/[smeserver]/rpms/openssl/sme8/openssl-fips-0.9.8e-cve-2013-0169.patch
ViewVC logotype

Contents of /rpms/openssl/sme8/openssl-fips-0.9.8e-cve-2013-0169.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph

Revision 1.1 - (show annotations) (download)
Tue Feb 18 03:03:09 2014 UTC (10 years, 8 months ago) by wellsi
Branch: MAIN
CVS Tags: openssl-0_9_8e-28_el5_sme, openssl-0_9_8e-33_1_el5_sme, openssl-0_9_8e-32_1_el5_sme, openssl-0_9_8e-27_1_el5_sme, openssl-0_9_8e-27_el5_10_1, openssl-0_9_8e-31_1_el5_sme, HEAD
Branch point for: upstream 
Initial import
1 diff -up openssl-fips-0.9.8e/crypto/cryptlib.c.lucky13 openssl-fips-0.9.8e/crypto/cryptlib.c
2 --- openssl-fips-0.9.8e/crypto/cryptlib.c.lucky13 2007-07-26 18:46:54.000000000 +0200
3 +++ openssl-fips-0.9.8e/crypto/cryptlib.c 2013-02-25 14:56:11.392381859 +0100
4 @@ -543,3 +543,16 @@ void OpenSSLDie(const char *file,int lin
5 }
6
7 void *OPENSSL_stderr(void) { return stderr; }
8 +
9 +int CRYPTO_memcmp(const void *in_a, const void *in_b, size_t len)
10 + {
11 + size_t i;
12 + const unsigned char *a = in_a;
13 + const unsigned char *b = in_b;
14 + unsigned char x = 0;
15 +
16 + for (i = 0; i < len; i++)
17 + x |= a[i] ^ b[i];
18 +
19 + return x;
20 + }
21 diff -up openssl-fips-0.9.8e/crypto/crypto.h.lucky13 openssl-fips-0.9.8e/crypto/crypto.h
22 --- openssl-fips-0.9.8e/crypto/crypto.h.lucky13 2013-02-25 14:56:11.049380949 +0100
23 +++ openssl-fips-0.9.8e/crypto/crypto.h 2013-02-25 14:56:11.393381862 +0100
24 @@ -592,6 +592,13 @@ unsigned long *OPENSSL_ia32cap_loc(void)
25
26 #endif /* def OPENSSL_FIPS */
27
28 +/* CRYPTO_memcmp returns zero iff the |len| bytes at |a| and |b| are equal. It
29 + * takes an amount of time dependent on |len|, but independent of the contents
30 + * of |a| and |b|. Unlike memcmp, it cannot be used to put elements into a
31 + * defined order as the return value when a != b is undefined, other than to be
32 + * non-zero. */
33 +int CRYPTO_memcmp(const void *a, const void *b, size_t len);
34 +
35 /* BEGIN ERROR CODES */
36 /* The following lines are auto generated by the script mkerr.pl. Any changes
37 * made after this point may be overwritten when the script is next run.
38 diff -up openssl-fips-0.9.8e/crypto/rsa/rsa_oaep.c.lucky13 openssl-fips-0.9.8e/crypto/rsa/rsa_oaep.c
39 --- openssl-fips-0.9.8e/crypto/rsa/rsa_oaep.c.lucky13 2007-03-22 01:38:34.000000000 +0100
40 +++ openssl-fips-0.9.8e/crypto/rsa/rsa_oaep.c 2013-02-25 14:56:11.394381865 +0100
41 @@ -136,7 +136,7 @@ int RSA_padding_check_PKCS1_OAEP(unsigne
42
43 EVP_Digest((void *)param, plen, phash, NULL, EVP_sha1(), NULL);
44
45 - if (memcmp(db, phash, SHA_DIGEST_LENGTH) != 0 || bad)
46 + if (CRYPTO_memcmp(db, phash, SHA_DIGEST_LENGTH) != 0 || bad)
47 goto decoding_err;
48 else
49 {
50 diff -up openssl-fips-0.9.8e/ssl/d1_enc.c.lucky13 openssl-fips-0.9.8e/ssl/d1_enc.c
51 --- openssl-fips-0.9.8e/ssl/d1_enc.c.lucky13 2013-02-25 14:56:11.374381809 +0100
52 +++ openssl-fips-0.9.8e/ssl/d1_enc.c 2013-02-25 14:56:11.395381868 +0100
53 @@ -122,18 +122,30 @@
54 #include <openssl/rand.h>
55
56
57 +/* dtls1_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively.
58 + *
59 + * Returns:
60 + * 0: (in non-constant time) if the record is publically invalid (i.e. too
61 + * short etc).
62 + * 1: if the record's padding is valid / the encryption was successful.
63 + * -1: if the record's padding/AEAD-authenticator is invalid or, if sending,
64 + * an internal error occured. */
65 int dtls1_enc(SSL *s, int send)
66 {
67 SSL3_RECORD *rec;
68 EVP_CIPHER_CTX *ds;
69 unsigned long l;
70 - int bs,i,ii,j,k,n=0;
71 + int bs,i,j,k,mac_size=0;
72 const EVP_CIPHER *enc;
73
74 if (send)
75 {
76 - if (s->write_hash != NULL)
77 - n=EVP_MD_size(s->write_hash);
78 + if (s->write_hash)
79 + {
80 + mac_size=EVP_MD_size(s->write_hash);
81 + if (mac_size < 0)
82 + return -1;
83 + }
84 ds=s->enc_write_ctx;
85 rec= &(s->s3->wrec);
86 if (s->enc_write_ctx == NULL)
87 @@ -147,15 +159,18 @@ int dtls1_enc(SSL *s, int send)
88 __FILE__, __LINE__);
89 else if ( EVP_CIPHER_block_size(ds->cipher) > 1)
90 {
91 - if (!RAND_bytes(rec->input, EVP_CIPHER_block_size(ds->cipher)))
92 + if (RAND_bytes(rec->input, EVP_CIPHER_block_size(ds->cipher)) <= 0)
93 return -1;
94 }
95 }
96 }
97 else
98 {
99 - if (s->read_hash != NULL)
100 - n=EVP_MD_size(s->read_hash);
101 + if (s->read_hash)
102 + {
103 + mac_size=EVP_MD_size(s->read_hash);
104 + OPENSSL_assert(mac_size >= 0);
105 + }
106 ds=s->enc_read_ctx;
107 rec= &(s->s3->rrec);
108 if (s->enc_read_ctx == NULL)
109 @@ -219,11 +234,7 @@ int dtls1_enc(SSL *s, int send)
110 if (!send)
111 {
112 if (l == 0 || l%bs != 0)
113 - {
114 - SSLerr(SSL_F_DTLS1_ENC,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
115 - ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPTION_FAILED);
116 return 0;
117 - }
118 }
119
120 EVP_Cipher(ds,rec->data,rec->input,l);
121 @@ -238,43 +249,7 @@ int dtls1_enc(SSL *s, int send)
122 #endif /* KSSL_DEBUG */
123
124 if ((bs != 1) && !send)
125 - {
126 - ii=i=rec->data[l-1]; /* padding_length */
127 - i++;
128 - if (s->options&SSL_OP_TLS_BLOCK_PADDING_BUG)
129 - {
130 - /* First packet is even in size, so check */
131 - if ((memcmp(s->s3->read_sequence,
132 - "\0\0\0\0\0\0\0\0",8) == 0) && !(ii & 1))
133 - s->s3->flags|=TLS1_FLAGS_TLS_PADDING_BUG;
134 - if (s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG)
135 - i--;
136 - }
137 - /* TLS 1.0 does not bound the number of padding bytes by the block size.
138 - * All of them must have value 'padding_length'. */
139 - if (i + bs > (int)rec->length)
140 - {
141 - /* Incorrect padding. SSLerr() and ssl3_alert are done
142 - * by caller: we don't want to reveal whether this is
143 - * a decryption error or a MAC verification failure
144 - * (see http://www.openssl.org/~bodo/tls-cbc.txt)
145 - */
146 - return -1;
147 - }
148 - for (j=(int)(l-i); j<(int)l; j++)
149 - {
150 - if (rec->data[j] != ii)
151 - {
152 - /* Incorrect padding */
153 - return -1;
154 - }
155 - }
156 - rec->length-=i;
157 -
158 - rec->data += bs; /* skip the implicit IV */
159 - rec->input += bs;
160 - rec->length -= bs;
161 - }
162 + return tls1_cbc_remove_padding(s, rec, bs, mac_size);
163 }
164 return(1);
165 }
166 diff -up openssl-fips-0.9.8e/ssl/d1_pkt.c.lucky13 openssl-fips-0.9.8e/ssl/d1_pkt.c
167 --- openssl-fips-0.9.8e/ssl/d1_pkt.c.lucky13 2013-02-25 14:56:11.278381571 +0100
168 +++ openssl-fips-0.9.8e/ssl/d1_pkt.c 2013-02-25 14:56:11.400381882 +0100
169 @@ -328,16 +328,12 @@ dtls1_get_buffered_record(SSL *s)
170 static int
171 dtls1_process_record(SSL *s)
172 {
173 - int al;
174 - int clear=0;
175 - int enc_err;
176 + int i,al;
177 + int enc_err;
178 SSL_SESSION *sess;
179 - SSL3_RECORD *rr;
180 - unsigned int mac_size;
181 + SSL3_RECORD *rr;
182 + unsigned int mac_size, orig_len;
183 unsigned char md[EVP_MAX_MD_SIZE];
184 - int decryption_failed_or_bad_record_mac = 0;
185 - unsigned char *mac = NULL;
186 -
187
188 rr= &(s->s3->rrec);
189 sess = s->session;
190 @@ -369,12 +365,16 @@ dtls1_process_record(SSL *s)
191 rr->data=rr->input;
192
193 enc_err = s->method->ssl3_enc->enc(s,0);
194 - if (enc_err <= 0)
195 + /* enc_err is:
196 + * 0: (in non-constant time) if the record is publically invalid.
197 + * 1: if the padding is valid
198 + * -1: if the padding is invalid */
199 + if (enc_err == 0)
200 {
201 - /* To minimize information leaked via timing, we will always
202 - * perform all computations before discarding the message.
