Merge pull request #4204 from Rohde-Schwarz/ct/poison_curve448

CT::poison() for Curve448
randombit · Jul 12, 2024 · 6945e90 · 6945e90
2 parents d88042e + acaa624
commit 6945e90
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 14 deletions.
diff --git a/src/lib/pubkey/curve448/curve448_scalar.cpp b/src/lib/pubkey/curve448/curve448_scalar.cpp
@@ -72,6 +72,7 @@ std::array<word, Scalar448::WORDS> add(std::span<const word, Scalar448::WORDS> x
    std::array<word, Scalar448::WORDS> res;
    copy_mem(res, x);
    const word carry = bigint_add2_nc(res.data(), res.size(), y.data(), y.size());
+   CT::unpoison(carry);
    BOTAN_ASSERT(carry == 0, "Result fits in output");
    return res;
 }

diff --git a/src/lib/pubkey/curve448/ed448/ed448.cpp b/src/lib/pubkey/curve448/ed448/ed448.cpp
@@ -12,6 +12,7 @@
 #include <botan/der_enc.h>
 #include <botan/hash.h>
 #include <botan/rng.h>
+#include <botan/internal/ct_utils.h>
 #include <botan/internal/ed448_internal.h>
 #include <botan/internal/pk_ops_impl.h>
 
@@ -65,18 +66,16 @@ Ed448_PrivateKey::Ed448_PrivateKey(const AlgorithmIdentifier& /*unused*/, std::s
    m_public = create_pk_from_sk(std::span(m_private).first<ED448_LEN>());
 }
 
-Ed448_PrivateKey::Ed448_PrivateKey(RandomNumberGenerator& rng) {
-   m_private.resize(ED448_LEN);
-   rng.randomize(m_private);
-   m_public = create_pk_from_sk(std::span(m_private).first<ED448_LEN>());
-}
+Ed448_PrivateKey::Ed448_PrivateKey(RandomNumberGenerator& rng) : Ed448_PrivateKey(rng.random_vec(ED448_LEN)) {}
 
 Ed448_PrivateKey::Ed448_PrivateKey(std::span<const uint8_t> key_bits) {
    if(key_bits.size() != ED448_LEN) {
       throw Decoding_Error("Invalid size for Ed448 private key");
    }
-   m_private = {key_bits.begin(), key_bits.end()};
+   m_private.assign(key_bits.begin(), key_bits.end());
+   auto scope = CT::scoped_poison(m_private);
    m_public = create_pk_from_sk(std::span(m_private).first<ED448_LEN>());
+   CT::unpoison(m_public);
 }
 
 std::unique_ptr<Public_Key> Ed448_PrivateKey::public_key() const {
@@ -178,7 +177,7 @@ class Ed448_Sign_Operation final : public PK_Ops::Signature {
          copy_mem(m_pk, std::span(pk_bits).first<ED448_LEN>());
          const auto sk_bits = key.raw_private_key_bits();
          BOTAN_ASSERT_NOMSG(sk_bits.size() == ED448_LEN);
-         m_sk = {sk_bits.begin(), sk_bits.end()};
+         m_sk.assign(sk_bits.begin(), sk_bits.end());
          if(m_prehash_function) {
             m_message = std::make_unique<Prehashed_Ed448_Message>(*m_prehash_function);
          } else {
@@ -190,8 +189,10 @@ class Ed448_Sign_Operation final : public PK_Ops::Signature {
 
       secure_vector<uint8_t> sign(RandomNumberGenerator& /*rng*/) override {
          BOTAN_ASSERT_NOMSG(m_sk.size() == ED448_LEN);
+         auto scope = CT::scoped_poison(m_sk);
          const auto sig = sign_message(
             std::span(m_sk).first<ED448_LEN>(), m_pk, m_prehash_function.has_value(), {}, m_message->get_and_clear());
+         CT::unpoison(sig);
          return {sig.begin(), sig.end()};
       }
 

diff --git a/src/lib/pubkey/curve448/x448/x448.cpp b/src/lib/pubkey/curve448/x448/x448.cpp
@@ -66,15 +66,13 @@ X448_PrivateKey::X448_PrivateKey(const AlgorithmIdentifier& /*alg_id*/, std::spa
 
 X448_PrivateKey::X448_PrivateKey(std::span<const uint8_t> secret_key) {
    BOTAN_ARG_CHECK(secret_key.size() == X448_LEN, "Invalid size for X448 private key");
-   m_private = {secret_key.begin(), secret_key.end()};
+   m_private.assign(secret_key.begin(), secret_key.end());
+   auto scope = CT::scoped_poison(m_private);
    x448_basepoint_from_data(m_public, std::span(m_private).first<X448_LEN>());
+   CT::unpoison(m_public);
 }
 
-X448_PrivateKey::X448_PrivateKey(RandomNumberGenerator& rng) {
-   m_private.resize(X448_LEN);
-   rng.randomize(m_private);
-   x448_basepoint_from_data(m_public, std::span(m_private).first<X448_LEN>());
-}
+X448_PrivateKey::X448_PrivateKey(RandomNumberGenerator& rng) : X448_PrivateKey(rng.random_vec(X448_LEN)) {}
 
 std::unique_ptr<Public_Key> X448_PrivateKey::public_key() const {
    return std::make_unique<X448_PublicKey>(public_value());
@@ -87,6 +85,7 @@ secure_vector<uint8_t> X448_PrivateKey::private_key_bits() const {
 bool X448_PrivateKey::check_key(RandomNumberGenerator& /*rng*/, bool /*strong*/) const {
    std::array<uint8_t, X448_LEN> public_point;
    BOTAN_ASSERT_NOMSG(m_private.size() == X448_LEN);
+   auto scope = CT::scoped_poison(m_private);
    x448_basepoint_from_data(public_point, std::span(m_private).first<X448_LEN>());
    return CT::is_equal(public_point.data(), m_public.data(), m_public.size()).as_bool();
 }
@@ -106,13 +105,18 @@ class X448_KA_Operation final : public PK_Ops::Key_Agreement_with_KDF {
       size_t agreed_value_size() const override { return X448_LEN; }
 
       secure_vector<uint8_t> raw_agree(const uint8_t w_data[], size_t w_len) override {
+         auto scope = CT::scoped_poison(m_sk);
+
          std::span<const uint8_t> w(w_data, w_len);
          BOTAN_ARG_CHECK(w.size() == X448_LEN, "Invalid size for X448 private key");
          BOTAN_ASSERT_NOMSG(m_sk.size() == X448_LEN);
          const auto k = decode_scalar(m_sk);
          const auto u = decode_point(w);
 
-         return encode_point(x448(k, u));
+         auto shared_secret = encode_point(x448(k, u));
+         CT::unpoison(shared_secret);
+
+         return shared_secret;
       }
 
    private: