[PATCH] MPI helper of addition one limb, Least Leak Intended
Jussi Kivilinna
jussi.kivilinna at iki.fi
Fri Feb 14 06:41:23 CET 2025
On 14.2.2025 6.57, Jacob Bachmeyer via Gcrypt-devel wrote:
> On 2/13/25 19:25, NIIBE Yutaka via Gcrypt-devel wrote:
>> Hello,
>>
>> This change introduces a function _gcry_mpih_add_1_lli for one limb
>> addition with least leak.
>>
>> diff --git a/mpi/mpi-inline.h b/mpi/mpi-inline.h
>> index 090e8a94..6954affb 100644
>> --- a/mpi/mpi-inline.h
>> +++ b/mpi/mpi-inline.h
>> @@ -68,6 +68,28 @@ _gcry_mpih_add_1( mpi_ptr_t res_ptr, mpi_ptr_t s1_ptr,
>> }
>> +/* Do same calculation as _gcry_mpih_add_1 does (under the condition
>> + of RES_PTR == S1_PTR), Least Leak Intended. */
>> +static inline mpi_limb_t
>> +_gcry_mpih_add_1_lli (mpi_ptr_t s1_ptr, mpi_size_t s1_size, mpi_limb_t s2_limb)
>> +{
>> + mpi_limb_t x;
>> + mpi_limb_t cy;
>> +
>> + x = *s1_ptr;
>> + s2_limb += x;
>> + *s1_ptr++ = s2_limb;
>> + cy = (s2_limb < x);
>> + while ( --s1_size )
>> + {
>> + x = *s1_ptr + cy;
>> + *s1_ptr++ = x;
>> + cy = mpih_limb_is_zero (x) & mpih_limb_is_not_zero (cy);
>> + }
>> +
>> + return cy;
>> +}
>> +
>
> Looking at this, I can now deduce that MPI values are stored in little-endian order, "x" is a working register, and "cy" is a carry flag.
>
> If I read this correctly, the carry handling is depending on integer overflow wrapping around, which is not actually defined behavior in C, although most platforms do handle it that way. Do we have an MPI_LIMB_MAX constant analogous to INT_MAX but for mpi_limb_t instead of int?
>
Limbs are unsigned integers and unsigned integer overflow is defined behavior.
-Jussi
More information about the Gcrypt-devel
mailing list