openssl/sme8/openssl-fips-0.9.8e-cve-2013-0169.patch

diff -up openssl-fips-0.9.8e/crypto/cryptlib.c.lucky13 openssl-fips-0.9.8e/crypto/cryptlib.c
--- openssl-fips-0.9.8e/crypto/cryptlib.c.lucky13       2007-07-26 18:46:54.000000000 +0200
+++ openssl-fips-0.9.8e/crypto/cryptlib.c       2013-02-25 14:56:11.392381859 +0100
@@ -543,3 +543,16 @@ void OpenSSLDie(const char *file,int lin
        }
 
 void *OPENSSL_stderr(void)     { return stderr; }
+
+int CRYPTO_memcmp(const void *in_a, const void *in_b, size_t len)
+       {
+       size_t i;
+       const unsigned char *a = in_a;
+       const unsigned char *b = in_b;
+       unsigned char x = 0;
+
+       for (i = 0; i < len; i++)
+               x |= a[i] ^ b[i];
+
+       return x;
+       }
diff -up openssl-fips-0.9.8e/crypto/crypto.h.lucky13 openssl-fips-0.9.8e/crypto/crypto.h
--- openssl-fips-0.9.8e/crypto/crypto.h.lucky13 2013-02-25 14:56:11.049380949 +0100
+++ openssl-fips-0.9.8e/crypto/crypto.h 2013-02-25 14:56:11.393381862 +0100
@@ -592,6 +592,13 @@ unsigned long *OPENSSL_ia32cap_loc(void)
 
 #endif /* def OPENSSL_FIPS */
 
+/* CRYPTO_memcmp returns zero iff the |len| bytes at |a| and |b| are equal. It
+ * takes an amount of time dependent on |len|, but independent of the contents
+ * of |a| and |b|. Unlike memcmp, it cannot be used to put elements into a
+ * defined order as the return value when a != b is undefined, other than to be
+ * non-zero. */
+int CRYPTO_memcmp(const void *a, const void *b, size_t len);
+
 /* BEGIN ERROR CODES */
 /* The following lines are auto generated by the script mkerr.pl. Any changes
  * made after this point may be overwritten when the script is next run.
diff -up openssl-fips-0.9.8e/crypto/rsa/rsa_oaep.c.lucky13 openssl-fips-0.9.8e/crypto/rsa/rsa_oaep.c
--- openssl-fips-0.9.8e/crypto/rsa/rsa_oaep.c.lucky13   2007-03-22 01:38:34.000000000 +0100
+++ openssl-fips-0.9.8e/crypto/rsa/rsa_oaep.c   2013-02-25 14:56:11.394381865 +0100
@@ -136,7 +136,7 @@ int RSA_padding_check_PKCS1_OAEP(unsigne
 
        EVP_Digest((void *)param, plen, phash, NULL, EVP_sha1(), NULL);
 
-       if (memcmp(db, phash, SHA_DIGEST_LENGTH) != 0 || bad)
+       if (CRYPTO_memcmp(db, phash, SHA_DIGEST_LENGTH) != 0 || bad)
                goto decoding_err;
        else
                {
diff -up openssl-fips-0.9.8e/ssl/d1_enc.c.lucky13 openssl-fips-0.9.8e/ssl/d1_enc.c
--- openssl-fips-0.9.8e/ssl/d1_enc.c.lucky13    2013-02-25 14:56:11.374381809 +0100
+++ openssl-fips-0.9.8e/ssl/d1_enc.c    2013-02-25 14:56:11.395381868 +0100
@@ -122,18 +122,30 @@
 #include <openssl/rand.h>
 
 
+/* dtls1_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively.
+ *
+ * Returns:
+ *   0: (in non-constant time) if the record is publically invalid (i.e. too
+ *       short etc).
+ *   1: if the record's padding is valid / the encryption was successful.
+ *   -1: if the record's padding/AEAD-authenticator is invalid or, if sending,
+ *       an internal error occured. */
 int dtls1_enc(SSL *s, int send)
        {
        SSL3_RECORD *rec;
        EVP_CIPHER_CTX *ds;
        unsigned long l;
-       int bs,i,ii,j,k,n=0;
+       int bs,i,j,k,mac_size=0;
        const EVP_CIPHER *enc;
 
        if (send)
                {
-               if (s->write_hash != NULL)
-                       n=EVP_MD_size(s->write_hash);
+               if (s->write_hash)
+                       {
+                       mac_size=EVP_MD_size(s->write_hash);
+                       if (mac_size < 0)
+                               return -1;
+                       }
                ds=s->enc_write_ctx;
                rec= &(s->s3->wrec);
                if (s->enc_write_ctx == NULL)
@@ -147,15 +159,18 @@ int dtls1_enc(SSL *s, int send)
                                        __FILE__, __LINE__);
                        else if ( EVP_CIPHER_block_size(ds->cipher) > 1)
                                {
-                               if (!RAND_bytes(rec->input, EVP_CIPHER_block_size(ds->cipher)))
+                               if (RAND_bytes(rec->input, EVP_CIPHER_block_size(ds->cipher)) <= 0)
                                        return -1;
                                }
                        }
                }
        else
                {
-               if (s->read_hash != NULL)
-                       n=EVP_MD_size(s->read_hash);
+               if (s->read_hash)
+                       {
+                       mac_size=EVP_MD_size(s->read_hash);
+                       OPENSSL_assert(mac_size >= 0);
+                       }
                ds=s->enc_read_ctx;
                rec= &(s->s3->rrec);
                if (s->enc_read_ctx == NULL)
@@ -219,11 +234,7 @@ int dtls1_enc(SSL *s, int send)
                if (!send)
                        {
                        if (l == 0 || l%bs != 0)
-                               {
-                               SSLerr(SSL_F_DTLS1_ENC,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
-                               ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPTION_FAILED);
                                return 0;
-                               }
                        }
                
                EVP_Cipher(ds,rec->data,rec->input,l);
@@ -238,43 +249,7 @@ int dtls1_enc(SSL *s, int send)
 #endif /* KSSL_DEBUG */
 
                if ((bs != 1) && !send)
-                       {
-                       ii=i=rec->data[l-1]; /* padding_length */
-                       i++;
-                       if (s->options&SSL_OP_TLS_BLOCK_PADDING_BUG)
-                               {
-                               /* First packet is even in size, so check */
-                               if ((memcmp(s->s3->read_sequence,
-                                       "\0\0\0\0\0\0\0\0",8) == 0) && !(ii & 1))
-                                       s->s3->flags|=TLS1_FLAGS_TLS_PADDING_BUG;
-                               if (s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG)
-                                       i--;
-                               }
-                       /* TLS 1.0 does not bound the number of padding bytes by the block size.
-                        * All of them must have value 'padding_length'. */
-                       if (i + bs > (int)rec->length)
-                               {
-                               /* Incorrect padding. SSLerr() and ssl3_alert are done
-                                * by caller: we don't want to reveal whether this is
-                                * a decryption error or a MAC verification failure
-                                * (see http://www.openssl.org/~bodo/tls-cbc.txt) 
-                                */
-                               return -1;
-                               }
-                       for (j=(int)(l-i); j<(int)l; j++)
-                               {
-                               if (rec->data[j] != ii)
-                                       {
-                                       /* Incorrect padding */
-                                       return -1;
-                                       }
-                               }
-                       rec->length-=i;
-
-                       rec->data += bs;    /* skip the implicit IV */
-                       rec->input += bs;
-                       rec->length -= bs;
-                       }
+                       return tls1_cbc_remove_padding(s, rec, bs, mac_size);
                }
        return(1);
        }
diff -up openssl-fips-0.9.8e/ssl/d1_pkt.c.lucky13 openssl-fips-0.9.8e/ssl/d1_pkt.c
--- openssl-fips-0.9.8e/ssl/d1_pkt.c.lucky13    2013-02-25 14:56:11.278381571 +0100
+++ openssl-fips-0.9.8e/ssl/d1_pkt.c    2013-02-25 14:56:11.400381882 +0100
@@ -328,16 +328,12 @@ dtls1_get_buffered_record(SSL *s)
 static int
 dtls1_process_record(SSL *s)
 {
-    int al;
-       int clear=0;
-    int enc_err;
+       int i,al;
+       int enc_err;
        SSL_SESSION *sess;
-    SSL3_RECORD *rr;
-       unsigned int mac_size;
+       SSL3_RECORD *rr;
+       unsigned int mac_size, orig_len;
        unsigned char md[EVP_MAX_MD_SIZE];
-       int decryption_failed_or_bad_record_mac = 0;
-       unsigned char *mac = NULL;
-
 
        rr= &(s->s3->rrec);
     sess = s->session;
@@ -369,12 +365,16 @@ dtls1_process_record(SSL *s)
        rr->data=rr->input;
 
        enc_err = s->method->ssl3_enc->enc(s,0);
-       if (enc_err <= 0)
+       /* enc_err is:
+        *    0: (in non-constant time) if the record is publically invalid.
+        *    1: if the padding is valid
+        *    -1: if the padding is invalid */
+       if (enc_err == 0)
                {
-               /* To minimize information leaked via timing, we will always
-                * perform all computations before discarding the message.
-                */
-               decryption_failed_or_bad_record_mac = 1;
+               /* For DTLS we simply ignore bad packets. */
+               rr->length = 0;
+               s->packet_length = 0;
+               goto err;
                }
 
