openssl/sme8/openssl-fips-0.9.8e-dtls-fixes2.patch

diff -up openssl-fips-0.9.8e/ssl/d1_pkt.c.dtls-fixes2 openssl-fips-0.9.8e/ssl/d1_pkt.c
--- openssl-fips-0.9.8e/ssl/d1_pkt.c.dtls-fixes2        2012-01-16 11:00:34.242797904 +0100
+++ openssl-fips-0.9.8e/ssl/d1_pkt.c    2012-01-18 15:45:25.144865068 +0100
@@ -134,7 +134,7 @@ static int dtls1_record_needs_buffering(
        unsigned short *priority, unsigned long *offset);
 #endif
 static int dtls1_buffer_record(SSL *s, record_pqueue *q,
-       PQ_64BIT priority);
+       PQ_64BIT *priority);
 static int dtls1_process_record(SSL *s);
 #if PQ_64BIT_IS_INTEGER
 static PQ_64BIT bytes_to_long_long(unsigned char *bytes, PQ_64BIT *num);
@@ -156,13 +156,16 @@ dtls1_copy_record(SSL *s, pitem *item)
     s->packet_length = rdata->packet_length;
     memcpy(&(s->s3->rbuf), &(rdata->rbuf), sizeof(SSL3_BUFFER));
     memcpy(&(s->s3->rrec), &(rdata->rrec), sizeof(SSL3_RECORD));
+       
+       /* Set proper sequence number for mac calculation */
+       memcpy(&(s->s3->read_sequence[2]), &(rdata->packet[5]), 6);
     
     return(1);
     }
 
 
 static int
-dtls1_buffer_record(SSL *s, record_pqueue *queue, PQ_64BIT priority)
+dtls1_buffer_record(SSL *s, record_pqueue *queue, PQ_64BIT *priority)
 {
     DTLS1_RECORD_DATA *rdata;
        pitem *item;
@@ -172,7 +175,7 @@ dtls1_buffer_record(SSL *s, record_pqueu
                return 0;
                
        rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA));
-       item = pitem_new(priority, rdata);
+       item = pitem_new(*priority, rdata);
        if (rdata == NULL || item == NULL)
                {
                if (rdata != NULL) OPENSSL_free(rdata);
@@ -253,9 +256,6 @@ dtls1_process_buffered_records(SSL *s)
     item = pqueue_peek(s->d1->unprocessed_rcds.q);
     if (item)
         {
-        DTLS1_RECORD_DATA *rdata;
-        rdata = (DTLS1_RECORD_DATA *)item->data;
-        
         /* Check if epoch is current. */
         if (s->d1->unprocessed_rcds.epoch != s->d1->r_epoch)
             return(1);  /* Nothing to do. */
@@ -267,7 +267,7 @@ dtls1_process_buffered_records(SSL *s)
             if ( ! dtls1_process_record(s))
                 return(0);
             dtls1_buffer_record(s, &(s->d1->processed_rcds), 
-                s->s3->rrec.seq_num);
+                &s->s3->rrec.seq_num);
             }
         }
 
@@ -328,13 +328,15 @@ dtls1_get_buffered_record(SSL *s)
 static int
 dtls1_process_record(SSL *s)
 {
-    int i,al;
+    int al;
        int clear=0;
     int enc_err;
        SSL_SESSION *sess;
     SSL3_RECORD *rr;
        unsigned int mac_size;
        unsigned char md[EVP_MAX_MD_SIZE];
+       int decryption_failed_or_bad_record_mac = 0;
+       unsigned char *mac = NULL;
 
 
        rr= &(s->s3->rrec);
@@ -369,12 +371,10 @@ dtls1_process_record(SSL *s)
        enc_err = s->method->ssl3_enc->enc(s,0);
        if (enc_err <= 0)
                {
-               if (enc_err == 0)
-                       /* SSLerr() and ssl3_send_alert() have been called */
-                       goto err;
-
-               /* otherwise enc_err == -1 */
-               goto decryption_failed_or_bad_record_mac;
+               /* To minimize information leaked via timing, we will always
+                * perform all computations before discarding the message.
+                */
+               decryption_failed_or_bad_record_mac = 1;
                }
 
