Dmitry Baryshkov dbaryshkov@gmail.com writes:
diff --git a/ecc-random.c b/ecc-random.c index 79df511cb6b6..e80405fe46fd 100644 --- a/ecc-random.c +++ b/ecc-random.c @@ -60,7 +60,7 @@ ecdsa_in_range (const struct ecc_modulo *m, { /* Check if 0 < x < q, with data independent timing. */ return !zero_p (m, xp)
- & (mpn_sub_n (scratch, xp, m->m, m->size) != 0);
- && (mpn_sub_n (scratch, xp, m->m, m->size) != 0);
}
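Review bot: replacing `&` with `&&` on the line under `/* Check if 0 < x < q, with data independent timing. */` introduces a short-circuit: when `zero_p (m, xp)` is true, `mpn_sub_n` is no longer executed, so the function's timing now depends on whether x is zero, which is exactly what the comment says must not happen. Both operands are already 0/1 values (`!zero_p (...)` and the `!= 0` comparison), so the bitwise `&` returns the same result as `&&` without a data-dependent branch; suggest keeping `&` and adding a one-line comment such as `/* Bitwise & on purpose: && would add a data dependent branch. */` so the next reader does not "fix" it again. Also note that, as posted, the hunk shows two `-` lines and no `+` line, so it would not apply cleanly.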
The use of & rather than the short-circuiting && here is intentional. Using && would imply a data dependent branch, and we can't have that, since this function is intended to be side-channel silent.
The arguments to & are both 0 or 1, so the return value should be the same as with &&.
I haven't looked at the generated code, though. I hope the compiler inlines zero_p and doesn't generate branches for t == 0 or for the logical negation in !zero_p(...). And the local variable t should probably be marked volatile. But on the other hand, maybe it doesn't matter if it's side-channel silent in the case that it returns false. These things are a bit more subtle than I like.
Regards, /Niels
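The branch-free combination Niels describes above, as an added example that is not part of the patch or of nettle: a self-contained stand-in for ecdsa_in_range over constructed limb arrays, with ct_zero_p and ct_sub_n playing the roles of zero_p and GMP's mpn_sub_n (all ct_* names and the sample vectors are assumptions of this example).

```c
#include <stddef.h>
#include <stdint.h>
#include <limits.h>

typedef uint64_t limb_t;
/* Stand-in for nettle's zero_p (constructed, not nettle code): 1 iff all n
   limbs are zero, computed without data-dependent control flow. */
static int
ct_zero_p (const limb_t *xp, size_t n)
{
  limb_t acc = 0;
  for (size_t i = 0; i < n; i++)
    acc |= xp[i];
  /* (acc | -acc) has its top bit set exactly when acc != 0. */
  return (int) (1 ^ ((acc | (0 - acc)) >> (sizeof (limb_t) * CHAR_BIT - 1)));
}

/* Stand-in for mpn_sub_n: rp = xp - mp over n limbs; returns the final borrow,
   i.e. 1 iff xp < mp as unsigned multi-limb integers. */
static limb_t
ct_sub_n (limb_t *rp, const limb_t *xp, const limb_t *mp, size_t n)
{
  limb_t borrow = 0;
  for (size_t i = 0; i < n; i++)
    {
      limb_t d = xp[i] - mp[i];
      limb_t b1 = d > xp[i];          /* borrow out of xp[i] - mp[i] */
      limb_t d2 = d - borrow;
      limb_t b2 = d2 > d;             /* borrow out of subtracting carry-in */
      rp[i] = d2;
      borrow = b1 | b2;
    }
  return borrow;
}
/* 0 < x < q: both operands are 0/1 and are joined with bitwise &, so ct_sub_n
   runs whether or not x is zero; && would skip it for x == 0 and leak that. */
static int
ct_in_range (const limb_t *qp, const limb_t *xp, limb_t *scratch, size_t n)
{
  int nonzero = 1 ^ ct_zero_p (xp, n);
  int below_q = (int) ct_sub_n (scratch, xp, qp, n);
  return nonzero & below_q;
}
/* Constructed two-limb vectors, q = 2^64 + 5. */
static const limb_t sample_q[2]    = { 5, 1 };
static const limb_t sample_zero[2] = { 0, 0 };
static const limb_t sample_ok[2]   = { 4, 1 };   /* q - 1: in range */
static const limb_t sample_eq[2]   = { 5, 1 };   /* x == q: rejected */
static limb_t sample_scratch[2];
```

Whether the compiler keeps this branch-free is still something to confirm in the generated object code, as Niels notes.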