_gnutls_epoch_set_keys: do not forbid random padding in TLS1.x CBC ciphersuites
authorNikos Mavrogiannopoulos <nmav@gnutls.org>
Sat, 3 Aug 2019 19:51:58 +0000 (21:51 +0200)
committerNikos Mavrogiannopoulos <nmav@redhat.com>
Fri, 6 Sep 2019 07:44:56 +0000 (09:44 +0200)
Since some point in 3.6.x we updated the calculation of maximum record size,
however that did not include the possibility of random record padding available
for CBC ciphersuites which exceeds the maximum. This commit allows for larger
sizes for these ciphersuites to account for random padding as applied by
gnutls 2.12.x.

Resolves: #811

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
NEWS
lib/constate.c
lib/record.c

diff --git a/NEWS b/NEWS
index 1e3658840de98725936ae66d78294c807f3ce262..e0320042c3769c33cde1a00b47ca92314aa7fef8 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -15,10 +15,14 @@ See the end for copying conditions.
 ** libgnutls: add gnutls_aead_cipher_encryptv2 and gnutls_aead_cipher_decryptv2
    functions that will perform in-place encryption/decryption on data buffers (#718).
 
+** libgnutls: added interoperability tests with gnutls 2.12.x; addressed
+   issue with large record handling due to random padding (#811).
+
 ** API and ABI modifications:
 gnutls_aead_cipher_encryptv2: Added
 gnutls_aead_cipher_decryptv2: Added
 
+
 * Version 3.6.9 (released 2019-07-25)
 
 ** libgnutls: add gnutls_hash_copy/gnutls_hmac_copy functions that will create a copy
index 51a4eca30a9e54edd795e53fe01b50879eb58833..4c6ca0fd0f646e98a29a53fbac29a67892edaa04 100644 (file)
@@ -707,10 +707,17 @@ int _gnutls_epoch_set_keys(gnutls_session_t session, uint16_t epoch, hs_stage_t
                        return gnutls_assert_val(ret);
        }
 
-       if (ver->tls13_sem) {
+       /* The TLS1.3 limit of 256 additional bytes is also enforced under CBC
+        * ciphers to ensure we interoperate with gnutls 2.12.x which could add padding
+        * data exceeding the maximum. */
+       if (ver->tls13_sem || _gnutls_cipher_type(params->cipher) == CIPHER_BLOCK) {
                session->internals.max_recv_size = 256;
        } else {
-               session->internals.max_recv_size = _gnutls_record_overhead(ver, params->cipher, params->mac, 1);
+               session->internals.max_recv_size = 0;
+       }
+
+       if (!ver->tls13_sem) {
+               session->internals.max_recv_size += _gnutls_record_overhead(ver, params->cipher, params->mac, 1);
                if (session->internals.allow_large_records != 0)
                        session->internals.max_recv_size += EXTRA_COMP_SIZE;
        }
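Review bot: The new `|| _gnutls_cipher_type(params->cipher) == CIPHER_BLOCK` condition adds 256 bytes to `max_recv_size` for every peer that negotiates a CBC suite under TLS 1.0–1.2, not only gnutls 2.12.x, and the comment does not say where the plaintext limit is still enforced. This value presumably bounds the record length accepted before decryption, so I would extend the comment with something like `/* only the on-the-wire length is relaxed; the decrypted payload is still checked against the negotiated maximum after padding removal */`, and back it with a test that sends an oversized plaintext under a CBC suite. The literal `256` now stands for both the TLS 1.3 allowance and the CBC padding allowance, so a named constant (for example `MAX_CBC_PAD_ALLOWANCE`, a name suggested here, not taken from the tree) would make the two meanings explicit. The body of `_gnutls_epoch_set_keys` starts and continues outside the hunk.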
index 39d2a16be2d7523ea206d00e12b744f2e95df1d2..7c7e36561124865ab0b02ed05595dd26ee58ba30 100644 (file)
@@ -1219,8 +1219,8 @@ static int recv_headers(gnutls_session_t session,
 
        if (record->length == 0 || record->length > max_record_recv_size(session)) {
                _gnutls_audit_log
-                   (session, "Received packet with illegal length: %u\n",
-                    (unsigned int) record->length);
+                   (session, "Received packet with illegal length: %u (max: %u)\n",
+                    (unsigned int) record->length, (unsigned)max_record_recv_size(session));
 
                if (record->length == 0) {
                        /* Empty, unencrypted records are always unexpected. */
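Review bot: `max_record_recv_size(session)` is now evaluated twice, once in the condition and once for the audit message, and the two casts in the log call are spelled differently (`(unsigned int)` and `(unsigned)`). Storing the limit in a local just before the `if` and printing that local guarantees the reported maximum is the value that was actually compared, for example `(unsigned int) record->length, (unsigned int) max_recv);` with `max_recv` assigned above the condition. `recv_headers` continues outside the hunk, so whether a suitable local already exists there is not visible.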