authorwtc%google.com <devnull@localhost>2013-02-06 02:02:38 +0000
committerwtc%google.com <devnull@localhost>2013-02-06 02:02:38 +0000
commit756fab31eae9ac0e52479c04c886322221726dee (patch)
tree2b2fa5e91921182f8415f4e7ef046768917b1b5b
parente9fc7f949f1745b76940a379b3b8ed7b2e6f93f5 (diff)
Bug 822365: Fix the constant-time versions of HMAC-MD5 and SSLv3 MD5 MAC.
Remove the workaround from ssl3_ComputeRecordMACConstantTime. The patch was contributed by Adam Langley <agl@chromium.org>. r=rrelyea,wtc. Modified Files: lib/freebl/hmacct.c lib/softoken/sftkhmac.c lib/ssl/ssl3con.c
-rw-r--r--security/nss/lib/freebl/hmacct.c12
-rw-r--r--security/nss/lib/softoken/sftkhmac.c2
-rw-r--r--security/nss/lib/ssl/ssl3con.c6
3 files changed, 11 insertions, 9 deletions
diff --git a/security/nss/lib/freebl/hmacct.c b/security/nss/lib/freebl/hmacct.c
index cdb7300a5..9cf04f88e 100644
--- a/security/nss/lib/freebl/hmacct.c
+++ b/security/nss/lib/freebl/hmacct.c
@@ -172,8 +172,16 @@ static SECStatus mac(
if (mdLengthSize == 16) {
j = 8;
}
- for (i = 0; i < 4; i++) {
- lengthBytes[4+i+j] = bits >> (8*(7-i));
+ if (hashObj->type == HASH_AlgMD5) {
+ /* MD5 appends a little-endian length. */
+ for (i = 0; i < 4; i++) {
+ lengthBytes[i+j] = bits >> (8*i);
+ }
+ } else {
+ /* All other TLS hash functions use a big-endian length. */
+ for (i = 0; i < 4; i++) {
+ lengthBytes[4+i+j] = bits >> (8*(7-i));
+ }
}
if (k > 0) {
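Review bot: The MD5 branch writes only the low four bytes of the 64-bit little-endian length at `lengthBytes[j..j+3]` and relies on bytes j+4..j+7 already being zero, just as the big-endian branch relies on bytes j..j+3 being zero; neither assumption is stated in the hunk. Presumably lengthBytes is zero-filled earlier in mac() (its start is outside the hunk), so a comment such as `/* lengthBytes is zero-filled above; only the low 32 bits of the bit count are written, so the message must be shorter than 2^32 bits. */` would make the bound explicit at the point it matters. Since this is the constant-time path, a regression test that compares its output against the ordinary HMAC-MD5 for message lengths on both sides of a padding-block boundary would catch an endianness slip like the one this commit fixes.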
diff --git a/security/nss/lib/softoken/sftkhmac.c b/security/nss/lib/softoken/sftkhmac.c
index 412ee4dc4..04b325b4b 100644
--- a/security/nss/lib/softoken/sftkhmac.c
+++ b/security/nss/lib/softoken/sftkhmac.c
@@ -106,7 +106,7 @@ sftk_MACConstantTimeCtx* sftk_SSLv3MACConstantTime_New(CK_MECHANISM_PTR mech,
return NULL;
}
- if (params->hashAlg == CKM_MD5) {
+ if (params->hashAlg == CKM_SSL3_MD5_MAC) {
padLength = 48;
}
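Review bot: The compare on the added line now treats params->hashAlg as the SSLv3 MAC mechanism rather than the digest mechanism, which is exactly the confusion behind the original bug, and nothing in the hunk records that. A comment above the if, `/* hashAlg carries the CKM_SSL3_*_MAC mechanism, not the CKM_MD5/CKM_SHA_1 digest mechanism. */`, would keep the next reader from reverting it to CKM_MD5. If hashAlg is neither the MD5 nor the SHA-1 MAC mechanism, padLength keeps whatever default it was given before the hunk; the enclosing sftk_SSLv3MACConstantTime_New starts outside the hunk, so I cannot tell whether that case is rejected earlier.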
diff --git a/security/nss/lib/ssl/ssl3con.c b/security/nss/lib/ssl/ssl3con.c
index d5d6ef0f9..1388a454a 100644
--- a/security/nss/lib/ssl/ssl3con.c
+++ b/security/nss/lib/ssl/ssl3con.c
@@ -2063,12 +2063,6 @@ ssl3_ComputeRecordMACConstantTime(
goto fallback;
}
- if (spec->cipher_def->cipher == cipher_rc2_40) {
- /* This function doesn't work for SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5.
- * We fallback on the non-constant time version. */
- goto fallback;
- }
-
if (spec->mac_def->mac == mac_null) {
*outLen = 0;
return SECSuccess;