diff options
Diffstat (limited to 'crypto/ec')
50 files changed, 366 insertions, 262 deletions
diff --git a/crypto/ec/asm/ecp_nistz256-armv4.pl b/crypto/ec/asm/ecp_nistz256-armv4.pl index 83abbdd89578..ea538c0698d5 100755 --- a/crypto/ec/asm/ecp_nistz256-armv4.pl +++ b/crypto/ec/asm/ecp_nistz256-armv4.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -1394,7 +1394,7 @@ my ($Z1sqr, $Z2sqr) = ($Hsqr, $Rsqr); # 256-bit vectors on top. Then note that we push # starting from r0, which means that we have copy of # input arguments just below these temporary vectors. -# We use three of them for !in1infty, !in2intfy and +# We use three of them for ~in1infty, ~in2infty and # result of check for zero. $code.=<<___; @@ -1424,7 +1424,7 @@ ecp_nistz256_point_add: #endif movne r12,#-1 stmia r3,{r4-r11} - str r12,[sp,#32*18+8] @ !in2infty + str r12,[sp,#32*18+8] @ ~in2infty ldmia $a_ptr!,{r4-r11} @ copy in1_x add r3,sp,#$in1_x @@ -1445,7 +1445,7 @@ ecp_nistz256_point_add: #endif movne r12,#-1 stmia r3,{r4-r11} - str r12,[sp,#32*18+4] @ !in1infty + str r12,[sp,#32*18+4] @ ~in1infty add $a_ptr,sp,#$in2_z add $b_ptr,sp,#$in2_z @@ -1510,33 +1510,20 @@ ecp_nistz256_point_add: orr $a0,$a0,$a2 orr $a4,$a4,$a6 orr $a0,$a0,$a7 - orrs $a0,$a0,$a4 + orr $a0,$a0,$a4 @ ~is_equal(U1,U2) - bne .Ladd_proceed @ is_equal(U1,U2)? + ldr $t0,[sp,#32*18+4] @ ~in1infty + ldr $t1,[sp,#32*18+8] @ ~in2infty + ldr $t2,[sp,#32*18+12] @ ~is_equal(S1,S2) + mvn $t0,$t0 @ -1/0 -> 0/-1 + mvn $t1,$t1 @ -1/0 -> 0/-1 + orr $a0,$t0 + orr $a0,$t1 + orrs $a0,$t2 @ set flags - ldr $t0,[sp,#32*18+4] - ldr $t1,[sp,#32*18+8] - ldr $t2,[sp,#32*18+12] - tst $t0,$t1 - beq .Ladd_proceed @ (in1infty || in2infty)? - tst $t2,$t2 - beq .Ladd_double @ is_equal(S1,S2)? + @ if(~is_equal(U1,U2) | in1infty | in2infty | ~is_equal(S1,S2)) + bne .Ladd_proceed - ldr $r_ptr,[sp,#32*18+16] - eor r4,r4,r4 - eor r5,r5,r5 - eor r6,r6,r6 - eor r7,r7,r7 - eor r8,r8,r8 - eor r9,r9,r9 - eor r10,r10,r10 - eor r11,r11,r11 - stmia $r_ptr!,{r4-r11} - stmia $r_ptr!,{r4-r11} - stmia $r_ptr!,{r4-r11} - b .Ladd_done - -.align 4 .Ladd_double: ldr $a_ptr,[sp,#32*18+20] add sp,sp,#32*(18-5)+16 @ difference in frame sizes @@ -1601,15 +1588,15 @@ ecp_nistz256_point_add: add $b_ptr,sp,#$S2 bl __ecp_nistz256_sub_from @ p256_sub(res_y, res_y, S2); - ldr r11,[sp,#32*18+4] @ !in1intfy - ldr r12,[sp,#32*18+8] @ !in2intfy + ldr r11,[sp,#32*18+4] @ ~in1infty + ldr r12,[sp,#32*18+8] @ ~in2infty add r1,sp,#$res_x add r2,sp,#$in2_x - and r10,r11,r12 + and r10,r11,r12 @ ~in1infty & ~in2infty mvn r11,r11 add r3,sp,#$in1_x - and r11,r11,r12 - mvn r12,r12 + and r11,r11,r12 @ in1infty & ~in2infty + mvn r12,r12 @ in2infty ldr $r_ptr,[sp,#32*18+16] ___ for($i=0;$i<96;$i+=8) { # conditional moves @@ -1617,11 +1604,11 @@ $code.=<<___; ldmia r1!,{r4-r5} @ res_x ldmia r2!,{r6-r7} @ in2_x ldmia r3!,{r8-r9} @ in1_x - and r4,r4,r10 + and r4,r4,r10 @ ~in1infty & ~in2infty and r5,r5,r10 - and r6,r6,r11 + and r6,r6,r11 @ in1infty & ~in2infty and r7,r7,r11 - and r8,r8,r12 + and r8,r8,r12 @ in2infty and r9,r9,r12 orr r4,r4,r6 orr r5,r5,r7 @@ -1656,7 +1643,7 @@ my $Z1sqr = $S2; # 256-bit vectors on top. Then note that we push # starting from r0, which means that we have copy of # input arguments just below these temporary vectors. -# We use two of them for !in1infty, !in2intfy. +# We use two of them for ~in1infty, ~in2infty. my @ONE_mont=(1,0,0,-1,-1,-1,-2,0); @@ -1687,7 +1674,7 @@ ecp_nistz256_point_add_affine: #endif movne r12,#-1 stmia r3,{r4-r11} - str r12,[sp,#32*15+4] @ !in1infty + str r12,[sp,#32*15+4] @ ~in1infty ldmia $b_ptr!,{r4-r11} @ copy in2_x add r3,sp,#$in2_x @@ -1714,7 +1701,7 @@ ecp_nistz256_point_add_affine: it ne #endif movne r12,#-1 - str r12,[sp,#32*15+8] @ !in2infty + str r12,[sp,#32*15+8] @ ~in2infty add $a_ptr,sp,#$in1_z add $b_ptr,sp,#$in1_z @@ -1796,15 +1783,15 @@ ecp_nistz256_point_add_affine: add $b_ptr,sp,#$S2 bl __ecp_nistz256_sub_from @ p256_sub(res_y, res_y, S2); - ldr r11,[sp,#32*15+4] @ !in1intfy - ldr r12,[sp,#32*15+8] @ !in2intfy + ldr r11,[sp,#32*15+4] @ ~in1infty + ldr r12,[sp,#32*15+8] @ ~in2infty add r1,sp,#$res_x add r2,sp,#$in2_x - and r10,r11,r12 + and r10,r11,r12 @ ~in1infty & ~in2infty mvn r11,r11 add r3,sp,#$in1_x - and r11,r11,r12 - mvn r12,r12 + and r11,r11,r12 @ in1infty & ~in2infty + mvn r12,r12 @ in2infty ldr $r_ptr,[sp,#32*15] ___ for($i=0;$i<64;$i+=8) { # conditional moves @@ -1812,11 +1799,11 @@ $code.=<<___; ldmia r1!,{r4-r5} @ res_x ldmia r2!,{r6-r7} @ in2_x ldmia r3!,{r8-r9} @ in1_x - and r4,r4,r10 + and r4,r4,r10 @ ~in1infty & ~in2infty and r5,r5,r10 - and r6,r6,r11 + and r6,r6,r11 @ in1infty & ~in2infty and r7,r7,r11 - and r8,r8,r12 + and r8,r8,r12 @ in2infty and r9,r9,r12 orr r4,r4,r6 orr r5,r5,r7 @@ -1862,4 +1849,4 @@ foreach (split("\n",$code)) { print $_,"\n"; } -close STDOUT; # enforce flush +close STDOUT or die "error closing STDOUT: $!"; # enforce flush diff --git a/crypto/ec/asm/ecp_nistz256-armv8.pl b/crypto/ec/asm/ecp_nistz256-armv8.pl index 887ddfb1ea9b..e93e18f29f19 100755 --- a/crypto/ec/asm/ecp_nistz256-armv8.pl +++ b/crypto/ec/asm/ecp_nistz256-armv8.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2015-2019 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -722,7 +722,7 @@ $code.=<<___; .align 5 ecp_nistz256_point_double: .inst 0xd503233f // paciasp - stp x29,x30,[sp,#-80]! + stp x29,x30,[sp,#-96]! add x29,sp,#0 stp x19,x20,[sp,#16] stp x21,x22,[sp,#32] @@ -855,7 +855,7 @@ ecp_nistz256_point_double: add sp,x29,#0 // destroy frame ldp x19,x20,[x29,#16] ldp x21,x22,[x29,#32] - ldp x29,x30,[sp],#80 + ldp x29,x30,[sp],#96 .inst 0xd50323bf // autiasp ret .size ecp_nistz256_point_double,.-ecp_nistz256_point_double @@ -872,7 +872,7 @@ my ($res_x,$res_y,$res_z, my ($Z1sqr, $Z2sqr) = ($Hsqr, $Rsqr); # above map() describes stack layout with 12 temporary # 256-bit vectors on top. -my ($rp_real,$ap_real,$bp_real,$in1infty,$in2infty,$temp)=map("x$_",(21..26)); +my ($rp_real,$ap_real,$bp_real,$in1infty,$in2infty,$temp0,$temp1,$temp2)=map("x$_",(21..28)); $code.=<<___; .globl ecp_nistz256_point_add @@ -880,12 +880,13 @@ $code.