Use temporary buffer to hold the peer's HMAC

This paves the way for a constant-flow implementation of HMAC checking, by
making sure that the comparison happens at a constant address. The missing
step is obviously to copy the HMAC from the secret offset to this temporary
buffer with constant flow, which will be done in the next few commits.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
This commit is contained in:
Manuel Pégourié-Gonnard 2020-08-25 11:07:25 +02:00
parent f0b469e42b
commit ce45d1a759

View File

@ -2319,6 +2319,7 @@ static int ssl_decrypt_buf( mbedtls_ssl_context *ssl )
if( auth_done == 0 ) if( auth_done == 0 )
{ {
unsigned char mac_expect[MBEDTLS_SSL_MAC_ADD]; unsigned char mac_expect[MBEDTLS_SSL_MAC_ADD];
unsigned char mac_peer[MBEDTLS_SSL_MAC_ADD];
ssl->in_msglen -= ssl->transform_in->maclen; ssl->in_msglen -= ssl->transform_in->maclen;
@ -2333,6 +2334,8 @@ static int ssl_decrypt_buf( mbedtls_ssl_context *ssl )
ssl->in_msg, ssl->in_msglen, ssl->in_msg, ssl->in_msglen,
ssl->in_ctr, ssl->in_msgtype, ssl->in_ctr, ssl->in_msgtype,
mac_expect ); mac_expect );
memcpy( mac_peer, ssl->in_msg + ssl->in_msglen,
ssl->transform_in->maclen );
} }
else else
#endif /* MBEDTLS_SSL_PROTO_SSL3 */ #endif /* MBEDTLS_SSL_PROTO_SSL3 */
@ -2377,6 +2380,8 @@ static int ssl_decrypt_buf( mbedtls_ssl_context *ssl )
* attacks much tighter and hopefully impractical. */ * attacks much tighter and hopefully impractical. */
ssl_read_memory( ssl->in_msg + min_len, ssl_read_memory( ssl->in_msg + min_len,
max_len - min_len + ssl->transform_in->maclen ); max_len - min_len + ssl->transform_in->maclen );
memcpy( mac_peer, ssl->in_msg + ssl->in_msglen,
ssl->transform_in->maclen );
} }
else else
#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \ #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
@ -2388,11 +2393,10 @@ static int ssl_decrypt_buf( mbedtls_ssl_context *ssl )
#if defined(MBEDTLS_SSL_DEBUG_ALL) #if defined(MBEDTLS_SSL_DEBUG_ALL)
MBEDTLS_SSL_DEBUG_BUF( 4, "expected mac", mac_expect, ssl->transform_in->maclen ); MBEDTLS_SSL_DEBUG_BUF( 4, "expected mac", mac_expect, ssl->transform_in->maclen );
MBEDTLS_SSL_DEBUG_BUF( 4, "message mac", ssl->in_msg + ssl->in_msglen, MBEDTLS_SSL_DEBUG_BUF( 4, "message mac", mac_peer, ssl->transform_in->maclen );
ssl->transform_in->maclen );
#endif #endif
if( mbedtls_ssl_safer_memcmp( ssl->in_msg + ssl->in_msglen, mac_expect, if( mbedtls_ssl_safer_memcmp( mac_peer, mac_expect,
ssl->transform_in->maclen ) != 0 ) ssl->transform_in->maclen ) != 0 )
{ {
#if defined(MBEDTLS_SSL_DEBUG_ALL) #if defined(MBEDTLS_SSL_DEBUG_ALL)