mirror/openssl
2
0
Fork 0
mirror of https://github.com/openssl/openssl.git synced 2025-01-18 13:44:20 +08:00
Code Issues Packages Projects Releases Wiki Activity

e_aes_cbc_hmac_sha1.c: address the CBC decrypt timing issues.

Browse Source 
Address CBC decrypt timing issues and reenable the AESNI+SHA1 stitch.
This commit is contained in:
Andy Polyakov 2013-02-02 19:29:59 +01:00
parent f3e99ea072
commit 125093b59f
4 changed files with 208 additions and 40 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
crypto/evp/c_allc.c
View File

@ -195,13 +195,11 @@ void OpenSSL_add_all_ciphers(void)
EVP_add_cipher(EVP_aes_256_xts());
EVP_add_cipher_alias(SN_aes_256_cbc,"AES256");
EVP_add_cipher_alias(SN_aes_256_cbc,"aes256");
#if 0 /* Disabled because of timing side-channel leaks. */
#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
EVP_add_cipher(EVP_aes_128_cbc_hmac_sha1());
EVP_add_cipher(EVP_aes_256_cbc_hmac_sha1());
#endif
#endif
#endif
#ifndef OPENSSL_NO_CAMELLIA
EVP_add_cipher(EVP_camellia_128_ecb());

207
crypto/evp/e_aes_cbc_hmac_sha1.c
View File

@ -1,5 +1,5 @@
/* ====================================================================
* Copyright (c) 2011 The OpenSSL Project. All rights reserved.
* Copyright (c) 2011-2013 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@ -90,6 +90,10 @@ typedef struct
defined(_M_AMD64) || defined(_M_X64) || \
defined(__INTEL__) )
#if defined(__GNUC__) && __GNUC__>=2 && !defined(PEDANTIC)
# define BSWAP(x) ({ unsigned int r=(x); asm ("bswapl %0":"=r"(r):"0"(r)); r; })
#endif
extern unsigned int OPENSSL_ia32cap_P[2];
#define AESNI_CAPABLE (1<<(57-32))
@ -167,6 +171,9 @@ static void sha1_update(SHA_CTX *c,const void *data,size_t len)
SHA1_Update(c,ptr,res);
}
#ifdef SHA1_Update
#undef SHA1_Update
#endif
#define SHA1_Update sha1_update
static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
@ -184,6 +191,8 @@ static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
sha_off = SHA_CBLOCK-key->md.num;
#endif
key->payload_length = NO_PAYLOAD_LENGTH;
if (len%AES_BLOCK_SIZE) return 0;
if (ctx->encrypt) {
@ -234,47 +243,203 @@ static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
&key->ks,ctx->iv,1);
}
} else {
unsigned char mac[SHA_DIGEST_LENGTH];
union { unsigned int u[SHA_DIGEST_LENGTH/sizeof(unsigned int)];
unsigned char c[SHA_DIGEST_LENGTH]; } mac;
/* decrypt HMAC|padding at once */
aesni_cbc_encrypt(in,out,len,
&key->ks,ctx->iv,0);
if (plen) { /* "TLS" mode of operation */
/* figure out payload length */
if (len<(size_t)(out[len-1]+1+SHA_DIGEST_LENGTH))
return 0;
len -= (out[len-1]+1+SHA_DIGEST_LENGTH);
size_t inp_len, mask, j, i;
unsigned int res, maxpad, pad, bitlen;
int ret = 1;
union { unsigned int u[SHA_LBLOCK];
unsigned char c[SHA_CBLOCK]; }
*data = (void *)key->md.data;
if ((key->aux.tls_aad[plen-4]<<8|key->aux.tls_aad[plen-3])
>= TLS1_1_VERSION) {
len -= AES_BLOCK_SIZE;
>= TLS1_1_VERSION)
iv = AES_BLOCK_SIZE;
}
key->aux.tls_aad[plen-2] = len>>8;
key->aux.tls_aad[plen-1] = len;
if (len<(iv+SHA_DIGEST_LENGTH+1))
return 0;
/* calculate HMAC and verify it */
/* omit explicit iv */
out += iv;
len -= iv;
/* figure out payload length */
pad = out[len-1];
maxpad = len-(SHA_DIGEST_LENGTH+1);
maxpad |= (255-maxpad)>>(sizeof(maxpad)*8-8);
maxpad &= 255;
inp_len = len - (SHA_DIGEST_LENGTH+pad+1);
mask = (0-((inp_len-len)>>(sizeof(inp_len)*8-1)));
inp_len &= mask;
ret &= (int)mask;
key->aux.tls_aad[plen-2] = inp_len>>8;
key->aux.tls_aad[plen-1] = inp_len;
/* calculate HMAC */
key->md = key->head;
SHA1_Update(&key->md,key->aux.tls_aad,plen);
SHA1_Update(&key->md,out+iv,len);
SHA1_Final(mac,&key->md);
#if 1
len -= SHA_DIGEST_LENGTH; /* amend mac */
if (len>=(256+SHA_CBLOCK)) {
j = (len-(256+SHA_CBLOCK))&(0-SHA_CBLOCK);
j += SHA_CBLOCK-key->md.num;
SHA1_Update(&key->md,out,j);
out += j;
len -= j;
inp_len -= j;
}
/* but pretend as if we hashed padded payload */
bitlen = key->md.Nl+(inp_len<<3); /* at most 18 bits */
mac.c[0] = 0;
mac.c[1] = (unsigned char)(bitlen>>16);
mac.c[2] = (unsigned char)(bitlen>>8);
mac.c[3] = (unsigned char)bitlen;
bitlen = mac.u[0];
mac.u[0]=0;
mac.u[1]=0;
mac.u[2]=0;
mac.u[3]=0;
mac.u[4]=0;
for (res=key->md.num, j=0;j<len;j++) {
size_t c = out[j];
mask = (j-inp_len)>>(sizeof(j)*8-8);
c &= mask;
c |= 0x80&~mask&~((inp_len-j)>>(sizeof(j)*8-8));
data->c[res++]=(unsigned char)c;
if (res!=SHA_CBLOCK) continue;
mask = 0-((inp_len+8-j)>>(sizeof(j)*8-1));
data->u[SHA_LBLOCK-1] |= bitlen&mask;
sha1_block_data_order(&key->md,data,1);
mask &= 0-((j-inp_len-73)>>(sizeof(j)*8-1));
mac.u[0] |= key->md.h0 & mask;
mac.u[1] |= key->md.h1 & mask;
mac.u[2] |= key->md.h2 & mask;
mac.u[3] |= key->md.h3 & mask;
mac.u[4] |= key->md.h4 & mask;
res=0;
}
for(i=res;i<SHA_CBLOCK;i++,j++) data->c[i]=0;
if (res>SHA_CBLOCK-8) {
mask = 0-((inp_len+8-j)>>(sizeof(j)*8-1));
data->u[SHA_LBLOCK-1] |= bitlen&mask;
sha1_block_data_order(&key->md,data,1);
mask &= 0-((j-inp_len-73)>>(sizeof(j)*8-1));
mac.u[0] |= key->md.h0 & mask;
mac.u[1] |= key->md.h1 & mask;
mac.u[2] |= key->md.h2 & mask;
mac.u[3] |= key->md.h3 & mask;
mac.u[4] |= key->md.h4 & mask;
memset(data,0,SHA_CBLOCK);
j+=64;
}
data->u[SHA_LBLOCK-1] = bitlen;
sha1_block_data_order(&key->md,data,1);
mask = 0-((j-inp_len-73)>>(sizeof(j)*8-1));
mac.u[0] |= key->md.h0 & mask;
mac.u[1] |= key->md.h1 & mask;
mac.u[2] |= key->md.h2 & mask;
mac.u[3] |= key->md.h3 & mask;
mac.u[4] |= key->md.h4 & mask;
#ifdef BSWAP
mac.u[0] = BSWAP(mac.u[0]);
mac.u[1] = BSWAP(mac.u[1]);
mac.u[2] = BSWAP(mac.u[2]);
mac.u[3] = BSWAP(mac.u[3]);
mac.u[4] = BSWAP(mac.u[4]);
#else
for (i=0;i<5;i++) {
res = mac.u[i];
mac.c[4*i+0]=(unsigned char)(res>>24);
mac.c[4*i+1]=(unsigned char)(res>>16);
mac.c[4*i+2]=(unsigned char)(res>>8);
mac.c[4*i+3]=(unsigned char)res;
}
#endif
len += SHA_DIGEST_LENGTH;
#else
SHA1_Update(&key->md,out,inp_len);
res = key->md.num;
SHA1_Final(mac.c,&key->md);
{
unsigned int inp_blocks, pad_blocks;
/* but pretend as if we hashed padded payload */
inp_blocks = 1+((SHA_CBLOCK-9-res)>>(sizeof(res)*8-1));
res += (unsigned int)(len-inp_len);
pad_blocks = res / SHA_CBLOCK;
res %= SHA_CBLOCK;
pad_blocks += 1+((SHA_CBLOCK-9-res)>>(sizeof(res)*8-1));
for (;inp_blocks<pad_blocks;inp_blocks++)
sha1_block_data_order(&key->md,data,1);
}
#endif
key->md = key->tail;
SHA1_Update(&key->md,mac,SHA_DIGEST_LENGTH);
SHA1_Final(mac,&key->md);
SHA1_Update(&key->md,mac.c,SHA_DIGEST_LENGTH);
SHA1_Final(mac.c,&key->md);
if (memcmp(out+iv+len,mac,SHA_DIGEST_LENGTH))
return 0;
/* verify HMAC */
out += inp_len;
len -= inp_len;
#if 1
{
unsigned char *p = out+len-1-maxpad-SHA_DIGEST_LENGTH;
size_t off = out-p;
unsigned int c, cmask;
maxpad += SHA_DIGEST_LENGTH;
for (res=0,i=0,j=0;j<maxpad;j++) {
c = p[j];
cmask = ((int)(j-off-SHA_DIGEST_LENGTH))>>(sizeof(int)*8-1);
res |= (c^pad)&~cmask; /* ... and padding */
cmask &= ((int)(off-1-j))>>(sizeof(int)*8-1);
res |= (c^mac.c[i])&cmask;
i += 1&cmask;
}
maxpad -= SHA_DIGEST_LENGTH;
res = 0-((0-res)>>(sizeof(res)*8-1));
ret &= (int)~res;
}
#else
for (res=0,i=0;i<SHA_DIGEST_LENGTH;i++)
res |= out[i]^mac.c[i];
res = 0-((0-res)>>(sizeof(res)*8-1));
ret &= (int)~res;
/* verify padding */
pad = (pad&~res) | (maxpad&res);
out = out+len-1-pad;
for (res=0,i=0;i<pad;i++)
res |= out[i]^pad;
res = (0-res)>>(sizeof(res)*8-1);
ret &= (int)~res;
#endif
return ret;
} else {
SHA1_Update(&key->md,out,len);
}
}
key->payload_length = NO_PAYLOAD_LENGTH;
return 1;
}

