#
# Version 4.3 implements switch between compact and non-compact block
# functions in AES_cbc_encrypt depending on how much data was asked
-# to process in one stroke.
+# to be processed in one stroke.
#
+######################################################################
# Timing attacks are classified in two classes: synchronous when
-# attacker consciously initiates cryptographic operation and collect
+# attacker consciously initiates cryptographic operation and collects
# timing data of various character afterwards, and asynchronous when
# malicious code is executed on same CPU simultaneously with AES,
# instruments itself and performs statistical analysis of this data.
# timing. But note that *if* plain-text was concealed in such way that
# input to block function is distributed *uniformly*, then attack
# wouldn't apply. Now note that some encryption modes, most notably
-# CBC, do masks the plain-text in this exact way [secure cipher output
+# CBC, do mask the plain-text in this exact way [secure cipher output
# is distributed uniformly]. Yes, one still might find input that
# would reveal the information about given key, but if amount of
-# candidate inputs to be tried is larger than amount possible key
+# candidate inputs to be tried is larger than amount of possible key
# combinations then attack becomes infeasible. This is why revised
# AES_cbc_encrypt "dares" to switch to larger S-box when larger chunk
# of data is to be processed in one stroke. The current size limit of
&pushf (); # kludge, never executed
&set_label("slow_enc_tail",16);
- &emms ();
+ &emms () if (!$x86only);
&mov ($key eq "edi"? $key:"",$s3); # load out to edi
&mov ($s1,16);
&sub ($s1,$s2);
&mov ($acc,$_inp); # load inp
&lea ($acc,&DWP(16,$acc)); # advance inp
&mov ($_inp,$acc); # save inp
- &mov ($_len,$s2); # save len
&jnz (&label("slow_dec_loop_x86"));
&mov ("esp",$_esp);
&popf ();
projects / oweals / openssl.git / blobdiff