• djm@openbsd.org's avatar
    upstream commit · 6d31193d
    djm@openbsd.org authored
    Improve crypto ordering for Encrypt-then-MAC (EtM) mode
    MAC algorithms.
    Previously we were computing the MAC, decrypting the packet and then
    checking the MAC. This gave rise to the possibility of creating a
    side-channel oracle in the decryption step, though no such oracle has
    been identified.
    This adds a mac_check() function that computes and checks the MAC in
    one pass, and uses it to advance MAC checking for EtM algorithms to
    before payload decryption.
    Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and
    Martin Albrecht. feedback and ok markus@
    Upstream-ID: 1999bb67cab47dda5b10b80d8155fe83d4a1867b