Use new CT interface in ssl_tls12_server.c

Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
Dave Rodgman 2023-05-17 12:31:36 +01:00
parent 9f9c3b8c33
commit 293eedd3ad


@ -3481,9 +3481,8 @@ static int ssl_parse_encrypted_pms(mbedtls_ssl_context *ssl,
unsigned char *pms = ssl->handshake->premaster + pms_offset; unsigned char *pms = ssl->handshake->premaster + pms_offset;
unsigned char ver[2]; unsigned char ver[2];
unsigned char fake_pms[48], peer_pms[48]; unsigned char fake_pms[48], peer_pms[48];
unsigned char mask; size_t peer_pmslen;
size_t i, peer_pmslen; mbedtls_ct_condition_t diff;
unsigned int diff;
/* In case of a failure in decryption, the decryption may write less than /* In case of a failure in decryption, the decryption may write less than
* 2 bytes of output, but we always read the first two bytes. It doesn't * 2 bytes of output, but we always read the first two bytes. It doesn't
@ -3512,13 +3511,10 @@ static int ssl_parse_encrypted_pms(mbedtls_ssl_context *ssl,
/* Avoid data-dependent branches while checking for invalid /* Avoid data-dependent branches while checking for invalid
* padding, to protect against timing-based Bleichenbacher-type * padding, to protect against timing-based Bleichenbacher-type
* attacks. */ * attacks. */
diff = (unsigned int) ret; diff = mbedtls_ct_bool(ret);
diff |= peer_pmslen ^ 48; diff = mbedtls_ct_bool_or(diff, mbedtls_ct_bool_ne(peer_pmslen, 48));
diff |= peer_pms[0] ^ ver[0]; diff = mbedtls_ct_bool_or(diff, mbedtls_ct_bool_ne(peer_pms[0], ver[0]));
diff |= peer_pms[1] ^ ver[1]; diff = mbedtls_ct_bool_or(diff, mbedtls_ct_bool_ne(peer_pms[1], ver[1]));
/* mask = diff ? 0xff : 0x00 using bit operations to avoid branches */
mask = mbedtls_ct_uint_mask(diff);
/* /*
* Protection against Bleichenbacher's attack: invalid PKCS#1 v1.5 padding * Protection against Bleichenbacher's attack: invalid PKCS#1 v1.5 padding
@ -3537,7 +3533,7 @@ static int ssl_parse_encrypted_pms(mbedtls_ssl_context *ssl,
} }
#if defined(MBEDTLS_SSL_DEBUG_ALL) #if defined(MBEDTLS_SSL_DEBUG_ALL)
if (diff != 0) { if (diff != MBEDTLS_CT_FALSE) {
MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message")); MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
} }
#endif #endif
@ -3551,9 +3547,7 @@ static int ssl_parse_encrypted_pms(mbedtls_ssl_context *ssl,
/* Set pms to either the true or the fake PMS, without /* Set pms to either the true or the fake PMS, without
* data-dependent branches. */ * data-dependent branches. */
for (i = 0; i < ssl->handshake->pmslen; i++) { mbedtls_ct_memcpy_if(diff, pms, fake_pms, peer_pms, ssl->handshake->pmslen);
pms[i] = (mask & fake_pms[i]) | ((~mask) & peer_pms[i]);
}
return 0; return 0;
} }
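Review bot: With the `mask = diff ? 0xff : 0x00` comment gone, nothing in the hunk now states what a true `diff` means, and the reader has to work it out from the argument order of `mbedtls_ct_memcpy_if` at the end; I would add, above the first assignment in the padding-check hunk, `/* diff is MBEDTLS_CT_TRUE iff the decrypted PMS must be rejected; in that case fake_pms replaces it below. */`. The first assignment `diff = mbedtls_ct_bool(ret);` also passes a signed, possibly negative `ret` where the old code cast explicitly to `(unsigned int)`; if the new helper takes an unsigned argument, as the removed cast suggests, the implicit conversion is well-defined but an explicit cast would keep sign-conversion warnings quiet and make the intent (any nonzero status is a failure) visible. The `if (diff != MBEDTLS_CT_FALSE)` branch under `MBEDTLS_SSL_DEBUG_ALL` remains a data-dependent branch on the very value the rest of the function keeps branch-free, which is pre-existing but worth a one-line comment that it is debug-only and not timing-safe. ssl_parse_encrypted_pms starts outside the hunk.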