Merge pull request #268 from archanaravindar/vartime1.21

backport of fix for variable time crypto/internal/nistec/p256NegCond on ppc64le

Author: archanaravindar

patches/012-var-time-p256NegCond-fix.patch

@@ -0,0 +1,62 @@
+From 4110ddf37e41f255325863871dff657bd86bcdfd Mon Sep 17 00:00:00 2001
+From: Archana Ravindar <[email protected]>
+Date: Tue, 18 Feb 2025 13:46:23 +0530
+Subject: [PATCH 1/1] var time p256NegCond fix
+
+---
+ src/crypto/internal/nistec/p256_asm_ppc64le.s | 20 ++++++++++++++++---
+ 1 file changed, 17 insertions(+), 3 deletions(-)
+
+diff --git a/src/crypto/internal/nistec/p256_asm_ppc64le.s b/src/crypto/internal/nistec/p256_asm_ppc64le.s
+index 6b787609b9..ba1b6cd715 100644
+--- a/src/crypto/internal/nistec/p256_asm_ppc64le.s
++++ b/src/crypto/internal/nistec/p256_asm_ppc64le.s
+@@ -124,14 +124,23 @@ GLOBL p256mul<>(SB), 8, $160
+ #define PH    V31
+ 
+ #define CAR1  V6
++#define SEL V8
++#define ZER V9
++
++
+ // func p256NegCond(val *p256Point, cond int)
+ TEXT ·p256NegCond(SB), NOSPLIT, $0-16
+ 	MOVD val+0(FP), P1ptr
+ 	MOVD $16, R16
+ 
+-	MOVD cond+8(FP), R6
+-	CMP  $0, R6
+-	BC   12, 2, LR      // just return if cond == 0
++	// Copy cond into SEL (cond is R1 + 8 (cond offset) + 32)
++	MOVD $40, R17
++	LXVDSX (R1)(R17), SEL
++	// Zeroize ZER
++	VSPLTISB $0, ZER
++	// SEL controls whether to return the original value (Y1H/Y1L)
++	// or the negated value (T1H/T1L).
++	VCMPEQUD SEL, ZER, SEL
+ 
+ 	MOVD $p256mul<>+0x00(SB), CPOOL
+ 
+@@ -148,6 +157,9 @@ TEXT ·p256NegCond(SB), NOSPLIT, $0-16
+ 	VSUBUQM  PL, Y1L, T1L       // subtract part2 giving result
+ 	VSUBEUQM PH, Y1H, CAR1, T1H // subtract part1 using carry from part2
+ 
++	VSEL T1H, Y1H, SEL, T1H
++	VSEL T1L, Y1L, SEL, T1L
++
+ 	XXPERMDI T1H, T1H, $2, T1H
+ 	XXPERMDI T1L, T1L, $2, T1L
+ 
+@@ -164,6 +176,8 @@ TEXT ·p256NegCond(SB), NOSPLIT, $0-16
+ #undef PL
+ #undef PH
+ #undef CAR1
++#undef SEL
++#undef ZER
+ 
+ #define P3ptr   R3
+ #define P1ptr   R4
+-- 
+2.47.1
+