mbedtls_mpi_cmp_mpi_ct: remove multiplications
Multiplication is known to have measurable timing variations based on
the operands. For example it typically is much faster if one of the
operands is zero. Remove them from constant time code.
diff --git a/library/bignum.c b/library/bignum.c
index e023afc..c275b45 100644
--- a/library/bignum.c
+++ b/library/bignum.c
@@ -1098,6 +1098,11 @@
return ret;
}
+static int ct_bool_get_mask( unsigned int b )
+{
+ return ~( b - 1 );
+}
+
/*
* Compare signed values in constant time
*/
@@ -1129,7 +1134,7 @@
sign_X = X->s;
sign_Y = Y->s;
cond = ( ( sign_X ^ sign_Y ) >> ( sizeof( unsigned int ) * 8 - 1 ) );
- *ret = cond * X->s;
+ *ret = ct_bool_get_mask( cond ) & X->s;
done = cond;
for( i = X->n; i > 0; i-- )
@@ -1142,8 +1147,8 @@
* }
*/
cond = ct_lt_mpi_uint( Y->p[i - 1], X->p[i - 1] );
- *ret |= ( cond * ( 1 - done ) ) * X->s;
- done |= cond * ( 1 - done );
+ *ret |= ct_bool_get_mask( cond & ( 1 - done ) ) & X->s;
+ done |= cond & ( 1 - done );
/*
* if( ( X->p[i - 1] < Y->p[i - 1] ) && !done )
@@ -1153,9 +1158,8 @@
* }
*/
cond = ct_lt_mpi_uint( X->p[i - 1], Y->p[i - 1] );
- *ret |= ( cond * ( 1 - done ) ) * -X->s;
- done |= cond * ( 1 - done );
-
+ *ret |= ct_bool_get_mask( cond & ( 1 - done ) ) & -X->s;
+ done |= cond & ( 1 - done );
}
return( 0 );