authorBen Laurie <ben@links.org>2013-01-28 17:31:49 +0000
committerDr. Stephen Henson <steve@openssl.org>2013-02-06 13:56:12 +0000
commitfb0a59cc58e69203b1269d5f1c355f4944a8b350 (patch)
tree63b6f5511fbe638585c834b9bf8416254bac2056 /crypto/evp
parentf5cd3561ba9363e6bcc58fcb6b1e94930f81967d (diff)
Make CBC decoding constant time.
This patch makes the decoding of SSLv3 and TLS CBC records constant time. Without this, a timing side-channel can be used to build a padding oracle and mount Vaudenay's attack. This patch also disables the stitched AESNI+SHA mode pending a similar fix to that code. In order to be easy to backport, this change is implemented in ssl/, rather than as a generic AEAD mode. In the future this should be changed around so that HMAC isn't in ssl/, but crypto/ as FIPS expects. (cherry picked from commit e130841bccfc0bb9da254dc84e23bc6a1c78a64e)
Diffstat (limited to 'crypto/evp')
-rw-r--r--crypto/evp/c_allc.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/crypto/evp/c_allc.c b/crypto/evp/c_allc.c
index 2a45d435e5..e230e6081e 100644
--- a/crypto/evp/c_allc.c
+++ b/crypto/evp/c_allc.c
@@ -195,11 +195,13 @@ void OpenSSL_add_all_ciphers(void)
EVP_add_cipher(EVP_aes_256_xts());
EVP_add_cipher_alias(SN_aes_256_cbc,"AES256");
EVP_add_cipher_alias(SN_aes_256_cbc,"aes256");
+#if 0 /* Disabled because of timing side-channel leaks. */
#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
EVP_add_cipher(EVP_aes_128_cbc_hmac_sha1());
EVP_add_cipher(EVP_aes_256_cbc_hmac_sha1());
#endif
#endif
+#endif
#ifndef OPENSSL_NO_CAMELLIA
EVP_add_cipher(EVP_camellia_128_ecb());