1 |
wellsi |
1.1 |
diff -up openssl-fips-0.9.8e/crypto/cryptlib.c.lucky13 openssl-fips-0.9.8e/crypto/cryptlib.c |
2 |
|
|
--- openssl-fips-0.9.8e/crypto/cryptlib.c.lucky13 2007-07-26 18:46:54.000000000 +0200 |
3 |
|
|
+++ openssl-fips-0.9.8e/crypto/cryptlib.c 2013-02-25 14:56:11.392381859 +0100 |
4 |
|
|
@@ -543,3 +543,16 @@ void OpenSSLDie(const char *file,int lin |
5 |
|
|
} |
6 |
|
|
|
7 |
|
|
void *OPENSSL_stderr(void) { return stderr; } |
8 |
|
|
+ |
9 |
|
|
+int CRYPTO_memcmp(const void *in_a, const void *in_b, size_t len) |
10 |
|
|
+ { |
11 |
|
|
+ size_t i; |
12 |
|
|
+ const unsigned char *a = in_a; |
13 |
|
|
+ const unsigned char *b = in_b; |
14 |
|
|
+ unsigned char x = 0; |
15 |
|
|
+ |
16 |
|
|
+ for (i = 0; i < len; i++) |
17 |
|
|
+ x |= a[i] ^ b[i]; |
18 |
|
|
+ |
19 |
|
|
+ return x; |
20 |
|
|
+ } |
21 |
|
|
diff -up openssl-fips-0.9.8e/crypto/crypto.h.lucky13 openssl-fips-0.9.8e/crypto/crypto.h |
22 |
|
|
--- openssl-fips-0.9.8e/crypto/crypto.h.lucky13 2013-02-25 14:56:11.049380949 +0100 |
23 |
|
|
+++ openssl-fips-0.9.8e/crypto/crypto.h 2013-02-25 14:56:11.393381862 +0100 |
24 |
|
|
@@ -592,6 +592,13 @@ unsigned long *OPENSSL_ia32cap_loc(void) |
25 |
|
|
|
26 |
|
|
#endif /* def OPENSSL_FIPS */ |
27 |
|
|
|
28 |
|
|
+/* CRYPTO_memcmp returns zero iff the |len| bytes at |a| and |b| are equal. It |
29 |
|
|
+ * takes an amount of time dependent on |len|, but independent of the contents |
30 |
|
|
+ * of |a| and |b|. Unlike memcmp, it cannot be used to put elements into a |
31 |
|
|
+ * defined order as the return value when a != b is undefined, other than to be |
32 |
|
|
+ * non-zero. */ |
33 |
|
|
+int CRYPTO_memcmp(const void *a, const void *b, size_t len); |
34 |
|
|
+ |
35 |
|
|
/* BEGIN ERROR CODES */ |
36 |
|
|
/* The following lines are auto generated by the script mkerr.pl. Any changes |
37 |
|
|
* made after this point may be overwritten when the script is next run. |
38 |
|
|
diff -up openssl-fips-0.9.8e/crypto/rsa/rsa_oaep.c.lucky13 openssl-fips-0.9.8e/crypto/rsa/rsa_oaep.c |
39 |
|
|
--- openssl-fips-0.9.8e/crypto/rsa/rsa_oaep.c.lucky13 2007-03-22 01:38:34.000000000 +0100 |
40 |
|
|
+++ openssl-fips-0.9.8e/crypto/rsa/rsa_oaep.c 2013-02-25 14:56:11.394381865 +0100 |
41 |
|
|
@@ -136,7 +136,7 @@ int RSA_padding_check_PKCS1_OAEP(unsigne |
42 |
|
|
|
43 |
|
|
EVP_Digest((void *)param, plen, phash, NULL, EVP_sha1(), NULL); |
44 |
|
|
|
45 |
|
|
- if (memcmp(db, phash, SHA_DIGEST_LENGTH) != 0 || bad) |
46 |
|
|
+ if (CRYPTO_memcmp(db, phash, SHA_DIGEST_LENGTH) != 0 || bad) |
47 |
|
|
goto decoding_err; |
48 |
|
|
else |
49 |
|
|
{ |
50 |
|
|
diff -up openssl-fips-0.9.8e/ssl/d1_enc.c.lucky13 openssl-fips-0.9.8e/ssl/d1_enc.c |
51 |
|
|
--- openssl-fips-0.9.8e/ssl/d1_enc.c.lucky13 2013-02-25 14:56:11.374381809 +0100 |
52 |
|
|
+++ openssl-fips-0.9.8e/ssl/d1_enc.c 2013-02-25 14:56:11.395381868 +0100 |
53 |
|
|
@@ -122,18 +122,30 @@ |
54 |
|
|
#include <openssl/rand.h> |
55 |
|
|
|
56 |
|
|
|
57 |
|
|
+/* dtls1_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively. |
58 |
|
|
+ * |
59 |
|
|
+ * Returns: |
60 |
|
|
+ * 0: (in non-constant time) if the record is publically invalid (i.e. too |
61 |
|
|
+ * short etc). |
62 |
|
|
+ * 1: if the record's padding is valid / the encryption was successful. |
63 |
|
|
+ * -1: if the record's padding/AEAD-authenticator is invalid or, if sending, |
64 |
|
|
+ * an internal error occured. */ |
65 |
|
|
int dtls1_enc(SSL *s, int send) |
66 |
|
|
{ |
67 |
|
|
SSL3_RECORD *rec; |
68 |
|
|
EVP_CIPHER_CTX *ds; |
69 |
|
|
unsigned long l; |
70 |
|
|
- int bs,i,ii,j,k,n=0; |
71 |
|
|
+ int bs,i,j,k,mac_size=0; |
72 |
|
|
const EVP_CIPHER *enc; |
73 |
|
|
|
74 |
|
|
if (send) |
75 |
|
|
{ |
76 |
|
|
- if (s->write_hash != NULL) |
77 |
|
|
- n=EVP_MD_size(s->write_hash); |
78 |
|
|
+ if (s->write_hash) |
79 |
|
|
+ { |
80 |
|
|
+ mac_size=EVP_MD_size(s->write_hash); |
81 |
|
|
+ if (mac_size < 0) |
82 |
|
|
+ return -1; |
83 |
|
|
+ } |
84 |
|
|
ds=s->enc_write_ctx; |
85 |
|
|
rec= &(s->s3->wrec); |
86 |
|
|
if (s->enc_write_ctx == NULL) |
87 |
|
|
@@ -147,15 +159,18 @@ int dtls1_enc(SSL *s, int send) |
88 |
|
|
__FILE__, __LINE__); |
89 |
|
|
else if ( EVP_CIPHER_block_size(ds->cipher) > 1) |
90 |
|
|
{ |
91 |
|
|
- if (!RAND_bytes(rec->input, EVP_CIPHER_block_size(ds->cipher))) |
92 |
|
|
+ if (RAND_bytes(rec->input, EVP_CIPHER_block_size(ds->cipher)) <= 0) |
93 |
|
|
return -1; |
94 |
|
|
} |
95 |
|
|
} |
96 |
|
|
} |
97 |
|
|
else |
98 |
|
|
{ |
99 |
|
|
- if (s->read_hash != NULL) |
100 |
|
|
- n=EVP_MD_size(s->read_hash); |
101 |
|
|
+ if (s->read_hash) |
102 |
|
|
+ { |
103 |
|
|
+ mac_size=EVP_MD_size(s->read_hash); |
104 |
|
|
+ OPENSSL_assert(mac_size >= 0); |
105 |
|
|
+ } |
106 |
|
|
ds=s->enc_read_ctx; |
107 |
|
|
rec= &(s->s3->rrec); |
108 |
|
|
if (s->enc_read_ctx == NULL) |
109 |
|
|
@@ -219,11 +234,7 @@ int dtls1_enc(SSL *s, int send) |
110 |
|
|
if (!send) |
111 |
|
|
{ |
112 |
|
|
if (l == 0 || l%bs != 0) |
113 |
|
|
- { |
114 |
|
|
- SSLerr(SSL_F_DTLS1_ENC,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG); |
115 |
|
|
- ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPTION_FAILED); |
116 |
|
|
return 0; |
117 |
|
|
- } |
118 |
|
|
} |
119 |
|
|
|
120 |
|
|
EVP_Cipher(ds,rec->data,rec->input,l); |
121 |
|
|
@@ -238,43 +249,7 @@ int dtls1_enc(SSL *s, int send) |
122 |
|
|
#endif /* KSSL_DEBUG */ |
123 |
|
|
|
124 |
|
|
if ((bs != 1) && !send) |
125 |
|
|
- { |
126 |
|
|
- ii=i=rec->data[l-1]; /* padding_length */ |
127 |
|
|
- i++; |
128 |
|
|
- if (s->options&SSL_OP_TLS_BLOCK_PADDING_BUG) |
129 |
|
|
- { |
130 |
|
|
- /* First packet is even in size, so check */ |
131 |
|
|
- if ((memcmp(s->s3->read_sequence, |
132 |
|
|
- "\0\0\0\0\0\0\0\0",8) == 0) && !(ii & 1)) |
133 |
|
|
- s->s3->flags|=TLS1_FLAGS_TLS_PADDING_BUG; |
134 |
|
|
- if (s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG) |
135 |
|
|
- i--; |
136 |
|
|
- } |
137 |
|
|
- /* TLS 1.0 does not bound the number of padding bytes by the block size. |
138 |
|
|
- * All of them must have value 'padding_length'. */ |
139 |
|
|
- if (i + bs > (int)rec->length) |
140 |
|
|
- { |
141 |
|
|
- /* Incorrect padding. SSLerr() and ssl3_alert are done |
142 |
|
|
- * by caller: we don't want to reveal whether this is |
143 |
|
|
- * a decryption error or a MAC verification failure |
144 |
|
|
- * (see http://www.openssl.org/~bodo/tls-cbc.txt) |
145 |
|
|
- */ |
146 |
|
|
- return -1; |
147 |
|
|
- } |
148 |
|
|
- for (j=(int)(l-i); j<(int)l; j++) |
149 |
|
|
- { |
150 |
|
|
- if (rec->data[j] != ii) |
151 |
|
|
- { |
152 |
|
|
- /* Incorrect padding */ |
153 |
|
|
- return -1; |
154 |
|
|
- } |
155 |
|
|
- } |
156 |
|
|
- rec->length-=i; |
157 |
|
|
- |
158 |
|
|
- rec->data += bs; /* skip the implicit IV */ |
159 |
|
|
- rec->input += bs; |
160 |
|
|
- rec->length -= bs; |
161 |
|
|
- } |
162 |
|
|
+ return tls1_cbc_remove_padding(s, rec, bs, mac_size); |
163 |
|
|
} |
164 |
|
|
return(1); |
165 |
|
|
} |
166 |
|
|
diff -up openssl-fips-0.9.8e/ssl/d1_pkt.c.lucky13 openssl-fips-0.9.8e/ssl/d1_pkt.c |
167 |
|
|
--- openssl-fips-0.9.8e/ssl/d1_pkt.c.lucky13 2013-02-25 14:56:11.278381571 +0100 |
168 |
|
|
+++ openssl-fips-0.9.8e/ssl/d1_pkt.c 2013-02-25 14:56:11.400381882 +0100 |
169 |
|
|
@@ -328,16 +328,12 @@ dtls1_get_buffered_record(SSL *s) |
170 |
|
|
static int |
171 |
|
|
dtls1_process_record(SSL *s) |
172 |
|
|
{ |
173 |
|
|
- int al; |
174 |
|
|
- int clear=0; |
175 |
|
|
- int enc_err; |
176 |
|
|
+ int i,al; |
177 |
|
|
+ int enc_err; |
178 |
|
|
SSL_SESSION *sess; |
179 |
|
|
- SSL3_RECORD *rr; |
180 |
|
|
- unsigned int mac_size; |
181 |
|
|
+ SSL3_RECORD *rr; |
182 |
|
|
+ unsigned int mac_size, orig_len; |
183 |
|
|
unsigned char md[EVP_MAX_MD_SIZE]; |
184 |
|
|
- int decryption_failed_or_bad_record_mac = 0; |
185 |
|
|
- unsigned char *mac = NULL; |
186 |
|
|
- |
187 |
|
|
|
188 |
|
|
rr= &(s->s3->rrec); |
189 |
|
|
sess = s->session; |
190 |
|
|
@@ -369,12 +365,16 @@ dtls1_process_record(SSL *s) |
191 |
|
|
rr->data=rr->input; |
192 |
|
|
|
193 |
|
|
enc_err = s->method->ssl3_enc->enc(s,0); |
194 |
|
|
- if (enc_err <= 0) |
195 |
|
|
+ /* enc_err is: |
196 |
|
|
+ * 0: (in non-constant time) if the record is publically invalid. |
197 |
|
|
+ * 1: if the padding is valid |
198 |
|
|
+ * -1: if the padding is invalid */ |
199 |
|
|
+ if (enc_err == 0) |
200 |
|
|
{ |
201 |
|
|
- /* To minimize information leaked via timing, we will always |
202 |
|
|
- * perform all computations before discarding the message. |
203 |
|
|
- */ |
204 |
|
|
- decryption_failed_or_bad_record_mac = 1; |
205 |
|
|
+ /* For DTLS we simply ignore bad packets. */ |
206 |
|
|
+ rr->length = 0; |
207 |
|
|
+ s->packet_length = 0; |
208 |
|
|
+ goto err; |
209 |
|
|
} |
210 |
|
|
|
211 |
|
|
#ifdef TLS_DEBUG |
212 |
|
|
@@ -384,41 +384,62 @@ printf("\n"); |
213 |
|
|
#endif |
214 |
|
|
|
215 |
|
|
/* r->length is now the compressed data plus mac */ |
216 |
|
|
-if ( (sess == NULL) || |
217 |
|
|
- (s->enc_read_ctx == NULL) || |
218 |
|
|
- (s->read_hash == NULL)) |
219 |
|
|
- clear=1; |
220 |
|
|
- |
221 |
|
|
- if (!clear) |
222 |
|
|
+ if ((sess != NULL) && |
223 |
|
|
+ (s->enc_read_ctx != NULL) && |
224 |
|
|
+ (s->read_hash != NULL)) |
225 |
|
|
{ |
226 |
|
|
+ /* s->read_hash != NULL => mac_size != -1 */ |
227 |
|
|
+ unsigned char *mac = NULL; |
228 |
|
|
+ unsigned char mac_tmp[EVP_MAX_MD_SIZE]; |
229 |
|
|
mac_size=EVP_MD_size(s->read_hash); |
230 |
|
|
+ OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE); |
231 |
|
|
|
232 |
|
|
- if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+mac_size) |
233 |
|
|
+ /* kludge: *_cbc_remove_padding passes padding length in rr->type */ |
234 |
|
|
+ orig_len = rr->length+((unsigned int)rr->type>>8); |
235 |
|
|
+ |
236 |
|
|
+ /* orig_len is the length of the record before any padding was |
237 |
|
|
+ * removed. This is public information, as is the MAC in use, |
238 |
|
|
+ * therefore we can safely process the record in a different |
239 |
|
|
+ * amount of time if it's too short to possibly contain a MAC. |
240 |
|
|
+ */ |
241 |
|
|
+ if (orig_len < mac_size || |
242 |
|
|
+ /* CBC records must have a padding length byte too. */ |
243 |
|
|
+ (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE && |
244 |
|
|
+ orig_len < mac_size+1)) |
245 |
|
|
{ |
246 |
|
|
-#if 0 /* OK only for stream ciphers (then rr->length is visible from ciphertext anyway) */ |
247 |
|
|
- al=SSL_AD_RECORD_OVERFLOW; |
248 |
|
|
- SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG); |
249 |
|
|
+ al=SSL_AD_DECODE_ERROR; |
250 |
|
|
+ SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_LENGTH_TOO_SHORT); |
251 |
|
|
goto f_err; |
252 |
|
|
-#else |
253 |
|
|
- decryption_failed_or_bad_record_mac = 1; |
254 |
|
|
-#endif |
255 |
|
|
} |
256 |
|
|
- /* check the MAC for rr->input (it's in mac_size bytes at the tail) */ |
257 |
|
|
- if (rr->length >= mac_size) |
258 |
|
|
+ |
259 |
|
|
+ if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE) |
260 |
|
|
{ |
261 |
|
|
+ /* We update the length so that the TLS header bytes |
262 |
|
|
+ * can be constructed correctly but we need to extract |
263 |
|
|
+ * the MAC in constant time from within the record, |
264 |
|
|
+ * without leaking the contents of the padding bytes. |
265 |
|
|
+ * */ |
266 |
|
|
+ mac = mac_tmp; |
267 |
|
|
+ ssl3_cbc_copy_mac(mac_tmp, rr, mac_size, orig_len); |
268 |
|
|
rr->length -= mac_size; |
269 |
|
|
- mac = &rr->data[rr->length]; |
270 |
|
|
} |
271 |
|
|
else |
272 |
|
|
- rr->length = 0; |
273 |
|
|
- s->method->ssl3_enc->mac(s,md,0); |
274 |
|
|
- if (mac == NULL || memcmp(md, mac, mac_size) != 0) |
275 |
|
|
{ |
276 |
|
|
- decryption_failed_or_bad_record_mac = 1; |
277 |
|
|
+ /* In this case there's no padding, so |orig_len| |
278 |
|
|
+ * equals |rec->length| and we checked that there's |
279 |
|
|
+ * enough bytes for |mac_size| above. */ |
280 |
|
|
+ rr->length -= mac_size; |
281 |
|
|
+ mac = &rr->data[rr->length]; |
282 |
|
|
} |
283 |
|
|
+ |
284 |
|
|
+ i=s->method->ssl3_enc->mac(s,md,0 /* not send */); |
285 |
|
|
+ if (i < 0 || mac == NULL || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0) |
286 |
|
|
+ enc_err = -1; |
287 |
|
|
+ if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+mac_size) |
288 |
|
|
+ enc_err = -1; |
289 |
|
|
} |
290 |
|
|
|
291 |
|
|
- if (decryption_failed_or_bad_record_mac) |
292 |
|
|
+ if (enc_err < 0) |
293 |
|
|
{ |
294 |
|
|
/* decryption failed, silently discard message */ |
295 |
|
|
rr->length = 0; |
296 |
|
|
diff -up openssl-fips-0.9.8e/ssl/Makefile.lucky13 openssl-fips-0.9.8e/ssl/Makefile |
297 |
|
|
--- openssl-fips-0.9.8e/ssl/Makefile.lucky13 2013-02-25 14:56:11.212381386 +0100 |
298 |
|
|
+++ openssl-fips-0.9.8e/ssl/Makefile 2013-02-25 14:56:11.404381893 +0100 |
299 |
|
|
@@ -22,7 +22,7 @@ LIB=$(TOP)/libssl.a |
300 |
|
|
SHARED_LIB= libssl$(SHLIB_EXT) |
301 |
|
|
LIBSRC= \ |
302 |
|
|
s2_meth.c s2_srvr.c s2_clnt.c s2_lib.c s2_enc.c s2_pkt.c \ |
303 |
|
|
- s3_meth.c s3_srvr.c s3_clnt.c s3_lib.c s3_enc.c s3_pkt.c s3_both.c \ |
304 |
|
|
+ s3_meth.c s3_srvr.c s3_clnt.c s3_lib.c s3_enc.c s3_pkt.c s3_both.c s3_cbc.c \ |
305 |
|
|
s23_meth.c s23_srvr.c s23_clnt.c s23_lib.c s23_pkt.c \ |
306 |
|
|
t1_meth.c t1_srvr.c t1_clnt.c t1_lib.c t1_enc.c \ |
307 |
|
|
d1_meth.c d1_srvr.c d1_clnt.c d1_lib.c d1_pkt.c \ |
308 |
|
|
@@ -33,7 +33,7 @@ LIBSRC= \ |
309 |
|
|
bio_ssl.c ssl_err.c kssl.c t1_reneg.c |
310 |
|
|
LIBOBJ= \ |
311 |
|
|
s2_meth.o s2_srvr.o s2_clnt.o s2_lib.o s2_enc.o s2_pkt.o \ |
312 |
|
|
- s3_meth.o s3_srvr.o s3_clnt.o s3_lib.o s3_enc.o s3_pkt.o s3_both.o \ |
313 |
|
|
+ s3_meth.o s3_srvr.o s3_clnt.o s3_lib.o s3_enc.o s3_pkt.o s3_both.o s3_cbc.o \ |
314 |
|
|
s23_meth.o s23_srvr.o s23_clnt.o s23_lib.o s23_pkt.o \ |
315 |
|
|
t1_meth.o t1_srvr.o t1_clnt.o t1_lib.o t1_enc.o \ |
316 |
|
|
d1_meth.o d1_srvr.o d1_clnt.o d1_lib.o d1_pkt.o \ |
317 |
|
|
diff -up openssl-fips-0.9.8e/ssl/s2_clnt.c.lucky13 openssl-fips-0.9.8e/ssl/s2_clnt.c |
318 |
|
|
--- openssl-fips-0.9.8e/ssl/s2_clnt.c.lucky13 2013-02-25 14:56:11.097381084 +0100 |
319 |
|
|
+++ openssl-fips-0.9.8e/ssl/s2_clnt.c 2013-02-25 14:56:11.404381893 +0100 |
320 |
|
|
@@ -935,7 +935,7 @@ static int get_server_verify(SSL *s) |
321 |
|
|
s->msg_callback(0, s->version, 0, p, len, s, s->msg_callback_arg); /* SERVER-VERIFY */ |
322 |
|
|
p += 1; |
323 |
|
|
|
324 |
|
|
- if (memcmp(p,s->s2->challenge,s->s2->challenge_length) != 0) |
325 |
|
|
+ if (CRYPTO_memcmp(p,s->s2->challenge,s->s2->challenge_length) != 0) |
326 |
|
|
{ |
327 |
|
|
ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); |
328 |
|
|
SSLerr(SSL_F_GET_SERVER_VERIFY,SSL_R_CHALLENGE_IS_DIFFERENT); |
329 |
|
|
diff -up openssl-fips-0.9.8e/ssl/s2_pkt.c.lucky13 openssl-fips-0.9.8e/ssl/s2_pkt.c |
330 |
|
|
--- openssl-fips-0.9.8e/ssl/s2_pkt.c.lucky13 2003-12-27 17:10:30.000000000 +0100 |
331 |
|
|
+++ openssl-fips-0.9.8e/ssl/s2_pkt.c 2013-02-25 14:56:11.405381896 +0100 |
332 |
|
|
@@ -267,8 +267,7 @@ static int ssl2_read_internal(SSL *s, vo |
333 |
|
|
s->s2->ract_data_length-=mac_size; |
334 |
|
|
ssl2_mac(s,mac,0); |
335 |
|
|
s->s2->ract_data_length-=s->s2->padding; |
336 |
|
|
- if ( (memcmp(mac,s->s2->mac_data, |
337 |
|
|
- (unsigned int)mac_size) != 0) || |
338 |
|
|
+ if ( (CRYPTO_memcmp(mac,s->s2->mac_data,mac_size) != 0) || |
339 |
|
|
(s->s2->rlength%EVP_CIPHER_CTX_block_size(s->enc_read_ctx) != 0)) |
340 |
|
|
{ |
341 |
|
|
SSLerr(SSL_F_SSL2_READ_INTERNAL,SSL_R_BAD_MAC_DECODE); |
342 |
|
|
diff -up openssl-fips-0.9.8e/ssl/s3_both.c.lucky13 openssl-fips-0.9.8e/ssl/s3_both.c |
343 |
|
|
--- openssl-fips-0.9.8e/ssl/s3_both.c.lucky13 2013-02-25 14:56:11.221381411 +0100 |
344 |
|
|
+++ openssl-fips-0.9.8e/ssl/s3_both.c 2013-02-25 14:56:11.406381899 +0100 |
345 |
|
|
@@ -242,7 +242,7 @@ int ssl3_get_finished(SSL *s, int a, int |
346 |
|
|
goto f_err; |
347 |
|
|
} |
348 |
|
|
|
349 |
|
|
- if (memcmp(p, s->s3->tmp.peer_finish_md, i) != 0) |
350 |
|
|
+ if (CRYPTO_memcmp(p, s->s3->tmp.peer_finish_md, i) != 0) |
351 |
|
|
{ |
352 |
|
|
al=SSL_AD_DECRYPT_ERROR; |
353 |
|
|
SSLerr(SSL_F_SSL3_GET_FINISHED,SSL_R_DIGEST_CHECK_FAILED); |
354 |
|
|
diff -up openssl-fips-0.9.8e/ssl/s3_cbc.c.lucky13 openssl-fips-0.9.8e/ssl/s3_cbc.c |
355 |
|
|
--- openssl-fips-0.9.8e/ssl/s3_cbc.c.lucky13 2013-02-25 14:56:11.407381902 +0100 |
356 |
|
|
+++ openssl-fips-0.9.8e/ssl/s3_cbc.c 2013-02-25 14:56:11.407381902 +0100 |
357 |
|
|
@@ -0,0 +1,783 @@ |
358 |
|
|
+/* ssl/s3_cbc.c */ |
359 |
|
|
+/* ==================================================================== |
360 |
|
|
+ * Copyright (c) 2012 The OpenSSL Project. All rights reserved. |
361 |
|
|
+ * |
362 |
|
|
+ * Redistribution and use in source and binary forms, with or without |
363 |
|
|
+ * modification, are permitted provided that the following conditions |
364 |
|
|
+ * are met: |
365 |
|
|
+ * |
366 |
|
|
+ * 1. Redistributions of source code must retain the above copyright |
367 |
|
|
+ * notice, this list of conditions and the following disclaimer. |
368 |
|
|
+ * |
369 |
|
|
+ * 2. Redistributions in binary form must reproduce the above copyright |
370 |
|
|
+ * notice, this list of conditions and the following disclaimer in |
371 |
|
|
+ * the documentation and/or other materials provided with the |
372 |
|
|
+ * distribution. |
373 |
|
|
+ * |
374 |
|
|
+ * 3. All advertising materials mentioning features or use of this |
375 |
|
|
+ * software must display the following acknowledgment: |
376 |
|
|
+ * "This product includes software developed by the OpenSSL Project |
377 |
|
|
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" |
378 |
|
|
+ * |
379 |
|
|
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to |
380 |
|
|
+ * endorse or promote products derived from this software without |
381 |
|
|
+ * prior written permission. For written permission, please contact |
382 |
|
|
+ * openssl-core@openssl.org. |
383 |
|
|
+ * |
384 |
|
|
+ * 5. Products derived from this software may not be called "OpenSSL" |
385 |
|
|
+ * nor may "OpenSSL" appear in their names without prior written |
386 |
|
|
+ * permission of the OpenSSL Project. |
387 |
|
|
+ * |
388 |
|
|
+ * 6. Redistributions of any form whatsoever must retain the following |
389 |
|
|
+ * acknowledgment: |
390 |
|
|
+ * "This product includes software developed by the OpenSSL Project |
391 |
|
|
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" |
392 |
|
|
+ * |
393 |
|
|
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY |
394 |
|
|
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
395 |
|
|
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR |
396 |
|
|
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR |
397 |
|
|
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, |
398 |
|
|
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
399 |
|
|
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; |
400 |
|
|
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
401 |
|
|
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, |
402 |
|
|
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
403 |
|
|
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED |
404 |
|
|
+ * OF THE POSSIBILITY OF SUCH DAMAGE. |
405 |
|
|
+ * ==================================================================== |
406 |
|
|
+ * |
407 |
|
|
+ * This product includes cryptographic software written by Eric Young |
408 |
|
|
+ * (eay@cryptsoft.com). This product includes software written by Tim |
409 |
|
|
+ * Hudson (tjh@cryptsoft.com). |
410 |
|
|
+ * |
411 |
|
|
+ */ |
412 |
|
|
+ |
413 |
|
|
+#include "ssl_locl.h" |
414 |
|
|
+ |
415 |
|
|
+#include <openssl/md5.h> |
416 |
|
|
+#include <openssl/sha.h> |
417 |
|
|
+ |
418 |
|
|
+/* MAX_HASH_BIT_COUNT_BYTES is the maximum number of bytes in the hash's length |
419 |
|
|
+ * field. (SHA-384/512 have 128-bit length.) */ |
420 |
|
|
+#define MAX_HASH_BIT_COUNT_BYTES 16 |
421 |
|
|
+ |
422 |
|
|
+/* MAX_HASH_BLOCK_SIZE is the maximum hash block size that we'll support. |
423 |
|
|
+ * Currently SHA-384/512 has a 128-byte block size and that's the largest |
424 |
|
|
+ * supported by TLS.) */ |
425 |
|
|
+#define MAX_HASH_BLOCK_SIZE 128 |
426 |
|
|
+ |
427 |
|
|
+/* Some utility functions are needed: |
428 |
|
|
+ * |
429 |
|
|
+ * These macros return the given value with the MSB copied to all the other |
430 |
|
|
+ * bits. They use the fact that arithmetic shift shifts-in the sign bit. |
431 |
|
|
+ * However, this is not ensured by the C standard so you may need to replace |
432 |
|
|
+ * them with something else on odd CPUs. */ |
433 |
|
|
+#define DUPLICATE_MSB_TO_ALL(x) ( (unsigned)( (int)(x) >> (sizeof(int)*8-1) ) ) |
434 |
|
|
+#define DUPLICATE_MSB_TO_ALL_8(x) ((unsigned char)(DUPLICATE_MSB_TO_ALL(x))) |
435 |
|
|
+ |
436 |
|
|
+/* constant_time_lt returns 0xff if a<b and 0x00 otherwise. */ |
437 |
|
|
+static unsigned constant_time_lt(unsigned a, unsigned b) |
438 |
|
|
+ { |
439 |
|
|
+ a -= b; |
440 |
|
|
+ return DUPLICATE_MSB_TO_ALL(a); |
441 |
|
|
+ } |
442 |
|
|
+ |
443 |
|
|
+/* constant_time_ge returns 0xff if a>=b and 0x00 otherwise. */ |
444 |
|
|
+static unsigned constant_time_ge(unsigned a, unsigned b) |
445 |
|
|
+ { |
446 |
|
|
+ a -= b; |
447 |
|
|
+ return DUPLICATE_MSB_TO_ALL(~a); |
448 |
|
|
+ } |
449 |
|
|
+ |
450 |
|
|
+/* constant_time_eq_8 returns 0xff if a==b and 0x00 otherwise. */ |
451 |
|
|
+static unsigned char constant_time_eq_8(unsigned a, unsigned b) |
452 |
|
|
+ { |
453 |
|
|
+ unsigned c = a ^ b; |
454 |
|
|
+ c--; |
455 |
|
|
+ return DUPLICATE_MSB_TO_ALL_8(c); |
456 |
|
|
+ } |
457 |
|
|
+ |
458 |
|
|
+/* ssl3_cbc_remove_padding removes padding from the decrypted, SSLv3, CBC |
459 |
|
|
+ * record in |rec| by updating |rec->length| in constant time. |
460 |
|
|
+ * |
461 |
|
|
+ * block_size: the block size of the cipher used to encrypt the record. |
462 |
|
|
+ * returns: |
463 |
|
|
+ * 0: (in non-constant time) if the record is publicly invalid. |
464 |
|
|
+ * 1: if the padding was valid |
465 |
|
|
+ * -1: otherwise. */ |
466 |
|
|
+int ssl3_cbc_remove_padding(const SSL* s, |
467 |
|
|
+ SSL3_RECORD *rec, |
468 |
|
|
+ unsigned block_size, |
469 |
|
|
+ unsigned mac_size) |
470 |
|
|
+ { |
471 |
|
|
+ unsigned padding_length, good; |
472 |
|
|
+ const unsigned overhead = 1 /* padding length byte */ + mac_size; |
473 |
|
|
+ |
474 |
|
|
+ /* These lengths are all public so we can test them in non-constant |
475 |
|
|
+ * time. */ |
476 |
|
|
+ if (overhead > rec->length) |
477 |
|
|
+ return 0; |
478 |
|
|
+ |
479 |
|
|
+ padding_length = rec->data[rec->length-1]; |
480 |
|
|
+ good = constant_time_ge(rec->length, padding_length+overhead); |
481 |
|
|
+ /* SSLv3 requires that the padding is minimal. */ |
482 |
|
|
+ good &= constant_time_ge(block_size, padding_length+1); |
483 |
|
|
+ padding_length = good & (padding_length+1); |
484 |
|
|
+ rec->length -= padding_length; |
485 |
|
|
+ rec->type |= padding_length<<8; /* kludge: pass padding length */ |
486 |
|
|
+ return (int)((good & 1) | (~good & -1)); |
487 |
|
|
+} |
488 |
|
|
+ |
489 |
|
|
+/* tls1_cbc_remove_padding removes the CBC padding from the decrypted, TLS, CBC |
490 |
|
|
+ * record in |rec| in constant time and returns 1 if the padding is valid and |
491 |
|
|
+ * -1 otherwise. It also removes any explicit IV from the start of the record |
492 |
|
|
+ * without leaking any timing about whether there was enough space after the |
493 |
|
|
+ * padding was removed. |
494 |
|
|
+ * |
495 |
|
|
+ * block_size: the block size of the cipher used to encrypt the record. |
496 |
|
|
+ * returns: |
497 |
|
|
+ * 0: (in non-constant time) if the record is publicly invalid. |
498 |
|
|
+ * 1: if the padding was valid |
499 |
|
|
+ * -1: otherwise. */ |
500 |
|
|
+int tls1_cbc_remove_padding(const SSL* s, |
501 |
|
|
+ SSL3_RECORD *rec, |
502 |
|
|
+ unsigned block_size, |
503 |
|
|
+ unsigned mac_size) |
504 |
|
|
+ { |
505 |
|
|
+ unsigned padding_length, good, to_check, i; |
506 |
|
|
+ const unsigned overhead = 1 /* padding length byte */ + mac_size; |
507 |
|
|
+ /* Check if version requires explicit IV */ |
508 |
|
|
+ if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER) |
509 |
|
|
+ { |
510 |
|
|
+ /* These lengths are all public so we can test them in |
511 |
|
|
+ * non-constant time. |
512 |
|
|
+ */ |
513 |
|
|
+ if (overhead + block_size > rec->length) |
514 |
|
|
+ return 0; |
515 |
|
|
+ /* We can now safely skip explicit IV */ |
516 |
|
|
+ rec->data += block_size; |
517 |
|
|
+ rec->input += block_size; |
518 |
|
|
+ rec->length -= block_size; |
519 |
|
|
+ } |
520 |
|
|
+ else if (overhead > rec->length) |
521 |
|
|
+ return 0; |
522 |
|
|
+ |
523 |
|
|
+ padding_length = rec->data[rec->length-1]; |
524 |
|
|
+ |
525 |
|
|
+ /* NB: if compression is in operation the first packet may not be of |
526 |
|
|
+ * even length so the padding bug check cannot be performed. This bug |
527 |
|
|
+ * workaround has been around since SSLeay so hopefully it is either |
528 |
|
|
+ * fixed now or no buggy implementation supports compression [steve] |
529 |
|
|
+ */ |
530 |
|
|
+ if ( (s->options&SSL_OP_TLS_BLOCK_PADDING_BUG) && !s->expand) |
531 |
|
|
+ { |
532 |
|
|
+ /* First packet is even in size, so check */ |
533 |
|
|
+ if ((memcmp(s->s3->read_sequence, "\0\0\0\0\0\0\0\0",8) == 0) && |
534 |
|
|
+ !(padding_length & 1)) |
535 |
|
|
+ { |
536 |
|
|
+ s->s3->flags|=TLS1_FLAGS_TLS_PADDING_BUG; |
537 |
|
|
+ } |
538 |
|
|
+ if ((s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG) && |
539 |
|
|
+ padding_length > 0) |
540 |
|
|
+ { |
541 |
|
|
+ padding_length--; |
542 |
|
|
+ } |
543 |
|
|
+ } |
544 |
|
|
+ |
545 |
|
|
+ good = constant_time_ge(rec->length, overhead+padding_length); |
546 |
|
|
+ /* The padding consists of a length byte at the end of the record and |
547 |
|
|
+ * then that many bytes of padding, all with the same value as the |
548 |
|
|
+ * length byte. Thus, with the length byte included, there are i+1 |
549 |
|
|
+ * bytes of padding. |
550 |
|
|
+ * |
551 |
|
|
+ * We can't check just |padding_length+1| bytes because that leaks |
552 |
|
|
+ * decrypted information. Therefore we always have to check the maximum |
553 |
|
|
+ * amount of padding possible. (Again, the length of the record is |
554 |
|
|
+ * public information so we can use it.) */ |
555 |
|
|
+ to_check = 255; /* maximum amount of padding. */ |
556 |
|
|
+ if (to_check > rec->length-1) |
557 |
|
|
+ to_check = rec->length-1; |
558 |
|
|
+ |
559 |
|
|
+ for (i = 0; i < to_check; i++) |
560 |
|
|
+ { |
561 |
|
|
+ unsigned char mask = constant_time_ge(padding_length, i); |
562 |
|
|
+ unsigned char b = rec->data[rec->length-1-i]; |
563 |
|
|
+ /* The final |padding_length+1| bytes should all have the value |
564 |
|
|
+ * |padding_length|. Therefore the XOR should be zero. */ |
565 |
|
|
+ good &= ~(mask&(padding_length ^ b)); |
566 |
|
|
+ } |
567 |
|
|
+ |
568 |
|
|
+ /* If any of the final |padding_length+1| bytes had the wrong value, |
569 |
|
|
+ * one or more of the lower eight bits of |good| will be cleared. We |
570 |
|
|
+ * AND the bottom 8 bits together and duplicate the result to all the |
571 |
|
|
+ * bits. */ |
572 |
|
|
+ good &= good >> 4; |
573 |
|
|
+ good &= good >> 2; |
574 |
|
|
+ good &= good >> 1; |
575 |
|
|
+ good <<= sizeof(good)*8-1; |
576 |
|
|
+ good = DUPLICATE_MSB_TO_ALL(good); |
577 |
|
|
+ |
578 |
|
|
+ padding_length = good & (padding_length+1); |
579 |
|
|
+ rec->length -= padding_length; |
580 |
|
|
+ rec->type |= padding_length<<8; /* kludge: pass padding length */ |
581 |
|
|
+ |
582 |
|
|
+ return (int)((good & 1) | (~good & -1)); |
583 |
|
|
+ } |
584 |
|
|
+ |
585 |
|
|
+/* ssl3_cbc_copy_mac copies |md_size| bytes from the end of |rec| to |out| in |
586 |
|
|
+ * constant time (independent of the concrete value of rec->length, which may |
587 |
|
|
+ * vary within a 256-byte window). |
588 |
|
|
+ * |
589 |
|
|
+ * ssl3_cbc_remove_padding or tls1_cbc_remove_padding must be called prior to |
590 |
|
|
+ * this function. |
591 |
|
|
+ * |
592 |
|
|
+ * On entry: |
593 |
|
|
+ * rec->orig_len >= md_size |
594 |
|
|
+ * md_size <= EVP_MAX_MD_SIZE |
595 |
|
|
+ * |
596 |
|
|
+ * If CBC_MAC_ROTATE_IN_PLACE is defined then the rotation is performed with |
597 |
|
|
+ * variable accesses in a 64-byte-aligned buffer. Assuming that this fits into |
598 |
|
|
+ * a single or pair of cache-lines, then the variable memory accesses don't |
599 |
|
|
+ * actually affect the timing. CPUs with smaller cache-lines [if any] are |
600 |
|
|
+ * not multi-core and are not considered vulnerable to cache-timing attacks. |
601 |
|
|
+ */ |
602 |
|
|
+#define CBC_MAC_ROTATE_IN_PLACE |
603 |
|
|
+ |
604 |
|
|
+void ssl3_cbc_copy_mac(unsigned char* out, |
605 |
|
|
+ const SSL3_RECORD *rec, |
606 |
|
|
+ unsigned md_size,unsigned orig_len) |
607 |
|
|
+ { |
608 |
|
|
+#if defined(CBC_MAC_ROTATE_IN_PLACE) |
609 |
|
|
+ unsigned char rotated_mac_buf[64+EVP_MAX_MD_SIZE]; |
610 |
|
|
+ unsigned char *rotated_mac; |
611 |
|
|
+#else |
612 |
|
|
+ unsigned char rotated_mac[EVP_MAX_MD_SIZE]; |
613 |
|
|
+#endif |
614 |
|
|
+ |
615 |
|
|
+ /* mac_end is the index of |rec->data| just after the end of the MAC. */ |
616 |
|
|
+ unsigned mac_end = rec->length; |
617 |
|
|
+ unsigned mac_start = mac_end - md_size; |
618 |
|
|
+ /* scan_start contains the number of bytes that we can ignore because |
619 |
|
|
+ * the MAC's position can only vary by 255 bytes. */ |
620 |
|
|
+ unsigned scan_start = 0; |
621 |
|
|
+ unsigned i, j; |
622 |
|
|
+ unsigned div_spoiler; |
623 |
|
|
+ unsigned rotate_offset; |
624 |
|
|
+ |
625 |
|
|
+ OPENSSL_assert(orig_len >= md_size); |
626 |
|
|
+ OPENSSL_assert(md_size <= EVP_MAX_MD_SIZE); |
627 |
|
|
+ |
628 |
|
|
+#if defined(CBC_MAC_ROTATE_IN_PLACE) |
629 |
|
|
+ rotated_mac = rotated_mac_buf + ((0-(size_t)rotated_mac_buf)&63); |
630 |
|
|
+#endif |
631 |
|
|
+ |
632 |
|
|
+ /* This information is public so it's safe to branch based on it. */ |
633 |
