From 9354990a549d9ca3a3c0eec12ff77e1f883bceeb Mon Sep 17 00:00:00 2001
From: Tom Cosgrove
Date: Tue, 30 Aug 2022 17:41:23 +0100
Subject: [PATCH] Don't use multiplication by condition in even a semi-constant time function

Signed-off-by: Tom Cosgrove
---
 library/bignum_core.c | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/library/bignum_core.c b/library/bignum_core.c
index 2e183896a4..1ca69dc6ce 100644
--- a/library/bignum_core.c
+++ b/library/bignum_core.c
@@ -300,9 +300,23 @@ mbedtls_mpi_uint mbedtls_mpi_core_add_if( mbedtls_mpi_uint *A,
 {
     mbedtls_mpi_uint c = 0;
 
+    /* MSVC has a warning about unary minus on unsigned integer types,
+     * but this is well-defined and precisely what we want to do here. */
+#if defined(_MSC_VER)
+#pragma warning( push )
+#pragma warning( disable : 4146 )
+#endif
+
+    /* all-bits 1 if cond is 1, all-bits 0 if cond is 0 */
+    const mbedtls_mpi_uint mask = -(mbedtls_mpi_uint)cond;
+
+#if defined(_MSC_VER)
+#pragma warning( pop )
+#endif
+
     for( size_t i = 0; i < limbs; i++ )
     {
-        mbedtls_mpi_uint add = cond * B[i];
+        mbedtls_mpi_uint add = mask & B[i];
         mbedtls_mpi_uint t = c + A[i];
         c = ( t < A[i] );
         t += add;
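Review bot: The new mask `-(mbedtls_mpi_uint)cond` is only correct when cond is exactly 0 or 1; for any other non-zero value (2, for instance) the mask has low bits cleared, `mask & B[i]` drops part of B[i], and the conditional addition returns a silently wrong sum instead of failing. The removed `cond * B[i]` had the same 0/1 precondition, but the added comment documents only the two intended cases, so a future caller passing a generic truth value has nothing to warn them. I would state the precondition next to the mask, e.g. `/* cond must be exactly 0 or 1; any other value gives a partial mask and a wrong result */`, and repeat it in the function's doxygen block in the header, which is outside this hunk. The body of mbedtls_mpi_core_add_if continues past the end of the hunk, so whether cond is validated or normalised elsewhere cannot be seen here.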