203 - */
204 - decryption_failed_or_bad_record_mac = 1;
205 + /* For DTLS we simply ignore bad packets. */
206 + rr->length = 0;
207 + s->packet_length = 0;
208 + goto err;
209 }
210
211 #ifdef TLS_DEBUG
212 @@ -384,41 +384,62 @@ printf("\n");
213 #endif
214
215 /* r->length is now the compressed data plus mac */
216 -if ( (sess == NULL) ||
217 - (s->enc_read_ctx == NULL) ||
218 - (s->read_hash == NULL))
219 - clear=1;
220 -
221 - if (!clear)
222 + if ((sess != NULL) &&
223 + (s->enc_read_ctx != NULL) &&
224 + (s->read_hash != NULL))
225 {
226 + /* s->read_hash != NULL => mac_size != -1 */
227 + unsigned char *mac = NULL;
228 + unsigned char mac_tmp[EVP_MAX_MD_SIZE];
229 mac_size=EVP_MD_size(s->read_hash);
230 + OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE);
231
232 - if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+mac_size)
233 + /* kludge: *_cbc_remove_padding passes padding length in rr->type */
234 + orig_len = rr->length+((unsigned int)rr->type>>8);
235 +
236 + /* orig_len is the length of the record before any padding was
237 + * removed. This is public information, as is the MAC in use,
238 + * therefore we can safely process the record in a different
239 + * amount of time if it's too short to possibly contain a MAC.
240 + */
241 + if (orig_len < mac_size ||
242 + /* CBC records must have a padding length byte too. */
243 + (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
244 + orig_len < mac_size+1))
245 {
246 -#if 0 /* OK only for stream ciphers (then rr->length is visible from ciphertext anyway) */
247 - al=SSL_AD_RECORD_OVERFLOW;
248 - SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG);
249 + al=SSL_AD_DECODE_ERROR;
250 + SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_LENGTH_TOO_SHORT);
251 goto f_err;
252 -#else
253 - decryption_failed_or_bad_record_mac = 1;
254 -#endif
255 }
256 - /* check the MAC for rr->input (it's in mac_size bytes at the tail) */
257 - if (rr->length >= mac_size)
258 +
259 + if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE)
260 {
261 + /* We update the length so that the TLS header bytes
262 + * can be constructed correctly but we need to extract
263 + * the MAC in constant time from within the record,
264 + * without leaking the contents of the padding bytes.
265 + * */
266 + mac = mac_tmp;
267 + ssl3_cbc_copy_mac(mac_tmp, rr, mac_size, orig_len);
268 rr->length -= mac_size;
269 - mac = &rr->data[rr->length];
270 }
271 else
272 - rr->length = 0;
273 - s->method->ssl3_enc->mac(s,md,0);
274 - if (mac == NULL || memcmp(md, mac, mac_size) != 0)
275 {
276 - decryption_failed_or_bad_record_mac = 1;
277 + /* In this case there's no padding, so |orig_len|
278 + * equals |rec->length| and we checked that there's
279 + * enough bytes for |mac_size| above. */
280 + rr->length -= mac_size;
281 + mac = &rr->data[rr->length];
282 }
283 +
284 + i=s->method->ssl3_enc->mac(s,md,0 /* not send */);
285 + if (i < 0 || mac == NULL || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0)
286 + enc_err = -1;
287 + if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+mac_size)
288 + enc_err = -1;
289 }
290
291 - if (decryption_failed_or_bad_record_mac)
292 + if (enc_err < 0)
293 {
294 /* decryption failed, silently discard message */
295 rr->length = 0;
296 diff -up openssl-fips-0.9.8e/ssl/Makefile.lucky13 openssl-fips-0.9.8e/ssl/Makefile
297 --- openssl-fips-0.9.8e/ssl/Makefile.lucky13 2013-02-25 14:56:11.212381386 +0100
298 +++ openssl-fips-0.9.8e/ssl/Makefile 2013-02-25 14:56:11.404381893 +0100
299 @@ -22,7 +22,7 @@ LIB=$(TOP)/libssl.a
300 SHARED_LIB= libssl$(SHLIB_EXT)
301 LIBSRC= \
302 s2_meth.c s2_srvr.c s2_clnt.c s2_lib.c s2_enc.c s2_pkt.c \
303 - s3_meth.c s3_srvr.c s3_clnt.c s3_lib.c s3_enc.c s3_pkt.c s3_both.c \
304 + s3_meth.c s3_srvr.c s3_clnt.c s3_lib.c s3_enc.c s3_pkt.c s3_both.c s3_cbc.c \
305 s23_meth.c s23_srvr.c s23_clnt.c s23_lib.c s23_pkt.c \
306 t1_meth.c t1_srvr.c t1_clnt.c t1_lib.c t1_enc.c \
307 d1_meth.c d1_srvr.c d1_clnt.c d1_lib.c d1_pkt.c \
308 @@ -33,7 +33,7 @@ LIBSRC= \
309 bio_ssl.c ssl_err.c kssl.c t1_reneg.c
310 LIBOBJ= \
311 s2_meth.o s2_srvr.o s2_clnt.o s2_lib.o s2_enc.o s2_pkt.o \
312 - s3_meth.o s3_srvr.o s3_clnt.o s3_lib.o s3_enc.o s3_pkt.o s3_both.o \
313 + s3_meth.o s3_srvr.o s3_clnt.o s3_lib.o s3_enc.o s3_pkt.o s3_both.o s3_cbc.o \
314 s23_meth.o s23_srvr.o s23_clnt.o s23_lib.o s23_pkt.o \
315 t1_meth.o t1_srvr.o t1_clnt.o t1_lib.o t1_enc.o \
316 d1_meth.o d1_srvr.o d1_clnt.o d1_lib.o d1_pkt.o \
317 diff -up openssl-fips-0.9.8e/ssl/s2_clnt.c.lucky13 openssl-fips-0.9.8e/ssl/s2_clnt.c
318 --- openssl-fips-0.9.8e/ssl/s2_clnt.c.lucky13 2013-02-25 14:56:11.097381084 +0100
319 +++ openssl-fips-0.9.8e/ssl/s2_clnt.c 2013-02-25 14:56:11.404381893 +0100
320 @@ -935,7 +935,7 @@ static int get_server_verify(SSL *s)
321 s->msg_callback(0, s->version, 0, p, len, s, s->msg_callback_arg); /* SERVER-VERIFY */
322 p += 1;
323
324 - if (memcmp(p,s->s2->challenge,s->s2->challenge_length) != 0)
325 + if (CRYPTO_memcmp(p,s->s2->challenge,s->s2->challenge_length) != 0)
326 {
327 ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
328 SSLerr(SSL_F_GET_SERVER_VERIFY,SSL_R_CHALLENGE_IS_DIFFERENT);
329 diff -up openssl-fips-0.9.8e/ssl/s2_pkt.c.lucky13 openssl-fips-0.9.8e/ssl/s2_pkt.c
330 --- openssl-fips-0.9.8e/ssl/s2_pkt.c.lucky13 2003-12-27 17:10:30.000000000 +0100
331 +++ openssl-fips-0.9.8e/ssl/s2_pkt.c 2013-02-25 14:56:11.405381896 +0100
332 @@ -267,8 +267,7 @@ static int ssl2_read_internal(SSL *s, vo
333 s->s2->ract_data_length-=mac_size;
334 ssl2_mac(s,mac,0);
335 s->s2->ract_data_length-=s->s2->padding;
336 - if ( (memcmp(mac,s->s2->mac_data,
337 - (unsigned int)mac_size) != 0) ||
338 + if ( (CRYPTO_memcmp(mac,s->s2->mac_data,mac_size) != 0) ||
339 (s->s2->rlength%EVP_CIPHER_CTX_block_size(s->enc_read_ctx) != 0))
340 {
341 SSLerr(SSL_F_SSL2_READ_INTERNAL,SSL_R_BAD_MAC_DECODE);
342 diff -up openssl-fips-0.9.8e/ssl/s3_both.c.lucky13 openssl-fips-0.9.8e/ssl/s3_both.c
343 --- openssl-fips-0.9.8e/ssl/s3_both.c.lucky13 2013-02-25 14:56:11.221381411 +0100
344 +++ openssl-fips-0.9.8e/ssl/s3_both.c 2013-02-25 14:56:11.406381899 +0100
345 @@ -242,7 +242,7 @@ int ssl3_get_finished(SSL *s, int a, int
346 goto f_err;
347 }
348
349 - if (memcmp(p, s->s3->tmp.peer_finish_md, i) != 0)
350 + if (CRYPTO_memcmp(p, s->s3->tmp.peer_finish_md, i) != 0)
351 {
352 al=SSL_AD_DECRYPT_ERROR;
353 SSLerr(SSL_F_SSL3_GET_FINISHED,SSL_R_DIGEST_CHECK_FAILED);
354 diff -up openssl-fips-0.9.8e/ssl/s3_cbc.c.lucky13 openssl-fips-0.9.8e/ssl/s3_cbc.c
355 --- openssl-fips-0.9.8e/ssl/s3_cbc.c.lucky13 2013-02-25 14:56:11.407381902 +0100
356 +++ openssl-fips-0.9.8e/ssl/s3_cbc.c 2013-02-25 14:56:11.407381902 +0100
357 @@ -0,0 +1,783 @@
358 +/* ssl/s3_cbc.c */
359 +/* ====================================================================
360 + * Copyright (c) 2012 The OpenSSL Project. All rights reserved.
361 + *
362 + * Redistribution and use in source and binary forms, with or without
363 + * modification, are permitted provided that the following conditions
364 + * are met:
365 + *
366 + * 1. Redistributions of source code must retain the above copyright
367 + * notice, this list of conditions and the following disclaimer.
368 + *
369 + * 2. Redistributions in binary form must reproduce the above copyright
370 + * notice, this list of conditions and the following disclaimer in
371 + * the documentation and/or other materials provided with the
372 + * distribution.
373 + *
374 + * 3. All advertising materials mentioning features or use of this
375 + * software must display the following acknowledgment:
376 + * "This product includes software developed by the OpenSSL Project
377 + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
378 + *
379 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
380 + * endorse or promote products derived from this software without
381 + * prior written permission. For written permission, please contact
382 + * openssl-core@openssl.org.
383 + *
384 + * 5. Products derived from this software may not be called "OpenSSL"
385 + * nor may "OpenSSL" appear in their names without prior written
386 + * permission of the OpenSSL Project.
