Cypherpunks.ru repositories - gostls13.git/commit

author	Filippo Valsorda <hi@filippo.io>
	Wed, 23 Dec 2015 02:03:44 +0000 (02:03 +0000)
committer	Russ Cox <rsc@golang.org>
	Tue, 4 Oct 2016 13:21:02 +0000 (13:21 +0000)
commit	f28cf8346c4ce7cb74bf97c7c69da21c43a78034
tree	3a0e2abedaa8ba6c014bf01bbfac514c3dcfa2f2	tree
parent	ad26bb5e3098cbfd7c0ad9a1dc9d38c92e50f06e	commit \| diff

crypto/tls: implement countermeasures against CBC padding oracles

The aim is to make the decrypt() timing profile constant, irrespective of
the CBC padding length or correctness. The old algorithm, on valid padding,
would only MAC bytes up to the padding length threshold, making CBC
ciphersuites vulnerable to plaintext recovery attacks as presented in the
"Lucky Thirteen" paper.

The new algorithm Write()s to the MAC all supposed payload, performs a
constant time Sum()---which required implementing a constant time Sum() in
crypto/sha1, see the "Lucky Microseconds" paper---and then Write()s the rest
of the data. This is performed whether the padding is good or not.

This should have no explicit secret-dependent timings, but it does NOT
attempt to normalize memory accesses to prevent cache timing leaks.

Updates #13385

Change-Id: I15d91dc3cc6eefc1d44f317f72ff8feb0a9888f7
Reviewed-on: https://go-review.googlesource.com/18130
Run-TryBot: Russ Cox <rsc@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Russ Cox <rsc@golang.org>

src/crypto/sha1/sha1.go		diff \| blob \| history
src/crypto/sha1/sha1_test.go		diff \| blob \| history
src/crypto/tls/cipher_suites.go		diff \| blob \| history
src/crypto/tls/conn.go		diff \| blob \| history
src/crypto/tls/conn_test.go		diff \| blob \| history