Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Step:15-SP4
gnutls.10768
0002-dummy_wait-always-hash-the-same-amount-of-...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 0002-dummy_wait-always-hash-the-same-amount-of-blocks-tha.patch of Package gnutls.10768
From f3935c3429597dc6fe9e51fbb176ae0aa747eb4f Mon Sep 17 00:00:00 2001 From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> Date: Wed, 20 Jun 2018 10:58:36 +0200 Subject: [PATCH 2/4] dummy_wait: always hash the same amount of blocks that would have been on minimum pad This improves protection against lucky13-type of attacks when encrypt-then-mac is not in use. Resolves #456 --- lib/gnutls_cipher.c | 63 ++++++++++++++++++++++++--------------------- 1 file changed, 33 insertions(+), 30 deletions(-) Index: gnutls-3.6.2/lib/cipher.c =================================================================== --- gnutls-3.6.2.orig/lib/cipher.c 2018-09-03 13:52:34.257867813 +0200 +++ gnutls-3.6.2/lib/cipher.c 2018-09-03 13:57:27.063793165 +0200 @@ -378,40 +378,41 @@ encrypt_packet(gnutls_session_t session, return length; } -static void dummy_wait(record_parameters_st * params, - gnutls_datum_t * plaintext, unsigned pad_failed, - unsigned int pad, unsigned total) +static void dummy_wait(record_parameters_st *params, + gnutls_datum_t *plaintext, + unsigned int mac_data, unsigned int max_mac_data) { /* this hack is only needed on CBC ciphers */ if (_gnutls_cipher_type(params->cipher) == CIPHER_BLOCK) { - unsigned len, v; + unsigned v; + unsigned int tag_size = + _gnutls_auth_cipher_tag_len(¶ms->read.cipher_state); + unsigned hash_block = _gnutls_mac_block_size(params->mac); - /* force an additional hash compression function evaluation to prevent timing + /* force additional hash compression function evaluations to prevent timing * attacks that distinguish between wrong-mac + correct pad, from wrong-mac + incorrect pad. */ - if (pad_failed == 0 && pad > 0) { - len = _gnutls_mac_block_size(params->mac); - if (len > 0) { - if (params->mac && params->mac->id == GNUTLS_MAC_SHA384) - /* v = 1 for the hash function padding + 16 for message length */ - v = 17; - else /* v = 1 for the hash function padding + 8 for message length */ - v = 9; - - if ((pad + total) % len > len - v - && total % len <= len - v) { - if (len < plaintext->size) - _gnutls_auth_cipher_add_auth - (¶ms->read. - cipher_state, - plaintext->data, len); - else - _gnutls_auth_cipher_add_auth - (¶ms->read. - cipher_state, - plaintext->data, - plaintext->size); - } + if (params->mac && params->mac->id == GNUTLS_MAC_SHA384) + /* v = 1 for the hash function padding + 16 for message length */ + v = 17; + else /* v = 1 for the hash function padding + 8 for message length */ + v = 9; + + if (hash_block > 0) { + int max_blocks = (max_mac_data+v+hash_block-1)/hash_block; + int hashed_blocks = (mac_data+v+hash_block-1)/hash_block; + unsigned to_hash; + + max_blocks -= hashed_blocks; + if (max_blocks < 1) + return; + + to_hash = max_blocks * hash_block; + if ((unsigned)to_hash+1+tag_size < plaintext->size) { + _gnutls_auth_cipher_add_auth + (¶ms->read.cipher_state, + plaintext->data+plaintext->size-tag_size-to_hash-1, + to_hash); } } } @@ -749,8 +750,10 @@ decrypt_packet(gnutls_session_t session, if (unlikely (gnutls_memcmp(tag, tag_ptr, tag_size) != 0 || pad_failed != 0)) { /* HMAC was not the same. */ - dummy_wait(params, plain, pad_failed, pad, - length + preamble_size); + gnutls_datum_t data = {plain->data, ciphertext->size}; + + dummy_wait(params, &data, length + preamble_size, + preamble_size + ciphertext->size - tag_size - 1); return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED); }
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor