diff options
| author | Roland Shoemaker <roland@golang.org> | 2025-01-21 16:03:14 -0800 |
|---|---|---|
| committer | Carlos Amedee <carlos@golang.org> | 2025-01-31 09:38:23 -0800 |
| commit | 6644ed63b1e6ccc129647ef6b0d4647fdbe14056 (patch) | |
| tree | cb6aeda962019a15e7a98bf2420a3ded28405cf8 | |
| parent | ab44565bcd9ad975b87ffd78c36c1fae1644d0bf (diff) | |
| download | go-6644ed63b1e6ccc129647ef6b0d4647fdbe14056.tar.xz | |
[release-branch.go1.23] crypto/internal/fips140/nistec: make p256NegCond constant time on ppc64le
Remove the branching instruction from p256NegCond which made it variable
time. The technique used matches that used in p256MovCond.
Fixes #71383
Fixes #71423
Fixes CVE-2025-22866
Change-Id: Ibc2a46814d856cbbdaf6cc0c5a415ed5d42ca793
Reviewed-on: https://go-review.googlesource.com/c/go/+/643735
Reviewed-by: David Chase <drchase@google.com>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Paul Murphy <murp@ibm.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
(cherry picked from commit 6fc23a3cff5e38ff72923fee50f51254dcdc6e93)
Reviewed-on: https://go-review.googlesource.com/c/go/+/645515
Reviewed-by: Carlos Amedee <carlos@golang.org>
| -rw-r--r-- | src/crypto/internal/nistec/p256_asm_ppc64le.s | 20 |
1 files changed, 17 insertions, 3 deletions
diff --git a/src/crypto/internal/nistec/p256_asm_ppc64le.s b/src/crypto/internal/nistec/p256_asm_ppc64le.s index 1475dfb1d9..b13bd512a6 100644 --- a/src/crypto/internal/nistec/p256_asm_ppc64le.s +++ b/src/crypto/internal/nistec/p256_asm_ppc64le.s @@ -126,14 +126,23 @@ GLOBL p256mul<>(SB), 8, $160 #define PH V31 #define CAR1 V6 + +#define SEL V8 +#define ZER V9 + // func p256NegCond(val *p256Point, cond int) TEXT ·p256NegCond(SB), NOSPLIT, $0-16 MOVD val+0(FP), P1ptr MOVD $16, R16 - MOVD cond+8(FP), R6 - CMP $0, R6 - BC 12, 2, LR // just return if cond == 0 + // Copy cond into SEL (cond is R1 + 8 (cond offset) + 32) + MOVD $40, R17 + LXVDSX (R1)(R17), SEL + // Zeroize ZER + VSPLTISB $0, ZER + // SEL controls whether to return the original value (Y1H/Y1L) + // or the negated value (T1H/T1L). + VCMPEQUD SEL, ZER, SEL MOVD $p256mul<>+0x00(SB), CPOOL @@ -150,6 +159,9 @@ TEXT ·p256NegCond(SB), NOSPLIT, $0-16 VSUBUQM PL, Y1L, T1L // subtract part2 giving result VSUBEUQM PH, Y1H, CAR1, T1H // subtract part1 using carry from part2 + VSEL T1H, Y1H, SEL, T1H + VSEL T1L, Y1L, SEL, T1L + XXPERMDI T1H, T1H, $2, T1H XXPERMDI T1L, T1L, $2, T1L @@ -166,6 +178,8 @@ TEXT ·p256NegCond(SB), NOSPLIT, $0-16 #undef PL #undef PH #undef CAR1 +#undef SEL +#undef ZER #define P3ptr R3 #define P1ptr R4 |