From: djm
Date: Wed, 31 May 2017 00:34:33 +0000 (+0000)
Subject: make the AES-XTS mode a little more constant-time, though the AES
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=59fd9969866f463fd4f899d77a4c218d391a7636;p=openbsd

make the AES-XTS mode a little more constant-time, though the AES
implementation that it depends on currently isn't.

ok mikeb tom
---

diff --git a/sys/crypto/xform.c b/sys/crypto/xform.c
index 71e173b44fd..f94a44eab27 100644
--- a/sys/crypto/xform.c
+++ b/sys/crypto/xform.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: xform.c,v 1.57 2017/05/17 17:54:29 mikeb Exp $ */
+/* $OpenBSD: xform.c,v 1.58 2017/05/31 00:34:33 djm Exp $ */
 /*
  * The authors of this code are John Ioannidis (ji@tla.org),
  * Angelos D. Keromytis (kermit@csd.uch.gr),
@@ -521,11 +521,10 @@ aes_xts_crypt(struct aes_xts_ctx *ctx, u_int8_t *data, u_int do_encrypt)
 	carry_in = 0;
 	for (i = 0; i < AES_XTS_BLOCKSIZE; i++) {
 		carry_out = ctx->tweak[i] & 0x80;
-		ctx->tweak[i] = (ctx->tweak[i] << 1) | (carry_in ? 1 : 0);
-		carry_in = carry_out;
+		ctx->tweak[i] = (ctx->tweak[i] << 1) | carry_in;
+		carry_in = carry_out >> 7;
 	}
-	if (carry_in)
-		ctx->tweak[0] ^= AES_XTS_ALPHA;
+	ctx->tweak[0] ^= (AES_XTS_ALPHA & -carry_in);
 
 	explicit_bzero(block, sizeof(block));
 }
diff --git a/sys/lib/libsa/aes_xts.c b/sys/lib/libsa/aes_xts.c
index 5f89c56c0cb..31822f814e5 100644
--- a/sys/lib/libsa/aes_xts.c
+++ b/sys/lib/libsa/aes_xts.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: aes_xts.c,v 1.1 2012/10/09 12:36:50 jsing Exp $ */
+/* $OpenBSD: aes_xts.c,v 1.2 2017/05/31 00:34:33 djm Exp $ */
 /*
  * Copyright (C) 2008, Damien Miller
  *
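Review bot: The branch-free reduction `ctx->tweak[0] ^= (AES_XTS_ALPHA & -carry_in);` is only correct because carry_in is exactly 0 or 1 (guaranteed here by `carry_in = carry_out >> 7;`), and whether `-carry_in` is a modular wrap or a signed negate depends on carry_in's declaration, which lies outside the hunk; nothing at the site records that invariant. I would add `/* carry_in is 0 or 1, so -carry_in is an all-zero/all-one mask: apply the alpha reduction without branching on tweak bits */` above the XOR. With the fixed loop bound and fixed shift counts, the only secret-dependent control flow in this hunk is gone; as the commit message says, the non-constant-time part is presumably the AES block call earlier in the function, which this hunk does not show. aes_xts_crypt begins before the hunk; its closing brace is the hunk's last line.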
@@ -64,11 +64,10 @@ aes_xts_crypt(struct aes_xts_ctx *ctx, u_int8_t *data, u_int do_encrypt)
 	carry_in = 0;
 	for (i = 0; i < AES_XTS_BLOCKSIZE; i++) {
 		carry_out = ctx->tweak[i] & 0x80;
-		ctx->tweak[i] = (ctx->tweak[i] << 1) | (carry_in ? 1 : 0);
-		carry_in = carry_out;
+		ctx->tweak[i] = (ctx->tweak[i] << 1) | carry_in;
+		carry_in = carry_out >> 7;
 	}
-	if (carry_in)
-		ctx->tweak[0] ^= AES_XTS_ALPHA;
+	ctx->tweak[0] ^= (AES_XTS_ALPHA & -carry_in);
 
 	explicit_bzero(block, sizeof(block));
 }
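Review bot: In the loop, `carry_out` is masked with 0x80 on one line and shifted right by 7 two lines later, which splits the "top bit of this byte becomes the next carry" step across two statements and hides that the carry is always 0 or 1; computing it directly before the shift reads more plainly: `carry_out = ctx->tweak[i] >> 7;` / `ctx->tweak[i] = (ctx->tweak[i] << 1) | carry_in;` / `carry_in = carry_out;`. That assumes tweak is an array of u_int8_t, which the hunk does not show — if it is wider, keep the 0x80 mask. This hunk mirrors the sys/crypto/xform.c change exactly, so the two copies are kept in sync only by hand; a one-line comment such as `/* keep in sync with sys/crypto/xform.c aes_xts_crypt() */` would help whoever touches one next. aes_xts_crypt starts before this hunk; its closing brace is the hunk's last line.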