=<<___; .align 5 ecp_nistz256_point_add: .inst 0xd503233f // paciasp - stp x29,x30,[sp,#-80]! + stp x29,x30,[sp,#-96]! add x29,sp,#0 stp x19,x20,[sp,#16] stp x21,x22,[sp,#32] stp x23,x24,[sp,#48] stp x25,x26,[sp,#64] + stp x27,x28,[sp,#80] sub sp,sp,#32*12 ldp $a0,$a1,[$bp,#64] // in2_z @@ -899,7 +900,7 @@ ecp_nistz256_point_add: orr $t2,$a2,$a3 orr $in2infty,$t0,$t2 cmp $in2infty,#0 - csetm $in2infty,ne // !in2infty + csetm $in2infty,ne // ~in2infty add $rp,sp,#$Z2sqr bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Z2sqr, in2_z); @@ -909,7 +910,7 @@ ecp_nistz256_point_add: orr $t2,$a2,$a3 orr $in1infty,$t0,$t2 cmp $in1infty,#0 - csetm $in1infty,ne // !in1infty + csetm $in1infty,ne // ~in1infty add $rp,sp,#$Z1sqr bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Z1sqr, in1_z); @@ -950,7 +951,7 @@ ecp_nistz256_point_add: orr $acc0,$acc0,$acc1 // see if result is zero orr $acc2,$acc2,$acc3 - orr $temp,$acc0,$acc2 + orr $temp0,$acc0,$acc2 // ~is_equal(S1,S2) add $bp,sp,#$Z2sqr add $rp,sp,#$U1 @@ -971,32 +972,21 @@ ecp_nistz256_point_add: orr $acc0,$acc0,$acc1 // see if result is zero orr $acc2,$acc2,$acc3 - orr $acc0,$acc0,$acc2 - tst $acc0,$acc0 - b.ne .Ladd_proceed // is_equal(U1,U2)? + orr $acc0,$acc0,$acc2 // ~is_equal(U1,U2) - tst $in1infty,$in2infty - b.eq .Ladd_proceed // (in1infty || in2infty)? + mvn $temp1,$in1infty // -1/0 -> 0/-1 + mvn $temp2,$in2infty // -1/0 -> 0/-1 + orr $acc0,$acc0,$temp1 + orr $acc0,$acc0,$temp2 + orr $acc0,$acc0,$temp0 + cbnz $acc0,.Ladd_proceed // if(~is_equal(U1,U2) | in1infty | in2infty | ~is_equal(S1,S2)) - tst $temp,$temp - b.eq .Ladd_double // is_equal(S1,S2)? - - eor $a0,$a0,$a0 - eor $a1,$a1,$a1 - stp $a0,$a1,[$rp_real] - stp $a0,$a1,[$rp_real,#16] - stp $a0,$a1,[$rp_real,#32] - stp $a0,$a1,[$rp_real,#48] - stp $a0,$a1,[$rp_real,#64] - stp $a0,$a1,[$rp_real,#80] - b .Ladd_done - -.align 4 .Ladd_double: mov $ap,$ap_real mov $rp,$rp_real ldp x23,x24,[x29,#48] ldp x25,x26,[x29,#64] + ldp x27,x28,[x29,#80] add sp,sp,#32*(12-4) // difference in stack frames b .Ldouble_shortcut @@ -1081,14 +1071,14 @@ ___ for($i=0;$i<64;$i+=32) { # conditional moves $code.=<<___; ldp $acc0,$acc1,[$ap_real,#$i] // in1 - cmp $in1infty,#0 // !$in1intfy, remember? + cmp $in1infty,#0 // ~$in1intfy, remember? ldp $acc2,$acc3,[$ap_real,#$i+16] csel $t0,$a0,$t0,ne csel $t1,$a1,$t1,ne ldp $a0,$a1,[sp,#$res_x+$i+32] // res csel $t2,$a2,$t2,ne csel $t3,$a3,$t3,ne - cmp $in2infty,#0 // !$in2intfy, remember? + cmp $in2infty,#0 // ~$in2intfy, remember? ldp $a2,$a3,[sp,#$res_x+$i+48] csel $acc0,$t0,$acc0,ne csel $acc1,$t1,$acc1,ne @@ -1102,13 +1092,13 @@ ___ } $code.=<<___; ldp $acc0,$acc1,[$ap_real,#$i] // in1 - cmp $in1infty,#0 // !$in1intfy, remember? + cmp $in1infty,#0 // ~$in1intfy, remember? ldp $acc2,$acc3,[$ap_real,#$i+16] csel $t0,$a0,$t0,ne csel $t1,$a1,$t1,ne csel $t2,$a2,$t2,ne csel $t3,$a3,$t3,ne - cmp $in2infty,#0 // !$in2intfy, remember? + cmp $in2infty,#0 // ~$in2intfy, remember? csel $acc0,$t0,$acc0,ne csel $acc1,$t1,$acc1,ne csel $acc2,$t2,$acc2,ne @@ -1122,7 +1112,8 @@ $code.=<<___; ldp x21,x22,[x29,#32] ldp x23,x24,[x29,#48] ldp x25,x26,[x29,#64] - ldp x29,x30,[sp],#80 + ldp x27,x28,[x29,#80] + ldp x29,x30,[sp],#96 .inst 0xd50323bf // autiasp ret .size ecp_nistz256_point_add,.-ecp_nistz256_point_add @@ -1166,7 +1157,7 @@ ecp_nistz256_point_add_affine: orr $t2,$a2,$a3 orr $in1infty,$t0,$t2 cmp $in1infty,#0 - csetm $in1infty,ne // !in1infty + csetm $in1infty,ne // ~in1infty ldp $acc0,$acc1,[$bp] // in2_x ldp $acc2,$acc3,[$bp,#16] @@ -1180,7 +1171,7 @@ ecp_nistz256_point_add_affine: orr $t0,$t0,$t2 orr $in2infty,$acc0,$t0 cmp $in2infty,#0 - csetm $in2infty,ne // !in2infty + csetm $in2infty,ne // ~in2infty add $rp,sp,#$Z1sqr bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Z1sqr, in1_z); @@ -1290,14 +1281,14 @@ ___ for($i=0;$i<64;$i+=32) { # conditional moves $code.=<<___; ldp $acc0,$acc1,[$ap_real,#$i] // in1 - cmp $in1infty,#0 // !$in1intfy, remember? + cmp $in1infty,#0 // ~$in1intfy, remember? ldp $acc2,$acc3,[$ap_real,#$i+16] csel $t0,$a0,$t0,ne csel $t1,$a1,$t1,ne ldp $a0,$a1,[sp,#$res_x+$i+32] // res csel $t2,$a2,$t2,ne csel $t3,$a3,$t3,ne - cmp $in2infty,#0 // !$in2intfy, remember? + cmp $in2infty,#0 // ~$in2intfy, remember? ldp $a2,$a3,[sp,#$res_x+$i+48] csel $acc0,$t0,$acc0,ne csel $acc1,$t1,$acc1,ne @@ -1314,13 +1305,13 @@ ___ } $code.=<<___; ldp $acc0,$acc1,[$ap_real,#$i] // in1 - cmp $in1infty,#0 // !$in1intfy, remember? + cmp $in1infty,#0 // ~$in1intfy, remember? ldp $acc2,$acc3,[$ap_real,#$i+16] csel $t0,$a0,$t0,ne csel $t1,$a1,$t1,ne csel $t2,$a2,$t2,ne csel $t3,$a3,$t3,ne - cmp $in2infty,#0 // !$in2intfy, remember? + cmp $in2infty,#0 // ~$in2intfy, remember? csel $acc0,$t0,$acc0,ne csel $acc1,$t1,$acc1,ne csel $acc2,$t2,$acc2,ne @@ -1880,4 +1871,4 @@ foreach (split("\n",$code)) { print $_,"\n"; } -close STDOUT; # enforce flush +close STDOUT or die "error closing STDOUT: $!"; # enforce flush diff --git a/crypto/ec/asm/ecp_nistz256-avx2.pl b/crypto/ec/asm/ecp_nistz256-avx2.pl index 794e56a082fc..5071d09ac2ec 100755 --- a/crypto/ec/asm/ecp_nistz256-avx2.pl +++ b/crypto/ec/asm/ecp_nistz256-avx2.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2014-2018 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2014-2020 The OpenSSL Project Authors. All Rights Reserved. # Copyright (c) 2014, Intel Corporation. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use @@ -47,7 +47,7 @@ if (!$addx && $win64 && ($flavour =~ /masm/ || $ENV{ASM} =~ /ml64/) && $addx = ($1>=12); } -if (!$addx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|based on LLVM) ([3-9])\.([0-9]+)/) { +if (!$addx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|based on LLVM) ([0-9]+)\.([0-9]+)/) { my $ver = $2 + $3/100.0; # 3.1->3.01, 3.10->3.10 $avx = ($ver>=3.0) + ($ver>=3.01); $addx = ($ver>=3.03); @@ -2077,4 +2077,4 @@ foreach (split("\n",$code)) { print $_,"\n"; } -close STDOUT; +close STDOUT or die "error closing STDOUT: $!"; diff --git a/crypto/ec/asm/ecp_nistz256-ppc64.pl b/crypto/ec/asm/ecp_nistz256-ppc64.pl index 984c7f205056..2bf54e2aa544 100755 --- a/crypto/ec/asm/ecp_nistz256-ppc64.pl +++ b/crypto/ec/asm/ecp_nistz256-ppc64.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -2379,4 +2379,4 @@ foreach (split("\n",$code)) { print $_,"\n"; } -close STDOUT; # enforce flush +close STDOUT or die "error closing STDOUT: $!"; # enforce flush diff --git a/crypto/ec/asm/ecp_nistz256-sparcv9.pl b/crypto/ec/asm/ecp_nistz256-sparcv9.pl index 4383bea4a7be..042e122718b7 100755 --- a/crypto/ec/asm/ecp_nistz256-sparcv9.pl +++ b/crypto/ec/asm/ecp_nistz256-sparcv9.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2015-2019 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -3057,4 +3057,4 @@ foreach (split("\n",$code)) { print $_,"\n"; } -close STDOUT; +close STDOUT or die "error closing STDOUT: $!"; diff --git a/crypto/ec/asm/ecp_nistz256-x86.pl b/crypto/ec/asm/ecp_nistz256-x86.pl index 0c6fc665bf46..e926d69b020b 100755 --- a/crypto/ec/asm/ecp_nistz256-x86.pl +++ b/crypto/ec/asm/ecp_nistz256-x86.