From 6fc23a3cff5e38ff72923fee50f51254dcdc6e93 Mon Sep 17 00:00:00 2001 From: Roland Shoemaker Date: Tue, 21 Jan 2025 16:03:14 -0800 Subject: [PATCH] crypto/internal/fips140/nistec: make p256NegCond constant time on ppc64le Remove the branching instruction from p256NegCond which made it variable time. The technique used matches that used in p256MovCond. Fixes #71383 Fixes CVE-2025-22866 Change-Id: Ibc2a46814d856cbbdaf6cc0c5a415ed5d42ca793 Reviewed-on: https://go-review.googlesource.com/c/go/+/643735 Reviewed-by: David Chase Reviewed-by: Filippo Valsorda Reviewed-by: Paul Murphy LUCI-TryBot-Result: Go LUCI --- .../fips140/nistec/p256_asm_ppc64le.s | 20 ++++++++++++++++--- 1 file changed, 17 insertions(+), 3 deletions(-) diff --git a/src/crypto/internal/fips140/nistec/p256_asm_ppc64le.s b/src/crypto/internal/fips140/nistec/p256_asm_ppc64le.s index 7c46b268ef..7efaa6ac18 100644 --- a/src/crypto/internal/fips140/nistec/p256_asm_ppc64le.s +++ b/src/crypto/internal/fips140/nistec/p256_asm_ppc64le.s @@ -126,14 +126,23 @@ GLOBL p256mul<>(SB), 8, $160 #define PH V31 #define CAR1 V6 + +#define SEL V8 +#define ZER V9 + // func p256NegCond(val *p256Point, cond int) TEXT ·p256NegCond(SB), NOSPLIT, $0-16 MOVD val+0(FP), P1ptr MOVD $16, R16 - MOVD cond+8(FP), R6 - CMP $0, R6 - BC 12, 2, LR // just return if cond == 0 + // Copy cond into SEL (cond is R1 + 8 (cond offset) + 32) + MOVD $40, R17 + LXVDSX (R1)(R17), SEL + // Zeroize ZER + VSPLTISB $0, ZER + // SEL controls whether to return the original value (Y1H/Y1L) + // or the negated value (T1H/T1L). + VCMPEQUD SEL, ZER, SEL MOVD $p256mul<>+0x00(SB), CPOOL @@ -150,6 +159,9 @@ TEXT ·p256NegCond(SB), NOSPLIT, $0-16 VSUBUQM PL, Y1L, T1L // subtract part2 giving result VSUBEUQM PH, Y1H, CAR1, T1H // subtract part1 using carry from part2 + VSEL T1H, Y1H, SEL, T1H + VSEL T1L, Y1L, SEL, T1L + XXPERMDI T1H, T1H, $2, T1H XXPERMDI T1L, T1L, $2, T1L @@ -166,6 +178,8 @@ TEXT ·p256NegCond(SB), NOSPLIT, $0-16 #undef PL #undef PH #undef CAR1 +#undef SEL +#undef ZER #define P3ptr R3 #define P1ptr R4 -- 2.48.1