Move mbedtls_mpi_safe_cond_swap function to the constant-time module

Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2025-02-24 18:46:56 +00:00 · 2021-09-27 15:37:50 +02:00 · 2021-09-27 15:37:50 +02:00 · 58fc8a65ab
parent b8caeeed5c
commit 58fc8a65ab
2 changed files with 53 additions and 53 deletions
--- a/library/bignum.c
+++ b/library/bignum.c
@ -269,59 +269,6 @@ void mbedtls_mpi_swap( mbedtls_mpi *X, mbedtls_mpi *Y )
    memcpy(  Y, &T, sizeof( mbedtls_mpi ) );
 }
 /*
 * Conditionally swap X and Y, without leaking information
 * about whether the swap was made or not.
 * Here it is not ok to simply swap the pointers, which whould lead to
 * different memory access patterns when X and Y are used afterwards.
 */
 int mbedtls_mpi_safe_cond_swap( mbedtls_mpi *X, mbedtls_mpi *Y, unsigned char swap )
 {
    int ret, s;
    size_t i;
    mbedtls_mpi_uint limb_mask;
    mbedtls_mpi_uint tmp;
    MPI_VALIDATE_RET( X != NULL );
    MPI_VALIDATE_RET( Y != NULL );
    if( X == Y )
        return( 0 );
    /* MSVC has a warning about unary minus on unsigned integer types,
     * but this is well-defined and precisely what we want to do here. */
 #if defined(_MSC_VER)
 #pragma warning( push )
 #pragma warning( disable : 4146 )
 #endif
    /* make sure swap is 0 or 1 in a time-constant manner */
    swap = (swap | (unsigned char)-swap) >> (sizeof( swap ) * 8 - 1);
    /* all-bits 1 if swap is 1, all-bits 0 if swap is 0 */
    limb_mask = -swap;
 #if defined(_MSC_VER)
 #pragma warning( pop )
 #endif
    MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, Y->n ) );
    MBEDTLS_MPI_CHK( mbedtls_mpi_grow( Y, X->n ) );
    s = X->s;
    X->s = mbedtls_cf_cond_select_sign( X->s, Y->s, swap );
    Y->s = mbedtls_cf_cond_select_sign( Y->s, s, swap );
    for( i = 0; i < X->n; i++ )
    {
        tmp = X->p[i];
        X->p[i] = ( X->p[i] & ~limb_mask ) | ( Y->p[i] & limb_mask );
        Y->p[i] = ( Y->p[i] & ~limb_mask ) | (     tmp & limb_mask );
    }
 cleanup:
    return( ret );
 }
 /*
 * Set value from integer
 */
--- a/library/constant_time.c
+++ b/library/constant_time.c
@ -584,4 +584,57 @@ cleanup:
    return( ret );
 }
 /*
 * Conditionally swap X and Y, without leaking information
 * about whether the swap was made or not.
 * Here it is not ok to simply swap the pointers, which whould lead to
 * different memory access patterns when X and Y are used afterwards.
 */
 int mbedtls_mpi_safe_cond_swap( mbedtls_mpi *X, mbedtls_mpi *Y, unsigned char swap )
 {
    int ret, s;
    size_t i;
    mbedtls_mpi_uint limb_mask;
    mbedtls_mpi_uint tmp;
    MPI_VALIDATE_RET( X != NULL );
    MPI_VALIDATE_RET( Y != NULL );
    if( X == Y )
        return( 0 );
    /* MSVC has a warning about unary minus on unsigned integer types,
     * but this is well-defined and precisely what we want to do here. */
 #if defined(_MSC_VER)
 #pragma warning( push )
 #pragma warning( disable : 4146 )
 #endif
    /* make sure swap is 0 or 1 in a time-constant manner */
    swap = (swap | (unsigned char)-swap) >> (sizeof( swap ) * 8 - 1);
    /* all-bits 1 if swap is 1, all-bits 0 if swap is 0 */
    limb_mask = -swap;
 #if defined(_MSC_VER)
 #pragma warning( pop )
 #endif
    MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, Y->n ) );
    MBEDTLS_MPI_CHK( mbedtls_mpi_grow( Y, X->n ) );
    s = X->s;
    X->s = mbedtls_cf_cond_select_sign( X->s, Y->s, swap );
    Y->s = mbedtls_cf_cond_select_sign( Y->s, s, swap );
    for( i = 0; i < X->n; i++ )
    {
        tmp = X->p[i];
        X->p[i] = ( X->p[i] & ~limb_mask ) | ( Y->p[i] & limb_mask );
        Y->p[i] = ( Y->p[i] & ~limb_mask ) | (     tmp & limb_mask );
    }
 cleanup:
    return( ret );
 }
 #endif /* MBEDTLS_BIGNUM_C */