Loading ssl/record/ssl3_record.c +10 −15 Original line number Diff line number Diff line Loading @@ -1211,13 +1211,13 @@ void ssl3_cbc_copy_mac(unsigned char *out, */ unsigned mac_end = rec->length; unsigned mac_start = mac_end - md_size; unsigned in_mac; /* * scan_start contains the number of bytes that we can ignore because the * MAC's position can only vary by 255 bytes. */ unsigned scan_start = 0; unsigned i, j; unsigned div_spoiler; unsigned rotate_offset; OPENSSL_assert(rec->orig_len >= md_size); Loading @@ -1230,24 +1230,19 @@ void ssl3_cbc_copy_mac(unsigned char *out, /* This information is public so it's safe to branch based on it. */ if (rec->orig_len > md_size + 255 + 1) scan_start = rec->orig_len - (md_size + 255 + 1); /* * div_spoiler contains a multiple of md_size that is used to cause the * modulo operation to be constant time. Without this, the time varies * based on the amount of padding when running on Intel chips at least. * The aim of right-shifting md_size is so that the compiler doesn't * figure out that it can remove div_spoiler as that would require it to * prove that md_size is always even, which I hope is beyond it. */ div_spoiler = md_size >> 1; div_spoiler <<= (sizeof(div_spoiler) - 1) * 8; rotate_offset = (div_spoiler + mac_start - scan_start) % md_size; in_mac = 0; rotate_offset = 0; memset(rotated_mac, 0, md_size); for (i = scan_start, j = 0; i < rec->orig_len; i++) { unsigned char mac_started = constant_time_ge_8(i, mac_start); unsigned char mac_ended = constant_time_ge_8(i, mac_end); unsigned mac_started = constant_time_eq(i, mac_start); unsigned mac_ended = constant_time_lt(i, mac_end); unsigned char b = rec->data[i]; rotated_mac[j++] |= b & mac_started & ~mac_ended; in_mac |= mac_started; in_mac &= mac_ended; rotate_offset |= j & mac_started; rotated_mac[j++] |= b & in_mac; j &= constant_time_lt(j, md_size); } Loading Loading
ssl/record/ssl3_record.c +10 −15 Original line number Diff line number Diff line Loading @@ -1211,13 +1211,13 @@ void ssl3_cbc_copy_mac(unsigned char *out, */ unsigned mac_end = rec->length; unsigned mac_start = mac_end - md_size; unsigned in_mac; /* * scan_start contains the number of bytes that we can ignore because the * MAC's position can only vary by 255 bytes. */ unsigned scan_start = 0; unsigned i, j; unsigned div_spoiler; unsigned rotate_offset; OPENSSL_assert(rec->orig_len >= md_size); Loading @@ -1230,24 +1230,19 @@ void ssl3_cbc_copy_mac(unsigned char *out, /* This information is public so it's safe to branch based on it. */ if (rec->orig_len > md_size + 255 + 1) scan_start = rec->orig_len - (md_size + 255 + 1); /* * div_spoiler contains a multiple of md_size that is used to cause the * modulo operation to be constant time. Without this, the time varies * based on the amount of padding when running on Intel chips at least. * The aim of right-shifting md_size is so that the compiler doesn't * figure out that it can remove div_spoiler as that would require it to * prove that md_size is always even, which I hope is beyond it. */ div_spoiler = md_size >> 1; div_spoiler <<= (sizeof(div_spoiler) - 1) * 8; rotate_offset = (div_spoiler + mac_start - scan_start) % md_size; in_mac = 0; rotate_offset = 0; memset(rotated_mac, 0, md_size); for (i = scan_start, j = 0; i < rec->orig_len; i++) { unsigned char mac_started = constant_time_ge_8(i, mac_start); unsigned char mac_ended = constant_time_ge_8(i, mac_end); unsigned mac_started = constant_time_eq(i, mac_start); unsigned mac_ended = constant_time_lt(i, mac_end); unsigned char b = rec->data[i]; rotated_mac[j++] |= b & mac_started & ~mac_ended; in_mac |= mac_started; in_mac &= mac_ended; rotate_offset |= j & mac_started; rotated_mac[j++] |= b & in_mac; j &= constant_time_lt(j, md_size); } Loading
Rich Salz <rsalz@openssl.org>