From 032c34e206730f7c7cede6909724c8f73db83637 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
Date: Sat, 7 Sep 2013 13:06:27 +0200
Subject: [PATCH] Don't use DH blinding for ephemeral DH

---
 include/polarssl/dhm.h | 7 ++++++-
 library/ssl_cli.c | 6 ++++--
 library/ssl_srv.c | 6 ++++--
 3 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/include/polarssl/dhm.h b/include/polarssl/dhm.h
index 4874bc8df..09de70b0e 100644
--- a/include/polarssl/dhm.h
+++ b/include/polarssl/dhm.h
@@ -228,7 +228,12 @@ int dhm_make_public( dhm_context *ctx, int x_size,
 * \return 0 if successful, or an POLARSSL_ERR_DHM_XXX error code
 *
 * \note If f_rng is not NULL, it is used to blind the input as
- * countermeasure against timing attacks.
+ * countermeasure against timing attacks. This is only useful
+ * when this function is called repeatedly with the same
+ * secret value (X field), eg when using DH key exchange as
+ * opposed to DHE. It is recommended to use a non-NULL f_rng
+ * only when needed, since otherwise this countermeasure has
+ * high overhead.
 */
 int dhm_calc_secret( dhm_context *ctx,
 unsigned char *output, size_t *olen,
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index e7512986c..19f0cb683 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -1711,10 +1711,11 @@ static int ssl_write_client_key_exchange( ssl_context *ssl )
 ssl->handshake->pmslen = ssl->handshake->dhm_ctx.len;
+ /* No blinding needed for DHE, but will be needed for fixed DH! */
 if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx,
 ssl->handshake->premaster,
 &ssl->handshake->pmslen,
- ssl->f_rng, ssl->p_rng ) ) != 0 )
+ NULL, NULL ) ) != 0 )
 {
 SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
 return( ret );
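Review bot: The expanded \note on dhm_calc_secret() leaves the contract implicit: it says a non-NULL f_rng is "recommended only when needed", but the actual requirement is that any caller reusing the same ctx->X across several calls must supply f_rng, because NULL runs the exponentiation with no countermeasure at all. I would state that as a requirement rather than advice, e.g. `* Callers that reuse the same X for more than one call (static DH) must pass a non-NULL f_rng; with f_rng == NULL the exponentiation is unblinded.` "eg" should read "e.g.". The Doxygen block this note belongs to starts outside the hunk.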
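Review bot: Passing `NULL, NULL` to dhm_calc_secret() here is only safe under an invariant the new comment does not name: dhm_ctx.X must be generated fresh for this handshake and never reused, since an unblinded exponentiation with a repeated secret is exactly the case the dhm.h \note warns about (the client's X presumably comes from the dhm_make_public() call earlier in ssl_write_client_key_exchange, outside this hunk — confirm). I would make the comment carry the invariant so that a later change caching or reusing the DH context cannot silently drop the countermeasure: `/* No blinding: dhm_ctx.X is fresh for this handshake. Blinding (f_rng) becomes mandatory if X is ever reused, i.e. fixed DH. */`. The same applies to the DHE-PSK call site later in this file and to both call sites in ssl_srv.c, where the server's X is likewise expected to be per-handshake. ssl_write_client_key_exchange starts and ends outside the hunk.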
@@ -1842,8 +1843,9 @@ static int ssl_write_client_key_exchange( ssl_context *ssl )
 *(p++) = (unsigned char)( ssl->handshake->dhm_ctx.len >> 8 );
 *(p++) = (unsigned char)( ssl->handshake->dhm_ctx.len );
+ /* No blinding needed since this is ephemeral DHM */
 if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx,
- p, &n, ssl->f_rng, ssl->p_rng ) ) != 0 )
+ p, &n, NULL, NULL ) ) != 0 )
 {
 SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
 return( ret );
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index f0936b403..21ceaf1f8 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -2384,10 +2384,11 @@ static int ssl_parse_client_key_exchange( ssl_context *ssl )
 ssl->handshake->pmslen = ssl->handshake->dhm_ctx.len;
+ /* No blinding needed for DHE, but will be needed for fixed DH! */
 if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx,
 ssl->handshake->premaster,
 &ssl->handshake->pmslen,
- ssl->f_rng, ssl->p_rng ) ) != 0 )
+ NULL, NULL ) ) != 0 )
 {
 SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
@@ -2472,8 +2473,9 @@ static int ssl_parse_client_key_exchange( ssl_context *ssl )
 n = ssl->handshake->dhm_ctx.len;
+ /* No blinding needed since this is ephemeral DHM */
 if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx,
- p, &n, ssl->f_rng, ssl->p_rng ) ) != 0 )
+ p, &n, NULL, NULL ) ) != 0 )
 {
 SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );