• Filippo Valsorda's avatar
    crypto/tls: implement countermeasures against CBC padding oracles · f28cf834
    Filippo Valsorda authored
    The aim is to make the decrypt() timing profile constant, irrespective of
    the CBC padding length or correctness.  The old algorithm, on valid padding,
    would only MAC bytes up to the padding length threshold, making CBC
    ciphersuites vulnerable to plaintext recovery attacks as presented in the
    "Lucky Thirteen" paper.
    
    The new algorithm Write()s to the MAC all supposed payload, performs a
    constant time Sum()---which required implementing a constant time Sum() in
    crypto/sha1, see the "Lucky Microseconds" paper---and then Write()s the rest
    of the data. This is performed whether the padding is good or not.
    
    This should have no explicit secret-dependent timings, but it does NOT
    attempt to normalize memory accesses to prevent cache timing leaks.
    
    Updates #13385
    
    Change-Id: I15d91dc3cc6eefc1d44f317f72ff8feb0a9888f7
    Reviewed-on: https://go-review.googlesource.com/18130
    Run-TryBot: Russ Cox <rsc@golang.org>
    TryBot-Result: Gobot Gobot <gobot@golang.org>
    Reviewed-by: 's avatarRuss Cox <rsc@golang.org>
    f28cf834
Name
Last commit
Last update
.github Loading commit data...
api Loading commit data...
doc Loading commit data...
lib/time Loading commit data...
misc Loading commit data...
src Loading commit data...
test Loading commit data...
.gitattributes Loading commit data...
.gitignore Loading commit data...
AUTHORS Loading commit data...
CONTRIBUTING.md Loading commit data...
CONTRIBUTORS Loading commit data...
LICENSE Loading commit data...
PATENTS Loading commit data...
README.md Loading commit data...
favicon.ico Loading commit data...
robots.txt Loading commit data...