Merge BoringSSL 12d9ed6: Avoid leaking intermediate states in point doubling special case.

2019-07-02 16:51:15 -10:00 · 2019-07-02 16:51:15 -10:00 · f2eaee928b
commit f2eaee928b
parent 1e89f2e612 12d9ed670d
3 changed files with 18 additions and 13 deletions
--- a/crypto/fipsmodule/ec/asm/p256-x86_64-asm.pl
+++ b/crypto/fipsmodule/ec/asm/p256-x86_64-asm.pl
@ -3158,17 +3158,24 @@ $code.=<<___;

 	or	$acc5, $acc4			# see if result is zero
 	or	$acc0, $acc4
-	or	$acc1, $acc4
+	or	$acc1, $acc4			# !is_equal(U1, U2)

-	.byte	0x3e				# predict taken
-	jnz	.Ladd_proceed$x			# is_equal(U1,U2)?
 	movq	%xmm2, $acc0
 	movq	%xmm3, $acc1
-	test	$acc0, $acc0
-	jnz	.Ladd_proceed$x			# (in1infty || in2infty)?
-	test	$acc1, $acc1
-	jz	.Ladd_double$x			# is_equal(S1,S2)?
+	or	$acc0, $acc4
+	.byte	0x3e				# predict taken
+	jnz	.Ladd_proceed$x			# !is_equal(U1, U2) || in1infty || in2infty

+	# We now know A = B or A = -B and neither is infinity. Compare the
+	# y-coordinates via S1 and S2.
+	test	$acc1, $acc1
+	jz	.Ladd_double$x			# is_equal(S1, S2)
+
+	# A = -B, so the result is infinity.
+	#
+	# TODO(davidben): Does .Ladd_proceed handle this case? It seems to, in
+	# which case we should eliminate this special-case and simplify the
+	# timing analysis.
 	movq	%xmm0, $r_ptr			# restore $r_ptr
 	pxor	%xmm0, %xmm0
 	movdqu	%xmm0, 0x00($r_ptr)
--- a/crypto/fipsmodule/ec/ecp_nistz256.c
+++ b/crypto/fipsmodule/ec/ecp_nistz256.c
@ -154,9 +154,8 @@ void GFp_nistz256_point_add(P256_POINT *r, const P256_POINT *a, const P256_POINT
  elem_mul_mont(U2, in2_x, Z1sqr); /* U2 = X2*Z1^2 */
  elem_sub(H, U2, U1);             /* H = U2 - U1 */

-  /* This should not happen during sign/ecdh,
-   * so no constant time violation */
-  if (is_equal(U1, U2) && !in1infty && !in2infty) {
+  BN_ULONG is_exceptional = is_equal(U1, U2) & ~in1infty & ~in2infty;
+  if (is_exceptional) {
    if (is_equal(S1, S2)) {
      GFp_nistz256_point_double(r, a);
    } else {
--- a/crypto/fipsmodule/ec/ecp_nistz384.inl
+++ b/crypto/fipsmodule/ec/ecp_nistz384.inl
@ -114,9 +114,8 @@ void GFp_nistz384_point_add(P384_POINT *r, const P384_POINT *a,
  elem_mul_mont(U2, in2_x, Z1sqr); /* U2 = X2*Z1^2 */
  elem_sub(H, U2, U1);             /* H = U2 - U1 */

-  /* This should not happen during sign/ecdh,
-   * so no constant time violation */
-  if (is_equal(U1, U2) && !in1infty && !in2infty) {
+  BN_ULONG is_exceptional = is_equal(U1, U2) & ~in1infty & ~in2infty;
+  if (is_exceptional) {
    if (is_equal(S1, S2)) {
      GFp_nistz384_point_double(r, a);
    } else {