 #ifdef TLS_DEBUG
@@ -400,28 +400,32 @@ if (      (sess == NULL) ||
                        SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG);
                        goto f_err;
 #else
-                       goto decryption_failed_or_bad_record_mac;
+                       decryption_failed_or_bad_record_mac = 1;
 #endif                 
                        }
                /* check the MAC for rr->input (it's in mac_size bytes at the tail) */
-               if (rr->length < mac_size)
+               if (rr->length >= mac_size)
                        {
-#if 0 /* OK only for stream ciphers */
-                       al=SSL_AD_DECODE_ERROR;
-                       SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_LENGTH_TOO_SHORT);
-                       goto f_err;
-#else
-                       goto decryption_failed_or_bad_record_mac;
-#endif
+                       rr->length -= mac_size;
+                       mac = &rr->data[rr->length];
                        }
-               rr->length-=mac_size;
-               i=s->method->ssl3_enc->mac(s,md,0);
-               if (memcmp(md,&(rr->data[rr->length]),mac_size) != 0)
+               else
+                       rr->length = 0;
+               s->method->ssl3_enc->mac(s,md,0);
+               if (mac == NULL || memcmp(md, mac, mac_size) != 0)
                        {
-                       goto decryption_failed_or_bad_record_mac;
+                       decryption_failed_or_bad_record_mac = 1;
                        }
                }
 
+       if (decryption_failed_or_bad_record_mac)
+               {
+               /* decryption failed, silently discard message */
+               rr->length = 0;
+               s->packet_length = 0;
+               goto err;
+               }
+
        /* r->length is now just compressed */
        if (s->expand != NULL)
                {
@@ -460,14 +464,6 @@ if (       (sess == NULL) ||
     dtls1_record_bitmap_update(s, &(s->d1->bitmap));/* Mark receipt of record. */
     return(1);
 
-decryption_failed_or_bad_record_mac:
-       /* Separate 'decryption_failed' alert was introduced with TLS 1.0,
-        * SSL 3.0 only has 'bad_record_mac'.  But unless a decryption
-        * failure is directly visible from the ciphertext anyway,
-        * we should not reveal which kind of error occured -- this
-        * might become visible to an attacker (e.g. via logfile) */
-       al=SSL_AD_BAD_RECORD_MAC;
-       SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
 f_err:
        ssl3_send_alert(s,SSL3_AL_FATAL,al);
 err:
@@ -486,22 +482,19 @@ err:
 /* used only by dtls1_read_bytes */
 int dtls1_get_record(SSL *s)
        {
-       int ssl_major,ssl_minor,al;
+       int ssl_major,ssl_minor;
        int i,n;
        SSL3_RECORD *rr;
-       SSL_SESSION *sess;
-       unsigned char *p;
+       unsigned char *p = NULL;
        unsigned short version;
        DTLS1_BITMAP *bitmap;
        unsigned int is_next_epoch;
 
        rr= &(s->s3->rrec);
-       sess=s->session;
 
     /* The epoch may have changed.  If so, process all the
      * pending records.  This is a non-blocking operation. */
-    if ( ! dtls1_process_buffered_records(s))
-        return 0;
+    dtls1_process_buffered_records(s);
 
        /* if we're renegotiating, then there may be buffered records */
        if (dtls1_get_processed_record(s))
@@ -517,7 +510,12 @@ again:
                /* read timeout is handled by dtls1_read_bytes */
                if (n <= 0) return(n); /* error or non-blocking */
 
-               OPENSSL_assert(s->packet_length == DTLS1_RT_HEADER_LENGTH);
+               /* this packet contained a partial record, dump it */
+               if (s->packet_length != DTLS1_RT_HEADER_LENGTH)
+                       {
+                       s->packet_length = 0;
+                       goto again;
+                       }
 
                s->rstate=SSL_ST_READ_BODY;
 
@@ -542,27 +540,28 @@ again:
                        {
                        if (version != s->version && version != DTLS1_BAD_VER)
                                {
-                               SSLerr(SSL_F_DTLS1_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
-                               /* Send back error using their
-                                * version number :-) */
-                               s->version=version;
-                               al=SSL_AD_PROTOCOL_VERSION;
-                               goto f_err;
+                               /* unexpected version, silently discard */
+                               rr->length = 0;
+                               s->packet_length = 0;
+                               goto again;
                                }
                        }
 
                if ((version & 0xff00) != (DTLS1_VERSION & 0xff00) &&
                    (version & 0xff00) != (DTLS1_BAD_VER & 0xff00))
                        {
-                       SSLerr(SSL_F_DTLS1_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
-                       goto err;
+                       /* wrong version, silently discard record */
+                       rr->length = 0;
+                       s->packet_length = 0;
+                       goto again;
                        }
 
