[openssl] master update
patrick.steuer at de.ibm.com
patrick.steuer at de.ibm.com
Tue Nov 5 13:06:37 UTC 2019
The branch master has been updated
via 677c4a012a7e72b5f2dd239639034f01fad850bf (commit)
via 6376c229c44a355248db17e9f0bb2e4567a16d0d (commit)
via 58738b1cad8777230226009a6bb4efa3def22216 (commit)
from 826112295ae94e5b15fe5073cfdf4cff6d79503b (commit)
- Log -----------------------------------------------------------------
commit 677c4a012a7e72b5f2dd239639034f01fad850bf
Author: Patrick Steuer <patrick.steuer at de.ibm.com>
Date: Sun Nov 3 00:32:04 2019 +0100
s390x assembly pack: process x25519 and x448 non-canonical values
...in constant time.
Signed-off-by: Patrick Steuer <patrick.steuer at de.ibm.com>
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10339)
commit 6376c229c44a355248db17e9f0bb2e4567a16d0d
Author: Patrick Steuer <patrick.steuer at de.ibm.com>
Date: Sun Nov 3 00:01:20 2019 +0100
Add self-generated test vector for x448 non-canonical values
x25519 has such a test vector obtained from wycheproof but wycheproof
does not have a corresponding x448 test vector.
So add a self-generated test vector for that case.
Signed-off-by: Patrick Steuer <patrick.steuer at de.ibm.com>
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10339)
commit 58738b1cad8777230226009a6bb4efa3def22216
Author: Patrick Steuer <patrick.steuer at de.ibm.com>
Date: Sat Nov 2 23:50:26 2019 +0100
s390x assembly pack: fix x448 handling of non-canonical values
The s390x x448 implementation does not correctly reduce non-canonical
values i.e., u-coordinates >= p = 2^448 - 2^224 - 1.
Signed-off-by: Patrick Steuer <patrick.steuer at de.ibm.com>
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10339)
-----------------------------------------------------------------------
Summary of changes:
crypto/ec/ecx_meth.c | 21 ++++++++++-----------
include/internal/constant_time.h | 28 ++++++++++++++++++++++++++++
test/recipes/30-test_evp_data/evppkey.txt | 7 +++++++
3 files changed, 45 insertions(+), 11 deletions(-)
diff --git a/crypto/ec/ecx_meth.c b/crypto/ec/ecx_meth.c
index eace1a88cd..d141fe7b81 100644
--- a/crypto/ec/ecx_meth.c
+++ b/crypto/ec/ecx_meth.c
@@ -854,6 +854,7 @@ static const EVP_PKEY_METHOD ed448_pkey_meth = {
#ifdef S390X_EC_ASM
# include "s390x_arch.h"
+# include "internal/constant_time.h"
static void s390x_x25519_mod_p(unsigned char u[32])
{
@@ -867,16 +868,16 @@ static void s390x_x25519_mod_p(unsigned char u[32])
u_red[31] = (unsigned char)c;
c >>= 8;
- for (i = 30; c > 0 && i >= 0; i--) {
+ for (i = 30; i >= 0; i--) {
c += (unsigned int)u_red[i];
u_red[i] = (unsigned char)c;
c >>= 8;
}
- if (u_red[0] & 0x80) {
- u_red[0] &= 0x7f;
- memcpy(u, u_red, sizeof(u_red));
- }
+ c = (u_red[0] & 0x80) >> 7;
+ u_red[0] &= 0x7f;
+ constant_time_cond_swap_buff(0 - (unsigned char)c,
+ u, u_red, sizeof(u_red));
}
static void s390x_x448_mod_p(unsigned char u[56])
