grpc 1.0.1 → 1.1.2

data/third_party/boringssl/crypto/cipher/e_ssl3.c

@@ -97,8 +97,6 @@ static int aead_ssl3_init(EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len,
   size_t mac_key_len = EVP_MD_size(md);
   size_t enc_key_len = EVP_CIPHER_key_length(cipher);
   assert(mac_key_len + enc_key_len + EVP_CIPHER_iv_length(cipher) == key_len);
-  /* Although EVP_rc4() is a variable-length cipher, the default key size is
-   * correct for SSL3. */
 
   AEAD_SSL3_CTX *ssl3_ctx = OPENSSL_malloc(sizeof(AEAD_SSL3_CTX));
   if (ssl3_ctx == NULL) {
@@ -263,10 +261,10 @@ static int aead_ssl3_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
   total += len;
   assert(total == in_len);
 
-  /* Remove CBC padding and MAC. This would normally be timing-sensitive, but SSLv3 CBC
-   * ciphers are already broken. Support will be removed eventually.
+  /* Remove CBC padding and MAC. This would normally be timing-sensitive, but
+   * SSLv3 CBC ciphers are already broken. Support will be removed eventually.
    * https://www.openssl.org/~bodo/ssl-poodle.pdf */
-  unsigned data_len;
+  size_t data_len;
   if (EVP_CIPHER_CTX_mode(&ssl3_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE) {
     unsigned padding_length = out[total - 1];
     if (total < padding_length + 1 + mac_len) {
@@ -297,16 +295,6 @@ static int aead_ssl3_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
   return 1;
 }
 
-static int aead_ssl3_get_rc4_state(const EVP_AEAD_CTX *ctx, const RC4_KEY **out_key) {
-  AEAD_SSL3_CTX *ssl3_ctx = (AEAD_SSL3_CTX *)ctx->aead_state;
-  if (EVP_CIPHER_CTX_cipher(&ssl3_ctx->cipher_ctx) != EVP_rc4()) {
-    return 0;
-  }
-
-  *out_key = (RC4_KEY*) ssl3_ctx->cipher_ctx.cipher_data;
-  return 1;
-}
-
 static int aead_ssl3_get_iv(const EVP_AEAD_CTX *ctx, const uint8_t **out_iv,
                             size_t *out_iv_len) {
   AEAD_SSL3_CTX *ssl3_ctx = (AEAD_SSL3_CTX *)ctx->aead_state;
@@ -320,18 +308,6 @@ static int aead_ssl3_get_iv(const EVP_AEAD_CTX *ctx, const uint8_t **out_iv,
   return 1;
 }
 
-static int aead_rc4_md5_ssl3_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
-                                  size_t key_len, size_t tag_len,
-                                  enum evp_aead_direction_t dir) {
-  return aead_ssl3_init(ctx, key, key_len, tag_len, dir, EVP_rc4(), EVP_md5());
-}
-
-static int aead_rc4_sha1_ssl3_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
-                                   size_t key_len, size_t tag_len,
-                                   enum evp_aead_direction_t dir) {
-  return aead_ssl3_init(ctx, key, key_len, tag_len, dir, EVP_rc4(), EVP_sha1());
-}
-
 static int aead_aes_128_cbc_sha1_ssl3_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
                                            size_t key_len, size_t tag_len,
                                            enum evp_aead_direction_t dir) {
@@ -360,34 +336,6 @@ static int aead_null_sha1_ssl3_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
                         EVP_sha1());
 }
 
