Merge #710: Eliminate harmless non-constant time operations on secret data.

7b50483ad7 Adds a declassify operation to aid constant-time analysis. (Gregory Maxwell) 34a67c773b Eliminate harmless non-constant time operations on secret data. (Gregory Maxwell) Pull request description: There were several places where the code was non-constant time for invalid secret inputs. These are harmless under sane use but get in the way of automatic const-time validation. (Nonce overflow in signing is not addressed, nor is s==0 in signing) ACKs for top commit: sipa: utACK 7b50483ad7 real-or-random: ACK 7b50483ad7 I read the code carefully and tested it jonasnick: reACK 7b50483ad7 Tree-SHA512: 0776c3a86e723d2f97b9b9cb31d0d0e59dfcf308093b3f46fbc859f73f9957f3fa977d03b57727232040368d058701ef107838f9b1ec98f925ec78ddad495c4e
2020-02-24 14:02:44 +01:00
parent 0585b8b2ee 7b50483ad7
commit 96d8ccbd16
20 changed files with 194 additions and 111 deletions
--- a/src/modules/ecdh/main_impl.h
+++ b/src/modules/ecdh/main_impl.h
@@ -32,36 +32,40 @@ int secp256k1_ecdh(const secp256k1_context* ctx, unsigned char *output, const se
    secp256k1_gej res;
    secp256k1_ge pt;
    secp256k1_scalar s;
+    unsigned char x[32];
+    unsigned char y[32];
+
    VERIFY_CHECK(ctx != NULL);
    ARG_CHECK(output != NULL);
    ARG_CHECK(point != NULL);
    ARG_CHECK(scalar != NULL);
+
    if (hashfp == NULL) {
        hashfp = secp256k1_ecdh_hash_function_default;
    }

    secp256k1_pubkey_load(ctx, &pt, point);
    secp256k1_scalar_set_b32(&s, scalar, &overflow);
-    if (overflow || secp256k1_scalar_is_zero(&s)) {
-        ret = 0;
-    } else {
-        unsigned char x[32];
-        unsigned char y[32];

-        secp256k1_ecmult_const(&res, &pt, &s, 256);
-        secp256k1_ge_set_gej(&pt, &res);
+    overflow |= secp256k1_scalar_is_zero(&s);
+    secp256k1_scalar_cmov(&s, &secp256k1_scalar_one, overflow);

-        /* Compute a hash of the point */
-        secp256k1_fe_normalize(&pt.x);
-        secp256k1_fe_normalize(&pt.y);
-        secp256k1_fe_get_b32(x, &pt.x);
-        secp256k1_fe_get_b32(y, &pt.y);
+    secp256k1_ecmult_const(&res, &pt, &s, 256);
+    secp256k1_ge_set_gej(&pt, &res);

-        ret = hashfp(output, x, y, data);
-    }
+    /* Compute a hash of the point */
+    secp256k1_fe_normalize(&pt.x);
+    secp256k1_fe_normalize(&pt.y);
+    secp256k1_fe_get_b32(x, &pt.x);
+    secp256k1_fe_get_b32(y, &pt.y);

+    ret = hashfp(output, x, y, data);
+
+    memset(x, 0, 32);
+    memset(y, 0, 32);
    secp256k1_scalar_clear(&s);
-    return ret;
+
+    return !!ret & !overflow;
 }

 #endif /* SECP256K1_MODULE_ECDH_MAIN_H */