mp_cond_swap_ct: branchless masked XOR

JeremiahM37 · JeremiahM37 · commit 2020c3f203e4 · 2026-05-04T17:04:46.000Z
diff --git a/wolfcrypt/src/integer.c b/wolfcrypt/src/integer.c
@@ -549,21 +549,49 @@ int mp_exch (mp_int * a, mp_int * b)
   return MP_OKAY;
 }
 
+/* Constant-time conditional swap: must not branch on m (leaks scalar bit). */
 int mp_cond_swap_ct_ex (mp_int * a, mp_int * b, int c, int m, mp_int * t)
 {
-    (void)c;
-    (void)t;
-    if (m == 1)
-        mp_exch(a, b);
+    int i;
+    int err;
+    int imask = -m;
+    mp_digit mask = (mp_digit)0 - (mp_digit)m;
+
+    if ((err = mp_grow(a, c)) != MP_OKAY)
+        return err;
+    if ((err = mp_grow(b, c)) != MP_OKAY)
+        return err;
+    if ((err = mp_grow(t, c)) != MP_OKAY)
+        return err;
+
+    t->used = (a->used ^ b->used) & imask;
+    for (i = 0; i < c; i++) {
+        t->dp[i] = (a->dp[i] ^ b->dp[i]) & mask;
+    }
+    a->used ^= t->used;
+    for (i = 0; i < c; i++) {
+        a->dp[i] ^= t->dp[i];
+    }
+    b->used ^= t->used;
+    for (i = 0; i < c; i++) {
+        b->dp[i] ^= t->dp[i];
+    }
+
     return MP_OKAY;
 }
 
 int mp_cond_swap_ct (mp_int * a, mp_int * b, int c, int m)
 {
-    (void)c;
-    if (m == 1)
-        mp_exch(a, b);
-    return MP_OKAY;
+    mp_int t;
+    int err;
+
+    if ((err = mp_init(&t)) != MP_OKAY)
+        return err;
+
+    err = mp_cond_swap_ct_ex(a, b, c, m, &t);
+
+    mp_clear(&t);
+    return err;
 }
 
 
