generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

e_aes_cbc_hmac_sha1.c: address the CBC decrypt timing issues.

Browse Source 
Address CBC decrypt timing issues and reenable the AESNI+SHA1 stitch.
(cherry picked from commit 125093b59f)
This commit is contained in:
Andy Polyakov
2013-02-02 19:29:59 +01:00
committed by Dr. Stephen Henson
parent eeb486a5f4
commit 5966f4d973
4 changed files with 208 additions and 40 deletions
Download Patch File Download Diff File Expand all files Collapse all files

37
ssl/s3_cbc.c
View File

@@ -150,6 +150,21 @@ int tls1_cbc_remove_padding(const SSL* s,
if (overhead > rec->length)
return 0;
/* We can always safely skip the explicit IV. We check at the beginning
* of this function that the record has at least enough space for the
* IV, MAC and padding length byte. (These can be checked in
* non-constant time because it's all public information.) So, if the
* padding was invalid, then we didn't change |rec->length| and this is
* safe. If the padding was valid then we know that we have at least
* overhead+padding_length bytes of space and so this is still safe
* because overhead accounts for the explicit IV. */
if (has_explicit_iv)
{
rec->data += block_size;
rec->input += block_size;
rec->length -= block_size;
}
padding_length = rec->data[rec->length-1];
/* NB: if compression is in operation the first packet may not be of
@@ -172,6 +187,13 @@ int tls1_cbc_remove_padding(const SSL* s,
}
}
if (EVP_CIPHER_flags(s->enc_read_ctx->cipher)&EVP_CIPH_FLAG_AEAD_CIPHER)
{
/* padding is already verified */
rec->length -= padding_length;
return 1;
}
good = constant_time_ge(rec->length, overhead+padding_length);
/* The padding consists of a length byte at the end of the record and
* then that many bytes of padding, all with the same value as the
@@ -209,21 +231,6 @@ int tls1_cbc_remove_padding(const SSL* s,
rec->length -= padding_length;
rec->type |= padding_length<<8; /* kludge: pass padding length */
/* We can always safely skip the explicit IV. We check at the beginning
* of this function that the record has at least enough space for the
* IV, MAC and padding length byte. (These can be checked in
* non-constant time because it's all public information.) So, if the
* padding was invalid, then we didn't change |rec->length| and this is
* safe. If the padding was valid then we know that we have at least
* overhead+padding_length bytes of space and so this is still safe
* because overhead accounts for the explicit IV. */
if (has_explicit_iv)
{
rec->data += block_size;
rec->input += block_size;
rec->length -= block_size;
}
return (int)((good & 1) | (~good & -1));
}