OR; add a comment stating the reason for the dual-mask form.
(_gcry_mpih_add_n_cond, _gcry_mpih_sub_n_cond, _gcry_mpih_swap_cond)
(_gcry_mpih_abs_cond): Add comment about reason for dual mask usage.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
---
mpi/mpih-const-time.c | 24 ++++++++++++++++--------
1 file changed, 16 insertions(+), 8 deletions(-)

diff --git a/mpi/mpih-const-time.c b/mpi/mpih-const-time.c
index 3f0440a9..388d2a91 100644
--- a/mpi/mpih-const-time.c
+++ b/mpi/mpih-const-time.c
@@ -39,11 +39,15 @@ void
_gcry_mpih_set_cond (mpi_ptr_t wp, mpi_ptr_t up, mpi_size_t usize,
unsigned long op_enable)
{
+ /* Note: dual mask with AND/OR used for EM leakage mitigation */
+ mpi_limb_t mask1 = vzero - op_enable;
+ mpi_limb_t mask2 = op_enable - vone;
mpi_size_t i;
- mpi_limb_t mask = vzero - op_enable;

for (i = 0; i < usize; i++)
- wp[i] ^= mask & (wp[i] ^ up[i]);
+ {
+ wp[i] = (wp[i] & mask2) | (up[i] & mask1);
+ }
}
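Review bot: The new comment above `mask1`/`mask2` names the goal but not the precondition the masks rely on: `vzero - op_enable` and `op_enable - vone` are complementary only when `op_enable` is exactly 0 or 1, and for any other value the AND/OR select on the `wp[i]` line yields neither operand, so that contract belongs next to the masks. It would also help to record why the masks are derived from `vzero`/`vone` rather than plain literals — presumably they are volatile so the compiler cannot fold `(wp[i] & mask2) | (up[i] & mask1)` back into a select or the previous XOR form and silently undo the mitigation; that is inferred, since their definitions are outside this hunk. Suggested wording: `/* Dual complementary masks combined with AND/OR (not single mask + XOR) for EM leakage mitigation; requires op_enable to be exactly 0 or 1, and mask1/mask2 must stay derived from vzero/vone so the compiler cannot re-fold the select. */`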


@@ -55,10 +59,11 @@ mpi_limb_t
_gcry_mpih_add_n_cond (mpi_ptr_t wp, mpi_ptr_t up, mpi_ptr_t vp,
mpi_size_t usize, unsigned long op_enable)
{
- mpi_size_t i;
- mpi_limb_t cy;
+ /* Note: dual mask with AND/OR used for EM leakage mitigation */
mpi_limb_t mask1 = vzero - op_enable;
mpi_limb_t mask2 = op_enable - vone;
+ mpi_size_t i;
+ mpi_limb_t cy;

cy = 0;
for (i = 0; i < usize; i++)
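Review bot: The identical one-line note is now pasted above the mask declarations of every function in this file, giving readers five copies of the statement and, despite the ChangeLog entry, no actual reason for why AND/OR with two masks is preferred over a single mask with XOR. I would keep one explanatory comment at file level near where `vzero`/`vone` are defined (outside this hunk) and reduce each per-function note to `/* Dual-mask AND/OR select; see EM leakage note at top of file. */`, so the rationale lives in one place and stays accurate. The body of `_gcry_mpih_add_n_cond` continues past the end of this hunk.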
@@ -86,10 +91,11 @@ mpi_limb_t
_gcry_mpih_sub_n_cond (mpi_ptr_t wp, mpi_ptr_t up, mpi_ptr_t vp,
mpi_size_t usize, unsigned long op_enable)
{
- mpi_size_t i;
- mpi_limb_t cy;
+ /* Note: dual mask with AND/OR used for EM leakage mitigation */
mpi_limb_t mask1 = vzero - op_enable;
mpi_limb_t mask2 = op_enable - vone;
+ mpi_size_t i;
+ mpi_limb_t cy;

cy = 0;
for (i = 0; i < usize; i++)
@@ -117,9 +123,10 @@ void
_gcry_mpih_swap_cond (mpi_ptr_t up, mpi_ptr_t vp, mpi_size_t usize,
unsigned long op_enable)
{
- mpi_size_t i;
+ /* Note: dual mask with AND/OR used for EM leakage mitigation */
mpi_limb_t mask1 = vzero - op_enable;
mpi_limb_t mask2 = op_enable - vone;
+ mpi_size_t i;

for (i = 0; i < usize; i++)
{
@@ -139,10 +146,11 @@ void
_gcry_mpih_abs_cond (mpi_ptr_t wp, mpi_ptr_t up, mpi_size_t usize,
unsigned long op_enable)
{
- mpi_size_t i;
+ /* Note: dual mask with AND/OR used for EM leakage mitigation */
mpi_limb_t mask1 = vzero - op_enable;
mpi_limb_t mask2 = op_enable - vone;
mpi_limb_t cy = op_enable;
+ mpi_size_t i;

for (i = 0; i < usize; i++)
{
--
2.40.1