387 + *
388 + * 6. Redistributions of any form whatsoever must retain the following
389 + * acknowledgment:
390 + * "This product includes software developed by the OpenSSL Project
391 + * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
392 + *
393 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
394 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
395 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
396 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
397 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
398 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
399 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
400 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
401 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
402 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
403 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
404 + * OF THE POSSIBILITY OF SUCH DAMAGE.
405 + * ====================================================================
406 + *
407 + * This product includes cryptographic software written by Eric Young
408 + * (eay@cryptsoft.com). This product includes software written by Tim
409 + * Hudson (tjh@cryptsoft.com).
410 + *
411 + */
412 +
413 +#include "ssl_locl.h"
414 +
415 +#include <openssl/md5.h>
416 +#include <openssl/sha.h>
417 +
418 +/* MAX_HASH_BIT_COUNT_BYTES is the maximum number of bytes in the hash's length
419 + * field. (SHA-384/512 have 128-bit length.) */
420 +#define MAX_HASH_BIT_COUNT_BYTES 16
421 +
422 +/* MAX_HASH_BLOCK_SIZE is the maximum hash block size that we'll support.
423 + * Currently SHA-384/512 has a 128-byte block size and that's the largest
424 + * supported by TLS.) */
425 +#define MAX_HASH_BLOCK_SIZE 128
426 +
427 +/* Some utility functions are needed:
428 + *
429 + * These macros return the given value with the MSB copied to all the other
430 + * bits. They use the fact that arithmetic shift shifts-in the sign bit.
431 + * However, this is not ensured by the C standard so you may need to replace
432 + * them with something else on odd CPUs. */
433 +#define DUPLICATE_MSB_TO_ALL(x) ( (unsigned)( (int)(x) >> (sizeof(int)*8-1) ) )
434 +#define DUPLICATE_MSB_TO_ALL_8(x) ((unsigned char)(DUPLICATE_MSB_TO_ALL(x)))
435 +
436 +/* constant_time_lt returns 0xff if a<b and 0x00 otherwise. */
437 +static unsigned constant_time_lt(unsigned a, unsigned b)
438 + {
439 + a -= b;
440 + return DUPLICATE_MSB_TO_ALL(a);
441 + }
442 +
443 +/* constant_time_ge returns 0xff if a>=b and 0x00 otherwise. */
444 +static unsigned constant_time_ge(unsigned a, unsigned b)
445 + {
446 + a -= b;
447 + return DUPLICATE_MSB_TO_ALL(~a);
448 + }
449 +
450 +/* constant_time_eq_8 returns 0xff if a==b and 0x00 otherwise. */
451 +static unsigned char constant_time_eq_8(unsigned a, unsigned b)
452 + {
453 + unsigned c = a ^ b;
454 + c--;
455 + return DUPLICATE_MSB_TO_ALL_8(c);
456 + }
457 +
458 +/* ssl3_cbc_remove_padding removes padding from the decrypted, SSLv3, CBC
459 + * record in |rec| by updating |rec->length| in constant time.
460 + *
461 + * block_size: the block size of the cipher used to encrypt the record.
462 + * returns:
463 + * 0: (in non-constant time) if the record is publicly invalid.
464 + * 1: if the padding was valid
465 + * -1: otherwise. */
466 +int ssl3_cbc_remove_padding(const SSL* s,
467 + SSL3_RECORD *rec,
468 + unsigned block_size,
469 + unsigned mac_size)
470 + {
471 + unsigned padding_length, good;
472 + const unsigned overhead = 1 /* padding length byte */ + mac_size;
473 +
474 + /* These lengths are all public so we can test them in non-constant
475 + * time. */
476 + if (overhead > rec->length)
477 + return 0;
478 +
479 + padding_length = rec->data[rec->length-1];
480 + good = constant_time_ge(rec->length, padding_length+overhead);
481 + /* SSLv3 requires that the padding is minimal. */
482 + good &= constant_time_ge(block_size, padding_length+1);
483 + padding_length = good & (padding_length+1);
484 + rec->length -= padding_length;
485 + rec->type |= padding_length<<8; /* kludge: pass padding length */
486 + return (int)((good & 1) | (~good & -1));
487 +}
488 +
489 +/* tls1_cbc_remove_padding removes the CBC padding from the decrypted, TLS, CBC
490 + * record in |rec| in constant time and returns 1 if the padding is valid and
491 + * -1 otherwise. It also removes any explicit IV from the start of the record
492 + * without leaking any timing about whether there was enough space after the
493 + * padding was removed.
494 + *
495 + * block_size: the block size of the cipher used to encrypt the record.
496 + * returns:
497 + * 0: (in non-constant time) if the record is publicly invalid.
498 + * 1: if the padding was valid
499 + * -1: otherwise. */
500 +int tls1_cbc_remove_padding(const SSL* s,
501 + SSL3_RECORD *rec,
502 + unsigned block_size,
503 + unsigned mac_size)
504 + {
505 + unsigned padding_length, good, to_check, i;
506 + const unsigned overhead = 1 /* padding length byte */ + mac_size;
507 + /* Check if version requires explicit IV */
508 + if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER)
509 + {
510 + /* These lengths are all public so we can test them in
511 + * non-constant time.
512 + */
513 + if (overhead + block_size > rec->length)
514 + return 0;
515 + /* We can now safely skip explicit IV */
516 + rec->data += block_size;
517 + rec->input += block_size;
518 + rec->length -= block_size;
519 + }
520 + else if (overhead > rec->length)
521 + return 0;
522 +
523 + padding_length = rec->data[rec->length-1];
524 +
525 + /* NB: if compression is in operation the first packet may not be of
526 + * even length so the padding bug check cannot be performed. This bug
527 + * workaround has been around since SSLeay so hopefully it is either
528 + * fixed now or no buggy implementation supports compression [steve]
529 + */
530 + if ( (s->options&SSL_OP_TLS_BLOCK_PADDING_BUG) && !s->expand)
531 + {
532 + /* First packet is even in size, so check */
533 + if ((memcmp(s->s3->read_sequence, "\0\0\0\0\0\0\0\0",8) == 0) &&
534 + !(padding_length & 1))
535 + {
536 + s->s3->flags|=TLS1_FLAGS_TLS_PADDING_BUG;
537 + }
538 + if ((s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG) &&
539 + padding_length > 0)
540 + {
541 + padding_length--;
542 + }
543 + }
544 +
545 + good = constant_time_ge(rec->length, overhead+padding_length);
546 + /* The padding consists of a length byte at the end of the record and
547 + * then that many bytes of padding, all with the same value as the
548 + * length byte. Thus, with the length byte included, there are i+1
549 + * bytes of padding.
550 + *
551 + * We can't check just |padding_length+1| bytes because that leaks
552 + * decrypted information. Therefore we always have to check the maximum
553 + * amount of padding possible. (Again, the length of the record is
554 + * public information so we can use it.) */
555 + to_check = 255; /* maximum amount of padding. */
556 + if (to_check > rec->length-1)
557 + to_check = rec->length-1;
558 +
559 + for (i = 0; i < to_check; i++)
560 + {
561 + unsigned char mask = constant_time_ge(padding_length, i);
562 + unsigned char b = rec->data[rec->length-1-i];
563 + /* The final |padding_length+1| bytes should all have the value
564 + * |padding_length|. Therefore the XOR should be zero. */
565 + good &= ~(mask&(padding_length ^ b));
566 + }
567 +
568 + /* If any of the final |padding_length+1| bytes had the wrong value,
569 + * one or more of the lower eight bits of |good| will be cleared. We
570 + * AND the bottom 8 bits together and duplicate the result to all the
571 + * bits. */
572 + good &= good >> 4;
573 + good &= good >> 2;
574 + good &= good >> 1;
575 + good <<= sizeof(good)*8-1;
576 + good = DUPLICATE_MSB_TO_ALL(good);
577 +
578 + padding_length = good & (padding_length+1);
579 + rec->length -= padding_length;
580 + rec->type |= padding_length<<8; /* kludge: pass padding length */
581 +
582 + return (int)((good & 1) | (~good & -1));
583 + }
584 +
585 +/* ssl3_cbc_copy_mac copies |md_size| bytes from the end of |rec| to |out| in
586 + * constant time (independent of the concrete value of rec->length, which may
587 + * vary within a 256-byte window).
588 + *
589 + * ssl3_cbc_remove_padding or tls1_cbc_remove_padding must be called prior to
590 + * this function.
591 + *
592 + * On entry:
593 + * rec->orig_len >= md_size
594 + * md_size <= EVP_MAX_MD_SIZE
595 + *
596 + * If CBC_MAC_ROTATE_IN_PLACE is defined then the rotation is performed with
597 + * variable accesses in a 64-byte-aligned buffer. Assuming that this fits into
598 + * a single or pair of cache-lines, then the variable memory accesses don't
599 + * actually affect the timing. CPUs with smaller cache-lines [if any] are
600 + * not multi-core and are not considered vulnerable to cache-timing attacks.
601 + */
602 +#define CBC_MAC_ROTATE_IN_PLACE
603 +
604 +void ssl3_cbc_copy_mac(unsigned char* out,
605 + const SSL3_RECORD *rec,
606 + unsigned md_size,unsigned orig_len)
607 + {
608 +#if defined(CBC_MAC_ROTATE_IN_PLACE)
609 + unsigned char rotated_mac_buf[64+EVP_MAX_MD_SIZE];
610 + unsigned char *rotated_mac;
611 +#else
612 + unsigned char rotated_mac[EVP_MAX_MD_SIZE];
613 +#endif
614 +
615 + /* mac_end is the index of |rec->data| just after the end of the MAC. */
616 + unsigned mac_end = rec->length;
617 + unsigned mac_start = mac_end - md_size;
618 + /* scan_start contains the number of bytes that we can ignore because
619 + * the MAC's position can only vary by 255 bytes. */
620 + unsigned scan_start = 0;
621 + unsigned i, j;
622 + unsigned div_spoiler;
623 + unsigned rotate_offset;
624 +
625 + OPENSSL_assert(orig_len >= md_size);
626 + OPENSSL_assert(md_size <= EVP_MAX_MD_SIZE);
627 +
628 +#if defined(CBC_MAC_ROTATE_IN_PLACE)
629 + rotated_mac = rotated_mac_buf + ((0-(size_t)rotated_mac_buf)&63);
630 +#endif
631 +
632 + /* This information is public so it's safe to branch based on it. */
633 + if (orig_len > md_size + 255 + 1)
634 + scan_start = orig_len - (md_size + 255 + 1);
635 + /* div_spoiler contains a multiple of md_size that is used to cause the
636 + * modulo operation to be constant time. Without this, the time varies
637 + * based on the amount of padding when running on Intel chips at least.
