Commit 774ff8fe authored by Andy Polyakov

bn/asm/*-mont.pl: harmonize with BN_from_montgomery_word.



Montgomery multiplication post-conditions in some code paths were
formally non-constant-time. The cache access pattern was result-neutral,
but slightly asymmetric, which might have produced a signal [if the
processor reordered loads and stores at run-time].

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6141)
parent 48bc0d99
+3 −6
@@ -297,15 +297,12 @@ bn_mul_mont:
	mov	sp,$tp
	mov	$bp,$rp		# restore rp

	and	sp,$hi0,$ap
	bic	$bp,$hi0,$bp
	bis	$bp,$ap,$ap	# ap=borrow?tp:rp

.align	4
.Lcopy:	ldq	$aj,0($ap)	# copy or in-place refresh
.Lcopy:	ldq	$aj,0($tp)	# conditional copy
	ldq	$nj,0($rp)
	lda	$tp,8($tp)
	lda	$rp,8($rp)
	lda	$ap,8($ap)
	cmoveq	$hi0,$nj,$aj
	stq	zero,-8($tp)	# zap tp
	cmpult	$tp,$tj,AT
	stq	$aj,-8($rp)
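Review bot: The `cmoveq $hi0,$nj,$aj` that now performs the word select carries no comment, and with the old `# ap=borrow?tp:rp` pointer select gone the borrow polarity is no longer stated anywhere in the loop. I would annotate it as `cmoveq $hi0,$nj,$aj # aj = borrow ? tp[i] : rp[i]`; that reading presumes $hi0 is the borrow left by the subtraction above, which is worth confirming since both tp and rp are now loaded every iteration and that register alone decides which word is written back to rp. bn_mul_mont begins before this hunk and the subtraction that produces $hi0 is outside it.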
+8 −7
@@ -262,14 +262,15 @@ bn_mul_mont:
	mov	$tp,sp			@ "rewind" $tp
	sub	$rp,$rp,$aj		@ "rewind" $rp

	and	$ap,$tp,$nhi
	bic	$np,$rp,$nhi
	orr	$ap,$ap,$np		@ ap=borrow?tp:rp

.Lcopy:	ldr	$tj,[$ap],#4		@ copy or in-place refresh
.Lcopy:	ldr	$tj,[$tp]		@ conditional copy
	ldr	$aj,[$rp]
	str	sp,[$tp],#4		@ zap tp
	str	$tj,[$rp],#4
	cmp	$tp,$num
#ifdef	__thumb2__
	it	cc
#endif
	movcc	$aj,$tj
	str	$aj,[$rp],#4
	teq	$tp,$num		@ preserve carry
	bne	.Lcopy

	mov	sp,$num
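Review bot: The new loop depends on the carry flag set by the subtraction earlier in bn_mul_mont surviving every iteration — `movcc $aj,$tj` reads it on each pass — and that invariant is only hinted at by `@ preserve carry` on the `teq`. A comment at the loop head would make the constraint explicit, e.g. `.Lcopy: ldr $tj,[$tp] @ conditional copy; C (=!borrow) must survive to the bne`. Swapping `cmp` for `teq` as the loop test is what keeps C intact here, so any later `cmp`/`subs`/`adds` inserted in the loop would silently break the select without changing the memory access pattern. The function and the subtraction that sets C are outside the hunk.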
+9 −9
@@ -341,19 +341,19 @@ bn_mul_mont_general:
{ .mmb;	sub	rptr=rptr,len		// rewind
	sub	tptr=tptr,len
	clrrrb.pr			};;
{ .mmi;	and	aptr=tptr,topbit
	andcm	bptr=rptr,topbit
{ .mmi;	mov	aptr=rptr
	mov	bptr=tptr
	mov	pr.rot=1<<16		};;
{ .mii;	or	nptr=aptr,bptr
{ .mii;	cmp.eq	p0,p6=topbit,r0
	mov	ar.lc=lc
	mov	ar.ec=3			};;
	mov	ar.ec=2			};;

.Lcopy_ctop:
{ .mmb;	(p16)	ld8	n[0]=[nptr],8
	(p18)	st8	[tptr]=r0,8
	(p16)	nop.b	0		}
{ .mmb;	(p16)	nop.m	0
	(p18)	st8	[rptr]=n[2],8
{ .mmi;	(p16)	ld8	a[0]=[aptr],8
	(p16)	ld8	t[0]=[bptr],8
	(p6)	mov	a[1]=t[1]	};;	// (p17)
{ .mmb;	(p17)	st8	[rptr]=a[1],8
	(p17)	st8	[tptr]=r0,8
	br.ctop.sptk	.Lcopy_ctop	};;
.Lcopy_cend:

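Review bot: The `(p6) mov a[1]=t[1]` select is predicated on the borrow predicate only, not on the stage predicate p17, and the trailing `// (p17)` is too terse to say why that is safe. I read it as: in the prologue iteration p17 is clear and a[1]/t[1] hold nothing meaningful, but the register that mov writes is rotated away before any `(p17) st8` reads it, so the early execution is harmless; if that is the intent, say so, e.g. `// (p6) not (p17): stale a[1] in prologue is never stored`. `ar.ec=2` does match the two stages the loop now has (p16 loads, p17 stores), but the rotating declarations of a[] and t[] are outside the hunk, so I could not check they have enough entries for that.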
+5 −7
@@ -386,15 +386,13 @@ $code.=<<___;
	$PTR_SUB $rp,$num	# restore rp
	not	$hi1,$hi0

	and	$ap,$hi0,$sp
	and	$bp,$hi1,$rp
	or	$ap,$ap,$bp	# ap=borrow?tp:rp

.align	4
.Lcopy:	$LD	$aj,($ap)
	$PTR_ADD $ap,$BNSZ
.Lcopy:	$LD	$nj,($tp)	# conditional move
	$LD	$aj,($rp)
	$ST	$zero,($tp)
	$PTR_ADD $tp,$BNSZ
	and	$nj,$hi0
	and	$aj,$hi1
	or	$aj,$nj
	sltu	$at,$tp,$tj
	$ST	$aj,($rp)
	bnez	$at,.Lcopy
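Review bot: The mask select `and $nj,$hi0` / `and $aj,$hi1` / `or $aj,$nj` is only correct if $hi0 is an all-ones or all-zeros word rather than a 0/1 borrow, and nothing in the hunk records that; $hi0 is produced before `$PTR_SUB $rp,$num`, outside the hunk, and is presumably already a full mask since the pointer select it replaces needed the same. I would state it where `$hi1` is formed, `not $hi1,$hi0 # $hi0 = 0/~0 borrow mask, $hi1 = ~$hi0`, and on the loop label `# rp[i] = borrow ? tp[i] : rp[i], branch-free`. This differs from the cmov-based variants in the same commit, so a one-line note that the mask form is deliberate would also help. The code sits inside a `$code.=<<___` heredoc, so the comment character is the assembler's `#`.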
+11 −15
@@ -517,7 +517,6 @@ L\$sub
	stws,ma		$hi1,4($rp)

	subb		$ti0,%r0,$hi1
	ldo		-4($tp),$tp
___
$code.=<<___ if ($BN_SZ==8);
	ldd,ma		8($tp),$ti0
@@ -532,20 +531,18 @@ L\$sub

	extrd,u		$ti0,31,32,$ti0		; carry in flipped word order
	sub,db		$ti0,%r0,$hi1
	ldo		-8($tp),$tp
___
$code.=<<___;
	and		$tp,$hi1,$ap
	andcm		$rp,$hi1,$bp
	or		$ap,$bp,$np

	ldo		`$LOCALS+32`($fp),$tp
	sub		$rp,$arrsz,$rp		; rewind rp
	subi		0,$arrsz,$idx
	ldo		`$LOCALS+32`($fp),$tp
L\$copy
	ldd		$idx($np),$hi0
	ldd		0($tp),$ti0
	ldd		0($rp),$hi0
	std,ma		%r0,8($tp)
	addib,<>	8,$idx,.-8		; L\$copy
	comiclr,=	0,$hi1,%r0
	copy		$ti0,$hi0
	addib,<>	8,$idx,L\$copy
	std,ma		$hi0,8($rp)
___

@@ -856,17 +853,16 @@ L\$sub_pa11
	stws,ma		$hi1,4($rp)

	subb		$ti0,%r0,$hi1
	ldo		-4($tp),$tp
	and		$tp,$hi1,$ap
	andcm		$rp,$hi1,$bp
	or		$ap,$bp,$np

	ldo		`$LOCALS+32`($fp),$tp
	sub		$rp,$arrsz,$rp		; rewind rp
	subi		0,$arrsz,$idx
	ldo		`$LOCALS+32`($fp),$tp
L\$copy_pa11
	ldwx		$idx($np),$hi0
	ldw		0($tp),$ti0
	ldw		0($rp),$hi0
	stws,ma		%r0,4($tp)
	comiclr,=	0,$hi1,%r0
	copy		$ti0,$hi0
	addib,<>	4,$idx,L\$copy_pa11
	stws,ma		$hi0,4($rp)

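Review bot: In the rewritten `L\$copy` and `L\$copy_pa11` loops the select is done by `comiclr,= 0,$hi1,%r0` nullifying the following `copy $ti0,$hi0`, and neither the nullification nor the polarity of $hi1 is explained, so a reader unfamiliar with PA-RISC will take the `copy` for unconditional. I would comment the pair in both loops as `comiclr,= 0,$hi1,%r0 ; nullify next if no borrow` and `copy $ti0,$hi0 ; hi0 = borrow ? tp[i] : rp[i]`, taking non-zero $hi1 as "borrow", which the preceding `subb`/`sub,db` presumably arranges. Since the conditional is an instruction nullification rather than a taken branch, the loop's loads and stores are the same on both paths, which is the property the commit message is after and is worth stating next to the code. Both function bodies start before their hunks.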