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -1388,7 +1388,7 @@ for ($i=0;$i<7;$i++) { # above map() describes stack layout with 18 temporary # 256-bit vectors on top, then we take extra words for - # !in1infty, !in2infty, result of check for zero and + # ~in1infty, ~in2infty, result of check for zero and # OPENSSL_ia32cap_P copy. [one unused word for padding] &stack_push(8*18+5); if ($sse2) { @@ -1419,7 +1419,7 @@ for ($i=0;$i<7;$i++) { &sub ("eax","ebp"); &or ("ebp","eax"); &sar ("ebp",31); - &mov (&DWP(32*18+4,"esp"),"ebp"); # !in2infty + &mov (&DWP(32*18+4,"esp"),"ebp"); # ~in2infty &lea ("edi",&DWP($in1_x,"esp")); for($i=0;$i<96;$i+=16) { @@ -1441,7 +1441,7 @@ for ($i=0;$i<7;$i++) { &sub ("eax","ebp"); &or ("ebp","eax"); &sar ("ebp",31); - &mov (&DWP(32*18+0,"esp"),"ebp"); # !in1infty + &mov (&DWP(32*18+0,"esp"),"ebp"); # ~in1infty &mov ("eax",&DWP(32*18+12,"esp")); # OPENSSL_ia32cap_P copy &lea ("esi",&DWP($in2_z,"esp")); @@ -1516,23 +1516,19 @@ for ($i=0;$i<7;$i++) { &or ("eax",&DWP(0,"edi")); &or ("eax",&DWP(4,"edi")); &or ("eax",&DWP(8,"edi")); - &or ("eax",&DWP(12,"edi")); + &or ("eax",&DWP(12,"edi")); # ~is_equal(U1,U2) - &data_byte(0x3e); # predict taken - &jnz (&label("add_proceed")); # is_equal(U1,U2)? - - &mov ("eax",&DWP(32*18+0,"esp")); - &and ("eax",&DWP(32*18+4,"esp")); - &mov ("ebx",&DWP(32*18+8,"esp")); - &jz (&label("add_proceed")); # (in1infty || in2infty)? - &test ("ebx","ebx"); - &jz (&label("add_double")); # is_equal(S1,S2)? + &mov ("ebx",&DWP(32*18+0,"esp")); # ~in1infty + ¬ ("ebx"); # -1/0 -> 0/-1 + &or ("eax","ebx"); + &mov ("ebx",&DWP(32*18+4,"esp")); # ~in2infty + ¬ ("ebx"); # -1/0 -> 0/-1 + &or ("eax","ebx"); + &or ("eax",&DWP(32*18+8,"esp")); # ~is_equal(S1,S2) - &mov ("edi",&wparam(0)); - &xor ("eax","eax"); - &mov ("ecx",96/4); - &data_byte(0xfc,0xf3,0xab); # cld; stosd - &jmp (&label("add_done")); + # if (~is_equal(U1,U2) | in1infty | in2infty | ~is_equal(S1,S2)) + &data_byte(0x3e); # predict taken + &jnz (&label("add_proceed")); &set_label("add_double",16); &mov ("esi",&wparam(1)); @@ -1614,34 +1610,34 @@ for ($i=0;$i<7;$i++) { &lea ("edi",&DWP($res_y,"esp")); &call ("_ecp_nistz256_sub"); # p256_sub(res_y, res_y, S2); - &mov ("ebp",&DWP(32*18+0,"esp")); # !in1infty - &mov ("esi",&DWP(32*18+4,"esp")); # !in2infty + &mov ("ebp",&DWP(32*18+0,"esp")); # ~in1infty + &mov ("esi",&DWP(32*18+4,"esp")); # ~in2infty &mov ("edi",&wparam(0)); &mov ("edx","ebp"); ¬ ("ebp"); - &and ("edx","esi"); - &and ("ebp","esi"); - ¬ ("esi"); + &and ("edx","esi"); # ~in1infty & ~in2infty + &and ("ebp","esi"); # in1infty & ~in2infty + ¬ ("esi"); # in2infty ######################################## # conditional moves for($i=64;$i<96;$i+=4) { - &mov ("eax","edx"); + &mov ("eax","edx"); # ~in1infty & ~in2infty &and ("eax",&DWP($res_x+$i,"esp")); - &mov ("ebx","ebp"); + &mov ("ebx","ebp"); # in1infty & ~in2infty &and ("ebx",&DWP($in2_x+$i,"esp")); - &mov ("ecx","esi"); + &mov ("ecx","esi"); # in2infty &and ("ecx",&DWP($in1_x+$i,"esp")); &or ("eax","ebx"); &or ("eax","ecx"); &mov (&DWP($i,"edi"),"eax"); } for($i=0;$i<64;$i+=4) { - &mov ("eax","edx"); + &mov ("eax","edx"); # ~in1infty & ~in2infty &and ("eax",&DWP($res_x+$i,"esp")); - &mov ("ebx","ebp"); + &mov ("ebx","ebp"); # in1infty & ~in2infty &and ("ebx",&DWP($in2_x+$i,"esp")); - &mov ("ecx","esi"); + &mov ("ecx","esi"); # in2infty &and ("ecx",&DWP($in1_x+$i,"esp")); &or ("eax","ebx"); &or ("eax","ecx"); @@ -1668,7 +1664,7 @@ for ($i=0;$i<7;$i++) { # above map() describes stack layout with 15 temporary # 256-bit vectors on top, then we take extra words for - # !in1infty, !in2infty, and OPENSSL_ia32cap_P copy. + # ~in1infty, ~in2infty, and OPENSSL_ia32cap_P copy. &stack_push(8*15+3); if ($sse2) { &call ("_picup_eax"); @@ -1698,7 +1694,7 @@ for ($i=0;$i<7;$i++) { &sub ("eax","ebp"); &or ("ebp","eax"); &sar ("ebp",31); - &mov (&DWP(32*15+0,"esp"),"ebp"); # !in1infty + &mov (&DWP(32*15+0,"esp"),"ebp"); # ~in1infty &lea ("edi",&DWP($in2_x,"esp")); for($i=0;$i<64;$i+=16) { @@ -1724,7 +1720,7 @@ for ($i=0;$i<7;$i++) { &lea ("ebp",&DWP($in1_z,"esp")); &sar ("ebx",31); &lea ("edi",&DWP($Z1sqr,"esp")); - &mov (&DWP(32*15+4,"esp"),"ebx"); # !in2infty + &mov (&DWP(32*15+4,"esp"),"ebx"); # ~in2infty &call ("_ecp_nistz256_mul_mont"); # p256_sqr_mont(Z1sqr, in1_z); @@ -1823,14 +1819,14 @@ for ($i=0;$i<7;$i++) { &lea ("edi",&DWP($res_y,"esp")); &call ("_ecp_nistz256_sub"); # p256_sub(res_y, res_y, S2); - &mov ("ebp",&DWP(32*15+0,"esp")); # !in1infty - &mov ("esi",&DWP(32*15+4,"esp")); # !in2infty + &mov ("ebp",&DWP(32*15+0,"esp")); # ~in1infty + &mov ("esi",&DWP(32*15+4,"esp")); # ~in2infty &mov ("edi",&wparam(0)); &mov ("edx","ebp"); ¬ ("ebp"); - &and ("edx","esi"); - &and ("ebp","esi"); - ¬ ("esi"); + &and ("edx","esi"); # ~in1infty & ~in2infty + &and ("ebp","esi"); # in1infty & ~in2infty + ¬ ("esi"); # in2infty ######################################## # conditional moves @@ -1848,11 +1844,11 @@ for ($i=0;$i<7;$i++) { &mov (&DWP($i,"edi"),"eax"); } for($i=0;$i<64;$i+=4) { - &mov ("eax","edx"); + &mov ("eax","edx"); # ~in1infty & ~in2infty &and ("eax",&DWP($res_x+$i,"esp")); - &mov ("ebx","ebp"); + &mov ("ebx","ebp"); # in1infty & ~in2infty &and ("ebx",&DWP($in2_x+$i,"esp")); - &mov ("ecx","esi"); + &mov ("ecx","esi"); # in2infty &and ("ecx",&DWP($in1_x+$i,"esp")); &or ("eax","ebx"); &or ("eax","ecx"); @@ -1863,4 +1859,4 @@ for ($i=0;$i<7;$i++) { &asm_finish(); -close STDOUT; +close STDOUT or die "error closing STDOUT: $!"; diff --git a/crypto/ec/asm/ecp_nistz256-x86_64.pl b/crypto/ec/asm/ecp_nistz256-x86_64.pl index 10ccc6414a49..de9b194510bf 100755 --- a/crypto/ec/asm/ecp_nistz256-x86_64.pl +++ b/crypto/ec/asm/ecp_nistz256-x86_64.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2014-2019 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2014-2020 The OpenSSL Project Authors. All Rights Reserved. # Copyright (c) 2014, Intel Corporation. All Rights Reserved. # Copyright (c) 2015 CloudFlare, Inc. # @@ -72,7 +72,7 @@ if (!$addx && $win64 && ($flavour =~ /masm/ || $ENV{ASM} =~ /ml64/) && $addx = ($1>=12); } -if (!$addx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|.*based on LLVM) ([3-9])\.([0-9]+)/) { +if (!$addx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|.*based on LLVM) ([0-9]+)\.([0-9]+)/) { my $ver = $2 + $3/100.0; # 3.1->3.01, 3.10->3.10 $avx = ($ver>=3.0) + ($ver>=3.01); $addx = ($ver>=3.03); @@ -1579,6 +1579,7 @@ $code.=<<___; .type ecp_nistz256_to_mont,\@function,2 .align 32 ecp_nistz256_to_mont: +.cfi_startproc ___ $code.=<<___ if ($addx); mov \$0x80100, %ecx @@ -1587,6 +1588,7 @@ ___ $code.=<<___; lea .LRR(%rip), $b_org jmp .Lmul_mont +.cfi_endproc .size ecp_nistz256_to_mont,.-ecp_nistz256_to_mont ################################################################################ @@ -2562,6 +2564,7 @@ $code.=<<___; .type ecp_nistz256_scatter_w5,\@abi-omnipotent .align 32 ecp_nistz256_scatter_w5: +.cfi_startproc lea -3($index,$index,2), $index movdqa 0x00($in_t), %xmm0 shl \$5, $index @@ -2578,6 +2581,7 @@ ecp_nistz256_scatter_w5: movdqa %xmm5, 0x50($val,$index) ret +.cfi_endproc .size ecp_nistz256_scatter_w5,.-ecp_nistz256_scatter_w5 ################################################################################ @@ -2685,6 +2689,7 @@ $code.