From: Jai S <jsathy97@gmail.com>
Date: Wed, 7 May 2025 18:01:06 +0000 (+0530)
Subject: Use value barrier for constant_time_cond_swap_*
X-Git-Tag: openssl-3.3.4~42
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7133fc4a38b1da938b38e173f530fca807521743;p=thirdparty%2Fopenssl.git

Use value barrier for constant_time_cond_swap_*

Resolves #27497

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27581)

(cherry picked from commit 8a9e0d0f499a288cf3363668870806d5e7be3924)
---

diff --git a/include/internal/constant_time.h b/include/internal/constant_time.h
index 2b49afe1ea2..c3f5acfd594 100644
--- a/include/internal/constant_time.h
+++ b/include/internal/constant_time.h
@@ -296,6 +296,18 @@ static ossl_inline size_t value_barrier_s(size_t a)
     return r;
 }
 
+/* Convenience method for unsigned char. */
+static ossl_inline unsigned char value_barrier_8(unsigned char a)
+{
+#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__)
+    unsigned char r;
+    __asm__("" : "=r"(r) : "0"(a));
+#else
+    volatile unsigned char r = a;
+#endif
+    return r;
+}
+
 static ossl_inline unsigned int constant_time_select(unsigned int mask,
                                                      unsigned int a,
                                                      unsigned int b)
@@ -356,7 +368,7 @@ static ossl_inline void constant_time_cond_swap_32(uint32_t mask, uint32_t *a,
 {
     uint32_t xor = *a ^ *b;
 
-    xor &= mask;
+    xor &= value_barrier_32(mask);
     *a ^= xor;
     *b ^= xor;
 }
@@ -376,7 +388,7 @@ static ossl_inline void constant_time_cond_swap_64(uint64_t mask, uint64_t *a,
 {
     uint64_t xor = *a ^ *b;
 
-    xor &= mask;
+    xor &= value_barrier_64(mask);
     *a ^= xor;
     *b ^= xor;
 }
@@ -403,7 +415,7 @@ static ossl_inline void constant_time_cond_swap_buff(unsigned char mask,
 
     for (i = 0; i < len; i++) {
         tmp = a[i] ^ b[i];
-        tmp &= mask;
+        tmp &= value_barrier_8(mask);
         a[i] ^= tmp;
         b[i] ^= tmp;
     }