Diffstat (limited to 'ssl')
-rw-r--r-- | ssl/s3_cbc.c | 37 | ||||
-rw-r--r-- | ssl/ssl_algs.c | 2 |
2 files changed, 22 insertions, 17 deletions
diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c
index b91d84098d..3c2c16539d 100644
--- a/ssl/s3_cbc.c
+++ b/ssl/s3_cbc.c
@@ -150,6 +150,21 @@ int tls1_cbc_remove_padding(const SSL* s,
 if (overhead > rec->length)
 return 0;
 
+ /* We can always safely skip the explicit IV. We check at the beginning
+ * of this function that the record has at least enough space for the
+ * IV, MAC and padding length byte. (These can be checked in
+ * non-constant time because it's all public information.) So, if the
+ * padding was invalid, then we didn't change |rec->length| and this is
+ * safe. If the padding was valid then we know that we have at least
+ * overhead+padding_length bytes of space and so this is still safe
+ * because overhead accounts for the explicit IV. */
+ if (has_explicit_iv)
+ {
+ rec->data += block_size;
+ rec->input += block_size;
+ rec->length -= block_size;
+ }
+
 padding_length = rec->data[rec->length-1];
 
 /* NB: if compression is in operation the first packet may not be of
@@ -172,6 +187,13 @@ int tls1_cbc_remove_padding(const SSL* s,
 }
 }
 
+ if (EVP_CIPHER_flags(s->enc_read_ctx->cipher)&EVP_CIPH_FLAG_AEAD_CIPHER)
+ {
+ /* padding is already verified */
+ rec->length -= padding_length;
+ return 1;
+ }
+
 good = constant_time_ge(rec->length, overhead+padding_length);
 /* The padding consists of a length byte at the end of the record and
 * then that many bytes of padding, all with the same value as the
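Review bot: The EVP_CIPH_FLAG_AEAD_CIPHER early return in the second hunk does `rec->length -= padding_length;` with no bound against the record length, whereas the non-AEAD path two lines later first derives `good = constant_time_ge(rec->length, overhead+padding_length)`; the subtraction is only sound if the cipher's decrypt step has already rejected any padding_length larger than rec->length-overhead, which the one-line comment asserts but does not locate. Replace `/* padding is already verified */` with a comment naming the invariant being relied on, e.g. `/* The stitched cipher checked the padding during decryption and fails the record when padding_length > rec->length - overhead, so the unchecked subtraction below is safe. */`, so the dependency on the cipher implementation is explicit and can be confirmed there. This path also returns without the `rec->type |= padding_length<<8` kludge that the non-AEAD path sets (visible as context in the third hunk); if any caller reads the padding length back from rec->type, the AEAD path hands it zero, which should be checked against the callers, none of which are in this diff. tls1_cbc_remove_padding begins before the first hunk and ends in the third.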
@@ -209,21 +231,6 @@ int tls1_cbc_remove_padding(const SSL* s,
 rec->length -= padding_length;
 rec->type |= padding_length<<8; /* kludge: pass padding length */
 
- /* We can always safely skip the explicit IV. We check at the beginning
- * of this function that the record has at least enough space for the
- * IV, MAC and padding length byte. (These can be checked in
- * non-constant time because it's all public information.) So, if the
- * padding was invalid, then we didn't change |rec->length| and this is
- * safe. If the padding was valid then we know that we have at least
- * overhead+padding_length bytes of space and so this is still safe
- * because overhead accounts for the explicit IV. */
- if (has_explicit_iv)
- {
- rec->data += block_size;
- rec->input += block_size;
- rec->length -= block_size;
- }
-
 return (int)((good & 1) | (~good & -1));
 }
 
diff --git a/ssl/ssl_algs.c b/ssl/ssl_algs.c
index 333a8d5377..d5a7a20e8a 100644
--- a/ssl/ssl_algs.c
+++ b/ssl/ssl_algs.c
@@ -90,12 +90,10 @@ int SSL_library_init(void)
 EVP_add_cipher(EVP_aes_256_cbc());
 EVP_add_cipher(EVP_aes_128_gcm());
 EVP_add_cipher(EVP_aes_256_gcm());
-#if 0 /* Disabled because of timing side-channel leaks. */
 #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
 EVP_add_cipher(EVP_aes_128_cbc_hmac_sha1());
 EVP_add_cipher(EVP_aes_256_cbc_hmac_sha1());
 #endif
-#endif
 #endif
 
 #ifndef OPENSSL_NO_CAMELLIA
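Review bot: Re-enabling EVP_aes_128_cbc_hmac_sha1 and EVP_aes_256_cbc_hmac_sha1 in the ssl_algs.c hunk deletes the only explanation of why they were off (`#if 0 /* Disabled because of timing side-channel leaks. */`) without recording what changed, so a reader of ssl_algs.c alone cannot tell why registering them is now considered acceptable. Add a short comment above the `#if !defined(OPENSSL_NO_SHA)` guard, e.g. `/* Stitched CBC+HMAC ciphers: padding is checked inside the cipher; see the EVP_CIPH_FLAG_AEAD_CIPHER path in tls1_cbc_remove_padding. */`, tying the re-enablement to the s3_cbc.c change in this commit. Whether that path fully removes the timing leak the old comment referred to cannot be judged from this diff and should be stated in the commit message or in that comment.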