|
|
b88a44 |
diff --git a/lib/gnutls_cipher.c b/lib/gnutls_cipher.c
|
|
|
b88a44 |
index 37478a4c3..65dde6899 100644
|
|
|
b88a44 |
--- a/lib/gnutls_cipher.c
|
|
|
b88a44 |
+++ b/lib/gnutls_cipher.c
|
|
|
b88a44 |
@@ -434,40 +434,41 @@ compressed_to_ciphertext(gnutls_session_t session,
|
|
|
b88a44 |
return length;
|
|
|
b88a44 |
}
|
|
|
b88a44 |
|
|
|
b88a44 |
-static void dummy_wait(record_parameters_st * params,
|
|
|
b88a44 |
- gnutls_datum_t * plaintext, unsigned pad_failed,
|
|
|
b88a44 |
- unsigned int pad, unsigned total)
|
|
|
b88a44 |
+static void dummy_wait(record_parameters_st *params,
|
|
|
b88a44 |
+ gnutls_datum_t *plaintext,
|
|
|
b88a44 |
+ unsigned int mac_data, unsigned int max_mac_data)
|
|
|
b88a44 |
{
|
|
|
b88a44 |
/* this hack is only needed on CBC ciphers */
|
|
|
b88a44 |
if (_gnutls_cipher_is_block(params->cipher) == CIPHER_BLOCK) {
|
|
|
b88a44 |
- unsigned len, v;
|
|
|
b88a44 |
+ unsigned v;
|
|
|
b88a44 |
+ unsigned int tag_size =
|
|
|
b88a44 |
+ _gnutls_auth_cipher_tag_len(¶ms->read.cipher_state);
|
|
|
b88a44 |
+ unsigned hash_block = _gnutls_mac_block_size(params->mac);
|
|
|
b88a44 |
|
|
|
b88a44 |
- /* force an additional hash compression function evaluation to prevent timing
|
|
|
b88a44 |
+ /* force additional hash compression function evaluations to prevent timing
|
|
|
b88a44 |
* attacks that distinguish between wrong-mac + correct pad, from wrong-mac + incorrect pad.
|
|
|
b88a44 |
*/
|
|
|
b88a44 |
- if (pad_failed == 0 && pad > 0) {
|
|
|
b88a44 |
- len = _gnutls_mac_block_size(params->mac);
|
|
|
b88a44 |
- if (len > 0) {
|
|
|
b88a44 |
- if (params->mac && params->mac->id == GNUTLS_MAC_SHA384)
|
|
|
b88a44 |
- /* v = 1 for the hash function padding + 16 for message length */
|
|
|
b88a44 |
- v = 17;
|
|
|
b88a44 |
- else /* v = 1 for the hash function padding + 8 for message length */
|
|
|
b88a44 |
- v = 9;
|
|
|
b88a44 |
-
|
|
|
b88a44 |
- if ((pad + total) % len > len - v
|
|
|
b88a44 |
- && total % len <= len - v) {
|
|
|
b88a44 |
- if (len < plaintext->size)
|
|
|
b88a44 |
- _gnutls_auth_cipher_add_auth
|
|
|
b88a44 |
- (¶ms->read.
|
|
|
b88a44 |
- cipher_state,
|
|
|
b88a44 |
- plaintext->data, len);
|
|
|
b88a44 |
- else
|
|
|
b88a44 |
- _gnutls_auth_cipher_add_auth
|
|
|
b88a44 |
- (¶ms->read.
|
|
|
b88a44 |
- cipher_state,
|
|
|
b88a44 |
- plaintext->data,
|
|
|
b88a44 |
- plaintext->size);
|
|
|
b88a44 |
- }
|
|
|
b88a44 |
+ if (params->mac && params->mac->id == GNUTLS_MAC_SHA384)
|
|
|
b88a44 |
+ /* v = 1 for the hash function padding + 16 for message length */
|
|
|
b88a44 |
+ v = 17;
|
|
|
b88a44 |
+ else /* v = 1 for the hash function padding + 8 for message length */
|
|
|
b88a44 |
+ v = 9;
|
|
|
b88a44 |
+
|
|
|
b88a44 |
+ if (hash_block > 0) {
|
|
|
b88a44 |
+ int max_blocks = (max_mac_data+v+hash_block-1)/hash_block;
|
|
|
b88a44 |
+ int hashed_blocks = (mac_data+v+hash_block-1)/hash_block;
|
|
|
b88a44 |
+ unsigned to_hash;
|
|
|
b88a44 |
+
|
|
|
b88a44 |
+ max_blocks -= hashed_blocks;
|
|
|
b88a44 |
+ if (max_blocks < 1)
|
|
|
b88a44 |
+ return;
|
|
|
b88a44 |
+
|
|
|
b88a44 |
+ to_hash = max_blocks * hash_block;
|
|
|
b88a44 |
+ if ((unsigned)to_hash+1+tag_size < plaintext->size) {
|
|
|
b88a44 |
+ _gnutls_auth_cipher_add_auth
|
|
|
b88a44 |
+ (¶ms->read.cipher_state,
|
|
|
b88a44 |
+ plaintext->data+plaintext->size-tag_size-to_hash-1,
|
|
|
b88a44 |
+ to_hash);
|
|
|
b88a44 |
}
|
|
|
b88a44 |
}
|
|
|
b88a44 |
}
|
|
|
b88a44 |
@@ -725,8 +726,10 @@ ciphertext_to_compressed(gnutls_session_t session,
|
|
|
b88a44 |
if (unlikely
|
|
|
b88a44 |
(memcmp(tag, tag_ptr, tag_size) != 0 || pad_failed != 0)) {
|
|
|
b88a44 |
/* HMAC was not the same. */
|
|
|
b88a44 |
- dummy_wait(params, compressed, pad_failed, pad,
|
|
|
b88a44 |
- length + preamble_size);
|
|
|
b88a44 |
+ gnutls_datum_t data = {compressed->data, ciphertext->size};
|
|
|
b88a44 |
+
|
|
|
b88a44 |
+ dummy_wait(params, &data, length + preamble_size,
|
|
|
b88a44 |
+ preamble_size + ciphertext->size - tag_size - 1);
|
|
|
b88a44 |
|
|
|
b88a44 |
return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
|
|
|
b88a44 |
}
|
|
|
b88a44 |
--
|
|
|
b88a44 |
2.14.3
|
|
|
b88a44 |
|