mp_cond_swap_ct: branchless masked XOR

Author: JeremiahM37

wolfcrypt/src/integer.c

@@ -549,21 +549,58 @@ int mp_exch (mp_int * a, mp_int * b)
   return MP_OKAY;
 }
 
+/* Constant-time conditional swap: must not branch on m (leaks scalar bit).
+ * m is normalized to 0 or 1 so a non-zero non-one value still acts as a
+ * swap rather than producing a partial-XOR mask. */
 int mp_cond_swap_ct_ex (mp_int * a, mp_int * b, int c, int m, mp_int * t)
 {
-    (void)c;
-    (void)t;
-    if (m == 1)
-        mp_exch(a, b);
+    int i;
+    int err;
+    int imask;
+    mp_digit mask;
+
+    m &= 1;
+    imask = -m;
+    mask = (mp_digit)0 - (mp_digit)m;
+
+    if ((err = mp_grow(a, c)) != MP_OKAY)
+        return err;
+    if ((err = mp_grow(b, c)) != MP_OKAY)
+        return err;
+    if ((err = mp_grow(t, c)) != MP_OKAY)
+        return err;
+
+    t->used = (a->used ^ b->used) & imask;
+    t->sign = (a->sign ^ b->sign) & imask;
+    for (i = 0; i < c; i++) {
+        t->dp[i] = (a->dp[i] ^ b->dp[i]) & mask;
+    }
+    a->used ^= t->used;
+    a->sign ^= t->sign;
+    for (i = 0; i < c; i++) {
+        a->dp[i] ^= t->dp[i];
+    }
+    b->used ^= t->used;
+    b->sign ^= t->sign;
+    for (i = 0; i < c; i++) {
+        b->dp[i] ^= t->dp[i];
+    }
+
     return MP_OKAY;
 }
 
 int mp_cond_swap_ct (mp_int * a, mp_int * b, int c, int m)
 {
-    (void)c;
-    if (m == 1)
-        mp_exch(a, b);
-    return MP_OKAY;
+    mp_int t;
+    int err;
+
+    if ((err = mp_init(&t)) != MP_OKAY)
+        return err;
+
+    err = mp_cond_swap_ct_ex(a, b, c, m, &t);
+
+    mp_clear(&t);
+    return err;
 }