diff options
author | Ben Laurie <ben@links.org> | 2013-01-28 17:31:49 +0000 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2013-02-06 13:56:12 +0000 |
commit | fb0a59cc58e69203b1269d5f1c355f4944a8b350 (patch) | |
tree | 63b6f5511fbe638585c834b9bf8416254bac2056 /ssl/ssl3.h | |
parent | f5cd3561ba9363e6bcc58fcb6b1e94930f81967d (diff) |
Make CBC decoding constant time.
This patch makes the decoding of SSLv3 and TLS CBC records constant
time. Without this, a timing side-channel can be used to build a padding
oracle and mount Vaudenay's attack.
This patch also disables the stitched AESNI+SHA mode pending a similar
fix to that code.
In order to be easy to backport, this change is implemented in ssl/,
rather than as a generic AEAD mode. In the future this should be changed
around so that HMAC isn't in ssl/, but crypto/ as FIPS expects.
(cherry picked from commit e130841bccfc0bb9da254dc84e23bc6a1c78a64e)
Diffstat (limited to 'ssl/ssl3.h')
-rw-r--r-- | ssl/ssl3.h | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/ssl/ssl3.h b/ssl/ssl3.h index d2a5208824..e41f288871 100644 --- a/ssl/ssl3.h +++ b/ssl/ssl3.h @@ -372,6 +372,10 @@ typedef struct ssl3_record_st /*r */ unsigned char *comp; /* only used with decompression - malloc()ed */ /*r */ unsigned long epoch; /* epoch number, needed by DTLS1 */ /*r */ unsigned char seq_num[8]; /* sequence number, needed by DTLS1 */ +/*rw*/ unsigned int orig_len; /* How many bytes were available before padding + was removed? This is used to implement the + MAC check in constant time for CBC records. + */ } SSL3_RECORD; typedef struct ssl3_buffer_st |