summaryrefslogtreecommitdiff
path: root/sys/dev/pci/amas.h
diff options
context:
space:
mode:
authorJoel Sing <jsing@cvs.openbsd.org>2024-06-25 14:10:46 +0000
committerJoel Sing <jsing@cvs.openbsd.org>2024-06-25 14:10:46 +0000
commitf02c64296a18ec9595fe6efcb29e617c260ba9b9 (patch)
tree122e04d39d1646e5001777ffafac9a1dce655ba9 /sys/dev/pci/amas.h
parent01330aa804e90fda0c58556b0db12fcce7ec0ba5 (diff)
Implement RSA key exchange in constant time.
RSA key exchange is known to have multiple security weaknesses, including being potentially susceptible to padding oracle and timing attacks. The RSA key exchange code that we inherited from OpenSSL was riddled with timing leaks, many of which we fixed (or minimised) early on. However, a number of issues still remained, particularly those related to libcrypto's RSA decryption and padding checks. Rework the RSA key exchange code such that we decrypt with RSA_NO_PADDING and then check the padding ourselves in constant time. In this case, the pre-master secret is of a known length, hence the padding is also a known length based on the size of the RSA key. This makes it easy to implement a check that is much safer than having RSA_private_decrypt() depad for us. Regardless, we still strongly recommend disabling RSA key exchange and using other key exchange methods that provide perfect forward secrecy and do not depend on client generated keys. Thanks to Marcel Maehren, Nurullah Erinola, Robert Merget, Juraj Somorovsky, Joerg Schwenk and Hubert Kario for raising these issues with us at various points in time. ok tb@
Diffstat (limited to 'sys/dev/pci/amas.h')
0 files changed, 0 insertions, 0 deletions