638 + *
639 + * The aim of right-shifting md_size is so that the compiler doesn't
640 + * figure out that it can remove div_spoiler as that would require it
641 + * to prove that md_size is always even, which I hope is beyond it. */
642 + div_spoiler = md_size >> 1;
643 + div_spoiler <<= (sizeof(div_spoiler)-1)*8;
644 + rotate_offset = (div_spoiler + mac_start - scan_start) % md_size;
645 +
646 + memset(rotated_mac, 0, md_size);
647 + for (i = scan_start, j = 0; i < orig_len; i++)
648 + {
649 + unsigned char mac_started = constant_time_ge(i, mac_start);
650 + unsigned char mac_ended = constant_time_ge(i, mac_end);
651 + unsigned char b = rec->data[i];
652 + rotated_mac[j++] |= b & mac_started & ~mac_ended;
653 + j &= constant_time_lt(j,md_size);
654 + }
655 +
656 + /* Now rotate the MAC */
657 +#if defined(CBC_MAC_ROTATE_IN_PLACE)
658 + j = 0;
659 + for (i = 0; i < md_size; i++)
660 + {
661 + /* in case cache-line is 32 bytes, touch second line */
662 + ((volatile unsigned char *)rotated_mac)[rotate_offset^32];
663 + out[j++] = rotated_mac[rotate_offset++];
664 + rotate_offset &= constant_time_lt(rotate_offset,md_size);
665 + }
666 +#else
667 + memset(out, 0, md_size);
668 + rotate_offset = md_size - rotate_offset;
669 + rotate_offset &= constant_time_lt(rotate_offset,md_size);
670 + for (i = 0; i < md_size; i++)
671 + {
672 + for (j = 0; j < md_size; j++)
673 + out[j] |= rotated_mac[i] & constant_time_eq_8(j, rotate_offset);
674 + rotate_offset++;
675 + rotate_offset &= constant_time_lt(rotate_offset,md_size);
676 + }
677 +#endif
678 + }
679 +
680 +/* u32toLE serialises an unsigned, 32-bit number (n) as four bytes at (p) in
681 + * little-endian order. The value of p is advanced by four. */
682 +#define u32toLE(n, p) \
683 + (*((p)++)=(unsigned char)(n), \
684 + *((p)++)=(unsigned char)(n>>8), \
685 + *((p)++)=(unsigned char)(n>>16), \
686 + *((p)++)=(unsigned char)(n>>24))
687 +
688 +/* These functions serialize the state of a hash and thus perform the standard
689 + * "final" operation without adding the padding and length that such a function
690 + * typically does. */
691 +static void tls1_md5_final_raw(void* ctx, unsigned char *md_out)
692 + {
693 + MD5_CTX *md5 = ctx;
694 + u32toLE(md5->A, md_out);
695 + u32toLE(md5->B, md_out);
696 + u32toLE(md5->C, md_out);
697 + u32toLE(md5->D, md_out);
698 + }
699 +
700 +static void tls1_sha1_final_raw(void* ctx, unsigned char *md_out)
701 + {
702 + SHA_CTX *sha1 = ctx;
703 + l2n(sha1->h0, md_out);
704 + l2n(sha1->h1, md_out);
705 + l2n(sha1->h2, md_out);
706 + l2n(sha1->h3, md_out);
707 + l2n(sha1->h4, md_out);
708 + }
709 +#define LARGEST_DIGEST_CTX SHA_CTX
710 +
711 +#ifndef OPENSSL_NO_SHA256
712 +static void tls1_sha256_final_raw(void* ctx, unsigned char *md_out)
713 + {
714 + SHA256_CTX *sha256 = ctx;
715 + unsigned i;
716 +
717 + for (i = 0; i < 8; i++)
718 + {
719 + l2n(sha256->h[i], md_out);
720 + }
721 + }
722 +#undef LARGEST_DIGEST_CTX
723 +#define LARGEST_DIGEST_CTX SHA256_CTX
724 +#endif
725 +
726 +#ifndef OPENSSL_NO_SHA512
727 +static void tls1_sha512_final_raw(void* ctx, unsigned char *md_out)
728 + {
729 + SHA512_CTX *sha512 = ctx;
730 + unsigned i;
731 +
732 + for (i = 0; i < 8; i++)
733 + {
734 + l2n8(sha512->h[i], md_out);
735 + }
736 + }
737 +#undef LARGEST_DIGEST_CTX
738 +#define LARGEST_DIGEST_CTX SHA512_CTX
739 +#endif
740 +
741 +/* ssl3_cbc_record_digest_supported returns 1 iff |ctx| uses a hash function
742 + * which ssl3_cbc_digest_record supports. */
743 +char ssl3_cbc_record_digest_supported(const EVP_MD *digest)
744 + {
745 +#ifdef OPENSSL_FIPS
746 + if (FIPS_mode())
747 + return 0;
748 +#endif
749 + switch (EVP_MD_type(digest))
750 + {
751 + case NID_md5:
752 + case NID_sha1:
753 +#ifndef OPENSSL_NO_SHA256
754 + case NID_sha224:
755 + case NID_sha256:
756 +#endif
757 +#ifndef OPENSSL_NO_SHA512
758 + case NID_sha384:
759 + case NID_sha512:
760 +#endif
761 + return 1;
762 + default:
763 + return 0;
764 + }
765 + }
766 +
767 +/* ssl3_cbc_digest_record computes the MAC of a decrypted, padded SSLv3/TLS
768 + * record.
769 + *
770 + * ctx: the EVP_MD_CTX from which we take the hash function.
771 + * ssl3_cbc_record_digest_supported must return true for this EVP_MD_CTX.
772 + * md_out: the digest output. At most EVP_MAX_MD_SIZE bytes will be written.
773 + * md_out_size: if non-NULL, the number of output bytes is written here.
774 + * header: the 13-byte, TLS record header.
775 + * data: the record data itself, less any preceeding explicit IV.
776 + * data_plus_mac_size: the secret, reported length of the data and MAC
777 + * once the padding has been removed.
778 + * data_plus_mac_plus_padding_size: the public length of the whole
779 + * record, including padding.
780 + * is_sslv3: non-zero if we are to use SSLv3. Otherwise, TLS.
781 + *
782 + * On entry: by virtue of having been through one of the remove_padding
783 + * functions, above, we know that data_plus_mac_size is large enough to contain
784 + * a padding byte and MAC. (If the padding was invalid, it might contain the
785 + * padding too. ) */
786 +void ssl3_cbc_digest_record(
787 + const EVP_MD *digest,
788 + unsigned char* md_out,
789 + size_t* md_out_size,
790 + const unsigned char header[13],
791 + const unsigned char *data,
792 + size_t data_plus_mac_size,
793 + size_t data_plus_mac_plus_padding_size,
794 + const unsigned char *mac_secret,
795 + unsigned mac_secret_length,
796 + char is_sslv3)
797 + {
798 + union { double align;
799 + unsigned char c[sizeof(LARGEST_DIGEST_CTX)]; } md_state;
800 + void (*md_final_raw)(void *ctx, unsigned char *md_out);
801 + void (*md_transform)(void *ctx, const unsigned char *block);
802 + unsigned md_size, md_block_size = 64;
803 + unsigned sslv3_pad_length = 40, header_length, variance_blocks,
804 + len, max_mac_bytes, num_blocks,
805 + num_starting_blocks, k, mac_end_offset, c, index_a, index_b;
806 + unsigned int bits; /* at most 18 bits */
807 + unsigned char length_bytes[MAX_HASH_BIT_COUNT_BYTES];
808 + /* hmac_pad is the masked HMAC key. */
809 + unsigned char hmac_pad[MAX_HASH_BLOCK_SIZE];
810 + unsigned char first_block[MAX_HASH_BLOCK_SIZE];
811 + unsigned char mac_out[EVP_MAX_MD_SIZE];
812 + unsigned i, j, md_out_size_u;
813 + EVP_MD_CTX md_ctx;
814 + /* mdLengthSize is the number of bytes in the length field that terminates
815 + * the hash. */
816 + unsigned md_length_size = 8;
817 + char length_is_big_endian = 1;
818 +
819 + /* This is a, hopefully redundant, check that allows us to forget about
820 + * many possible overflows later in this function. */
821 + OPENSSL_assert(data_plus_mac_plus_padding_size < 1024*1024);
822 +
823 + switch (EVP_MD_type(digest))
824 + {
825 + case NID_md5:
826 + MD5_Init((MD5_CTX*)md_state.c);
827 + md_final_raw = tls1_md5_final_raw;
828 + md_transform = (void(*)(void *ctx, const unsigned char *block)) MD5_Transform;
829 + md_size = 16;
830 + sslv3_pad_length = 48;
831 + length_is_big_endian = 0;
832 + break;
833 + case NID_sha1:
834 + SHA1_Init((SHA_CTX*)md_state.c);
835 + md_final_raw = tls1_sha1_final_raw;
836 + md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA1_Transform;
837 + md_size = 20;
838 + break;
839 +#ifndef OPENSSL_NO_SHA256
840 + case NID_sha224:
841 + SHA224_Init((SHA256_CTX*)md_state.c);
842 + md_final_raw = tls1_sha256_final_raw;
843 + md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA256_Transform;
844 + md_size = 224/8;
845 + break;
846 + case NID_sha256:
847 + SHA256_Init((SHA256_CTX*)md_state.c);
848 + md_final_raw = tls1_sha256_final_raw;
849 + md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA256_Transform;
850 + md_size = 32;
851 + break;
852 +#endif
853 +#ifndef OPENSSL_NO_SHA512
854 + case NID_sha384:
855 + SHA384_Init((SHA512_CTX*)md_state.c);
856 + md_final_raw = tls1_sha512_final_raw;
857 + md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA512_Transform;
858 + md_size = 384/8;
859 + md_block_size = 128;
860 + md_length_size = 16;
861 + break;
862 + case NID_sha512:
863 + SHA512_Init((SHA512_CTX*)md_state.c);
864 + md_final_raw = tls1_sha512_final_raw;
865 + md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA512_Transform;
866 + md_size = 64;
867 + md_block_size = 128;
868 + md_length_size = 16;
869 + break;
870 +#endif
871 + default:
872 + /* ssl3_cbc_record_digest_supported should have been
873 + * called first to check that the hash function is
874 + * supported. */
875 + OPENSSL_assert(0);
876 + if (md_out_size)
877 + *md_out_size = -1;
878 + return;
879 + }
880 +
881 + OPENSSL_assert(md_length_size <= MAX_HASH_BIT_COUNT_BYTES);
882 + OPENSSL_assert(md_block_size <= MAX_HASH_BLOCK_SIZE);
883 + OPENSSL_assert(md_size <= EVP_MAX_MD_SIZE);
884 +
885 + header_length = 13;
886 + if (is_sslv3)
887 + {
888 + header_length =
889 + mac_secret_length +
890 + sslv3_pad_length +
891 + 8 /* sequence number */ +
892 + 1 /* record type */ +
893 + 2 /* record length */;
894 + }
895 +
896 + /* variance_blocks is the number of blocks of the hash that we have to
897 + * calculate in constant time because they could be altered by the
898 + * padding value.
