author | lloyd <[email protected]> | 2012-10-02 14:05:50 +0000 |
committer | lloyd <[email protected]> | 2012-10-02 14:05:50 +0000 |
commit | 7e0820857855d1e60ff886083bd30ec682c612fd (patch) | |
tree | 5a76232282a113d4062d55187eeb587056082136 /src | |
parent | 9e2bfe5928a40ab70eab2f8e5d5faedac0a57302 (diff) |
Generate the fake pre-master needed if the RSA computation fails ahead
of time. Otherwise we expose a timing channel WRT using the RNG.
Diffstat (limited to 'src')
-rw-r--r-- | src/tls/msg_client_kex.cpp | 20 |
1 files changed, 16 insertions, 4 deletions
diff --git a/src/tls/msg_client_kex.cpp b/src/tls/msg_client_kex.cpp
index b5539d550..10b439aaf 100644
--- a/src/tls/msg_client_kex.cpp
+++ b/src/tls/msg_client_kex.cpp
@@ -288,6 +288,21 @@ Client_Key_Exchange::Client_Key_Exchange(const std::vector<byte>& contents,
 Protocol_Version client_version = state.client_hello()->version();
+ /*
+ * This is used as the pre-master if RSA decryption fails.
+ * Otherwise we can be used as an oracle. See Bleichenbacher
+ * "Chosen Ciphertext Attacks against Protocols Based on RSA
+ * Encryption Standard PKCS #1", Crypto 98
+ *
+ * Create it here instead if in the catch clause as otherwise we
+ * expose a timing channel WRT the generation of the fake value.
+ * Some timing channel likely remains due to exception handling
+ * and the like.
+ */
+ secure_vector<byte> fake_pre_master = rng.random_vec(48);
+ fake_pre_master[0] = client_version.major_version();
+ fake_pre_master[1] = client_version.minor_version();
+
 try
 {
 if(state.version() == Protocol_Version::SSL_V3)
@@ -309,10 +324,7 @@ Client_Key_Exchange::Client_Key_Exchange(const std::vector<byte>& contents,
 }
 catch(...)
 {
- // Randomize to hide timing channel
- m_pre_master = rng.random_vec(48);
- m_pre_master[0] = client_version.major_version();
- m_pre_master[1] = client_version.minor_version();
+ m_pre_master = fake_pre_master;
 }
 }
 else |
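Review bot: In the second hunk `m_pre_master = fake_pre_master;` copies the 48-byte secret into a second buffer, and `fake_pre_master` is not used again after the catch; `m_pre_master = std::move(fake_pre_master);` would avoid the extra allocation and the second copy of key material, assuming `secure_vector` is movable in this tree (it looks like a `std::vector` alias here, but confirm). The new comment in the first hunk also has a typo in its explanation of why the value is built early: `* Create it here instead of in the catch clause as otherwise we`. It would help a reader to note there that the pre-existing `catch(...)` maps every failure, not only PKCS#1 padding errors, onto the fake pre-master, which is the intended behaviour for this countermeasure, and that the fake value is therefore generated on the success path too and simply discarded. The enclosing constructor starts and ends outside both hunks.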