From: Roland Shoemaker Date: Wed, 22 Jan 2025 00:03:14 +0000 (-0800) Subject: [release-branch.go1.23] crypto/internal/fips140/nistec: make p256NegCond constant... X-Git-Tag: go1.23.6~1 X-Git-Url: http://www.git.cypherpunks.su/?a=commitdiff_plain;h=6644ed63b1e6ccc129647ef6b0d4647fdbe14056;p=gostls13.git [release-branch.go1.23] crypto/internal/fips140/nistec: make p256NegCond constant time on ppc64le Remove the branching instruction from p256NegCond which made it variable time. The technique used matches that used in p256MovCond. Fixes #71383 Fixes #71423 Fixes CVE-2025-22866 Change-Id: Ibc2a46814d856cbbdaf6cc0c5a415ed5d42ca793 Reviewed-on: https://go-review.googlesource.com/c/go/+/643735 Reviewed-by: David Chase Reviewed-by: Filippo Valsorda Reviewed-by: Paul Murphy LUCI-TryBot-Result: Go LUCI (cherry picked from commit 6fc23a3cff5e38ff72923fee50f51254dcdc6e93) Reviewed-on: https://go-review.googlesource.com/c/go/+/645515 Reviewed-by: Carlos Amedee --- diff --git a/src/crypto/internal/nistec/p256_asm_ppc64le.s b/src/crypto/internal/nistec/p256_asm_ppc64le.s index 1475dfb1d9..b13bd512a6 100644 --- a/src/crypto/internal/nistec/p256_asm_ppc64le.s +++ b/src/crypto/internal/nistec/p256_asm_ppc64le.s @@ -126,14 +126,23 @@ GLOBL p256mul<>(SB), 8, $160 #define PH V31 #define CAR1 V6 + +#define SEL V8 +#define ZER V9 + // func p256NegCond(val *p256Point, cond int) TEXT ·p256NegCond(SB), NOSPLIT, $0-16 MOVD val+0(FP), P1ptr MOVD $16, R16 - MOVD cond+8(FP), R6 - CMP $0, R6 - BC 12, 2, LR // just return if cond == 0 + // Copy cond into SEL (cond is R1 + 8 (cond offset) + 32) + MOVD $40, R17 + LXVDSX (R1)(R17), SEL + // Zeroize ZER + VSPLTISB $0, ZER + // SEL controls whether to return the original value (Y1H/Y1L) + // or the negated value (T1H/T1L). + VCMPEQUD SEL, ZER, SEL MOVD $p256mul<>+0x00(SB), CPOOL @@ -150,6 +159,9 @@ TEXT ·p256NegCond(SB), NOSPLIT, $0-16 VSUBUQM PL, Y1L, T1L // subtract part2 giving result VSUBEUQM PH, Y1H, CAR1, T1H // subtract part1 using carry from part2 + VSEL T1H, Y1H, SEL, T1H + VSEL T1L, Y1L, SEL, T1L + XXPERMDI T1H, T1H, $2, T1H XXPERMDI T1L, T1L, $2, T1L @@ -166,6 +178,8 @@ TEXT ·p256NegCond(SB), NOSPLIT, $0-16 #undef PL #undef PH #undef CAR1 +#undef SEL +#undef ZER #define P3ptr R3 #define P1ptr R4