From df44face56717f13c8e690232b80c9feab497465 Mon Sep 17 00:00:00 2001
From: Sean Parkinson
Date: Tue, 4 Jun 2024 22:20:22 +1000
Subject: [PATCH] Kyber: fix kyber_from_msg()

New compilers with specific optimization levels will produce non-constant time code for kyber_from_msg(). Add in an optimization blocker that stops the compiler from assuming anything about the value to be ANDed with KYBER_Q_1_HALF.
---
 wolfcrypt/src/wc_kyber.c | 5 +++++
 wolfcrypt/src/wc_kyber_poly.c | 8 +++++++-
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/wolfcrypt/src/wc_kyber.c b/wolfcrypt/src/wc_kyber.c
index 5493c9e61..d611d4f21 100644
--- a/wolfcrypt/src/wc_kyber.c
+++ b/wolfcrypt/src/wc_kyber.c
@@ -59,6 +59,11 @@
 /******************************************************************************/
+/* Declare variable to make compiler not optimize code in kyber_from_msg(). */
+volatile sword16 kyber_opt_blocker = 0;
+
+/******************************************************************************/
+
 /**
 * Initialize the Kyber key.
 *
diff --git a/wolfcrypt/src/wc_kyber_poly.c b/wolfcrypt/src/wc_kyber_poly.c
index a95d812db..7374a4849 100644
--- a/wolfcrypt/src/wc_kyber_poly.c
+++ b/wolfcrypt/src/wc_kyber_poly.c
@@ -34,6 +34,9 @@
 #ifdef WOLFSSL_WC_KYBER
+/* Declared in wc_kyber.c to stop compiler optimizer from simplifying. */
+extern volatile sword16 kyber_opt_blocker;
+
 #ifdef USE_INTEL_SPEEDUP
 static word32 cpuid_flags = 0;
 #endif
@@ -2773,6 +2776,8 @@ void kyber_decompress_5(sword16* p, const unsigned char* b)
 /* Convert bit from byte to 0 or (KYBER_Q + 1) / 2.
 *
 * Constant time implementation.
+ * XOR in kyber_opt_blocker to ensure optimizer doesn't know what will be ANDed
+ * with KYBER_Q_1_HALF and can't optimize to non-constant time code.
 *
 * @param [out] p Polynomial to hold converted value.
 * @param [in] msg Message to get bit from byte from.
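Review bot: `kyber_opt_blocker` is defined with external linkage in wc_kyber.c and then re-declared with a bare `extern` inside wc_kyber_poly.c (the `@@ -34` hunk), so nothing checks that the two declarations agree; a type or qualifier mismatch across translation units would not be diagnosed. Move the single declaration into a header both files already include (not visible here), `extern volatile sword16 kyber_opt_blocker;`, and keep only the definition in wc_kyber.c. The comment on the definition should also state the invariant the consumer depends on, e.g. `/* Must remain 0: FROM_MSG_BIT XORs it into the sign mask before ANDing with KYBER_Q_1_HALF. */`, since any nonzero value would silently corrupt the decoded polynomial rather than fail loudly.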
@@ -2780,7 +2785,8 @@ void kyber_decompress_5(sword16* p, const unsigned char* b)
 * @param [in] j Index of bit in byte.
 */
 #define FROM_MSG_BIT(p, msg, i, j) \
- p[8 * (i) + (j)] = ((sword16)0 - (sword16)(((msg)[i] >> (j)) & 1)) & KYBER_Q_1_HALF
+ (p)[8 * (i) + (j)] = (((sword16)0 - (sword16)(((msg)[i] >> (j)) & 1)) ^ \
+ kyber_opt_blocker) & KYBER_Q_1_HALF
 /* Convert message to polynomial.
 *
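Review bot: The rewritten `FROM_MSG_BIT` is only correct while `kyber_opt_blocker` is 0 at runtime, because the XOR is applied to the 0/-1 mask before the AND with KYBER_Q_1_HALF, yet the macro itself gives no hint of that; add `/* kyber_opt_blocker must be 0: the XOR only hides the mask from the optimizer. */` directly above the `#define`. The volatile is now loaded once per bit, presumably 256 times per call from kyber_from_msg (whose body is outside this hunk); reading it once into a local at the top of kyber_from_msg and XORing that local would keep the value equally opaque to the compiler while avoiding the repeated loads, which is worth measuring. Since the commit message does not name the compiler or optimization level that produced the branchy code, the claim that this XOR restores constant time should be confirmed by inspecting the generated code for that configuration rather than assumed.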