{
  "commit": "12d9ed670da3edd64ce8175cfe0e091982989c18",
  "tree": "57bb48f000fd501a044e7f92484287fc5a517747",
  "parents": [
    "cef9d3f38d72f13412c79157c25753e22cb05f7e"
  ],
  "author": {
    "name": "David Benjamin",
    "email": "davidben@google.com",
    "time": "Fri Jun 14 17:06:52 2019 -0400"
  },
  "committer": {
    "name": "Adam Langley",
    "email": "agl@google.com",
    "time": "Wed Jun 19 17:19:04 2019 +0000"
  },
  "message": "Avoid leaking intermediate states in point doubling special case.\n\nPoint addition formulas for short Weierstrass curves are often\nincomplete and do not work for P + P. EC implementations usually rely on\nconstant-time operations never hitting this case, or at least it being\nrare[0].\n\nHowever, the condition checks several values. Our C functions use \u0026\u0026 and\n||, and the P-256 assembly also branches. This can leak intermediate\nvalues via a small side channel. Thanks to David Schrammel and Samuel\nWeiser for reporting this.\n\nnistz256 base point multiplication (keygen, ECDSA signing) is unaffected\ndue to ecp_nistz256_point_add_affine lacking a doubling case. nistp224\nand nistp256 base point multiplication, on some compilers, are saved by\nquirks of the \"mixed\" path. The generic code\u0027s base point multiplication\nand all methods\u0027 arbitrary point multiplication (ECDH; ephemeral keys\nmakes this less interesting) are affected.\n\nFix the branches in the nistz256 assembly, and use bit operations in C.\nNote the C versions are all different because P-224 believes true is 1,\nP-256 believes true is any non-zero value, and the generic code believes\ntrue is 0xf...f. This should be double-checked when reviewing.\n\nAside: The nistz256 assembly also special-cases nontrivial P + (-P) in\narbitrary point multiplication. Fortunately, the formulas in util.c hold\nthere and I believe one can show P + (-P) is unreachable for all curves.\nStill, it would be nice to omit the branch if we can verify the assembly\nworks anyway.\n\n[0] https://github.com/openssl/openssl/blob/03da376ff7504c63a1d00d57cf41bd7b7e93ff65/crypto/ec/ecp_nistp521.c#L1259\n\nChange-Id: I8958624cd6b5272e5076c6c1605ab089e85f4cb7\nReviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/36465\nReviewed-by: Adam Langley \u003cagl@google.com\u003e\nCommit-Queue: Adam Langley \u003cagl@google.com\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "6a021dbcfea8dc5d63c7fb3e7d309ddf1c5b8d64",
      "old_mode": 33261,
      "old_path": "crypto/fipsmodule/ec/asm/p256-x86_64-asm.pl",
      "new_id": "994cb82d53c816308ba0146488bd420cae02f19f",
      "new_mode": 33261,
      "new_path": "crypto/fipsmodule/ec/asm/p256-x86_64-asm.pl"
    },
    {
      "type": "modify",
      "old_id": "6fb32c477f5d35a8e71d788403e269f8bb559490",
      "old_mode": 33188,
      "old_path": "crypto/fipsmodule/ec/ec_montgomery.c",
      "new_id": "0cf1d910d15d06290d19576330368d7074ee8b42",
      "new_mode": 33188,
      "new_path": "crypto/fipsmodule/ec/ec_montgomery.c"
    },
    {
      "type": "modify",
      "old_id": "cc88f15f68355e7a08e11c0eb49f1247698dc192",
      "old_mode": 33188,
      "old_path": "crypto/fipsmodule/ec/p224-64.c",
      "new_id": "f8af39bef8f23f6e9d105a8ecc564cccb3df27eb",
      "new_mode": 33188,
      "new_path": "crypto/fipsmodule/ec/p224-64.c"
    },
    {
      "type": "modify",
      "old_id": "8426beb3c0a0e3d6b10359dff1220f3666c99e41",
      "old_mode": 33188,
      "old_path": "third_party/fiat/p256.c",
      "new_id": "23ec71f98cd75184b113cbcd7aea0e2f7cd9ed9a",
      "new_mode": 33188,
      "new_path": "third_party/fiat/p256.c"
    }
  ]
}
