authorBen Laurie <ben@links.org>2013-01-28 17:31:49 +0000
committerBen Laurie <ben@links.org>2013-01-28 17:31:49 +0000
commite130841bccfc0bb9da254dc84e23bc6a1c78a64e (patch)
tree025095b97a98c1bfac9ad6eb32a3b4a23a5a1d81 /ssl/d1_enc.c
parent2ee798880a246d648ecddadc5b91367bee4a5d98 (diff)
Make CBC decoding constant time.
This patch makes the decoding of SSLv3 and TLS CBC records constant time. Without this, a timing side-channel can be used to build a padding oracle and mount Vaudenay's attack. This patch also disables the stitched AESNI+SHA mode pending a similar fix to that code. In order to be easy to backport, this change is implemented in ssl/, rather than as a generic AEAD mode. In the future this should be changed around so that HMAC isn't in ssl/, but crypto/ as FIPS expects.
Diffstat (limited to 'ssl/d1_enc.c')
-rw-r--r--ssl/d1_enc.c49
1 files changed, 7 insertions, 42 deletions
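--- a/ssl/d1_enc.c
+++ b/ssl/d1_enc.c
@@ -131,15 +131,15 @@ int dtls1_enc(SSL *s, int send)
 SSL3_RECORD *rec;
 EVP_CIPHER_CTX *ds;
 unsigned long l;
- int bs,i,ii,j,k,n=0;
+ int bs,i,j,k,mac_size=0;
 const EVP_CIPHER *enc;
 if (send)
 {
 if (EVP_MD_CTX_md(s->write_hash))
 {
- n=EVP_MD_CTX_size(s->write_hash);
- if (n < 0)
+ mac_size=EVP_MD_CTX_size(s->write_hash);
+ if (mac_size < 0)
 return -1;
 }
 ds=s->enc_write_ctx;
@@ -164,8 +164,8 @@ int dtls1_enc(SSL *s, int send)
 {
 if (EVP_MD_CTX_md(s->read_hash))
 {
- n=EVP_MD_CTX_size(s->read_hash);
- if (n < 0)
+ mac_size=EVP_MD_CTX_size(s->read_hash);
+ if (mac_size < 0)
 return -1;
 }
 ds=s->enc_read_ctx;
@@ -245,44 +245,9 @@ int dtls1_enc(SSL *s, int send)
 }
 #endif /* KSSL_DEBUG */
+ rec->orig_len = rec->length;
 if ((bs != 1) && !send)
- {
- ii=i=rec->data[l-1]; /* padding_length */
- i++;
- if (s->options&SSL_OP_TLS_BLOCK_PADDING_BUG)
- {
- /* First packet is even in size, so check */
- if ((memcmp(s->s3->read_sequence,
- "\0\0\0\0\0\0\0\0",8) == 0) && !(ii & 1))
- s->s3->flags|=TLS1_FLAGS_TLS_PADDING_BUG;
- if (s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG)
- i--;
- }
- /* TLS 1.0 does not bound the number of padding bytes by the block size.
- * All of them must have value 'padding_length'. */
- if (i + bs > (int)rec->length)
- {
- /* Incorrect padding. SSLerr() and ssl3_alert are done
- * by caller: we don't want to reveal whether this is
- * a decryption error or a MAC verification failure
- * (see http://www.openssl.org/~bodo/tls-cbc.txt)
- */
- return -1;
- }
- for (j=(int)(l-i); j<(int)l; j++)
- {
- if (rec->data[j] != ii)
- {
- /* Incorrect padding */
- return -1;
- }
- }
- rec->length-=i;
-
- rec->data += bs; /* skip the implicit IV */
- rec->input += bs;
- rec->length -= bs;
- }
+ return tls1_cbc_remove_padding(s, rec, bs, mac_size);
 }
 return(1);
 }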
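Review bot: The new `return tls1_cbc_remove_padding(s, rec, bs, mac_size);` at the end of the `!send` branch forwards the helper's result unchanged, whereas the removed code only ever returned -1 or fell through to `return(1)`; if the helper signals invalid padding with a value other than -1 so that the caller can go on to compute the MAC in constant time, every caller of dtls1_enc must be updated in the same change to treat that value as "padding bad, keep going" rather than as a hard error, and that update is not visible in this hunk. The `SSL_OP_TLS_BLOCK_PADDING_BUG` / `TLS1_FLAGS_TLS_PADDING_BUG` workaround also disappears from this path, so unless the helper reproduces it, peers that depend on that quirk will now fail the padding check. The removed block carried the only comment explaining why a padding failure must not be reported differently from a MAC failure (the tls-cbc.txt reference); that rationale now lives only in the helper, so a one-line pointer at the call site would help a backporter: `/* padding is checked in constant time; the result is reported via the return value and must not be distinguished from a MAC failure by the caller */`. Likewise `rec->orig_len = rec->length;` is assigned for both directions and for stream ciphers before any padding is stripped, which appears intended so the MAC code can see the pre-strip length, and deserves a comment such as `/* length before padding removal, needed by the MAC check */`. dtls1_enc begins before this hunk.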