[Pkg-openssl-changes] r590 - openssl/branches/squeeze/debian/patches
Kurt Roeckx
kroeckx at alioth.debian.org
Mon Feb 11 20:28:47 UTC 2013
Author: kroeckx
Date: 2013-02-11 20:28:46 +0000 (Mon, 11 Feb 2013)
New Revision: 590
Modified:
openssl/branches/squeeze/debian/patches/CVE-2013-0169.patch
Log:
Make the patch apply to our version.
Modified: openssl/branches/squeeze/debian/patches/CVE-2013-0169.patch
===================================================================
--- openssl/branches/squeeze/debian/patches/CVE-2013-0169.patch 2013-02-11 19:42:29 UTC (rev 589)
+++ openssl/branches/squeeze/debian/patches/CVE-2013-0169.patch 2013-02-11 20:28:46 UTC (rev 590)
@@ -28,11 +28,11 @@
5864fd2061f43dc8f89b5755f19bd2a35dec636c
-diff --git a/crypto/cryptlib.c b/crypto/cryptlib.c
-index dd74ea8..dec3286 100644
---- a/crypto/cryptlib.c
-+++ b/crypto/cryptlib.c
-@@ -542,3 +542,19 @@ void OpenSSLDie(const char *file,int line,const char *assertion)
+Index: openssl-0.9.8o/crypto/cryptlib.c
+===================================================================
+--- openssl-0.9.8o.orig/crypto/cryptlib.c 2009-09-13 13:20:36.000000000 +0200
++++ openssl-0.9.8o/crypto/cryptlib.c 2013-02-11 20:44:24.000000000 +0100
+@@ -543,3 +543,19 @@
}
void *OPENSSL_stderr(void) { return stderr; }
@@ -52,14 +52,14 @@
+ return x;
+ }
+#endif
-diff --git a/crypto/crypto.h b/crypto/crypto.h
-index fc1374f..6161697 100644
---- a/crypto/crypto.h
-+++ b/crypto/crypto.h
-@@ -591,6 +591,13 @@ int OPENSSL_isservice(void);
- #define OPENSSL_HAVE_INIT 1
- void OPENSSL_init(void);
+Index: openssl-0.9.8o/crypto/crypto.h
+===================================================================
+--- openssl-0.9.8o.orig/crypto/crypto.h 2008-10-26 19:42:00.000000000 +0100
++++ openssl-0.9.8o/crypto/crypto.h 2013-02-11 20:44:24.000000000 +0100
+@@ -588,6 +588,13 @@
+ #endif /* def OPENSSL_FIPS */
+
+/* CRYPTO_memcmp returns zero iff the |len| bytes at |a| and |b| are equal. It
+ * takes an amount of time dependent on |len|, but independent of the contents
+ * of |a| and |b|. Unlike memcmp, it cannot be used to put elements into a
@@ -70,34 +70,34 @@
/* BEGIN ERROR CODES */
/* The following lines are auto generated by the script mkerr.pl. Any changes
* made after this point may be overwritten when the script is next run.
-diff --git a/crypto/o_init.c b/crypto/o_init.c
-index d767a90..c89fda5 100644
---- a/crypto/o_init.c
-+++ b/crypto/o_init.c
-@@ -93,4 +93,18 @@ void OPENSSL_init(void)
+Index: openssl-0.9.8o/crypto/o_init.c
+===================================================================
+--- openssl-0.9.8o.orig/crypto/o_init.c 2010-03-25 13:17:15.000000000 +0100
++++ openssl-0.9.8o/crypto/o_init.c 2013-02-11 20:44:24.000000000 +0100
+@@ -93,4 +93,18 @@
#endif
}
+#ifdef OPENSSL_FIPS
-+
+
+int CRYPTO_memcmp(const void *in_a, const void *in_b, size_t len)
+ {
+ size_t i;
+ const unsigned char *a = in_a;
+ const unsigned char *b = in_b;
+ unsigned char x = 0;
-
++
+ for (i = 0; i < len; i++)
+ x |= a[i] ^ b[i];
+
+ return x;
+ }
+#endif
-diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c
-index 546ae5f..b8e3edc 100644
---- a/crypto/rsa/rsa_oaep.c
-+++ b/crypto/rsa/rsa_oaep.c
-@@ -143,7 +143,7 @@ int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
+Index: openssl-0.9.8o/crypto/rsa/rsa_oaep.c
+===================================================================
+--- openssl-0.9.8o.orig/crypto/rsa/rsa_oaep.c 2009-06-27 01:56:10.000000000 +0200
++++ openssl-0.9.8o/crypto/rsa/rsa_oaep.c 2013-02-11 20:44:24.000000000 +0100
+@@ -143,7 +143,7 @@
EVP_Digest((void *)param, plen, phash, NULL, EVP_sha1(), NULL);
@@ -106,11 +106,11 @@
goto decoding_err;
else
{
-diff --git a/ssl/Makefile b/ssl/Makefile
-index 5ac3507..64f021d 100644
---- a/ssl/Makefile
-+++ b/ssl/Makefile
-@@ -22,7 +22,7 @@ LIB=$(TOP)/libssl.a
+Index: openssl-0.9.8o/ssl/Makefile
+===================================================================
+--- openssl-0.9.8o.orig/ssl/Makefile 2010-01-20 17:35:30.000000000 +0100
++++ openssl-0.9.8o/ssl/Makefile 2013-02-11 20:44:24.000000000 +0100
+@@ -22,7 +22,7 @@
SHARED_LIB= libssl$(SHLIB_EXT)
LIBSRC= \
s2_meth.c s2_srvr.c s2_clnt.c s2_lib.c s2_enc.c s2_pkt.c \
@@ -119,7 +119,7 @@
s23_meth.c s23_srvr.c s23_clnt.c s23_lib.c s23_pkt.c \
t1_meth.c t1_srvr.c t1_clnt.c t1_lib.c t1_enc.c \
d1_meth.c d1_srvr.c d1_clnt.c d1_lib.c d1_pkt.c \
-@@ -33,7 +33,7 @@ LIBSRC= \
+@@ -33,7 +33,7 @@
bio_ssl.c ssl_err.c kssl.c t1_reneg.c
LIBOBJ= \
s2_meth.o s2_srvr.o s2_clnt.o s2_lib.o s2_enc.o s2_pkt.o \
@@ -128,11 +128,11 @@
s23_meth.o s23_srvr.o s23_clnt.o s23_lib.o s23_pkt.o \
t1_meth.o t1_srvr.o t1_clnt.o t1_lib.o t1_enc.o \
d1_meth.o d1_srvr.o d1_clnt.o d1_lib.o d1_pkt.o \
-diff --git a/ssl/d1_enc.c b/ssl/d1_enc.c
-index baa75f9..f0c446d 100644
---- a/ssl/d1_enc.c
-+++ b/ssl/d1_enc.c
-@@ -126,16 +126,30 @@
+Index: openssl-0.9.8o/ssl/d1_enc.c
+===================================================================
+--- openssl-0.9.8o.orig/ssl/d1_enc.c 2013-02-11 20:43:18.000000000 +0100
++++ openssl-0.9.8o/ssl/d1_enc.c 2013-02-11 21:08:32.000000000 +0100
+@@ -126,18 +126,30 @@
#include <openssl/des.h>
#endif
@@ -149,12 +149,14 @@
SSL3_RECORD *rec;
EVP_CIPHER_CTX *ds;
unsigned long l;
-- int bs,i,ii,j,k;
+- int bs,i,ii,j,k,n=0;
+ int bs,i,j,k,mac_size=0;
const EVP_CIPHER *enc;
if (send)
{
+- if (s->write_hash != NULL)
+- n=EVP_MD_size(s->write_hash);
+ if (s->write_hash)
+ {
+ mac_size=EVP_MD_size(s->write_hash);
@@ -164,7 +166,7 @@
ds=s->enc_write_ctx;
rec= &(s->s3->wrec);
if (s->enc_write_ctx == NULL)
-@@ -156,6 +170,11 @@ int dtls1_enc(SSL *s, int send)
+@@ -158,6 +170,11 @@
}
else
{
@@ -173,19 +175,10 @@
+ mac_size=EVP_MD_size(s->read_hash);
+ OPENSSL_assert(mac_size >= 0);
+ }
+ if (s->read_hash != NULL)
+ n=EVP_MD_size(s->read_hash);
ds=s->enc_read_ctx;
- rec= &(s->s3->rrec);
- if (s->enc_read_ctx == NULL)
-@@ -220,7 +239,7 @@ int dtls1_enc(SSL *s, int send)
