Merge branch 'main-f' into interim-crate

curve25519-dalek-derive/Cargo.toml

@@ -6,7 +6,7 @@ edition = "2021"
 repository = "https://github.com/dalek-cryptography/curve25519-dalek"
 homepage = "https://github.com/dalek-cryptography/curve25519-dalek"
 documentation = "https://docs.rs/curve25519-dalek-derive"
-license = "MIT/Apache-2.0"
+license = "MIT OR Apache-2.0"
 readme = "README.md"
 description = "curve25519-dalek Derives"
 

curve25519-dalek-derive/tests/tests.rs

@@ -23,10 +23,6 @@ where
     a - b
 }
 
-#[unsafe_target_feature("sse2")]
-#[cfg(feature = "dummy")]
-fn function_with_cfg() {}
-
 #[unsafe_target_feature("sse2")]
 #[rustfmt::skip]
 fn function_with_rustfmt_skip() {}
@@ -45,9 +41,6 @@ impl Struct {
     fn member_function_with_const_arg<const N: u32>(self) -> u32 {
         self.a - N
     }
-
-    #[cfg(feature = "dummy")]
-    fn member_function_with_cfg() {}
 }
 
 struct StructWithGenerics<T>
@@ -93,7 +86,7 @@ mod inner {
     }
 }
 
-#[unsafe_target_feature_specialize("sse2", "avx2", conditional("avx512ifma", disabled))]
+#[unsafe_target_feature_specialize("sse2", "avx2")]
 mod inner_spec {
     #[for_target_feature("sse2")]
     const CONST: u32 = 1;

curve25519-dalek/CHANGELOG.md

@@ -5,6 +5,11 @@ major series.
 
 ## 4.x series
 
+### 4.1.3
+
+* Security: Fix timing leak in Scalar subtraction on u32, u64, fiat_u32, and fiat_u64 backends
+* Fix assorted new warnings and lints from rustc and clippy
+
 ### 4.1.2
 
 * Fix nightly SIMD build

curve25519-dalek/Cargo.toml

@@ -4,7 +4,7 @@ name = "curve25519-dalek"
 # - update CHANGELOG
 # - update README if required by semver
 # - if README was updated, also update module documentation in src/lib.rs
-version = "4.1.2"
+version = "4.1.3"
 edition = "2021"
 rust-version = "1.60.0"
 authors = ["Isis Lovecruft <[email protected]>",
@@ -51,7 +51,7 @@ ff = { version = "0.13", default-features = false, optional = true }
 group = { version = "0.13", default-features = false, optional = true }
 rand_core = { version = "0.6.4", default-features = false, optional = true }
 digest = { version = "0.10", default-features = false, optional = true }
-subtle = { version = "2.3.0", default-features = false }
+subtle = { version = "2.6.0", default-features = false }
 serde = { version = "1.0", default-features = false, optional = true, features = ["derive"] }
 zeroize = { version = "1", default-features = false, optional = true }
 

curve25519-dalek/src/backend/serial/u32/scalar.rs

@@ -12,6 +12,7 @@
 
 use core::fmt::Debug;
 use core::ops::{Index, IndexMut};
+use subtle::BlackBox;
 
 #[cfg(feature = "zeroize")]
 use zeroize::Zeroize;
@@ -186,21 +187,23 @@ impl Scalar29 {
     /// Compute `a - b` (mod l).
     pub fn sub(a: &Scalar29, b: &Scalar29) -> Scalar29 {
         let mut difference = Scalar29::ZERO;
-        let mask = (1u32 << 29) - 1;
+        let mask = BlackBox::new((1u32 << 29) - 1);
 
         // a - b
         let mut borrow: u32 = 0;
         for i in 0..9 {
             borrow = a[i].wrapping_sub(b[i] + (borrow >> 31));
-            difference[i] = borrow & mask;
+            difference[i] = borrow & mask.get();
         }
 
         // conditionally add l if the difference is negative
-        let underflow_mask = ((borrow >> 31) ^ 1).wrapping_sub(1);
+        let underflow_mask = BlackBox::new(((borrow >> 31) ^ 1).wrapping_sub(1));
         let mut carry: u32 = 0;
         for i in 0..9 {
-            carry = (carry >> 29) + difference[i] + (constants::L[i] & underflow_mask);
-            difference[i] = carry & mask;
+            // SECURITY: `BlackBox` prevents LLVM from inserting a `jns` conditional on x86(_64)
+            // which can be used to bypass this section when `underflow_mask` is zero.
+            carry = (carry >> 29) + difference[i] + (constants::L[i] & underflow_mask.get());
+            difference[i] = carry & mask.get();
         }
 
         difference

curve25519-dalek/src/backend/serial/u64/scalar.rs

@@ -13,6 +13,7 @@
 
 use core::fmt::Debug;
 use core::ops::{Index, IndexMut};
+use subtle::BlackBox;
 
 #[cfg(feature = "zeroize")]
 use zeroize::Zeroize;
@@ -175,21 +176,23 @@ impl Scalar52 {
     /// Compute `a - b` (mod l)
     pub fn sub(a: &Scalar52, b: &Scalar52) -> Scalar52 {
         let mut difference = Scalar52::ZERO;
-        let mask = (1u64 << 52) - 1;
+        let mask = BlackBox::new((1u64 << 52) - 1);
 
         // a - b
         let mut borrow: u64 = 0;
         for i in 0..5 {
             borrow = a[i].wrapping_sub(b[i] + (borrow >> 63));
-            difference[i] = borrow & mask;
+            difference[i] = borrow & mask.get();
         }
 
         // conditionally add l if the difference is negative
-        let underflow_mask = ((borrow >> 63) ^ 1).wrapping_sub(1);
+        let underflow_mask = BlackBox::new(((borrow >> 63) ^ 1).wrapping_sub(1));
         let mut carry: u64 = 0;
         for i in 0..5 {
-            carry = (carry >> 52) + difference[i] + (constants::L[i] & underflow_mask);
-            difference[i] = carry & mask;
+            // SECURITY: `BlackBox` prevents LLVM from inserting a `jns` conditional on x86(_64)
+            // which can be used to bypass this section when `underflow_mask` is zero.
+            carry = (carry >> 52) + difference[i] + (constants::L[i] & underflow_mask.get());
+            difference[i] = carry & mask.get();
         }
 
         difference

ed25519-dalek/src/signing.rs

@@ -131,7 +131,7 @@ impl SigningKey {
     /// # Returns
     ///
     /// A `Result` whose okay value is an EdDSA [`SigningKey`] or whose error value
-    /// is an `SignatureError` describing the error that occurred.
+    /// is a `SignatureError` describing the error that occurred.
     #[inline]
     pub fn from_keypair_bytes(bytes: &[u8; 64]) -> Result<SigningKey, SignatureError> {
         let (secret_key, verifying_key) = bytes.split_at(SECRET_KEY_LENGTH);

x25519-dalek/src/lib.rs

@@ -15,7 +15,6 @@
 // README.md as the crate documentation.
 
 #![no_std]
-#![cfg_attr(feature = "bench", feature(test))]
 #![cfg_attr(docsrs, feature(doc_auto_cfg, doc_cfg, doc_cfg_hide))]
 #![cfg_attr(docsrs, doc(cfg_hide(docsrs)))]
 #![deny(missing_docs)]