{"schema":"libjg2-1",
"vpath":"/git/",
"avatar":"/git/avatar/",
"alang":"",
"gen_ut":1752059378,
"reponame":"openssl",
"desc":"OpenSSL",
"owner": { "name": "Andy Green", "email": "andy@warmcat.com", "md5": "c50933ca2aa61e0fe2c43d46bb6b59cb" },"url":"https://warmcat.com/repo/openssl",
"f":3,
"items": [
{"schema":"libjg2-1",
"cid":"204159dd8f2e25aa344bd5be3cd8ea64",
"commit": {"type":"commit",
"time": 1476742659,
"time_ofs": 60,
"oid_tree": { "oid": "ed8e1464484e0e8d2d196bf1c99a3219865eac22", "alias": []},
"oid":{ "oid": "e23d5071ec4c7aa6bb2b0f2c3e0fc2182ed7e63f", "alias": []},
"msg": "Fix encrypt-then-mac implementation for DTLS",
"sig_commit": { "git_time": { "time": 1476742659, "offset": 60 }, "name": "Matt Caswell", "email": "matt@openssl.org", "md5": "10f7b441a32d5790efad9fc68cae4af2" },
"sig_author": { "git_time": { "time": 1476310324, "offset": 60 }, "name": "David Woodhouse", "email": "David.Woodhouse@intel.com", "md5": "8cd01b144c9d24be9003072a596a65b0" }},
"body": "Fix encrypt-then-mac implementation for DTLS\n\nOpenSSL 1.1.0 will negotiate EtM on DTLS but will then not actually *do* it.\n\nIf we use DTLSv1.2 that will hopefully be harmless since we'll tend to use\nan AEAD ciphersuite anyway. But if we're using DTLSv1, then we certainly\nwill end up using CBC, so EtM is relevant — and we fail to interoperate with\nanything that implements EtM correctly.\n\nFixing it in HEAD and 1.1.0c will mean that 1.1.0[ab] are incompatible with\n1.1.0c+... for the limited case of non-AEAD ciphers, where they're *already*\nincompatible with other implementations due to this bug anyway. That seems\nreasonable enough, so let's do it. The only alternative is just to turn it\noff for ever... which *still* leaves 1.0.0[ab] failing to communicate with\nnon-OpenSSL implementations anyway.\n\nTested against itself as well as against GnuTLS both with and without EtM.\n\nReviewed-by: Tim Hudson \u003ctjh@openssl.org\u003e\nReviewed-by: Matt Caswell \u003cmatt@openssl.org\u003e\n"
,
"diff": "diff --git a/ssl/record/rec_layer_d1.c b/ssl/record/rec_layer_d1.c\nindex 1d16319..c9fd066 100644\n--- a/ssl/record/rec_layer_d1.c\n+++ b/ssl/record/rec_layer_d1.c\n@@ -1094,7 +1094,7 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf,\n * wb-\u003ebuf\n */\n \n- if (mac_size !\u003d 0) {\n+ if (!SSL_USE_ETM(s) \u0026\u0026 mac_size !\u003d 0) {\n if (s-\u003emethod-\u003essl3_enc-\u003emac(s, \u0026wr,\n \u0026(p[SSL3_RECORD_get_length(\u0026wr) + eivlen]),\n 1) \u003c 0)\n@@ -1112,6 +1112,14 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf,\n if (s-\u003emethod-\u003essl3_enc-\u003eenc(s, \u0026wr, 1, 1) \u003c 1)\n goto err;\n \n+ if (SSL_USE_ETM(s) \u0026\u0026 mac_size !\u003d 0) {\n+ if (s-\u003emethod-\u003essl3_enc-\u003emac(s, \u0026wr,\n+ \u0026(p[SSL3_RECORD_get_length(\u0026wr)]),\n+ 1) \u003c 0)\n+ goto err;\n+ SSL3_RECORD_add_length(\u0026wr, mac_size);\n+ }\n+\n /* record length after mac and block padding */\n /*\n * if (type \u003d\u003d SSL3_RT_APPLICATION_DATA || (type \u003d\u003d SSL3_RT_ALERT \u0026\u0026 !\ndiff --git a/ssl/record/ssl3_record.c b/ssl/record/ssl3_record.c\nindex 32a97af..3236166 100644\n--- a/ssl/record/ssl3_record.c\n+++ b/ssl/record/ssl3_record.c\n@@ -1314,6 +1314,26 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap)\n rr-\u003edata \u003d rr-\u003einput;\n rr-\u003eorig_len \u003d rr-\u003elength;\n \n+ if (SSL_USE_ETM(s) \u0026\u0026 s-\u003eread_hash) {\n+ unsigned char *mac;\n+ mac_size \u003d EVP_MD_CTX_size(s-\u003eread_hash);\n+ OPENSSL_assert(mac_size \u003c\u003d EVP_MAX_MD_SIZE);\n+ if (rr-\u003eorig_len \u003c mac_size) {\n+ al \u003d SSL_AD_DECODE_ERROR;\n+ SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_LENGTH_TOO_SHORT);\n+ goto f_err;\n+ }\n+ rr-\u003elength -\u003d mac_size;\n+ mac \u003d rr-\u003edata + rr-\u003elength;\n+ i \u003d s-\u003emethod-\u003essl3_enc-\u003emac(s, rr, md, 0 /* not send */ );\n+ if (i \u003c 0 || CRYPTO_memcmp(md, mac, (size_t)mac_size) !\u003d 
0) {\n+ al \u003d SSL_AD_BAD_RECORD_MAC;\n+ SSLerr(SSL_F_DTLS1_PROCESS_RECORD,\n+ SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);\n+ goto f_err;\n+ }\n+ }\n+\n enc_err \u003d s-\u003emethod-\u003essl3_enc-\u003eenc(s, rr, 1, 0);\n /*-\n * enc_err is:\n@@ -1338,7 +1358,7 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap)\n #endif\n \n /* r-\u003elength is now the compressed data plus mac */\n- if ((sess !\u003d NULL) \u0026\u0026\n+ if ((sess !\u003d NULL) \u0026\u0026 !SSL_USE_ETM(s) \u0026\u0026\n (s-\u003eenc_read_ctx !\u003d NULL) \u0026\u0026 (EVP_MD_CTX_md(s-\u003eread_hash) !\u003d NULL)) {\n /* s-\u003eread_hash !\u003d NULL \u003d\u003e mac_size !\u003d -1 */\n unsigned char *mac \u003d NULL;\n","s":{"c":1752059378,"u": 15127}}
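Review bot: in the first rec_layer_d1.c hunk (@@ -1094), the new `!SSL_USE_ETM(s) &&` guard silently turns this block into the MAC-then-encrypt-only path, while the matching EtM path lives after the `enc()` call further down; a one-line comment on the guard such as `/* MAC-then-encrypt: MAC goes in before encryption; EtM MACs after enc() below */` would make the two branches easier to keep in sync, since the `eivlen` offset used here for the MAC position is correct only for this pre-encryption ordering.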
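Review bot: in the second rec_layer_d1.c hunk (@@ -1112), the EtM MAC is written at `p[SSL3_RECORD_get_length(&wr)]` with no `eivlen` term, which differs from the pre-encryption branch; that is presumably deliberate because after `enc()` the record length already covers the explicit IV and padding, but it deserves a comment, and the reviewer should confirm that the write buffer reserved for this record was sized for `mac_size` bytes beyond the padded ciphertext, since the buffer allocation is not in the visible lines.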
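Review bot: in the ssl3_record.c hunk at @@ -1314, `rr->orig_len = rr->length` is assigned just above the new block and then `rr->length -= mac_size` is applied, so under EtM `orig_len` still counts the trailing MAC bytes; add a comment stating that, and check that nothing later on the EtM path treats `orig_len` as the ciphertext-only length. The ordering itself is right for a defender: the MAC is verified over the ciphertext with `CRYPTO_memcmp` before `enc()` runs, so a bad record is rejected before any decryption or padding inspection happens. Two smaller items: `md` is used as the MAC output buffer but is not declared in the hunk, so confirm the earlier declaration is `EVP_MAX_MD_SIZE` bytes to match the `OPENSSL_assert`, and note that an undersized record yields `SSL_AD_DECODE_ERROR` while a MAC mismatch yields `SSL_AD_BAD_RECORD_MAC`, which is the intended distinction and could be stated in a comment.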
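Review bot: in the ssl3_record.c hunk at @@ -1338, the comment immediately above the changed condition, `/* r->length is now the compressed data plus mac */`, is no longer accurate for EtM, where the MAC has already been stripped and verified before decryption; update it to say that this block is the MAC-then-encrypt check only and is skipped when `SSL_USE_ETM(s)` is set, so that `mac_size` keeps the value computed in the EtM block rather than being recomputed here.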
],"g": 16830,"chitpc": 0,"ehitpc": 0,"indexed":0
,
"ab": 0, "si": 0, "db":0, "di":0, "sat":0, "lfc": "0000"}