From 0bf9289206bff820f1f01fc27ff5bd16a92d1aee Mon Sep 17 00:00:00 2001
From: Ted Unangst <tedu@cvs.openbsd.org>
Date: Wed, 4 May 2016 15:01:34 +0000
Subject: fix a padding oracle in aesni cbc mac check. there must be enough
 data for both the mac and padding bytes. CVE-2016-2107 from openssl

---
 lib/libcrypto/evp/e_aes_cbc_hmac_sha1.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

(limited to 'lib/libcrypto')

diff --git a/lib/libcrypto/evp/e_aes_cbc_hmac_sha1.c b/lib/libcrypto/evp/e_aes_cbc_hmac_sha1.c
index 42aa20701b9..8574823aed3 100644
--- a/lib/libcrypto/evp/e_aes_cbc_hmac_sha1.c
+++ b/lib/libcrypto/evp/e_aes_cbc_hmac_sha1.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: e_aes_cbc_hmac_sha1.c,v 1.11 2016/05/04 14:53:29 tedu Exp $ */
+/* $OpenBSD: e_aes_cbc_hmac_sha1.c,v 1.12 2016/05/04 15:01:33 tedu Exp $ */
 /* ====================================================================
  * Copyright (c) 2011-2013 The OpenSSL Project.  All rights reserved.
  *
@@ -60,6 +60,7 @@
 #include <openssl/aes.h>
 #include <openssl/sha.h>
 #include "evp_locl.h"
+#include "constant_time_locl.h"
 
 #ifndef EVP_CIPH_FLAG_AEAD_CIPHER
 #define EVP_CIPH_FLAG_AEAD_CIPHER	0x200000
@@ -282,6 +283,8 @@ aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 			maxpad |= (255 - maxpad) >> (sizeof(maxpad) * 8 - 8);
 			maxpad &= 255;
 
+			ret &= constant_time_ge(maxpad, pad);
+
 			inp_len = len - (SHA_DIGEST_LENGTH + pad + 1);
 			mask = (0 - ((inp_len - len) >>
 			    (sizeof(inp_len) * 8 - 1)));
-- 
cgit v1.2.3