diff options
author | Jack Lloyd <[email protected]> | 2016-04-15 02:09:45 -0400 |
---|---|---|
committer | Jack Lloyd <[email protected]> | 2016-04-15 02:09:45 -0400 |
commit | 6315841fca399cf9bdc62b324fdfe0e23b9afbe9 (patch) | |
tree | 30aada06ff2169efe442c39ccd48e644dcfb2364 /src/lib | |
parent | 0b06b4f61b497c7ad9869441f12ee287b65cde36 (diff) |
Don't reject TLS packets with zero plaintext bytes
OpenSSL sends an empty record before each new data record in TLS v1.0
to randomize the IV, as a countermeasure to the BEAST attack. Most
implementations use 1/(n-1) splitting for this instead.
Bug introduced with the const time changes in 1.11.23
Diffstat (limited to 'src/lib')
-rw-r--r-- | src/lib/tls/tls_record.cpp | 26 | ||||
-rw-r--r-- | src/lib/utils/ct_utils.h | 6 |
2 files changed, 19 insertions, 13 deletions
diff --git a/src/lib/tls/tls_record.cpp b/src/lib/tls/tls_record.cpp index efa6e2d18..8af6587e3 100644 --- a/src/lib/tls/tls_record.cpp +++ b/src/lib/tls/tls_record.cpp @@ -139,20 +139,16 @@ Connection_Cipher_State::format_ad(u64bit msg_sequence, Protocol_Version version, u16bit msg_length) { - std::vector<byte> m_ad; - m_ad.reserve(13); + std::vector<byte> ad(13); - for(size_t i = 0; i != 8; ++i) - m_ad.push_back(get_byte(i, msg_sequence)); - m_ad.push_back(msg_type); + store_be(msg_sequence, &ad[0]); + ad[8] = msg_type; + ad[9] = version.major_version(); + ad[10] = version.minor_version(); + ad[11] = get_byte(0, msg_length); + ad[12] = get_byte(1, msg_length); - m_ad.push_back(version.major_version()); - m_ad.push_back(version.minor_version()); - - m_ad.push_back(get_byte(0, msg_length)); - m_ad.push_back(get_byte(1, msg_length)); - - return m_ad; + return ad; } void write_record(secure_vector<byte>& output, @@ -425,7 +421,7 @@ void decrypt_record(secure_vector<byte>& output, u16bit pad_size = tls_padding_check(record_contents, record_len); // This mask is zero if there is not enough room in the packet - const u16bit size_ok_mask = CT::is_less<u16bit>(mac_size + pad_size + iv_size, record_len); + const u16bit size_ok_mask = CT::is_lte<u16bit>(mac_size + pad_size + iv_size, record_len); pad_size &= size_ok_mask; CT::unpoison(record_contents, record_len); @@ -454,9 +450,13 @@ void decrypt_record(secure_vector<byte>& output, CT::unpoison(ok_mask); if(ok_mask) + { output.assign(plaintext_block, plaintext_block + plaintext_length); + } else + { throw TLS_Exception(Alert::BAD_RECORD_MAC, "Message authentication failure"); + } } } diff --git a/src/lib/utils/ct_utils.h b/src/lib/utils/ct_utils.h index 5a1d03d4f..1f095ba88 100644 --- a/src/lib/utils/ct_utils.h +++ b/src/lib/utils/ct_utils.h @@ -129,6 +129,12 @@ inline T is_less(T x, T y) } template<typename T> +inline T is_lte(T x, T y) + { + return expand_mask<T>(x <= y); + } + +template<typename T> inline void conditional_copy_mem(T value, T* to, const T* from0, |