|
|
+ if (orig_len > md_size + 255 + 1) |
634 |
|
|
+ scan_start = orig_len - (md_size + 255 + 1); |
635 |
|
|
+ /* div_spoiler contains a multiple of md_size that is used to cause the |
636 |
|
|
+ * modulo operation to be constant time. Without this, the time varies |
637 |
|
|
+ * based on the amount of padding when running on Intel chips at least. |
638 |
|
|
+ * |
639 |
|
|
+ * The aim of right-shifting md_size is so that the compiler doesn't |
640 |
|
|
+ * figure out that it can remove div_spoiler as that would require it |
641 |
|
|
+ * to prove that md_size is always even, which I hope is beyond it. */ |
642 |
|
|
+ div_spoiler = md_size >> 1; |
643 |
|
|
+ div_spoiler <<= (sizeof(div_spoiler)-1)*8; |
644 |
|
|
+ rotate_offset = (div_spoiler + mac_start - scan_start) % md_size; |
645 |
|
|
+ |
646 |
|
|
+ memset(rotated_mac, 0, md_size); |
647 |
|
|
+ for (i = scan_start, j = 0; i < orig_len; i++) |
648 |
|
|
+ { |
649 |
|
|
+ unsigned char mac_started = constant_time_ge(i, mac_start); |
650 |
|
|
+ unsigned char mac_ended = constant_time_ge(i, mac_end); |
651 |
|
|
+ unsigned char b = rec->data[i]; |
652 |
|
|
+ rotated_mac[j++] |= b & mac_started & ~mac_ended; |
653 |
|
|
+ j &= constant_time_lt(j,md_size); |
654 |
|
|
+ } |
655 |
|
|
+ |
656 |
|
|
+ /* Now rotate the MAC */ |
657 |
|
|
+#if defined(CBC_MAC_ROTATE_IN_PLACE) |
658 |
|
|
+ j = 0; |
659 |
|
|
+ for (i = 0; i < md_size; i++) |
660 |
|
|
+ { |
661 |
|
|
+ /* in case cache-line is 32 bytes, touch second line */ |
662 |
|
|
+ ((volatile unsigned char *)rotated_mac)[rotate_offset^32]; |
663 |
|
|
+ out[j++] = rotated_mac[rotate_offset++]; |
664 |
|
|
+ rotate_offset &= constant_time_lt(rotate_offset,md_size); |
665 |
|
|
+ } |
666 |
|
|
+#else |
667 |
|
|
+ memset(out, 0, md_size); |
668 |
|
|
+ rotate_offset = md_size - rotate_offset; |
669 |
|
|
+ rotate_offset &= constant_time_lt(rotate_offset,md_size); |
670 |
|
|
+ for (i = 0; i < md_size; i++) |
671 |
|
|
+ { |
672 |
|
|
+ for (j = 0; j < md_size; j++) |
673 |
|
|
+ out[j] |= rotated_mac[i] & constant_time_eq_8(j, rotate_offset); |
674 |
|
|
+ rotate_offset++; |
675 |
|
|
+ rotate_offset &= constant_time_lt(rotate_offset,md_size); |
676 |
|
|
+ } |
677 |
|
|
+#endif |
678 |
|
|
+ } |
679 |
|
|
+ |
680 |
|
|
+/* u32toLE serialises an unsigned, 32-bit number (n) as four bytes at (p) in |
681 |
|
|
+ * little-endian order. The value of p is advanced by four. */ |
682 |
|
|
+#define u32toLE(n, p) \ |
683 |
|
|
+ (*((p)++)=(unsigned char)(n), \ |
684 |
|
|
+ *((p)++)=(unsigned char)(n>>8), \ |
685 |
|
|
+ *((p)++)=(unsigned char)(n>>16), \ |
686 |
|
|
+ *((p)++)=(unsigned char)(n>>24)) |
687 |
|
|
+ |
688 |
|
|
+/* These functions serialize the state of a hash and thus perform the standard |
689 |
|
|
+ * "final" operation without adding the padding and length that such a function |
690 |
|
|
+ * typically does. */ |
691 |
|
|
+static void tls1_md5_final_raw(void* ctx, unsigned char *md_out) |
692 |
|
|
+ { |
693 |
|
|
+ MD5_CTX *md5 = ctx; |
694 |
|
|
+ u32toLE(md5->A, md_out); |
695 |
|
|
+ u32toLE(md5->B, md_out); |
696 |
|
|
+ u32toLE(md5->C, md_out); |
697 |
|
|
+ u32toLE(md5->D, md_out); |
698 |
|
|
+ } |
699 |
|
|
+ |
700 |
|
|
+static void tls1_sha1_final_raw(void* ctx, unsigned char *md_out) |
701 |
|
|
+ { |
702 |
|
|
+ SHA_CTX *sha1 = ctx; |
703 |
|
|
+ l2n(sha1->h0, md_out); |
704 |
|
|
+ l2n(sha1->h1, md_out); |
705 |
|
|
+ l2n(sha1->h2, md_out); |
706 |
|
|
+ l2n(sha1->h3, md_out); |
707 |
|
|
+ l2n(sha1->h4, md_out); |
708 |
|
|
+ } |
709 |
|
|
+#define LARGEST_DIGEST_CTX SHA_CTX |
710 |
|
|
+ |
711 |
|
|
+#ifndef OPENSSL_NO_SHA256 |
712 |
|
|
+static void tls1_sha256_final_raw(void* ctx, unsigned char *md_out) |
713 |
|
|
+ { |
714 |
|
|
+ SHA256_CTX *sha256 = ctx; |
715 |
|
|
+ unsigned i; |
716 |
|
|
+ |
717 |
|
|
+ for (i = 0; i < 8; i++) |
718 |
|
|
+ { |
719 |
|
|
+ l2n(sha256->h[i], md_out); |
720 |
|
|
+ } |
721 |
|
|
+ } |
722 |
|
|
+#undef LARGEST_DIGEST_CTX |
723 |
|
|
+#define LARGEST_DIGEST_CTX SHA256_CTX |
724 |
|
|
+#endif |
725 |
|
|
+ |
726 |
|
|
+#ifndef OPENSSL_NO_SHA512 |
727 |
|
|
+static void tls1_sha512_final_raw(void* ctx, unsigned char *md_out) |
728 |
|
|
+ { |
729 |
|
|
+ SHA512_CTX *sha512 = ctx; |
730 |
|
|
+ unsigned i; |
731 |
|
|
+ |
732 |
|
|
+ for (i = 0; i < 8; i++) |
733 |
|
|
+ { |
734 |
|
|
+ l2n8(sha512->h[i], md_out); |
735 |
|
|
+ } |
736 |
|
|
+ } |
737 |
|
|
+#undef LARGEST_DIGEST_CTX |
738 |
|
|
+#define LARGEST_DIGEST_CTX SHA512_CTX |
739 |
|
|
+#endif |
740 |
|
|
+ |
741 |
|
|
+/* ssl3_cbc_record_digest_supported returns 1 iff |ctx| uses a hash function |
742 |
|
|
+ * which ssl3_cbc_digest_record supports. */ |
743 |
|
|
+char ssl3_cbc_record_digest_supported(const EVP_MD *digest) |
744 |
|
|
+ { |
745 |
|
|
+#ifdef OPENSSL_FIPS |
746 |
|
|
+ if (FIPS_mode()) |
747 |
|
|
+ return 0; |
748 |
|
|
+#endif |
749 |
|
|
+ switch (EVP_MD_type(digest)) |
750 |
|
|
+ { |
751 |
|
|
+ case NID_md5: |
752 |
|
|
+ case NID_sha1: |
753 |
|
|
+#ifndef OPENSSL_NO_SHA256 |
754 |
|
|
+ case NID_sha224: |
755 |
|
|
+ case NID_sha256: |
756 |
|
|
+#endif |
757 |
|
|
+#ifndef OPENSSL_NO_SHA512 |
758 |
|
|
+ case NID_sha384: |
759 |
|
|
+ case NID_sha512: |
760 |
|
|
+#endif |
761 |
|
|
+ return 1; |
762 |
|
|
+ default: |
763 |
|
|
+ return 0; |
764 |
|
|
+ } |
765 |
|
|
+ } |
766 |
|
|
+ |
767 |
|
|
+/* ssl3_cbc_digest_record computes the MAC of a decrypted, padded SSLv3/TLS |
768 |
|
|
+ * record. |
769 |
|
|
+ * |
770 |
|
|
+ * ctx: the EVP_MD_CTX from which we take the hash function. |
771 |
|
|
+ * ssl3_cbc_record_digest_supported must return true for this EVP_MD_CTX. |
772 |
|
|
+ * md_out: the digest output. At most EVP_MAX_MD_SIZE bytes will be written. |
773 |
|
|
+ * md_out_size: if non-NULL, the number of output bytes is written here. |
774 |
|
|
+ * header: the 13-byte, TLS record header. |
775 |
|
|
+ * data: the record data itself, less any preceeding explicit IV. |
776 |
|
|
+ * data_plus_mac_size: the secret, reported length of the data and MAC |
777 |
|
|
+ * once the padding has been removed. |
778 |
|
|
+ * data_plus_mac_plus_padding_size: the public length of the whole |
779 |
|
|
+ * record, including padding. |
780 |
|
|
+ * is_sslv3: non-zero if we are to use SSLv3. Otherwise, TLS. |
781 |
|
|
+ * |
782 |
|
|
+ * On entry: by virtue of having been through one of the remove_padding |
783 |
|
|
+ * functions, above, we know that data_plus_mac_size is large enough to contain |
784 |
|
|
+ * a padding byte and MAC. (If the padding was invalid, it might contain the |
785 |
|
|
+ * padding too. ) */ |
786 |
|
|
+void ssl3_cbc_digest_record( |
787 |
|
|
+ const EVP_MD *digest, |
788 |
|
|
+ unsigned char* md_out, |
789 |
|
|
+ size_t* md_out_size, |
790 |
|
|
+ const unsigned char header[13], |
791 |
|
|
+ const unsigned char *data, |
792 |
|
|
+ size_t data_plus_mac_size, |
793 |
|
|
+ size_t data_plus_mac_plus_padding_size, |
794 |
|
|
+ const unsigned char *mac_secret, |
795 |
|
|
+ unsigned mac_secret_length, |
796 |
|
|
+ char is_sslv3) |
797 |
|
|
+ { |
798 |
|
|
+ union { double align; |
799 |
|
|
+ unsigned char c[sizeof(LARGEST_DIGEST_CTX)]; } md_state; |
800 |
|
|
+ void (*md_final_raw)(void *ctx, unsigned char *md_out); |
801 |
|
|
+ void (*md_transform)(void *ctx, const unsigned char *block); |
802 |
|
|
+ unsigned md_size, md_block_size = 64; |
803 |
|
|
+ unsigned sslv3_pad_length = 40, header_length, variance_blocks, |
804 |
|
|
+ len, max_mac_bytes, num_blocks, |
805 |
|
|
+ num_starting_blocks, k, mac_end_offset, c, index_a, index_b; |
806 |
|
|
+ unsigned int bits; /* at most 18 bits */ |
807 |
|
|
+ unsigned char length_bytes[MAX_HASH_BIT_COUNT_BYTES]; |
808 |
|
|
+ /* hmac_pad is the masked HMAC key. */ |
809 |
|
|
+ unsigned char hmac_pad[MAX_HASH_BLOCK_SIZE]; |
810 |
|
|
+ unsigned char first_block[MAX_HASH_BLOCK_SIZE]; |
811 |
|
|
+ unsigned char mac_out[EVP_MAX_MD_SIZE]; |
812 |
|
|
+ unsigned i, j, md_out_size_u; |
813 |
|
|
+ EVP_MD_CTX md_ctx; |
814 |
|
|
+ /* mdLengthSize is the number of bytes in the length field that terminates |
815 |
|
|
+ * the hash. */ |
816 |
|
|
+ unsigned md_length_size = 8; |
817 |
|
|
+ char length_is_big_endian = 1; |
818 |
|
|
+ |
819 |
|
|
+ /* This is a, hopefully redundant, check that allows us to forget about |
820 |
|
|
+ * many possible overflows later in this function. */ |
821 |
|
|
+ OPENSSL_assert(data_plus_mac_plus_padding_size < 1024*1024); |
822 |
|
|
+ |
823 |
|
|
+ switch (EVP_MD_type(digest)) |
824 |
|
|
+ { |
825 |
|
|
+ case NID_md5: |
826 |
|
|
+ MD5_Init((MD5_CTX*)md_state.c); |
827 |
|
|
+ md_final_raw = tls1_md5_final_raw; |
828 |
|
|
+ md_transform = (void(*)(void *ctx, const unsigned char *block)) MD5_Transform; |
829 |
|
|
+ md_size = 16; |
830 |
|
|
+ sslv3_pad_length = 48; |
831 |
|
|
+ length_is_big_endian = 0; |
832 |
|
|
+ break; |
833 |
|
|
+ case NID_sha1: |
834 |
|
|
+ SHA1_Init((SHA_CTX*)md_state.c); |
835 |
|
|
+ md_final_raw = tls1_sha1_final_raw; |
836 |
|
|
+ md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA1_Transform; |
837 |
|
|
+ md_size = 20; |
838 |
|
|
+ break; |
839 |
|
|
+#ifndef OPENSSL_NO_SHA256 |
840 |
|
|
+ case NID_sha224: |
841 |
|
|
+ SHA224_Init((SHA256_CTX*)md_state.c); |
842 |
|
|
+ md_final_raw = tls1_sha256_final_raw; |
843 |
|
|
+ md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA256_Transform; |
844 |
|
|
+ md_size = 224/8; |
845 |
|
|
+ break; |
846 |
|
|
+ case NID_sha256: |
847 |
|
|
+ SHA256_Init((SHA256_CTX*)md_state.c); |
848 |
|
|
+ md_final_raw = tls1_sha256_final_raw; |
849 |
|
|
+ md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA256_Transform; |
850 |
|
|
+ md_size = 32; |
851 |
|
|
+ break; |
852 |
|
|
+#endif |
853 |
|
|
+#ifndef OPENSSL_NO_SHA512 |
854 |
|
|
+ case NID_sha384: |
855 |
|
|
+ SHA384_Init((SHA512_CTX*)md_state.c); |
856 |
|
|
+ md_final_raw = tls1_sha512_final_raw; |
857 |
|
|
+ md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA512_Transform; |
858 |
|
|
+ md_size = 384/8; |
859 |
|
|
+ md_block_size = 128; |
860 |
|
|
+ md_length_size = 16; |
861 |
|
|
+ break; |
862 |
|
|
+ case NID_sha512: |
863 |
|
|
+ SHA512_Init((SHA512_CTX*)md_state.c); |
864 |
|
|
+ md_final_raw = tls1_sha512_final_raw; |
865 |
|
|
+ md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA512_Transform; |
866 |
|
|
+ md_size = 64; |
867 |
|
|
+ md_block_size = 128; |
868 |
|
|
+ md_length_size = 16; |
869 |
|
|
+ break; |
870 |
|
|
+#endif |
871 |
|
|
+ default: |
872 |
|
|
+ /* ssl3_cbc_record_digest_supported should have been |
873 |
|
|
+ * called first to check that the hash function is |
874 |
|
|
+ * supported. */ |
875 |
|
|
+ OPENSSL_assert(0); |
876 |
|
|
+ if (md_out_size) |
877 |
|
|
+ *md_out_size = -1; |
878 |
|
|
+ return; |
879 |
|
|
+ } |
880 |
|
|
+ |
881 |
|
|
+ OPENSSL_assert(md_length_size <= MAX_HASH_BIT_COUNT_BYTES); |
882 |
|
|
+ OPENSSL_assert(md_block_size <= MAX_HASH_BLOCK_SIZE); |
883 |
|
|
+ OPENSSL_assert(md_size <= EVP_MAX_MD_SIZE); |
884 |
|
|
+ |
885 |
|
|
+ header_length = 13; |
886 |
|
|
+ if (is_sslv3) |
887 |
|
|
+ { |
888 |
|
|
+ header_length = |
889 |
|
|
+ mac_secret_length + |
890 |
|
|
+ sslv3_pad_length + |
891 |
|
|
+ 8 /* sequence number */ + |
892 |
|
|
+ 1 /* record type */ + |
893 |
|
|
+ 2 /* record length */; |
894 |
|
|
+ } |
895 |
|
|
+ |
896 |
|
|
+ /* variance_blocks is the number of blocks of the hash that we have to |
897 |
|
|
+ * calculate in constant time because they could be altered by the |
898 |
|
|
+ * padding value. |
899 |
|
|
+ * |
900 |
|
|
+ * In SSLv3, the padding must be minimal so the end of the plaintext |
901 |
|
|
+ * varies by, at most, 15+20 = 35 bytes. (We conservatively assume that |
902 |
|
|
+ * the MAC size varies from 0..20 bytes.) In case the 9 bytes of hash |
903 |
|
|
+ * termination (0x80 + 64-bit length) don't fit in the final block, we |
904 |
|
|
+ * say that the final two blocks can vary based on the padding. |
905 |
|
|
+ * |
906 |
|
|
+ * TLSv1 has MACs up to 48 bytes long (SHA-384) and the padding is not |
907 |
|
|
+ * required to be minimal. Therefore we say that the final six blocks |
908 |
|
|
+ * can vary based on the padding. |
909 |
|
|
+ * |
910 |
|
|
+ * Later in the function, if the message is short and there obviously |
911 |
|
|
+ * cannot be this many blocks then variance_blocks can be reduced. */ |
912 |
|
|
+ variance_blocks = is_sslv3 ? 2 : 6; |
913 |
|
|
+ /* From now on we're dealing with the MAC, which conceptually has 13 |
914 |
|
|
+ * bytes of `header' before the start of the data (TLS) or 71/75 bytes |
915 |
|
|
+ * (SSLv3) */ |
916 |
|
|
+ len = data_plus_mac_plus_padding_size + header_length; |
917 |
|
|
+ /* max_mac_bytes contains the maximum bytes of bytes in the MAC, including |
918 |
|
|
+ * |header|, assuming that there's no padding. */ |
919 |
|
|
+ max_mac_bytes = len - md_size - 1; |
920 |
|
|
+ /* num_blocks is the maximum number of hash blocks. */ |
921 |
|
|
+ num_blocks = (max_mac_bytes + 1 + md_length_size + md_block_size - 1) / md_block_size; |
922 |
|
|
+ /* In order to calculate the MAC in constant time we have to handle |
923 |
|
|
+ * the final blocks specially because the padding value could cause the |
924 |
|
|
+ * end to appear somewhere in the final |variance_blocks| blocks and we |
925 |
|
|
+ * can't leak where. However, |num_starting_blocks| worth of data can |
926 |
|
|
+ * be hashed right away because no padding value can affect whether |
927 |
|
|
+ * they are plaintext. */ |
928 |
|
|
+ num_starting_blocks = 0; |
929 |
|
|
+ /* k is the starting byte offset into the conceptual header||data where |
930 |
|
|
+ * we start processing. */ |
931 |
|
|
+ k = 0; |
932 |
|
|
+ /* mac_end_offset is the index just past the end of the data to be |
933 |
|
|
+ * MACed. */ |
934 |
|
|
+ mac_end_offset = data_plus_mac_size + header_length - md_size; |
935 |
|
|
+ /* c is the index of the 0x80 byte in the final hash block that |
936 |
|
|
+ * contains application data. */ |
937 |
|
|
+ c = mac_end_offset % md_block_size; |
938 |
|
|
+ /* index_a is the hash block number that contains the 0x80 terminating |
939 |
|
|
+ * value. */ |
940 |
|
|
+ index_a = mac_end_offset / md_block_size; |
941 |
|
|
+ /* index_b is the hash block number that contains the 64-bit hash |
942 |
|
|
+ * length, in bits. */ |
943 |
|
|
+ index_b = (mac_end_offset + md_length_size) / md_block_size; |
944 |
|
|
+ /* bits is the hash-length in bits. It includes the additional hash |
945 |
|
|
+ * block for the masked HMAC key, or whole of |header| in the case of |
946 |
|
|
+ * SSLv3. */ |
947 |
|
|
+ |
948 |
|
|
+ /* For SSLv3, if we're going to have any starting blocks then we need |
949 |
|
|
+ * at least two because the header is larger than a single block. */ |
950 |
|
|
+ if (num_blocks > variance_blocks + (is_sslv3 ? 1 : 0)) |
951 |
|
|
+ { |
952 |
|
|
+ num_starting_blocks = num_blocks - variance_blocks; |
953 |
|
|
+ k = md_block_size*num_starting_blocks; |
954 |
|
|
+ } |
955 |
|
|
+ |
956 |
|
|
+ bits = 8*mac_end_offset; |
957 |
|
|
+ if (!is_sslv3) |
958 |
|
|
+ { |
959 |
|
|
+ /* Compute the initial HMAC block. For SSLv3, the padding and |
960 |
|
|
+ * secret bytes are included in |header| because they take more |
961 |
|
|
+ * than a single block. */ |
962 |
|
|
+ bits += 8*md_block_size; |
963 |
|
|
+ memset(hmac_pad, 0, md_block_size); |
964 |
|
|
+ OPENSSL_assert(mac_secret_length <= sizeof(hmac_pad)); |
965 |
|
|
+ memcpy(hmac_pad, mac_secret, mac_secret_length); |
966 |
|
|
+ for (i = 0; i < md_block_size; i++) |
967 |
|
|
+ hmac_pad[i] ^= 0x36; |
968 |
|
|
+ |
969 |
|
|
+ md_transform(md_state.c, hmac_pad); |
970 |
|
|
+ } |
971 |
|
|
+ |
972 |
|
|
+ if (length_is_big_endian) |
973 |
|
|
+ { |
974 |
|
|
+ memset(length_bytes,0,md_length_size-4); |
975 |
|
|
+ length_bytes[md_length_size-4] = (unsigned char)(bits>>24); |
976 |
|
|
+ length_bytes[md_length_size-3] = (unsigned char)(bits>>16); |
977 |
|
|
+ length_bytes[md_length_size-2] = (unsigned char)(bits>>8); |
978 |
|
|
+ length_bytes[md_length_size-1] = (unsigned char)bits; |
979 |
|
|
+ } |
980 |
|
|
+ else |
981 |
|
|
+ { |
982 |
|
|
+ memset(length_bytes,0,md_length_size); |
983 |
|
|
+ length_bytes[md_length_size-5] = (unsigned char)(bits>>24); |
984 |
|
|
+ length_bytes[md_length_size-6] = (unsigned char)(bits>>16); |
985 |
|
|
+ length_bytes[md_length_size-7] = (unsigned char)(bits>>8); |
986 |
|
|
+ length_bytes[md_length_size-8] = (unsigned char)bits; |
987 |
|
|
+ } |
988 |
|
|
+ |
989 |
|
|
+ if (k > 0) |
990 |
|
|
+ { |
991 |
|
|
+ if (is_sslv3) |
992 |
|
|
+ { |
993 |
|
|
+ /* The SSLv3 header is larger than a single block. |
994 |
|
|
+ * overhang is the number of bytes beyond a single |
995 |
|
|
+ * block that the header consumes: either 7 bytes |
996 |
|
|
+ * (SHA1) or 11 bytes (MD5). */ |
997 |
|
|
+ unsigned overhang = header_length-md_block_size; |
998 |
|
|
+ md_transform(md_state.c, header); |
999 |
|
|
+ memcpy(first_block, header + md_block_size, overhang); |
1000 |
|
|
+ memcpy(first_block + overhang, data, md_block_size-overhang); |
1001 |
|
|
+ md_transform(md_state.c, first_block); |
1002 |
|
|
+ for (i = 1; i < k/md_block_size - 1; i++) |
1003 |
|
|
+ md_transform(md_state.c, data + md_block_size*i - overhang); |
1004 |
|
|
+ } |
1005 |
|
|
+ else |
1006 |
|
|
+ { |
1007 |
|
|
+ /* k is a multiple of md_block_size. */ |
1008 |
|
|
+ memcpy(first_block, header, 13); |
1009 |
|
|
+ memcpy(first_block+13, data, md_block_size-13); |
1010 |
|
|
+ md_transform(md_state.c, first_block); |
1011 |
|
|
+ for (i = 1; i < k/md_block_size; i++) |
1012 |
|
|
+ md_transform(md_state.c, data + md_block_size*i - 13); |
1013 |
|
|
+ } |
1014 |
|
|
+ } |
1015 |
|
|
+ |
1016 |
|
|
+ memset(mac_out, 0, sizeof(mac_out)); |
1017 |
|
|
+ |
1018 |
|
|
+ /* We now process the final hash blocks. For each block, we construct |
1019 |
|
|
+ * it in constant time. If the |i==index_a| then we'll include the 0x80 |
1020 |
|
|
+ * bytes and zero pad etc. For each block we selectively copy it, in |
1021 |
|
|
+ * constant time, to |mac_out|. */ |
1022 |
|
|
+ for (i = num_starting_blocks; i <= num_starting_blocks+variance_blocks; i++) |
1023 |
|
|
+ { |
1024 |
|
|
+ unsigned char block[MAX_HASH_BLOCK_SIZE]; |
1025 |
|
|
+ unsigned char is_block_a = constant_time_eq_8(i, index_a); |
1026 |
|
|
+ unsigned char is_block_b = constant_time_eq_8(i, index_b); |
1027 |
|
|
+ for (j = 0; j < md_block_size; j++) |
1028 |
|
|
+ { |
1029 |
|
|
+ unsigned char b = 0, is_past_c, is_past_cp1; |
1030 |
|
|
+ if (k < header_length) |
1031 |
|
|
+ b = header[k]; |
1032 |
|
|
+ else if (k < data_plus_mac_plus_padding_size + header_length) |
1033 |
|
|
+ b = data[k-header_length]; |
1034 |
|
|
+ k++; |
1035 |
|
|
+ |
1036 |
|
|
+ is_past_c = is_block_a & constant_time_ge(j, c); |
1037 |
|
|
+ is_past_cp1 = is_block_a & constant_time_ge(j, c+1); |
1038 |
|
|
+ /* If this is the block containing the end of the |
1039 |
|
|
+ * application data, and we are at the offset for the |
1040 |
|
|
+ * 0x80 value, then overwrite b with 0x80. */ |
1041 |
|
|
+ b = (b&~is_past_c) | (0x80&is_past_c); |
1042 |
|
|
+ /* If this the the block containing the end of the |
1043 |
|
|
+ * application data and we're past the 0x80 value then |
1044 |
|
|
+ * just write zero. */ |
1045 |
|
|
+ b = b&~is_past_cp1; |
1046 |
|
|
+ /* If this is index_b (the final block), but not |
1047 |
|
|
+ * index_a (the end of the data), then the 64-bit |
1048 |
|
|
+ * length didn't fit into index_a and we're having to |
1049 |
|
|
+ * add an extra block of zeros. */ |
1050 |
|
|
+ b &= ~is_block_b | is_block_a; |
1051 |
|
|
+ |
1052 |
|
|
+ /* The final bytes of one of the blocks contains the |
1053 |
|
|
+ * length. */ |
1054 |
|
|
+ if (j >= md_block_size - md_length_size) |
1055 |
|
|
+ { |
1056 |
|
|
+ /* If this is index_b, write a length byte. */ |
1057 |
|
|
+ b = (b&~is_block_b) | (is_block_b&length_bytes[j-(md_block_size-md_length_size)]); |
1058 |
|
|
+ } |
1059 |
|
|
+ block[j] = b; |
1060 |
|
|
+ } |
1061 |
|
|
+ |
1062 |
|
|
+ md_transform(md_state.c, block); |
1063 |
|
|
+ md_final_raw(md_state.c, block); |
1064 |
|
|
+ /* If this is index_b, copy the hash value to |mac_out|. */ |
1065 |
|
|
+ for (j = 0; j < md_size; j++) |
1066 |
|
|
+ mac_out[j] |= block[j]&is_block_b; |
1067 |
|
|
+ } |
1068 |
|
|
+ |
1069 |
|
|
+ EVP_MD_CTX_init(&md_ctx); |
1070 |
|
|
+ EVP_DigestInit_ex(&md_ctx, digest, NULL /* engine */); |
1071 |
|
|
+ if (is_sslv3) |
1072 |
|
|
+ { |
1073 |
|
|
+ /* We repurpose |hmac_pad| to contain the SSLv3 pad2 block. */ |
1074 |
|
|
+ memset(hmac_pad, 0x5c, sslv3_pad_length); |
1075 |
|
|
+ |
1076 |
|
|
+ EVP_DigestUpdate(&md_ctx, mac_secret, mac_secret_length); |
1077 |
|
|
+ EVP_DigestUpdate(&md_ctx, hmac_pad, sslv3_pad_length); |
1078 |
|
|
+ EVP_DigestUpdate(&md_ctx, mac_out, md_size); |
1079 |
|
|
+ } |
1080 |
|
|
+ else |
1081 |
|
|
+ { |
1082 |
|
|
+ /* Complete the HMAC in the standard manner. */ |
1083 |
|
|
+ for (i = 0; i < md_block_size; i++) |
1084 |
|
|
+ hmac_pad[i] ^= 0x6a; |
1085 |
|
|
+ |
1086 |
|
|
+ EVP_DigestUpdate(&md_ctx, hmac_pad, md_block_size); |
1087 |
|
|
+ EVP_DigestUpdate(&md_ctx, mac_out, md_size); |
1088 |
|
|
+ } |
1089 |
|
|
+ EVP_DigestFinal(&md_ctx, md_out, &md_out_size_u); |
1090 |
|
|
+ if (md_out_size) |
1091 |
|
|
+ *md_out_size = md_out_size_u; |
1092 |
|
|
+ EVP_MD_CTX_cleanup(&md_ctx); |
1093 |
|
|
+ } |
1094 |
|
|
+ |
1095 |
|
|
+#ifdef OPENSSL_FIPS |
1096 |
|
|
+ |
1097 |
|
|
+/* Due to the need to use EVP in FIPS mode we can't reimplement digests but |
1098 |
|
|
+ * we can ensure the number of blocks processed is equal for all cases |
1099 |
|
|
+ * by digesting additional data. |
1100 |
|
|
+ */ |
1101 |
|
|
+ |
1102 |
|
|
+void tls_fips_digest_extra( |
1103 |
|
|
+ const EVP_CIPHER_CTX *cipher_ctx, const EVP_MD *hash, HMAC_CTX *hctx, |
1104 |
|
|
+ const unsigned char *data, size_t data_len, size_t orig_len) |
1105 |
|
|
+ { |
1106 |
|
|
+ size_t block_size, digest_pad, blocks_data, blocks_orig; |
1107 |
|
|
+ if (EVP_CIPHER_CTX_mode(cipher_ctx) != EVP_CIPH_CBC_MODE) |
1108 |
|
|
+ return; |
1109 |
|
|
+ block_size = EVP_MD_block_size(hash); |
1110 |
|
|
+ /* We are in FIPS mode if we get this far so we know we have only SHA* |
1111 |
|
|
+ * digests and TLS to deal with. |
1112 |
|
|
+ * Minimum digest padding length is 17 for SHA384/SHA512 and 9 |
1113 |
|
|
+ * otherwise. |
1114 |
|
|
+ * Additional header is 13 bytes. To get the number of digest blocks |
1115 |
|
|
+ * processed round up the amount of data plus padding to the nearest |
1116 |
|
|
+ * block length. Block length is 128 for SHA384/SHA512 and 64 otherwise. |
1117 |
|
|
+ * So we have: |
1118 |
|
|
+ * blocks = (payload_len + digest_pad + 13 + block_size - 1)/block_size |
1119 |
|
|
+ * equivalently: |
1120 |
|
|
+ * blocks = (payload_len + digest_pad + 12)/block_size + 1 |
1121 |
|
|
+ * HMAC adds a constant overhead. |
1122 |
|
|
+ * We're ultimately only interested in differences so this becomes |
1123 |
|
|
+ * blocks = (payload_len + 29)/128 |
1124 |
|
|
+ * for SHA384/SHA512 and |
1125 |
|
|
+ * blocks = (payload_len + 21)/64 |
1126 |
|
|
+ * otherwise. |
1127 |
|
|
+ */ |
1128 |
|
|
+ digest_pad = block_size == 64 ? 21 : 29; |
1129 |
|
|
+ blocks_orig = (orig_len + digest_pad)/block_size; |
1130 |
|
|
+ blocks_data = (data_len + digest_pad)/block_size; |
1131 |
|
|
+ /* MAC enough blocks to make up the difference between the original |
1132 |
|
|
+ * and actual lengths plus one extra block to ensure this is never a |
1133 |
|
|
+ * no op. The "data" pointer should always have enough space to |
1134 |
|
|
+ * perform this operation as it is large enough for a maximum |
1135 |
|
|
+ * length TLS buffer. |
1136 |
|
|
+ */ |
1137 |
|
|
+ HMAC_Update(hctx, data, |
1138 |
|
|
+ (blocks_orig - blocks_data + 1) * block_size); |
1139 |
|
|
+ } |
1140 |
|
|
+#endif |
1141 |
|
|
diff -up openssl-fips-0.9.8e/ssl/s3_enc.c.lucky13 openssl-fips-0.9.8e/ssl/s3_enc.c |
1142 |
|
|
--- openssl-fips-0.9.8e/ssl/s3_enc.c.lucky13 2013-02-25 14:56:11.285381591 +0100 |
1143 |
|
|
+++ openssl-fips-0.9.8e/ssl/s3_enc.c 2013-02-25 14:56:11.407381902 +0100 |
1144 |
|
|
@@ -434,12 +434,21 @@ void ssl3_cleanup_key_block(SSL *s) |
1145 |
|
|
s->s3->tmp.key_block_length=0; |
1146 |
|
|
} |
1147 |
|
|
|
1148 |
|
|
+/* ssl3_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively. |
1149 |
|
|
+ * |
1150 |
|
|
+ * Returns: |
1151 |
|
|
+ * 0: (in non-constant time) if the record is publically invalid (i.e. too |
1152 |
|
|
+ * short etc). |
1153 |
|
|
+ * 1: if the record's padding is valid / the encryption was successful. |
1154 |
|
|
+ * -1: if the record's padding is invalid or, if sending, an internal error |
1155 |
|
|
+ * occured. |
1156 |
|
|
+ */ |
1157 |
|
|
int ssl3_enc(SSL *s, int send) |
1158 |
|
|
{ |
1159 |
|
|
SSL3_RECORD *rec; |
1160 |
|
|
EVP_CIPHER_CTX *ds; |
1161 |
|
|
unsigned long l; |
1162 |
|
|
- int bs,i; |
1163 |
|
|
+ int bs,i,mac_size=0; |
1164 |
|
|
const EVP_CIPHER *enc; |
1165 |
|
|
|
1166 |
|
|
if (send) |
1167 |
|
|
@@ -490,32 +499,17 @@ int ssl3_enc(SSL *s, int send) |
1168 |
|
|
if (!send) |
1169 |
|
|
{ |
1170 |
|
|
if (l == 0 || l%bs != 0) |
1171 |
|
|
- { |
1172 |
|
|
- SSLerr(SSL_F_SSL3_ENC,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG); |
1173 |
|
|
- ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPTION_FAILED); |
1174 |
|
|
return 0; |
1175 |
|
|
- } |
1176 |
|
|
/* otherwise, rec->length >= bs */ |
1177 |
|
|
} |
1178 |
|
|
|
1179 |
|
|
EVP_Cipher(ds,rec->data,rec->input,l); |
1180 |
|
|
|
1181 |
|
|
+ if (s->read_hash != NULL) |
1182 |
|
|
+ mac_size = EVP_MD_size(s->read_hash); |
1183 |
|
|
+ |
1184 |
|
|
if ((bs != 1) && !send) |
1185 |
|
|
- { |
1186 |
|
|
- i=rec->data[l-1]+1; |
1187 |
|
|
- /* SSL 3.0 bounds the number of padding bytes by the block size; |
1188 |
|
|
- * padding bytes (except the last one) are arbitrary */ |
1189 |
|
|
- if (i > bs) |
1190 |
|
|
- { |
1191 |
|
|
- /* Incorrect padding. SSLerr() and ssl3_alert are done |
1192 |
|
|
- * by caller: we don't want to reveal whether this is |
1193 |
|
|
- * a decryption error or a MAC verification failure |
1194 |
|
|
- * (see http://www.openssl.org/~bodo/tls-cbc.txt) */ |
1195 |
|
|
- return -1; |
1196 |
|
|
- } |
1197 |
|
|
- /* now i <= bs <= rec->length */ |
1198 |
|
|
- rec->length-=i; |
1199 |
|
|
- } |
1200 |
|
|
+ return ssl3_cbc_remove_padding(s, rec, bs, mac_size); |
1201 |
|
|
} |
1202 |
|
|
return(1); |
1203 |
|
|
} |
1204 |
|
|
@@ -592,7 +586,7 @@ int ssl3_mac(SSL *ssl, unsigned char *md |
1205 |
|
|
EVP_MD_CTX md_ctx; |
1206 |
|
|
const EVP_MD *hash; |
1207 |
|
|
unsigned char *p,rec_char; |
1208 |
|
|
- unsigned int md_size; |
1209 |
|
|
+ size_t md_size, orig_len; |
1210 |
|
|
int npad; |
1211 |
|
|
|
1212 |
|
|
if (send) |
1213 |
|
|
@@ -613,28 +607,72 @@ int ssl3_mac(SSL *ssl, unsigned char *md |
1214 |
|
|
md_size=EVP_MD_size(hash); |
1215 |
|
|
npad=(48/md_size)*md_size; |
1216 |
|
|
|
1217 |
|
|
- /* Chop the digest off the end :-) */ |
1218 |
|
|
- EVP_MD_CTX_init(&md_ctx); |
1219 |
|
|
- |
1220 |
|
|
- EVP_DigestInit_ex( &md_ctx,hash, NULL); |
1221 |
|
|
- EVP_DigestUpdate(&md_ctx,mac_sec,md_size); |
1222 |
|
|
- EVP_DigestUpdate(&md_ctx,ssl3_pad_1,npad); |
1223 |
|
|
- EVP_DigestUpdate(&md_ctx,seq,8); |
1224 |
|
|
- rec_char=rec->type; |
1225 |
|
|
- EVP_DigestUpdate(&md_ctx,&rec_char,1); |
1226 |
|
|
- p=md; |
1227 |
|
|
- s2n(rec->length,p); |
1228 |
|
|
- EVP_DigestUpdate(&md_ctx,md,2); |
1229 |
|
|
- EVP_DigestUpdate(&md_ctx,rec->input,rec->length); |
1230 |
|
|
- EVP_DigestFinal_ex( &md_ctx,md,NULL); |
1231 |
|
|
- |
1232 |
|
|
- EVP_DigestInit_ex( &md_ctx,hash, NULL); |
1233 |
|
|
- EVP_DigestUpdate(&md_ctx,mac_sec,md_size); |
1234 |
|
|
- EVP_DigestUpdate(&md_ctx,ssl3_pad_2,npad); |
1235 |
|
|
- EVP_DigestUpdate(&md_ctx,md,md_size); |
1236 |
|
|
- EVP_DigestFinal_ex( &md_ctx,md,&md_size); |
1237 |
|
|
+ /* kludge: ssl3_cbc_remove_padding passes padding length in rec->type */ |
1238 |
|
|
+ orig_len = rec->length+md_size+((unsigned int)rec->type>>8); |
1239 |
|
|
+ rec->type &= 0xff; |
1240 |
|
|
+ |
1241 |
|
|
+ if (!send && |
1242 |
|
|
+ EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE && |
1243 |
|
|
+ ssl3_cbc_record_digest_supported(hash)) |
1244 |
|
|
+ { |
1245 |
|
|
+ /* This is a CBC-encrypted record. We must avoid leaking any |
1246 |
|
|
+ * timing-side channel information about how many blocks of |
1247 |
|
|
+ * data we are hashing because that gives an attacker a |
1248 |
|
|
+ * timing-oracle. */ |
1249 |
|
|
+ |
1250 |
|
|
+ /* npad is, at most, 48 bytes and that's with MD5: |
1251 |
|
|
+ * 16 + 48 + 8 (sequence bytes) + 1 + 2 = 75. |
1252 |
|
|
+ * |
1253 |
|
|
+ * With SHA-1 (the largest hash speced for SSLv3) the hash size |
1254 |
|
|
+ * goes up 4, but npad goes down by 8, resulting in a smaller |
1255 |
|
|
+ * total size. */ |
1256 |
|
|
+ unsigned char header[75]; |
1257 |
|
|
+ unsigned j = 0; |
1258 |
|
|
+ memcpy(header+j, mac_sec, md_size); |
1259 |
|
|
+ j += md_size; |
1260 |
|
|
+ memcpy(header+j, ssl3_pad_1, npad); |
1261 |
|
|
+ j += npad; |
1262 |
|
|
+ memcpy(header+j, seq, 8); |
1263 |
|
|
+ j += 8; |
1264 |
|
|
+ header[j++] = rec->type; |
1265 |
|
|
+ header[j++] = rec->length >> 8; |
1266 |
|
|
+ header[j++] = rec->length & 0xff; |
1267 |
|
|
+ |
1268 |
|
|
+ ssl3_cbc_digest_record( |
1269 |
|
|
+ hash, |
1270 |
|
|
+ md, &md_size, |
1271 |
|
|
+ header, rec->input, |
1272 |
|
|
+ rec->length + md_size, orig_len, |
1273 |
|
|
+ mac_sec, md_size, |
1274 |
|
|
+ 1 /* is SSLv3 */); |
1275 |
|
|
+ } |
1276 |
|
|
+ else |
1277 |
|
|
+ { |
1278 |
|
|
+ unsigned int md_size_u; |
1279 |
|
|
+ /* Chop the digest off the end :-) */ |
1280 |
|
|
+ EVP_MD_CTX_init(&md_ctx); |
1281 |
|
|
+ |
1282 |
|
|
+ EVP_DigestInit_ex( &md_ctx,hash, NULL); |
1283 |
|
|
+ EVP_DigestUpdate(&md_ctx,mac_sec,md_size); |
1284 |
|
|
+ EVP_DigestUpdate(&md_ctx,ssl3_pad_1,npad); |
1285 |
|
|
+ EVP_DigestUpdate(&md_ctx,seq,8); |
1286 |
|
|
+ rec_char=rec->type; |
1287 |
|
|
+ EVP_DigestUpdate(&md_ctx,&rec_char,1); |
1288 |
|
|
+ p=md; |
1289 |
|
|
+ s2n(rec->length,p); |
1290 |
|
|
+ EVP_DigestUpdate(&md_ctx,md,2); |
1291 |
|
|
+ EVP_DigestUpdate(&md_ctx,rec->input,rec->length); |
1292 |
|
|
+ EVP_DigestFinal_ex( &md_ctx,md,NULL); |
1293 |
|
|
+ |
1294 |
|
|
+ EVP_DigestInit_ex( &md_ctx,hash, NULL); |
1295 |
|
|
+ EVP_DigestUpdate(&md_ctx,mac_sec,md_size); |
1296 |
|
|
+ EVP_DigestUpdate(&md_ctx,ssl3_pad_2,npad); |
1297 |
|
|
+ EVP_DigestUpdate(&md_ctx,md,md_size); |
1298 |
|
|
+ EVP_DigestFinal_ex( &md_ctx,md,&md_size_u); |
1299 |
|
|
+ md_size = md_size_u; |
1300 |
|
|
|
1301 |
|
|
- EVP_MD_CTX_cleanup(&md_ctx); |
1302 |
|
|
+ EVP_MD_CTX_cleanup(&md_ctx); |
1303 |
|
|
+ } |
1304 |
|
|
|
1305 |
|
|
ssl3_record_sequence_update(seq); |
1306 |
|
|
return(md_size); |
1307 |
|
|
diff -up openssl-fips-0.9.8e/ssl/s3_pkt.c.lucky13 openssl-fips-0.9.8e/ssl/s3_pkt.c |
1308 |
|
|
--- openssl-fips-0.9.8e/ssl/s3_pkt.c.lucky13 2013-02-25 14:56:11.225381423 +0100 |
1309 |
|
|
+++ openssl-fips-0.9.8e/ssl/s3_pkt.c 2013-02-25 14:56:11.408381905 +0100 |
1310 |
|
|
@@ -237,11 +237,8 @@ static int ssl3_get_record(SSL *s) |
1311 |
|
|
unsigned char *p; |
1312 |
|
|
unsigned char md[EVP_MAX_MD_SIZE]; |
1313 |
|
|
short version; |
1314 |
|
|
- unsigned int mac_size; |
1315 |
|
|
- int clear=0; |
1316 |
|
|
+ unsigned mac_size, orig_len; |
1317 |
|
|
size_t extra; |
1318 |
|
|
- int decryption_failed_or_bad_record_mac = 0; |
1319 |
|
|
- unsigned char *mac = NULL; |
1320 |
|
|
|
1321 |
|
|
rr= &(s->s3->rrec); |
1322 |
|
|
sess=s->session; |
1323 |
|
|
@@ -347,17 +344,15 @@ again: |
1324 |
|
|
rr->data=rr->input; |
1325 |
|
|
|
1326 |
|
|
enc_err = s->method->ssl3_enc->enc(s,0); |
1327 |
|
|
- if (enc_err <= 0) |
1328 |
|
|
+ /* enc_err is: |
1329 |
|
|
+ * 0: (in non-constant time) if the record is publically invalid. |
1330 |
|
|
+ * 1: if the padding is valid |
1331 |
|
|
+ * -1: if the padding is invalid */ |
1332 |
|
|
+ if (enc_err == 0) |
1333 |
|
|
{ |
1334 |
|
|
- if (enc_err == 0) |
1335 |
|
|
- /* SSLerr() and ssl3_send_alert() have been called */ |
1336 |
|
|
- goto err; |
1337 |
|
|
- |
1338 |
|
|
- /* Otherwise enc_err == -1, which indicates bad padding |
1339 |
|
|
- * (rec->length has not been changed in this case). |
1340 |
|
|
- * To minimize information leaked via timing, we will perform |
1341 |
|
|
- * the MAC computation anyway. */ |
1342 |
|
|
- decryption_failed_or_bad_record_mac = 1; |
1343 |
|
|
+ al=SSL_AD_DECRYPTION_FAILED; |
1344 |
|
|
+ SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG); |
1345 |
|
|
+ goto f_err; |
1346 |
|
|
} |
1347 |
|
|
|
1348 |
|
|
#ifdef TLS_DEBUG |
1349 |
|
|
@@ -367,51 +362,62 @@ printf("\n"); |
1350 |
|
|
#endif |
1351 |
|
|
|
1352 |
|
|
/* r->length is now the compressed data plus mac */ |
1353 |
|
|
- if ( (sess == NULL) || |
1354 |
|
|
- (s->enc_read_ctx == NULL) || |
1355 |
|
|
- (s->read_hash == NULL)) |
1356 |
|
|
- clear=1; |
1357 |
|
|
- |
1358 |
|
|
- if (!clear) |
1359 |
|
|
- { |
1360 |
|
|
+ if ((sess != NULL) && |
1361 |
|
|
+ (s->enc_read_ctx != NULL) && |
1362 |
|
|
+ (s->read_hash != NULL)) |
1363 |
|
|
+ { |
1364 |
|
|
+ /* s->read_hash != NULL => mac_size != -1 */ |
1365 |
|
|
+ unsigned char *mac = NULL; |
1366 |
|
|
+ unsigned char mac_tmp[EVP_MAX_MD_SIZE]; |
1367 |
|
|
mac_size=EVP_MD_size(s->read_hash); |
1368 |
|
|
+ OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE); |
1369 |
|
|
|
1370 |
|
|
- if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+extra+mac_size) |
1371 |
|
|
+ /* kludge: *_cbc_remove_padding passes padding length in rr->type */ |
1372 |
|
|
+ orig_len = rr->length+((unsigned int)rr->type>>8); |
1373 |
|
|
+ |
1374 |
|
|
+ /* orig_len is the length of the record before any padding was |
1375 |
|
|
+ * removed. This is public information, as is the MAC in use, |
1376 |
|
|
+ * therefore we can safely process the record in a different |
1377 |
|
|
+ * amount of time if it's too short to possibly contain a MAC. |
1378 |
|
|
+ */ |
1379 |
|
|
+ if (orig_len < mac_size || |
1380 |
|
|
+ /* CBC records must have a padding length byte too. */ |
1381 |
|
|
+ (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE && |
1382 |
|
|
+ orig_len < mac_size+1)) |
1383 |
|
|
{ |
1384 |
|
|
-#if 0 /* OK only for stream ciphers (then rr->length is visible from ciphertext anyway) */ |
1385 |
|
|
- al=SSL_AD_RECORD_OVERFLOW; |
1386 |
|
|
- SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG); |
1387 |
|
|
+ al=SSL_AD_DECODE_ERROR; |
1388 |
|
|
+ SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_LENGTH_TOO_SHORT); |
1389 |
|
|
goto f_err; |
1390 |
|
|
-#else |
1391 |
|
|
- decryption_failed_or_bad_record_mac = 1; |
1392 |
|
|
-#endif |
1393 |
|
|
} |
1394 |
|
|
- /* check the MAC for rr->input (it's in mac_size bytes at the tail) */ |
1395 |
|
|
- if (rr->length >= mac_size) |
1396 |
|
|
+ |
1397 |
|
|
+ if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE) |
1398 |
|
|
{ |
1399 |
|
|
+ /* We update the length so that the TLS header bytes |
1400 |
|
|
+ * can be constructed correctly but we need to extract |
1401 |
|
|
+ * the MAC in constant time from within the record, |
1402 |
|
|
+ * without leaking the contents of the padding bytes. |
1403 |
|
|
+ * */ |
1404 |
|
|
+ mac = mac_tmp; |
1405 |
|
|
+ ssl3_cbc_copy_mac(mac_tmp, rr, mac_size, orig_len); |
1406 |
|
|
rr->length -= mac_size; |
1407 |
|
|
- mac = &rr->data[rr->length]; |
1408 |
|
|
} |
1409 |
|
|
else |
1410 |
|
|
{ |
1411 |
|
|
- /* record (minus padding) is too short to contain a MAC */ |
1412 |
|
|
-#if 0 /* OK only for stream ciphers */ |
1413 |
|
|
- al=SSL_AD_DECODE_ERROR; |
1414 |
|
|
- SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_LENGTH_TOO_SHORT); |
1415 |
|
|
- goto f_err; |
1416 |
|
|
-#else |
1417 |
|
|
- decryption_failed_or_bad_record_mac = 1; |
1418 |
|
|
- rr->length = 0; |
1419 |
|
|
-#endif |
1420 |
|
|
- } |
1421 |
|
|
- i=s->method->ssl3_enc->mac(s,md,0); |
1422 |
|
|
- if (mac == NULL || memcmp(md, mac, mac_size) != 0) |
1423 |
|
|
- { |
1424 |
|
|
- decryption_failed_or_bad_record_mac = 1; |
1425 |
|
|
+ /* In this case there's no padding, so |orig_len| |
1426 |
|
|
+ * equals |rec->length| and we checked that there's |
1427 |
|
|
+ * enough bytes for |mac_size| above. */ |
1428 |
|
|
+ rr->length -= mac_size; |
1429 |
|
|
+ mac = &rr->data[rr->length]; |
1430 |
|
|
} |
1431 |
|
|
+ |
1432 |
|
|
+ i=s->method->ssl3_enc->mac(s,md,0 /* not send */); |
1433 |
|
|
+ if (i < 0 || mac == NULL || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0) |
1434 |
|
|
+ enc_err = -1; |
1435 |
|
|
+ if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+extra+mac_size) |
1436 |
|
|
+ enc_err = -1; |
1437 |
|
|
} |
1438 |
|
|
|
1439 |
|
|
- if (decryption_failed_or_bad_record_mac) |
1440 |
|
|
+ if (enc_err < 0) |
1441 |
|
|
{ |
1442 |
|
|
/* A separate 'decryption_failed' alert was introduced with TLS 1.0, |
1443 |
|
|
* SSL 3.0 only has 'bad_record_mac'. But unless a decryption |
1444 |
|
|
diff -up openssl-fips-0.9.8e/ssl/ssl_locl.h.lucky13 openssl-fips-0.9.8e/ssl/ssl_locl.h |
1445 |
|
|
--- openssl-fips-0.9.8e/ssl/ssl_locl.h.lucky13 2013-02-25 14:56:11.219381406 +0100 |
1446 |
|
|
+++ openssl-fips-0.9.8e/ssl/ssl_locl.h 2013-02-25 14:57:27.348538698 +0100 |
1447 |
|
|
@@ -133,6 +133,7 @@ |
1448 |
|
|
#ifndef OPENSSL_NO_DSA |
1449 |
|
|
#include <openssl/dsa.h> |
1450 |
|
|
#endif |
1451 |
|
|
+#include <openssl/hmac.h> |
1452 |
|
|
#include <openssl/err.h> |
1453 |
|
|
#include <openssl/ssl.h> |
1454 |
|
|
#include <openssl/symhacks.h> |
1455 |
|
|
@@ -187,6 +188,15 @@ |
1456 |
|
|
*((c)++)=(unsigned char)(((l)>> 8)&0xff), \ |
1457 |
|
|
*((c)++)=(unsigned char)(((l) )&0xff)) |
1458 |
|
|
|
1459 |
|
|
+#define l2n8(l,c) (*((c)++)=(unsigned char)(((l)>>56)&0xff), \ |
1460 |
|
|
+ *((c)++)=(unsigned char)(((l)>>48)&0xff), \ |
1461 |
|
|
+ *((c)++)=(unsigned char)(((l)>>40)&0xff), \ |
1462 |
|
|
+ *((c)++)=(unsigned char)(((l)>>32)&0xff), \ |
1463 |
|
|
+ *((c)++)=(unsigned char)(((l)>>24)&0xff), \ |
1464 |
|
|
+ *((c)++)=(unsigned char)(((l)>>16)&0xff), \ |
1465 |
|
|
+ *((c)++)=(unsigned char)(((l)>> 8)&0xff), \ |
1466 |
|
|
+ *((c)++)=(unsigned char)(((l) )&0xff)) |
1467 |
|
|
+ |
1468 |
|
|
#define n2l6(c,l) (l =((BN_ULLONG)(*((c)++)))<<40, \ |
1469 |
|
|
l|=((BN_ULLONG)(*((c)++)))<<32, \ |
1470 |
|
|
l|=((BN_ULLONG)(*((c)++)))<<24, \ |
1471 |
|
|
@@ -946,5 +956,33 @@ int ssl_add_clienthello_renegotiate_ext( |
1472 |
|
|
int maxlen); |
1473 |
|
|
int ssl_parse_clienthello_renegotiate_ext(SSL *s, unsigned char *d, int len, |
1474 |
|
|
int *al); |
1475 |
|
|
+/* s3_cbc.c */ |
1476 |
|
|
+void ssl3_cbc_copy_mac(unsigned char* out, |
1477 |
|
|
+ const SSL3_RECORD *rec, |
1478 |
|
|
+ unsigned md_size,unsigned orig_len); |
1479 |
|
|
+int ssl3_cbc_remove_padding(const SSL* s, |
1480 |
|
|
+ SSL3_RECORD *rec, |
1481 |
|
|
+ unsigned block_size, |
1482 |
|
|
+ unsigned mac_size); |
1483 |
|
|
+int tls1_cbc_remove_padding(const SSL* s, |
1484 |
|
|
+ SSL3_RECORD *rec, |
1485 |
|
|
+ unsigned block_size, |
1486 |
|
|
+ unsigned mac_size); |
1487 |
|
|
+char ssl3_cbc_record_digest_supported(const EVP_MD *hash); |
1488 |
|
|
+void ssl3_cbc_digest_record( |
1489 |
|
|
+ const EVP_MD *hash, |
1490 |
|
|
+ unsigned char* md_out, |
1491 |
|
|
+ size_t* md_out_size, |
1492 |
|
|
+ const unsigned char header[13], |
1493 |
|
|
+ const unsigned char *data, |
1494 |
|
|
+ size_t data_plus_mac_size, |
1495 |
|
|
+ size_t data_plus_mac_plus_padding_size, |
1496 |
|
|
+ const unsigned char *mac_secret, |
1497 |
|
|
+ unsigned mac_secret_length, |
1498 |
|
|
+ char is_sslv3); |
1499 |
|
|
+ |
1500 |
|
|
+void tls_fips_digest_extra( |
1501 |
|
|
+ const EVP_CIPHER_CTX *cipher_ctx, const EVP_MD *hash, HMAC_CTX *hctx, |
1502 |
|
|
+ const unsigned char *data, size_t data_len, size_t orig_len); |
1503 |
|
|
|
1504 |
|
|
#endif |
1505 |
|
|
diff -up openssl-fips-0.9.8e/ssl/t1_enc.c.lucky13 openssl-fips-0.9.8e/ssl/t1_enc.c |
