Quantcast

[git] GCRYPT - branch, master, updated. libgcrypt-1.7.3-78-g719468e

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

[git] GCRYPT - branch, master, updated. libgcrypt-1.7.3-78-g719468e

by NIIBE Yutaka
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "The GNU crypto library".

The branch, master has been updated
       via  719468e53133d3bdf12156c5bfdea2bf15f9f6f1 (commit)
      from  654024081cfa103c87bb163b117ea3568171d408 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 719468e53133d3bdf12156c5bfdea2bf15f9f6f1
Author: NIIBE Yutaka <[hidden email]>
Date:   Tue Apr 4 17:38:05 2017 +0900

    mpi: Simplify mpi_powm.
   
    * mpi/mpi-pow.c (_gcry_mpi_powm): Simplify the loop.
   
    --
   
    This fix is not a solution for the problem reported (yet).  The
    problem is that the current algorithm of _gcry_mpi_powm depends on
    exponent and some information leaks is possible.
   
    Reported-by: Andreas Zankl <[hidden email]>
    Signed-off-by: NIIBE Yutaka <[hidden email]>

diff --git a/mpi/mpi-pow.c b/mpi/mpi-pow.c
index a780ebd..7b3dc31 100644
--- a/mpi/mpi-pow.c
+++ b/mpi/mpi-pow.c
@@ -609,12 +609,8 @@ _gcry_mpi_powm (gcry_mpi_t res,
       if (e == 0)
         {
           j += c;
-          i--;
-          if ( i < 0 )
-            {
-              c = 0;
-              break;
-            }
+          if ( --i < 0 )
+            break;
 
           e = ep[i];
           c = BITS_PER_MPI_LIMB;
@@ -629,38 +625,33 @@ _gcry_mpi_powm (gcry_mpi_t res,
           c -= c0;
           j += c0;
 
+          e0 = (e >> (BITS_PER_MPI_LIMB - W));
           if (c >= W)
-            {
-              e0 = (e >> (BITS_PER_MPI_LIMB - W));
-              e = (e << W);
-              c -= W;
-            }
+            c0 = 0;
           else
             {
-              i--;
-              if ( i < 0 )
+              if ( --i < 0 )
                 {
-                  e = (e >> (BITS_PER_MPI_LIMB - c));
-                  break;
+                  e0 = (e >> (BITS_PER_MPI_LIMB - c));
+                  j += c - W;
+                  goto last_step;
+                }
+              else
+                {
+                  c0 = c;
+                  e = ep[i];
+                  c = BITS_PER_MPI_LIMB;
+                  e0 |= (e >> (BITS_PER_MPI_LIMB - (W - c0)));
                 }
-
-              c0 = c;
-              e0 = (e >> (BITS_PER_MPI_LIMB - W))
-                | (ep[i] >> (BITS_PER_MPI_LIMB - W + c0));
-              e = (ep[i] << (W - c0));
-              c = BITS_PER_MPI_LIMB - W + c0;
             }
 
+          e = e << (W - c0);
+          c -= (W - c0);
+
+        last_step:
           count_trailing_zeros (c0, e0);
           e0 = (e0 >> c0) >> 1;
 
-          for (j += W - c0; j; j--)
-            {
-              mul_mod (xp, &xsize, rp, rsize, rp, rsize, mp, msize, &karactx);
-              tp = rp; rp = xp; xp = tp;
-              rsize = xsize;
-            }
-
           /*
            *  base_u <= precomp[e0]
            *  base_u_size <= precomp_size[e0]
@@ -677,25 +668,23 @@ _gcry_mpi_powm (gcry_mpi_t res,
               u.d = precomp[k];
 
               mpi_set_cond (&w, &u, k == e0);
-              base_u_size |= (precomp_size[k] & ((mpi_size_t)0 - (k == e0)) );
+              base_u_size |= ( precomp_size[k] & ((mpi_size_t)0 - (k == e0)) );
             }
 
-          mul_mod (xp, &xsize, rp, rsize, base_u, base_u_size,
-                   mp, msize, &karactx);
-          tp = rp; rp = xp; xp = tp;
-          rsize = xsize;
+          for (j += W - c0; j >= 0; j--)
+            {
+              mul_mod (xp, &xsize, rp, rsize,
+                       j == 0 ? base_u : rp, j == 0 ? base_u_size : rsize,
+                       mp, msize, &karactx);
+              tp = rp; rp = xp; xp = tp;
+              rsize = xsize;
+            }
 
           j = c0;
+          if ( i < 0 )
+            break;
         }
 
-    if (c != 0)
-      {
-        j += c;
-        count_trailing_zeros (c, e);
-        e = (e >> c);
-        j -= c;
-      }
-
     while (j--)
       {
         mul_mod (xp, &xsize, rp, rsize, rp, rsize, mp, msize, &karactx);
@@ -703,40 +692,6 @@ _gcry_mpi_powm (gcry_mpi_t res,
         rsize = xsize;
       }
 
-    if (e != 0)
-      {
-        /*
-         * base_u <= precomp[(e>>1)]
-         * base_u_size <= precomp_size[(e>>1)]
-         */
-        base_u_size = 0;
-        for (k = 0; k < (1<< (W - 1)); k++)
-          {
-            struct gcry_mpi w, u;
-            w.alloced = w.nlimbs = precomp_size[k];
-            u.alloced = u.nlimbs = precomp_size[k];
-            w.sign = u.sign = 0;
-            w.flags = u.flags = 0;
-            w.d = base_u;
-            u.d = precomp[k];
-
-            mpi_set_cond (&w, &u, k == (e>>1));
-            base_u_size |= (precomp_size[k] & ((mpi_size_t)0 - (k == (e>>1))) );
-          }
-
-        mul_mod (xp, &xsize, rp, rsize, base_u, base_u_size,
-                 mp, msize, &karactx);
-        tp = rp; rp = xp; xp = tp;
-        rsize = xsize;
-
-        for (; c; c--)
-          {
-            mul_mod (xp, &xsize, rp, rsize, rp, rsize, mp, msize, &karactx);
-            tp = rp; rp = xp; xp = tp;
-            rsize = xsize;
-          }
-      }
-
     /* We shifted MOD, the modulo reduction argument, left
        MOD_SHIFT_CNT steps.  Adjust the result by reducing it with the
        original MOD.

-----------------------------------------------------------------------

Summary of changes:
 mpi/mpi-pow.c | 105 +++++++++++++++++-----------------------------------------
 1 file changed, 30 insertions(+), 75 deletions(-)


hooks/post-receive
--
The GNU crypto library
http://git.gnupg.org


_______________________________________________
Gnupg-commits mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-commits


_______________________________________________
Gcrypt-devel mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gcrypt-devel
Loading...