author | Peter Dettman <peter.dettman@bouncycastle.org> | 2014-12-31 16:08:48 +0700 |
---|---|---|
committer | Peter Dettman <peter.dettman@bouncycastle.org> | 2014-12-31 16:08:48 +0700 |
commit | 5e5e67028e5b16a18580c52a17516cdb314eddc5 (patch) | |
tree | ecbf5b59e75fe81861d2ee8e8356d2e3d04b71fd /crypto/src | |
parent | Various updates to GCM from Java build (diff) | |
download | BouncyCastle.NET-ed25519-5e5e67028e5b16a18580c52a17516cdb314eddc5.tar.xz |
TLS update from Java
Diffstat (limited to 'crypto/src')
-rw-r--r-- | crypto/src/crypto/tls/TlsBlockCipher.cs | 26 |
1 files changed, 17 insertions, 9 deletions
diff --git a/crypto/src/crypto/tls/TlsBlockCipher.cs b/crypto/src/crypto/tls/TlsBlockCipher.cs
index 82c0318b2..d81b881fc 100644
--- a/crypto/src/crypto/tls/TlsBlockCipher.cs
+++ b/crypto/src/crypto/tls/TlsBlockCipher.cs
@@ -262,10 +262,19 @@ namespace Org.BouncyCastle.Crypto.Tls
 byte[] receivedMac = Arrays.CopyOfRange(ciphertext, end - macSize, end);
 byte[] calculatedMac = mReadMac.CalculateMac(seqNo, type, ciphertext, offset, len - macSize);
 
- bool badMac = !Arrays.ConstantTimeAreEqual(calculatedMac, receivedMac);
-
- if (badMac)
+ bool badMacEtm = !Arrays.ConstantTimeAreEqual(calculatedMac, receivedMac);
+ if (badMacEtm)
+ {
+ /*
+ * RFC 7366 3. The MAC SHALL be evaluated before any further processing such as
+ * decryption is performed, and if the MAC verification fails, then processing SHALL
+ * terminate immediately. For TLS, a fatal bad_record_mac MUST be generated [2]. For
+ * DTLS, the record MUST be discarded, and a fatal bad_record_mac MAY be generated
+ * [4]. This immediate response to a bad MAC eliminates any timing channels that may
+ * be available through the use of manipulated packet data.
+ */
 throw new TlsFatalAlert(AlertDescription.bad_record_mac);
+ }
 }
 
 if (useExplicitIV)
@@ -283,6 +292,7 @@ namespace Org.BouncyCastle.Crypto.Tls
 // If there's anything wrong with the padding, this will return zero
 int totalPad = CheckPaddingConstantTime(ciphertext, offset, blocks_length, blockSize, encryptThenMac ? 0 : macSize);
+ bool badMac = (totalPad == 0);
 int dec_output_length = blocks_length - totalPad;
@@ -295,14 +305,12 @@ namespace Org.BouncyCastle.Crypto.Tls
 byte[] calculatedMac = mReadMac.CalculateMacConstantTime(seqNo, type, ciphertext, offset, macInputLen, blocks_length - macSize, randomData);
- bool badMac = !Arrays.ConstantTimeAreEqual(calculatedMac, receivedMac);
-
- if (badMac || totalPad == 0)
- {
- throw new TlsFatalAlert(AlertDescription.bad_record_mac);
- }
+ badMac |= !Arrays.ConstantTimeAreEqual(calculatedMac, receivedMac);
 }
+ if (badMac)
+ throw new TlsFatalAlert(AlertDescription.bad_record_mac);
+
 return Arrays.CopyOfRange(ciphertext, offset, offset + dec_output_length);
 } |
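Review bot: The deferred `if (badMac) throw new TlsFatalAlert(AlertDescription.bad_record_mac);` carries no comment saying why the padding result and the MAC result are now folded into one flag and raised only after `CalculateMacConstantTime` has run, whereas the encrypt-then-MAC branch in the first hunk received a full RFC 7366 citation for its early throw; a later maintainer could "simplify" this back to throwing as soon as `totalPad == 0`, reintroducing a distinguishable path. Suggest a comment above `bool badMac = (totalPad == 0);` in the previous hunk: `// A padding failure is only recorded here, not thrown: the MAC is still computed (constant-time) and both failures raise the same alert below, so a bad pad and a bad MAC are not distinguishable by timing.` As a point of style, this hunk's `if (badMac)` is written without braces while the new `if (badMacEtm)` block in the first hunk uses them; the two additions should follow one convention. The enclosing method begins before this hunk.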