Closed Bug 1831983 Opened 2 years ago Closed 2 years ago

Add a constant-time select function

Categories

(NSS :: Libraries, enhancement)

Product:
NSS
Component:
Libraries
Type:
enhancement

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: jschanck, Assigned: jschanck)

References

Details

Attachments

(2 files)

Bug 1831983 - Add a constant time select function. r=mt
48 bytes, text/x-phabricator-request
Details | Review
Bug 1831983 - clang-format lib/freebl/stubs.c. r=#nss-reviewers
48 bytes, text/x-phabricator-request
Details | Review

Bug 1826451 will pull a Kyber implementation from the pq-crystals repository. While reviewing the upstream code, I realized there is an unstated assumption that verify.c will be in a separate translation unit from kem.c. (I violated this assumption while vendoring the code.)

When these two files are concatenated into the same translation unit, there is a risk that cmov (read: conditional move) from verify.c will be inlined into crypto_kem_dec from kem.c. Once that inlining occurs, the compiler might see that b is 0/1-valued and then insert a branch into (the inlined copy of) cmov.

I filed kyber #55 upstream to add a value barrier on the b input to cmov. But another solution is for NSS to maintain its own implementation.

For re-usability, I think we want a slightly more general function than cmov. I suggest we add a branch-free implementation of the following:

void select(void *dest, const void *src0, const void *src1, size_t n, unsigned char b) {
    if (!b) {
         memmove(dest, src0, len);
    } else {
         memmove(dest, src1, len);
    }
}

https://hg.mozilla.org/projects/nss/rev/eed35db9c1643d61ea46025ffbdf653bb7e7ba70

Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: