e_aes_cbc_hmac_sha1.c: address the CBC decrypt timing issues.
authorAndy Polyakov <appro@openssl.org>
Sat, 2 Feb 2013 18:29:59 +0000 (19:29 +0100)
committerAndy Polyakov <appro@openssl.org>
Sat, 2 Feb 2013 18:35:09 +0000 (19:35 +0100)
Address CBC decrypt timing issues and reenable the AESNI+SHA1 stitch.

crypto/evp/c_allc.c
crypto/evp/e_aes_cbc_hmac_sha1.c
ssl/s3_cbc.c
ssl/ssl_algs.c

index e230e60..2a45d43 100644 (file)
@@ -195,13 +195,11 @@ void OpenSSL_add_all_ciphers(void)
        EVP_add_cipher(EVP_aes_256_xts());
        EVP_add_cipher_alias(SN_aes_256_cbc,"AES256");
        EVP_add_cipher_alias(SN_aes_256_cbc,"aes256");
-#if 0  /* Disabled because of timing side-channel leaks. */
 #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
        EVP_add_cipher(EVP_aes_128_cbc_hmac_sha1());
        EVP_add_cipher(EVP_aes_256_cbc_hmac_sha1());
 #endif
 #endif
-#endif
 
 #ifndef OPENSSL_NO_CAMELLIA
        EVP_add_cipher(EVP_camellia_128_ecb());
index 710fb79..18fc921 100644 (file)
@@ -1,5 +1,5 @@
 /* ====================================================================
- * Copyright (c) 2011 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 2011-2013 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -90,6 +90,10 @@ typedef struct
        defined(_M_AMD64)       || defined(_M_X64)      || \
        defined(__INTEL__)      )
 
+#if defined(__GNUC__) && __GNUC__>=2 && !defined(PEDANTIC)
+# define BSWAP(x) ({ unsigned int r=(x); asm ("bswapl %0":"=r"(r):"0"(r)); r; })
+#endif
+
 extern unsigned int OPENSSL_ia32cap_P[2];
 #define AESNI_CAPABLE   (1<<(57-32))
 
@@ -167,6 +171,9 @@ static void sha1_update(SHA_CTX *c,const void *data,size_t len)
                SHA1_Update(c,ptr,res);
 }
 
+#ifdef SHA1_Update
+#undef SHA1_Update
+#endif
 #define SHA1_Update sha1_update
 
 static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
@@ -184,6 +191,8 @@ static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
        sha_off = SHA_CBLOCK-key->md.num;
 #endif
 
+       key->payload_length = NO_PAYLOAD_LENGTH;
+
        if (len%AES_BLOCK_SIZE) return 0;
 
        if (ctx->encrypt) {
@@ -234,47 +243,203 @@ static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                                        &key->ks,ctx->iv,1);
                }
        } else {
-               unsigned char mac[SHA_DIGEST_LENGTH];
+               union { unsigned int  u[SHA_DIGEST_LENGTH/sizeof(unsigned int)];
+                       unsigned char c[SHA_DIGEST_LENGTH]; } mac;
 
                /* decrypt HMAC|padding at once */
                aesni_cbc_encrypt(in,out,len,
                                &key->ks,ctx->iv,0);
 
                if (plen) {     /* "TLS" mode of operation */
-                       /* figure out payload length */
-                       if (len<(size_t)(out[len-1]+1+SHA_DIGEST_LENGTH))
-                               return 0;
-
-                       len -= (out[len-1]+1+SHA_DIGEST_LENGTH);
+                       size_t inp_len, mask, j, i;
+                       unsigned int res, maxpad, pad, bitlen;
+                       int ret = 1;
+                       union { unsigned int  u[SHA_LBLOCK];
+                               unsigned char c[SHA_CBLOCK]; }
+                               *data = (void *)key->md.data;
 
                        if ((key->aux.tls_aad[plen-4]<<8|key->aux.tls_aad[plen-3])
-                           >= TLS1_1_VERSION) {
-                               len -= AES_BLOCK_SIZE;
+                           >= TLS1_1_VERSION)
                                iv = AES_BLOCK_SIZE;
-                       }
 
-                       key->aux.tls_aad[plen-2] = len>>8;
-                       key->aux.tls_aad[plen-1] = len;
+                       if (len<(iv+SHA_DIGEST_LENGTH+1))
+                               return 0;
+
+                       /* omit explicit iv */
+                       out += iv;
+                       len -= iv;
+
+                       /* figure out payload length */
+                       pad = out[len-1];
+                       maxpad = len-(SHA_DIGEST_LENGTH+1);
+                       maxpad |= (255-maxpad)>>(sizeof(maxpad)*8-8);
+                       maxpad &= 255;
+
+                       inp_len = len - (SHA_DIGEST_LENGTH+pad+1);
+                       mask = (0-((inp_len-len)>>(sizeof(inp_len)*8-1)));
+                       inp_len &= mask;
+                       ret &= (int)mask;
 
-                       /* calculate HMAC and verify it */
+                       key->aux.tls_aad[plen-2] = inp_len>>8;
+                       key->aux.tls_aad[plen-1] = inp_len;
+
+                       /* calculate HMAC */
                        key->md = key->head;
                        SHA1_Update(&key->md,key->aux.tls_aad,plen);
-                       SHA1_Update(&key->md,out+iv,len);
-                       SHA1_Final(mac,&key->md);
 
+#if 1
+                       len -= SHA_DIGEST_LENGTH;               /* amend mac */
+                       if (len>=(256+SHA_CBLOCK)) {
+                               j = (len-(256+SHA_CBLOCK))&(0-SHA_CBLOCK);
+                               j += SHA_CBLOCK-key->md.num;
+                               SHA1_Update(&key->md,out,j);
+                               out += j;
+                               len -= j;
+                               inp_len -= j;
+                       }
+
+                       /* but pretend as if we hashed padded payload */
+                       bitlen = key->md.Nl+(inp_len<<3);       /* at most 18 bits */
+                       mac.c[0] = 0;
+                       mac.c[1] = (unsigned char)(bitlen>>16);
+                       mac.c[2] = (unsigned char)(bitlen>>8);
+                       mac.c[3] = (unsigned char)bitlen;
+                       bitlen = mac.u[0];
+
+                       mac.u[0]=0;
+                       mac.u[1]=0;
+                       mac.u[2]=0;
+                       mac.u[3]=0;
+                       mac.u[4]=0;
+
+                       for (res=key->md.num, j=0;j<len;j++) {
+                               size_t c = out[j];
+                               mask = (j-inp_len)>>(sizeof(j)*8-8);
+                               c &= mask;
+                               c |= 0x80&~mask&~((inp_len-j)>>(sizeof(j)*8-8));
+                               data->c[res++]=(unsigned char)c;
+
+                               if (res!=SHA_CBLOCK) continue;
+
+                               mask = 0-((inp_len+8-j)>>(sizeof(j)*8-1));
+                               data->u[SHA_LBLOCK-1] |= bitlen&mask;
+                               sha1_block_data_order(&key->md,data,1);
+                               mask &= 0-((j-inp_len-73)>>(sizeof(j)*8-1));
+                               mac.u[0] |= key->md.h0 & mask;
+                               mac.u[1] |= key->md.h1 & mask;
+                               mac.u[2] |= key->md.h2 & mask;
+                               mac.u[3] |= key->md.h3 & mask;
+                               mac.u[4] |= key->md.h4 & mask;
+                               res=0;
+                       }
+
+                       for(i=res;i<SHA_CBLOCK;i++,j++) data->c[i]=0;
+
+                       if (res>SHA_CBLOCK-8) {
+                               mask = 0-((inp_len+8-j)>>(sizeof(j)*8-1));
+                               data->u[SHA_LBLOCK-1] |= bitlen&mask;
+                               sha1_block_data_order(&key->md,data,1);
+                               mask &= 0-((j-inp_len-73)>>(sizeof(j)*8-1));
+                               mac.u[0] |= key->md.h0 & mask;
+                               mac.u[1] |= key->md.h1 & mask;
+                               mac.u[2] |= key->md.h2 & mask;
+                               mac.u[3] |= key->md.h3 & mask;
+                               mac.u[4] |= key->md.h4 & mask;
+
+                               memset(data,0,SHA_CBLOCK);
+                               j+=64;
+                       }
+                       data->u[SHA_LBLOCK-1] = bitlen;
+                       sha1_block_data_order(&key->md,data,1);
+                       mask = 0-((j-inp_len-73)>>(sizeof(j)*8-1));
+                       mac.u[0] |= key->md.h0 & mask;
+                       mac.u[1] |= key->md.h1 & mask;
+                       mac.u[2] |= key->md.h2 & mask;
+                       mac.u[3] |= key->md.h3 & mask;
+                       mac.u[4] |= key->md.h4 & mask;
+
+#ifdef BSWAP
+                       mac.u[0] = BSWAP(mac.u[0]);
+                       mac.u[1] = BSWAP(mac.u[1]);
+                       mac.u[2] = BSWAP(mac.u[2]);
+                       mac.u[3] = BSWAP(mac.u[3]);
+                       mac.u[4] = BSWAP(mac.u[4]);
+#else
+                       for (i=0;i<5;i++) {
+                               res = mac.u[i];
+                               mac.c[4*i+0]=(unsigned char)(res>>24);
+                               mac.c[4*i+1]=(unsigned char)(res>>16);
+                               mac.c[4*i+2]=(unsigned char)(res>>8);
+                               mac.c[4*i+3]=(unsigned char)res;
+                       }
+#endif
+                       len += SHA_DIGEST_LENGTH;
+#else
+                       SHA1_Update(&key->md,out,inp_len);
+                       res = key->md.num;
+                       SHA1_Final(mac.c,&key->md);
+
+                       {
+                       unsigned int inp_blocks, pad_blocks;
+
+                       /* but pretend as if we hashed padded payload */
+                       inp_blocks = 1+((SHA_CBLOCK-9-res)>>(sizeof(res)*8-1));
+                       res += (unsigned int)(len-inp_len);
+                       pad_blocks = res / SHA_CBLOCK;
+                       res %= SHA_CBLOCK;
+                       pad_blocks += 1+((SHA_CBLOCK-9-res)>>(sizeof(res)*8-1));
+                       for (;inp_blocks<pad_blocks;inp_blocks++)
+                               sha1_block_data_order(&key->md,data,1);
+                       }
+#endif
                        key->md = key->tail;
-                       SHA1_Update(&key->md,mac,SHA_DIGEST_LENGTH);
-                       SHA1_Final(mac,&key->md);
+                       SHA1_Update(&key->md,mac.c,SHA_DIGEST_LENGTH);
+                       SHA1_Final(mac.c,&key->md);
 
-                       if (memcmp(out+iv+len,mac,SHA_DIGEST_LENGTH))
-                               return 0;
+                       /* verify HMAC */
+                       out += inp_len;
+                       len -= inp_len;
+#if 1
+                       {
+                       unsigned char *p = out+len-1-maxpad-SHA_DIGEST_LENGTH;
+                       size_t off = out-p;
+                       unsigned int c, cmask;
+
+                       maxpad += SHA_DIGEST_LENGTH;
+                       for (res=0,i=0,j=0;j<maxpad;j++) {
+                               c = p[j];
+                               cmask = ((int)(j-off-SHA_DIGEST_LENGTH))>>(sizeof(int)*8-1);
+                               res |= (c^pad)&~cmask;  /* ... and padding */
+                               cmask &= ((int)(off-1-j))>>(sizeof(int)*8-1);
+                               res |= (c^mac.c[i])&cmask;
+                               i += 1&cmask;
+                       }
+                       maxpad -= SHA_DIGEST_LENGTH;
+
+                       res = 0-((0-res)>>(sizeof(res)*8-1));
+                       ret &= (int)~res;
+                       }
+#else
+                       for (res=0,i=0;i<SHA_DIGEST_LENGTH;i++)
+                               res |= out[i]^mac.c[i];
+                       res = 0-((0-res)>>(sizeof(res)*8-1));
+                       ret &= (int)~res;
+
+                       /* verify padding */
+                       pad = (pad&~res) | (maxpad&res);
+                       out = out+len-1-pad;
+                       for (res=0,i=0;i<pad;i++)
+                               res |= out[i]^pad;
+
+                       res = (0-res)>>(sizeof(res)*8-1);
+                       ret &= (int)~res;
+#endif
+                       return ret;
                } else {
                        SHA1_Update(&key->md,out,len);
                }
        }
 
