diff options
| author | Emilia Kasper <emilia@openssl.org> | 2014-08-28 19:43:49 +0200 |
|---|---|---|
| committer | Janusz Kozerski <j.kozerski@samsung.com> | 2014-10-20 15:26:05 +0200 |
| commit | aa4180df90711670172a4409d935bce71f6f51d4 (patch) | |
| tree | e305c734be3c2bc311fc36c771de3b7eded30e92 /ssl/s3_cbc.c | |
| parent | 1735ece938c848d8bd2a004dd5f7e993eb0d0b1a (diff) | |
| download | openssl-aa4180df90711670172a4409d935bce71f6f51d4.tar.gz openssl-aa4180df90711670172a4409d935bce71f6f51d4.tar.bz2 openssl-aa4180df90711670172a4409d935bce71f6f51d4.zip | |
RT3066: rewrite RSA padding checks to be slightly more constant time.
Also tweak s3_cbc.c to use new constant-time methods.
Also fix memory leaks from internal errors in RSA_padding_check_PKCS1_OAEP_mgf1
This patch is based on the original RT submission by Adam Langley <agl@chromium.org>,
as well as code from BoringSSL and OpenSSL.
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Conflicts:
crypto/rsa/rsa_oaep.c
Diffstat (limited to 'ssl/s3_cbc.c')
| -rw-r--r-- | ssl/s3_cbc.c | 9 |
1 files changed, 5 insertions, 4 deletions
diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c index 2aa6a26..11f13ad 100644 --- a/ssl/s3_cbc.c +++ b/ssl/s3_cbc.c @@ -96,7 +96,7 @@ int ssl3_cbc_remove_padding(const SSL* s, padding_length = good & (padding_length+1); rec->length -= padding_length; rec->type |= padding_length<<8; /* kludge: pass padding length */ - return (int)((good & 1) | (~good & -1)); + return constant_time_select_int(good, 1, -1); } /* tls1_cbc_remove_padding removes the CBC padding from the decrypted, TLS, CBC @@ -193,7 +193,7 @@ int tls1_cbc_remove_padding(const SSL* s, rec->length -= padding_length; rec->type |= padding_length<<8; /* kludge: pass padding length */ - return (int)((good & 1) | (~good & -1)); + return constant_time_select_int(good, 1, -1); } /* ssl3_cbc_copy_mac copies |md_size| bytes from the end of |rec| to |out| in @@ -652,7 +652,7 @@ void ssl3_cbc_digest_record( /* If this is the block containing the end of the * application data, and we are at the offset for the * 0x80 value, then overwrite b with 0x80. */ - b = (b&~is_past_c) | (0x80&is_past_c); + b = constant_time_select_8(is_past_c, 0x80, b); /* If this the the block containing the end of the * application data and we're past the 0x80 value then * just write zero. */ @@ -668,7 +668,8 @@ void ssl3_cbc_digest_record( if (j >= md_block_size - md_length_size) { /* If this is index_b, write a length byte. */ - b = (b&~is_block_b) | (is_block_b&length_bytes[j-(md_block_size-md_length_size)]); + b = constant_time_select_8( + is_block_b, length_bytes[j-(md_block_size-md_length_size)], b); } block[j] = b; } |