From b2f438fc57997fc40f5bd808c1579cad86553eef Mon Sep 17 00:00:00 2001 From: Peter Dettman Date: Fri, 26 May 2017 08:47:03 +0700 Subject: No variable-length padding w/ truncated MAC (unless EtM enabled) --- crypto/src/crypto/tls/TlsBlockCipher.cs | 21 +++++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-) (limited to 'crypto/src') diff --git a/crypto/src/crypto/tls/TlsBlockCipher.cs b/crypto/src/crypto/tls/TlsBlockCipher.cs index d81b881fc..76b476a18 100644 --- a/crypto/src/crypto/tls/TlsBlockCipher.cs +++ b/crypto/src/crypto/tls/TlsBlockCipher.cs @@ -160,13 +160,22 @@ namespace Org.BouncyCastle.Crypto.Tls int padding_length = blockSize - 1 - (enc_input_length % blockSize); - // TODO[DTLS] Consider supporting in DTLS (without exceeding send limit though) - if (!version.IsDtls && !version.IsSsl) + /* + * Don't use variable-length padding with truncated MACs. + * + * See "Tag Size Does Matter: Attacks and Proofs for the TLS Record Protocol", Paterson, + * Ristenpart, Shrimpton. + */ + if (encryptThenMac || !context.SecurityParameters.truncatedHMac) { - // Add a random number of extra blocks worth of padding - int maxExtraPadBlocks = (255 - padding_length) / blockSize; - int actualExtraPadBlocks = ChooseExtraPadBlocks(context.SecureRandom, maxExtraPadBlocks); - padding_length += actualExtraPadBlocks * blockSize; + // TODO[DTLS] Consider supporting in DTLS (without exceeding send limit though) + if (!version.IsDtls && !version.IsSsl) + { + // Add a random number of extra blocks worth of padding + int maxExtraPadBlocks = (255 - padding_length) / blockSize; + int actualExtraPadBlocks = ChooseExtraPadBlocks(context.SecureRandom, maxExtraPadBlocks); + padding_length += actualExtraPadBlocks * blockSize; + } } int totalSize = len + macSize + padding_length + 1; -- cgit 1.5.1