Don't crash when processing a zero-length, TLS >= 1.1 record.
authorBen Laurie <ben@links.org>
Mon, 28 Jan 2013 17:33:18 +0000 (17:33 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Tue, 5 Feb 2013 16:50:33 +0000 (16:50 +0000)
The previous CBC patch was bugged in that there was a path through enc()
in s3_pkt.c/d1_pkt.c which didn't set orig_len. orig_len would be left
at the previous value which could suggest that the packet was a
sufficient length when it wasn't.
(cherry picked from commit 6cb19b7681f600b2f165e4adc57547b097b475fd)
(cherry picked from commit 2c948c1bb218f4ae126e14fd3453d42c62b93235)

Conflicts:
ssl/s3_enc.c

ssl/d1_enc.c
ssl/d1_pkt.c
ssl/s3_enc.c
ssl/s3_pkt.c
ssl/t1_enc.c

index ab8ccd1f6ba8138f29cb69a5fa0f271faef11d32..906a26364bb8b3af629f0ed49d9f086e7d3c75fc 100644 (file)
@@ -246,7 +246,6 @@ int dtls1_enc(SSL *s, int send)
                 }
 #endif /* KSSL_DEBUG */
 
-               rec->orig_len = rec->length;
                if ((bs != 1) && !send)
                        return tls1_cbc_remove_padding(s, rec, bs, mac_size);
                }
index cdbbe347d96c43a706fde5d53e4863140dd3fd15..d367524536a27b3c6fa802c8b0515be00c0b32bf 100644 (file)
@@ -367,6 +367,7 @@ dtls1_process_record(SSL *s)
 
        /* decrypt in place in 'rr->input' */
        rr->data=rr->input;
+       rr->orig_len=rr->length;
 
        enc_err = s->method->ssl3_enc->enc(s,0);
        if (enc_err <= 0)
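Review bot: The added `rr->orig_len=rr->length;` has no comment saying that it is now a precondition of the `enc()` call below it, which matters because this commit removes the assignment from dtls1_enc and tls1_enc. Going by the commit message, a receive path that skips it leaves the previous record's length in `orig_len`, so the length checks could pass for a record that is too short. I would add above the line `/* enc() no longer sets orig_len; it must hold this record's length before the padding/MAC checks run */`, and the same at the identical line added in ssl/s3_pkt.c. dtls1_process_record starts and ends outside the hunk.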
index 6471ac49016e6c307232bf80d4b79aef565f7529..a7830a2d430fe0cdc1e39bde3933088fcf071e36 100644 (file)
@@ -433,6 +433,15 @@ void ssl3_cleanup_key_block(SSL *s)
        s->s3->tmp.key_block_length=0;
        }
 
+/* ssl3_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively.
+ *
+ * Returns:
+ *   0: (in non-constant time) if the record is publically invalid (i.e. too
+ *       short etc).
+ *   1: if the record's padding is valid / the encryption was successful.
+ *   -1: if the record's padding is invalid or, if sending, an internal error
+ *       occured.
+ */
 int ssl3_enc(SSL *s, int send)
        {
        SSL3_RECORD *rec;
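Review bot: The new header comment marks only the 0 return as non-constant-time and leaves the contract for 1 and -1 implicit. If the intent is that a receive-side caller must not reveal a -1 result to the peer before the MAC has been checked, the comment should say so, for example `On decrypt, -1 must not be acted on observably until the MAC has been verified.`; this needs confirming against ssl3_cbc_remove_padding, which is not in the hunk. It should also state that the caller sets `rec->orig_len` before a receive-side call, and fix two spellings: `publically` should be `publicly` and `occured` should be `occurred`. The same points apply to the tls1_enc header comment added in ssl/t1_enc.c, and the body of ssl3_enc continues outside the hunk.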
@@ -503,6 +512,7 @@ int ssl3_enc(SSL *s, int send)
 
                if (s->read_hash != NULL)
                        mac_size = EVP_MD_size(s->read_hash);
+
                if ((bs != 1) && !send)
                        return ssl3_cbc_remove_padding(s, rec, bs, mac_size);
                }
index 0d27f514af206c0d633804d8f91b66199d463872..e658edbb1dc1a6c2c2aa5899f46eacdc692ea280 100644 (file)
@@ -352,8 +352,13 @@ again:
 
        /* decrypt in place in 'rr->input' */
        rr->data=rr->input;
+       rr->orig_len=rr->length;
 
        enc_err = s->method->ssl3_enc->enc(s,0);
+       /* enc_err is:
+        *    0: (in non-constant time) if the record is publically invalid.
+        *    1: if the padding is valid
+        *    -1: if the padding is invalid */
        if (enc_err == 0)
                {
                /* SSLerr() and ssl3_send_alert() have been called */
index 6d6046b3376b7858f27f0b9cd73b44638e356834..8968ed0ef77cdadf0a9a949290389cc2d342d3c4 100644 (file)
@@ -528,6 +528,15 @@ err:
        return(0);
        }
 
+/* tls1_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively.
+ *
+ * Returns:
+ *   0: (in non-constant time) if the record is publically invalid (i.e. too
+ *       short etc).
+ *   1: if the record's padding is valid / the encryption was successful.
+ *   -1: if the record's padding/AEAD-authenticator is invalid or, if sending,
+ *       an internal error occured.
+ */
 int tls1_enc(SSL *s, int send)
        {
        SSL3_RECORD *rec;
@@ -628,8 +637,6 @@ int tls1_enc(SSL *s, int send)
                 }
 #endif /* KSSL_DEBUG */
 
-               rec->orig_len = rec->length;
-
                ret = 1;
                if (s->read_hash != NULL)
                        mac_size = EVP_MD_size(s->read_hash);