From 3bf9217ba4096274cc7f23c34d02f017eff50703 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ren=C3=A9=20Meusel?= Date: Fri, 12 Jul 2024 13:28:29 +0200 Subject: [PATCH 1/2] CT::poison() in X448 Co-Authored-By: Fabian Albert --- src/lib/pubkey/curve448/x448/x448.cpp | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/src/lib/pubkey/curve448/x448/x448.cpp b/src/lib/pubkey/curve448/x448/x448.cpp index 5830575bbc..ce508f8a13 100644 --- a/src/lib/pubkey/curve448/x448/x448.cpp +++ b/src/lib/pubkey/curve448/x448/x448.cpp @@ -66,15 +66,13 @@ X448_PrivateKey::X448_PrivateKey(const AlgorithmIdentifier& /*alg_id*/, std::spa X448_PrivateKey::X448_PrivateKey(std::span secret_key) { BOTAN_ARG_CHECK(secret_key.size() == X448_LEN, "Invalid size for X448 private key"); - m_private = {secret_key.begin(), secret_key.end()}; + m_private.assign(secret_key.begin(), secret_key.end()); + auto scope = CT::scoped_poison(m_private); x448_basepoint_from_data(m_public, std::span(m_private).first()); + CT::unpoison(m_public); } -X448_PrivateKey::X448_PrivateKey(RandomNumberGenerator& rng) { - m_private.resize(X448_LEN); - rng.randomize(m_private); - x448_basepoint_from_data(m_public, std::span(m_private).first()); -} +X448_PrivateKey::X448_PrivateKey(RandomNumberGenerator& rng) : X448_PrivateKey(rng.random_vec(X448_LEN)) {} std::unique_ptr X448_PrivateKey::public_key() const { return std::make_unique(public_value()); @@ -87,6 +85,7 @@ secure_vector X448_PrivateKey::private_key_bits() const { bool X448_PrivateKey::check_key(RandomNumberGenerator& /*rng*/, bool /*strong*/) const { std::array public_point; BOTAN_ASSERT_NOMSG(m_private.size() == X448_LEN); + auto scope = CT::scoped_poison(m_private); x448_basepoint_from_data(public_point, std::span(m_private).first()); return CT::is_equal(public_point.data(), m_public.data(), m_public.size()).as_bool(); } @@ -106,13 +105,18 @@ class X448_KA_Operation final : public PK_Ops::Key_Agreement_with_KDF { size_t agreed_value_size() const override { return X448_LEN; } secure_vector raw_agree(const uint8_t w_data[], size_t w_len) override { + auto scope = CT::scoped_poison(m_sk); + std::span w(w_data, w_len); BOTAN_ARG_CHECK(w.size() == X448_LEN, "Invalid size for X448 private key"); BOTAN_ASSERT_NOMSG(m_sk.size() == X448_LEN); const auto k = decode_scalar(m_sk); const auto u = decode_point(w); - return encode_point(x448(k, u)); + auto shared_secret = encode_point(x448(k, u)); + CT::unpoison(shared_secret); + + return shared_secret; } private: From acaa6245db3a6ce2499782b3b478adda00bff76c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ren=C3=A9=20Meusel?= Date: Fri, 12 Jul 2024 14:33:54 +0200 Subject: [PATCH 2/2] CT::poison() in Ed448 Co-Authored-By: Fabian Albert --- src/lib/pubkey/curve448/curve448_scalar.cpp | 1 + src/lib/pubkey/curve448/ed448/ed448.cpp | 15 ++++++++------- 2 files changed, 9 insertions(+), 7 deletions(-) diff --git a/src/lib/pubkey/curve448/curve448_scalar.cpp b/src/lib/pubkey/curve448/curve448_scalar.cpp index 3366c76ad5..a75be94248 100644 --- a/src/lib/pubkey/curve448/curve448_scalar.cpp +++ b/src/lib/pubkey/curve448/curve448_scalar.cpp @@ -72,6 +72,7 @@ std::array add(std::span x std::array res; copy_mem(res, x); const word carry = bigint_add2_nc(res.data(), res.size(), y.data(), y.size()); + CT::unpoison(carry); BOTAN_ASSERT(carry == 0, "Result fits in output"); return res; } diff --git a/src/lib/pubkey/curve448/ed448/ed448.cpp b/src/lib/pubkey/curve448/ed448/ed448.cpp index 6ef430bc08..81f75ec059 100644 --- a/src/lib/pubkey/curve448/ed448/ed448.cpp +++ b/src/lib/pubkey/curve448/ed448/ed448.cpp @@ -12,6 +12,7 @@ #include #include #include +#include #include #include @@ -65,18 +66,16 @@ Ed448_PrivateKey::Ed448_PrivateKey(const AlgorithmIdentifier& /*unused*/, std::s m_public = create_pk_from_sk(std::span(m_private).first()); } -Ed448_PrivateKey::Ed448_PrivateKey(RandomNumberGenerator& rng) { - m_private.resize(ED448_LEN); - rng.randomize(m_private); - m_public = create_pk_from_sk(std::span(m_private).first()); -} +Ed448_PrivateKey::Ed448_PrivateKey(RandomNumberGenerator& rng) : Ed448_PrivateKey(rng.random_vec(ED448_LEN)) {} Ed448_PrivateKey::Ed448_PrivateKey(std::span key_bits) { if(key_bits.size() != ED448_LEN) { throw Decoding_Error("Invalid size for Ed448 private key"); } - m_private = {key_bits.begin(), key_bits.end()}; + m_private.assign(key_bits.begin(), key_bits.end()); + auto scope = CT::scoped_poison(m_private); m_public = create_pk_from_sk(std::span(m_private).first()); + CT::unpoison(m_public); } std::unique_ptr Ed448_PrivateKey::public_key() const { @@ -178,7 +177,7 @@ class Ed448_Sign_Operation final : public PK_Ops::Signature { copy_mem(m_pk, std::span(pk_bits).first()); const auto sk_bits = key.raw_private_key_bits(); BOTAN_ASSERT_NOMSG(sk_bits.size() == ED448_LEN); - m_sk = {sk_bits.begin(), sk_bits.end()}; + m_sk.assign(sk_bits.begin(), sk_bits.end()); if(m_prehash_function) { m_message = std::make_unique(*m_prehash_function); } else { @@ -190,8 +189,10 @@ class Ed448_Sign_Operation final : public PK_Ops::Signature { secure_vector sign(RandomNumberGenerator& /*rng*/) override { BOTAN_ASSERT_NOMSG(m_sk.size() == ED448_LEN); + auto scope = CT::scoped_poison(m_sk); const auto sig = sign_message( std::span(m_sk).first(), m_pk, m_prehash_function.has_value(), {}, m_message->get_and_clear()); + CT::unpoison(sig); return {sig.begin(), sig.end()}; }