 #ifdef TLS_DEBUG
@@ -384,41 +384,62 @@ printf("\n");
 #endif
 
        /* r->length is now the compressed data plus mac */
-if (   (sess == NULL) ||
-               (s->enc_read_ctx == NULL) ||
-               (s->read_hash == NULL))
-    clear=1;
-
-       if (!clear)
+       if ((sess != NULL) &&
+           (s->enc_read_ctx != NULL) &&
+           (s->read_hash != NULL))
                {
+               /* s->read_hash != NULL => mac_size != -1 */
+               unsigned char *mac = NULL;
+               unsigned char mac_tmp[EVP_MAX_MD_SIZE];
                mac_size=EVP_MD_size(s->read_hash);
+               OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE);
 
-               if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+mac_size)
+               /* kludge: *_cbc_remove_padding passes padding length in rr->type */
+               orig_len = rr->length+((unsigned int)rr->type>>8);
+
+               /* orig_len is the length of the record before any padding was
+                * removed. This is public information, as is the MAC in use,
+                * therefore we can safely process the record in a different
+                * amount of time if it's too short to possibly contain a MAC.
+                */
+               if (orig_len < mac_size ||
+                   /* CBC records must have a padding length byte too. */
+                   (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
+                    orig_len < mac_size+1))
                        {
-#if 0 /* OK only for stream ciphers (then rr->length is visible from ciphertext anyway) */
-                       al=SSL_AD_RECORD_OVERFLOW;
-                       SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG);
+                       al=SSL_AD_DECODE_ERROR;
+                       SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_LENGTH_TOO_SHORT);
                        goto f_err;
-#else
-                       decryption_failed_or_bad_record_mac = 1;
-#endif                 
                        }
-               /* check the MAC for rr->input (it's in mac_size bytes at the tail) */
-               if (rr->length >= mac_size)
+
+               if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE)
                        {
+                       /* We update the length so that the TLS header bytes
+                        * can be constructed correctly but we need to extract
+                        * the MAC in constant time from within the record,
+                        * without leaking the contents of the padding bytes.
+                        * */
+                       mac = mac_tmp;
+                       ssl3_cbc_copy_mac(mac_tmp, rr, mac_size, orig_len);
                        rr->length -= mac_size;
-                       mac = &rr->data[rr->length];
                        }
                else
-                       rr->length = 0;
-               s->method->ssl3_enc->mac(s,md,0);
-               if (mac == NULL || memcmp(md, mac, mac_size) != 0)
                        {
-                       decryption_failed_or_bad_record_mac = 1;
+                       /* In this case there's no padding, so |orig_len|
+                        * equals |rec->length| and we checked that there's
+                        * enough bytes for |mac_size| above. */
+                       rr->length -= mac_size;
+                       mac = &rr->data[rr->length];
                        }
+
+               i=s->method->ssl3_enc->mac(s,md,0 /* not send */);
+               if (i < 0 || mac == NULL || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0)
+                       enc_err = -1;
+               if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+mac_size)
+                       enc_err = -1;
                }
 
-       if (decryption_failed_or_bad_record_mac)
+       if (enc_err < 0)
                {
                /* decryption failed, silently discard message */
                rr->length = 0;
diff -up openssl-fips-0.9.8e/ssl/Makefile.lucky13 openssl-fips-0.9.8e/ssl/Makefile
--- openssl-fips-0.9.8e/ssl/Makefile.lucky13    2013-02-25 14:56:11.212381386 +0100
+++ openssl-fips-0.9.8e/ssl/Makefile    2013-02-25 14:56:11.404381893 +0100
@@ -22,7 +22,7 @@ LIB=$(TOP)/libssl.a
 SHARED_LIB= libssl$(SHLIB_EXT)
 LIBSRC=        \
        s2_meth.c   s2_srvr.c s2_clnt.c  s2_lib.c  s2_enc.c s2_pkt.c \
-       s3_meth.c   s3_srvr.c s3_clnt.c  s3_lib.c  s3_enc.c s3_pkt.c s3_both.c \
+       s3_meth.c   s3_srvr.c s3_clnt.c  s3_lib.c  s3_enc.c s3_pkt.c s3_both.c s3_cbc.c \
        s23_meth.c s23_srvr.c s23_clnt.c s23_lib.c          s23_pkt.c \
        t1_meth.c   t1_srvr.c t1_clnt.c  t1_lib.c  t1_enc.c \
        d1_meth.c   d1_srvr.c d1_clnt.c  d1_lib.c  d1_pkt.c \
@@ -33,7 +33,7 @@ LIBSRC=       \
        bio_ssl.c ssl_err.c kssl.c t1_reneg.c
 LIBOBJ= \
        s2_meth.o  s2_srvr.o  s2_clnt.o  s2_lib.o  s2_enc.o s2_pkt.o \
-       s3_meth.o  s3_srvr.o  s3_clnt.o  s3_lib.o  s3_enc.o s3_pkt.o s3_both.o \
+       s3_meth.o  s3_srvr.o  s3_clnt.o  s3_lib.o  s3_enc.o s3_pkt.o s3_both.o s3_cbc.o \
        s23_meth.o s23_srvr.o s23_clnt.o s23_lib.o          s23_pkt.o \
        t1_meth.o   t1_srvr.o t1_clnt.o  t1_lib.o  t1_enc.o \
        d1_meth.o   d1_srvr.o d1_clnt.o  d1_lib.o  d1_pkt.o \
diff -up openssl-fips-0.9.8e/ssl/s2_clnt.c.lucky13 openssl-fips-0.9.8e/ssl/s2_clnt.c
--- openssl-fips-0.9.8e/ssl/s2_clnt.c.lucky13   2013-02-25 14:56:11.097381084 +0100
+++ openssl-fips-0.9.8e/ssl/s2_clnt.c   2013-02-25 14:56:11.404381893 +0100
@@ -935,7 +935,7 @@ static int get_server_verify(SSL *s)
                s->msg_callback(0, s->version, 0, p, len, s, s->msg_callback_arg); /* SERVER-VERIFY */
        p += 1;
 
-       if (memcmp(p,s->s2->challenge,s->s2->challenge_length) != 0)
+       if (CRYPTO_memcmp(p,s->s2->challenge,s->s2->challenge_length) != 0)
                {
                ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
                SSLerr(SSL_F_GET_SERVER_VERIFY,SSL_R_CHALLENGE_IS_DIFFERENT);
diff -up openssl-fips-0.9.8e/ssl/s2_pkt.c.lucky13 openssl-fips-0.9.8e/ssl/s2_pkt.c
--- openssl-fips-0.9.8e/ssl/s2_pkt.c.lucky13    2003-12-27 17:10:30.000000000 +0100
+++ openssl-fips-0.9.8e/ssl/s2_pkt.c    2013-02-25 14:56:11.405381896 +0100
@@ -267,8 +267,7 @@ static int ssl2_read_internal(SSL *s, vo
                        s->s2->ract_data_length-=mac_size;
                        ssl2_mac(s,mac,0);
                        s->s2->ract_data_length-=s->s2->padding;
-                       if (    (memcmp(mac,s->s2->mac_data,
-                               (unsigned int)mac_size) != 0) ||
+                       if (    (CRYPTO_memcmp(mac,s->s2->mac_data,mac_size) != 0) ||
                                (s->s2->rlength%EVP_CIPHER_CTX_block_size(s->enc_read_ctx) != 0))
                                {
                                SSLerr(SSL_F_SSL2_READ_INTERNAL,SSL_R_BAD_MAC_DECODE);
diff -up openssl-fips-0.9.8e/ssl/s3_both.c.lucky13 openssl-fips-0.9.8e/ssl/s3_both.c
--- openssl-fips-0.9.8e/ssl/s3_both.c.lucky13   2013-02-25 14:56:11.221381411 +0100
+++ openssl-fips-0.9.8e/ssl/s3_both.c   2013-02-25 14:56:11.406381899 +0100
@@ -242,7 +242,7 @@ int ssl3_get_finished(SSL *s, int a, int
                goto f_err;
                }
 
