Opened 3 years ago

Last modified 3 years ago

#22197 new defect

Audit all of our Go code that uses `crypto/aes`.

Reported by: yawning
Owned by:
Priority: Medium
Milestone:
Component: Circumvention
Version:
Severity: Normal
Keywords:
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

The implementation is not constant time (and neither is the GHASH provided by crypto/cipher) without AES-NI/PCLMULQDQ or equivalent. I do not believe that we use either in a situation where it matters, but we should double check to confirm this. This affects any uses of the raw primitive, when wrapped in the various block cipher modes, and when used via TLS.

Known uses:

  • obfs2
  • obfs3
  • scramblesuit
  • meek without a helper
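The ticket asks for an audit of every place the Go code reaches `crypto/aes`, whether directly, through a `crypto/cipher` mode, or through `crypto/tls`. The program below is an added example (not part of the ticket or of any Tor project code) of how such an audit can be started mechanically with the standard library's `go/parser` and `go/ast`: it parses a Go file, resolves which local identifiers refer to the watched packages (including renamed imports), and reports every call through them with its line number. The list of watched packages and function names in `watched`, and the embedded sample source `sampleSrc`, are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"path"
	"strconv"
)

// Finding is one call into a package whose AES, GHASH or TLS code paths
// are only constant time when hardware acceleration is available.
type Finding struct {
	File string
	Line int
	Call string // e.g. "aes.NewCipher"
}

// watched maps import paths to the constructors and entry points the audit
// reports. This selection is an assumption for the example: the raw
// primitive, the crypto/cipher modes built on it, and the TLS entry points.
var watched = map[string][]string{
	"crypto/aes":    {"NewCipher"},
	"crypto/cipher": {"NewGCM", "NewCBCEncrypter", "NewCBCDecrypter", "NewCTR", "NewOFB", "NewCFBEncrypter", "NewCFBDecrypter"},
	"crypto/tls":    {"Dial", "Client", "Server", "Listen"},
}

// AuditSource parses one Go file (passed as a string) and returns every
// call of a watched function reached through a watched import, in source order.
func AuditSource(filename, src string) ([]Finding, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return nil, err
	}
	// Map the local identifier of each watched import to its import path,
	// honouring renamed imports such as `gcm "crypto/cipher"`. Blank and dot
	// imports are skipped: there is no qualifier to match calls against.
	local := map[string]string{}
	for _, imp := range f.Imports {
		p, err := strconv.Unquote(imp.Path.Value)
		if err != nil {
			continue
		}
		if _, ok := watched[p]; !ok {
			continue
		}
		name := path.Base(p)
		if imp.Name != nil {
			if imp.Name.Name == "_" || imp.Name.Name == "." {
				continue
			}
			name = imp.Name.Name
		}
		local[name] = p
	}
	if len(local) == 0 {
		return nil, nil
	}
	var out []Finding
	ast.Inspect(f, func(n ast.Node) bool {
		call, ok := n.(*ast.CallExpr)
		if !ok {
			return true
		}
		sel, ok := call.Fun.(*ast.SelectorExpr)
		if !ok {
			return true
		}
		pkgIdent, ok := sel.X.(*ast.Ident)
		if !ok {
			return true
		}
		p, ok := local[pkgIdent.Name]
		if !ok {
			return true
		}
		for _, fn := range watched[p] {
			if sel.Sel.Name == fn {
				out = append(out, Finding{
					File: filename,
					Line: fset.Position(call.Pos()).Line,
					Call: pkgIdent.Name + "." + sel.Sel.Name,
				})
			}
		}
		return true
	})
	return out, nil
}

// sampleSrc is a constructed input resembling a small transport that uses
// AES-CTR directly and also opens a TLS connection.
const sampleSrc = `package obfs

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/tls"
)

func stream(key, iv []byte) cipher.Stream {
	b, _ := aes.NewCipher(key)
	return cipher.NewCTR(b, iv)
}

func dial() error {
	_, err := tls.Dial("tcp", "example.invalid:443", nil)
	return err
}
`

func main() {
	findings, err := AuditSource("obfs.go", sampleSrc)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s:%d\t%s\n", f.File, f.Line, f.Call)
	}
}
```

Run over a real tree, `AuditSource` would be called once per `.go` file (for example from a `filepath.WalkDir` loop); each finding is then a place to confirm whether the data being processed is secret and whether the target platform has AES-NI/PCLMULQDQ, which is exactly the check the ticket asks for. Note that the audit is syntactic: calls made through an interface value or a wrapper function are not attributed to the package, so a hit list from this tool is a starting point for review, not proof of absence.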

Change History (1)

comment:1 Changed 3 years ago by yawning

For the non-TLS cases, a constant time AES could be easily substituted (and I have one for Go, though performance is not great). Making Go's TLS safe against timing attacks will require forking the TLS stack in the runtime library.

nb: I don't see myself doing a constant time GHASH. So just replacing the AES is insufficient to fix GCM-AES.

Last edited 3 years ago by yawning