899 + *
900 + * In SSLv3, the padding must be minimal so the end of the plaintext
901 + * varies by, at most, 15+20 = 35 bytes. (We conservatively assume that
902 + * the MAC size varies from 0..20 bytes.) In case the 9 bytes of hash
903 + * termination (0x80 + 64-bit length) don't fit in the final block, we
904 + * say that the final two blocks can vary based on the padding.
905 + *
906 + * TLSv1 has MACs up to 48 bytes long (SHA-384) and the padding is not
907 + * required to be minimal. Therefore we say that the final six blocks
908 + * can vary based on the padding.
909 + *
910 + * Later in the function, if the message is short and there obviously
911 + * cannot be this many blocks then variance_blocks can be reduced. */
912 + variance_blocks = is_sslv3 ? 2 : 6;
913 + /* From now on we're dealing with the MAC, which conceptually has 13
914 + * bytes of `header' before the start of the data (TLS) or 71/75 bytes
915 + * (SSLv3) */
916 + len = data_plus_mac_plus_padding_size + header_length;
917 + /* max_mac_bytes contains the maximum bytes of bytes in the MAC, including
918 + * |header|, assuming that there's no padding. */
919 + max_mac_bytes = len - md_size - 1;
920 + /* num_blocks is the maximum number of hash blocks. */
921 + num_blocks = (max_mac_bytes + 1 + md_length_size + md_block_size - 1) / md_block_size;
922 + /* In order to calculate the MAC in constant time we have to handle
923 + * the final blocks specially because the padding value could cause the
924 + * end to appear somewhere in the final |variance_blocks| blocks and we
925 + * can't leak where. However, |num_starting_blocks| worth of data can
926 + * be hashed right away because no padding value can affect whether
927 + * they are plaintext. */
928 + num_starting_blocks = 0;
929 + /* k is the starting byte offset into the conceptual header||data where
930 + * we start processing. */
931 + k = 0;
932 + /* mac_end_offset is the index just past the end of the data to be
933 + * MACed. */
934 + mac_end_offset = data_plus_mac_size + header_length - md_size;
935 + /* c is the index of the 0x80 byte in the final hash block that
936 + * contains application data. */
937 + c = mac_end_offset % md_block_size;
938 + /* index_a is the hash block number that contains the 0x80 terminating
939 + * value. */
940 + index_a = mac_end_offset / md_block_size;
941 + /* index_b is the hash block number that contains the 64-bit hash
942 + * length, in bits. */
943 + index_b = (mac_end_offset + md_length_size) / md_block_size;
944 + /* bits is the hash-length in bits. It includes the additional hash
945 + * block for the masked HMAC key, or whole of |header| in the case of
946 + * SSLv3. */
947 +
948 + /* For SSLv3, if we're going to have any starting blocks then we need
949 + * at least two because the header is larger than a single block. */
950 + if (num_blocks > variance_blocks + (is_sslv3 ? 1 : 0))
951 + {
952 + num_starting_blocks = num_blocks - variance_blocks;
953 + k = md_block_size*num_starting_blocks;
954 + }
955 +
956 + bits = 8*mac_end_offset;
957 + if (!is_sslv3)
958 + {
959 + /* Compute the initial HMAC block. For SSLv3, the padding and
960 + * secret bytes are included in |header| because they take more
961 + * than a single block. */
962 + bits += 8*md_block_size;
963 + memset(hmac_pad, 0, md_block_size);
964 + OPENSSL_assert(mac_secret_length <= sizeof(hmac_pad));
965 + memcpy(hmac_pad, mac_secret, mac_secret_length);
966 + for (i = 0; i < md_block_size; i++)
967 + hmac_pad[i] ^= 0x36;
968 +
969 + md_transform(md_state.c, hmac_pad);
970 + }
971 +
972 + if (length_is_big_endian)
973 + {
974 + memset(length_bytes,0,md_length_size-4);
975 + length_bytes[md_length_size-4] = (unsigned char)(bits>>24);
976 + length_bytes[md_length_size-3] = (unsigned char)(bits>>16);
977 + length_bytes[md_length_size-2] = (unsigned char)(bits>>8);
978 + length_bytes[md_length_size-1] = (unsigned char)bits;
979 + }
980 + else
981 + {
982 + memset(length_bytes,0,md_length_size);
983 + length_bytes[md_length_size-5] = (unsigned char)(bits>>24);
984 + length_bytes[md_length_size-6] = (unsigned char)(bits>>16);
985 + length_bytes[md_length_size-7] = (unsigned char)(bits>>8);
986 + length_bytes[md_length_size-8] = (unsigned char)bits;
987 + }
988 +
989 + if (k > 0)
990 + {
991 + if (is_sslv3)
992 + {
993 + /* The SSLv3 header is larger than a single block.
994 + * overhang is the number of bytes beyond a single
995 + * block that the header consumes: either 7 bytes
996 + * (SHA1) or 11 bytes (MD5). */
997 + unsigned overhang = header_length-md_block_size;
998 + md_transform(md_state.c, header);
999 + memcpy(first_block, header + md_block_size, overhang);
1000 + memcpy(first_block + overhang, data, md_block_size-overhang);
1001 + md_transform(md_state.c, first_block);
1002 + for (i = 1; i < k/md_block_size - 1; i++)
1003 + md_transform(md_state.c, data + md_block_size*i - overhang);
1004 + }
1005 + else
1006 + {
1007 + /* k is a multiple of md_block_size. */
1008 + memcpy(first_block, header, 13);
1009 + memcpy(first_block+13, data, md_block_size-13);
1010 + md_transform(md_state.c, first_block);
1011 + for (i = 1; i < k/md_block_size; i++)
1012 + md_transform(md_state.c, data + md_block_size*i - 13);
1013 + }
1014 + }
1015 +
1016 + memset(mac_out, 0, sizeof(mac_out));
1017 +
1018 + /* We now process the final hash blocks. For each block, we construct
1019 + * it in constant time. If the |i==index_a| then we'll include the 0x80
1020 + * bytes and zero pad etc. For each block we selectively copy it, in
1021 + * constant time, to |mac_out|. */
1022 + for (i = num_starting_blocks; i <= num_starting_blocks+variance_blocks; i++)
1023 + {
1024 + unsigned char block[MAX_HASH_BLOCK_SIZE];
1025 + unsigned char is_block_a = constant_time_eq_8(i, index_a);
1026 + unsigned char is_block_b = constant_time_eq_8(i, index_b);
1027 + for (j = 0; j < md_block_size; j++)
1028 + {
1029 + unsigned char b = 0, is_past_c, is_past_cp1;
1030 + if (k < header_length)
1031 + b = header[k];
1032 + else if (k < data_plus_mac_plus_padding_size + header_length)
1033 + b = data[k-header_length];
1034 + k++;
1035 +
1036 + is_past_c = is_block_a & constant_time_ge(j, c);
1037 + is_past_cp1 = is_block_a & constant_time_ge(j, c+1);
1038 + /* If this is the block containing the end of the
1039 + * application data, and we are at the offset for the
1040 + * 0x80 value, then overwrite b with 0x80. */
1041 + b = (b&~is_past_c) | (0x80&is_past_c);
1042 + /* If this the the block containing the end of the
1043 + * application data and we're past the 0x80 value then
1044 + * just write zero. */
1045 + b = b&~is_past_cp1;
1046 + /* If this is index_b (the final block), but not
1047 + * index_a (the end of the data), then the 64-bit
1048 + * length didn't fit into index_a and we're having to
1049 + * add an extra block of zeros. */
1050 + b &= ~is_block_b | is_block_a;
1051 +
1052 + /* The final bytes of one of the blocks contains the
1053 + * length. */
1054 + if (j >= md_block_size - md_length_size)
1055 + {
1056 + /* If this is index_b, write a length byte. */
1057 + b = (b&~is_block_b) | (is_block_b&length_bytes[j-(md_block_size-md_length_size)]);
1058 + }
1059 + block[j] = b;
1060 + }
1061 +
1062 + md_transform(md_state.c, block);
1063 + md_final_raw(md_state.c, block);
1064 + /* If this is index_b, copy the hash value to |mac_out|. */
1065 + for (j = 0; j < md_size; j++)
1066 + mac_out[j] |= block[j]&is_block_b;
1067 + }
1068 +
1069 + EVP_MD_CTX_init(&md_ctx);
1070 + EVP_DigestInit_ex(&md_ctx, digest, NULL /* engine */);
1071 + if (is_sslv3)
1072 + {
1073 + /* We repurpose |hmac_pad| to contain the SSLv3 pad2 block. */
1074 + memset(hmac_pad, 0x5c, sslv3_pad_length);
1075 +
1076 + EVP_DigestUpdate(&md_ctx, mac_secret, mac_secret_length);
1077 + EVP_DigestUpdate(&md_ctx, hmac_pad, sslv3_pad_length);
1078 + EVP_DigestUpdate(&md_ctx, mac_out, md_size);
1079 + }
1080 + else
1081 + {
1082 + /* Complete the HMAC in the standard manner. */
1083 + for (i = 0; i < md_block_size; i++)
1084 + hmac_pad[i] ^= 0x6a;
1085 +
1086 + EVP_DigestUpdate(&md_ctx, hmac_pad, md_block_size);
1087 + EVP_DigestUpdate(&md_ctx, mac_out, md_size);
1088 + }
1089 + EVP_DigestFinal(&md_ctx, md_out, &md_out_size_u);
1090 + if (md_out_size)
1091 + *md_out_size = md_out_size_u;
1092 + EVP_MD_CTX_cleanup(&md_ctx);
1093 + }
1094 +
1095 +#ifdef OPENSSL_FIPS
1096 +
1097 +/* Due to the need to use EVP in FIPS mode we can't reimplement digests but
1098 + * we can ensure the number of blocks processed is equal for all cases
1099 + * by digesting additional data.
