commit 79a1da6948ee628de35f25d3bd5541a65374db87
author Janos Follath <janos.follath@gmail.com> Fri Oct 30 17:43:11 2015 +0100
committer Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com> Fri Jan 08 14:48:01 2016 +0100
tree 87790b6c7dfdc22877697220af264fa72a3f8ff0
parent a65477d88560808b16f3c934a4cda470a1af8e36

Improved on the previous fix and added a test case to cover both types
of carries.

library/bignum.c

diff --git a/library/bignum.c b/library/bignum.c
index 5009a71..7841bea 100644
--- a/library/bignum.c
+++ b/library/bignum.c
@@ -883,22 +883,11 @@
 {
     int ret;
     size_t i, j;
-    mbedtls_mpi_uint *o, *p, c;
-    mbedtls_mpi TB;
+    mbedtls_mpi_uint *o, *p, c, tmp;
 
     if( X == B )
     {
-        B = A; A = X;
-
-        if( B == A )
-        {
-            // Making a temporary copy instead of shifting by one to deny
-            // the possibility of corresponding side-channel attacks.
-            mbedtls_mpi_init( &TB );
-            MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &TB, B ) );
-            
-            B = &TB;
-        }
+        const mbedtls_mpi *T = A; A = X; B = T;
     }
 
     if( X != A )
@@ -917,10 +906,14 @@
 
     o = B->p; p = X->p; c = 0;
 
+    /*
+     * tmp is used because it might happen that p == o
+     */
     for( i = 0; i < j; i++, o++, p++ )
     {
+        tmp= *o;
         *p +=  c; c  = ( *p <  c );
-        *p += *o; c += ( *p < *o );
+        *p += tmp; c += ( *p < tmp );
     }
 
     while( c != 0 )
@@ -935,10 +928,6 @@
     }
 
 cleanup:
-    if( &TB == B ) 
-    {
-        mbedtls_mpi_free( &TB );
-    }
 
     return( ret );
 }