-       if (memcmp(p, s->s3->tmp.peer_finish_md, i) != 0)
+       if (CRYPTO_memcmp(p, s->s3->tmp.peer_finish_md, i) != 0)
                {
                al=SSL_AD_DECRYPT_ERROR;
                SSLerr(SSL_F_SSL3_GET_FINISHED,SSL_R_DIGEST_CHECK_FAILED);
diff -up openssl-fips-0.9.8e/ssl/s3_cbc.c.lucky13 openssl-fips-0.9.8e/ssl/s3_cbc.c
--- openssl-fips-0.9.8e/ssl/s3_cbc.c.lucky13    2013-02-25 14:56:11.407381902 +0100
+++ openssl-fips-0.9.8e/ssl/s3_cbc.c    2013-02-25 14:56:11.407381902 +0100
@@ -0,0 +1,783 @@
+/* ssl/s3_cbc.c */
+/* ====================================================================
+ * Copyright (c) 2012 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include "ssl_locl.h"
+
+#include <openssl/md5.h>
+#include <openssl/sha.h>
+
+/* MAX_HASH_BIT_COUNT_BYTES is the maximum number of bytes in the hash's length
+ * field. (SHA-384/512 have 128-bit length.) */
+#define MAX_HASH_BIT_COUNT_BYTES 16
+
+/* MAX_HASH_BLOCK_SIZE is the maximum hash block size that we'll support.
+ * Currently SHA-384/512 has a 128-byte block size and that's the largest
+ * supported by TLS.) */
+#define MAX_HASH_BLOCK_SIZE 128
+
+/* Some utility functions are needed:
+ *
+ * These macros return the given value with the MSB copied to all the other
+ * bits. They use the fact that arithmetic shift shifts-in the sign bit.
+ * However, this is not ensured by the C standard so you may need to replace
+ * them with something else on odd CPUs. */
+#define DUPLICATE_MSB_TO_ALL(x) ( (unsigned)( (int)(x) >> (sizeof(int)*8-1) ) )
+#define DUPLICATE_MSB_TO_ALL_8(x) ((unsigned char)(DUPLICATE_MSB_TO_ALL(x)))
+
+/* constant_time_lt returns 0xff if a<b and 0x00 otherwise. */
+static unsigned constant_time_lt(unsigned a, unsigned b)
+       {
+       a -= b;
+       return DUPLICATE_MSB_TO_ALL(a);
+       }
+
+/* constant_time_ge returns 0xff if a>=b and 0x00 otherwise. */
+static unsigned constant_time_ge(unsigned a, unsigned b)
+       {
+       a -= b;
+       return DUPLICATE_MSB_TO_ALL(~a);
+       }
+
+/* constant_time_eq_8 returns 0xff if a==b and 0x00 otherwise. */
+static unsigned char constant_time_eq_8(unsigned a, unsigned b)
+       {
+       unsigned c = a ^ b;
+       c--;
+       return DUPLICATE_MSB_TO_ALL_8(c);
+       }
+
+/* ssl3_cbc_remove_padding removes padding from the decrypted, SSLv3, CBC
+ * record in |rec| by updating |rec->length| in constant time.
+ *
+ * block_size: the block size of the cipher used to encrypt the record.
+ * returns:
+ *   0: (in non-constant time) if the record is publicly invalid.
+ *   1: if the padding was valid
+ *  -1: otherwise. */
+int ssl3_cbc_remove_padding(const SSL* s,
+                           SSL3_RECORD *rec,
+                           unsigned block_size,
+                           unsigned mac_size)
+       {
+       unsigned padding_length, good;
+       const unsigned overhead = 1 /* padding length byte */ + mac_size;
+
+       /* These lengths are all public so we can test them in non-constant
+        * time. */
+       if (overhead > rec->length)
+               return 0;
+
+       padding_length = rec->data[rec->length-1];
+       good = constant_time_ge(rec->length, padding_length+overhead);
+       /* SSLv3 requires that the padding is minimal. */
+       good &= constant_time_ge(block_size, padding_length+1);
+       padding_length = good & (padding_length+1);
+       rec->length -= padding_length;
+       rec->type |= padding_length<<8; /* kludge: pass padding length */
+       return (int)((good & 1) | (~good & -1));
+}
+
+/* tls1_cbc_remove_padding removes the CBC padding from the decrypted, TLS, CBC
+ * record in |rec| in constant time and returns 1 if the padding is valid and
+ * -1 otherwise. It also removes any explicit IV from the start of the record
+ * without leaking any timing about whether there was enough space after the
+ * padding was removed.
+ *
+ * block_size: the block size of the cipher used to encrypt the record.
+ * returns:
+ *   0: (in non-constant time) if the record is publicly invalid.
+ *   1: if the padding was valid
+ *  -1: otherwise. */
+int tls1_cbc_remove_padding(const SSL* s,
+                           SSL3_RECORD *rec,
+                           unsigned block_size,
+                           unsigned mac_size)
+       {
+       unsigned padding_length, good, to_check, i;
+       const unsigned overhead = 1 /* padding length byte */ + mac_size;
+       /* Check if version requires explicit IV */
+       if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER)
+               {
+               /* These lengths are all public so we can test them in
+                * non-constant time.
+                */
+               if (overhead + block_size > rec->length)
+                       return 0;
+               /* We can now safely skip explicit IV */
+               rec->data += block_size;
+               rec->input += block_size;
+               rec->length -= block_size;
+               }
+       else if (overhead > rec->length)
+               return 0;
+
+       padding_length = rec->data[rec->length-1];
+
+       /* NB: if compression is in operation the first packet may not be of
+        * even length so the padding bug check cannot be performed. This bug
+        * workaround has been around since SSLeay so hopefully it is either
+        * fixed now or no buggy implementation supports compression [steve]
+        */
+       if ( (s->options&SSL_OP_TLS_BLOCK_PADDING_BUG) && !s->expand)
+               {
+               /* First packet is even in size, so check */
+               if ((memcmp(s->s3->read_sequence, "\0\0\0\0\0\0\0\0",8) == 0) &&
+                   !(padding_length & 1))
+                       {
+                       s->s3->flags|=TLS1_FLAGS_TLS_PADDING_BUG;
+                       }
+               if ((s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG) &&
+                   padding_length > 0)
+                       {
+                       padding_length--;
+                       }
+               }
+
+       good = constant_time_ge(rec->length, overhead+padding_length);
+       /* The padding consists of a length byte at the end of the record and
+        * then that many bytes of padding, all with the same value as the
+        * length byte. Thus, with the length byte included, there are i+1
+        * bytes of padding.
+        *
+        * We can't check just |padding_length+1| bytes because that leaks
+        * decrypted information. Therefore we always have to check the maximum
+        * amount of padding possible. (Again, the length of the record is
+        * public information so we can use it.) */
+       to_check = 255; /* maximum amount of padding. */
+       if (to_check > rec->length-1)
+               to_check = rec->length-1;
+
+       for (i = 0; i < to_check; i++)
+               {
+               unsigned char mask = constant_time_ge(padding_length, i);
+               unsigned char b = rec->data[rec->length-1-i];
+               /* The final |padding_length+1| bytes should all have the value
+                * |padding_length|. Therefore the XOR should be zero. */
+               good &= ~(mask&(padding_length ^ b));
+               }
+
+       /* If any of the final |padding_length+1| bytes had the wrong value,
+        * one or more of the lower eight bits of |good| will be cleared. We
+        * AND the bottom 8 bits together and duplicate the result to all the
+        * bits. */
+       good &= good >> 4;
+       good &= good >> 2;
+       good &= good >> 1;
+       good <<= sizeof(good)*8-1;
+       good = DUPLICATE_MSB_TO_ALL(good);
+
+       padding_length = good & (padding_length+1);
+       rec->length -= padding_length;
+       rec->type |= padding_length<<8; /* kludge: pass padding length */
+
+       return (int)((good & 1) | (~good & -1));
+       }
+
+/* ssl3_cbc_copy_mac copies |md_size| bytes from the end of |rec| to |out| in
+ * constant time (independent of the concrete value of rec->length, which may
+ * vary within a 256-byte window).
+ *
+ * ssl3_cbc_remove_padding or tls1_cbc_remove_padding must be called prior to
+ * this function.
+ *
+ * On entry:
+ *   rec->orig_len >= md_size
+ *   md_size <= EVP_MAX_MD_SIZE
+ *
+ * If CBC_MAC_ROTATE_IN_PLACE is defined then the rotation is performed with
+ * variable accesses in a 64-byte-aligned buffer. Assuming that this fits into
+ * a single or pair of cache-lines, then the variable memory accesses don't
+ * actually affect the timing. CPUs with smaller cache-lines [if any] are
+ * not multi-core and are not considered vulnerable to cache-timing attacks.
+ */
+#define CBC_MAC_ROTATE_IN_PLACE
+
+void ssl3_cbc_copy_mac(unsigned char* out,
+                      const SSL3_RECORD *rec,
+                      unsigned md_size,unsigned orig_len)
+       {
+#if defined(CBC_MAC_ROTATE_IN_PLACE)
+       unsigned char rotated_mac_buf[64+EVP_MAX_MD_SIZE];
+       unsigned char *rotated_mac;
+#else
+       unsigned char rotated_mac[EVP_MAX_MD_SIZE];
+#endif
+
+       /* mac_end is the index of |rec->data| just after the end of the MAC. */
+       unsigned mac_end = rec->length;
+       unsigned mac_start = mac_end - md_size;
+       /* scan_start contains the number of bytes that we can ignore because
+        * the MAC's position can only vary by 255 bytes. */
+       unsigned scan_start = 0;
+       unsigned i, j;
+       unsigned div_spoiler;
+       unsigned rotate_offset;
+
+       OPENSSL_assert(orig_len >= md_size);
+       OPENSSL_assert(md_size <= EVP_MAX_MD_SIZE);
+
+#if defined(CBC_MAC_ROTATE_IN_PLACE)
+       rotated_mac = rotated_mac_buf + ((0-(size_t)rotated_mac_buf)&63);
+#endif
+
+       /* This information is public so it's safe to branch based on it. */
+       if (orig_len > md_size + 255 + 1)
+               scan_start = orig_len - (md_size + 255 + 1);
+       /* div_spoiler contains a multiple of md_size that is used to cause the
+        * modulo operation to be constant time. Without this, the time varies
+        * based on the amount of padding when running on Intel chips at least.
+        *
+        * The aim of right-shifting md_size is so that the compiler doesn't
+        * figure out that it can remove div_spoiler as that would require it
+        * to prove that md_size is always even, which I hope is beyond it. */
+       div_spoiler = md_size >> 1;
+       div_spoiler <<= (sizeof(div_spoiler)-1)*8;
+       rotate_offset = (div_spoiler + mac_start - scan_start) % md_size;
+
+       memset(rotated_mac, 0, md_size);
+       for (i = scan_start, j = 0; i < orig_len; i++)
+               {
+               unsigned char mac_started = constant_time_ge(i, mac_start);
+               unsigned char mac_ended = constant_time_ge(i, mac_end);
+               unsigned char b = rec->data[i];
+               rotated_mac[j++] |= b & mac_started & ~mac_ended;
+               j &= constant_time_lt(j,md_size);
+               }
+
+       /* Now rotate the MAC */
