From 77bd47982527ac98b5c1f37dc4dcdddbc06208b1 Mon Sep 17 00:00:00 2001
From: Waleed Elmelegy
Date: Tue, 21 May 2024 18:17:22 +0000
Subject: [PATCH 1/2] Change mbedtls_mpi_core_mla() to be constant time

Signed-off-by: Waleed Elmelegy
---
 library/bignum_core.c | 2 +-
 tests/suites/test_suite_bignum_core.function | 20 ++++++++++++++++++++
 2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/library/bignum_core.c b/library/bignum_core.c
index 1a3e0b9b6..b43be3032 100644
--- a/library/bignum_core.c
+++ b/library/bignum_core.c
@@ -489,7 +489,7 @@ mbedtls_mpi_uint mbedtls_mpi_core_mla(mbedtls_mpi_uint *d, size_t d_len,
 
     while (excess_len--) {
         *d += c;
-        c = (*d < c);
+        c = mbedtls_ct_mpi_uint_if(mbedtls_ct_uint_lt(*d, c), 1, 0);
         d++;
     }
 
diff --git a/tests/suites/test_suite_bignum_core.function b/tests/suites/test_suite_bignum_core.function
index db84d6238..1b89268f5 100644
--- a/tests/suites/test_suite_bignum_core.function
+++ b/tests/suites/test_suite_bignum_core.function
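Review bot: The new carry line `c = mbedtls_ct_mpi_uint_if(mbedtls_ct_uint_lt(*d, c), 1, 0);` carries no comment explaining why the plain `*d < c` was replaced, so a later cleanup could fold it back into a comparison; add `/* Constant-time carry: a plain comparison may compile to a branch on secret data. */` above it. Whether the function as a whole is now constant time depends on the multiply-accumulate loop that precedes this `while (excess_len--)` loop and lies outside the hunk; if that loop derives its carry with a plain comparison it presumably needs the same treatment. The running time still depends on the limb counts d_len and b_len, which is expected here but worth stating wherever the function is documented. mbedtls_mpi_core_mla's body begins and ends outside the hunk.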
@@ -770,16 +770,36 @@ void mpi_core_mla(char *input_A, char *input_B, char *input_S,
     memcpy(a, A.p, A.n * sizeof(mbedtls_mpi_uint));
     memcpy(x, X->p, X->n * sizeof(mbedtls_mpi_uint));
 
+#if !defined(MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN)
+    TEST_CF_SECRET(a, bytes);
+    TEST_CF_SECRET(B.p, B.n * sizeof(mbedtls_mpi_uint));
+    TEST_CF_SECRET(S.p, sizeof(mbedtls_mpi_uint));
+#endif
+
     /* 1a) A += B * s => we should get the correct carry */
     TEST_EQUAL(mbedtls_mpi_core_mla(a, limbs, B.p, B.n, *S.p), *cy->p);
 
+#if !defined(MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN)
+    TEST_CF_PUBLIC(a, bytes);
+    TEST_CF_PUBLIC(B.p, B.n * sizeof(mbedtls_mpi_uint));
+    TEST_CF_PUBLIC(S.p, sizeof(mbedtls_mpi_uint));
+#endif
+
     /* 1b) A += B * s => we should get the correct result */
     TEST_MEMORY_COMPARE(a, bytes, x, bytes);
 
     if (A.n == B.n && memcmp(A.p, B.p, bytes) == 0) {
         /* Check when A and B are aliased */
         memcpy(a, A.p, A.n * sizeof(mbedtls_mpi_uint));
+#if !defined(MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN)
+        TEST_CF_SECRET(a, bytes);
+        TEST_CF_SECRET(S.p, sizeof(mbedtls_mpi_uint));
+#endif
         TEST_EQUAL(mbedtls_mpi_core_mla(a, limbs, a, limbs, *S.p), *cy->p);
+#if !defined(MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN)
+        TEST_CF_PUBLIC(a, bytes);
+        TEST_CF_PUBLIC(S.p, sizeof(mbedtls_mpi_uint));
+#endif
         TEST_MEMORY_COMPARE(a, bytes, x, bytes);
     }
 

From 11a81cd7dd9f0863128137f036308287e679b713 Mon Sep 17 00:00:00 2001
From: Waleed Elmelegy
Date: Thu, 23 May 2024 08:01:58 +0000
Subject: [PATCH 2/2] Add comment to mbedtls_mpi_core_mla() to indicate it is costant time

Signed-off-by: Waleed Elmelegy
---
 library/bignum_core.h | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/library/bignum_core.h b/library/bignum_core.h
index 92c8d47db..27c0f9df4 100644
--- a/library/bignum_core.h
+++ b/library/bignum_core.h
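Review bot: Every `#if !defined(MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN)` guard in this hunk silently drops the constant-flow check for the MemSan build, and nothing says whether that is a known false positive in the sanitizer or a real gap in the function's constant-time guarantee under that configuration; add a comment at the first guard such as `/* MemSan build excluded: [REASON TO BE STATED BY AUTHOR]; the Valgrind build still checks this call. */` so the exclusion is not read as proof of constant-time behaviour there. Marking only `sizeof(mbedtls_mpi_uint)` bytes of `S.p` matches the single limb passed as `*S.p`, which is fine, but the four near-identical SECRET/PUBLIC blocks would be easier to keep in sync as a pair of local helper macros taking the buffers to mark. The aliased case correctly marks only `a`, since `B.p` is not passed there. mpi_core_mla begins and ends outside the hunk.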
@@ -397,6 +397,9 @@ mbedtls_mpi_uint mbedtls_mpi_core_sub(mbedtls_mpi_uint *X,
  *
  * This function operates modulo `2^(biL*X_limbs)`.
  *
+ * This function operates in constant time with respect to the values
+ * of \p X and \p A and \p b.
+ *
  * \param[in,out] X The pointer to the (little-endian) array
  *                  representing the bignum to accumulate onto.
  * \param X_limbs   The number of limbs of \p X. This must be
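Review bot: The added sentence states what the function is constant time with respect to but not what it is not, and a caller choosing where to put secret-dependent lengths needs the second half; the first patch's `while (excess_len--)` loop shows the running time depends on the limb counts. Suggested wording: ` * This function operates in constant time with respect to the values` / ` * of \p X, \p A and \p b. Its running time depends on \p X_limbs and` / ` * on the limb count of \p A, which are therefore treated as public.` The hunk header names mbedtls_mpi_core_sub only as the nearest preceding function; the declaration this comment documents is presumably mbedtls_mpi_core_mla and lies below the hunk.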