From a4ddb6e212e3039e4e02c821100fd03178fb5681 Mon Sep 17 00:00:00 2001
From: David Benjamin
Date: Wed, 30 Nov 2016 10:16:04 -0500
Subject: [PATCH] Remove unnecessary constant-time operation.

j and md_size are public values, so this can just be done directly. (If they weren't, we'd have worse problems.) This makes the loop look the same as the rotation loop below.

Change-Id: Ic75550ad4e40b2015668cb12c26ca2d20bd285b6
Reviewed-on: https://boringssl-review.googlesource.com/12474
Commit-Queue: David Benjamin
Reviewed-by: Adam Langley
---
 crypto/cipher/tls_cbc.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/crypto/cipher/tls_cbc.c b/crypto/cipher/tls_cbc.c
index 9fd3507d..0c1540e7 100644
--- a/crypto/cipher/tls_cbc.c
+++ b/crypto/cipher/tls_cbc.c
@@ -226,11 +226,13 @@ void EVP_tls_cbc_copy_mac(uint8_t *out, unsigned md_size,
 }

 memset(rotated_mac, 0, md_size);
- for (unsigned i = scan_start, j = 0; i < orig_len; i++) {
+ for (unsigned i = scan_start, j = 0; i < orig_len; i++, j++) {
+ if (j >= md_size) {
+ j -= md_size;
+ }
 uint8_t mac_started = constant_time_ge_8(i, mac_start);
 uint8_t mac_ended = constant_time_ge_8(i, mac_end);
- rotated_mac[j++] |= in[i] & mac_started & ~mac_ended;
- j &= constant_time_lt(j, md_size);
+ rotated_mac[j] |= in[i] & mac_started & ~mac_ended;
 }

 /* Now rotate the MAC. We rotate in log(md_size) steps, one for each bit
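Review bot: The new wrap `if (j >= md_size) { j -= md_size; }` keeps `j` inside `rotated_mac` only when `md_size` is at least 1; the removed mask `j &= constant_time_lt(j, md_size)` reset `j` to 0 even for `md_size == 0`, whereas now `j` would keep growing for every remaining iteration of the loop. If nothing earlier in EVP_tls_cbc_copy_mac (its body starts and ends outside this hunk) already guarantees a non-zero digest size, add `assert(md_size > 0);` before the loop. It would also help to record the commit message's reasoning at the branch itself, e.g. `/* j and md_size are public, so this branch does not depend on secret data. */`, so a later edit does not copy the branch onto `mac_start` or `mac_end`, which the loop still compares with `constant_time_ge_8`.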