Diffstat (limited to 'src/lib/libssl/s3_cbc.c')
| -rw-r--r-- | src/lib/libssl/s3_cbc.c | 30 |
1 files changed, 14 insertions, 16 deletions
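--- a/src/lib/libssl/s3_cbc.c
+++ b/src/lib/libssl/s3_cbc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_cbc.c,v 1.22 2020/06/19 21:26:40 tb Exp $ */
+/* $OpenBSD: s3_cbc.c,v 1.23 2020/10/03 17:35:16 jsing Exp $ */
 /* ====================================================================
  * Copyright (c) 2012 The OpenSSL Project. All rights reserved.
  *
@@ -101,7 +101,7 @@ constant_time_eq_8(unsigned int a, unsigned int b)
 	return DUPLICATE_MSB_TO_ALL_8(c);
 }
 
-/* tls1_cbc_remove_padding removes the CBC padding from the decrypted, TLS, CBC
+/* ssl3_cbc_remove_padding removes the CBC padding from the decrypted, TLS, CBC
  * record in |rec| in constant time and returns 1 if the padding is valid and
  * -1 otherwise. It also removes any explicit IV from the start of the record
  * without leaking any timing about whether there was enough space after the
@@ -113,26 +113,24 @@ constant_time_eq_8(unsigned int a, unsigned int b)
  * 1: if the padding was valid
  * -1: otherwise. */
 int
-tls1_cbc_remove_padding(const SSL* s, SSL3_RECORD_INTERNAL *rec,
-    unsigned int block_size, unsigned int mac_size)
+ssl3_cbc_remove_padding(SSL3_RECORD_INTERNAL *rec, unsigned int eiv_len,
+    unsigned int mac_size)
 {
 	unsigned int padding_length, good, to_check, i;
 	const unsigned int overhead = 1 /* padding length byte */ + mac_size;
 
-	/* Check if version requires explicit IV */
-	if (SSL_USE_EXPLICIT_IV(s)) {
-		/* These lengths are all public so we can test them in
-		 * non-constant time.
-		 */
-		if (overhead + block_size > rec->length)
-			return 0;
-		/* We can now safely skip explicit IV */
-		rec->data += block_size;
-		rec->input += block_size;
-		rec->length -= block_size;
-	} else if (overhead > rec->length)
+	/*
+	 * These lengths are all public so we can test them in
+	 * non-constant time.
+	 */
+	if (overhead + eiv_len > rec->length)
 		return 0;
 
+	/* We can now safely skip explicit IV, if any. */
+	rec->data += eiv_len;
+	rec->input += eiv_len;
+	rec->length -= eiv_len;
+
 	padding_length = rec->data[rec->length - 1];
 
 	good = constant_time_ge(rec->length, overhead + padding_length);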
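Review bot: The docblock renamed at old line 104 still says the function "removes any explicit IV" but does not document the new `eiv_len` parameter, which is now the only thing that decides whether an IV is skipped since the `SSL *s` / `SSL_USE_EXPLICIT_IV` check has moved out to the callers, which are outside this diff. Unless lines 108-112 (outside the hunk) already cover it, I would add to that comment: ` * |eiv_len| is the length of the explicit IV at the start of |rec| (0 when the protocol version has none). It is public data, so it is checked in non-constant time along with |mac_size|.` The early `return 0;` on a too-short record remains a publicly-visible length failure rather than a padding-oracle signal, which matches the old code, and the `rec->length - 1` index after the subtraction is still in bounds because the check guarantees `rec->length >= 1 + mac_size + eiv_len`. The body of ssl3_cbc_remove_padding continues past the end of this hunk.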
