commit 97cc3b1354a9b233344064ae338423cab0d94ce1
author Jaeden Amero <jaeden.amero@arm.com> Tue May 29 19:04:39 2018 +0100
committer Jaeden Amero <jaeden.amero@arm.com> Wed Jun 13 12:03:29 2018 +0100
tree b3b0a24c3409dac3790ac49860ad9f103d2b9c05
parent 5f77801ac3f6212f66547df93c11d8add3261878

gf128mul: Remove the jump table

If we're unlucky with memory placement, gf128mul_table_bbe may spread over
two cache lines and this would leak b >> 63 to a cache timing attack.
Instead, take an approach that is less likely to make different memory
loads depending on the value of b >> 63 and is also unlikely to be compiled
to a condition.

library/gf128mul.c

diff --git a/library/gf128mul.c b/library/gf128mul.c
index 251398f..661d0d3 100644
--- a/library/gf128mul.c
+++ b/library/gf128mul.c
@@ -51,11 +51,6 @@
 }
 #endif
 
-
-/* Jump table for not having ifs */
-static const uint16_t gf128mul_table_bbe[2] = { 0x00, 0x87 };
-
-
 /*
  * This function multiply a field element by x, by x^4 and by x^8
  * in the polynomial field representation. It uses 64-bit word operations
@@ -69,7 +64,7 @@
     GET_UINT64_LE(a, x, 0);
     GET_UINT64_LE(b, x, 8);
 
-    ra = (a << 1)  ^ gf128mul_table_bbe[b >> 63];
+    ra = (a << 1)  ^ 0x0087 >> ( 8 - ( ( b >> 63 ) << 3 ) );
     rb = (a >> 63) | (b << 1);
 
     PUT_UINT64_LE(ra, r, 0);