Michael Hamburg
9 years ago
3 changed files with 5 additions and 8 deletions
Unified View
Diff Options
-
+3 -3src/decaf.c
-
+1 -4src/include/constant_time.h
-
+1 -1src/p25519/f_arithmetic.c
+ 3
- 3
src/decaf.c
View File
| @@ -93,7 +93,7 @@ static INLINE mask_t bool_to_mask (decaf_bool_t m) { | |||||
| /** Constant time, x = is_z ? z : y */ | /** Constant time, x = is_z ? z : y */ | ||||
| static INLINE void | static INLINE void | ||||
| cond_sel(gf x, const gf y, const gf z, mask_t is_z) { | cond_sel(gf x, const gf y, const gf z, mask_t is_z) { | ||||
| constant_time_select(x,z,y,sizeof(gf),is_z,0); | |||||
| constant_time_select(x,y,z,sizeof(gf),is_z,0); | |||||
| } | } | ||||
| /** Constant time, if (neg) x=-x; */ | /** Constant time, if (neg) x=-x; */ | ||||
| @@ -1537,7 +1537,7 @@ void API_NS(point_cond_sel) ( | |||||
| const point_t b, | const point_t b, | ||||
| decaf_bool_t pick_b | decaf_bool_t pick_b | ||||
| ) { | ) { | ||||
| constant_time_select(out,b,a,sizeof(point_t),bool_to_mask(pick_b),0); | |||||
| constant_time_select(out,a,b,sizeof(point_t),bool_to_mask(pick_b),0); | |||||
| } | } | ||||
| void API_NS(scalar_cond_sel) ( | void API_NS(scalar_cond_sel) ( | ||||
| @@ -1546,7 +1546,7 @@ void API_NS(scalar_cond_sel) ( | |||||
| const scalar_t b, | const scalar_t b, | ||||
| decaf_bool_t pick_b | decaf_bool_t pick_b | ||||
| ) { | ) { | ||||
| constant_time_select(out,b,a,sizeof(scalar_t),bool_to_mask(pick_b),sizeof(out->limb[0])); | |||||
| constant_time_select(out,a,b,sizeof(scalar_t),bool_to_mask(pick_b),sizeof(out->limb[0])); | |||||
| } | } | ||||
| /* FUTURE: restore Curve25519 Montgomery ladder? */ | /* FUTURE: restore Curve25519 Montgomery ladder? */ | ||||
+ 1
- 4
src/include/constant_time.h
View File
| @@ -303,16 +303,13 @@ constant_time_mask ( | |||||
| * | * | ||||
| * Note that the output is not __restrict__, but if it overlaps either | * Note that the output is not __restrict__, but if it overlaps either | ||||
| * input, it must be equal and not partially overlap. | * input, it must be equal and not partially overlap. | ||||
| * | |||||
| * TODO: this has the opposite convention of certain other cond select functions, | |||||
| * because they are effectively [a,b][bool(mask)] instead of mask ? a : b. | |||||
| */ | */ | ||||
| static __inline__ void | static __inline__ void | ||||
| __attribute__((unused,always_inline)) | __attribute__((unused,always_inline)) | ||||
| constant_time_select ( | constant_time_select ( | ||||
| void *a_, | void *a_, | ||||
| const void *bTrue_, | |||||
| const void *bFalse_, | const void *bFalse_, | ||||
| const void *bTrue_, | |||||
| word_t elem_bytes, | word_t elem_bytes, | ||||
| mask_t mask, | mask_t mask, | ||||
| size_t alignment_bytes | size_t alignment_bytes | ||||
+ 1
- 1
src/p25519/f_arithmetic.c
View File
| @@ -39,6 +39,6 @@ void gf_isr (gf a, const gf x) { | |||||
| mask_t mask = gf_eq(st[1],ONE) | gf_eq(st[1],SQRT_MINUS_ONE); | mask_t mask = gf_eq(st[1],ONE) | gf_eq(st[1],SQRT_MINUS_ONE); | ||||
| constant_time_select(tmp1, ONE, SQRT_MINUS_ONE, sizeof(tmp1), mask, 0); | |||||
| constant_time_select(tmp1, SQRT_MINUS_ONE, ONE, sizeof(tmp1), mask, 0); | |||||
| gf_mul(a,tmp1,st[0]); | gf_mul(a,tmp1,st[0]); | ||||
| } | } | ||||