Replace GF(256) division with a constant time impl (#9932)

hashicorp · Sep 16, 2020 · 9510adc · 9510adc
1 parent 30a8e71
commit 9510adc
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 34 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -20,6 +20,7 @@ BUG FIXES:
 * secrets/gcp: Ensure that the IAM policy version is appropriately set after a roleset's bindings have changed. [[GH-93](https://github.com/hashicorp/vault-plugin-secrets-gcp/pull/93)]
 * agent/auth/kerberos: Fix `disable_fast_negotiation` not being set on the auth method when configured by user. [[GH-9892](https://github.com/hashicorp/vault/pull/9892)]
 * cli: Don't open or overwrite a raft snapshot file on an unsuccessful `vault operator raft snapshot` [[GH-9894](https://github.com/hashicorp/vault/pull/9894)]
+* core: Implement constant time version of shamir GF(2^8) math [[GH-9932](https://github.com/hashicorp/vault/pull/9932)]
 
 ## 1.5.4
 ### TBD

diff --git a/shamir/shamir.go b/shamir/shamir.go
@@ -88,57 +88,31 @@ func div(a, b uint8) uint8 {
 		panic("divide by zero")
 	}
 
-	var goodVal, zero uint8
 	log_a := logTable[a]
 	log_b := logTable[b]
-	diff := (int(log_a) - int(log_b)) % 255
-	if diff < 0 {
-		diff += 255
-	}
+	diff := ((int(log_a) - int(log_b))+255)%255
 
-	ret := expTable[diff]
+	ret := int(expTable[diff])
 
 	// Ensure we return zero if a is zero but aren't subject to timing attacks
-	goodVal = ret
-
-	if subtle.ConstantTimeByteEq(a, 0) == 1 {
-		ret = zero
-	} else {
-		ret = goodVal
-	}
-
-	return ret
+	ret = subtle.ConstantTimeSelect(subtle.ConstantTimeByteEq(a, 0), 0, ret)
+	return uint8(ret)
 }
 
 // mult multiplies two numbers in GF(2^8)
 func mult(a, b uint8) (out uint8) {
-	var goodVal, zero uint8
 	log_a := logTable[a]
 	log_b := logTable[b]
 	sum := (int(log_a) + int(log_b)) % 255
 
-	ret := expTable[sum]
+	ret := int(expTable[sum])
 
 	// Ensure we return zero if either a or b are zero but aren't subject to
 	// timing attacks
-	goodVal = ret
-
-	if subtle.ConstantTimeByteEq(a, 0) == 1 {
-		ret = zero
-	} else {
-		ret = goodVal
-	}
-
-	if subtle.ConstantTimeByteEq(b, 0) == 1 {
-		ret = zero
-	} else {
-		// This operation does not do anything logically useful. It
-		// only ensures a constant number of assignments to thwart
-		// timing attacks.
-		goodVal = zero
-	}
+	ret = subtle.ConstantTimeSelect(subtle.ConstantTimeByteEq(a, 0), 0, ret)
+	ret = subtle.ConstantTimeSelect(subtle.ConstantTimeByteEq(b, 0), 0, ret)
 
-	return ret
+	return uint8(ret)
 }
 
 // add combines two numbers in GF(2^8)