diff --git a/include/polarssl/ecp.h b/include/polarssl/ecp.h
index 5942231335..31f9e6ddba 100644
--- a/include/polarssl/ecp.h
+++ b/include/polarssl/ecp.h
@@ -427,8 +427,10 @@ int ecp_sub( const ecp_group *grp, ecp_point *R,
  * \note If f_rng is not NULL, it is used to randomize projective
  * coordinates of indermediate results, in order to prevent
  * more elaborate timing attacks relying on intermediate
- * operations. (This is a prophylactic measure since so such
- * attack has been published yet.)
+ * operations. (This is a prophylactic measure since no such
+ * attack has been published yet.) Since this contermeasure
+ * has very low overhead, it is recommended to always provide
+ * a non-NULL f_rng parameter when using secret inputs.
  */
 int ecp_mul( const ecp_group *grp, ecp_point *R,
              const mpi *m, const ecp_point *P,
diff --git a/programs/test/ecp-bench.c b/programs/test/ecp-bench.c
index e200c42677..923111876a 100644
--- a/programs/test/ecp-bench.c
+++ b/programs/test/ecp-bench.c
@@ -28,6 +28,29 @@ int main( int argc, char *argv[] )
 
 #else
 
+static int myrand( void *rng_state, unsigned char *output, size_t len )
+{
+    size_t use_len;
+    int rnd;
+
+    if( rng_state != NULL )
+        rng_state = NULL;
+
+    while( len > 0 )
+    {
+        use_len = len;
+        if( use_len > sizeof(int) )
+            use_len = sizeof(int);
+
+        rnd = rand();
+        memcpy( output, &rnd, use_len );
+        output += use_len;
+        len -= use_len;
+    }
+
+    return( 0 );
+}
+
 static void dhm_bench_case( const char *s, const char *p, const char *g,
                             const char *x )
 {
@@ -161,7 +184,7 @@ static void ecp_bench_case( size_t dp, const char *s, const char *m )
     set_alarm( 3 );
 
     for( i = 1; ! alarmed; i++ )
-        ecp_mul( &grp, &R, &M, &grp.G, NULL, NULL );
+        ecp_mul( &grp, &R, &M, &grp.G, myrand, NULL );
 
     printf( "%9lu mul/s\n", i / 3 );
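Review bot: The added sentence in the ecp_mul \note misspells the key word: `Since this contermeasure` should read `Since this countermeasure`. Since this is the one place a caller learns that a non-NULL f_rng is recommended for secret scalars, the line is worth getting right; the unchanged context line above also carries `indermediate`, but that is outside this change. The surrounding ecp_mul declaration continues past the end of the hunk.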
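Review bot: The `if( rng_state != NULL ) rng_state = NULL;` pair in myrand is an opaque way to silence an unused-parameter warning; `(void) rng_state;` states the intent directly and cannot be misread as meaningful logic. myrand also needs a header comment so it is not picked up as an f_rng example: something like `/* Benchmark-only f_rng stand-in: feeds rand() bytes into the projective-coordinate randomization. Not a cryptographically secure generator (on platforms with RAND_MAX == 32767 the high bytes of rnd are constant); do not reuse for key or nonce material. */`. It also relies on `<stdlib.h>` for rand() and `<string.h>` for memcpy(), which are presumably included earlier in the file but are not visible in this hunk.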
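Review bot: The return value of the new `ecp_mul( &grp, &R, &M, &grp.G, myrand, NULL );` call is still discarded, and with f_rng now non-NULL the function has an additional failure path (an RNG error aborts the multiplication), so a failing iteration would be counted as a successful one in the reported mul/s. A minimal guard would be `if( ecp_mul( &grp, &R, &M, &grp.G, myrand, NULL ) != 0 ) { printf( "ecp_mul failed\n" ); break; }`. With the current myrand always returning 0 this is latent, which is why it is a suggestion rather than a blocker. ecp_bench_case begins and ends outside the hunk.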