commit 74e18ebf7784746358255c51916699be9004d9c1
author Dave Rodgman <dave.rodgman@arm.com> Wed May 17 12:21:32 2023 +0100
committer Dave Rodgman <dave.rodgman@arm.com> Fri May 26 12:42:48 2023 +0100
tree d0a2f7b6af6a1779e62934812cb3ed2aa00707ca
parent 40a41d046183b2e8361f147d4963e5468a38d791

Improve const-timeness of mbedtls_ct_bool_lt

Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>

library/constant_time_impl.h

diff --git a/library/constant_time_impl.h b/library/constant_time_impl.h
index 218a4a6..f4ad115 100644
--- a/library/constant_time_impl.h
+++ b/library/constant_time_impl.h
@@ -123,12 +123,13 @@
     /* Ensure that the compiler cannot optimise the following operations over x and y,
      * even if it knows the value of x and y.
      */
+    const mbedtls_ct_uint_t xo = mbedtls_ct_compiler_opaque(x);
     const mbedtls_ct_uint_t yo = mbedtls_ct_compiler_opaque(y);
     /*
      * Check if the most significant bits (MSB) of the operands are different.
      * cond is true iff the MSBs differ.
      */
-    mbedtls_ct_condition_t cond = mbedtls_ct_bool((x ^ yo) >> (MBEDTLS_CT_SIZE - 1));
+    mbedtls_ct_condition_t cond = mbedtls_ct_bool((xo ^ yo) >> (MBEDTLS_CT_SIZE - 1));
 
     /*
      * If the MSB are the same then the difference x-y will be negative (and
@@ -140,7 +141,7 @@
      */
 
     // Select either y, or x - y
-    mbedtls_ct_uint_t ret = mbedtls_ct_if(cond, yo, (mbedtls_ct_uint_t) (x - yo));
+    mbedtls_ct_uint_t ret = mbedtls_ct_if(cond, yo, (mbedtls_ct_uint_t) (xo - yo));
 
     // Extract only the MSB of ret
     ret = ret >> (MBEDTLS_CT_SIZE - 1);