tls: fix the case of sp_256_mont_tpl_10() leaving striay high bits

It has no effect on correctness, but interferes with compating internal state of different implementations. function old new delta sp_256_proj_point_dbl_10 443 451 +8 static.sp_256_mont_sub_10 46 49 +3 ------------------------------------------------------------------------------ (add/remove: 0/0 grow/shrink: 2/0 up/down: 11/0) Total: 11 bytes Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
author: Denys Vlasenko <vda.linux@googlemail.com> 2021-10-05 19:45:56 +0200
committer: Denys Vlasenko <vda.linux@googlemail.com> 2021-10-05 19:46:39 +0200
commit: 55578f2fb7c05357fb0b1ce84b616ba8ffd6d907 (patch)
tree: 9f8967394892f838cfebfb9e64b3d7aead6e5221
parent: 81d8af1970e70f2bffa9e67acb10e732cba555a6 (diff)
download: busybox-w32-55578f2fb7c05357fb0b1ce84b616ba8ffd6d907.tar.gz
busybox-w32-55578f2fb7c05357fb0b1ce84b616ba8ffd6d907.tar.bz2
busybox-w32-55578f2fb7c05357fb0b1ce84b616ba8ffd6d907.zip
3 files changed, 72 insertions, 11 deletions
diff --git a/networking/tls.c b/networking/tls.c
index 7ae9e5a1f..4f0e2b6eb 100644
--- a/networking/tls.c
+++ b/networking/tls.c
@@ -2326,6 +2326,48 @@ void FAST_FUNC tls_run_copy_loop(tls_state_t *tls, unsigned flags)
        const int INBUF_STEP = 4 * 1024;
        struct pollfd pfds[2];
+#if 0
+// Debug aid for comparing P256 implementations.
+// Enable this, set SP_DEBUG and FIXED_SECRET to 1,
+// and add
+//      tls_run_copy_loop(NULL, 0);
+// e.g. at the very beginning of wget_main()
+//
+{
+//kbuild:lib-$(CONFIG_TLS) += tls_sp_c32_new.o
+        uint8_t ecc_pub_key32[2 * 32];
+        uint8_t pubkey2x32[2 * 32];
+        uint8_t premaster32[32];
+//Fixed input key:
+//      memset(ecc_pub_key32, 0xee, sizeof(ecc_pub_key32));
+//Fixed 000000000000000000000000000000000000ab000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
+//      memset(ecc_pub_key32, 0x00, sizeof(ecc_pub_key32));
+//      ecc_pub_key32[18] = 0xab;
+//Random key:
+        tls_get_random(ecc_pub_key32, sizeof(ecc_pub_key32));
+//Biased random (almost all zeros or almost all ones):
+//      srand(time(NULL) ^ getpid());
+//      if (rand() & 1)
+//              memset(ecc_pub_key32, 0x00, sizeof(ecc_pub_key32));
+//      else
+//              memset(ecc_pub_key32, 0xff, sizeof(ecc_pub_key32));
+//      ecc_pub_key32[rand() & 0x3f] = rand();
+        xmove_fd(xopen("p256.OLD", O_WRONLY | O_CREAT | O_TRUNC), 2);
+        curve_P256_compute_pubkey_and_premaster(
+                        pubkey2x32, premaster32,
+                        /*point:*/ ecc_pub_key32
+        );
+        xmove_fd(xopen("p256.NEW", O_WRONLY | O_CREAT | O_TRUNC), 2);
+        curve_P256_compute_pubkey_and_premaster_NEW(
+                        pubkey2x32, premaster32,
+                        /*point:*/ ecc_pub_key32
+        );
+        exit(1);
+}
+#endif
        pfds[0].fd = STDIN_FILENO;
        pfds[0].events = POLLIN;
        pfds[1].fd = tls->ifd;
diff --git a/networking/tls.h b/networking/tls.h
index 215e92b02..eb0fdd4cf 100644
--- a/networking/tls.h
+++ b/networking/tls.h
@@ -117,3 +117,7 @@ void curve_x25519_compute_pubkey_and_premaster(
 void curve_P256_compute_pubkey_and_premaster(
                uint8_t *pubkey2x32, uint8_t *premaster32,
                const uint8_t *peerkey2x32) FAST_FUNC;
+void curve_P256_compute_pubkey_and_premaster_NEW(
+                uint8_t *pubkey2x32, uint8_t *premaster32,
+                const uint8_t *peerkey2x32) FAST_FUNC;
diff --git a/networking/tls_sp_c32.c b/networking/tls_sp_c32.c
index 99f9c6839..bba22dee3 100644
--- a/networking/tls_sp_c32.c
+++ b/networking/tls_sp_c32.c
@@ -163,11 +163,13 @@ static void dump_512(const char *fmt, const sp_digit* cr)
        a[j] = 0;
        for (i = 0; i < 20 && j >= 0; i++) {
                b = 0;
-                a[j--] |= r[i] << s; b += 8 - s;
+                a[j--] |= r[i] << s;
+                b += 8 - s;
                if (j < 0)
                        break;
                while (b < 26) {
-                        a[j--] = r[i] >> b; b += 8;
+                        a[j--] = r[i] >> b;
+                        b += 8;
                        if (j < 0)
                                break;
                }
@@ -286,9 +288,10 @@ static void sp_256_mont_add_10(sp_digit* r, const sp_digit* a, const sp_digit* b
 {
        sp_256_add_10(r, a, b);
        sp_256_norm_10(r);
-        if ((r[9] >> 22) > 0)
+        if ((r[9] >> 22) > 0) {
                sp_256_sub_10(r, r, m);
-        sp_256_norm_10(r);
+                sp_256_norm_10(r);
+        }
 }
 /* Subtract two Montgomery form numbers (r = a - b % m) */
@@ -296,10 +299,12 @@ static void sp_256_mont_sub_10(sp_digit* r, const sp_digit* a, const sp_digit* b
                const sp_digit* m)
 {
        sp_256_sub_10(r, a, b);
-        if (r[9] >> 22)
-                sp_256_add_10(r, r, m);
        sp_256_norm_10(r);
-        r[9] &= 0x03fffff; /* truncate to 22 bits */
+        if (r[9] >> 22) {
+                sp_256_add_10(r, r, m);
+                sp_256_norm_10(r);
+                r[9] &= 0x03fffff; /* truncate to 22 bits */
+        }
 }
 /* Double a Montgomery form number (r = a + a % m) */
@@ -317,14 +322,17 @@ static void sp_256_mont_tpl_10(sp_digit* r, const sp_digit* a, const sp_digit* m
 {
        sp_256_add_10(r, a, a);
        sp_256_norm_10(r);
-        if ((r[9] >> 22) > 0)
+        if ((r[9] >> 22) > 0) {
                sp_256_sub_10(r, r, m);
-        sp_256_norm_10(r);
+                sp_256_norm_10(r);
+        }
        sp_256_add_10(r, r, a);
        sp_256_norm_10(r);
-        if ((r[9] >> 22) > 0)
+        if ((r[9] >> 22) > 0) {
                sp_256_sub_10(r, r, m);
-        sp_256_norm_10(r);
+                sp_256_norm_10(r);
+        }
+        r[9] &= 0x03fffff; /* truncate to 22 bits */
 }
 /* Shift the result in the high 256 bits down to the bottom. */
@@ -650,6 +658,13 @@ static void sp_256_proj_point_dbl_10(sp_point* r, sp_point* p)
        if (r->infinity) /* If infinity, don't double */
                return;
+        if (SP_DEBUG) {
+                /* unused part of t2, may result in spurios
+                 * differences in debug output. Clear it.
+                 */
+                memset(t2, 0, sizeof(t2));
+        }
        /* T1 = Z * Z */
        sp_256_mont_sqr_10(t1, r->z /*, p256_mod, p256_mp_mod*/);
        /* Z = Y * Z */
author	Denys Vlasenko <vda.linux@googlemail.com>	2021-10-05 19:45:56 +0200
committer	Denys Vlasenko <vda.linux@googlemail.com>	2021-10-05 19:46:39 +0200
commit	55578f2fb7c05357fb0b1ce84b616ba8ffd6d907 (patch)
tree	9f8967394892f838cfebfb9e64b3d7aead6e5221
parent	81d8af1970e70f2bffa9e67acb10e732cba555a6 (diff)
download	busybox-w32-55578f2fb7c05357fb0b1ce84b616ba8ffd6d907.tar.gz busybox-w32-55578f2fb7c05357fb0b1ce84b616ba8ffd6d907.tar.bz2 busybox-w32-55578f2fb7c05357fb0b1ce84b616ba8ffd6d907.zip

diff --git a/networking/tls.c b/networking/tls.c index 7ae9e5a1f..4f0e2b6eb 100644 --- a/networking/tls.c +++ b/networking/tls.c
@@ -2326,6 +2326,48 @@ void FAST_FUNC tls_run_copy_loop(tls_state_t *tls, unsigned flags)
2326	const int INBUF_STEP = 4 * 1024;	2326	const int INBUF_STEP = 4 * 1024;
2327	struct pollfd pfds[2];	2327	struct pollfd pfds[2];
2328		2328
		2329	#if 0
		2330	// Debug aid for comparing P256 implementations.
		2331	// Enable this, set SP_DEBUG and FIXED_SECRET to 1,
		2332	// and add
		2333	// tls_run_copy_loop(NULL, 0);
		2334	// e.g. at the very beginning of wget_main()
		2335	//
		2336	{
		2337	//kbuild:lib-$(CONFIG_TLS) += tls_sp_c32_new.o
		2338	uint8_t ecc_pub_key32[2 * 32];
		2339	uint8_t pubkey2x32[2 * 32];
		2340	uint8_t premaster32[32];
		2341
		2342	//Fixed input key:
		2343	// memset(ecc_pub_key32, 0xee, sizeof(ecc_pub_key32));
		2344	//Fixed 000000000000000000000000000000000000ab000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
		2345	// memset(ecc_pub_key32, 0x00, sizeof(ecc_pub_key32));
		2346	// ecc_pub_key32[18] = 0xab;
		2347	//Random key:
		2348	tls_get_random(ecc_pub_key32, sizeof(ecc_pub_key32));
		2349	//Biased random (almost all zeros or almost all ones):
		2350	// srand(time(NULL) ^ getpid());
		2351	// if (rand() & 1)
		2352	// memset(ecc_pub_key32, 0x00, sizeof(ecc_pub_key32));
		2353	// else
		2354	// memset(ecc_pub_key32, 0xff, sizeof(ecc_pub_key32));
		2355	// ecc_pub_key32[rand() & 0x3f] = rand();
		2356
		2357	xmove_fd(xopen("p256.OLD", O_WRONLY \| O_CREAT \| O_TRUNC), 2);
		2358	curve_P256_compute_pubkey_and_premaster(
		2359	pubkey2x32, premaster32,
		2360	/point:/ ecc_pub_key32
		2361	);
		2362	xmove_fd(xopen("p256.NEW", O_WRONLY \| O_CREAT \| O_TRUNC), 2);
		2363	curve_P256_compute_pubkey_and_premaster_NEW(
		2364	pubkey2x32, premaster32,
		2365	/point:/ ecc_pub_key32
		2366	);
		2367	exit(1);
		2368	}
		2369	#endif
		2370
2329	pfds[0].fd = STDIN_FILENO;	2371	pfds[0].fd = STDIN_FILENO;
2330	pfds[0].events = POLLIN;	2372	pfds[0].events = POLLIN;
2331	pfds[1].fd = tls->ifd;	2373	pfds[1].fd = tls->ifd;


diff --git a/networking/tls.h b/networking/tls.h index 215e92b02..eb0fdd4cf 100644 --- a/networking/tls.h +++ b/networking/tls.h
@@ -117,3 +117,7 @@ void curve_x25519_compute_pubkey_and_premaster(
117	void curve_P256_compute_pubkey_and_premaster(	117	void curve_P256_compute_pubkey_and_premaster(
118	uint8_t pubkey2x32, uint8_t premaster32,	118	uint8_t pubkey2x32, uint8_t premaster32,
119	const uint8_t *peerkey2x32) FAST_FUNC;	119	const uint8_t *peerkey2x32) FAST_FUNC;
		120
		121	void curve_P256_compute_pubkey_and_premaster_NEW(
		122	uint8_t pubkey2x32, uint8_t premaster32,
		123	const uint8_t *peerkey2x32) FAST_FUNC;


diff --git a/networking/tls_sp_c32.c b/networking/tls_sp_c32.c index 99f9c6839..bba22dee3 100644 --- a/networking/tls_sp_c32.c +++ b/networking/tls_sp_c32.c
@@ -163,11 +163,13 @@ static void dump_512(const char fmt, const sp_digit cr)
163	a[j] = 0;	163	a[j] = 0;
164	for (i = 0; i < 20 && j >= 0; i++) {	164	for (i = 0; i < 20 && j >= 0; i++) {
165	b = 0;	165	b = 0;
166	a[j--] \|= r[i] << s; b += 8 - s;	166	a[j--] \|= r[i] << s;
		167	b += 8 - s;
167	if (j < 0)	168	if (j < 0)
168	break;	169	break;