- if (!send)
- {
- if (l == 0 || l%bs != 0)
-- return -1;
-+ return 0;
- }
-
- EVP_Cipher(ds,rec->data,rec->input,l);
-@@ -235,43 +254,7 @@ int dtls1_enc(SSL *s, int send)
+@@ -243,43 +260,7 @@
#endif /* KSSL_DEBUG */
if ((bs != 1) && !send)
@@ -230,22 +223,21 @@
}
return(1);
}
-diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c
-index 65b1ef2..72c5d9d 100644
---- a/ssl/d1_pkt.c
-+++ b/ssl/d1_pkt.c
-@@ -327,16 +327,12 @@ dtls1_get_buffered_record(SSL *s)
- static int
+Index: openssl-0.9.8o/ssl/d1_pkt.c
+===================================================================
+--- openssl-0.9.8o.orig/ssl/d1_pkt.c 2013-02-11 20:43:18.000000000 +0100
++++ openssl-0.9.8o/ssl/d1_pkt.c 2013-02-11 21:23:46.000000000 +0100
+@@ -332,15 +332,11 @@
dtls1_process_record(SSL *s)
{
-- int al;
+ int i,al;
- int clear=0;
-- int enc_err;
-+ int i,al;
-+ int enc_err;
+ int enc_err;
SSL_SESSION *sess;
- SSL3_RECORD *rr;
- unsigned int mac_size;
+- SSL3_RECORD *rr;
+- unsigned int mac_size;
++ SSL3_RECORD *rr;
++ unsigned int mac_size, orig_len;
unsigned char md[EVP_MAX_MD_SIZE];
- int decryption_failed_or_bad_record_mac = 0;
- unsigned char *mac = NULL;
@@ -253,11 +245,8 @@
rr= &(s->s3->rrec);
sess = s->session;
-@@ -366,14 +362,19 @@ dtls1_process_record(SSL *s)
-
- /* decrypt in place in 'rr->input' */
+@@ -372,12 +368,16 @@
rr->data=rr->input;
-+ rr->orig_len=rr->length;
enc_err = s->method->ssl3_enc->enc(s,0);
- if (enc_err <= 0)
@@ -278,7 +267,7 @@
}
#ifdef TLS_DEBUG
-@@ -383,41 +384,59 @@ printf("\n");
+@@ -387,41 +387,62 @@
#endif
/* r->length is now the compressed data plus mac */
@@ -299,15 +288,18 @@
+ OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE);
- if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+mac_size)
++ /* kludge: *_cbc_remove_padding passes padding length in rr->type */
++ orig_len = rr->length+((unsigned int)rr->type>>8);
++
+ /* orig_len is the length of the record before any padding was
+ * removed. This is public information, as is the MAC in use,
+ * therefore we can safely process the record in a different
+ * amount of time if it's too short to possibly contain a MAC.
+ */
-+ if (rr->orig_len < mac_size ||
++ if (orig_len < mac_size ||
+ /* CBC records must have a padding length byte too. */
+ (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
-+ rr->orig_len < mac_size+1))
++ orig_len < mac_size+1))
{
-#if 0 /* OK only for stream ciphers (then rr->length is visible from ciphertext anyway) */
- al=SSL_AD_RECORD_OVERFLOW;
@@ -330,17 +322,17 @@
+ * without leaking the contents of the padding bytes.
+ * */
+ mac = mac_tmp;
-+ ssl3_cbc_copy_mac(mac_tmp, rr, mac_size);
++ ssl3_cbc_copy_mac(mac_tmp, rr, mac_size, orig_len);
rr->length -= mac_size;
- mac = &rr->data[rr->length];
}
else
- rr->length = 0;
-- s->method->ssl3_enc->mac(s,md,0);
-- if (mac == NULL || memcmp(md, mac, mac_size) != 0)
+- i=s->method->ssl3_enc->mac(s,md,0);
+- if (i < 0 || mac == NULL || memcmp(md, mac, mac_size) != 0)
{
- decryption_failed_or_bad_record_mac = 1;
-+ /* In this case there's no padding, so |rec->orig_len|
++ /* In this case there's no padding, so |orig_len|
+ * equals |rec->length| and we checked that there's
+ * enough bytes for |mac_size| above. */
+ rr->length -= mac_size;
@@ -359,11 +351,11 @@
{
/* decryption failed, silently discard message */
rr->length = 0;
-diff --git a/ssl/s2_clnt.c b/ssl/s2_clnt.c
-index 782129c..c13a640 100644
---- a/ssl/s2_clnt.c
-+++ b/ssl/s2_clnt.c
-@@ -935,7 +935,7 @@ static int get_server_verify(SSL *s)
+Index: openssl-0.9.8o/ssl/s2_clnt.c
+===================================================================
+--- openssl-0.9.8o.orig/ssl/s2_clnt.c 2009-01-07 11:48:23.000000000 +0100
++++ openssl-0.9.8o/ssl/s2_clnt.c 2013-02-11 20:44:24.000000000 +0100
+@@ -935,7 +935,7 @@
s->msg_callback(0, s->version, 0, p, len, s, s->msg_callback_arg); /* SERVER-VERIFY */
p += 1;
@@ -372,11 +364,11 @@
{
ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
SSLerr(SSL_F_GET_SERVER_VERIFY,SSL_R_CHALLENGE_IS_DIFFERENT);
-diff --git a/ssl/s2_pkt.c b/ssl/s2_pkt.c
-index a10929a..7387d8b 100644
---- a/ssl/s2_pkt.c
-+++ b/ssl/s2_pkt.c
-@@ -267,8 +267,7 @@ static int ssl2_read_internal(SSL *s, void *buf, int len, int peek)
+Index: openssl-0.9.8o/ssl/s2_pkt.c
+===================================================================
+--- openssl-0.9.8o.orig/ssl/s2_pkt.c 2003-12-27 17:10:30.000000000 +0100
++++ openssl-0.9.8o/ssl/s2_pkt.c 2013-02-11 20:44:24.000000000 +0100
+@@ -267,8 +267,7 @@
s->s2->ract_data_length-=mac_size;
ssl2_mac(s,mac,0);
s->s2->ract_data_length-=s->s2->padding;
@@ -386,11 +378,11 @@
(s->s2->rlength%EVP_CIPHER_CTX_block_size(s->enc_read_ctx) != 0))
{
SSLerr(SSL_F_SSL2_READ_INTERNAL,SSL_R_BAD_MAC_DECODE);
-diff --git a/ssl/s3_both.c b/ssl/s3_both.c
-index 869a25d..86ad598 100644
---- a/ssl/s3_both.c
-+++ b/ssl/s3_both.c
-@@ -242,7 +242,7 @@ int ssl3_get_finished(SSL *s, int a, int b)
+Index: openssl-0.9.8o/ssl/s3_both.c
+===================================================================
+--- openssl-0.9.8o.orig/ssl/s3_both.c 2010-03-25 00:16:35.000000000 +0100
++++ openssl-0.9.8o/ssl/s3_both.c 2013-02-11 20:44:24.000000000 +0100
+@@ -242,7 +242,7 @@
goto f_err;
}
@@ -399,12 +391,11 @@
{
al=SSL_AD_DECRYPT_ERROR;
SSLerr(SSL_F_SSL3_GET_FINISHED,SSL_R_DIGEST_CHECK_FAILED);
-diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c
-new file mode 100644
-index 0000000..2ab7bfb
---- /dev/null
-+++ b/ssl/s3_cbc.c
-@@ -0,0 +1,759 @@
+Index: openssl-0.9.8o/ssl/s3_cbc.c
+===================================================================
+--- /dev/null 1970-01-01 00:00:00.000000000 +0000
++++ openssl-0.9.8o/ssl/s3_cbc.c 2013-02-11 20:44:24.000000000 +0100
+@@ -0,0 +1,783 @@
+/* ssl/s3_cbc.c */
+/* ====================================================================
+ * Copyright (c) 2012 The OpenSSL Project. All rights reserved.
