Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SECURITY: fix timing variability in backend/serial/u32/scalar.rs #661

Merged
merged 1 commit into from
Jun 18, 2024
Merged

SECURITY: fix timing variability in backend/serial/u32/scalar.rs #661

merged 1 commit into from
Jun 18, 2024

Conversation

tarcieri
Copy link
Contributor

Similar security fix to #659, but for the 32-bit backend. See that PR for more information about the problem.

@tarcieri
SECURITY: fix timing variability in backend/serial/u32/scalar.rs
dac6f1b 
Similar security fix to #659, but for the 32-bit backend. See that PR
for more information about the problem.
@rozbb
Copy link
Contributor

rozbb commented Jun 18, 2024
edited
Loading

Relevant compiler outputs (thanks to @tarcieri):

Without fix. Notice the jns ("jump if not sign") instruction on line 106.

With fix

@tarcieri tarcieri mentioned this pull request Jun 18, 2024
Merged
@tarcieri
Copy link
Contributor Author

@rozbb the godbolt links might be worth including in the commit message when you squash-and-merge

@rozbb rozbb merged commit b4f9e4d into main Jun 18, 2024
44 checks passed
@tarcieri tarcieri deleted the 32-bit-fix branch June 18, 2024 19:02
tarcieri added a commit that referenced this pull request Jun 20, 2024
@tarcieri
curve: use subtle::BlackBox optimization barrier
fbd851b 
Replaces the security mitigation added in #659 and #661 for
masking-related timing variability which used an inline `black_box`
using the recently added `subtle::BlackBox` newtype (see
dalek-cryptography/subtle#123)

Internally `BlackBox` uses a volatile read by default (i.e. same
strategy which was used before) or when the `core_hint_black_box`
feature of `subtle` is enabled, it uses `core::hint::black_box`
(whose documentation was recently updated to reflect the nuances of
potential cryptographic use, see rust-lang/rust#126703)

This PR goes ahead and uses `BlackBox` for both `mask` and
`underflow_mask` where previously it was only used on `underflow_mask`.
The general pattern of bitwise masking inside a loop seems worrisome for
the optimizer potentially inserting branches in the future.

Below are godbolt inspections of the generated assembly, which are free
of the `jns` instructions originally spotted in #659/#661:

- 32-bit (read_volatile): https://godbolt.org/z/TKo9fqza4
- 32-bit (hint::black_box): https://godbolt.org/z/caoMxYbET
- 64-bit (read_volatile): https://godbolt.org/z/PM6zKjj1f
- 64-bit (hint::black_box): https://godbolt.org/z/nseaPvdWv
@tarcieri tarcieri mentioned this pull request Jun 20, 2024
Merged
tarcieri added a commit that referenced this pull request Jun 24, 2024
@tarcieri
curve: use subtle::BlackBox optimization barrier
b4a374c 
Replaces the security mitigation added in #659 and #661 for
masking-related timing variability which used an inline `black_box`
using the recently added `subtle::BlackBox` newtype (see
dalek-cryptography/subtle#123)

Internally `BlackBox` uses a volatile read by default (i.e. same
strategy which was used before) or when the `core_hint_black_box`
feature of `subtle` is enabled, it uses `core::hint::black_box`
(whose documentation was recently updated to reflect the nuances of
potential cryptographic use, see rust-lang/rust#126703)

This PR goes ahead and uses `BlackBox` for both `mask` and
`underflow_mask` where previously it was only used on `underflow_mask`.
The general pattern of bitwise masking inside a loop seems worrisome for
the optimizer potentially inserting branches in the future.

Below are godbolt inspections of the generated assembly, which are free
of the `jns` instructions originally spotted in #659/#661:

- 32-bit (read_volatile): https://godbolt.org/z/TKo9fqza4
- 32-bit (hint::black_box): https://godbolt.org/z/caoMxYbET
- 64-bit (read_volatile): https://godbolt.org/z/PM6zKjj1f
- 64-bit (hint::black_box): https://godbolt.org/z/nseaPvdWv
rozbb pushed a commit that referenced this pull request Jun 24, 2024
@tarcieri
curve: use subtle::BlackBox optimization barrier (#662)
5b7082b 
Replaces the security mitigation added in #659 and #661 for
masking-related timing variability which used an inline `black_box`
using the recently added `subtle::BlackBox` newtype (see
dalek-cryptography/subtle#123)

Internally `BlackBox` uses a volatile read by default (i.e. same
strategy which was used before) or when the `core_hint_black_box`
feature of `subtle` is enabled, it uses `core::hint::black_box`
(whose documentation was recently updated to reflect the nuances of
potential cryptographic use, see rust-lang/rust#126703)

This PR goes ahead and uses `BlackBox` for both `mask` and
`underflow_mask` where previously it was only used on `underflow_mask`.
The general pattern of bitwise masking inside a loop seems worrisome for
the optimizer potentially inserting branches in the future.

Below are godbolt inspections of the generated assembly, which are free
of the `jns` instructions originally spotted in #659/#661:

- 32-bit (read_volatile): https://godbolt.org/z/TKo9fqza4
- 32-bit (hint::black_box): https://godbolt.org/z/caoMxYbET
- 64-bit (read_volatile): https://godbolt.org/z/PM6zKjj1f
- 64-bit (hint::black_box): https://godbolt.org/z/nseaPvdWv
tarcieri added a commit that referenced this pull request Jun 25, 2024
@tarcieri
curve: use subtle::Choice for constant-time fixes
6ab5814 
Alternative to #659/#661 and #662 which leverages `subtle::Choice` and
`subtle::ConditionallySelectable` as the optimization barriers.

Really the previous masking was there to conditionally add the scalar
field modulus on underflow, so instead of that, we can conditionally
select zero or the modulus using a `Choice` constructed from the
underflow bit.
@tarcieri tarcieri mentioned this pull request Jun 25, 2024
Merged
jmwample pushed a commit to jmwample/curve25519-dalek that referenced this pull request Jun 26, 2024
@tarcieri @jmwample
SECURITY: fix timing variability in backend/serial/u32/scalar.rs (dal…
d55ca44 
…ek-cryptography#661)

Similar security fix to dalek-cryptography#659, but for the 32-bit backend. See that PR
for more information about the problem. Relevant compiler outputs (thanks to @tarcieri):

Without fix
https://godbolt.org/z/zvaWxzvqv
Notice the `jns` ("jump if not sign") instruction on line 106.

With fix
https://godbolt.org/z/jc9j7eb8E
jmwample pushed a commit to jmwample/curve25519-dalek that referenced this pull request Jun 26, 2024
@tarcieri @jmwample
curve: use subtle::BlackBox optimization barrier (dalek-cryptograph…
676d572 
…y#662)

Replaces the security mitigation added in dalek-cryptography#659 and dalek-cryptography#661 for
masking-related timing variability which used an inline `black_box`
using the recently added `subtle::BlackBox` newtype (see
dalek-cryptography/subtle#123)

Internally `BlackBox` uses a volatile read by default (i.e. same
strategy which was used before) or when the `core_hint_black_box`
feature of `subtle` is enabled, it uses `core::hint::black_box`
(whose documentation was recently updated to reflect the nuances of
potential cryptographic use, see rust-lang/rust#126703)

This PR goes ahead and uses `BlackBox` for both `mask` and
`underflow_mask` where previously it was only used on `underflow_mask`.
The general pattern of bitwise masking inside a loop seems worrisome for
the optimizer potentially inserting branches in the future.

Below are godbolt inspections of the generated assembly, which are free
of the `jns` instructions originally spotted in dalek-cryptography#659/dalek-cryptography#661:

- 32-bit (read_volatile): https://godbolt.org/z/TKo9fqza4
- 32-bit (hint::black_box): https://godbolt.org/z/caoMxYbET
- 64-bit (read_volatile): https://godbolt.org/z/PM6zKjj1f
- 64-bit (hint::black_box): https://godbolt.org/z/nseaPvdWv
yihau pushed a commit to anza-xyz/curve25519-dalek that referenced this pull request Jun 27, 2024
@tarcieri @yihau
SECURITY: fix timing variability in backend/serial/u32/scalar.rs (dal…
d10985b 
…ek-cryptography#661)

Similar security fix to dalek-cryptography#659, but for the 32-bit backend. See that PR
for more information about the problem. Relevant compiler outputs (thanks to @tarcieri):

Without fix
https://godbolt.org/z/zvaWxzvqv
Notice the `jns` ("jump if not sign") instruction on line 106.

With fix
https://godbolt.org/z/jc9j7eb8E
yihau pushed a commit to anza-xyz/curve25519-dalek that referenced this pull request Jun 27, 2024
@tarcieri @yihau
SECURITY: fix timing variability in backend/serial/u32/scalar.rs (dal…
aea9c17 
…ek-cryptography#661)

Similar security fix to dalek-cryptography#659, but for the 32-bit backend. See that PR
for more information about the problem. Relevant compiler outputs (thanks to @tarcieri):

Without fix
https://godbolt.org/z/zvaWxzvqv
Notice the `jns` ("jump if not sign") instruction on line 106.

With fix
https://godbolt.org/z/jc9j7eb8E
tarcieri added a commit that referenced this pull request Jul 17, 2024
@tarcieri
curve: use subtle::Choice for constant-time fixes (#665)
921bd7c 
Alternative to #659/#661 and #662 which leverages `subtle::Choice` and
`subtle::ConditionallySelectable` as the optimization barriers.

Really the previous masking was there to conditionally add the scalar
field modulus on underflow, so instead of that, we can conditionally
select zero or the modulus using a `Choice` constructed from the
underflow bit.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
bug safety - constant timedness
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@tarcieri @rozbb