=<<___; .type ecp_nistz256_scatter_w7,\@abi-omnipotent .align 32 ecp_nistz256_scatter_w7: +.cfi_startproc movdqu 0x00($in_t), %xmm0 shl \$6, $index movdqu 0x10($in_t), %xmm1 @@ -2696,6 +2701,7 @@ ecp_nistz256_scatter_w7: movdqa %xmm3, 0x30($val,$index) ret +.cfi_endproc .size ecp_nistz256_scatter_w7,.-ecp_nistz256_scatter_w7 ################################################################################ @@ -3020,8 +3026,10 @@ $code.=<<___; .type ecp_nistz256_avx2_gather_w7,\@function,3 .align 32 ecp_nistz256_avx2_gather_w7: +.cfi_startproc .byte 0x0f,0x0b # ud2 ret +.cfi_endproc .size ecp_nistz256_avx2_gather_w7,.-ecp_nistz256_avx2_gather_w7 ___ } @@ -3618,28 +3626,18 @@ $code.=<<___; or $acc5, $acc4 # see if result is zero or $acc0, $acc4 + or $acc1, $acc4 # !is_equal(U1, U2) + + movq %xmm2, $acc0 # in1infty | in2infty + movq %xmm3, $acc1 # !is_equal(S1, S2) + + or $acc0, $acc4 or $acc1, $acc4 + # if (!is_equal(U1, U2) | in1infty | in2infty | !is_equal(S1, S2)) .byte 0x3e # predict taken - jnz .Ladd_proceed$x # is_equal(U1,U2)? - movq %xmm2, $acc0 - movq %xmm3, $acc1 - test $acc0, $acc0 - jnz .Ladd_proceed$x # (in1infty || in2infty)? - test $acc1, $acc1 - jz .Ladd_double$x # is_equal(S1,S2)? + jnz .Ladd_proceed$x - movq %xmm0, $r_ptr # restore $r_ptr - pxor %xmm0, %xmm0 - movdqu %xmm0, 0x00($r_ptr) - movdqu %xmm0, 0x10($r_ptr) - movdqu %xmm0, 0x20($r_ptr) - movdqu %xmm0, 0x30($r_ptr) - movdqu %xmm0, 0x40($r_ptr) - movdqu %xmm0, 0x50($r_ptr) - jmp .Ladd_done$x - -.align 32 .Ladd_double$x: movq %xmm1, $a_ptr # restore $a_ptr movq %xmm0, $r_ptr # restore $r_ptr @@ -4738,4 +4736,4 @@ ___ $code =~ s/\`([^\`]*)\`/eval $1/gem; print $code; -close STDOUT; +close STDOUT or die "error closing STDOUT: $!"; diff --git a/crypto/ec/asm/x25519-ppc64.pl b/crypto/ec/asm/x25519-ppc64.pl index 6e8b36420f53..f4b523bf8a08 100755 --- a/crypto/ec/asm/x25519-ppc64.pl +++ b/crypto/ec/asm/x25519-ppc64.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2018-2019 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2018-2020 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -821,4 +821,4 @@ ___ $code =~ s/\`([^\`]*)\`/eval $1/gem; print $code; -close STDOUT; +close STDOUT or die "error closing STDOUT: $!"; diff --git a/crypto/ec/asm/x25519-x86_64.pl b/crypto/ec/asm/x25519-x86_64.pl index 18dc6af9fae9..3d9d1dc1ad0c 100755 --- a/crypto/ec/asm/x25519-x86_64.pl +++ b/crypto/ec/asm/x25519-x86_64.pl @@ -1,5 +1,5 @@ #!/usr/bin/env perl -# Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2018-2020 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -90,7 +90,7 @@ if (!$addx && $win64 && ($flavour =~ /masm/ || $ENV{ASM} =~ /ml64/) && $addx = ($1>=12); } -if (!$addx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|.*based on LLVM) ([3-9])\.([0-9]+)/) { +if (!$addx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|.*based on LLVM) ([0-9]+)\.([0-9]+)/) { my $ver = $2 + $3/100.0; # 3.1->3.01, 3.10->3.10 $addx = ($ver>=3.03); } @@ -488,12 +488,14 @@ $code.=<<___; .type x25519_fe64_eligible,\@abi-omnipotent .align 32 x25519_fe64_eligible: +.cfi_startproc mov OPENSSL_ia32cap_P+8(%rip),%ecx xor %eax,%eax and \$0x80100,%ecx cmp \$0x80100,%ecx cmove %ecx,%eax ret +.cfi_endproc .size x25519_fe64_eligible,.-x25519_fe64_eligible .globl x25519_fe64_mul @@ -722,6 +724,7 @@ x25519_fe64_sqr: .align 32 x25519_fe64_mul121666: .Lfe64_mul121666_body: +.cfi_startproc mov \$121666,%edx mulx 8*0(%rsi),$acc0,%rcx mulx 8*1(%rsi),$acc1,%rax @@ -750,6 +753,7 @@ x25519_fe64_mul121666: .Lfe64_mul121666_epilogue: ret +.cfi_endproc .size x25519_fe64_mul121666,.-x25519_fe64_mul121666 .globl x25519_fe64_add @@ -757,6 +761,7 @@ x25519_fe64_mul121666: .align 32 x25519_fe64_add: .Lfe64_add_body: +.cfi_startproc mov 8*0(%rsi),$acc0 mov 8*1(%rsi),$acc1 mov 8*2(%rsi),$acc2 @@ -785,6 +790,7 @@ x25519_fe64_add: .Lfe64_add_epilogue: ret +.cfi_endproc .size x25519_fe64_add,.-x25519_fe64_add .globl x25519_fe64_sub @@ -792,6 +798,7 @@ x25519_fe64_add: .align 32 x25519_fe64_sub: .Lfe64_sub_body: +.cfi_startproc mov 8*0(%rsi),$acc0 mov 8*1(%rsi),$acc1 mov 8*2(%rsi),$acc2 @@ -820,6 +827,7 @@ x25519_fe64_sub: .Lfe64_sub_epilogue: ret +.cfi_endproc .size x25519_fe64_sub,.-x25519_fe64_sub .globl x25519_fe64_tobytes @@ -827,6 +835,7 @@ x25519_fe64_sub: .align 32 x25519_fe64_tobytes: .Lfe64_to_body: +.cfi_startproc mov 8*0(%rsi),$acc0 mov 8*1(%rsi),$acc1 mov 8*2(%rsi),$acc2 @@ -862,6 +871,7 @@ x25519_fe64_tobytes: .Lfe64_to_epilogue: ret +.cfi_endproc .size x25519_fe64_tobytes,.-x25519_fe64_tobytes ___ } else { @@ -870,8 +880,10 @@ $code.=<<___; .type x25519_fe64_eligible,\@abi-omnipotent .align 32 x25519_fe64_eligible: +.cfi_startproc xor %eax,%eax ret +.cfi_endproc .size x25519_fe64_eligible,.-x25519_fe64_eligible .globl x25519_fe64_mul @@ -887,8 +899,10 @@ x25519_fe64_mul121666: x25519_fe64_add: x25519_fe64_sub: x25519_fe64_tobytes: +.cfi_startproc .byte 0x0f,0x0b # ud2 ret +.cfi_endproc .size x25519_fe64_mul,.-x25519_fe64_mul ___ } @@ -1114,4 +1128,4 @@ ___ $code =~ s/\`([^\`]*)\`/eval $1/gem; print $code; -close STDOUT; +close STDOUT or die "error closing STDOUT: $!"; diff --git a/crypto/ec/curve25519.c b/crypto/ec/curve25519.c index c5d887ec4cd4..952da0e65385 100644 --- a/crypto/ec/curve25519.c +++ b/crypto/ec/curve25519.c @@ -8,7 +8,7 @@ */ #include <string.h> -#include "ec_lcl.h" +#include "ec_local.h" #include <openssl/sha.h> #if defined(X25519_ASM) && (defined(__x86_64) || defined(__x86_64__) || \ diff --git a/crypto/ec/curve448/arch_32/arch_intrinsics.h b/crypto/ec/curve448/arch_32/arch_intrinsics.h index 48081c77170b..5f6389863d15 100644 --- a/crypto/ec/curve448/arch_32/arch_intrinsics.h +++ b/crypto/ec/curve448/arch_32/arch_intrinsics.h @@ -10,10 +10,10 @@ * Originally written by Mike Hamburg */ -#ifndef HEADER_ARCH_32_ARCH_INTRINSICS_H -# define HEADER_ARCH_32_ARCH_INTRINSICS_H +#ifndef OSSL_CRYPTO_EC_CURVE448_ARCH_32_INTRINSICS_H +# define OSSL_CRYPTO_EC_CURVE448_ARCH_32_INTRINSICS_H -#include "internal/constant_time_locl.h" +#include "internal/constant_time.h" # define ARCH_WORD_BITS 32 @@ -24,4 +24,4 @@ static ossl_inline uint64_t widemul(uint32_t a, uint32_t b) return ((uint64_t)a) * b; } -#endif /* HEADER_ARCH_32_ARCH_INTRINSICS_H */ +#endif /* OSSL_CRYPTO_EC_CURVE448_ARCH_32_INTRINSICS_H */ diff --git a/crypto/ec/curve448/arch_32/f_impl.h b/crypto/ec/curve448/arch_32/f_impl.h index bbde84a03897..e1ddddaee08d 100644 --- a/crypto/ec/curve448/arch_32/f_impl.h +++ b/crypto/ec/curve448/arch_32/f_impl.h @@ -10,8 +10,8 @@ * Originally written by Mike Hamburg */ -#ifndef HEADER_ARCH_32_F_IMPL_H -# define HEADER_ARCH_32_F_IMPL_H +#ifndef OSSL_CRYPTO_EC_CURVE448_ARCH_32_F_IMPL_H +# define OSSL_CRYPTO_EC_CURVE448_ARCH_32_F_IMPL_H # define GF_HEADROOM 2 # define LIMB(x) ((x) & ((1 << 28) - 1)), ((x) >> 28) @@ -57,4 +57,4 @@ void gf_weak_reduce(gf a) a->limb[0] = (a->limb[0] & mask) + tmp; } -#endif /* HEADER_ARCH_32_F_IMPL_H */ +#endif /* OSSL_CRYPTO_EC_CURVE448_ARCH_32_F_IMPL_H */ diff --git a/crypto/ec/curve448/curve448.c b/crypto/ec/curve448/curve448.c index 19bd3857812c..12d97f06795b 100644 --- a/crypto/ec/curve448/curve448.c +++ b/crypto/ec/curve448/curve448.c @@ -15,7 +15,7 @@ #include "point_448.h" #include "ed448.h" -#include "curve448_lcl.h" +#include "curve448_local.h" #define COFACTOR 4 diff --git a/crypto/ec/curve448/curve448_lcl.h b/crypto/ec/curve448/curve448_local.h index 2bc3bd84c86d..b27770661f89 100644 --- a/crypto/ec/curve448/curve448_lcl.h +++ b/crypto/ec/curve448/curve448_local.h @@ -6,8 +6,8 @@ * in the file LICENSE in the source distribution or at * https://www.openssl.org/source/license.html */ -#ifndef HEADER_CURVE448_LCL_H -# define HEADER_CURVE448_LCL_H +#ifndef OSSL_CRYPTO_EC_CURVE448_LOCAL_H +# define OSSL_CRYPTO_EC_CURVE448_LOCAL_H # include "curve448utils.h" int X448(uint8_t out_shared_key[56], const uint8_t private_key[56], @@ -35,4 +35,4 @@ int ED448ph_verify(const uint8_t hash[64], const uint8_t signature[114], int ED448_public_from_private(uint8_t out_public_key[57], const uint8_t private_key[57]); -#endif /* HEADER_CURVE448_LCL_H */ +#endif /* OSSL_CRYPTO_EC_CURVE448_LOCAL_H */ diff --git a/crypto/ec/curve448/curve448utils.h b/crypto/ec/curve448/curve448utils.h index 9032bb4f730a..86c258e745e4 100644 --- a/crypto/ec/curve448/curve448utils.h +++ b/crypto/ec/curve448/curve448utils.h @@ -10,8 +10,8 @@ * Originally written by Mike Hamburg */ -#ifndef HEADER_CURVE448UTILS_H -# define HEADER_CURVE448UTILS_H +#ifndef OSSL_CRYPTO_EC_CURVE448UTILS_H +# define OSSL_CRYPTO_EC_CURVE448UTILS_H # include <openssl/e_os2.h> diff --git a/crypto/ec/curve448/ed448.h b/crypto/ec/curve448/ed448.h index 5fe939e8e19d..c1e5c2832f9b 100644 --- a/crypto/ec/curve448/ed448.h +++ b/crypto/ec/curve448/ed448.h @@ -10,8 +10,8 @@ * Originally written by Mike Hamburg */ -#ifndef HEADER_ED448_H -# define HEADER_ED448_H +#ifndef OSSL_CRYPTO_EC_CURVE448_ED448_H +# define OSSL_CRYPTO_EC_CURVE448_ED448_H # include "point_448.h" @@ -192,4 +192,4 @@ c448_error_t c448_ed448_convert_private_key_to_x448( uint8_t x[X448_PRIVATE_BYTES], const uint8_t ed[EDDSA_448_PRIVATE_BYTES]); -#endif /* HEADER_ED448_H */ +#endif /* OSSL_CRYPTO_EC_CURVE448_ED448_H */ diff --git a/crypto/ec/curve448/eddsa.c b/crypto/ec/curve448/eddsa.c index b28f7dff9138..82741f543549 100644 --- a/crypto/ec/curve448/eddsa.c +++ b/crypto/ec/curve448/eddsa.c @@ -1,5 +1,5 @@ /* - * Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2015-2016 Cryptography Research, Inc. * * Licensed under the OpenSSL license (the "License"). You may not use @@ -12,7 +12,7 @@ #include <string.h> #include <openssl/crypto.h> #include <openssl/evp.h> -#include "curve448_lcl.h" +#include "curve448_local.h" #include "word.h" #include "ed448.h" #include "internal/numbers.h" @@ -50,7 +50,12 @@ static c448_error_t hash_init_with_dom(EVP_MD_CTX *hashctx, uint8_t prehashed, const uint8_t *context, size_t context_len) { - const char *dom_s = "SigEd448"; +#ifdef CHARSET_EBCDIC + const char dom_s[] = {0x53, 0x69, 0x67, 0x45, + 0x64, 0x34, 0x34, 0x38, 0x00}; +#else + const char dom_s[] = "SigEd448"; +#endif uint8_t dom[2]; if (context_len > UINT8_MAX) diff --git a/crypto/ec/curve448/field.h b/crypto/ec/curve448/field.h index d96d4c023d44..ccd04482d205 100644 --- a/crypto/ec/curve448/field.h +++ b/crypto/ec/curve448/field.h @@ -10,10 +10,10 @@ * Originally written by Mike Hamburg */ -#ifndef HEADER_FIELD_H -# define HEADER_FIELD_H +#ifndef OSSL_CRYPTO_EC_CURVE448_FIELD_H +# define OSSL_CRYPTO_EC_CURVE448_FIELD_H -# include "internal/constant_time_locl.h" +# include "internal/constant_time.h" # include <string.h> # include <assert.h> # include "word.h" @@ -165,4 +165,4 @@ static ossl_inline void gf_cond_swap(gf x, gf_s * RESTRICT y, mask_t swap) } } -#endif /* HEADER_FIELD_H */ +#endif /* OSSL_CRYPTO_EC_CURVE448_FIELD_H */ diff --git a/crypto/ec/curve448/point_448.h b/crypto/ec/curve448/point_448.h index 399f91b9a1d9..93e715fd9c8d 100644 --- a/crypto/ec/curve448/point_448.h +++ b/crypto/ec/curve448/point_448.h @@ -10,8 +10,8 @@ * Originally written by Mike Hamburg */ -#ifndef HEADER_POINT_448_H -# define HEADER_POINT_448_H +#ifndef OSSL_CRYPTO_EC_CURVE448_POINT_448_H +# define OSSL_CRYPTO_EC_CURVE448_POINT_448_H # include "curve448utils.h" # include "field.h" @@ -298,4 +298,4 @@ void curve448_scalar_destroy(curve448_scalar_t scalar); /* Overwrite point with zeros. */ void curve448_point_destroy(curve448_point_t point); -#endif /* HEADER_POINT_448_H */ +#endif /* OSSL_CRYPTO_EC_CURVE448_POINT_448_H */ diff --git a/crypto/ec/curve448/word.h b/crypto/ec/curve448/word.h index a48b9e053a5c..237cc9b63139 100644 --- a/crypto/ec/curve448/word.h +++ b/crypto/ec/curve448/word.h @@ -10,8 +10,8 @@ * Originally written by Mike Hamburg */ -#ifndef HEADER_WORD_H -# define HEADER_WORD_H +#ifndef OSSL_CRYPTO_EC_CURVE448_WORD_H +# define OSSL_CRYPTO_EC_CURVE448_WORD_H # include <string.h> # include <assert.h> @@ -78,4 +78,4 @@ static ossl_inline mask_t bool_to_mask(c448_bool_t m) return ret; } -#endif /* HEADER_WORD_H */ +#endif /* OSSL_CRYPTO_EC_CURVE448_WORD_H */ diff --git a/crypto/ec/ec2_oct.c b/crypto/ec/ec2_oct.c index ee300518d69c..48543265eeab 100644 --- a/crypto/ec/ec2_oct.c +++ b/crypto/ec/ec2_oct.c @@ -10,7 +10,7 @@ #include <openssl/err.h> -#include "ec_lcl.h" +#include "ec_local.h" #ifndef OPENSSL_NO_EC2M diff --git a/crypto/ec/ec2_smpl.c b/crypto/ec/ec2_smpl.c index 898e741fcb97..84e5537a034a 100644 --- a/crypto/ec/ec2_smpl.c +++ b/crypto/ec/ec2_smpl.c @@ -10,8 +10,8 @@ #include <openssl/err.h> -#include "internal/bn_int.h" -#include "ec_lcl.h" +#include "crypto/bn.h" +#include "ec_local.h" #ifndef OPENSSL_NO_EC2M diff --git a/crypto/ec/ec_ameth.c b/crypto/ec/ec_ameth.c index c086f47ab3cc..221038373921 100644 --- a/crypto/ec/ec_ameth.c +++ b/crypto/ec/ec_ameth.c @@ -14,9 +14,9 @@ #include <openssl/bn.h> #include <openssl/cms.h> #include <openssl/asn1t.h> -#include "internal/asn1_int.h" -#include "internal/evp_int.h" -#include "ec_lcl.h" +#include "crypto/asn1.h" +#include "crypto/evp.h" +#include "ec_local.h" #ifndef OPENSSL_NO_CMS static int ecdh_cms_decrypt(CMS_RecipientInfo *ri); diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c index 1ce1181fc10a..336afc989d30 100644 --- a/crypto/ec/ec_asn1.c +++ b/crypto/ec/ec_asn1.c @@ -8,7 +8,7 @@ */ #include <string.h> -#include "ec_lcl.h" +#include "ec_local.h" #include <openssl/err.h> #include <openssl/asn1t.h> #include <openssl/objects.h> @@ -446,6 +446,7 @@ ECPARAMETERS *EC_GROUP_get_ecparameters(const EC_GROUP *group, unsigned char *buffer = NULL; const EC_POINT *point = NULL; point_conversion_form_t form; + ASN1_INTEGER *orig; if (params == NULL) { if ((ret = ECPARAMETERS_new()) == NULL) { @@ -496,8 +497,9 @@ ECPARAMETERS *EC_GROUP_get_ecparameters(const EC_GROUP *group, ECerr(EC_F_EC_GROUP_GET_ECPARAMETERS, ERR_R_EC_LIB); goto err; } - ret->order = BN_to_ASN1_INTEGER(tmp, ret->order); + ret->order = BN_to_ASN1_INTEGER(tmp, orig = ret->order); if (ret->order == NULL) { + ret->order = orig; ECerr(EC_F_EC_GROUP_GET_ECPARAMETERS, ERR_R_ASN1_LIB); goto err; } @@ -505,8 +507,9 @@ ECPARAMETERS *EC_GROUP_get_ecparameters(const EC_GROUP *group, /* set the cofactor (optional) */ tmp = EC_GROUP_get0_cofactor(group); if (tmp != NULL) { - ret->cofactor = BN_to_ASN1_INTEGER(tmp, ret->cofactor); + ret->cofactor = BN_to_ASN1_INTEGER(tmp, orig = ret->cofactor); if (ret->cofactor == NULL) { + ret->cofactor = orig; ECerr(EC_F_EC_GROUP_GET_ECPARAMETERS, ERR_R_ASN1_LIB); goto err; } @@ -846,6 +849,20 @@ EC_GROUP *EC_GROUP_new_from_ecparameters(const ECPARAMETERS *params) * serialized using explicit parameters by default. */ EC_GROUP_set_asn1_flag(ret, OPENSSL_EC_EXPLICIT_CURVE); + + /* + * If the input params do not contain the optional seed field we make + * sure it is not added to the returned group. + * + * The seed field is not really used inside libcrypto anyway, and + * adding it to parsed explicit parameter keys would alter their DER + * encoding output (because of the extra field) which could impact + * applications fingerprinting keys by their DER encoding. + */ + if (params->curve->seed == NULL) { + if (EC_GROUP_set_seed(ret, NULL, 0) != 1) + goto err; + } } ok = 1; diff --git a/crypto/ec/ec_check.c b/crypto/ec/ec_check.c index eeb06ec1cbe3..d0706d2857e6 100644 --- a/crypto/ec/ec_check.c +++ b/crypto/ec/ec_check.c @@ -7,7 +7,7 @@ * https://www.openssl.org/source/license.html */ -#include "ec_lcl.h" +#include "ec_local.h" #include <openssl/err.h> int EC_GROUP_check(const EC_GROUP *group, BN_CTX *ctx) diff --git a/crypto/ec/ec_curve.c b/crypto/ec/ec_curve.c index 477349d4413e..8de486cbd763 100644 --- a/crypto/ec/ec_curve.c +++ b/crypto/ec/ec_curve.c @@ -9,7 +9,7 @@ */ #include <string.h> -#include "ec_lcl.h" +#include "ec_local.h" #include <openssl/err.h> #include <openssl/obj_mac.h> #include <openssl/opensslconf.h> diff --git a/crypto/ec/ec_cvt.c b/crypto/ec/ec_cvt.c index 0ec346c125ad..944e317d9d14 100644 --- a/crypto/ec/ec_cvt.c +++ b/crypto/ec/ec_cvt.c @@ -9,7 +9,7 @@ */ #include <openssl/err.h> -#include "ec_lcl.h" +#include "ec_local.h" EC_GROUP *EC_GROUP_new_curve_GFp(const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) diff --git a/crypto/ec/ec_key.c b/crypto/ec/ec_key.c index 9349abf03079..08aaac5d8a6f 100644 --- a/crypto/ec/ec_key.c +++ b/crypto/ec/ec_key.c @@ -10,7 +10,7 @@ #include "internal/cryptlib.h" #include <string.h> -#include "ec_lcl.h" +#include "ec_local.h" #include "internal/refcount.h" #include <openssl/err.h> #include <openssl/engine.h> diff --git a/crypto/ec/ec_kmeth.c b/crypto/ec/ec_kmeth.c index 64a5d20872e4..53a4a9295201 100644 --- a/crypto/ec/ec_kmeth.c +++ b/crypto/ec/ec_kmeth.c @@ -11,7 +11,7 @@ #include <openssl/ec.h> #include <openssl/engine.h> #include <openssl/err.h> -#include "ec_lcl.h" +#include "ec_local.h" static const EC_KEY_METHOD openssl_ec_key_method = { diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c index 1289c8608edd..3554ada82797 100644 --- a/crypto/ec/ec_lib.c +++ b/crypto/ec/ec_lib.c @@ -13,7 +13,7 @@ #include <openssl/err.h> #include <openssl/opensslv.h> -#include "ec_lcl.h" +#include "ec_local.h" /* functions for EC_GROUP objects */ diff --git a/crypto/ec/ec_lcl.h b/crypto/ec/ec_local.h index fbdb04ea3a04..e656fbd5e775 100644 --- a/crypto/ec/ec_lcl.h +++ b/crypto/ec/ec_local.h @@ -14,7 +14,7 @@ #include <openssl/ec.h> #include <openssl/bn.h> #include "internal/refcount.h" -#include "internal/ec_int.h" +#include "crypto/ec.h" #if defined(__SUNPRO_C) # if __SUNPRO_C >= 0x520 diff --git a/crypto/ec/ec_mult.c b/crypto/ec/ec_mult.c index 57bdf116f1b6..7980a6728288 100644 --- a/crypto/ec/ec_mult.c +++ b/crypto/ec/ec_mult.c @@ -12,8 +12,8 @@ #include <openssl/err.h> #include "internal/cryptlib.h" -#include "internal/bn_int.h" -#include "ec_lcl.h" +#include "crypto/bn.h" +#include "ec_local.h" #include "internal/refcount.h" /* diff --git a/crypto/ec/ec_oct.c b/crypto/ec/ec_oct.c index 522f79e67360..7ddc86b047ca 100644 --- a/crypto/ec/ec_oct.c +++ b/crypto/ec/ec_oct.c @@ -13,7 +13,7 @@ #include <openssl/err.h> #include <openssl/opensslv.h> -#include "ec_lcl.h" +#include "ec_local.h" int EC_POINT_set_compressed_coordinates(const EC_GROUP *group, EC_POINT *point, const BIGNUM *x, int y_bit, BN_CTX *ctx) diff --git a/crypto/ec/ec_pmeth.c b/crypto/ec/ec_pmeth.c index 454be16c5439..64d2cc93a620 100644 --- a/crypto/ec/ec_pmeth.c +++ b/crypto/ec/ec_pmeth.c @@ -12,9 +12,9 @@ #include <openssl/asn1t.h> #include <openssl/x509.h> #include <openssl/ec.h> -#include "ec_lcl.h" +#include "ec_local.h" #include <openssl/evp.h> -#include "internal/evp_int.h" +#include "crypto/evp.h" /* EC pkey context structure */ diff --git a/crypto/ec/ec_print.c b/crypto/ec/ec_print.c index 027a51928aab..660fc400fb75 100644 --- a/crypto/ec/ec_print.c +++ b/crypto/ec/ec_print.c @@ -9,7 +9,7 @@ #include <openssl/crypto.h> #include <openssl/err.h> -#include "ec_lcl.h" +#include "ec_local.h" BIGNUM *EC_POINT_point2bn(const EC_GROUP *group, const EC_POINT *point, @@ -39,13 +39,13 @@ EC_POINT *EC_POINT_bn2point(const EC_GROUP *group, EC_POINT *ret; if ((buf_len = BN_num_bytes(bn)) == 0) - return NULL; + buf_len = 1; if ((buf = OPENSSL_malloc(buf_len)) == NULL) { ECerr(EC_F_EC_POINT_BN2POINT, ERR_R_MALLOC_FAILURE); return NULL; } - if (!BN_bn2bin(bn, buf)) { + if (!BN_bn2binpad(bn, buf, buf_len)) { OPENSSL_free(buf); return NULL; } diff --git a/crypto/ec/ecdh_kdf.c b/crypto/ec/ecdh_kdf.c index d686f9d897df..96efac62f66f 100644 --- a/crypto/ec/ecdh_kdf.c +++ b/crypto/ec/ecdh_kdf.c @@ -10,7 +10,7 @@ #include <string.h> #include <openssl/ec.h> #include <openssl/evp.h> -#include "ec_lcl.h" +#include "ec_local.h" /* Key derivation function from X9.63/SECG */ /* Way more than we will ever need */ diff --git a/crypto/ec/ecdh_ossl.c b/crypto/ec/ecdh_ossl.c index ab51ee7138ff..0be00d43da4e 100644 --- a/crypto/ec/ecdh_ossl.c +++ b/crypto/ec/ecdh_ossl.c @@ -17,7 +17,7 @@ #include <openssl/bn.h> #include <openssl/objects.h> #include <openssl/ec.h> -#include "ec_lcl.h" +#include "ec_local.h" int ossl_ecdh_compute_key(unsigned char **psec, size_t *pseclen, const EC_POINT *pub_key, const EC_KEY *ecdh) diff --git a/crypto/ec/ecdsa_ossl.c b/crypto/ec/ecdsa_ossl.c index c35ed2dcd0e7..1da87bfb5e39 100644 --- a/crypto/ec/ecdsa_ossl.c +++ b/crypto/ec/ecdsa_ossl.c @@ -11,8 +11,8 @@ #include <openssl/err.h> #include <openssl/obj_mac.h> #include <openssl/rand.h> -#include "internal/bn_int.h" -#include "ec_lcl.h" +#include "crypto/bn.h" +#include "ec_local.h" int ossl_ecdsa_sign(int type, const unsigned char *dgst, int dlen, unsigned char *sig, unsigned int *siglen, @@ -309,7 +309,7 @@ int