1100 + */
1101 +
1102 +void tls_fips_digest_extra(
1103 + const EVP_CIPHER_CTX *cipher_ctx, const EVP_MD *hash, HMAC_CTX *hctx,
1104 + const unsigned char *data, size_t data_len, size_t orig_len)
1105 + {
1106 + size_t block_size, digest_pad, blocks_data, blocks_orig;
1107 + if (EVP_CIPHER_CTX_mode(cipher_ctx) != EVP_CIPH_CBC_MODE)
1108 + return;
1109 + block_size = EVP_MD_block_size(hash);
1110 + /* We are in FIPS mode if we get this far so we know we have only SHA*
1111 + * digests and TLS to deal with.
1112 + * Minimum digest padding length is 17 for SHA384/SHA512 and 9
1113 + * otherwise.
1114 + * Additional header is 13 bytes. To get the number of digest blocks
1115 + * processed round up the amount of data plus padding to the nearest
1116 + * block length. Block length is 128 for SHA384/SHA512 and 64 otherwise.
1117 + * So we have:
1118 + * blocks = (payload_len + digest_pad + 13 + block_size - 1)/block_size
1119 + * equivalently:
1120 + * blocks = (payload_len + digest_pad + 12)/block_size + 1
1121 + * HMAC adds a constant overhead.
1122 + * We're ultimately only interested in differences so this becomes
1123 + * blocks = (payload_len + 29)/128
1124 + * for SHA384/SHA512 and
1125 + * blocks = (payload_len + 21)/64
1126 + * otherwise.
1127 + */
1128 + digest_pad = block_size == 64 ? 21 : 29;
1129 + blocks_orig = (orig_len + digest_pad)/block_size;
1130 + blocks_data = (data_len + digest_pad)/block_size;
1131 + /* MAC enough blocks to make up the difference between the original
1132 + * and actual lengths plus one extra block to ensure this is never a
1133 + * no op. The "data" pointer should always have enough space to
1134 + * perform this operation as it is large enough for a maximum
1135 + * length TLS buffer.
1136 + */
1137 + HMAC_Update(hctx, data,
1138 + (blocks_orig - blocks_data + 1) * block_size);
1139 + }
1140 +#endif
1141 diff -up openssl-fips-0.9.8e/ssl/s3_enc.c.lucky13 openssl-fips-0.9.8e/ssl/s3_enc.c
1142 --- openssl-fips-0.9.8e/ssl/s3_enc.c.lucky13 2013-02-25 14:56:11.285381591 +0100
1143 +++ openssl-fips-0.9.8e/ssl/s3_enc.c 2013-02-25 14:56:11.407381902 +0100
1144 @@ -434,12 +434,21 @@ void ssl3_cleanup_key_block(SSL *s)
1145 s->s3->tmp.key_block_length=0;
1146 }
1147
1148 +/* ssl3_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively.
1149 + *
1150 + * Returns:
1151 + * 0: (in non-constant time) if the record is publically invalid (i.e. too
1152 + * short etc).
1153 + * 1: if the record's padding is valid / the encryption was successful.
1154 + * -1: if the record's padding is invalid or, if sending, an internal error
1155 + * occured.
1156 + */
1157 int ssl3_enc(SSL *s, int send)
1158 {
1159 SSL3_RECORD *rec;
1160 EVP_CIPHER_CTX *ds;
1161 unsigned long l;
1162 - int bs,i;
1163 + int bs,i,mac_size=0;
1164 const EVP_CIPHER *enc;
1165
1166 if (send)
1167 @@ -490,32 +499,17 @@ int ssl3_enc(SSL *s, int send)
1168 if (!send)
1169 {
1170 if (l == 0 || l%bs != 0)
1171 - {
1172 - SSLerr(SSL_F_SSL3_ENC,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
1173 - ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPTION_FAILED);
1174 return 0;
1175 - }
1176 /* otherwise, rec->length >= bs */
1177 }
1178
1179 EVP_Cipher(ds,rec->data,rec->input,l);
1180
1181 + if (s->read_hash != NULL)
1182 + mac_size = EVP_MD_size(s->read_hash);
1183 +
1184 if ((bs != 1) && !send)
1185 - {
1186 - i=rec->data[l-1]+1;
1187 - /* SSL 3.0 bounds the number of padding bytes by the block size;
1188 - * padding bytes (except the last one) are arbitrary */
1189 - if (i > bs)
1190 - {
1191 - /* Incorrect padding. SSLerr() and ssl3_alert are done
1192 - * by caller: we don't want to reveal whether this is
1193 - * a decryption error or a MAC verification failure
1194 - * (see http://www.openssl.org/~bodo/tls-cbc.txt) */
1195 - return -1;
1196 - }
1197 - /* now i <= bs <= rec->length */
1198 - rec->length-=i;
1199 - }
1200 + return ssl3_cbc_remove_padding(s, rec, bs, mac_size);
1201 }
1202 return(1);
1203 }
1204 @@ -592,7 +586,7 @@ int ssl3_mac(SSL *ssl, unsigned char *md
1205 EVP_MD_CTX md_ctx;
1206 const EVP_MD *hash;
1207 unsigned char *p,rec_char;
1208 - unsigned int md_size;
1209 + size_t md_size, orig_len;
1210 int npad;
1211
1212 if (send)
1213 @@ -613,28 +607,72 @@ int ssl3_mac(SSL *ssl, unsigned char *md
1214 md_size=EVP_MD_size(hash);
1215 npad=(48/md_size)*md_size;
1216
1217 - /* Chop the digest off the end :-) */
1218 - EVP_MD_CTX_init(&md_ctx);
1219 -
1220 - EVP_DigestInit_ex( &md_ctx,hash, NULL);
1221 - EVP_DigestUpdate(&md_ctx,mac_sec,md_size);
1222 - EVP_DigestUpdate(&md_ctx,ssl3_pad_1,npad);
1223 - EVP_DigestUpdate(&md_ctx,seq,8);
1224 - rec_char=rec->type;
1225 - EVP_DigestUpdate(&md_ctx,&rec_char,1);
1226 - p=md;
1227 - s2n(rec->length,p);
1228 - EVP_DigestUpdate(&md_ctx,md,2);
1229 - EVP_DigestUpdate(&md_ctx,rec->input,rec->length);
1230 - EVP_DigestFinal_ex( &md_ctx,md,NULL);
1231 -
1232 - EVP_DigestInit_ex( &md_ctx,hash, NULL);
1233 - EVP_DigestUpdate(&md_ctx,mac_sec,md_size);
1234 - EVP_DigestUpdate(&md_ctx,ssl3_pad_2,npad);
1235 - EVP_DigestUpdate(&md_ctx,md,md_size);
1236 - EVP_DigestFinal_ex( &md_ctx,md,&md_size);
1237 + /* kludge: ssl3_cbc_remove_padding passes padding length in rec->type */
1238 + orig_len = rec->length+md_size+((unsigned int)rec->type>>8);
1239 + rec->type &= 0xff;
1240 +
1241 + if (!send &&
1242 + EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
1243 + ssl3_cbc_record_digest_supported(hash))
1244 + {
1245 + /* This is a CBC-encrypted record. We must avoid leaking any
1246 + * timing-side channel information about how many blocks of
1247 + * data we are hashing because that gives an attacker a
1248 + * timing-oracle. */
1249 +
1250 + /* npad is, at most, 48 bytes and that's with MD5:
1251 + * 16 + 48 + 8 (sequence bytes) + 1 + 2 = 75.
1252 + *
1253 + * With SHA-1 (the largest hash speced for SSLv3) the hash size
1254 + * goes up 4, but npad goes down by 8, resulting in a smaller
1255 + * total size. */
1256 + unsigned char header[75];
1257 + unsigned j = 0;
1258 + memcpy(header+j, mac_sec, md_size);
1259 + j += md_size;
1260 + memcpy(header+j, ssl3_pad_1, npad);
1261 + j += npad;
1262 + memcpy(header+j, seq, 8);
1263 + j += 8;
1264 + header[j++] = rec->type;
1265 + header[j++] = rec->length >> 8;
1266 + header[j++] = rec->length & 0xff;
1267 +
1268 + ssl3_cbc_digest_record(
1269 + hash,
1270 + md, &md_size,
1271 + header, rec->input,
1272 + rec->length + md_size, orig_len,
1273 + mac_sec, md_size,
1274 + 1 /* is SSLv3 */);
1275 + }
1276 + else
1277 + {
1278 + unsigned int md_size_u;
1279 + /* Chop the digest off the end :-) */
1280 + EVP_MD_CTX_init(&md_ctx);
1281 +
1282 + EVP_DigestInit_ex( &md_ctx,hash, NULL);
1283 + EVP_DigestUpdate(&md_ctx,mac_sec,md_size);
1284 + EVP_DigestUpdate(&md_ctx,ssl3_pad_1,npad);
1285 + EVP_DigestUpdate(&md_ctx,seq,8);
1286 + rec_char=rec->type;
1287 + EVP_DigestUpdate(&md_ctx,&rec_char,1);
1288 + p=md;
1289 + s2n(rec->length,p);
1290 + EVP_DigestUpdate(&md_ctx,md,2);
1291 + EVP_DigestUpdate(&md_ctx,rec->input,rec->length);
1292 + EVP_DigestFinal_ex( &md_ctx,md,NULL);
1293 +
1294 + EVP_DigestInit_ex( &md_ctx,hash, NULL);
1295 + EVP_DigestUpdate(&md_ctx,mac_sec,md_size);
1296 + EVP_DigestUpdate(&md_ctx,ssl3_pad_2,npad);
1297 + EVP_DigestUpdate(&md_ctx,md,md_size);
1298 + EVP_DigestFinal_ex( &md_ctx,md,&md_size_u);
1299 + md_size = md_size_u;
1300
1301 - EVP_MD_CTX_cleanup(&md_ctx);
1302 + EVP_MD_CTX_cleanup(&md_ctx);
1303 + }
1304
1305 ssl3_record_sequence_update(seq);
1306 return(md_size);
1307 diff -up openssl-fips-0.9.8e/ssl/s3_pkt.c.lucky13 openssl-fips-0.9.8e/ssl/s3_pkt.c
1308 --- openssl-fips-0.9.8e/ssl/s3_pkt.c.lucky13 2013-02-25 14:56:11.225381423 +0100
1309 +++ openssl-fips-0.9.8e/ssl/s3_pkt.c 2013-02-25 14:56:11.408381905 +0100
1310 @@ -237,11 +237,8 @@ static int ssl3_get_record(SSL *s)
1311 unsigned char *p;
1312 unsigned char md[EVP_MAX_MD_SIZE];
1313 short version;
1314 - unsigned int mac_size;
1315 - int clear=0;
1316 + unsigned mac_size, orig_len;
1317 size_t extra;
1318 - int decryption_failed_or_bad_record_mac = 0;
1319 - unsigned char *mac = NULL;
1320
1321 rr= &(s->s3->rrec);
1322 sess=s->session;
1323 @@ -347,17 +344,15 @@ again:
1324 rr->data=rr->input;
1325
1326 enc_err = s->method->ssl3_enc->enc(s,0);
1327 - if (enc_err <= 0)
1328 + /* enc_err is:
1329 + * 0: (in non-constant time) if the record is publically invalid.
