Revert "RT3425: constant-time evp_enc"

Causes more problems than it fixes: even though error codes
are not part of the stable API, several users rely on the
specific error code, and the change breaks them. Conversely,
we don't have any concrete use-cases for constant-time behaviour here.

This reverts commit 1bb01b1b5f27a7de33e7a67946b8c001b54e09e9.

Reviewed-by: Andy Polyakov <appro@openssl.org>

diff --git a/crypto/evp/Makefile b/crypto/evp/Makefile
index e5082b714c9d88ae042f56cd10ee41a8c181572d..c204f84c1d66e920f9fb0a2b023f5103a6cd100d 100644 (file)
--- a/crypto/evp/Makefile
+++ b/crypto/evp/Makefile
@@ -385,8 +385,7 @@ evp_enc.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
 evp_enc.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
 evp_enc.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
 evp_enc.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-evp_enc.o: ../../include/openssl/x509_vfy.h ../constant_time_locl.h
-evp_enc.o: ../cryptlib.h evp_enc.c evp_locl.h
+evp_enc.o: ../../include/openssl/x509_vfy.h ../cryptlib.h evp_enc.c evp_locl.h
 evp_err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 evp_err.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 evp_err.o: ../../include/openssl/err.h ../../include/openssl/evp.h

diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c
index 2cbf9922578f6538220ce4f3180f383d38c3f65c..30e0ca4d9faaf2d36e1f7de2c1b089ca06e24eb3 100644 (file)
--- a/crypto/evp/evp_enc.c
+++ b/crypto/evp/evp_enc.c
@@ -64,7 +64,6 @@
 #ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
 #endif
-#include "constant_time_locl.h"
 #include "evp_locl.h"
 
 #ifdef OPENSSL_FIPS
@@ -302,11 +301,11 @@ int EVP_DecryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
 
 int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
        {
-       unsigned int i, b;
-       unsigned char pad, padding_good;
+       int i,n;
+       unsigned int b;
 
        *outl=0;
-       b=(unsigned int)(ctx->cipher->block_size);
+       b=ctx->cipher->block_size;
        if (ctx->flags & EVP_CIPH_NO_PADDING)
                {
                if(ctx->buf_len)
@@ -325,34 +324,28 @@ int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
                        return(0);
                        }
                OPENSSL_assert(b <= sizeof ctx->final);
-               pad=ctx->final[b-1];
-
-               padding_good = (unsigned char)(~constant_time_is_zero_8(pad));
-               padding_good &= constant_time_ge_8(b, pad);
-
-                for (i = 1; i < b; ++i)
+               n=ctx->final[b-1];
+               if (n == 0 || n > (int)b)
                        {
-                       unsigned char is_pad_index = constant_time_lt_8(i, pad);
-                       unsigned char pad_byte_good = constant_time_eq_8(ctx->final[b-i-1], pad);
-                       padding_good &= constant_time_select_8(is_pad_index, pad_byte_good, 0xff);
+                       EVPerr(EVP_F_EVP_DECRYPTFINAL_EX,EVP_R_BAD_DECRYPT);
+                       return(0);
                        }
-
-               /*
-                * At least 1 byte is always padding, so we always write b - 1
-                * bytes to avoid a timing leak. The caller is required to have |b|
-                * bytes space in |out| by the API contract.
-                */
-               for (i = 0; i < b - 1; ++i)
-                       out[i] = ctx->final[i] & padding_good;
-               /* Safe cast: for a good padding, EVP_MAX_IV_LENGTH >= b >= pad */
-               *outl = padding_good & ((unsigned char)(b - pad));
-               return padding_good & 1;
+               for (i=0; i<n; i++)
+                       {
+                       if (ctx->final[--b] != n)
+                               {
+                               EVPerr(EVP_F_EVP_DECRYPTFINAL_EX,EVP_R_BAD_DECRYPT);
+                               return(0);
+                               }
+                       }
+               n=ctx->cipher->block_size-n;
+               for (i=0; i<n; i++)
+                       out[i]=ctx->final[i];
+               *outl=n;
                }
        else
-               {
-               *outl = 0;
-               return 1;
-               }
+               *outl=0;
+       return(1);
        }
 
 void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx)