Eliminate harmless non-constant time operations on secret data.

There were several places where the code was non-constant time
 for invalid secret inputs.  These are harmless under sane use
 but get in the way of automatic const-time validation.

(Nonce overflow in signing is not addressed, nor is s==0 in
 signing)
This commit is contained in:
Gregory Maxwell
2020-01-11 01:01:05 +00:00
parent 856a01d6ad
commit 34a67c773b
16 changed files with 154 additions and 101 deletions

View File

@@ -114,4 +114,11 @@ SECP256K1_INLINE static int secp256k1_scalar_eq(const secp256k1_scalar *a, const
return *a == *b;
}
static SECP256K1_INLINE void secp256k1_scalar_cmov(secp256k1_scalar *r, const secp256k1_scalar *a, int flag) {
uint32_t mask0, mask1;
mask0 = flag + ~((uint32_t)0);
mask1 = ~mask0;
*r = (*r & mask0) | (*a & mask1);
}
#endif /* SECP256K1_SCALAR_REPR_IMPL_H */