37
ssl/s3_cbc.c
View File

@ -150,6 +150,21 @@ int tls1_cbc_remove_padding(const SSL* s,
if (overhead > rec->length)
return 0;
/* We can always safely skip the explicit IV. We check at the beginning
* of this function that the record has at least enough space for the
* IV, MAC and padding length byte. (These can be checked in
* non-constant time because it's all public information.) So, if the
* padding was invalid, then we didn't change |rec->length| and this is
* safe. If the padding was valid then we know that we have at least
* overhead+padding_length bytes of space and so this is still safe
* because overhead accounts for the explicit IV. */
if (has_explicit_iv)
{
rec->data += block_size;
rec->input += block_size;
rec->length -= block_size;
}
padding_length = rec->data[rec->length-1];
/* NB: if compression is in operation the first packet may not be of
@ -172,6 +187,13 @@ int tls1_cbc_remove_padding(const SSL* s,
}
}
if (EVP_CIPHER_flags(s->enc_read_ctx->cipher)&EVP_CIPH_FLAG_AEAD_CIPHER)
{
/* padding is already verified */
rec->length -= padding_length;
return 1;
}
good = constant_time_ge(rec->length, overhead+padding_length);
/* The padding consists of a length byte at the end of the record and
* then that many bytes of padding, all with the same value as the
@ -209,21 +231,6 @@ int tls1_cbc_remove_padding(const SSL* s,
rec->length -= padding_length;
rec->type |= padding_length<<8; /* kludge: pass padding length */
/* We can always safely skip the explicit IV. We check at the beginning
* of this function that the record has at least enough space for the
* IV, MAC and padding length byte. (These can be checked in
* non-constant time because it's all public information.) So, if the
* padding was invalid, then we didn't change |rec->length| and this is
* safe. If the padding was valid then we know that we have at least
* overhead+padding_length bytes of space and so this is still safe
* because overhead accounts for the explicit IV. */
if (has_explicit_iv)
{
rec->data += block_size;
rec->input += block_size;
rec->length -= block_size;
}
return (int)((good & 1) | (~good & -1));
}

2
ssl/ssl_algs.c
View File

@ -90,12 +90,10 @@ int SSL_library_init(void)
EVP_add_cipher(EVP_aes_256_cbc());
EVP_add_cipher(EVP_aes_128_gcm());
EVP_add_cipher(EVP_aes_256_gcm());
#if 0 /* Disabled because of timing side-channel leaks. */
#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
EVP_add_cipher(EVP_aes_128_cbc_hmac_sha1());
EVP_add_cipher(EVP_aes_256_cbc_hmac_sha1());
#endif
#endif
#endif
#ifndef OPENSSL_NO_CAMELLIA