Cross-platform constant-time CBC validation

[colmmacc]

At present, s2n's CBC validation is not constant time. Instead s2n closes down connections on validation errors, which does make it impractical to mount alert-based timing attacks within the same TLS session. However, validating CBC records in constant time is still desirable. A nanosleep-to-deadline approach has been tested and found to work, but nanosleep is not available on older platforms. A constant-time-CPU-operation approach may be better, but will require testing on several architectures.

[colmmacc]

The current CBC validation in s2n does now run in close to a constant number of CPU operations. There are two remaining sources of non-constancy:

1. A branch is used to return 0 or 1 depending on the CBC validation. It is possible to use the double negation operator (!!) in a way that produces a constant number of operations, but it is not easy to set s2n_errno without a branch. This results in a 3 operation delta between the good and bad cases. This is a smaller delta than other existing implementations.
2. A 255 sized table is used to consult the padding to check against. In theory the table lookup may be subject to cache timing attacks, in practise, there are so few possible padding lengths used that they are all warm in the cache. Even with a cold cache, a unit test is included which tries to detect any discernable timing difference between the good and bad cases (none have been so far). The alternative here would be to use clever bitwise operations to perform the checks, however this makes the code less clear and does not follow the good practise of "generate a correct copy of what you would like to check, and compare to the copy". In summary: having a table of correctly formatted copies of CBC paddings makes the check substantially simpler and results in no detectable timing difference.