[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

[Andy Polyakov]

The branch OpenSSL_1_1_0-stable has been updated
       via  0e3200b59d2de69e2a577eb269c5e65d2a3dfa11 (commit)
      from  f5eab25a7c03c5fb1d3fab55c506907f8fbd427e (commit)


- Log -----------------------------------------------------------------
commit 0e3200b59d2de69e2a577eb269c5e65d2a3dfa11
Author: Andy Polyakov <appro at openssl.org>
Date:   Mon Jan 23 20:06:26 2017 +0100

    Replace div-spoiler hack with simpler code, GH#1027,2253.
    
    This is 1.1.0-specific 8f77fab82486c19ab48eee07718e190f76e6ea9a redux.
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 ssl/record/ssl3_record.c | 25 ++++++++++---------------
 1 file changed, 10 insertions(+), 15 deletions(-)

diff --git a/ssl/record/ssl3_record.c b/ssl/record/ssl3_record.c
index 32a97af..e5cbd61 100644
--- a/ssl/record/ssl3_record.c
+++ b/ssl/record/ssl3_record.c
@@ -1211,13 +1211,13 @@ void ssl3_cbc_copy_mac(unsigned char *out,
      */
     unsigned mac_end = rec->length;
     unsigned mac_start = mac_end - md_size;
+    unsigned in_mac;
     /*
      * scan_start contains the number of bytes that we can ignore because the
      * MAC's position can only vary by 255 bytes.
      */
     unsigned scan_start = 0;
     unsigned i, j;
-    unsigned div_spoiler;
     unsigned rotate_offset;
 
     OPENSSL_assert(rec->orig_len >= md_size);
@@ -1230,24 +1230,19 @@ void ssl3_cbc_copy_mac(unsigned char *out,
     /* This information is public so it's safe to branch based on it. */
     if (rec->orig_len > md_size + 255 + 1)
         scan_start = rec->orig_len - (md_size + 255 + 1);
-    /*
-     * div_spoiler contains a multiple of md_size that is used to cause the
-     * modulo operation to be constant time. Without this, the time varies
-     * based on the amount of padding when running on Intel chips at least.
-     * The aim of right-shifting md_size is so that the compiler doesn't
-     * figure out that it can remove div_spoiler as that would require it to
-     * prove that md_size is always even, which I hope is beyond it.
-     */
-    div_spoiler = md_size >> 1;
-    div_spoiler <<= (sizeof(div_spoiler) - 1) * 8;
-    rotate_offset = (div_spoiler + mac_start - scan_start) % md_size;
 
+    in_mac = 0;
+    rotate_offset = 0;
     memset(rotated_mac, 0, md_size);
     for (i = scan_start, j = 0; i < rec->orig_len; i++) {
-        unsigned char mac_started = constant_time_ge_8(i, mac_start);
-        unsigned char mac_ended = constant_time_ge_8(i, mac_end);
+        unsigned mac_started = constant_time_eq(i, mac_start);
+        unsigned mac_ended = constant_time_lt(i, mac_end);
         unsigned char b = rec->data[i];
-        rotated_mac[j++] |= b & mac_started & ~mac_ended;
+
+        in_mac |= mac_started;
+        in_mac &= mac_ended;
+        rotate_offset |= j & mac_started;
+        rotated_mac[j++] |= b & in_mac;
         j &= constant_time_lt(j, md_size);
     }