From 0c7e9a01048b351fb87e54d3bd192d60b870cd6f Mon Sep 17 00:00:00 2001
From: Marco Oliverio
Date: Mon, 9 May 2022 10:40:35 +0200
Subject: [PATCH 1/4] internal.c: fix pad-size when more records are received at once

don't consider the end of the record the end of received data as more records may be read at once when DTLS will be supported.
---
 src/internal.c | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/src/internal.c b/src/internal.c
index 2745ce123..0a74450d3 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -17360,13 +17360,13 @@ int ProcessReplyEx(WOLFSSL* ssl, int allowSocketErr)
 ssl->keys.decryptedCur = 1;
 #ifdef WOLFSSL_TLS13
 if (ssl->options.tls1_3) {
- word16 i = (word16)(ssl->buffers.inputBuffer.length -
- ssl->keys.padSz);
+ /* end of plaintext */
+ word16 i = (word16)(ssl->buffers.inputBuffer.idx +
+ ssl->curSize - ssl->specs.aead_mac_size);
- /* sanity check on underflow */
- if (ssl->keys.padSz >= ssl->buffers.inputBuffer.length) {
- WOLFSSL_ERROR(DECRYPT_ERROR);
- return DECRYPT_ERROR;
+ if (i > ssl->buffers.inputBuffer.length) {
+ WOLFSSL_ERROR(BUFFER_ERROR);
+ return BUFFER_ERROR;
 }
 /* Remove padding from end of plain text. */
@@ -17374,9 +17374,12 @@ int ProcessReplyEx(WOLFSSL* ssl, int allowSocketErr)
 if (ssl->buffers.inputBuffer.buffer[i] != 0)
 break;
 }
+ /* Get the real content type from the end of the data. */
 ssl->curRL.type = ssl->buffers.inputBuffer.buffer[i];
- ssl->keys.padSz = ssl->buffers.inputBuffer.length - i;
+ /* consider both contentType byte and MAC as padding */
+ ssl->keys.padSz = ssl->buffers.inputBuffer.idx +
+ ssl->curSize - i;
 }
 #endif
 }
From 445c1e6cebd2fd6c8661ac9d245cb281479918a2 Mon Sep 17 00:00:00 2001
From: Marco Oliverio
Date: Tue, 10 May 2022 12:39:11 +0200
Subject: [PATCH 2/4] internal.c: don't check TLS13 plaintext limit twice

Plaintext size is checked before decryption in TLS 1.3
---
 src/internal.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
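Review bot: The new bound check in the TLS 1.3 branch only rejects `i` running past inputBuffer.length; the removed `padSz >= length` test was the low-side guard, and nothing replaces it, so a record whose curSize is not larger than aead_mac_size yields `i <= idx`, and the padding loop below (its header is outside this hunk) plus the second hunk's `padSz = ssl->buffers.inputBuffer.idx + ssl->curSize - i` then read the content-type byte from outside the current record and produce a padSz larger than the record itself. Unless curSize is already validated against aead_mac_size before decryption (not visible here), the check should cover both sides: `if (ssl->curSize <= ssl->specs.aead_mac_size || i > ssl->buffers.inputBuffer.length) {`. The `(word16)` narrowing of an index built from idx + curSize is carried over from the old code; if inputBuffer.idx can exceed 65535 the truncated value can pass the `> length` test, so computing the bound at full width and narrowing only after the check would be safer. ProcessReplyEx's body continues outside both hunks.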
diff --git a/src/internal.c b/src/internal.c
index 0a74450d3..a9bddbdf6 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -17410,7 +17410,9 @@ int ProcessReplyEx(WOLFSSL* ssl, int allowSocketErr)
 }
 else
 #endif
- if (ssl->buffers.inputBuffer.length -
+ /* TLS13 plaintext limit is checked earlier before decryption */
+ if (!IsAtLeastTLSv1_3(ssl->version)
+ && ssl->buffers.inputBuffer.length -
 ssl->keys.padSz -
 ssl->buffers.inputBuffer.idx > MAX_PLAINTEXT_SZ
 #ifdef WOLFSSL_ASYNC_CRYPT
From db23d8a0cf2e08daee6c0d1fe18fc765192f66b9 Mon Sep 17 00:00:00 2001
From: Marco Oliverio
Date: Tue, 10 May 2022 12:41:36 +0200
Subject: [PATCH 3/4] internal.c: don't skip records if we don't process early-data

If we don't process early data, we want to skip only the current record and not all the received data
---
 src/internal.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/src/internal.c b/src/internal.c
index a9bddbdf6..4b637bd33 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -16278,7 +16278,10 @@ int DoApplicationData(WOLFSSL* ssl, byte* input, word32* inOutIdx, int sniff)
 }
 if (!process) {
 WOLFSSL_MSG("Ignoring EarlyData!");
- *inOutIdx = ssl->buffers.inputBuffer.length;
+ *inOutIdx += ssl->curSize;
+ if (*inOutIdx > ssl->buffers.inputBuffer.length)
+ return BUFFER_E;
+ return 0;
 }
 }
@@ -17285,8 +17288,11 @@ int ProcessReplyEx(WOLFSSL* ssl, int allowSocketErr)
 if (ssl->keys.peer_sequence_number_lo-- == 0)
 ssl->keys.peer_sequence_number_hi--;
 ssl->options.processReply = doProcessInit;
- ssl->buffers.inputBuffer.idx =
- ssl->buffers.inputBuffer.length;
+ ssl->buffers.inputBuffer.idx += ssl->curSize;
+ if (ssl->buffers.inputBuffer.idx >
+ ssl->buffers.inputBuffer.length)
+ return BUFFER_E;
+ return 0;
 }
 WOLFSSL_MSG("Too much EarlyData!");
From f06ac9965c5105b9b767b4e894b52a816ec1a2f6 Mon Sep 17 00:00:00 2001
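Review bot: The exemption added in patch 2/4 keys on `IsAtLeastTLSv1_3(ssl->version)`, while the TLS 1.3 decryption branch earlier in ProcessReplyEx that the new comment relies on (patch 1/4) is entered under `ssl->options.tls1_3`. If those two predicates can disagree for a record — for instance before the negotiated version is settled — that record is compared against MAX_PLAINTEXT_SZ by neither path; using the same predicate here, `if (!ssl->options.tls1_3`, or a comment stating why the two are interchangeable at this point, would close that gap. The comment would also be more useful if it named the earlier check it refers to, so the dependency is traceable. The enclosing condition continues past the hunk.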
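Review bot: Both early-data skips in patch 3/4 advance the cursor before validating it: `*inOutIdx += ssl->curSize;` in DoApplicationData and `ssl->buffers.inputBuffer.idx += ssl->curSize;` in ProcessReplyEx are applied first and only then compared to inputBuffer.length, so on the BUFFER_E path the index is left past the end of the buffer for whatever cleanup runs afterwards (not visible here), and a wrap of the unsigned sum would pass the check. Checking the remaining room first keeps the state consistent on failure, e.g. in DoApplicationData `if (ssl->curSize > ssl->buffers.inputBuffer.length - *inOutIdx) return BUFFER_E; *inOutIdx += ssl->curSize; return 0;`, and the same shape for the ProcessReplyEx hunk. That presumes the index is at most length on entry, which neither hunk shows. Both enclosing functions continue outside the hunks.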
From: Marco Oliverio
Date: Tue, 10 May 2022 12:49:18 +0200
Subject: [PATCH 4/4] internal.c: fix: plaintext check account for the current record only
---
 src/internal.c | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/src/internal.c b/src/internal.c
index 4b637bd33..d368ea9c0 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -17398,10 +17398,9 @@ int ProcessReplyEx(WOLFSSL* ssl, int allowSocketErr)
 #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
 if (IsEncryptionOn(ssl, 0) && ssl->options.startedETMRead) {
- if ((ssl->buffers.inputBuffer.length -
+ if ((ssl->curSize -
 ssl->keys.padSz -
- MacSize(ssl) -
- ssl->buffers.inputBuffer.idx > MAX_PLAINTEXT_SZ)
+ MacSize(ssl) > MAX_PLAINTEXT_SZ)
 #ifdef WOLFSSL_ASYNC_CRYPT
 && ssl->buffers.inputBuffer.length != ssl->buffers.inputBuffer.idx
@@ -17418,9 +17417,7 @@ int ProcessReplyEx(WOLFSSL* ssl, int allowSocketErr)
 #endif
 /* TLS13 plaintext limit is checked earlier before decryption */
 if (!IsAtLeastTLSv1_3(ssl->version)
- && ssl->buffers.inputBuffer.length -
- ssl->keys.padSz -
- ssl->buffers.inputBuffer.idx > MAX_PLAINTEXT_SZ
+ && ssl->curSize - ssl->keys.padSz > MAX_PLAINTEXT_SZ
 #ifdef WOLFSSL_ASYNC_CRYPT
 && ssl->buffers.inputBuffer.length != ssl->buffers.inputBuffer.idx
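Review bot: Both plaintext-limit checks now measure the current record (`ssl->curSize - ...`), but the `#ifdef WOLFSSL_ASYNC_CRYPT` clause kept as context, `&& ssl->buffers.inputBuffer.length != ssl->buffers.inputBuffer.idx`, is still a whole-buffer condition. With several records buffered at once — the situation this series sets out to support — that inequality holds for every record but the last, so under async crypto the limit check would be skipped for them; if the clause is meant to detect a pending async operation rather than buffered data, a comment saying so would help, otherwise it needs a per-record form. The same applies to the second hunk, whose tail is cut off at the end of this chunk. The unsigned subtractions `ssl->curSize - ssl->keys.padSz - MacSize(ssl)` do fail safe on underflow, since a wrapped value exceeds MAX_PLAINTEXT_SZ, provided the operands are unsigned; that reliance deserves a one-line comment.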