169	while (b < 26) {	170	while (b < 26) {
170	a[j--] = r[i] >> b; b += 8;	171	a[j--] = r[i] >> b;
		172	b += 8;
171	if (j < 0)	173	if (j < 0)
172	break;	174	break;
173	}	175	}
@@ -286,9 +288,10 @@ static void sp_256_mont_add_10(sp_digit* r, const sp_digit* a, const sp_digit* b
286	{	288	{
287	sp_256_add_10(r, a, b);	289	sp_256_add_10(r, a, b);
288	sp_256_norm_10(r);	290	sp_256_norm_10(r);
289	if ((r[9] >> 22) > 0)	291	if ((r[9] >> 22) > 0) {
290	sp_256_sub_10(r, r, m);	292	sp_256_sub_10(r, r, m);
291	sp_256_norm_10(r);	293	sp_256_norm_10(r);
		294	}
292	}	295	}
293		296
294	/* Subtract two Montgomery form numbers (r = a - b % m) */	297	/* Subtract two Montgomery form numbers (r = a - b % m) */
@@ -296,10 +299,12 @@ static void sp_256_mont_sub_10(sp_digit* r, const sp_digit* a, const sp_digit* b
296	const sp_digit* m)	299	const sp_digit* m)
297	{	300	{
298	sp_256_sub_10(r, a, b);	301	sp_256_sub_10(r, a, b);
299	if (r[9] >> 22)
300	sp_256_add_10(r, r, m);
301	sp_256_norm_10(r);	302	sp_256_norm_10(r);
302	r[9] &= 0x03fffff; /* truncate to 22 bits */	303	if (r[9] >> 22) {
		304	sp_256_add_10(r, r, m);
		305	sp_256_norm_10(r);
		306	r[9] &= 0x03fffff; /* truncate to 22 bits */
		307	}
303	}	308	}
304		309
305	/* Double a Montgomery form number (r = a + a % m) */	310	/* Double a Montgomery form number (r = a + a % m) */
@@ -317,14 +322,17 @@ static void sp_256_mont_tpl_10(sp_digit* r, const sp_digit* a, const sp_digit* m
317	{	322	{
318	sp_256_add_10(r, a, a);	323	sp_256_add_10(r, a, a);
319	sp_256_norm_10(r);	324	sp_256_norm_10(r);
320	if ((r[9] >> 22) > 0)	325	if ((r[9] >> 22) > 0) {
321	sp_256_sub_10(r, r, m);	326	sp_256_sub_10(r, r, m);
322	sp_256_norm_10(r);	327	sp_256_norm_10(r);
		328	}
323	sp_256_add_10(r, r, a);	329	sp_256_add_10(r, r, a);
324	sp_256_norm_10(r);	330	sp_256_norm_10(r);
325	if ((r[9] >> 22) > 0)	331	if ((r[9] >> 22) > 0) {
326	sp_256_sub_10(r, r, m);	332	sp_256_sub_10(r, r, m);
327	sp_256_norm_10(r);	333	sp_256_norm_10(r);
		334	}
		335	r[9] &= 0x03fffff; /* truncate to 22 bits */
328	}	336	}
329		337
330	/* Shift the result in the high 256 bits down to the bottom. */	338	/* Shift the result in the high 256 bits down to the bottom. */
@@ -650,6 +658,13 @@ static void sp_256_proj_point_dbl_10(sp_point* r, sp_point* p)
650	if (r->infinity) /* If infinity, don't double */	658	if (r->infinity) /* If infinity, don't double */
651	return;	659	return;
652		660
		661	if (SP_DEBUG) {
		662	/* unused part of t2, may result in spurios
		663	* differences in debug output. Clear it.
		664	*/
		665	memset(t2, 0, sizeof(t2));
		666	}
		667
653	/* T1 = Z * Z */	668	/* T1 = Z * Z */
654	sp_256_mont_sqr_10(t1, r->z /, p256_mod, p256_mp_mod/);	669	sp_256_mont_sqr_10(t1, r->z /, p256_mod, p256_mp_mod/);
655	/* Z = Y * Z */	670	/* Z = Y * Z */