1330 + * 1: if the padding is valid
1331 + * -1: if the padding is invalid */
1332 + if (enc_err == 0)
1333 {
1334 - if (enc_err == 0)
1335 - /* SSLerr() and ssl3_send_alert() have been called */
1336 - goto err;
1337 -
1338 - /* Otherwise enc_err == -1, which indicates bad padding
1339 - * (rec->length has not been changed in this case).
1340 - * To minimize information leaked via timing, we will perform
1341 - * the MAC computation anyway. */
1342 - decryption_failed_or_bad_record_mac = 1;
1343 + al=SSL_AD_DECRYPTION_FAILED;
1344 + SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
1345 + goto f_err;
1346 }
1347
1348 #ifdef TLS_DEBUG
1349 @@ -367,51 +362,62 @@ printf("\n");
1350 #endif
1351
1352 /* r->length is now the compressed data plus mac */
1353 - if ( (sess == NULL) ||
1354 - (s->enc_read_ctx == NULL) ||
1355 - (s->read_hash == NULL))
1356 - clear=1;
1357 -
1358 - if (!clear)
1359 - {
1360 + if ((sess != NULL) &&
1361 + (s->enc_read_ctx != NULL) &&
1362 + (s->read_hash != NULL))
1363 + {
1364 + /* s->read_hash != NULL => mac_size != -1 */
1365 + unsigned char *mac = NULL;
1366 + unsigned char mac_tmp[EVP_MAX_MD_SIZE];
1367 mac_size=EVP_MD_size(s->read_hash);
1368 + OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE);
1369
1370 - if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+extra+mac_size)
1371 + /* kludge: *_cbc_remove_padding passes padding length in rr->type */
1372 + orig_len = rr->length+((unsigned int)rr->type>>8);
1373 +
1374 + /* orig_len is the length of the record before any padding was
1375 + * removed. This is public information, as is the MAC in use,
1376 + * therefore we can safely process the record in a different
1377 + * amount of time if it's too short to possibly contain a MAC.
1378 + */
1379 + if (orig_len < mac_size ||
1380 + /* CBC records must have a padding length byte too. */
1381 + (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
1382 + orig_len < mac_size+1))
1383 {
1384 -#if 0 /* OK only for stream ciphers (then rr->length is visible from ciphertext anyway) */
1385 - al=SSL_AD_RECORD_OVERFLOW;
1386 - SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG);
1387 + al=SSL_AD_DECODE_ERROR;
1388 + SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_LENGTH_TOO_SHORT);
1389 goto f_err;
1390 -#else
1391 - decryption_failed_or_bad_record_mac = 1;
1392 -#endif
1393 }
1394 - /* check the MAC for rr->input (it's in mac_size bytes at the tail) */
1395 - if (rr->length >= mac_size)
1396 +
1397 + if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE)
1398 {
1399 + /* We update the length so that the TLS header bytes
1400 + * can be constructed correctly but we need to extract
1401 + * the MAC in constant time from within the record,
1402 + * without leaking the contents of the padding bytes.
1403 + * */
1404 + mac = mac_tmp;
1405 + ssl3_cbc_copy_mac(mac_tmp, rr, mac_size, orig_len);
1406 rr->length -= mac_size;
1407 - mac = &rr->data[rr->length];
1408 }
1409 else
1410 {
1411 - /* record (minus padding) is too short to contain a MAC */
1412 -#if 0 /* OK only for stream ciphers */
1413 - al=SSL_AD_DECODE_ERROR;
1414 - SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_LENGTH_TOO_SHORT);
1415 - goto f_err;
1416 -#else
1417 - decryption_failed_or_bad_record_mac = 1;
1418 - rr->length = 0;
1419 -#endif
1420 - }
1421 - i=s->method->ssl3_enc->mac(s,md,0);
1422 - if (mac == NULL || memcmp(md, mac, mac_size) != 0)
1423 - {
1424 - decryption_failed_or_bad_record_mac = 1;
1425 + /* In this case there's no padding, so |orig_len|
1426 + * equals |rec->length| and we checked that there's
1427 + * enough bytes for |mac_size| above. */
1428 + rr->length -= mac_size;
1429 + mac = &rr->data[rr->length];
1430 }
1431 +
1432 + i=s->method->ssl3_enc->mac(s,md,0 /* not send */);
1433 + if (i < 0 || mac == NULL || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0)
1434 + enc_err = -1;
1435 + if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+extra+mac_size)
1436 + enc_err = -1;
1437 }
1438
1439 - if (decryption_failed_or_bad_record_mac)
1440 + if (enc_err < 0)
1441 {
1442 /* A separate 'decryption_failed' alert was introduced with TLS 1.0,
1443 * SSL 3.0 only has 'bad_record_mac'. But unless a decryption
1444 diff -up openssl-fips-0.9.8e/ssl/ssl_locl.h.lucky13 openssl-fips-0.9.8e/ssl/ssl_locl.h
1445 --- openssl-fips-0.9.8e/ssl/ssl_locl.h.lucky13 2013-02-25 14:56:11.219381406 +0100
1446 +++ openssl-fips-0.9.8e/ssl/ssl_locl.h 2013-02-25 14:57:27.348538698 +0100
1447 @@ -133,6 +133,7 @@
1448 #ifndef OPENSSL_NO_DSA
1449 #include <openssl/dsa.h>
1450 #endif
1451 +#include <openssl/hmac.h>
1452 #include <openssl/err.h>
1453 #include <openssl/ssl.h>
1454 #include <openssl/symhacks.h>
1455 @@ -187,6 +188,15 @@
1456 *((c)++)=(unsigned char)(((l)>> 8)&0xff), \
1457 *((c)++)=(unsigned char)(((l) )&0xff))
1458
1459 +#define l2n8(l,c) (*((c)++)=(unsigned char)(((l)>>56)&0xff), \
1460 + *((c)++)=(unsigned char)(((l)>>48)&0xff), \
1461 + *((c)++)=(unsigned char)(((l)>>40)&0xff), \
1462 + *((c)++)=(unsigned char)(((l)>>32)&0xff), \
1463 + *((c)++)=(unsigned char)(((l)>>24)&0xff), \
1464 + *((c)++)=(unsigned char)(((l)>>16)&0xff), \
1465 + *((c)++)=(unsigned char)(((l)>> 8)&0xff), \
1466 + *((c)++)=(unsigned char)(((l) )&0xff))
1467 +
1468 #define n2l6(c,l) (l =((BN_ULLONG)(*((c)++)))<<40, \
1469 l|=((BN_ULLONG)(*((c)++)))<<32, \
1470 l|=((BN_ULLONG)(*((c)++)))<<24, \
1471 @@ -946,5 +956,33 @@ int ssl_add_clienthello_renegotiate_ext(
1472 int maxlen);
1473 int ssl_parse_clienthello_renegotiate_ext(SSL *s, unsigned char *d, int len,
1474 int *al);
1475 +/* s3_cbc.c */
1476 +void ssl3_cbc_copy_mac(unsigned char* out,
1477 + const SSL3_RECORD *rec,
1478 + unsigned md_size,unsigned orig_len);
1479 +int ssl3_cbc_remove_padding(const SSL* s,
1480 + SSL3_RECORD *rec,
1481 + unsigned block_size,
1482 + unsigned mac_size);
1483 +int tls1_cbc_remove_padding(const SSL* s,
1484 + SSL3_RECORD *rec,
1485 + unsigned block_size,
1486 + unsigned mac_size);
1487 +char ssl3_cbc_record_digest_supported(const EVP_MD *hash);
1488 +void ssl3_cbc_digest_record(
1489 + const EVP_MD *hash,
1490 + unsigned char* md_out,
1491 + size_t* md_out_size,
1492 + const unsigned char header[13],
1493 + const unsigned char *data,
1494 + size_t data_plus_mac_size,
1495 + size_t data_plus_mac_plus_padding_size,
1496 + const unsigned char *mac_secret,
1497 + unsigned mac_secret_length,
1498 + char is_sslv3);
1499 +
1500 +void tls_fips_digest_extra(
1501 + const EVP_CIPHER_CTX *cipher_ctx, const EVP_MD *hash, HMAC_CTX *hctx,
1502 + const unsigned char *data, size_t data_len, size_t orig_len);
1503
1504 #endif
1505 diff -up openssl-fips-0.9.8e/ssl/t1_enc.c.lucky13 openssl-fips-0.9.8e/ssl/t1_enc.c
1506 --- openssl-fips-0.9.8e/ssl/t1_enc.c.lucky13 2013-02-25 14:56:11.027380889 +0100
1507 +++ openssl-fips-0.9.8e/ssl/t1_enc.c 2013-02-25 15:30:15.511540650 +0100
1508 @@ -523,18 +523,25 @@ err:
1509 return(0);
1510 }
1511
1512 +/* tls1_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively.