ossl_ecdsa_verify(int type, const unsigned char *dgst, int dgst_len, goto err; ret = ECDSA_do_verify(dgst, dgst_len, s, eckey); err: - OPENSSL_clear_free(der, derlen); + OPENSSL_free(der); ECDSA_SIG_free(s); return ret; } diff --git a/crypto/ec/ecdsa_sign.c b/crypto/ec/ecdsa_sign.c index aee06e991bad..dc79c8c8e3df 100644 --- a/crypto/ec/ecdsa_sign.c +++ b/crypto/ec/ecdsa_sign.c @@ -8,7 +8,7 @@ */ #include <openssl/ec.h> -#include "ec_lcl.h" +#include "ec_local.h" #include <openssl/err.h> ECDSA_SIG *ECDSA_do_sign(const unsigned char *dgst, int dlen, EC_KEY *eckey) diff --git a/crypto/ec/ecdsa_vrf.c b/crypto/ec/ecdsa_vrf.c index f61a20063e4b..ff597bdc143c 100644 --- a/crypto/ec/ecdsa_vrf.c +++ b/crypto/ec/ecdsa_vrf.c @@ -1,5 +1,5 @@ /* - * Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2002-2020 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -8,7 +8,7 @@ */ #include <openssl/ec.h> -#include "ec_lcl.h" +#include "ec_local.h" #include <openssl/err.h> /*- @@ -23,7 +23,7 @@ int ECDSA_do_verify(const unsigned char *dgst, int dgst_len, if (eckey->meth->verify_sig != NULL) return eckey->meth->verify_sig(dgst, dgst_len, sig, eckey); ECerr(EC_F_ECDSA_DO_VERIFY, EC_R_OPERATION_NOT_SUPPORTED); - return 0; + return -1; } /*- @@ -39,5 +39,5 @@ int ECDSA_verify(int type, const unsigned char *dgst, int dgst_len, return eckey->meth->verify(type, dgst, dgst_len, sigbuf, sig_len, eckey); ECerr(EC_F_ECDSA_VERIFY, EC_R_OPERATION_NOT_SUPPORTED); - return 0; + return -1; } diff --git a/crypto/ec/ecp_mont.c b/crypto/ec/ecp_mont.c index 252e66ef3791..bdc39d5efb0e 100644 --- a/crypto/ec/ecp_mont.c +++ b/crypto/ec/ecp_mont.c @@ -10,7 +10,7 @@ #include <openssl/err.h> -#include "ec_lcl.h" +#include "ec_local.h" const EC_METHOD *EC_GFp_mont_method(void) { diff --git a/crypto/ec/ecp_nist.c b/crypto/ec/ecp_nist.c index 5eaa99d8402b..9fd01279a891 100644 --- a/crypto/ec/ecp_nist.c +++ b/crypto/ec/ecp_nist.c @@ -12,7 +12,7 @@ #include <openssl/err.h> #include <openssl/obj_mac.h> -#include "ec_lcl.h" +#include "ec_local.h" const EC_METHOD *EC_GFp_nist_method(void) { diff --git a/crypto/ec/ecp_nistp224.c b/crypto/ec/ecp_nistp224.c index fbbdb9d9386c..9a9ced8f1343 100644 --- a/crypto/ec/ecp_nistp224.c +++ b/crypto/ec/ecp_nistp224.c @@ -1,5 +1,5 @@ /* - * Copyright 2010-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2010-2020 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -38,7 +38,7 @@ NON_EMPTY_TRANSLATION_UNIT # include <stdint.h> # include <string.h> # include <openssl/err.h> -# include "ec_lcl.h" +# include "ec_local.h" # if defined(__SIZEOF_INT128__) && __SIZEOF_INT128__==16 /* even with gcc, the typedef won't work for 32-bit platforms */ @@ -907,6 +907,7 @@ static void point_add(felem x3, felem y3, felem z3, felem ftmp, ftmp2, ftmp3, ftmp4, ftmp5, x_out, y_out, z_out; widefelem tmp, tmp2; limb z1_is_zero, z2_is_zero, x_equal, y_equal; + limb points_equal; if (!mixed) { /* ftmp2 = z2^2 */ @@ -963,15 +964,41 @@ static void point_add(felem x3, felem y3, felem z3, felem_reduce(ftmp, tmp); /* - * the formulae are incorrect if the points are equal so we check for - * this and do doubling if this happens + * The formulae are incorrect if the points are equal, in affine coordinates + * (X_1, Y_1) == (X_2, Y_2), so we check for this and do doubling if this + * happens. + * + * We use bitwise operations to avoid potential side-channels introduced by + * the short-circuiting behaviour of boolean operators. */ x_equal = felem_is_zero(ftmp); y_equal = felem_is_zero(ftmp3); + /* + * The special case of either point being the point at infinity (z1 and/or + * z2 are zero), is handled separately later on in this function, so we + * avoid jumping to point_double here in those special cases. + */ z1_is_zero = felem_is_zero(z1); z2_is_zero = felem_is_zero(z2); - /* In affine coordinates, (X_1, Y_1) == (X_2, Y_2) */ - if (x_equal && y_equal && !z1_is_zero && !z2_is_zero) { + + /* + * Compared to `ecp_nistp256.c` and `ecp_nistp521.c`, in this + * specific implementation `felem_is_zero()` returns truth as `0x1` + * (rather than `0xff..ff`). + * + * This implies that `~true` in this implementation becomes + * `0xff..fe` (rather than `0x0`): for this reason, to be used in + * the if expression, we mask out only the last bit in the next + * line. + */ + points_equal = (x_equal & y_equal & (~z1_is_zero) & (~z2_is_zero)) & 1; + + if (points_equal) { + /* + * This is obviously not constant-time but, as mentioned before, this + * case never happens during single point multiplication, so there is no + * timing leak for ECDH or ECDSA signing. + */ point_double(x3, y3, z3, x1, y1, z1); return; } diff --git a/crypto/ec/ecp_nistp256.c b/crypto/ec/ecp_nistp256.c index 22ba69aa44ba..e23e9d2a0b34 100644 --- a/crypto/ec/ecp_nistp256.c +++ b/crypto/ec/ecp_nistp256.c @@ -1,5 +1,5 @@ /* - * Copyright 2011-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2011-2020 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -39,7 +39,7 @@ NON_EMPTY_TRANSLATION_UNIT # include <stdint.h> # include <string.h> # include <openssl/err.h> -# include "ec_lcl.h" +# include "ec_local.h" # if defined(__SIZEOF_INT128__) && __SIZEOF_INT128__==16 /* even with gcc, the typedef won't work for 32-bit platforms */ @@ -74,8 +74,8 @@ static const felem_bytearray nistp256_curve_params[5] = { {0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x01, /* a = -3 */ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfc}, /* b */ - {0x5a, 0xc6, 0x35, 0xd8, 0xaa, 0x3a, 0x93, 0xe7, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfc}, + {0x5a, 0xc6, 0x35, 0xd8, 0xaa, 0x3a, 0x93, 0xe7, /* b */ 0xb3, 0xeb, 0xbd, 0x55, 0x76, 0x98, 0x86, 0xbc, 0x65, 0x1d, 0x06, 0xb0, 0xcc, 0x53, 0xb0, 0xf6, 0x3b, 0xce, 0x3c, 0x3e, 0x27, 0xd2, 0x60, 0x4b}, @@ -1241,6 +1241,7 @@ static void point_add(felem x3, felem y3, felem z3, longfelem tmp, tmp2; smallfelem small1, small2, small3, small4, small5; limb x_equal, y_equal, z1_is_zero, z2_is_zero; + limb points_equal; felem_shrink(small3, z1); @@ -1340,7 +1341,26 @@ static void point_add(felem x3, felem y3, felem z3, felem_shrink(small1, ftmp5); y_equal = smallfelem_is_zero(small1); - if (x_equal && y_equal && !z1_is_zero && !z2_is_zero) { + /* + * The formulae are incorrect if the points are equal, in affine coordinates + * (X_1, Y_1) == (X_2, Y_2), so we check for this and do doubling if this + * happens. + * + * We use bitwise operations to avoid potential side-channels introduced by + * the short-circuiting behaviour of boolean operators. + * + * The special case of either point being the point at infinity (z1 and/or + * z2 are zero), is handled separately later on in this function, so we + * avoid jumping to point_double here in those special cases. + */ + points_equal = (x_equal & y_equal & (~z1_is_zero) & (~z2_is_zero)); + + if (points_equal) { + /* + * This