@@ -483,6 +474,13 @@
+#define DUPLICATE_MSB_TO_ALL(x) ( (unsigned)( (int)(x) >> (sizeof(int)*8-1) ) )
+#define DUPLICATE_MSB_TO_ALL_8(x) ((unsigned char)(DUPLICATE_MSB_TO_ALL(x)))
+
++/* constant_time_lt returns 0xff if a<b and 0x00 otherwise. */
++static unsigned constant_time_lt(unsigned a, unsigned b)
++ {
++ a -= b;
++ return DUPLICATE_MSB_TO_ALL(a);
++ }
++
+/* constant_time_ge returns 0xff if a>=b and 0x00 otherwise. */
+static unsigned constant_time_ge(unsigned a, unsigned b)
+ {
@@ -491,7 +489,7 @@
+ }
+
+/* constant_time_eq_8 returns 0xff if a==b and 0x00 otherwise. */
-+static unsigned char constant_time_eq_8(unsigned char a, unsigned char b)
++static unsigned char constant_time_eq_8(unsigned a, unsigned b)
+ {
+ unsigned c = a ^ b;
+ c--;
@@ -523,7 +521,9 @@
+ good = constant_time_ge(rec->length, padding_length+overhead);
+ /* SSLv3 requires that the padding is minimal. */
+ good &= constant_time_ge(block_size, padding_length+1);
-+ rec->length -= good & (padding_length+1);
++ padding_length = good & (padding_length+1);
++ rec->length -= padding_length;
++ rec->type |= padding_length<<8; /* kludge: pass padding length */
+ return (int)((good & 1) | (~good & -1));
+}
+
@@ -544,14 +544,21 @@
+ unsigned mac_size)
+ {
+ unsigned padding_length, good, to_check, i;
-+ const char has_explicit_iv = s->version == DTLS1_VERSION;
-+ const unsigned overhead = 1 /* padding length byte */ +
-+ mac_size +
-+ (has_explicit_iv ? block_size : 0);
-+
-+ /* These lengths are all public so we can test them in non-constant
-+ * time. */
-+ if (overhead > rec->length)
++ const unsigned overhead = 1 /* padding length byte */ + mac_size;
++ /* Check if version requires explicit IV */
++ if (s->version == DTLS1_VERSION)
++ {
++ /* These lengths are all public so we can test them in
++ * non-constant time.
++ */
++ if (overhead + block_size > rec->length)
++ return 0;
++ /* We can now safely skip explicit IV */
++ rec->data += block_size;
++ rec->input += block_size;
++ rec->length -= block_size;
++ }
++ else if (overhead > rec->length)
+ return 0;
+
+ padding_length = rec->data[rec->length-1];
@@ -609,31 +616,13 @@
+ good <<= sizeof(good)*8-1;
+ good = DUPLICATE_MSB_TO_ALL(good);
+
-+ rec->length -= good & (padding_length+1);
++ padding_length = good & (padding_length+1);
++ rec->length -= padding_length;
++ rec->type |= padding_length<<8; /* kludge: pass padding length */
+
-+ /* We can always safely skip the explicit IV. We check at the beginning
-+ * of this function that the record has at least enough space for the
-+ * IV, MAC and padding length byte. (These can be checked in
-+ * non-constant time because it's all public information.) So, if the
-+ * padding was invalid, then we didn't change |rec->length| and this is
-+ * safe. If the padding was valid then we know that we have at least
-+ * overhead+padding_length bytes of space and so this is still safe
-+ * because overhead accounts for the explicit IV. */
-+ if (has_explicit_iv)
-+ {
-+ rec->data += block_size;
-+ rec->input += block_size;
-+ rec->length -= block_size;
-+ rec->orig_len -= block_size;
-+ }
-+
+ return (int)((good & 1) | (~good & -1));
+ }
+
-+#if defined(_M_AMD64) || defined(__x86_64__)
-+#define CBC_MAC_ROTATE_IN_PLACE
-+#endif
-+
+/* ssl3_cbc_copy_mac copies |md_size| bytes from the end of |rec| to |out| in
+ * constant time (independent of the concrete value of rec->length, which may
+ * vary within a 256-byte window).
@@ -647,15 +636,18 @@
+ *
+ * If CBC_MAC_ROTATE_IN_PLACE is defined then the rotation is performed with
+ * variable accesses in a 64-byte-aligned buffer. Assuming that this fits into
-+ * a single cache-line, then the variable memory accesses don't actually affect
-+ * the timing. This has been tested to be true on Intel amd64 chips.
++ * a single or pair of cache-lines, then the variable memory accesses don't
++ * actually affect the timing. CPUs with smaller cache-lines [if any] are
++ * not multi-core and are not considered vulnerable to cache-timing attacks.
+ */
++#define CBC_MAC_ROTATE_IN_PLACE
++
+void ssl3_cbc_copy_mac(unsigned char* out,
+ const SSL3_RECORD *rec,
-+ unsigned md_size)
++ unsigned md_size,unsigned orig_len)
+ {
+#if defined(CBC_MAC_ROTATE_IN_PLACE)
-+ unsigned char rotated_mac_buf[EVP_MAX_MD_SIZE*2];
++ unsigned char rotated_mac_buf[64+EVP_MAX_MD_SIZE];
+ unsigned char *rotated_mac;
+#else
+ unsigned char rotated_mac[EVP_MAX_MD_SIZE];
@@ -671,16 +663,16 @@
+ unsigned div_spoiler;
+ unsigned rotate_offset;
+
-+ OPENSSL_assert(rec->orig_len >= md_size);
++ OPENSSL_assert(orig_len >= md_size);
+ OPENSSL_assert(md_size <= EVP_MAX_MD_SIZE);
+
+#if defined(CBC_MAC_ROTATE_IN_PLACE)
-+ rotated_mac = (unsigned char*) (((intptr_t)(rotated_mac_buf + 64)) & ~63);
++ rotated_mac = rotated_mac_buf + ((0-(size_t)rotated_mac_buf)&63);
+#endif
+
+ /* This information is public so it's safe to branch based on it. */
-+ if (rec->orig_len > md_size + 255 + 1)
-+ scan_start = rec->orig_len - (md_size + 255 + 1);
++ if (orig_len > md_size + 255 + 1)
++ scan_start = orig_len - (md_size + 255 + 1);
+ /* div_spoiler contains a multiple of md_size that is used to cause the
+ * modulo operation to be constant time. Without this, the time varies
+ * based on the amount of padding when running on Intel chips at least.
@@ -693,16 +685,13 @@
+ rotate_offset = (div_spoiler + mac_start - scan_start) % md_size;
+
+ memset(rotated_mac, 0, md_size);
-+ for (i = scan_start; i < rec->orig_len;)
++ for (i = scan_start, j = 0; i < orig_len; i++)
+ {
-+ for (j = 0; j < md_size && i < rec->orig_len; i++, j++)
-+ {
-+ unsigned char mac_started = constant_time_ge(i, mac_start);
-+ unsigned char mac_ended = constant_time_ge(i, mac_end);
-+ unsigned char b = 0;
-+ b = rec->data[i];
-+ rotated_mac[j] |= b & mac_started & ~mac_ended;
-+ }
++ unsigned char mac_started = constant_time_ge(i, mac_start);
++ unsigned char mac_ended = constant_time_ge(i, mac_end);
++ unsigned char b = rec->data[i];
++ rotated_mac[j++] |= b & mac_started & ~mac_ended;
++ j &= constant_time_lt(j,md_size);
+ }
+
+ /* Now rotate the MAC */
@@ -710,30 +699,43 @@
+ j = 0;
+ for (i = 0; i < md_size; i++)
+ {
-+ unsigned char offset = (div_spoiler + rotate_offset + i) % md_size;
-+ out[j++] = rotated_mac[offset];
++ /* in case cache-line is 32 bytes, touch second line */
++ ((volatile unsigned char *)rotated_mac)[rotate_offset^32];
++ out[j++] = rotated_mac[rotate_offset++];
++ rotate_offset &= constant_time_lt(rotate_offset,md_size);
+ }
+#else
+ memset(out, 0, md_size);
++ rotate_offset = md_size - rotate_offset;
++ rotate_offset &= constant_time_lt(rotate_offset,md_size);
+ for (i = 0; i < md_size; i++)
+ {
-+ unsigned char offset = (div_spoiler + md_size - rotate_offset + i) % md_size;
+ for (j = 0; j < md_size; j++)
-+ out[j] |= rotated_mac[i] & constant_time_eq_8(j, offset);
++ out[j] |= rotated_mac[i] & constant_time_eq_8(j, rotate_offset);
++ rotate_offset++;
++ rotate_offset &= constant_time_lt(rotate_offset,md_size);
+ }
+#endif
+ }
+
++/* u32toLE serialises an unsigned, 32-bit number (n) as four bytes at (p) in
++ * little-endian order. The value of p is advanced by four. */
++#define u32toLE(n, p) \
++ (*((p)++)=(unsigned char)(n), \
++ *((p)++)=(unsigned char)(n>>8), \
++ *((p)++)=(unsigned char)(n>>16), \
++ *((p)++)=(unsigned char)(n>>24))
++
+/* These functions serialize the state of a hash and thus perform the standard
+ * "final" operation without adding the padding and length that such a function
+ * typically does. */
+static void tls1_md5_final_raw(void* ctx, unsigned char *md_out)
+ {
+ MD5_CTX *md5 = ctx;
-+ l2n(md5->A, md_out);
-+ l2n(md5->B, md_out);
-+ l2n(md5->C, md_out);
-+ l2n(md5->D, md_out);
++ u32toLE(md5->A, md_out);
++ u32toLE(md5->B, md_out);
++ u32toLE(md5->C, md_out);
++ u32toLE(md5->D, md_out);
+ }
+
+static void tls1_sha1_final_raw(void* ctx, unsigned char *md_out)
@@ -853,6 +855,7 @@
+ /* mdLengthSize is the number of bytes in the length field that terminates
+ * the hash. */
+ unsigned md_length_size = 8;
++ char length_is_big_endian = 1;
+
+ /* This is a, hopefully redundant, check that allows us to forget about
+ * many possible overflows later in this function. */
@@ -866,6 +869,7 @@
+ md_transform = (void(*)(void *ctx, const unsigned char *block)) MD5_Transform;
+ md_size = 16;
+ sslv3_pad_length = 48;
++ length_is_big_endian = 0;
+ break;
+ case NID_sha1:
+ SHA1_Init((SHA_CTX*)md_state.c);
@@ -1006,11 +1010,22 @@
+ md_transform(md_state.c, hmac_pad);
+ }
+
-+ memset(length_bytes,0,md_length_size-4);
-+ length_bytes[md_length_size-4] = (unsigned char)(bits>>24);
-+ length_bytes[md_length_size-3] = (unsigned char)(bits>>16);
-+ length_bytes[md_length_size-2] = (unsigned char)(bits>>8);
-+ length_bytes[md_length_size-1] = (unsigned char)bits;
++ if (length_is_big_endian)
++ {
++ memset(length_bytes,0,md_length_size-4);
++ length_bytes[md_length_size-4] = (unsigned char)(bits>>24);
++ length_bytes[md_length_size-3] = (unsigned char)(bits>>16);
++ length_bytes[md_length_size-2] = (unsigned char)(bits>>8);
++ length_bytes[md_length_size-1] = (unsigned char)bits;
++ }
++ else
++ {
++ memset(length_bytes,0,md_length_size);
++ length_bytes[md_length_size-5] = (unsigned char)(bits>>24);
++ length_bytes[md_length_size-6] = (unsigned char)(bits>>16);
++ length_bytes[md_length_size-7] = (unsigned char)(bits>>8);
++ length_bytes[md_length_size-8] = (unsigned char)bits;
++ }
+
+ if (k > 0)
+ {
@@ -1164,11 +1179,11 @@
+ (blocks_orig - blocks_data + 1) * block_size);
+ }
+#endif
-diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c
-index 759231d..170953c 100644
---- a/ssl/s3_enc.c
-+++ b/ssl/s3_enc.c
-@@ -433,12 +433,21 @@ void ssl3_cleanup_key_block(SSL *s)
+Index: openssl-0.9.8o/ssl/s3_enc.c
+===================================================================
+--- openssl-0.9.8o.orig/ssl/s3_enc.c 2013-02-11 20:43:18.000000000 +0100
++++ openssl-0.9.8o/ssl/s3_enc.c 2013-02-11 20:44:24.000000000 +0100
+@@ -434,12 +434,21 @@
s->s3->tmp.key_block_length=0;
}
@@ -1191,7 +1206,7 @@
const EVP_CIPHER *enc;
if (send)
-@@ -489,32 +498,19 @@ int ssl3_enc(SSL *s, int send)
+@@ -490,32 +499,17 @@
if (!send)
{
if (l == 0 || l%bs != 0)
@@ -1205,8 +1220,6 @@
EVP_Cipher(ds,rec->data,rec->input,l);
-+ rec->orig_len = rec->length;
-+
+ if (s->read_hash != NULL)
+ mac_size = EVP_MD_size(s->read_hash);
+
@@ -1230,16 +1243,16 @@
}
return(1);
}
-@@ -591,7 +587,7 @@ int ssl3_mac(SSL *ssl, unsigned char *md, int send)
+@@ -592,7 +586,7 @@
EVP_MD_CTX md_ctx;
const EVP_MD *hash;
unsigned char *p,rec_char;
- unsigned int md_size;
-+ size_t md_size;
++ size_t md_size, orig_len;
int npad;
if (send)
-@@ -612,28 +608,68 @@ int ssl3_mac(SSL *ssl, unsigned char *md, int send)
+@@ -613,28 +607,72 @@
md_size=EVP_MD_size(hash);
npad=(48/md_size)*md_size;
@@ -1263,8 +1276,10 @@
- EVP_DigestUpdate(&md_ctx,ssl3_pad_2,npad);
- EVP_DigestUpdate(&md_ctx,md,md_size);
- EVP_DigestFinal_ex( &md_ctx,md,&md_size);
--
-- EVP_MD_CTX_cleanup(&md_ctx);
++ /* kludge: ssl3_cbc_remove_padding passes padding length in rec->type */
++ orig_len = rec->length+md_size+((unsigned int)rec->type>>8);
++ rec->type &= 0xff;
++
+ if (!send &&
+ EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
+ ssl3_cbc_record_digest_supported(hash))
@@ -1296,7 +1311,7 @@
+ hash,
+ md, &md_size,
+ header, rec->input,
-+ rec->length + md_size, rec->orig_len,
++ rec->length + md_size, orig_len,
+ mac_sec, md_size,
+ 1 /* is SSLv3 */);
+ }
@@ -1324,34 +1339,32 @@
+ EVP_DigestUpdate(&md_ctx,md,md_size);
+ EVP_DigestFinal_ex( &md_ctx,md,&md_size_u);
+ md_size = md_size_u;
-+
+
+- EVP_MD_CTX_cleanup(&md_ctx);
+ EVP_MD_CTX_cleanup(&md_ctx);
+ }
ssl3_record_sequence_update(seq);
return(md_size);
-diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
-index 5e3583c..9f5abd5 100644
---- a/ssl/s3_pkt.c
-+++ b/ssl/s3_pkt.c
-@@ -246,11 +246,8 @@ static int ssl3_get_record(SSL *s)
+Index: openssl-0.9.8o/ssl/s3_pkt.c
+===================================================================
+--- openssl-0.9.8o.orig/ssl/s3_pkt.c 2010-03-24 14:16:42.000000000 +0100
++++ openssl-0.9.8o/ssl/s3_pkt.c 2013-02-11 20:44:24.000000000 +0100
+@@ -246,11 +246,8 @@
unsigned char *p;
unsigned char md[EVP_MAX_MD_SIZE];
short version;
- unsigned int mac_size;
- int clear=0;
-+ unsigned mac_size;
++ unsigned mac_size, orig_len;
size_t extra;
- int decryption_failed_or_bad_record_mac = 0;
- unsigned char *mac = NULL;
rr= &(s->s3->rrec);
sess=s->session;
-@@ -354,19 +351,18 @@ again:
-
- /* decrypt in place in 'rr->input' */
+@@ -356,17 +353,15 @@
rr->data=rr->input;
-+ rr->orig_len=rr->length;
enc_err = s->method->ssl3_enc->enc(s,0);
- if (enc_err <= 0)
@@ -1376,7 +1389,7 @@
}
#ifdef TLS_DEBUG
-@@ -376,51 +372,59 @@ printf("\n");
+@@ -376,51 +371,62 @@
#endif
/* r->length is now the compressed data plus mac */
@@ -1386,10 +1399,11 @@
- clear=1;
-
- if (!clear)
+- {
+ if ((sess != NULL) &&
+ (s->enc_read_ctx != NULL) &&
+ (s->read_hash != NULL))
- {
++ {
+ /* s->read_hash != NULL => mac_size != -1 */
+ unsigned char *mac = NULL;
+ unsigned char mac_tmp[EVP_MAX_MD_SIZE];
@@ -1397,15 +1411,18 @@
+ OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE);
- if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+extra+mac_size)
++ /* kludge: *_cbc_remove_padding passes padding length in rr->type */
++ orig_len = rr->length+((unsigned int)rr->type>>8);
++
+ /* orig_len is the length of the record before any padding was
+ * removed. This is public information, as is the MAC in use,
+ * therefore we can safely process the record in a different
+ * amount of time if it's too short to possibly contain a MAC.
