diff options
author | Matt Caswell <matt@openssl.org> | 2020-06-26 18:22:18 +0100 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2020-07-06 09:26:09 +0100 |
commit | 2d9f56e9992ef3725b87a0a8e6165a18d038b784 (patch) | |
tree | 3d206e641a8b27bcfefb627f305e91887dac5c6e /ssl | |
parent | b5588178232f5cbf32662dfa173c72a001d54aeb (diff) |
Ensure TLS padding is added during encryption on the provider side
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12288)
Diffstat (limited to 'ssl')
-rw-r--r-- | ssl/record/ssl3_record.c | 20 |
1 files changed, 16 insertions, 4 deletions
diff --git a/ssl/record/ssl3_record.c b/ssl/record/ssl3_record.c index 6359c79bb1..80990e8296 100644 --- a/ssl/record/ssl3_record.c +++ b/ssl/record/ssl3_record.c @@ -869,13 +869,19 @@ int ssl3_enc(SSL *s, SSL3_RECORD *inrecs, size_t n_recs, int sending, memmove(rec->data, rec->input, rec->length); rec->input = rec->data; } else { + int provided = (EVP_CIPHER_provider(enc) != NULL); + l = rec->length; /* TODO(size_t): Convert this call */ bs = EVP_CIPHER_CTX_block_size(ds); /* COMPRESS */ - if ((bs != 1) && sending) { + if ((bs != 1) && sending && !provided) { + /* + * We only do this for legacy ciphers. Provided ciphers add the + * padding on the provider side. + */ i = bs - (l % bs); /* we need to add 'i-1' padding bytes */ @@ -1038,6 +1044,8 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending, recs[ctr].input = recs[ctr].data; } } else { + int provided = (EVP_CIPHER_provider(enc) != NULL); + bs = EVP_CIPHER_block_size(EVP_CIPHER_CTX_cipher(ds)); if (n_recs > 1) { @@ -1097,7 +1105,11 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending, recs[ctr].length += pad; } - } else if ((bs != 1) && sending) { + } else if ((bs != 1) && sending && !provided) { + /* + * We only do this for legacy ciphers. Provided ciphers add the + * padding on the provider side. + */ padnum = bs - (reclen[ctr] % bs); /* Add weird padding of up to 256 bytes */ @@ -1170,7 +1182,7 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending, } } - if (EVP_CIPHER_provider(enc) != NULL) { + if (provided) { int outlen; /* Provided cipher - we do not support pipelining on this path */ @@ -1275,7 +1287,7 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending, : NULL, bs, macsize, - (EVP_CIPHER_CTX_flags(s->enc_read_ctx) + (EVP_CIPHER_flags(enc) & EVP_CIPH_FLAG_AEAD_CIPHER) != 0, s->ctx->libctx)) return 0; |