| Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
|---|---|---|---|---|---|---|
| 020240624~5b7082b.patch | use subtle::BlackBox optimization barrier Replaces the security mitigation added in #659 and #661 for masking-related timing variability which used an inline `black_box` using the recently added `subtle::BlackBox` newtype (see dalek-cryptography/subtle#123) . Internally `BlackBox` uses a volatile read by default (i.e. same strategy which was used before) or when the `core_hint_black_box` feature of `subtle` is enabled, it uses `core::hint::black_box` (whose documentation was recently updated to reflect the nuances of potential cryptographic use, see rust-lang/rust#126703) . This PR goes ahead and uses `BlackBox` for both `mask` and `underflow_mask` where previously it was only used on `underflow_mask`. The general pattern of bitwise masking inside a loop seems worrisome for the optimizer potentially inserting branches in the future. . Below are godbolt inspections of the generated assembly, which are free of the `jns` instructions originally spotted in #659/#661: . * 32-bit (read_volatile): https://godbolt.org/z/TKo9fqza4 * 32-bit (hint::black_box): https://godbolt.org/z/caoMxYbET * 64-bit (read_volatile): https://godbolt.org/z/PM6zKjj1f * 64-bit (hint::black_box): https://godbolt.org/z/nseaPvdWv |
Tony Arcieri <bascule@gmail.com> | yes | upstream | upstream, https://github.com/dalek-cryptography/curve25519-dalek/commit/5b7082b | 2024-07-30 |
| 020240717~921bd7c.patch | use subtle::Choice for constant-time fixes Alternative to #659/#661 and #662 which leverages `subtle::Choice` and `subtle::ConditionallySelectable` as the optimization barriers. . Really the previous masking was there to conditionally add the scalar field modulus on underflow, so instead of that, we can conditionally select zero or the modulus using a `Choice` constructed from the underflow bit. |
Tony Arcieri <bascule@gmail.com> | yes | upstream | upstream, https://github.com/dalek-cryptography/curve25519-dalek/commit/921bd7c | 2024-07-30 |
| 1001_toml.patch | accept newer branch of crate toml | Jonas Smedegaard <dr@jones.dk> | no | 2024-02-12 | ||
| 1002_fence_tests.patch | add feature fences for tests | Jonas Smedegaard <dr@jones.dk> | no | 2024-06-09 | ||
| 2001_merlin.patch | avoid crate merlin merlin hardcodes a compile_error!() on big-endian architectures. | Blair Noctis <ncts@debian.org> | not-needed | debian | 2024-10-04 | |
| 2002_large_tests.patch | include large test assets Some tests deliberately fail with an error message explaining that some large test assets are omitted from distribution. Include those assets with Debian "binary" packages, as that is easier than maintaining a patch that [#ignore]'s them, and during source package build testing with option `--all`. |
Jonas Smedegaard <dr@jones.dk> | not-needed | 2024-05-17 | ||
| 2003_no_bench.patch | avoid benches | Jonas Smedegaard <dr@jones.dk> | not-needed | 2024-06-08 |