Merge pull request #5301 from SparkiDev/aes_gcm_word_ct

AES-GCM: make word implementation of GMULT constant time
2022-06-29 20:26:33 -07:00 · 2022-06-29 20:26:33 -07:00 · e8e35c9a92
parent 9cc928cb29 8b93d4510d
commit e8e35c9a92
1 changed files with 1 additions and 19 deletions
--- a/wolfcrypt/src/aes.c
+++ b/wolfcrypt/src/aes.c
@ -6626,9 +6626,7 @@ static void GMULT(word64* X, word64* Y)
    word64 Z[2] = {0,0};
    word64 V[2];
    int i, j;
-#ifdef AES_GCM_GMULT_CT
    word64 v1;
-#endif
    V[0] = X[0];  V[1] = X[1];

    for (i = 0; i < 2; i++)
@ -6636,7 +6634,7 @@ static void GMULT(word64* X, word64* Y)
        word64 y = Y[i];
        for (j = 0; j < 64; j++)
        {
-#ifdef AES_GCM_GMULT_CT
+#ifndef AES_GCM_GMULT_NCT
            word64 mask = 0 - (y >> 63);
            Z[0] ^= V[0] & mask;
            Z[1] ^= V[1] & mask;
@ -6647,27 +6645,11 @@ static void GMULT(word64* X, word64* Y)
            }
 #endif

-#ifdef AES_GCM_GMULT_CT
            v1 = (0 - (V[1] & 1)) & 0xE100000000000000ULL;
            V[1] >>= 1;
            V[1] |= V[0] << 63;
            V[0] >>= 1;
            V[0] ^= v1;
-#else
-            if (V[1] & 0x0000000000000001) {
-                V[1] >>= 1;
-                V[1] |= ((V[0] & 0x0000000000000001) ?
-                    0x8000000000000000ULL : 0);
-                V[0] >>= 1;
-                V[0] ^= 0xE100000000000000ULL;
-            }
-            else {
-                V[1] >>= 1;
-                V[1] |= ((V[0] & 0x0000000000000001) ?
-                    0x8000000000000000ULL : 0);
-                V[0] >>= 1;
-            }
-#endif
            y <<= 1;
        }
    }