From 89a62bf3aa4e239ea23e1626223425e9f85dfd97 Mon Sep 17 00:00:00 2001 From: jsing <> Date: Sun, 6 Nov 2016 17:21:04 +0000 Subject: Remove unused SSLv3 from ssl3_cbc_record_digest_supported(). From Markus Uhlin ok beck@ bcooK@ --- src/lib/libssl/s3_cbc.c | 101 +++++++++++++--------------------------------- src/lib/libssl/ssl_locl.h | 4 +- src/lib/libssl/t1_enc.c | 5 +-- 3 files changed, 33 insertions(+), 77 deletions(-) diff --git a/src/lib/libssl/s3_cbc.c b/src/lib/libssl/s3_cbc.c index 414d493150..42aa4b8d4d 100644 --- a/src/lib/libssl/s3_cbc.c +++ b/src/lib/libssl/s3_cbc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s3_cbc.c,v 1.12 2016/03/20 16:50:29 krw Exp $ */ +/* $OpenBSD: s3_cbc.c,v 1.13 2016/11/06 17:21:04 jsing Exp $ */ /* ==================================================================== * Copyright (c) 2012 The OpenSSL Project. All rights reserved. * @@ -349,7 +349,7 @@ ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx) } } -/* ssl3_cbc_digest_record computes the MAC of a decrypted, padded SSLv3/TLS +/* ssl3_cbc_digest_record computes the MAC of a decrypted, padded TLS * record. * * ctx: the EVP_MD_CTX from which we take the hash function. @@ -362,7 +362,6 @@ ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx) * once the padding has been removed. * data_plus_mac_plus_padding_size: the public length of the whole * record, including padding. - * is_sslv3: non-zero if we are to use SSLv3. Otherwise, TLS. * * On entry: by virtue of having been through one of the remove_padding * functions, above, we know that data_plus_mac_size is large enough to contain @@ -373,7 +372,7 @@ ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, unsigned char* md_out, size_t* md_out_size, const unsigned char header[13], const unsigned char *data, size_t data_plus_mac_size, size_t data_plus_mac_plus_padding_size, const unsigned char *mac_secret, - unsigned mac_secret_length, char is_sslv3) + unsigned mac_secret_length) { union { double align; unsigned char c[sizeof(LARGEST_DIGEST_CTX)]; @@ -381,7 +380,7 @@ ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, unsigned char* md_out, void (*md_final_raw)(void *ctx, unsigned char *md_out); void (*md_transform)(void *ctx, const unsigned char *block); unsigned md_size, md_block_size = 64; - unsigned sslv3_pad_length = 40, header_length, variance_blocks, + unsigned header_length, variance_blocks, len, max_mac_bytes, num_blocks, num_starting_blocks, k, mac_end_offset, c, index_a, index_b; unsigned int bits; /* at most 18 bits */ @@ -407,7 +406,6 @@ ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, unsigned char* md_out, md_final_raw = tls1_md5_final_raw; md_transform = (void(*)(void *ctx, const unsigned char *block)) MD5_Transform; md_size = 16; - sslv3_pad_length = 48; length_is_big_endian = 0; break; case NID_sha1: @@ -459,33 +457,20 @@ ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, unsigned char* md_out, OPENSSL_assert(md_size <= EVP_MAX_MD_SIZE); header_length = 13; - if (is_sslv3) { - header_length = mac_secret_length + sslv3_pad_length + - 8 /* sequence number */ + - 1 /* record type */ + - 2 /* record length */; - } /* variance_blocks is the number of blocks of the hash that we have to * calculate in constant time because they could be altered by the * padding value. * - * In SSLv3, the padding must be minimal so the end of the plaintext - * varies by, at most, 15+20 = 35 bytes. (We conservatively assume that - * the MAC size varies from 0..20 bytes.) In case the 9 bytes of hash - * termination (0x80 + 64-bit length) don't fit in the final block, we - * say that the final two blocks can vary based on the padding. - * * TLSv1 has MACs up to 48 bytes long (SHA-384) and the padding is not * required to be minimal. Therefore we say that the final six blocks * can vary based on the padding. * * Later in the function, if the message is short and there obviously * cannot be this many blocks then variance_blocks can be reduced. */ - variance_blocks = is_sslv3 ? 2 : 6; + variance_blocks = 6; /* From now on we're dealing with the MAC, which conceptually has 13 - * bytes of `header' before the start of the data (TLS) or 71/75 bytes - * (SSLv3) */ + * bytes of `header' before the start of the data (TLS) */ len = data_plus_mac_plus_padding_size + header_length; /* max_mac_bytes contains the maximum bytes of bytes in the MAC, including * |header|, assuming that there's no padding. */ @@ -515,30 +500,23 @@ ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, unsigned char* md_out, * length, in bits. */ index_b = (mac_end_offset + md_length_size) / md_block_size; /* bits is the hash-length in bits. It includes the additional hash - * block for the masked HMAC key, or whole of |header| in the case of - * SSLv3. */ + * block for the masked HMAC key. */ - /* For SSLv3, if we're going to have any starting blocks then we need - * at least two because the header is larger than a single block. */ - if (num_blocks > variance_blocks + (is_sslv3 ? 1 : 0)) { + if (num_blocks > variance_blocks) { num_starting_blocks = num_blocks - variance_blocks; k = md_block_size*num_starting_blocks; } bits = 8*mac_end_offset; - if (!is_sslv3) { - /* Compute the initial HMAC block. For SSLv3, the padding and - * secret bytes are included in |header| because they take more - * than a single block. */ - bits += 8*md_block_size; - memset(hmac_pad, 0, md_block_size); - OPENSSL_assert(mac_secret_length <= sizeof(hmac_pad)); - memcpy(hmac_pad, mac_secret, mac_secret_length); - for (i = 0; i < md_block_size; i++) - hmac_pad[i] ^= 0x36; - - md_transform(md_state.c, hmac_pad); - } + /* Compute the initial HMAC block. */ + bits += 8*md_block_size; + memset(hmac_pad, 0, md_block_size); + OPENSSL_assert(mac_secret_length <= sizeof(hmac_pad)); + memcpy(hmac_pad, mac_secret, mac_secret_length); + for (i = 0; i < md_block_size; i++) + hmac_pad[i] ^= 0x36; + + md_transform(md_state.c, hmac_pad); if (length_is_big_endian) { memset(length_bytes, 0, md_length_size - 4); @@ -555,26 +533,12 @@ ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, unsigned char* md_out, } if (k > 0) { - if (is_sslv3) { - /* The SSLv3 header is larger than a single block. - * overhang is the number of bytes beyond a single - * block that the header consumes: either 7 bytes - * (SHA1) or 11 bytes (MD5). */ - unsigned overhang = header_length - md_block_size; - md_transform(md_state.c, header); - memcpy(first_block, header + md_block_size, overhang); - memcpy(first_block + overhang, data, md_block_size - overhang); - md_transform(md_state.c, first_block); - for (i = 1; i < k/md_block_size - 1; i++) - md_transform(md_state.c, data + md_block_size*i - overhang); - } else { - /* k is a multiple of md_block_size. */ - memcpy(first_block, header, 13); - memcpy(first_block + 13, data, md_block_size - 13); - md_transform(md_state.c, first_block); - for (i = 1; i < k/md_block_size; i++) - md_transform(md_state.c, data + md_block_size*i - 13); - } + /* k is a multiple of md_block_size. */ + memcpy(first_block, header, 13); + memcpy(first_block + 13, data, md_block_size - 13); + md_transform(md_state.c, first_block); + for (i = 1; i < k/md_block_size; i++) + md_transform(md_state.c, data + md_block_size*i - 13); } memset(mac_out, 0, sizeof(mac_out)); @@ -632,21 +596,14 @@ ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, unsigned char* md_out, EVP_MD_CTX_cleanup(&md_ctx); return 0; } - if (is_sslv3) { - /* We repurpose |hmac_pad| to contain the SSLv3 pad2 block. */ - memset(hmac_pad, 0x5c, sslv3_pad_length); - EVP_DigestUpdate(&md_ctx, mac_secret, mac_secret_length); - EVP_DigestUpdate(&md_ctx, hmac_pad, sslv3_pad_length); - EVP_DigestUpdate(&md_ctx, mac_out, md_size); - } else { - /* Complete the HMAC in the standard manner. */ - for (i = 0; i < md_block_size; i++) - hmac_pad[i] ^= 0x6a; + /* Complete the HMAC in the standard manner. */ + for (i = 0; i < md_block_size; i++) + hmac_pad[i] ^= 0x6a; + + EVP_DigestUpdate(&md_ctx, hmac_pad, md_block_size); + EVP_DigestUpdate(&md_ctx, mac_out, md_size); - EVP_DigestUpdate(&md_ctx, hmac_pad, md_block_size); - EVP_DigestUpdate(&md_ctx, mac_out, md_size); - } EVP_DigestFinal(&md_ctx, md_out, &md_out_size_u); if (md_out_size) *md_out_size = md_out_size_u; diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h index 4386f0f7e5..6c36795b1d 100644 --- a/src/lib/libssl/ssl_locl.h +++ b/src/lib/libssl/ssl_locl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_locl.h,v 1.135 2016/11/05 08:26:36 jsing Exp $ */ +/* $OpenBSD: ssl_locl.h,v 1.136 2016/11/06 17:21:04 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -834,7 +834,7 @@ int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, unsigned char *md_out, size_t *md_out_size, const unsigned char header[13], const unsigned char *data, size_t data_plus_mac_size, size_t data_plus_mac_plus_padding_size, const unsigned char *mac_secret, - unsigned mac_secret_length, char is_sslv3); + unsigned mac_secret_length); __END_HIDDEN_DECLS diff --git a/src/lib/libssl/t1_enc.c b/src/lib/libssl/t1_enc.c index 6305a6ffb9..04219eb1b7 100644 --- a/src/lib/libssl/t1_enc.c +++ b/src/lib/libssl/t1_enc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: t1_enc.c,v 1.86 2016/11/03 08:15:22 jsing Exp $ */ +/* $OpenBSD: t1_enc.c,v 1.87 2016/11/06 17:21:04 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1242,8 +1242,7 @@ tls1_mac(SSL *ssl, unsigned char *md, int send) md, &md_size, header, rec->input, rec->length + md_size, orig_len, ssl->s3->read_mac_secret, - ssl->s3->read_mac_secret_size, - 0 /* not SSLv3 */)) + ssl->s3->read_mac_secret_size)) return -1; } else { EVP_DigestSignUpdate(mac_ctx, header, sizeof(header)); -- cgit v1.2.3-55-g6feb