Make mp_unsafe_mod_integer not be unsafe.

I've moved it from mpunsafe.c into the main mpint.c, and renamed it mp_mod_known_integer, because now it manages to avoid leaking information about the mp_int you give it. It can still potentially leak information about the small _modulus_ integer - hence the word 'known' in the new function name. This won't be a problem in any existing use of the function, because it's used during prime generation to check divisibility by all the small primes, and optionally also check for residue 1 mod the RSA public exponent. But all those values are well known and not secret. This removes one source of side-channel leakage from prime generation.
2025-07-01 03:22:48 -05:00 · 2021-08-27 17:43:40 +01:00
parent 22fab78376
commit 59409d0947
5 changed files with 90 additions and 20 deletions
--- a/keygen/mpunsafe.c
+++ b/keygen/mpunsafe.c
@ -45,13 +45,3 @@ mp_int *mp_unsafe_copy(mp_int *x)
    mp_copy_into(copy, x);
    return copy;
 }
-
-uint32_t mp_unsafe_mod_integer(mp_int *x, uint32_t modulus)
-{
-    uint64_t accumulator = 0;
-    for (size_t i = mp_max_bytes(x); i-- > 0 ;) {
-        accumulator = 0x100 * accumulator + mp_get_byte(x, i);
-        accumulator %= modulus;
-    }
-    return accumulator;
-}
--- a/keygen/mpunsafe.h
+++ b/keygen/mpunsafe.h
@ -36,11 +36,4 @@
 mp_int *mp_unsafe_shrink(mp_int *m);
 mp_int *mp_unsafe_copy(mp_int *m);

-/*
- * Compute the residue of x mod m. This is implemented in the most
- * obvious way using the C % operator, which won't be constant-time on
- * many C implementations.
- */
-uint32_t mp_unsafe_mod_integer(mp_int *x, uint32_t m);
-
 #endif /* PUTTY_MPINT_UNSAFE_H */
--- a/keygen/primecandidate.c
+++ b/keygen/primecandidate.c
@ -341,8 +341,8 @@ void pcs_ready(PrimeCandidateSource *s)
        int64_t mod = s->avoids[i].mod, res = s->avoids[i].res;
        if (mod != last_mod) {
            last_mod = mod;
-            addend_m = mp_unsafe_mod_integer(s->addend, mod);
-            factor_m = mp_unsafe_mod_integer(s->factor, mod);
+            addend_m = mp_mod_known_integer(s->addend, mod);
+            factor_m = mp_mod_known_integer(s->factor, mod);
        }

        if (factor_m == 0) {
@ -385,7 +385,7 @@ mp_int *pcs_generate(PrimeCandidateSource *s)

            if (mod != last_mod) {
                last_mod = mod;
-                x_res = mp_unsafe_mod_integer(x, mod);
+                x_res = mp_mod_known_integer(x, mod);
            }

            if (x_res == avoid_res) {