From b8ee5c07c2e6a64f104b542218fccc3c0751ae3b Mon Sep 17 00:00:00 2001
From: Torben Hansen <50673096+torben-hansen@users.noreply.github.com>
Date: Tue, 31 Oct 2023 19:07:06 -0700
Subject: [PATCH] Document that x25519 function does not implement zero-check

s2n-bignum original commit: https://github.com/awslabs/s2n-bignum/commit/8d4c2e4156958ee04e3388548250377544685c9a
---
 arm/curve25519/curve25519_x25519.S | 3 ++-
 arm/curve25519/curve25519_x25519_alt.S | 3 ++-
 arm/curve25519/curve25519_x25519_byte.S | 3 ++-
 arm/curve25519/curve25519_x25519_byte_alt.S | 3 ++-
 x86_att/curve25519/curve25519_x25519.S | 3 ++-
 x86_att/curve25519/curve25519_x25519_alt.S | 3 ++-
 6 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/arm/curve25519/curve25519_x25519.S b/arm/curve25519/curve25519_x25519.S
index d66884d5d4..0b7ec7a111 100644
--- a/arm/curve25519/curve25519_x25519.S
+++ b/arm/curve25519/curve25519_x25519.S
@@ -13,7 +13,8 @@
 // this returns the X coordinate of n * P = (X, Y), or 0 when n * P is the
 // point at infinity. Both n and X inputs are first slightly modified/mangled
 // as specified in the relevant RFC (https://www.rfc-editor.org/rfc/rfc7748);
-// in particular the lower three bits of n are set to zero.
+// in particular the lower three bits of n are set to zero. Does not implement
+// the zero-check specified in Section 6.1.
 //
 // Standard ARM ABI: X0 = res, X1 = scalar, X2 = point
 // ----------------------------------------------------------------------------
diff --git a/arm/curve25519/curve25519_x25519_alt.S b/arm/curve25519/curve25519_x25519_alt.S
index 4e9b91b48e..3a521a602f 100644
--- a/arm/curve25519/curve25519_x25519_alt.S
+++ b/arm/curve25519/curve25519_x25519_alt.S
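Review bot: The two added comment lines say the zero-check is omitted but not what a caller must do about it, and "Section 6.1" is named without the RFC it belongs to. The preceding context line already states that this routine returns 0 when n * P is the point at infinity, and that all-zero output is exactly what RFC 7748 Section 6.1 asks the caller to detect and abort on, so the caller's obligation should be spelled out where the omission is declared. I would extend the new text to `// the zero-check specified in RFC 7748 Section 6.1; callers that require it` / `// must test the returned X for all-zero and abort on a match.` The header comment this hunk edits begins before line 13, outside the hunk. The same wording applies to the other five hunks in this patch, which add the identical sentence to the _alt, _byte, _byte_alt and x86_att variants.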
@@ -13,7 +13,8 @@
 // this returns the X coordinate of n * P = (X, Y), or 0 when n * P is the
 // point at infinity. Both n and X inputs are first slightly modified/mangled
 // as specified in the relevant RFC (https://www.rfc-editor.org/rfc/rfc7748);
-// in particular the lower three bits of n are set to zero.
+// in particular the lower three bits of n are set to zero. Does not implement
+// the zero-check specified in Section 6.1.
 //
 // Standard ARM ABI: X0 = res, X1 = scalar, X2 = point
 // ----------------------------------------------------------------------------
diff --git a/arm/curve25519/curve25519_x25519_byte.S b/arm/curve25519/curve25519_x25519_byte.S
index d64eb73ed2..6162a38082 100644
--- a/arm/curve25519/curve25519_x25519_byte.S
+++ b/arm/curve25519/curve25519_x25519_byte.S
@@ -13,7 +13,8 @@
 // this returns the X coordinate of n * P = (X, Y), or 0 when n * P is the
 // point at infinity. Both n and X inputs are first slightly modified/mangled
 // as specified in the relevant RFC (https://www.rfc-editor.org/rfc/rfc7748);
-// in particular the lower three bits of n are set to zero.
+// in particular the lower three bits of n are set to zero. Does not implement
+// the zero-check specified in Section 6.1.
 //
 // Standard ARM ABI: X0 = res, X1 = scalar, X2 = point
 // ----------------------------------------------------------------------------
diff --git a/arm/curve25519/curve25519_x25519_byte_alt.S b/arm/curve25519/curve25519_x25519_byte_alt.S
index 7f79cfd803..f59e611467 100644
--- a/arm/curve25519/curve25519_x25519_byte_alt.S
+++ b/arm/curve25519/curve25519_x25519_byte_alt.S
@@ -13,7 +13,8 @@
 // this returns the X coordinate of n * P = (X, Y), or 0 when n * P is the
 // point at infinity. Both n and X inputs are first slightly modified/mangled
 // as specified in the relevant RFC (https://www.rfc-editor.org/rfc/rfc7748);
-// in particular the lower three bits of n are set to zero.
+// in particular the lower three bits of n are set to zero. Does not implement
+// the zero-check specified in Section 6.1.
 //
 // Standard ARM ABI: X0 = res, X1 = scalar, X2 = point
 // ----------------------------------------------------------------------------
diff --git a/x86_att/curve25519/curve25519_x25519.S b/x86_att/curve25519/curve25519_x25519.S
index 2a97ee9407..9914fdd01c 100644
--- a/x86_att/curve25519/curve25519_x25519.S
+++ b/x86_att/curve25519/curve25519_x25519.S
@@ -20,7 +20,8 @@
 // this returns the X coordinate of n * P = (X, Y), or 0 when n * P is the
 // point at infinity. Both n and X inputs are first slightly modified/mangled
 // as specified in the relevant RFC (https://www.rfc-editor.org/rfc/rfc7748);
-// in particular the lower three bits of n are set to zero.
+// in particular the lower three bits of n are set to zero. Does not implement
+// the zero-check specified in Section 6.1.
 //
 // Standard x86-64 ABI: RDI = res, RSI = scalar, RDX = point
 // Microsoft x64 ABI: RCX = res, RDX = scalar, R8 = point
diff --git a/x86_att/curve25519/curve25519_x25519_alt.S b/x86_att/curve25519/curve25519_x25519_alt.S
index 241c4505af..ca92a9206a 100644
--- a/x86_att/curve25519/curve25519_x25519_alt.S
+++ b/x86_att/curve25519/curve25519_x25519_alt.S
@@ -20,7 +20,8 @@
 // this returns the X coordinate of n * P = (X, Y), or 0 when n * P is the
 // point at infinity. Both n and X inputs are first slightly modified/mangled
 // as specified in the relevant RFC (https://www.rfc-editor.org/rfc/rfc7748);
-// in particular the lower three bits of n are set to zero.
+// in particular the lower three bits of n are set to zero. Does not implement
+// the zero-check specified in Section 6.1.
 //
 // Standard x86-64 ABI: RDI = res, RSI = scalar, RDX = point
 // Microsoft x64 ABI: RCX = res, RDX = scalar, R8 = point