authortb <>2020-06-19 21:26:40 +0000
committertb <>2020-06-19 21:26:40 +0000
commit4874610e087dfc56cd25acdca3ddba4d533bbe02 (patch)
treea0416e45ad6fcaa33901e33b7aafcca7267fe381
parentfaae55c9b393e2dcc156eb7b14185e156ea09be8 (diff)
We inherited the constant time CBC padding removal from BoringSSL, but
missed a subsequent fix for an off-by-one in that code. If the first byte of a CBC padding of length 255 is mangled, we don't detect that. Adam Langley's BoringSSL commit 80842bdb44855dd7f1dde64a3fa9f4e782310fc7 Fixes the failing tlsfuzzer lucky 13 test case. ok beck inoguchi
-rw-r--r--src/lib/libssl/s3_cbc.c8
1 files changed, 4 insertions, 4 deletions
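--- a/src/lib/libssl/s3_cbc.c
+++ b/src/lib/libssl/s3_cbc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_cbc.c,v 1.21 2020/03/16 15:25:13 tb Exp $ */
+/* $OpenBSD: s3_cbc.c,v 1.22 2020/06/19 21:26:40 tb Exp $ */
 /* ====================================================================
  * Copyright (c) 2012 The OpenSSL Project. All rights reserved.
  *
@@ -145,9 +145,9 @@ tls1_cbc_remove_padding(const SSL* s, SSL3_RECORD_INTERNAL *rec,
  * decrypted information. Therefore we always have to check the maximum
  * amount of padding possible. (Again, the length of the record is
  * public information so we can use it.) */
- to_check = 255; /* maximum amount of padding. */
- if (to_check > rec->length - 1)
-  to_check = rec->length - 1;
+ to_check = 256; /* maximum amount of padding, inc length byte. */
+ if (to_check > rec->length)
+  to_check = rec->length;
 
  for (i = 0; i < to_check; i++) {
  unsigned char mask = constant_time_ge(padding_length, i);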
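Review bot: The trailing comment on the new `to_check = 256;` line says what the bound includes but not why the loop needs it, and this bound is the whole of the padding-oracle fix. I would spell the invariant out, for example `/* 255 padding bytes + 1 length byte: the loop must reach i == 255 so the first padding byte is compared too. */`. The loop body ends outside this hunk, so the byte index for `i == rec->length - 1` cannot be confirmed from here. It presumably counts back from the last byte of the record, and a one-line comment beside the clamp `if (to_check > rec->length)` saying that the clamp keeps that index inside the record would make the bound checkable on sight. The description cites only the external tlsfuzzer case, so an in-tree regression test that flips the first byte of a 255-byte padding and expects rejection would pin the behaviour.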