generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Make CBC decoding constant time.

Browse Source 
This patch makes the decoding of SSLv3 and TLS CBC records constant
time. Without this, a timing side-channel can be used to build a padding
oracle and mount Vaudenay's attack.

This patch also disables the stitched AESNI+SHA mode pending a similar
fix to that code.

In order to be easy to backport, this change is implemented in ssl/,
rather than as a generic AEAD mode. In the future this should be changed
around so that HMAC isn't in ssl/, but crypto/ as FIPS expects.
(cherry picked from commit e130841bccfc0bb9da254dc84e23bc6a1c78a64e)
This commit is contained in:
Ben Laurie 2013-01-28 17:31:49 +00:00 committed by Dr. Stephen Henson
parent f5cd3561ba
commit fb0a59cc58
9 changed files with 214 additions and 197 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
crypto/evp/c_allc.c
View File

@ -195,11 +195,13 @@ void OpenSSL_add_all_ciphers(void)
EVP_add_cipher(EVP_aes_256_xts()); EVP_add_cipher(EVP_aes_256_xts());
EVP_add_cipher_alias(SN_aes_256_cbc,"AES256"); EVP_add_cipher_alias(SN_aes_256_cbc,"AES256");
EVP_add_cipher_alias(SN_aes_256_cbc,"aes256"); EVP_add_cipher_alias(SN_aes_256_cbc,"aes256");
#if 0 /* Disabled because of timing side-channel leaks. */
#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1) #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
EVP_add_cipher(EVP_aes_128_cbc_hmac_sha1()); EVP_add_cipher(EVP_aes_128_cbc_hmac_sha1());
EVP_add_cipher(EVP_aes_256_cbc_hmac_sha1()); EVP_add_cipher(EVP_aes_256_cbc_hmac_sha1());
#endif #endif
#endif #endif
#endif
#ifndef OPENSSL_NO_CAMELLIA #ifndef OPENSSL_NO_CAMELLIA
EVP_add_cipher(EVP_camellia_128_ecb()); EVP_add_cipher(EVP_camellia_128_ecb());

4
ssl/Makefile
View File

@ -22,7 +22,7 @@ LIB=$(TOP)/libssl.a
SHARED_LIB= libssl$(SHLIB_EXT) SHARED_LIB= libssl$(SHLIB_EXT)
LIBSRC= \ LIBSRC= \
s2_meth.c s2_srvr.c s2_clnt.c s2_lib.c s2_enc.c s2_pkt.c \ s2_meth.c s2_srvr.c s2_clnt.c s2_lib.c s2_enc.c s2_pkt.c \
s3_meth.c s3_srvr.c s3_clnt.c s3_lib.c s3_enc.c s3_pkt.c s3_both.c \ s3_meth.c s3_srvr.c s3_clnt.c s3_lib.c s3_enc.c s3_pkt.c s3_both.c s3_cbc.c \
s23_meth.c s23_srvr.c s23_clnt.c s23_lib.c s23_pkt.c \ s23_meth.c s23_srvr.c s23_clnt.c s23_lib.c s23_pkt.c \
t1_meth.c t1_srvr.c t1_clnt.c t1_lib.c t1_enc.c \ t1_meth.c t1_srvr.c t1_clnt.c t1_lib.c t1_enc.c \
d1_meth.c d1_srvr.c d1_clnt.c d1_lib.c d1_pkt.c \ d1_meth.c d1_srvr.c d1_clnt.c d1_lib.c d1_pkt.c \
@ -33,7 +33,7 @@ LIBSRC= \
bio_ssl.c ssl_err.c kssl.c t1_reneg.c tls_srp.c t1_trce.c bio_ssl.c ssl_err.c kssl.c t1_reneg.c tls_srp.c t1_trce.c
LIBOBJ= \ LIBOBJ= \
s2_meth.o s2_srvr.o s2_clnt.o s2_lib.o s2_enc.o s2_pkt.o \ s2_meth.o s2_srvr.o s2_clnt.o s2_lib.o s2_enc.o s2_pkt.o \
s3_meth.o s3_srvr.o s3_clnt.o s3_lib.o s3_enc.o s3_pkt.o s3_both.o \ s3_meth.o s3_srvr.o s3_clnt.o s3_lib.o s3_enc.o s3_pkt.o s3_both.o s3_cbc.o \
s23_meth.o s23_srvr.o s23_clnt.o s23_lib.o s23_pkt.o \ s23_meth.o s23_srvr.o s23_clnt.o s23_lib.o s23_pkt.o \
t1_meth.o t1_srvr.o t1_clnt.o t1_lib.o t1_enc.o \ t1_meth.o t1_srvr.o t1_clnt.o t1_lib.o t1_enc.o \
d1_meth.o d1_srvr.o d1_clnt.o d1_lib.o d1_pkt.o \ d1_meth.o d1_srvr.o d1_clnt.o d1_lib.o d1_pkt.o \

