generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Make CBC decoding constant time.

Browse Source 
This patch makes the decoding of SSLv3 and TLS CBC records constant
time. Without this, a timing side-channel can be used to build a padding
oracle and mount Vaudenay's attack.

This patch also disables the stitched AESNI+SHA mode pending a similar
fix to that code.

In order to be easy to backport, this change is implemented in ssl/,
rather than as a generic AEAD mode. In the future this should be changed
around so that HMAC isn't in ssl/, but crypto/ as FIPS expects.
(cherry picked from commit e130841bcc)
This commit is contained in:
Ben Laurie
2013-01-28 17:31:49 +00:00
committed by Dr. Stephen Henson
parent 7c770d572a
commit 2acc020b77
9 changed files with 214 additions and 197 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
ssl/ssl_algs.c
View File

@@ -90,10 +90,13 @@ int SSL_library_init(void)
EVP_add_cipher(EVP_aes_256_cbc());
EVP_add_cipher(EVP_aes_128_gcm());
EVP_add_cipher(EVP_aes_256_gcm());
#if 0 /* Disabled because of timing side-channel leaks. */
#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
EVP_add_cipher(EVP_aes_128_cbc_hmac_sha1());
EVP_add_cipher(EVP_aes_256_cbc_hmac_sha1());
#endif
#endif
#endif
#ifndef OPENSSL_NO_CAMELLIA
EVP_add_cipher(EVP_camellia_128_cbc());