• Filippo Valsorda's avatar
    crypto/tls: implement countermeasures against CBC padding oracles · f28cf834
    Filippo Valsorda authored
    The aim is to make the decrypt() timing profile constant, irrespective of
    the CBC padding length or correctness.  The old algorithm, on valid padding,
    would only MAC bytes up to the padding length threshold, making CBC
    ciphersuites vulnerable to plaintext recovery attacks as presented in the
    "Lucky Thirteen" paper.
    
    The new algorithm Write()s to the MAC all supposed payload, performs a
    constant time Sum()---which required implementing a constant time Sum() in
    crypto/sha1, see the "Lucky Microseconds" paper---and then Write()s the rest
    of the data. This is performed whether the padding is good or not.
    
    This should have no explicit secret-dependent timings, but it does NOT
    attempt to normalize memory accesses to prevent cache timing leaks.
    
    Updates #13385
    
    Change-Id: I15d91dc3cc6eefc1d44f317f72ff8feb0a9888f7
    Reviewed-on: https://go-review.googlesource.com/18130
    Run-TryBot: Russ Cox <rsc@golang.org>
    TryBot-Result: Gobot Gobot <gobot@golang.org>
    Reviewed-by: 's avatarRuss Cox <rsc@golang.org>
    f28cf834
conn.go 37.8 KB