• Filippo Valsorda's avatar
    crypto/tls: implement countermeasures against CBC padding oracles · f28cf834
    Filippo Valsorda authored
    The aim is to make the decrypt() timing profile constant, irrespective of
    the CBC padding length or correctness.  The old algorithm, on valid padding,
    would only MAC bytes up to the padding length threshold, making CBC
    ciphersuites vulnerable to plaintext recovery attacks as presented in the
    "Lucky Thirteen" paper.
    
    The new algorithm Write()s to the MAC all supposed payload, performs a
    constant time Sum()---which required implementing a constant time Sum() in
    crypto/sha1, see the "Lucky Microseconds" paper---and then Write()s the rest
    of the data. This is performed whether the padding is good or not.
    
    This should have no explicit secret-dependent timings, but it does NOT
    attempt to normalize memory accesses to prevent cache timing leaks.
    
    Updates #13385
    
    Change-Id: I15d91dc3cc6eefc1d44f317f72ff8feb0a9888f7
    Reviewed-on: https://go-review.googlesource.com/18130
    Run-TryBot: Russ Cox <rsc@golang.org>
    TryBot-Result: Gobot Gobot <gobot@golang.org>
    Reviewed-by: 's avatarRuss Cox <rsc@golang.org>
    f28cf834
Name
Last commit
Last update
..
aes Loading commit data...
cipher Loading commit data...
des Loading commit data...
dsa Loading commit data...
ecdsa Loading commit data...
elliptic Loading commit data...
hmac Loading commit data...
md5 Loading commit data...
rand Loading commit data...
rc4 Loading commit data...
rsa Loading commit data...
sha1 Loading commit data...
sha256 Loading commit data...
sha512 Loading commit data...
subtle Loading commit data...
tls Loading commit data...
x509 Loading commit data...
crypto.go Loading commit data...