projects / openssl.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 3b12515)
Add checks to the return value of EVP_Cipher to prevent silent encryption failure.
authorMatt Caswell <matt@openssl.org>
Tue, 18 Nov 2014 12:56:26 +0000 (12:56 +0000)
committerMatt Caswell <matt@openssl.org>
Thu, 27 Nov 2014 21:58:31 +0000 (21:58 +0000)
PR#1767

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 244d0955adc027c0f41a3251e55d145bf940f9ce)

ssl/d1_enc.c patch | blob | history
ssl/d1_pkt.c patch | blob | history
ssl/s3_enc.c patch | blob | history
ssl/s3_pkt.c patch | blob | history

diff --git a/ssl/d1_enc.c b/ssl/d1_enc.c
index 712c4647f24cb072beddda21a79d993f583a100d..3da2b4c8c2a79c8611d9a6606dbc8df233cd2554 100644 (file)
--- a/ssl/d1_enc.c
+++ b/ssl/d1_enc.c
@@ -241,7 +241,8 @@ int dtls1_enc(SSL *s, int send)
                                return 0;
                        }
                
-               EVP_Cipher(ds,rec->data,rec->input,l);
+               if(EVP_Cipher(ds,rec->data,rec->input,l) < 1)
+                       return -1;
 
 #ifdef KSSL_DEBUG
                {
diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c
index 3615423f69571fcf7a6c89a9d0ab9f75b5188af1..800452827558b4e490e0294588f76d4af929990c 100644 (file)
--- a/ssl/d1_pkt.c
+++ b/ssl/d1_pkt.c
@@ -1511,7 +1511,7 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len,
                wr->length += bs;
                }
 
-       s->method->ssl3_enc->enc(s,1);
+       if(s->method->ssl3_enc->enc(s,1) < 1) goto err;
 
        /* record length after mac and block padding */
 /*     if (type == SSL3_RT_APPLICATION_DATA ||
diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c
index 9a494f30630e5c484299c25ab236656b0d264b4f..2ba52c45a120a743dbf2bcbc84af5c6f27e02310 100644 (file)
--- a/ssl/s3_enc.c
+++ b/ssl/s3_enc.c
@@ -534,7 +534,8 @@ int ssl3_enc(SSL *s, int send)
                        /* otherwise, rec->length >= bs */
                        }
                
-               EVP_Cipher(ds,rec->data,rec->input,l);
+               if(EVP_Cipher(ds,rec->data,rec->input,l) < 1)
+                       return -1;
 
                if (EVP_MD_CTX_md(s->read_hash) != NULL)
                        mac_size = EVP_MD_CTX_size(s->read_hash);
diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
index 504b468ec8eb3cc35d6d415aa80ed61570ea59e9..92a65c38bf9b1c41bfda2826e681758eab33577e 100644 (file)
--- a/ssl/s3_pkt.c
+++ b/ssl/s3_pkt.c
@@ -816,8 +816,7 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
                wr->data=p;
                }
 
-       /* ssl3_enc can only have an error on read */
-       s->method->ssl3_enc->enc(s,1);
+       if(s->method->ssl3_enc->enc(s,1)<1) goto err;
 
        /* record length after mac and block padding */
        s2n(wr->length,plen);
Unnamed repository; edit this file 'description' to name the repository.