nhyatt/putty-source
1
0
Fork 0
mirror of https://git.tartarus.org/simon/putty.git synced 2025-07-02 12:02:47 -05:00
Code Issues Projects Releases Wiki Activity

Make mp_unsafe_mod_integer not be unsafe.

Browse Source 
I've moved it from mpunsafe.c into the main mpint.c, and renamed it
mp_mod_known_integer, because now it manages to avoid leaking
information about the mp_int you give it.

It can still potentially leak information about the small _modulus_
integer - hence the word 'known' in the new function name. This won't
be a problem in any existing use of the function, because it's used
during prime generation to check divisibility by all the small primes,
and optionally also check for residue 1 mod the RSA public exponent.
But all those values are well known and not secret.

This removes one source of side-channel leakage from prime generation.
This commit is contained in:
Simon Tatham
2021-08-27 17:43:40 +01:00
parent 22fab78376
commit 59409d0947
5 changed files with 90 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
keygen/primecandidate.c
View File

@ -341,8 +341,8 @@ void pcs_ready(PrimeCandidateSource *s)
int64_t mod = s->avoids[i].mod, res = s->avoids[i].res;
if (mod != last_mod) {
last_mod = mod;
addend_m = mp_unsafe_mod_integer(s->addend, mod);
factor_m = mp_unsafe_mod_integer(s->factor, mod);
addend_m = mp_mod_known_integer(s->addend, mod);
factor_m = mp_mod_known_integer(s->factor, mod);
}
if (factor_m == 0) {
@ -385,7 +385,7 @@ mp_int *pcs_generate(PrimeCandidateSource *s)
if (mod != last_mod) {
last_mod = mod;
x_res = mp_unsafe_mod_integer(x, mod);
x_res = mp_mod_known_integer(x, mod);
}
if (x_res == avoid_res) {