Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Refactor fe_isnonzero to fe_isnonzero_vartime #1893

Open
wants to merge 7 commits into
base: main
Choose a base branch
from
Open

Refactor fe_isnonzero to fe_isnonzero_vartime #1893

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
9962055
Refactor fe_isnonzero to fe_isnonzero_vartime
tisonkun Jan 11, 2024
eb530d1
Update verify_slices_are_equal not use CRYPTO_memcmp
tisonkun Jan 11, 2024
6510eb5
fixup test
tisonkun Jan 11, 2024
b9a275c
revert all previous commits
tisonkun Jan 13, 2024
e7143af
address comment
tisonkun Jan 13, 2024
8aba2ef
Merge branch 'main' into fe_isnonzero_vartime
tisonkun Feb 21, 2024
407599a
fe_isnonzero_vartime is not constant-time fn
tisonkun Feb 21, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 0 additions & 2 deletions Cargo.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -94,7 +94,6 @@ include = [
"crypto/limbs/limbs.c",
"crypto/limbs/limbs.h",
"crypto/limbs/limbs.inl",
"crypto/mem.c",
tisonkun marked this conversation as resolved.
Show resolved Hide resolved
"crypto/perlasm/arm-xlate.pl",
"crypto/perlasm/x86asm.pl",
"crypto/perlasm/x86gas.pl",
Expand All @@ -113,7 +112,6 @@ include = [
"include/ring-core/asm_base.h",
"include/ring-core/base.h",
"include/ring-core/check.h",
"include/ring-core/mem.h",
tisonkun marked this conversation as resolved.
Show resolved Hide resolved
"include/ring-core/poly1305.h",
"include/ring-core/target.h",
"include/ring-core/type_check.h",
Expand Down
2 changes: 0 additions & 2 deletions build.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -43,7 +43,6 @@ const RING_SRCS: &[(&[&str], &str)] = &[
(&[], "crypto/fipsmodule/ec/gfp_p384.c"),
(&[], "crypto/fipsmodule/ec/p256.c"),
(&[], "crypto/limbs/limbs.c"),
(&[], "crypto/mem.c"),
tisonkun marked this conversation as resolved.
Show resolved Hide resolved
(&[], "crypto/poly1305/poly1305.c"),

(&[AARCH64, ARM, X86_64, X86], "crypto/crypto.c"),
Expand Down Expand Up @@ -885,7 +884,6 @@ fn prefix_all_symbols(pp: char, prefix_prefix: &str, prefix: &str) -> String {
];

static SYMBOLS_TO_PREFIX: &[&str] = &[
"CRYPTO_memcmp",
tisonkun marked this conversation as resolved.
Show resolved Hide resolved
"CRYPTO_poly1305_finish",
"CRYPTO_poly1305_finish_neon",
"CRYPTO_poly1305_init",
Expand Down
16 changes: 9 additions & 7 deletions crypto/curve25519/curve25519.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,8 +19,6 @@
//
// The field functions are shared by Ed25519 and X25519 where possible.

#include <ring-core/mem.h>

#include "internal.h"
#include "../internal.h"

Expand Down Expand Up @@ -397,14 +395,18 @@ static void fe_invert(fe *out, const fe *z) {

// return 0 if f == 0
// return 1 if f != 0
static int fe_isnonzero(const fe_loose *f) {
static int fe_isnonzero_vartime(const fe_loose *f) {
fe tight;
fe_carry(&tight, f);
uint8_t s[32];
fe_tobytes(s, &tight);

static const uint8_t zero[32] = {0};
tisonkun marked this conversation as resolved.
Show resolved Hide resolved
return CRYPTO_memcmp(s, zero, sizeof(zero)) != 0;
for (unsigned i = 0; i < 32; i++) {
tisonkun marked this conversation as resolved.
Show resolved Hide resolved
if (s[i] != 0) {
return 1;
}
}
return 0;
}

// return 1 if f is in {1,3,5,...,q-2}
Expand Down Expand Up @@ -507,9 +509,9 @@ int x25519_ge_frombytes_vartime(ge_p3 *h, const uint8_t s[32]) {
fe_sq_tt(&vxx, &h->X);
fe_mul_ttl(&vxx, &vxx, &v);
fe_sub(&check, &vxx, &u);
if (fe_isnonzero(&check)) {
if (fe_isnonzero_vartime(&check)) {
fe_add(&check, &vxx, &u);
if (fe_isnonzero(&check)) {
if (fe_isnonzero_vartime(&check)) {
return 0;
}
fe_mul_ttt(&h->X, &h->X, &sqrtm1);
Expand Down
70 changes: 0 additions & 70 deletions crypto/mem.c
View file
Open in desktop

This file was deleted.

69 changes: 0 additions & 69 deletions include/ring-core/mem.h
View file
Open in desktop

This file was deleted.

17 changes: 5 additions & 12 deletions src/constant_time.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,27 +14,20 @@

//! Constant-time operations.

use crate::{c, error};
use crate::error;

/// Returns `Ok(())` if `a == b` and `Err(error::Unspecified)` otherwise.
/// The comparison of `a` and `b` is done in constant time with respect to the
/// contents of each, but NOT in constant time with respect to the lengths of
/// `a` and `b`.
pub fn verify_slices_are_equal(a: &[u8], b: &[u8]) -> Result<(), error::Unspecified> {
if a.len() != b.len() {
return Err(error::Unspecified);
}
let result = unsafe { CRYPTO_memcmp(a.as_ptr(), b.as_ptr(), a.len()) };
match result {
0 => Ok(()),
_ => Err(error::Unspecified),
if a != b {
tisonkun marked this conversation as resolved.
Show resolved Hide resolved
Err(error::Unspecified)
} else {
Ok(())
}
}

prefixed_extern! {
fn CRYPTO_memcmp(a: *const u8, b: *const u8, len: c::size_t) -> c::int;
}

#[cfg(test)]
mod tests {
use crate::limb::LimbMask;
Expand Down