Import OpenSSL-1.0.1e.
authorPeter Avalos <pavalos@dragonflybsd.org>
Wed, 13 Feb 2013 17:15:43 +0000 (09:15 -0800)
committerPeter Avalos <pavalos@dragonflybsd.org>
Wed, 13 Feb 2013 17:15:43 +0000 (09:15 -0800)
o Corrected fix for CVE-2013-0169.

16 files changed:
crypto/openssl/CHANGES
crypto/openssl/FAQ
crypto/openssl/NEWS
crypto/openssl/README
crypto/openssl/apps/s_client.c
crypto/openssl/apps/s_server.c
crypto/openssl/crypto/evp/e_aes_cbc_hmac_sha1.c
crypto/openssl/crypto/opensslv.h
crypto/openssl/ssl/d1_pkt.c
crypto/openssl/ssl/d1_srtp.c
crypto/openssl/ssl/s3_cbc.c
crypto/openssl/ssl/s3_clnt.c
crypto/openssl/ssl/s3_pkt.c
crypto/openssl/ssl/s3_srvr.c
crypto/openssl/ssl/ssl_lib.c
crypto/openssl/ssl/t1_lib.c

index b7d36c2..ca82ad2 100644 (file)
@@ -2,6 +2,10 @@
  OpenSSL CHANGES
  _______________
 
+ Changes between 1.0.1d and 1.0.1e [11 Feb 2013]
+
+  *)
+
  Changes between 1.0.1c and 1.0.1d [5 Feb 2013]
 
   *) Make the decoding of SSLv3, TLS and DTLS CBC records constant time.
index fcd6e1a..35780f8 100644 (file)
@@ -83,11 +83,11 @@ OpenSSL  -  Frequently Asked Questions
 * Which is the current version of OpenSSL?
 
 The current version is available from <URL: http://www.openssl.org>.
-OpenSSL 1.0.1d was released on Feb 5th, 2013.
+OpenSSL 1.0.1e was released on Feb 11th, 2013.
 
 In addition to the current stable release, you can also access daily
 snapshots of the OpenSSL development version at <URL:
-ftp://ftp.openssl.org/snapshot/>, or get it by anonymous CVS access.
+ftp://ftp.openssl.org/snapshot/>, or get it by anonymous Git access.
 
 
 * Where is the documentation?
index a5ba7dd..0269f22 100644 (file)
@@ -5,6 +5,10 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
+  Major changes between OpenSSL 1.0.1d and OpenSSL 1.0.1e:
+
+      o Corrected fix for CVE-2013-0169
+
   Major changes between OpenSSL 1.0.1c and OpenSSL 1.0.1d:
 
       o Fix renegotiation in TLS 1.1, 1.2 by using the correct TLS version.
index 31bb2f0..ad2d90f 100644 (file)
@@ -1,5 +1,5 @@
 
- OpenSSL 1.0.1d 5 Feb 2013
+ OpenSSL 1.0.1e 11 Feb 2013
 
  Copyright (c) 1998-2011 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
  reason as to why that feature isn't implemented.
 
  Patches should be as up to date as possible, preferably relative to the
- current CVS or the last snapshot. They should follow the coding style of
+ current Git or the last snapshot. They should follow the coding style of
  OpenSSL and compile without warnings. Some of the core team developer targets
  can be used for testing purposes, (debug-steve64, debug-geoff etc). OpenSSL
  compiles on many varied platforms: try to ensure you only use portable
index 0248447..3ba6605 100644 (file)
@@ -362,7 +362,9 @@ static void sc_usage(void)
 # endif
 #endif
        BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
+#ifndef OPENSSL_NO_SRTP
        BIO_printf(bio_err," -use_srtp profiles - Offer SRTP key management with a colon-separated profile list\n");
+#endif
        BIO_printf(bio_err," -keymatexport label   - Export keying material using label\n");
        BIO_printf(bio_err," -keymatexportlen len  - Export len bytes of keying material (default 20)\n");
        }
@@ -502,7 +504,9 @@ static char * MS_CALLBACK ssl_give_srp_client_pwd_cb(SSL *s, void *arg)
        }
 
 #endif
+#ifndef OPENSSL_NO_SRTP
        char *srtp_profiles = NULL;
+#endif
 
 # ifndef OPENSSL_NO_NEXTPROTONEG
 /* This the context that we pass to next_proto_cb */
@@ -945,11 +949,13 @@ int MAIN(int argc, char **argv)
                        jpake_secret = *++argv;
                        }
 #endif
+#ifndef OPENSSL_NO_SRTP
                else if (strcmp(*argv,"-use_srtp") == 0)
                        {
                        if (--argc < 1) goto bad;
                        srtp_profiles = *(++argv);
                        }
+#endif
                else if (strcmp(*argv,"-keymatexport") == 0)
                        {
                        if (--argc < 1) goto bad;
@@ -1130,6 +1136,8 @@ bad:
                        BIO_printf(bio_c_out, "PSK key given or JPAKE in use, setting client callback\n");
                SSL_CTX_set_psk_client_callback(ctx, psk_client_cb);
                }
+#endif
+#ifndef OPENSSL_NO_SRTP
        if (srtp_profiles != NULL)
                SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles);
 #endif
@@ -2067,6 +2075,7 @@ static void print_stuff(BIO *bio, SSL *s, int full)
        }
 #endif
 
+#ifndef OPENSSL_NO_SRTP
        {
        SRTP_PROTECTION_PROFILE *srtp_profile=SSL_get_selected_srtp_profile(s);
  
@@ -2074,6 +2083,7 @@ static void print_stuff(BIO *bio, SSL *s, int full)
                BIO_printf(bio,"SRTP Extension negotiated, profile=%s\n",
                           srtp_profile->name);
        }
+#endif
  
        SSL_SESSION_print(bio,SSL_get_session(s));
        if (keymatexportlabel != NULL)
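Review bot: The `char *srtp_profiles = NULL;` that the second hunk wraps in `#ifndef OPENSSL_NO_SRTP` is still a non-static file-scope definition, whereas the matching definition this same commit guards in s_server.c is `static char *srtp_profiles = NULL;`. It appears to be used only within this file, so `static char *srtp_profiles = NULL;` would keep the symbol out of the link namespace and make the two apps consistent. The guard placement in the `bad:` hunk looks right: the existing `#endif` now closes the PSK block explicitly and the trailing `#endif` closes the new SRTP block. The enclosing functions extend beyond the hunks shown.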
index 4720c05..8198d7f 100644 (file)
@@ -556,7 +556,9 @@ static void sv_usage(void)
 # ifndef OPENSSL_NO_NEXTPROTONEG
        BIO_printf(bio_err," -nextprotoneg arg - set the advertised protocols for the NPN extension (comma-separated list)\n");
 # endif
+# ifndef OPENSSL_NO_SRTP
         BIO_printf(bio_err," -use_srtp profiles - Offer SRTP key management with a colon-separated profile list\n");
+# endif
 #endif
        BIO_printf(bio_err," -keymatexport label   - Export keying material using label\n");
        BIO_printf(bio_err," -keymatexportlen len  - Export len bytes of keying material (default 20)\n");
@@ -923,7 +925,9 @@ static char *jpake_secret = NULL;
 #ifndef OPENSSL_NO_SRP
        static srpsrvparm srp_callback_parm;
 #endif
+#ifndef OPENSSL_NO_SRTP
 static char *srtp_profiles = NULL;
+#endif
 
 int MAIN(int argc, char *argv[])
        {
@@ -1319,11 +1323,13 @@ int MAIN(int argc, char *argv[])
                        jpake_secret = *(++argv);
                        }
 #endif
+#ifndef OPENSSL_NO_SRTP
                else if (strcmp(*argv,"-use_srtp") == 0)
                        {
                        if (--argc < 1) goto bad;
                        srtp_profiles = *(++argv);
                        }
+#endif
                else if (strcmp(*argv,"-keymatexport") == 0)
                        {
                        if (--argc < 1) goto bad;
@@ -1549,8 +1555,10 @@ bad:
        else
                SSL_CTX_sess_set_cache_size(ctx,128);
 
+#ifndef OPENSSL_NO_SRTP
        if (srtp_profiles != NULL)
                SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles);
+#endif
 
 #if 0
        if (cipher == NULL) cipher=getenv("SSL_CIPHER");
@@ -2450,6 +2458,7 @@ static int init_ssl_connection(SSL *con)
                BIO_printf(bio_s_out, "\n");
                }
 #endif
+#ifndef OPENSSL_NO_SRTP
        {
        SRTP_PROTECTION_PROFILE *srtp_profile
          = SSL_get_selected_srtp_profile(con);
@@ -2458,6 +2467,7 @@ static int init_ssl_connection(SSL *con)
                BIO_printf(bio_s_out,"SRTP Extension negotiated, profile=%s\n",
                           srtp_profile->name);
        }
+#endif
        if (SSL_cache_hit(con)) BIO_printf(bio_s_out,"Reused session-id\n");
        if (SSL_ctrl(con,SSL_CTRL_GET_FLAGS,0,NULL) &
                TLS1_FLAGS_TLS_PADDING_BUG)
index b7aff44..483e04b 100644 (file)
@@ -244,7 +244,10 @@ static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                }
        } else {
                union { unsigned int  u[SHA_DIGEST_LENGTH/sizeof(unsigned int)];
-                       unsigned char c[SHA_DIGEST_LENGTH]; } mac;
+                       unsigned char c[32+SHA_DIGEST_LENGTH]; } mac, *pmac;
+
+               /* arrange cache line alignment */
+               pmac = (void *)(((size_t)mac.c+31)&((size_t)0-32));
 
                /* decrypt HMAC|padding at once */
                aesni_cbc_encrypt(in,out,len,
@@ -300,17 +303,21 @@ static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 
                        /* but pretend as if we hashed padded payload */
                        bitlen = key->md.Nl+(inp_len<<3);       /* at most 18 bits */
+#ifdef BSWAP
+                       bitlen = BSWAP(bitlen);
+#else
                        mac.c[0] = 0;
                        mac.c[1] = (unsigned char)(bitlen>>16);
                        mac.c[2] = (unsigned char)(bitlen>>8);
                        mac.c[3] = (unsigned char)bitlen;
                        bitlen = mac.u[0];
+#endif
 
-                       mac.u[0]=0;
-                       mac.u[1]=0;
-                       mac.u[2]=0;
-                       mac.u[3]=0;
-                       mac.u[4]=0;
+                       pmac->u[0]=0;
+                       pmac->u[1]=0;
+                       pmac->u[2]=0;
+                       pmac->u[3]=0;
+                       pmac->u[4]=0;
 
                        for (res=key->md.num, j=0;j<len;j++) {
                                size_t c = out[j];
@@ -325,11 +332,11 @@ static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                                data->u[SHA_LBLOCK-1] |= bitlen&mask;
                                sha1_block_data_order(&key->md,data,1);
                                mask &= 0-((j-inp_len-73)>>(sizeof(j)*8-1));
-                               mac.u[0] |= key->md.h0 & mask;
-                               mac.u[1] |= key->md.h1 & mask;
-                               mac.u[2] |= key->md.h2 & mask;
-                               mac.u[3] |= key->md.h3 & mask;
-                               mac.u[4] |= key->md.h4 & mask;
+                               pmac->u[0] |= key->md.h0 & mask;
+                               pmac->u[1] |= key->md.h1 & mask;
+                               pmac->u[2] |= key->md.h2 & mask;
+                               pmac->u[3] |= key->md.h3 & mask;
+                               pmac->u[4] |= key->md.h4 & mask;
                                res=0;
                        }
 
@@ -340,11 +347,11 @@ static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                                data->u[SHA_LBLOCK-1] |= bitlen&mask;
                                sha1_block_data_order(&key->md,data,1);
                                mask &= 0-((j-inp_len-73)>>(sizeof(j)*8-1));
-                               mac.u[0] |= key->md.h0 & mask;
-                               mac.u[1] |= key->md.h1 & mask;
-                               mac.u[2] |= key->md.h2 & mask;
-                               mac.u[3] |= key->md.h3 & mask;
-                               mac.u[4] |= key->md.h4 & mask;
+                               pmac->u[0] |= key->md.h0 & mask;
+                               pmac->u[1] |= key->md.h1 & mask;
+                               pmac->u[2] |= key->md.h2 & mask;
+                               pmac->u[3] |= key->md.h3 & mask;
+                               pmac->u[4] |= key->md.h4 & mask;
 
                                memset(data,0,SHA_CBLOCK);
                                j+=64;
@@ -352,32 +359,32 @@ static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                        data->u[SHA_LBLOCK-1] = bitlen;
                        sha1_block_data_order(&key->md,data,1);
                        mask = 0-((j-inp_len-73)>>(sizeof(j)*8-1));
-                       mac.u[0] |= key->md.h0 & mask;
-                       mac.u[1] |= key->md.h1 & mask;
-                       mac.u[2] |= key->md.h2 & mask;
-                       mac.u[3] |= key->md.h3 & mask;
-                       mac.u[4] |= key->md.h4 & mask;
+                       pmac->u[0] |= key->md.h0 & mask;
+                       pmac->u[1] |= key->md.h1 & mask;
+                       pmac->u[2] |= key->md.h2 & mask;
+                       pmac->u[3] |= key->md.h3 & mask;
+                       pmac->u[4] |= key->md.h4 & mask;
 
 #ifdef BSWAP
-                       mac.u[0] = BSWAP(mac.u[0]);
-                       mac.u[1] = BSWAP(mac.u[1]);
-                       mac.u[2] = BSWAP(mac.u[2]);
-                       mac.u[3] = BSWAP(mac.u[3]);
-                       mac.u[4] = BSWAP(mac.u[4]);
+                       pmac->u[0] = BSWAP(pmac->u[0]);
+                       pmac->u[1] = BSWAP(pmac->u[1]);
+                       pmac->u[2] = BSWAP(pmac->u[2]);
+                       pmac->u[3] = BSWAP(pmac->u[3]);
+                       pmac->u[4] = BSWAP(pmac->u[4]);
 #else
                        for (i=0;i<5;i++) {
-                               res = mac.u[i];
-                               mac.c[4*i+0]=(unsigned char)(res>>24);
-                               mac.c[4*i+1]=(unsigned char)(res>>16);
-                               mac.c[4*i+2]=(unsigned char)(res>>8);
-                               mac.c[4*i+3]=(unsigned char)res;
+                               res = pmac->u[i];
+                               pmac->c[4*i+0]=(unsigned char)(res>>24);
+                               pmac->c[4*i+1]=(unsigned char)(res>>16);
+                               pmac->c[4*i+2]=(unsigned char)(res>>8);
+                               pmac->c[4*i+3]=(unsigned char)res;
                        }
 #endif
                        len += SHA_DIGEST_LENGTH;
 #else
                        SHA1_Update(&key->md,out,inp_len);
                        res = key->md.num;
-                       SHA1_Final(mac.c,&key->md);
+                       SHA1_Final(pmac->c,&key->md);
 
                        {
                        unsigned int inp_blocks, pad_blocks;
@@ -393,8 +400,8 @@ static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                        }
 #endif
                        key->md = key->tail;
-                       SHA1_Update(&key->md,mac.c,SHA_DIGEST_LENGTH);
-                       SHA1_Final(mac.c,&key->md);
+                       SHA1_Update(&key->md,pmac->c,SHA_DIGEST_LENGTH);
+                       SHA1_Final(pmac->c,&key->md);
 
                        /* verify HMAC */
                        out += inp_len;
@@ -411,7 +418,7 @@ static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                                cmask = ((int)(j-off-SHA_DIGEST_LENGTH))>>(sizeof(int)*8-1);
                                res |= (c^pad)&~cmask;  /* ... and padding */
                                cmask &= ((int)(off-1-j))>>(sizeof(int)*8-1);
-                               res |= (c^mac.c[i])&cmask;
+                               res |= (c^pmac->c[i])&cmask;
                                i += 1&cmask;
                        }
                        maxpad -= SHA_DIGEST_LENGTH;
@@ -421,7 +428,7 @@ static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                        }
 #else
                        for (res=0,i=0;i<SHA_DIGEST_LENGTH;i++)
-                               res |= out[i]^mac.c[i];
+                               res |= out[i]^pmac->c[i];
                        res = 0-((0-res)>>(sizeof(res)*8-1));
                        ret &= (int)~res;
 
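Review bot: The new `/* arrange cache line alignment */` comment says what is done but not why, and the why is the security property of this change: later in this function the HMAC verification loop reads `pmac->c[i]` with an `i` advanced by the data-dependent `cmask`, so the SHA_DIGEST_LENGTH-byte MAC is placed inside one 32-byte-aligned region to keep those accesses from straddling a cache-line boundary and showing up as a timing difference. Suggest `/* 32-byte align the MAC: it is compared below at data-dependent offsets and must not straddle a cache line */`. The alignment expression round-trips the pointer through `size_t`; `uintptr_t` is the type intended for that if this file may rely on `<stdint.h>` (the project may avoid it for portability, so treat this as optional). Note also that `pmac` reads the `mac.c` char storage through the union type, an aliasing assumption that a short comment could acknowledge. aesni_cbc_hmac_sha1_cipher starts and ends outside the hunks shown.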
index dbea4ad..5bc8e53 100644 (file)
  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
  *  major minor fix final patch/beta)
  */
-#define OPENSSL_VERSION_NUMBER 0x1000104fL
+#define OPENSSL_VERSION_NUMBER 0x1000105fL
 #ifdef OPENSSL_FIPS
-#define OPENSSL_VERSION_TEXT   "OpenSSL 1.0.1d-fips 5 Feb 2013"
+#define OPENSSL_VERSION_TEXT   "OpenSSL 1.0.1e-fips 11 Feb 2013"
 #else
-#define OPENSSL_VERSION_TEXT   "OpenSSL 1.0.1d 5 Feb 2013"
+#define OPENSSL_VERSION_TEXT   "OpenSSL 1.0.1e 11 Feb 2013"
 #endif
 #define OPENSSL_VERSION_PTEXT  " part of " OPENSSL_VERSION_TEXT
 
index b0302a7..0bf87be 100644 (file)
@@ -410,7 +410,6 @@ dtls1_process_record(SSL *s)
 
        /* decrypt in place in 'rr->input' */
        rr->data=rr->input;
-       orig_len=rr->length;
 
        enc_err = s->method->ssl3_enc->enc(s,0);
        /* enc_err is:
@@ -442,6 +441,9 @@ printf("\n");
                mac_size=EVP_MD_CTX_size(s->read_hash);
                OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE);
 
+               /* kludge: *_cbc_remove_padding passes padding length in rr->type */
+               orig_len = rr->length+((unsigned int)rr->type>>8);
+
                /* orig_len is the length of the record before any padding was
                 * removed. This is public information, as is the MAC in use,
                 * therefore we can safely process the record in a different
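Review bot: The recovered `orig_len` now depends on `rr->type` carrying the padding length in its upper bits, and nothing in this hunk (or in the identical hunk in s3_pkt.c) masks `rr->type` back down to the content-type byte afterwards; if the later `rr->type` comparisons in this function and its callers are not masked elsewhere, a record with non-zero padding would no longer match its real type. That masking may well exist outside the hunk, so please confirm it, and otherwise add `rr->type &= 0xff;` once the MAC check no longer needs the padding length. Separately, deleting the unconditional `orig_len=rr->length;` leaves `orig_len` assigned only inside the MAC-processing branch; if it is read on the no-MAC path it is now uninitialized, which is worth a quick check. dtls1_process_record starts and ends outside the hunks shown.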
index 928935b..ab9c419 100644 (file)
   Copyright (C) 2011, RTFM, Inc.
 */
 
-#ifndef OPENSSL_NO_SRTP
-
 #include <stdio.h>
 #include <openssl/objects.h>
 #include "ssl_locl.h"
+
+#ifndef OPENSSL_NO_SRTP
+
 #include "srtp.h"
 
 
index 3c2c165..02edf3f 100644 (file)
 #define DUPLICATE_MSB_TO_ALL(x) ( (unsigned)( (int)(x) >> (sizeof(int)*8-1) ) )
 #define DUPLICATE_MSB_TO_ALL_8(x) ((unsigned char)(DUPLICATE_MSB_TO_ALL(x)))
 
+/* constant_time_lt returns 0xff if a<b and 0x00 otherwise. */
+static unsigned constant_time_lt(unsigned a, unsigned b)
+       {
+       a -= b;
+       return DUPLICATE_MSB_TO_ALL(a);
+       }
+
 /* constant_time_ge returns 0xff if a>=b and 0x00 otherwise. */
 static unsigned constant_time_ge(unsigned a, unsigned b)
        {
@@ -84,7 +91,7 @@ static unsigned constant_time_ge(unsigned a, unsigned b)
        }
 
 /* constant_time_eq_8 returns 0xff if a==b and 0x00 otherwise. */
-static unsigned char constant_time_eq_8(unsigned char a, unsigned char b)
+static unsigned char constant_time_eq_8(unsigned a, unsigned b)
        {
        unsigned c = a ^ b;
        c--;
@@ -139,31 +146,22 @@ int tls1_cbc_remove_padding(const SSL* s,
                            unsigned mac_size)
        {
        unsigned padding_length, good, to_check, i;
-       const char has_explicit_iv =
-               s->version >= TLS1_1_VERSION || s->version == DTLS1_VERSION;
-       const unsigned overhead = 1 /* padding length byte */ +
-                                 mac_size +
-                                 (has_explicit_iv ? block_size : 0);
-
-       /* These lengths are all public so we can test them in non-constant
-        * time. */
-       if (overhead > rec->length)
-               return 0;
-
-       /* We can always safely skip the explicit IV. We check at the beginning
-        * of this function that the record has at least enough space for the
-        * IV, MAC and padding length byte. (These can be checked in
-        * non-constant time because it's all public information.) So, if the
-        * padding was invalid, then we didn't change |rec->length| and this is
-        * safe. If the padding was valid then we know that we have at least
-        * overhead+padding_length bytes of space and so this is still safe
-        * because overhead accounts for the explicit IV. */
-       if (has_explicit_iv)
+       const unsigned overhead = 1 /* padding length byte */ + mac_size;
+       /* Check if version requires explicit IV */
+       if (s->version >= TLS1_1_VERSION || s->version == DTLS1_VERSION)
                {
+               /* These lengths are all public so we can test them in
+                * non-constant time.
+                */
+               if (overhead + block_size > rec->length)
+                       return 0;
+               /* We can now safely skip explicit IV */
                rec->data += block_size;
                rec->input += block_size;
                rec->length -= block_size;
                }
+       else if (overhead > rec->length)
+               return 0;
 
        padding_length = rec->data[rec->length-1];
 
@@ -190,7 +188,7 @@ int tls1_cbc_remove_padding(const SSL* s,
        if (EVP_CIPHER_flags(s->enc_read_ctx->cipher)&EVP_CIPH_FLAG_AEAD_CIPHER)
                {
                /* padding is already verified */
-               rec->length -= padding_length;
+               rec->length -= padding_length + 1;
                return 1;
                }
 
@@ -234,10 +232,6 @@ int tls1_cbc_remove_padding(const SSL* s,
        return (int)((good & 1) | (~good & -1));
        }
 
-#if defined(_M_AMD64) || defined(__x86_64__)
-#define CBC_MAC_ROTATE_IN_PLACE
-#endif
-
 /* ssl3_cbc_copy_mac copies |md_size| bytes from the end of |rec| to |out| in
  * constant time (independent of the concrete value of rec->length, which may
  * vary within a 256-byte window).
@@ -251,15 +245,18 @@ int tls1_cbc_remove_padding(const SSL* s,
  *
  * If CBC_MAC_ROTATE_IN_PLACE is defined then the rotation is performed with
  * variable accesses in a 64-byte-aligned buffer. Assuming that this fits into
- * a single cache-line, then the variable memory accesses don't actually affect
- * the timing. This has been tested to be true on Intel amd64 chips.
+ * a single or pair of cache-lines, then the variable memory accesses don't
+ * actually affect the timing. CPUs with smaller cache-lines [if any] are
+ * not multi-core and are not considered vulnerable to cache-timing attacks.
  */
+#define CBC_MAC_ROTATE_IN_PLACE
+
 void ssl3_cbc_copy_mac(unsigned char* out,
                       const SSL3_RECORD *rec,
                       unsigned md_size,unsigned orig_len)
        {
 #if defined(CBC_MAC_ROTATE_IN_PLACE)
-       unsigned char rotated_mac_buf[EVP_MAX_MD_SIZE*2];
+       unsigned char rotated_mac_buf[64+EVP_MAX_MD_SIZE];
        unsigned char *rotated_mac;
 #else
        unsigned char rotated_mac[EVP_MAX_MD_SIZE];
@@ -279,7 +276,7 @@ void ssl3_cbc_copy_mac(unsigned char* out,
        OPENSSL_assert(md_size <= EVP_MAX_MD_SIZE);
 
 #if defined(CBC_MAC_ROTATE_IN_PLACE)
-       rotated_mac = (unsigned char*) (((intptr_t)(rotated_mac_buf + 64)) & ~63);
+       rotated_mac = rotated_mac_buf + ((0-(size_t)rotated_mac_buf)&63);
 #endif
 
        /* This information is public so it's safe to branch based on it. */
@@ -297,16 +294,13 @@ void ssl3_cbc_copy_mac(unsigned char* out,
        rotate_offset = (div_spoiler + mac_start - scan_start) % md_size;
 
        memset(rotated_mac, 0, md_size);
-       for (i = scan_start; i < orig_len;)
+       for (i = scan_start, j = 0; i < orig_len; i++)
                {
-               for (j = 0; j < md_size && i < orig_len; i++, j++)
-                       {
-                       unsigned char mac_started = constant_time_ge(i, mac_start);
-                       unsigned char mac_ended = constant_time_ge(i, mac_end);
-                       unsigned char b = 0;
-                       b = rec->data[i];
-                       rotated_mac[j] |= b & mac_started & ~mac_ended;
-                       }
+               unsigned char mac_started = constant_time_ge(i, mac_start);
+               unsigned char mac_ended = constant_time_ge(i, mac_end);
+               unsigned char b = rec->data[i];
+               rotated_mac[j++] |= b & mac_started & ~mac_ended;
+               j &= constant_time_lt(j,md_size);
                }
 
        /* Now rotate the MAC */
@@ -314,30 +308,43 @@ void ssl3_cbc_copy_mac(unsigned char* out,
        j = 0;
        for (i = 0; i < md_size; i++)
                {
-               unsigned char offset = (div_spoiler + rotate_offset + i) % md_size;
-               out[j++] = rotated_mac[offset];
+               /* in case cache-line is 32 bytes, touch second line */
+               ((volatile unsigned char *)rotated_mac)[rotate_offset^32];
+               out[j++] = rotated_mac[rotate_offset++];
+               rotate_offset &= constant_time_lt(rotate_offset,md_size);
                }
 #else
        memset(out, 0, md_size);
+       rotate_offset = md_size - rotate_offset;
+       rotate_offset &= constant_time_lt(rotate_offset,md_size);
        for (i = 0; i < md_size; i++)
                {
-               unsigned char offset = (div_spoiler + md_size - rotate_offset + i) % md_size;
                for (j = 0; j < md_size; j++)
-                       out[j] |= rotated_mac[i] & constant_time_eq_8(j, offset);
+                       out[j] |= rotated_mac[i] & constant_time_eq_8(j, rotate_offset);
+               rotate_offset++;
+               rotate_offset &= constant_time_lt(rotate_offset,md_size);
                }
 #endif
        }
 
+/* u32toLE serialises an unsigned, 32-bit number (n) as four bytes at (p) in
+ * little-endian order. The value of p is advanced by four. */
+#define u32toLE(n, p) \
+       (*((p)++)=(unsigned char)(n), \
+        *((p)++)=(unsigned char)(n>>8), \
+        *((p)++)=(unsigned char)(n>>16), \
+        *((p)++)=(unsigned char)(n>>24))
+
 /* These functions serialize the state of a hash and thus perform the standard
  * "final" operation without adding the padding and length that such a function
  * typically does. */
 static void tls1_md5_final_raw(void* ctx, unsigned char *md_out)
        {
        MD5_CTX *md5 = ctx;
-       l2n(md5->A, md_out);
-       l2n(md5->B, md_out);
-       l2n(md5->C, md_out);
-       l2n(md5->D, md_out);
+       u32toLE(md5->A, md_out);
+       u32toLE(md5->B, md_out);
+       u32toLE(md5->C, md_out);
+       u32toLE(md5->D, md_out);
        }
 
 static void tls1_sha1_final_raw(void* ctx, unsigned char *md_out)
@@ -457,6 +464,7 @@ void ssl3_cbc_digest_record(
        /* mdLengthSize is the number of bytes in the length field that terminates
        * the hash. */
        unsigned md_length_size = 8;
+       char length_is_big_endian = 1;
 
        /* This is a, hopefully redundant, check that allows us to forget about
         * many possible overflows later in this function. */
@@ -470,6 +478,7 @@ void ssl3_cbc_digest_record(
                        md_transform = (void(*)(void *ctx, const unsigned char *block)) MD5_Transform;
                        md_size = 16;
                        sslv3_pad_length = 48;
+                       length_is_big_endian = 0;
                        break;
                case NID_sha1:
                        SHA1_Init((SHA_CTX*)md_state.c);
@@ -610,11 +619,22 @@ void ssl3_cbc_digest_record(
                md_transform(md_state.c, hmac_pad);
                }
 
-       memset(length_bytes,0,md_length_size-4);
-       length_bytes[md_length_size-4] = (unsigned char)(bits>>24);
-       length_bytes[md_length_size-3] = (unsigned char)(bits>>16);
-       length_bytes[md_length_size-2] = (unsigned char)(bits>>8);
-       length_bytes[md_length_size-1] = (unsigned char)bits;
+       if (length_is_big_endian)
+               {
+               memset(length_bytes,0,md_length_size-4);
+               length_bytes[md_length_size-4] = (unsigned char)(bits>>24);
+               length_bytes[md_length_size-3] = (unsigned char)(bits>>16);
+               length_bytes[md_length_size-2] = (unsigned char)(bits>>8);
+               length_bytes[md_length_size-1] = (unsigned char)bits;
+               }
+       else
+               {
+               memset(length_bytes,0,md_length_size);
+               length_bytes[md_length_size-5] = (unsigned char)(bits>>24);
+               length_bytes[md_length_size-6] = (unsigned char)(bits>>16);
+               length_bytes[md_length_size-7] = (unsigned char)(bits>>8);
+               length_bytes[md_length_size-8] = (unsigned char)bits;
+               }
 
        if (k > 0)
                {
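Review bot: The new `constant_time_lt` is documented as returning 0xff, but `DUPLICATE_MSB_TO_ALL` produces an `unsigned` with every bit set, and the new callers (`j &= constant_time_lt(j,md_size)` in ssl3_cbc_copy_mac and the three `rotate_offset &= constant_time_lt(...)` masks) rely on that full-width mask; the existing `constant_time_ge` comment carries the same inaccuracy. Suggest `/* constant_time_lt returns ~0u (all bits set) if a<b and 0 otherwise. */` and the same wording for `constant_time_ge`. In the new `u32toLE` macro the argument `n` is used unparenthesized in `n>>8`, `n>>16` and `n>>24`; the current callers pass plain struct members so it is harmless today, but `((n)>>8)` and so on would make the macro safe for expression arguments. ssl3_cbc_copy_mac, tls1_cbc_remove_padding and ssl3_cbc_digest_record all extend beyond the hunks shown.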
index 7b4bc63..344e2eb 100644 (file)
@@ -986,7 +986,10 @@ int ssl3_get_server_hello(SSL *s)
         * client authentication.
         */
        if (TLS1_get_version(s) < TLS1_2_VERSION && !ssl3_digest_cached_records(s))
+               {
+               al = SSL_AD_INTERNAL_ERROR;
                goto f_err;
+               }
        /* lets get the compression algorithm */
        /* COMPRESSION */
 #ifdef OPENSSL_NO_COMP
index bf8da98..804291e 100644 (file)
@@ -398,7 +398,6 @@ fprintf(stderr, "Record type=%d, Length=%d\n", rr->type, rr->length);
 
        /* decrypt in place in 'rr->input' */
        rr->data=rr->input;
-       orig_len=rr->length;
 
        enc_err = s->method->ssl3_enc->enc(s,0);
        /* enc_err is:
@@ -429,6 +428,9 @@ printf("\n");
                mac_size=EVP_MD_CTX_size(s->read_hash);
                OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE);
 
+               /* kludge: *_cbc_remove_padding passes padding length in rr->type */
+               orig_len = rr->length+((unsigned int)rr->type>>8);
+
                /* orig_len is the length of the record before any padding was
                 * removed. This is public information, as is the MAC in use,
                 * therefore we can safely process the record in a different
index 5e10070..bfb8480 100644 (file)
@@ -1391,7 +1391,10 @@ int ssl3_get_client_hello(SSL *s)
        if (TLS1_get_version(s) < TLS1_2_VERSION || !(s->verify_mode & SSL_VERIFY_PEER))
                {
                if (!ssl3_digest_cached_records(s))
+                       {
+                       al = SSL_AD_INTERNAL_ERROR;
                        goto f_err;
+                       }
                }
        
        /* we now have the following setup. 
index 1a14c42..14d143d 100644 (file)
@@ -597,8 +597,10 @@ void SSL_free(SSL *s)
                OPENSSL_free(s->next_proto_negotiated);
 #endif
 
+#ifndef OPENSSL_NO_SRTP
         if (s->srtp_profiles)
             sk_SRTP_PROTECTION_PROFILE_free(s->srtp_profiles);
+#endif
 
        OPENSSL_free(s);
        }
@@ -1952,8 +1954,10 @@ void SSL_CTX_free(SSL_CTX *a)
        a->comp_methods = NULL;
 #endif
 
+#ifndef OPENSSL_NO_SRTP
         if (a->srtp_profiles)
                 sk_SRTP_PROTECTION_PROFILE_free(a->srtp_profiles);
+#endif
 
 #ifndef OPENSSL_NO_PSK
        if (a->psk_identity_hint)
index 27010dd..e08088c 100644 (file)
@@ -649,6 +649,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
                }
 #endif
 
+#ifndef OPENSSL_NO_SRTP
         if(SSL_get_srtp_profiles(s))
                 {
                 int el;
@@ -667,6 +668,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
                        }
                 ret += el;
                 }
+#endif
 
        if ((extdatalen = ret-p-2)== 0) 
                return p;
@@ -781,6 +783,7 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha
                }
 #endif
 
+#ifndef OPENSSL_NO_SRTP
         if(s->srtp_profile)
                 {
                 int el;
@@ -799,6 +802,7 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha
                        }
                 ret+=el;
                 }
+#endif
 
        if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81) 
                && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG))
@@ -1329,12 +1333,14 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
 #endif
 
                /* session ticket processed earlier */
+#ifndef OPENSSL_NO_SRTP
                else if (type == TLSEXT_TYPE_use_srtp)
-                        {
+                       {
                        if(ssl_parse_clienthello_use_srtp_ext(s, data, size,
                                                              al))
                                return 0;
-                        }
+                       }
+#endif
 
                data+=size;
                }
@@ -1529,7 +1535,7 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
                        unsigned char selected_len;
 
                        /* We must have requested it. */
-                       if ((s->ctx->next_proto_select_cb == NULL))
+                       if (s->ctx->next_proto_select_cb == NULL)
                                {
                                *al = TLS1_AD_UNSUPPORTED_EXTENSION;
                                return 0;
@@ -1579,12 +1585,14 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
                                }
                        }
 #endif
+#ifndef OPENSSL_NO_SRTP
                else if (type == TLSEXT_TYPE_use_srtp)
-                        {
+                       {
                         if(ssl_parse_serverhello_use_srtp_ext(s, data, size,
                                                              al))
                                 return 0;
-                        }
+                       }
+#endif
 
                data+=size;             
                }