diff options
Diffstat (limited to 'src/lib/tls/msg_client_kex.cpp')
-rw-r--r-- | src/lib/tls/msg_client_kex.cpp | 52 |
1 files changed, 22 insertions, 30 deletions
diff --git a/src/lib/tls/msg_client_kex.cpp b/src/lib/tls/msg_client_kex.cpp index d7689df45..77e9795f4 100644 --- a/src/lib/tls/msg_client_kex.cpp +++ b/src/lib/tls/msg_client_kex.cpp @@ -270,41 +270,33 @@ Client_Key_Exchange::Client_Key_Exchange(const std::vector<byte>& contents, if(!dynamic_cast<const RSA_PrivateKey*>(server_rsa_kex_key)) throw Internal_Error("Expected RSA key but got " + server_rsa_kex_key->algo_name()); + TLS_Data_Reader reader("ClientKeyExchange", contents); + const std::vector<byte> encrypted_pre_master = reader.get_range<byte>(2, 0, 65535); + PK_Decryptor_EME decryptor(*server_rsa_kex_key, "PKCS1v15"); - Protocol_Version client_version = state.client_hello()->version(); + const byte client_major = state.client_hello()->version().major_version(); + const byte client_minor = state.client_hello()->version().minor_version(); /* - * This is used as the pre-master if RSA decryption fails. - * Otherwise we can be used as an oracle. See Bleichenbacher - * "Chosen Ciphertext Attacks against Protocols Based on RSA - * Encryption Standard PKCS #1", Crypto 98 - * - * Create it here instead if in the catch clause as otherwise we - * expose a timing channel WRT the generation of the fake value. - * Some timing channel likely remains due to exception handling - * and the like. + * PK_Decryptor::decrypt_or_random will return a random value if + * either the length does not match the expected value or if the + * version number embedded in the PMS does not match the one sent + * in the client hello. */ - secure_vector<byte> fake_pre_master = rng.random_vec(48); - fake_pre_master[0] = client_version.major_version(); - fake_pre_master[1] = client_version.minor_version(); - - try - { - TLS_Data_Reader reader("ClientKeyExchange", contents); - m_pre_master = decryptor.decrypt(reader.get_range<byte>(2, 0, 65535)); - - if(m_pre_master.size() != 48 || - client_version.major_version() != m_pre_master[0] || - client_version.minor_version() != m_pre_master[1]) - { - throw Decoding_Error("Client_Key_Exchange: Secret corrupted"); - } - } - catch(...) - { - m_pre_master = fake_pre_master; - } + const size_t expected_plaintext_size = 48; + const size_t expected_content_size = 2; + const byte expected_content_bytes[expected_content_size] = { client_major, client_minor }; + const byte expected_content_pos[expected_content_size] = { 0, 1 }; + + m_pre_master = + decryptor.decrypt_or_random(encrypted_pre_master.data(), + encrypted_pre_master.size(), + expected_plaintext_size, + rng, + expected_content_bytes, + expected_content_pos, + expected_content_size); } else { |