root
/
openssl
mirror of https://github.com/openssl/openssl.git
1
0
Fork 0
Code Issues Actions 7 Packages Projects Releases Wiki Activity

crypto/evp: harden AEAD ciphers. 

Originally a crash in 32-bit build was reported CHACHA20-POLY1305
cipher. The crash is triggered by truncated packet and is result
of excessive hashing to the edge of accessible memory. Since hash
operation is read-only it is not considered to be exploitable
beyond a DoS condition. Other ciphers were hardened.

Thanks to Robert Święcki for report.

CVE-2017-3731

Reviewed-by: Rich Salz <rsalz@openssl.org>
This commit is contained in:
Andy Polyakov 2017-01-19 00:20:49 +01:00 committed by Matt Caswell
parent 8e20499629
commit 2198b3a55d
2 changed files with 15 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
crypto/evp/e_aes.c
View File

@ -1388,10 +1388,15 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
EVP_CIPHER_CTX_buf_noconst(c)[arg - 2] << 8 EVP_CIPHER_CTX_buf_noconst(c)[arg - 2] << 8
| EVP_CIPHER_CTX_buf_noconst(c)[arg - 1]; | EVP_CIPHER_CTX_buf_noconst(c)[arg - 1];
/* Correct length for explicit IV */ /* Correct length for explicit IV */
if (len < EVP_GCM_TLS_EXPLICIT_IV_LEN)
return 0;
len -= EVP_GCM_TLS_EXPLICIT_IV_LEN; len -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
/* If decrypting correct for tag too */ /* If decrypting correct for tag too */
if (!EVP_CIPHER_CTX_encrypting(c)) if (!EVP_CIPHER_CTX_encrypting(c)) {
if (len < EVP_GCM_TLS_TAG_LEN)
return 0;
len -= EVP_GCM_TLS_TAG_LEN; len -= EVP_GCM_TLS_TAG_LEN;
}
EVP_CIPHER_CTX_buf_noconst(c)[arg - 2] = len >> 8; EVP_CIPHER_CTX_buf_noconst(c)[arg - 2] = len >> 8;
EVP_CIPHER_CTX_buf_noconst(c)[arg - 1] = len & 0xff; EVP_CIPHER_CTX_buf_noconst(c)[arg - 1] = len & 0xff;
} }
@ -1946,10 +1951,15 @@ static int aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
EVP_CIPHER_CTX_buf_noconst(c)[arg - 2] << 8 EVP_CIPHER_CTX_buf_noconst(c)[arg - 2] << 8
| EVP_CIPHER_CTX_buf_noconst(c)[arg - 1]; | EVP_CIPHER_CTX_buf_noconst(c)[arg - 1];
/* Correct length for explicit IV */ /* Correct length for explicit IV */
if (len < EVP_CCM_TLS_EXPLICIT_IV_LEN)
return 0;
len -= EVP_CCM_TLS_EXPLICIT_IV_LEN; len -= EVP_CCM_TLS_EXPLICIT_IV_LEN;
/* If decrypting correct for tag too */ /* If decrypting correct for tag too */
if (!EVP_CIPHER_CTX_encrypting(c)) if (!EVP_CIPHER_CTX_encrypting(c)) {
if (len < cctx->M)
return 0;
len -= cctx->M; len -= cctx->M;
}
EVP_CIPHER_CTX_buf_noconst(c)[arg - 2] = len >> 8; EVP_CIPHER_CTX_buf_noconst(c)[arg - 2] = len >> 8;
EVP_CIPHER_CTX_buf_noconst(c)[arg - 1] = len & 0xff; EVP_CIPHER_CTX_buf_noconst(c)[arg - 1] = len & 0xff;
} }

5
crypto/evp/e_chacha20_poly1305.c
View File

@ -398,6 +398,8 @@ static int chacha20_poly1305_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
len = aad[EVP_AEAD_TLS1_AAD_LEN - 2] << 8 | len = aad[EVP_AEAD_TLS1_AAD_LEN - 2] << 8 |
aad[EVP_AEAD_TLS1_AAD_LEN - 1]; aad[EVP_AEAD_TLS1_AAD_LEN - 1];
if (!ctx->encrypt) { if (!ctx->encrypt) {
if (len < POLY1305_BLOCK_SIZE)
return 0;
len -= POLY1305_BLOCK_SIZE; /* discount attached tag */ len -= POLY1305_BLOCK_SIZE; /* discount attached tag */
memcpy(temp, aad, EVP_AEAD_TLS1_AAD_LEN - 2); memcpy(temp, aad, EVP_AEAD_TLS1_AAD_LEN - 2);
aad = temp; aad = temp;
@ -407,8 +409,7 @@ static int chacha20_poly1305_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
actx->tls_payload_length = len; actx->tls_payload_length = len;
/* /*
* merge record sequence number as per * merge record sequence number as per RFC7905
* draft-ietf-tls-chacha20-poly1305-03
*/ */
actx->key.counter[1] = actx->nonce[0]; actx->key.counter[1] = actx->nonce[0];
actx->key.counter[2] = actx->nonce[1] ^ CHACHA_U8TOU32(aad); actx->key.counter[2] = actx->nonce[1] ^ CHACHA_U8TOU32(aad);