Fix tls_cbc_digest_record is slow using SHA-384 and short messages

The formula used for this is now kVarianceBlocks = ((255 + 1 + md_size + md_block_size - 1) / md_block_size) + 1 Notice that md_block_size=64 for SHA256, which results on the magic constant kVarianceBlocks = 6. However, md_block_size=128 for SHA384 leading to kVarianceBlocks = 4. CLA:trivial Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/7342)
2025-02-17 14:32:04 +08:00 · 2018-10-19 08:26:58 +10:00 · 2018-10-19 08:26:58 +10:00 · cb8164b05e
commit cb8164b05e
parent dc5831da59
1 changed files with 3 additions and 2 deletions
--- a/ssl/s3_cbc.c
+++ b/ssl/s3_cbc.c
@ -256,12 +256,13 @@ int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx,
     * of hash termination (0x80 + 64-bit length) don't fit in the final
     * block, we say that the final two blocks can vary based on the padding.
     * TLSv1 has MACs up to 48 bytes long (SHA-384) and the padding is not
-     * required to be minimal. Therefore we say that the final six blocks can
+     * required to be minimal. Therefore we say that the final |variance_blocks|
+     * blocks can
     * vary based on the padding. Later in the function, if the message is
     * short and there obviously cannot be this many blocks then
     * variance_blocks can be reduced.
     */
-    variance_blocks = is_sslv3 ? 2 : 6;
+    variance_blocks = is_sslv3 ? 2 : ( ((255 + 1 + md_size + md_block_size - 1) / md_block_size) + 1);
    /*
     * From now on we're dealing with the MAC, which conceptually has 13
     * bytes of `header' before the start of the data (TLS) or 71/75 bytes