From b3a959a337b8083bc855623f24cebaf43a477350 Mon Sep 17 00:00:00 2001 From: Ben Laurie Date: Mon, 28 Jan 2013 17:33:18 +0000 Subject: [PATCH] Don't crash when processing a zero-length, TLS >= 1.1 record. The previous CBC patch was bugged in that there was a path through enc() in s3_pkt.c/d1_pkt.c which didn't set orig_len. orig_len would be left at the previous value which could suggest that the packet was a sufficient length when it wasn't. (cherry picked from commit 6cb19b7681f600b2f165e4adc57547b097b475fd) (cherry picked from commit 2c948c1bb218f4ae126e14fd3453d42c62b93235) Conflicts: ssl/s3_enc.c --- ssl/d1_enc.c | 1 - ssl/d1_pkt.c | 1 + ssl/s3_enc.c | 10 ++++++++++ ssl/s3_pkt.c | 5 +++++ ssl/t1_enc.c | 11 +++++++++-- 5 files changed, 25 insertions(+), 3 deletions(-) diff --git a/ssl/d1_enc.c b/ssl/d1_enc.c index ab8ccd1f6b..906a26364b 100644 --- a/ssl/d1_enc.c +++ b/ssl/d1_enc.c @@ -246,7 +246,6 @@ int dtls1_enc(SSL *s, int send) } #endif /* KSSL_DEBUG */ - rec->orig_len = rec->length; if ((bs != 1) && !send) return tls1_cbc_remove_padding(s, rec, bs, mac_size); } diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c index cdbbe347d9..d367524536 100644 --- a/ssl/d1_pkt.c +++ b/ssl/d1_pkt.c @@ -367,6 +367,7 @@ dtls1_process_record(SSL *s) /* decrypt in place in 'rr->input' */ rr->data=rr->input; + rr->orig_len=rr->length; enc_err = s->method->ssl3_enc->enc(s,0); if (enc_err <= 0) diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c index 6471ac4901..a7830a2d43 100644 --- a/ssl/s3_enc.c +++ b/ssl/s3_enc.c @@ -433,6 +433,15 @@ void ssl3_cleanup_key_block(SSL *s) s->s3->tmp.key_block_length=0; } +/* ssl3_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively. + * + * Returns: + * 0: (in non-constant time) if the record is publically invalid (i.e. too + * short etc). + * 1: if the record's padding is valid / the encryption was successful. + * -1: if the record's padding is invalid or, if sending, an internal error + * occured. + */ int ssl3_enc(SSL *s, int send) { SSL3_RECORD *rec; @@ -503,6 +512,7 @@ int ssl3_enc(SSL *s, int send) if (s->read_hash != NULL) mac_size = EVP_MD_size(s->read_hash); + if ((bs != 1) && !send) return ssl3_cbc_remove_padding(s, rec, bs, mac_size); } diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c index 0d27f514af..e658edbb1d 100644 --- a/ssl/s3_pkt.c +++ b/ssl/s3_pkt.c @@ -352,8 +352,13 @@ again: /* decrypt in place in 'rr->input' */ rr->data=rr->input; + rr->orig_len=rr->length; enc_err = s->method->ssl3_enc->enc(s,0); + /* enc_err is: + * 0: (in non-constant time) if the record is publically invalid. + * 1: if the padding is valid + * -1: if the padding is invalid */ if (enc_err == 0) { /* SSLerr() and ssl3_send_alert() have been called */ diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c index 6d6046b337..8968ed0ef7 100644 --- a/ssl/t1_enc.c +++ b/ssl/t1_enc.c @@ -528,6 +528,15 @@ err: return(0); } +/* tls1_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively. + * + * Returns: + * 0: (in non-constant time) if the record is publically invalid (i.e. too + * short etc). + * 1: if the record's padding is valid / the encryption was successful. + * -1: if the record's padding/AEAD-authenticator is invalid or, if sending, + * an internal error occured. + */ int tls1_enc(SSL *s, int send) { SSL3_RECORD *rec; @@ -628,8 +637,6 @@ int tls1_enc(SSL *s, int send) } #endif /* KSSL_DEBUG */ - rec->orig_len = rec->length; - ret = 1; if (s->read_hash != NULL) mac_size = EVP_MD_size(s->read_hash);