From 97cc3b1354a9b233344064ae338423cab0d94ce1 Mon Sep 17 00:00:00 2001
From: Jaeden Amero
Date: Tue, 29 May 2018 19:04:39 +0100
Subject: [PATCH] gf128mul: Remove the jump table

If we're unlucky with memory placement, gf128mul_table_bbe may spread over two cache lines and this would leak b >> 63 to a cache timing attack. Instead, take an approach that is less likely to make different memory loads depending on the value of b >> 63 and is also unlikely to be compiled to a condition.
---
 library/gf128mul.c | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

diff --git a/library/gf128mul.c b/library/gf128mul.c
index 251398f47..661d0d3cd 100644
--- a/library/gf128mul.c
+++ b/library/gf128mul.c
@@ -51,11 +51,6 @@
 }
 #endif
-
-/* Jump table for not having ifs */
-static const uint16_t gf128mul_table_bbe[2] = { 0x00, 0x87 };
-
-
 /*
  * This function multiply a field element by x, by x^4 and by x^8
  * in the polynomial field representation. It uses 64-bit word operations
@@ -69,7 +64,7 @@ void mbedtls_gf128mul_x_ble(mbedtls_be128 r, const mbedtls_be128 x)
 GET_UINT64_LE(a, x, 0);
 GET_UINT64_LE(b, x, 8);
- ra = (a << 1) ^ gf128mul_table_bbe[b >> 63];
+ ra = (a << 1) ^ 0x0087 >> ( 8 - ( ( b >> 63 ) << 3 ) );
 rb = (a >> 63) | (b << 1);
 PUT_UINT64_LE(ra, r, 0);
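Review bot: The table this hunk deletes is replaced in the second hunk (`@@ -69,7 +64,7 @@`) by `0x0087 >> ( 8 - ( ( b >> 63 ) << 3 ) )`, which still routes the secret top bit of `b` into a shift count, so on cores whose shifter latency depends on the count the data dependence moves from a load address to a shift amount rather than disappearing. A mask select avoids any variable-count shift: `ra = (a << 1) ^ (0x87 & (0 - (b >> 63)));` yields an all-ones or all-zero 64-bit mask, assuming `b` is the uint64_t that GET_UINT64_LE fills. The new expression also relies on `>>` binding tighter than `^`; it is correct as written but should be parenthesized and given a why-comment such as `/* branch- and table-free select of the 0x87 reduction constant on b >> 63 */`. mbedtls_gf128mul_x_ble begins before that hunk and its body continues past the last visible line.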