From 475f06f60980a99fd9618827dfb91ad895158fef Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
Date: Wed, 13 Jan 2016 13:05:03 +0000
Subject: [PATCH] cmac: make subkey gen more constant-time

The previous version had secret-dependent memory accesses. While it was probably not an issue in practice cause the two bytes of the array are probably on the same cache line anyway, as a matter of principle this should be avoided.
---
 library/cmac.c | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/library/cmac.c b/library/cmac.c
index 87846a617..af0439a43 100644
--- a/library/cmac.c
+++ b/library/cmac.c
@@ -93,7 +93,8 @@ void mbedtls_cmac_init( mbedtls_cmac_context *ctx )
 */
 static void multiply_by_u( unsigned char *output, const unsigned char *input )
 {
- static const unsigned char Rb[2] = { 0x00, 0x87 }; /* block size 16 only */
+ const unsigned char Rb = 0x87; /* block size 16 only */
+ unsigned char mask;
 unsigned char overflow = 0;
 int i;
@@ -103,7 +104,20 @@ static void multiply_by_u( unsigned char *output, const unsigned char *input )
 overflow = input[i] >> 7;
 }
- output[15] ^= Rb[input[0] >> 7]; /* "Constant-time" operation */
+ /* mask = ( input[0] >> 7 ) ? 0xff : 0x00 * using bit operations to avoid branches */
+ /* MSVC has a warning about unary minus on unsigned, but this is * well-defined and precisely what we want to do here */
+#if defined(_MSC_VER)
+#pragma warning( push )
+#pragma warning( disable : 4146 )
+#endif
+ mask = - ( input[0] >> 7 );
+#if defined(_MSC_VER)
+#pragma warning( pop )
+#endif
+
+ output[15] ^= Rb & mask;
 }
 /*
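Review bot: The comment justifying `mask = - ( input[0] >> 7 );` in the second hunk describes the wrong step: `input[0]` is an `unsigned char`, so `input[0] >> 7` is promoted to `int` and the unary minus acts on a signed 0 or 1; the part that actually needs justifying is storing -1 into `unsigned char`, which the C standard defines to yield 0xff. I would reword it to `/* input[0] >> 7 is 0 or 1 (as int); negating it and converting to unsigned char yields 0x00 or 0xff, well-defined by the standard */`, and if MSVC does not in fact raise C4146 on this expression the pragma block can go, otherwise `mask = (unsigned char)( 0u - ( input[0] >> 7 ) );` states the intent without it. The source-level mask only removes the secret-dependent access if the compiler does not turn `Rb & mask` back into a conditional, so a one-line comment recording that assumption, e.g. `/* constant-time: relies on the compiler not converting the mask into a branch; re-check generated code on new toolchains */`, would tell maintainers what to verify. The loop that computes `overflow` lies between the two hunks and is not visible here.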