Make GHASH more robust against timing attacks.

In order to speed up as much as possible the GHASH,
the current implementation expands the 16 byte hash key
(H) into a table of 64 KBytes. However, that is sensitive
to cache-based timing attacks.

If we assume that access to data inside the same cache line
is constant-time (likely), fitting a table item into a cache
line may help against the attacks.

This patch reduce the pre-computed table from 64K to 4K
and aligns every item to a 32 byte boundary (since most modern
CPUs have cache line of that size or larger).

This patch will reduce the overall performance.

This patch also reverts commit 965871a ("GCM mode:
Optimize key setup for GCM mode") since I actually
got conflicting benchmark results.

Author: Legrandin

configure.ac

@@ -99,6 +99,7 @@ AC_TYPE_UINT16_T
 AC_TYPE_UINT32_T
 AC_TYPE_UINT64_T
 AC_TYPE_UINT8_T
+AC_TYPE_UINTPTR_T
 
 # Checks for library functions.
 AC_FUNC_MALLOC

lib/Crypto/Cipher/blockalgo.py

@@ -329,17 +329,14 @@ class _GHASH(_SmoothMAC):
     (x^128 + x^7 + x^2 + x + 1).
     """
 
-    def __init__(self, hash_subkey, block_size, table_size='64K'):
+    def __init__(self, hash_subkey, block_size):
         _SmoothMAC.__init__(self, block_size, None, 0)
-        if table_size == '64K':
-            self._hash_subkey = galois._ghash_expand(hash_subkey)
-        else:
-            self._hash_subkey = hash_subkey
+        self._hash_subkey = galois._ghash_expand(hash_subkey)
         self._last_y = bchr(0) * 16
         self._mac = galois._ghash
 
     def copy(self):
-        clone = _GHASH(self._hash_subkey, self._bs, table_size='0K')
+        clone = _GHASH(self._hash_subkey, self._bs)
         _SmoothMAC._deep_copy(self, clone)
         clone._last_y = self._last_y
         return clone
@@ -436,7 +433,7 @@ def _start_gcm(self, factory, key, *args, **kwargs):
                         bchr(0) * fill +
                         long_to_bytes(8 * len(self.nonce), 8))
 
-            mac = _GHASH(hash_subkey, factory.block_size, '0K')
+            mac = _GHASH(hash_subkey, factory.block_size)
             mac.update(ghash_in)
             self._j0 = bytes_to_long(mac.digest())
 
@@ -446,7 +443,7 @@ def _start_gcm(self, factory, key, *args, **kwargs):
         self._cipher = self._factory.new(key, MODE_CTR, counter=ctr)
 
         # Step 5 - Bootstrat GHASH
-        self._cipherMAC = _GHASH(hash_subkey, factory.block_size, '64K')
+        self._cipherMAC = _GHASH(hash_subkey, factory.block_size)
 
         # Step 6 - Prepare GCTR cipher for GMAC
         ctr = Counter.new(128, initial_value=self._j0, allow_wraparound=True)

src/config.h.in

@@ -69,6 +69,9 @@
 /* Define to 1 if you have the <sys/types.h> header file. */
 #undef HAVE_SYS_TYPES_H
 
+/* Define to 1 if the system has the type `uintptr_t'. */
+#undef HAVE_UINTPTR_T
+
 /* Define to 1 if you have the <unistd.h> header file. */
 #undef HAVE_UNISTD_H
 
@@ -160,3 +163,7 @@
 /* Define to the type of an unsigned integer type of width exactly 8 bits if
    such a type exists and the standard includes do not define it. */
 #undef uint8_t
+
+/* Define to the type of an unsigned integer type wide enough to hold a
+   pointer, if such a type exists, and if the system does not define it. */
+#undef uintptr_t