Skip to content
Permalink
Browse files Browse the repository at this point in the history
Fix buffer overrun in creating key transport blob according to RFC 91…
…89, 4.2.4.1

Resolves: CVE-2022-29242
  • Loading branch information
beldmit committed May 23, 2022
1 parent ee1986c commit c6655a0
Show file tree
Hide file tree
Showing 3 changed files with 22 additions and 1 deletion.
1 change: 1 addition & 0 deletions e_gost_err.c
Expand Up @@ -141,6 +141,7 @@ static ERR_STRING_DATA GOST_str_reasons[] = {
{ERR_PACK(0, 0, GOST_R_ERROR_SETTING_PEER_KEY), "error setting peer key"},
{ERR_PACK(0, 0, GOST_R_INCOMPATIBLE_ALGORITHMS), "incompatible algorithms"},
{ERR_PACK(0, 0, GOST_R_INCOMPATIBLE_PEER_KEY), "incompatible peer key"},
{ERR_PACK(0, 0, GOST_R_INVALID_BUFFER_SIZE), "invalid buffer size"},
{ERR_PACK(0, 0, GOST_R_INVALID_CIPHER), "invalid cipher"},
{ERR_PACK(0, 0, GOST_R_INVALID_CIPHER_PARAMS), "invalid cipher params"},
{ERR_PACK(0, 0, GOST_R_INVALID_CIPHER_PARAM_OID),
Expand Down
1 change: 1 addition & 0 deletions e_gost_err.h
Expand Up @@ -115,6 +115,7 @@ void ERR_GOST_error(int function, int reason, char *file, int line);
# define GOST_R_ERROR_SETTING_PEER_KEY 139
# define GOST_R_INCOMPATIBLE_ALGORITHMS 108
# define GOST_R_INCOMPATIBLE_PEER_KEY 109
# define GOST_R_INVALID_BUFFER_SIZE 140
# define GOST_R_INVALID_CIPHER 134
# define GOST_R_INVALID_CIPHER_PARAMS 110
# define GOST_R_INVALID_CIPHER_PARAM_OID 111
Expand Down
21 changes: 20 additions & 1 deletion gost_ec_keyx.c
Expand Up @@ -406,6 +406,7 @@ static int pkey_gost2018_encrypt(EVP_PKEY_CTX *pctx, unsigned char *out,
int exp_len = 0, iv_len = 0;
unsigned char *exp_buf = NULL;
int key_is_ephemeral = 0;
int res_len = 0;

switch (data->cipher_nid) {
case NID_magma_ctr:
Expand Down Expand Up @@ -499,8 +500,26 @@ static int pkey_gost2018_encrypt(EVP_PKEY_CTX *pctx, unsigned char *out,
goto err;
}

if ((*out_len = i2d_PSKeyTransport_gost(pst, out ? &out : NULL)) > 0)
res_len = i2d_PSKeyTransport_gost(pst, NULL);
if (res_len <= 0) {
GOSTerr(GOST_F_PKEY_GOST2018_ENCRYPT, ERR_R_ASN1_LIB);
goto err;
}

if (out == NULL) {
*out_len = res_len;
ret = 1;
} else {
if ((size_t)res_len > *out_len) {
GOSTerr(GOST_F_PKEY_GOST2018_ENCRYPT, GOST_R_INVALID_BUFFER_SIZE);
goto err;
}
if ((*out_len = i2d_PSKeyTransport_gost(pst, &out)) > 0)
ret = 1;
else
GOSTerr(GOST_F_PKEY_GOST2018_ENCRYPT, ERR_R_ASN1_LIB);
}

err:
OPENSSL_cleanse(expkeys, sizeof(expkeys));
if (key_is_ephemeral)
Expand Down

0 comments on commit c6655a0

Please sign in to comment.