From: Matt Caswell <matt@openssl.org>
Date: Mon, 24 Oct 2022 16:30:42 +0000 (+0100)
Subject: Fix the ceiling on how much encryption growth we can have
X-Git-Tag: openssl-3.2.0-alpha1~1788
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=830eae60a61876a5bcd267f47e224269852dcc29;p=thirdparty%2Fopenssl.git

Fix the ceiling on how much encryption growth we can have

Stitched ciphersuites can grow by more during encryption than the code
allowed for. We fix the calculation and add an assert to check we go it
right.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19516)
---

diff --git a/ssl/record/methods/tls_common.c b/ssl/record/methods/tls_common.c
index 666a4f6ae2c..8dc1bf3be05 100644
--- a/ssl/record/methods/tls_common.c
+++ b/ssl/record/methods/tls_common.c
@@ -1546,6 +1546,14 @@ int tls_prepare_record_header_default(OSSL_RECORD_LAYER *rl,
     return 1;
 }
 
+/*
+ * Encryption growth may result from padding in CBC ciphersuites (never more
+ * than SSL_RT_MAX_CIPHER_BLOCK_SIZE bytes), or from an AEAD tag (never more
+ * than EVP_MAX_MD_SIZE bytes). In the case of stitched ciphersuites growth can
+ * come from both of these.
+ */
+#define MAX_ENCRYPTION_GROWTH (EVP_MAX_MD_SIZE + SSL_RT_MAX_CIPHER_BLOCK_SIZE)
+
 int tls_prepare_for_encryption_default(OSSL_RECORD_LAYER *rl,
                                        size_t mac_size,
                                        WPACKET *thispkt,
@@ -1570,14 +1578,8 @@ int tls_prepare_for_encryption_default(OSSL_RECORD_LAYER *rl,
         }
     }
 
-    /*
-     * Reserve some bytes for any growth that may occur during encryption.
-     * This will be at most one cipher block or the tag length if using
-     * AEAD. SSL_RT_MAX_CIPHER_BLOCK_SIZE covers either case.
-     */
-    if (!WPACKET_reserve_bytes(thispkt,
-                               SSL_RT_MAX_CIPHER_BLOCK_SIZE,
-                               NULL)
+    /* Reserve some bytes for any growth that may occur during encryption. */
+    if (!WPACKET_reserve_bytes(thispkt, MAX_ENCRYPTION_GROWTH, NULL)
             /*
              * We also need next the amount of bytes written to this
              * sub-packet
@@ -1608,6 +1610,8 @@ int tls_post_encryption_processing_default(OSSL_RECORD_LAYER *rl,
 
     /* Allocate bytes for the encryption overhead */
     if (!WPACKET_get_length(thispkt, &origlen)
+               /* Check we allowed enough room for the encryption growth */
+            || !ossl_assert(origlen + MAX_ENCRYPTION_GROWTH >= thiswr->length)
             /* Encryption should never shrink the data! */
             || origlen > thiswr->length
             || (thiswr->length > origlen