wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-07-31 19:24:42 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #5301 from SparkiDev/aes_gcm_word_ct

Browse Source 
AES-GCM: make word implementation of GMULT constant time
This commit is contained in:
David Garske
2022-06-29 20:26:33 -07:00
committed by GitHub
parent 9cc928cb29 8b93d4510d
commit e8e35c9a92
1 changed files with 1 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
wolfcrypt/src/aes.c
View File

@@ -6626,9 +6626,7 @@ static void GMULT(word64* X, word64* Y)
word64 Z[2] = {0,0}; word64 Z[2] = {0,0};
word64 V[2]; word64 V[2];
int i, j; int i, j;
#ifdef AES_GCM_GMULT_CT
word64 v1; word64 v1;
#endif
V[0] = X[0]; V[1] = X[1]; V[0] = X[0]; V[1] = X[1];
for (i = 0; i < 2; i++) for (i = 0; i < 2; i++)
@@ -6636,7 +6634,7 @@ static void GMULT(word64* X, word64* Y)
word64 y = Y[i]; word64 y = Y[i];
for (j = 0; j < 64; j++) for (j = 0; j < 64; j++)
{ {
#ifdef AES_GCM_GMULT_CT #ifndef AES_GCM_GMULT_NCT
word64 mask = 0 - (y >> 63); word64 mask = 0 - (y >> 63);
Z[0] ^= V[0] & mask; Z[0] ^= V[0] & mask;
Z[1] ^= V[1] & mask; Z[1] ^= V[1] & mask;
@@ -6647,27 +6645,11 @@ static void GMULT(word64* X, word64* Y)
} }
#endif #endif
#ifdef AES_GCM_GMULT_CT
v1 = (0 - (V[1] & 1)) & 0xE100000000000000ULL; v1 = (0 - (V[1] & 1)) & 0xE100000000000000ULL;
V[1] >>= 1; V[1] >>= 1;
V[1] |= V[0] << 63; V[1] |= V[0] << 63;
V[0] >>= 1; V[0] >>= 1;
V[0] ^= v1; V[0] ^= v1;
#else
if (V[1] & 0x0000000000000001) {
V[1] >>= 1;
V[1] |= ((V[0] & 0x0000000000000001) ?
0x8000000000000000ULL : 0);
V[0] >>= 1;
V[0] ^= 0xE100000000000000ULL;
}
else {
V[1] >>= 1;
V[1] |= ((V[0] & 0x0000000000000001) ?
0x8000000000000000ULL : 0);
V[0] >>= 1;
}
#endif
y <<= 1; y <<= 1;
} }
} }