Bug 565047: have ssl3_HandleRecord send a bad_record_mac alert instead of

decode_error when the cipher text is shorter than an IV block. Reduce MAX_IV_LENGTH to 24 to match the size of IVs in ssl3SidKeys. r=rrelyea. Modified Files: ssl3con.c sslimpl.h git-svn-id: svn://10.0.0.236/trunk@263570 18797224-902f-48f8-a5cc-f745e15eee43
2012-03-14 23:02:01 +00:00 · 2012-03-14 23:02:01 +00:00 · ca327be5b5
commit ca327be5b5
parent 88b087d95d
2 changed files with 18 additions and 7 deletions
--- a/mozilla/security/nss/lib/ssl/ssl3con.c
+++ b/mozilla/security/nss/lib/ssl/ssl3con.c
@ -40,7 +40,7 @@
 * the terms of any one of the MPL, the GPL or the LGPL.
 *
 * ***** END LICENSE BLOCK ***** */
-/* $Id: ssl3con.c,v 1.170 2012-03-13 02:39:11 wtc%google.com Exp $ */
+/* $Id: ssl3con.c,v 1.171 2012-03-14 23:02:00 wtc%google.com Exp $ */

 #include "cert.h"
 #include "ssl.h"
@ -2046,6 +2046,7 @@ ssl3_CompressMACEncryptRecord(ssl3CipherSpec *   cwSpec,
 	}
 	rv = PK11_GenerateRandom(wrBuf->buf + SSL3_RECORD_HEADER_LENGTH, ivLen);
 	if (rv != SECSuccess) {
+	    ssl_MapLowLevelError(SSL_ERROR_GENERATE_RANDOM_FAILURE);
 	    return rv;
 	}
 	rv = cwSpec->encode( cwSpec->encodeContext, 
@ -9026,21 +9027,31 @@ ssl3_HandleRecord(sslSocket *ss, SSL3Ciphertext *cText, sslBuffer *databuf)
 	int decoded;

 	ivLen = cipher_def->iv_size;
-	if (ivLen < 8 || ivLen > sizeof(iv) || ivLen > cText->buf->len) {
+	if (ivLen < 8 || ivLen > sizeof(iv)) {
+	    ssl_ReleaseSpecReadLock(ss);
+	    PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+	    return SECFailure;
+	}
+	if (ivLen > cText->buf->len) {
 	    SSL_DBG(("%d: SSL3[%d]: HandleRecord, IV length check failed",
 		     SSL_GETPID(), ss->fd));
 	    /* must not hold spec lock when calling SSL3_SendAlert. */
 	    ssl_ReleaseSpecReadLock(ss);
-	    ssl3_DecodeError(ss);
+	    SSL3_SendAlert(ss, alert_fatal, bad_record_mac);
+	    /* always log mac error, in case attacker can read server logs. */
+	    PORT_SetError(SSL_ERROR_BAD_MAC_READ);
 	    return SECFailure;
 	}

 	PRINT_BUF(80, (ss, "IV (ciphertext):", cText->buf->buf, ivLen));

+	/* The decryption result is garbage, but since we just throw away
+	 * the block it doesn't matter.  The decryption of the next block
+	 * depends only on the ciphertext of the IV block.
+	 */
 	rv = crSpec->decode(crSpec->decodeContext, iv, &decoded,
 			    sizeof(iv), cText->buf->buf, ivLen);

-	PRINT_BUF(80, (ss, "IV (cleartext):", iv, ivLen));
 	if (rv != SECSuccess) {
 	    /* All decryption failures must be treated like a bad record
 	     * MAC; see RFC 5246 (TLS 1.2). 
--- a/mozilla/security/nss/lib/ssl/sslimpl.h
+++ b/mozilla/security/nss/lib/ssl/sslimpl.h
@ -39,7 +39,7 @@
 * the terms of any one of the MPL, the GPL or the LGPL.
 *
 * ***** END LICENSE BLOCK ***** */
-/* $Id: sslimpl.h,v 1.97 2012-03-13 02:39:11 wtc%google.com Exp $ */
+/* $Id: sslimpl.h,v 1.98 2012-03-14 23:02:01 wtc%google.com Exp $ */

 #ifndef __sslimpl_h_
 #define __sslimpl_h_
@ -490,8 +490,8 @@ typedef enum {

 typedef enum { type_stream, type_block } CipherType;

-/* XXX Why is MAX_IV_LENGTH so big? */
-#define MAX_IV_LENGTH 64
+/* This value matches the size of IVs in ssl3SidKeys. */
+#define MAX_IV_LENGTH 24

 /*
 * Do not depend upon 64 bit arithmetic in the underlying machine.