diff options
author | Theo Buehler <tb@cvs.openbsd.org> | 2020-06-19 21:26:41 +0000 |
---|---|---|
committer | Theo Buehler <tb@cvs.openbsd.org> | 2020-06-19 21:26:41 +0000 |
commit | 5663396cb05ee9c5cdae3690e0511203a8ac3ae7 (patch) | |
tree | 6e8384baa24f6f25c5714b039ac1d60aa94d3b0c /lib | |
parent | b0bae9e482cf7b6c1a205cd3290e506e00990997 (diff) |
We inherited the constant time CBC padding removal from BoringSSL, but
missed a subsequent fix for an off-by-one in that code. If the first
byte of a CBC padding of length 255 is mangled, we don't detect that.
Adam Langley's BoringSSL commit 80842bdb44855dd7f1dde64a3fa9f4e782310fc7
Fixes the failing tlsfuzzer lucky 13 test case.
ok beck inoguchi
Diffstat (limited to 'lib')
-rw-r--r-- | lib/libssl/s3_cbc.c | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/lib/libssl/s3_cbc.c b/lib/libssl/s3_cbc.c index 004b92118e2..74e0562c2db 100644 --- a/lib/libssl/s3_cbc.c +++ b/lib/libssl/s3_cbc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s3_cbc.c,v 1.21 2020/03/16 15:25:13 tb Exp $ */ +/* $OpenBSD: s3_cbc.c,v 1.22 2020/06/19 21:26:40 tb Exp $ */ /* ==================================================================== * Copyright (c) 2012 The OpenSSL Project. All rights reserved. * @@ -145,9 +145,9 @@ tls1_cbc_remove_padding(const SSL* s, SSL3_RECORD_INTERNAL *rec, * decrypted information. Therefore we always have to check the maximum * amount of padding possible. (Again, the length of the record is * public information so we can use it.) */ - to_check = 255; /* maximum amount of padding. */ - if (to_check > rec->length - 1) - to_check = rec->length - 1; + to_check = 256; /* maximum amount of padding, inc length byte. */ + if (to_check > rec->length) + to_check = rec->length; for (i = 0; i < to_check; i++) { unsigned char mask = constant_time_ge(padding_length, i); |