From 924b11742296c13816a9f301e76fea023003920c Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Thu, 31 Jan 2013 14:35:34 +0000 Subject: [PATCH] Timing fix mitigation for FIPS mode. We have to use EVP in FIPS mode so we can only partially mitigate timing differences. Make an extra call to HMAC_Update to hash additonal blocks to cover any timing differences caused by removal of padding. --- ssl/s3_cbc.c | 51 ++++++++++++++++++++++++++++++++++++++++++++++++++ ssl/ssl_locl.h | 3 +++ ssl/t1_enc.c | 8 ++++++++ 3 files changed, 62 insertions(+) diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c index a29ff66b79..1819f6cf01 100644 --- a/ssl/s3_cbc.c +++ b/ssl/s3_cbc.c @@ -367,6 +367,10 @@ static void tls1_sha512_final_raw(void* ctx, unsigned char *md_out) * which ssl3_cbc_digest_record supports. */ char ssl3_cbc_record_digest_supported(const EVP_MD *digest) { +#ifdef OPENSSL_FIPS + if (FIPS_mode()) + return 0; +#endif switch (digest->type) { case NID_md5: @@ -693,3 +697,50 @@ void ssl3_cbc_digest_record( *md_out_size = md_out_size_u; EVP_MD_CTX_cleanup(&md_ctx); } + +#ifdef OPENSSL_FIPS + +/* Due to the need to use EVP in FIPS mode we can't reimplement digests but + * we can ensure the number of blocks processed is equal for all cases + * by digesting additional data. + */ + +void tls_fips_digest_extra( + const EVP_CIPHER_CTX *cipher_ctx, const EVP_MD *hash, HMAC_CTX *hctx, + const unsigned char *data, size_t data_len, size_t orig_len) + { + size_t block_size, digest_pad, blocks_data, blocks_orig; + if (EVP_CIPHER_CTX_mode(cipher_ctx) != EVP_CIPH_CBC_MODE) + return; + block_size = EVP_MD_block_size(hash); + /* We are in FIPS mode if we get this far so we know we have only SHA* + * digests and TLS to deal with. + * Minimum digest padding length is 17 for SHA384/SHA512 and 9 + * otherwise. + * Additional header is 13 bytes. To get the number of digest blocks + * processed round up the amount of data plus padding to the nearest + * block length. Block length is 128 for SHA384/SHA512 and 64 otherwise. + * So we have: + * blocks = (payload_len + digest_pad + 13 + block_size - 1)/block_size + * equivalently: + * blocks = (payload_len + digest_pad + 12)/block_size + 1 + * HMAC adds a constant overhead. + * We're ultimately only interested in differences so this becomes + * blocks = (payload_len + 29)/128 + * for SHA384/SHA512 and + * blocks = (payload_len + 21)/64 + * otherwise. + */ + digest_pad = block_size == 64 ? 21 : 29; + blocks_orig = (orig_len + digest_pad)/block_size; + blocks_data = (data_len + digest_pad)/block_size; + /* MAC enough blocks to make up the difference between the original + * and actual lengths plus one extra block to ensure this is never a + * no op. The "data" pointer should always have enough space to + * perform this operation as it is large enough for a maximum + * length TLS buffer. + */ + HMAC_Update(hctx, data, + (blocks_orig - blocks_data + 1) * block_size); + } +#endif diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index 2f923a5e65..57e92323fc 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -1037,5 +1037,8 @@ void ssl3_cbc_digest_record( unsigned mac_secret_length, char is_sslv3); +void tls_fips_digest_extra( + const EVP_CIPHER_CTX *cipher_ctx, const EVP_MD *hash, HMAC_CTX *hctx, + const unsigned char *data, size_t data_len, size_t orig_len); #endif diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c index d621293a74..e75a66ba9d 100644 --- a/ssl/t1_enc.c +++ b/ssl/t1_enc.c @@ -758,6 +758,14 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send) HMAC_Update(&hmac,rec->input,rec->length); HMAC_Final(&hmac,md,&mds); md_size = mds; +#ifdef OPENSSL_FIPS + if (!send && FIPS_mode()) + tls_fips_digest_extra( + ssl->enc_read_ctx, + hash, + &hmac, rec->input, + rec->length, rec->orig_len); +#endif } HMAC_CTX_cleanup(&hmac); -- 2.34.1