From 432196951390796cf2353de2d92f952f1deaa9d0 Mon Sep 17 00:00:00 2001
From: Matt Caswell
Date: Mon, 6 Mar 2017 15:13:25 +0000
Subject: [PATCH] Tweak the TLSv1.3 record overflow limits

Reviewed-by: Rich Salz
(Merged from https://github.com/openssl/openssl/pull/2861)
---
 include/openssl/ssl3.h | 11 +++++++----
 ssl/record/ssl3_record.c | 26 +++++++++++++++++++-------
 2 files changed, 26 insertions(+), 11 deletions(-)

diff --git a/include/openssl/ssl3.h b/include/openssl/ssl3.h
index e6df97b741..604a704a2e 100644
--- a/include/openssl/ssl3.h
+++ b/include/openssl/ssl3.h
@@ -170,7 +170,8 @@ extern "C" {
 * practice the value is lower than this. The overhead is the maximum number
 * of padding bytes (256) plus the mac size.
 */
-# define SSL3_RT_MAX_ENCRYPTED_OVERHEAD (256 + SSL3_RT_MAX_MD_SIZE)
+# define SSL3_RT_MAX_ENCRYPTED_OVERHEAD (256 + SSL3_RT_MAX_MD_SIZE)
+# define SSL3_RT_MAX_TLS13_ENCRYPTED_OVERHEAD 256
 
 /*
 * OpenSSL currently only uses a padding length of at most one block so the
@@ -186,12 +187,14 @@ extern "C" {
 # define SSL3_RT_MAX_COMPRESSED_LENGTH SSL3_RT_MAX_PLAIN_LENGTH
 # else
 # define SSL3_RT_MAX_COMPRESSED_LENGTH \
- (SSL3_RT_MAX_PLAIN_LENGTH+SSL3_RT_MAX_COMPRESSED_OVERHEAD)
+ (SSL3_RT_MAX_PLAIN_LENGTH+SSL3_RT_MAX_COMPRESSED_OVERHEAD)
 # endif
 # define SSL3_RT_MAX_ENCRYPTED_LENGTH \
- (SSL3_RT_MAX_ENCRYPTED_OVERHEAD+SSL3_RT_MAX_COMPRESSED_LENGTH)
+ (SSL3_RT_MAX_ENCRYPTED_OVERHEAD+SSL3_RT_MAX_COMPRESSED_LENGTH)
+# define SSL3_RT_MAX_TLS13_ENCRYPTED_LENGTH \
+ (SSL3_RT_MAX_PLAIN_LENGTH + SSL3_RT_MAX_TLS13_ENCRYPTED_OVERHEAD)
 # define SSL3_RT_MAX_PACKET_SIZE \
- (SSL3_RT_MAX_ENCRYPTED_LENGTH+SSL3_RT_HEADER_LENGTH)
+ (SSL3_RT_MAX_ENCRYPTED_LENGTH+SSL3_RT_HEADER_LENGTH)
 
 # define SSL3_MD_CLIENT_FINISHED_CONST "\x43\x4C\x4E\x54"
 # define SSL3_MD_SERVER_FINISHED_CONST "\x53\x52\x56\x52"
diff --git a/ssl/record/ssl3_record.c b/ssl/record/ssl3_record.c
index 4149969f2d..1e281fc19f 100644
--- a/ssl/record/ssl3_record.c
+++ b/ssl/record/ssl3_record.c
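Review bot: `SSL3_RT_MAX_TLS13_ENCRYPTED_OVERHEAD` in the first ssl3.h hunk has no comment of its own and sits directly under one that describes the overhead as padding bytes plus the MAC size, which does not explain the TLSv1.3 value. I would add something like `/* TLSv1.3 allows a protected record to exceed the plaintext limit by at most 256 bytes */` above it. The same gap applies to `SSL3_RT_MAX_TLS13_ENCRYPTED_LENGTH` in the second hunk, which builds on `SSL3_RT_MAX_PLAIN_LENGTH` rather than `SSL3_RT_MAX_COMPRESSED_LENGTH`; a one-line remark that TLSv1.3 has no record compression would show the difference is intentional. `SSL3_RT_MAX_PACKET_SIZE` still derives from the larger pre-1.3 limit, so buffer sizing appears unaffected by the new macros.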
@@ -340,6 +340,25 @@ int ssl3_get_record(SSL *s)
 /* now s->rlayer.rstate == SSL_ST_READ_BODY */
 }
 
+ if (SSL_IS_TLS13(s)) {
+ if (thisrr->length > SSL3_RT_MAX_TLS13_ENCRYPTED_LENGTH) {
+ al = SSL_AD_RECORD_OVERFLOW;
+ SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
+ goto f_err;
+ }
+ } else {
+ size_t len = SSL3_RT_MAX_ENCRYPTED_LENGTH;
+
+ if (s->expand == NULL)
+ len -= SSL3_RT_MAX_COMPRESSED_OVERHEAD;
+
+ if (thisrr->length > len) {
+ al = SSL_AD_RECORD_OVERFLOW;
+ SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
+ goto f_err;
+ }
+ }
+
 /*
 * s->rlayer.rstate == SSL_ST_READ_BODY, get and decode the data.
 * Calculate how much more data we need to read for the rest of the
@@ -388,13 +407,6 @@ int ssl3_get_record(SSL *s)
 * thisrr->length bytes of encrypted compressed stuff.
 */
 
- /* check is not needed I believe */
- if (thisrr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) {
- al = SSL_AD_RECORD_OVERFLOW;
- SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
- goto f_err;
- }
-
 /* decrypt in place in 'thisrr->input' */
 thisrr->data = thisrr->input;
 thisrr->orig_len = thisrr->length;
-- 
2.25.1
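Review bot: In the non-TLSv1.3 branch of the first hunk, `len -= SSL3_RT_MAX_COMPRESSED_OVERHEAD` runs whenever `s->expand == NULL`, yet the ssl3.h context in this same patch shows a build variant where `SSL3_RT_MAX_COMPRESSED_LENGTH` is plain `SSL3_RT_MAX_PLAIN_LENGTH`, so `SSL3_RT_MAX_ENCRYPTED_LENGTH` never contained that overhead. In such a build (the guard is outside the hunk, presumably `OPENSSL_NO_COMP`) the subtraction makes the limit too strict. If the compression overhead is larger than the encryption overhead, as I believe it is, legitimate full-size records would be rejected with a record_overflow alert. I would guard the adjustment with `#ifndef OPENSSL_NO_COMP` / `if (s->expand == NULL) len -= SSL3_RT_MAX_COMPRESSED_OVERHEAD;` / `#endif`, plus a comment saying why. The body of ssl3_get_record starts and ends outside the hunk, so I cannot confirm how `thisrr->length` is populated before this check.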