1
0
mirror of https://git.tartarus.org/simon/putty.git synced 2025-01-25 01:02:24 +00:00
putty-source/keygen/mpunsafe.c
Simon Tatham 59409d0947 Make mp_unsafe_mod_integer not be unsafe.
I've moved it from mpunsafe.c into the main mpint.c, and renamed it
mp_mod_known_integer, because now it manages to avoid leaking
information about the mp_int you give it.

It can still potentially leak information about the small _modulus_
integer - hence the word 'known' in the new function name. This won't
be a problem in any existing use of the function, because it's used
during prime generation to check divisibility by all the small primes,
and optionally also check for residue 1 mod the RSA public exponent.
But all those values are well known and not secret.

This removes one source of side-channel leakage from prime generation.
2021-08-27 17:43:40 +01:00

48 lines
1.2 KiB
C

#include <assert.h>
#include <limits.h>
#include <stdio.h>
#include "defs.h"
#include "misc.h"
#include "puttymem.h"
#include "mpint.h"
#include "crypto/mpint_i.h"
/*
* This global symbol is also defined in ssh/kex2-client.c, to ensure
* that these unsafe non-constant-time mp_int functions can't end up
* accidentally linked in to any PuTTY tool that actually makes an SSH
* client connection.
*
* (Only _client_ connections, however. Uppity, being a test server
* only, is exempt.)
*/
const int deliberate_symbol_clash = 12345;
static size_t mp_unsafe_words_needed(mp_int *x)
{
size_t words = x->nw;
while (words > 1 && !x->w[words-1])
words--;
return words;
}
mp_int *mp_unsafe_shrink(mp_int *x)
{
x->nw = mp_unsafe_words_needed(x);
/* This potentially leaves some allocated words between the new
* and old values of x->nw, which won't be wiped by mp_free now
* that x->nw doesn't mention that they exist. But we've just
* checked they're all zero, so we don't need to wipe them now
* either. */
return x;
}
mp_int *mp_unsafe_copy(mp_int *x)
{
mp_int *copy = mp_make_sized(mp_unsafe_words_needed(x));
mp_copy_into(copy, x);
return copy;
}