|
@@ -737,26 +737,25 @@ int bn_cmp_part_words(const BN_ULONG *a, const BN_ULONG *b, int cl, int dl)
|
|
|
return bn_cmp_words(a, b, cl);
|
|
|
}
|
|
|
|
|
|
-/*
|
|
|
+/*-
|
|
|
* Constant-time conditional swap of a and b.
|
|
|
- * a and b are swapped if condition is not 0. The code assumes that at most one bit of condition is set.
|
|
|
- * nwords is the number of words to swap. The code assumes that at least nwords are allocated in both a and b,
|
|
|
- * and that no more than nwords are used by either a or b.
|
|
|
- * a and b cannot be the same number
|
|
|
+ * a and b are swapped if condition is not 0.
|
|
|
+ * nwords is the number of words to swap.
|
|
|
+ * Assumes that at least nwords are allocated in both a and b.
|
|
|
+ * Assumes that no more than nwords are used by either a or b.
|
|
|
*/
|
|
|
void BN_consttime_swap(BN_ULONG condition, BIGNUM *a, BIGNUM *b, int nwords)
|
|
|
{
|
|
|
BN_ULONG t;
|
|
|
int i;
|
|
|
|
|
|
+ if (a == b)
|
|
|
+ return;
|
|
|
+
|
|
|
bn_wcheck_size(a, nwords);
|
|
|
bn_wcheck_size(b, nwords);
|
|
|
|
|
|
- assert(a != b);
|
|
|
- assert((condition & (condition - 1)) == 0);
|
|
|
- assert(sizeof(BN_ULONG) >= sizeof(int));
|
|
|
-
|
|
|
- condition = ((condition - 1) >> (BN_BITS2 - 1)) - 1;
|
|
|
+ condition = ((~condition & ((condition - 1))) >> (BN_BITS2 - 1)) - 1;
|
|
|
|
|
|
t = (a->top ^ b->top) & condition;
|
|
|
a->top ^= t;
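Review bot: The new mask expression `condition = ((~condition & ((condition - 1))) >> (BN_BITS2 - 1)) - 1;` is correct for any non-zero input, but its derivation is not obvious and the asserts that used to document the preconditions are gone; add a comment above it such as `/* Branch-free mask: the top bit of (~c & (c - 1)) is set only when c == 0, so this yields all-ones for condition != 0 and zero for condition == 0 */`. The trick relies on BN_ULONG being an unsigned type of exactly BN_BITS2 bits so that the shift isolates the top bit and the final subtraction wraps as intended; that typedef is outside this hunk, so it is worth stating next to the two "Assumes" lines in the header comment. Since the "at most one bit of condition is set" restriction was dropped, a regression test that passes a multi-bit condition (e.g. 3, or a value with the top bit set) would pin the relaxed contract, presumably in the bn test suite. BN_consttime_swap's body continues past the end of this hunk.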
|
|
@@ -794,42 +793,16 @@ void BN_consttime_swap(BN_ULONG condition, BIGNUM *a, BIGNUM *b, int nwords)
|
|
|
a->flags ^= t;
|
|
|
b->flags ^= t;
|
|
|
|
|
|
-#define BN_CONSTTIME_SWAP(ind) \
|
|
|
- do { \
|
|
|
- t = (a->d[ind] ^ b->d[ind]) & condition; \
|
|
|
- a->d[ind] ^= t; \
|
|
|
- b->d[ind] ^= t; \
|
|
|
- } while (0)
|
|
|
-
|
|
|
- switch (nwords) {
|
|
|
- default:
|
|
|
- for (i = 10; i < nwords; i++)
|
|
|
- BN_CONSTTIME_SWAP(i);
|
|
|
- /* Fallthrough */
|
|
|
- case 10:
|
|
|
- BN_CONSTTIME_SWAP(9); /* Fallthrough */
|
|
|
- case 9:
|
|
|
- BN_CONSTTIME_SWAP(8); /* Fallthrough */
|
|
|
- case 8:
|
|
|
- BN_CONSTTIME_SWAP(7); /* Fallthrough */
|
|
|
- case 7:
|
|
|
- BN_CONSTTIME_SWAP(6); /* Fallthrough */
|
|
|
- case 6:
|
|
|
- BN_CONSTTIME_SWAP(5); /* Fallthrough */
|
|
|
- case 5:
|
|
|
- BN_CONSTTIME_SWAP(4); /* Fallthrough */
|
|
|
- case 4:
|
|
|
- BN_CONSTTIME_SWAP(3); /* Fallthrough */
|
|
|
- case 3:
|
|
|
- BN_CONSTTIME_SWAP(2); /* Fallthrough */
|
|
|
- case 2:
|
|
|
- BN_CONSTTIME_SWAP(1); /* Fallthrough */
|
|
|
- case 1:
|
|
|
- BN_CONSTTIME_SWAP(0);
|
|
|
- }
|
|
|
-#undef BN_CONSTTIME_SWAP
|
|
|
+ /* conditionally swap the data */
|
|
|
+ for (i = 0; i < nwords; i++) {
|
|
|
+ t = (a->d[i] ^ b->d[i]) & condition;
|
|
|
+ a->d[i] ^= t;
|
|
|
+ b->d[i] ^= t;
|
|
|
+ }
|
|
|
}
|
|
|
|
|
|
+#undef BN_CONSTTIME_SWAP_FLAGS
|
|
|
+
|
|
|
/* Bits of security, see SP800-57 */
|
|
|
|
|
|
int BN_security_bits(int L, int N)
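Review bot: The comment `/* conditionally swap the data */` on the new loop should say why replacing the unrolled switch keeps the function constant-time, since that is the property the function exists for: the trip count depends only on nwords, which is a public size, and the body is branch-free, e.g. `/* Loop count depends only on the public nwords; each iteration is a branch-free masked XOR swap, so timing is independent of condition and of the word values. */`. The `#undef BN_CONSTTIME_SWAP_FLAGS` lands after the function's closing brace, whereas the removed BN_CONSTTIME_SWAP was undefined right after its last use inside the function; if the macro is defined in the part of the body between the two hunks, moving the `#undef` up beside the flags swap would keep the define/undef pair together. BN_consttime_swap's body starts before this hunk.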
|