diff options
author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2019-08-03 21:51:58 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2019-09-06 09:44:56 +0200 |
commit | daa49b9e455d262a1a2bc1b641e72dc004e2cb3e (patch) | |
tree | f00d09e42ac1e549673831d088cece476664c294 | |
parent | 5074fb7f22c0d09ad0ceb57bd8f9420ae9dc74d3 (diff) | |
download | gnutls-daa49b9e455d262a1a2bc1b641e72dc004e2cb3e.tar.gz |
_gnutls_epoch_set_keys: do not forbid random padding in TLS1.x CBC ciphersuites
Since some point in 3.6.x we updated the calculation of maximum record size,
however that did not include the possibility of random record padding available
for CBC ciphersuites which exceeds the maximum. This commit allows for larger
sizes for these ciphersuites to account for random padding as applied by
gnutls 2.12.x.
Resolves: #811
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
-rw-r--r-- | NEWS | 4 | ||||
-rw-r--r-- | lib/constate.c | 11 | ||||
-rw-r--r-- | lib/record.c | 4 |
3 files changed, 15 insertions, 4 deletions
@@ -15,10 +15,14 @@ See the end for copying conditions. ** libgnutls: add gnutls_aead_cipher_encryptv2 and gnutls_aead_cipher_decryptv2 functions that will perform in-place encryption/decryption on data buffers (#718). +** libgnutls: added interoperability tests with gnutls 2.12.x; addressed + issue with large record handling due to random padding (#811). + ** API and ABI modifications: gnutls_aead_cipher_encryptv2: Added gnutls_aead_cipher_decryptv2: Added + * Version 3.6.9 (released 2019-07-25) ** libgnutls: add gnutls_hash_copy/gnutls_hmac_copy functions that will create a copy diff --git a/lib/constate.c b/lib/constate.c index 51a4eca30a..4c6ca0fd0f 100644 --- a/lib/constate.c +++ b/lib/constate.c @@ -707,10 +707,17 @@ int _gnutls_epoch_set_keys(gnutls_session_t session, uint16_t epoch, hs_stage_t return gnutls_assert_val(ret); } - if (ver->tls13_sem) { + /* The TLS1.3 limit of 256 additional bytes is also enforced under CBC + * ciphers to ensure we interoperate with gnutls 2.12.x which could add padding + * data exceeding the maximum. */ + if (ver->tls13_sem || _gnutls_cipher_type(params->cipher) == CIPHER_BLOCK) { session->internals.max_recv_size = 256; } else { - session->internals.max_recv_size = _gnutls_record_overhead(ver, params->cipher, params->mac, 1); + session->internals.max_recv_size = 0; + } + + if (!ver->tls13_sem) { + session->internals.max_recv_size += _gnutls_record_overhead(ver, params->cipher, params->mac, 1); if (session->internals.allow_large_records != 0) session->internals.max_recv_size += EXTRA_COMP_SIZE; } diff --git a/lib/record.c b/lib/record.c index 39d2a16be2..7c7e365611 100644 --- a/lib/record.c +++ b/lib/record.c @@ -1219,8 +1219,8 @@ static int recv_headers(gnutls_session_t session, if (record->length == 0 || record->length > max_record_recv_size(session)) { _gnutls_audit_log - (session, "Received packet with illegal length: %u\n", - (unsigned int) record->length); + (session, "Received packet with illegal length: %u (max: %u)\n", + (unsigned int) record->length, (unsigned)max_record_recv_size(session)); if (record->length == 0) { /* Empty, unencrypted records are always unexpected. */ |