authorMatt Caswell <matt@openssl.org>2022-10-27 14:14:53 +0100
committerMatt Caswell <matt@openssl.org>2022-11-02 10:23:40 +0000
commiteaa206007322ab0b1eaf9f83485e56deafc9df80 (patch)
tree3077607d0ba3870887f45928e30b7ef7bd7e3698 /ssl/record
parent27cf118437c3979165e7f37d5c2eb3b88fc0c035 (diff)
Fix the ceiling on how much encryption growth we can have
Stitched ciphersuites can grow by more during encryption than the code allowed for. We fix the calculation and add an assert to check we got it right. Note that this is not a security issue. Even though we can overflow the amount of bytes reserved in the WPACKET for the encryption, the underlying buffer is still big enough. Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19517)
Diffstat (limited to 'ssl/record')
-rw-r--r--ssl/record/rec_layer_s3.c22
1 files changed, 14 insertions, 8 deletions
diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c
index a267889..a36ae8d 100644
--- a/ssl/record/rec_layer_s3.c
+++ b/ssl/record/rec_layer_s3.c
@@ -16,6 +16,7 @@
#include <openssl/rand.h>
#include "record_local.h"
#include "internal/packet.h"
+#include "internal/cryptlib.h"
#if defined(OPENSSL_SMALL_FOOTPRINT) || \
!( defined(AES_ASM) && ( \
@@ -676,6 +677,14 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, size_t len,
}
}
+/*
+ * Encryption growth may result from padding in CBC ciphersuites (never more
+ * than SSL_RT_MAX_CIPHER_BLOCK_SIZE bytes), or from an AEAD tag (never more
+ * than EVP_MAX_MD_SIZE bytes). In the case of stitched ciphersuites growth can
+ * come from both of these.
+ */
+#define MAX_ENCRYPTION_GROWTH (EVP_MAX_MD_SIZE + SSL_RT_MAX_CIPHER_BLOCK_SIZE)
+
int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
size_t *pipelens, size_t numpipes,
int create_empty_fragment, size_t *written)
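Review bot: The comment on MAX_ENCRYPTION_GROWTH states the per-mechanism bounds but not what the bound is measured against, which is the property a future ciphersuite addition would have to preserve; I would add a sentence such as `* Any record-protection method added to this layer must keep its total growth within this bound; the reservation made in do_ssl3_write relies on it.` so the invariant is stated where the constant is defined. The commit message says the underlying write buffer is sized independently of this reservation, so overflowing the reservation is not memory-unsafe; if that sizing is expressed by a compile-time constant (I cannot see it from this hunk), a `_Static_assert` relating MAX_ENCRYPTION_GROWTH to it would make the relationship checkable at build time rather than only by the runtime ossl_assert added further down. The macro expansion is already fully parenthesized, so no change is needed there.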
@@ -1014,15 +1023,9 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
}
}
- /*
- * Reserve some bytes for any growth that may occur during encryption.
- * This will be at most one cipher block or the tag length if using
- * AEAD. SSL_RT_MAX_CIPHER_BLOCK_SIZE covers either case.
- */
+ /* Reserve some bytes for any growth that may occur during encryption. */
if (!BIO_get_ktls_send(s->wbio)) {
- if (!WPACKET_reserve_bytes(thispkt,
- SSL_RT_MAX_CIPHER_BLOCK_SIZE,
- NULL)
+ if (!WPACKET_reserve_bytes(thispkt, MAX_ENCRYPTION_GROWTH, NULL)
/*
* We also need next the amount of bytes written to this
* sub-packet
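Review bot: The replacement comment at the reservation site drops the explanation of where the reserve size comes from, which the old four-line comment carried; since the reasoning now lives at the macro, the comment should point the reader there, e.g. `/* Reserve some bytes for any growth that may occur during encryption; see MAX_ENCRYPTION_GROWTH for how the bound is derived. */`. The reservation is still skipped on the ktls path, which is unchanged by this commit and presumably intended because the kernel performs the record protection there; a half-sentence noting that in the same comment would save the next reader the question. The `if` condition beginning with WPACKET_reserve_bytes continues beyond the end of the hunk.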
@@ -1074,6 +1077,9 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
/* Allocate bytes for the encryption overhead */
if (!WPACKET_get_length(thispkt, &origlen)
+ /* Check we allowed enough room for the encryption growth */
+ || !ossl_assert(origlen + MAX_ENCRYPTION_GROWTH
+ >= thiswr->length)
/* Encryption should never shrink the data! */
|| origlen > thiswr->length
|| (thiswr->length > origlen