+#if defined(CBC_MAC_ROTATE_IN_PLACE)
+       j = 0;
+       for (i = 0; i < md_size; i++)
+               {
+               /* in case cache-line is 32 bytes, touch second line */
+               ((volatile unsigned char *)rotated_mac)[rotate_offset^32];
+               out[j++] = rotated_mac[rotate_offset++];
+               rotate_offset &= constant_time_lt(rotate_offset,md_size);
+               }
+#else
+       memset(out, 0, md_size);
+       rotate_offset = md_size - rotate_offset;
+       rotate_offset &= constant_time_lt(rotate_offset,md_size);
+       for (i = 0; i < md_size; i++)
+               {
+               for (j = 0; j < md_size; j++)
+                       out[j] |= rotated_mac[i] & constant_time_eq_8(j, rotate_offset);
+               rotate_offset++;
+               rotate_offset &= constant_time_lt(rotate_offset,md_size);
+               }
+#endif
+       }
+
+/* u32toLE serialises an unsigned, 32-bit number (n) as four bytes at (p) in
+ * little-endian order. The value of p is advanced by four. */
+#define u32toLE(n, p) \
+       (*((p)++)=(unsigned char)(n), \
+        *((p)++)=(unsigned char)(n>>8), \
+        *((p)++)=(unsigned char)(n>>16), \
+        *((p)++)=(unsigned char)(n>>24))
+
+/* These functions serialize the state of a hash and thus perform the standard
+ * "final" operation without adding the padding and length that such a function
+ * typically does. */
+static void tls1_md5_final_raw(void* ctx, unsigned char *md_out)
+       {
+       MD5_CTX *md5 = ctx;
+       u32toLE(md5->A, md_out);
+       u32toLE(md5->B, md_out);
+       u32toLE(md5->C, md_out);
+       u32toLE(md5->D, md_out);
+       }
+
+static void tls1_sha1_final_raw(void* ctx, unsigned char *md_out)
+       {
+       SHA_CTX *sha1 = ctx;
+       l2n(sha1->h0, md_out);
+       l2n(sha1->h1, md_out);
+       l2n(sha1->h2, md_out);
+       l2n(sha1->h3, md_out);
+       l2n(sha1->h4, md_out);
+       }
+#define LARGEST_DIGEST_CTX SHA_CTX
+
+#ifndef OPENSSL_NO_SHA256
+static void tls1_sha256_final_raw(void* ctx, unsigned char *md_out)
+       {
+       SHA256_CTX *sha256 = ctx;
+       unsigned i;
+
+       for (i = 0; i < 8; i++)
+               {
+               l2n(sha256->h[i], md_out);
+               }
+       }
+#undef  LARGEST_DIGEST_CTX
+#define LARGEST_DIGEST_CTX SHA256_CTX
+#endif
+
+#ifndef OPENSSL_NO_SHA512
+static void tls1_sha512_final_raw(void* ctx, unsigned char *md_out)
+       {
+       SHA512_CTX *sha512 = ctx;
+       unsigned i;
+
+       for (i = 0; i < 8; i++)
+               {
+               l2n8(sha512->h[i], md_out);
+               }
+       }
+#undef  LARGEST_DIGEST_CTX
+#define LARGEST_DIGEST_CTX SHA512_CTX
+#endif
+
+/* ssl3_cbc_record_digest_supported returns 1 iff |ctx| uses a hash function
+ * which ssl3_cbc_digest_record supports. */
+char ssl3_cbc_record_digest_supported(const EVP_MD *digest)
+       {
+#ifdef OPENSSL_FIPS
+       if (FIPS_mode())
+               return 0;
+#endif
+       switch (EVP_MD_type(digest))
+               {
+               case NID_md5:
+               case NID_sha1:
+#ifndef OPENSSL_NO_SHA256
+               case NID_sha224:
+               case NID_sha256:
+#endif
+#ifndef OPENSSL_NO_SHA512
+               case NID_sha384:
+               case NID_sha512:
+#endif
+                       return 1;
+               default:
+                       return 0;
+               }
+       }
+
+/* ssl3_cbc_digest_record computes the MAC of a decrypted, padded SSLv3/TLS
+ * record.
+ *
+ *   ctx: the EVP_MD_CTX from which we take the hash function.
+ *     ssl3_cbc_record_digest_supported must return true for this EVP_MD_CTX.
+ *   md_out: the digest output. At most EVP_MAX_MD_SIZE bytes will be written.
+ *   md_out_size: if non-NULL, the number of output bytes is written here.
+ *   header: the 13-byte, TLS record header.
+ *   data: the record data itself, less any preceeding explicit IV.
+ *   data_plus_mac_size: the secret, reported length of the data and MAC
+ *     once the padding has been removed.
+ *   data_plus_mac_plus_padding_size: the public length of the whole
+ *     record, including padding.
+ *   is_sslv3: non-zero if we are to use SSLv3. Otherwise, TLS.
+ *
+ * On entry: by virtue of having been through one of the remove_padding
+ * functions, above, we know that data_plus_mac_size is large enough to contain
+ * a padding byte and MAC. (If the padding was invalid, it might contain the
+ * padding too. ) */
+void ssl3_cbc_digest_record(
+       const EVP_MD *digest,
+       unsigned char* md_out,
+       size_t* md_out_size,
+       const unsigned char header[13],
+       const unsigned char *data,
+       size_t data_plus_mac_size,
+       size_t data_plus_mac_plus_padding_size,
+       const unsigned char *mac_secret,
+       unsigned mac_secret_length,
+       char is_sslv3)
+       {
+       union { double align;
+               unsigned char c[sizeof(LARGEST_DIGEST_CTX)]; } md_state;
+       void (*md_final_raw)(void *ctx, unsigned char *md_out);
+       void (*md_transform)(void *ctx, const unsigned char *block);
+       unsigned md_size, md_block_size = 64;
+       unsigned sslv3_pad_length = 40, header_length, variance_blocks,
+                len, max_mac_bytes, num_blocks,
+                num_starting_blocks, k, mac_end_offset, c, index_a, index_b;
+       unsigned int bits;      /* at most 18 bits */
+       unsigned char length_bytes[MAX_HASH_BIT_COUNT_BYTES];
+       /* hmac_pad is the masked HMAC key. */
+       unsigned char hmac_pad[MAX_HASH_BLOCK_SIZE];
+       unsigned char first_block[MAX_HASH_BLOCK_SIZE];
+       unsigned char mac_out[EVP_MAX_MD_SIZE];
+       unsigned i, j, md_out_size_u;
+       EVP_MD_CTX md_ctx;
+       /* mdLengthSize is the number of bytes in the length field that terminates
+       * the hash. */
+       unsigned md_length_size = 8;
+       char length_is_big_endian = 1;
+
+       /* This is a, hopefully redundant, check that allows us to forget about
+        * many possible overflows later in this function. */
+       OPENSSL_assert(data_plus_mac_plus_padding_size < 1024*1024);
+
+       switch (EVP_MD_type(digest))
+               {
+               case NID_md5:
+                       MD5_Init((MD5_CTX*)md_state.c);
+                       md_final_raw = tls1_md5_final_raw;
+                       md_transform = (void(*)(void *ctx, const unsigned char *block)) MD5_Transform;
+                       md_size = 16;
+                       sslv3_pad_length = 48;
+                       length_is_big_endian = 0;
+                       break;
+               case NID_sha1:
+                       SHA1_Init((SHA_CTX*)md_state.c);
+                       md_final_raw = tls1_sha1_final_raw;
+                       md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA1_Transform;
+                       md_size = 20;
+                       break;
+#ifndef OPENSSL_NO_SHA256
+               case NID_sha224:
+                       SHA224_Init((SHA256_CTX*)md_state.c);
+                       md_final_raw = tls1_sha256_final_raw;
+                       md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA256_Transform;
+                       md_size = 224/8;
+                       break;
+               case NID_sha256:
+                       SHA256_Init((SHA256_CTX*)md_state.c);
+                       md_final_raw = tls1_sha256_final_raw;
+                       md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA256_Transform;
+                       md_size = 32;
+                       break;
+#endif
+#ifndef OPENSSL_NO_SHA512
+               case NID_sha384:
+                       SHA384_Init((SHA512_CTX*)md_state.c);
+                       md_final_raw = tls1_sha512_final_raw;
+                       md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA512_Transform;
+                       md_size = 384/8;
+                       md_block_size = 128;
+                       md_length_size = 16;
+                       break;
+               case NID_sha512:
+                       SHA512_Init((SHA512_CTX*)md_state.c);
+                       md_final_raw = tls1_sha512_final_raw;
+                       md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA512_Transform;
+                       md_size = 64;
+                       md_block_size = 128;
+                       md_length_size = 16;
+                       break;
+#endif
+               default:
+                       /* ssl3_cbc_record_digest_supported should have been
+                        * called first to check that the hash function is
+                        * supported. */
+                       OPENSSL_assert(0);
+                       if (md_out_size)
+                               *md_out_size = -1;
+                       return;
+               }
+
+       OPENSSL_assert(md_length_size <= MAX_HASH_BIT_COUNT_BYTES);
+       OPENSSL_assert(md_block_size <= MAX_HASH_BLOCK_SIZE);
+       OPENSSL_assert(md_size <= EVP_MAX_MD_SIZE);
+
+       header_length = 13;
+       if (is_sslv3)
+               {
+               header_length =
+                       mac_secret_length +
+                       sslv3_pad_length +
+                       8 /* sequence number */ +
+                       1 /* record type */ +
+                       2 /* record length */;
+               }
+
+       /* variance_blocks is the number of blocks of the hash that we have to
+        * calculate in constant time because they could be altered by the
+        * padding value.
+        *
+        * In SSLv3, the padding must be minimal so the end of the plaintext
+        * varies by, at most, 15+20 = 35 bytes. (We conservatively assume that
+        * the MAC size varies from 0..20 bytes.) In case the 9 bytes of hash
+        * termination (0x80 + 64-bit length) don't fit in the final block, we
+        * say that the final two blocks can vary based on the padding.
+        *
+        * TLSv1 has MACs up to 48 bytes long (SHA-384) and the padding is not
+        * required to be minimal. Therefore we say that the final six blocks
+        * can vary based on the padding.
+        *
+        * Later in the function, if the message is short and there obviously
+        * cannot be this many blocks then variance_blocks can be reduced. */
+       variance_blocks = is_sslv3 ? 2 : 6;
+       /* From now on we're dealing with the MAC, which conceptually has 13
+        * bytes of `header' before the start of the data (TLS) or 71/75 bytes
+        * (SSLv3) */
+       len = data_plus_mac_plus_padding_size + header_length;
+       /* max_mac_bytes contains the maximum bytes of bytes in the MAC, including
+       * |header|, assuming that there's no padding. */
+       max_mac_bytes = len - md_size - 1;
+       /* num_blocks is the maximum number of hash blocks. */
+       num_blocks = (max_mac_bytes + 1 + md_length_size + md_block_size - 1) / md_block_size;
+       /* In order to calculate the MAC in constant time we have to handle
