Make CBC decoding constant time.
This patch makes the decoding of SSLv3 and TLS CBC records constant
time. Without this, a timing side-channel can be used to build a padding
oracle and mount Vaudenay's attack.
This patch also disables the stitched AESNI+SHA mode pending a similar
fix to that code.
In order to be easy to backport, this change is implemented in ssl/,
rather than as a generic AEAD mode. In the future this should be changed
around so that HMAC isn't in ssl/, but crypto/ as FIPS expects.
(cherry picked from commit e130841bcc)
Conflicts:
crypto/evp/c_allc.c
ssl/ssl_algs.c
ssl/ssl_locl.h
ssl/t1_enc.c
(cherry picked from commit 3622239826698a0e534dcf0473204c724bb9b4b4)
Conflicts:
ssl/d1_enc.c
ssl/s3_enc.c
ssl/s3_pkt.c
ssl/ssl3.h
ssl/ssl_algs.c
ssl/t1_enc.c
This commit is contained in:
Ben Laurie
committed by
Dr. Stephen Henson
Dr. Stephen Henson
parent
7ad132b133
commit
35a65e814b
@@ -304,6 +304,10 @@ typedef struct ssl3_record_st
|
||||
/*r */ unsigned char *comp; /* only used with decompression - malloc()ed */
|
||||
/*r */ unsigned long epoch; /* epoch number, needed by DTLS1 */
|
||||
/*r */ PQ_64BIT seq_num; /* sequence number, needed by DTLS1 */
|
||||
/*rw*/ unsigned int orig_len; /* How many bytes were available before padding
|
||||
was removed? This is used to implement the
|
||||
MAC check in constant time for CBC records.
|
||||
*/
|
||||
} SSL3_RECORD;
|
||||
|
||||
typedef struct ssl3_buffer_st
|
||||
|
||||
Reference in New Issue
Block a user