Remove unused SSLv3 from ssl3_cbc_record_digest_supported().

From Markus Uhlin <markus.uhlin at bredband dot net> ok beck@ bcooK@
author: jsing <> 2016-11-06 17:21:04 +0000
committer: jsing <> 2016-11-06 17:21:04 +0000
commit: a7c1d6ee7eeba1971186270659e8111e6a109e82 (patch)
tree: 424c134bad58d437166ae1e55c8f2e29ae9c27c8 /src
parent: 7730a5f4a9fdc193de29b6010f94c160ddc06f9b (diff)
download: openbsd-a7c1d6ee7eeba1971186270659e8111e6a109e82.tar.gz
openbsd-a7c1d6ee7eeba1971186270659e8111e6a109e82.tar.bz2
openbsd-a7c1d6ee7eeba1971186270659e8111e6a109e82.zip
3 files changed, 33 insertions, 77 deletions
diff --git a/src/lib/libssl/s3_cbc.c b/src/lib/libssl/s3_cbc.c
index 414d493150..42aa4b8d4d 100644
--- a/src/lib/libssl/s3_cbc.c
+++ b/src/lib/libssl/s3_cbc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_cbc.c,v 1.12 2016/03/20 16:50:29 krw Exp $ */
+/* $OpenBSD: s3_cbc.c,v 1.13 2016/11/06 17:21:04 jsing Exp $ */
 /* ====================================================================
 * Copyright (c) 2012 The OpenSSL Project.  All rights reserved.
 *
@@ -349,7 +349,7 @@ ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx)
        }
 }
-/* ssl3_cbc_digest_record computes the MAC of a decrypted, padded SSLv3/TLS
+/* ssl3_cbc_digest_record computes the MAC of a decrypted, padded TLS
 * record.
 *
 *   ctx: the EVP_MD_CTX from which we take the hash function.
@@ -362,7 +362,6 @@ ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx)
 *     once the padding has been removed.
 *   data_plus_mac_plus_padding_size: the public length of the whole
 *     record, including padding.
- *   is_sslv3: non-zero if we are to use SSLv3. Otherwise, TLS.
 *
 * On entry: by virtue of having been through one of the remove_padding
 * functions, above, we know that data_plus_mac_size is large enough to contain
@@ -373,7 +372,7 @@ ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, unsigned char* md_out,
    size_t* md_out_size, const unsigned char header[13],
    const unsigned char *data, size_t data_plus_mac_size,
    size_t data_plus_mac_plus_padding_size, const unsigned char *mac_secret,
-    unsigned mac_secret_length, char is_sslv3)
+    unsigned mac_secret_length)
 {
        union { double align;
                unsigned char c[sizeof(LARGEST_DIGEST_CTX)];
@@ -381,7 +380,7 @@ ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, unsigned char* md_out,
        void (*md_final_raw)(void *ctx, unsigned char *md_out);
        void (*md_transform)(void *ctx, const unsigned char *block);
        unsigned md_size, md_block_size = 64;
-        unsigned sslv3_pad_length = 40, header_length, variance_blocks,
+        unsigned header_length, variance_blocks,
        len, max_mac_bytes, num_blocks,
        num_starting_blocks, k, mac_end_offset, c, index_a, index_b;
        unsigned int bits;      /* at most 18 bits */
@@ -407,7 +406,6 @@ ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, unsigned char* md_out,
                md_final_raw = tls1_md5_final_raw;
                md_transform = (void(*)(void *ctx, const unsigned char *block)) MD5_Transform;
                md_size = 16;
-                sslv3_pad_length = 48;
                length_is_big_endian = 0;
                break;
        case NID_sha1:
@@ -459,33 +457,20 @@ ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, unsigned char* md_out,
        OPENSSL_assert(md_size <= EVP_MAX_MD_SIZE);
        header_length = 13;
-        if (is_sslv3) {
-                header_length = mac_secret_length + sslv3_pad_length +
-                    8 /* sequence number */ +
-                    1 /* record type */ +
-                    2 /* record length */;
-        }
        /* variance_blocks is the number of blocks of the hash that we have to
         * calculate in constant time because they could be altered by the
         * padding value.
