Commit 475f06f6 authored by Manuel Pégourié-Gonnard, committed by Simon Butcher

cmac: make subkey gen more constant-time

The previous version had secret-dependent memory accesses. While it was
probably not an issue in practice because the two bytes of the array are
probably on the same cache line anyway, as a matter of principle this should
be avoided.
parent d6cf7547
......@@ -93,7 +93,8 @@ void mbedtls_cmac_init( mbedtls_cmac_context *ctx )
*/
static void multiply_by_u( unsigned char *output, const unsigned char *input )
{
static const unsigned char Rb[2] = { 0x00, 0x87 }; /* block size 16 only */
const unsigned char Rb = 0x87; /* block size 16 only */
unsigned char mask;
unsigned char overflow = 0;
int i;
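Review bot: the function's header comment (closing at the `*/` at the top of this hunk) should now state the contract this change establishes: that `multiply_by_u` performs no secret-dependent memory access or branch, and that it only supports a 16-byte block (the `/* block size 16 only */` note on `Rb` is the only place this restriction is recorded). Turning the two-element `Rb[2]` table into the scalar `const unsigned char Rb = 0x87;` is what removes the lookup indexed by the secret top bit, so documenting it at the function level makes the invariant visible to future callers and reviewers.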
......@@ -103,7 +104,20 @@ static void multiply_by_u( unsigned char *output, const unsigned char *input )
overflow = input[i] >> 7;
}
output[15] ^= Rb[input[0] >> 7]; /* "Constant-time" operation */
/* mask = ( input[0] >> 7 ) ? 0xff : 0x00
* using bit operations to avoid branches */
/* MSVC has a warning about unary minus on unsigned, but this is
* well-defined and precisely what we want to do here */
#if defined(_MSC_VER)
#pragma warning( push )
#pragma warning( disable : 4146 )
#endif
mask = - ( input[0] >> 7 );
#if defined(_MSC_VER)
#pragma warning( pop )
#endif
output[15] ^= Rb & mask;
}
/*
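Review bot: the comment above the `#pragma` block is imprecise: `input[0]` is an `unsigned char`, so `input[0] >> 7` is promoted to `int` before the unary minus is applied, and the negation yields 0 or -1 as a signed value; it is the assignment to `unsigned char mask` that reduces -1 to 0xff, and that conversion is what makes the result well-defined. Suggest rewording to say so, and confirming whether C4146 actually fires on this expression given the promotion; if the pragma is kept, an explicit form such as `mask = (unsigned char) -( input[0] >> 7 );` documents the intended truncation and the `output[15] ^= Rb & mask;` line then reads as the branch-free select it is meant to be.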