From gniibe at fsij.org Mon Feb 3 01:31:20 2025 From: gniibe at fsij.org (NIIBE Yutaka) Date: Mon, 03 Feb 2025 09:31:20 +0900 Subject: [PATCH] MPI helper of multiplication, Least Leak Intended In-Reply-To: <877c6b8pp8.fsf@akagi.fsij.org> References: <877c6b8pp8.fsf@akagi.fsij.org> Message-ID: <87seovj2cn.fsf@akagi.fsij.org> NIIBE Yutaka wrote: > Honestly speaking, it's "Least Leak Intended", and I couldn't declare > it constant-time. I pushed the change for _gcry_mpih_mul_lli. And I also pushed the change for _gcry_mpih_mod_lli. The implementation was already there, it's renaming _gcry_mpih_mod_lli from _gcry_mpih_mod. -- From jussi.kivilinna at iki.fi Mon Feb 3 20:22:07 2025 From: jussi.kivilinna at iki.fi (Jussi Kivilinna) Date: Mon, 3 Feb 2025 21:22:07 +0200 Subject: [PATCH 1/3] t-fips-service-ind: fix broken fail print Message-ID: <20250203192209.3072952-1-jussi.kivilinna@iki.fi> * tests/t-fips-service-ind.c (check_cipher_o_s_e_d_c): Fix typo '<' to ','. -- Signed-off-by: Jussi Kivilinna --- tests/t-fips-service-ind.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/t-fips-service-ind.c b/tests/t-fips-service-ind.c
index 74521bb3..ed5f8d3f 100644
--- a/tests/t-fips-service-ind.c
+++ b/tests/t-fips-service-ind.c
@@ -767,7 +767,7 @@ check_cipher_o_s_e_d_c (int reject)
 err = gcry_cipher_set_decryption_tag (h, tag, 16);
 if (err)
- fail ("gcry_cipher_set_decryption_tag %d failed: %s\n", tvidx<
+ fail ("gcry_cipher_set_decryption_tag %d failed: %s\n", tvidx,
 gpg_strerror (err));
 } -- 2.45.2 From jussi.kivilinna at iki.fi Mon Feb 3 20:22:08 2025
From: jussi.kivilinna at iki.fi (Jussi Kivilinna) Date: Mon, 3 Feb 2025 21:22:08 +0200 Subject: [PATCH 2/3] mpih-const-time: avoid branches in _gcry_mpih_cmp_ui In-Reply-To: <20250203192209.3072952-1-jussi.kivilinna@iki.fi> References: <20250203192209.3072952-1-jussi.kivilinna@iki.fi> Message-ID: <20250203192209.3072952-2-jussi.kivilinna@iki.fi> * mpi/mpih-const-time.c (_gcry_mpih_cmp_ui): Avoid conditional branches for return value selection. -- Signed-off-by: Jussi Kivilinna --- mpi/mpih-const-time.c | 19 +++++++------------ 1 file changed, 7 insertions(+), 12 deletions(-)
diff --git a/mpi/mpih-const-time.c b/mpi/mpih-const-time.c
index e684b956..d8b66c46 100644
--- a/mpi/mpih-const-time.c
+++ b/mpi/mpih-const-time.c
@@ -222,20 +222,15 @@ _gcry_mpih_mod_lli (mpi_ptr_t vp, mpi_size_t vsize,
 int
 _gcry_mpih_cmp_ui (mpi_ptr_t up, mpi_size_t usize, unsigned long v)
 {
- int is_all_zero = 1;
+ unsigned long is_all_zero = ct_ulong_gen_mask(1);
+ int cmp0;
 mpi_size_t i;
+ cmp0 = -mpih_ct_limb_less_than (up[0], v);
+ cmp0 |= mpih_ct_limb_greater_than (up[0], v);
+
 for (i = 1; i < usize; i++)
- is_all_zero &= mpih_limb_is_zero (up[i]);
+ is_all_zero &= ct_ulong_gen_mask(mpih_limb_is_zero (up[i]));
- if (is_all_zero)
- {
- if (up[0] < v)
- return -1;
- else if (up[0] > v)
- return 1;
- else
- return 0;
- }
- return 1;
+ return cmp0 & (int)is_all_zero;
 } -- 2.45.2 From jussi.kivilinna at iki.fi Mon Feb 3 20:22:09 2025
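Review bot: The new return statement loses the case the old code handled with `return 1;` — when any upper limb is non-zero, `is_all_zero` is 0 and `cmp0 & (int)is_all_zero` yields 0 ("equal"), whereas the old code returned 1 ("greater") for a multi-limb value that cannot fit in `v`, so any caller testing `_gcry_mpih_cmp_ui (...) == 0` now gets a false match for such values. A branch-free form that keeps the old contract is `return (cmp0 & (int)is_all_zero) | (int)(~is_all_zero & 1);`, which selects `cmp0` when the upper limbs are all zero and 1 otherwise. The cast `(int)is_all_zero` relies on the all-ones mask converting to -1, which is implementation-defined in C11 though universal on two's-complement targets; a one-line comment saying so would help. I cannot see `mpih_ct_limb_less_than`/`mpih_ct_limb_greater_than` here, so this assumes they return 0 or 1 as the negation in `cmp0 = -mpih_ct_limb_less_than (...)` requires.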
From: jussi.kivilinna at iki.fi (Jussi Kivilinna) Date: Mon, 3 Feb 2025 21:22:09 +0200 Subject: [PATCH 3/3] mpi/longlong: prevent optimization of carry instructions to branches In-Reply-To: <20250203192209.3072952-1-jussi.kivilinna@iki.fi> References: <20250203192209.3072952-1-jussi.kivilinna@iki.fi> Message-ID: <20250203192209.3072952-3-jussi.kivilinna@iki.fi> * mpi/longlong.h: Include "const-time.h" (add_ssaaaa, sub_ddmmss): Prevent optimization of carry handling to conditional branches in generic variant of double width addition and subtraction as was seen with GCC on riscv64. (umul_ppmm): Avoid conditional branch in generic 16x16=>32bit multiplication version of umul_ppmm. * src/const-time.h (CT_DEOPTIMIZE_VAR): New. -- RISC-V has the "sltu" instruction for generating a carry value, and the generic versions of add_ssaaaa and sub_ddmmss typically compile to it. However, the compiler sometimes gets too clever and instead generates code with a conditional branch, which is not acceptable for constant-time code. This commit changes add_ssaaaa and sub_ddmmss to clobber the high word of the calculation in a way that prevents such optimizations. Signed-off-by: Jussi Kivilinna --- mpi/longlong.h | 47 +++++++++++++++++++++++++++++++---------------- src/const-time.h | 8 ++++++++ 2 files changed, 39 insertions(+), 16 deletions(-) diff --git a/mpi/longlong.h b/mpi/longlong.h index 21bd1a7e..7dc67591 100644 --- a/mpi/longlong.h +++ b/mpi/longlong.h
@@ -20,6 +20,8 @@ along with this file; see the file COPYING.LIB. If not, see > W_TYPE_SIZE); \
- (sl) = (UWtype)(__audw); \
+ __auwh = (UWtype)(__audw >> W_TYPE_SIZE); \
+ __auwl = (UWtype)(__audw); \
+ CT_DEOPTIMIZE_VAR(__auwh); \
+ (sh) = __auwh; \
+ (sl) = __auwl; \
 } while (0)
 #elif !defined (add_ssaaaa)
 # define add_ssaaaa(sh, sl, ah, al, bh, bl) \
 do { \
- UWtype __x; \
- __x = (al) + (bl); \
- (sh) = (ah) + (bh) + (__x < (al)); \
- (sl) = __x; \
+ UWtype __xl, __xh; \
+ __xl = (al) + (bl); \
+ __xh = __xl < (al); \
+ __xh = (ah) + (bh) + __xh; \
+ CT_DEOPTIMIZE_VAR(__xh); \
+ (sh) = __xh; \
+ (sl) = __xl; \
 } while (0)
 #endif
@@ -1606,22 +1615,29 @@ typedef unsigned int UTItype __attribute__ ((mode (TI)));
 # define sub_ddmmss(sh, sl, ah, al, bh, bl) \
 do { \
 UDWtype __audw = (ah); \
+ UWtype __auwh, __auwl; \
 UDWtype __budw = (bh); \
 __audw <<= W_TYPE_SIZE; \
 __audw |= (al); \
 __budw <<= W_TYPE_SIZE; \
 __budw |= (bl); \
 __audw -= __budw; \
- (sh) = (UWtype)(__audw >> W_TYPE_SIZE); \
- (sl) = (UWtype)(__audw); \
+ __auwh = (UWtype)(__audw >> W_TYPE_SIZE); \
+ __auwl = (UWtype)(__audw); \
+ CT_DEOPTIMIZE_VAR(__auwh); \
+ (sh) = __auwh; \
+ (sl) = __auwl; \
 } while (0)
 #elif !defined (sub_ddmmss)
 # define sub_ddmmss(sh, sl, ah, al, bh, bl) \
 do { \
- UWtype __x; \
- __x = (al) - (bl); \
- (sh) = (ah) - (bh) - (__x > (al)); \
- (sl) = __x; \
+ UWtype __xl, __xh; \
+ __xl = (al) - (bl); \
+ __xh = (__xl > (al)); \
+ __xh = (ah) - (bh) - __xh; \
+ CT_DEOPTIMIZE_VAR(__xh); \
+ (sh) = __xh; \
+ (sl) = __xl; \
 } while (0)
 #endif
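Review bot: In the generic `sub_ddmmss` the barrier is placed after the borrow has already been folded in, `__xh = (ah) - (bh) - __xh; CT_DEOPTIMIZE_VAR(__xh);`, so `"+r" (__xh)` only pins the final high word; nothing constrains how the value reaching the asm was produced, and the compiler remains free to evaluate `(__xl > (al))` with a conditional branch before it. If the riscv64 branch came from GCC if-converting the borrow into the subtraction rather than from a later consumer of `sh`, this placement does not rule it out, whereas pinning the borrow itself, `__xh = (__xl > (al)); CT_DEOPTIMIZE_VAR(__xh); __xh = (ah) - (bh) - __xh;`, forces an `sltu`-style materialisation at no extra cost; I have not seen the generated code, so treat this as a placement to verify rather than a confirmed regression. The same applies to the generic `add_ssaaaa` in the preceding hunk, whose start is cut off at the top of this message. A one-line comment in each macro saying why `__xh` is clobbered (the branch observed on riscv64) would also save the next reader a trip to the git log.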
@@ -1651,10 +1667,9 @@ typedef unsigned int UTItype __attribute__ ((mode (TI)));
 __x3 = (UWtype) __uh * __vh; \
 \
 __x1 += __ll_highpart (__x0);/* this can't give carry */ \
- __x1 += __x2; /* but this indeed can */ \
- if (__x1 < __x2) /* did we get it? */ \
- __x3 += __ll_B; /* yes, add it in the proper pos. */ \
- \
+ /* but this indeed can, and if so, add it in the proper pos: */ \
+ add_ssaaaa(__x2, __x1, 0, __x1, 0, __x2); \
+ __x3 += __x2 << (W_TYPE_SIZE / 2); \
 (w1) = __x3 + __ll_highpart (__x1); \
 (w0) = (__ll_lowpart (__x1) << W_TYPE_SIZE/2) + __ll_lowpart (__x0);\
 } while (0)
diff --git a/src/const-time.h b/src/const-time.h
index 46eb187d..c2acbb73 100644
--- a/src/const-time.h
+++ b/src/const-time.h
@@ -82,6 +82,14 @@ unsigned int _gcry_ct_not_memequal (const void *b1, const void *b2, size_t len);
 any structure. */
 unsigned int _gcry_ct_memequal (const void *b1, const void *b2, size_t len);
+/* Prevent compiler from assuming value of variable and from making
+ non-constant time optimizations. */
+#ifdef HAVE_GCC_ASM_VOLATILE_MEMORY
+# define CT_DEOPTIMIZE_VAR(var) asm volatile ("\n" : "+r" (var) :: "memory")
+#else
+# define CT_DEOPTIMIZE_VAR(var) (void)((var) += _gcry_ct_vzero)
+#endif
+
 /*
 * Return all bits set if A is 1 and return 0 otherwise.
 */ -- 2.45.2 From harmen at stoppels.ch Wed Feb 5 09:52:02 2025 From: harmen at stoppels.ch (Harmen Stoppels) Date: Wed, 05 Feb 2025 09:52:02 +0100 Subject: [PATCH] Simplify flag munging for rndjent.c Message-ID: * random/Makefile.am (o_flag_munging): append -O0 Replace `echo ... | sed` idiom with simply appending -O0. This overrides previous optimization flags. Hopefully that ends the series of patches to these lines. --- random/Makefile.am | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/random/Makefile.am b/random/Makefile.am
index 41041e8a..b6487192 100644
--- a/random/Makefile.am
+++ b/random/Makefile.am
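Review bot: After `add_ssaaaa(__x2, __x1, 0, __x1, 0, __x2);` the partial product that `__x2` held is gone and the variable now holds only the carry out of `__x1` (0 or 1), which the next line shifts up to the `__ll_B` position; nothing in the macro says so, and a reader who still takes `__x2` for a partial product will misread `__x3 += __x2 << (W_TYPE_SIZE / 2);`. A comment on the `add_ssaaaa` line such as `/* __x2 now holds the carry out of __x1 (0 or 1); shifted up it equals __ll_B * carry */` would make that explicit. This also assumes `add_ssaaaa` accepts literal `0` high operands and its output `sh` aliasing its input `bl`, which holds for the generic variants changed in this patch but should be checked for any target that has an asm `add_ssaaaa` yet falls back to this generic `umul_ppmm`. The `umul_ppmm` macro begins above this hunk.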
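Review bot: The `"memory"` clobber in `CT_DEOPTIMIZE_VAR` turns every use into a full compiler memory barrier, forcing any value the compiler has cached from memory to be reloaded after the asm, and this patch places the macro in `add_ssaaaa`/`sub_ddmmss`, which `umul_ppmm` and the MPI helpers built on them call from their inner loops. If the goal is only to hide the value of `var` from the optimizer, `asm volatile ("" : "+r" (var))` achieves that: `"+r"` forces `var` through a register with an opaque value, and `volatile` keeps the asm from being deleted. Keep the clobber only if ordering against surrounding memory accesses is actually needed, and state that reason in the comment. The `#else` fallback adds `_gcry_ct_vzero`, whose declaration is outside this hunk; the comment could note that it presumably depends on that object being a volatile zero so the addition is not folded away.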
@@ -55,9 +55,9 @@ jitterentropy-base.c jitterentropy.h jitterentropy-base-user.h
 # The rndjent module needs to be compiled without optimization. */
 if ENABLE_O_FLAG_MUNGING
-o_flag_munging = sed -e 's/[[:blank:]]-O\([1-9sgz][1-9sgz]*\)/ -O0 /g' -e 's/[[:blank:]]-Ofast/ -O0 /g'
+o_flag_munging = -O0
 else
-o_flag_munging = cat
+o_flag_munging =
 endif
 rndjent.o: $(srcdir)/rndjent.c jitterentropy-base-user.h \
@@ -67,7 +67,7 @@ rndjent.o: $(srcdir)/rndjent.c jitterentropy-base-user.h \
 $(srcdir)/jitterentropy-sha3.c $(srcdir)/jitterentropy-sha3.h \
 $(srcdir)/jitterentropy-timer.c $(srcdir)/jitterentropy-timer.h \
 $(srcdir)/jitterentropy-base.c $(srcdir)/jitterentropy.h
- `echo $(COMPILE) -c $(srcdir)/rndjent.c | $(o_flag_munging) `
+ $(COMPILE) $(o_flag_munging) -c $(srcdir)/rndjent.c
 rndjent.lo: $(srcdir)/rndjent.c jitterentropy-base-user.h \
 $(srcdir)/jitterentropy-gcd.c $(srcdir)/jitterentropy-gcd.h \
@@ -76,4 +76,4 @@ rndjent.lo: $(srcdir)/rndjent.c jitterentropy-base-user.h \
 $(srcdir)/jitterentropy-sha3.c $(srcdir)/jitterentropy-sha3.h \
 $(srcdir)/jitterentropy-timer.c $(srcdir)/jitterentropy-timer.h \
 $(srcdir)/jitterentropy-base.c $(srcdir)/jitterentropy.h
- `echo $(LTCOMPILE) -c $(srcdir)/rndjent.c | $(o_flag_munging) `
+ $(LTCOMPILE) $(o_flag_munging) -c $(srcdir)/rndjent.c -- 2.43.0
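Review bot: With the munging reduced to a plain `-O0`, the `ENABLE_O_FLAG_MUNGING` conditional in the first hunk no longer guards anything fragile, but when it is off `o_flag_munging` is now empty and rndjent.c is built at whatever `-O` level CFLAGS carry, which the comment at the top of the hunk says it must not be. Unless configure disables the switch for a compiler that rejects `-O0` (configure.ac is not part of this patch), the conditional could go and the definition become unconditional: `o_flag_munging = -O0`. Appending also relies on the last `-O` option winning, which holds for GCC and Clang; a short comment next to the definition recording that assumption would help. The stray `*/` ending the `# The rndjent module ...` comment predates this change but could be dropped while these lines are being touched.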