aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--modexp.c7
-rw-r--r--rsa.c4
2 files changed, 7 insertions, 4 deletions
diff --git a/modexp.c b/modexp.c
index f097f33..3e634aa 100644
--- a/modexp.c
+++ b/modexp.c
@@ -182,8 +182,9 @@ hal_error_t hal_modexp(hal_core_t *core,
* We probably ought to take the mode (fast vs constant-time) as an
* argument, but for the moment we just guess that really short
* exponent means we're using the public key and can use fast mode,
- * all other cases are something to do with the private key and
- * therefore must use constant-time mode.
+ * really short messages are Miller-Rabin tests and can also use
+ * fast mode, all other cases are something to do with the private
+ * key and therefore must use constant-time mode.
*
* Unclear whether it's worth trying to figure out exactly how long
* the operands are: assuming a multiple of eight is safe, but makes
@@ -194,7 +195,7 @@ hal_error_t hal_modexp(hal_core_t *core,
*/
/* Select mode (1 = fast, 0 = safe) */
- check(set_register(core, MODEXPS6_ADDR_MODE, (exp_len <= 4)));
+ check(set_register(core, MODEXPS6_ADDR_MODE, (exp_len <= 4 || msg_len <= 4)));
/* Set modulus size in bits */
check(set_register(core, MODEXPS6_ADDR_MODULUS_WIDTH, mod_len * 8));
diff --git a/rsa.c b/rsa.c
index d2a7798..6fde683 100644
--- a/rsa.c
+++ b/rsa.c
@@ -207,10 +207,11 @@ static hal_error_t modexp(hal_core_t *core,
msg = reduced_msg;
}
+ const size_t msg_len = (fp_unsigned_bin_size(unconst_fp_int(msg)) + 3) & ~3;
const size_t exp_len = (fp_unsigned_bin_size(unconst_fp_int(exp)) + 3) & ~3;
const size_t mod_len = (fp_unsigned_bin_size(unconst_fp_int(mod)) + 3) & ~3;
- uint8_t msgbuf[mod_len];
+ uint8_t msgbuf[msg_len];
uint8_t expbuf[exp_len];
uint8_t modbuf[mod_len];
uint8_t resbuf[mod_len];
@@ -231,6 +232,7 @@ static hal_error_t modexp(hal_core_t *core,
memset(msgbuf, 0, sizeof(msgbuf));
memset(expbuf, 0, sizeof(expbuf));
memset(modbuf, 0, sizeof(modbuf));
+ memset(resbuf, 0, sizeof(resbuf));
return err;
}