Use temporary buffer to hold the peer's HMAC

This paves the way for a constant-flow implementation of HMAC checking, by making sure that the comparison happens at a constant address. The missing step is obviously to copy the HMAC from the secret offset to this temporary buffer with constant flow, which will be done in the next few commits. Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-03-04 19:09:48 +00:00 · 2020-08-25 11:07:25 +02:00 · 2020-08-25 11:07:25 +02:00 · bf7a49eacc
parent d863a67a74
commit bf7a49eacc
1 changed files with 7 additions and 3 deletions
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@ -2142,6 +2142,7 @@ static int ssl_decrypt_buf( mbedtls_ssl_context *ssl )
    if( auth_done == 0 )
    {
        unsigned char mac_expect[MBEDTLS_SSL_MAC_ADD];
+        unsigned char mac_peer[MBEDTLS_SSL_MAC_ADD];

        ssl->in_msglen -= ssl->transform_in->maclen;

@ -2156,6 +2157,8 @@ static int ssl_decrypt_buf( mbedtls_ssl_context *ssl )
                      ssl->in_msg, ssl->in_msglen,
                      ssl->in_ctr, ssl->in_msgtype,
                      mac_expect );
+            memcpy( mac_peer, ssl->in_msg + ssl->in_msglen,
+                              ssl->transform_in->maclen );
        }
        else
 #endif /* MBEDTLS_SSL_PROTO_SSL3 */
@ -2200,6 +2203,8 @@ static int ssl_decrypt_buf( mbedtls_ssl_context *ssl )
             * attacks much tighter and hopefully impractical. */
            ssl_read_memory( ssl->in_msg + min_len,
                                 max_len - min_len + ssl->transform_in->maclen );
+            memcpy( mac_peer, ssl->in_msg + ssl->in_msglen,
+                              ssl->transform_in->maclen );
        }
        else
 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
@ -2211,11 +2216,10 @@ static int ssl_decrypt_buf( mbedtls_ssl_context *ssl )

 #if defined(MBEDTLS_SSL_DEBUG_ALL)
        MBEDTLS_SSL_DEBUG_BUF( 4, "expected mac", mac_expect, ssl->transform_in->maclen );
-        MBEDTLS_SSL_DEBUG_BUF( 4, "message  mac", ssl->in_msg + ssl->in_msglen,
-                               ssl->transform_in->maclen );
+        MBEDTLS_SSL_DEBUG_BUF( 4, "message  mac", mac_peer, ssl->transform_in->maclen );
 #endif

-        if( mbedtls_ssl_safer_memcmp( ssl->in_msg + ssl->in_msglen, mac_expect,
+        if( mbedtls_ssl_safer_memcmp( mac_peer, mac_expect,
                                      ssl->transform_in->maclen ) != 0 )
        {
 #if defined(MBEDTLS_SSL_DEBUG_ALL)