49
ssl/d1_enc.c
View File

@ -131,15 +131,15 @@ int dtls1_enc(SSL *s, int send)
SSL3_RECORD *rec; SSL3_RECORD *rec;
EVP_CIPHER_CTX *ds; EVP_CIPHER_CTX *ds;
unsigned long l; unsigned long l;
int bs,i,ii,j,k,n=0; int bs,i,j,k,mac_size=0;
const EVP_CIPHER *enc; const EVP_CIPHER *enc;
if (send) if (send)
{ {
if (EVP_MD_CTX_md(s->write_hash)) if (EVP_MD_CTX_md(s->write_hash))
{ {
n=EVP_MD_CTX_size(s->write_hash); mac_size=EVP_MD_CTX_size(s->write_hash);
if (n < 0) if (mac_size < 0)
return -1; return -1;
} }
ds=s->enc_write_ctx; ds=s->enc_write_ctx;
@ -164,8 +164,8 @@ int dtls1_enc(SSL *s, int send)
{ {
if (EVP_MD_CTX_md(s->read_hash)) if (EVP_MD_CTX_md(s->read_hash))
{ {
n=EVP_MD_CTX_size(s->read_hash); mac_size=EVP_MD_CTX_size(s->read_hash);
if (n < 0) if (mac_size < 0)
return -1; return -1;
} }
ds=s->enc_read_ctx; ds=s->enc_read_ctx;
@ -245,44 +245,9 @@ int dtls1_enc(SSL *s, int send)
} }
#endif /* KSSL_DEBUG */ #endif /* KSSL_DEBUG */
rec->orig_len = rec->length;
if ((bs != 1) && !send) if ((bs != 1) && !send)
{ return tls1_cbc_remove_padding(s, rec, bs, mac_size);
ii=i=rec->data[l-1]; /* padding_length */
i++;
if (s->options&SSL_OP_TLS_BLOCK_PADDING_BUG)
{
/* First packet is even in size, so check */
if ((memcmp(s->s3->read_sequence,
"\0\0\0\0\0\0\0\0",8) == 0) && !(ii & 1))
s->s3->flags|=TLS1_FLAGS_TLS_PADDING_BUG;
if (s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG)
i--;
}
/* TLS 1.0 does not bound the number of padding bytes by the block size.
* All of them must have value 'padding_length'. */
if (i + bs > (int)rec->length)
{
/* Incorrect padding. SSLerr() and ssl3_alert are done
* by caller: we don't want to reveal whether this is
* a decryption error or a MAC verification failure
* (see http://www.openssl.org/~bodo/tls-cbc.txt)
*/
return -1;
}
for (j=(int)(l-i); j<(int)l; j++)
{
if (rec->data[j] != ii)
{
/* Incorrect padding */
return -1;
}
}
rec->length-=i;
rec->data += bs; /* skip the implicit IV */
rec->input += bs;
rec->length -= bs;
}
} }
return(1); return(1);
} }