is obviously not constant-time but, as mentioned before, this + * case never happens during single point multiplication, so there is no + * timing leak for ECDH or ECDSA signing. + */ point_double(x3, y3, z3, x1, y1, z1); return; } diff --git a/crypto/ec/ecp_nistp521.c b/crypto/ec/ecp_nistp521.c index 6340f4827937..75eeba853679 100644 --- a/crypto/ec/ecp_nistp521.c +++ b/crypto/ec/ecp_nistp521.c @@ -1,5 +1,5 @@ /* - * Copyright 2011-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2011-2020 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -38,7 +38,7 @@ NON_EMPTY_TRANSLATION_UNIT # include <string.h> # include <openssl/err.h> -# include "ec_lcl.h" +# include "ec_local.h" # if defined(__SIZEOF_INT128__) && __SIZEOF_INT128__==16 /* even with gcc, the typedef won't work for 32-bit platforms */ @@ -1158,6 +1158,7 @@ static void point_add(felem x3, felem y3, felem z3, felem ftmp, ftmp2, ftmp3, ftmp4, ftmp5, ftmp6, x_out, y_out, z_out; largefelem tmp, tmp2; limb x_equal, y_equal, z1_is_zero, z2_is_zero; + limb points_equal; z1_is_zero = felem_is_zero(z1); z2_is_zero = felem_is_zero(z2); @@ -1242,7 +1243,24 @@ static void point_add(felem x3, felem y3, felem z3, felem_scalar64(ftmp5, 2); /* ftmp5[i] < 2^61 */ - if (x_equal && y_equal && !z1_is_zero && !z2_is_zero) { + /* + * The formulae are incorrect if the points are equal, in affine coordinates + * (X_1, Y_1) == (X_2, Y_2), so we check for this and do doubling if this + * happens. + * + * We use bitwise operations to avoid potential side-channels introduced by + * the short-circuiting behaviour of boolean operators. + * + * The special case of either point being the point at infinity (z1 and/or + * z2 are zero), is handled separately later on in this function, so we + * avoid jumping to point_double here in those special cases. + * + * Notice the comment below on the implications of this branching for timing + * leaks and why it is considered practically irrelevant. + */ + points_equal = (x_equal & y_equal & (~z1_is_zero) & (~z2_is_zero)); + + if (points_equal) { /* * This is obviously not constant-time but it will almost-never happen * for ECDH / ECDSA. The case where it can happen is during scalar-mult diff --git a/crypto/ec/ecp_nistputil.c b/crypto/ec/ecp_nistputil.c index f89a2f0aacc1..60e1325c340f 100644 --- a/crypto/ec/ecp_nistputil.c +++ b/crypto/ec/ecp_nistputil.c @@ -33,7 +33,7 @@ NON_EMPTY_TRANSLATION_UNIT */ # include <stddef.h> -# include "ec_lcl.h" +# include "ec_local.h" /* * Convert an array of points into affine coordinates. (If the point at diff --git a/crypto/ec/ecp_nistz256.c b/crypto/ec/ecp_nistz256.c index 7ad5eb627de1..ba9268138862 100644 --- a/crypto/ec/ecp_nistz256.c +++ b/crypto/ec/ecp_nistz256.c @@ -1,5 +1,5 @@ /* - * Copyright 2014-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2014-2020 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2014, Intel Corporation. All Rights Reserved. * Copyright (c) 2015, CloudFlare, Inc. * @@ -21,8 +21,8 @@ #include <string.h> #include "internal/cryptlib.h" -#include "internal/bn_int.h" -#include "ec_lcl.h" +#include "crypto/bn.h" +#include "ec_local.h" #include "internal/refcount.h" #if BN_BITS2 != 64 @@ -358,16 +358,47 @@ static void ecp_nistz256_point_add(P256_POINT *r, ecp_nistz256_sub(H, U2, U1); /* H = U2 - U1 */ /* - * This should not happen during sign/ecdh, so no constant time violation + * The formulae are incorrect if the points are equal so we check for + * this and do doubling if this happens. + * + * Points here are in Jacobian projective coordinates (Xi, Yi, Zi) + * that are bound to the affine coordinates (xi, yi) by the following + * equations: + * - xi = Xi / (Zi)^2 + * - y1 = Yi / (Zi)^3 + * + * For the sake of optimization, the algorithm operates over + * intermediate variables U1, U2 and S1, S2 that are derived from + * the projective coordinates: + * - U1 = X1 * (Z2)^2 ; U2 = X2 * (Z1)^2 + * - S1 = Y1 * (Z2)^3 ; S2 = Y2 * (Z1)^3 + * + * It is easy to prove that is_equal(U1, U2) implies that the affine + * x-coordinates are equal, or either point is at infinity. + * Likewise is_equal(S1, S2) implies that the affine y-coordinates are + * equal, or either point is at infinity. + * + * The special case of either point being the point at infinity (Z1 or Z2 + * is zero), is handled separately later on in this function, so we avoid + * jumping to point_double here in those special cases. + * + * When both points are inverse of each other, we know that the affine + * x-coordinates are equal, and the y-coordinates have different sign. + * Therefore since U1 = U2, we know H = 0, and therefore Z3 = H*Z1*Z2 + * will equal 0, thus the result is infinity, if we simply let this + * function continue normally. + * + * We use bitwise operations to avoid potential side-channels introduced by + * the short-circuiting behaviour of boolean operators. */ - if (is_equal(U1, U2) && !in1infty && !in2infty) { - if (is_equal(S1, S2)) { - ecp_nistz256_point_double(r, a); - return; - } else { - memset(r, 0, sizeof(*r)); - return; - } + if (is_equal(U1, U2) & ~in1infty & ~in2infty & is_equal(S1, S2)) { + /* + * This is obviously not constant-time but it should never happen during + * single point multiplication, so there is no timing leak for ECDH or + * ECDSA signing. + */ + ecp_nistz256_point_double(r, a); + return; } ecp_nistz256_sqr_mont(Rsqr, R); /* R^2 */ diff --git a/crypto/ec/ecp_oct.c b/crypto/ec/ecp_oct.c index 7ade1b3d2173..9460763256fd 100644 --- a/crypto/ec/ecp_oct.c +++ b/crypto/ec/ecp_oct.c @@ -11,7 +11,7 @@ #include <openssl/err.h> #include <openssl/symhacks.h> -#include "ec_lcl.h" +#include "ec_local.h" int ec_GFp_simple_set_compressed_coordinates(const EC_GROUP *group, EC_POINT *point, diff --git a/crypto/ec/ecp_smpl.c b/crypto/ec/ecp_smpl.c index e6e4c9d2cbb7..b354bfe9ce9e 100644 --- a/crypto/ec/ecp_smpl.c +++ b/crypto/ec/ecp_smpl.c @@ -11,7 +11,7 @@ #include <openssl/err.h> #include <openssl/symhacks.h> -#include "ec_lcl.h" +#include "ec_local.h" const EC_METHOD *EC_GFp_simple_method(void) { diff --git a/crypto/ec/ecx_meth.c b/crypto/ec/ecx_meth.c index c87419b5db38..9dc5259e4afc 100644 --- a/crypto/ec/ecx_meth.c +++ b/crypto/ec/ecx_meth.c @@ -12,10 +12,10 @@ #include <openssl/x509.h> #include <openssl/ec.h> #include <openssl/rand.h> -#include "internal/asn1_int.h" -#include "internal/evp_int.h" -#include "ec_lcl.h" -#include "curve448/curve448_lcl.h" +#include "crypto/asn1.h" +#include "crypto/evp.h" +#include "ec_local.h" +#include "curve448/curve448_local.h" #define X25519_BITS 253 #define X25519_SECURITY_BITS 128 @@ -191,7 +191,7 @@ static int ecx_priv_decode(EVP_PKEY *pkey, const PKCS8_PRIV_KEY_INFO *p8) } rv = ecx_key_op(pkey, pkey->ameth->pkey_id, palg, p, plen, KEY_OP_PRIVATE); - ASN1_OCTET_STRING_free(oct); + ASN1_STRING_clear_free(oct); return rv; } |