On 14.2.2025 3.25, NIIBE Yutaka via Gcrypt-devel wrote:
Hello,
This change introduces a function _gcry_mpih_add_1_lli for one limb
addition with least leak.
diff --git a/mpi/mpi-inline.h b/mpi/mpi-inline.h
index 090e8a94..6954affb 100644
--- a/mpi/mpi-inline.h
+++ b/mpi/mpi-inline.h
@@ -68,6 +68,28 @@ _gcry_mpih_add_1( mpi_ptr_t res_ptr, mpi_ptr_t s1_ptr,
}
+/* Do same calculation as _gcry_mpih_add_1 does (under the condition
+ of RES_PTR == S1_PTR), Least Leak Intended. */
+static inline mpi_limb_t
+_gcry_mpih_add_1_lli (mpi_ptr_t s1_ptr, mpi_size_t s1_size, mpi_limb_t s2_limb)
+{
+ mpi_limb_t x;
+ mpi_limb_t cy;
+
+ x = *s1_ptr;
+ s2_limb += x;
+ *s1_ptr++ = s2_limb;
+ cy = (s2_limb < x);
+ while ( --s1_size )
+ {
+ x = *s1_ptr + cy;
+ *s1_ptr++ = x;
+ cy = mpih_limb_is_zero (x) & mpih_limb_is_not_zero (cy);
+ }
+
+ return cy;
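Review bot: the new function reads `x = *s1_ptr;` unconditionally and then loops with `while ( --s1_size )`, so it only works for s1_size >= 1, but the comment above it does not say so; please state that precondition in the comment (and "under the condition of RES_PTR == S1_PTR" could simply read "in place", since the function has no res_ptr argument). The least-leak property also rests entirely on `cy = mpih_limb_is_zero (x) & mpih_limb_is_not_zero (cy);` being compiled branch-free, which is worth a one-line note at that point, since a reader can otherwise not tell why the plain `if (s2_limb < x)` shape of the original loop was avoided.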
I think this function could use the 'add_ssaaaa' macro to handle addition with
carry.
Something like this (completely untested):
  cy = s2_limb;
  while ( s1_size )
    {
      x = *s1_ptr;
      add_ssaaaa(cy, x, 0, cy, 0, x);   /* (cy, x) = (0, cy) + (0, x) */
      *s1_ptr++ = x;
      s1_size--;
    }
  return cy;
-Jussi
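As an added, stand-alone check (not code from the patch or from anyone on the list): the two formulations of the in-place limb addition, the patch's carry-mask loop and the add_ssaaaa version suggested in the reply above, run side by side on constructed inputs that exercise a full ripple carry, a carry that stops midway, and a single-limb wrap. It assumes a 64-bit limb, the generic C shape of longlong.h's add_ssaaaa, and local branch-free stand-ins for mpih_limb_is_zero / mpih_limb_is_not_zero.

```c
#include <stdint.h>
#include <string.h>
typedef uint64_t mpi_limb_t;  /* stand-in for libgcrypt's limb type on a 64-bit target */
typedef int mpi_size_t;

/* Generic-C shape of longlong.h's add_ssaaaa: (sh,sl) = (ah,al) + (bh,bl). */
#define add_ssaaaa(sh, sl, ah, al, bh, bl) \
  do { mpi_limb_t __x = (al) + (bl); (sh) = (ah) + (bh) + (__x < (al)); (sl) = __x; } while (0)

/* Branch-free zero tests standing in for mpih_limb_is_not_zero / mpih_limb_is_zero. */
static mpi_limb_t limb_is_not_zero (mpi_limb_t a) { return (a | (0 - a)) >> 63; }
static mpi_limb_t limb_is_zero (mpi_limb_t a) { return limb_is_not_zero (a) ^ 1; }

/* In-place s1 += s2 with the patch's carry-mask loop; requires n >= 1. */
static mpi_limb_t add_1_lli_patch (mpi_limb_t *s1, mpi_size_t n, mpi_limb_t s2)
{
  mpi_limb_t x = *s1, cy;
  s2 += x; *s1++ = s2; cy = (s2 < x);
  while (--n) {
    x = *s1 + cy; *s1++ = x;
    cy = limb_is_zero (x) & limb_is_not_zero (cy);  /* carry only if cy == 1 wrapped x to 0 */
  }
  return cy;
}

/* The same addition written with add_ssaaaa, as suggested in the reply above. */
static mpi_limb_t add_1_lli_ssaaaa (mpi_limb_t *s1, mpi_size_t n, mpi_limb_t s2)
{
  mpi_limb_t x, cy = s2;
  while (n--) {
    x = *s1; add_ssaaaa (cy, x, 0, cy, 0, x); *s1++ = x;  /* (cy, x) = (0, cy) + (0, x) */
  }
  return cy;
}

/* Constructed cases (ripple carry, carry stopping midway, single-limb wrap); returns how many agree. */
static int self_check (void)
{
  const mpi_limb_t F = ~(mpi_limb_t) 0;
  const struct { mpi_limb_t in[3]; mpi_size_t n; mpi_limb_t s2, cy; } t[3] =
    { { { F, F, F }, 3, 1, 1 }, { { F, 5, F }, 3, 1, 0 }, { { 0x10 }, 1, F - 0xF, 1 } };
  int ok = 0;
  for (int i = 0; i < 3; i++) {
    mpi_limb_t a[3], b[3], ca, cb;
    memcpy (a, t[i].in, sizeof a); memcpy (b, t[i].in, sizeof b);
    ca = add_1_lli_patch (a, t[i].n, t[i].s2); cb = add_1_lli_ssaaaa (b, t[i].n, t[i].s2);
    ok += (ca == cb && ca == t[i].cy && memcmp (a, b, sizeof a) == 0);
  }
  return ok;  /* 3 */
}
```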
_______________________________________________
Gcrypt-devel mailing list
Gcrypt-devel@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gcrypt-devel