Reimplement the TLSv1.2 record handling for the read side.

This is the next step in replacing the TLSv1.2 record layer. The existing record handling code does decryption and processing in place, which is not ideal for various reasons, however it is retained for now as other code depends on this behaviour. Additionally, CBC requires special handling to avoid timing oracles - for now the existing timing safe code is largely retained. ok beck@ inoguchi@ tb@
author: jsing <> 2020-10-03 17:35:17 +0000
committer: jsing <> 2020-10-03 17:35:17 +0000
commit: 3058247715ff89d092334e9137126e12b7220589 (patch)
tree: f4def91d73228cb651f854abf6bf23f4d3c22025 /src/lib/libssl/s3_cbc.c
parent: 0f1f8d13de82c94a30254ca849b3933f8356101b (diff)
download: openbsd-3058247715ff89d092334e9137126e12b7220589.tar.gz
openbsd-3058247715ff89d092334e9137126e12b7220589.tar.bz2
openbsd-3058247715ff89d092334e9137126e12b7220589.zip
1 files changed, 14 insertions, 16 deletions
diff --git a/src/lib/libssl/s3_cbc.c b/src/lib/libssl/s3_cbc.c
index 74e0562c2d..4f84c9485b 100644
--- a/src/lib/libssl/s3_cbc.c
+++ b/src/lib/libssl/s3_cbc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_cbc.c,v 1.22 2020/06/19 21:26:40 tb Exp $ */
+/* $OpenBSD: s3_cbc.c,v 1.23 2020/10/03 17:35:16 jsing Exp $ */
 /* ====================================================================
 * Copyright (c) 2012 The OpenSSL Project.  All rights reserved.
 *
@@ -101,7 +101,7 @@ constant_time_eq_8(unsigned int a, unsigned int b)
        return DUPLICATE_MSB_TO_ALL_8(c);
 }
-/* tls1_cbc_remove_padding removes the CBC padding from the decrypted, TLS, CBC
+/* ssl3_cbc_remove_padding removes the CBC padding from the decrypted, TLS, CBC
 * record in |rec| in constant time and returns 1 if the padding is valid and
 * -1 otherwise. It also removes any explicit IV from the start of the record
 * without leaking any timing about whether there was enough space after the
@@ -113,26 +113,24 @@ constant_time_eq_8(unsigned int a, unsigned int b)
 *   1: if the padding was valid
 *  -1: otherwise. */
 int
-tls1_cbc_remove_padding(const SSL* s, SSL3_RECORD_INTERNAL *rec,
+ssl3_cbc_remove_padding(SSL3_RECORD_INTERNAL *rec, unsigned int eiv_len,
-    unsigned int block_size, unsigned int mac_size)
+    unsigned int mac_size)
 {
        unsigned int padding_length, good, to_check, i;
        const unsigned int overhead = 1 /* padding length byte */ + mac_size;
-        /* Check if version requires explicit IV */
+        /*
-        if (SSL_USE_EXPLICIT_IV(s)) {
+         * These lengths are all public so we can test them in
-                /* These lengths are all public so we can test them in
+         * non-constant time.
-                 * non-constant time.
+         */
-                 */
+        if (overhead + eiv_len > rec->length)
-                if (overhead + block_size > rec->length)
-                        return 0;
-                /* We can now safely skip explicit IV */
-                rec->data += block_size;
-                rec->input += block_size;
-                rec->length -= block_size;
-        } else if (overhead > rec->length)
                return 0;
+        /* We can now safely skip explicit IV, if any. */
+        rec->data += eiv_len;
+        rec->input += eiv_len;
+        rec->length -= eiv_len;
        padding_length = rec->data[rec->length - 1];
        good = constant_time_ge(rec->length, overhead + padding_length);
author	jsing <>	2020-10-03 17:35:17 +0000
committer	jsing <>	2020-10-03 17:35:17 +0000
commit	3058247715ff89d092334e9137126e12b7220589 (patch)
tree	f4def91d73228cb651f854abf6bf23f4d3c22025 /src/lib/libssl/s3_cbc.c
parent	0f1f8d13de82c94a30254ca849b3933f8356101b (diff)
download	openbsd-3058247715ff89d092334e9137126e12b7220589.tar.gz openbsd-3058247715ff89d092334e9137126e12b7220589.tar.bz2 openbsd-3058247715ff89d092334e9137126e12b7220589.zip