Add a value barrier to EVP_sha256_final_with_secret_suffix too In https://boringssl-review.googlesource.com/c/boringssl/+/85628, we added a value barrier to is_last_block because Clang had started undoing the constant-time for those few operations. This is part of the Lucky 13 mitigation the legacy TLS CBC_SHA ciphers. Turned out the legacy TLS CBC_SHA256 ciphers had the same problem. But because we didn't have EVP_AEAD-level tests for them, this went unnoticed. Thanks to Alex Gaynor for noticing that the two functions were inconsistently barriered and prompting me to check this. Change-Id: I57f80d0d918a529afdbf207abab51707288a3750 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/93188 Presubmit-BoringSSL-Verified: boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com <boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com> Commit-Queue: Adam Langley <agl@google.com> Auto-Submit: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
diff --git a/crypto/cipher/tls_cbc.cc b/crypto/cipher/tls_cbc.cc index 08eb73d..f0c5764 100644 --- a/crypto/cipher/tls_cbc.cc +++ b/crypto/cipher/tls_cbc.cc
@@ -305,8 +305,10 @@ input_idx += SHA256_CBLOCK - block_start; - // Fill in the length if this is the last block. - crypto_word_t is_last_block = constant_time_eq_w(i, last_block); + // Fill in the length if this is the last block. Use a value barrier to + // prevent Clang from compiling the conditional select as a jump. + crypto_word_t is_last_block = + value_barrier_w(constant_time_eq_w(i, last_block)); for (size_t j = 0; j < 4; j++) { block[SHA256_CBLOCK - 4 + j] |= is_last_block & length_bytes[j]; }