From 0217d07326f0ffbe79d6ce09793843e135a67487 Mon Sep 17 00:00:00 2001
From: Frank Denis
Date: Thu, 1 Aug 2024 14:25:32 +0200
Subject: [PATCH] Start introducing optblockers to prevent unwanted conditional jumps

---
 src/libsodium/crypto_core/ed25519/ref10/ed25519_ref10.c | 4 +++-
 .../crypto_onetimeauth/poly1305/sse2/poly1305_sse2.c | 4 +++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/libsodium/crypto_core/ed25519/ref10/ed25519_ref10.c b/src/libsodium/crypto_core/ed25519/ref10/ed25519_ref10.c
index 8129d8be..054a9628 100644
--- a/src/libsodium/crypto_core/ed25519/ref10/ed25519_ref10.c
+++ b/src/libsodium/crypto_core/ed25519/ref10/ed25519_ref10.c
@@ -288,6 +288,8 @@ slide_vartime(signed char *r, const unsigned char *a)
     }
 }
 
+static volatile unsigned char optblocker_u8;
+
 int
 ge25519_frombytes(ge25519_p3 *h, const unsigned char *s)
 {
@@ -320,7 +322,7 @@ ge25519_frombytes(ge25519_p3 *h, const unsigned char *s)
     fe25519_cmov(h->X, x_sqrtm1, 1 - has_m_root);
 
     fe25519_neg(negx, h->X);
-    fe25519_cmov(h->X, negx, fe25519_isnegative(h->X) ^ (s[31] >> 7));
+    fe25519_cmov(h->X, negx, fe25519_isnegative(h->X) ^ (((s[31] >> 5) ^ optblocker_u8) >> 2));
     fe25519_mul(h->T, h->X, h->Y);
 
     return (has_m_root | has_p_root) - 1;
diff --git a/src/libsodium/crypto_onetimeauth/poly1305/sse2/poly1305_sse2.c b/src/libsodium/crypto_onetimeauth/poly1305/sse2/poly1305_sse2.c
index 0576c86e..03a80790 100644
--- a/src/libsodium/crypto_onetimeauth/poly1305/sse2/poly1305_sse2.c
+++ b/src/libsodium/crypto_onetimeauth/poly1305/sse2/poly1305_sse2.c
@@ -194,6 +194,8 @@ poly1305_init_ext(poly1305_state_internal_t *st, const unsigned char key[32],
     st->leftover = 0U;
 }
 
+static volatile uint64_t optblocker_u64;
+
 static POLY1305_NOINLINE void
 poly1305_blocks(poly1305_state_internal_t *st, const unsigned char *m,
                 unsigned long long bytes)
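Review bot: `optblocker_u8` is declared with no comment stating why it exists or that it must remain zero, and both facts are load-bearing: the value read through `volatile` is XORed into the selector that `ge25519_frombytes` hands to `fe25519_cmov`, so any non-zero value would change which X coordinate is chosen, and a maintainer who does not know the purpose can legitimately delete an apparently unused-looking variable or "simplify" the expression that uses it. I would document the invariant at the declaration: `/* Always 0 and never written. Read through volatile so the optimizer cannot fold it out of the cmov selector and lower the selection to a conditional jump. */`. The same comment belongs on `optblocker_u64` in the poly1305_sse2.c hunk at line 194, which follows the identical pattern.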
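Review bot: The new selector `(((s[31] >> 5) ^ optblocker_u8) >> 2)` reads as an unexplained rewrite of `s[31] >> 7`, which invites a later cleanup that restores the original expression and with it the branch the commit is trying to prevent; a call-site comment should state the equivalence and the intent, e.g. `/* == s[31] >> 7; the volatile read stops the compiler from turning this cmov into a branch */`. The result is confined to {0,1} only because the static is zero-initialized and never written, and narrowing it with an explicit mask would hand the optimizer back exactly the range information the change seems designed to withhold, so the invariant should be stated rather than enforced in the expression (inferred from the commit subject; worth confirming with the author). `ge25519_frombytes` starts before this hunk and only part of its body is visible here. The poly1305 hunk at line 745 applies the same transformation to `c = (((g2 >> 61) ^ optblocker_u64) >> 2) - 1;` and needs the same explanatory comment.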
@@ -745,7 +747,7 @@ poly1305_blocks(poly1305_state_internal_t *st, const unsigned char *m,
     g1 &= 0xfffffffffff;
     g2 = h2 + c - ((uint64_t) 1 << 42);
 
-    c = (g2 >> 63) - 1;
+    c = (((g2 >> 61) ^ optblocker_u64) >> 2) - 1;
     nc = ~c;
     h0 = (h0 & nc) | (g0 & c);
     h1 = (h1 & nc) | (g1 & c);