summaryrefslogtreecommitdiff
path: root/lib
diff options
context:
space:
mode:
authorTheo Buehler <tb@cvs.openbsd.org>2020-06-19 21:26:41 +0000
committerTheo Buehler <tb@cvs.openbsd.org>2020-06-19 21:26:41 +0000
commit5663396cb05ee9c5cdae3690e0511203a8ac3ae7 (patch)
tree6e8384baa24f6f25c5714b039ac1d60aa94d3b0c /lib
parentb0bae9e482cf7b6c1a205cd3290e506e00990997 (diff)
We inherited the constant time CBC padding removal from BoringSSL, but
missed a subsequent fix for an off-by-one in that code. If the first byte of a CBC padding of length 255 is mangled, we don't detect that. Adam Langley's BoringSSL commit 80842bdb44855dd7f1dde64a3fa9f4e782310fc7 Fixes the failing tlsfuzzer lucky 13 test case. ok beck inoguchi
Diffstat (limited to 'lib')
-rw-r--r--lib/libssl/s3_cbc.c8
1 files changed, 4 insertions, 4 deletions
diff --git a/lib/libssl/s3_cbc.c b/lib/libssl/s3_cbc.c
index 004b92118e2..74e0562c2db 100644
--- a/lib/libssl/s3_cbc.c
+++ b/lib/libssl/s3_cbc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_cbc.c,v 1.21 2020/03/16 15:25:13 tb Exp $ */
+/* $OpenBSD: s3_cbc.c,v 1.22 2020/06/19 21:26:40 tb Exp $ */
/* ====================================================================
* Copyright (c) 2012 The OpenSSL Project. All rights reserved.
*
@@ -145,9 +145,9 @@ tls1_cbc_remove_padding(const SSL* s, SSL3_RECORD_INTERNAL *rec,
* decrypted information. Therefore we always have to check the maximum
* amount of padding possible. (Again, the length of the record is
* public information so we can use it.) */
- to_check = 255; /* maximum amount of padding. */
- if (to_check > rec->length - 1)
- to_check = rec->length - 1;
+ to_check = 256; /* maximum amount of padding, inc length byte. */
+ if (to_check > rec->length)
+ to_check = rec->length;
for (i = 0; i < to_check; i++) {
unsigned char mask = constant_time_ge(padding_length, i);