From 6d31193d0baa3da339c196ac49625b7ba1c2ecc7 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Fri, 8 Jul 2016 03:44:42 +0000 Subject: upstream commit Improve crypto ordering for Encrypt-then-MAC (EtM) mode MAC algorithms. Previously we were computing the MAC, decrypting the packet and then checking the MAC. This gave rise to the possibility of creating a side-channel oracle in the decryption step, though no such oracle has been identified. This adds a mac_check() function that computes and checks the MAC in one pass, and uses it to advance MAC checking for EtM algorithms to before payload decryption. Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. feedback and ok markus@ Upstream-ID: 1999bb67cab47dda5b10b80d8155fe83d4a1867b --- mac.c | 23 +++++++++++++++++++++-- 1 file changed, 21 insertions(+), 2 deletions(-) (limited to 'mac.c') diff --git a/mac.c b/mac.c index f63fbff0..6b12cd19 100644 --- a/mac.c +++ b/mac.c @@ -1,4 +1,4 @@ -/* $OpenBSD: mac.c,v 1.32 2015/01/15 18:32:54 naddy Exp $ */ +/* $OpenBSD: mac.c,v 1.33 2016/07/08 03:44:42 djm Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * @@ -167,7 +167,8 @@ mac_init(struct sshmac *mac) } int -mac_compute(struct sshmac *mac, u_int32_t seqno, const u_char *data, int datalen, +mac_compute(struct sshmac *mac, u_int32_t seqno, + const u_char *data, int datalen, u_char *digest, size_t dlen) { static union { @@ -211,6 +212,24 @@ mac_compute(struct sshmac *mac, u_int32_t seqno, const u_char *data, int datalen return 0; } +int +mac_check(struct sshmac *mac, u_int32_t seqno, + const u_char *data, size_t dlen, + const u_char *theirmac, size_t mlen) +{ + u_char ourmac[SSH_DIGEST_MAX_LENGTH]; + int r; + + if (mac->mac_len > mlen) + return SSH_ERR_INVALID_ARGUMENT; + if ((r = mac_compute(mac, seqno, data, dlen, + ourmac, sizeof(ourmac))) != 0) + return r; + if (timingsafe_bcmp(ourmac, theirmac, mac->mac_len) != 0) + return SSH_ERR_MAC_INVALID; + return 0; +} + void mac_clear(struct sshmac *mac) { -- cgit v1.2.3