diff options
Diffstat (limited to '')
| -rw-r--r-- | src/lib/libssl/d1_pkt.c | 26 |
1 files changed, 16 insertions, 10 deletions
diff --git a/src/lib/libssl/d1_pkt.c b/src/lib/libssl/d1_pkt.c index 39aac73e10..e0c0f0cc9a 100644 --- a/src/lib/libssl/d1_pkt.c +++ b/src/lib/libssl/d1_pkt.c | |||
| @@ -375,6 +375,7 @@ dtls1_process_record(SSL *s) | |||
| 375 | SSL3_RECORD *rr; | 375 | SSL3_RECORD *rr; |
| 376 | unsigned int mac_size; | 376 | unsigned int mac_size; |
| 377 | unsigned char md[EVP_MAX_MD_SIZE]; | 377 | unsigned char md[EVP_MAX_MD_SIZE]; |
| 378 | int decryption_failed_or_bad_record_mac = 0; | ||
| 378 | 379 | ||
| 379 | 380 | ||
| 380 | rr= &(s->s3->rrec); | 381 | rr= &(s->s3->rrec); |
| @@ -409,13 +410,10 @@ dtls1_process_record(SSL *s) | |||
| 409 | enc_err = s->method->ssl3_enc->enc(s,0); | 410 | enc_err = s->method->ssl3_enc->enc(s,0); |
| 410 | if (enc_err <= 0) | 411 | if (enc_err <= 0) |
| 411 | { | 412 | { |
| 412 | /* decryption failed, silently discard message */ | 413 | /* To minimize information leaked via timing, we will always |
| 413 | if (enc_err < 0) | 414 | * perform all computations before discarding the message. |
| 414 | { | 415 | */ |
| 415 | rr->length = 0; | 416 | decryption_failed_or_bad_record_mac = 1; |
| 416 | s->packet_length = 0; | ||
| 417 | } | ||
| 418 | goto err; | ||
| 419 | } | 417 | } |
| 420 | 418 | ||
| 421 | #ifdef TLS_DEBUG | 419 | #ifdef TLS_DEBUG |
| @@ -445,7 +443,7 @@ printf("\n"); | |||
| 445 | SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG); | 443 | SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG); |
| 446 | goto f_err; | 444 | goto f_err; |
| 447 | #else | 445 | #else |
| 448 | goto err; | 446 | decryption_failed_or_bad_record_mac = 1; |
| 449 | #endif | 447 | #endif |
| 450 | } | 448 | } |
| 451 | /* check the MAC for rr->input (it's in mac_size bytes at the tail) */ | 449 | /* check the MAC for rr->input (it's in mac_size bytes at the tail) */ |
| @@ -456,17 +454,25 @@ printf("\n"); | |||
| 456 | SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_LENGTH_TOO_SHORT); | 454 | SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_LENGTH_TOO_SHORT); |
| 457 | goto f_err; | 455 | goto f_err; |
| 458 | #else | 456 | #else |
| 459 | goto err; | 457 | decryption_failed_or_bad_record_mac = 1; |
| 460 | #endif | 458 | #endif |
| 461 | } | 459 | } |
| 462 | rr->length-=mac_size; | 460 | rr->length-=mac_size; |
| 463 | i=s->method->ssl3_enc->mac(s,md,0); | 461 | i=s->method->ssl3_enc->mac(s,md,0); |
| 464 | if (i < 0 || memcmp(md,&(rr->data[rr->length]),mac_size) != 0) | 462 | if (i < 0 || memcmp(md,&(rr->data[rr->length]),mac_size) != 0) |
| 465 | { | 463 | { |
| 466 | goto err; | 464 | decryption_failed_or_bad_record_mac = 1; |
| 467 | } | 465 | } |
| 468 | } | 466 | } |
| 469 | 467 | ||
| 468 | if (decryption_failed_or_bad_record_mac) | ||
| 469 | { | ||
| 470 | /* decryption failed, silently discard message */ | ||
| 471 | rr->length = 0; | ||
| 472 | s->packet_length = 0; | ||
| 473 | goto err; | ||
| 474 | } | ||
| 475 | |||
| 470 | /* r->length is now just compressed */ | 476 | /* r->length is now just compressed */ |
| 471 | if (s->expand != NULL) | 477 | if (s->expand != NULL) |
| 472 | { | 478 | { |