                if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH)
                        {
-                       al=SSL_AD_RECORD_OVERFLOW;
-                       SSLerr(SSL_F_DTLS1_GET_RECORD,SSL_R_PACKET_LENGTH_TOO_LONG);
-                       goto f_err;
+                       /* record too long, silently discard it */
+                       rr->length = 0;
+                       s->packet_length = 0;
+                       goto again;
                        }
 
                s->client_version = version;
@@ -581,6 +580,7 @@ again:
                /* this packet contained a partial record, dump it */
                if ( n != i)
                        {
+                       rr->length = 0;
                        s->packet_length = 0;
                        goto again;
                        }
@@ -594,6 +594,7 @@ again:
        bitmap = dtls1_get_bitmap(s, rr, &is_next_epoch);
        if ( bitmap == NULL)
         {
+       rr->length = 0;
         s->packet_length = 0;  /* dump this record */
         goto again;   /* get another record */
                }
@@ -601,6 +602,7 @@ again:
        /* check whether this is a repeat, or aged record */
        if ( ! dtls1_record_replay_check(s, bitmap, &(rr->seq_num)))
                {
+               rr->length = 0;
                s->packet_length=0; /* dump this record */
                goto again;     /* get another record */
                }
@@ -615,21 +617,22 @@ again:
     if (is_next_epoch)
         {
         dtls1_record_bitmap_update(s, bitmap);
-        dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num);
+        dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), &rr->seq_num);
+               rr->length = 0;
         s->packet_length = 0;
         goto again;
         }
 
-    if ( ! dtls1_process_record(s))
-        return(0);
+    if (!dtls1_process_record(s))
+               {
+               rr->length = 0;
+               s->packet_length=0; /* dump this record */
+               goto again;     /* get another record */
+               }
 
        dtls1_clear_timeouts(s);  /* done waiting */
        return(1);
 
-f_err:
-       ssl3_send_alert(s,SSL3_AL_FATAL,al);
-err:
-       return(0);
        }
 