1513 + *
1514 + * Returns:
1515 + * 0: (in non-constant time) if the record is publically invalid (i.e. too
1516 + * short etc).
1517 + * 1: if the record's padding is valid / the encryption was successful.
1518 + * -1: if the record's padding/AEAD-authenticator is invalid or, if sending,
1519 + * an internal error occured.
1520 + */
1521 int tls1_enc(SSL *s, int send)
1522 {
1523 SSL3_RECORD *rec;
1524 EVP_CIPHER_CTX *ds;
1525 unsigned long l;
1526 - int bs,i,ii,j,k,n=0;
1527 + int bs,i,j,k,pad=0,ret,mac_size=0;
1528 const EVP_CIPHER *enc;
1529
1530 if (send)
1531 {
1532 - if (s->write_hash != NULL)
1533 - n=EVP_MD_size(s->write_hash);
1534 ds=s->enc_write_ctx;
1535 rec= &(s->s3->wrec);
1536 if (s->enc_write_ctx == NULL)
1537 @@ -544,8 +551,6 @@ int tls1_enc(SSL *s, int send)
1538 }
1539 else
1540 {
1541 - if (s->read_hash != NULL)
1542 - n=EVP_MD_size(s->read_hash);
1543 ds=s->enc_read_ctx;
1544 rec= &(s->s3->rrec);
1545 if (s->enc_read_ctx == NULL)
1546 @@ -558,11 +563,11 @@ int tls1_enc(SSL *s, int send)
1547 printf("tls1_enc(%d)\n", send);
1548 #endif /* KSSL_DEBUG */
1549
1550 - if ((s->session == NULL) || (ds == NULL) ||
1551 - (enc == NULL))
1552 + if ((s->session == NULL) || (ds == NULL) || (enc == NULL))
1553 {
1554 memmove(rec->data,rec->input,rec->length);
1555 rec->input=rec->data;
1556 + ret = 1;
1557 }
1558 else
1559 {
1560 @@ -609,11 +614,7 @@ int tls1_enc(SSL *s, int send)
1561 if (!send)
1562 {
1563 if (l == 0 || l%bs != 0)
1564 - {
1565 - SSLerr(SSL_F_TLS1_ENC,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
1566 - ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPTION_FAILED);
1567 return 0;
1568 - }
1569 }
1570
1571 EVP_Cipher(ds,rec->data,rec->input,l);
1572 @@ -627,49 +628,15 @@ int tls1_enc(SSL *s, int send)
1573 }
1574 #endif /* KSSL_DEBUG */
1575
1576 + ret = 1;
1577 + if (s->read_hash != NULL)
1578 + mac_size = EVP_MD_size(s->read_hash);
1579 if ((bs != 1) && !send)
1580 - {
1581 - ii=i=rec->data[l-1]; /* padding_length */
1582 - i++;
1583 - /* NB: if compression is in operation the first packet
1584 - * may not be of even length so the padding bug check
1585 - * cannot be performed. This bug workaround has been
1586 - * around since SSLeay so hopefully it is either fixed
1587 - * now or no buggy implementation supports compression
1588 - * [steve]
1589 - */
1590 - if ( (s->options&SSL_OP_TLS_BLOCK_PADDING_BUG)
1591 - && !s->expand)
1592 - {
1593 - /* First packet is even in size, so check */
1594 - if ((memcmp(s->s3->read_sequence,
1595 - "\0\0\0\0\0\0\0\0",8) == 0) && !(ii & 1))
1596 - s->s3->flags|=TLS1_FLAGS_TLS_PADDING_BUG;
1597 - if (s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG)
1598 - i--;
1599 - }
1600 - /* TLS 1.0 does not bound the number of padding bytes by the block size.
1601 - * All of them must have value 'padding_length'. */
1602 - if (i > (int)rec->length)
1603 - {
1604 - /* Incorrect padding. SSLerr() and ssl3_alert are done
1605 - * by caller: we don't want to reveal whether this is
1606 - * a decryption error or a MAC verification failure
1607 - * (see http://www.openssl.org/~bodo/tls-cbc.txt) */
1608 - return -1;
1609 - }
1610 - for (j=(int)(l-i); j<(int)l; j++)
1611 - {
1612 - if (rec->data[j] != ii)
1613 - {
1614 - /* Incorrect padding */
1615 - return -1;
1616 - }
1617 - }
1618 - rec->length-=i;
1619 - }
1620 + ret = tls1_cbc_remove_padding(s, rec, bs, mac_size);
1621 + if (pad && !send)
1622 + rec->length -= pad;
1623 }
1624 - return(1);
1625 + return ret;
1626 }
1627
1628 int tls1_cert_verify_mac(SSL *s, EVP_MD_CTX *in_ctx, unsigned char *out)
1629 @@ -717,10 +684,10 @@ int tls1_mac(SSL *ssl, unsigned char *md
1630 SSL3_RECORD *rec;
1631 unsigned char *mac_sec,*seq;
1632 const EVP_MD *hash;
1633 - unsigned int md_size;
1634 + size_t md_size, orig_len;
1635 int i;
1636 HMAC_CTX hmac;
1637 - unsigned char buf[5];
1638 + unsigned char header[13];
1639
1640 if (send)
1641 {
1642 @@ -739,20 +706,6 @@ int tls1_mac(SSL *ssl, unsigned char *md
1643
1644 md_size=EVP_MD_size(hash);
1645
1646 - buf[0]=rec->type;
1647 - if (ssl->version == DTLS1_VERSION && ssl->client_version == DTLS1_BAD_VER)
1648 - {
1649 - buf[1]=TLS1_VERSION_MAJOR;
1650 - buf[2]=TLS1_VERSION_MINOR;
1651 - }
1652 - else {
1653 - buf[1]=(unsigned char)(ssl->version>>8);
1654 - buf[2]=(unsigned char)(ssl->version);
1655 - }
1656 -
1657 - buf[3]=rec->length>>8;
1658 - buf[4]=rec->length&0xff;
1659 -
1660 /* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */
1661 HMAC_CTX_init(&hmac);
1662 HMAC_Init_ex(&hmac,mac_sec,EVP_MD_size(hash),hash,NULL);
1663 @@ -764,16 +717,57 @@ int tls1_mac(SSL *ssl, unsigned char *md
1664 s2n(send?ssl->d1->w_epoch:ssl->d1->r_epoch, p);
1665 memcpy (p,&seq[2],6);
1666
1667 - HMAC_Update(&hmac,dtlsseq,8);
1668 + memcpy(header, dtlsseq, 8);
1669 }
1670 else
1671 - HMAC_Update(&hmac,seq,8);
1672 + memcpy(header, seq, 8);
1673
1674 - HMAC_Update(&hmac,buf,5);
1675 - HMAC_Update(&hmac,rec->input,rec->length);
1676 - HMAC_Final(&hmac,md,&md_size);
1677 - HMAC_CTX_cleanup(&hmac);
1678 + /* kludge: tls1_cbc_remove_padding passes padding length in rec->type */
1679 + orig_len = rec->length+md_size+((unsigned int)rec->type>>8);
1680 + rec->type &= 0xff;
1681 +
1682 + header[8]=rec->type;
1683 + header[9]=(unsigned char)(ssl->version>>8);
1684 + header[10]=(unsigned char)(ssl->version);
1685 + header[11]=(rec->length)>>8;
1686 + header[12]=(rec->length)&0xff;
1687 +
1688 + if (!send &&
1689 + EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
1690 + ssl3_cbc_record_digest_supported(hash))
1691 + {
1692 + /* This is a CBC-encrypted record. We must avoid leaking any
1693 + * timing-side channel information about how many blocks of
1694 + * data we are hashing because that gives an attacker a
1695 + * timing-oracle. */
1696 + ssl3_cbc_digest_record(
1697 + hash,
1698 + md, &md_size,
1699 + header, rec->input,
1700 + rec->length + md_size, orig_len,
1701 + ssl->s3->read_mac_secret,
1702 + EVP_MD_size(ssl->read_hash),
1703 + 0 /* not SSLv3 */);
1704 + }
1705 + else
1706 + {
1707 + unsigned mds;
1708
1709 + HMAC_Update(&hmac,header,sizeof(header));
1710 + HMAC_Update(&hmac,rec->input,rec->length);
1711 + HMAC_Final(&hmac,md,&mds);
1712 + md_size = mds;
1713 +#ifdef OPENSSL_FIPS
1714 + if (!send && FIPS_mode())
1715 + tls_fips_digest_extra(
1716 + ssl->enc_read_ctx,
1717 + hash,
1718 + &hmac, rec->input,
1719 + rec->length, orig_len);
1720 +#endif
1721 + }
1722 +
1723 + HMAC_CTX_cleanup(&hmac);
1724 #ifdef TLS_DEBUG
1725 printf("sec=");
1726 {unsigned int z; for (z=0; z<md_size; z++) printf("%02X ",mac_sec[z]); printf("\n"); }
1727 diff -up openssl-fips-0.9.8e/test/testssl.lucky13 openssl-fips-0.9.8e/test/testssl
1728 --- openssl-fips-0.9.8e/test/testssl.lucky13 2005-02-02 00:48:36.000000000 +0100
1729 +++ openssl-fips-0.9.8e/test/testssl 2013-02-25 14:56:11.422381943 +0100
1730 @@ -119,6 +119,23 @@ $ssltest -bio_pair -server_auth -client_
1731 echo test sslv2/sslv3 with both client and server authentication via BIO pair and app verify
1732 $ssltest -bio_pair -server_auth -client_auth -app_verify $CA $extra || exit 1
1733
1734 +echo "Testing ciphersuites"
1735 +for protocol in SSLv3; do
1736 + echo "Testing ciphersuites for $protocol"
1737 + for cipher in `../util/shlib_wrap.sh ../apps/openssl ciphers "RSA+$protocol" | tr ':' ' '`; do
1738 + echo "Testing $cipher"
1739 + prot=""
1740 + if [ $protocol == "SSLv3" ] ; then
1741 + prot="-ssl3"
1742 + fi
1743 + $ssltest -cipher $cipher $prot
1744 + if [ $? -ne 0 ] ; then
1745 + echo "Failed $cipher"
1746 + exit 1
1747 + fi
1748 + done
1749 +done
1750 +
1751 #############################################################################
1752
1753 if ../util/shlib_wrap.sh ../apps/openssl no-dh; then
admin@koozali.org
 ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed