From fb0a59cc58e69203b1269d5f1c355f4944a8b350 Mon Sep 17 00:00:00 2001
From: Ben Laurie
Date: Mon, 28 Jan 2013 17:31:49 +0000
Subject: Make CBC decoding constant time.

This patch makes the decoding of SSLv3 and TLS CBC records constant time. Without this, a timing side-channel can be used to build a padding oracle and mount Vaudenay's attack.

This patch also disables the stitched AESNI+SHA mode pending a similar fix to that code.

In order to be easy to backport, this change is implemented in ssl/, rather than as a generic AEAD mode. In the future this should be changed around so that HMAC isn't in ssl/, but crypto/ as FIPS expects.

(cherry picked from commit e130841bccfc0bb9da254dc84e23bc6a1c78a64e)
---
 ssl/ssl3.h | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'ssl/ssl3.h')

diff --git a/ssl/ssl3.h b/ssl/ssl3.h
index d2a5208824..e41f288871 100644
--- a/ssl/ssl3.h
+++ b/ssl/ssl3.h
@@ -372,6 +372,10 @@ typedef struct ssl3_record_st
 /*r */ unsigned char *comp; /* only used with decompression - malloc()ed */
 /*r */ unsigned long epoch; /* epoch number, needed by DTLS1 */
 /*r */ unsigned char seq_num[8]; /* sequence number, needed by DTLS1 */
+/*rw*/ unsigned int orig_len; /* How many bytes were available before padding was removed? This is used to implement the MAC check in constant time for CBC records. */
 } SSL3_RECORD;

 typedef struct ssl3_buffer_st
-- 
cgit v1.2.3
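Review bot: The new orig_len field is only safe if every decryption path writes it before the MAC check reads it, and this view (limited to ssl/ssl3.h) does not show where that happens; SSL3_RECORD is reused from record to record, so a path that never touches it — presumably a stream or NULL cipher where no padding is stripped — would feed a stale value from an earlier record into the constant-time MAC check. Whether the rest of the cherry-pick covers those paths cannot be told from here, so the setters in the record layer should be checked against every cipher mode when reviewing the full commit. I would also state the contract in the comment instead of posing it as a question, e.g. `/* Length of the decrypted record before padding was removed. Must be set by the decrypt path for every record (not only CBC ones); read by the constant-time MAC check. */`, so that a future cipher-mode addition is reminded to initialise it. The enclosing SSL3_RECORD struct begins outside the hunk.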