CBC mode: Allow zero-length message fragments (100% padding)

Possible fix for Mbed-TLS#1632
espressif · Jun 20, 2018 · 0f3e552 · 0f3e552
1 parent b3a48ac
commit 0f3e552
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 7 deletions.
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
@@ -1902,27 +1902,27 @@ static int ssl_decrypt_buf( mbedtls_ssl_context *ssl )
              * and fake check up to 256 bytes of padding
              */
             size_t pad_count = 0, real_count = 1;
-            size_t padding_idx = ssl->in_msglen - padlen - 1;
+            size_t padding_idx = ssl->in_msglen - padlen;
 
             /*
              * Padding is guaranteed to be incorrect if:
-             *   1. padlen >= ssl->in_msglen
+             *   1. padlen > ssl->in_msglen
              *
-             *   2. padding_idx >= MBEDTLS_SSL_MAX_CONTENT_LEN +
+             *   2. padding_idx > MBEDTLS_SSL_MAX_CONTENT_LEN +
              *                     ssl->transform_in->maclen
              *
              * In both cases we reset padding_idx to a safe value (0) to
              * prevent out-of-buffer reads.
              */
-            correct &= ( ssl->in_msglen >= padlen + 1 );
-            correct &= ( padding_idx < MBEDTLS_SSL_MAX_CONTENT_LEN +
+            correct &= ( padlen <= ssl->in_msglen );
+            correct &= ( padding_idx <= MBEDTLS_SSL_MAX_CONTENT_LEN +
                                        ssl->transform_in->maclen );
 
             padding_idx *= correct;
 
-            for( i = 1; i <= 256; i++ )
+            for( i = 0; i < 256; i++ )
             {
-                real_count &= ( i <= padlen );
+                real_count &= ( i < padlen );
                 pad_count += real_count *
                              ( ssl->in_msg[padding_idx + i] == padlen - 1 );
             }

diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
@@ -3752,6 +3752,20 @@ run_test    "Small packet TLS 1.2 AEAD shorter tag" \
             0 \
             -s "Read from client: 1 bytes read"
 
+# Test for zero-length application data messages with CBC
+# (using a CBC cipher here causes a zero length application data
+# message to be sent (16 padding bytes.) This should be ignored
+# by mbedTLS and not returned as data to the caller
+#
+# (The actual bad data is 16 repeated 0x0f bytes, which can't
+# be matched by cross-platform grep.)
+
+run_test    "Zero-length application data message with CBC" \
+            "$O_SRV -tls1" \
+            "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA" \
+            0 \
+            -C "Read from server: 16 bytes read"
+
 # Tests for small packets in DTLS
 
 requires_config_enabled MBEDTLS_SSL_PROTO_DTLS