-static const EVP_AEAD aead_rc4_md5_ssl3 = {
-    MD5_DIGEST_LENGTH + 16, /* key len (MD5 + RC4) */
-    0,                      /* nonce len */
-    MD5_DIGEST_LENGTH,      /* overhead */
-    MD5_DIGEST_LENGTH,      /* max tag length */
-    NULL, /* init */
-    aead_rc4_md5_ssl3_init,
-    aead_ssl3_cleanup,
-    aead_ssl3_seal,
-    aead_ssl3_open,
-    aead_ssl3_get_rc4_state,
-    NULL, /* get_iv */
-};
-
-static const EVP_AEAD aead_rc4_sha1_ssl3 = {
-    SHA_DIGEST_LENGTH + 16, /* key len (SHA1 + RC4) */
-    0,                      /* nonce len */
-    SHA_DIGEST_LENGTH,      /* overhead */
-    SHA_DIGEST_LENGTH,      /* max tag length */
-    NULL, /* init */
-    aead_rc4_sha1_ssl3_init,
-    aead_ssl3_cleanup,
-    aead_ssl3_seal,
-    aead_ssl3_open,
-    aead_ssl3_get_rc4_state,
-    NULL, /* get_iv */
-};
-
 static const EVP_AEAD aead_aes_128_cbc_sha1_ssl3 = {
     SHA_DIGEST_LENGTH + 16 + 16, /* key len (SHA1 + AES128 + IV) */
     0,                           /* nonce len */
@@ -398,7 +346,6 @@ static const EVP_AEAD aead_aes_128_cbc_sha1_ssl3 = {
     aead_ssl3_cleanup,
     aead_ssl3_seal,
     aead_ssl3_open,
-    NULL,                        /* get_rc4_state */
     aead_ssl3_get_iv,
 };
 
@@ -412,7 +359,6 @@ static const EVP_AEAD aead_aes_256_cbc_sha1_ssl3 = {
     aead_ssl3_cleanup,
     aead_ssl3_seal,
     aead_ssl3_open,
-    NULL,                        /* get_rc4_state */
     aead_ssl3_get_iv,
 };
 
@@ -426,7 +372,6 @@ static const EVP_AEAD aead_des_ede3_cbc_sha1_ssl3 = {
     aead_ssl3_cleanup,
     aead_ssl3_seal,
     aead_ssl3_open,
-    NULL,                        /* get_rc4_state */
     aead_ssl3_get_iv,
 };
 
@@ -440,14 +385,9 @@ static const EVP_AEAD aead_null_sha1_ssl3 = {
     aead_ssl3_cleanup,
     aead_ssl3_seal,
     aead_ssl3_open,
-    NULL,                       /* get_rc4_state */
     NULL,                       /* get_iv */
 };
 
-const EVP_AEAD *EVP_aead_rc4_md5_ssl3(void) { return &aead_rc4_md5_ssl3; }
-
-const EVP_AEAD *EVP_aead_rc4_sha1_ssl3(void) { return &aead_rc4_sha1_ssl3; }
-
 const EVP_AEAD *EVP_aead_aes_128_cbc_sha1_ssl3(void) {
   return &aead_aes_128_cbc_sha1_ssl3;
 }

data/third_party/boringssl/crypto/cipher/e_tls.c

@@ -25,7 +25,7 @@
 #include <openssl/sha.h>
 #include <openssl/type_check.h>
 
-#include "../crypto/internal.h"
+#include "../internal.h"
 #include "internal.h"
 
 
@@ -71,8 +71,6 @@ static int aead_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len,
   size_t enc_key_len = EVP_CIPHER_key_length(cipher);
   assert(mac_key_len + enc_key_len +
          (implicit_iv ? EVP_CIPHER_iv_length(cipher) : 0) == key_len);
-  /* Although EVP_rc4() is a variable-length cipher, the default key size is
-   * correct for TLS. */
 
   AEAD_TLS_CTX *tls_ctx = OPENSSL_malloc(sizeof(AEAD_TLS_CTX));
   if (tls_ctx == NULL) {
@@ -264,20 +262,18 @@ static int aead_tls_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
 
   /* Remove CBC padding. Code from here on is timing-sensitive with respect to
    * |padding_ok| and |data_plus_mac_len| for CBC ciphers. */
-  int padding_ok;
-  unsigned data_plus_mac_len, data_len;
+  unsigned padding_ok, data_plus_mac_len, data_len;
   if (EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE) {
-    padding_ok = EVP_tls_cbc_remove_padding(
-        &data_plus_mac_len, out, total,
-        EVP_CIPHER_CTX_block_size(&tls_ctx->cipher_ctx),
-        (unsigned)HMAC_size(&tls_ctx->hmac_ctx));
-    /* Publicly invalid. This can be rejected in non-constant time. */
-    if (padding_ok == 0) {
+    if (!EVP_tls_cbc_remove_padding(
+            &padding_ok, &data_plus_mac_len, out, total,
+            EVP_CIPHER_CTX_block_size(&tls_ctx->cipher_ctx),
+            (unsigned)HMAC_size(&tls_ctx->hmac_ctx))) {
+      /* Publicly invalid. This can be rejected in non-constant time. */
       OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
       return 0;
     }
   } else {
-    padding_ok = 1;
+    padding_ok = ~0u;
     data_plus_mac_len = total;
     /* |data_plus_mac_len| = |total| = |in_len| at this point. |in_len| has
      * already been checked against the MAC size at the top of the function. */
@@ -285,9 +281,9 @@ static int aead_tls_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
   }
   data_len = data_plus_mac_len - HMAC_size(&tls_ctx->hmac_ctx);
 
