[openssl/openssl] b643a4: Fix leakage when the cacheline is 32-bytes in CBC_...

Tomas Mraz noreply at reply.github.openssl.org
Mon May 9 14:41:07 UTC 2022


  Branch: refs/heads/openssl-3.0
  Home:   https://github.openssl.org/openssl/openssl
  Commit: b643a4df6153f7c28ab77d5e6126b2b5be3e7e42
      https://github.openssl.org/openssl/openssl/commit/b643a4df6153f7c28ab77d5e6126b2b5be3e7e42
  Author: basavesh <basavesh.shivakumar at gmail.com>
  Date:   2022-05-09 (Mon, 09 May 2022)

  Changed paths:
    M ssl/record/tls_pad.c

  Log Message:
  -----------
  Fix leakage when the cacheline is 32-bytes in CBC_MAC_ROTATE_IN_PLACE

rotated_mac is a 64-byte aligned buffer of size 64 and rotate_offset is secret.
Consider a weaker leakage model (CL) where only the cacheline base address is leaked,
i.e. address/32 for a 32-byte cacheline (CL32).

Previous code used to perform two loads
    1. rotated_mac[rotate_offset ^ 32] and
    2. rotated_mac[rotate_offset++]
which would leak 2q + 1, 2q for 0 <= rotate_offset < 32
and 2q, 2q + 1 for 32 <= rotate_offset < 64

The proposed fix performs load operations which will always leak 2q, 2q + 1 and
selects the appropriate value in constant-time.

Reviewed-by: Matt Caswell <matt at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18033)

(cherry picked from commit 3b836385679504579ee1052ed4b4ef1d9f49fa13)
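As an added illustration of the access pattern the commit message describes (this is example code, not the OpenSSL patch from PR 18033), the loop below reads the MAC out of a 64-byte rotated_mac buffer at a secret rotate_offset while loading one byte from each 32-byte half in a fixed order, so a CL32 observer always sees lines 2q, 2q+1; a constant-time mask then picks the correct byte. The helper names (ct_select_u8, ct_upper_half_mask, ct_unrotate_mac, ct_unrotate_mac_selfcheck) are assumptions for this example.

```c
#include <stddef.h>
#include <stdint.h>

#define MAC_BUF 64 /* rotated_mac is a 64-byte buffer, 64-byte aligned */

/* Constant-time byte select: a when mask == 0xFF, b when mask == 0x00. */
static unsigned char ct_select_u8(unsigned char mask, unsigned char a, unsigned char b)
{
    return (unsigned char)((mask & a) | ((unsigned char)~mask & b));
}

/* 0xFF if idx lies in the upper 32-byte half (cache line 2q+1), else 0x00. */
static unsigned char ct_upper_half_mask(size_t idx)
{
    return (unsigned char)(0 - (unsigned char)((idx >> 5) & 1));
}

/* Copy mac_size bytes out of rotated_mac starting at the secret rotate_offset
 * (wrapping modulo 64). Every iteration loads one byte from each 32-byte half,
 * always lower half first, so the observed line sequence is 2q, 2q+1 regardless
 * of the offset; the secret only drives the mask, never the address. */
void ct_unrotate_mac(const unsigned char rotated_mac[MAC_BUF], size_t rotate_offset,
                     unsigned char *out, size_t mac_size)
{
    for (size_t i = 0; i < mac_size; i++) {
        size_t idx = (rotate_offset + i) & (MAC_BUF - 1);
        unsigned char lo = rotated_mac[idx & 31];        /* line 2q   */
        unsigned char hi = rotated_mac[(idx & 31) | 32]; /* line 2q+1 */
        out[i] = ct_select_u8(ct_upper_half_mask(idx), hi, lo);
    }
}

/* Self-check on constructed data (hypothetical helper): with rotated_mac[j] = j the
 * output must be rotate_offset, rotate_offset+1, ... modulo 64. Returns 1 on success. */
int ct_unrotate_mac_selfcheck(size_t rotate_offset, size_t mac_size)
{
    unsigned char rotated_mac[MAC_BUF], out[MAC_BUF];
    for (size_t j = 0; j < MAC_BUF; j++)
        rotated_mac[j] = (unsigned char)j;
    ct_unrotate_mac(rotated_mac, rotate_offset, out, mac_size);
    for (size_t i = 0; i < mac_size; i++)
        if (out[i] != (unsigned char)((rotate_offset + i) & (MAC_BUF - 1)))
            return 0;
    return 1;
}
```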