-       key->payload_length = NO_PAYLOAD_LENGTH;
-
        return 1;
        }
 
index b91d840..3c2c165 100644 (file)
@@ -150,6 +150,21 @@ int tls1_cbc_remove_padding(const SSL* s,
        if (overhead > rec->length)
                return 0;
 
+       /* We can always safely skip the explicit IV. We check at the beginning
+        * of this function that the record has at least enough space for the
+        * IV, MAC and padding length byte. (These can be checked in
+        * non-constant time because it's all public information.) So, if the
+        * padding was invalid, then we didn't change |rec->length| and this is
+        * safe. If the padding was valid then we know that we have at least
+        * overhead+padding_length bytes of space and so this is still safe
+        * because overhead accounts for the explicit IV. */
+       if (has_explicit_iv)
+               {
+               rec->data += block_size;
+               rec->input += block_size;
+               rec->length -= block_size;
+               }
+
        padding_length = rec->data[rec->length-1];
 
        /* NB: if compression is in operation the first packet may not be of
@@ -172,6 +187,13 @@ int tls1_cbc_remove_padding(const SSL* s,
                        }
                }
 
+       if (EVP_CIPHER_flags(s->enc_read_ctx->cipher)&EVP_CIPH_FLAG_AEAD_CIPHER)
+               {
+               /* padding is already verified */
+               rec->length -= padding_length;
+               return 1;
+               }
+
        good = constant_time_ge(rec->length, overhead+padding_length);
        /* The padding consists of a length byte at the end of the record and
         * then that many bytes of padding, all with the same value as the
@@ -209,21 +231,6 @@ int tls1_cbc_remove_padding(const SSL* s,
        rec->length -= padding_length;
        rec->type |= padding_length<<8; /* kludge: pass padding length */
 
-       /* We can always safely skip the explicit IV. We check at the beginning
-        * of this function that the record has at least enough space for the
-        * IV, MAC and padding length byte. (These can be checked in
-        * non-constant time because it's all public information.) So, if the
-        * padding was invalid, then we didn't change |rec->length| and this is
-        * safe. If the padding was valid then we know that we have at least
-        * overhead+padding_length bytes of space and so this is still safe
-        * because overhead accounts for the explicit IV. */
-       if (has_explicit_iv)
-               {
-               rec->data += block_size;
-               rec->input += block_size;
-               rec->length -= block_size;
-               }
-
        return (int)((good & 1) | (~good & -1));
        }
 
index 41ccbaa..9c34d19 100644 (file)
@@ -90,12 +90,10 @@ int SSL_library_init(void)
        EVP_add_cipher(EVP_aes_256_cbc());
        EVP_add_cipher(EVP_aes_128_gcm());
        EVP_add_cipher(EVP_aes_256_gcm());
-#if 0 /* Disabled because of timing side-channel leaks. */
 #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
        EVP_add_cipher(EVP_aes_128_cbc_hmac_sha1());
        EVP_add_cipher(EVP_aes_256_cbc_hmac_sha1());
 #endif
-#endif
 
 #endif
 #ifndef OPENSSL_NO_CAMELLIA