Change ecp_mul() prototype to allow randomization
(Also improve an error code while at it.)
diff --git a/include/polarssl/ecdh.h b/include/polarssl/ecdh.h
index 2184ab9..d91aea5 100644
--- a/include/polarssl/ecdh.h
+++ b/include/polarssl/ecdh.h
@@ -70,12 +70,20 @@
* \param z Destination MPI (shared secret)
* \param Q Public key from other party
* \param d Our secret exponent
+ * \param f_rng RNG function (see notes)
+ * \param p_rng RNG parameter
*
* \return 0 if successful,
* or a POLARSSL_ERR_ECP_XXX or POLARSSL_MPI_XXX error code
+ *
+ * \note If f_rng is not NULL, it is used to implement
+ * countermeasures against potential elaborate timing
+ * attacks, see \c ecp_mul() for details.
*/
int ecdh_compute_shared( const ecp_group *grp, mpi *z,
- const ecp_point *Q, const mpi *d );
+ const ecp_point *Q, const mpi *d,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng );
/**
* \brief Initialize context
@@ -156,11 +164,15 @@
* \param olen number of bytes written
* \param buf destination buffer
* \param blen buffer length
+ * \param f_rng RNG function, see notes for \c ecdh_compute_shared()
+ * \param p_rng RNG parameter
*
* \return 0 if successful, or an POLARSSL_ERR_ECP_XXX error code
*/
int ecdh_calc_secret( ecdh_context *ctx, size_t *olen,
- unsigned char *buf, size_t blen );
+ unsigned char *buf, size_t blen,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng );
/**
* \brief Checkup routine
diff --git a/include/polarssl/ecp.h b/include/polarssl/ecp.h
index ad31bff..5942231 100644
--- a/include/polarssl/ecp.h
+++ b/include/polarssl/ecp.h
@@ -411,17 +411,29 @@
* \param R Destination point
* \param m Integer by which to multiply
* \param P Point to multiply
+ * \param f_rng RNG function (see notes)
+ * \param p_rng RNG parameter
*
* \return 0 if successful,
* POLARSSL_ERR_MPI_MALLOC_FAILED if memory allocation failed
- * POLARSSL_ERR_ECP_GENERIC if m < 0 of m has greater bit
- * length than N, the number of points in the group.
+ * POLARSSL_ERR_ECP_BAD_INPUT_DATA if m < 0 of m has greater
+ * bit length than N, the number of points in the group.
*
- * \note This function executes a constant number of operations
- * for random m in the allowed range.
+ * \note In order to prevent simple timing attacks, this function
+ * executes a constant number of operations (that is, point
+ * doubling and addition of distinct points) for random m in
+ * the allowed range.
+ *
+ * \note If f_rng is not NULL, it is used to randomize projective
+ * coordinates of indermediate results, in order to prevent
+ * more elaborate timing attacks relying on intermediate
+ * operations. (This is a prophylactic measure since so such
+ * attack has been published yet.)
*/
int ecp_mul( const ecp_group *grp, ecp_point *R,
- const mpi *m, const ecp_point *P );
+ const mpi *m, const ecp_point *P,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng );
+
/**
* \brief Check that a point is a valid public key on this curve