102
ssl/s3_enc.c
View File

@ -492,7 +492,7 @@ int ssl3_enc(SSL *s, int send)
SSL3_RECORD *rec; SSL3_RECORD *rec;
EVP_CIPHER_CTX *ds; EVP_CIPHER_CTX *ds;
unsigned long l; unsigned long l;
int bs,i; int bs,i,mac_size=0;
const EVP_CIPHER *enc; const EVP_CIPHER *enc;
if (send) if (send)
@ -553,22 +553,12 @@ int ssl3_enc(SSL *s, int send)
EVP_Cipher(ds,rec->data,rec->input,l); EVP_Cipher(ds,rec->data,rec->input,l);
rec->orig_len = rec->length;
if (EVP_MD_CTX_md(s->read_hash) != NULL)
mac_size = EVP_MD_CTX_size(s->read_hash);
if ((bs != 1) && !send) if ((bs != 1) && !send)
{ return ssl3_cbc_remove_padding(s, rec, bs, mac_size);
i=rec->data[l-1]+1;
/* SSL 3.0 bounds the number of padding bytes by the block size;
* padding bytes (except the last one) are arbitrary */
if (i > bs)
{
/* Incorrect padding. SSLerr() and ssl3_alert are done
* by caller: we don't want to reveal whether this is
* a decryption error or a MAC verification failure
* (see http://www.openssl.org/~bodo/tls-cbc.txt) */
return -1;
}
/* now i <= bs <= rec->length */
rec->length-=i;
}
} }
return(1); return(1);
} }
@ -737,7 +727,7 @@ int n_ssl3_mac(SSL *ssl, unsigned char *md, int send)
EVP_MD_CTX md_ctx; EVP_MD_CTX md_ctx;
const EVP_MD_CTX *hash; const EVP_MD_CTX *hash;
unsigned char *p,rec_char; unsigned char *p,rec_char;
unsigned int md_size; size_t md_size;
int npad; int npad;
int t; int t;
@ -762,28 +752,68 @@ int n_ssl3_mac(SSL *ssl, unsigned char *md, int send)
md_size=t; md_size=t;
npad=(48/md_size)*md_size; npad=(48/md_size)*md_size;
/* Chop the digest off the end :-) */ if (!send &&
EVP_MD_CTX_init(&md_ctx); EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
ssl3_cbc_record_digest_supported(hash))
{
/* This is a CBC-encrypted record. We must avoid leaking any
* timing-side channel information about how many blocks of
* data we are hashing because that gives an attacker a
* timing-oracle. */
EVP_MD_CTX_copy_ex( &md_ctx,hash); /* npad is, at most, 48 bytes and that's with MD5:
EVP_DigestUpdate(&md_ctx,mac_sec,md_size); * 16 + 48 + 8 (sequence bytes) + 1 + 2 = 75.
EVP_DigestUpdate(&md_ctx,ssl3_pad_1,npad); *
EVP_DigestUpdate(&md_ctx,seq,8); * With SHA-1 (the largest hash speced for SSLv3) the hash size
rec_char=rec->type; * goes up 4, but npad goes down by 8, resulting in a smaller
EVP_DigestUpdate(&md_ctx,&rec_char,1); * total size. */
p=md; unsigned char header[75];
s2n(rec->length,p); unsigned j = 0;
EVP_DigestUpdate(&md_ctx,md,2); memcpy(header+j, mac_sec, md_size);
EVP_DigestUpdate(&md_ctx,rec->input,rec->length); j += md_size;
EVP_DigestFinal_ex( &md_ctx,md,NULL); memcpy(header+j, ssl3_pad_1, npad);
j += npad;
memcpy(header+j, seq, 8);
j += 8;
header[j++] = rec->type;
header[j++] = rec->length >> 8;
header[j++] = rec->length & 0xff;
EVP_MD_CTX_copy_ex( &md_ctx,hash); ssl3_cbc_digest_record(
EVP_DigestUpdate(&md_ctx,mac_sec,md_size); hash,
EVP_DigestUpdate(&md_ctx,ssl3_pad_2,npad); md, &md_size,
EVP_DigestUpdate(&md_ctx,md,md_size); header, rec->input,
EVP_DigestFinal_ex( &md_ctx,md,&md_size); rec->length + md_size, rec->orig_len,
mac_sec, md_size,
1 /* is SSLv3 */);
}
else
{
unsigned int md_size_u;
/* Chop the digest off the end :-) */
EVP_MD_CTX_init(&md_ctx);
EVP_MD_CTX_cleanup(&md_ctx); EVP_MD_CTX_copy_ex( &md_ctx,hash);
EVP_DigestUpdate(&md_ctx,mac_sec,md_size);
EVP_DigestUpdate(&md_ctx,ssl3_pad_1,npad);
EVP_DigestUpdate(&md_ctx,seq,8);
rec_char=rec->type;
EVP_DigestUpdate(&md_ctx,&rec_char,1);
p=md;
s2n(rec->length,p);
EVP_DigestUpdate(&md_ctx,md,2);
EVP_DigestUpdate(&md_ctx,rec->input,rec->length);
EVP_DigestFinal_ex( &md_ctx,md,NULL);
EVP_MD_CTX_copy_ex( &md_ctx,hash);
EVP_DigestUpdate(&md_ctx,mac_sec,md_size);
EVP_DigestUpdate(&md_ctx,ssl3_pad_2,npad);
EVP_DigestUpdate(&md_ctx,md,md_size);
EVP_DigestFinal_ex( &md_ctx,md,&md_size_u);
md_size = md_size_u;
EVP_MD_CTX_cleanup(&md_ctx);
}
ssl3_record_sequence_update(seq); ssl3_record_sequence_update(seq);
return(md_size); return(md_size);

