Make CBC decoding constant time.
This patch makes the decoding of SSLv3 and TLS CBC records constant time. Without this, a timing side-channel can be used to build a padding oracle and mount Vaudenay's attack. This patch also disables the stitched AESNI+SHA mode pending a similar fix to that code. In order to be easy to backport, this change is implemented in ssl/, rather than as a generic AEAD mode. In the future this should be changed around so that HMAC isn't in ssl/, but crypto/ as FIPS expects.
This commit is contained in:
Ben Laurie
102
ssl/s3_enc.c
102
ssl/s3_enc.c
@@ -471,7 +471,7 @@ int ssl3_enc(SSL *s, int send)
|
||||
SSL3_RECORD *rec;
|
||||
EVP_CIPHER_CTX *ds;
|
||||
unsigned long l;
|
||||
int bs,i;
|
||||
int bs,i,mac_size=0;
|
||||
const EVP_CIPHER *enc;
|
||||
|
||||
if (send)
|
||||
@@ -532,22 +532,12 @@ int ssl3_enc(SSL *s, int send)
|
||||
|
||||
EVP_Cipher(ds,rec->data,rec->input,l);
|
||||
|
||||
rec->orig_len = rec->length;
|
||||
|
||||
if (EVP_MD_CTX_md(s->read_hash) != NULL)
|
||||
mac_size = EVP_MD_CTX_size(s->read_hash);
|
||||
if ((bs != 1) && !send)
|
||||
{
|
||||
i=rec->data[l-1]+1;
|
||||
/* SSL 3.0 bounds the number of padding bytes by the block size;
|
||||
* padding bytes (except the last one) are arbitrary */
|
||||
if (i > bs)
|
||||
{
|
||||
/* Incorrect padding. SSLerr() and ssl3_alert are done
|
||||
* by caller: we don't want to reveal whether this is
|
||||
* a decryption error or a MAC verification failure
|
||||
* (see http://www.openssl.org/~bodo/tls-cbc.txt) */
|
||||
return -1;
|
||||
}
|
||||
/* now i <= bs <= rec->length */
|
||||
rec->length-=i;
|
||||
}
|
||||
return ssl3_cbc_remove_padding(s, rec, bs, mac_size);
|
||||
}
|
||||
return(1);
|
||||
}
|
||||
@@ -716,7 +706,7 @@ int n_ssl3_mac(SSL *ssl, unsigned char *md, int send)
|
||||
EVP_MD_CTX md_ctx;
|
||||
const EVP_MD_CTX *hash;
|
||||
unsigned char *p,rec_char;
|
||||
unsigned int md_size;
|
||||
size_t md_size;
|
||||
int npad;
|
||||
int t;
|
||||
|
||||
@@ -741,28 +731,68 @@ int n_ssl3_mac(SSL *ssl, unsigned char *md, int send)
|
||||
md_size=t;
|
||||
npad=(48/md_size)*md_size;
|
||||
|
||||
/* Chop the digest off the end :-) */
|
||||
EVP_MD_CTX_init(&md_ctx);
|
||||
if (!send &&
|
||||
EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
|
||||
ssl3_cbc_record_digest_supported(hash))
|
||||
{
|
||||
/* This is a CBC-encrypted record. We must avoid leaking any
|
||||
* timing-side channel information about how many blocks of
|
||||
* data we are hashing because that gives an attacker a
|
||||
* timing-oracle. */
|
||||
|
||||
EVP_MD_CTX_copy_ex( &md_ctx,hash);
|
||||
EVP_DigestUpdate(&md_ctx,mac_sec,md_size);
|
||||
EVP_DigestUpdate(&md_ctx,ssl3_pad_1,npad);
|
||||
EVP_DigestUpdate(&md_ctx,seq,8);
|
||||
rec_char=rec->type;
|
||||
EVP_DigestUpdate(&md_ctx,&rec_char,1);
|
||||
p=md;
|
||||
s2n(rec->length,p);
|
||||
EVP_DigestUpdate(&md_ctx,md,2);
|
||||
EVP_DigestUpdate(&md_ctx,rec->input,rec->length);
|
||||
EVP_DigestFinal_ex( &md_ctx,md,NULL);
|
||||
/* npad is, at most, 48 bytes and that's with MD5:
|
||||
* 16 + 48 + 8 (sequence bytes) + 1 + 2 = 75.
|
||||
*
|
||||
* With SHA-1 (the largest hash speced for SSLv3) the hash size
|
||||
* goes up 4, but npad goes down by 8, resulting in a smaller
|
||||
* total size. */
|
||||
unsigned char header[75];
|
||||
unsigned j = 0;
|
||||
memcpy(header+j, mac_sec, md_size);
|
||||
j += md_size;
|
||||
memcpy(header+j, ssl3_pad_1, npad);
|
||||
j += npad;
|
||||
memcpy(header+j, seq, 8);
|
||||
j += 8;
|
||||
header[j++] = rec->type;
|
||||
header[j++] = rec->length >> 8;
|
||||
header[j++] = rec->length & 0xff;
|
||||
|
||||
EVP_MD_CTX_copy_ex( &md_ctx,hash);
|
||||
EVP_DigestUpdate(&md_ctx,mac_sec,md_size);
|
||||
EVP_DigestUpdate(&md_ctx,ssl3_pad_2,npad);
|
||||
EVP_DigestUpdate(&md_ctx,md,md_size);
|
||||
EVP_DigestFinal_ex( &md_ctx,md,&md_size);
|
||||
ssl3_cbc_digest_record(
|
||||
hash,
|
||||
md, &md_size,
|
||||
header, rec->input,
|
||||
rec->length + md_size, rec->orig_len,
|
||||
mac_sec, md_size,
|
||||
1 /* is SSLv3 */);
|
||||
}
|
||||
else
|
||||
{
|
||||
unsigned int md_size_u;
|
||||
/* Chop the digest off the end :-) */
|
||||
EVP_MD_CTX_init(&md_ctx);
|
||||
|
||||
EVP_MD_CTX_cleanup(&md_ctx);
|
||||
EVP_MD_CTX_copy_ex( &md_ctx,hash);
|
||||
EVP_DigestUpdate(&md_ctx,mac_sec,md_size);
|
||||
EVP_DigestUpdate(&md_ctx,ssl3_pad_1,npad);
|
||||
EVP_DigestUpdate(&md_ctx,seq,8);
|
||||
rec_char=rec->type;
|
||||
EVP_DigestUpdate(&md_ctx,&rec_char,1);
|
||||
p=md;
|
||||
s2n(rec->length,p);
|
||||
EVP_DigestUpdate(&md_ctx,md,2);
|
||||
EVP_DigestUpdate(&md_ctx,rec->input,rec->length);
|
||||
EVP_DigestFinal_ex( &md_ctx,md,NULL);
|
||||
|
||||
EVP_MD_CTX_copy_ex( &md_ctx,hash);
|
||||
EVP_DigestUpdate(&md_ctx,mac_sec,md_size);
|
||||
EVP_DigestUpdate(&md_ctx,ssl3_pad_2,npad);
|
||||
EVP_DigestUpdate(&md_ctx,md,md_size);
|
||||
EVP_DigestFinal_ex( &md_ctx,md,&md_size_u);
|
||||
md_size = md_size_u;
|
||||
|
||||
EVP_MD_CTX_cleanup(&md_ctx);
|
||||
}
|
||||
|
||||
ssl3_record_sequence_update(seq);
|
||||
return(md_size);
|
||||
|
||||
Reference in New Issue
Block a user