         *
-         * In SSLv3, the padding must be minimal so the end of the plaintext
-         * varies by, at most, 15+20 = 35 bytes. (We conservatively assume that
-         * the MAC size varies from 0..20 bytes.) In case the 9 bytes of hash
-         * termination (0x80 + 64-bit length) don't fit in the final block, we
-         * say that the final two blocks can vary based on the padding.
-         *
         * TLSv1 has MACs up to 48 bytes long (SHA-384) and the padding is not
         * required to be minimal. Therefore we say that the final six blocks
         * can vary based on the padding.
         *
         * Later in the function, if the message is short and there obviously
         * cannot be this many blocks then variance_blocks can be reduced. */
-        variance_blocks = is_sslv3 ? 2 : 6;
+        variance_blocks = 6;
        /* From now on we're dealing with the MAC, which conceptually has 13
-         * bytes of `header' before the start of the data (TLS) or 71/75 bytes
+         * bytes of `header' before the start of the data (TLS) */
-         * (SSLv3) */
        len = data_plus_mac_plus_padding_size + header_length;
        /* max_mac_bytes contains the maximum bytes of bytes in the MAC, including
        * |header|, assuming that there's no padding. */
@@ -515,30 +500,23 @@ ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, unsigned char* md_out,
         * length, in bits. */
        index_b = (mac_end_offset + md_length_size) / md_block_size;
        /* bits is the hash-length in bits. It includes the additional hash
-         * block for the masked HMAC key, or whole of |header| in the case of
+         * block for the masked HMAC key. */
-         * SSLv3. */
-        /* For SSLv3, if we're going to have any starting blocks then we need
+        if (num_blocks > variance_blocks) {
-         * at least two because the header is larger than a single block. */
-        if (num_blocks > variance_blocks + (is_sslv3 ? 1 : 0)) {
                num_starting_blocks = num_blocks - variance_blocks;
                k = md_block_size*num_starting_blocks;
        }
        bits = 8*mac_end_offset;
-        if (!is_sslv3) {
+        /* Compute the initial HMAC block. */
-                /* Compute the initial HMAC block. For SSLv3, the padding and
+        bits += 8*md_block_size;
-                 * secret bytes are included in |header| because they take more
+        memset(hmac_pad, 0, md_block_size);
-                 * than a single block. */
+        OPENSSL_assert(mac_secret_length <= sizeof(hmac_pad));
-                bits += 8*md_block_size;
+        memcpy(hmac_pad, mac_secret, mac_secret_length);
-                memset(hmac_pad, 0, md_block_size);
+        for (i = 0; i < md_block_size; i++)
-                OPENSSL_assert(mac_secret_length <= sizeof(hmac_pad));
+                hmac_pad[i] ^= 0x36;
-                memcpy(hmac_pad, mac_secret, mac_secret_length);
-                for (i = 0; i < md_block_size; i++)
+        md_transform(md_state.c, hmac_pad);
-                        hmac_pad[i] ^= 0x36;
-                md_transform(md_state.c, hmac_pad);
-        }
        if (length_is_big_endian) {
                memset(length_bytes, 0, md_length_size - 4);
@@ -555,26 +533,12 @@ ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, unsigned char* md_out,
        }
        if (k > 0) {
-                if (is_sslv3) {
+                /* k is a multiple of md_block_size. */
-                        /* The SSLv3 header is larger than a single block.
+                memcpy(first_block, header, 13);
-                         * overhang is the number of bytes beyond a single
+                memcpy(first_block + 13, data, md_block_size - 13);
-                         * block that the header consumes: either 7 bytes
+                md_transform(md_state.c, first_block);
-                         * (SHA1) or 11 bytes (MD5). */
+                for (i = 1; i < k/md_block_size; i++)
-                        unsigned overhang = header_length - md_block_size;
+                        md_transform(md_state.c, data + md_block_size*i - 13);
-                        md_transform(md_state.c, header);
-                        memcpy(first_block, header + md_block_size, overhang);
-                        memcpy(first_block + overhang, data, md_block_size - overhang);
-                        md_transform(md_state.c, first_block);
-                        for (i = 1; i < k/md_block_size - 1; i++)
-                                md_transform(md_state.c, data + md_block_size*i - overhang);
-                } else {
-                        /* k is a multiple of md_block_size. */
-                        memcpy(first_block, header, 13);
-                        memcpy(first_block + 13, data, md_block_size - 13);
-                        md_transform(md_state.c, first_block);
-                        for (i = 1; i < k/md_block_size; i++)
-                                md_transform(md_state.c, data + md_block_size*i - 13);
-                }
        }
        memset(mac_out, 0, sizeof(mac_out));
@@ -632,21 +596,14 @@ ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, unsigned char* md_out,
                EVP_MD_CTX_cleanup(&md_ctx);
                return 0;
        }
-        if (is_sslv3) {
-                /* We repurpose |hmac_pad| to contain the SSLv3 pad2 block. */
-                memset(hmac_pad, 0x5c, sslv3_pad_length);
-                EVP_DigestUpdate(&md_ctx, mac_secret, mac_secret_length);
+        /* Complete the HMAC in the standard manner. */
-                EVP_DigestUpdate(&md_ctx, hmac_pad, sslv3_pad_length);
+        for (i = 0; i < md_block_size; i++)
-                EVP_DigestUpdate(&md_ctx, mac_out, md_size);
+                hmac_pad[i] ^= 0x6a;
-        } else {
-                /* Complete the HMAC in the standard manner. */
+        EVP_DigestUpdate(&md_ctx, hmac_pad, md_block_size);
-                for (i = 0; i < md_block_size; i++)
+        EVP_DigestUpdate(&md_ctx, mac_out, md_size);
-                        hmac_pad[i] ^= 0x6a;
-                EVP_DigestUpdate(&md_ctx, hmac_pad, md_block_size);
-                EVP_DigestUpdate(&md_ctx, mac_out, md_size);
-        }
        EVP_DigestFinal(&md_ctx, md_out, &md_out_size_u);
        if (md_out_size)
                *md_out_size = md_out_size_u;
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index 4386f0f7e5..6c36795b1d 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.135 2016/11/05 08:26:36 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.136 2016/11/06 17:21:04 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -834,7 +834,7 @@ int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, unsigned char *md_out,
    size_t *md_out_size, const unsigned char header[13],
    const unsigned char *data, size_t data_plus_mac_size,
    size_t data_plus_mac_plus_padding_size, const unsigned char *mac_secret,
-    unsigned mac_secret_length, char is_sslv3);
+    unsigned mac_secret_length);
 __END_HIDDEN_DECLS
diff --git a/src/lib/libssl/t1_enc.c b/src/lib/libssl/t1_enc.c
index 6305a6ffb9..04219eb1b7 100644
--- a/src/lib/libssl/t1_enc.c
+++ b/src/lib/libssl/t1_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_enc.c,v 1.86 2016/11/03 08:15:22 jsing Exp $ */
+/* $OpenBSD: t1_enc.c,v 1.87 2016/11/06 17:21:04 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1242,8 +1242,7 @@ tls1_mac(SSL *ssl, unsigned char *md, int send)
                    md, &md_size, header, rec->input,
                    rec->length + md_size, orig_len,
                    ssl->s3->read_mac_secret,
-                    ssl->s3->read_mac_secret_size,
+                    ssl->s3->read_mac_secret_size))
-                    0 /* not SSLv3 */))
                        return -1;
        } else {
                EVP_DigestSignUpdate(mac_ctx, header, sizeof(header));
author	jsing <>	2016-11-06 17:21:04 +0000
committer	jsing <>	2016-11-06 17:21:04 +0000
commit	a7c1d6ee7eeba1971186270659e8111e6a109e82 (patch)
tree	424c134bad58d437166ae1e55c8f2e29ae9c27c8 /src
parent	7730a5f4a9fdc193de29b6010f94c160ddc06f9b (diff)
download	openbsd-a7c1d6ee7eeba1971186270659e8111e6a109e82.tar.gz openbsd-a7c1d6ee7eeba1971186270659e8111e6a109e82.tar.bz2 openbsd-a7c1d6ee7eeba1971186270659e8111e6a109e82.zip

diff --git a/src/lib/libssl/s3_cbc.c b/src/lib/libssl/s3_cbc.c index 414d493150..42aa4b8d4d 100644 --- a/src/lib/libssl/s3_cbc.c +++ b/src/lib/libssl/s3_cbc.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: s3_cbc.c,v 1.12 2016/03/20 16:50:29 krw Exp $ */	1	/* $OpenBSD: s3_cbc.c,v 1.13 2016/11/06 17:21:04 jsing Exp $ */
2	/* ====================================================================	2	/* ====================================================================
3	* Copyright (c) 2012 The OpenSSL Project. All rights reserved.	3	* Copyright (c) 2012 The OpenSSL Project. All rights reserved.
4	*	4	*
@@ -349,7 +349,7 @@ ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx)
349	}	349	}
350	}	350	}
351		351
352	/* ssl3_cbc_digest_record computes the MAC of a decrypted, padded SSLv3/TLS	352	/* ssl3_cbc_digest_record computes the MAC of a decrypted, padded TLS
353	* record.	353	* record.
354	*	354	*
355	* ctx: the EVP_MD_CTX from which we take the hash function.	355	* ctx: the EVP_MD_CTX from which we take the hash function.
@@ -362,7 +362,6 @@ ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx)
362	* once the padding has been removed.	362	* once the padding has been removed.
363	* data_plus_mac_plus_padding_size: the public length of the whole	363	* data_plus_mac_plus_padding_size: the public length of the whole
364	* record, including padding.	364	* record, including padding.
365	* is_sslv3: non-zero if we are to use SSLv3. Otherwise, TLS.
366	*	365	*
367	* On entry: by virtue of having been through one of the remove_padding	366	* On entry: by virtue of having been through one of the remove_padding
368	* functions, above, we know that data_plus_mac_size is large enough to contain	367	* functions, above, we know that data_plus_mac_size is large enough to contain
@@ -373,7 +372,7 @@ ssl3_cbc_digest_record(const EVP_MD_CTX ctx, unsigned char md_out,
373	size_t* md_out_size, const unsigned char header[13],	372	size_t* md_out_size, const unsigned char header[13],
374	const unsigned char *data, size_t data_plus_mac_size,	373	const unsigned char *data, size_t data_plus_mac_size,
375	size_t data_plus_mac_plus_padding_size, const unsigned char *mac_secret,	374	size_t data_plus_mac_plus_padding_size, const unsigned char *mac_secret,
376	unsigned mac_secret_length, char is_sslv3)	375	unsigned mac_secret_length)
377	{	376	{
378	union { double align;	377	union { double align;
379	unsigned char c[sizeof(LARGEST_DIGEST_CTX)];	378	unsigned char c[sizeof(LARGEST_DIGEST_CTX)];
@@ -381,7 +380,7 @@ ssl3_cbc_digest_record(const EVP_MD_CTX ctx, unsigned char md_out,
381	void (md_final_raw)(void ctx, unsigned char *md_out);	380	void (md_final_raw)(void ctx, unsigned char *md_out);
382	void (md_transform)(void ctx, const unsigned char *block);	381	void (md_transform)(void ctx, const unsigned char *block);
383	unsigned md_size, md_block_size = 64;	382	unsigned md_size, md_block_size = 64;
384	unsigned sslv3_pad_length = 40, header_length, variance_blocks,	383	unsigned header_length, variance_blocks,
385	len, max_mac_bytes, num_blocks,	384	len, max_mac_bytes, num_blocks,
386	num_starting_blocks, k, mac_end_offset, c, index_a, index_b;	385	num_starting_blocks, k, mac_end_offset, c, index_a, index_b;
387	unsigned int bits; /* at most 18 bits */	386	unsigned int bits; /* at most 18 bits */
@@ -407,7 +406,6 @@ ssl3_cbc_digest_record(const EVP_MD_CTX ctx, unsigned char md_out,
407	md_final_raw = tls1_md5_final_raw;	406	md_final_raw = tls1_md5_final_raw;
408	md_transform = (void()(void ctx, const unsigned char *block)) MD5_Transform;	407	md_transform = (void()(void ctx, const unsigned char *block)) MD5_Transform;
409	md_size = 16;	408	md_size = 16;
410	sslv3_pad_length = 48;
411	length_is_big_endian = 0;	409	length_is_big_endian = 0;
412	break;	410	break;
413	case NID_sha1:	411	case NID_sha1:
@@ -459,33 +457,20 @@ ssl3_cbc_digest_record(const EVP_MD_CTX ctx, unsigned char md_out,
459	OPENSSL_assert(md_size <= EVP_MAX_MD_SIZE);	457	OPENSSL_assert(md_size <= EVP_MAX_MD_SIZE);
460		458
461	header_length = 13;	459	header_length = 13;
462	if (is_sslv3) {
463	header_length = mac_secret_length + sslv3_pad_length +
464	8 /* sequence number */ +
465	1 /* record type */ +
466	2 /* record length */;
467	}
468		460
469	/* variance_blocks is the number of blocks of the hash that we have to	461	/* variance_blocks is the number of blocks of the hash that we have to
470	* calculate in constant time because they could be altered by the	462	* calculate in constant time because they could be altered by the
471	* padding value.	463	* padding value.
472	*	464	*
473	* In SSLv3, the padding must be minimal so the end of the plaintext
474	* varies by, at most, 15+20 = 35 bytes. (We conservatively assume that
475	* the MAC size varies from 0..20 bytes.) In case the 9 bytes of hash
476	* termination (0x80 + 64-bit length) don't fit in the final block, we
477	* say that the final two blocks can vary based on the padding.
478	*
479	* TLSv1 has MACs up to 48 bytes long (SHA-384) and the padding is not	465	* TLSv1 has MACs up to 48 bytes long (SHA-384) and the padding is not
480	* required to be minimal. Therefore we say that the final six blocks	466	* required to be minimal. Therefore we say that the final six blocks
481	* can vary based on the padding.	467	* can vary based on the padding.
482	*	468	*
483	* Later in the function, if the message is short and there obviously	469	* Later in the function, if the message is short and there obviously
484	* cannot be this many blocks then variance_blocks can be reduced. */	470	* cannot be this many blocks then variance_blocks can be reduced. */
485	variance_blocks = is_sslv3 ? 2 : 6;	471	variance_blocks = 6;
486	/* From now on we're dealing with the MAC, which conceptually has 13	472	/* From now on we're dealing with the MAC, which conceptually has 13
487	* bytes of `header' before the start of the data (TLS) or 71/75 bytes	473	* bytes of `header' before the start of the data (TLS) */
488	* (SSLv3) */
489	len = data_plus_mac_plus_padding_size + header_length;	474	len = data_plus_mac_plus_padding_size + header_length;
490	/* max_mac_bytes contains the maximum bytes of bytes in the MAC, including	475	/* max_mac_bytes contains the maximum bytes of bytes in the MAC, including
491	* \|header\|, assuming that there's no padding. */	476	* \|header\|, assuming that there's no padding. */
@@ -515,30 +500,23 @@ ssl3_cbc_digest_record(const EVP_MD_CTX ctx, unsigned char md_out,
515	* length, in bits. */	500	* length, in bits. */
516	index_b = (mac_end_offset + md_length_size) / md_block_size;	501	index_b = (mac_end_offset + md_length_size) / md_block_size;
517	/* bits is the hash-length in bits. It includes the additional hash	502	/* bits is the hash-length in bits. It includes the additional hash
518	* block for the masked HMAC key, or whole of \|header\| in the case of	503	* block for the masked HMAC key. */
519	* SSLv3. */
520		504
521	/* For SSLv3, if we're going to have any starting blocks then we need	505	if (num_blocks > variance_blocks) {
522	* at least two because the header is larger than a single block. */
523	if (num_blocks > variance_blocks + (is_sslv3 ? 1 : 0)) {
524	num_starting_blocks = num_blocks - variance_blocks;	506	num_starting_blocks = num_blocks - variance_blocks;
525	k = md_block_size*num_starting_blocks;	507	k = md_block_size*num_starting_blocks;
526	}	508	}
527		509
528	bits = 8*mac_end_offset;	510	bits = 8*mac_end_offset;
529	if (!is_sslv3) {	511	/* Compute the initial HMAC block. */
530	/* Compute the initial HMAC block. For SSLv3, the padding and	512	bits += 8*md_block_size;
531	* secret bytes are included in \|header\| because they take more	513	memset(hmac_pad, 0, md_block_size);
532	* than a single block. */	514	OPENSSL_assert(mac_secret_length <= sizeof(hmac_pad));
533	bits += 8*md_block_size;	515	memcpy(hmac_pad, mac_secret, mac_secret_length);
534	memset(hmac_pad, 0, md_block_size);	516	for (i = 0; i < md_block_size; i++)
535	OPENSSL_assert(mac_secret_length <= sizeof(hmac_pad));	517	hmac_pad[i] ^= 0x36;
536	memcpy(hmac_pad, mac_secret, mac_secret_length);	518
537	for (i = 0; i < md_block_size; i++)	519	md_transform(md_state.c, hmac_pad);
538	hmac_pad[i] ^= 0x36;
539
540	md_transform(md_state.c, hmac_pad);
541	}
542		520
543	if (length_is_big_endian) {	521	if (length_is_big_endian) {
544	memset(length_bytes, 0, md_length_size - 4);	522	memset(length_bytes, 0, md_length_size - 4);
@@ -555,26 +533,12 @@ ssl3_cbc_digest_record(const EVP_MD_CTX ctx, unsigned char md_out,
555	}	533	}
556		534
557	if (k > 0) {	535	if (k > 0) {
558	if (is_sslv3) {	536	/* k is a multiple of md_block_size. */
559	/* The SSLv3 header is larger than a single block.	537	memcpy(first_block, header, 13);
560	* overhang is the number of bytes beyond a single	538	memcpy(first_block + 13, data, md_block_size - 13);
561	* block that the header consumes: either 7 bytes	539	md_transform(md_state.c, first_block);
562	* (SHA1) or 11 bytes (MD5). */	540	for (i = 1; i < k/md_block_size; i++)
563	unsigned overhang = header_length - md_block_size;	541	md_transform(md_state.c, data + md_block_size*i - 13);
564	md_transform(md_state.c, header);
565	memcpy(first_block, header + md_block_size, overhang);
566	memcpy(first_block + overhang, data, md_block_size - overhang);
567	md_transform(md_state.c, first_block);
568	for (i = 1; i < k/md_block_size - 1; i++)
569	md_transform(md_state.c, data + md_block_size*i - overhang);
570	} else {
571	/* k is a multiple of md_block_size. */
572	memcpy(first_block, header, 13);
573	memcpy(first_block + 13, data, md_block_size - 13);
574	md_transform(md_state.c, first_block);
575	for (i = 1; i < k/md_block_size; i++)
576	md_transform(md_state.c, data + md_block_size*i - 13);
577	}
578	}	542	}
579		543
580	memset(mac_out, 0, sizeof(mac_out));	544	memset(mac_out, 0, sizeof(mac_out));
@@ -632,21 +596,14 @@ ssl3_cbc_digest_record(const EVP_MD_CTX ctx, unsigned char md_out,
632	EVP_MD_CTX_cleanup(&md_ctx);	596	EVP_MD_CTX_cleanup(&md_ctx);
633	return 0;	597	return 0;
634	}	598	}
635	if (is_sslv3) {
636	/* We repurpose \|hmac_pad\| to contain the SSLv3 pad2 block. */
637	memset(hmac_pad, 0x5c, sslv3_pad_length);
638		599
639	EVP_DigestUpdate(&md_ctx, mac_secret, mac_secret_length);	600	/* Complete the HMAC in the standard manner. */
640	EVP_DigestUpdate(&md_ctx, hmac_pad, sslv3_pad_length);	601	for (i = 0; i < md_block_size; i++)
641	EVP_DigestUpdate(&md_ctx, mac_out, md_size);	602	hmac_pad[i] ^= 0x6a;
642	} else {	603
643	/* Complete the HMAC in the standard manner. */	604	EVP_DigestUpdate(&md_ctx, hmac_pad, md_block_size);
644	for (i = 0; i < md_block_size; i++)	605	EVP_DigestUpdate(&md_ctx, mac_out, md_size);
645	hmac_pad[i] ^= 0x6a;
646		606
647	EVP_DigestUpdate(&md_ctx, hmac_pad, md_block_size);
648	EVP_DigestUpdate(&md_ctx, mac_out, md_size);
649	}
650	EVP_DigestFinal(&md_ctx, md_out, &md_out_size_u);	607	EVP_DigestFinal(&md_ctx, md_out, &md_out_size_u);
651	if (md_out_size)	608	if (md_out_size)
652	*md_out_size = md_out_size_u;	609	*md_out_size = md_out_size_u;


diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h index 4386f0f7e5..6c36795b1d 100644 --- a/src/lib/libssl/ssl_locl.h +++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_locl.h,v 1.135 2016/11/05 08:26:36 jsing Exp $ */	1	/* $OpenBSD: ssl_locl.h,v 1.136 2016/11/06 17:21:04 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -834,7 +834,7 @@ int ssl3_cbc_digest_record(const EVP_MD_CTX ctx, unsigned char md_out,
834	size_t *md_out_size, const unsigned char header[13],	834	size_t *md_out_size, const unsigned char header[13],
835	const unsigned char *data, size_t data_plus_mac_size,	835	const unsigned char *data, size_t data_plus_mac_size,
836	size_t data_plus_mac_plus_padding_size, const unsigned char *mac_secret,	836	size_t data_plus_mac_plus_padding_size, const unsigned char *mac_secret,
837	unsigned mac_secret_length, char is_sslv3);	837	unsigned mac_secret_length);
838		838
839	__END_HIDDEN_DECLS	839	__END_HIDDEN_DECLS
840		840


diff --git a/src/lib/libssl/t1_enc.c b/src/lib/libssl/t1_enc.c index 6305a6ffb9..04219eb1b7 100644 --- a/src/lib/libssl/t1_enc.c +++ b/src/lib/libssl/t1_enc.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: t1_enc.c,v 1.86 2016/11/03 08:15:22 jsing Exp $ */	1	/* $OpenBSD: t1_enc.c,v 1.87 2016/11/06 17:21:04 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -1242,8 +1242,7 @@ tls1_mac(SSL ssl, unsigned char md, int send)
1242	md, &md_size, header, rec->input,	1242	md, &md_size, header, rec->input,
1243	rec->length + md_size, orig_len,	1243	rec->length + md_size, orig_len,
1244	ssl->s3->read_mac_secret,	1244	ssl->s3->read_mac_secret,
1245	ssl->s3->read_mac_secret_size,	1245	ssl->s3->read_mac_secret_size))
1246	0 /* not SSLv3 */))
1247	return -1;	1246	return -1;
1248	} else {	1247	} else {
1249	EVP_DigestSignUpdate(mac_ctx, header, sizeof(header));	1248	EVP_DigestSignUpdate(mac_ctx, header, sizeof(header));