Don't use multiplication by condition in even a semi-constant time function
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
diff --git a/library/bignum_core.c b/library/bignum_core.c
index 2e18389..1ca69dc 100644
--- a/library/bignum_core.c
+++ b/library/bignum_core.c
@@ -300,9 +300,23 @@
{
mbedtls_mpi_uint c = 0;
+ /* MSVC has a warning about unary minus on unsigned integer types,
+ * but this is well-defined and precisely what we want to do here. */
+#if defined(_MSC_VER)
+#pragma warning( push )
+#pragma warning( disable : 4146 )
+#endif
+
+ /* all-bits 1 if cond is 1, all-bits 0 if cond is 0 */
+ const mbedtls_mpi_uint mask = -(mbedtls_mpi_uint)cond;
+
+#if defined(_MSC_VER)
+#pragma warning( pop )
+#endif
+
for( size_t i = 0; i < limbs; i++ )
{
- mbedtls_mpi_uint add = cond * B[i];
+ mbedtls_mpi_uint add = mask & B[i];
mbedtls_mpi_uint t = c + A[i];
c = ( t < A[i] );
t += add;
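Review bot: The added `mask` definition is all-ones only when `cond` is exactly 1; any other non-zero value yields a partial mask, so `mask & B[i]` would add a bit-clipped operand and return a wrong sum without any error. The function signature and its documentation are outside the hunk, so it is not visible whether the 0-or-1 contract is stated for callers. If it is not, the comment above `mask` should carry it, e.g. `/* cond must be 0 or 1: all-bits 1 if cond is 1, all-bits 0 if cond is 0 */`. If the library already has a constant-time helper that turns any non-zero value into a full mask, calling it here would enforce the contract and would probably make the local MSVC pragma block unnecessary.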