Fail when encountering invalid CBC padding in EtM records This commit changes the behavior of the record decryption routine `ssl_decrypt_buf()` in the following situation: 1. A CBC ciphersuite with Encrypt-then-MAC is used. 2. A record with valid MAC but invalid CBC padding is received. In this situation, the previous code would not raise and error but instead forward the decrypted packet, including the wrong padding, to the user. This commit changes this behavior to return the error MBEDTLS_ERR_SSL_INVALID_MAC instead. While erroneous, the previous behavior does not constitute a security flaw since it can only happen for properly authenticated records, that is, if the peer makes a mistake while preparing the padded plaintext.

commit: dd3ab13da3fd3dc9ec2d3d247c25ac954ca66f5e [log] [tgz]
author: Hanno Becker <hanno.becker@arm.com> Wed Oct 17 14:43:14 2018 +0100
committer: Hanno Becker <hanno.becker@arm.com> Wed Oct 17 14:43:14 2018 +0100
tree: b275c7c6e69cbf1c2aef3c76544d3579a772ceb7
parent: 0592ea772aee48ca1e6d9eb84eca8e143033d973 [diff]
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 8bd74db..6afb624 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c

@@ -2304,13 +2304,13 @@
             correct = 0;
         }
         auth_done++;
-
-        /*
-         * Finally check the correct flag
-         */
-        if( correct == 0 )
-            return( MBEDTLS_ERR_SSL_INVALID_MAC );
     }
+
+    /*
+     * Finally check the correct flag
+     */
+    if( correct == 0 )
+        return( MBEDTLS_ERR_SSL_INVALID_MAC );
 #endif /* SSL_SOME_MODES_USE_MAC */
 
     /* Make extra sure authentication was performed, exactly once */
commit	dd3ab13da3fd3dc9ec2d3d247c25ac954ca66f5e	[log] [tgz]
author	Hanno Becker <hanno.becker@arm.com>	Wed Oct 17 14:43:14 2018 +0100
committer	Hanno Becker <hanno.becker@arm.com>	Wed Oct 17 14:43:14 2018 +0100
tree	b275c7c6e69cbf1c2aef3c76544d3579a772ceb7
parent	0592ea772aee48ca1e6d9eb84eca8e143033d973 [diff]