Peter Wu
changed
bug 9144
| What |
Removed |
Added |
| Attachment #11603 Flags |
|
review_for_checkin?
|
Comment # 19
on bug 9144
from Peter Wu
Created attachment 11603 [details]
Use IV from record for CBC mode, add padding/IV length check
Add summary of RFCs to make it more obvious why certain parts (IV, MAC,
padding) are used. Merge DTLS and TLS blocks for extracting IV. This
saves an unnecessary memmove() because the input pointer is, well, just
a local variable and can therefore be incremented.
Validate padding and IV lengths before using it. A crash could occur
if the explicit IV is missing (this would make memmove write before its
buffer). The missing padding check had as implication that a misleading
error is returning with a negative length (not exploitable).
Use IV from record for CBC mode, previously it decrypted the first block
incorrectly and then threw this "decrypted" IV away. Now it extracts the
IV and uses this for decrypting the first fragment block. (remember that
CBC xor's the output of the block cipher with the previous ciphertext
(or IV for the first block)).
This is a preparation for GCM which does not have a MAC. The skip_mac
branch is necessary to make the compiler happy in this patch, 'mac'
could otherwise be uninitialised.
---
Commit message above, I added the "goto" to avoid re-indenting all MAC code
below. This patch was compile and runtime tested on captures using CBC mode.
A patch to support GCM (CTR w/o auth) is still being cooked.
If you haven't noticed it, I put some tools in my repo[1] to ease generation of
test captures for all ciphers supported by OpenSSL. Some captures and debug
logs are also available. Miscellaneous tools: convert ciphers to numbers (and
v.v.), decrypt AES256-CBC (used for this patch).
As for the AUTHORS file, I don't mind being listed on there ;)
[1]: https://git.lekensteyn.nl/peter/wireshark-notes/
You are receiving this mail because:
- You are watching all bug changes.
