Blame SOURCES/nettle-2.7.1-ecc-cve.patch

c91e6d
diff --git a/ecc-256.c b/ecc-256.c
c91e6d
index 571cf73..07841b1 100644
c91e6d
--- a/ecc-256.c
c91e6d
+++ b/ecc-256.c
c91e6d
@@ -108,7 +108,10 @@ ecc_256_modp (const struct ecc_curve *ecc, mp_limb_t *rp)
c91e6d
       u0 -= t;
c91e6d
       t = (u1 < cy);
c91e6d
       u1 -= cy;
c91e6d
-      u1 += cnd_add_n (t, rp + n - 4, ecc->p, 3);
c91e6d
+
c91e6d
+      cy = cnd_add_n (t, rp + n - 4, ecc->p, 2);
c91e6d
+      u0 += cy;
c91e6d
+      u1 += (u0 < cy);
c91e6d
       u1 -= (-t) & 0xffffffff;
c91e6d
     }
c91e6d
   rp[2] = u0;
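Review bot: The rewritten carry handling at `cy = cnd_add_n (t, rp + n - 4, ecc->p, 2);` carries no comment explaining why only two limbs of p are added now and why the carry is routed through u0 before u1; the removed line folded a three-limb add straight into u1 and never touched u0, which is exactly what this hunk corrects. Suggest `/* Add the low two limbs of p; propagate the carry through u0 into u1 (the old 3-limb add skipped u0). */` above the new cnd_add_n call. Since this is a reduction path expected to be constant-time, it is worth confirming that cnd_add_n remains the only conditional operation and adding a regression vector that reaches the borrow case t != 0. The enclosing loop starts before the hunk.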
c91e6d
@@ -195,7 +198,7 @@ ecc_256_modq (const struct ecc_curve *ecc, mp_limb_t *rp)
c91e6d
 
c91e6d
       /* Conditional add of p */
c91e6d
       u1 += t;
c91e6d
-      u2 += (t<<32) + (u0 < t);
c91e6d
+      u2 += (t<<32) + (u1 < t);
c91e6d
 
c91e6d
       t = cnd_add_n (t, rp + n - 4, ecc->q, 2);
c91e6d
       u1 += t;
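Review bot: The context comment `/* Conditional add of p */` two lines above the fix is stale for this function: the value added below is `ecc->q` (`t = cnd_add_n (t, rp + n - 4, ecc->q, 2);`), so it should read `/* Conditional add of q */`. The corrected line `u2 += (t<<32) + (u1 < t);` now takes the carry from the `u1 += t` directly above it instead of from u0; a one-line comment such as `/* (u1 < t) is the carry out of u1 += t */` would keep a later reader from "fixing" it back. A regression test that forces t != 0 here would pin the one-character change. The enclosing loop starts before the hunk.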
c91e6d
diff --git a/x86_64/ecc-384-modp.asm b/x86_64/ecc-384-modp.asm
c91e6d
index 698838f..31b739e 100644
c91e6d
--- a/x86_64/ecc-384-modp.asm
c91e6d
+++ b/x86_64/ecc-384-modp.asm
c91e6d
@@ -20,7 +20,7 @@ C MA 02111-1301, USA.
c91e6d
 	.file "ecc-384-modp.asm"
c91e6d
 
c91e6d
 define(<RP>, <%rsi>)
c91e6d
-define(<D4>, <%rax>)
c91e6d
+define(<D5>, <%rax>)
c91e6d
 define(<T0>, <%rbx>)
c91e6d
 define(<T1>, <%rcx>)
c91e6d
 define(<T2>, <%rdx>)
c91e6d
@@ -35,8 +35,8 @@ define(

, <%r13>)

c91e6d
 define(
, <%r14>)
c91e6d
 define(<C2>, <%r15>)
c91e6d
 define(<C0>, H5)	C Overlap
c91e6d
-define(<D0>, RP)	C Overlap
c91e6d
-define(<TMP>, H4)	C Overlap
c91e6d
+define(<TMP>, RP)	C Overlap
c91e6d
+
c91e6d
 
c91e6d
 PROLOGUE(nettle_ecc_384_modp)
c91e6d
 	W64_ENTRY(2, 0)
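Review bot: With `define(<TMP>, RP)	C Overlap` the scratch register now aliases the result pointer, so RP holds scratch data from the first use of TMP until the `pop RP` that precedes the stores, and that invariant is only discoverable by reading the whole function. Suggest extending the comment: `define(<TMP>, RP)	C Overlap; RP is saved on entry and restored by pop RP before the stores`. The define block could also state that %rax (now D5) is expected to stay live from the initial folding to the final carry chain, since the old D4 alias did not have that lifetime. The push that saves RP is presumably in the unshown part of the prologue.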
c91e6d
@@ -48,34 +48,38 @@ PROLOGUE(nettle_ecc_384_modp)
c91e6d
 	push	%r14
c91e6d
 	push	%r15
c91e6d
 
c91e6d
-	C First get top 2 limbs, which need folding twice
c91e6d
+	C First get top 2 limbs, which need folding twice.
c91e6d
+	C B^10 = B^6 + B^4 + 2^32 (B-1)B^4.
c91e6d
+	C We handle the terms as follow:
c91e6d
 	C
c91e6d
-	C   H5 H4
c91e6d
-	C     -H5
c91e6d
-	C  ------
c91e6d
-	C   H0 D4
c91e6d
+	C B^6: Folded immediatly.
c91e6d
 	C
c91e6d
-	C Then shift right, (H1,H0,D4)  <--  (H0,D4) << 32
c91e6d
-	C and add
c91e6d
+	C B^4: Delayed, added in in the next folding.
c91e6d
 	C
c91e6d
-	C     H5 H4
c91e6d
-	C     H1 H0
c91e6d
-	C ----------
c91e6d
-	C  C2 H1 H0
c91e6d
-
c91e6d
-	mov	80(RP), D4
c91e6d
-	mov	88(RP), H0
c91e6d
-	mov	D4, H4
c91e6d
-	mov	H0, H5
c91e6d
-	sub	H0, D4
c91e6d
-	sbb	$0, H0
c91e6d
-
c91e6d
-	mov	D4, T2
c91e6d
-	mov	H0, H1
c91e6d
-	shl	$32, H0
c91e6d
-	shr	$32, T2
c91e6d
+	C 2^32(B-1) B^4: Low half limb delayed until the next
c91e6d
+	C folding. Top 1.5 limbs subtracted and shifter now, resulting
c91e6d
+	C in 2.5 limbs. The low limb saved in D5, high 1.5 limbs added
c91e6d
+	C in.
c91e6d
+
c91e6d
+	mov	80(RP), H4
c91e6d
+	mov	88(RP), H5
c91e6d
+	C Shift right 32 bits, into H1, H0
c91e6d
+	mov	H4, H0
c91e6d
+	mov	H5, H1
c91e6d
+	mov	H5, D5
c91e6d
 	shr	$32, H1
c91e6d
-	or	T2, H0
c91e6d
+	shl	$32, D5
c91e6d
+	shr	$32, H0
c91e6d
+	or	D5, H0
c91e6d
+
c91e6d
+	C	H1 H0
c91e6d
+	C       -  H1 H0
c91e6d
+	C       --------
c91e6d
+	C       H1 H0 D5
c91e6d
+	mov	H0, D5
c91e6d
+	neg	D5
c91e6d
+	sbb	H1, H0
c91e6d
+	sbb	$0, H1
c91e6d
 
c91e6d
 	xor	C2, C2
c91e6d
 	add	H4, H0
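Review bot: The new block comment has typos that will outlive the patch: `C We handle the terms as follow:` should be `as follows:`, `C B^6: Folded immediatly.` should be `immediately.`, and `Top 1.5 limbs subtracted and shifter now` should be `shifted now`. The more important omission is that D5 (%rax), set by `neg D5` as the low limb of (H1 H0)(B-1), is consumed only by the `adc D5, T5` in the final carry chain much later in the function; a comment at the end of this block, `C D5 live until the final adc into T5; do not reuse %rax`, would guard against a later edit clobbering it (this assumes nothing in the unshown lines between the two hunks writes %rax). The function body continues past the hunk.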
c91e6d
@@ -114,118 +118,95 @@ PROLOGUE(nettle_ecc_384_modp)
c91e6d
 	adc	H3, T5
c91e6d
 	adc	$0, C0
c91e6d
 
c91e6d
-	C   H3 H2 H1 H0  0
c91e6d
-	C - H4 H3 H2 H1 H0
c91e6d
-	C  ---------------
c91e6d
-	C   H3 H2 H1 H0 D0
c91e6d
-
c91e6d
-	mov	XREG(D4), XREG(D4)
c91e6d
-	mov	H0, D0
c91e6d
-	neg	D0
c91e6d
-	sbb	H1, H0
c91e6d
-	sbb	H2, H1
c91e6d
-	sbb	H3, H2
c91e6d
-	sbb	H4, H3
c91e6d
-	sbb	$0, D4
c91e6d
-
c91e6d
-	C Shift right. High bits are sign, to be added to C0.
c91e6d
-	mov	D4, TMP
c91e6d
-	sar	$32, TMP
c91e6d
-	shl	$32, D4
c91e6d
-	add	TMP, C0
c91e6d
-
c91e6d
+	C Shift left, including low half of H4
c91e6d
 	mov	H3, TMP
c91e6d
+	shl	$32, H4
c91e6d
 	shr	$32, TMP
c91e6d
-	shl	$32, H3
c91e6d
-	or	TMP, D4
c91e6d
+	or	TMP, H4
c91e6d
 
c91e6d
 	mov	H2, TMP
c91e6d
+	shl	$32, H3
c91e6d
 	shr	$32, TMP
c91e6d
-	shl	$32, H2
c91e6d
 	or	TMP, H3
c91e6d
 
c91e6d
 	mov	H1, TMP
c91e6d
+	shl	$32, H2
c91e6d
 	shr	$32, TMP
c91e6d
-	shl	$32, H1
c91e6d
 	or	TMP, H2
c91e6d
 
c91e6d
 	mov	H0, TMP
c91e6d
+	shl	$32, H1
c91e6d
 	shr	$32, TMP
c91e6d
-	shl	$32, H0
c91e6d
 	or	TMP, H1
c91e6d
 
c91e6d
-	mov	D0, TMP
c91e6d
-	shr	$32, TMP
c91e6d
-	shl	$32, D0
c91e6d
-	or	TMP, H0
c91e6d
+	shl	$32, H0
c91e6d
+
c91e6d
+	C   H4 H3 H2 H1 H0  0
c91e6d
+	C  -   H4 H3 H2 H1 H0
c91e6d
+	C  ---------------
c91e6d
+	C   H4 H3 H2 H1 H0 TMP
c91e6d
 
c91e6d
-	add	D0, T0
c91e6d
+	mov	H0, TMP
c91e6d
+	neg	TMP
c91e6d
+	sbb	H1, H0
c91e6d
+	sbb	H2, H1
c91e6d
+	sbb	H3, H2
c91e6d
+	sbb	H4, H3
c91e6d
+	sbb	$0, H4
c91e6d
+
c91e6d
+	add	TMP, T0
c91e6d
 	adc	H0, T1
c91e6d
 	adc	H1, T2
c91e6d
 	adc	H2, T3
c91e6d
 	adc	H3, T4
c91e6d
-	adc	D4, T5
c91e6d
+	adc	H4, T5
c91e6d
 	adc	$0, C0
c91e6d
 
c91e6d
 	C Remains to add in C2 and C0
c91e6d
-	C                         C0  C0<<32  (-2^32+1)C0
c91e6d
-	C    C2  C2<<32  (-2^32+1)C2
c91e6d
-	C where C2 is always positive, while C0 may be -1.
c91e6d
+	C Set H1, H0 = (2^96 - 2^32 + 1) C0
c91e6d
 	mov	C0, H0
c91e6d
 	mov	C0, H1
c91e6d
-	mov	C0, H2
c91e6d
-	sar	$63, C0		C Get sign
c91e6d
 	shl	$32, H1
c91e6d
-	sub	H1, H0		C Gives borrow iff C0 > 0
c91e6d
+	sub	H1, H0
c91e6d
 	sbb	$0, H1
c91e6d
-	add	C0, H2
c91e6d
 
c91e6d
+	C Set H3, H2 = (2^96 - 2^32 + 1) C2
c91e6d
+	mov	C2, H2
c91e6d
+	mov	C2, H3
c91e6d
+	shl	$32, H3
c91e6d
+	sub	H3, H2
c91e6d
+	sbb	$0, H3
c91e6d
+	add	C0, H2		C No carry. Could use lea trick
c91e6d
+
c91e6d
+	xor	C0, C0
c91e6d
 	add	H0, T0
c91e6d
 	adc	H1, T1
c91e6d
-	adc	$0, H2
c91e6d
-	adc	$0, C0
c91e6d
-
c91e6d
-	C Set (H1 H0)  <-- C2 << 96 - C2 << 32 + 1
c91e6d
-	mov	C2, H0
c91e6d
-	mov	C2, H1
c91e6d
-	shl	$32, H1
c91e6d
-	sub	H1, H0
c91e6d
-	sbb	$0, H1
c91e6d
-
c91e6d
-	add	H2, H0
c91e6d
-	adc	C0, H1
c91e6d
-	adc	C2, C0
c91e6d
-	mov	C0, H2
c91e6d
-	sar	$63, C0
c91e6d
-	add	H0, T2
c91e6d
-	adc	H1, T3
c91e6d
-	adc	H2, T4
c91e6d
-	adc	C0, T5
c91e6d
-	sbb	C0, C0
c91e6d
+	adc	H2, T2
c91e6d
+	adc	H3, T3
c91e6d
+	adc	C2, T4
c91e6d
+	adc	D5, T5		C Value delayed from initial folding
c91e6d
+	adc	$0, C0		C Use sbb and switch sign?
c91e6d
 
c91e6d
 	C Final unlikely carry
c91e6d
 	mov	C0, H0
c91e6d
 	mov	C0, H1
c91e6d
-	mov	C0, H2
c91e6d
-	sar	$63, C0
c91e6d
 	shl	$32, H1
c91e6d
 	sub	H1, H0
c91e6d
 	sbb	$0, H1
c91e6d
-	add	C0, H2
c91e6d
 
c91e6d
 	pop	RP
c91e6d
 
c91e6d
-	sub	H0, T0
c91e6d
+	add	H0, T0
c91e6d
 	mov	T0, (RP)
c91e6d
-	sbb	H1, T1
c91e6d
+	adc	H1, T1
c91e6d
 	mov	T1, 8(RP)
c91e6d
-	sbb	H2, T2
c91e6d
+	adc	C0, T2
c91e6d
 	mov	T2, 16(RP)
c91e6d
-	sbb	C0, T3
c91e6d
+	adc	$0, T3
c91e6d
 	mov	T3, 24(RP)
c91e6d
-	sbb	C0, T4
c91e6d
+	adc	$0, T4
c91e6d
 	mov	T4, 32(RP)
c91e6d
-	sbb	C0, T5
c91e6d
+	adc	$0, T5
c91e6d
 	mov	T5, 40(RP)
c91e6d
 
c91e6d
 	pop	%r15
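Review bot: `add	C0, H2		C No carry. Could use lea trick` asserts a bound it does not state: H2 is 0 when C2 = 0 and otherwise at least 2^64 - C2(2^32-1), so no carry requires C0 to be below that gap, which presumably holds because C0 and C2 only accumulate a few carries; the comment should spell that out, e.g. `C No carry: H2 = 0 if C2 = 0, else H2 >= 2^64 - C2(2^32-1) > C0`. Likewise the closing chain ending in `adc	$0, T5` silently drops any carry out of T5, and `C Final unlikely carry` says only that such a carry is unlikely, not why the bound on C0 makes it impossible; that justification belongs next to the chain. `adc	$0, C0		C Use sbb and switch sign?` ships an open design question in a security fix — either resolve it or mark it `C TODO:` with the reasoning. The bounds on C0 and C2 are inferred rather than visible in the hunk, and the prologue and epilogue lie outside it.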