 /* Return up to 'len' payload bytes received in 'type' records.
1	diff -up openssl-fips-0.9.8e/ssl/d1_pkt.c.dtls-fixes2 openssl-fips-0.9.8e/ssl/d1_pkt.c
2	--- openssl-fips-0.9.8e/ssl/d1_pkt.c.dtls-fixes2 2012-01-16 11:00:34.242797904 +0100
3	+++ openssl-fips-0.9.8e/ssl/d1_pkt.c 2012-01-18 15:45:25.144865068 +0100
4	@@ -134,7 +134,7 @@ static int dtls1_record_needs_buffering(
5	unsigned short priority, unsigned long offset);
6	#endif
7	static int dtls1_buffer_record(SSL s, record_pqueue q,
8	- PQ_64BIT priority);
9	+ PQ_64BIT *priority);
10	static int dtls1_process_record(SSL *s);
11	#if PQ_64BIT_IS_INTEGER
12	static PQ_64BIT bytes_to_long_long(unsigned char bytes, PQ_64BIT num);
13	@@ -156,13 +156,16 @@ dtls1_copy_record(SSL s, pitem item)
14	s->packet_length = rdata->packet_length;
15	memcpy(&(s->s3->rbuf), &(rdata->rbuf), sizeof(SSL3_BUFFER));
16	memcpy(&(s->s3->rrec), &(rdata->rrec), sizeof(SSL3_RECORD));
17	+
18	+ /* Set proper sequence number for mac calculation */
19	+ memcpy(&(s->s3->read_sequence[2]), &(rdata->packet[5]), 6);
20
21	return(1);
22	}
23
24
25	static int
26	-dtls1_buffer_record(SSL s, record_pqueue queue, PQ_64BIT priority)
27	+dtls1_buffer_record(SSL s, record_pqueue queue, PQ_64BIT *priority)
28	{
29	DTLS1_RECORD_DATA *rdata;
30	pitem *item;
31	@@ -172,7 +175,7 @@ dtls1_buffer_record(SSL *s, record_pqueu
32	return 0;
33
34	rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA));
35	- item = pitem_new(priority, rdata);
36	+ item = pitem_new(*priority, rdata);
37	if (rdata == NULL \|\| item == NULL)
38	{
39	if (rdata != NULL) OPENSSL_free(rdata);
40	@@ -253,9 +256,6 @@ dtls1_process_buffered_records(SSL *s)
41	item = pqueue_peek(s->d1->unprocessed_rcds.q);
42	if (item)
43	{
44	- DTLS1_RECORD_DATA *rdata;
45	- rdata = (DTLS1_RECORD_DATA *)item->data;
46	-
47	/* Check if epoch is current. */
48	if (s->d1->unprocessed_rcds.epoch != s->d1->r_epoch)
49	return(1); /* Nothing to do. */
50	@@ -267,7 +267,7 @@ dtls1_process_buffered_records(SSL *s)
51	if ( ! dtls1_process_record(s))
52	return(0);
53	dtls1_buffer_record(s, &(s->d1->processed_rcds),
54	- s->s3->rrec.seq_num);
55	+ &s->s3->rrec.seq_num);
56	}
57	}
58
59	@@ -328,13 +328,15 @@ dtls1_get_buffered_record(SSL *s)
60	static int
61	dtls1_process_record(SSL *s)
62	{
63	- int i,al;
64	+ int al;
65	int clear=0;
66	int enc_err;
67	SSL_SESSION *sess;
68	SSL3_RECORD *rr;
69	unsigned int mac_size;
70	unsigned char md[EVP_MAX_MD_SIZE];
71	+ int decryption_failed_or_bad_record_mac = 0;
72	+ unsigned char *mac = NULL;
73
74
75	rr= &(s->s3->rrec);
76	@@ -369,12 +371,10 @@ dtls1_process_record(SSL *s)
77	enc_err = s->method->ssl3_enc->enc(s,0);
78	if (enc_err <= 0)
79	{
80	- if (enc_err == 0)
81	- /* SSLerr() and ssl3_send_alert() have been called */
82	- goto err;
83	-
84	- /* otherwise enc_err == -1 */
85	- goto decryption_failed_or_bad_record_mac;
86	+ /* To minimize information leaked via timing, we will always
87	+ * perform all computations before discarding the message.
88	+ */
89	+ decryption_failed_or_bad_record_mac = 1;
90	}
91
92	#ifdef TLS_DEBUG
93	@@ -400,28 +400,32 @@ if ( (sess == NULL) \|\|
94	SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG);
95	goto f_err;
96	#else
97	- goto decryption_failed_or_bad_record_mac;
98	+ decryption_failed_or_bad_record_mac = 1;
99	#endif
100	}
101	/* check the MAC for rr->input (it's in mac_size bytes at the tail) */
102	- if (rr->length < mac_size)
103	+ if (rr->length >= mac_size)
104	{
105	-#if 0 /* OK only for stream ciphers */
106	- al=SSL_AD_DECODE_ERROR;
107	- SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_LENGTH_TOO_SHORT);
108	- goto f_err;
109	-#else
110	- goto decryption_failed_or_bad_record_mac;
111	-#endif
112	+ rr->length -= mac_size;
113	+ mac = &rr->data[rr->length];
114	}
115	- rr->length-=mac_size;
116	- i=s->method->ssl3_enc->mac(s,md,0);
117	- if (memcmp(md,&(rr->data[rr->length]),mac_size) != 0)
118	+ else
119	+ rr->length = 0;
120	+ s->method->ssl3_enc->mac(s,md,0);
121	+ if (mac == NULL \|\| memcmp(md, mac, mac_size) != 0)
122	{
123	- goto decryption_failed_or_bad_record_mac;
124	+ decryption_failed_or_bad_record_mac = 1;
125	}
126	}
127
128	+ if (decryption_failed_or_bad_record_mac)
129	+ {
130	+ /* decryption failed, silently discard message */
131	+ rr->length = 0;
132	+ s->packet_length = 0;
133	+ goto err;
134	+ }
135	+
136	/* r->length is now just compressed */
137	if (s->expand != NULL)
138	{
139	@@ -460,14 +464,6 @@ if ( (sess == NULL) \|\|
