QuasarApp/openssl
4
0
Fork 0
mirror of https://github.com/QuasarApp/openssl.git synced 2025-05-18 12:29:42 +00:00
Code Issues Projects Releases Wiki Activity

Replace div-spoiler hack with simpler code, GH#1027,2253.

Browse Source 
This is 1.1.0-specific 8f77fab82486c19ab48eee07718e190f76e6ea9a redux.

Reviewed-by: Rich Salz <rsalz@openssl.org>
This commit is contained in:
Andy Polyakov 2017-01-23 20:06:26 +01:00
parent f5eab25a7c
commit 0e3200b59d
1 changed files with 10 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
ssl/record/ssl3_record.c
View File

@ -1211,13 +1211,13 @@ void ssl3_cbc_copy_mac(unsigned char *out,
*/ */
unsigned mac_end = rec->length; unsigned mac_end = rec->length;
unsigned mac_start = mac_end - md_size; unsigned mac_start = mac_end - md_size;
unsigned in_mac;
/* /*
* scan_start contains the number of bytes that we can ignore because the * scan_start contains the number of bytes that we can ignore because the
* MAC's position can only vary by 255 bytes. * MAC's position can only vary by 255 bytes.
*/ */
unsigned scan_start = 0; unsigned scan_start = 0;
unsigned i, j; unsigned i, j;
unsigned div_spoiler;
unsigned rotate_offset; unsigned rotate_offset;
OPENSSL_assert(rec->orig_len >= md_size); OPENSSL_assert(rec->orig_len >= md_size);
@ -1230,24 +1230,19 @@ void ssl3_cbc_copy_mac(unsigned char *out,
/* This information is public so it's safe to branch based on it. */ /* This information is public so it's safe to branch based on it. */
if (rec->orig_len > md_size + 255 + 1) if (rec->orig_len > md_size + 255 + 1)
scan_start = rec->orig_len - (md_size + 255 + 1); scan_start = rec->orig_len - (md_size + 255 + 1);
/*
* div_spoiler contains a multiple of md_size that is used to cause the
* modulo operation to be constant time. Without this, the time varies
* based on the amount of padding when running on Intel chips at least.
* The aim of right-shifting md_size is so that the compiler doesn't
* figure out that it can remove div_spoiler as that would require it to
* prove that md_size is always even, which I hope is beyond it.
*/
div_spoiler = md_size >> 1;
div_spoiler <<= (sizeof(div_spoiler) - 1) * 8;
rotate_offset = (div_spoiler + mac_start - scan_start) % md_size;
in_mac = 0;
rotate_offset = 0;
memset(rotated_mac, 0, md_size); memset(rotated_mac, 0, md_size);
for (i = scan_start, j = 0; i < rec->orig_len; i++) { for (i = scan_start, j = 0; i < rec->orig_len; i++) {
unsigned char mac_started = constant_time_ge_8(i, mac_start); unsigned mac_started = constant_time_eq(i, mac_start);
unsigned char mac_ended = constant_time_ge_8(i, mac_end); unsigned mac_ended = constant_time_lt(i, mac_end);
unsigned char b = rec->data[i]; unsigned char b = rec->data[i];
rotated_mac[j++] |= b & mac_started & ~mac_ended;
in_mac |= mac_started;
in_mac &= mac_ended;
rotate_offset |= j & mac_started;
rotated_mac[j++] |= b & in_mac;
j &= constant_time_lt(j, md_size); j &= constant_time_lt(j, md_size);
} }