From d39ce0a95b4874f3806c49689da955f5743f74fd Mon Sep 17 00:00:00 2001
From: "jaekuk, lee" <juku1999@samsung.com>
Date: Mon, 12 Jun 2017 13:30:54 +0900
Subject: [PATCH] Check that we have enough padding characters
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

https://nvd.nist.gov/vuln/detail/CVE-2016-2107

https://git.openssl.org/?p=openssl.git;a=commit;h=68595c0c2886e7942a14f98c17a55a88afb6c292
Reviewed-by: Emilia Käsper <emilia@openssl.org>
CVE-2016-2107
MR: #2572

Change-Id: I63f9b88dab5cfeb85841578851a528407acdf1cb
Signed-off-by: jaekuk, lee <juku1999@samsung.com>
---
 deps/openssl/openssl/crypto/evp/e_aes_cbc_hmac_sha1.c   | 2 ++
 deps/openssl/openssl/crypto/evp/e_aes_cbc_hmac_sha256.c | 2 ++
 2 files changed, 4 insertions(+)
 mode change 100644 => 100755 deps/openssl/openssl/crypto/evp/e_aes_cbc_hmac_sha1.c
 mode change 100644 => 100755 deps/openssl/openssl/crypto/evp/e_aes_cbc_hmac_sha256.c

diff --git a/deps/openssl/openssl/crypto/evp/e_aes_cbc_hmac_sha1.c b/deps/openssl/openssl/crypto/evp/e_aes_cbc_hmac_sha1.c
old mode 100644
new mode 100755
index 8330964..ccf3043
--- a/deps/openssl/openssl/crypto/evp/e_aes_cbc_hmac_sha1.c
+++ b/deps/openssl/openssl/crypto/evp/e_aes_cbc_hmac_sha1.c
@@ -578,6 +578,8 @@ static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
             maxpad |= (255 - maxpad) >> (sizeof(maxpad) * 8 - 8);
             maxpad &= 255;
 
+            ret &= constant_time_ge(maxpad, pad);
+
             inp_len = len - (SHA_DIGEST_LENGTH + pad + 1);
             mask = (0 - ((inp_len - len) >> (sizeof(inp_len) * 8 - 1)));
             inp_len &= mask;
diff --git a/deps/openssl/openssl/crypto/evp/e_aes_cbc_hmac_sha256.c b/deps/openssl/openssl/crypto/evp/e_aes_cbc_hmac_sha256.c
old mode 100644
new mode 100755
index 3780021..3faae63
--- a/deps/openssl/openssl/crypto/evp/e_aes_cbc_hmac_sha256.c
+++ b/deps/openssl/openssl/crypto/evp/e_aes_cbc_hmac_sha256.c
@@ -589,6 +589,8 @@ static int aesni_cbc_hmac_sha256_cipher(EVP_CIPHER_CTX *ctx,
             maxpad |= (255 - maxpad) >> (sizeof(maxpad) * 8 - 8);
             maxpad &= 255;
 
+            ret &= constant_time_ge(maxpad, pad);
+
             inp_len = len - (SHA256_DIGEST_LENGTH + pad + 1);
             mask = (0 - ((inp_len - len) >> (sizeof(inp_len) * 8 - 1)));
             inp_len &= mask;
-- 
2.7.4