Fix constant time conditional multiplication.

Ternary operators still create branching scenarios, and the CPU may use branch prediction to speed up processing which creates a variable-time possibility.

diff --git a/src/lib/crypto/nano-nacl.ts b/src/lib/crypto/nano-nacl.ts
index 9d6d1b9ff6974306e9aa267c6d73ec5a9df0bbf1..f44367869ff22980110c693968d41f87ce3ff7ac 100644 (file)
--- a/src/lib/crypto/nano-nacl.ts
+++ b/src/lib/crypto/nano-nacl.ts
@@ -375,7 +375,15 @@ export class NanoNaCl {
 \r
                this.Square(chk, r[0])\r
                this.Multiply(chk, chk, den)\r
-               this.Multiply(this.neq25519(chk, num) ? r[0] : new Float64Array(16), r[0], this.I)\r
+\r
+               // if neq is true, multiply r[0] by I, else multiply by 1 for a no-op\r
+               const neq = this.neq25519(chk, num)\r
+               const I = new Float64Array(this.I)\r
+               for (let i = 0; i < 16; i++) {\r
+                       I[i] *= neq\r
+               }\r
+               I[0] += neq ^ 1\r
+               this.Multiply(r[0], r[0], I)\r
 \r
                this.Square(chk, r[0])\r
                this.Multiply(chk, chk, den)\r