+ */
-+ if (rr->orig_len < mac_size ||
++ if (orig_len < mac_size ||
+ /* CBC records must have a padding length byte too. */
+ (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
-+ rr->orig_len < mac_size+1))
++ orig_len < mac_size+1))
{
-#if 0 /* OK only for stream ciphers (then rr->length is visible from ciphertext anyway) */
- al=SSL_AD_RECORD_OVERFLOW;
@@ -1428,7 +1445,7 @@
+ * without leaking the contents of the padding bytes.
+ * */
+ mac = mac_tmp;
-+ ssl3_cbc_copy_mac(mac_tmp, rr, mac_size);
++ ssl3_cbc_copy_mac(mac_tmp, rr, mac_size, orig_len);
rr->length -= mac_size;
- mac = &rr->data[rr->length];
}
@@ -1448,7 +1465,7 @@
- if (mac == NULL || memcmp(md, mac, mac_size) != 0)
- {
- decryption_failed_or_bad_record_mac = 1;
-+ /* In this case there's no padding, so |rec->orig_len|
++ /* In this case there's no padding, so |orig_len|
+ * equals |rec->length| and we checked that there's
+ * enough bytes for |mac_size| above. */
+ rr->length -= mac_size;
@@ -1467,25 +1484,10 @@
{
/* A separate 'decryption_failed' alert was introduced with TLS 1.0,
* SSL 3.0 only has 'bad_record_mac'. But unless a decryption
-diff --git a/ssl/ssl3.h b/ssl/ssl3.h
-index b9a85ef..7709eff 100644
---- a/ssl/ssl3.h
-+++ b/ssl/ssl3.h
-@@ -304,6 +304,10 @@ typedef struct ssl3_record_st
- /*r */ unsigned char *comp; /* only used with decompression - malloc()ed */
- /*r */ unsigned long epoch; /* epoch number, needed by DTLS1 */
- /*r */ PQ_64BIT seq_num; /* sequence number, needed by DTLS1 */
-+/*rw*/ unsigned int orig_len; /* How many bytes were available before padding
-+ was removed? This is used to implement the
-+ MAC check in constant time for CBC records.
-+ */
- } SSL3_RECORD;
-
- typedef struct ssl3_buffer_st
-diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
-index 9059b7d..57e9232 100644
---- a/ssl/ssl_locl.h
-+++ b/ssl/ssl_locl.h
+Index: openssl-0.9.8o/ssl/ssl_locl.h
+===================================================================
+--- openssl-0.9.8o.orig/ssl/ssl_locl.h 2009-12-08 14:15:37.000000000 +0100
++++ openssl-0.9.8o/ssl/ssl_locl.h 2013-02-11 20:44:24.000000000 +0100
@@ -189,6 +189,15 @@
*((c)++)=(unsigned char)(((l)>> 8)&0xff), \
*((c)++)=(unsigned char)(((l) )&0xff))
@@ -1502,14 +1504,14 @@
#define n2l6(c,l) (l =((BN_ULLONG)(*((c)++)))<<40, \
l|=((BN_ULLONG)(*((c)++)))<<32, \
l|=((BN_ULLONG)(*((c)++)))<<24, \
-@@ -1003,5 +1012,33 @@ int ssl_add_clienthello_renegotiate_ext(SSL *s, unsigned char *p, int *len,
+@@ -999,5 +1008,33 @@
int ssl_parse_clienthello_renegotiate_ext(SSL *s, unsigned char *d, int len,
int *al);
#endif
+/* s3_cbc.c */
+void ssl3_cbc_copy_mac(unsigned char* out,
+ const SSL3_RECORD *rec,
-+ unsigned md_size);
++ unsigned md_size,unsigned orig_len);
+int ssl3_cbc_remove_padding(const SSL* s,
+ SSL3_RECORD *rec,
+ unsigned block_size,
@@ -1536,11 +1538,11 @@
+ const unsigned char *data, size_t data_len, size_t orig_len);
#endif
-diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
-index 3516fe1..e75a66b 100644
---- a/ssl/t1_enc.c
-+++ b/ssl/t1_enc.c
-@@ -528,12 +528,21 @@ err:
+Index: openssl-0.9.8o/ssl/t1_enc.c
+===================================================================
+--- openssl-0.9.8o.orig/ssl/t1_enc.c 2009-04-19 20:08:12.000000000 +0200
++++ openssl-0.9.8o/ssl/t1_enc.c 2013-02-11 20:47:39.000000000 +0100
+@@ -530,12 +530,21 @@
return(0);
}
@@ -1558,12 +1560,12 @@
SSL3_RECORD *rec;
EVP_CIPHER_CTX *ds;
unsigned long l;
-- int bs,i,ii,j,k;
+- int bs,i,ii,j,k,n=0;
+ int bs,i,j,k,pad=0,ret,mac_size=0;
const EVP_CIPHER *enc;
if (send)
-@@ -559,11 +568,11 @@ int tls1_enc(SSL *s, int send)
+@@ -565,11 +574,11 @@
printf("tls1_enc(%d)\n", send);
#endif /* KSSL_DEBUG */
@@ -1577,7 +1579,7 @@
}
else
{
-@@ -591,14 +600,13 @@ int tls1_enc(SSL *s, int send)
+@@ -597,14 +606,13 @@
#ifdef KSSL_DEBUG
{
@@ -1598,7 +1600,7 @@
printf("\t\tIV: ");
for (i=0; i<ds->cipher->iv_len; i++) printf("%02X", ds->iv[i]);
printf("\n");
-@@ -611,11 +619,7 @@ int tls1_enc(SSL *s, int send)
+@@ -617,11 +625,7 @@
if (!send)
{
if (l == 0 || l%bs != 0)
@@ -1610,7 +1612,7 @@
}
EVP_Cipher(ds,rec->data,rec->input,l);
-@@ -629,49 +633,15 @@ int tls1_enc(SSL *s, int send)
+@@ -635,49 +639,15 @@
}
#endif /* KSSL_DEBUG */
@@ -1667,12 +1669,12 @@
}
int tls1_cert_verify_mac(SSL *s, EVP_MD_CTX *in_ctx, unsigned char *out)
-@@ -719,10 +689,10 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send)
+@@ -725,10 +695,10 @@
SSL3_RECORD *rec;
unsigned char *mac_sec,*seq;
const EVP_MD *hash;
- unsigned int md_size;
-+ size_t md_size;
++ size_t md_size, orig_len;
int i;
HMAC_CTX hmac;
- unsigned char buf[5];
@@ -1680,7 +1682,7 @@
if (send)
{
-@@ -741,20 +711,6 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send)
+@@ -747,20 +717,6 @@
md_size=EVP_MD_size(hash);
@@ -1701,7 +1703,7 @@
/* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */
HMAC_CTX_init(&hmac);
HMAC_Init_ex(&hmac,mac_sec,EVP_MD_size(hash),hash,NULL);
-@@ -766,16 +722,53 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send)
+@@ -772,16 +728,57 @@
s2n(send?ssl->d1->w_epoch:ssl->d1->r_epoch, p);
memcpy (p,&seq[2],6);
@@ -1716,12 +1718,16 @@
- HMAC_Update(&hmac,rec->input,rec->length);
- HMAC_Final(&hmac,md,&md_size);
- HMAC_CTX_cleanup(&hmac);
++ /* kludge: tls1_cbc_remove_padding passes padding length in rec->type */
++ orig_len = rec->length+md_size+((unsigned int)rec->type>>8);
++ rec->type &= 0xff;
++
+ header[8]=rec->type;
+ header[9]=(unsigned char)(ssl->version>>8);
+ header[10]=(unsigned char)(ssl->version);
+ header[11]=(rec->length)>>8;
+ header[12]=(rec->length)&0xff;
-
++
+ if (!send &&
+ EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
+ ssl3_cbc_record_digest_supported(hash))
@@ -1734,7 +1740,7 @@
+ hash,
+ md, &md_size,
+ header, rec->input,
-+ rec->length + md_size, rec->orig_len,
++ rec->length + md_size, orig_len,
+ ssl->s3->read_mac_secret,
+ EVP_MD_size(ssl->read_hash),
