* [PATCH 5/5] ecc: make l_ecc_point_from_data fully constant time
@ 2022-02-04 17:06 James Prestwood
  0 siblings, 0 replies; only message in thread
From: James Prestwood @ 2022-02-04 17:06 UTC (permalink / raw)
  To: ell
This was modified earlier to be constant time, but there was one
minor problem with how 'sub' was determined. That logic could
short-circuit, which could alter the timing. The change in timing would be
extremely small, especially compared to the previous fix making
_vli_mod_sub() execute always, but in any case there would be a small
difference.

This patch uses l_secure_select_byte to select either of the two
subtraction conditions which depend on the point type.
---
 ell/ecc.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/ell/ecc.c b/ell/ecc.c
index eba9aef..d59b900 100644
--- a/ell/ecc.c
+++ b/ell/ecc.c
@@ -562,10 +562,9 @@ LIB_EXPORT struct l_ecc_point *l_ecc_point_from_data(
 		if (!_ecc_compute_y(curve, p->y, p->x))
 			goto failed;
 
-		sub = ((type == L_ECC_POINT_TYPE_COMPRESSED_BIT0 &&
-				!(p->y[0] & 1)) ||
-				(type == L_ECC_POINT_TYPE_COMPRESSED_BIT1 &&
-				(p->y[0] & 1)));
+		sub = l_secure_select_byte(
+				type == L_ECC_POINT_TYPE_COMPRESSED_BIT0,
+				!(p->y[1] & 1), p->y[0] & 1);
 
 		_vli_mod_sub(tmp, curve->p, p->y, curve->p, curve->ndigits);
 
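Review bot: the second argument to l_secure_select_byte reads `!(p->y[1] & 1)`, while both the removed expression and the third argument test `p->y[0] & 1`; the parity of y lives in the least significant digit, so the BIT0 arm should presumably be `!(p->y[0] & 1)`, otherwise the two arms inspect different digits and the compressed-bit-0 case can pick the wrong root. Two further things worth confirming in the same hunk: that l_secure_select_byte expects a 0/1 selector rather than a 0x00/0xff mask, since `type == L_ECC_POINT_TYPE_COMPRESSED_BIT0` evaluates to 0 or 1 (and that the compiler emits a setcc rather than a branch for that comparison on the targets you care about); and that this code is only reached for the two compressed types, because the old expression evaluated to 0 for any other type whereas the selector now falls through to the BIT1 condition for everything that is not BIT0.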
-- 
2.31.1
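The point of the patch is that `&&` and `||` stop evaluating as soon as the result is known, so the work done depends on the point type and on the parity of y. The following is an added example written for this page, not code from ell or from this patch: it shows the short-circuiting form next to a mask-based form of the same selection, with a branchless equality test so that even the `type ==` comparison does not rely on the compiler avoiding a jump. The `PT_*` tags and their values, and `ct_select_byte` (a stand-in for the patch's `l_secure_select_byte`, whose exact signature is not shown on this page), are assumptions of the example. The last helper makes the caveat explicit: the two forms only agree when the type is one of the two compressed variants.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical tags modelled on the L_ECC_POINT_TYPE_* names in the patch;
 * the values are an assumption for this example, not ell's definitions. */
enum point_type {
	PT_FULL = 0,
	PT_COMPRESSED_BIT0 = 2,
	PT_COMPRESSED_BIT1 = 3,
};

/* Branchless byte select: returns left when select_left is 1, right when 0.
 * Stand-in written for this example, not ell's l_secure_select_byte. */
static uint8_t ct_select_byte(uint8_t select_left, uint8_t left, uint8_t right)
{
	uint8_t mask = (uint8_t)(0u - (select_left & 1u));	/* 0x00 or 0xff */
	return (uint8_t)((left & mask) | (right & (uint8_t)~mask));
}

/* Branchless equality: 1 if a == b, else 0, without a data-dependent jump.
 * d | -d has its top bit set for every non-zero d (either d or 2^32 - d
 * is >= 2^31), and is zero only when d == 0. */
static uint8_t ct_eq_u32(uint32_t a, uint32_t b)
{
	uint32_t d = a ^ b;
	uint32_t nonzero = (d | (0u - d)) >> 31;
	return (uint8_t)(nonzero ^ 1u);
}

/* The removed expression: && and || may short-circuit, so how many
 * comparisons run depends on the type and on the parity of y. */
static int sub_short_circuit(enum point_type type, uint64_t y0)
{
	return ((type == PT_COMPRESSED_BIT0 && !(y0 & 1)) ||
		(type == PT_COMPRESSED_BIT1 && (y0 & 1)));
}

/* The patch's shape: evaluate both candidate conditions unconditionally and
 * pick one with a mask.  Both arms read the least significant digit y[0]. */
static int sub_constant_time(enum point_type type, uint64_t y0)
{
	uint8_t is_bit0 = ct_eq_u32((uint32_t)type, (uint32_t)PT_COMPRESSED_BIT0);
	uint8_t y_odd = (uint8_t)(y0 & 1);

	return ct_select_byte(is_bit0, (uint8_t)(y_odd ^ 1u), y_odd);
}

/* Returns 1 if both forms agree for every compressed type and parity
 * (constructed sample digits, even and odd). */
static int agree_on_compressed_types(void)
{
	static const enum point_type types[] = {
		PT_COMPRESSED_BIT0, PT_COMPRESSED_BIT1,
	};
	static const uint64_t ys[] = {
		0, 1, 0x1234567890abcdefULL, 0xfedcba0987654320ULL,
	};
	size_t i, j;

	for (i = 0; i < sizeof(types) / sizeof(types[0]); i++)
		for (j = 0; j < sizeof(ys) / sizeof(ys[0]); j++)
			if (sub_short_circuit(types[i], ys[j]) !=
					sub_constant_time(types[i], ys[j]))
				return 0;

	return 1;
}

/* Caveat: for a type that is neither compressed variant the old expression
 * is always 0, but the selector falls through to the BIT1 arm.  The
 * branchless form is therefore only a drop-in on the compressed-point path. */
static int differs_for_full_point(void)
{
	return sub_short_circuit(PT_FULL, 1) != sub_constant_time(PT_FULL, 1);
}

int main(void)
{
	printf("agree on compressed types: %d\n", agree_on_compressed_types());
	printf("differs for full point:    %d\n", differs_for_full_point());
	return 0;
}
```

Note that the mask trick removes the data-dependent short-circuit but not the data-dependent memory access: both arms must read the same digit (`y[0]`), which is why an index typo in one arm would reintroduce exactly the kind of difference the patch sets out to remove.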
