Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15-SP1:GA
gnutls.10768
0001-dummy_wait-correctly-account-the-length-fi...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 0001-dummy_wait-correctly-account-the-length-field-in-SHA.patch of Package gnutls.10768
From 2c439321fc2970f8f1b20e8d9d8e96e76c331c6e Mon Sep 17 00:00:00 2001 From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> Date: Wed, 20 Jun 2018 10:42:09 +0200 Subject: [PATCH 1/4] dummy_wait: correctly account the length field in SHA384 HMAC The existing lucky13 attack count-measures did not work correctly for SHA384 HMAC. The overall impact of that should not be significant as SHA384 is prioritized lower than SHA256 or SHA1 and thus it is not typically negotiated, unless a client prioritizes a SHA384 MAC, or a server only supports SHA384, and in both cases the vulnerability is only present if Encrypt-then-MAC (RFC7366) is unsupported by the peer. Relates #455 --- lib/algorithms/mac.c | 4 ++-- lib/gnutls_cipher.c | 15 +++++++++------ 2 files changed, 11 insertions(+), 8 deletions(-) Index: gnutls-3.6.2/lib/algorithms/mac.c =================================================================== --- gnutls-3.6.2.orig/lib/algorithms/mac.c 2018-09-03 13:51:06.233289054 +0200 +++ gnutls-3.6.2/lib/algorithms/mac.c 2018-09-03 13:51:07.749299022 +0200 @@ -59,14 +59,14 @@ static const mac_entry_st hash_algorithm .id = GNUTLS_MAC_SHA384, .output_size = 48, .key_size = 48, - .block_size = 64}, + .block_size = 128}, {.name = "SHA512", .oid = HASH_OID_SHA512, .mac_oid = MAC_OID_SHA512, .id = GNUTLS_MAC_SHA512, .output_size = 64, .key_size = 64, - .block_size = 64}, + .block_size = 128}, {.name = "SHA224", .oid = HASH_OID_SHA224, .mac_oid = MAC_OID_SHA224, Index: gnutls-3.6.2/lib/cipher.c =================================================================== --- gnutls-3.6.2.orig/lib/cipher.c 2018-09-03 13:51:06.237289080 +0200 +++ gnutls-3.6.2/lib/cipher.c 2018-09-03 13:51:28.945438372 +0200 @@ -384,7 +384,7 @@ static void dummy_wait(record_parameters { /* this hack is only needed on CBC ciphers */ if (_gnutls_cipher_type(params->cipher) == CIPHER_BLOCK) { - unsigned len; + unsigned len, v; /* force an additional hash compression function evaluation to prevent timing * attacks that distinguish between wrong-mac + correct pad, from wrong-mac + incorrect pad. @@ -392,11 +392,14 @@ static void dummy_wait(record_parameters if (pad_failed == 0 && pad > 0) { len = _gnutls_mac_block_size(params->mac); if (len > 0) { - /* This is really specific to the current hash functions. - * It should be removed once a protocol fix is in place. - */ - if ((pad + total) % len > len - 9 - && total % len <= len - 9) { + if (params->mac && params->mac->id == GNUTLS_MAC_SHA384) + /* v = 1 for the hash function padding + 16 for message length */ + v = 17; + else /* v = 1 for the hash function padding + 8 for message length */ + v = 9; + + if ((pad + total) % len > len - v + && total % len <= len - v) { if (len < plaintext->size) _gnutls_auth_cipher_add_auth (¶ms->read.
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor