Make mp_unsafe_mod_integer not be unsafe.

I've moved it from mpunsafe.c into the main mpint.c, and renamed it mp_mod_known_integer, because now it manages to avoid leaking information about the mp_int you give it. It can still potentially leak information about the small _modulus_ integer - hence the word 'known' in the new function name. This won't be a problem in any existing use of the function, because it's used during prime generation to check divisibility by all the small primes, and optionally also check for residue 1 mod the RSA public exponent. But all those values are well known and not secret. This removes one source of side-channel leakage from prime generation.
2025-07-02 03:52:49 -05:00 · 2021-08-27 17:43:40 +01:00
parent 22fab78376
commit 59409d0947
5 changed files with 90 additions and 20 deletions
--- a/keygen/mpunsafe.h
+++ b/keygen/mpunsafe.h
@ -36,11 +36,4 @@
 mp_int *mp_unsafe_shrink(mp_int *m);
 mp_int *mp_unsafe_copy(mp_int *m);

-/*
- * Compute the residue of x mod m. This is implemented in the most
- * obvious way using the C % operator, which won't be constant-time on
- * many C implementations.
- */
-uint32_t mp_unsafe_mod_integer(mp_int *x, uint32_t m);
-
 #endif /* PUTTY_MPINT_UNSAFE_H */