Fix leakage when the cacheline is 32-bytes in CBC_MAC_ROTATE_IN_PLACE

rotated_mac is a 64-byte aligned buffer of size 64 and rotate_offset is secret. Consider a weaker leakage model(CL) where only cacheline base address is leaked, i.e address/32 for 32-byte cacheline(CL32). Previous code used to perform two loads 1. rotated_mac[rotate_offset ^ 32] and 2. rotated_mac[rotate_offset++] which would leak 2q + 1, 2q for 0 <= rotate_offset < 32 and 2q, 2q + 1 for 32 <= rotate_offset < 64 The proposed fix performs load operations which will always leak 2q, 2q + 1 and selects the appropriate value in constant-time. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #18033) (cherry picked from commit 3b83638)
openssl · May 9, 2022 · b643a4d · b643a4d
1 parent 222ab33
commit b643a4d
Showing 1 changed file with 11 additions and 3 deletions.
diff --git a/ssl/record/tls_pad.c b/ssl/record/tls_pad.c
@@ -207,6 +207,7 @@ static int ssl3_cbc_copy_mac(size_t *reclen,
 #if defined(CBC_MAC_ROTATE_IN_PLACE)
     unsigned char rotated_mac_buf[64 + EVP_MAX_MD_SIZE];
     unsigned char *rotated_mac;
+    char aux1, aux2, aux3, mask;
 #else
     unsigned char rotated_mac[EVP_MAX_MD_SIZE];
 #endif
@@ -288,12 +289,19 @@ static int ssl3_cbc_copy_mac(size_t *reclen,
 #if defined(CBC_MAC_ROTATE_IN_PLACE)
     j = 0;
     for (i = 0; i < mac_size; i++) {
-        /* in case cache-line is 32 bytes, touch second line */
-        ((volatile unsigned char *)rotated_mac)[rotate_offset ^ 32];
+        /*
+         * in case cache-line is 32 bytes,
+         * load from both lines and select appropriately
+         */
+        aux1 = rotated_mac[rotate_offset & ~32];
+        aux2 = rotated_mac[rotate_offset | 32];
+        mask = constant_time_eq_8(rotate_offset & ~32, rotate_offset);
+        aux3 = constant_time_select_8(mask, aux1, aux2);
+        rotate_offset++;
 
         /* If the padding wasn't good we emit a random MAC */
         out[j++] = constant_time_select_8((unsigned char)(good & 0xff),
-                                          rotated_mac[rotate_offset++],
+                                          aux3,
                                           randmac[i]);
         rotate_offset &= constant_time_lt_s(rotate_offset, mac_size);
     }