+        * the final blocks specially because the padding value could cause the
+        * end to appear somewhere in the final |variance_blocks| blocks and we
+        * can't leak where. However, |num_starting_blocks| worth of data can
+        * be hashed right away because no padding value can affect whether
+        * they are plaintext. */
+       num_starting_blocks = 0;
+       /* k is the starting byte offset into the conceptual header||data where
+        * we start processing. */
+       k = 0;
+       /* mac_end_offset is the index just past the end of the data to be
+        * MACed. */
+       mac_end_offset = data_plus_mac_size + header_length - md_size;
+       /* c is the index of the 0x80 byte in the final hash block that
+        * contains application data. */
+       c = mac_end_offset % md_block_size;
+       /* index_a is the hash block number that contains the 0x80 terminating
+        * value. */
+       index_a = mac_end_offset / md_block_size;
+       /* index_b is the hash block number that contains the 64-bit hash
+        * length, in bits. */
+       index_b = (mac_end_offset + md_length_size) / md_block_size;
+       /* bits is the hash-length in bits. It includes the additional hash
+        * block for the masked HMAC key, or whole of |header| in the case of
+        * SSLv3. */
+
+       /* For SSLv3, if we're going to have any starting blocks then we need
+        * at least two because the header is larger than a single block. */
+       if (num_blocks > variance_blocks + (is_sslv3 ? 1 : 0))
+               {
+               num_starting_blocks = num_blocks - variance_blocks;
+               k = md_block_size*num_starting_blocks;
+               }
+
+       bits = 8*mac_end_offset;
+       if (!is_sslv3)
+               {
+               /* Compute the initial HMAC block. For SSLv3, the padding and
+                * secret bytes are included in |header| because they take more
+                * than a single block. */
+               bits += 8*md_block_size;
+               memset(hmac_pad, 0, md_block_size);
+               OPENSSL_assert(mac_secret_length <= sizeof(hmac_pad));
+               memcpy(hmac_pad, mac_secret, mac_secret_length);
+               for (i = 0; i < md_block_size; i++)
+                       hmac_pad[i] ^= 0x36;
+
+               md_transform(md_state.c, hmac_pad);
+               }
+
+       if (length_is_big_endian)
+               {
+               memset(length_bytes,0,md_length_size-4);
+               length_bytes[md_length_size-4] = (unsigned char)(bits>>24);
+               length_bytes[md_length_size-3] = (unsigned char)(bits>>16);
+               length_bytes[md_length_size-2] = (unsigned char)(bits>>8);
+               length_bytes[md_length_size-1] = (unsigned char)bits;
+               }
+       else
+               {
+               memset(length_bytes,0,md_length_size);
+               length_bytes[md_length_size-5] = (unsigned char)(bits>>24);
+               length_bytes[md_length_size-6] = (unsigned char)(bits>>16);
+               length_bytes[md_length_size-7] = (unsigned char)(bits>>8);
+               length_bytes[md_length_size-8] = (unsigned char)bits;
+               }
+
+       if (k > 0)
+               {
+               if (is_sslv3)
+                       {
+                       /* The SSLv3 header is larger than a single block.
+                        * overhang is the number of bytes beyond a single
+                        * block that the header consumes: either 7 bytes
+                        * (SHA1) or 11 bytes (MD5). */
+                       unsigned overhang = header_length-md_block_size;
+                       md_transform(md_state.c, header);
+                       memcpy(first_block, header + md_block_size, overhang);
+                       memcpy(first_block + overhang, data, md_block_size-overhang);
+                       md_transform(md_state.c, first_block);
+                       for (i = 1; i < k/md_block_size - 1; i++)
+                               md_transform(md_state.c, data + md_block_size*i - overhang);
+                       }
+               else
+                       {
+                       /* k is a multiple of md_block_size. */
+                       memcpy(first_block, header, 13);
+                       memcpy(first_block+13, data, md_block_size-13);
+                       md_transform(md_state.c, first_block);
+                       for (i = 1; i < k/md_block_size; i++)
+                               md_transform(md_state.c, data + md_block_size*i - 13);
+                       }
+               }
+
+       memset(mac_out, 0, sizeof(mac_out));
+
+       /* We now process the final hash blocks. For each block, we construct
+        * it in constant time. If the |i==index_a| then we'll include the 0x80
+        * bytes and zero pad etc. For each block we selectively copy it, in
+        * constant time, to |mac_out|. */
+       for (i = num_starting_blocks; i <= num_starting_blocks+variance_blocks; i++)
+               {
+               unsigned char block[MAX_HASH_BLOCK_SIZE];
+               unsigned char is_block_a = constant_time_eq_8(i, index_a);
+               unsigned char is_block_b = constant_time_eq_8(i, index_b);
+               for (j = 0; j < md_block_size; j++)
+                       {
+                       unsigned char b = 0, is_past_c, is_past_cp1;
+                       if (k < header_length)
+                               b = header[k];
+                       else if (k < data_plus_mac_plus_padding_size + header_length)
+                               b = data[k-header_length];
+                       k++;
+
+                       is_past_c = is_block_a & constant_time_ge(j, c);
+                       is_past_cp1 = is_block_a & constant_time_ge(j, c+1);
+                       /* If this is the block containing the end of the
+                        * application data, and we are at the offset for the
+                        * 0x80 value, then overwrite b with 0x80. */
+                       b = (b&~is_past_c) | (0x80&is_past_c);
+                       /* If this the the block containing the end of the
+                        * application data and we're past the 0x80 value then
+                        * just write zero. */
+                       b = b&~is_past_cp1;
+                       /* If this is index_b (the final block), but not
+                        * index_a (the end of the data), then the 64-bit
+                        * length didn't fit into index_a and we're having to
+                        * add an extra block of zeros. */
+                       b &= ~is_block_b | is_block_a;
+
+                       /* The final bytes of one of the blocks contains the
+                        * length. */
+                       if (j >= md_block_size - md_length_size)
+                               {
+                               /* If this is index_b, write a length byte. */
+                               b = (b&~is_block_b) | (is_block_b&length_bytes[j-(md_block_size-md_length_size)]);
+                               }
+                       block[j] = b;
+                       }
+
+               md_transform(md_state.c, block);
+               md_final_raw(md_state.c, block);
+               /* If this is index_b, copy the hash value to |mac_out|. */
+               for (j = 0; j < md_size; j++)
+                       mac_out[j] |= block[j]&is_block_b;
+               }
+
+       EVP_MD_CTX_init(&md_ctx);
+       EVP_DigestInit_ex(&md_ctx, digest, NULL /* engine */);
+       if (is_sslv3)
+               {
+               /* We repurpose |hmac_pad| to contain the SSLv3 pad2 block. */
+               memset(hmac_pad, 0x5c, sslv3_pad_length);
+
+               EVP_DigestUpdate(&md_ctx, mac_secret, mac_secret_length);
+               EVP_DigestUpdate(&md_ctx, hmac_pad, sslv3_pad_length);
+               EVP_DigestUpdate(&md_ctx, mac_out, md_size);
+               }
+       else
+               {
+               /* Complete the HMAC in the standard manner. */
+               for (i = 0; i < md_block_size; i++)
+                       hmac_pad[i] ^= 0x6a;
+
+               EVP_DigestUpdate(&md_ctx, hmac_pad, md_block_size);
+               EVP_DigestUpdate(&md_ctx, mac_out, md_size);
+               }
+       EVP_DigestFinal(&md_ctx, md_out, &md_out_size_u);
+       if (md_out_size)
+               *md_out_size = md_out_size_u;
+       EVP_MD_CTX_cleanup(&md_ctx);
+       }
+
+#ifdef OPENSSL_FIPS
+
+/* Due to the need to use EVP in FIPS mode we can't reimplement digests but
+ * we can ensure the number of blocks processed is equal for all cases
+ * by digesting additional data.
+ */
+
+void tls_fips_digest_extra(
+       const EVP_CIPHER_CTX *cipher_ctx, const EVP_MD *hash, HMAC_CTX *hctx,
+       const unsigned char *data, size_t data_len, size_t orig_len)
+       {
+       size_t block_size, digest_pad, blocks_data, blocks_orig;
+       if (EVP_CIPHER_CTX_mode(cipher_ctx) != EVP_CIPH_CBC_MODE)
+               return;
+       block_size = EVP_MD_block_size(hash);
+       /* We are in FIPS mode if we get this far so we know we have only SHA*
+        * digests and TLS to deal with.
+        * Minimum digest padding length is 17 for SHA384/SHA512 and 9
+        * otherwise.
+        * Additional header is 13 bytes. To get the number of digest blocks
+        * processed round up the amount of data plus padding to the nearest
+        * block length. Block length is 128 for SHA384/SHA512 and 64 otherwise.
+        * So we have:
+        * blocks = (payload_len + digest_pad + 13 + block_size - 1)/block_size
+        * equivalently:
+        * blocks = (payload_len + digest_pad + 12)/block_size + 1
+        * HMAC adds a constant overhead.
+        * We're ultimately only interested in differences so this becomes
+        * blocks = (payload_len + 29)/128
+        * for SHA384/SHA512 and
+        * blocks = (payload_len + 21)/64
+        * otherwise.
+        */
+       digest_pad = block_size == 64 ? 21 : 29;
+       blocks_orig = (orig_len + digest_pad)/block_size;
+       blocks_data = (data_len + digest_pad)/block_size;
+       /* MAC enough blocks to make up the difference between the original
+        * and actual lengths plus one extra block to ensure this is never a
+        * no op. The "data" pointer should always have enough space to
+        * perform this operation as it is large enough for a maximum
+        * length TLS buffer. 
+        */
+       HMAC_Update(hctx, data,
+                               (blocks_orig - blocks_data + 1) * block_size);
+       }
+#endif
diff -up openssl-fips-0.9.8e/ssl/s3_enc.c.lucky13 openssl-fips-0.9.8e/ssl/s3_enc.c
--- openssl-fips-0.9.8e/ssl/s3_enc.c.lucky13    2013-02-25 14:56:11.285381591 +0100
+++ openssl-fips-0.9.8e/ssl/s3_enc.c    2013-02-25 14:56:11.407381902 +0100
@@ -434,12 +434,21 @@ void ssl3_cleanup_key_block(SSL *s)
        s->s3->tmp.key_block_length=0;
        }
 
