Merge pull request #142 from paragonie/php81-float

Fix #140
paragonie · Mar 23, 2022 · f6550aa · f6550aa
2 parents 0c88481 + d17b49c
commit f6550aa
Show file tree

Hide file tree

Showing 2 changed files with 108 additions and 50 deletions.
diff --git a/src/Core/Curve25519.php b/src/Core/Curve25519.php
@@ -342,6 +342,9 @@ public static function fe_mul(
         ParagonIE_Sodium_Core_Curve25519_Fe $f,
         ParagonIE_Sodium_Core_Curve25519_Fe $g
     ) {
+        // Ensure limbs aren't oversized.
+        $f = self::fe_normalize($f);
+        $g = self::fe_normalize($g);
         $f0 = $f[0];
         $f1 = $f[1];
         $f2 = $f[2];
@@ -476,6 +479,7 @@ public static function fe_mul(
         $f9g7_38 = self::mul($g7_19, $f9_2, 26);
         $f9g8_19 = self::mul($g8_19, $f9, 25);
         $f9g9_38 = self::mul($g9_19, $f9_2, 26);
+
         $h0 = $f0g0 + $f1g9_38 + $f2g8_19 + $f3g7_38 + $f4g6_19 + $f5g5_38 + $f6g4_19 + $f7g3_38 + $f8g2_19 + $f9g1_38;
         $h1 = $f0g1 + $f1g0    + $f2g9_19 + $f3g8_19 + $f4g7_19 + $f5g6_19 + $f6g5_19 + $f7g4_19 + $f8g3_19 + $f9g2_19;
         $h2 = $f0g2 + $f1g1_2  + $f2g0    + $f3g9_38 + $f4g8_19 + $f5g7_38 + $f6g6_19 + $f7g5_38 + $f8g4_19 + $f9g3_38;
@@ -530,18 +534,20 @@ public static function fe_mul(
         $h1 += $carry0;
         $h0 -= $carry0 << 26;
 
-        return ParagonIE_Sodium_Core_Curve25519_Fe::fromArray(
-            array(
-                (int) $h0,
-                (int) $h1,
-                (int) $h2,
-                (int) $h3,
-                (int) $h4,
-                (int) $h5,
-                (int) $h6,
-                (int) $h7,
-                (int) $h8,
-                (int) $h9
+        return self::fe_normalize(
+            ParagonIE_Sodium_Core_Curve25519_Fe::fromArray(
+                array(
+                    (int) $h0,
+                    (int) $h1,
+                    (int) $h2,
+                    (int) $h3,
+                    (int) $h4,
+                    (int) $h5,
+                    (int) $h6,
+                    (int) $h7,
+                    (int) $h8,
+                    (int) $h9
+                )
             )
         );
     }
@@ -563,7 +569,7 @@ public static function fe_neg(ParagonIE_Sodium_Core_Curve25519_Fe $f)
         for ($i = 0; $i < 10; ++$i) {
             $h[$i] = -$f[$i];
         }
-        return $h;
+        return self::fe_normalize($h);
     }
 
     /**
@@ -578,6 +584,7 @@ public static function fe_neg(ParagonIE_Sodium_Core_Curve25519_Fe $f)
      */
     public static function fe_sq(ParagonIE_Sodium_Core_Curve25519_Fe $f)
     {
+        $f = self::fe_normalize($f);
         $f0 = (int) $f[0];
         $f1 = (int) $f[1];
         $f2 = (int) $f[2];
@@ -711,18 +718,20 @@ public static function fe_sq(ParagonIE_Sodium_Core_Curve25519_Fe $f)
         $h1 += $carry0;
         $h0 -= $carry0 << 26;
 
-        return ParagonIE_Sodium_Core_Curve25519_Fe::fromArray(
-            array(
-                (int) $h0,
-                (int) $h1,
-                (int) $h2,
-                (int) $h3,
-                (int) $h4,
-                (int) $h5,
-                (int) $h6,
-                (int) $h7,
-                (int) $h8,
-                (int) $h9
+        return self::fe_normalize(
+            ParagonIE_Sodium_Core_Curve25519_Fe::fromArray(
+                array(
+                    (int) $h0,
+                    (int) $h1,
+                    (int) $h2,
+                    (int) $h3,
+                    (int) $h4,
+                    (int) $h5,
+                    (int) $h6,
+                    (int) $h7,
+                    (int) $h8,
+                    (int) $h9
+                )
             )
         );
     }
@@ -740,6 +749,7 @@ public static function fe_sq(ParagonIE_Sodium_Core_Curve25519_Fe $f)
      */
     public static function fe_sq2(ParagonIE_Sodium_Core_Curve25519_Fe $f)
     {
+        $f = self::fe_normalize($f);
         $f0 = (int) $f[0];
         $f1 = (int) $f[1];
         $f2 = (int) $f[2];
@@ -874,18 +884,20 @@ public static function fe_sq2(ParagonIE_Sodium_Core_Curve25519_Fe $f)
         $h1 += $carry0;
         $h0 -= $carry0 << 26;
 
-        return ParagonIE_Sodium_Core_Curve25519_Fe::fromArray(
-            array(
-                (int) $h0,
-                (int) $h1,
-                (int) $h2,
-                (int) $h3,
-                (int) $h4,
-                (int) $h5,
-                (int) $h6,
-                (int) $h7,
-                (int) $h8,
-                (int) $h9
+        return self::fe_normalize(
+            ParagonIE_Sodium_Core_Curve25519_Fe::fromArray(
+                array(
+                    (int) $h0,
+                    (int) $h1,
+                    (int) $h2,
+                    (int) $h3,
+                    (int) $h4,
+                    (int) $h5,
+                    (int) $h6,
+                    (int) $h7,
+                    (int) $h8,
+                    (int) $h9
+                )
             )
         );
     }
@@ -958,6 +970,7 @@ public static function fe_invert(ParagonIE_Sodium_Core_Curve25519_Fe $Z)
      */
     public static function fe_pow22523(ParagonIE_Sodium_Core_Curve25519_Fe $z)
     {
+        $z = self::fe_normalize($z);
         # fe_sq(t0, z);
         # fe_sq(t1, t0);
         # fe_sq(t1, t1);
@@ -1085,18 +1098,20 @@ public static function fe_pow22523(ParagonIE_Sodium_Core_Curve25519_Fe $z)
      */
     public static function fe_sub(ParagonIE_Sodium_Core_Curve25519_Fe $f, ParagonIE_Sodium_Core_Curve25519_Fe $g)
     {
-        return ParagonIE_Sodium_Core_Curve25519_Fe::fromArray(
-            array(
-                (int) ($f[0] - $g[0]),
-                (int) ($f[1] - $g[1]),
-                (int) ($f[2] - $g[2]),
-                (int) ($f[3] - $g[3]),
-                (int) ($f[4] - $g[4]),
-                (int) ($f[5] - $g[5]),
-                (int) ($f[6] - $g[6]),
-                (int) ($f[7] - $g[7]),
-                (int) ($f[8] - $g[8]),
-                (int) ($f[9] - $g[9])
+        return self::fe_normalize(
+            ParagonIE_Sodium_Core_Curve25519_Fe::fromArray(
+                array(
+                    (int) ($f[0] - $g[0]),
+                    (int) ($f[1] - $g[1]),
+                    (int) ($f[2] - $g[2]),
+                    (int) ($f[3] - $g[3]),
+                    (int) ($f[4] - $g[4]),
+                    (int) ($f[5] - $g[5]),
+                    (int) ($f[6] - $g[6]),
+                    (int) ($f[7] - $g[7]),
+                    (int) ($f[8] - $g[8]),
+                    (int) ($f[9] - $g[9])
+                )
             )
         );
     }
@@ -3782,4 +3797,40 @@ public static function clamp($s)
         $s_[31] &= 128;
         return self::intArrayToString($s_);
     }
+
+    /**
+     * Ensure limbs are less than 28 bits long to prevent float promotion.
+     *
+     * This uses a constant-time conditional swap under the hood.
+     *
+     * @param ParagonIE_Sodium_Core_Curve25519_Fe $f
+     * @return ParagonIE_Sodium_Core_Curve25519_Fe
+     */
+    public static function fe_normalize(ParagonIE_Sodium_Core_Curve25519_Fe $f)
+    {
+        $x = (PHP_INT_SIZE << 3) - 1; // 31 or 63
+
+        $g = self::fe_copy($f);
+        for ($i = 0; $i < 10; ++$i) {
+            $mask = -(($g[$i] >> $x) & 1);
+
+            /*
+             * Get two candidate normalized values for $g[$i], depending on the sign of $g[$i]:
+             */
+            $a = $g[$i] & 0x7ffffff;
+            $b = -((-$g[$i]) & 0x7ffffff);
+
+            /*
+             * Return the appropriate candidate value, based on the sign of the original input:
+             *
+             * The following is equivalent to this ternary:
+             *
+             * $g[$i] = (($g[$i] >> $x) & 1) ? $a : $b;
+             *
+             * Except what's written doesn't contain timing leaks.
+             */
+            $g[$i] = ($a ^ (($a ^ $b) & $mask));
+        }
+        return $g;
+    }
 }
diff --git a/src/Core32/Curve25519.php b/src/Core32/Curve25519.php
@@ -1833,7 +1833,14 @@ public static function ge_precomp_0()
      */
     public static function equal($b, $c)
     {
-        return (int) ((($b ^ $c) - 1 & 0xffffffff) >> 31);
+        $b0 = $b & 0xffff;
+        $b1 = ($b >> 16) & 0xffff;
+        $c0 = $c & 0xffff;
+        $c1 = ($c >> 16) & 0xffff;
+
+        $d0 = (($b0 ^ $c0) - 1) >> 15;
+        $d1 = (($b1 ^ $c1) - 1) >> 15;
+        return ($d0 & $d1) & 1;
     }
 
     /**