-rw-r--r-- | modexp.c | 7 | ||||
-rw-r--r-- | rsa.c | 4 |
2 files changed, 7 insertions, 4 deletions
@@ -182,8 +182,9 @@ hal_error_t hal_modexp(hal_core_t *core,
 * We probably ought to take the mode (fast vs constant-time) as an
 * argument, but for the moment we just guess that really short
 * exponent means we're using the public key and can use fast mode,
- * all other cases are something to do with the private key and
- * therefore must use constant-time mode.
+ * really short messages are Miller-Rabin tests and can also use
+ * fast mode, all other cases are something to do with the private
+ * key and therefore must use constant-time mode.
 *
 * Unclear whether it's worth trying to figure out exactly how long
 * the operands are: assuming a multiple of eight is safe, but makes
@@ -194,7 +195,7 @@ hal_error_t hal_modexp(hal_core_t *core,
 */
 /* Select mode (1 = fast, 0 = safe) */
- check(set_register(core, MODEXPS6_ADDR_MODE, (exp_len <= 4)));
+ check(set_register(core, MODEXPS6_ADDR_MODE, (exp_len <= 4 || msg_len <= 4)));
 /* Set modulus size in bits */
 check(set_register(core, MODEXPS6_ADDR_MODULUS_WIDTH, mod_len * 8));
@@ -207,10 +207,11 @@ static hal_error_t modexp(hal_core_t *core,
 msg = reduced_msg;
 }
+ const size_t msg_len = (fp_unsigned_bin_size(unconst_fp_int(msg)) + 3) & ~3;
 const size_t exp_len = (fp_unsigned_bin_size(unconst_fp_int(exp)) + 3) & ~3;
 const size_t mod_len = (fp_unsigned_bin_size(unconst_fp_int(mod)) + 3) & ~3;
- uint8_t msgbuf[mod_len];
+ uint8_t msgbuf[msg_len];
 uint8_t expbuf[exp_len];
 uint8_t modbuf[mod_len];
 uint8_t resbuf[mod_len];
@@ -231,6 +232,7 @@ static hal_error_t modexp(hal_core_t *core,
 memset(msgbuf, 0, sizeof(msgbuf));
 memset(expbuf, 0, sizeof(expbuf));
 memset(modbuf, 0, sizeof(modbuf));
+ memset(resbuf, 0, sizeof(resbuf));
 return err;
 }
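Review bot: The new mode test `(exp_len <= 4 || msg_len <= 4)` in the second hunk selects the non-constant-time path on the length of the base alone, so a private-exponent operation whose base happens to be short also runs in fast mode; if the rsa.c caller can reach hal_modexp with a value chosen by the other party (a raw ciphertext or signature that reduces to a few bytes), the private exponent would be processed with data-dependent timing. The comment rewritten in the first hunk already concedes that the mode ought to be an explicit argument; until it is, the safer shape is to keep `exp_len <= 4` as the only implicit trigger and have the primality-test caller request fast mode explicitly, or at least record the assumption next to the register write, e.g. `/* msg_len <= 4 also selects fast mode: callers passing a private exponent must not let an untrusted party choose the base. */`. The enclosing hal_modexp() starts and ends outside both hunks.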
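Review bot: `uint8_t msgbuf[msg_len]` in the third hunk can now be a zero-length VLA, which C11 (6.7.6.2) leaves undefined: for a zero base fp_unsigned_bin_size() reports 0 bytes and `(0 + 3) & ~3` is still 0, whereas the old `mod_len` size is positive for any valid modulus, and the later `memset(msgbuf, 0, sizeof(msgbuf))` then operates on that array. Whether a zero base can survive the `msg = reduced_msg` step just above is not visible here, so either reject it or clamp the length, e.g. `size_t msg_len = (fp_unsigned_bin_size(unconst_fp_int(msg)) + 3) & ~3;` followed by `if (msg_len == 0) msg_len = 4;` (dropping the `const`). Since msgbuf used to be mod_len bytes, it is also worth confirming that hal_modexp pads a shorter message buffer correctly when it loads the operand into the core. The enclosing modexp() starts and ends outside this hunk.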
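Review bot: The added `memset(resbuf, 0, sizeof(resbuf))` in the last hunk is a store to a stack array that is never read before `return err`, so the optimizer may drop it as a dead store, exactly as it may for the three existing memsets it joins; if the intent is to scrub key-dependent material before the frame is released, use a wipe the compiler cannot remove (a volatile-qualified byte loop, `explicit_bzero`, or `memset_s` where available) and apply the same treatment to the sibling buffers. The enclosing modexp() starts outside this hunk.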