[openssl/openssl] 6ef91d: Fix leakage when the cacheline is 32-bytes in CBC_...
Tomas Mraz
noreply at reply.github.openssl.org
Mon May 9 14:41:49 UTC 2022
Branch: refs/heads/OpenSSL_1_1_1-stable
Home: https://github.openssl.org/openssl/openssl
Commit: 6ef91d8153e04a2302bff11b29caf7e888b62fe8
https://github.openssl.org/openssl/openssl/commit/6ef91d8153e04a2302bff11b29caf7e888b62fe8
Author: basavesh <basavesh.shivakumar at gmail.com>
Date: 2022-05-09 (Mon, 09 May 2022)
Changed paths:
M ssl/record/ssl3_record.c
Log Message:
-----------
Fix leakage when the cacheline is 32-bytes in CBC_MAC_ROTATE_IN_PLACE
rotated_mac is a 64-byte aligned buffer of size 64 and rotate_offset is secret.
Consider a weaker leakage model (CL) where only the cacheline base address is leaked,
i.e. address/32 for a 32-byte cacheline (CL32).
Previous code used to perform two loads
1. rotated_mac[rotate_offset ^ 32] and
2. rotated_mac[rotate_offset++]
which would leak 2q + 1, 2q for 0 <= rotate_offset < 32
and 2q, 2q + 1 for 32 <= rotate_offset < 64
The proposed fix performs load operations which will always leak 2q, 2q + 1 and
selects the appropriate value in constant-time.
Reviewed-by: Matt Caswell <matt at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18050)
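The two access patterns described in the commit message, as an added illustration that is not OpenSSL's code and not the patch itself. It models the CL32 leakage by logging which of the two 32-byte lines every byte load touches: the "previous" variant touches the other line and then loads the real byte, so the order of the two line accesses still depends on whether the secret rotate_offset is below 32; the "fixed" variant loads from both lines in a fixed order and picks the byte with a constant-time mask. The ct_* helper names, the load_byte instrumentation, run_variant and first_access_order_is_secret_independent are all assumptions of this example, and the buffer contents (byte i holds value i) are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model from the commit message: rotated_mac is a 64-byte aligned, 64-byte
 * buffer, so with 32-byte cachelines it spans exactly two lines: 2q (bytes
 * 0..31) and 2q+1 (bytes 32..63). rotate_offset is the secret. The ct_*
 * helpers are illustrative mask-based idioms, not OpenSSL's constant_time_* API. */
static _Alignas(64) uint8_t rotated_mac[64];

/* Instrumentation (constructed for this example): every byte load records
 * which 32-byte line it touched, 0 = line 2q, 1 = line 2q+1. This is exactly
 * the information the CL32 model treats as observable. */
static uint8_t g_trace[256];
static size_t g_trace_len;

static uint8_t load_byte(unsigned idx)
{
    if (g_trace_len < sizeof(g_trace))
        g_trace[g_trace_len++] = (uint8_t)(idx >> 5);
    return ((volatile uint8_t *)rotated_mac)[idx];   /* volatile: keep the load */
}

/* all-ones if a < b, else 0; valid for a, b < 2^31 */
static uint32_t ct_lt_mask(uint32_t a, uint32_t b) { return 0u - ((a - b) >> 31); }

/* 0xFF if v == 0, else 0x00, with no data-dependent branch */
static uint8_t ct_is_zero_mask8(uint32_t v) { return (uint8_t)(0u - (~(v | (0u - v)) >> 31)); }

/* mask == 0xFF selects a, mask == 0x00 selects b */
static uint8_t ct_select8(uint8_t mask, uint8_t a, uint8_t b)
{
    return (uint8_t)((mask & a) | ((uint8_t)~mask & b));
}

/* Previous behaviour: "touch" the other line, then load the wanted byte.
 * Both lines are accessed, but the order (2q+1 then 2q for rotate_offset < 32,
 * 2q then 2q+1 otherwise) still depends on the secret. */
static void extract_mac_leaky(size_t mac_size, unsigned rotate_offset, uint8_t *out)
{
    for (size_t i = 0; i < mac_size; i++) {
        (void)load_byte(rotate_offset ^ 32);
        out[i] = load_byte(rotate_offset++);
        rotate_offset &= ct_lt_mask(rotate_offset, (uint32_t)mac_size); /* wrap at mac_size */
    }
}

/* Fixed behaviour: always load line 2q then line 2q+1, then select in constant time. */
static void extract_mac_ct(size_t mac_size, unsigned rotate_offset, uint8_t *out)
{
    for (size_t i = 0; i < mac_size; i++) {
        uint8_t lo = load_byte(rotate_offset & 31);        /* line 2q   */
        uint8_t hi = load_byte(rotate_offset | 32);        /* line 2q+1 */
        uint8_t use_lo = ct_is_zero_mask8(rotate_offset & 32);
        out[i] = ct_select8(use_lo, lo, hi);
        rotate_offset++;
        rotate_offset &= ct_lt_mask(rotate_offset, (uint32_t)mac_size);
    }
}

/* Run one variant on the constructed buffer (byte i holds value i) with a fresh
 * trace; returns out[pos]. The line sequence is left in g_trace. */
unsigned run_variant(int constant_time, size_t mac_size, unsigned rotate_offset, size_t pos)
{
    uint8_t out[64] = {0};
    for (unsigned i = 0; i < 64; i++)
        rotated_mac[i] = (uint8_t)i;
    g_trace_len = 0;
    if (constant_time)
        extract_mac_ct(mac_size, rotate_offset, out);
    else
        extract_mac_leaky(mac_size, rotate_offset, out);
    return out[pos];
}

/* 1 if the first two line accesses are identical for a secret below 32 (5) and
 * one at or above 32 (40), i.e. the access order does not depend on the secret. */
int first_access_order_is_secret_independent(int constant_time, size_t mac_size)
{
    uint8_t a[2], b[2];
    (void)run_variant(constant_time, mac_size, 5, 0);
    memcpy(a, g_trace, 2);
    (void)run_variant(constant_time, mac_size, 40, 0);
    memcpy(b, g_trace, 2);
    return memcmp(a, b, 2) == 0;
}

int main(void)
{
    printf("leaky: order secret-independent = %d\n", first_access_order_is_secret_independent(0, 48));
    printf("fixed: order secret-independent = %d\n", first_access_order_is_secret_independent(1, 48));
    printf("fixed: out[8] for offset 40, mac_size 48 = %u\n", run_variant(1, 48, 40, 8));
    return 0;
}
```

Both variants return the same MAC bytes (the byte at index (rotate_offset + i) mod mac_size); only the order in which the two 32-byte lines are touched differs, which is what the CL32 model sees. Note that a 48-byte mac_size is used for the order check so that a secret offset of 40 is a valid starting position.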