82
ssl/s3_pkt.c
View File

@ -290,11 +290,9 @@ static int ssl3_get_record(SSL *s)
unsigned char *p; unsigned char *p;
unsigned char md[EVP_MAX_MD_SIZE]; unsigned char md[EVP_MAX_MD_SIZE];
short version; short version;
int mac_size; unsigned mac_size;
int clear=0; int clear=0;
size_t extra; size_t extra;
int decryption_failed_or_bad_record_mac = 0;
unsigned char *mac = NULL;
rr= &(s->s3->rrec); rr= &(s->s3->rrec);
sess=s->session; sess=s->session;
@ -405,17 +403,10 @@ fprintf(stderr, "Record type=%d, Length=%d\n", rr->type, rr->length);
rr->data=rr->input; rr->data=rr->input;
enc_err = s->method->ssl3_enc->enc(s,0); enc_err = s->method->ssl3_enc->enc(s,0);
if (enc_err <= 0) if (enc_err == 0)
{ {
if (enc_err == 0) /* SSLerr() and ssl3_send_alert() have been called */
/* SSLerr() and ssl3_send_alert() have been called */ goto err;
goto err;
/* Otherwise enc_err == -1, which indicates bad padding
* (rec->length has not been changed in this case).
* To minimize information leaked via timing, we will perform
* the MAC computation anyway. */
decryption_failed_or_bad_record_mac = 1;
} }
#ifdef TLS_DEBUG #ifdef TLS_DEBUG
@ -433,45 +424,54 @@ printf("\n");
if (!clear) if (!clear)
{ {
/* !clear => s->read_hash != NULL => mac_size != -1 */ /* !clear => s->read_hash != NULL => mac_size != -1 */
unsigned char *mac = NULL;
unsigned char mac_tmp[EVP_MAX_MD_SIZE];
mac_size=EVP_MD_CTX_size(s->read_hash); mac_size=EVP_MD_CTX_size(s->read_hash);
OPENSSL_assert(mac_size >= 0); OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE);
if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+extra+mac_size) /* orig_len is the length of the record before any padding was
* removed. This is public information, as is the MAC in use,
* therefore we can safely process the record in a different
* amount of time if it's too short to possibly contain a MAC.
*/
if (rr->orig_len < mac_size ||
/* CBC records must have a padding length byte too. */
(EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
rr->orig_len < mac_size+1))
{ {
#if 0 /* OK only for stream ciphers (then rr->length is visible from ciphertext anyway) */
al=SSL_AD_RECORD_OVERFLOW;
SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG);
goto f_err;
#else
decryption_failed_or_bad_record_mac = 1;
#endif
}
/* check the MAC for rr->input (it's in mac_size bytes at the tail) */
if (rr->length >= (unsigned int)mac_size)
{
rr->length -= mac_size;
mac = &rr->data[rr->length];
}
else
{
/* record (minus padding) is too short to contain a MAC */
#if 0 /* OK only for stream ciphers */
al=SSL_AD_DECODE_ERROR; al=SSL_AD_DECODE_ERROR;
SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_LENGTH_TOO_SHORT); SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_LENGTH_TOO_SHORT);
goto f_err; goto f_err;
#else
decryption_failed_or_bad_record_mac = 1;
rr->length = 0;
#endif
} }
