Fix SSL_BUFFER_LEN

This commit is contained in:
Manuel Pégourié-Gonnard 2014-06-18 23:11:34 +02:00 committed by Paul Bakker
parent 8920f69fef
commit 08485cca81
2 changed files with 8 additions and 4 deletions

View File

@ -34,9 +34,13 @@ Bugfix
* Fix symlink command for cross compiling with CMake (found by Andre * Fix symlink command for cross compiling with CMake (found by Andre
Heinecke) Heinecke)
* Fix DER output of gen_key app (found by Gergely Budai) * Fix DER output of gen_key app (found by Gergely Budai)
* Very small packets were incorrectly rejected when truncated HMAC was in * Very small records were incorrectly rejected when truncated HMAC was in
use with some ciphersuites and versions (RC4 in all versions, CBC with use with some ciphersuites and versions (RC4 in all versions, CBC with
versions < TLS 1.1). versions < TLS 1.1).
* Very large records using more than 224 bytes of padding were incorrectly
rejected with CBC-based ciphersuites and TLS >= 1.1
* Very large records using less padding could cause a buffer overread of up
to 32 bytes with CBC-based ciphersuites and TLS >= 1.1
= PolarSSL 1.3.7 released on 2014-05-02 = PolarSSL 1.3.7 released on 2014-05-02
Features Features

View File

@ -258,8 +258,8 @@
/* \} name SECTION: Module settings */ /* \} name SECTION: Module settings */
/* /*
* Allow an extra 301 bytes for the record header * Allow an extra 301 bytes for the record header and encryption overhead:
* and encryption overhead: counter (8) + header (5) + MAC (32) + padding (256) * counter (8) + header (5) + IV(16) + MAC (48) + padding (256)
* and allow for a maximum of 1024 of compression expansion if * and allow for a maximum of 1024 of compression expansion if
* enabled. * enabled.
*/ */
@ -269,7 +269,7 @@
#define SSL_COMPRESSION_ADD 0 #define SSL_COMPRESSION_ADD 0
#endif #endif
#define SSL_BUFFER_LEN (SSL_MAX_CONTENT_LEN + SSL_COMPRESSION_ADD + 301) #define SSL_BUFFER_LEN (SSL_MAX_CONTENT_LEN + SSL_COMPRESSION_ADD + 333)
#define SSL_EMPTY_RENEGOTIATION_INFO 0xFF /**< renegotiation info ext */ #define SSL_EMPTY_RENEGOTIATION_INFO 0xFF /**< renegotiation info ext */