
Commit 9b8d306

Fixed secret-dependent branch in poly_frommsg introduced by recent versions of clang with some flags (Thanks to Antoon Purnal for pointing this out!)
1 parent b628ba7 commit 9b8d306

3 files changed

+13
-3
lines changed


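--- a/ref/poly.c
+++ b/ref/poly.c
@@ -5,6 +5,7 @@
 #include "reduce.h"
 #include "cbd.h"
 #include "symmetric.h"
+#include "verify.h"
 
 /*************************************************
 * Name: poly_compress
@@ -166,16 +167,15 @@ void poly_frombytes(poly *r, const uint8_t a[KYBER_POLYBYTES])
 void poly_frommsg(poly *r, const uint8_t msg[KYBER_INDCPA_MSGBYTES])
 {
 unsigned int i,j;
-int16_t mask;
 
 #if (KYBER_INDCPA_MSGBYTES != KYBER_N/8)
 #error "KYBER_INDCPA_MSGBYTES must be equal to KYBER_N/8 bytes!"
 #endif
 
 for(i=0;i<KYBER_N/8;i++) {
 for(j=0;j<8;j++) {
-mask = -(int16_t)((msg[i] >> j)&1);
-r->coeffs[8*i+j] = mask & ((KYBER_Q+1)/2);
+r->coeffs[8*i+j] = 0;
+cmov_int16(r->coeffs+8*i+j, ((KYBER_Q+1)/2), (msg[i] >> j)&1);
 }
 }
 }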
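Review bot: The reason the mask-and-AND idiom was replaced is not recorded in the code, so a later "simplification" back to `mask & ((KYBER_Q+1)/2)` would silently reintroduce the branch on a message bit; the inner loop body deserves a comment such as `/* Select via cmov_int16 (separate translation unit): the inline -(bit) & const mask was compiled to a secret-dependent branch by some compilers */`. The protection presumably rests on cmov_int16 being opaque to the optimizer because it lives in verify.c; under link-time optimization or if the function were inlined that barrier may disappear, so the comment should also state that the generated code for this loop needs re-checking whenever the build flags change. Note that `(msg[i] >> j)&1` is an int that is narrowed to the uint16_t parameter, and `(KYBER_Q+1)/2` is an int narrowed to int16_t; both are fine as long as the selector is exactly 0 or 1, which is the contract cmov_int16 relies on.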

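--- a/ref/verify.c
+++ b/ref/verify.c
@@ -55,3 +55,10 @@ void cmov(uint8_t *r, const uint8_t *x, size_t len, uint8_t b)
 for(i=0;i<len;i++)
 r[i] ^= b & (r[i] ^ x[i]);
 }
+
+
+void cmov_int16(int16_t *r, int16_t v, uint16_t b)
+{
+b = -b;
+*r ^= b & ((*r) ^ v);
+}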
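Review bot: cmov_int16 is added without the Name/Description/Arguments header block that the rest of this reference code uses for its functions (see the poly_compress header in poly.c), and its precondition is unstated: `b = -b` only produces the all-ones mask when b is exactly 1, so any caller passing another nonzero value gets a garbage selection rather than a copy. I would add a header comment in the file's style describing it as a constant-time conditional move of v into *r when b == 1 and no-op when b == 0, listing r, v and b as arguments and stating explicitly that b must be 0 or 1; the declaration added in verify.h should carry the same contract. The final `*r ^= b & (...)` narrows an int in the range 0..0xFFFF back to int16_t, which is implementation-defined before C23 and presumably relies on the two's-complement behaviour the rest of the reference code already assumes — worth a short `/* relies on two's-complement narrowing */` note. Since the whole point of the function is to keep the selector out of a branch, the comment should also say that it is intentionally kept in this translation unit and that its generated assembly should be checked after compiler or flag changes.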

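--- a/ref/verify.h
+++ b/ref/verify.h
@@ -11,4 +11,7 @@ int verify(const uint8_t *a, const uint8_t *b, size_t len);
 #define cmov KYBER_NAMESPACE(cmov)
 void cmov(uint8_t *r, const uint8_t *x, size_t len, uint8_t b);
 
+#define cmov_int16 KYBER_NAMESPACE(cmov_int16)
+void cmov_int16(int16_t *r, int16_t v, uint16_t b);
+
 #endif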
