diff options
author | Dmitry Belyavskiy <beldmit@gmail.com> | 2022-07-27 12:15:07 +0200 |
---|---|---|
committer | Dmitry Belyavskiy <beldmit@gmail.com> | 2022-08-02 14:38:57 +0200 |
commit | cc750a9a81e24d46076b5de0b700aec478c2bd13 (patch) | |
tree | bddeb9970cd6d91a07bb6cc51ac3b8047d868609 /ssl/record | |
parent | 2db226ce01be804fbd2d60b019c897305a8f091e (diff) | |
download | openssl-cc750a9a81e24d46076b5de0b700aec478c2bd13.zip openssl-cc750a9a81e24d46076b5de0b700aec478c2bd13.tar.gz openssl-cc750a9a81e24d46076b5de0b700aec478c2bd13.tar.bz2 |
Check that IV length is not less than zero
As EVP_CIPHER_CTX_get_iv_length indicates failure with -1, this error
should be processed. Also the result of this function shouldn't be
assigned to an unsigned variable.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Signed-off-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18922)
Diffstat (limited to 'ssl/record')
-rw-r--r-- | ssl/record/rec_layer_d1.c | 4 | ||||
-rw-r--r-- | ssl/record/rec_layer_s3.c | 4 | ||||
-rw-r--r-- | ssl/record/ssl3_record_tls13.c | 7 |
3 files changed, 14 insertions, 1 deletions
diff --git a/ssl/record/rec_layer_d1.c b/ssl/record/rec_layer_d1.c index 7cf3169..7f3d1a7 100644 --- a/ssl/record/rec_layer_d1.c +++ b/ssl/record/rec_layer_d1.c @@ -874,6 +874,10 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, int mode = EVP_CIPHER_CTX_get_mode(s->enc_write_ctx); if (mode == EVP_CIPH_CBC_MODE) { eivlen = EVP_CIPHER_CTX_get_iv_length(s->enc_write_ctx); + if (eivlen < 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_LIBRARY_BUG); + return -1; + } if (eivlen <= 1) eivlen = 0; } diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c index d26437f..e8b5654 100644 --- a/ssl/record/rec_layer_s3.c +++ b/ssl/record/rec_layer_s3.c @@ -832,6 +832,10 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, int mode = EVP_CIPHER_CTX_get_mode(s->enc_write_ctx); if (mode == EVP_CIPH_CBC_MODE) { eivlen = EVP_CIPHER_CTX_get_iv_length(s->enc_write_ctx); + if (eivlen < 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_LIBRARY_BUG); + goto err; + } if (eivlen <= 1) eivlen = 0; } else if (mode == EVP_CIPH_GCM_MODE) { diff --git a/ssl/record/ssl3_record_tls13.c b/ssl/record/ssl3_record_tls13.c index 8671b61..45eefce 100644 --- a/ssl/record/ssl3_record_tls13.c +++ b/ssl/record/ssl3_record_tls13.c @@ -25,7 +25,8 @@ int tls13_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending, { EVP_CIPHER_CTX *ctx; unsigned char iv[EVP_MAX_IV_LENGTH], recheader[SSL3_RT_HEADER_LENGTH]; - size_t ivlen, taglen, offset, loop, hdrlen; + size_t taglen, offset, loop, hdrlen; + int ivlen; unsigned char *staticiv; unsigned char *seq; int lenu, lenf; @@ -62,6 +63,10 @@ int tls13_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending, } ivlen = EVP_CIPHER_CTX_get_iv_length(ctx); + if (ivlen < 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); + return 0; + } if (s->early_data_state == SSL_EARLY_DATA_WRITING || s->early_data_state == SSL_EARLY_DATA_WRITE_RETRY) { |