aboutsummaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorlloyd <[email protected]>2012-10-02 14:05:50 +0000
committerlloyd <[email protected]>2012-10-02 14:05:50 +0000
commit7e0820857855d1e60ff886083bd30ec682c612fd (patch)
tree5a76232282a113d4062d55187eeb587056082136 /src
parent9e2bfe5928a40ab70eab2f8e5d5faedac0a57302 (diff)
Generate the fake pre master needed if the RSA computation fails ahead
of time. Otherwise we expose a timing channel WRT using the RNG.
Diffstat (limited to 'src')
-rw-r--r--src/tls/msg_client_kex.cpp20
1 files changed, 16 insertions, 4 deletions
diff --git a/src/tls/msg_client_kex.cpp b/src/tls/msg_client_kex.cpp
index b5539d550..10b439aaf 100644
--- a/src/tls/msg_client_kex.cpp
+++ b/src/tls/msg_client_kex.cpp
@@ -288,6 +288,21 @@ Client_Key_Exchange::Client_Key_Exchange(const std::vector<byte>& contents,
Protocol_Version client_version = state.client_hello()->version();
+ /*
+ * This is used as the pre-master if RSA decryption fails.
+ * Otherwise we can be used as an oracle. See Bleichenbacher
+ * "Chosen Ciphertext Attacks against Protocols Based on RSA
+ * Encryption Standard PKCS #1", Crypto 98
+ *
+ * Create it here instead if in the catch clause as otherwise we
+ * expose a timing channel WRT the generation of the fake value.
+ * Some timing channel likely remains due to exception handling
+ * and the like.
+ */
+ secure_vector<byte> fake_pre_master = rng.random_vec(48);
+ fake_pre_master[0] = client_version.major_version();
+ fake_pre_master[1] = client_version.minor_version();
+
try
{
if(state.version() == Protocol_Version::SSL_V3)
@@ -309,10 +324,7 @@ Client_Key_Exchange::Client_Key_Exchange(const std::vector<byte>& contents,
}
catch(...)
{
- // Randomize to hide timing channel
- m_pre_master = rng.random_vec(48);
- m_pre_master[0] = client_version.major_version();
- m_pre_master[1] = client_version.minor_version();
+ m_pre_master = fake_pre_master;
}
}
else