Merge pull request #1241 from Mbed-TLS/change-mpi-exp-mod-to-constant-time

Change mbedtls_mpi_core_exp_mod() to constant time

library/bignum_core.h

@@ -621,6 +621,9 @@ size_t mbedtls_mpi_core_exp_mod_working_limbs(size_t AN_limbs, size_t E_limbs);
  * \p X may be aliased to \p A, but not to \p RR or \p E, even if \p E_limbs ==
  * \p AN_limbs.
  *
+ * This function operates in constant time with respect
+ * to the values of \p A, \p N and \p E.
+ *
  * \param[out] X     The destination MPI, as a little endian array of length
  *                   \p AN_limbs.
  * \param[in] A      The base MPI, as a little endian array of length \p AN_limbs.

tests/suites/test_suite_bignum_core.function

@@ -1303,14 +1303,27 @@ void mpi_core_exp_mod(char *input_N, char *input_A,
 
     TEST_CALLOC(T, working_limbs);
 
+    /* Temporary because MEMSAN doesn't support assembly implementation see #1243 */
+#if !defined(MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN)
+    TEST_CF_SECRET(A, A_limbs * sizeof(mbedtls_mpi_uint));
+    TEST_CF_SECRET(N, N_limbs * sizeof(mbedtls_mpi_uint));
+    TEST_CF_SECRET(E, E_limbs * sizeof(mbedtls_mpi_uint));
+#endif
     mbedtls_mpi_core_exp_mod(Y, A, N, N_limbs, E, E_limbs, R2, T);
 
+    TEST_CF_PUBLIC(Y, N_limbs * sizeof(mbedtls_mpi_uint));
+
     TEST_EQUAL(0, memcmp(X, Y, N_limbs * sizeof(mbedtls_mpi_uint)));
 
+#if !defined(MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN)
+    TEST_CF_SECRET(A, A_limbs * sizeof(mbedtls_mpi_uint));
+    TEST_CF_SECRET(N, N_limbs * sizeof(mbedtls_mpi_uint));
+    TEST_CF_SECRET(E, E_limbs * sizeof(mbedtls_mpi_uint));
+#endif
     /* Check when output aliased to input */
-
     mbedtls_mpi_core_exp_mod(A, A, N, N_limbs, E, E_limbs, R2, T);
 
+    TEST_CF_PUBLIC(A, A_limbs * sizeof(mbedtls_mpi_uint));
     TEST_EQUAL(0, memcmp(X, A, N_limbs * sizeof(mbedtls_mpi_uint)));
 
 exit: