cmac: make subkey gen more constant-time

The previous version had secret-dependent memory accesses. While it was probably not an issue in practice cause the two bytes of the array are probably on the same cache line anyway, as a matter of principle this should be avoided.
2024-11-23 02:25:39 +01:00 · 2016-01-13 13:05:03 +00:00 · 2016-01-13 13:05:03 +00:00 · 89b8d83723
commit 89b8d83723
parent 28ea791521
1 changed files with 16 additions and 2 deletions
--- a/library/cmac.c
+++ b/library/cmac.c
@ -93,7 +93,8 @@ void mbedtls_cmac_init( mbedtls_cmac_context *ctx )
 */
 static void multiply_by_u( unsigned char *output, const unsigned char *input )
 {
-    static const unsigned char Rb[2] = { 0x00, 0x87 }; /* block size 16 only */
+    const unsigned char Rb = 0x87; /* block size 16 only */
+    unsigned char mask;
    unsigned char overflow = 0;
    int i;

@ -103,7 +104,20 @@ static void multiply_by_u( unsigned char *output, const unsigned char *input )
        overflow = input[i] >> 7;
    }

-    output[15] ^= Rb[input[0] >> 7]; /* "Constant-time" operation */
+    /* mask = ( input[0] >> 7 ) ? 0xff : 0x00
+     * using bit operations to avoid branches */
+    /* MSVC has a warning about unary minus on unsigned, but this is
+     * well-defined and precisely what we want to do here */
+#if defined(_MSC_VER)
+#pragma warning( push )
+#pragma warning( disable : 4146 )
+#endif
+    mask = - ( input[0] >> 7 );
+#if defined(_MSC_VER)
+#pragma warning( pop )
+#endif
+
+    output[15] ^= Rb & mask;
 }

 /*