From 2de607d8c952fef0cadf158b0a020037837911ac Mon Sep 17 00:00:00 2001
From: Andy Polyakov
Date: Wed, 11 Jul 2018 22:08:02 +0200
Subject: [PATCH] ec/asm/x25519-x86_64.pl: fix base 2^64 add/sub and final reduction.
Base 2^64 addition/subtraction and final reduction failed to treat partially reduced values correctly.
Thanks to Wycheproof Project for vectors and Paul Kehrer for report.
Reviewed-by: Rich Salz
(Merged from https://github.com/openssl/openssl/pull/6699)
---
 crypto/ec/asm/x25519-x86_64.pl | 21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)
diff --git a/crypto/ec/asm/x25519-x86_64.pl b/crypto/ec/asm/x25519-x86_64.pl
index 930d7bdba1..0936d5bc6d 100755
--- a/crypto/ec/asm/x25519-x86_64.pl
+++ b/crypto/ec/asm/x25519-x86_64.pl
@@ -698,12 +702,16 @@ x25519_fe64_add:
 	add	%rax,$acc0
 	adc	\$0,$acc1
-	mov	$acc0,8*0(%rdi)
 	adc	\$0,$acc2
 	mov	$acc1,8*1(%rdi)
 	adc	\$0,$acc3
 	mov	$acc2,8*2(%rdi)
+	sbb	%rax,%rax		# cf -> mask
 	mov	$acc3,8*3(%rdi)
+	and	\$38,%rax
+
+	add	%rax,$acc0
+	mov	$acc0,8*0(%rdi)
 	ret
 .size	x25519_fe64_add,.-x25519_fe64_add
@@ -727,12 +731,16 @@ x25519_fe64_sub:
 	sub	%rax,$acc0
 	sbb	\$0,$acc1
-	mov	$acc0,8*0(%rdi)
 	sbb	\$0,$acc2
 	mov	$acc1,8*1(%rdi)
 	sbb	\$0,$acc3
 	mov	$acc2,8*2(%rdi)
+	sbb	%rax,%rax		# cf -> mask
 	mov	$acc3,8*3(%rdi)
+	and	\$38,%rax
+
+	sub	%rax,$acc0
+	mov	$acc0,8*0(%rdi)
 	ret
 .size	x25519_fe64_sub,.-x25519_fe64_sub
@@ -751,6 +759,7 @@ x25519_fe64_tobytes:
 	sar	\$63,$acc3		# most significant bit -> mask
 	shr	\$1,%rax		# most significant bit cleared
 	and	\$19,$acc3
+	add	\$19,$acc3		# compare to modulus in the same go
 	add	$acc3,$acc0
 	adc	\$0,$acc1
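Review bot: The final `add %rax,$acc0` before the store has no carry propagation into $acc1..$acc3, and nothing in the hunk says why that is safe; the same applies to the trailing `sub %rax,$acc0` in the x25519_fe64_sub hunk. The argument, assuming %rax at hunk entry is the 38-times-carry fold computed above the hunk, is that a carry out of `adc \$0,$acc3` can only happen when $acc1..$acc3 were all 2^64-1 and have just wrapped to 0, which leaves $acc0 no larger than 37, so a further +38 cannot wrap again (mirror: a borrow out of the sbb chain leaves $acc1..$acc3 at 2^64-1 and $acc0 at least 2^64-38, so -38 cannot borrow). A comment such as `# carry out => acc1..acc3 just wrapped to 0, acc0 <= 37: +38 cannot carry again` above the second add, and `# borrow out => acc1..acc3 just wrapped to 2^64-1: -38 cannot borrow again` in fe64_sub, would pin that invariant for the next person who touches the store order. It is also worth stating that the stored result is presumably still only partially reduced (below 2^256, not below 2^255-19) and that x25519_fe64_tobytes is where the full reduction happens. Both functions begin outside their hunks.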
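Review bot: The comment on the added `add \$19,$acc3` says what it is for but not how it works, which matters because the next hunk's `not %rax` only makes sense together with it: after `and \$19,$acc3` the register is 0 or 19, so after the add it is 19 or 38, and the following carry chain computes v+19 so that the top bit of the sum answers "v >= 2^255-19" directly. Spelling that out, e.g. `# acc3 = 19 or 38: adding 19 turns the msb test below into v >= p`, would make the two-pass reduction readable on its own. Separately, the message credits Wycheproof vectors for finding the bug, yet the diffstat shows only the .pl file changed; the failing inputs (values in [p, 2^255) and partially reduced values with the top bit set) belong in the test suite as a regression check so the carry-free variants cannot return. x25519_fe64_tobytes begins and ends outside this hunk.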
@@ -760,14 +769,18 @@ x25519_fe64_tobytes:
 	lea	(%rax,%rax),$acc3
 	sar	\$63,%rax		# most significant bit -> mask
 	shr	\$1,$acc3		# most significant bit cleared
+	not	%rax
 	and	\$19,%rax
-	add	%rax,$acc0
+	sub	%rax,$acc0
+	sbb	\$0,$acc1
+	sbb	\$0,$acc2
+	sbb	\$0,$acc3
+	mov	$acc0,8*0(%rdi)
 	mov	$acc1,8*1(%rdi)
 	mov	$acc2,8*2(%rdi)
 	mov	$acc3,8*3(%rdi)
-	mov	$acc0,8*0(%rdi)
 	ret
 .size	x25519_fe64_tobytes,.-x25519_fe64_tobytes
-- 
2.25.1
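Review bot: `not %rax` followed by `and \$19,%rax` inverts the sign mask into "subtract 19 only when the sum stayed below 2^255", but the surrounding comments still describe the old add path, so a reader has to reconstruct the inversion and why the subtraction now needs a full `sbb` chain ($acc0 alone can be smaller than the 19 being undone, so the borrow must ripple up to $acc3). Suggest on the `not` line: `# mask = -1 when v+19 >= 2^255, i.e. v >= p: keep v+19-2^255; else undo the +19`, and on the `sub` line `# borrow can ripple: acc0 may be < 19`. The mask-and-subtract selection is branch-free on a value derived from secret limbs; saying so explicitly would keep a later cleanup from replacing it with a compare-and-branch on the top bit, which would reintroduce a timing difference between the two reduction cases. x25519_fe64_tobytes begins outside the hunk.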