Commit 900fd8f3 authored by Billy Brumley's avatar Billy Brumley Committed by Nicola Tuveri
Browse files

Clean up BN_consttime_swap. 

Updated "condition" logic lifted from Theo Buehler's LibreSSL commit https://github.com/libressl-portable/openbsd/commit/517358603b4be76d48a50007a0d414c2072697dd



Reviewed-by: default avatarMatt Caswell <matt@openssl.org>
Reviewed-by: default avatarNicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/7619)
parent 0777de15

crypto/bn/bn_lib.c

+17 −44
Original line number Diff line number Diff line
@@ -737,26 +737,25 @@ int bn_cmp_part_words(const BN_ULONG *a, const BN_ULONG *b, int cl, int dl) 
    return bn_cmp_words(a, b, cl);

}



/*

/*-

 * Constant-time conditional swap of a and b.

 * a and b are swapped if condition is not 0.  The code assumes that at most one bit of condition is set.

 * nwords is the number of words to swap.  The code assumes that at least nwords are allocated in both a and b,

 * and that no more than nwords are used by either a or b.

 * a and b cannot be the same number

 * a and b are swapped if condition is not 0.

 * nwords is the number of words to swap.

 * Assumes that at least nwords are allocated in both a and b.

 * Assumes that no more than nwords are used by either a or b.

 */

void BN_consttime_swap(BN_ULONG condition, BIGNUM *a, BIGNUM *b, int nwords)

{

    BN_ULONG t;

    int i;



    if (a == b)

        return;



    bn_wcheck_size(a, nwords);

    bn_wcheck_size(b, nwords);



    assert(a != b);

    assert((condition & (condition - 1)) == 0);

    assert(sizeof(BN_ULONG) >= sizeof(int));



    condition = ((condition - 1) >> (BN_BITS2 - 1)) - 1;

    condition = ((~condition & ((condition - 1))) >> (BN_BITS2 - 1)) - 1;



    t = (a->top ^ b->top) & condition;

    a->top ^= t;
@@ -794,41 +793,15 @@ void BN_consttime_swap(BN_ULONG condition, BIGNUM *a, BIGNUM *b, int nwords) 
    a->flags ^= t;

    b->flags ^= t;



#define BN_CONSTTIME_SWAP(ind) \

        do { \

                t = (a->d[ind] ^ b->d[ind]) & condition; \

                a->d[ind] ^= t; \

                b->d[ind] ^= t; \

        } while (0)



    switch (nwords) {

    default:

        for (i = 10; i < nwords; i++)

            BN_CONSTTIME_SWAP(i);

        /* Fallthrough */

    case 10:

        BN_CONSTTIME_SWAP(9);   /* Fallthrough */

    case 9:

        BN_CONSTTIME_SWAP(8);   /* Fallthrough */

    case 8:

        BN_CONSTTIME_SWAP(7);   /* Fallthrough */

    case 7:

        BN_CONSTTIME_SWAP(6);   /* Fallthrough */

    case 6:

        BN_CONSTTIME_SWAP(5);   /* Fallthrough */

    case 5:

        BN_CONSTTIME_SWAP(4);   /* Fallthrough */

    case 4:

        BN_CONSTTIME_SWAP(3);   /* Fallthrough */

    case 3:

        BN_CONSTTIME_SWAP(2);   /* Fallthrough */

    case 2:

        BN_CONSTTIME_SWAP(1);   /* Fallthrough */

    case 1:

        BN_CONSTTIME_SWAP(0);

    }

#undef BN_CONSTTIME_SWAP

    /* conditionally swap the data */

    for (i = 0; i < nwords; i++) {

        t = (a->d[i] ^ b->d[i]) & condition;

        a->d[i] ^= t;

        b->d[i] ^= t;

    }

}



#undef BN_CONSTTIME_SWAP_FLAGS



/* Bits of security, see SP800-57 */