Ola Lundqvist <o...@inguza.com> writes:

> However I was referring to the side-channel problem that was reported
> in the CVE and not to the unintended side-effect of the correction.

I see.

> Do you know a way to trigger the problem reported in the CVE, please
> let me know.

I'm afraid it's not so easy.

One approach is to try some attack tool to attack another process via the cache, but I'd expect that to be a little research project to set up.

Another approach is to use valgrind. Insert valgrind annotations to mark the secret exponent as uninitialized data prior to calling the supposedly side-channel-silent operation. Then valgrind's memchecker will complain on unsafe instructions, namely branches and memory addresses depending on the secret, and these are precisely the operations that may leak via timing or via the cache. One would also need to mark the output areas as valid and defined at the end of the signature functions.

Unfortunately, one might get some warnings even after the fix; it probably doesn't make the computation *completely* silent.

Regards,
/Niels

-- 
Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26.
Internet email is subject to wholesale government surveillance.
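The valgrind annotation scheme Niels describes, as an added example that is not part of the thread or of any project's code: the secret is marked undefined before the operation, memcheck then reports any branch or address derived from it, and the public result is marked defined at the end. The two select functions and the toy accumulation loop are hypothetical stand-ins for a real exponentiation; the header guard falls back to no-op macros where valgrind's headers are not installed.

```c
/* Added example (not from the thread): a memcheck-based check for
 * secret-dependent control flow. Toy functions, not a real signature. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#if defined(__has_include)
#  if __has_include(<valgrind/memcheck.h>)
#    include <valgrind/memcheck.h>
#  endif
#endif
#ifndef VALGRIND_MAKE_MEM_UNDEFINED        /* no-ops without valgrind headers */
#  define VALGRIND_MAKE_MEM_UNDEFINED(a, n) ((void)0)
#  define VALGRIND_MAKE_MEM_DEFINED(a, n)   ((void)0)
#endif

/* Branchy select: under valgrind, 'if (bit)' on a secret bit is reported as
 * "Conditional jump or move depends on uninitialised value(s)". */
uint32_t select_branchy(uint32_t bit, uint32_t a, uint32_t b) {
  if (bit) return a;
  return b;
}

/* Masked select: only arithmetic on the secret, so memcheck stays silent. */
uint32_t select_ct(uint32_t bit, uint32_t a, uint32_t b) {
  uint32_t mask = 0u - (bit & 1u);       /* all ones if bit set, else zero */
  return (a & mask) | (b & ~mask);
}

/* Harness mirroring the mail: taint the exponent, walk its bits with either
 * select, then declare the (public) output defined before anyone branches
 * on it. Both variants compute the same value. */
uint32_t run_under_taint(uint32_t secret_exp, int constant_time) {
  uint32_t acc = 0;
  VALGRIND_MAKE_MEM_UNDEFINED(&secret_exp, sizeof secret_exp);
  for (int i = 31; i >= 0; i--) {        /* loop bound is public */
    uint32_t bit = (secret_exp >> i) & 1u;
    acc = acc * 3u + (constant_time ? select_ct(bit, 7u, 2u)
                                    : select_branchy(bit, 7u, 2u));
  }
  VALGRIND_MAKE_MEM_DEFINED(&acc, sizeof acc);   /* result is public */
  return acc;
}

int main(void) {
  uint32_t exp = 0xA5A5A5A5u;            /* constructed sample exponent */
  printf("branchy=%u ct=%u\n", run_under_taint(exp, 0), run_under_taint(exp, 1));
  return 0;
}
```

Run the binary once under `valgrind` with `constant_time` set to 0 and once with 1: only the branchy path produces the conditional-jump report.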