+/* ssl3_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively.
+ *
+ * Returns:
+ *   0: (in non-constant time) if the record is publically invalid (i.e. too
+ *       short etc).
+ *   1: if the record's padding is valid / the encryption was successful.
+ *   -1: if the record's padding is invalid or, if sending, an internal error
+ *       occured.
+ */
 int ssl3_enc(SSL *s, int send)
        {
        SSL3_RECORD *rec;
        EVP_CIPHER_CTX *ds;
        unsigned long l;
-       int bs,i;
+       int bs,i,mac_size=0;
        const EVP_CIPHER *enc;
 
        if (send)
@@ -490,32 +499,17 @@ int ssl3_enc(SSL *s, int send)
                if (!send)
                        {
                        if (l == 0 || l%bs != 0)
-                               {
-                               SSLerr(SSL_F_SSL3_ENC,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
-                               ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPTION_FAILED);
                                return 0;
-                               }
                        /* otherwise, rec->length >= bs */
                        }
                
                EVP_Cipher(ds,rec->data,rec->input,l);
 
+               if (s->read_hash != NULL)
+                       mac_size = EVP_MD_size(s->read_hash);
+
                if ((bs != 1) && !send)
-                       {
-                       i=rec->data[l-1]+1;
-                       /* SSL 3.0 bounds the number of padding bytes by the block size;
-                        * padding bytes (except the last one) are arbitrary */
-                       if (i > bs)
-                               {
-                               /* Incorrect padding. SSLerr() and ssl3_alert are done
-                                * by caller: we don't want to reveal whether this is
-                                * a decryption error or a MAC verification failure
-                                * (see http://www.openssl.org/~bodo/tls-cbc.txt) */
-                               return -1;
-                               }
-                       /* now i <= bs <= rec->length */
-                       rec->length-=i;
-                       }
+                       return ssl3_cbc_remove_padding(s, rec, bs, mac_size);
                }
        return(1);
        }
@@ -592,7 +586,7 @@ int ssl3_mac(SSL *ssl, unsigned char *md
        EVP_MD_CTX md_ctx;
        const EVP_MD *hash;
        unsigned char *p,rec_char;
-       unsigned int md_size;
+       size_t md_size, orig_len;
        int npad;
 
        if (send)
@@ -613,28 +607,72 @@ int ssl3_mac(SSL *ssl, unsigned char *md
        md_size=EVP_MD_size(hash);
        npad=(48/md_size)*md_size;
 
-       /* Chop the digest off the end :-) */
-       EVP_MD_CTX_init(&md_ctx);
-
-       EVP_DigestInit_ex(  &md_ctx,hash, NULL);
-       EVP_DigestUpdate(&md_ctx,mac_sec,md_size);
-       EVP_DigestUpdate(&md_ctx,ssl3_pad_1,npad);
-       EVP_DigestUpdate(&md_ctx,seq,8);
-       rec_char=rec->type;
-       EVP_DigestUpdate(&md_ctx,&rec_char,1);
-       p=md;
-       s2n(rec->length,p);
-       EVP_DigestUpdate(&md_ctx,md,2);
-       EVP_DigestUpdate(&md_ctx,rec->input,rec->length);
-       EVP_DigestFinal_ex( &md_ctx,md,NULL);
-
-       EVP_DigestInit_ex(  &md_ctx,hash, NULL);
-       EVP_DigestUpdate(&md_ctx,mac_sec,md_size);
-       EVP_DigestUpdate(&md_ctx,ssl3_pad_2,npad);
-       EVP_DigestUpdate(&md_ctx,md,md_size);
-       EVP_DigestFinal_ex( &md_ctx,md,&md_size);
+       /* kludge: ssl3_cbc_remove_padding passes padding length in rec->type */
+       orig_len = rec->length+md_size+((unsigned int)rec->type>>8);
+       rec->type &= 0xff;
+
+       if (!send &&
+           EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
+           ssl3_cbc_record_digest_supported(hash))
+               {
+               /* This is a CBC-encrypted record. We must avoid leaking any
+                * timing-side channel information about how many blocks of
+                * data we are hashing because that gives an attacker a
+                * timing-oracle. */
+
+               /* npad is, at most, 48 bytes and that's with MD5:
+                *   16 + 48 + 8 (sequence bytes) + 1 + 2 = 75.
+                *
+                * With SHA-1 (the largest hash speced for SSLv3) the hash size
+                * goes up 4, but npad goes down by 8, resulting in a smaller
+                * total size. */
+               unsigned char header[75];
+               unsigned j = 0;
+               memcpy(header+j, mac_sec, md_size);
+               j += md_size;
+               memcpy(header+j, ssl3_pad_1, npad);
+               j += npad;
+               memcpy(header+j, seq, 8);
+               j += 8;
+               header[j++] = rec->type;
+               header[j++] = rec->length >> 8;
+               header[j++] = rec->length & 0xff;
+
+               ssl3_cbc_digest_record(
+                       hash,
+                       md, &md_size,
+                       header, rec->input,
+                       rec->length + md_size, orig_len,
+                       mac_sec, md_size,
+                       1 /* is SSLv3 */);
+               }
+       else
+               {
+               unsigned int md_size_u;
+               /* Chop the digest off the end :-) */
+               EVP_MD_CTX_init(&md_ctx);
+
+               EVP_DigestInit_ex( &md_ctx,hash, NULL);
+               EVP_DigestUpdate(&md_ctx,mac_sec,md_size);
+               EVP_DigestUpdate(&md_ctx,ssl3_pad_1,npad);
+               EVP_DigestUpdate(&md_ctx,seq,8);
+               rec_char=rec->type;
+               EVP_DigestUpdate(&md_ctx,&rec_char,1);
+               p=md;
+               s2n(rec->length,p);
+               EVP_DigestUpdate(&md_ctx,md,2);
+               EVP_DigestUpdate(&md_ctx,rec->input,rec->length);
+               EVP_DigestFinal_ex( &md_ctx,md,NULL);
+
+               EVP_DigestInit_ex( &md_ctx,hash, NULL);
+               EVP_DigestUpdate(&md_ctx,mac_sec,md_size);
+               EVP_DigestUpdate(&md_ctx,ssl3_pad_2,npad);
+               EVP_DigestUpdate(&md_ctx,md,md_size);
+               EVP_DigestFinal_ex( &md_ctx,md,&md_size_u);
+               md_size = md_size_u;
 
