From dab4c2824fe6dd055b17cc6a736059222cd03282 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Bodo=20M=C3=B6ller?= <bodo@openssl.org>
Date: Fri, 15 Jun 2001 18:06:06 +0000
Subject: [PATCH] pay attention to blocksize before attempting decryption

---
 CHANGES      |  4 ++++
 ssl/s3_enc.c | 15 +++++++++++++--
 ssl/t1_enc.c | 14 +++++++++++++-
 3 files changed, 30 insertions(+), 3 deletions(-)

diff --git a/CHANGES b/CHANGES
index 90fd18b0e1..2d5f6b8622 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,10 @@
 
  Changes between 0.9.6a and 0.9.6b  [XX xxx XXXX]
 
+  *) Verify that incoming data obeys the block size in
+     ssl3_enc (ssl/s3_enc.c) and tls1_enc (ssl/t1_enc.c).
+     [Bodo Moeller]
+
   *) Fix OAEP check.
      [Ulf Möller, Bodo Möller]
 
diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c
index 455a6f3d06..8709da9175 100644
--- a/ssl/s3_enc.c
+++ b/ssl/s3_enc.c
@@ -366,7 +366,6 @@ int ssl3_enc(SSL *s, int send)
 
 		/* COMPRESS */
 
-		/* This should be using (bs-1) and bs instead of 7 and 8 */
 		if ((bs != 1) && send)
 			{
 			i=bs-((int)l%bs);
@@ -376,12 +375,24 @@ int ssl3_enc(SSL *s, int send)
 			rec->length+=i;
 			rec->input[l-1]=(i-1);
 			}
-
+		
+		if (!send)
+			{
+			if (l == 0 || l%bs != 0)
+				{
+				SSLerr(SSL_F_SSL3_ENC,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
+				ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPT_ERROR);
+				return(0);
+				}
+			}
+		
 		EVP_Cipher(ds,rec->data,rec->input,l);
 
 		if ((bs != 1) && !send)
 			{
 			i=rec->data[l-1]+1;
+			/* SSL 3.0 bounds the number of padding bytes by the block size;
+			 * padding bytes (except that last) are arbitrary */
 			if (i > bs)
 				{
 				SSLerr(SSL_F_SSL3_ENC,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
index 18e98602bc..a0758e9261 100644
--- a/ssl/t1_enc.c
+++ b/ssl/t1_enc.c
@@ -447,11 +447,21 @@ int tls1_enc(SSL *s, int send)
 			rec->length+=i;
 			}
 
+		if (!send)
+			{
+			if (l == 0 || l%bs != 0)
+				{
+				SSLerr(SSL_F_TLS1_ENC,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
+				ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPT_ERROR);
+				return(0);
+				}
+			}
+		
 		EVP_Cipher(ds,rec->data,rec->input,l);
 
 		if ((bs != 1) && !send)
 			{
-			ii=i=rec->data[l-1];
+			ii=i=rec->data[l-1]; /* padding_length */
 			i++;
 			if (s->options&SSL_OP_TLS_BLOCK_PADDING_BUG)
 				{
@@ -462,6 +472,8 @@ int tls1_enc(SSL *s, int send)
 				if (s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG)
 					i--;
 				}
+			/* TLS 1.0 does not bound the number of padding bytes by the block size.
+			 * All of them must have value 'padding_length'. */
 			if (i > (int)rec->length)
 				{
 				SSLerr(SSL_F_TLS1_ENC,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
-- 
2.25.1