+ 0 /* not SSLv3 */);
@@ -1742,7 +1748,7 @@
+ else
+ {
+ unsigned mds;
-+
+
+ HMAC_Update(&hmac,header,sizeof(header));
+ HMAC_Update(&hmac,rec->input,rec->length);
+ HMAC_Final(&hmac,md,&mds);
@@ -1761,11 +1767,11 @@
#ifdef TLS_DEBUG
printf("sec=");
{unsigned int z; for (z=0; z<md_size; z++) printf("%02X ",mac_sec[z]); printf("\n"); }
-diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
-index 00b8286..d56456e 100644
---- a/ssl/t1_lib.c
-+++ b/ssl/t1_lib.c
-@@ -1012,7 +1012,7 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
+Index: openssl-0.9.8o/ssl/t1_lib.c
+===================================================================
+--- openssl-0.9.8o.orig/ssl/t1_lib.c 2013-02-11 20:43:18.000000000 +0100
++++ openssl-0.9.8o/ssl/t1_lib.c 2013-02-11 20:44:24.000000000 +0100
+@@ -966,7 +966,7 @@
HMAC_Update(&hctx, etick, eticklen);
HMAC_Final(&hctx, tick_hmac, NULL);
HMAC_CTX_cleanup(&hctx);
@@ -1774,11 +1780,11 @@
goto tickerr;
/* Attempt to decrypt session data */
/* Move p after IV to start of encrypted ticket, update length */
-diff --git a/util/libeay.num b/util/libeay.num
-index dd4c87e..46d3b83 100755
---- a/util/libeay.num
-+++ b/util/libeay.num
-@@ -3510,6 +3510,7 @@ BIO_get_callback_arg 3902 EXIST::FUNCTION:
+Index: openssl-0.9.8o/util/libeay.num
+===================================================================
+--- openssl-0.9.8o.orig/util/libeay.num 2010-03-25 13:17:16.000000000 +0100
++++ openssl-0.9.8o/util/libeay.num 2013-02-11 20:44:24.000000000 +0100
+@@ -3510,6 +3510,7 @@
BIO_set_callback 3903 EXIST::FUNCTION:
d2i_ASIdOrRange 3904 EXIST::FUNCTION:RFC3779
i2d_ASIdentifiers 3905 EXIST::FUNCTION:RFC3779
@@ -1786,496 +1792,11 @@
SEED_decrypt 3908 EXIST::FUNCTION:SEED
SEED_encrypt 3909 EXIST::FUNCTION:SEED
SEED_cbc_encrypt 3910 EXIST::FUNCTION:SEED
-diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c
-index 3f0f983..55765d1 100644
---- a/ssl/d1_pkt.c
-+++ b/ssl/d1_pkt.c
-@@ -330,8 +330,8 @@ dtls1_process_record(SSL *s)
- int i,al;
- int enc_err;
- SSL_SESSION *sess;
-- SSL3_RECORD *rr;
-- unsigned int mac_size;
-+ SSL3_RECORD *rr;
-+ unsigned int mac_size, orig_len;
- unsigned char md[EVP_MAX_MD_SIZE];
-
- rr= &(s->s3->rrec);
-@@ -362,7 +362,6 @@ dtls1_process_record(SSL *s)
-
- /* decrypt in place in 'rr->input' */
- rr->data=rr->input;
-- rr->orig_len=rr->length;
-
- enc_err = s->method->ssl3_enc->enc(s,0);
- /* enc_err is:
-@@ -394,15 +393,18 @@ printf("\n");
- mac_size=EVP_MD_size(s->read_hash);
- OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE);
-
-+ /* kludge: *_cbc_remove_padding passes padding length in rr->type */
-+ orig_len = rr->length+((unsigned int)rr->type>>8);
-+
- /* orig_len is the length of the record before any padding was
- * removed. This is public information, as is the MAC in use,
- * therefore we can safely process the record in a different
- * amount of time if it's too short to possibly contain a MAC.
- */
-- if (rr->orig_len < mac_size ||
-+ if (orig_len < mac_size ||
- /* CBC records must have a padding length byte too. */
- (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
-- rr->orig_len < mac_size+1))
-+ orig_len < mac_size+1))
- {
- al=SSL_AD_DECODE_ERROR;
- SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_LENGTH_TOO_SHORT);
-@@ -417,12 +419,12 @@ printf("\n");
- * without leaking the contents of the padding bytes.
- * */
- mac = mac_tmp;
-- ssl3_cbc_copy_mac(mac_tmp, rr, mac_size);
-+ ssl3_cbc_copy_mac(mac_tmp, rr, mac_size, orig_len);
- rr->length -= mac_size;
- }
- else
- {
-- /* In this case there's no padding, so |rec->orig_len|
-+ /* In this case there's no padding, so |orig_len|
- * equals |rec->length| and we checked that there's
- * enough bytes for |mac_size| above. */
- rr->length -= mac_size;
-diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c
-index 2ab7bfb..6b9b11b 100644
---- a/ssl/s3_cbc.c
-+++ b/ssl/s3_cbc.c
-@@ -76,6 +76,13 @@
- #define DUPLICATE_MSB_TO_ALL(x) ( (unsigned)( (int)(x) >> (sizeof(int)*8-1) ) )
- #define DUPLICATE_MSB_TO_ALL_8(x) ((unsigned char)(DUPLICATE_MSB_TO_ALL(x)))
-
-+/* constant_time_lt returns 0xff if a<b and 0x00 otherwise. */
-+static unsigned constant_time_lt(unsigned a, unsigned b)
-+ {
-+ a -= b;
-+ return DUPLICATE_MSB_TO_ALL(a);
-+ }
-+
- /* constant_time_ge returns 0xff if a>=b and 0x00 otherwise. */
- static unsigned constant_time_ge(unsigned a, unsigned b)
- {
-@@ -84,7 +91,7 @@ static unsigned constant_time_ge(unsigned a, unsigned b)
- }
-
- /* constant_time_eq_8 returns 0xff if a==b and 0x00 otherwise. */
--static unsigned char constant_time_eq_8(unsigned char a, unsigned char b)
-+static unsigned char constant_time_eq_8(unsigned a, unsigned b)
- {
- unsigned c = a ^ b;
- c--;
-@@ -116,7 +123,9 @@ int ssl3_cbc_remove_padding(const SSL* s,
- good = constant_time_ge(rec->length, padding_length+overhead);
- /* SSLv3 requires that the padding is minimal. */
- good &= constant_time_ge(block_size, padding_length+1);
-- rec->length -= good & (padding_length+1);
-+ padding_length = good & (padding_length+1);
-+ rec->length -= padding_length;
-+ rec->type |= padding_length<<8; /* kludge: pass padding length */
- return (int)((good & 1) | (~good & -1));
- }
-
-@@ -137,14 +146,21 @@ int tls1_cbc_remove_padding(const SSL* s,
- unsigned mac_size)
- {
- unsigned padding_length, good, to_check, i;
-- const char has_explicit_iv = s->version == DTLS1_VERSION;
-- const unsigned overhead = 1 /* padding length byte */ +
-- mac_size +
-- (has_explicit_iv ? block_size : 0);
--
-- /* These lengths are all public so we can test them in non-constant
-- * time. */
-- if (overhead > rec->length)
-+ const unsigned overhead = 1 /* padding length byte */ + mac_size;
-+ /* Check if version requires explicit IV */
-+ if (s->version == DTLS1_VERSION)
-+ {
-+ /* These lengths are all public so we can test them in
-+ * non-constant time.
