~ubuntu-branches/ubuntu/hardy/openssl/hardy-security

Viewing changes to ssl/s3_pkt.c

Committer: Package Import Robot
Author(s): Marc Deslauriers
Date: 2013-02-18 15:49:05 UTC
Revision ID: package-import@ubuntu.com-20130218154905-wk025r1lxtt4g4ug

Tags: 0.9.8g-4ubuntu3.20

* SECURITY UPDATE: denial of service via invalid OCSP key
  - http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=66e8211c0b1347970096e04b18aa52567c325200
  - CVE-2013-0166
* SECURITY UPDATE: "Lucky Thirteen" timing side-channel TLS attack
  - http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=270881316664396326c461ec7a124aec2c6cc081
  - http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=35a65e814beb899fa1c69a7673a8956c6059dce7
  - http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=a33e6702a0db1b9f4648d247b8b28a5c0e42ca13
  - http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=2928cb4c82d6516d9e65ede4901a5957d8c39c32
  - http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=b3a959a337b8083bc855623f24cebaf43a477350
  - http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=be88529753897c29c677d1becb321f0072c0659c
  - http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=99f5093347c65eecbd05f0668aea94b32fcf20d7
  - http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=24b28060975c01b749391778d13ec2ea1323a1aa
  - http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=924b11742296c13816a9f301e76fea023003920c
  - http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=c23a7458209e773ffcd42bdcfa5cf2564df86bd7
  - http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=1909df070fb5c5b87246a2de19c17588deba5818
  - http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=33ccde59a1ece0f68cc4b64e930001ab230725b1
  - http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=5f9345a2f0b592457fc4a619ac98ea59ffd394ba
  - http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=40e0de03955e218f45a7979cb46fba193f4e7fc2
  - http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=1213e6c3c2d7abeeb886d911a3c6c06c5da2e3a4
  - http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=ca3b81c8580a609edac1f13a3f62d4348d66c3a8
  - http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=6351adecb4726476def5f5ad904a7d2e63480d53
  - http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=fb092ef4fca897344daf7189526f5f26be6487ce
  - http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=59b1129e0a50fdf7e4e58d7c355783a7bfc1f44c
  - http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=4ea7019165db53b92b4284461c5c88bfe7c6e57d
  - http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=76c61a5d1adb92388f39e585e4af860a20feb9bb
  - http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=ff58eaa4b645a38f3a226cf566d969fffa64ef94
  - http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=5864fd2061f43dc8f89b5755f19bd2a35dec636c
  - http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=fbe621d08f2026926c91c1c5f386b27605e39a43
  - http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=a8655eb21a7f9a313db18daa6ccaed928fb6027c
  - CVE-2013-0169

Show diffs side-by-side

added added

removed removed

ssl/s3_pkt.c

237

unsigned char *p;

238

unsigned char md[EVP_MAX_MD_SIZE];

239

short version;

240

unsigned int mac_size;

241

int clear=0;

240

unsigned mac_size, orig_len;

242

241

size_t extra;

243

int decryption_failed_or_bad_record_mac = 0;

244

unsigned char *mac = NULL;

245

242

246

243

rr= &(s->s3->rrec);

247

244

sess=s->session;

347

344

rr->data=rr->input;

348

345

349

346

enc_err = s->method->ssl3_enc->enc(s,0);

350

if (enc_err <= 0)

347

/* enc_err is:

348

* 0: (in non-constant time) if the record is publically invalid.

349

* 1: if the padding is valid

350

* -1: if the padding is invalid */

351

if (enc_err == 0)

351

352

{

352

if (enc_err == 0)

353

/* SSLerr() and ssl3_send_alert() have been called */

354

goto err;

355

356

/* Otherwise enc_err == -1, which indicates bad padding

357

* (rec->length has not been changed in this case).