-  /* At this point, |padding_ok| is 1 or -1. If 1, the padding is valid and the
-   * first |data_plus_mac_size| bytes after |out| are the plaintext and
-   * MAC. Either way, |data_plus_mac_size| is large enough to extract a MAC. */
+  /* At this point, if the padding is valid, the first |data_plus_mac_len| bytes
+   * after |out| are the plaintext and MAC. Otherwise, |data_plus_mac_len| is
+   * still large enough to extract a MAC, but it will be irrelevant. */
 
   /* To allow for CBC mode which changes cipher length, |ad| doesn't include the
    * length for legacy ciphers. */
@@ -338,7 +334,7 @@ static int aead_tls_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
    * EVP_tls_cbc_remove_padding. */
   unsigned good = constant_time_eq_int(CRYPTO_memcmp(record_mac, mac, mac_len),
                                        0);
-  good &= constant_time_eq_int(padding_ok, 1);
+  good &= padding_ok;
   if (!good) {
     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
     return 0;
@@ -350,20 +346,6 @@ static int aead_tls_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
   return 1;
 }
 
-static int aead_rc4_md5_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
-                                 size_t key_len, size_t tag_len,
-                                 enum evp_aead_direction_t dir) {
-  return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_rc4(), EVP_md5(),
-                       0);
-}
-
-static int aead_rc4_sha1_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
-                                  size_t key_len, size_t tag_len,
-                                  enum evp_aead_direction_t dir) {
-  return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_rc4(), EVP_sha1(),
-                       0);
-}
-
 static int aead_aes_128_cbc_sha1_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
                                           size_t key_len, size_t tag_len,
                                           enum evp_aead_direction_t dir) {
@@ -431,17 +413,6 @@ static int aead_des_ede3_cbc_sha1_tls_implicit_iv_init(
                        EVP_sha1(), 1);
 }
 
-static int aead_rc4_tls_get_rc4_state(const EVP_AEAD_CTX *ctx,
-                                      const RC4_KEY **out_key) {
-  const AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX*) ctx->aead_state;
-  if (EVP_CIPHER_CTX_cipher(&tls_ctx->cipher_ctx) != EVP_rc4()) {
-    return 0;
-  }
-
-  *out_key = (const RC4_KEY*) tls_ctx->cipher_ctx.cipher_data;
-  return 1;
-}
-
 static int aead_tls_get_iv(const EVP_AEAD_CTX *ctx, const uint8_t **out_iv,
                            size_t *out_iv_len) {
   const AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX*) ctx->aead_state;
@@ -462,34 +433,6 @@ static int aead_null_sha1_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
                        EVP_sha1(), 1 /* implicit iv */);
 }
 
-static const EVP_AEAD aead_rc4_md5_tls = {
-    MD5_DIGEST_LENGTH + 16, /* key len (MD5 + RC4) */
-    0,                      /* nonce len */
-    MD5_DIGEST_LENGTH,      /* overhead */
-    MD5_DIGEST_LENGTH,      /* max tag length */
-    NULL,                   /* init */
-    aead_rc4_md5_tls_init,
-    aead_tls_cleanup,
-    aead_tls_seal,
-    aead_tls_open,
-    aead_rc4_tls_get_rc4_state, /* get_rc4_state */
-    NULL,                       /* get_iv */
-};
-
-static const EVP_AEAD aead_rc4_sha1_tls = {
-    SHA_DIGEST_LENGTH + 16, /* key len (SHA1 + RC4) */
-    0,                      /* nonce len */
-    SHA_DIGEST_LENGTH,      /* overhead */
-    SHA_DIGEST_LENGTH,      /* max tag length */
-    NULL,                   /* init */
-    aead_rc4_sha1_tls_init,
-    aead_tls_cleanup,
-    aead_tls_seal,
-    aead_tls_open,
-    aead_rc4_tls_get_rc4_state, /* get_rc4_state */
-    NULL,                       /* get_iv */
-};
-
 static const EVP_AEAD aead_aes_128_cbc_sha1_tls = {
     SHA_DIGEST_LENGTH + 16, /* key len (SHA1 + AES128) */
     16,                     /* nonce len (IV) */
@@ -500,7 +443,6 @@ static const EVP_AEAD aead_aes_128_cbc_sha1_tls = {
     aead_tls_cleanup,
     aead_tls_seal,
     aead_tls_open,
-    NULL,                   /* get_rc4_state */
     NULL,                   /* get_iv */
 };
 
@@ -514,7 +456,6 @@ static const EVP_AEAD aead_aes_128_cbc_sha1_tls_implicit_iv = {
     aead_tls_cleanup,
     aead_tls_seal,
     aead_tls_open,
-    NULL,                        /* get_rc4_state */
     aead_tls_get_iv,             /* get_iv */
 };
 
@@ -528,7 +469,6 @@ static const EVP_AEAD aead_aes_128_cbc_sha256_tls = {
     aead_tls_cleanup,
     aead_tls_seal,
     aead_tls_open,
-    NULL,                      /* get_rc4_state */
     NULL,                      /* get_iv */
 };
 
@@ -542,7 +482,6 @@ static const EVP_AEAD aead_aes_256_cbc_sha1_tls = {
     aead_tls_cleanup,
     aead_tls_seal,
     aead_tls_open,
-    NULL,                   /* get_rc4_state */
     NULL,                   /* get_iv */
 };
 
@@ -556,7 +495,6 @@ static const EVP_AEAD aead_aes_256_cbc_sha1_tls_implicit_iv = {
     aead_tls_cleanup,
     aead_tls_seal,
     aead_tls_open,
-    NULL,                        /* get_rc4_state */
     aead_tls_get_iv,             /* get_iv */
 };
 
@@ -570,7 +508,6 @@ static const EVP_AEAD aead_aes_256_cbc_sha256_tls = {
     aead_tls_cleanup,
     aead_tls_seal,
     aead_tls_open,
-    NULL,                      /* get_rc4_state */
     NULL,                      /* get_iv */
 };
 
@@ -584,7 +521,6 @@ static const EVP_AEAD aead_aes_256_cbc_sha384_tls = {
     aead_tls_cleanup,
     aead_tls_seal,
     aead_tls_open,
-    NULL,                      /* get_rc4_state */
     NULL,                      /* get_iv */
 };
 
@@ -598,7 +534,6 @@ static const EVP_AEAD aead_des_ede3_cbc_sha1_tls = {
     aead_tls_cleanup,
     aead_tls_seal,
     aead_tls_open,
-    NULL,                   /* get_rc4_state */
     NULL,                   /* get_iv */
 };
 
@@ -612,7 +547,6 @@ static const EVP_AEAD aead_des_ede3_cbc_sha1_tls_implicit_iv = {
     aead_tls_cleanup,
     aead_tls_seal,
     aead_tls_open,
-    NULL,                       /* get_rc4_state */
     aead_tls_get_iv,            /* get_iv */
 };
 
@@ -626,14 +560,9 @@ static const EVP_AEAD aead_null_sha1_tls = {
     aead_tls_cleanup,
     aead_tls_seal,
     aead_tls_open,
-    NULL,                       /* get_rc4_state */
     NULL,                       /* get_iv */
 };
 
-const EVP_AEAD *EVP_aead_rc4_md5_tls(void) { return &aead_rc4_md5_tls; }
-
-const EVP_AEAD *EVP_aead_rc4_sha1_tls(void) { return &aead_rc4_sha1_tls; }
-
 const EVP_AEAD *EVP_aead_aes_128_cbc_sha1_tls(void) {
   return &aead_aes_128_cbc_sha1_tls;
 }

data/third_party/boringssl/crypto/cipher/internal.h

@@ -95,8 +95,6 @@ struct evp_aead_st {
               const uint8_t *in, size_t in_len, const uint8_t *ad,
               size_t ad_len);
 
-  int (*get_rc4_state)(const EVP_AEAD_CTX *ctx, const RC4_KEY **out_key);
-
   int (*get_iv)(const EVP_AEAD_CTX *ctx, const uint8_t **out_iv,
                 size_t *out_len);
 };
@@ -104,15 +102,15 @@ struct evp_aead_st {
 
 /* EVP_tls_cbc_get_padding determines the padding from the decrypted, TLS, CBC
  * record in |in|. This decrypted record should not include any "decrypted"
- * explicit IV. It sets |*out_len| to the length with the padding removed or
- * |in_len| if invalid.
+ * explicit IV. If the record is publicly invalid, it returns zero. Otherwise,
+ * it returns one and sets |*out_padding_ok| to all ones (0xfff..f) if the
+ * padding is valid and zero otherwise. It then sets |*out_len| to the length
+ * with the padding removed or |in_len| if invalid.
  *
- * block_size: the block size of the cipher used to encrypt the record.
- * returns:
- *   0: (in non-constant time) if the record is publicly invalid.
- *   1: if the padding was valid
- *  -1: otherwise. */
-int EVP_tls_cbc_remove_padding(unsigned *out_len,
+ * If the function returns one, it runs in time independent of the contents of
+ * |in|. It is also guaranteed that |*out_len| >= |mac_size|, satisfying
+ * |EVP_tls_cbc_copy_mac|'s precondition. */
+int EVP_tls_cbc_remove_padding(unsigned *out_padding_ok, unsigned *out_len,
                                const uint8_t *in, unsigned in_len,
                                unsigned block_size, unsigned mac_size);
 

data/third_party/boringssl/crypto/cipher/tls_cbc.c

@@ -54,10 +54,11 @@
 #include <string.h>
 
 #include <openssl/digest.h>
-#include <openssl/obj.h>
+#include <openssl/nid.h>
 #include <openssl/sha.h>
 
 #include "../internal.h"
+#include "internal.h"
 
 
 /* TODO(davidben): unsigned should be size_t. The various constant_time
@@ -72,7 +73,7 @@
  * supported by TLS.) */
 #define MAX_HASH_BLOCK_SIZE 128
 
-int EVP_tls_cbc_remove_padding(unsigned *out_len,
+int EVP_tls_cbc_remove_padding(unsigned *out_padding_ok, unsigned *out_len,
                                const uint8_t *in, unsigned in_len,
                                unsigned block_size, unsigned mac_size) {
   unsigned padding_length, good, to_check, i;
@@ -118,26 +119,16 @@ int EVP_tls_cbc_remove_padding(unsigned *out_len,
    * bad padding would give POODLE's padding oracle. */
   padding_length = good & (padding_length + 1);
   *out_len = in_len - padding_length;
-
-  return constant_time_select_int(good, 1, -1);
+  *out_padding_ok = good;
+  return 1;
 }
 
-/* If CBC_MAC_ROTATE_IN_PLACE is defined then EVP_tls_cbc_copy_mac is performed
- * with variable accesses in a 64-byte-aligned buffer. Assuming that this fits
- * into a single or pair of cache-lines, then the variable memory accesses don't
- * actually affect the timing. CPUs with smaller cache-lines [if any] are not
- * multi-core and are not considered vulnerable to cache-timing attacks. */
-#define CBC_MAC_ROTATE_IN_PLACE
-
 void EVP_tls_cbc_copy_mac(uint8_t *out, unsigned md_size,
                           const uint8_t *in, unsigned in_len,
                           unsigned orig_len) {
-#if defined(CBC_MAC_ROTATE_IN_PLACE)
-  uint8_t rotated_mac_buf[64 + EVP_MAX_MD_SIZE];
-  uint8_t *rotated_mac;
-#else
-  uint8_t rotated_mac[EVP_MAX_MD_SIZE];
-#endif
+  uint8_t rotated_mac1[EVP_MAX_MD_SIZE], rotated_mac2[EVP_MAX_MD_SIZE];
+  uint8_t *rotated_mac = rotated_mac1;
+  uint8_t *rotated_mac_tmp = rotated_mac2;
 
   /* mac_end is the index of |in| just after the end of the MAC. */
   unsigned mac_end = in_len;
@@ -152,10 +143,6 @@ void EVP_tls_cbc_copy_mac(uint8_t *out, unsigned md_size,
   assert(in_len >= md_size);
   assert(md_size <= EVP_MAX_MD_SIZE);
 
