commit 645896e0ea881c5b16d0383b97086d6ce0c0e68c
author Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com> Thu Dec 05 15:30:09 2019 +0100
committer Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com> Thu Dec 05 16:02:17 2019 +0100
tree ece224cb12ae71c08a690d1c5fe66f848b8305ae
parent 83d7881cec8e8d7a238a1dd9c58463b3218f1c79

Fix undefined order of volatile access

Found by the IAR compiler.

While at it, make 'diff' non-volatile in uECC_check_curve_integrity(), as
there is no good reason to make it volatile, and making it volatile only
increases the code size and the burden of defining access ordering.

tinycrypt/ecc.c

diff --git a/tinycrypt/ecc.c b/tinycrypt/ecc.c
index d54019f..086555a 100644
--- a/tinycrypt/ecc.c
+++ b/tinycrypt/ecc.c
@@ -153,15 +153,20 @@
 		0x76, 0x0a, 0xe2, 0xbc, 0xce, 0x2a, 0xa2, 0xc6,
 		0x38, 0xf2, 0x19, 0x1d, 0x76, 0x72, 0x93, 0x49,
 	};
-	volatile unsigned char diff = 0;
+	unsigned char diff = 0;
+	unsigned char tmp1, tmp2;
 	volatile unsigned i;
 
 	if (uECC_compute_param_sha256(computed) != UECC_SUCCESS) {
 		return UECC_FAILURE;
 	}
 
-	for (i = 0; i < 32; i++)
-		diff |= computed[i] ^ reference[i];
+	for (i = 0; i < 32; i++) {
+		/* make sure the order of volatile accesses is well-defined */
+		tmp1 = computed[i];
+		tmp2 = reference[i];
+		diff |= tmp1 ^ tmp2;
+	}
 
 	/* i should be 32 */
 	mbedtls_platform_enforce_volatile_reads();
@@ -282,10 +287,13 @@
 {
 
 	uECC_word_t diff = 0;
+	uECC_word_t tmp1, tmp2;
 	volatile int i;
 
 	for (i = NUM_ECC_WORDS - 1; i >= 0; --i) {
-		diff |= (left[i] ^ right[i]);
+		tmp1 = left[i];
+		tmp2 = right[i];
+		diff |= (tmp1 ^ tmp2);
 	}
 
 	/* i should be -1 now */