ct/lc_ct_cmp: improve interface

Return 0xffffffff if arguments compare equal, 0 otherwise. Change all consumers accordingly.
2024-06-06 13:49:25 +00:00 · 2024-06-06 13:49:25 +00:00 · 52ab9ca179
commit 52ab9ca179
parent ad42d99e0b
5 changed files with 12 additions and 9 deletions
--- a/4
+++ b/4
@ -15,9 +15,7 @@ Utilities
 ---------

 - Constant-time operations
-  - [/] compare: returns `0` if match, non-`0` otherwise. The non-`0`
-    case might leak information. Would be better to return `0xffffffff`
-    if match, `0` otherwise.
+  - [x] compare

 Hash
 ----
--- a/aead_chacha20_poly1305.c
+++ b/aead_chacha20_poly1305.c
@ -162,7 +162,7 @@ chacha20_poly1305_open(const uint8_t *key, size_t keylen, const uint8_t *iv,
 	    !poly1305_final(&pctx, tag, &olen))
 		return 0;

-	if (lc_ct_cmp(tag, tagp, LC_POLY1305_TAGLEN) != 0)
+	if (!lc_ct_cmp(tag, tagp, LC_POLY1305_TAGLEN))
 		return 0;

 	lc_scrub(buf, sizeof(buf));
--- a/ct.c
+++ b/ct.c
@ -25,5 +25,10 @@ lc_ct_cmp(const uint8_t *x, const uint8_t *y, size_t l)
 	for (; l > 0; l--)
 		r |= *x++ ^ *y++;

-	return r;
+	/* Ensures that if any bit is set, then bit 7 is set. */
+	r |= r << 4;
+	r |= r << 2;
+	r |= r << 1;
+
+	return 0xffffffff + ((r & 0x80) >> 7);
 }
--- a/wycheproof_aead.c
+++ b/wycheproof_aead.c
@ -249,7 +249,7 @@ main(int argc, char *argv[])
 	}

 	if (ctlen != encoutlen - LC_POLY1305_TAGLEN ||
-	    lc_ct_cmp(encout, ct, ctlen) != 0) {
+	    !lc_ct_cmp(encout, ct, ctlen)) {
 		if (verbose) {
 			fprintf(stderr, "ct (%zu, %zu)\n", ctlen,
 			    encoutlen - LC_POLY1305_TAGLEN);
@ -265,7 +265,7 @@ main(int argc, char *argv[])
 		return 1;
 	}
 	if (taglenarg != LC_POLY1305_TAGLEN ||
-	    lc_ct_cmp(encout + ctlen, tag, LC_POLY1305_TAGLEN) != 0) {
+	    !lc_ct_cmp(encout + ctlen, tag, LC_POLY1305_TAGLEN)) {
 		if (verbose) {
 			fprintf(stderr, "tag (%zu, %zu)\n", taglenarg,
 			    (size_t)LC_POLY1305_TAGLEN);
@ -300,7 +300,7 @@ main(int argc, char *argv[])
 		return 1;
 	}

-	if (msglen != decoutlen || lc_ct_cmp(decout, msg, msglen) != 0) {
+	if (msglen != decoutlen || !lc_ct_cmp(decout, msg, msglen)) {
 		if (verbose) {
 			fprintf(stderr, "ct (%zu, %zu)\n", msglen, decoutlen);
 			lc_hexdump_fp(stderr, msg, msglen);
--- a/wycheproof_mac.c
+++ b/wycheproof_mac.c
@ -212,7 +212,7 @@ main(int argc, char *argv[])
 	 * be the full-length hash.
 	 */
 	if (taglen != taglenarg ||
-	    lc_ct_cmp(buf, tag, taglen) != 0) {
+	    !lc_ct_cmp(buf, tag, taglen)) {
 		if (verbose) {
 			fprintf(stderr, "tag (%zu, %zu, %zu)\n", taglen,
 			    taglenarg, olen);