[openssl-users] CBC ciphers + TLS 1.0 protocol does not work in OpenSSL 1.0.2d

Jakob Bohm jb-openssl at wisemo.com
Thu Dec 10 17:45:01 UTC 2015


On 10/12/2015 18:33, Viktor Dukhovni wrote:
> On Thu, Dec 10, 2015 at 04:55:29AM -0700, Jayalakshmi bhat wrote:
>
>> static inline unsigned int constant_time_msb(unsigned int a) {
>> -  return 0 - (a >> (sizeof(a) * 8 - 1));
>> + return (((unsigned)((int)(a) >> (sizeof(int) * 8 - 1))));
>> }
> The replacement is not right.  This function is supposed to return
> 0xfffffff for inputs with the high bit set, and 0x0000000 for inputs
> with the high bit not set.  Could you try:
>
>      static inline unsigned int constant_time_msb(unsigned int a) {
>        return 0 - (a >> ((int)(sizeof(a) * 8 - 1)));
>      }
>
> Just in case the compiler is promoting "a" to the (larger?) size
> of sizeof(a), which would cause an unsigned "a" to get a zero MSB,
> while a signed "a" would be promoted "correctly".
Look again, he is casting a to signed, then doing an
arithmetic right shift to extend the msb (sign bit)
to the rest of the word.  This works on 3 conditions:

1. The platform is actually using twos complement.
2. The signed right shift function invoked by the C
   compiler is a sign-preserving ("arithmetic") shift.
3. The compiler wasn't written by a fanatic who put
   the "right shift of negative signed values is
   undefined" rule above common sense.


Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20151210/6f9aa448/attachment.html>


More information about the openssl-users mailing list