Commit fb092ef4 authored by Andy Polyakov's avatar Andy Polyakov Committed by Dr. Stephen Henson
Browse files

ssl/*: remove SSL3_RECORD->orig_len to restore binary compatibility. 

Kludge alert. This is arranged by passing padding length in unused
bits of SSL3_RECORD->type, so that orig_len can be reconstructed.
(cherry picked from commit 413cbfe6)
parent 6351adec

ssl/d1_pkt.c

+7 −7
Original line number Diff line number Diff line
@@ -331,7 +331,7 @@ dtls1_process_record(SSL *s) 
	int enc_err;

	SSL_SESSION *sess;

	SSL3_RECORD *rr;

	unsigned int mac_size;

	unsigned int mac_size, orig_len;

	unsigned char md[EVP_MAX_MD_SIZE];



	rr= &(s->s3->rrec);
@@ -362,7 +362,7 @@ dtls1_process_record(SSL *s) 


	/* decrypt in place in 'rr->input' */

	rr->data=rr->input;

	rr->orig_len=rr->length;

	orig_len=rr->length;



	enc_err = s->method->ssl3_enc->enc(s,0);

	/* enc_err is:
@@ -399,10 +399,10 @@ printf("\n"); 
		 * therefore we can safely process the record in a different

		 * amount of time if it's too short to possibly contain a MAC.

		 */

		if (rr->orig_len < mac_size ||

		if (orig_len < mac_size ||

		    /* CBC records must have a padding length byte too. */

		    (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE &&

		     rr->orig_len < mac_size+1))

		     orig_len < mac_size+1))

			{

			al=SSL_AD_DECODE_ERROR;

			SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_LENGTH_TOO_SHORT);
@@ -417,12 +417,12 @@ printf("\n"); 
			 * without leaking the contents of the padding bytes.

			 * */

			mac = mac_tmp;

			ssl3_cbc_copy_mac(mac_tmp, rr, mac_size);

			ssl3_cbc_copy_mac(mac_tmp, rr, mac_size, orig_len);

			rr->length -= mac_size;

			}

		else

			{

			/* In this case there's no padding, so |rec->orig_len|

			/* In this case there's no padding, so |orig_len|

			 * equals |rec->length| and we checked that there's

			 * enough bytes for |mac_size| above. */

			rr->length -= mac_size;

ssl/s3_cbc.c

+12 −9
Original line number Diff line number Diff line
@@ -116,7 +116,9 @@ int ssl3_cbc_remove_padding(const SSL* s, 
	good = constant_time_ge(rec->length, padding_length+overhead);

	/* SSLv3 requires that the padding is minimal. */

	good &= constant_time_ge(block_size, padding_length+1);

	rec->length -= good & (padding_length+1);

	padding_length = good & (padding_length+1);

	rec->length -= padding_length;

	rec->type |= padding_length<<8;	/* kludge: pass padding length */

	return (int)((good & 1) | (~good & -1));

}
@@ -202,7 +204,9 @@ int tls1_cbc_remove_padding(const SSL* s, 
	good <<= sizeof(good)*8-1;

	good = DUPLICATE_MSB_TO_ALL(good);



	rec->length -= good & (padding_length+1);

	padding_length = good & (padding_length+1);

	rec->length -= padding_length;

	rec->type |= padding_length<<8;	/* kludge: pass padding length */



	/* We can always safely skip the explicit IV. We check at the beginning

	 * of this function that the record has at least enough space for the
@@ -217,7 +221,6 @@ int tls1_cbc_remove_padding(const SSL* s, 
		rec->data += block_size;

		rec->input += block_size;

		rec->length -= block_size;

		rec->orig_len -= block_size;

		}



	return (int)((good & 1) | (~good & -1));
@@ -245,7 +248,7 @@ int tls1_cbc_remove_padding(const SSL* s, 
 */

void ssl3_cbc_copy_mac(unsigned char* out,

		       const SSL3_RECORD *rec,

		       unsigned md_size)

		       unsigned md_size,unsigned orig_len)

	{

#if defined(CBC_MAC_ROTATE_IN_PLACE)

	unsigned char rotated_mac_buf[EVP_MAX_MD_SIZE*2];
@@ -264,7 +267,7 @@ void ssl3_cbc_copy_mac(unsigned char* out, 
	unsigned div_spoiler;

	unsigned rotate_offset;



	OPENSSL_assert(rec->orig_len >= md_size);

	OPENSSL_assert(orig_len >= md_size);

	OPENSSL_assert(md_size <= EVP_MAX_MD_SIZE);



#if defined(CBC_MAC_ROTATE_IN_PLACE)
@@ -272,8 +275,8 @@ void ssl3_cbc_copy_mac(unsigned char* out, 
#endif



	/* This information is public so it's safe to branch based on it. */

	if (rec->orig_len > md_size + 255 + 1)

		scan_start = rec->orig_len - (md_size + 255 + 1);

	if (orig_len > md_size + 255 + 1)

		scan_start = orig_len - (md_size + 255 + 1);

	/* div_spoiler contains a multiple of md_size that is used to cause the

	 * modulo operation to be constant time. Without this, the time varies

	 * based on the amount of padding when running on Intel chips at least.
@@ -286,9 +289,9 @@ void ssl3_cbc_copy_mac(unsigned char* out, 
	rotate_offset = (div_spoiler + mac_start - scan_start) % md_size;



	memset(rotated_mac, 0, md_size);

	for (i = scan_start; i < rec->orig_len;)

	for (i = scan_start; i < orig_len;)

		{

		for (j = 0; j < md_size && i < rec->orig_len; i++, j++)

		for (j = 0; j < md_size && i < orig_len; i++, j++)

			{

			unsigned char mac_started = constant_time_ge(i, mac_start);

			unsigned char mac_ended = constant_time_ge(i, mac_end);

ssl/s3_enc.c

+6 −2
Original line number Diff line number Diff line
@@ -587,7 +587,7 @@ int ssl3_mac(SSL *ssl, unsigned char *md, int send) 
	EVP_MD_CTX md_ctx;

	const EVP_MD *hash;

	unsigned char *p,rec_char;

	size_t md_size;

	size_t md_size, orig_len;

	int npad;



	if (send)
@@ -608,6 +608,10 @@ int ssl3_mac(SSL *ssl, unsigned char *md, int send) 
	md_size=EVP_MD_size(hash);

	npad=(48/md_size)*md_size;



	/* kludge: ssl3_cbc_remove_padding passes padding length in rec->type */

	orig_len = rec->length+md_size+((unsigned int)rec->type>>8);

	rec->type &= 0xff;



	if (!send &&

	    EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE &&

	    ssl3_cbc_record_digest_supported(hash))
@@ -639,7 +643,7 @@ int ssl3_mac(SSL *ssl, unsigned char *md, int send) 
			hash,

			md, &md_size,

			header, rec->input,

			rec->length + md_size, rec->orig_len,

			rec->length + md_size, orig_len,

			mac_sec, md_size,

			1 /* is SSLv3 */);

		}

ssl/s3_pkt.c

+6 −6
Original line number Diff line number Diff line
@@ -246,7 +246,7 @@ static int ssl3_get_record(SSL *s) 
	unsigned char *p;

	unsigned char md[EVP_MAX_MD_SIZE];

	short version;

	unsigned mac_size;

	unsigned mac_size, orig_len;

	size_t extra;



	rr= &(s->s3->rrec);
@@ -351,7 +351,7 @@ again: 


	/* decrypt in place in 'rr->input' */

	rr->data=rr->input;

	rr->orig_len=rr->length;

	orig_len=rr->length;



	enc_err = s->method->ssl3_enc->enc(s,0);

	/* enc_err is:
@@ -387,10 +387,10 @@ printf("\n"); 
		 * therefore we can safely process the record in a different

		 * amount of time if it's too short to possibly contain a MAC.

		 */

		if (rr->orig_len < mac_size ||

		if (orig_len < mac_size ||

		    /* CBC records must have a padding length byte too. */

		    (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE &&

		     rr->orig_len < mac_size+1))

		     orig_len < mac_size+1))

			{

			al=SSL_AD_DECODE_ERROR;

			SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_LENGTH_TOO_SHORT);
@@ -405,12 +405,12 @@ printf("\n"); 
			 * without leaking the contents of the padding bytes.

			 * */

			mac = mac_tmp;

			ssl3_cbc_copy_mac(mac_tmp, rr, mac_size);

			ssl3_cbc_copy_mac(mac_tmp, rr, mac_size, orig_len);

			rr->length -= mac_size;

			}

		else

			{

			/* In this case there's no padding, so |rec->orig_len|

			/* In this case there's no padding, so |orig_len|

			 * equals |rec->length| and we checked that there's

			 * enough bytes for |mac_size| above. */

			rr->length -= mac_size;

ssl/ssl3.h

+0 −4
Original line number Diff line number Diff line
@@ -304,10 +304,6 @@ typedef struct ssl3_record_st 
/*r */	unsigned char *comp;    /* only used with decompression - malloc()ed */

/*r */  unsigned long epoch;    /* epoch number, needed by DTLS1 */

/*r */  PQ_64BIT seq_num;       /* sequence number, needed by DTLS1 */

/*rw*/	unsigned int orig_len;  /* How many bytes were available before padding

				   was removed? This is used to implement the

				   MAC check in constant time for CBC records.

				 */

	} SSL3_RECORD;



typedef struct ssl3_buffer_st