cuberite/polarssl
1
0
Fork 0
mirror of https://github.com/cuberite/polarssl.git synced 2025-10-30 19:20:40 -04:00
Code Issues Packages Projects Releases Wiki Activity

Don't use DH blinding for ephemeral DH

Browse Source
This commit is contained in:
Manuel Pégourié-Gonnard 2013-09-07 13:06:27 +02:00
parent ce6352a791
commit 032c34e206
3 changed files with 14 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
include/polarssl/dhm.h
View File

@ -228,7 +228,12 @@ int dhm_make_public( dhm_context *ctx, int x_size,
* \return 0 if successful, or an POLARSSL_ERR_DHM_XXX error code * \return 0 if successful, or an POLARSSL_ERR_DHM_XXX error code
* *
* \note If f_rng is not NULL, it is used to blind the input as * \note If f_rng is not NULL, it is used to blind the input as
* countermeasure against timing attacks. * countermeasure against timing attacks. This is only useful
* when this function is called repeatedly with the same
* secret value (X field), eg when using DH key exchange as
* opposed to DHE. It is recommended to use a non-NULL f_rng
* only when needed, since otherwise this countermeasure has
* high overhead.
*/ */
int dhm_calc_secret( dhm_context *ctx, int dhm_calc_secret( dhm_context *ctx,
unsigned char *output, size_t *olen, unsigned char *output, size_t *olen,

6
library/ssl_cli.c
View File

@ -1711,10 +1711,11 @@ static int ssl_write_client_key_exchange( ssl_context *ssl )
ssl->handshake->pmslen = ssl->handshake->dhm_ctx.len; ssl->handshake->pmslen = ssl->handshake->dhm_ctx.len;
/* No blinding needed for DHE, but will be needed for fixed DH! */
if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx, if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx,
ssl->handshake->premaster, ssl->handshake->premaster,
&ssl->handshake->pmslen, &ssl->handshake->pmslen,
ssl->f_rng, ssl->p_rng ) ) != 0 ) NULL, NULL ) ) != 0 )
{ {
SSL_DEBUG_RET( 1, "dhm_calc_secret", ret ); SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
return( ret ); return( ret );
@ -1842,8 +1843,9 @@ static int ssl_write_client_key_exchange( ssl_context *ssl )
*(p++) = (unsigned char)( ssl->handshake->dhm_ctx.len >> 8 ); *(p++) = (unsigned char)( ssl->handshake->dhm_ctx.len >> 8 );
*(p++) = (unsigned char)( ssl->handshake->dhm_ctx.len ); *(p++) = (unsigned char)( ssl->handshake->dhm_ctx.len );
/* No blinding needed since this is ephemeral DHM */
if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx, if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx,
p, &n, ssl->f_rng, ssl->p_rng ) ) != 0 ) p, &n, NULL, NULL ) ) != 0 )
{ {
SSL_DEBUG_RET( 1, "dhm_calc_secret", ret ); SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
return( ret ); return( ret );

6
library/ssl_srv.c
View File

@ -2384,10 +2384,11 @@ static int ssl_parse_client_key_exchange( ssl_context *ssl )
ssl->handshake->pmslen = ssl->handshake->dhm_ctx.len; ssl->handshake->pmslen = ssl->handshake->dhm_ctx.len;
/* No blinding needed for DHE, but will be needed for fixed DH! */
if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx, if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx,
ssl->handshake->premaster, ssl->handshake->premaster,
&ssl->handshake->pmslen, &ssl->handshake->pmslen,
ssl->f_rng, ssl->p_rng ) ) != 0 ) NULL, NULL ) ) != 0 )
{ {
SSL_DEBUG_RET( 1, "dhm_calc_secret", ret ); SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS ); return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
@ -2472,8 +2473,9 @@ static int ssl_parse_client_key_exchange( ssl_context *ssl )
n = ssl->handshake->dhm_ctx.len; n = ssl->handshake->dhm_ctx.len;
/* No blinding needed since this is ephemeral DHM */
if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx, if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx,
p, &n, ssl->f_rng, ssl->p_rng ) ) != 0 ) p, &n, NULL, NULL ) ) != 0 )
{ {
SSL_DEBUG_RET( 1, "dhm_calc_secret", ret ); SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS ); return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );