projects / oweals / openssl.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 061e68c)
Add checks to the return value of EVP_Cipher to prevent silent encryption failure.
authorMatt Caswell <matt@openssl.org>
Tue, 18 Nov 2014 12:56:26 +0000 (12:56 +0000)
committerMatt Caswell <matt@openssl.org>
Thu, 27 Nov 2014 21:53:02 +0000 (21:53 +0000)
PR#1767

Reviewed-by: Richard Levitte <levitte@openssl.org>
ssl/d1_enc.c patch | blob | history
ssl/d1_pkt.c patch | blob | history
ssl/s3_enc.c patch | blob | history
ssl/s3_pkt.c patch | blob | history

diff --git a/ssl/d1_enc.c b/ssl/d1_enc.c
index 712c4647f24cb072beddda21a79d993f583a100d..3da2b4c8c2a79c8611d9a6606dbc8df233cd2554 100644 (file)
--- a/ssl/d1_enc.c
+++ b/ssl/d1_enc.c
@@ -241,7 +241,8 @@ int dtls1_enc(SSL *s, int send)
                                return 0;
                        }
                
-               EVP_Cipher(ds,rec->data,rec->input,l);
+               if(EVP_Cipher(ds,rec->data,rec->input,l) < 1)
+                       return -1;
 
 #ifdef KSSL_DEBUG
                {
diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c
index 438c0913d24e7207e30e956f5dc64b36d7449905..edd17df54b50acb05d68832b261ac3ef5d98b96a 100644 (file)
--- a/ssl/d1_pkt.c
+++ b/ssl/d1_pkt.c
@@ -1619,7 +1619,7 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len,
                wr->length += bs;
                }
 
-       s->method->ssl3_enc->enc(s,1);
+       if(s->method->ssl3_enc->enc(s,1) < 1) goto err;
 
        /* record length after mac and block padding */
 /*     if (type == SSL3_RT_APPLICATION_DATA ||
diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c
index 9db45af7ea7f5af8bf4f1e9a07b202edfe49ff33..89c133e681ed840b9cf8cb2eda84450b338b1ade 100644 (file)
--- a/ssl/s3_enc.c
+++ b/ssl/s3_enc.c
@@ -535,7 +535,8 @@ int ssl3_enc(SSL *s, int send)
                        /* otherwise, rec->length >= bs */
                        }
                
-               EVP_Cipher(ds,rec->data,rec->input,l);
+               if(EVP_Cipher(ds,rec->data,rec->input,l) < 1)
+                       return -1;
 
                if (EVP_MD_CTX_md(s->read_hash) != NULL)
                        mac_size = EVP_MD_CTX_size(s->read_hash);
diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
index 4c9285f355b264e0bed95d2676322176601a1d4e..d1cd752209ff973162a1882feb1a6f15181b3a56 100644 (file)
--- a/ssl/s3_pkt.c
+++ b/ssl/s3_pkt.c
@@ -856,8 +856,7 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
                wr->length += eivlen;
                }
 
-       /* ssl3_enc can only have an error on read */
-       s->method->ssl3_enc->enc(s,1);
+       if(s->method->ssl3_enc->enc(s,1)<1) goto err;
 
        /* record length after mac and block padding */
        s2n(wr->length,plen);
Unnamed repository; edit this file 'description' to name the repository.