diff --git a/lib/algorithms/mac.c b/lib/algorithms/mac.c index 0527ca4f1..a39acd49f 100644 --- a/lib/algorithms/mac.c +++ b/lib/algorithms/mac.c @@ -37,9 +37,9 @@ static const mac_entry_st hash_algorithms[] = { {"SHA256", HASH_OID_SHA256, MAC_OID_SHA256, GNUTLS_MAC_SHA256, 32, 32, 0, 0, 1, 64}, {"SHA384", HASH_OID_SHA384, MAC_OID_SHA384, GNUTLS_MAC_SHA384, 48, 48, 0, 0, 1, - 64}, + 128}, {"SHA512", HASH_OID_SHA512, MAC_OID_SHA512, GNUTLS_MAC_SHA512, 64, 64, 0, 0, 1, - 64}, + 128}, {"SHA224", HASH_OID_SHA224, MAC_OID_SHA224, GNUTLS_MAC_SHA224, 28, 28, 0, 0, 1, 64}, {"UMAC-96", NULL, NULL, GNUTLS_MAC_UMAC_96, 12, 16, 8, 0, 1, 0}, diff --git a/lib/gnutls_cipher.c b/lib/gnutls_cipher.c index 58ce79775..37478a4c3 100644 --- a/lib/gnutls_cipher.c +++ b/lib/gnutls_cipher.c @@ -440,7 +440,7 @@ static void dummy_wait(record_parameters_st * params, { /* this hack is only needed on CBC ciphers */ if (_gnutls_cipher_is_block(params->cipher) == CIPHER_BLOCK) { - unsigned len; + unsigned len, v; /* force an additional hash compression function evaluation to prevent timing * attacks that distinguish between wrong-mac + correct pad, from wrong-mac + incorrect pad. @@ -448,11 +448,14 @@ static void dummy_wait(record_parameters_st * params, if (pad_failed == 0 && pad > 0) { len = _gnutls_mac_block_size(params->mac); if (len > 0) { - /* This is really specific to the current hash functions. - * It should be removed once a protocol fix is in place. - */ - if ((pad + total) % len > len - 9 - && total % len <= len - 9) { + if (params->mac && params->mac->id == GNUTLS_MAC_SHA384) + /* v = 1 for the hash function padding + 16 for message length */ + v = 17; + else /* v = 1 for the hash function padding + 8 for message length */ + v = 9; + + if ((pad + total) % len > len - v + && total % len <= len - v) { if (len < plaintext->size) _gnutls_auth_cipher_add_auth (¶ms->read. -- 2.14.3