File CVE-2017-14737.patch of Package Botan.5777

From 5f3a62a1243258af0c5f69d87553cc01ed785c5a Mon Sep 17 00:00:00 2001
From: Jack Lloyd <jack@randombit.net>
Date: Thu, 28 Sep 2017 10:29:15 -0400
Subject: [PATCH] Cache silent table lookup in modexp CVE-2017-14737

---
 src/math/bigint/bigint.cpp         | 22 ++++++++++++++++++++++
 src/math/bigint/bigint.h           |  6 ++++++
 src/math/numbertheory/powm_mnt.cpp |  9 ++++++---
 3 files changed, 34 insertions(+), 3 deletions(-)

diff --git a/src/math/bigint/bigint.cpp b/src/math/bigint/bigint.cpp
index e2e062f2d..4c02e76a3 100644
--- a/src/math/bigint/bigint.cpp
+++ b/src/math/bigint/bigint.cpp
@@ -10,6 +10,7 @@
 #include <botan/get_byte.h>
 #include <botan/parsing.h>
 #include <botan/internal/rounding.h>
+#include <botan/internal/ct_utils.h>
 
 namespace Botan {
 
@@ -373,4 +374,25 @@ void BigInt::binary_decode(const MemoryRegion<byte>& buf)
    binary_decode(buf, buf.size());
    }
 
+void BigInt::shrink_to_fit()
+   {
+   reg.resize(sig_words());
+   }
+
+void BigInt::const_time_lookup(SecureVector<word>& output,
+                               const std::vector<BigInt>& vec,
+                               size_t idx)
+   {
+   const size_t words = output.size();
+
+   clear_mem(output.data(), output.size());
+
+   for(size_t i = 0; i != vec.size(); ++i)
+      {
+      for(size_t w = 0; w != words; ++w)
+         output[w] |= CT::select<word>(CT::is_equal(i, idx), vec[i].word_at(w), 0);
+      }
+   }
+
+
 }
diff --git a/src/math/bigint/bigint.h b/src/math/bigint/bigint.h
index 87c7cb766..f34f6e9ec 100644
--- a/src/math/bigint/bigint.h
+++ b/src/math/bigint/bigint.h
@@ -500,6 +500,12 @@ class BOTAN_DLL BigInt
      */
      BigInt(NumberType type, size_t n);
 
+     void shrink_to_fit();
+
+     static void const_time_lookup(SecureVector<word>& output,
+                                   const std::vector<BigInt>& vec,
+                                   size_t idx);
+
    private:
       SecureVector<word> reg;
       Sign signedness;
diff --git a/src/math/numbertheory/powm_mnt.cpp b/src/math/numbertheory/powm_mnt.cpp
index d3845194c..295e9401a 100644
--- a/src/math/numbertheory/powm_mnt.cpp
+++ b/src/math/numbertheory/powm_mnt.cpp
@@ -68,6 +68,7 @@ void Montgomery_Exponentiator::set_base(const BigInt& base)
                        &workspace[0]);
 
       g[i].assign(&z[0], mod_words + 1);
+      g[i].grow_to(mod_words);
       }
    }
 
@@ -81,6 +82,7 @@ BigInt Montgomery_Exponentiator::execute() const
    BigInt x = R_mod;
    SecureVector<word> z(2 * (mod_words + 1));
    SecureVector<word> workspace(2 * (mod_words + 1));
+   SecureVector<word> e(mod_words);
 
    for(size_t i = exp_nibbles; i > 0; --i)
       {
@@ -98,12 +100,13 @@ BigInt Montgomery_Exponentiator::execute() const
 
       const u32bit nibble = exp.get_substring(window_bits*(i-1), window_bits);
 
-      const BigInt& y = g[nibble];
-
       zeroise(z);
+
+      BigInt::const_time_lookup(e, g, nibble);
+
       bigint_monty_mul(&z[0], z.size(),
                        x.data(), x.size(), x.sig_words(),
-                       y.data(), y.size(), y.sig_words(),
+                       e.data(), e.size(), e.size(),
                        modulus.data(), mod_words, mod_prime,
                        &workspace[0]);
 
-- 
2.14.1