-+ */
-+ if (overhead + block_size > rec->length)
-+ return 0;
-+ /* We can now safely skip explicit IV */
-+ rec->data += block_size;
-+ rec->input += block_size;
-+ rec->length -= block_size;
-+ }
-+ else if (overhead > rec->length)
- return 0;
-
- padding_length = rec->data[rec->length-1];
-@@ -202,31 +218,13 @@ int tls1_cbc_remove_padding(const SSL* s,
- good <<= sizeof(good)*8-1;
- good = DUPLICATE_MSB_TO_ALL(good);
-
-- rec->length -= good & (padding_length+1);
--
-- /* We can always safely skip the explicit IV. We check at the beginning
-- * of this function that the record has at least enough space for the
-- * IV, MAC and padding length byte. (These can be checked in
-- * non-constant time because it's all public information.) So, if the
-- * padding was invalid, then we didn't change |rec->length| and this is
-- * safe. If the padding was valid then we know that we have at least
-- * overhead+padding_length bytes of space and so this is still safe
-- * because overhead accounts for the explicit IV. */
-- if (has_explicit_iv)
-- {
-- rec->data += block_size;
-- rec->input += block_size;
-- rec->length -= block_size;
-- rec->orig_len -= block_size;
-- }
-+ padding_length = good & (padding_length+1);
-+ rec->length -= padding_length;
-+ rec->type |= padding_length<<8; /* kludge: pass padding length */
-
- return (int)((good & 1) | (~good & -1));
- }
-
--#if defined(_M_AMD64) || defined(__x86_64__)
--#define CBC_MAC_ROTATE_IN_PLACE
--#endif
--
- /* ssl3_cbc_copy_mac copies |md_size| bytes from the end of |rec| to |out| in
- * constant time (independent of the concrete value of rec->length, which may
- * vary within a 256-byte window).
-@@ -240,15 +238,18 @@ int tls1_cbc_remove_padding(const SSL* s,
- *
- * If CBC_MAC_ROTATE_IN_PLACE is defined then the rotation is performed with
- * variable accesses in a 64-byte-aligned buffer. Assuming that this fits into
-- * a single cache-line, then the variable memory accesses don't actually affect
-- * the timing. This has been tested to be true on Intel amd64 chips.
-+ * a single or pair of cache-lines, then the variable memory accesses don't
-+ * actually affect the timing. CPUs with smaller cache-lines [if any] are
-+ * not multi-core and are not considered vulnerable to cache-timing attacks.
- */
-+#define CBC_MAC_ROTATE_IN_PLACE
-+
- void ssl3_cbc_copy_mac(unsigned char* out,
- const SSL3_RECORD *rec,
-- unsigned md_size)
-+ unsigned md_size,unsigned orig_len)
- {
- #if defined(CBC_MAC_ROTATE_IN_PLACE)
-- unsigned char rotated_mac_buf[EVP_MAX_MD_SIZE*2];
-+ unsigned char rotated_mac_buf[64+EVP_MAX_MD_SIZE];
- unsigned char *rotated_mac;
- #else
- unsigned char rotated_mac[EVP_MAX_MD_SIZE];
-@@ -264,16 +265,16 @@ void ssl3_cbc_copy_mac(unsigned char* out,
- unsigned div_spoiler;
- unsigned rotate_offset;
-
-- OPENSSL_assert(rec->orig_len >= md_size);
-+ OPENSSL_assert(orig_len >= md_size);
- OPENSSL_assert(md_size <= EVP_MAX_MD_SIZE);
-
- #if defined(CBC_MAC_ROTATE_IN_PLACE)
-- rotated_mac = (unsigned char*) (((intptr_t)(rotated_mac_buf + 64)) & ~63);
-+ rotated_mac = rotated_mac_buf + ((0-(size_t)rotated_mac_buf)&63);
- #endif
-
- /* This information is public so it's safe to branch based on it. */
-- if (rec->orig_len > md_size + 255 + 1)
-- scan_start = rec->orig_len - (md_size + 255 + 1);
-+ if (orig_len > md_size + 255 + 1)
-+ scan_start = orig_len - (md_size + 255 + 1);
- /* div_spoiler contains a multiple of md_size that is used to cause the
- * modulo operation to be constant time. Without this, the time varies
- * based on the amount of padding when running on Intel chips at least.
-@@ -286,16 +287,13 @@ void ssl3_cbc_copy_mac(unsigned char* out,
- rotate_offset = (div_spoiler + mac_start - scan_start) % md_size;
-
- memset(rotated_mac, 0, md_size);
-- for (i = scan_start; i < rec->orig_len;)
-+ for (i = scan_start, j = 0; i < orig_len; i++)
- {
-- for (j = 0; j < md_size && i < rec->orig_len; i++, j++)
-- {
-- unsigned char mac_started = constant_time_ge(i, mac_start);
-- unsigned char mac_ended = constant_time_ge(i, mac_end);
-- unsigned char b = 0;
-- b = rec->data[i];
-- rotated_mac[j] |= b & mac_started & ~mac_ended;
-- }
-+ unsigned char mac_started = constant_time_ge(i, mac_start);
-+ unsigned char mac_ended = constant_time_ge(i, mac_end);
-+ unsigned char b = rec->data[i];
-+ rotated_mac[j++] |= b & mac_started & ~mac_ended;
-+ j &= constant_time_lt(j,md_size);
- }
-
- /* Now rotate the MAC */
-@@ -303,30 +301,43 @@ void ssl3_cbc_copy_mac(unsigned char* out,
- j = 0;
- for (i = 0; i < md_size; i++)
- {
-- unsigned char offset = (div_spoiler + rotate_offset + i) % md_size;
-- out[j++] = rotated_mac[offset];
-+ /* in case cache-line is 32 bytes, touch second line */
-+ ((volatile unsigned char *)rotated_mac)[rotate_offset^32];
-+ out[j++] = rotated_mac[rotate_offset++];
-+ rotate_offset &= constant_time_lt(rotate_offset,md_size);
- }
- #else
- memset(out, 0, md_size);
-+ rotate_offset = md_size - rotate_offset;
-+ rotate_offset &= constant_time_lt(rotate_offset,md_size);
- for (i = 0; i < md_size; i++)
- {
-- unsigned char offset = (div_spoiler + md_size - rotate_offset + i) % md_size;
- for (j = 0; j < md_size; j++)
-- out[j] |= rotated_mac[i] & constant_time_eq_8(j, offset);
-+ out[j] |= rotated_mac[i] & constant_time_eq_8(j, rotate_offset);
-+ rotate_offset++;
-+ rotate_offset &= constant_time_lt(rotate_offset,md_size);
- }
- #endif
- }
-
-+/* u32toLE serialises an unsigned, 32-bit number (n) as four bytes at (p) in
-+ * little-endian order. The value of p is advanced by four. */
-+#define u32toLE(n, p) \
-+ (*((p)++)=(unsigned char)(n), \
-+ *((p)++)=(unsigned char)(n>>8), \
-+ *((p)++)=(unsigned char)(n>>16), \
-+ *((p)++)=(unsigned char)(n>>24))
-+
- /* These functions serialize the state of a hash and thus perform the standard
- * "final" operation without adding the padding and length that such a function
- * typically does. */
- static void tls1_md5_final_raw(void* ctx, unsigned char *md_out)
- {
- MD5_CTX *md5 = ctx;
-- l2n(md5->A, md_out);
-- l2n(md5->B, md_out);
-- l2n(md5->C, md_out);
-- l2n(md5->D, md_out);
-+ u32toLE(md5->A, md_out);
-+ u32toLE(md5->B, md_out);
-+ u32toLE(md5->C, md_out);
-+ u32toLE(md5->D, md_out);
- }
-
- static void tls1_sha1_final_raw(void* ctx, unsigned char *md_out)
-@@ -446,6 +457,7 @@ void ssl3_cbc_digest_record(
- /* mdLengthSize is the number of bytes in the length field that terminates
- * the hash. */
- unsigned md_length_size = 8;
-+ char length_is_big_endian = 1;
-
- /* This is a, hopefully redundant, check that allows us to forget about
- * many possible overflows later in this function. */
-@@ -459,6 +471,7 @@ void ssl3_cbc_digest_record(
- md_transform = (void(*)(void *ctx, const unsigned char *block)) MD5_Transform;
- md_size = 16;
- sslv3_pad_length = 48;
-+ length_is_big_endian = 0;
- break;
- case NID_sha1:
- SHA1_Init((SHA_CTX*)md_state.c);
-@@ -599,11 +612,22 @@ void ssl3_cbc_digest_record(
