Don't crash when processing a zero-length, TLS >= 1.1 record.

The previous CBC patch was bugged in that there was a path through enc()
in s3_pkt.c/d1_pkt.c which didn't set orig_len. orig_len would be left
at the previous value which could suggest that the packet was a
sufficient length when it wasn't.
(cherry picked from commit 6cb19b7681f600b2f165e4adc57547b097b475fd)

diff --git a/ssl/d1_enc.c b/ssl/d1_enc.c
index c13b495a081f56941bea4e372ca149592cd035ee..da42348b3df2f50677f23f52558abc676b110f0f 100644 (file)
--- a/ssl/d1_enc.c
+++ b/ssl/d1_enc.c
@@ -245,7 +245,6 @@ int dtls1_enc(SSL *s, int send)
                 }
 #endif /* KSSL_DEBUG */
 
                 }
 #endif /* KSSL_DEBUG */
 

-               rec->orig_len = rec->length;

                if ((bs != 1) && !send)
                        return tls1_cbc_remove_padding(s, rec, bs, mac_size);
                }
                if ((bs != 1) && !send)
                        return tls1_cbc_remove_padding(s, rec, bs, mac_size);
                }

diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c
index 46a195089e046d6f33553f057857e17894b0d6cc..5ee7c0db921fbc9de91c8cc7d4b09056700fc20e 100644 (file)
--- a/ssl/d1_pkt.c
+++ b/ssl/d1_pkt.c
@@ -406,6 +406,7 @@ dtls1_process_record(SSL *s)
 
        /* decrypt in place in 'rr->input' */
        rr->data=rr->input;
 
        /* decrypt in place in 'rr->input' */
        rr->data=rr->input;

+       rr->orig_len=rr->length;

 
        enc_err = s->method->ssl3_enc->enc(s,0);
        if (enc_err <= 0)
 
        enc_err = s->method->ssl3_enc->enc(s,0);
        if (enc_err <= 0)

diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c
index de5354aefd1a0608a48eb789d55e13797ae7299a..a5829dc54e87a99db94e54df2264d462ebddf0b4 100644 (file)
--- a/ssl/s3_enc.c
+++ b/ssl/s3_enc.c
@@ -465,6 +465,15 @@ void ssl3_cleanup_key_block(SSL *s)
        s->s3->tmp.key_block_length=0;
        }
 
        s->s3->tmp.key_block_length=0;
        }
 

+/* ssl3_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively.
+ *
+ * Returns:
+ *   0: (in non-constant time) if the record is publically invalid (i.e. too
+ *       short etc).
+ *   1: if the record's padding is valid / the encryption was successful.
+ *   -1: if the record's padding is invalid or, if sending, an internal error
+ *       occured.
+ */

 int ssl3_enc(SSL *s, int send)
        {
        SSL3_RECORD *rec;
 int ssl3_enc(SSL *s, int send)
        {
        SSL3_RECORD *rec;


@@ -531,8 +540,6 @@ int ssl3_enc(SSL *s, int send)
                
                EVP_Cipher(ds,rec->data,rec->input,l);
 
                
                EVP_Cipher(ds,rec->data,rec->input,l);
 

-               rec->orig_len = rec->length;
-

                if (EVP_MD_CTX_md(s->read_hash) != NULL)
                        mac_size = EVP_MD_CTX_size(s->read_hash);
                if ((bs != 1) && !send)
                if (EVP_MD_CTX_md(s->read_hash) != NULL)
                        mac_size = EVP_MD_CTX_size(s->read_hash);
                if ((bs != 1) && !send)

diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
index 2e0c173ecdb1e7eceed4c93dd88339b3bdea528c..5bd0cd462ce83d1afcea799e8e5254cd6b71b232 100644 (file)
--- a/ssl/s3_pkt.c
+++ b/ssl/s3_pkt.c
@@ -398,8 +398,13 @@ fprintf(stderr, "Record type=%d, Length=%d\n", rr->type, rr->length);
 
        /* decrypt in place in 'rr->input' */
        rr->data=rr->input;
 
        /* decrypt in place in 'rr->input' */
        rr->data=rr->input;

+       rr->orig_len=rr->length;

 
        enc_err = s->method->ssl3_enc->enc(s,0);
 
        enc_err = s->method->ssl3_enc->enc(s,0);

+       /* enc_err is:
+        *    0: (in non-constant time) if the record is publically invalid.
+        *    1: if the padding is valid
+        *    -1: if the padding is invalid */

        if (enc_err == 0)
                {
                /* SSLerr() and ssl3_send_alert() have been called */
        if (enc_err == 0)
                {
                /* SSLerr() and ssl3_send_alert() have been called */

diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
index 0cb3c56478d6a57a338b9a01859d7840c830f53c..aaa4a5ef280296a6ef51a39167983563203fb6b6 100644 (file)
--- a/ssl/t1_enc.c
+++ b/ssl/t1_enc.c
@@ -635,6 +635,15 @@ err:
        return(ret);
        }
 
        return(ret);
        }
 

+/* tls1_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively.
+ *
+ * Returns:
+ *   0: (in non-constant time) if the record is publically invalid (i.e. too
+ *       short etc).
+ *   1: if the record's padding is valid / the encryption was successful.
+ *   -1: if the record's padding/AEAD-authenticator is invalid or, if sending,
+ *       an internal error occured.
+ */

 int tls1_enc(SSL *s, int send)
        {
        SSL3_RECORD *rec;
 int tls1_enc(SSL *s, int send)
        {
        SSL3_RECORD *rec;


@@ -746,8 +755,6 @@ int tls1_enc(SSL *s, int send)
                }
 #endif /* KSSL_DEBUG */
 
                }
 #endif /* KSSL_DEBUG */
 

-               rec->orig_len = rec->length;
-

                ret = 1;
                if (EVP_MD_CTX_md(s->read_hash) != NULL)
                        mac_size = EVP_MD_CTX_size(s->read_hash);
                ret = 1;
                if (EVP_MD_CTX_md(s->read_hash) != NULL)
                        mac_size = EVP_MD_CTX_size(s->read_hash);