tls: Check all bytes of the padding if they equal the padding length

author Martin Willi <martin@revosec.ch>

Wed, 15 Oct 2014 12:17:30 +0000 (14:17 +0200)

committer Martin Willi <martin@revosec.ch>

Wed, 15 Oct 2014 12:21:01 +0000 (14:21 +0200)
author Martin Willi <martin@revosec.ch>
Wed, 15 Oct 2014 12:17:30 +0000 (14:17 +0200)
committer Martin Willi <martin@revosec.ch>
Wed, 15 Oct 2014 12:21:01 +0000 (14:21 +0200)
diff --git a/src/libtls/tls_aead_expl.c b/src/libtls/tls_aead_expl.c

index 5e4d33e141318fcabc50359f1ae211c72eaea8ee..37779a1eed9abed8e6ce48da7db57456018674ab 100644 (file)
--- a/src/libtls/tls_aead_expl.c
+++ b/src/libtls/tls_aead_expl.c
@@ -106,6 +106,7 @@ METHOD(tls_aead_t, decrypt, bool,
         chunk_t assoc, mac, iv;
         u_int8_t bs, padlen;
         sigheader_t hdr;
+       size_t i;
  
         iv.len = this->crypter->get_iv_size(this->crypter);
         if (data->len < iv.len)
@@ -126,6 +127,13 @@ METHOD(tls_aead_t, decrypt, bool,
         padlen = data->ptr[data->len - 1];
         if (padlen < data->len)
         {       /* If padding looks valid, remove it */
+               for (i = data->len - padlen - 1; i < data->len - 1; i++)
+               {
+                       if (data->ptr[i] != padlen)
+                       {
+                               return FALSE;
+                       }
+               }
                 data->len -= padlen + 1;
         }
  
diff --git a/src/libtls/tls_aead_impl.c b/src/libtls/tls_aead_impl.c

index fb14026e0b5cfef39d1b87eeb46aae66f66b16b8..d529ceba73c109243db8cd6823bcb97bcff6742e 100644 (file)
--- a/src/libtls/tls_aead_impl.c
+++ b/src/libtls/tls_aead_impl.c
@@ -100,6 +100,7 @@ METHOD(tls_aead_t, decrypt, bool,
         chunk_t assoc, mac, iv;
         u_int8_t bs, padlen;
         sigheader_t hdr;
+       size_t i;
  
         bs = this->crypter->get_block_size(this->crypter);
         if (data->len < bs || data->len < this->iv.len || data->len % bs)
@@ -116,6 +117,13 @@ METHOD(tls_aead_t, decrypt, bool,
         padlen = data->ptr[data->len - 1];
         if (padlen < data->len)
         {       /* If padding looks valid, remove it */
+               for (i = data->len - padlen - 1; i < data->len - 1; i++)
+               {
+                       if (data->ptr[i] != padlen)
+                       {
+                               return FALSE;
+                       }
+               }
                 data->len -= padlen + 1;
         }
author	Martin Willi <martin@revosec.ch>
	Wed, 15 Oct 2014 12:17:30 +0000 (14:17 +0200)
committer	Martin Willi <martin@revosec.ch>
	Wed, 15 Oct 2014 12:21:01 +0000 (14:21 +0200)
src/libtls/tls_aead_expl.c		patch \| blob \| blame \| history
src/libtls/tls_aead_impl.c		patch \| blob \| blame \| history