From 00eab3af460c4af05c8b8506af1e1b44f19673d3 Mon Sep 17 00:00:00 2001
From: tedu <>
Date: Wed, 4 May 2016 15:01:33 +0000
Subject: fix a padding oracle in aesni cbc mac check. there must be enough
 data for both the mac and padding bytes. CVE-2016-2107 from openssl

---
 src/lib/libcrypto/evp/e_aes_cbc_hmac_sha1.c         | 5 ++++-
 src/lib/libssl/src/crypto/evp/e_aes_cbc_hmac_sha1.c | 5 ++++-
 2 files changed, 8 insertions(+), 2 deletions(-)

(limited to 'src')

diff --git a/src/lib/libcrypto/evp/e_aes_cbc_hmac_sha1.c b/src/lib/libcrypto/evp/e_aes_cbc_hmac_sha1.c
index 42aa20701b..8574823aed 100644
--- a/src/lib/libcrypto/evp/e_aes_cbc_hmac_sha1.c
+++ b/src/lib/libcrypto/evp/e_aes_cbc_hmac_sha1.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: e_aes_cbc_hmac_sha1.c,v 1.11 2016/05/04 14:53:29 tedu Exp $ */
+/* $OpenBSD: e_aes_cbc_hmac_sha1.c,v 1.12 2016/05/04 15:01:33 tedu Exp $ */
 /* ====================================================================
  * Copyright (c) 2011-2013 The OpenSSL Project.  All rights reserved.
  *
@@ -60,6 +60,7 @@
 #include <openssl/aes.h>
 #include <openssl/sha.h>
 #include "evp_locl.h"
+#include "constant_time_locl.h"
 
 #ifndef EVP_CIPH_FLAG_AEAD_CIPHER
 #define EVP_CIPH_FLAG_AEAD_CIPHER	0x200000
@@ -282,6 +283,8 @@ aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 			maxpad |= (255 - maxpad) >> (sizeof(maxpad) * 8 - 8);
 			maxpad &= 255;
 
+			ret &= constant_time_ge(maxpad, pad);
+
 			inp_len = len - (SHA_DIGEST_LENGTH + pad + 1);
 			mask = (0 - ((inp_len - len) >>
 			    (sizeof(inp_len) * 8 - 1)));
diff --git a/src/lib/libssl/src/crypto/evp/e_aes_cbc_hmac_sha1.c b/src/lib/libssl/src/crypto/evp/e_aes_cbc_hmac_sha1.c
index 42aa20701b..8574823aed 100644
--- a/src/lib/libssl/src/crypto/evp/e_aes_cbc_hmac_sha1.c
+++ b/src/lib/libssl/src/crypto/evp/e_aes_cbc_hmac_sha1.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: e_aes_cbc_hmac_sha1.c,v 1.11 2016/05/04 14:53:29 tedu Exp $ */
+/* $OpenBSD: e_aes_cbc_hmac_sha1.c,v 1.12 2016/05/04 15:01:33 tedu Exp $ */
 /* ====================================================================
  * Copyright (c) 2011-2013 The OpenSSL Project.  All rights reserved.
  *
@@ -60,6 +60,7 @@
 #include <openssl/aes.h>
 #include <openssl/sha.h>
 #include "evp_locl.h"
+#include "constant_time_locl.h"
 
 #ifndef EVP_CIPH_FLAG_AEAD_CIPHER
 #define EVP_CIPH_FLAG_AEAD_CIPHER	0x200000
@@ -282,6 +283,8 @@ aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 			maxpad |= (255 - maxpad) >> (sizeof(maxpad) * 8 - 8);
 			maxpad &= 255;
 
+			ret &= constant_time_ge(maxpad, pad);
+
 			inp_len = len - (SHA_DIGEST_LENGTH + pad + 1);
 			mask = (0 - ((inp_len - len) >>
 			    (sizeof(inp_len) * 8 - 1)));
-- 
cgit v1.2.3-55-g6feb