Open Source and information security mailing list archives
 
Date: Wed, 15 May 2024 10:29:56 +0200
From: Andy Polyakov <appro@...ptogams.org>
To: Danny Tsen <dtsen@...ux.ibm.com>, linux-crypto@...r.kernel.org
Cc: herbert@...dor.apana.org.au, leitao@...ian.org, nayna@...ux.ibm.com,
 linux-kernel@...r.kernel.org, linuxppc-dev@...ts.ozlabs.org,
 mpe@...erman.id.au, ltcgcw@...ux.vnet.ibm.com, dtsen@...ibm.com
Subject: Re: [PATCH 2/3] crypto: X25519 core functions for ppc64le

Hi,

> +static void cswap(fe51 p, fe51 q, unsigned int bit)
> +{
> +	u64 t, i;
> +	u64 c = 0 - (u64) bit;
> +
> +	for (i = 0; i < 5; ++i) {
> +		t = c & (p[i] ^ q[i]);
> +		p[i] ^= t;
> +		q[i] ^= t;
> +	}
> +}
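
Review bot: In cswap, 'u64 c = 0 - (u64) bit;' yields an all-ones or all-zeros mask only when bit is exactly 0 or 1; for any other value the loop XORs a partial mask into p[i] and q[i], leaving both field elements corrupted rather than swapped or untouched. The function neither enforces nor documents that precondition, so either mask the input ('0 - (u64)(bit & 1)') or add a comment stating that callers must pass 0 or 1. Nothing in the hunk keeps the compiler from treating c as a two-valued quantity either, so the constant-time behaviour of the loop depends on code generation rather than on the source.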

The "c" in cswap stands for "constant-time," and the problem is that 
contemporary compilers have exhibited the ability to produce 
non-constant-time machine code as a result of compilation of the above 
kind of technique. The outcome is platform-specific and ironically some 
of the PPC code generators were observed to generate "most" 
non-constant-time code. "Most" in the sense that execution time variations 
would be easiest to catch. One way to work around the problem, at 
least for the time being, is to add 'asm volatile("" : "+r"(c))' after 
you calculate 'c'. But there is no guarantee that the next compiler 
version won't see through it, hence the permanent solution is to do it 
in assembly. I can put together something...

Cheers.
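
Added example, not part of the original message or of the patch: a user-space C version of the quoted cswap with the 'asm volatile("" : "+r"(c))' workaround from the reply placed right after the mask is computed. The uint64_t-based fe51 typedef, the 'bit & 1' masking, the name cswap_barrier and the self-test with constructed limb values are assumptions made for illustration.

```c
#include <stdint.h>

/* Assumed layout: five 64-bit limbs, standing in for the patch's fe51. */
typedef uint64_t fe51[5];

/* Conditional swap of p and q when bit is 1, no change when bit is 0. */
static void cswap_barrier(fe51 p, fe51 q, unsigned int bit)
{
	uint64_t t;
	/* bit & 1 is an added precondition guard, not in the quoted patch. */
	uint64_t c = 0 - (uint64_t)(bit & 1);
	int i;

	/* Empty asm that claims to read and modify c: the compiler can no
	 * longer assume c is 0 or all-ones and turn the loop into a branch.
	 * As the reply notes, this is a workaround, not a guarantee. */
	__asm__ volatile("" : "+r"(c));

	for (i = 0; i < 5; ++i) {
		t = c & (p[i] ^ q[i]);
		p[i] ^= t;
		q[i] ^= t;
	}
}

/* Functional check on constructed values; returns 1 on success.
 * It verifies results only. Timing behaviour has to be confirmed by
 * inspecting the generated machine code for the target compiler. */
static int cswap_selftest(void)
{
	fe51 a = { 1, 2, 3, 4, 5 }, b = { 6, 7, 8, 9, 10 };
	int i;

	cswap_barrier(a, b, 0);		/* bit = 0: nothing moves */
	for (i = 0; i < 5; ++i)
		if (a[i] != (uint64_t)(i + 1) || b[i] != (uint64_t)(i + 6))
			return 0;

	cswap_barrier(a, b, 1);		/* bit = 1: all limbs exchanged */
	for (i = 0; i < 5; ++i)
		if (a[i] != (uint64_t)(i + 6) || b[i] != (uint64_t)(i + 1))
			return 0;
	return 1;
}

int main(void)
{
	return cswap_selftest() ? 0 : 1;
}
```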

