AES CTR-DRGB: do not leak timing information

Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11147)

diff --git a/crypto/rand/drbg_ctr.c b/crypto/rand/drbg_ctr.c
index 85b204d3be3cbd44966c3aaa7658c029057a73c9..52559fab09d47556cce7c25eb57e7054d3973e8f 100644 (file)
--- a/crypto/rand/drbg_ctr.c
+++ b/crypto/rand/drbg_ctr.c
@@ -21,19 +21,15 @@
  */
 static void inc_128(RAND_DRBG_CTR *ctr)
 {
-    int i;
-    unsigned char c;
-    unsigned char *p = &ctr->V[15];
-
-    for (i = 0; i < 16; i++, p--) {
-        c = *p;
-        c++;
-        *p = c;
-        if (c != 0) {
-            /* If we didn't wrap around, we're done. */
-            break;
-        }
-    }
+    unsigned char *p = &ctr->V[0];
+    u32 n = 16, c = 1;
+
+    do {
+        --n;
+        c += p[n];
+        p[n] = (u8)c;
+        c >>= 8;
+    } while (n);
 }
 
 static void ctr_XOR(RAND_DRBG_CTR *ctr, const unsigned char *in, size_t inlen)