author | Andy Polyakov <appro@openssl.org> | 2013-02-02 19:29:59 +0100 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2013-02-06 14:19:10 +0000 |
commit | 9970308c88dda1e55a10c970b73ff64e8f678d8f (patch) | |
tree | f18dc43efebdaf756a58b67c18194350c6f0997c /ssl/s3_cbc.c | |
parent | 2aec073a529f8d8dc0e625b9c444db9de7b46873 (diff) |
e_aes_cbc_hmac_sha1.c: address the CBC decrypt timing issues.
Address CBC decrypt timing issues and reenable the AESNI+SHA1 stitch.
(cherry picked from commit 125093b59f3c2a2d33785b5563d929d0472f1721)
Diffstat (limited to 'ssl/s3_cbc.c')
-rw-r--r-- | ssl/s3_cbc.c | 37 |
1 files changed, 22 insertions, 15 deletions
diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c
index b91d84098d..3c2c16539d 100644
--- a/ssl/s3_cbc.c
+++ b/ssl/s3_cbc.c
@@ -150,6 +150,21 @@ int tls1_cbc_remove_padding(const SSL* s,
 if (overhead > rec->length)
 return 0;
 
+ /* We can always safely skip the explicit IV. We check at the beginning
+ * of this function that the record has at least enough space for the
+ * IV, MAC and padding length byte. (These can be checked in
+ * non-constant time because it's all public information.) So, if the
+ * padding was invalid, then we didn't change |rec->length| and this is
+ * safe. If the padding was valid then we know that we have at least
+ * overhead+padding_length bytes of space and so this is still safe
+ * because overhead accounts for the explicit IV. */
+ if (has_explicit_iv)
+ {
+ rec->data += block_size;
+ rec->input += block_size;
+ rec->length -= block_size;
+ }
+
 padding_length = rec->data[rec->length-1];
 
 /* NB: if compression is in operation the first packet may not be of
@@ -172,6 +187,13 @@ int tls1_cbc_remove_padding(const SSL* s,
 }
 }
 
+ if (EVP_CIPHER_flags(s->enc_read_ctx->cipher)&EVP_CIPH_FLAG_AEAD_CIPHER)
+ {
+ /* padding is already verified */
+ rec->length -= padding_length;
+ return 1;
+ }
+
 good = constant_time_ge(rec->length, overhead+padding_length);
 /* The padding consists of a length byte at the end of the record and
 * then that many bytes of padding, all with the same value as the
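Review bot: The comment moved above `if (has_explicit_iv)` still reasons from its old position after the padding check ("if the padding was invalid, then we didn't change |rec->length|"), but in its new location the IV is skipped before `padding_length` is even read and before any padding validation has happened, so that half of the argument no longer describes the code. The part that still holds is the first one: `overhead` accounts for the explicit IV, and the `overhead > rec->length` check immediately above guarantees `rec->length -= block_size` cannot underflow. I would trim the comment to the justification that applies here, e.g. `/* Skip the explicit IV now: overhead includes block_size and the overhead check above already guarantees rec->length >= overhead, so this cannot underflow. */`. tls1_cbc_remove_padding starts before this hunk and continues past it.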
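Review bot: The new AEAD shortcut subtracts `padding_length` from `rec->length` without the `constant_time_ge(rec->length, overhead+padding_length)` bound that the ordinary path applies on the very next line, so its safety rests entirely on the flagged cipher having rejected malformed padding before this function runs, which the one-line comment asserts but nothing here checks. It also returns before the `rec->type |= padding_length<<8` kludge that the normal path performs (visible as context in the third hunk), so any caller that recovers the padding length from `rec->type` gets nothing on this path; worth confirming that the stitched-cipher callers do not rely on it. I would expand the comment to state the contract explicitly: `/* An EVP_CIPH_FLAG_AEAD_CIPHER cipher (the stitched AES-CBC+HMAC-SHA1 decrypt) has already verified the padding before the record reaches us, so no bound check on padding_length is needed; note this path also skips the rec->type padding-length kludge below. */`. The enclosing function continues beyond both edges of this hunk.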
@@ -209,21 +231,6 @@ int tls1_cbc_remove_padding(const SSL* s,
 rec->length -= padding_length;
 rec->type |= padding_length<<8; /* kludge: pass padding length */
 
- /* We can always safely skip the explicit IV. We check at the beginning
- * of this function that the record has at least enough space for the
- * IV, MAC and padding length byte. (These can be checked in
- * non-constant time because it's all public information.) So, if the
- * padding was invalid, then we didn't change |rec->length| and this is
- * safe. If the padding was valid then we know that we have at least
- * overhead+padding_length bytes of space and so this is still safe
- * because overhead accounts for the explicit IV. */
- if (has_explicit_iv)
- {
- rec->data += block_size;
- rec->input += block_size;
- rec->length -= block_size;
- }
-
 return (int)((good & 1) | (~good & -1));
 }
 |