Commit e0da2c2e authored by Ben Laurie's avatar Ben Laurie Committed by Dr. Stephen Henson
Browse files

Don't crash when processing a zero-length, TLS >= 1.1 record. 

The previous CBC patch was bugged in that there was a path through enc()
in s3_pkt.c/d1_pkt.c which didn't set orig_len. orig_len would be left
at the previous value which could suggest that the packet was a
sufficient length when it wasn't.
(cherry picked from commit 6cb19b76)
parent fb0a59cc

ssl/d1_enc.c

+0 −1
Original line number Diff line number Diff line
@@ -245,7 +245,6 @@ int dtls1_enc(SSL *s, int send) 
                }

#endif	/* KSSL_DEBUG */



		rec->orig_len = rec->length;

		if ((bs != 1) && !send)

			return tls1_cbc_remove_padding(s, rec, bs, mac_size);

		}

ssl/d1_pkt.c

+1 −0
Original line number Diff line number Diff line
@@ -414,6 +414,7 @@ dtls1_process_record(SSL *s) 


	/* decrypt in place in 'rr->input' */

	rr->data=rr->input;

	rr->orig_len=rr->length;



	enc_err = s->method->ssl3_enc->enc(s,0);

	if (enc_err <= 0)

ssl/s3_enc.c

+9 −2
Original line number Diff line number Diff line
@@ -487,6 +487,15 @@ void ssl3_cleanup_key_block(SSL *s) 
	s->s3->tmp.key_block_length=0;

	}



/* ssl3_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively.

 *

 * Returns:

 *   0: (in non-constant time) if the record is publically invalid (i.e. too

 *       short etc).

 *   1: if the record's padding is valid / the encryption was successful.

 *   -1: if the record's padding is invalid or, if sending, an internal error

 *       occured.

 */

int ssl3_enc(SSL *s, int send)

	{

	SSL3_RECORD *rec;
@@ -553,8 +562,6 @@ int ssl3_enc(SSL *s, int send) 
		

		EVP_Cipher(ds,rec->data,rec->input,l);



		rec->orig_len = rec->length;



		if (EVP_MD_CTX_md(s->read_hash) != NULL)

			mac_size = EVP_MD_CTX_size(s->read_hash);

		if ((bs != 1) && !send)

ssl/s3_pkt.c

+5 −0
Original line number Diff line number Diff line
@@ -401,8 +401,13 @@ fprintf(stderr, "Record type=%d, Length=%d\n", rr->type, rr->length); 


	/* decrypt in place in 'rr->input' */

	rr->data=rr->input;

	rr->orig_len=rr->length;



	enc_err = s->method->ssl3_enc->enc(s,0);

	/* enc_err is:

	 *    0: (in non-constant time) if the record is publically invalid.

	 *    1: if the padding is valid

	 *    -1: if the padding is invalid */

	if (enc_err == 0)

		{

		/* SSLerr() and ssl3_send_alert() have been called */

ssl/t1_enc.c

+9 −4
Original line number Diff line number Diff line
@@ -691,6 +691,15 @@ err: 
	return(ret);

	}



/* tls1_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively.

 *

 * Returns:

 *   0: (in non-constant time) if the record is publically invalid (i.e. too

 *       short etc).

 *   1: if the record's padding is valid / the encryption was successful.

 *   -1: if the record's padding/AEAD-authenticator is invalid or, if sending,

 *       an internal error occured.

 */

int tls1_enc(SSL *s, int send)

	{

	SSL3_RECORD *rec;
@@ -841,8 +850,6 @@ int tls1_enc(SSL *s, int send) 
			{

			if (l == 0 || l%bs != 0)

				{

				if (s->version >= TLS1_1_VERSION)

					return -1;

				SSLerr(SSL_F_TLS1_ENC,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);

				ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPTION_FAILED);

				return 0;
@@ -870,8 +877,6 @@ int tls1_enc(SSL *s, int send) 
		}

#endif	/* KSSL_DEBUG */



		rec->orig_len = rec->length;



		ret = 1;

		if (EVP_MD_CTX_md(s->read_hash) != NULL)

			mac_size = EVP_MD_CTX_size(s->read_hash);