[PATCH 01/10] rijndael: harden mask generation against branch optimization

Sat Sep 27 09:54:10 CEST 2025

* cipher/rijndael.c (do_setkey): Generate 'rcon' mask with const-time
helper.
(_gcry_aes_xts_crypt): Generate tweak mask with const-time helper.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna at iki.fi>
---
 cipher/rijndael.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/cipher/rijndael.c b/cipher/rijndael.c
index 972685b4..910073d2 100644
--- a/cipher/rijndael.c
+++ b/cipher/rijndael.c
@@ -991,7 +991,7 @@ do_setkey (RIJNDAEL_context *ctx, const byte *key, const unsigned keylen,
             {
               j = 0;
               temp0 = sbox4(rol(temp0, 24)) ^ rcon;
-              rcon = ((rcon << 1) ^ (-(rcon >> 7) & 0x1b)) & 0xff;
+              rcon = ((rcon << 1) ^ (ct_ulong_gen_mask(rcon >> 7) & 0x1b)) & 0xff;
             }
           else if (KC == 8 && j == 4)
             {
@@ -1760,7 +1760,7 @@ _gcry_aes_xts_crypt (void *context, unsigned char *tweak,
       buf_put_le64 (outbuf + 8, tmp_hi);
 
       /* Generate next tweak. */
-      carry = -(tweak_next_hi >> 63) & 0x87;
+      carry = ct_ulong_gen_mask(tweak_next_hi >> 63) & 0x87;
       tweak_next_hi = (tweak_next_hi << 1) + (tweak_next_lo >> 63);
       tweak_next_lo = (tweak_next_lo << 1) ^ carry;
 
-- 
2.48.1