@@ -901,16 +902,14 @@ static void s390x_x448_mod_p(unsigned char u[56])
u_red[27] = (unsigned char)c;
c >>= 8;
- for (i = 26; c > 0 && i >= 0; i--) {
+ for (i = 26; i >= 0; i--) {
c += (unsigned int)u_red[i];
u_red[i] = (unsigned char)c;
c >>= 8;
}
- if (u_red[0] & 0x80) {
- u_red[0] &= 0x7f;
- memcpy(u, u_red, sizeof(u_red));
- }
+ constant_time_cond_swap_buff(0 - (unsigned char)c,
+ u, u_red, sizeof(u_red));
}
static int s390x_x25519_mul(unsigned char u_dst[32],
@@ -966,7 +965,7 @@ static int s390x_x448_mul(unsigned char u_dst[56],
memcpy(param.x448.d_src, d_src, 56);
s390x_flip_endian64(param.x448.u_src, param.x448.u_src);
- s390x_x448_mod_p(param.x448.u_src);
+ s390x_x448_mod_p(param.x448.u_src + 8);
s390x_flip_endian64(param.x448.d_src, param.x448.d_src);
param.x448.d_src[63] &= 252;
diff --git a/include/internal/constant_time.h b/include/internal/constant_time.h
index d98dae9545..dc75e31df1 100644
--- a/include/internal/constant_time.h
+++ b/include/internal/constant_time.h
@@ -352,6 +352,34 @@ static ossl_inline void constant_time_cond_swap_64(uint64_t mask, uint64_t *a,
*b ^= xor;
}
+/*
+ * mask must be 0xFF or 0x00.
+ * "constant time" is per len.
+ *
+ * if (mask) {
+ * unsigned char tmp[len];
+ *
+ * memcpy(tmp, a, len);
+ * memcpy(a, b);
+ * memcpy(b, tmp);
+ * }
+ */
+static ossl_inline void constant_time_cond_swap_buff(unsigned char mask,
+ unsigned char *a,
+ unsigned char *b,
+ size_t len)
+{
+ size_t i;
+ unsigned char tmp;
+
+ for (i = 0; i < len; i++) {
+ tmp = a[i] ^ b[i];
+ tmp &= mask;
+ a[i] ^= tmp;
+ b[i] ^= tmp;
+ }
+}
+
/*
* table is a two dimensional array of bytes. Each row has rowsize elements.
* Copies row number idx into out. rowsize and numrows are not considered
diff --git a/test/recipes/30-test_evp_data/evppkey.txt b/test/recipes/30-test_evp_data/evppkey.txt
index d395f15664..9b3e514024 100644
--- a/test/recipes/30-test_evp_data/evppkey.txt
+++ b/test/recipes/30-test_evp_data/evppkey.txt
@@ -807,6 +807,8 @@ PublicKeyRaw=Bob-448-PUBLIC-Raw:X448:3eb7a829b0cd20f5bcfc0b599b6feccf6da4627107b
PrivPubKeyPair = Bob-448-Raw:Bob-448-PUBLIC-Raw
+PublicKeyRaw=Bob-448-PUBLIC-Raw-NonCanonical:X448:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+
Derive=Alice-448
PeerKey=Bob-448-PUBLIC
SharedSecret=07fff4181ac6cc95ec1c16a94a0f74d12da232ce40a77552281d282bb60c0b56fd2464c335543936521c24403085d59a449a5037514a879d
@@ -823,6 +825,11 @@ Derive=Bob-448-Raw
PeerKey=Alice-448-PUBLIC-Raw
SharedSecret=07fff4181ac6cc95ec1c16a94a0f74d12da232ce40a77552281d282bb60c0b56fd2464c335543936521c24403085d59a449a5037514a879d
+# Self-generated non-canonical
+Derive=Alice-448-Raw
+PeerKey=Bob-448-PUBLIC-Raw-NonCanonical
+SharedSecret=66e2e682b1f8e68c809f1bb3e406bd826921d9c1a5bfbfcbab7ae72feecee63660eabd54934f3382061d17607f581a90bdac917a064959fb
+
# Illegal sign/verify operations with X448 key
Sign=Alice-448
More information about the openssl-commits
mailing list