i=s->method->ssl3_enc->mac(s,md,0);
if (i < 0 || mac == NULL || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0) if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE)
{ {
decryption_failed_or_bad_record_mac = 1; /* We update the length so that the TLS header bytes
* can be constructed correctly but we need to extract
* the MAC in constant time from within the record,
* without leaking the contents of the padding bytes.
* */
mac = mac_tmp;
ssl3_cbc_copy_mac(mac_tmp, rr, mac_size);
rr->length -= mac_size;
} }
else
{
/* In this case there's no padding, so |rec->orig_len|
* equals |rec->length| and we checked that there's
* enough bytes for |mac_size| above. */
rr->length -= mac_size;
mac = &rr->data[rr->length];
}
i=s->method->ssl3_enc->mac(s,md,0 /* not send */);
if (i < 0 || mac == NULL || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0)
enc_err = -1;
if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+extra+mac_size)
enc_err = -1;
} }
if (decryption_failed_or_bad_record_mac) if (enc_err < 0)
{ {
/* A separate 'decryption_failed' alert was introduced with TLS 1.0, /* A separate 'decryption_failed' alert was introduced with TLS 1.0,
* SSL 3.0 only has 'bad_record_mac'. But unless a decryption * SSL 3.0 only has 'bad_record_mac'. But unless a decryption

4
ssl/ssl3.h
View File

@ -372,6 +372,10 @@ typedef struct ssl3_record_st
/*r */ unsigned char *comp; /* only used with decompression - malloc()ed */ /*r */ unsigned char *comp; /* only used with decompression - malloc()ed */
/*r */ unsigned long epoch; /* epoch number, needed by DTLS1 */ /*r */ unsigned long epoch; /* epoch number, needed by DTLS1 */
/*r */ unsigned char seq_num[8]; /* sequence number, needed by DTLS1 */ /*r */ unsigned char seq_num[8]; /* sequence number, needed by DTLS1 */
/*rw*/ unsigned int orig_len; /* How many bytes were available before padding
was removed? This is used to implement the
MAC check in constant time for CBC records.
*/
} SSL3_RECORD; } SSL3_RECORD;
typedef struct ssl3_buffer_st typedef struct ssl3_buffer_st

3
ssl/ssl_algs.c
View File

@ -90,10 +90,13 @@ int SSL_library_init(void)
EVP_add_cipher(EVP_aes_256_cbc()); EVP_add_cipher(EVP_aes_256_cbc());
EVP_add_cipher(EVP_aes_128_gcm()); EVP_add_cipher(EVP_aes_128_gcm());
EVP_add_cipher(EVP_aes_256_gcm()); EVP_add_cipher(EVP_aes_256_gcm());
#if 0 /* Disabled because of timing side-channel leaks. */
#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1) #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
EVP_add_cipher(EVP_aes_128_cbc_hmac_sha1()); EVP_add_cipher(EVP_aes_128_cbc_hmac_sha1());
EVP_add_cipher(EVP_aes_256_cbc_hmac_sha1()); EVP_add_cipher(EVP_aes_256_cbc_hmac_sha1());
#endif #endif
#endif
#endif #endif
#ifndef OPENSSL_NO_CAMELLIA #ifndef OPENSSL_NO_CAMELLIA
EVP_add_cipher(EVP_camellia_128_cbc()); EVP_add_cipher(EVP_camellia_128_cbc());

