| blob | db6e389973f0a29109eb8ec7b8653f0acf9fd512 |
1 Description: fix sidechannel attack via timing variations in mpi_powm
2 Origin: backport, http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=deb6f231ba85f65283c9e1deb3e2dea3b6ca46dc
3 Origin: backport, http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=d9f002899d26dc64f1502ae5050632340a4780fe
4 Origin: backport, http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=5e72b6c76ebee720f69b8a5c212f52d38eb50287
6 Index: libgcrypt11-1.5.4/mpi/mpi-pow.c
7 ===================================================================
8 --- libgcrypt11-1.5.4.orig/mpi/mpi-pow.c 2015-03-26 08:14:32.728379999 -0400
9 +++ libgcrypt11-1.5.4/mpi/mpi-pow.c 2015-03-26 08:14:32.720379940 -0400
10 @@ -381,7 +381,7 @@
11 *xsize_p = rsize + ssize;
12 }
14 -#define SIZE_B_2I3 ((1 << (5 - 1)) - 1)
15 +#define SIZE_PRECOMP ((1 << (5 - 1)))
17 /****************
18 * RES = BASE ^ EXPO mod MOD
19 @@ -417,11 +417,12 @@
20 unsigned int bp_nlimbs = 0;
21 unsigned int ep_nlimbs = 0;
22 unsigned int xp_nlimbs = 0;
23 - mpi_ptr_t b_2i3[SIZE_B_2I3]; /* Pre-computed array: BASE^3, ^5, ^7, ... */
24 - mpi_size_t b_2i3size[SIZE_B_2I3];
25 + mpi_ptr_t precomp[SIZE_PRECOMP]; /* Pre-computed array: BASE^1, ^3, ^5, ... */
26 + mpi_size_t precomp_size[SIZE_PRECOMP];
27 mpi_size_t W;
28 mpi_ptr_t base_u;
29 mpi_size_t base_u_size;
30 + mpi_size_t max_u_size;
32 esize = expo->nlimbs;
33 msize = mod->nlimbs;
34 @@ -540,7 +541,7 @@
36 /* Main processing. */
37 {
38 - mpi_size_t i, j;
39 + mpi_size_t i, j, k;
40 mpi_ptr_t xp;
41 mpi_size_t xsize;
42 int c;
43 @@ -555,33 +556,30 @@
44 memset( &karactx, 0, sizeof karactx );
45 negative_result = (ep[0] & 1) && bsign;
47 - /* Precompute B_2I3[], BASE^(2 * i + 3), BASE^3, ^5, ^7, ... */
48 + /* Precompute PRECOMP[], BASE^(2 * i + 1), BASE^1, ^3, ^5, ... */
49 if (W > 1) /* X := BASE^2 */
50 mul_mod (xp, &xsize, bp, bsize, bp, bsize, mp, msize, &karactx);
51 - for (i = 0; i < (1 << (W - 1)) - 1; i++)
52 - { /* B_2I3[i] = BASE^(2 * i + 3) */
53 - if (i == 0)
54 - {
55 - base_u = bp;
56 - base_u_size = bsize;
57 - }
58 - else
59 - {
60 - base_u = b_2i3[i-1];
61 - base_u_size = b_2i3size[i-1];
62 - }
63 -
64 + base_u = precomp[0] = mpi_alloc_limb_space (bsize, esec);
65 + base_u_size = max_u_size = precomp_size[0] = bsize;
66 + MPN_COPY (precomp[0], bp, bsize);
67 + for (i = 1; i < (1 << (W - 1)); i++)
68 + { /* PRECOMP[i] = BASE^(2 * i + 1) */
69 if (xsize >= base_u_size)
70 mul_mod (rp, &rsize, xp, xsize, base_u, base_u_size,
71 mp, msize, &karactx);
72 else
73 mul_mod (rp, &rsize, base_u, base_u_size, xp, xsize,
74 mp, msize, &karactx);
75 - b_2i3[i] = mpi_alloc_limb_space (rsize, esec);
76 - b_2i3size[i] = rsize;
77 - MPN_COPY (b_2i3[i], rp, rsize);
78 + base_u = precomp[i] = mpi_alloc_limb_space (rsize, esec);
79 + base_u_size = precomp_size[i] = rsize;
80 + if (max_u_size < base_u_size)
81 + max_u_size = base_u_size;
82 + MPN_COPY (precomp[i], rp, rsize);
83 }
85 + base_u = mpi_alloc_limb_space (max_u_size, esec);
86 + MPN_ZERO (base_u, max_u_size);
87 +
88 i = esize - 1;
90 /* Main loop.
