Re: [PATCH 2/3] crypto: X25519 core functions for ppc64le

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Andy,

Points taken.  And much appreciate for the help.

Thanks.

-Danny

On 5/15/24 3:29 AM, Andy Polyakov wrote:
Hi,

+static void cswap(fe51 p, fe51 q, unsigned int bit)
+{
+    u64 t, i;
+    u64 c = 0 - (u64) bit;
+
+    for (i = 0; i < 5; ++i) {
+        t = c & (p[i] ^ q[i]);
+        p[i] ^= t;
+        q[i] ^= t;
+    }
+}

The "c" in cswap stands for "constant-time," and the problem is that contemporary compilers have exhibited the ability to produce non-constant-time machine code as result of compilation of the above kind of technique. The outcome is platform-specific and ironically some of PPC code generators were observed to generate "most" non-constant-time code. "Most" in sense that execution time variations would be most easy to catch. One way to work around the problem, at least for the time being, is to add 'asm volatile("" : "+r"(c))' after you calculate 'c'. But there is no guarantee that the next compiler version won't see through it, hence the permanent solution is to do it in assembly. I can put together something...

Cheers.





[Index of Archives]     [Kernel]     [Gnu Classpath]     [Gnu Crypto]     [DM Crypt]     [Netfilter]     [Bugtraq]
  Powered by Linux