Start introducing optblockers to prevent unwanted conditional jumps

2024-12-19 10:05:05 -07:00 · 2024-08-01 14:25:32 +02:00 · 2024-08-01 14:25:32 +02:00 · 0217d07326
commit 0217d07326
parent fb80cbfa59
2 changed files with 6 additions and 2 deletions
--- a/src/libsodium/crypto_core/ed25519/ref10/ed25519_ref10.c
+++ b/src/libsodium/crypto_core/ed25519/ref10/ed25519_ref10.c
@ -288,6 +288,8 @@ slide_vartime(signed char *r, const unsigned char *a)
    }
 }

+static volatile unsigned char optblocker_u8;
+
 int
 ge25519_frombytes(ge25519_p3 *h, const unsigned char *s)
 {
@ -320,7 +322,7 @@ ge25519_frombytes(ge25519_p3 *h, const unsigned char *s)
    fe25519_cmov(h->X, x_sqrtm1, 1 - has_m_root);

    fe25519_neg(negx, h->X);
-    fe25519_cmov(h->X, negx, fe25519_isnegative(h->X) ^ (s[31] >> 7));
+    fe25519_cmov(h->X, negx, fe25519_isnegative(h->X) ^ (((s[31] >> 5) ^ optblocker_u8) >> 2));
    fe25519_mul(h->T, h->X, h->Y);

    return (has_m_root | has_p_root) - 1;
--- a/src/libsodium/crypto_onetimeauth/poly1305/sse2/poly1305_sse2.c
+++ b/src/libsodium/crypto_onetimeauth/poly1305/sse2/poly1305_sse2.c
@ -194,6 +194,8 @@ poly1305_init_ext(poly1305_state_internal_t *st, const unsigned char key[32],
    st->leftover = 0U;
 }

+static volatile uint64_t optblocker_u64;
+
 static POLY1305_NOINLINE void
 poly1305_blocks(poly1305_state_internal_t *st, const unsigned char *m,
                unsigned long long bytes)
@ -745,7 +747,7 @@ poly1305_blocks(poly1305_state_internal_t *st, const unsigned char *m,
        g1 &= 0xfffffffffff;
        g2 = h2 + c - ((uint64_t) 1 << 42);

-        c  = (g2 >> 63) - 1;
+        c  = (((g2 >> 61) ^ optblocker_u64) >> 2) - 1;
        nc = ~c;
        h0 = (h0 & nc) | (g0 & c);
        h1 = (h1 & nc) | (g1 & c);