140	dtls1_record_bitmap_update(s, &(s->d1->bitmap));/* Mark receipt of record. */
141	return(1);
142
143	-decryption_failed_or_bad_record_mac:
144	- /* Separate 'decryption_failed' alert was introduced with TLS 1.0,
145	- * SSL 3.0 only has 'bad_record_mac'. But unless a decryption
146	- * failure is directly visible from the ciphertext anyway,
147	- * we should not reveal which kind of error occured -- this
148	- * might become visible to an attacker (e.g. via logfile) */
149	- al=SSL_AD_BAD_RECORD_MAC;
150	- SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
151	f_err:
152	ssl3_send_alert(s,SSL3_AL_FATAL,al);
153	err:
154	@@ -486,22 +482,19 @@ err:
155	/* used only by dtls1_read_bytes */
156	int dtls1_get_record(SSL *s)
157	{
158	- int ssl_major,ssl_minor,al;
159	+ int ssl_major,ssl_minor;
160	int i,n;
161	SSL3_RECORD *rr;
162	- SSL_SESSION *sess;
163	- unsigned char *p;
164	+ unsigned char *p = NULL;
165	unsigned short version;
166	DTLS1_BITMAP *bitmap;
167	unsigned int is_next_epoch;
168
169	rr= &(s->s3->rrec);
170	- sess=s->session;
171
172	/* The epoch may have changed. If so, process all the
173	* pending records. This is a non-blocking operation. */
174	- if ( ! dtls1_process_buffered_records(s))
175	- return 0;
176	+ dtls1_process_buffered_records(s);
177
178	/* if we're renegotiating, then there may be buffered records */
179	if (dtls1_get_processed_record(s))
180	@@ -517,7 +510,12 @@ again:
181	/* read timeout is handled by dtls1_read_bytes */
182	if (n <= 0) return(n); /* error or non-blocking */
183
184	- OPENSSL_assert(s->packet_length == DTLS1_RT_HEADER_LENGTH);
185	+ /* this packet contained a partial record, dump it */
186	+ if (s->packet_length != DTLS1_RT_HEADER_LENGTH)
187	+ {
188	+ s->packet_length = 0;
189	+ goto again;
190	+ }
191
192	s->rstate=SSL_ST_READ_BODY;
193
194	@@ -542,27 +540,28 @@ again:
195	{
196	if (version != s->version && version != DTLS1_BAD_VER)
197	{
198	- SSLerr(SSL_F_DTLS1_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
199	- /* Send back error using their
200	- * version number :-) */
201	- s->version=version;
202	- al=SSL_AD_PROTOCOL_VERSION;
203	- goto f_err;
204	+ /* unexpected version, silently discard */
205	+ rr->length = 0;
206	+ s->packet_length = 0;
207	+ goto again;
208	}
209	}
210
211	if ((version & 0xff00) != (DTLS1_VERSION & 0xff00) &&
212	(version & 0xff00) != (DTLS1_BAD_VER & 0xff00))
213	{
214	- SSLerr(SSL_F_DTLS1_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
215	- goto err;
216	+ /* wrong version, silently discard record */
217	+ rr->length = 0;
218	+ s->packet_length = 0;
219	+ goto again;
220	}
221
222	if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH)
223	{
224	- al=SSL_AD_RECORD_OVERFLOW;
225	- SSLerr(SSL_F_DTLS1_GET_RECORD,SSL_R_PACKET_LENGTH_TOO_LONG);
226	- goto f_err;
227	+ /* record too long, silently discard it */
228	+ rr->length = 0;
229	+ s->packet_length = 0;
230	+ goto again;
231	}
232
233	s->client_version = version;
234	@@ -581,6 +580,7 @@ again:
235	/* this packet contained a partial record, dump it */
236	if ( n != i)
237	{
238	+ rr->length = 0;
239	s->packet_length = 0;
240	goto again;
241	}
242	@@ -594,6 +594,7 @@ again:
243	bitmap = dtls1_get_bitmap(s, rr, &is_next_epoch);
244	if ( bitmap == NULL)
245	{
246	+ rr->length = 0;
247	s->packet_length = 0; /* dump this record */
248	goto again; /* get another record */
249	}
250	@@ -601,6 +602,7 @@ again:
251	/* check whether this is a repeat, or aged record */
252	if ( ! dtls1_record_replay_check(s, bitmap, &(rr->seq_num)))
253	{
254	+ rr->length = 0;
255	s->packet_length=0; /* dump this record */
256	goto again; /* get another record */
257	}
258	@@ -615,21 +617,22 @@ again:
259	if (is_next_epoch)
260	{
261	dtls1_record_bitmap_update(s, bitmap);
262	- dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num);
263	+ dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), &rr->seq_num);
264	+ rr->length = 0;
265	s->packet_length = 0;
266	goto again;
267	}
268
269	- if ( ! dtls1_process_record(s))
270	- return(0);
271	+ if (!dtls1_process_record(s))
272	+ {
273	+ rr->length = 0;
274	+ s->packet_length=0; /* dump this record */
275	+ goto again; /* get another record */
276	+ }
277
278	dtls1_clear_timeouts(s); /* done waiting */
279	return(1);
280
281	-f_err:
282	- ssl3_send_alert(s,SSL3_AL_FATAL,al);
283	-err:
284	- return(0);
285	}
286
287	/* Return up to 'len' payload bytes received in 'type' records.