-#if defined(CBC_MAC_ROTATE_IN_PLACE)
-  rotated_mac = rotated_mac_buf + ((0 - (size_t)rotated_mac_buf) & 63);
-#endif
-
   /* This information is public so it's safe to branch based on it. */
   if (orig_len > md_size + 255 + 1) {
     scan_start = orig_len - (md_size + 255 + 1);
@@ -176,6 +163,45 @@ void EVP_tls_cbc_copy_mac(uint8_t *out, unsigned md_size,
    * + md_size = 256 + 48 (since SHA-384 is the largest hash) = 304. */
   assert(rotate_offset <= 304);
 
+  /* Below is an SMT-LIB2 verification that the Barrett reductions below are
+   * correct within this range:
+   *
+   * (define-fun barrett (
+   *     (x (_ BitVec 32))
+   *     (mul (_ BitVec 32))
+   *     (shift (_ BitVec 32))
+   *     (divisor (_ BitVec 32)) ) (_ BitVec 32)
+   *   (let ((q (bvsub x (bvmul divisor (bvlshr (bvmul x mul) shift))) ))
+   *     (ite (bvuge q divisor)
+   *       (bvsub q divisor)
+   *       q)))
+   *
+   * (declare-fun x () (_ BitVec 32))
+   *
+   * (assert (or
+   *   (let (
+   *     (divisor (_ bv20 32))
+   *     (mul (_ bv25 32))
+   *     (shift (_ bv9 32))
+   *     (limit (_ bv853 32)))
+   *
+   *     (and (bvule x limit) (not (= (bvurem x divisor)
+   *                                  (barrett x mul shift divisor)))))
+   *
+   *   (let (
+   *     (divisor (_ bv48 32))
+   *     (mul (_ bv10 32))
+   *     (shift (_ bv9 32))
+   *     (limit (_ bv768 32)))
+   *
+   *     (and (bvule x limit) (not (= (bvurem x divisor)
+   *                                  (barrett x mul shift divisor)))))
+   * ))
+   *
+   * (check-sat)
+   * (get-model)
+   */
+
   if (md_size == 16) {
     rotate_offset &= 15;
   } else if (md_size == 20) {
@@ -210,27 +236,30 @@ void EVP_tls_cbc_copy_mac(uint8_t *out, unsigned md_size,
     j &= constant_time_lt(j, md_size);
   }
 
-/* Now rotate the MAC */
-#if defined(CBC_MAC_ROTATE_IN_PLACE)
-  j = 0;
-  for (i = 0; i < md_size; i++) {
-    /* in case cache-line is 32 bytes, touch second line */
-    ((volatile uint8_t *)rotated_mac)[rotate_offset ^ 32];
-    out[j++] = rotated_mac[rotate_offset++];
-    rotate_offset &= constant_time_lt(rotate_offset, md_size);
-  }
-#else
-  memset(out, 0, md_size);
-  rotate_offset = md_size - rotate_offset;
-  rotate_offset &= constant_time_lt(rotate_offset, md_size);
-  for (i = 0; i < md_size; i++) {
-    for (j = 0; j < md_size; j++) {
-      out[j] |= rotated_mac[i] & constant_time_eq_8(j, rotate_offset);
+  /* Now rotate the MAC. We rotate in log(md_size) steps, one for each bit
+   * position. */
+  for (unsigned offset = 1; offset < md_size;
+       offset <<= 1, rotate_offset >>= 1) {
+    /* Rotate by |offset| iff the corresponding bit is set in
+     * |rotate_offset|, placing the result in |rotated_mac_tmp|. */
+    const uint8_t skip_rotate = (rotate_offset & 1) - 1;
+    for (i = 0, j = offset; i < md_size; i++, j++) {
+      if (j >= md_size) {
+        j -= md_size;
+      }
+      rotated_mac_tmp[i] =
+          constant_time_select_8(skip_rotate, rotated_mac[i], rotated_mac[j]);
     }
-    rotate_offset++;
-    rotate_offset &= constant_time_lt(rotate_offset, md_size);
+
+    /* Swap pointers so |rotated_mac| contains the (possibly) rotated value.
+     * Note the number of iterations and thus the identity of these pointers is
+     * public information. */
+    uint8_t *tmp = rotated_mac;
+    rotated_mac = rotated_mac_tmp;
+    rotated_mac_tmp = tmp;
   }
-#endif
+
+  memcpy(out, rotated_mac, md_size);
 }
 
 /* u32toBE serialises an unsigned, 32-bit number (n) as four bytes at (p) in