From 47fede0d6db5a8c484fa61aaab3831b3cb4c364a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= <mpg@elzevir.fr>
Date: Wed, 29 Apr 2015 01:35:48 +0200
Subject: [PATCH] Add countermeasure against cache-based lucky 13

---
 ChangeLog         | 2 ++
 library/ssl_tls.c | 3 ++-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index ab1b78bad..3d8560487 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -6,6 +6,8 @@ Security
    * With authmode set to SSL_VERIFY_OPTIONAL, verification of keyUsage and
      extendedKeyUsage on the leaf certificate was lost (results not accessible
      via ssl_get_verify_results()).
+   * Add countermeasure against "Lucky 13 strikes back" cache-based attack,
+     https://dl.acm.org/citation.cfm?id=2714625
 
 Features
    * Add x509_crt_verify_info() to display certificate verification results.
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 72cd6d21a..f079adc45 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -1825,7 +1825,8 @@ static int ssl_decrypt_buf( ssl_context *ssl )
                              ssl->in_msglen );
             md_hmac_finish( &ssl->transform_in->md_ctx_dec,
                              ssl->in_msg + ssl->in_msglen );
-            for( j = 0; j < extra_run; j++ )
+            /* Call md_process at least once due to cache attacks */
+            for( j = 0; j < extra_run + 1; j++ )
                 md_process( &ssl->transform_in->md_ctx_dec, ssl->in_msg );
 
             md_hmac_reset( &ssl->transform_in->md_ctx_dec );