You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.
to be slightly more precise, don't bail in crypto.ml:123 when padding is incorrect, but use a random premastersecret for further communication [which obviously will fail once enc/dec is used]. otherwise bleichenbacher's attack can be done.
CBC decoding must be constant time... which is rather intricate, https://www.imperialviolet.org/2013/02/04/luckythirteen.html describes the countermeasures introduced by OpenSSL (and I believe we've to do it in a similar way)! the memory access pattern for invalid and valid padded data needs to be exactly the same...
some further thoughts on this: we need to get rid of data-dependent branches and allocation -- or runs of the garbage collector. maybe we need to take the GC lock (do a gc minor before) and turn interrupts off to get rid of all the timing issues imposed by high-level runtime.