Make CBC decoding constant time.
This patch makes the decoding of SSLv3 and TLS CBC records constant time. Without this, a timing side-channel can be used to build a padding oracle and mount Vaudenay's attack. This patch also disables the stitched AESNI+SHA mode pending a similar fix to that code. In order to be easy to backport, this change is implemented in ssl/, rather than as a generic AEAD mode. In the future this should be changed around so that HMAC isn't in ssl/, but crypto/ as FIPS expects.
This commit is contained in:
Ben Laurie
@@ -215,6 +215,15 @@
|
||||
*((c)++)=(unsigned char)(((l)>> 8)&0xff), \
|
||||
*((c)++)=(unsigned char)(((l) )&0xff))
|
||||
|
||||
#define l2n8(l,c) (*((c)++)=(unsigned char)(((l)>>56)&0xff), \
|
||||
*((c)++)=(unsigned char)(((l)>>48)&0xff), \
|
||||
*((c)++)=(unsigned char)(((l)>>40)&0xff), \
|
||||
*((c)++)=(unsigned char)(((l)>>32)&0xff), \
|
||||
*((c)++)=(unsigned char)(((l)>>24)&0xff), \
|
||||
*((c)++)=(unsigned char)(((l)>>16)&0xff), \
|
||||
*((c)++)=(unsigned char)(((l)>> 8)&0xff), \
|
||||
*((c)++)=(unsigned char)(((l) )&0xff))
|
||||
|
||||
#define n2l6(c,l) (l =((BN_ULLONG)(*((c)++)))<<40, \
|
||||
l|=((BN_ULLONG)(*((c)++)))<<32, \
|
||||
l|=((BN_ULLONG)(*((c)++)))<<24, \
|
||||
@@ -1133,4 +1142,29 @@ int ssl_parse_clienthello_use_srtp_ext(SSL *s, unsigned char *d, int len,int *al
|
||||
int ssl_add_serverhello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int maxlen);
|
||||
int ssl_parse_serverhello_use_srtp_ext(SSL *s, unsigned char *d, int len,int *al);
|
||||
|
||||
/* s3_cbc.c */
|
||||
void ssl3_cbc_copy_mac(unsigned char* out,
|
||||
const SSL3_RECORD *rec,
|
||||
unsigned md_size);
|
||||
int ssl3_cbc_remove_padding(const SSL* s,
|
||||
SSL3_RECORD *rec,
|
||||
unsigned block_size,
|
||||
unsigned mac_size);
|
||||
int tls1_cbc_remove_padding(const SSL* s,
|
||||
SSL3_RECORD *rec,
|
||||
unsigned block_size,
|
||||
unsigned mac_size);
|
||||
char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx);
|
||||
void ssl3_cbc_digest_record(
|
||||
const EVP_MD_CTX *ctx,
|
||||
unsigned char* md_out,
|
||||
size_t* md_out_size,
|
||||
const unsigned char header[13],
|
||||
const unsigned char *data,
|
||||
size_t data_plus_mac_size,
|
||||
size_t data_plus_mac_plus_padding_size,
|
||||
const unsigned char *mac_secret,
|
||||
unsigned mac_secret_length,
|
||||
char is_sslv3);
|
||||
|
||||
#endif
|
||||
|
||||
Reference in New Issue
Block a user