91 @@ -667,15 +665,23 @@
92 rsize = xsize;
93 }
95 - if (e0 == 0)
96 + /*
97 + * base_u <= precomp[e0]
98 + * base_u_size <= precomp_size[e0]
99 + */
100 + base_u_size = 0;
101 + for (k = 0; k < (1<< (W - 1)); k++)
102 {
103 - base_u = bp;
104 - base_u_size = bsize;
105 - }
106 - else
107 - {
108 - base_u = b_2i3[e0 - 1];
109 - base_u_size = b_2i3size[e0 -1];
110 + struct gcry_mpi w, u;
111 + w.alloced = w.nlimbs = precomp_size[k];
112 + u.alloced = u.nlimbs = precomp_size[k];
113 + w.sign = u.sign = 0;
114 + w.flags = u.flags = 0;
115 + w.d = base_u;
116 + u.d = precomp[k];
117 +
118 + mpi_set_cond (&w, &u, k == e0);
119 + base_u_size |= (precomp_size[k] & ((mpi_size_t)0 - (k == e0)) );
120 }
122 mul_mod (xp, &xsize, rp, rsize, base_u, base_u_size,
123 @@ -703,15 +709,23 @@
125 if (e != 0)
126 {
127 - if ((e>>1) == 0)
128 + /*
129 + * base_u <= precomp[(e>>1)]
130 + * base_u_size <= precomp_size[(e>>1)]
131 + */
132 + base_u_size = 0;
133 + for (k = 0; k < (1<< (W - 1)); k++)
134 {
135 - base_u = bp;
136 - base_u_size = bsize;
137 - }
138 - else
139 - {
140 - base_u = b_2i3[(e>>1) - 1];
141 - base_u_size = b_2i3size[(e>>1) -1];
142 + struct gcry_mpi w, u;
143 + w.alloced = w.nlimbs = precomp_size[k];
144 + u.alloced = u.nlimbs = precomp_size[k];
145 + w.sign = u.sign = 0;
146 + w.flags = u.flags = 0;
147 + w.d = base_u;
148 + u.d = precomp[k];
149 +
150 + mpi_set_cond (&w, &u, k == (e>>1));
151 + base_u_size |= (precomp_size[k] & ((mpi_size_t)0 - (k == (e>>1))) );
152 }
154 mul_mod (xp, &xsize, rp, rsize, base_u, base_u_size,
155 @@ -761,8 +775,9 @@
156 MPN_NORMALIZE (rp, rsize);
158 _gcry_mpih_release_karatsuba_ctx (&karactx );
159 - for (i = 0; i < (1 << (W - 1)) - 1; i++)
160 - _gcry_mpi_free_limb_space( b_2i3[i], esec ? b_2i3size[i] : 0 );
161 + for (i = 0; i < (1 << (W - 1)); i++)
162 + _gcry_mpi_free_limb_space( precomp[i], esec ? precomp_size[i] : 0 );
163 + _gcry_mpi_free_limb_space (base_u, esec ? max_u_size : 0);
164 }
166 /* Fixup for negative results. */
167 Index: libgcrypt11-1.5.4/mpi/mpiutil.c
168 ===================================================================
169 --- libgcrypt11-1.5.4.orig/mpi/mpiutil.c 2015-03-26 08:14:32.728379999 -0400
170 +++ libgcrypt11-1.5.4/mpi/mpiutil.c 2015-03-26 08:14:32.720379940 -0400
171 @@ -386,6 +386,31 @@
172 / BITS_PER_MPI_LIMB );
173 }
175 +gcry_mpi_t
176 +_gcry_mpi_set_cond (gcry_mpi_t w, const gcry_mpi_t u, unsigned long set)
177 +{
178 + mpi_size_t i;
179 + mpi_size_t nlimbs = u->alloced;
180 + mpi_limb_t mask = ((mpi_limb_t)0) - !!set;
181 + mpi_limb_t x;
182 +
183 + if (w->alloced != u->alloced)
184 + log_bug ("mpi_set_cond: different sizes\n");
185 +
186 + for (i = 0; i < nlimbs; i++)
187 + {
188 + x = mask & (w->d[i] ^ u->d[i]);
189 + w->d[i] = w->d[i] ^ x;
190 + }
191 +
192 + x = mask & (w->nlimbs ^ u->nlimbs);
193 + w->nlimbs = w->nlimbs ^ x;
194 +
195 + x = mask & (w->sign ^ u->sign);
196 + w->sign = w->sign ^ x;
197 + return w;
198 +}
199 +
201 gcry_mpi_t
202 gcry_mpi_snew( unsigned int nbits )
203 Index: libgcrypt11-1.5.4/src/mpi.h
204 ===================================================================
205 --- libgcrypt11-1.5.4.orig/src/mpi.h 2015-03-26 08:14:32.728379999 -0400
206 +++ libgcrypt11-1.5.4/src/mpi.h 2015-03-26 08:15:07.112640773 -0400
207 @@ -116,8 +116,11 @@
208 #define mpi_swap(a,b) _gcry_mpi_swap ((a),(b))
209 #define mpi_new(n) _gcry_mpi_new ((n))
210 #define mpi_snew(n) _gcry_mpi_snew ((n))
211 +#define mpi_set_cond(w,u,set) _gcry_mpi_set_cond ((w),(u),(set))
213 void _gcry_mpi_clear( gcry_mpi_t a );
214 +gcry_mpi_t _gcry_mpi_set_cond (gcry_mpi_t w, const gcry_mpi_t u,
215 + unsigned long swap);
216 gcry_mpi_t _gcry_mpi_alloc_like( gcry_mpi_t a );
217 gcry_mpi_t _gcry_mpi_alloc_set_ui( unsigned long u);
218 gcry_err_code_t _gcry_mpi_get_ui (gcry_mpi_t w, ulong *u);