mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-11-30 03:54:16 +01:00
CBC mode: Allow zero-length message fragments (100% padding)
Fixes https://github.com/ARMmbed/mbedtls/issues/1632
This commit is contained in:
parent
57e9fe2df4
commit
1226dd7715
@ -15,6 +15,11 @@ Bugfix
|
|||||||
by Brendan Shanks. Part of a fix for #992.
|
by Brendan Shanks. Part of a fix for #992.
|
||||||
* Fix compilation error when MBEDTLS_ARC4_C is disabled and
|
* Fix compilation error when MBEDTLS_ARC4_C is disabled and
|
||||||
MBEDTLS_CIPHER_NULL_CIPHER is enabled. Found by TrinityTonic in #1719.
|
MBEDTLS_CIPHER_NULL_CIPHER is enabled. Found by TrinityTonic in #1719.
|
||||||
|
* Fix decryption of zero length messages (all padding) in some circumstances:
|
||||||
|
DTLS 1.0 and 1.2, and CBC ciphersuites using encrypt-then-MAC. Most often
|
||||||
|
seen when communicating with OpenSSL using TLS 1.0. Reported by @kFYatek
|
||||||
|
(#1632) and by Conor Murphy on the forum. Fix contributed by Espressif
|
||||||
|
Systems.
|
||||||
|
|
||||||
Changes
|
Changes
|
||||||
* Change the shebang line in Perl scripts to look up perl in the PATH.
|
* Change the shebang line in Perl scripts to look up perl in the PATH.
|
||||||
|
@ -1881,27 +1881,27 @@ static int ssl_decrypt_buf( mbedtls_ssl_context *ssl )
|
|||||||
* and fake check up to 256 bytes of padding
|
* and fake check up to 256 bytes of padding
|
||||||
*/
|
*/
|
||||||
size_t pad_count = 0, real_count = 1;
|
size_t pad_count = 0, real_count = 1;
|
||||||
size_t padding_idx = ssl->in_msglen - padlen - 1;
|
size_t padding_idx = ssl->in_msglen - padlen;
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Padding is guaranteed to be incorrect if:
|
* Padding is guaranteed to be incorrect if:
|
||||||
* 1. padlen >= ssl->in_msglen
|
* 1. padlen > ssl->in_msglen
|
||||||
*
|
*
|
||||||
* 2. padding_idx >= MBEDTLS_SSL_MAX_CONTENT_LEN +
|
* 2. padding_idx > MBEDTLS_SSL_MAX_CONTENT_LEN +
|
||||||
* ssl->transform_in->maclen
|
* ssl->transform_in->maclen
|
||||||
*
|
*
|
||||||
* In both cases we reset padding_idx to a safe value (0) to
|
* In both cases we reset padding_idx to a safe value (0) to
|
||||||
* prevent out-of-buffer reads.
|
* prevent out-of-buffer reads.
|
||||||
*/
|
*/
|
||||||
correct &= ( ssl->in_msglen >= padlen + 1 );
|
correct &= ( padlen <= ssl->in_msglen );
|
||||||
correct &= ( padding_idx < MBEDTLS_SSL_MAX_CONTENT_LEN +
|
correct &= ( padding_idx <= MBEDTLS_SSL_MAX_CONTENT_LEN +
|
||||||
ssl->transform_in->maclen );
|
ssl->transform_in->maclen );
|
||||||
|
|
||||||
padding_idx *= correct;
|
padding_idx *= correct;
|
||||||
|
|
||||||
for( i = 1; i <= 256; i++ )
|
for( i = 0; i < 256; i++ )
|
||||||
{
|
{
|
||||||
real_count &= ( i <= padlen );
|
real_count &= ( i < padlen );
|
||||||
pad_count += real_count *
|
pad_count += real_count *
|
||||||
( ssl->in_msg[padding_idx + i] == padlen - 1 );
|
( ssl->in_msg[padding_idx + i] == padlen - 1 );
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user