From ecc38f267f91dffdb8afaaea8d5e5853be72df21 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Vejpustek?= <ondrej.vejpustek@satoshilabs.com>
Date: Fri, 6 Dec 2024 12:37:44 +0100
Subject: [PATCH] fix(crypto): make ge25519_cmove_stride4b constant time

---
 .../ed25519-donna/ed25519-donna-impl-base.c   | 58 +++++++++++--------
 1 file changed, 34 insertions(+), 24 deletions(-)

diff --git a/crypto/ed25519-donna/ed25519-donna-impl-base.c b/crypto/ed25519-donna/ed25519-donna-impl-base.c
index b6e435bd2c..5ef7b43863 100644
--- a/crypto/ed25519-donna/ed25519-donna-impl-base.c
+++ b/crypto/ed25519-donna/ed25519-donna-impl-base.c
@@ -389,18 +389,23 @@ void ge25519_double_scalarmult_vartime2(ge25519 *r, const ge25519 *p1, const big
  * cause the code to not generate conditional moves.  Don't use any -march=
  * with less than i686 on x86
  */
-static void ge25519_cmove_stride4(long * r, long * p, long * pos, long * n, int stride) {
-  long x0=r[0], x1=r[1], x2=r[2], x3=r[3], y0 = 0, y1 = 0, y2 = 0, y3 = 0;
+static void ge25519_cmove_stride4(unsigned long * r, unsigned long * p, unsigned long * pos, unsigned long * n, int stride) {
+  unsigned long x0=r[0], x1=r[1], x2=r[2], x3=r[3], y0 = 0, y1 = 0, y2 = 0, y3 = 0;
   for(; p<n; p+=stride) {
     volatile int flag=(p==pos);
     y0 = p[0];
     y1 = p[1];
     y2 = p[2];
     y3 = p[3];
-    x0 = flag ? y0 : x0;
-    x1 = flag ? y1 : x1;
-    x2 = flag ? y2 : x2;
-    x3 = flag ? y3 : x3;
+
+    const unsigned long mask_y = -flag;
+    const unsigned long mask_x = ~mask_y;
+
+    // x = flag ? y : x
+    x0 = (y0 & mask_y) | (x0 & mask_x);
+    x1 = (y1 & mask_y) | (x1 & mask_x);
+    x2 = (y2 & mask_y) | (x2 & mask_x);
+    x3 = (y3 & mask_y) | (x3 & mask_x);
   }
   r[0] = x0;
   r[1] = x1;
@@ -409,18 +414,23 @@ static void ge25519_cmove_stride4(long * r, long * p, long * pos, long * n, int
 }
 #define HAS_CMOVE_STRIDE4
 
-static void ge25519_cmove_stride4b(long * r, long * p, long * pos, long * n, int stride) {
-  long x0=p[0], x1=p[1], x2=p[2], x3=p[3], y0 = 0, y1 = 0, y2 = 0, y3 = 0;
+static void ge25519_cmove_stride4b(unsigned long * r, unsigned long * p, unsigned long * pos, unsigned long * n, int stride) {
+  unsigned long x0=p[0], x1=p[1], x2=p[2], x3=p[3], y0 = 0, y1 = 0, y2 = 0, y3 = 0;
   for(p+=stride; p<n; p+=stride) {
     volatile int flag=(p==pos);
     y0 = p[0];
     y1 = p[1];
     y2 = p[2];
     y3 = p[3];
-    x0 = flag ? y0 : x0;
-    x1 = flag ? y1 : x1;
-    x2 = flag ? y2 : x2;
-    x3 = flag ? y3 : x3;
+
+    const unsigned long mask_y = -flag;
+    const unsigned long mask_x = ~mask_y;
+
+    // x = flag ? y : x
+    x0 = (y0 & mask_y) | (x0 & mask_x);
+    x1 = (y1 & mask_y) | (x1 & mask_x);
+    x2 = (y2 & mask_y) | (x2 & mask_x);
+    x3 = (y3 & mask_y) | (x3 & mask_x);
   }
   r[0] = x0;
   r[1] = x1;
@@ -432,12 +442,12 @@ static void ge25519_cmove_stride4b(long * r, long * p, long * pos, long * n, int
 void ge25519_move_conditional_pniels_array(ge25519_pniels * r, const ge25519_pniels * p, int pos, int n) {
 #ifdef HAS_CMOVE_STRIDE4B
   size_t i = 0;
-  for(i=0; i<sizeof(ge25519_pniels)/sizeof(long); i+=4) {
-    ge25519_cmove_stride4b(((long*)r)+i,
-			   ((long*)p)+i,
-			   ((long*)(p+pos))+i,
-			   ((long*)(p+n))+i,
-			   sizeof(ge25519_pniels)/sizeof(long));
+  for(i=0; i<sizeof(ge25519_pniels)/sizeof(unsigned long); i+=4) {
+    ge25519_cmove_stride4b(((unsigned long*)r)+i,
+			   ((unsigned long*)p)+i,
+			   ((unsigned long*)(p+pos))+i,
+			   ((unsigned long*)(p+n))+i,
+			   sizeof(ge25519_pniels)/sizeof(unsigned long));
   }
 #else
   size_t i = 0;
@@ -449,12 +459,12 @@ void ge25519_move_conditional_pniels_array(ge25519_pniels * r, const ge25519_pni
 
 void ge25519_move_conditional_niels_array(ge25519_niels * r, const uint8_t p[8][96], int pos, int n) {
   size_t i = 0;
-  for(i=0; i<96/sizeof(long); i+=4) {
-    ge25519_cmove_stride4(((long*)r)+i,
-			  ((long*)p)+i,
-			  ((long*)(p+pos))+i,
-			  ((long*)(p+n))+i,
-			  96/sizeof(long));
+  for(i=0; i<96/sizeof(unsigned long); i+=4) {
+    ge25519_cmove_stride4(((unsigned long*)r)+i,
+			  ((unsigned long*)p)+i,
+			  ((unsigned long*)(p+pos))+i,
+			  ((unsigned long*)(p+n))+i,
+			  96/sizeof(unsigned long));
   }
 }