Closed
Description
For both Rijndael::Enc::ProcessAndXorBlock and Rijndael::Dec::ProcessAndXorBlock there is some code to avoid timing attacks:
```cpp
word32 u = 0;
#ifdef CRYPTOPP_ALLOW_UNALIGNED_DATA_ACCESS
for (i=0; i<2048; i+=cacheLineSize)
#else
for (i=0; i<1024; i+=cacheLineSize)
#endif
u &= *(const word32 *)(((const byte *)Te)+i);
u &= Te[255];
s0 |= u; s1 |= u; s2 |= u; s3 |= u;
```

As far as I understand it, the goal is to do at least one read per cache line in order to preload Te into the cache. However, when looking at the x86 binary (obtained from the Debian package), I noticed that even though the loop structure remains, the memory reads have been optimized away:
```asm
.text:00280499 mov edx, ds:(_ZN8CryptoPP15g_cacheLineSizeE_ptr - 3A4000h)[ebx]
.text:0028049F mov ecx, [edx]
.text:002804A1 xor edx, edx
.text:002804A3 nop
.text:002804A4 lea esi, [esi+0]
.text:002804A8
.text:002804A8 loc_2804A8: ; CODE XREF: CryptoPP::Rijndael::Enc::ProcessAndXorBlock(uchar const*,uchar const*,uchar *)+D0↑j
.text:002804A8 add edx, ecx
.text:002804AA cmp edx, 7FFh
.text:002804B0 jbe short loc_2804A8
```

This countermeasure seems to be removed by the compiler. Hence, the binary may be vulnerable to timing attacks.
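An added illustration (not Crypto++'s own code) of why the quoted loop is dead code to the optimizer, and of one way to keep the per-cache-line reads alive: it assumes a constructed 1024-byte `Te` table and a fixed 64-byte cache line instead of the library's run-time `g_cacheLineSize`.

```cpp
#include <cstdint>
#include <cstddef>

typedef uint32_t word32;
typedef unsigned char byte;

// Constructed stand-in for the library's Te table: 256 x word32 = 1024 bytes.
static word32 Te[256];
static const size_t cacheLineSize = 64;  // assumed fixed here (library reads it at run time)

void InitTe() {
    for (word32 i = 0; i < 256; ++i)
        Te[i] = (i * 0x01010101u) ^ 0x9E3779B9u;   // arbitrary constructed contents
}

// The countermeasure as quoted in the report. u starts at 0 and is only ANDed,
// so u is provably 0 and no observable result depends on the loads; an
// optimizer may legally delete them and keep only the empty counting loop.
static inline word32 PreloadTe_Dead() {
    word32 u = 0;
    for (size_t i = 0; i < sizeof(Te); i += cacheLineSize)
        u &= *(const word32 *)(((const byte *)Te) + i);
    u &= Te[255];
    return u;   // always 0
}

// Hardened variant: loads through a volatile pointer must be performed, so one
// read per cache line of Te really happens before the data-dependent lookups.
static inline word32 PreloadTe_Volatile() {
    word32 u = 0;
    for (size_t i = 0; i < sizeof(Te); i += cacheLineSize)
        u &= *(volatile const word32 *)(((const byte *)Te) + i);
    u &= *(volatile const word32 *)&Te[255];
    return u;   // still 0, but the loads survive optimization
}

// One T-table step shaped like the cipher's round function: four secret-indexed
// lookups, preceded by the preload so every line of Te is cached first.
word32 TableStep(word32 s0, word32 s1, word32 s2, word32 s3) {
    word32 u = PreloadTe_Volatile();
    s0 |= u; s1 |= u; s2 |= u; s3 |= u;   // no-op on the values, as in the original
    return Te[s0 >> 24] ^ Te[(s1 >> 16) & 0xff] ^ Te[(s2 >> 8) & 0xff] ^ Te[s3 & 0xff];
}
```

Compiling both preload functions at -O2 and comparing the disassembly shows the difference: only the volatile version keeps a load inside the loop. Whether a preload of this kind is a sufficient defence on a given CPU is a separate question; the point here is only that the reads must actually be emitted.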