-       EVP_MD_CTX_cleanup(&md_ctx);
+               EVP_MD_CTX_cleanup(&md_ctx);
+       }
 
        ssl3_record_sequence_update(seq);
        return(md_size);
diff -up openssl-fips-0.9.8e/ssl/s3_pkt.c.lucky13 openssl-fips-0.9.8e/ssl/s3_pkt.c
--- openssl-fips-0.9.8e/ssl/s3_pkt.c.lucky13    2013-02-25 14:56:11.225381423 +0100
+++ openssl-fips-0.9.8e/ssl/s3_pkt.c    2013-02-25 14:56:11.408381905 +0100
@@ -237,11 +237,8 @@ static int ssl3_get_record(SSL *s)
        unsigned char *p;
        unsigned char md[EVP_MAX_MD_SIZE];
        short version;
-       unsigned int mac_size;
-       int clear=0;
+       unsigned mac_size, orig_len;
        size_t extra;
-       int decryption_failed_or_bad_record_mac = 0;
-       unsigned char *mac = NULL;
 
        rr= &(s->s3->rrec);
        sess=s->session;
@@ -347,17 +344,15 @@ again:
        rr->data=rr->input;
 
        enc_err = s->method->ssl3_enc->enc(s,0);
-       if (enc_err <= 0)
+       /* enc_err is:
+        *    0: (in non-constant time) if the record is publically invalid.
+        *    1: if the padding is valid
+        *    -1: if the padding is invalid */
+       if (enc_err == 0)
                {
-               if (enc_err == 0)
-                       /* SSLerr() and ssl3_send_alert() have been called */
-                       goto err;
-
-               /* Otherwise enc_err == -1, which indicates bad padding
-                * (rec->length has not been changed in this case).
-                * To minimize information leaked via timing, we will perform
-                * the MAC computation anyway. */
-               decryption_failed_or_bad_record_mac = 1;
+               al=SSL_AD_DECRYPTION_FAILED;
+               SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
+               goto f_err;
                }
 
 #ifdef TLS_DEBUG
@@ -367,51 +362,62 @@ printf("\n");
 #endif
 
        /* r->length is now the compressed data plus mac */
-       if (    (sess == NULL) ||
-               (s->enc_read_ctx == NULL) ||
-               (s->read_hash == NULL))
-               clear=1;
-
-       if (!clear)
-               {
+       if ((sess != NULL) &&
+           (s->enc_read_ctx != NULL) &&
+           (s->read_hash != NULL))
+               {
+               /* s->read_hash != NULL => mac_size != -1 */
+               unsigned char *mac = NULL;
+               unsigned char mac_tmp[EVP_MAX_MD_SIZE];
                mac_size=EVP_MD_size(s->read_hash);
+               OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE);
 
-               if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+extra+mac_size)
+               /* kludge: *_cbc_remove_padding passes padding length in rr->type */
+               orig_len = rr->length+((unsigned int)rr->type>>8);
+
+               /* orig_len is the length of the record before any padding was
+                * removed. This is public information, as is the MAC in use,
+                * therefore we can safely process the record in a different
+                * amount of time if it's too short to possibly contain a MAC.
+                */
+               if (orig_len < mac_size ||
+                   /* CBC records must have a padding length byte too. */
+                   (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
+                    orig_len < mac_size+1))
                        {
-#if 0 /* OK only for stream ciphers (then rr->length is visible from ciphertext anyway) */
-                       al=SSL_AD_RECORD_OVERFLOW;
-                       SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG);
+                       al=SSL_AD_DECODE_ERROR;
+                       SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_LENGTH_TOO_SHORT);
                        goto f_err;
-#else
-                       decryption_failed_or_bad_record_mac = 1;
-#endif                 
                        }
-               /* check the MAC for rr->input (it's in mac_size bytes at the tail) */
-               if (rr->length >= mac_size)
+
+               if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE)
                        {
+                       /* We update the length so that the TLS header bytes
+                        * can be constructed correctly but we need to extract
+                        * the MAC in constant time from within the record,
+                        * without leaking the contents of the padding bytes.
+                        * */
+                       mac = mac_tmp;
+                       ssl3_cbc_copy_mac(mac_tmp, rr, mac_size, orig_len);
                        rr->length -= mac_size;
-                       mac = &rr->data[rr->length];
                        }
                else
                        {
-                       /* record (minus padding) is too short to contain a MAC */
-#if 0 /* OK only for stream ciphers */
-                       al=SSL_AD_DECODE_ERROR;
-                       SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_LENGTH_TOO_SHORT);
-                       goto f_err;
-#else
-                       decryption_failed_or_bad_record_mac = 1;
-                       rr->length = 0;
-#endif
-                       }
-               i=s->method->ssl3_enc->mac(s,md,0);
-               if (mac == NULL || memcmp(md, mac, mac_size) != 0)
-                       {
-                       decryption_failed_or_bad_record_mac = 1;
+                       /* In this case there's no padding, so |orig_len|
+                        * equals |rec->length| and we checked that there's
+                        * enough bytes for |mac_size| above. */
+                       rr->length -= mac_size;
+                       mac = &rr->data[rr->length];
                        }
+
+               i=s->method->ssl3_enc->mac(s,md,0 /* not send */);
+               if (i < 0 || mac == NULL || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0)
+                       enc_err = -1;
+               if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+extra+mac_size)
+                       enc_err = -1;
                }
 
-       if (decryption_failed_or_bad_record_mac)
+       if (enc_err < 0)
                {
                /* A separate 'decryption_failed' alert was introduced with TLS 1.0,
                 * SSL 3.0 only has 'bad_record_mac'.  But unless a decryption
diff -up openssl-fips-0.9.8e/ssl/ssl_locl.h.lucky13 openssl-fips-0.9.8e/ssl/ssl_locl.h
--- openssl-fips-0.9.8e/ssl/ssl_locl.h.lucky13  2013-02-25 14:56:11.219381406 +0100
+++ openssl-fips-0.9.8e/ssl/ssl_locl.h  2013-02-25 14:57:27.348538698 +0100
@@ -133,6 +133,7 @@
 #ifndef OPENSSL_NO_DSA
 #include <openssl/dsa.h>
 #endif
+#include <openssl/hmac.h>
 #include <openssl/err.h>
 #include <openssl/ssl.h>
 #include <openssl/symhacks.h>
@@ -187,6 +188,15 @@
                         *((c)++)=(unsigned char)(((l)>> 8)&0xff), \
                         *((c)++)=(unsigned char)(((l)    )&0xff))
 
+#define l2n8(l,c)      (*((c)++)=(unsigned char)(((l)>>56)&0xff), \
+                        *((c)++)=(unsigned char)(((l)>>48)&0xff), \
+                        *((c)++)=(unsigned char)(((l)>>40)&0xff), \
+                        *((c)++)=(unsigned char)(((l)>>32)&0xff), \
+                        *((c)++)=(unsigned char)(((l)>>24)&0xff), \
+                        *((c)++)=(unsigned char)(((l)>>16)&0xff), \
+                        *((c)++)=(unsigned char)(((l)>> 8)&0xff), \
+                        *((c)++)=(unsigned char)(((l)    )&0xff))
+
 #define n2l6(c,l)      (l =((BN_ULLONG)(*((c)++)))<<40, \
                         l|=((BN_ULLONG)(*((c)++)))<<32, \
                         l|=((BN_ULLONG)(*((c)++)))<<24, \
@@ -946,5 +956,33 @@ int ssl_add_clienthello_renegotiate_ext(
                                        int maxlen);
 int ssl_parse_clienthello_renegotiate_ext(SSL *s, unsigned char *d, int len,
                                          int *al);
+/* s3_cbc.c */
+void ssl3_cbc_copy_mac(unsigned char* out,
+                      const SSL3_RECORD *rec,
+                      unsigned md_size,unsigned orig_len);
+int ssl3_cbc_remove_padding(const SSL* s,
+                           SSL3_RECORD *rec,
+                           unsigned block_size,
+                           unsigned mac_size);
+int tls1_cbc_remove_padding(const SSL* s,
+                           SSL3_RECORD *rec,
+                           unsigned block_size,
+                           unsigned mac_size);
+char ssl3_cbc_record_digest_supported(const EVP_MD *hash);
+void ssl3_cbc_digest_record(
+       const EVP_MD *hash,
+       unsigned char* md_out,
+       size_t* md_out_size,
+       const unsigned char header[13],
+       const unsigned char *data,
+       size_t data_plus_mac_size,
+       size_t data_plus_mac_plus_padding_size,
+       const unsigned char *mac_secret,
+       unsigned mac_secret_length,
+       char is_sslv3);
+
+void tls_fips_digest_extra(
+       const EVP_CIPHER_CTX *cipher_ctx, const EVP_MD *hash, HMAC_CTX *hctx,
+       const unsigned char *data, size_t data_len, size_t orig_len);
 
 #endif
diff -up openssl-fips-0.9.8e/ssl/t1_enc.c.lucky13 openssl-fips-0.9.8e/ssl/t1_enc.c
--- openssl-fips-0.9.8e/ssl/t1_enc.c.lucky13    2013-02-25 14:56:11.027380889 +0100
+++ openssl-fips-0.9.8e/ssl/t1_enc.c    2013-02-25 15:30:15.511540650 +0100
@@ -523,18 +523,25 @@ err:
        return(0);
        }
 
+/* tls1_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively.
+ *
+ * Returns:
+ *   0: (in non-constant time) if the record is publically invalid (i.e. too
+ *       short etc).
+ *   1: if the record's padding is valid / the encryption was successful.
+ *   -1: if the record's padding/AEAD-authenticator is invalid or, if sending,
+ *       an internal error occured.
+ */
 int tls1_enc(SSL *s, int send)
        {
        SSL3_RECORD *rec;
        EVP_CIPHER_CTX *ds;
        unsigned long l;
-       int bs,i,ii,j,k,n=0;
+       int bs,i,j,k,pad=0,ret,mac_size=0;
        const EVP_CIPHER *enc;
 
        if (send)
                {
-               if (s->write_hash != NULL)
-                       n=EVP_MD_size(s->write_hash);
                ds=s->enc_write_ctx;
                rec= &(s->s3->wrec);
                if (s->enc_write_ctx == NULL)
@@ -544,8 +551,6 @@ int tls1_enc(SSL *s, int send)
                }
        else
                {
-               if (s->read_hash != NULL)
-                       n=EVP_MD_size(s->read_hash);
                ds=s->enc_read_ctx;
                rec= &(s->s3->rrec);
                if (s->enc_read_ctx == NULL)
@@ -558,11 +563,11 @@ int tls1_enc(SSL *s, int send)
        printf("tls1_enc(%d)\n", send);
 #endif    /* KSSL_DEBUG */
 
-       if ((s->session == NULL) || (ds == NULL) ||
-               (enc == NULL))
+       if ((s->session == NULL) || (ds == NULL) || (enc == NULL))
                {
                memmove(rec->data,rec->input,rec->length);
                rec->input=rec->data;
+               ret = 1;
                }
        else
                {
@@ -609,11 +614,7 @@ int tls1_enc(SSL *s, int send)
                if (!send)
                        {
                        if (l == 0 || l%bs != 0)
-                               {
-                               SSLerr(SSL_F_TLS1_ENC,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
-                               ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPTION_FAILED);
                                return 0;
-                               }
                        }
                
                EVP_Cipher(ds,rec->data,rec->input,l);
@@ -627,49 +628,15 @@ int tls1_enc(SSL *s, int send)
                 }
 #endif /* KSSL_DEBUG */
 
+               ret = 1;
+               if (s->read_hash != NULL)
+                       mac_size = EVP_MD_size(s->read_hash);
                if ((bs != 1) && !send)
-                       {
-                       ii=i=rec->data[l-1]; /* padding_length */
-                       i++;
-                       /* NB: if compression is in operation the first packet
-                        * may not be of even length so the padding bug check
-                        * cannot be performed. This bug workaround has been
-                        * around since SSLeay so hopefully it is either fixed
-                        * now or no buggy implementation supports compression 
-                        * [steve]
-                        */
-                       if ( (s->options&SSL_OP_TLS_BLOCK_PADDING_BUG)
-                               && !s->expand)
-                               {
-                               /* First packet is even in size, so check */
-                               if ((memcmp(s->s3->read_sequence,
-                                       "\0\0\0\0\0\0\0\0",8) == 0) && !(ii & 1))
-                                       s->s3->flags|=TLS1_FLAGS_TLS_PADDING_BUG;
-                               if (s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG)
-                                       i--;
-                               }
-                       /* TLS 1.0 does not bound the number of padding bytes by the block size.
-                        * All of them must have value 'padding_length'. */
-                       if (i > (int)rec->length)
-                               {
-                               /* Incorrect padding. SSLerr() and ssl3_alert are done
-                                * by caller: we don't want to reveal whether this is
-                                * a decryption error or a MAC verification failure
-                                * (see http://www.openssl.org/~bodo/tls-cbc.txt) */
-                               return -1;
-                               }
-                       for (j=(int)(l-i); j<(int)l; j++)
-                               {
-                               if (rec->data[j] != ii)
-                                       {
-                                       /* Incorrect padding */
-                                       return -1;
-                                       }
-                               }
-                       rec->length-=i;
-                       }
+                       ret = tls1_cbc_remove_padding(s, rec, bs, mac_size);
+               if (pad && !send)
+                       rec->length -= pad;
                }
-       return(1);
+       return ret;
        }
 
 int tls1_cert_verify_mac(SSL *s, EVP_MD_CTX *in_ctx, unsigned char *out)
@@ -717,10 +684,10 @@ int tls1_mac(SSL *ssl, unsigned char *md
        SSL3_RECORD *rec;
        unsigned char *mac_sec,*seq;
        const EVP_MD *hash;
-       unsigned int md_size;
+       size_t md_size, orig_len;
        int i;
        HMAC_CTX hmac;
-       unsigned char buf[5]; 
+       unsigned char header[13];
 
        if (send)
                {
@@ -739,20 +706,6 @@ int tls1_mac(SSL *ssl, unsigned char *md
 
        md_size=EVP_MD_size(hash);
 
-       buf[0]=rec->type;
-       if (ssl->version == DTLS1_VERSION && ssl->client_version == DTLS1_BAD_VER)
-               {
-               buf[1]=TLS1_VERSION_MAJOR;
-               buf[2]=TLS1_VERSION_MINOR;
-               }
-       else    {
-               buf[1]=(unsigned char)(ssl->version>>8);
-               buf[2]=(unsigned char)(ssl->version);
-               }
-
-       buf[3]=rec->length>>8;
-       buf[4]=rec->length&0xff;
-
        /* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */
        HMAC_CTX_init(&hmac);
        HMAC_Init_ex(&hmac,mac_sec,EVP_MD_size(hash),hash,NULL);
@@ -764,16 +717,57 @@ int tls1_mac(SSL *ssl, unsigned char *md
                s2n(send?ssl->d1->w_epoch:ssl->d1->r_epoch, p);
                memcpy (p,&seq[2],6);
 
-               HMAC_Update(&hmac,dtlsseq,8);
+               memcpy(header, dtlsseq, 8);
                }
        else
-               HMAC_Update(&hmac,seq,8);
+               memcpy(header, seq, 8);
 
-       HMAC_Update(&hmac,buf,5);
-       HMAC_Update(&hmac,rec->input,rec->length);
-       HMAC_Final(&hmac,md,&md_size);
-       HMAC_CTX_cleanup(&hmac);
+       /* kludge: tls1_cbc_remove_padding passes padding length in rec->type */
+       orig_len = rec->length+md_size+((unsigned int)rec->type>>8);
+       rec->type &= 0xff;
+
+       header[8]=rec->type;
+       header[9]=(unsigned char)(ssl->version>>8);
+       header[10]=(unsigned char)(ssl->version);
+       header[11]=(rec->length)>>8;
+       header[12]=(rec->length)&0xff;
+
+       if (!send &&
+           EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
+           ssl3_cbc_record_digest_supported(hash))
+               {
+               /* This is a CBC-encrypted record. We must avoid leaking any
+                * timing-side channel information about how many blocks of
+                * data we are hashing because that gives an attacker a
+                * timing-oracle. */
+               ssl3_cbc_digest_record(
+                       hash,
+                       md, &md_size,
+                       header, rec->input,
+                       rec->length + md_size, orig_len,
+                       ssl->s3->read_mac_secret,
+                       EVP_MD_size(ssl->read_hash),
+                       0 /* not SSLv3 */);
+               }
+       else
+               {
+               unsigned mds;
 
+               HMAC_Update(&hmac,header,sizeof(header));
+               HMAC_Update(&hmac,rec->input,rec->length);
+               HMAC_Final(&hmac,md,&mds);
+               md_size = mds;
+#ifdef OPENSSL_FIPS
+               if (!send && FIPS_mode())
+                       tls_fips_digest_extra(
+                                       ssl->enc_read_ctx,
+                                       hash,
+                                       &hmac, rec->input,
+                                       rec->length, orig_len);
+#endif
+               }
+               
+       HMAC_CTX_cleanup(&hmac);
 #ifdef TLS_DEBUG
 printf("sec=");
 {unsigned int z; for (z=0; z<md_size; z++) printf("%02X ",mac_sec[z]); printf("\n"); }
diff -up openssl-fips-0.9.8e/test/testssl.lucky13 openssl-fips-0.9.8e/test/testssl
--- openssl-fips-0.9.8e/test/testssl.lucky13    2005-02-02 00:48:36.000000000 +0100
+++ openssl-fips-0.9.8e/test/testssl    2013-02-25 14:56:11.422381943 +0100
@@ -119,6 +119,23 @@ $ssltest -bio_pair -server_auth -client_
 echo test sslv2/sslv3 with both client and server authentication via BIO pair and app verify
 $ssltest -bio_pair -server_auth -client_auth -app_verify $CA $extra || exit 1
 
+echo "Testing ciphersuites"
+for protocol in SSLv3; do
+  echo "Testing ciphersuites for $protocol"
+  for cipher in `../util/shlib_wrap.sh ../apps/openssl ciphers "RSA+$protocol" | tr ':' ' '`; do
+    echo "Testing $cipher"
+    prot=""
+    if [ $protocol == "SSLv3" ] ; then
+      prot="-ssl3"
+    fi
+    $ssltest -cipher $cipher $prot
+    if [ $? -ne 0 ] ; then
+         echo "Failed $cipher"
+         exit 1
+    fi
+  done
+done
+
 #############################################################################
 
 if ../util/shlib_wrap.sh ../apps/openssl no-dh; then