nhyatt/putty-source
1
0
Fork 0
mirror of https://git.tartarus.org/simon/putty.git synced 2025-01-09 17:38:00 +00:00
Code Issues Projects Releases Wiki Activity
0.80
putty-source/keygen/mpunsafe.h
Simon Tatham 59409d0947 Make mp_unsafe_mod_integer not be unsafe. 
I've moved it from mpunsafe.c into the main mpint.c, and renamed it
mp_mod_known_integer, because now it manages to avoid leaking
information about the mp_int you give it.

It can still potentially leak information about the small _modulus_
integer - hence the word 'known' in the new function name. This won't
be a problem in any existing use of the function, because it's used
during prime generation to check divisibility by all the small primes,
and optionally also check for residue 1 mod the RSA public exponent.
But all those values are well known and not secret.

This removes one source of side-channel leakage from prime generation.
2021-08-27 17:43:40 +01:00

40 lines
1.5 KiB
C
Raw Permalink Blame History

/*
* mpunsafe.h: functions that deal with mp_ints in ways that are *not*
* expected to be constant-time. Used during key generation, in which
* constant run time is a lost cause anyway.
*
* These functions are in a separate header, so that you can easily
* check that you're not calling them in the wrong context. They're
* also defined in a separate source file, which is only linked in to
* the key generation tools. Furthermore, that source file also
* defines a global symbol that intentionally conflicts with one
* defined in the SSH client code, so that any attempt to put these
* functions into the same binary as the live SSH client
* implementation will cause a link-time failure. They should only be
* linked into PuTTYgen and auxiliary test programs.
*
* Also, just in case those precautions aren't enough, all the unsafe
* functions have 'unsafe' in the name.
*/
#ifndef PUTTY_MPINT_UNSAFE_H
#define PUTTY_MPINT_UNSAFE_H
/*
* The most obvious unsafe thing you want to do with an mp_int is to
* get rid of leading zero words in its representation, so that its
* nominal size is as close as possible to its true size, and you
* don't waste any time processing it.
*
* mp_unsafe_shrink performs this operation in place, mutating the
* size field of the mp_int it's given. It returns the same pointer it
* was given.
*
* mp_unsafe_copy leaves the original mp_int alone and makes a new one
* with the minimal size.
*/
mp_int *mp_unsafe_shrink(mp_int *m);
mp_int *mp_unsafe_copy(mp_int *m);
#endif /* PUTTY_MPINT_UNSAFE_H */
Reference in New Issue View Git Blame Copy Permalink