34
ssl/ssl_locl.h
View File

@ -215,6 +215,15 @@
*((c)++)=(unsigned char)(((l)>> 8)&0xff), \ *((c)++)=(unsigned char)(((l)>> 8)&0xff), \
*((c)++)=(unsigned char)(((l) )&0xff)) *((c)++)=(unsigned char)(((l) )&0xff))
#define l2n8(l,c) (*((c)++)=(unsigned char)(((l)>>56)&0xff), \
*((c)++)=(unsigned char)(((l)>>48)&0xff), \
*((c)++)=(unsigned char)(((l)>>40)&0xff), \
*((c)++)=(unsigned char)(((l)>>32)&0xff), \
*((c)++)=(unsigned char)(((l)>>24)&0xff), \
*((c)++)=(unsigned char)(((l)>>16)&0xff), \
*((c)++)=(unsigned char)(((l)>> 8)&0xff), \
*((c)++)=(unsigned char)(((l) )&0xff))
#define n2l6(c,l) (l =((BN_ULLONG)(*((c)++)))<<40, \ #define n2l6(c,l) (l =((BN_ULLONG)(*((c)++)))<<40, \
l|=((BN_ULLONG)(*((c)++)))<<32, \ l|=((BN_ULLONG)(*((c)++)))<<32, \
l|=((BN_ULLONG)(*((c)++)))<<24, \ l|=((BN_ULLONG)(*((c)++)))<<24, \
@ -1265,4 +1274,29 @@ int ssl_parse_clienthello_use_srtp_ext(SSL *s, unsigned char *d, int len,int *al
int ssl_add_serverhello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int maxlen); int ssl_add_serverhello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int maxlen);
int ssl_parse_serverhello_use_srtp_ext(SSL *s, unsigned char *d, int len,int *al); int ssl_parse_serverhello_use_srtp_ext(SSL *s, unsigned char *d, int len,int *al);
/* s3_cbc.c */
void ssl3_cbc_copy_mac(unsigned char* out,
const SSL3_RECORD *rec,
unsigned md_size);
int ssl3_cbc_remove_padding(const SSL* s,
SSL3_RECORD *rec,
unsigned block_size,
unsigned mac_size);
int tls1_cbc_remove_padding(const SSL* s,
SSL3_RECORD *rec,
unsigned block_size,
unsigned mac_size);
char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx);
void ssl3_cbc_digest_record(
const EVP_MD_CTX *ctx,
unsigned char* md_out,
size_t* md_out_size,
const unsigned char header[13],
const unsigned char *data,
size_t data_plus_mac_size,
size_t data_plus_mac_plus_padding_size,
const unsigned char *mac_secret,
unsigned mac_secret_length,
char is_sslv3);
#endif #endif

131
ssl/t1_enc.c
View File

@ -696,7 +696,7 @@ int tls1_enc(SSL *s, int send)
SSL3_RECORD *rec; SSL3_RECORD *rec;
EVP_CIPHER_CTX *ds; EVP_CIPHER_CTX *ds;
unsigned long l; unsigned long l;
int bs,i,ii,j,k,pad=0; int bs,i,j,k,pad=0,ret,mac_size=0;
const EVP_CIPHER *enc; const EVP_CIPHER *enc;
if (send) if (send)
@ -753,11 +753,11 @@ int tls1_enc(SSL *s, int send)
printf("tls1_enc(%d)\n", send); printf("tls1_enc(%d)\n", send);
#endif /* KSSL_DEBUG */ #endif /* KSSL_DEBUG */
if ((s->session == NULL) || (ds == NULL) || if ((s->session == NULL) || (ds == NULL) || (enc == NULL))
(enc == NULL))
{ {
memmove(rec->data,rec->input,rec->length); memmove(rec->data,rec->input,rec->length);
rec->input=rec->data; rec->input=rec->data;
ret = 1;
} }
else else
{ {
@ -821,13 +821,13 @@ int tls1_enc(SSL *s, int send)
#ifdef KSSL_DEBUG #ifdef KSSL_DEBUG
{ {
unsigned long ui; unsigned long ui;
printf("EVP_Cipher(ds=%p,rec->data=%p,rec->input=%p,l=%ld) ==>\n", printf("EVP_Cipher(ds=%p,rec->data=%p,rec->input=%p,l=%ld) ==>\n",
ds,rec->data,rec->input,l); ds,rec->data,rec->input,l);
printf("\tEVP_CIPHER_CTX: %d buf_len, %d key_len [%d %d], %d iv_len\n", printf("\tEVP_CIPHER_CTX: %d buf_len, %d key_len [%d %d], %d iv_len\n",
ds->buf_len, ds->cipher->key_len, ds->buf_len, ds->cipher->key_len,
DES_KEY_SZ, DES_SCHEDULE_SZ, DES_KEY_SZ, DES_SCHEDULE_SZ,
ds->cipher->iv_len); ds->cipher->iv_len);
printf("\t\tIV: "); printf("\t\tIV: ");
for (i=0; i<ds->cipher->iv_len; i++) printf("%02X", ds->iv[i]); for (i=0; i<ds->cipher->iv_len; i++) printf("%02X", ds->iv[i]);
printf("\n"); printf("\n");
@ -863,68 +863,26 @@ int tls1_enc(SSL *s, int send)
#ifdef KSSL_DEBUG #ifdef KSSL_DEBUG
{ {
unsigned long i; unsigned long i;
printf("\trec->data="); printf("\trec->data=");
for (i=0; i<l; i++) for (i=0; i<l; i++)
printf(" %02x", rec->data[i]); printf("\n"); printf(" %02x", rec->data[i]); printf("\n");
} }
#endif /* KSSL_DEBUG */ #endif /* KSSL_DEBUG */
rec->orig_len = rec->length;
ret = 1;
if (EVP_MD_CTX_md(s->read_hash) != NULL)
mac_size = EVP_MD_CTX_size(s->read_hash);
if ((bs != 1) && !send) if ((bs != 1) && !send)
{ ret = tls1_cbc_remove_padding(s, rec, bs, mac_size);
ii=i=rec->data[l-1]; /* padding_length */
i++;
/* NB: if compression is in operation the first packet
* may not be of even length so the padding bug check
* cannot be performed. This bug workaround has been
* around since SSLeay so hopefully it is either fixed
* now or no buggy implementation supports compression
* [steve]
*/
if ( (s->options&SSL_OP_TLS_BLOCK_PADDING_BUG)
&& !s->expand)
{
/* First packet is even in size, so check */
if ((memcmp(s->s3->read_sequence,
"\0\0\0\0\0\0\0\0",8) == 0) && !(ii & 1))
s->s3->flags|=TLS1_FLAGS_TLS_PADDING_BUG;
if (s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG)
i--;
}
/* TLS 1.0 does not bound the number of padding bytes by the block size.
* All of them must have value 'padding_length'. */
if (i > (int)rec->length)
{
/* Incorrect padding. SSLerr() and ssl3_alert are done
* by caller: we don't want to reveal whether this is
* a decryption error or a MAC verification failure
* (see http://www.openssl.org/~bodo/tls-cbc.txt) */
return -1;
}
for (j=(int)(l-i); j<(int)l; j++)
{
if (rec->data[j] != ii)
{
/* Incorrect padding */
return -1;
}
}
rec->length -=i;
if (s->version >= TLS1_1_VERSION
&& EVP_CIPHER_CTX_mode(ds) == EVP_CIPH_CBC_MODE)
{
if (bs > (int)rec->length)
return -1;
rec->data += bs; /* skip the explicit IV */
rec->input += bs;
rec->length -= bs;
}
}
if (pad && !send) if (pad && !send)
rec->length -= pad; rec->length -= pad;
} }
return(1); return ret;
} }
int tls1_cert_verify_mac(SSL *s, int md_nid, unsigned char *out) int tls1_cert_verify_mac(SSL *s, int md_nid, unsigned char *out)
{ {
unsigned int ret; unsigned int ret;
@ -1017,7 +975,7 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send)
size_t md_size; size_t md_size;
int i; int i;
EVP_MD_CTX hmac, *mac_ctx; EVP_MD_CTX hmac, *mac_ctx;
unsigned char buf[5]; unsigned char header[13];
int stream_mac = (send?(ssl->mac_flags & SSL_MAC_FLAG_WRITE_MAC_STREAM):(ssl->mac_flags&SSL_MAC_FLAG_READ_MAC_STREAM)); int stream_mac = (send?(ssl->mac_flags & SSL_MAC_FLAG_WRITE_MAC_STREAM):(ssl->mac_flags&SSL_MAC_FLAG_READ_MAC_STREAM));
int t; int t;
@ -1038,12 +996,6 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send)
OPENSSL_assert(t >= 0); OPENSSL_assert(t >= 0);
md_size=t; md_size=t;
buf[0]=rec->type;
buf[1]=(unsigned char)(ssl->version>>8);
buf[2]=(unsigned char)(ssl->version);
buf[3]=rec->length>>8;
buf[4]=rec->length&0xff;
/* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */ /* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */
if (stream_mac) if (stream_mac)
{ {
@ -1062,17 +1014,44 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send)
s2n(send?ssl->d1->w_epoch:ssl->d1->r_epoch, p); s2n(send?ssl->d1->w_epoch:ssl->d1->r_epoch, p);
memcpy (p,&seq[2],6); memcpy (p,&seq[2],6);
EVP_DigestSignUpdate(mac_ctx,dtlsseq,8); memcpy(header, dtlsseq, 8);
} }
else else
EVP_DigestSignUpdate(mac_ctx,seq,8); memcpy(header, seq, 8);
EVP_DigestSignUpdate(mac_ctx,buf,5); header[8]=rec->type;
EVP_DigestSignUpdate(mac_ctx,rec->input,rec->length); header[9]=(unsigned char)(ssl->version>>8);
t=EVP_DigestSignFinal(mac_ctx,md,&md_size); header[10]=(unsigned char)(ssl->version);
OPENSSL_assert(t > 0); header[11]=(rec->length)>>8;
header[12]=(rec->length)&0xff;
if (!send &&
EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
ssl3_cbc_record_digest_supported(mac_ctx))
{
/* This is a CBC-encrypted record. We must avoid leaking any
* timing-side channel information about how many blocks of
* data we are hashing because that gives an attacker a
* timing-oracle. */
ssl3_cbc_digest_record(
mac_ctx,
md, &md_size,
header, rec->input,
rec->length + md_size, rec->orig_len,
ssl->s3->read_mac_secret,
ssl->s3->read_mac_secret_size,
0 /* not SSLv3 */);
}
else
{
EVP_DigestSignUpdate(mac_ctx,header,sizeof(header));
EVP_DigestSignUpdate(mac_ctx,rec->input,rec->length);
t=EVP_DigestSignFinal(mac_ctx,md,&md_size);
OPENSSL_assert(t > 0);
}
if (!stream_mac) EVP_MD_CTX_cleanup(&hmac); if (!stream_mac)
EVP_MD_CTX_cleanup(&hmac);
#ifdef TLS_DEBUG #ifdef TLS_DEBUG
printf("sec="); printf("sec=");
{unsigned int z; for (z=0; z<md_size; z++) printf("%02X ",mac_sec[z]); printf("\n"); } {unsigned int z; for (z=0; z<md_size; z++) printf("%02X ",mac_sec[z]); printf("\n"); }