358

* To minimize information leaked via timing, we will perform

359

* the MAC computation anyway. */

360

decryption_failed_or_bad_record_mac = 1;

353

al=SSL_AD_DECRYPTION_FAILED;

354

SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);

355

goto f_err;

361

356

}

362

357

363

358

#ifdef TLS_DEBUG

367

362

#endif

368

363

369

364

/* r->length is now the compressed data plus mac */

370

if ( (sess == NULL) ||

371

(s->enc_read_ctx == NULL) ||

372

(s->read_hash == NULL))

373

clear=1;

374

375

if (!clear)

365

if ((sess != NULL) &&

366

(s->enc_read_ctx != NULL) &&

367

(s->read_hash != NULL))

376

368

{

369

/* s->read_hash != NULL => mac_size != -1 */

370

unsigned char *mac = NULL;

371

unsigned char mac_tmp[EVP_MAX_MD_SIZE];

377

372

mac_size=EVP_MD_size(s->read_hash);

378

373

OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE);

374

375

/* kludge: *_cbc_remove_padding passes padding length in rr->type */

376

orig_len = rr->length+((unsigned int)rr->type>>8);

377

378

/* orig_len is the length of the record before any padding was

379

* removed. This is public information, as is the MAC in use,

380

* therefore we can safely process the record in a different

381

* amount of time if it's too short to possibly contain a MAC.

382

383

if (orig_len < mac_size ||

384

/* CBC records must have a padding length byte too. */

385

(EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE &&

386

orig_len < mac_size+1))

387

{

388

al=SSL_AD_DECODE_ERROR;

389

SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_LENGTH_TOO_SHORT);

390

goto f_err;

391

}

392

393

if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE)

394

{

395

/* We update the length so that the TLS header bytes

396

* can be constructed correctly but we need to extract

397

* the MAC in constant time from within the record,

398

* without leaking the contents of the padding bytes.

399

* */

400

mac = mac_tmp;

401

ssl3_cbc_copy_mac(mac_tmp, rr, mac_size, orig_len);

402

rr->length -= mac_size;

403

}

404

else

405

{

406

/* In this case there's no padding, so |orig_len|

407

* equals |rec->length| and we checked that there's

408

* enough bytes for |mac_size| above. */

409

rr->length -= mac_size;

410

mac = &rr->data[rr->length];

411

}

412

413

i=s->method->ssl3_enc->mac(s,md,0 /* not send */);

414

if (i < 0 || mac == NULL || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0)

415

enc_err = -1;

379

416

if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+extra+mac_size)

380

{

381

#if 0 /* OK only for stream ciphers (then rr->length is visible from ciphertext anyway) */

382

al=SSL_AD_RECORD_OVERFLOW;

383

SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG);

384

goto f_err;

385

#else

386

decryption_failed_or_bad_record_mac = 1;

387

#endif

388

}

389

/* check the MAC for rr->input (it's in mac_size bytes at the tail) */

390

if (rr->length >= mac_size)

391

{

392

rr->length -= mac_size;

393

mac = &rr->data[rr->length];

394

}

395

else

396

{

397

/* record (minus padding) is too short to contain a MAC */

398

#if 0 /* OK only for stream ciphers */

399

al=SSL_AD_DECODE_ERROR;

400

SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_LENGTH_TOO_SHORT);

401

goto f_err;

402

#else

403

decryption_failed_or_bad_record_mac = 1;

404

rr->length = 0;

405

#endif

406

}

407

i=s->method->ssl3_enc->mac(s,md,0);

408

if (mac == NULL || memcmp(md, mac, mac_size) != 0)

409

{

410

decryption_failed_or_bad_record_mac = 1;

411

}

417

enc_err = -1;

412

418

}

413

419

414

if (decryption_failed_or_bad_record_mac)

420

if (enc_err < 0)

415

421

{

416

422

/* A separate 'decryption_failed' alert was introduced with TLS 1.0,

417

423

* SSL 3.0 only has 'bad_record_mac'. But unless a decryption

Older »