- md_transform(md_state.c, hmac_pad);
- }
-
-- memset(length_bytes,0,md_length_size-4);
-- length_bytes[md_length_size-4] = (unsigned char)(bits>>24);
-- length_bytes[md_length_size-3] = (unsigned char)(bits>>16);
-- length_bytes[md_length_size-2] = (unsigned char)(bits>>8);
-- length_bytes[md_length_size-1] = (unsigned char)bits;
-+ if (length_is_big_endian)
-+ {
-+ memset(length_bytes,0,md_length_size-4);
-+ length_bytes[md_length_size-4] = (unsigned char)(bits>>24);
-+ length_bytes[md_length_size-3] = (unsigned char)(bits>>16);
-+ length_bytes[md_length_size-2] = (unsigned char)(bits>>8);
-+ length_bytes[md_length_size-1] = (unsigned char)bits;
-+ }
-+ else
-+ {
-+ memset(length_bytes,0,md_length_size);
-+ length_bytes[md_length_size-5] = (unsigned char)(bits>>24);
-+ length_bytes[md_length_size-6] = (unsigned char)(bits>>16);
-+ length_bytes[md_length_size-7] = (unsigned char)(bits>>8);
-+ length_bytes[md_length_size-8] = (unsigned char)bits;
-+ }
-
- if (k > 0)
- {
-diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c
-index 170953c..5d8f8ae 100644
---- a/ssl/s3_enc.c
-+++ b/ssl/s3_enc.c
-@@ -504,8 +504,6 @@ int ssl3_enc(SSL *s, int send)
-
- EVP_Cipher(ds,rec->data,rec->input,l);
-
-- rec->orig_len = rec->length;
--
- if (s->read_hash != NULL)
- mac_size = EVP_MD_size(s->read_hash);
-
-@@ -587,7 +585,7 @@ int ssl3_mac(SSL *ssl, unsigned char *md, int send)
- EVP_MD_CTX md_ctx;
- const EVP_MD *hash;
- unsigned char *p,rec_char;
-- size_t md_size;
-+ size_t md_size, orig_len;
- int npad;
-
- if (send)
-@@ -608,6 +606,10 @@ int ssl3_mac(SSL *ssl, unsigned char *md, int send)
- md_size=EVP_MD_size(hash);
- npad=(48/md_size)*md_size;
-
-+ /* kludge: ssl3_cbc_remove_padding passes padding length in rec->type */
-+ orig_len = rec->length+md_size+((unsigned int)rec->type>>8);
-+ rec->type &= 0xff;
-+
- if (!send &&
- EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
- ssl3_cbc_record_digest_supported(hash))
-@@ -639,7 +641,7 @@ int ssl3_mac(SSL *ssl, unsigned char *md, int send)
- hash,
- md, &md_size,
- header, rec->input,
-- rec->length + md_size, rec->orig_len,
-+ rec->length + md_size, orig_len,
- mac_sec, md_size,
- 1 /* is SSLv3 */);
- }
-diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
-index 6d0a2ee..ff54ab7 100644
---- a/ssl/s3_pkt.c
-+++ b/ssl/s3_pkt.c
-@@ -246,7 +246,7 @@ static int ssl3_get_record(SSL *s)
- unsigned char *p;
- unsigned char md[EVP_MAX_MD_SIZE];
- short version;
-- unsigned mac_size;
-+ unsigned mac_size, orig_len;
- size_t extra;
-
- rr= &(s->s3->rrec);
-@@ -351,7 +351,6 @@ again:
-
- /* decrypt in place in 'rr->input' */
- rr->data=rr->input;
-- rr->orig_len=rr->length;
-
- enc_err = s->method->ssl3_enc->enc(s,0);
- /* enc_err is:
-@@ -382,15 +381,18 @@ printf("\n");
- mac_size=EVP_MD_size(s->read_hash);
- OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE);
-
-+ /* kludge: *_cbc_remove_padding passes padding length in rr->type */
-+ orig_len = rr->length+((unsigned int)rr->type>>8);
-+
- /* orig_len is the length of the record before any padding was
- * removed. This is public information, as is the MAC in use,
- * therefore we can safely process the record in a different
- * amount of time if it's too short to possibly contain a MAC.
- */
-- if (rr->orig_len < mac_size ||
-+ if (orig_len < mac_size ||
- /* CBC records must have a padding length byte too. */
- (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
-- rr->orig_len < mac_size+1))
-+ orig_len < mac_size+1))
- {
- al=SSL_AD_DECODE_ERROR;
- SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_LENGTH_TOO_SHORT);
-@@ -405,12 +407,12 @@ printf("\n");
- * without leaking the contents of the padding bytes.
- * */
- mac = mac_tmp;
-- ssl3_cbc_copy_mac(mac_tmp, rr, mac_size);
-+ ssl3_cbc_copy_mac(mac_tmp, rr, mac_size, orig_len);
- rr->length -= mac_size;
- }
- else
- {
-- /* In this case there's no padding, so |rec->orig_len|
-+ /* In this case there's no padding, so |orig_len|
- * equals |rec->length| and we checked that there's
- * enough bytes for |mac_size| above. */
- rr->length -= mac_size;
-diff --git a/ssl/ssl3.h b/ssl/ssl3.h
-index 7709eff..b9a85ef 100644
---- a/ssl/ssl3.h
-+++ b/ssl/ssl3.h
-@@ -304,10 +304,6 @@ typedef struct ssl3_record_st
- /*r */ unsigned char *comp; /* only used with decompression - malloc()ed */
- /*r */ unsigned long epoch; /* epoch number, needed by DTLS1 */
- /*r */ PQ_64BIT seq_num; /* sequence number, needed by DTLS1 */
--/*rw*/ unsigned int orig_len; /* How many bytes were available before padding
-- was removed? This is used to implement the
-- MAC check in constant time for CBC records.
-- */
- } SSL3_RECORD;
-
- typedef struct ssl3_buffer_st
-diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
-index 57e9232..d4b642c 100644
---- a/ssl/ssl_locl.h
-+++ b/ssl/ssl_locl.h
-@@ -1015,7 +1015,7 @@ int ssl_parse_clienthello_renegotiate_ext(SSL *s, unsigned char *d, int len,
- /* s3_cbc.c */
- void ssl3_cbc_copy_mac(unsigned char* out,
- const SSL3_RECORD *rec,
-- unsigned md_size);
-+ unsigned md_size,unsigned orig_len);
- int ssl3_cbc_remove_padding(const SSL* s,
- SSL3_RECORD *rec,
- unsigned block_size,
-diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
-index e75a66b..3dd36b8 100644
---- a/ssl/t1_enc.c
-+++ b/ssl/t1_enc.c
-@@ -689,7 +689,7 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send)
- SSL3_RECORD *rec;
- unsigned char *mac_sec,*seq;
- const EVP_MD *hash;
-- size_t md_size;
-+ size_t md_size, orig_len;
- int i;
- HMAC_CTX hmac;
- unsigned char header[13];
-@@ -727,6 +727,10 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send)
- else
- memcpy(header, seq, 8);
-
-+ /* kludge: tls1_cbc_remove_padding passes padding length in rec->type */
-+ orig_len = rec->length+md_size+((unsigned int)rec->type>>8);
-+ rec->type &= 0xff;
-+
- header[8]=rec->type;
- header[9]=(unsigned char)(ssl->version>>8);
- header[10]=(unsigned char)(ssl->version);
-@@ -745,7 +749,7 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send)
- hash,
- md, &md_size,
- header, rec->input,
-- rec->length + md_size, rec->orig_len,
-+ rec->length + md_size, orig_len,
- ssl->s3->read_mac_secret,
- EVP_MD_size(ssl->read_hash),
- 0 /* not SSLv3 */);
-diff --git a/test/testssl b/test/testssl
-index 8ac90ae..4c7584a 100644
---- a/test/testssl
-+++ b/test/testssl
-@@ -119,6 +119,23 @@ $ssltest -bio_pair -server_auth -client_auth $CA $extra || exit 1
+Index: openssl-0.9.8o/test/testssl
+===================================================================
+--- openssl-0.9.8o.orig/test/testssl 2005-02-02 00:48:36.000000000 +0100
++++ openssl-0.9.8o/test/testssl 2013-02-11 20:44:24.000000000 +0100
+@@ -119,6 +119,23 @@
echo test sslv2/sslv3 with both client and server authentication via BIO pair and app verify
$ssltest -bio_pair -server_auth -client_auth -app_verify $CA $extra || exit 1
More information about the Pkg-openssl-changes
mailing list