pay attention to blocksize before attempting decryption
authorBodo Möller <bodo@openssl.org>
Fri, 15 Jun 2001 18:05:09 +0000 (18:05 +0000)
committerBodo Möller <bodo@openssl.org>
Fri, 15 Jun 2001 18:05:09 +0000 (18:05 +0000)
CHANGES
ssl/s3_enc.c
ssl/t1_enc.c

diff --git a/CHANGES b/CHANGES
index 0cca19538dfc5de3bdd098e9d523e0033eaa1cae..e8ffbf700c7ff911408bc103fc41906be21e28c9 100644 (file)
--- a/CHANGES
+++ b/CHANGES
          *) applies to 0.9.6a (/0.9.6b) and 0.9.7
          +) applies to 0.9.7 only
 
+  *) Verify that incoming data obeys the block size in
+     ssl3_enc (ssl/s3_enc.c) and tls1_enc (ssl/t1_enc.c).
+     [Bodo Moeller]
+
   +) Tidy up PKCS#12 attribute handling. Add support for the CSP name
      attribute in PKCS#12 files, add new -CSP option to pkcs12 utility.
      [Steve Henson]
index 8cd36a395c8b5fe4f89672c1801a04f3dc2f4b86..d1c1946e549e78445a043a13fa4192691ce68d6a 100644 (file)
@@ -373,7 +373,6 @@ int ssl3_enc(SSL *s, int send)
 
                /* COMPRESS */
 
-               /* This should be using (bs-1) and bs instead of 7 and 8 */
                if ((bs != 1) && send)
                        {
                        i=bs-((int)l%bs);
@@ -383,12 +382,24 @@ int ssl3_enc(SSL *s, int send)
                        rec->length+=i;
                        rec->input[l-1]=(i-1);
                        }
-
+               
+               if (!send)
+                       {
+                       if (l == 0 || l%bs != 0)
+                               {
+                               SSLerr(SSL_F_SSL3_ENC,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
+                               ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPT_ERROR);
+                               return(0);
+                               }
+                       }
+               
                EVP_Cipher(ds,rec->data,rec->input,l);
 
                if ((bs != 1) && !send)
                        {
                        i=rec->data[l-1]+1;
+                       /* SSL 3.0 bounds the number of padding bytes by the block size;
+                        * padding bytes (except that last) are arbitrary */
                        if (i > bs)
                                {
                                SSLerr(SSL_F_SSL3_ENC,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
index 5f0976f9e7a9983e8176edf56d7ca1a9db195f10..d3a15e3441d05d6ddba52da2461cba6d760fe3c2 100644 (file)
@@ -509,6 +509,16 @@ int tls1_enc(SSL *s, int send)
                }
 #endif /* KSSL_DEBUG */
 
+               if (!send)
+                       {
+                       if (l == 0 || l%bs != 0)
+                               {
+                               SSLerr(SSL_F_TLS1_ENC,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
+                               ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPT_ERROR);
+                               return(0);
+                               }
+                       }
+               
                EVP_Cipher(ds,rec->data,rec->input,l);
 
 #ifdef KSSL_DEBUG
@@ -522,7 +532,7 @@ int tls1_enc(SSL *s, int send)
 
                if ((bs != 1) && !send)
                        {
-                       ii=i=rec->data[l-1];
+                       ii=i=rec->data[l-1]; /* padding_length */
                        i++;
                        if (s->options&SSL_OP_TLS_BLOCK_PADDING_BUG)
                                {
@@ -533,6 +543,8 @@ int tls1_enc(SSL *s, int send)
                                if (s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG)
                                        i--;
                                }
+                       /* TLS 1.0 does not bound the number of padding bytes by the block size.
+                        * All of them must have value 'padding_length'. */
                        if (i > (int)rec->length)
                                {
                                SSLerr(SSL_F_TLS1_ENC,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);