[openssl-commits] [openssl] OpenSSL source code branch OpenSSL_0_9_8-stable updated. OpenSSL_0_9_8zc-16-g1cb10d9

Emilia Kasper emilia at openssl.org
Wed Dec 17 13:58:55 UTC 2014 

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, OpenSSL_0_9_8-stable has been updated
       via  1cb10d9c7d95e36fcc8ed0ade3eafda90e5e3172 (commit)
      from  62abc80540c4adf5b0d50ad604001a39024f5c21 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 1cb10d9c7d95e36fcc8ed0ade3eafda90e5e3172
Author: Emilia Kasper <emilia at openssl.org>
Date:   Wed Dec 17 14:52:13 2014 +0100

    Revert "RT3425: constant-time evp_enc"
    
    Causes more problems than it fixes: even though error codes
    are not part of the stable API, several users rely on the
    specific error code, and the change breaks them. Conversely,
    we don't have any concrete use-cases for constant-time behaviour here.
    
    This reverts commit 1bb01b1b5f27a7de33e7a67946b8c001b54e09e9.
    
    Reviewed-by: Andy Polyakov <appro at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 crypto/evp/Makefile  |    3 +--
 crypto/evp/evp_enc.c |   49 +++++++++++++++++++++----------------------------
 2 files changed, 22 insertions(+), 30 deletions(-)

diff --git a/crypto/evp/Makefile b/crypto/evp/Makefile
index e5082b7..c204f84 100644
--- a/crypto/evp/Makefile
+++ b/crypto/evp/Makefile
@@ -385,8 +385,7 @@ evp_enc.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
 evp_enc.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
 evp_enc.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
 evp_enc.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-evp_enc.o: ../../include/openssl/x509_vfy.h ../constant_time_locl.h
-evp_enc.o: ../cryptlib.h evp_enc.c evp_locl.h
+evp_enc.o: ../../include/openssl/x509_vfy.h ../cryptlib.h evp_enc.c evp_locl.h
 evp_err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 evp_err.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 evp_err.o: ../../include/openssl/err.h ../../include/openssl/evp.h
diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c
index 2cbf992..30e0ca4 100644
--- a/crypto/evp/evp_enc.c
+++ b/crypto/evp/evp_enc.c
@@ -64,7 +64,6 @@
 #ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
 #endif
-#include "constant_time_locl.h"
 #include "evp_locl.h"
 
 #ifdef OPENSSL_FIPS
@@ -302,11 +301,11 @@ int EVP_DecryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
 
 int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
 	{
-	unsigned int i, b;
-	unsigned char pad, padding_good;
+	int i,n;
+	unsigned int b;
 
 	*outl=0;
-	b=(unsigned int)(ctx->cipher->block_size);
+	b=ctx->cipher->block_size;
 	if (ctx->flags & EVP_CIPH_NO_PADDING)
 		{
 		if(ctx->buf_len)
@@ -325,34 +324,28 @@ int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
 			return(0);
 			}
 		OPENSSL_assert(b <= sizeof ctx->final);
-		pad=ctx->final[b-1];
-
-		padding_good = (unsigned char)(~constant_time_is_zero_8(pad));
-		padding_good &= constant_time_ge_8(b, pad);
-
-                for (i = 1; i < b; ++i)
+		n=ctx->final[b-1];
+		if (n == 0 || n > (int)b)
 			{
-			unsigned char is_pad_index = constant_time_lt_8(i, pad);
-			unsigned char pad_byte_good = constant_time_eq_8(ctx->final[b-i-1], pad);
-			padding_good &= constant_time_select_8(is_pad_index, pad_byte_good, 0xff);
+			EVPerr(EVP_F_EVP_DECRYPTFINAL_EX,EVP_R_BAD_DECRYPT);
+			return(0);
 			}
-
-		/*
-		 * At least 1 byte is always padding, so we always write b - 1
-		 * bytes to avoid a timing leak. The caller is required to have |b|
-		 * bytes space in |out| by the API contract.
-		 */
-		for (i = 0; i < b - 1; ++i)
-			out[i] = ctx->final[i] & padding_good;
-		/* Safe cast: for a good padding, EVP_MAX_IV_LENGTH >= b >= pad */
-		*outl = padding_good & ((unsigned char)(b - pad));
-		return padding_good & 1;
+		for (i=0; i<n; i++)
+			{
+			if (ctx->final[--b] != n)
+				{
+				EVPerr(EVP_F_EVP_DECRYPTFINAL_EX,EVP_R_BAD_DECRYPT);
+				return(0);
+				}
+			}
+		n=ctx->cipher->block_size-n;
+		for (i=0; i<n; i++)
+			out[i]=ctx->final[i];
+		*outl=n;
 		}
 	else
-		{
-		*outl = 0;
-		return 1;
-		}
+		*outl=0;
+	return(1);
 	}
 
 void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx)


hooks/post-receive
-- 
OpenSSL source code

More information about the openssl-commits mailing list