• Manuel Pégourié-Gonnard's avatar
    Fix Lucky 13 cache attack on MD/SHA padding · 1cc1fb05
    Manuel Pégourié-Gonnard authored
    The basis for the Lucky 13 family of attacks is for an attacker to be able to
    distinguish between (long) valid TLS-CBC padding and invalid TLS-CBC padding.
    Since our code sets padlen = 0 for invalid padding, the length of the input to
    the HMAC function gives information about that.
    Information about this length (modulo the MD/SHA block size) can be deduced
    from how much MD/SHA padding (this is distinct from TLS-CBC padding) is used.
    If MD/SHA padding is read from a (static) buffer, a local attacker could get
    information about how much is used via a cache attack targeting that buffer.
    Let's get rid of this buffer. Now the only buffer used is the internal MD/SHA
    one, which is always read fully by the process() function.