Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add function for constant-flow variable-length HMAC computation #3470

Closed
mpg opened this issue Jul 1, 2020 · 0 comments
Closed

Add function for constant-flow variable-length HMAC computation #3470

mpg opened this issue Jul 1, 2020 · 0 comments
Assignees
@mpg
Labels
component-tls enhancement
Milestone
August 2020 Sprint

Comments

@mpg
Copy link
Contributor

mpg commented Jul 1, 2020
edited
Loading

Decryption/authentication of (D)TLS record encrypted with legacy CBC (that is CBC without EtM) includes computing the HMAC of the decrypted, unpadded data, without leaking its length (as this would leak information about the padding, exploited by the Lucky 13 attack.

Currently this is done using dummy evaluations of the compression function as described in the original Lucky 13 paper, section 7, "Careful implementation of MEE-TLS-CBC decryption", point 5. However subsequent research has shown while effective against remote attackers, this tends to be fragile when facing local attackers. A more robust strategy is described in this post, section "Calculating the MAC".

This task is to implement a function using that strategy with a signature like for example:

int mbedtls_ssl_ct_hmac( mbedtls_md_context_t *ctx,
                         const unsigned char *add_data, size_t add_data_len,
                         const unsigned char *data, size_t data_len_secret,
                         size_t min_data_len, size_t max_data_len,
                         unsigned char output[MBEDTLS_MD_MAX_SIZE] );

such that it is functionally equivalent to

mbedtls_md_hmac_update( ctx, add_data, add_data_len );
mbedtls_md_hmac_update( ctx, data, data_len_secret );
mbedtls_md_hmac_finish( ctx, output );

as long as min_data_len <= data_len_secret <= max_data_len but with no branches or memory access patterns depending on data_len_secret.

This function must come with unit tests. In the development branch, it should probably be defined in ssl_msg.c and be declared MBEDTLS_STATIC_TESTABLE. In the LTS branches, it should probably be defined in ssl_tls.c and declared in ssl_internal.h.

Note: this task is just about creating the function and its unit tests, not necessarily integrating it in ssl_decrypt_buf() yet. This is to avoid a dependency on #3469 (negative testing of ssl_decrypt_buf()). However if #3469 is ready before this one, then creating this function and integrating it in ssl_decrypt_buf() can be done in the same PR
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@mpg mpg

Labels
component-tls enhancement
Projects
None yet
Milestone
August 2020 Sprint
Development

No branches or pull requests
2 participants
@mpg @danh-arm