generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Make CBC decoding constant time.

Browse Source 
This patch makes the decoding of SSLv3 and TLS CBC records constant
time. Without this, a timing side-channel can be used to build a padding
oracle and mount Vaudenay's attack.

This patch also disables the stitched AESNI+SHA mode pending a similar
fix to that code.

In order to be easy to backport, this change is implemented in ssl/,
rather than as a generic AEAD mode. In the future this should be changed
around so that HMAC isn't in ssl/, but crypto/ as FIPS expects.
This commit is contained in:
Ben Laurie
2013-01-28 17:31:49 +00:00
parent 2ee798880a
commit e130841bcc
9 changed files with 214 additions and 197 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
ssl/ssl3.h
View File

@@ -355,6 +355,10 @@ typedef struct ssl3_record_st
/*r */ unsigned char *comp; /* only used with decompression - malloc()ed */
/*r */ unsigned long epoch; /* epoch number, needed by DTLS1 */
/*r */ unsigned char seq_num[8]; /* sequence number, needed by DTLS1 */
/*rw*/ unsigned int orig_len; /* How many bytes were available before padding
was removed? This is used to implement the
MAC check in constant time for CBC records.
*/
} SSL3_RECORD;
typedef struct ssl3_buffer_st