summary refs log tree commit diff
diff options
context:
space:
mode:
authorPeter Dettman <peter.dettman@bouncycastle.org>2023-03-21 13:15:17 +0700
committerPeter Dettman <peter.dettman@bouncycastle.org>2023-03-21 13:15:17 +0700
commitc39acb84ac19a97e2e5e91e9ba377b4443cd6a4a (patch)
tree395745924807bee483fa5d4b10c2569ffde4ebac
parentRefactor MiscPemGenerator (diff)
downloadBouncyCastle.NET-ed25519-c39acb84ac19a97e2e5e91e9ba377b4443cd6a4a.tar.xz
BIKE: address side-channel vulnerability in ConvertToCompact()
-rw-r--r--crypto/src/pqc/crypto/bike/BikeEngine.cs12
1 files changed, 8 insertions, 4 deletions
diff --git a/crypto/src/pqc/crypto/bike/BikeEngine.cs b/crypto/src/pqc/crypto/bike/BikeEngine.cs
index e96a38d3a..22559fb03 100644
--- a/crypto/src/pqc/crypto/bike/BikeEngine.cs
+++ b/crypto/src/pqc/crypto/bike/BikeEngine.cs
@@ -608,10 +608,14 @@ namespace Org.BouncyCastle.Pqc.Crypto.Bike
                     if ((i * 8 + j) == this.r)
                         break;
 
-                    if (((h[i] >> j) & 1) == 1)
-                    {
-                        compactVersion[count++] = i * 8 + j;
-                    }
+                    int mask = (h[i] >> j) & 1;
+
+                    // if mask == 1 compactVersion = (i * 8 + j)
+                    // if mask == 0 compactVersion = compactVersion
+                    compactVersion[count] = (i * 8 + j) & -mask | compactVersion[count] & ~-mask;
+
+                    count += mask - hw;
+                    count += (count >> 31) & hw;
                 }
             }
         }