Make CBC decoding constant time.
This patch makes the decoding of SSLv3 and TLS CBC records constant
time. Without this, a timing side-channel can be used to build a padding
oracle and mount Vaudenay's attack.
This patch also disables the stitched AESNI+SHA mode pending a similar
fix to that code.
In order to be easy to backport, this change is implemented in ssl/,
rather than as a generic AEAD mode. In the future this should be changed
around so that HMAC isn't in ssl/, but crypto/ as FIPS expects.
(cherry picked from commit e130841bcc)
			
			
					committed by
					
						
						Dr. Stephen Henson
					
				
			
			
				
	
			
			
			
						parent
						
							7c770d572a
						
					
				
				
					commit
					2acc020b77
				
			@@ -372,6 +372,10 @@ typedef struct ssl3_record_st
/*r */	unsigned char *comp;    /* only used with decompression - malloc()ed */
/*r */  unsigned long epoch;    /* epoch number, needed by DTLS1 */
/*r */  unsigned char seq_num[8]; /* sequence number, needed by DTLS1 */
/*rw*/	unsigned int orig_len;  /* How many bytes were available before padding
				   was removed? This is used to implement the
				   MAC check in constant time for CBC records.
				 */
	} SSL3_RECORD;
 | 
			
typedef struct ssl3_buffer_st
 
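Review bot: The comment on the new `orig_len` field says what it is for but not who writes it or what invariant readers may rely on, and since the constant-time MAC check depends on this value being correct for every CBC record, a path that leaves it unset or stale would silently restore a data-dependent timing behaviour without any compile-time signal. The hunk is the tail of `struct ssl3_record_st`, so the declaration of the companion `length` field and the code that assigns `orig_len` are outside it; presumably the assignment lives in the record decryption path, which is worth confirming. I would extend the comment to name the writer and the invariant, e.g. `/* Plaintext length before padding and MAC were stripped; set during record decryption and only valid afterwards. Must be >= length for the constant-time MAC check to read within bounds. */`, and keep the `/*rw*/` marker, since the field is written by the record layer and read by the MAC check.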