verify the mac even if the padding is 1 byte long

off-by-one error on mac checking, if the padding is of minimal length (a single 0x00 byte), the mac is not checked and thus the return value is never falsified this fixes the issue
tlsfuzzer · Mar 27, 2018 · 3674815 · 3674815
1 parent 5b3c7b6
commit 3674815
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 1 deletion.
diff --git a/tlslite/utils/constanttime.py b/tlslite/utils/constanttime.py
@@ -170,7 +170,7 @@ def ct_check_cbc_mac_and_pad(data, mac, seqnumBytes, contentType, version):
     data_mac.update(compatHMAC(data[:start_pos]))
 
     # don't check past the array end (already checked to be >= zero)
-    end_pos = data_len - 1 - mac.digest_size
+    end_pos = data_len - mac.digest_size
 
     # calculate all possible
     for i in range(start_pos, end_pos): # constant for given overall length

diff --git a/unit_tests/test_tlslite_utils_constanttime.py b/unit_tests/test_tlslite_utils_constanttime.py
@@ -16,6 +16,7 @@
 from hypothesis import given, example
 import hypothesis.strategies as st
 from tlslite.utils.compat import compatHMAC
+from tlslite.utils.cryptomath import getRandomBytes
 from tlslite.recordlayer import RecordLayer
 import tlslite.utils.tlshashlib as hashlib
 import hmac
@@ -266,6 +267,26 @@ def test_with_invalid_hash(self):
         self.assertFalse(ct_check_cbc_mac_and_pad(data, h, seqnum_bytes,
                                                   content_type, version))
 
+    @given(i=st.integers(1, 20))
+    def test_with_invalid_random_hash(self, i):
+        key = compatHMAC(getRandomBytes(20))
+        seqnum_bytes = bytearray(16)
+        content_type = 0x15
+        version = (3, 3)
+        application_data = getRandomBytes(63)
+        mac = hashlib.sha1
+
+        data = self.data_prepare(application_data, seqnum_bytes, content_type,
+                                 version, mac, key)
+        data[-i] ^= 0xff
+        padding = bytearray(b'\x00')
+        data += padding
+
+        h = hmac.new(key, digestmod=mac)
+        h.block_size = mac().block_size
+        self.assertFalse(ct_check_cbc_mac_and_pad(data, h, seqnum_bytes,
+                                                  content_type, version))
+
     def test_with_invalid_pad(self):
         key = compatHMAC(bytearray(20))
         seqnum_bytes = bytearray(16)