AES CTR-DRGB: do not leak timing information

Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11147)
2025-01-18 13:44:20 +08:00 · 2020-02-22 01:20:09 +01:00 · 2020-02-22 01:20:09 +01:00 · 069165d106
commit 069165d106
parent 96218269f4
1 changed files with 8 additions and 12 deletions
--- a/crypto/rand/drbg_ctr.c
+++ b/crypto/rand/drbg_ctr.c
@ -21,19 +21,15 @@
 */
 static void inc_128(RAND_DRBG_CTR *ctr)
 {
-    int i;
-    unsigned char c;
-    unsigned char *p = &ctr->V[15];
+    unsigned char *p = &ctr->V[0];
+    u32 n = 16, c = 1;

-    for (i = 0; i < 16; i++, p--) {
-        c = *p;
-        c++;
-        *p = c;
-        if (c != 0) {
-            /* If we didn't wrap around, we're done. */
-            break;
-        }
-    }
+    do {
+        --n;
+        c += p[n];
+        p[n] = (u8)c;
+        c >>= 8;
+    } while (n);
 }

 static void ctr_XOR(RAND_DRBG_CTR *ctr, const unsigned char *in, size_t inlen)