authorTheo Buehler <tb@cvs.openbsd.org>2020-06-19 21:26:41 +0000
committerTheo Buehler <tb@cvs.openbsd.org>2020-06-19 21:26:41 +0000
commit5663396cb05ee9c5cdae3690e0511203a8ac3ae7 (patch)
tree6e8384baa24f6f25c5714b039ac1d60aa94d3b0c /lib/libssl/s3_cbc.c
parentb0bae9e482cf7b6c1a205cd3290e506e00990997 (diff)
We inherited the constant time CBC padding removal from BoringSSL, but
missed a subsequent fix for an off-by-one in that code. If the first byte of a CBC padding of length 255 is mangled, we don't detect that. See Adam Langley's BoringSSL commit 80842bdb44855dd7f1dde64a3fa9f4e782310fc7. Fixes the failing tlsfuzzer lucky 13 test case. ok beck inoguchi
Diffstat (limited to 'lib/libssl/s3_cbc.c')
-rw-r--r--lib/libssl/s3_cbc.c8
1 files changed, 4 insertions, 4 deletions
diff --git a/lib/libssl/s3_cbc.c b/lib/libssl/s3_cbc.c
index 004b92118e2..74e0562c2db 100644
--- a/lib/libssl/s3_cbc.c
+++ b/lib/libssl/s3_cbc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_cbc.c,v 1.21 2020/03/16 15:25:13 tb Exp $ */
+/* $OpenBSD: s3_cbc.c,v 1.22 2020/06/19 21:26:40 tb Exp $ */
/* ====================================================================
* Copyright (c) 2012 The OpenSSL Project. All rights reserved.
*
@@ -145,9 +145,9 @@ tls1_cbc_remove_padding(const SSL* s, SSL3_RECORD_INTERNAL *rec,
* decrypted information. Therefore we always have to check the maximum
* amount of padding possible. (Again, the length of the record is
* public information so we can use it.) */
- to_check = 255; /* maximum amount of padding. */
- if (to_check > rec->length - 1)
- to_check = rec->length - 1;
+ to_check = 256; /* maximum amount of padding, inc length byte. */
+ if (to_check > rec->length)
+ to_check = rec->length;
for (i = 0; i < to_check; i++) {
unsigned char mask = constant_time_ge(padding_length, i);