authorBen Laurie <ben@links.org>2013-01-28 17:31:49 +0000
committerBen Laurie <ben@links.org>2013-01-28 17:31:49 +0000
commite130841bccfc0bb9da254dc84e23bc6a1c78a64e (patch)
tree025095b97a98c1bfac9ad6eb32a3b4a23a5a1d81 /ssl/ssl3.h
parent2ee798880a246d648ecddadc5b91367bee4a5d98 (diff)
Make CBC decoding constant time.
This patch makes the decoding of SSLv3 and TLS CBC records constant time. Without this, a timing side-channel can be used to build a padding oracle and mount Vaudenay's attack. This patch also disables the stitched AESNI+SHA mode pending a similar fix to that code. In order to be easy to backport, this change is implemented in ssl/, rather than as a generic AEAD mode. In the future this should be changed around so that HMAC isn't in ssl/, but crypto/ as FIPS expects.
Diffstat (limited to 'ssl/ssl3.h')
-rw-r--r--ssl/ssl3.h4
1 files changed, 4 insertions, 0 deletions
diff --git a/ssl/ssl3.h b/ssl/ssl3.h
index 247e88c2d6..87d3e0fccb 100644
--- a/ssl/ssl3.h
+++ b/ssl/ssl3.h
@@ -355,6 +355,10 @@ typedef struct ssl3_record_st
/*r */ unsigned char *comp; /* only used with decompression - malloc()ed */
/*r */ unsigned long epoch; /* epoch number, needed by DTLS1 */
/*r */ unsigned char seq_num[8]; /* sequence number, needed by DTLS1 */
+/*rw*/ unsigned int orig_len; /* How many bytes were available before padding
+ was removed? This is used to implement the
+ MAC check in constant time for CBC records.
+ */
} SSL3_RECORD;
typedef struct ssl3_buffer_st
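Review bot: The comment on the new `orig_len` field says what it holds but not who writes it or when it is valid, and a stale or unset value here would silently undermine the constant-time MAC check the commit message describes; the comment should name the responsibility explicitly, e.g. `/* Set by the record-layer decrypt path for every incoming record before the MAC is checked: length is the padding-stripped length, orig_len the length before padding removal. Not meaningful for outgoing records. */`. It is also worth stating in that comment that MAC-verification code must bound its reads by orig_len rather than length, since that is the whole reason the field exists. The `/*rw*/` tag differs from the `/*r */` tags on the neighbouring fields; if the header does not already explain that convention, a one-line note near the struct would help. The enclosing `ssl3_record_st` definition starts above the hunk, so I cannot see whether an existing field already records this length.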