[openssl/openssl] b643a4: Fix leakage when the cacheline is 32-bytes in CBC_...
Tomas Mraz
noreply at reply.github.openssl.org
Mon May 9 14:41:07 UTC 2022
Branch: refs/heads/openssl-3.0
Home: https://github.openssl.org/openssl/openssl
Commit: b643a4df6153f7c28ab77d5e6126b2b5be3e7e42
https://github.openssl.org/openssl/openssl/commit/b643a4df6153f7c28ab77d5e6126b2b5be3e7e42
Author: basavesh <basavesh.shivakumar at gmail.com>
Date: 2022-05-09 (Mon, 09 May 2022)
Changed paths:
M ssl/record/tls_pad.c
Log Message:
-----------
Fix leakage when the cacheline is 32-bytes in CBC_MAC_ROTATE_IN_PLACE
rotated_mac is a 64-byte aligned buffer of size 64 and rotate_offset is secret.
Consider a weaker leakage model (CL) where only the cacheline base address is leaked,
i.e. address/32 for a 32-byte cacheline (CL32).
Previous code used to perform two loads
1. rotated_mac[rotate_offset ^ 32] and
2. rotated_mac[rotate_offset++]
which would leak 2q + 1, 2q for 0 <= rotate_offset < 32
and 2q, 2q + 1 for 32 <= rotate_offset < 64
The proposed fix performs load operations which will always leak 2q, 2q + 1 and
selects the appropriate value in constant-time.
Reviewed-by: Matt Caswell <matt at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18033)
(cherry picked from commit 3b836385679504579ee1052ed4b4ef1d9f49fa13)
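To make the leakage argument above concrete, the following C model is an added illustration and not the code in ssl/record/tls_pad.c: under the CL32 model it records which 32-byte line each load touches for the old access pattern and for a pattern that loads both lines and selects the byte in constant time. The helpers ct_eq_8, ct_select_8, old_load, fixed_load and trace_leaks_offset are written here for the example and are assumed names, not OpenSSL's constant_time_* API.

```c
#include <stddef.h>
#define CL 32  /* 32-byte cacheline model (CL32) from the commit message */

/* 64-byte aligned, 64-byte buffer, as the commit message describes rotated_mac */
static unsigned char rotated_mac[64] __attribute__((aligned(64)));

/* constructed contents: a loaded value equals the index it came from */
static int fill_mac(void) {
    for (size_t i = 0; i < 64; i++) rotated_mac[i] = (unsigned char)i;
    return 64;
}

/* leakage model CL: an observer sees only index / 32, i.e. which line was touched */
static int cl_of(size_t idx) { return (int)(idx / CL); }
/* 0xFF when a == b, 0x00 otherwise, with no data-dependent branch */
static unsigned char ct_eq_8(size_t a, size_t b) {
    size_t x = a ^ b;
    size_t nz = (x | (0 - x)) >> (sizeof(size_t) * 8 - 1); /* 1 iff x != 0 */
    return (unsigned char)(nz - 1);
}
static unsigned char ct_select_8(unsigned char m, unsigned char a, unsigned char b) {
    return (unsigned char)((m & a) | (~m & b));
}
/* Old pattern: touch the other line, then load the secret index r.
 * Lines are touched in the order (1, 0) for r < 32 and (0, 1) for r >= 32. */
static unsigned char old_load(size_t r, int trace[2]) {
    trace[0] = cl_of(r ^ 32);
    (void)((volatile unsigned char *)rotated_mac)[r ^ 32];
    trace[1] = cl_of(r);
    return rotated_mac[r];
}

/* Fixed pattern: always load line 0 then line 1, pick the byte in constant time. */
static unsigned char fixed_load(size_t r, int trace[2]) {
    size_t lo = r & ~(size_t)32, hi = r | 32;
    unsigned char a, b;
    trace[0] = cl_of(lo); a = rotated_mac[lo];
    trace[1] = cl_of(hi); b = rotated_mac[hi];
    return ct_select_8(ct_eq_8(lo, r), a, b);
}

/* 1 if the observed line sequence differs between any two secret offsets */
static int trace_leaks_offset(unsigned char (*f)(size_t, int[2])) {
    int ref[2], t[2];
    f(0, ref);
    for (size_t r = 1; r < 64; r++) {
        f(r, t);
        if (t[0] != ref[0] || t[1] != ref[1]) return 1;
    }
    return 0;
}
```

Running trace_leaks_offset over both loaders reproduces the message's claim: the old pattern's line order flips at rotate_offset 32, while the fixed pattern always touches line 0 then line 1 and still returns the correct byte.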