From 664fea481c13a944a7c065155ec1ccc928a2eaf2 Mon Sep 17 00:00:00 2001
From: Dave Rodgman
Date: Fri, 12 May 2023 12:11:37 +0100
Subject: [PATCH 01/12] Add x86-64 const-time assembly
Signed-off-by: Dave Rodgman
---
library/constant_time_impl.h | 47 ++++++++++++++++++++++++++++++++++++
1 file changed, 47 insertions(+)
diff --git a/library/constant_time_impl.h b/library/constant_time_impl.h
index 8da15a84cb..73e91ccefe 100644
--- a/library/constant_time_impl.h
+++ b/library/constant_time_impl.h
@@ -71,6 +71,8 @@
#define MBEDTLS_CT_ARM_ASM
#elif defined(__aarch64__)
#define MBEDTLS_CT_AARCH64_ASM
+#elif defined(__amd64__) || defined(__x86_64__)
+#define MBEDTLS_CT_X86_64_ASM
#endif
#endif
@@ -175,6 +177,19 @@ static inline mbedtls_ct_condition_t mbedtls_ct_bool(mbedtls_ct_uint_t x)
"cc" /* clobbers flag bits */
);
return (mbedtls_ct_condition_t) x;
+#elif defined(MBEDTLS_CT_X86_64_ASM) && (defined(MBEDTLS_CT_SIZE_32) || defined(MBEDTLS_CT_SIZE_64))
+ uint64_t s;
+ asm volatile ("mov %[x], %[s] \n\t"
+ "neg %[s] \n\t"
+ "or %[x], %[s] \n\t"
+ "sar $63, %[s] \n\t"
+ :
+ [s] "=&a" (s)
+ :
+ [x] "D" (x)
+ :
+ );
+ return (mbedtls_ct_condition_t) s;
#else
const mbedtls_ct_uint_t xo = mbedtls_ct_compiler_opaque(x);
#if defined(_MSC_VER)
@@ -230,6 +245,19 @@ static inline mbedtls_ct_uint_t mbedtls_ct_if(mbedtls_ct_condition_t condition,
"cc"
);
return (mbedtls_ct_uint_t) condition;
+#elif defined(MBEDTLS_CT_X86_64_ASM) && (defined(MBEDTLS_CT_SIZE_32) || defined(MBEDTLS_CT_SIZE_64))
+ asm volatile ("and %[condition], %[if1] \n\t"
+ "not %[condition] \n\t"
+ "and %[condition], %[if0] \n\t"
+ "or %[if1], %[if0] \n\t"
+ :
+ [condition] "+&D" (condition),
+ [if1] "+&S" (if1),
+ [if0] "+&a" (if0)
+ :
+ :
+ );
+ return if0;
#else
mbedtls_ct_condition_t not_cond = (mbedtls_ct_condition_t) (~mbedtls_ct_compiler_opaque(condition));
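Review bot: In the x86_64 branch of mbedtls_ct_bool, the scratch `s` is a `uint64_t` while the input `x` is an `mbedtls_ct_uint_t`, and the `#elif` explicitly admits `MBEDTLS_CT_SIZE_32`; if that type can be 32 bits wide on this target, GCC substitutes a 32-bit register name for `%[x]` and a 64-bit one for `%[s]`, so I would expect the assembler to reject `mov %[x], %[s]` and `or %[x], %[s]` as operand-size mismatches. The AArch64 branch above avoids exactly this by forcing 64-bit register names with `%x[...]`; on x86_64 the simplest fix is to widen the input before the asm, `uint64_t xw = x;` bound as `[x] "D" (xw)`, so every operand is 64 bits regardless of MBEDTLS_CT_SIZE_32 (the `%q` modifier alone would not zero the upper half of the register). The same mismatch exists in the x86_64 mbedtls_ct_uint_lt branch in the next hunk, where `mask` is `uint64_t` and `x`/`y` are `mbedtls_ct_uint_t`. I have not checked how MBEDTLS_CT_SIZE_32 is selected on x86_64; if it is unreachable there, tightening the condition to `defined(MBEDTLS_CT_SIZE_64)` would document that instead.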
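Review bot: The operand constraints in the x86_64 mbedtls_ct_if branch, `"+&D"`, `"+&S"` and `"+&a"`, pin three specific registers for a four-instruction sequence that has no register requirement, and the `&` early-clobber marks are redundant here since there are no input-only operands to protect. Because these functions are static inline, the pinning forces the allocator to move values into rdi/rsi/rax at every inlined call site; `"+r"` as in the AArch64 branch would let it choose. As far as I can see the same applies to the `"D"`/`"=&a"` pair in mbedtls_ct_bool, to the `"=&a"`/`"+&S"`/`"+&D"` operands of mbedtls_ct_uint_lt in the next hunk, and to the `"a"`/`"b"`/`"c"` constraints in the x86 variants of patch 02. The clobber list is also empty in all of these, unlike the Arm/AArch64 variants that list `"cc"`; GCC's x86 backend treats the flags as clobbered by every asm statement, so this is harmless, but an explicit `"cc"` would keep the variants consistent.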
@@ -274,6 +302,25 @@ static inline mbedtls_ct_condition_t mbedtls_ct_uint_lt(mbedtls_ct_uint_t x, mbe
"cc"
);
return (mbedtls_ct_condition_t) x;
+#elif defined(MBEDTLS_CT_X86_64_ASM) && (defined(MBEDTLS_CT_SIZE_32) || defined(MBEDTLS_CT_SIZE_64))
+ uint64_t mask;
+ asm volatile ("mov %[x], %[mask] \n\t"
+ "xor %[y], %[mask] \n\t"
+ "sub %[y], %[x] \n\t"
+ "and %[mask], %[y] \n\t"
+ "not %[mask] \n\t"
+ "and %[mask], %[x] \n\t"
+ "or %[y], %[x] \n\t"
+ "mov %[x], %[mask] \n\t"
+ "sar $63, %[mask] \n\t"
+ :
+ [mask] "=&a" (mask),
+ [x] "+&S" (x),
+ [y] "+&D" (y)
+ :
+ :
+ );
+ return (mbedtls_ct_condition_t) mask;
#else
/* Ensure that the compiler cannot optimise the following operations over x and y,
* even if it knows the value of x and y.
From 81673bba77d5551b81394a059906ed0f2f8a2908 Mon Sep 17 00:00:00 2001
From: Dave Rodgman
Date: Sat, 13 May 2023 12:32:09 +0100
Subject: [PATCH 02/12] Add x86 const-time assembly
Signed-off-by: Dave Rodgman
---
library/constant_time_impl.h | 47 ++++++++++++++++++++++++++++++++++++
1 file changed, 47 insertions(+)
diff --git a/library/constant_time_impl.h b/library/constant_time_impl.h
index 73e91ccefe..6fb7b9f6d8 100644
--- a/library/constant_time_impl.h
+++ b/library/constant_time_impl.h
@@ -73,6 +73,8 @@
#define MBEDTLS_CT_AARCH64_ASM
#elif defined(__amd64__) || defined(__x86_64__)
#define MBEDTLS_CT_X86_64_ASM
+#elif defined(__i386__)
+#define MBEDTLS_CT_X86_ASM
#endif
#endif
@@ -190,6 +192,19 @@ static inline mbedtls_ct_condition_t mbedtls_ct_bool(mbedtls_ct_uint_t x)
:
);
return (mbedtls_ct_condition_t) s;
+#elif defined(MBEDTLS_CT_X86_ASM) && defined(MBEDTLS_CT_SIZE_32)
+ uint32_t s;
+ asm volatile ("mov %[x], %[s] \n\t"
+ "neg %[s] \n\t"
+ "or %[s], %[x] \n\t"
+ "sar $31, %[x] \n\t"
+ :
+ [s] "=&c" (s),
+ [x] "+&a" (x)
+ :
+ :
+ );
+ return (mbedtls_ct_condition_t) x;
#else
const mbedtls_ct_uint_t xo = mbedtls_ct_compiler_opaque(x);
#if defined(_MSC_VER)
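Review bot: The x86_64 mbedtls_ct_uint_lt sequence carries no comment saying what it computes, whereas the C fallback right below it explains its intent; a reader has to work through nine instructions to see that `mask` ends up as the sign bit of `((x ^ y) & y) | (~(x ^ y) & (x - y))`, i.e. the borrow out of the unsigned subtraction. I would add above `uint64_t mask;` the comment `/* Compute the sign bit of ((x ^ y) & y) | (~(x ^ y) & (x - y)), which is set iff x < y (unsigned); same formula as the AArch64 branch above. */`. The same comment would serve the 32-bit x86 variant added in patch 02 and the Arm/AArch64 variants, which are currently undocumented too.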
@@ -258,6 +273,19 @@ static inline mbedtls_ct_uint_t mbedtls_ct_if(mbedtls_ct_condition_t condition,
:
);
return if0;
+#elif defined(MBEDTLS_CT_X86_ASM) && defined(MBEDTLS_CT_SIZE_32)
+ asm volatile ("and %[condition], %[if1] \n\t"
+ "not %[condition] \n\t"
+ "and %[if0], %[condition] \n\t"
+ "or %[condition], %[if1] \n\t"
+ :
+ [condition] "+&c" (condition),
+ [if1] "+&a" (if1)
+ :
+ [if0] "b" (if0)
+ :
+ );
+ return if1;
#else
mbedtls_ct_condition_t not_cond = (mbedtls_ct_condition_t) (~mbedtls_ct_compiler_opaque(condition));
@@ -321,6 +349,25 @@ static inline mbedtls_ct_condition_t mbedtls_ct_uint_lt(mbedtls_ct_uint_t x, mbe
:
);
return (mbedtls_ct_condition_t) mask;
+#elif defined(MBEDTLS_CT_X86_ASM) && defined(MBEDTLS_CT_SIZE_32)
+ uint32_t s;
+ asm volatile ("mov %[x], %[s] \n\t"
+ "xor %[y], %[s] \n\t"
+ "sub %[y], %[x] \n\t"
+ "not %[s] \n\t"
+ "and %[s], %[x] \n\t"
+ "not %[s] \n\t"
+ "and %[y], %[s] \n\t"
+ "or %[s], %[x] \n\t"
+ "sar $31, %[x] \n\t"
+ :
+ [s] "=&b" (s),
+ [x] "+&a" (x)
+ :
+ [y] "c" (y)
+ :
+ );
+ return (mbedtls_ct_condition_t) x;
#else
/* Ensure that the compiler cannot optimise the following operations over x and y,
* even if it knows the value of x and y.
From 0cf9dd1056f5253b529a7de6e651146393426e6a Mon Sep 17 00:00:00 2001
From: Dave Rodgman
Date: Fri, 12 May 2023 16:29:48 +0100
Subject: [PATCH 03/12] Whitespace - tidy up asm and make it more consistent
Signed-off-by: Dave Rodgman
---
library/constant_time_impl.h | 72 +++++++++++++++++++++++++++++++++++-----------------
1 file changed, 39 insertions(+), 33 deletions(-)
diff --git a/library/constant_time_impl.h b/library/constant_time_impl.h
index 6fb7b9f6d8..054c71fabe 100644
--- a/library/constant_time_impl.h
+++ b/library/constant_time_impl.h
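Review bot: The x86 mbedtls_ct_if branch binds `if0` with the `"b"` constraint, and the x86 mbedtls_ct_uint_lt branch in the next hunk binds its scratch with `"=&b"`, yet nothing in either sequence needs %ebx specifically. On i386, %ebx is the PIC base register under -fPIC/-fPIE, and as I recall older GCC releases refuse to hand it to an asm operand in that mode (a "can't find a register in class 'BREG'" / inconsistent-constraints error), so a 32-bit shared-library build could fail to compile. I would loosen both to `[if0] "r" (if0)` and `[s] "=&r" (s)`, which also matches the `"r"`/`"l"` constraints the AArch64 and Arm branches use.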
@@ -136,7 +136,7 @@ static inline mbedtls_ct_uint_t mbedtls_ct_compiler_opaque(mbedtls_ct_uint_t x)
* seem to apply unified syntax globally, which breaks other asm code. */
#if !defined(__clang__)
-#define RESTORE_ASM_SYNTAX ".syntax divided \n\t"
+#define RESTORE_ASM_SYNTAX ".syntax divided \n\t"
#else
#define RESTORE_ASM_SYNTAX
#endif
@@ -154,9 +154,9 @@ static inline mbedtls_ct_condition_t mbedtls_ct_bool(mbedtls_ct_uint_t x)
*/
#if defined(MBEDTLS_CT_AARCH64_ASM) && (defined(MBEDTLS_CT_SIZE_32) || defined(MBEDTLS_CT_SIZE_64))
mbedtls_ct_uint_t s;
- asm volatile ("neg %x[s], %x[x] \n\t"
- "orr %x[x], %x[s], %x[x] \n\t"
- "asr %x[x], %x[x], 63"
+ asm volatile ("neg %x[s], %x[x] \n\t"
+ "orr %x[x], %x[s], %x[x] \n\t"
+ "asr %x[x], %x[x], 63 \n\t"
:
[s] "=&r" (s),
[x] "+&r" (x)
@@ -166,10 +166,10 @@ static inline mbedtls_ct_condition_t mbedtls_ct_bool(mbedtls_ct_uint_t x)
return (mbedtls_ct_condition_t) x;
#elif defined(MBEDTLS_CT_ARM_ASM) && defined(MBEDTLS_CT_SIZE_32)
uint32_t s;
- asm volatile (".syntax unified \n\t"
- "negs %[s], %[x] \n\t"
- "orrs %[x], %[x], %[s] \n\t"
- "asrs %[x], %[x], #31 \n\t"
+ asm volatile (".syntax unified \n\t"
+ "negs %[s], %[x] \n\t"
+ "orrs %[x], %[x], %[s] \n\t"
+ "asrs %[x], %[x], #31 \n\t"
RESTORE_ASM_SYNTAX
:
[s] "=&l" (s),
@@ -232,9 +232,9 @@ static inline mbedtls_ct_uint_t mbedtls_ct_if(mbedtls_ct_condition_t condition,
mbedtls_ct_uint_t if0)
{
#if defined(MBEDTLS_CT_AARCH64_ASM) && (defined(MBEDTLS_CT_SIZE_32) || defined(MBEDTLS_CT_SIZE_64))
- asm volatile ("and %x[if1], %x[if1], %x[condition] \n\t"
- "mvn %x[condition], %x[condition] \n\t"
- "and %x[condition], %x[condition], %x[if0] \n\t"
+ asm volatile ("and %x[if1], %x[if1], %x[condition] \n\t"
+ "mvn %x[condition], %x[condition] \n\t"
+ "and %x[condition], %x[condition], %x[if0] \n\t"
"orr %x[condition], %x[if1], %x[condition]"
:
[condition] "+&r" (condition),
@@ -245,11 +245,11 @@ static inline mbedtls_ct_uint_t mbedtls_ct_if(mbedtls_ct_condition_t condition,
);
return (mbedtls_ct_uint_t) condition;
#elif defined(MBEDTLS_CT_ARM_ASM) && defined(MBEDTLS_CT_SIZE_32)
- asm volatile (".syntax unified \n\t"
- "ands %[if1], %[if1], %[condition] \n\t"
- "mvns %[condition], %[condition] \n\t"
- "ands %[condition], %[condition], %[if0] \n\t"
- "orrs %[condition], %[if1], %[condition] \n\t"
+ asm volatile (".syntax unified \n\t"
+ "ands %[if1], %[if1], %[condition] \n\t"
+ "mvns %[condition], %[condition] \n\t"
+ "ands %[condition], %[condition], %[if0] \n\t"
+ "orrs %[condition], %[if1], %[condition] \n\t"
RESTORE_ASM_SYNTAX
:
[condition] "+&l" (condition),
@@ -297,34 +297,40 @@ static inline mbedtls_ct_condition_t mbedtls_ct_uint_lt(mbedtls_ct_uint_t x, mbe
{
#if defined(MBEDTLS_CT_AARCH64_ASM) && (defined(MBEDTLS_CT_SIZE_32) || defined(MBEDTLS_CT_SIZE_64))
uint64_t s1;
- asm volatile ("eor %x[s1], %x[y], %x[x] \n\t"
- "sub %x[x], %x[x], %x[y] \n\t"
- "bic %x[x], %x[x], %x[s1] \n\t"
- "and %x[s1], %x[s1], %x[y] \n\t"
- "orr %x[s1], %x[x], %x[s1] \n\t"
+ asm volatile ("eor %x[s1], %x[y], %x[x] \n\t"
+ "sub %x[x], %x[x], %x[y] \n\t"
+ "bic %x[x], %x[x], %x[s1] \n\t"
+ "and %x[s1], %x[s1], %x[y] \n\t"
+ "orr %x[s1], %x[x], %x[s1] \n\t"
"asr %x[x], %x[s1], 63"
- : [s1] "=&r" (s1), [x] "+&r" (x)
- : [y] "r" (y)
+ :
+ [s1] "=&r" (s1),
+ [x] "+&r" (x)
+ :
+ [y] "r" (y)
:
);
return (mbedtls_ct_condition_t) x;
#elif defined(MBEDTLS_CT_ARM_ASM) && defined(MBEDTLS_CT_SIZE_32)
uint32_t s1;
asm volatile (
- ".syntax unified \n\t"
+ ".syntax unified \n\t"
#if defined(__thumb__) && !defined(__thumb2__)
- "movs %[s1], %[x] \n\t"
- "eors %[s1], %[s1], %[y] \n\t"
+ "movs %[s1], %[x] \n\t"
+ "eors %[s1], %[s1], %[y] \n\t"
#else
- "eors %[s1], %[x], %[y] \n\t"
+ "eors %[s1], %[x], %[y] \n\t"
#endif
- "subs %[x], %[x], %[y] \n\t"
- "bics %[x], %[x], %[s1] \n\t"
- "ands %[y], %[s1], %[y] \n\t"
- "orrs %[x], %[x], %[y] \n\t"
- "asrs %[x], %[x], #31 \n\t"
+ "subs %[x], %[x], %[y] \n\t"
+ "bics %[x], %[x], %[s1] \n\t"
+ "ands %[y], %[s1], %[y] \n\t"
+ "orrs %[x], %[x], %[y] \n\t"
+ "asrs %[x], %[x], #31 \n\t"
RESTORE_ASM_SYNTAX
- : [s1] "=&l" (s1), [x] "+&l" (x), [y] "+&l" (y)
+ :
+ [s1] "=&l" (s1),
+ [x] "+&l" (x),
+ [y] "+&l" (y)
:
:
"cc"
From d44dd961323f3e15e1e0b8978ff91b5cbfd117f3 Mon Sep 17 00:00:00 2001
From: Dave Rodgman
Date: Wed, 9 Aug 2023 14:10:14 +0100
Subject: [PATCH 04/12] Improve docs re duplicate declarations
Signed-off-by: Dave Rodgman
---
library/constant_time_impl.h | 27 ++++++++++++++-------------
1 file changed, 14 insertions(+), 13 deletions(-)
diff --git a/library/constant_time_impl.h b/library/constant_time_impl.h
index 054c71fabe..ab32deee9f 100644
--- a/library/constant_time_impl.h
+++ b/library/constant_time_impl.h
@@ -1,15 +1,6 @@
/**
* Constant-time functions
*
- * For readability, the static inline definitions are here, and
- * constant_time_internal.h has only the declarations.
- *
- * This results in duplicate declarations of the form:
- * static inline void f() { ... }
- * static inline void f();
- * when constant_time_internal.h is included. This appears to behave
- * exactly as if the declaration-without-definition was not present.
- *
* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0
*
@@ -37,11 +28,20 @@
#include "mbedtls/bignum.h"
#endif
-/* constant_time_impl.h contains all the static inline implementations,
- * so that constant_time_internal.h is more readable.
+/*
+ * To improve readability of constant_time_internal.h, the static inline
+ * definitions are here, and constant_time_internal.h has only the declarations.
*
- * gcc generates warnings about duplicate declarations, so disable this
- * warning.
+ * This results in duplicate declarations of the form:
+ * static inline void f(); // from constant_time_internal.h
+ * static inline void f() { ... } // from constant_time_impl.h
+ * when constant_time_internal.h is included.
+ *
+ * This appears to behave as if the declaration-without-definition was not present
+ * (except for warnings if gcc -Wredundant-decls or similar is used).
+ *
+ * Disable -Wredundant-decls so that gcc does not warn about this. This is re-enabled
+ * at the bottom of this file.
*/
#ifdef __GNUC__
#pragma GCC diagnostic push
@@ -531,6 +531,7 @@ static inline mbedtls_ct_condition_t mbedtls_ct_bool_not(mbedtls_ct_condition_t
}
#ifdef __GNUC__
+/* Restore warnings for -Wredundant-decls on gcc */
#pragma GCC diagnostic pop
#endif
From b69239c604034ccd28971236b423d152c45d5727 Mon Sep 17 00:00:00 2001
From: Dave Rodgman
Date: Wed, 9 Aug 2023 14:53:18 +0100
Subject: [PATCH 05/12] Improve docs in mbedtls_mpi_lt_mpi_ct
Signed-off-by: Dave Rodgman
---
library/bignum.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/library/bignum.c b/library/bignum.c
index 0a0022cd37..61353ca53d 100644
--- a/library/bignum.c
+++ b/library/bignum.c
@@ -72,7 +72,7 @@ int mbedtls_mpi_lt_mpi_ct(const mbedtls_mpi *X,
}
/*
- * Set sign_N to 1 if N >= 0, 0 if N < 0.
+ * Set N_is_negative to MBEDTLS_CT_FALSE if N >= 0, MBEDTLS_CT_TRUE if N < 0.
* We know that N->s == 1 if N >= 0 and N->s == -1 if N < 0.
*/
X_is_negative = mbedtls_ct_bool((X->s & 2) >> 1);
@@ -83,7 +83,7 @@ int mbedtls_mpi_lt_mpi_ct(const mbedtls_mpi *X,
* That is if X is negative (X_is_negative == 1), then X < Y is true and it
* is false if X is positive (X_is_negative == 0).
*/
- different_sign = mbedtls_ct_bool_xor(X_is_negative, Y_is_negative); // non-zero if different sign
+ different_sign = mbedtls_ct_bool_xor(X_is_negative, Y_is_negative); // true if different sign
result = mbedtls_ct_bool_and(different_sign, X_is_negative);
/*
From 6d5261e38fa977bb579cf556726a87fd91fb4cd8 Mon Sep 17 00:00:00 2001
From: Dave Rodgman
Date: Wed, 9 Aug 2023 14:57:25 +0100
Subject: [PATCH 06/12] Fix typo in doxygen for mbedtls_ct_memcpy_offset
Signed-off-by: Dave Rodgman
---
library/constant_time_internal.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/library/constant_time_internal.h b/library/constant_time_internal.h
index 44b74aec63..ec9f25a993 100644
--- a/library/constant_time_internal.h
+++ b/library/constant_time_internal.h
@@ -455,8 +455,8 @@ void mbedtls_ct_memcpy_if(mbedtls_ct_condition_t condition,
*
* memcpy(dst, src + offset, len)
*
- * This function copies \p len bytes from \p src_base + \p offset to \p
- * dst, with a code flow and memory access pattern that does not depend on
+ * This function copies \p len bytes from \p src + \p offset to
+ * \p dst, with a code flow and memory access pattern that does not depend on
* \p offset, but only on \p offset_min, \p offset_max and \p len.
*
* \note This function reads from \p dest, but the value that
From e97de40e7b952038a5e3ce53c2640b4710137c4b Mon Sep 17 00:00:00 2001
From: Dave Rodgman
Date: Tue, 29 Aug 2023 09:47:35 +0100
Subject: [PATCH 07/12] Typo fix
Signed-off-by: Dave Rodgman
---
library/constant_time_internal.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/library/constant_time_internal.h b/library/constant_time_internal.h
index ec9f25a993..ff7ccc17b7 100644
--- a/library/constant_time_internal.h
+++ b/library/constant_time_internal.h
@@ -47,7 +47,7 @@
* These are all named mbedtls_ct__if and mbedtls_ct__if_else_0
* All arguments are considered secret.
* example: size_t a = x ? b : c => a = mbedtls_ct_size_if(x, b, c)
- * example: unsigned a = x ? b : 0 => a = mbedtls_ct_uint__if_else_0(x, b)
+ * example: unsigned a = x ? b : 0 => a = mbedtls_ct_uint_if_else_0(x, b)
*
* - block memory operations
* Only some arguments are considered secret, as documented for each
From 99f0cdc0e0a51ba67da76656643765bc095854bf Mon Sep 17 00:00:00 2001
From: Dave Rodgman
Date: Fri, 8 Sep 2023 17:18:04 +0100
Subject: [PATCH 08/12] Remove not-needed mov in x86_64 asm
Signed-off-by: Dave Rodgman
---
library/constant_time_impl.h | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/library/constant_time_impl.h b/library/constant_time_impl.h
index ab32deee9f..86f7510cb3 100644
--- a/library/constant_time_impl.h
+++ b/library/constant_time_impl.h
@@ -345,8 +345,7 @@ static inline mbedtls_ct_condition_t mbedtls_ct_uint_lt(mbedtls_ct_uint_t x, mbe
"not %[mask] \n\t"
"and %[mask], %[x] \n\t"
"or %[y], %[x] \n\t"
- "mov %[x], %[mask] \n\t"
- "sar $63, %[mask] \n\t"
+ "sar $63, %[x] \n\t"
:
[mask] "=&a" (mask),
[x] "+&S" (x),
@@ -354,7 +353,7 @@ static inline mbedtls_ct_condition_t mbedtls_ct_uint_lt(mbedtls_ct_uint_t x, mbe
:
:
);
- return (mbedtls_ct_condition_t) mask;
+ return (mbedtls_ct_condition_t) x;
#elif defined(MBEDTLS_CT_X86_ASM) && defined(MBEDTLS_CT_SIZE_32)
uint32_t s;
asm volatile ("mov %[x], %[s] \n\t"
From 5f249852a50e74d8243e0777b18bdfb10d29b0f4 Mon Sep 17 00:00:00 2001
From: Dave Rodgman
Date: Fri, 8 Sep 2023 17:18:29 +0100
Subject: [PATCH 09/12] Better register allocation for x86_64 asm
Signed-off-by: Dave Rodgman
---
library/constant_time_impl.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/library/constant_time_impl.h b/library/constant_time_impl.h
index 86f7510cb3..a8c398ba97 100644
--- a/library/constant_time_impl.h
+++ b/library/constant_time_impl.h
@@ -348,8 +348,8 @@ static inline mbedtls_ct_condition_t mbedtls_ct_uint_lt(mbedtls_ct_uint_t x, mbe
"sar $63, %[x] \n\t"
:
[mask] "=&a" (mask),
- [x] "+&S" (x),
- [y] "+&D" (y)
+ [x] "+&D" (x),
+ [y] "+&S" (y)
:
:
);
From b6b8f6c68dcd5632d102c511b85334936776dbea Mon Sep 17 00:00:00 2001
From: Dave Rodgman
Date: Fri, 8 Sep 2023 17:19:32 +0100
Subject: [PATCH 10/12] Make variable name consistent in x86_64 asm
Signed-off-by: Dave Rodgman
---
library/constant_time_impl.h | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/library/constant_time_impl.h b/library/constant_time_impl.h
index a8c398ba97..4a75c60cd0 100644
--- a/library/constant_time_impl.h
+++ b/library/constant_time_impl.h
@@ -337,17 +337,17 @@ static inline mbedtls_ct_condition_t mbedtls_ct_uint_lt(mbedtls_ct_uint_t x, mbe
);
return (mbedtls_ct_condition_t) x;
#elif defined(MBEDTLS_CT_X86_64_ASM) && (defined(MBEDTLS_CT_SIZE_32) || defined(MBEDTLS_CT_SIZE_64))
- uint64_t mask;
- asm volatile ("mov %[x], %[mask] \n\t"
- "xor %[y], %[mask] \n\t"
+ uint64_t s;
+ asm volatile ("mov %[x], %[s] \n\t"
+ "xor %[y], %[s] \n\t"
"sub %[y], %[x] \n\t"
- "and %[mask], %[y] \n\t"
- "not %[mask] \n\t"
- "and %[mask], %[x] \n\t"
+ "and %[s], %[y] \n\t"
+ "not %[s] \n\t"
+ "and %[s], %[x] \n\t"
"or %[y], %[x] \n\t"
"sar $63, %[x] \n\t"
:
- [mask] "=&a" (mask),
+ [s] "=&a" (s),
[x] "+&D" (x),
[y] "+&S" (y)
:
From 4a97e736613eefaac3103642b68a44f5860398f9 Mon Sep 17 00:00:00 2001
From: Dave Rodgman
Date: Fri, 8 Sep 2023 17:26:18 +0100
Subject: [PATCH 11/12] Eliminate a redundant not from x86 asm
Signed-off-by: Dave Rodgman
---
library/constant_time_impl.h | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/library/constant_time_impl.h b/library/constant_time_impl.h
index 4a75c60cd0..70e8b9a577 100644
--- a/library/constant_time_impl.h
+++ b/library/constant_time_impl.h
@@ -359,11 +359,10 @@ static inline mbedtls_ct_condition_t mbedtls_ct_uint_lt(mbedtls_ct_uint_t x, mbe
asm volatile ("mov %[x], %[s] \n\t"
"xor %[y], %[s] \n\t"
"sub %[y], %[x] \n\t"
+ "and %[s], %[y] \n\t"
"not %[s] \n\t"
"and %[s], %[x] \n\t"
- "not %[s] \n\t"
- "and %[y], %[s] \n\t"
- "or %[s], %[x] \n\t"
+ "or %[y], %[x] \n\t"
"sar $31, %[x] \n\t"
:
[s] "=&b" (s),
From 3f8e483eed49c46fb80d36b58639beb18b514c0f Mon Sep 17 00:00:00 2001
From: Dave Rodgman
Date: Fri, 8 Sep 2023 17:57:40 +0100
Subject: [PATCH 12/12] Mark y as modified in x86 asm for mbedtls_ct_uint_lt
Signed-off-by: Dave Rodgman
---
library/constant_time_impl.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/library/constant_time_impl.h b/library/constant_time_impl.h
index 70e8b9a577..4290e6024e 100644
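Review bot: After this change the x86 mbedtls_ct_uint_lt sequence writes `%[y]` (`and %[s], %[y]`), but within this commit `y` is still an input-only operand, `[y] "c" (y)`, so the compiler is entitled to assume %ecx is unchanged after the asm and may reuse the stale value. The last patch in the series corrects the constraint to `[y] "+&c" (y)`; squashing that fix into this commit would keep every point in the history correct for bisecting. The asm statement's operand list continues outside the hunk.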
--- a/library/constant_time_impl.h
+++ b/library/constant_time_impl.h
@@ -366,9 +366,9 @@ static inline mbedtls_ct_condition_t mbedtls_ct_uint_lt(mbedtls_ct_uint_t x, mbe
"sar $31, %[x] \n\t"
:
[s] "=&b" (s),
- [x] "+&a" (x)
+ [x] "+&a" (x),
+ [y] "+&c" (y)
:
- [y] "c" (y)
:
);
return (mbedtls_ct_condition_t) x;