From 4874610e087dfc56cd25acdca3ddba4d533bbe02 Mon Sep 17 00:00:00 2001
From: tb <>
Date: Fri, 19 Jun 2020 21:26:40 +0000
Subject: We inherited the constant time CBC padding removal from BoringSSL, but missed a subsequent fix for an off-by-one in that code. If the first byte of a CBC padding of length 255 is mangled, we don't detect that. Adam Langley's BoringSSL commit 80842bdb44855dd7f1dde64a3fa9f4e782310fc7 Fixes the failing tlsfuzzer lucky 13 test case. ok beck inoguchi

---
 src/lib/libssl/s3_cbc.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/lib/libssl/s3_cbc.c b/src/lib/libssl/s3_cbc.c
index 004b92118e..74e0562c2d 100644
--- a/src/lib/libssl/s3_cbc.c
+++ b/src/lib/libssl/s3_cbc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_cbc.c,v 1.21 2020/03/16 15:25:13 tb Exp $ */
+/* $OpenBSD: s3_cbc.c,v 1.22 2020/06/19 21:26:40 tb Exp $ */
 /* ====================================================================
  * Copyright (c) 2012 The OpenSSL Project. All rights reserved.
  *
@@ -145,9 +145,9 @@ tls1_cbc_remove_padding(const SSL* s, SSL3_RECORD_INTERNAL *rec,
 	 * decrypted information. Therefore we always have to check the maximum
 	 * amount of padding possible. (Again, the length of the record is
 	 * public information so we can use it.)
 	 */
-	to_check = 255; /* maximum amount of padding. */
-	if (to_check > rec->length - 1)
-		to_check = rec->length - 1;
+	to_check = 256; /* maximum amount of padding, inc length byte. */
+	if (to_check > rec->length)
+		to_check = rec->length;
 	for (i = 0; i < to_check; i++) {
 		unsigned char mask = constant_time_ge(padding_length, i);
-- 
cgit v1.2.3-55-g6feb
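Review bot: The new bound `to_check = 256` depends on an invariant the added comment does not state: the mask `constant_time_ge(padding_length, i)` on the next line is set for every `i <= padding_length`, so the loop must run `padding_length + 1` times for `i` to reach the outermost padding byte when `padding_length == 255`, which the old bound of 255 never did. I would replace the terse comment with `/* Check padding_length + 1 bytes: up to 255 padding bytes plus the length byte, so i reaches padding_length. */` so the next person does not "simplify" it back to 255. The clamp `if (to_check > rec->length)` presumably relies on an earlier minimum-length check on `rec->length` to keep the `rec->length - 1 - i` style indexing inside the loop body in range; that check and the loop body are outside the hunk, and tls1_cbc_remove_padding starts and ends outside it. Since the commit message credits a tlsfuzzer case for catching this, a regression test in the libssl regress tree that feeds a record with a 255-byte padding whose first padding byte is corrupted and asserts rejection would guard the fix without depending on the external fuzzer.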