1506 |
|
|
--- openssl-fips-0.9.8e/ssl/t1_enc.c.lucky13 2013-02-25 14:56:11.027380889 +0100 |
1507 |
|
|
+++ openssl-fips-0.9.8e/ssl/t1_enc.c 2013-02-25 15:30:15.511540650 +0100 |
1508 |
|
|
@@ -523,18 +523,25 @@ err: |
1509 |
|
|
return(0); |
1510 |
|
|
} |
1511 |
|
|
|
1512 |
|
|
+/* tls1_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively. |
1513 |
|
|
+ * |
1514 |
|
|
+ * Returns: |
1515 |
|
|
+ * 0: (in non-constant time) if the record is publically invalid (i.e. too |
1516 |
|
|
+ * short etc). |
1517 |
|
|
+ * 1: if the record's padding is valid / the encryption was successful. |
1518 |
|
|
+ * -1: if the record's padding/AEAD-authenticator is invalid or, if sending, |
1519 |
|
|
+ * an internal error occured. |
1520 |
|
|
+ */ |
1521 |
|
|
int tls1_enc(SSL *s, int send) |
1522 |
|
|
{ |
1523 |
|
|
SSL3_RECORD *rec; |
1524 |
|
|
EVP_CIPHER_CTX *ds; |
1525 |
|
|
unsigned long l; |
1526 |
|
|
- int bs,i,ii,j,k,n=0; |
1527 |
|
|
+ int bs,i,j,k,pad=0,ret,mac_size=0; |
1528 |
|
|
const EVP_CIPHER *enc; |
1529 |
|
|
|
1530 |
|
|
if (send) |
1531 |
|
|
{ |
1532 |
|
|
- if (s->write_hash != NULL) |
1533 |
|
|
- n=EVP_MD_size(s->write_hash); |
1534 |
|
|
ds=s->enc_write_ctx; |
1535 |
|
|
rec= &(s->s3->wrec); |
1536 |
|
|
if (s->enc_write_ctx == NULL) |
1537 |
|
|
@@ -544,8 +551,6 @@ int tls1_enc(SSL *s, int send) |
1538 |
|
|
} |
1539 |
|
|
else |
1540 |
|
|
{ |
1541 |
|
|
- if (s->read_hash != NULL) |
1542 |
|
|
- n=EVP_MD_size(s->read_hash); |
1543 |
|
|
ds=s->enc_read_ctx; |
1544 |
|
|
rec= &(s->s3->rrec); |
1545 |
|
|
if (s->enc_read_ctx == NULL) |
1546 |
|
|
@@ -558,11 +563,11 @@ int tls1_enc(SSL *s, int send) |
1547 |
|
|
printf("tls1_enc(%d)\n", send); |
1548 |
|
|
#endif /* KSSL_DEBUG */ |
1549 |
|
|
|
1550 |
|
|
- if ((s->session == NULL) || (ds == NULL) || |
1551 |
|
|
- (enc == NULL)) |
1552 |
|
|
+ if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) |
1553 |
|
|
{ |
1554 |
|
|
memmove(rec->data,rec->input,rec->length); |
1555 |
|
|
rec->input=rec->data; |
1556 |
|
|
+ ret = 1; |
1557 |
|
|
} |
1558 |
|
|
else |
1559 |
|
|
{ |
1560 |
|
|
@@ -609,11 +614,7 @@ int tls1_enc(SSL *s, int send) |
1561 |
|
|
if (!send) |
1562 |
|
|
{ |
1563 |
|
|
if (l == 0 || l%bs != 0) |
1564 |
|
|
- { |
1565 |
|
|
- SSLerr(SSL_F_TLS1_ENC,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG); |
1566 |
|
|
- ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPTION_FAILED); |
1567 |
|
|
return 0; |
1568 |
|
|
- } |
1569 |
|
|
} |
1570 |
|
|
|
1571 |
|
|
EVP_Cipher(ds,rec->data,rec->input,l); |
1572 |
|
|
@@ -627,49 +628,15 @@ int tls1_enc(SSL *s, int send) |
1573 |
|
|
} |
1574 |
|
|
#endif /* KSSL_DEBUG */ |
1575 |
|
|
|
1576 |
|
|
+ ret = 1; |
1577 |
|
|
+ if (s->read_hash != NULL) |
1578 |
|
|
+ mac_size = EVP_MD_size(s->read_hash); |
1579 |
|
|
if ((bs != 1) && !send) |
1580 |
|
|
- { |
1581 |
|
|
- ii=i=rec->data[l-1]; /* padding_length */ |
1582 |
|
|
- i++; |
1583 |
|
|
- /* NB: if compression is in operation the first packet |
1584 |
|
|
- * may not be of even length so the padding bug check |
1585 |
|
|
- * cannot be performed. This bug workaround has been |
1586 |
|
|
- * around since SSLeay so hopefully it is either fixed |
1587 |
|
|
- * now or no buggy implementation supports compression |
1588 |
|
|
- * [steve] |
1589 |
|
|
- */ |
1590 |
|
|
- if ( (s->options&SSL_OP_TLS_BLOCK_PADDING_BUG) |
1591 |
|
|
- && !s->expand) |
1592 |
|
|
- { |
1593 |
|
|
- /* First packet is even in size, so check */ |
1594 |
|
|
- if ((memcmp(s->s3->read_sequence, |
1595 |
|
|
- "\0\0\0\0\0\0\0\0",8) == 0) && !(ii & 1)) |
1596 |
|
|
- s->s3->flags|=TLS1_FLAGS_TLS_PADDING_BUG; |
1597 |
|
|
- if (s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG) |
1598 |
|
|
- i--; |
1599 |
|
|
- } |
1600 |
|
|
- /* TLS 1.0 does not bound the number of padding bytes by the block size. |
1601 |
|
|
- * All of them must have value 'padding_length'. */ |
1602 |
|
|
- if (i > (int)rec->length) |
1603 |
|
|
- { |
1604 |
|
|
- /* Incorrect padding. SSLerr() and ssl3_alert are done |
1605 |
|
|
- * by caller: we don't want to reveal whether this is |
1606 |
|
|
- * a decryption error or a MAC verification failure |
1607 |
|
|
- * (see http://www.openssl.org/~bodo/tls-cbc.txt) */ |
1608 |
|
|
- return -1; |
1609 |
|
|
- } |
1610 |
|
|
- for (j=(int)(l-i); j<(int)l; j++) |
1611 |
|
|
- { |
1612 |
|
|
- if (rec->data[j] != ii) |
1613 |
|
|
- { |
1614 |
|
|
- /* Incorrect padding */ |
1615 |
|
|
- return -1; |
1616 |
|
|
- } |
1617 |
|
|
- } |
1618 |
|
|
- rec->length-=i; |
1619 |
|
|
- } |
1620 |
|
|
+ ret = tls1_cbc_remove_padding(s, rec, bs, mac_size); |
1621 |
|
|
+ if (pad && !send) |
1622 |
|
|
+ rec->length -= pad; |
1623 |
|
|
} |
1624 |
|
|
- return(1); |
1625 |
|
|
+ return ret; |
1626 |
|
|
} |
1627 |
|
|
|
1628 |
|
|
int tls1_cert_verify_mac(SSL *s, EVP_MD_CTX *in_ctx, unsigned char *out) |
1629 |
|
|
@@ -717,10 +684,10 @@ int tls1_mac(SSL *ssl, unsigned char *md |
1630 |
|
|
SSL3_RECORD *rec; |
1631 |
|
|
unsigned char *mac_sec,*seq; |
1632 |
|
|
const EVP_MD *hash; |
1633 |
|
|
- unsigned int md_size; |
1634 |
|
|
+ size_t md_size, orig_len; |
1635 |
|
|
int i; |
1636 |
|
|
HMAC_CTX hmac; |
1637 |
|
|
- unsigned char buf[5]; |
1638 |
|
|
+ unsigned char header[13]; |
1639 |
|
|
|
1640 |
|
|
if (send) |
1641 |
|
|
{ |
1642 |
|
|
@@ -739,20 +706,6 @@ int tls1_mac(SSL *ssl, unsigned char *md |
1643 |
|
|
|
1644 |
|
|
md_size=EVP_MD_size(hash); |
1645 |
|
|
|
1646 |
|
|
- buf[0]=rec->type; |
1647 |
|
|
- if (ssl->version == DTLS1_VERSION && ssl->client_version == DTLS1_BAD_VER) |
1648 |
|
|
- { |
1649 |
|
|
- buf[1]=TLS1_VERSION_MAJOR; |
1650 |
|
|
- buf[2]=TLS1_VERSION_MINOR; |
1651 |
|
|
- } |
1652 |
|
|
- else { |
1653 |
|
|
- buf[1]=(unsigned char)(ssl->version>>8); |
1654 |
|
|
- buf[2]=(unsigned char)(ssl->version); |
1655 |
|
|
- } |
1656 |
|
|
- |
1657 |
|
|
- buf[3]=rec->length>>8; |
1658 |
|
|
- buf[4]=rec->length&0xff; |
1659 |
|
|
- |
1660 |
|
|
/* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */ |
1661 |
|
|
HMAC_CTX_init(&hmac); |
1662 |
|
|
HMAC_Init_ex(&hmac,mac_sec,EVP_MD_size(hash),hash,NULL); |
1663 |
|
|
@@ -764,16 +717,57 @@ int tls1_mac(SSL *ssl, unsigned char *md |
1664 |
|
|
s2n(send?ssl->d1->w_epoch:ssl->d1->r_epoch, p); |
1665 |
|
|
memcpy (p,&seq[2],6); |
1666 |
|
|
|
1667 |
|
|
- HMAC_Update(&hmac,dtlsseq,8); |
1668 |
|
|
+ memcpy(header, dtlsseq, 8); |
1669 |
|
|
} |
1670 |
|
|
else |
1671 |
|
|
- HMAC_Update(&hmac,seq,8); |
1672 |
|
|
+ memcpy(header, seq, 8); |
1673 |
|
|
|
1674 |
|
|
- HMAC_Update(&hmac,buf,5); |
1675 |
|
|
- HMAC_Update(&hmac,rec->input,rec->length); |
1676 |
|
|
- HMAC_Final(&hmac,md,&md_size); |
1677 |
|
|
- HMAC_CTX_cleanup(&hmac); |
1678 |
|
|
+ /* kludge: tls1_cbc_remove_padding passes padding length in rec->type */ |
1679 |
|
|
+ orig_len = rec->length+md_size+((unsigned int)rec->type>>8); |
1680 |
|
|
+ rec->type &= 0xff; |
1681 |
|
|
+ |
1682 |
|
|
+ header[8]=rec->type; |
1683 |
|
|
+ header[9]=(unsigned char)(ssl->version>>8); |
1684 |
|
|
+ header[10]=(unsigned char)(ssl->version); |
1685 |
|
|
+ header[11]=(rec->length)>>8; |
1686 |
|
|
+ header[12]=(rec->length)&0xff; |
1687 |
|
|
+ |
1688 |
|
|
+ if (!send && |
1689 |
|
|
+ EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE && |
1690 |
|
|
+ ssl3_cbc_record_digest_supported(hash)) |
1691 |
|
|
+ { |
1692 |
|
|
+ /* This is a CBC-encrypted record. We must avoid leaking any |
1693 |
|
|
+ * timing-side channel information about how many blocks of |
1694 |
|
|
+ * data we are hashing because that gives an attacker a |
1695 |
|
|
+ * timing-oracle. */ |
1696 |
|
|
+ ssl3_cbc_digest_record( |
1697 |
|
|
+ hash, |
1698 |
|
|
+ md, &md_size, |
1699 |
|
|
+ header, rec->input, |
1700 |
|
|
+ rec->length + md_size, orig_len, |
1701 |
|
|
+ ssl->s3->read_mac_secret, |
1702 |
|
|
+ EVP_MD_size(ssl->read_hash), |
1703 |
|
|
+ 0 /* not SSLv3 */); |
1704 |
|
|
+ } |
1705 |
|
|
+ else |
1706 |
|
|
+ { |
1707 |
|
|
+ unsigned mds; |
1708 |
|
|
|
1709 |
|
|
+ HMAC_Update(&hmac,header,sizeof(header)); |
1710 |
|
|
+ HMAC_Update(&hmac,rec->input,rec->length); |
1711 |
|
|
+ HMAC_Final(&hmac,md,&mds); |
1712 |
|
|
+ md_size = mds; |
1713 |
|
|
+#ifdef OPENSSL_FIPS |
1714 |
|
|
+ if (!send && FIPS_mode()) |
1715 |
|
|
+ tls_fips_digest_extra( |
1716 |
|
|
+ ssl->enc_read_ctx, |
1717 |
|
|
+ hash, |
1718 |
|
|
+ &hmac, rec->input, |
1719 |
|
|
+ rec->length, orig_len); |
1720 |
|
|
+#endif |
1721 |
|
|
+ } |
1722 |
|
|
+ |
1723 |
|
|
+ HMAC_CTX_cleanup(&hmac); |
1724 |
|
|
#ifdef TLS_DEBUG |
1725 |
|
|
printf("sec="); |
1726 |
|
|
{unsigned int z; for (z=0; z<md_size; z++) printf("%02X ",mac_sec[z]); printf("\n"); } |
1727 |
|
|
diff -up openssl-fips-0.9.8e/test/testssl.lucky13 openssl-fips-0.9.8e/test/testssl |
1728 |
|
|
--- openssl-fips-0.9.8e/test/testssl.lucky13 2005-02-02 00:48:36.000000000 +0100 |
1729 |
|
|
+++ openssl-fips-0.9.8e/test/testssl 2013-02-25 14:56:11.422381943 +0100 |
1730 |
|
|
@@ -119,6 +119,23 @@ $ssltest -bio_pair -server_auth -client_ |
1731 |
|
|
echo test sslv2/sslv3 with both client and server authentication via BIO pair and app verify |
1732 |
|
|
$ssltest -bio_pair -server_auth -client_auth -app_verify $CA $extra || exit 1 |
1733 |
|
|
|
1734 |
|
|
+echo "Testing ciphersuites" |
1735 |
|
|
+for protocol in SSLv3; do |
1736 |
|
|
+ echo "Testing ciphersuites for $protocol" |
1737 |
|
|
+ for cipher in `../util/shlib_wrap.sh ../apps/openssl ciphers "RSA+$protocol" | tr ':' ' '`; do |
1738 |
|
|
+ echo "Testing $cipher" |
1739 |
|
|
+ prot="" |
1740 |
|
|
+ if [ $protocol == "SSLv3" ] ; then |
1741 |
|
|
+ prot="-ssl3" |
1742 |
|
|
+ fi |
1743 |
|
|
+ $ssltest -cipher $cipher $prot |
1744 |
|
|
+ if [ $? -ne 0 ] ; then |
1745 |
|
|
+ echo "Failed $cipher" |
1746 |
|
|
+ exit 1 |
1747 |
|
|
+ fi |
1748 |
|
|
+ done |
1749 |
|
|
+done |
1750 |
|
|
+ |
1751 |
|
|
############################################################################# |
1752 |
|
|
|
1753 |
|
|
if ../util/shlib_wrap.sh ../apps/openssl no-dh; then |