[PATCH 02/10] cipher-xts: harden mask generation against branch optimization
Jussi Kivilinna
jussi.kivilinna at iki.fi
Sat Sep 27 09:54:11 CEST 2025
* cipher/cipher-xts.c (xts_gfmul_byA): Generate mask with const-time
helper.
--
Signed-off-by: Jussi Kivilinna <jussi.kivilinna at iki.fi>
---
cipher/cipher-xts.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cipher/cipher-xts.c b/cipher/cipher-xts.c
index 754f289c..6c684263 100644
--- a/cipher/cipher-xts.c
+++ b/cipher/cipher-xts.c
@@ -33,7 +33,7 @@ static inline void xts_gfmul_byA (unsigned char *out, const unsigned char *in)
{
u64 hi = buf_get_le64 (in + 8);
u64 lo = buf_get_le64 (in + 0);
- u64 carry = -(hi >> 63) & 0x87;
+ u64 carry = ct_ulong_gen_mask(hi >> 63) & 0x87;
hi = (hi << 1) + (lo >> 63);
lo = (lo << 1) ^ carry;
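Review bot: The `+` line calls `ct_ulong_gen_mask(hi >> 63)` with no space before the opening parenthesis, while the neighbouring context lines use the spaced form (`buf_get_le64 (in + 8)`); please match that. Two further points on the same line. The helper's name suggests it works on unsigned long while `carry` is declared `u64`. Because the result is immediately ANDed with 0x87, a mask narrower than 64 bits would still be enough, but a one-line comment saying so would spare the next reader from checking. The diffstat also shows a single insertion and deletion, so no include is added here; please confirm that cipher-xts.c already pulls in the header that declares the helper. The commit message would also benefit from naming the compiler behaviour that motivated replacing `-(hi >> 63)`.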
--
2.48.1